* [PATCH 6.12 001/169] posix-clock: Store file pointer in struct posix_clock_context
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 002/169] ptp: Add PHC file mode checks. Allow RO adjtime() without FMODE_WRITE Greg Kroah-Hartman
` (181 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Cochran, Vadim Fedorenko,
Thomas Gleixner, Wojtek Wasko, David S. Miller, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wojtek Wasko <wwasko@nvidia.com>
[ Upstream commit e859d375d1694488015e6804bfeea527a0b25b9f ]
File descriptor based pc_clock_*() operations of dynamic posix clocks
have access to the file pointer and implement permission checks in the
generic code before invoking the relevant dynamic clock callback.
Character device operations (open, read, poll, ioctl) do not implement a
generic permission control and the dynamic clock callbacks have no
access to the file pointer to implement them.
Extend struct posix_clock_context with a struct file pointer and
initialize it in posix_clock_open(), so that all dynamic clock callbacks
can access it.
Acked-by: Richard Cochran <richardcochran@gmail.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Wojtek Wasko <wwasko@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/posix-clock.h | 6 +++++-
kernel/time/posix-clock.c | 1 +
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/include/linux/posix-clock.h b/include/linux/posix-clock.h
index ef8619f489203..a500d3160fe8c 100644
--- a/include/linux/posix-clock.h
+++ b/include/linux/posix-clock.h
@@ -95,10 +95,13 @@ struct posix_clock {
* struct posix_clock_context - represents clock file operations context
*
* @clk: Pointer to the clock
+ * @fp: Pointer to the file used to open the clock
* @private_clkdata: Pointer to user data
*
* Drivers should use struct posix_clock_context during specific character
- * device file operation methods to access the posix clock.
+ * device file operation methods to access the posix clock. In particular,
+ * the file pointer can be used to verify correct access mode for ioctl()
+ * calls.
*
* Drivers can store a private data structure during the open operation
* if they have specific information that is required in other file
@@ -106,6 +109,7 @@ struct posix_clock {
*/
struct posix_clock_context {
struct posix_clock *clk;
+ struct file *fp;
void *private_clkdata;
};
diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c
index 1af0bb2cc45c0..4e114e34a6e0a 100644
--- a/kernel/time/posix-clock.c
+++ b/kernel/time/posix-clock.c
@@ -129,6 +129,7 @@ static int posix_clock_open(struct inode *inode, struct file *fp)
goto out;
}
pccontext->clk = clk;
+ pccontext->fp = fp;
if (clk->ops.open) {
err = clk->ops.open(pccontext, fp->f_mode);
if (err) {
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 002/169] ptp: Add PHC file mode checks. Allow RO adjtime() without FMODE_WRITE.
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 001/169] posix-clock: Store file pointer in struct posix_clock_context Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-02-11 10:47 ` Jan Lübbe
2026-01-28 15:21 ` [PATCH 6.12 003/169] selftest/ptp: update ptp selftest to exercise the gettimex options Greg Kroah-Hartman
` (180 subsequent siblings)
182 siblings, 1 reply; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Cochran, Vadim Fedorenko,
Wojtek Wasko, Thomas Gleixner, David S. Miller, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wojtek Wasko <wwasko@nvidia.com>
[ Upstream commit b4e53b15c04e3852949003752f48f7a14ae39e86 ]
Many devices implement highly accurate clocks, which the kernel manages
as PTP Hardware Clocks (PHCs). Userspace applications rely on these
clocks to timestamp events, trace workload execution, correlate
timescales across devices, and keep various clocks in sync.
The kernel’s current implementation of PTP clocks does not enforce file
permissions checks for most device operations except for POSIX clock
operations, where file mode is verified in the POSIX layer before
forwarding the call to the PTP subsystem. Consequently, it is common
practice to not give unprivileged userspace applications any access to
PTP clocks whatsoever by giving the PTP chardevs 600 permissions. An
example of users running into this limitation is documented in [1].
Additionally, POSIX layer requires WRITE permission even for readonly
adjtime() calls which are used in PTP layer to return current frequency
offset applied to the PHC.
Add permission checks for functions that modify the state of a PTP
device. Continue enforcing permission checks for POSIX clock operations
(settime, adjtime) in the POSIX layer. Only require WRITE access for
dynamic clocks adjtime() if any flags are set in the modes field.
[1] https://lists.nwtime.org/sympa/arc/linuxptp-users/2024-01/msg00036.html
Changes in v4:
- Require FMODE_WRITE in ajtime() only for calls modifying the clock in
any way.
Acked-by: Richard Cochran <richardcochran@gmail.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Signed-off-by: Wojtek Wasko <wwasko@nvidia.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ptp/ptp_chardev.c | 16 ++++++++++++++++
kernel/time/posix-clock.c | 2 +-
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index bf6468c56419c..4380e6ddb8495 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -205,6 +205,10 @@ long ptp_ioctl(struct posix_clock_context *pccontext, unsigned int cmd,
case PTP_EXTTS_REQUEST:
case PTP_EXTTS_REQUEST2:
+ if ((pccontext->fp->f_mode & FMODE_WRITE) == 0) {
+ err = -EACCES;
+ break;
+ }
memset(&req, 0, sizeof(req));
if (copy_from_user(&req.extts, (void __user *)arg,
@@ -246,6 +250,10 @@ long ptp_ioctl(struct posix_clock_context *pccontext, unsigned int cmd,
case PTP_PEROUT_REQUEST:
case PTP_PEROUT_REQUEST2:
+ if ((pccontext->fp->f_mode & FMODE_WRITE) == 0) {
+ err = -EACCES;
+ break;
+ }
memset(&req, 0, sizeof(req));
if (copy_from_user(&req.perout, (void __user *)arg,
@@ -314,6 +322,10 @@ long ptp_ioctl(struct posix_clock_context *pccontext, unsigned int cmd,
case PTP_ENABLE_PPS:
case PTP_ENABLE_PPS2:
+ if ((pccontext->fp->f_mode & FMODE_WRITE) == 0) {
+ err = -EACCES;
+ break;
+ }
memset(&req, 0, sizeof(req));
if (!capable(CAP_SYS_TIME))
@@ -456,6 +468,10 @@ long ptp_ioctl(struct posix_clock_context *pccontext, unsigned int cmd,
case PTP_PIN_SETFUNC:
case PTP_PIN_SETFUNC2:
+ if ((pccontext->fp->f_mode & FMODE_WRITE) == 0) {
+ err = -EACCES;
+ break;
+ }
if (copy_from_user(&pd, (void __user *)arg, sizeof(pd))) {
err = -EFAULT;
break;
diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c
index 4e114e34a6e0a..fe963384d5c2a 100644
--- a/kernel/time/posix-clock.c
+++ b/kernel/time/posix-clock.c
@@ -252,7 +252,7 @@ static int pc_clock_adjtime(clockid_t id, struct __kernel_timex *tx)
if (err)
return err;
- if ((cd.fp->f_mode & FMODE_WRITE) == 0) {
+ if (tx->modes && (cd.fp->f_mode & FMODE_WRITE) == 0) {
err = -EACCES;
goto out;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 002/169] ptp: Add PHC file mode checks. Allow RO adjtime() without FMODE_WRITE.
2026-01-28 15:21 ` [PATCH 6.12 002/169] ptp: Add PHC file mode checks. Allow RO adjtime() without FMODE_WRITE Greg Kroah-Hartman
@ 2026-02-11 10:47 ` Jan Lübbe
0 siblings, 0 replies; 190+ messages in thread
From: Jan Lübbe @ 2026-02-11 10:47 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, Richard Cochran, Vadim Fedorenko, Wojtek Wasko,
Thomas Gleixner, David S. Miller, Sasha Levin
Hi,
these new permission checks break chrony < 4.8 (as used in Debian stable) when
using the PHC reclock with extpps mode, as it's opening the device without
O_RDWR.
chrony 4.8 is fixed:
https://gitlab.com/chrony/chrony/-/commit/f78e4681eff71d941fab3be5ee406d920a155a20
I've also reported this to Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127659
Regards,
Jan
On Wed, 2026-01-28 at 16:21 +0100, Greg Kroah-Hartman wrote:
> 6.12-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Wojtek Wasko <wwasko@nvidia.com>
>
> [ Upstream commit b4e53b15c04e3852949003752f48f7a14ae39e86 ]
>
> Many devices implement highly accurate clocks, which the kernel manages
> as PTP Hardware Clocks (PHCs). Userspace applications rely on these
> clocks to timestamp events, trace workload execution, correlate
> timescales across devices, and keep various clocks in sync.
>
> The kernel’s current implementation of PTP clocks does not enforce file
> permissions checks for most device operations except for POSIX clock
> operations, where file mode is verified in the POSIX layer before
> forwarding the call to the PTP subsystem. Consequently, it is common
> practice to not give unprivileged userspace applications any access to
> PTP clocks whatsoever by giving the PTP chardevs 600 permissions. An
> example of users running into this limitation is documented in [1].
> Additionally, POSIX layer requires WRITE permission even for readonly
> adjtime() calls which are used in PTP layer to return current frequency
> offset applied to the PHC.
>
> Add permission checks for functions that modify the state of a PTP
> device. Continue enforcing permission checks for POSIX clock operations
> (settime, adjtime) in the POSIX layer. Only require WRITE access for
> dynamic clocks adjtime() if any flags are set in the modes field.
>
> [1] https://lists.nwtime.org/sympa/arc/linuxptp-users/2024-01/msg00036.html
>
> Changes in v4:
> - Require FMODE_WRITE in ajtime() only for calls modifying the clock in
> any way.
>
> Acked-by: Richard Cochran <richardcochran@gmail.com>
> Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
> Signed-off-by: Wojtek Wasko <wwasko@nvidia.com>
> Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> drivers/ptp/ptp_chardev.c | 16 ++++++++++++++++
> kernel/time/posix-clock.c | 2 +-
> 2 files changed, 17 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
> index bf6468c56419c..4380e6ddb8495 100644
> --- a/drivers/ptp/ptp_chardev.c
> +++ b/drivers/ptp/ptp_chardev.c
> @@ -205,6 +205,10 @@ long ptp_ioctl(struct posix_clock_context *pccontext,
> unsigned int cmd,
>
> case PTP_EXTTS_REQUEST:
> case PTP_EXTTS_REQUEST2:
> + if ((pccontext->fp->f_mode & FMODE_WRITE) == 0) {
> + err = -EACCES;
> + break;
> + }
> memset(&req, 0, sizeof(req));
>
> if (copy_from_user(&req.extts, (void __user *)arg,
> @@ -246,6 +250,10 @@ long ptp_ioctl(struct posix_clock_context *pccontext,
> unsigned int cmd,
>
> case PTP_PEROUT_REQUEST:
> case PTP_PEROUT_REQUEST2:
> + if ((pccontext->fp->f_mode & FMODE_WRITE) == 0) {
> + err = -EACCES;
> + break;
> + }
> memset(&req, 0, sizeof(req));
>
> if (copy_from_user(&req.perout, (void __user *)arg,
> @@ -314,6 +322,10 @@ long ptp_ioctl(struct posix_clock_context *pccontext,
> unsigned int cmd,
>
> case PTP_ENABLE_PPS:
> case PTP_ENABLE_PPS2:
> + if ((pccontext->fp->f_mode & FMODE_WRITE) == 0) {
> + err = -EACCES;
> + break;
> + }
> memset(&req, 0, sizeof(req));
>
> if (!capable(CAP_SYS_TIME))
> @@ -456,6 +468,10 @@ long ptp_ioctl(struct posix_clock_context *pccontext,
> unsigned int cmd,
>
> case PTP_PIN_SETFUNC:
> case PTP_PIN_SETFUNC2:
> + if ((pccontext->fp->f_mode & FMODE_WRITE) == 0) {
> + err = -EACCES;
> + break;
> + }
> if (copy_from_user(&pd, (void __user *)arg, sizeof(pd))) {
> err = -EFAULT;
> break;
> diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c
> index 4e114e34a6e0a..fe963384d5c2a 100644
> --- a/kernel/time/posix-clock.c
> +++ b/kernel/time/posix-clock.c
> @@ -252,7 +252,7 @@ static int pc_clock_adjtime(clockid_t id, struct
> __kernel_timex *tx)
> if (err)
> return err;
>
> - if ((cd.fp->f_mode & FMODE_WRITE) == 0) {
> + if (tx->modes && (cd.fp->f_mode & FMODE_WRITE) == 0) {
> err = -EACCES;
> goto out;
> }
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
^ permalink raw reply [flat|nested] 190+ messages in thread
* [PATCH 6.12 003/169] selftest/ptp: update ptp selftest to exercise the gettimex options
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 001/169] posix-clock: Store file pointer in struct posix_clock_context Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 002/169] ptp: Add PHC file mode checks. Allow RO adjtime() without FMODE_WRITE Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 004/169] testptp: Add option to open PHC in readonly mode Greg Kroah-Hartman
` (179 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mahesh Bandewar, Shuah Khan,
Richard Cochran, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mahesh Bandewar <maheshb@google.com>
[ Upstream commit 3d07b691ee707c00afaf365440975e81bb96cd9b ]
With the inclusion of commit c259acab839e ("ptp/ioctl: support
MONOTONIC{,_RAW} timestamps for PTP_SYS_OFFSET_EXTENDED") clock_gettime()
now allows retrieval of pre/post timestamps for CLOCK_MONOTONIC and
CLOCK_MONOTONIC_RAW timebases along with the previously supported
CLOCK_REALTIME.
This patch adds a command line option 'y' to the testptp program to
choose one of the allowed timebases [realtime aka system, monotonic,
and monotonic-raw).
Signed-off-by: Mahesh Bandewar <maheshb@google.com>
Cc: Shuah Khan <shuah@kernel.org>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Link: https://patch.msgid.link/20241003101506.769418-1-maheshb@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 76868642e427 ("testptp: Add option to open PHC in readonly mode")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/ptp/testptp.c | 62 ++++++++++++++++++++++++---
1 file changed, 57 insertions(+), 5 deletions(-)
diff --git a/tools/testing/selftests/ptp/testptp.c b/tools/testing/selftests/ptp/testptp.c
index 011252fe238c8..58064151f2c89 100644
--- a/tools/testing/selftests/ptp/testptp.c
+++ b/tools/testing/selftests/ptp/testptp.c
@@ -146,6 +146,7 @@ static void usage(char *progname)
" -T val set the ptp clock time to 'val' seconds\n"
" -x val get an extended ptp clock time with the desired number of samples (up to %d)\n"
" -X get a ptp clock cross timestamp\n"
+ " -y val pre/post tstamp timebase to use {realtime|monotonic|monotonic-raw}\n"
" -z test combinations of rising/falling external time stamp flags\n",
progname, PTP_MAX_SAMPLES);
}
@@ -189,6 +190,7 @@ int main(int argc, char *argv[])
int seconds = 0;
int settime = 0;
int channel = -1;
+ clockid_t ext_clockid = CLOCK_REALTIME;
int64_t t1, t2, tp;
int64_t interval, offset;
@@ -198,7 +200,7 @@ int main(int argc, char *argv[])
progname = strrchr(argv[0], '/');
progname = progname ? 1+progname : argv[0];
- while (EOF != (c = getopt(argc, argv, "cd:e:f:F:ghH:i:k:lL:n:o:p:P:sSt:T:w:x:Xz"))) {
+ while (EOF != (c = getopt(argc, argv, "cd:e:f:F:ghH:i:k:lL:n:o:p:P:sSt:T:w:x:Xy:z"))) {
switch (c) {
case 'c':
capabilities = 1;
@@ -278,6 +280,21 @@ int main(int argc, char *argv[])
case 'X':
getcross = 1;
break;
+ case 'y':
+ if (!strcasecmp(optarg, "realtime"))
+ ext_clockid = CLOCK_REALTIME;
+ else if (!strcasecmp(optarg, "monotonic"))
+ ext_clockid = CLOCK_MONOTONIC;
+ else if (!strcasecmp(optarg, "monotonic-raw"))
+ ext_clockid = CLOCK_MONOTONIC_RAW;
+ else {
+ fprintf(stderr,
+ "type needs to be realtime, monotonic or monotonic-raw; was given %s\n",
+ optarg);
+ return -1;
+ }
+ break;
+
case 'z':
flagtest = 1;
break;
@@ -566,6 +583,7 @@ int main(int argc, char *argv[])
}
soe->n_samples = getextended;
+ soe->clockid = ext_clockid;
if (ioctl(fd, PTP_SYS_OFFSET_EXTENDED, soe)) {
perror("PTP_SYS_OFFSET_EXTENDED");
@@ -574,12 +592,46 @@ int main(int argc, char *argv[])
getextended);
for (i = 0; i < getextended; i++) {
- printf("sample #%2d: system time before: %lld.%09u\n",
- i, soe->ts[i][0].sec, soe->ts[i][0].nsec);
+ switch (ext_clockid) {
+ case CLOCK_REALTIME:
+ printf("sample #%2d: real time before: %lld.%09u\n",
+ i, soe->ts[i][0].sec,
+ soe->ts[i][0].nsec);
+ break;
+ case CLOCK_MONOTONIC:
+ printf("sample #%2d: monotonic time before: %lld.%09u\n",
+ i, soe->ts[i][0].sec,
+ soe->ts[i][0].nsec);
+ break;
+ case CLOCK_MONOTONIC_RAW:
+ printf("sample #%2d: monotonic-raw time before: %lld.%09u\n",
+ i, soe->ts[i][0].sec,
+ soe->ts[i][0].nsec);
+ break;
+ default:
+ break;
+ }
printf(" phc time: %lld.%09u\n",
soe->ts[i][1].sec, soe->ts[i][1].nsec);
- printf(" system time after: %lld.%09u\n",
- soe->ts[i][2].sec, soe->ts[i][2].nsec);
+ switch (ext_clockid) {
+ case CLOCK_REALTIME:
+ printf(" real time after: %lld.%09u\n",
+ soe->ts[i][2].sec,
+ soe->ts[i][2].nsec);
+ break;
+ case CLOCK_MONOTONIC:
+ printf(" monotonic time after: %lld.%09u\n",
+ soe->ts[i][2].sec,
+ soe->ts[i][2].nsec);
+ break;
+ case CLOCK_MONOTONIC_RAW:
+ printf(" monotonic-raw time after: %lld.%09u\n",
+ soe->ts[i][2].sec,
+ soe->ts[i][2].nsec);
+ break;
+ default:
+ break;
+ }
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 004/169] testptp: Add option to open PHC in readonly mode
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 003/169] selftest/ptp: update ptp selftest to exercise the gettimex options Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 005/169] dt-bindings: power: qcom,rpmpd: document the SM8750 RPMh Power Domains Greg Kroah-Hartman
` (178 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Cochran, Vadim Fedorenko,
Wojtek Wasko, David S. Miller, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wojtek Wasko <wwasko@nvidia.com>
[ Upstream commit 76868642e42795353106197abf9c607ad80f4c9e ]
PTP Hardware Clocks no longer require WRITE permission to perform
readonly operations, such as listing device capabilities or listening to
EXTTS events once they have been enabled by a process with WRITE
permissions.
Add '-r' option to testptp to open the PHC in readonly mode instead of
the default read-write mode. Skip enabling EXTTS if readonly mode is
requested.
Acked-by: Richard Cochran <richardcochran@gmail.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Signed-off-by: Wojtek Wasko <wwasko@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/ptp/testptp.c | 37 +++++++++++++++++----------
1 file changed, 23 insertions(+), 14 deletions(-)
diff --git a/tools/testing/selftests/ptp/testptp.c b/tools/testing/selftests/ptp/testptp.c
index 58064151f2c89..edc08a4433fd4 100644
--- a/tools/testing/selftests/ptp/testptp.c
+++ b/tools/testing/selftests/ptp/testptp.c
@@ -140,6 +140,7 @@ static void usage(char *progname)
" -H val set output phase to 'val' nanoseconds (requires -p)\n"
" -w val set output pulse width to 'val' nanoseconds (requires -p)\n"
" -P val enable or disable (val=1|0) the system clock PPS\n"
+ " -r open the ptp clock in readonly mode\n"
" -s set the ptp clock time from the system time\n"
" -S set the system time from the ptp clock time\n"
" -t val shift the ptp clock time by 'val' seconds\n"
@@ -188,6 +189,7 @@ int main(int argc, char *argv[])
int pin_index = -1, pin_func;
int pps = -1;
int seconds = 0;
+ int readonly = 0;
int settime = 0;
int channel = -1;
clockid_t ext_clockid = CLOCK_REALTIME;
@@ -200,7 +202,7 @@ int main(int argc, char *argv[])
progname = strrchr(argv[0], '/');
progname = progname ? 1+progname : argv[0];
- while (EOF != (c = getopt(argc, argv, "cd:e:f:F:ghH:i:k:lL:n:o:p:P:sSt:T:w:x:Xy:z"))) {
+ while (EOF != (c = getopt(argc, argv, "cd:e:f:F:ghH:i:k:lL:n:o:p:P:rsSt:T:w:x:Xy:z"))) {
switch (c) {
case 'c':
capabilities = 1;
@@ -252,6 +254,9 @@ int main(int argc, char *argv[])
case 'P':
pps = atoi(optarg);
break;
+ case 'r':
+ readonly = 1;
+ break;
case 's':
settime = 1;
break;
@@ -308,7 +313,7 @@ int main(int argc, char *argv[])
}
}
- fd = open(device, O_RDWR);
+ fd = open(device, readonly ? O_RDONLY : O_RDWR);
if (fd < 0) {
fprintf(stderr, "opening %s: %s\n", device, strerror(errno));
return -1;
@@ -436,14 +441,16 @@ int main(int argc, char *argv[])
}
if (extts) {
- memset(&extts_request, 0, sizeof(extts_request));
- extts_request.index = index;
- extts_request.flags = PTP_ENABLE_FEATURE;
- if (ioctl(fd, PTP_EXTTS_REQUEST, &extts_request)) {
- perror("PTP_EXTTS_REQUEST");
- extts = 0;
- } else {
- puts("external time stamp request okay");
+ if (!readonly) {
+ memset(&extts_request, 0, sizeof(extts_request));
+ extts_request.index = index;
+ extts_request.flags = PTP_ENABLE_FEATURE;
+ if (ioctl(fd, PTP_EXTTS_REQUEST, &extts_request)) {
+ perror("PTP_EXTTS_REQUEST");
+ extts = 0;
+ } else {
+ puts("external time stamp request okay");
+ }
}
for (; extts; extts--) {
cnt = read(fd, &event, sizeof(event));
@@ -455,10 +462,12 @@ int main(int argc, char *argv[])
event.t.sec, event.t.nsec);
fflush(stdout);
}
- /* Disable the feature again. */
- extts_request.flags = 0;
- if (ioctl(fd, PTP_EXTTS_REQUEST, &extts_request)) {
- perror("PTP_EXTTS_REQUEST");
+ if (!readonly) {
+ /* Disable the feature again. */
+ extts_request.flags = 0;
+ if (ioctl(fd, PTP_EXTTS_REQUEST, &extts_request)) {
+ perror("PTP_EXTTS_REQUEST");
+ }
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 005/169] dt-bindings: power: qcom,rpmpd: document the SM8750 RPMh Power Domains
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 004/169] testptp: Add option to open PHC in readonly mode Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 006/169] dt-bindings: power: qcom,rpmpd: add Turbo L5 corner Greg Kroah-Hartman
` (177 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Taniya Das, Jishnu Prakash,
Melody Olvera, Ulf Hansson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Taniya Das <quic_tdas@quicinc.com>
[ Upstream commit 134e9d035d830aabd1121bcda89f7ee9a476d3a3 ]
Document the RPMh Power Domains on the SM8750 Platform.
Signed-off-by: Taniya Das <quic_tdas@quicinc.com>
Signed-off-by: Jishnu Prakash <quic_jprakash@quicinc.com>
Signed-off-by: Melody Olvera <quic_molvera@quicinc.com>
Message-ID: <20241112002444.2802092-2-quic_molvera@quicinc.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Stable-dep-of: 5bc3e720e725 ("pmdomain: qcom: rpmhpd: Add MXC to SC8280XP")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/devicetree/bindings/power/qcom,rpmpd.yaml | 1 +
include/dt-bindings/power/qcom-rpmpd.h | 2 ++
2 files changed, 3 insertions(+)
diff --git a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
index 929b7ef9c1bcd..d55758a759717 100644
--- a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
+++ b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
@@ -58,6 +58,7 @@ properties:
- qcom,sm8450-rpmhpd
- qcom,sm8550-rpmhpd
- qcom,sm8650-rpmhpd
+ - qcom,sm8750-rpmhpd
- qcom,x1e80100-rpmhpd
- items:
- enum:
diff --git a/include/dt-bindings/power/qcom-rpmpd.h b/include/dt-bindings/power/qcom-rpmpd.h
index 608087fb9a3d9..df599bf462207 100644
--- a/include/dt-bindings/power/qcom-rpmpd.h
+++ b/include/dt-bindings/power/qcom-rpmpd.h
@@ -218,6 +218,7 @@
/* SDM845 Power Domain performance levels */
#define RPMH_REGULATOR_LEVEL_RETENTION 16
#define RPMH_REGULATOR_LEVEL_MIN_SVS 48
+#define RPMH_REGULATOR_LEVEL_LOW_SVS_D3 50
#define RPMH_REGULATOR_LEVEL_LOW_SVS_D2 52
#define RPMH_REGULATOR_LEVEL_LOW_SVS_D1 56
#define RPMH_REGULATOR_LEVEL_LOW_SVS_D0 60
@@ -238,6 +239,7 @@
#define RPMH_REGULATOR_LEVEL_TURBO_L1 416
#define RPMH_REGULATOR_LEVEL_TURBO_L2 432
#define RPMH_REGULATOR_LEVEL_TURBO_L3 448
+#define RPMH_REGULATOR_LEVEL_TURBO_L4 452
#define RPMH_REGULATOR_LEVEL_SUPER_TURBO 464
#define RPMH_REGULATOR_LEVEL_SUPER_TURBO_NO_CPR 480
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 006/169] dt-bindings: power: qcom,rpmpd: add Turbo L5 corner
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 005/169] dt-bindings: power: qcom,rpmpd: document the SM8750 RPMh Power Domains Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 007/169] dt-bindings: power: qcom-rpmpd: split RPMh domains definitions Greg Kroah-Hartman
` (176 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Akhil P Oommen,
Rob Clark, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
[ Upstream commit 1c402295c10891988fb2a6fc658e6e95d4852a20 ]
Update the RPMH level definitions to include TURBO_L5 corner.
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/661840/
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Stable-dep-of: 5bc3e720e725 ("pmdomain: qcom: rpmhpd: Add MXC to SC8280XP")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/dt-bindings/power/qcom-rpmpd.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/dt-bindings/power/qcom-rpmpd.h b/include/dt-bindings/power/qcom-rpmpd.h
index df599bf462207..5bc4735fb3e6e 100644
--- a/include/dt-bindings/power/qcom-rpmpd.h
+++ b/include/dt-bindings/power/qcom-rpmpd.h
@@ -240,6 +240,7 @@
#define RPMH_REGULATOR_LEVEL_TURBO_L2 432
#define RPMH_REGULATOR_LEVEL_TURBO_L3 448
#define RPMH_REGULATOR_LEVEL_TURBO_L4 452
+#define RPMH_REGULATOR_LEVEL_TURBO_L5 456
#define RPMH_REGULATOR_LEVEL_SUPER_TURBO 464
#define RPMH_REGULATOR_LEVEL_SUPER_TURBO_NO_CPR 480
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 007/169] dt-bindings: power: qcom-rpmpd: split RPMh domains definitions
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 006/169] dt-bindings: power: qcom,rpmpd: add Turbo L5 corner Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 008/169] dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO Greg Kroah-Hartman
` (175 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Rob Herring (Arm),
Konrad Dybcio, Bjorn Andersson, Ulf Hansson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit dcb8d01b65fb5a891ddbbedcbe6eff0b8ec37867 ]
Historically both RPM and RPMh domain definitions were a part of the
same, qcom-rpmpd.h header. Now as we have a separate header for RPMh
definitions, qcom,rpmhpd.h, move all RPMh power domain definitions to
that header.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Acked-by: Rob Herring (Arm) <robh@kernel.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20250718-rework-rpmhpd-rpmpd-v1-1-eedca108e540@oss.qualcomm.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Stable-dep-of: 5bc3e720e725 ("pmdomain: qcom: rpmhpd: Add MXC to SC8280XP")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/dt-bindings/power/qcom,rpmhpd.h | 233 ++++++++++++++++++++++++
include/dt-bindings/power/qcom-rpmpd.h | 228 +----------------------
2 files changed, 234 insertions(+), 227 deletions(-)
diff --git a/include/dt-bindings/power/qcom,rpmhpd.h b/include/dt-bindings/power/qcom,rpmhpd.h
index e54ffa3614515..73cceb88953f7 100644
--- a/include/dt-bindings/power/qcom,rpmhpd.h
+++ b/include/dt-bindings/power/qcom,rpmhpd.h
@@ -29,4 +29,237 @@
#define RPMHPD_NSP2 19
#define RPMHPD_GMXC 20
+/* RPMh Power Domain performance levels */
+#define RPMH_REGULATOR_LEVEL_RETENTION 16
+#define RPMH_REGULATOR_LEVEL_MIN_SVS 48
+#define RPMH_REGULATOR_LEVEL_LOW_SVS_D3 50
+#define RPMH_REGULATOR_LEVEL_LOW_SVS_D2 52
+#define RPMH_REGULATOR_LEVEL_LOW_SVS_D1 56
+#define RPMH_REGULATOR_LEVEL_LOW_SVS_D0 60
+#define RPMH_REGULATOR_LEVEL_LOW_SVS 64
+#define RPMH_REGULATOR_LEVEL_LOW_SVS_P1 72
+#define RPMH_REGULATOR_LEVEL_LOW_SVS_L1 80
+#define RPMH_REGULATOR_LEVEL_LOW_SVS_L2 96
+#define RPMH_REGULATOR_LEVEL_SVS 128
+#define RPMH_REGULATOR_LEVEL_SVS_L0 144
+#define RPMH_REGULATOR_LEVEL_SVS_L1 192
+#define RPMH_REGULATOR_LEVEL_SVS_L2 224
+#define RPMH_REGULATOR_LEVEL_NOM 256
+#define RPMH_REGULATOR_LEVEL_NOM_L0 288
+#define RPMH_REGULATOR_LEVEL_NOM_L1 320
+#define RPMH_REGULATOR_LEVEL_NOM_L2 336
+#define RPMH_REGULATOR_LEVEL_TURBO 384
+#define RPMH_REGULATOR_LEVEL_TURBO_L0 400
+#define RPMH_REGULATOR_LEVEL_TURBO_L1 416
+#define RPMH_REGULATOR_LEVEL_TURBO_L2 432
+#define RPMH_REGULATOR_LEVEL_TURBO_L3 448
+#define RPMH_REGULATOR_LEVEL_TURBO_L4 452
+#define RPMH_REGULATOR_LEVEL_TURBO_L5 456
+#define RPMH_REGULATOR_LEVEL_SUPER_TURBO 464
+#define RPMH_REGULATOR_LEVEL_SUPER_TURBO_NO_CPR 480
+
+/*
+ * Platform-specific power domain bindings. Don't add new entries here, use
+ * RPMHPD_* above.
+ */
+
+/* SA8775P Power Domain Indexes */
+#define SA8775P_CX 0
+#define SA8775P_CX_AO 1
+#define SA8775P_DDR 2
+#define SA8775P_EBI 3
+#define SA8775P_GFX 4
+#define SA8775P_LCX 5
+#define SA8775P_LMX 6
+#define SA8775P_MMCX 7
+#define SA8775P_MMCX_AO 8
+#define SA8775P_MSS 9
+#define SA8775P_MX 10
+#define SA8775P_MX_AO 11
+#define SA8775P_MXC 12
+#define SA8775P_MXC_AO 13
+#define SA8775P_NSP0 14
+#define SA8775P_NSP1 15
+#define SA8775P_XO 16
+
+/* SDM670 Power Domain Indexes */
+#define SDM670_MX 0
+#define SDM670_MX_AO 1
+#define SDM670_CX 2
+#define SDM670_CX_AO 3
+#define SDM670_LMX 4
+#define SDM670_LCX 5
+#define SDM670_GFX 6
+#define SDM670_MSS 7
+
+/* SDM845 Power Domain Indexes */
+#define SDM845_EBI 0
+#define SDM845_MX 1
+#define SDM845_MX_AO 2
+#define SDM845_CX 3
+#define SDM845_CX_AO 4
+#define SDM845_LMX 5
+#define SDM845_LCX 6
+#define SDM845_GFX 7
+#define SDM845_MSS 8
+
+/* SDX55 Power Domain Indexes */
+#define SDX55_MSS 0
+#define SDX55_MX 1
+#define SDX55_CX 2
+
+/* SDX65 Power Domain Indexes */
+#define SDX65_MSS 0
+#define SDX65_MX 1
+#define SDX65_MX_AO 2
+#define SDX65_CX 3
+#define SDX65_CX_AO 4
+#define SDX65_MXC 5
+
+/* SM6350 Power Domain Indexes */
+#define SM6350_CX 0
+#define SM6350_GFX 1
+#define SM6350_LCX 2
+#define SM6350_LMX 3
+#define SM6350_MSS 4
+#define SM6350_MX 5
+
+/* SM8150 Power Domain Indexes */
+#define SM8150_MSS 0
+#define SM8150_EBI 1
+#define SM8150_LMX 2
+#define SM8150_LCX 3
+#define SM8150_GFX 4
+#define SM8150_MX 5
+#define SM8150_MX_AO 6
+#define SM8150_CX 7
+#define SM8150_CX_AO 8
+#define SM8150_MMCX 9
+#define SM8150_MMCX_AO 10
+
+/* SA8155P is a special case, kept for backwards compatibility */
+#define SA8155P_CX SM8150_CX
+#define SA8155P_CX_AO SM8150_CX_AO
+#define SA8155P_EBI SM8150_EBI
+#define SA8155P_GFX SM8150_GFX
+#define SA8155P_MSS SM8150_MSS
+#define SA8155P_MX SM8150_MX
+#define SA8155P_MX_AO SM8150_MX_AO
+
+/* SM8250 Power Domain Indexes */
+#define SM8250_CX 0
+#define SM8250_CX_AO 1
+#define SM8250_EBI 2
+#define SM8250_GFX 3
+#define SM8250_LCX 4
+#define SM8250_LMX 5
+#define SM8250_MMCX 6
+#define SM8250_MMCX_AO 7
+#define SM8250_MX 8
+#define SM8250_MX_AO 9
+
+/* SM8350 Power Domain Indexes */
+#define SM8350_CX 0
+#define SM8350_CX_AO 1
+#define SM8350_EBI 2
+#define SM8350_GFX 3
+#define SM8350_LCX 4
+#define SM8350_LMX 5
+#define SM8350_MMCX 6
+#define SM8350_MMCX_AO 7
+#define SM8350_MX 8
+#define SM8350_MX_AO 9
+#define SM8350_MXC 10
+#define SM8350_MXC_AO 11
+#define SM8350_MSS 12
+
+/* SM8450 Power Domain Indexes */
+#define SM8450_CX 0
+#define SM8450_CX_AO 1
+#define SM8450_EBI 2
+#define SM8450_GFX 3
+#define SM8450_LCX 4
+#define SM8450_LMX 5
+#define SM8450_MMCX 6
+#define SM8450_MMCX_AO 7
+#define SM8450_MX 8
+#define SM8450_MX_AO 9
+#define SM8450_MXC 10
+#define SM8450_MXC_AO 11
+#define SM8450_MSS 12
+
+/* SM8550 Power Domain Indexes */
+#define SM8550_CX 0
+#define SM8550_CX_AO 1
+#define SM8550_EBI 2
+#define SM8550_GFX 3
+#define SM8550_LCX 4
+#define SM8550_LMX 5
+#define SM8550_MMCX 6
+#define SM8550_MMCX_AO 7
+#define SM8550_MX 8
+#define SM8550_MX_AO 9
+#define SM8550_MXC 10
+#define SM8550_MXC_AO 11
+#define SM8550_MSS 12
+#define SM8550_NSP 13
+
+/* QDU1000/QRU1000 Power Domain Indexes */
+#define QDU1000_EBI 0
+#define QDU1000_MSS 1
+#define QDU1000_CX 2
+#define QDU1000_MX 3
+
+/* SC7180 Power Domain Indexes */
+#define SC7180_CX 0
+#define SC7180_CX_AO 1
+#define SC7180_GFX 2
+#define SC7180_MX 3
+#define SC7180_MX_AO 4
+#define SC7180_LMX 5
+#define SC7180_LCX 6
+#define SC7180_MSS 7
+
+/* SC7280 Power Domain Indexes */
+#define SC7280_CX 0
+#define SC7280_CX_AO 1
+#define SC7280_EBI 2
+#define SC7280_GFX 3
+#define SC7280_MX 4
+#define SC7280_MX_AO 5
+#define SC7280_LMX 6
+#define SC7280_LCX 7
+#define SC7280_MSS 8
+
+/* SC8180X Power Domain Indexes */
+#define SC8180X_CX 0
+#define SC8180X_CX_AO 1
+#define SC8180X_EBI 2
+#define SC8180X_GFX 3
+#define SC8180X_LCX 4
+#define SC8180X_LMX 5
+#define SC8180X_MMCX 6
+#define SC8180X_MMCX_AO 7
+#define SC8180X_MSS 8
+#define SC8180X_MX 9
+#define SC8180X_MX_AO 10
+
+/* SC8280XP Power Domain Indexes */
+#define SC8280XP_CX 0
+#define SC8280XP_CX_AO 1
+#define SC8280XP_DDR 2
+#define SC8280XP_EBI 3
+#define SC8280XP_GFX 4
+#define SC8280XP_LCX 5
+#define SC8280XP_LMX 6
+#define SC8280XP_MMCX 7
+#define SC8280XP_MMCX_AO 8
+#define SC8280XP_MSS 9
+#define SC8280XP_MX 10
+#define SC8280XP_MXC 12
+#define SC8280XP_MX_AO 11
+#define SC8280XP_NSP 13
+#define SC8280XP_QPHY 14
+#define SC8280XP_XO 15
+
#endif
diff --git a/include/dt-bindings/power/qcom-rpmpd.h b/include/dt-bindings/power/qcom-rpmpd.h
index 5bc4735fb3e6e..109d450978f3d 100644
--- a/include/dt-bindings/power/qcom-rpmpd.h
+++ b/include/dt-bindings/power/qcom-rpmpd.h
@@ -4,66 +4,7 @@
#ifndef _DT_BINDINGS_POWER_QCOM_RPMPD_H
#define _DT_BINDINGS_POWER_QCOM_RPMPD_H
-/* SA8775P Power Domain Indexes */
-#define SA8775P_CX 0
-#define SA8775P_CX_AO 1
-#define SA8775P_DDR 2
-#define SA8775P_EBI 3
-#define SA8775P_GFX 4
-#define SA8775P_LCX 5
-#define SA8775P_LMX 6
-#define SA8775P_MMCX 7
-#define SA8775P_MMCX_AO 8
-#define SA8775P_MSS 9
-#define SA8775P_MX 10
-#define SA8775P_MX_AO 11
-#define SA8775P_MXC 12
-#define SA8775P_MXC_AO 13
-#define SA8775P_NSP0 14
-#define SA8775P_NSP1 15
-#define SA8775P_XO 16
-
-/* SDM670 Power Domain Indexes */
-#define SDM670_MX 0
-#define SDM670_MX_AO 1
-#define SDM670_CX 2
-#define SDM670_CX_AO 3
-#define SDM670_LMX 4
-#define SDM670_LCX 5
-#define SDM670_GFX 6
-#define SDM670_MSS 7
-
-/* SDM845 Power Domain Indexes */
-#define SDM845_EBI 0
-#define SDM845_MX 1
-#define SDM845_MX_AO 2
-#define SDM845_CX 3
-#define SDM845_CX_AO 4
-#define SDM845_LMX 5
-#define SDM845_LCX 6
-#define SDM845_GFX 7
-#define SDM845_MSS 8
-
-/* SDX55 Power Domain Indexes */
-#define SDX55_MSS 0
-#define SDX55_MX 1
-#define SDX55_CX 2
-
-/* SDX65 Power Domain Indexes */
-#define SDX65_MSS 0
-#define SDX65_MX 1
-#define SDX65_MX_AO 2
-#define SDX65_CX 3
-#define SDX65_CX_AO 4
-#define SDX65_MXC 5
-
-/* SM6350 Power Domain Indexes */
-#define SM6350_CX 0
-#define SM6350_GFX 1
-#define SM6350_LCX 2
-#define SM6350_LMX 3
-#define SM6350_MSS 4
-#define SM6350_MX 5
+#include <dt-bindings/power/qcom,rpmhpd.h>
/* SM6350 Power Domain Indexes */
#define SM6375_VDDCX 0
@@ -77,173 +18,6 @@
#define SM6375_VDD_LPI_CX 8
#define SM6375_VDD_LPI_MX 9
-/* SM8150 Power Domain Indexes */
-#define SM8150_MSS 0
-#define SM8150_EBI 1
-#define SM8150_LMX 2
-#define SM8150_LCX 3
-#define SM8150_GFX 4
-#define SM8150_MX 5
-#define SM8150_MX_AO 6
-#define SM8150_CX 7
-#define SM8150_CX_AO 8
-#define SM8150_MMCX 9
-#define SM8150_MMCX_AO 10
-
-/* SA8155P is a special case, kept for backwards compatibility */
-#define SA8155P_CX SM8150_CX
-#define SA8155P_CX_AO SM8150_CX_AO
-#define SA8155P_EBI SM8150_EBI
-#define SA8155P_GFX SM8150_GFX
-#define SA8155P_MSS SM8150_MSS
-#define SA8155P_MX SM8150_MX
-#define SA8155P_MX_AO SM8150_MX_AO
-
-/* SM8250 Power Domain Indexes */
-#define SM8250_CX 0
-#define SM8250_CX_AO 1
-#define SM8250_EBI 2
-#define SM8250_GFX 3
-#define SM8250_LCX 4
-#define SM8250_LMX 5
-#define SM8250_MMCX 6
-#define SM8250_MMCX_AO 7
-#define SM8250_MX 8
-#define SM8250_MX_AO 9
-
-/* SM8350 Power Domain Indexes */
-#define SM8350_CX 0
-#define SM8350_CX_AO 1
-#define SM8350_EBI 2
-#define SM8350_GFX 3
-#define SM8350_LCX 4
-#define SM8350_LMX 5
-#define SM8350_MMCX 6
-#define SM8350_MMCX_AO 7
-#define SM8350_MX 8
-#define SM8350_MX_AO 9
-#define SM8350_MXC 10
-#define SM8350_MXC_AO 11
-#define SM8350_MSS 12
-
-/* SM8450 Power Domain Indexes */
-#define SM8450_CX 0
-#define SM8450_CX_AO 1
-#define SM8450_EBI 2
-#define SM8450_GFX 3
-#define SM8450_LCX 4
-#define SM8450_LMX 5
-#define SM8450_MMCX 6
-#define SM8450_MMCX_AO 7
-#define SM8450_MX 8
-#define SM8450_MX_AO 9
-#define SM8450_MXC 10
-#define SM8450_MXC_AO 11
-#define SM8450_MSS 12
-
-/* SM8550 Power Domain Indexes */
-#define SM8550_CX 0
-#define SM8550_CX_AO 1
-#define SM8550_EBI 2
-#define SM8550_GFX 3
-#define SM8550_LCX 4
-#define SM8550_LMX 5
-#define SM8550_MMCX 6
-#define SM8550_MMCX_AO 7
-#define SM8550_MX 8
-#define SM8550_MX_AO 9
-#define SM8550_MXC 10
-#define SM8550_MXC_AO 11
-#define SM8550_MSS 12
-#define SM8550_NSP 13
-
-/* QDU1000/QRU1000 Power Domain Indexes */
-#define QDU1000_EBI 0
-#define QDU1000_MSS 1
-#define QDU1000_CX 2
-#define QDU1000_MX 3
-
-/* SC7180 Power Domain Indexes */
-#define SC7180_CX 0
-#define SC7180_CX_AO 1
-#define SC7180_GFX 2
-#define SC7180_MX 3
-#define SC7180_MX_AO 4
-#define SC7180_LMX 5
-#define SC7180_LCX 6
-#define SC7180_MSS 7
-
-/* SC7280 Power Domain Indexes */
-#define SC7280_CX 0
-#define SC7280_CX_AO 1
-#define SC7280_EBI 2
-#define SC7280_GFX 3
-#define SC7280_MX 4
-#define SC7280_MX_AO 5
-#define SC7280_LMX 6
-#define SC7280_LCX 7
-#define SC7280_MSS 8
-
-/* SC8180X Power Domain Indexes */
-#define SC8180X_CX 0
-#define SC8180X_CX_AO 1
-#define SC8180X_EBI 2
-#define SC8180X_GFX 3
-#define SC8180X_LCX 4
-#define SC8180X_LMX 5
-#define SC8180X_MMCX 6
-#define SC8180X_MMCX_AO 7
-#define SC8180X_MSS 8
-#define SC8180X_MX 9
-#define SC8180X_MX_AO 10
-
-/* SC8280XP Power Domain Indexes */
-#define SC8280XP_CX 0
-#define SC8280XP_CX_AO 1
-#define SC8280XP_DDR 2
-#define SC8280XP_EBI 3
-#define SC8280XP_GFX 4
-#define SC8280XP_LCX 5
-#define SC8280XP_LMX 6
-#define SC8280XP_MMCX 7
-#define SC8280XP_MMCX_AO 8
-#define SC8280XP_MSS 9
-#define SC8280XP_MX 10
-#define SC8280XP_MXC 12
-#define SC8280XP_MX_AO 11
-#define SC8280XP_NSP 13
-#define SC8280XP_QPHY 14
-#define SC8280XP_XO 15
-
-/* SDM845 Power Domain performance levels */
-#define RPMH_REGULATOR_LEVEL_RETENTION 16
-#define RPMH_REGULATOR_LEVEL_MIN_SVS 48
-#define RPMH_REGULATOR_LEVEL_LOW_SVS_D3 50
-#define RPMH_REGULATOR_LEVEL_LOW_SVS_D2 52
-#define RPMH_REGULATOR_LEVEL_LOW_SVS_D1 56
-#define RPMH_REGULATOR_LEVEL_LOW_SVS_D0 60
-#define RPMH_REGULATOR_LEVEL_LOW_SVS 64
-#define RPMH_REGULATOR_LEVEL_LOW_SVS_P1 72
-#define RPMH_REGULATOR_LEVEL_LOW_SVS_L1 80
-#define RPMH_REGULATOR_LEVEL_LOW_SVS_L2 96
-#define RPMH_REGULATOR_LEVEL_SVS 128
-#define RPMH_REGULATOR_LEVEL_SVS_L0 144
-#define RPMH_REGULATOR_LEVEL_SVS_L1 192
-#define RPMH_REGULATOR_LEVEL_SVS_L2 224
-#define RPMH_REGULATOR_LEVEL_NOM 256
-#define RPMH_REGULATOR_LEVEL_NOM_L0 288
-#define RPMH_REGULATOR_LEVEL_NOM_L1 320
-#define RPMH_REGULATOR_LEVEL_NOM_L2 336
-#define RPMH_REGULATOR_LEVEL_TURBO 384
-#define RPMH_REGULATOR_LEVEL_TURBO_L0 400
-#define RPMH_REGULATOR_LEVEL_TURBO_L1 416
-#define RPMH_REGULATOR_LEVEL_TURBO_L2 432
-#define RPMH_REGULATOR_LEVEL_TURBO_L3 448
-#define RPMH_REGULATOR_LEVEL_TURBO_L4 452
-#define RPMH_REGULATOR_LEVEL_TURBO_L5 456
-#define RPMH_REGULATOR_LEVEL_SUPER_TURBO 464
-#define RPMH_REGULATOR_LEVEL_SUPER_TURBO_NO_CPR 480
-
/* MDM9607 Power Domains */
#define MDM9607_VDDCX 0
#define MDM9607_VDDCX_AO 1
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 008/169] dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 007/169] dt-bindings: power: qcom-rpmpd: split RPMh domains definitions Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 009/169] pmdomain: qcom: rpmhpd: Add MXC to SC8280XP Greg Kroah-Hartman
` (174 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rob Herring (Arm), Konrad Dybcio,
Ulf Hansson, Bjorn Andersson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit 45e1be5ddec98db71e7481fa7a3005673200d85c ]
Not sure how useful it's gonna be in practice, but the definition is
missing (unlike the previously-unused SC8280XP_MXC-non-_AO), so add it
to allow the driver to create the corresponding pmdomain.
Fixes: dbfb5f94e084 ("dt-bindings: power: rpmpd: Add sc8280xp RPMh power-domains")
Acked-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Link: https://lore.kernel.org/r/20251202-topic-8280_mxc-v2-1-46cdf47a829e@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Stable-dep-of: 5bc3e720e725 ("pmdomain: qcom: rpmhpd: Add MXC to SC8280XP")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/dt-bindings/power/qcom,rpmhpd.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/dt-bindings/power/qcom,rpmhpd.h b/include/dt-bindings/power/qcom,rpmhpd.h
index 73cceb88953f7..269b73ff866a8 100644
--- a/include/dt-bindings/power/qcom,rpmhpd.h
+++ b/include/dt-bindings/power/qcom,rpmhpd.h
@@ -261,5 +261,6 @@
#define SC8280XP_NSP 13
#define SC8280XP_QPHY 14
#define SC8280XP_XO 15
+#define SC8280XP_MXC_AO 16
#endif
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 009/169] pmdomain: qcom: rpmhpd: Add MXC to SC8280XP
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 008/169] dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 010/169] arm64: dts: qcom: sc8280xp: Add missing VDD_MXC links Greg Kroah-Hartman
` (173 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Ulf Hansson, Bjorn Andersson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit 5bc3e720e725cd5fa34875fa1e5434d565858067 ]
This was apparently accounted for in dt-bindings, but never made its
way into the driver.
Fix it for SC8280XP and its VDD_GFX-less cousin, SA8540P.
Fixes: f68f1cb3437d ("soc: qcom: rpmhpd: add sc8280xp & sa8540p rpmh power-domains")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Link: https://lore.kernel.org/r/20251202-topic-8280_mxc-v2-2-46cdf47a829e@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pmdomain/qcom/rpmhpd.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/pmdomain/qcom/rpmhpd.c b/drivers/pmdomain/qcom/rpmhpd.c
index 65505e1e22198..88cb836e6f67a 100644
--- a/drivers/pmdomain/qcom/rpmhpd.c
+++ b/drivers/pmdomain/qcom/rpmhpd.c
@@ -228,6 +228,8 @@ static struct rpmhpd *sa8540p_rpmhpds[] = {
[SC8280XP_MMCX_AO] = &mmcx_ao,
[SC8280XP_MX] = &mx,
[SC8280XP_MX_AO] = &mx_ao,
+ [SC8280XP_MXC] = &mxc,
+ [SC8280XP_MXC_AO] = &mxc_ao,
[SC8280XP_NSP] = &nsp,
};
@@ -593,6 +595,8 @@ static struct rpmhpd *sc8280xp_rpmhpds[] = {
[SC8280XP_MMCX_AO] = &mmcx_ao,
[SC8280XP_MX] = &mx,
[SC8280XP_MX_AO] = &mx_ao,
+ [SC8280XP_MXC] = &mxc,
+ [SC8280XP_MXC_AO] = &mxc_ao,
[SC8280XP_NSP] = &nsp,
[SC8280XP_QPHY] = &qphy,
};
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 010/169] arm64: dts: qcom: sc8280xp: Add missing VDD_MXC links
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 009/169] pmdomain: qcom: rpmhpd: Add MXC to SC8280XP Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 011/169] Drivers: hv: Always do Hyper-V panic notification in hv_kmsg_dump() Greg Kroah-Hartman
` (172 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Ulf Hansson,
Bjorn Andersson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit 868b979c5328b867c95a6d5a93ba13ad0d3cd2f1 ]
To make sure that power rail is voted for, wire it up to its consumers.
Fixes: 152d1faf1e2f ("arm64: dts: qcom: add SC8280XP platform")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Link: https://lore.kernel.org/r/20251202-topic-8280_mxc-v2-3-46cdf47a829e@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sc8280xp.dtsi | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sc8280xp.dtsi b/arch/arm64/boot/dts/qcom/sc8280xp.dtsi
index b1e0e51a55829..c10ee18cb611a 100644
--- a/arch/arm64/boot/dts/qcom/sc8280xp.dtsi
+++ b/arch/arm64/boot/dts/qcom/sc8280xp.dtsi
@@ -5218,8 +5218,12 @@ remoteproc_nsp0: remoteproc@1b300000 {
clocks = <&rpmhcc RPMH_CXO_CLK>;
clock-names = "xo";
- power-domains = <&rpmhpd SC8280XP_NSP>;
- power-domain-names = "nsp";
+ power-domains = <&rpmhpd SC8280XP_NSP>,
+ <&rpmhpd SC8280XP_CX>,
+ <&rpmhpd SC8280XP_MXC>;
+ power-domain-names = "nsp",
+ "cx",
+ "mxc";
memory-region = <&pil_nsp0_mem>;
@@ -5349,8 +5353,12 @@ remoteproc_nsp1: remoteproc@21300000 {
clocks = <&rpmhcc RPMH_CXO_CLK>;
clock-names = "xo";
- power-domains = <&rpmhpd SC8280XP_NSP>;
- power-domain-names = "nsp";
+ power-domains = <&rpmhpd SC8280XP_NSP>,
+ <&rpmhpd SC8280XP_CX>,
+ <&rpmhpd SC8280XP_MXC>;
+ power-domain-names = "nsp",
+ "cx",
+ "mxc";
memory-region = <&pil_nsp1_mem>;
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 011/169] Drivers: hv: Always do Hyper-V panic notification in hv_kmsg_dump()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 010/169] arm64: dts: qcom: sc8280xp: Add missing VDD_MXC links Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 012/169] btrfs: fix missing fields in superblock backup with BLOCK_GROUP_TREE Greg Kroah-Hartman
` (171 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Michael Kelley, Roman Kisel, Wei Liu, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Kelley <mhklinux@outlook.com>
[ Upstream commit 49f49d47af67f8a7b221db1d758fc634242dc91a ]
hv_kmsg_dump() currently skips the panic notification entirely if it
doesn't get any message bytes to pass to Hyper-V due to an error from
kmsg_dump_get_buffer(). Skipping the notification is undesirable because
it leaves the Hyper-V host uncertain about the state of a panic'ed guest.
Fix this by always doing the panic notification, even if bytes_written
is zero. Also ensure that bytes_written is initialized, which fixes a
kernel test robot warning. The warning is actually bogus because
kmsg_dump_get_buffer() happens to set bytes_written even if it fails, and
in the kernel test robot's CONFIG_PRINTK not set case, hv_kmsg_dump() is
never called. But do the initialization for robustness and to quiet the
static checker.
Fixes: 9c318a1d9b50 ("Drivers: hv: move panic report code from vmbus to hv early init code")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/all/202512172103.OcUspn1Z-lkp@intel.com/
Signed-off-by: Michael Kelley <mhklinux@outlook.com>
Reviewed-by: Roman Kisel <vdso@mailbox.org>
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hv/hv_common.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/hv/hv_common.c b/drivers/hv/hv_common.c
index 7a35c82976e0f..f69dd08475114 100644
--- a/drivers/hv/hv_common.c
+++ b/drivers/hv/hv_common.c
@@ -218,13 +218,15 @@ static void hv_kmsg_dump(struct kmsg_dumper *dumper,
/*
* Write dump contents to the page. No need to synchronize; panic should
- * be single-threaded.
+ * be single-threaded. Ignore failures from kmsg_dump_get_buffer() since
+ * panic notification should be done even if there is no message data.
+ * Don't assume bytes_written is set in case of failure, so initialize it.
*/
kmsg_dump_rewind(&iter);
- kmsg_dump_get_buffer(&iter, false, hv_panic_page, HV_HYP_PAGE_SIZE,
+ bytes_written = 0;
+ (void)kmsg_dump_get_buffer(&iter, false, hv_panic_page, HV_HYP_PAGE_SIZE,
&bytes_written);
- if (!bytes_written)
- return;
+
/*
* P3 to contain the physical address of the panic page & P4 to
* contain the size of the panic data in that page. Rest of the
@@ -233,7 +235,7 @@ static void hv_kmsg_dump(struct kmsg_dumper *dumper,
hv_set_msr(HV_MSR_CRASH_P0, 0);
hv_set_msr(HV_MSR_CRASH_P1, 0);
hv_set_msr(HV_MSR_CRASH_P2, 0);
- hv_set_msr(HV_MSR_CRASH_P3, virt_to_phys(hv_panic_page));
+ hv_set_msr(HV_MSR_CRASH_P3, bytes_written ? virt_to_phys(hv_panic_page) : 0);
hv_set_msr(HV_MSR_CRASH_P4, bytes_written);
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 012/169] btrfs: fix missing fields in superblock backup with BLOCK_GROUP_TREE
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 011/169] Drivers: hv: Always do Hyper-V panic notification in hv_kmsg_dump() Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 013/169] ata: ahci: Do not read the per port area for unimplemented ports Greg Kroah-Hartman
` (170 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Mark Harmstone,
David Sterba, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Harmstone <mark@harmstone.com>
[ Upstream commit 1d8f69f453c2e8a2d99b158e58e02ed65031fa6d ]
When the BLOCK_GROUP_TREE compat_ro flag is set, the extent root and
csum root fields are getting missed.
This is because EXTENT_TREE_V2 treated these differently, and when
they were split off this special-casing was mistakenly assigned to
BGT rather than the rump EXTENT_TREE_V2. There's no reason why the
existence of the block group tree should mean that we don't record the
details of the last commit's extent root and csum root.
Fix the code in backup_super_roots() so that the correct check gets
made.
Fixes: 1c56ab991903 ("btrfs: separate BLOCK_GROUP_TREE compat RO flag from EXTENT_TREE_V2")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Mark Harmstone <mark@harmstone.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/disk-io.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 39fe4385ed361..93300c3fe0cab 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -1676,7 +1676,7 @@ static void backup_super_roots(struct btrfs_fs_info *info)
btrfs_set_backup_chunk_root_level(root_backup,
btrfs_header_level(info->chunk_root->node));
- if (!btrfs_fs_compat_ro(info, BLOCK_GROUP_TREE)) {
+ if (!btrfs_fs_incompat(info, EXTENT_TREE_V2)) {
struct btrfs_root *extent_root = btrfs_extent_root(info, 0);
struct btrfs_root *csum_root = btrfs_csum_root(info, 0);
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 013/169] ata: ahci: Do not read the per port area for unimplemented ports
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 012/169] btrfs: fix missing fields in superblock backup with BLOCK_GROUP_TREE Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 014/169] ata: libata-sata: Improve link_power_management_supported sysfs attribute Greg Kroah-Hartman
` (169 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Cassel, Wolf, Damien Le Moal,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
[ Upstream commit ea4d4ea6d10a561043922d285f1765c7e4bfd32a ]
An AHCI HBA specifies the number of ports it supports using CAP.NP.
The HBA is free to only make a subset of the number of ports available
using the PI (Ports Implemented) register.
libata currently creates dummy ports for HBA ports that are provided by
the HBA, but which are marked as "unavailable" using the PI register.
Each port will have a per port area of registers in the HBA, regardless
if the port is marked as "unavailable" or not.
ahci_mark_external_port() currently reads this per port area of registers
using readl() to see if the port is marked as external/hotplug-capable.
However, AHCI 1.3.1, section "3.1.4 Offset 0Ch: PI – Ports Implemented"
states: "Software must not read or write to registers within unavailable
ports."
Thus, make sure that we only call ahci_mark_external_port() and
ahci_update_initial_lpm_policy() for ports that are implemented.
>From a libata perspective, this should not change anything related to LPM,
as dummy ports do not provide any ap->ops (they do not have a .set_lpm()
callback), so even if EH were to call .set_lpm() on a dummy port, it was
already a no-op.
Fixes: f7131935238d ("ata: ahci: move marking of external port earlier")
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Tested-by: Wolf <wolf@yoxt.cc>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/ahci.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
index 944e44caa2606..e78b97fe81708 100644
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -2071,13 +2071,13 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
if (ap->flags & ATA_FLAG_EM)
ap->em_message_type = hpriv->em_msg_type;
- ahci_mark_external_port(ap);
-
- ahci_update_initial_lpm_policy(ap);
-
/* disabled/not-implemented port */
- if (!(hpriv->port_map & (1 << i)))
+ if (!(hpriv->port_map & (1 << i))) {
ap->ops = &ata_dummy_port_ops;
+ } else {
+ ahci_mark_external_port(ap);
+ ahci_update_initial_lpm_policy(ap);
+ }
}
/* apply workaround for ASUS P5W DH Deluxe mainboard */
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 014/169] ata: libata-sata: Improve link_power_management_supported sysfs attribute
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 013/169] ata: ahci: Do not read the per port area for unimplemented ports Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 015/169] ata: libata: Add cpr_log to ata_dev_print_features() early return Greg Kroah-Hartman
` (168 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Cassel, Wolf, Damien Le Moal,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
[ Upstream commit ce83767ea323baf8509a75eb0c783cd203e14789 ]
The link_power_management_supported sysfs attribute is currently set as
true even for ata ports that lack a .set_lpm() callback, e.g. dummy ports.
This is a bit silly, because while writing to the
link_power_management_policy sysfs attribute will make ata_scsi_lpm_store()
update ap->target_lpm_policy (thus sysfs will reflect the new value) and
call ata_port_schedule_eh() for the port, it is essentially a no-op.
This is because for a port without a .set_lpm() callback, once EH gets to
run, the ata_eh_link_set_lpm() will simply return, since the port does not
provide a .set_lpm() callback.
Thus, make sure that the link_power_management_supported sysfs attribute
is set to false for ports that lack a .set_lpm() callback. This way the
link_power_management_policy sysfs attribute will no longer be writable,
so we will no longer be misleading users to think that their sysfs write
actually does something.
Fixes: 0060beec0bfa ("ata: libata-sata: Add link_power_management_supported sysfs attribute")
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Tested-by: Wolf <wolf@yoxt.cc>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/libata-sata.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ata/libata-sata.c b/drivers/ata/libata-sata.c
index cad3855373cb1..5fbbdf6f87e34 100644
--- a/drivers/ata/libata-sata.c
+++ b/drivers/ata/libata-sata.c
@@ -909,7 +909,7 @@ static bool ata_scsi_lpm_supported(struct ata_port *ap)
struct ata_link *link;
struct ata_device *dev;
- if (ap->flags & ATA_FLAG_NO_LPM)
+ if ((ap->flags & ATA_FLAG_NO_LPM) || !ap->ops->set_lpm)
return false;
ata_for_each_link(link, ap, EDGE) {
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 015/169] ata: libata: Add cpr_log to ata_dev_print_features() early return
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 014/169] ata: libata-sata: Improve link_power_management_supported sysfs attribute Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 016/169] ata: libata-core: Introduce ata_dev_config_lpm() Greg Kroah-Hartman
` (167 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Cassel, Wolf, Damien Le Moal,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
[ Upstream commit a6bee5e5243ad02cae575becc4c83df66fc29573 ]
ata_dev_print_features() is supposed to return early and not print anything
if there are no features supported.
However, commit fe22e1c2f705 ("libata: support concurrent positioning
ranges log") added another feature to ata_dev_print_features() without
updating the early return conditional.
Add the missing feature to the early return conditional.
Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log")
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Tested-by: Wolf <wolf@yoxt.cc>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/libata-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index 802967eabc344..864248ff1faf9 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -2803,7 +2803,7 @@ static void ata_dev_config_cpr(struct ata_device *dev)
static void ata_dev_print_features(struct ata_device *dev)
{
- if (!(dev->flags & ATA_DFLAG_FEATURES_MASK))
+ if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log)
return;
ata_dev_info(dev,
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 016/169] ata: libata-core: Introduce ata_dev_config_lpm()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 015/169] ata: libata: Add cpr_log to ata_dev_print_features() early return Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 017/169] ata: libata: Call ata_dev_config_lpm() for ATAPI devices Greg Kroah-Hartman
` (166 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Niklas Cassel,
Hannes Reinecke, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit d360121832d8a36871249271df5b9ff05f835f62 ]
If the port of a device does not support Device Initiated Power
Management (DIPM), that is, the port is flagged with ATA_FLAG_NO_DIPM,
the DIPM feature of a device should not be used. Though DIPM is disabled
by default on a device, the "Software Settings Preservation feature"
may keep DIPM enabled or DIPM may have been enabled by the system
firmware.
Introduce the function ata_dev_config_lpm() to always disable DIPM on a
device that supports this feature if the port of the device is flagged
with ATA_FLAG_NO_DIPM. ata_dev_config_lpm() is called from
ata_dev_configure(), ensuring that a device DIPM feature is disabled
when it cannot be used.
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Link: https://lore.kernel.org/r/20250701125321.69496-2-dlemoal@kernel.org
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/libata-core.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index 864248ff1faf9..cdb41b66bff2b 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -2801,6 +2801,30 @@ static void ata_dev_config_cpr(struct ata_device *dev)
kfree(buf);
}
+/*
+ * Configure features related to link power management.
+ */
+static void ata_dev_config_lpm(struct ata_device *dev)
+{
+ struct ata_port *ap = dev->link->ap;
+ unsigned int err_mask;
+
+ /*
+ * Device Initiated Power Management (DIPM) is normally disabled by
+ * default on a device. However, DIPM may have been enabled and that
+ * setting kept even after COMRESET because of the Software Settings
+ * Preservation feature. So if the port does not support DIPM and the
+ * device does, disable DIPM on the device.
+ */
+ if (ap->flags & ATA_FLAG_NO_DIPM && ata_id_has_dipm(dev->id)) {
+ err_mask = ata_dev_set_feature(dev,
+ SETFEATURES_SATA_DISABLE, SATA_DIPM);
+ if (err_mask && err_mask != AC_ERR_DEV)
+ ata_dev_err(dev, "Disable DIPM failed, Emask 0x%x\n",
+ err_mask);
+ }
+}
+
static void ata_dev_print_features(struct ata_device *dev)
{
if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log)
@@ -2974,6 +2998,7 @@ int ata_dev_configure(struct ata_device *dev)
ata_dev_config_chs(dev);
}
+ ata_dev_config_lpm(dev);
ata_dev_config_fua(dev);
ata_dev_config_devslp(dev);
ata_dev_config_sense_reporting(dev);
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 017/169] ata: libata: Call ata_dev_config_lpm() for ATAPI devices
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 016/169] ata: libata-core: Introduce ata_dev_config_lpm() Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 018/169] ata: libata: Print features also " Greg Kroah-Hartman
` (165 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Cassel, Wolf, Damien Le Moal,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
[ Upstream commit 8f3fb33f8f3f825c708ece800c921977c157f9b6 ]
Commit d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()")
introduced ata_dev_config_lpm(). However, it only called this function for
ATA_DEV_ATA and ATA_DEV_ZAC devices, not for ATA_DEV_ATAPI devices.
Additionally, commit d99a9142e782 ("ata: libata-core: Move device LPM quirk
settings to ata_dev_config_lpm()") moved the LPM quirk application from
ata_dev_configure() to ata_dev_config_lpm(), causing LPM quirks for ATAPI
devices to no longer be applied.
Call ata_dev_config_lpm() also for ATAPI devices, such that LPM quirks are
applied for ATAPI devices with an entry in __ata_dev_quirks once again.
Fixes: d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()")
Fixes: d99a9142e782 ("ata: libata-core: Move device LPM quirk settings to ata_dev_config_lpm()")
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Tested-by: Wolf <wolf@yoxt.cc>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/libata-core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index cdb41b66bff2b..fba5166168978 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -3073,6 +3073,8 @@ int ata_dev_configure(struct ata_device *dev)
ata_mode_string(xfer_mask),
cdb_intr_string, atapi_an_string,
dma_dir_string);
+
+ ata_dev_config_lpm(dev);
}
/* determine max_sectors */
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 018/169] ata: libata: Print features also for ATAPI devices
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 017/169] ata: libata: Call ata_dev_config_lpm() for ATAPI devices Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 019/169] ice: initialize ring_stats->syncp Greg Kroah-Hartman
` (164 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Cassel, Wolf, Damien Le Moal,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
[ Upstream commit c8c6fb886f57d5bf71fb6de6334a143608d35707 ]
Commit d633b8a702ab ("libata: print feature list on device scan")
added a print of the features supported by the device for ATA_DEV_ATA and
ATA_DEV_ZAC devices, but not for ATA_DEV_ATAPI devices.
Fix this by printing the features also for ATAPI devices.
Before changes:
ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133
After changes:
ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133
ata1.00: Features: Dev-Attention HIPM DIPM
Fixes: d633b8a702ab ("libata: print feature list on device scan")
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Tested-by: Wolf <wolf@yoxt.cc>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/libata-core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index fba5166168978..33454d01c2044 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -3075,6 +3075,9 @@ int ata_dev_configure(struct ata_device *dev)
dma_dir_string);
ata_dev_config_lpm(dev);
+
+ if (print_info)
+ ata_dev_print_features(dev);
}
/* determine max_sectors */
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 019/169] ice: initialize ring_stats->syncp
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 018/169] ata: libata: Print features also " Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 020/169] ice: Avoid detrimental cleanup for bond during interface stop Greg Kroah-Hartman
` (163 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov, Jacob Keller,
Simon Horman, Tony Nguyen, Sasha Levin, Rinitha S
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacob Keller <jacob.e.keller@intel.com>
[ Upstream commit 8439016c3b8b5ab687c2420317b1691585106611 ]
The u64_stats_sync structure is empty on 64-bit systems. However, on 32-bit
systems it contains a seqcount_t which needs to be initialized. While the
memory is zero-initialized, a lack of u64_stats_init means that lockdep
won't get initialized properly. Fix this by adding u64_stats_init() calls
to the rings just after allocation.
Fixes: 2b245cb29421 ("ice: Implement transmit and NAPI support")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_lib.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
index 8961eebe67aa2..8f8bdc3072ccc 100644
--- a/drivers/net/ethernet/intel/ice/ice_lib.c
+++ b/drivers/net/ethernet/intel/ice/ice_lib.c
@@ -394,6 +394,8 @@ static int ice_vsi_alloc_ring_stats(struct ice_vsi *vsi)
if (!ring_stats)
goto err_out;
+ u64_stats_init(&ring_stats->syncp);
+
WRITE_ONCE(tx_ring_stats[i], ring_stats);
}
@@ -413,6 +415,8 @@ static int ice_vsi_alloc_ring_stats(struct ice_vsi *vsi)
if (!ring_stats)
goto err_out;
+ u64_stats_init(&ring_stats->syncp);
+
WRITE_ONCE(rx_ring_stats[i], ring_stats);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 020/169] ice: Avoid detrimental cleanup for bond during interface stop
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 019/169] ice: initialize ring_stats->syncp Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 021/169] ice: Fix incorrect timeout ice_release_res() Greg Kroah-Hartman
` (162 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacob Keller, Marcin Szycik,
Dave Ertman, Tony Nguyen, Sasha Levin, Rinitha S
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Ertman <david.m.ertman@intel.com>
[ Upstream commit a9d45c22ed120cdd15ff56d0a6e4700c46451901 ]
When the user issues an administrative down to an interface that is the
primary for an aggregate bond, the prune lists are being purged. This
breaks communication to the secondary interface, which shares a prune
list on the main switch block while bonded together.
For the primary interface of an aggregate, avoid deleting these prune
lists during stop, and since they are hardcoded to specific values for
the default vlan and QinQ vlans, the attempt to re-add them during the
up phase will quietly fail without any additional problem.
Fixes: 1e0f9881ef79 ("ice: Flesh out implementation of support for SRIOV on bonded interface")
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Marcin Szycik <marcin.szycik@linux.intel.com>
Signed-off-by: Dave Ertman <david.m.ertman@intel.com>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_lib.c | 25 ++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
index 8f8bdc3072ccc..4e022de9e4bbd 100644
--- a/drivers/net/ethernet/intel/ice/ice_lib.c
+++ b/drivers/net/ethernet/intel/ice/ice_lib.c
@@ -3746,22 +3746,31 @@ int ice_vsi_add_vlan_zero(struct ice_vsi *vsi)
int ice_vsi_del_vlan_zero(struct ice_vsi *vsi)
{
struct ice_vsi_vlan_ops *vlan_ops = ice_get_compat_vsi_vlan_ops(vsi);
+ struct ice_pf *pf = vsi->back;
struct ice_vlan vlan;
int err;
- vlan = ICE_VLAN(0, 0, 0);
- err = vlan_ops->del_vlan(vsi, &vlan);
- if (err && err != -EEXIST)
- return err;
+ if (pf->lag && pf->lag->primary) {
+ dev_dbg(ice_pf_to_dev(pf), "Interface is primary in aggregate - not deleting prune list\n");
+ } else {
+ vlan = ICE_VLAN(0, 0, 0);
+ err = vlan_ops->del_vlan(vsi, &vlan);
+ if (err && err != -EEXIST)
+ return err;
+ }
/* in SVM both VLAN 0 filters are identical */
if (!ice_is_dvm_ena(&vsi->back->hw))
return 0;
- vlan = ICE_VLAN(ETH_P_8021Q, 0, 0);
- err = vlan_ops->del_vlan(vsi, &vlan);
- if (err && err != -EEXIST)
- return err;
+ if (pf->lag && pf->lag->primary) {
+ dev_dbg(ice_pf_to_dev(pf), "Interface is primary in aggregate - not deleting QinQ prune list\n");
+ } else {
+ vlan = ICE_VLAN(ETH_P_8021Q, 0, 0);
+ err = vlan_ops->del_vlan(vsi, &vlan);
+ if (err && err != -EEXIST)
+ return err;
+ }
/* when deleting the last VLAN filter, make sure to disable the VLAN
* promisc mode so the filter isn't left by accident
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 021/169] ice: Fix incorrect timeout ice_release_res()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 020/169] ice: Avoid detrimental cleanup for bond during interface stop Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 022/169] igc: Restore default Qbv schedule when changing channels Greg Kroah-Hartman
` (161 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ding Hui, Simon Horman,
Aleksandr Loktionov, Jacob Keller, Paul Menzel, Tony Nguyen,
Sasha Levin, Rinitha S
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ding Hui <dinghui@sangfor.com.cn>
[ Upstream commit 01139a2ce532d77379e1593230127caa261a8036 ]
The commit 5f6df173f92e ("ice: implement and use rd32_poll_timeout for
ice_sq_done timeout") converted ICE_CTL_Q_SQ_CMD_TIMEOUT from jiffies
to microseconds.
But the ice_release_res() function was missed, and its logic still
treats ICE_CTL_Q_SQ_CMD_TIMEOUT as a jiffies value.
So correct the issue by usecs_to_jiffies().
Found by inspection of the DDP downloading process.
Compile and modprobe tested only.
Fixes: 5f6df173f92e ("ice: implement and use rd32_poll_timeout for ice_sq_done timeout")
Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_common.c b/drivers/net/ethernet/intel/ice/ice_common.c
index 068a467de1d56..36b3912761870 100644
--- a/drivers/net/ethernet/intel/ice/ice_common.c
+++ b/drivers/net/ethernet/intel/ice/ice_common.c
@@ -1951,7 +1951,7 @@ void ice_release_res(struct ice_hw *hw, enum ice_aq_res_ids res)
/* there are some rare cases when trying to release the resource
* results in an admin queue timeout, so handle them correctly
*/
- timeout = jiffies + 10 * ICE_CTL_Q_SQ_CMD_TIMEOUT;
+ timeout = jiffies + 10 * usecs_to_jiffies(ICE_CTL_Q_SQ_CMD_TIMEOUT);
do {
status = ice_aq_release_res(hw, res, 0, NULL);
if (status != -EIO)
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 022/169] igc: Restore default Qbv schedule when changing channels
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 021/169] ice: Fix incorrect timeout ice_release_res() Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 023/169] igc: fix race condition in TX timestamp read for register 0 Greg Kroah-Hartman
` (160 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kurt Kanzenbach, Aleksandr Loktionov,
Avigail Dahan, Vinicius Costa Gomes, Tony Nguyen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kurt Kanzenbach <kurt@linutronix.de>
[ Upstream commit 41a9a6826f20a524242a6c984845c4855f629841 ]
The Multi-queue Priority (MQPRIO) and Earliest TxTime First (ETF) offloads
utilize the Time Sensitive Networking (TSN) Tx mode. This mode is always
coupled to IEEE 802.1Qbv time aware shaper (Qbv). Therefore, the driver
sets a default Qbv schedule of all gates opened and a cycle time of
1s. This schedule is set during probe.
However, the following sequence of events lead to Tx issues:
- Boot a dual core system
igc_probe():
igc_tsn_clear_schedule():
-> Default Schedule is set
Note: At this point the driver has allocated two Tx/Rx queues, because
there are only two CPUs.
- ethtool -L enp3s0 combined 4
igc_ethtool_set_channels():
igc_reinit_queues()
-> Default schedule is gone, per Tx ring start and end time are zero
- tc qdisc replace dev enp3s0 handle 100 parent root mqprio \
num_tc 4 map 3 3 2 2 0 1 1 1 3 3 3 3 3 3 3 3 \
queues 1@0 1@1 1@2 1@3 hw 1
igc_tsn_offload_apply():
igc_tsn_enable_offload():
-> Writes zeros to IGC_STQT(i) and IGC_ENDQT(i), causing Tx to stall/fail
Therefore, restore the default Qbv schedule after changing the number of
channels.
Furthermore, add a restriction to not allow queue reconfiguration when
TSN/Qbv is enabled, because it may lead to inconsistent states.
Fixes: c814a2d2d48f ("igc: Use default cycle 'start' and 'end' values for queues")
Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_ethtool.c | 4 ++--
drivers/net/ethernet/intel/igc/igc_main.c | 5 +++++
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c
index 5b0c6f4337679..f4179b814eafc 100644
--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c
+++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c
@@ -1540,8 +1540,8 @@ static int igc_ethtool_set_channels(struct net_device *netdev,
if (ch->other_count != NON_Q_VECTORS)
return -EINVAL;
- /* Do not allow channel reconfiguration when mqprio is enabled */
- if (adapter->strict_priority_enable)
+ /* Do not allow channel reconfiguration when any TSN qdisc is enabled */
+ if (adapter->flags & IGC_FLAG_TSN_ANY_ENABLED)
return -EINVAL;
/* Verify the number of channels doesn't exceed hw limits */
diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
index 9ba41a427e141..18dad521aefcc 100644
--- a/drivers/net/ethernet/intel/igc/igc_main.c
+++ b/drivers/net/ethernet/intel/igc/igc_main.c
@@ -7582,6 +7582,11 @@ int igc_reinit_queues(struct igc_adapter *adapter)
if (netif_running(netdev))
err = igc_open(netdev);
+ if (!err) {
+ /* Restore default IEEE 802.1Qbv schedule after queue reinit */
+ igc_tsn_clear_schedule(adapter);
+ }
+
return err;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 023/169] igc: fix race condition in TX timestamp read for register 0
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 022/169] igc: Restore default Qbv schedule when changing channels Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 024/169] vsock/virtio: Coalesce only linear skb Greg Kroah-Hartman
` (159 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Avi Shalev, Aleksandr Loktionov,
Song Yoong Siang, Chwee-Lin Choong, Avigail Dahan, Tony Nguyen,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chwee-Lin Choong <chwee.lin.choong@intel.com>
[ Upstream commit 6990dc392a9ab10e52af37e0bee8c7b753756dc4 ]
The current HW bug workaround checks the TXTT_0 ready bit first,
then reads TXSTMPL_0 twice (before and after reading TXSTMPH_0)
to detect whether a new timestamp was captured by timestamp
register 0 during the workaround.
This sequence has a race: if a new timestamp is captured after
checking the TXTT_0 bit but before the first TXSTMPL_0 read, the
detection fails because both the "old" and "new" values come from
the same timestamp.
Fix by reading TXSTMPL_0 first to establish a baseline, then
checking the TXTT_0 bit. This ensures any timestamp captured
during the race window will be detected.
Old sequence:
1. Check TXTT_0 ready bit
2. Read TXSTMPL_0 (baseline)
3. Read TXSTMPH_0 (interrupt workaround)
4. Read TXSTMPL_0 (detect changes vs baseline)
New sequence:
1. Read TXSTMPL_0 (baseline)
2. Check TXTT_0 ready bit
3. Read TXSTMPH_0 (interrupt workaround)
4. Read TXSTMPL_0 (detect changes vs baseline)
Fixes: c789ad7cbebc ("igc: Work around HW bug causing missing timestamps")
Suggested-by: Avi Shalev <avi.shalev@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Co-developed-by: Song Yoong Siang <yoong.siang.song@intel.com>
Signed-off-by: Song Yoong Siang <yoong.siang.song@intel.com>
Signed-off-by: Chwee-Lin Choong <chwee.lin.choong@intel.com>
Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_ptp.c | 43 ++++++++++++++----------
1 file changed, 25 insertions(+), 18 deletions(-)
diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
index efc7b30e42113..a272d1a29eadb 100644
--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
+++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
@@ -785,36 +785,43 @@ static void igc_ptp_tx_reg_to_stamp(struct igc_adapter *adapter,
static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter)
{
struct igc_hw *hw = &adapter->hw;
+ u32 txstmpl_old;
u64 regval;
u32 mask;
int i;
+ /* Establish baseline of TXSTMPL_0 before checking TXTT_0.
+ * This baseline is used to detect if a new timestamp arrives in
+ * register 0 during the hardware bug workaround below.
+ */
+ txstmpl_old = rd32(IGC_TXSTMPL);
+
mask = rd32(IGC_TSYNCTXCTL) & IGC_TSYNCTXCTL_TXTT_ANY;
if (mask & IGC_TSYNCTXCTL_TXTT_0) {
regval = rd32(IGC_TXSTMPL);
regval |= (u64)rd32(IGC_TXSTMPH) << 32;
} else {
- /* There's a bug in the hardware that could cause
- * missing interrupts for TX timestamping. The issue
- * is that for new interrupts to be triggered, the
- * IGC_TXSTMPH_0 register must be read.
+ /* TXTT_0 not set - register 0 has no new timestamp initially.
+ *
+ * Hardware bug: Future timestamp interrupts won't fire unless
+ * TXSTMPH_0 is read, even if the timestamp was captured in
+ * registers 1-3.
*
- * To avoid discarding a valid timestamp that just
- * happened at the "wrong" time, we need to confirm
- * that there was no timestamp captured, we do that by
- * assuming that no two timestamps in sequence have
- * the same nanosecond value.
+ * Workaround: Read TXSTMPH_0 here to enable future interrupts.
+ * However, this read clears TXTT_0. If a timestamp arrives in
+ * register 0 after checking TXTT_0 but before this read, it
+ * would be lost.
*
- * So, we read the "low" register, read the "high"
- * register (to latch a new timestamp) and read the
- * "low" register again, if "old" and "new" versions
- * of the "low" register are different, a valid
- * timestamp was captured, we can read the "high"
- * register again.
+ * To detect this race: We saved a baseline read of TXSTMPL_0
+ * before TXTT_0 check. After performing the workaround read of
+ * TXSTMPH_0, we read TXSTMPL_0 again. Since consecutive
+ * timestamps never share the same nanosecond value, a change
+ * between the baseline and new TXSTMPL_0 indicates a timestamp
+ * arrived during the race window. If so, read the complete
+ * timestamp.
*/
- u32 txstmpl_old, txstmpl_new;
+ u32 txstmpl_new;
- txstmpl_old = rd32(IGC_TXSTMPL);
rd32(IGC_TXSTMPH);
txstmpl_new = rd32(IGC_TXSTMPL);
@@ -829,7 +836,7 @@ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter)
done:
/* Now that the problematic first register was handled, we can
- * use retrieve the timestamps from the other registers
+ * retrieve the timestamps from the other registers
* (starting from '1') with less complications.
*/
for (i = 1; i < IGC_MAX_TX_TSTAMP_REGS; i++) {
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 024/169] vsock/virtio: Coalesce only linear skb
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 023/169] igc: fix race condition in TX timestamp read for register 0 Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 025/169] net: usb: dm9601: remove broken SR9700 support Greg Kroah-Hartman
` (158 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Luczaj, Stefano Garzarella,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
[ Upstream commit 0386bd321d0f95d041a7b3d7b07643411b044a96 ]
vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb
(with a spare tail room) is followed by a small skb (length limited by
GOOD_COPY_LEN = 128), an attempt is made to join them.
Since the introduction of MSG_ZEROCOPY support, assumption that a small skb
will always be linear is incorrect. In the zerocopy case, data is lost and
the linear skb is appended with uninitialized kernel memory.
Of all 3 supported virtio-based transports, only loopback-transport is
affected. G2H virtio-transport rx queue operates on explicitly linear skbs;
see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G
vhost-transport may allocate non-linear skbs, but only for sizes that are
not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in
virtio_vsock_alloc_skb().
Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0
guarantees last_skb is linear.
Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260113-vsock-recv-coalescence-v2-1-552b17837cf4@rbox.co
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/vmw_vsock/virtio_transport_common.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index 2c9b1011cdcc8..4e8a9771a04d6 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -1374,9 +1374,11 @@ virtio_transport_recv_enqueue(struct vsock_sock *vsk,
/* Try to copy small packets into the buffer of last packet queued,
* to avoid wasting memory queueing the entire buffer with a small
- * payload.
+ * payload. Skip non-linear (e.g. zerocopy) skbs; these carry payload
+ * in skb_shinfo.
*/
- if (len <= GOOD_COPY_LEN && !skb_queue_empty(&vvs->rx_queue)) {
+ if (len <= GOOD_COPY_LEN && !skb_queue_empty(&vvs->rx_queue) &&
+ !skb_is_nonlinear(skb)) {
struct virtio_vsock_hdr *last_hdr;
struct sk_buff *last_skb;
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 025/169] net: usb: dm9601: remove broken SR9700 support
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 024/169] vsock/virtio: Coalesce only linear skb Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 026/169] bonding: limit BOND_MODE_8023AD to Ethernet devices Greg Kroah-Hartman
` (157 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Nelson-Moore, Peter Korsgaard,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Nelson-Moore <enelsonmoore@gmail.com>
[ Upstream commit 7d7dbafefbe74f5a25efc4807af093b857a7612e ]
The SR9700 chip sends more than one packet in a USB transaction,
like the DM962x chips can optionally do, but the dm9601 driver does not
support this mode, and the hardware does not have the DM962x
MODE_CTL register to disable it, so this driver drops packets on SR9700
devices. The sr9700 driver correctly handles receiving more than one
packet per transaction.
While the dm9601 driver could be improved to handle this, the easiest
way to fix this issue in the short term is to remove the SR9700 device
ID from the dm9601 driver so the sr9700 driver is always used. This
device ID should not have been in more than one driver to begin with.
The "Fixes" commit was chosen so that the patch is automatically
included in all kernels that have the sr9700 driver, even though the
issue affects dm9601.
Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Acked-by: Peter Korsgaard <peter@korsgaard.com>
Link: https://patch.msgid.link/20260113063924.74464-1-enelsonmoore@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/dm9601.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c
index 8b6d6a1b3c2ec..2b4716ccf0c5b 100644
--- a/drivers/net/usb/dm9601.c
+++ b/drivers/net/usb/dm9601.c
@@ -603,10 +603,6 @@ static const struct usb_device_id products[] = {
USB_DEVICE(0x0fe6, 0x8101), /* DM9601 USB to Fast Ethernet Adapter */
.driver_info = (unsigned long)&dm9601_info,
},
- {
- USB_DEVICE(0x0fe6, 0x9700), /* DM9601 USB to Fast Ethernet Adapter */
- .driver_info = (unsigned long)&dm9601_info,
- },
{
USB_DEVICE(0x0a46, 0x9000), /* DM9000E */
.driver_info = (unsigned long)&dm9601_info,
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 026/169] bonding: limit BOND_MODE_8023AD to Ethernet devices
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 025/169] net: usb: dm9601: remove broken SR9700 support Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 027/169] l2tp: Fix memleak in l2tp_udp_encap_recv() Greg Kroah-Hartman
` (156 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+9c081b17773615f24672,
Eric Dumazet, Andrew Lunn, Jay Vosburgh, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 ]
BOND_MODE_8023AD makes sense for ARPHRD_ETHER only.
syzbot reported:
BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497
CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
__asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
__hw_addr_create net/core/dev_addr_lists.c:63 [inline]
__hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
__dev_mc_add net/core/dev_addr_lists.c:868 [inline]
dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886
bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180
do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963
do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165
rtnl_changelink net/core/rtnetlink.c:3776 [inline]
__rtnl_newlink net/core/rtnetlink.c:3935 [inline]
rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072
rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
____sys_sendmsg+0x505/0x820 net/socket.c:2592
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
__sys_sendmsg+0x164/0x220 net/socket.c:2678
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307
do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
</TASK>
The buggy address belongs to the variable:
lacpdu_mcast_addr+0x0/0x40
Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
Reported-by: syzbot+9c081b17773615f24672@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6966946b.a70a0220.245e30.0002.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Acked-by: Jay Vosburgh <jv@jvosburgh.net>
Link: https://patch.msgid.link/20260113191201.3970737-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index f17a170d1be47..6f87d7e29e19b 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2017,6 +2017,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
*/
if (!bond_has_slaves(bond)) {
if (bond_dev->type != slave_dev->type) {
+ if (slave_dev->type != ARPHRD_ETHER &&
+ BOND_MODE(bond) == BOND_MODE_8023AD) {
+ SLAVE_NL_ERR(bond_dev, slave_dev, extack,
+ "8023AD mode requires Ethernet devices");
+ return -EINVAL;
+ }
slave_dbg(bond_dev, slave_dev, "change device type from %d to %d\n",
bond_dev->type, slave_dev->type);
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 027/169] l2tp: Fix memleak in l2tp_udp_encap_recv().
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 026/169] bonding: limit BOND_MODE_8023AD to Ethernet devices Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 028/169] selftests: net: fib-onlink-tests: Convert to use namespaces by default Greg Kroah-Hartman
` (155 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+2c42ea4485b29beb0643,
Kuniyuki Iwashima, Guillaume Nault, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 4d10edfd1475b69dbd4c47f34b61a3772ece83ca ]
syzbot reported memleak of struct l2tp_session, l2tp_tunnel,
sock, etc. [0]
The cited commit moved down the validation of the protocol
version in l2tp_udp_encap_recv().
The new place requires an extra error handling to avoid the
memleak.
Let's call l2tp_session_put() there.
[0]:
BUG: memory leak
unreferenced object 0xffff88810a290200 (size 512):
comm "syz.0.17", pid 6086, jiffies 4294944299
hex dump (first 32 bytes):
7d eb 04 0c 00 00 00 00 01 00 00 00 00 00 00 00 }...............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc babb6a4f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
l2tp_session_create+0x3a/0x3b0 net/l2tp/l2tp_core.c:1778
pppol2tp_connect+0x48b/0x920 net/l2tp/l2tp_ppp.c:755
__sys_connect_file+0x7a/0xb0 net/socket.c:2089
__sys_connect+0xde/0x110 net/socket.c:2108
__do_sys_connect net/socket.c:2114 [inline]
__se_sys_connect net/socket.c:2111 [inline]
__x64_sys_connect+0x1c/0x30 net/socket.c:2111
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 364798056f518 ("l2tp: Support different protocol versions with same IP/port quadruple")
Reported-by: syzbot+2c42ea4485b29beb0643@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/696693f2.a70a0220.245e30.0001.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Guillaume Nault <gnault@redhat.com>
Link: https://patch.msgid.link/20260113185446.2533333-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/l2tp/l2tp_core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 369a2f2e459cd..61fe27d71c230 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1086,8 +1086,10 @@ int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
tunnel = session->tunnel;
/* Check protocol version */
- if (version != tunnel->version)
+ if (version != tunnel->version) {
+ l2tp_session_put(session);
goto invalid;
+ }
if (version == L2TP_HDR_VER_3 &&
l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) {
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 028/169] selftests: net: fib-onlink-tests: Convert to use namespaces by default
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 027/169] l2tp: Fix memleak in l2tp_udp_encap_recv() Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 029/169] can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error Greg Kroah-Hartman
` (154 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Ricardo B . Marlière, Ido Schimmel, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marlière <rbm@suse.com>
[ Upstream commit 4f5f148dd7c0459229d2ab9a769b2e820f9ee6a2 ]
Currently, the test breaks if the SUT already has a default route
configured for IPv6. Fix by avoiding the use of the default namespace.
Fixes: 4ed591c8ab44 ("net/ipv6: Allow onlink routes to have a device mismatch if it is the default route")
Suggested-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Link: https://patch.msgid.link/20260113-selftests-net-fib-onlink-v2-1-89de2b931389@suse.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../testing/selftests/net/fib-onlink-tests.sh | 71 ++++++++-----------
1 file changed, 30 insertions(+), 41 deletions(-)
diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh
index ec2d6ceb1f08d..c01be076b210d 100755
--- a/tools/testing/selftests/net/fib-onlink-tests.sh
+++ b/tools/testing/selftests/net/fib-onlink-tests.sh
@@ -120,7 +120,7 @@ log_subsection()
run_cmd()
{
- local cmd="$*"
+ local cmd="$1"
local out
local rc
@@ -145,7 +145,7 @@ get_linklocal()
local pfx
local addr
- addr=$(${pfx} ip -6 -br addr show dev ${dev} | \
+ addr=$(${pfx} ${IP} -6 -br addr show dev ${dev} | \
awk '{
for (i = 3; i <= NF; ++i) {
if ($i ~ /^fe80/)
@@ -173,58 +173,48 @@ setup()
set -e
- # create namespace
- setup_ns PEER_NS
+ # create namespaces
+ setup_ns ns1
+ IP="ip -netns $ns1"
+ setup_ns ns2
# add vrf table
- ip li add ${VRF} type vrf table ${VRF_TABLE}
- ip li set ${VRF} up
- ip ro add table ${VRF_TABLE} unreachable default metric 8192
- ip -6 ro add table ${VRF_TABLE} unreachable default metric 8192
+ ${IP} li add ${VRF} type vrf table ${VRF_TABLE}
+ ${IP} li set ${VRF} up
+ ${IP} ro add table ${VRF_TABLE} unreachable default metric 8192
+ ${IP} -6 ro add table ${VRF_TABLE} unreachable default metric 8192
# create test interfaces
- ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
- ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
- ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
- ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
+ ${IP} li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
+ ${IP} li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
+ ${IP} li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
+ ${IP} li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
# enslave vrf interfaces
for n in 5 7; do
- ip li set ${NETIFS[p${n}]} vrf ${VRF}
+ ${IP} li set ${NETIFS[p${n}]} vrf ${VRF}
done
# add addresses
for n in 1 3 5 7; do
- ip li set ${NETIFS[p${n}]} up
- ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
- ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ ${IP} li set ${NETIFS[p${n}]} up
+ ${IP} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+ ${IP} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
done
# move peer interfaces to namespace and add addresses
for n in 2 4 6 8; do
- ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up
- ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
- ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ ${IP} li set ${NETIFS[p${n}]} netns ${ns2} up
+ ip -netns $ns2 addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+ ip -netns $ns2 addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
done
- ip -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64}
- ip -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64}
+ ${IP} -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64}
+ ${IP} -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64}
set +e
}
-cleanup()
-{
- # make sure we start from a clean slate
- cleanup_ns ${PEER_NS} 2>/dev/null
- for n in 1 3 5 7; do
- ip link del ${NETIFS[p${n}]} 2>/dev/null
- done
- ip link del ${VRF} 2>/dev/null
- ip ro flush table ${VRF_TABLE}
- ip -6 ro flush table ${VRF_TABLE}
-}
-
################################################################################
# IPv4 tests
#
@@ -241,7 +231,7 @@ run_ip()
# dev arg may be empty
[ -n "${dev}" ] && dev="dev ${dev}"
- run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink
+ run_cmd "${IP} ro add table ${table} ${prefix}/32 via ${gw} ${dev} onlink"
log_test $? ${exp_rc} "${desc}"
}
@@ -257,8 +247,8 @@ run_ip_mpath()
# dev arg may be empty
[ -n "${dev}" ] && dev="dev ${dev}"
- run_cmd ip ro add table "${table}" "${prefix}"/32 \
- nexthop via ${nh1} nexthop via ${nh2}
+ run_cmd "${IP} ro add table ${table} ${prefix}/32 \
+ nexthop via ${nh1} nexthop via ${nh2}"
log_test $? ${exp_rc} "${desc}"
}
@@ -339,7 +329,7 @@ run_ip6()
# dev arg may be empty
[ -n "${dev}" ] && dev="dev ${dev}"
- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink
+ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 via ${gw} ${dev} onlink"
log_test $? ${exp_rc} "${desc}"
}
@@ -353,8 +343,8 @@ run_ip6_mpath()
local exp_rc="$6"
local desc="$7"
- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 "${opts}" \
- nexthop via ${nh1} nexthop via ${nh2}
+ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 ${opts} \
+ nexthop via ${nh1} nexthop via ${nh2}"
log_test $? ${exp_rc} "${desc}"
}
@@ -491,10 +481,9 @@ do
esac
done
-cleanup
setup
run_onlink_tests
-cleanup
+cleanup_ns ${ns1} ${ns2}
if [ "$TESTS" != "none" ]; then
printf "\nTests passed: %3d\n" ${nsuccess}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 029/169] can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 028/169] selftests: net: fib-onlink-tests: Convert to use namespaces by default Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 030/169] sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT Greg Kroah-Hartman
` (153 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Marc Kleine-Budde,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
[ Upstream commit 79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7 ]
In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix
URB memory leak"), the URB was re-anchored before usb_submit_urb() in
gs_usb_receive_bulk_callback() to prevent a leak of this URB during
cleanup.
However, this patch did not take into account that usb_submit_urb() could
fail. The URB remains anchored and
usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops
infinitely since the anchor list never becomes empty.
To fix the bug, unanchor the URB when an usb_submit_urb() error occurs,
also print an info message.
Fixes: 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak")
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/all/20260110223836.3890248-1-kuba@kernel.org/
Link: https://patch.msgid.link/20260116-can_usb-fix-reanchor-v1-1-9d74e7289225@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/usb/gs_usb.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
index 1aa2f99f92b20..e63e77f21801c 100644
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -751,6 +751,10 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
usb_anchor_urb(urb, &parent->rx_submitted);
rc = usb_submit_urb(urb, GFP_ATOMIC);
+ if (!rc)
+ return;
+
+ usb_unanchor_urb(urb);
/* USB failure take down all interfaces */
if (rc == -ENODEV) {
@@ -759,6 +763,9 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
if (parent->canch[rc])
netif_device_detach(parent->canch[rc]->netdev);
}
+ } else if (rc != -ESHUTDOWN && net_ratelimit()) {
+ netdev_info(netdev, "failed to re-submit IN URB: %pe\n",
+ ERR_PTR(urb->status));
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 030/169] sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 029/169] can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 031/169] amd-xgbe: avoid misleading per-packet error log Greg Kroah-Hartman
` (152 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhen Chen, Xin Long, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit a80c9d945aef55b23b54838334345f20251dad83 ]
A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key
initialization fails:
==================================================================
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2
RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]
RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401
Call Trace:
sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189
sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111
sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217
sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787
sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169
sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052
sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88
sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243
sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127
The issue is triggered when sctp_auth_asoc_init_active_key() fails in
sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the
command sequence is currently:
- SCTP_CMD_PEER_INIT
- SCTP_CMD_TIMER_STOP (T1_INIT)
- SCTP_CMD_TIMER_START (T1_COOKIE)
- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)
- SCTP_CMD_ASSOC_SHKEY
- SCTP_CMD_GEN_COOKIE_ECHO
If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while
asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by
SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL
to be queued by sctp_datamsg_from_user().
Since command interpretation stops on failure, no COOKIE_ECHO should been
sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already
been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As
a result, the DATA chunk can be transmitted together with the COOKIE_ECHO
in sctp_outq_flush_data(), leading to the observed issue.
Similar to the other places where it calls sctp_auth_asoc_init_active_key()
right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY
immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting
T1_COOKIE. This ensures that if shared key generation fails, authenticated
DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,
giving the client another chance to process INIT_ACK and retry key setup.
Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
Reported-by: Zhen Chen <chenzhen126@huawei.com>
Tested-by: Zhen Chen <chenzhen126@huawei.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/44881224b375aa8853f5e19b4055a1a56d895813.1768324226.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/sm_statefuns.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index dc66dff33d6d4..966bd6a44594a 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -603,6 +603,11 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
SCTP_PEER_INIT(initchunk));
+ /* SCTP-AUTH: generate the association shared keys so that
+ * we can potentially sign the COOKIE-ECHO.
+ */
+ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
+
/* Reset init error count upon receipt of INIT-ACK. */
sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
@@ -617,11 +622,6 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
- /* SCTP-AUTH: generate the association shared keys so that
- * we can potentially sign the COOKIE-ECHO.
- */
- sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
-
/* 5.1 C) "A" shall then send the State Cookie received in the
* INIT ACK chunk in a COOKIE ECHO chunk, ...
*/
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 031/169] amd-xgbe: avoid misleading per-packet error log
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 030/169] sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 032/169] gue: Fix skb memleak with inner IP protocol 0 Greg Kroah-Hartman
` (151 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raju Rangoju, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raju Rangoju <Raju.Rangoju@amd.com>
[ Upstream commit c158f985cf6c2c36c99c4f67af2ff3f5ebe09f8f ]
On the receive path, packet can be damaged because of buffer
overflow in Rx FIFO. Avoid misleading per-packet error log when
packet->errors is set, this can flood the log. Instead, rely on the
standard rtnl_link_stats64 stats.
Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver")
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Link: https://patch.msgid.link/20260114163037.2062606-1-Raju.Rangoju@amd.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
index 32a6d52614242..e6a2492360227 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
@@ -2105,7 +2105,7 @@ static void xgbe_get_stats64(struct net_device *netdev,
s->multicast = pstats->rxmulticastframes_g;
s->rx_length_errors = pstats->rxlengtherror;
s->rx_crc_errors = pstats->rxcrcerror;
- s->rx_fifo_errors = pstats->rxfifooverflow;
+ s->rx_over_errors = pstats->rxfifooverflow;
s->tx_packets = pstats->txframecount_gb;
s->tx_bytes = pstats->txoctetcount_gb;
@@ -2559,9 +2559,6 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
goto read_again;
if (error || packet->errors) {
- if (packet->errors)
- netif_err(pdata, rx_err, netdev,
- "error in received packet\n");
dev_kfree_skb(skb);
goto next_packet;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 032/169] gue: Fix skb memleak with inner IP protocol 0.
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 031/169] amd-xgbe: avoid misleading per-packet error log Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 033/169] tools: ynl: Specify --no-line-number in ynl-regen.sh Greg Kroah-Hartman
` (150 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4d8c7d16b0e95c0d0f0d,
Kuniyuki Iwashima, Eric Dumazet, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 9a56796ad258786d3624eef5aefba394fc9bdded ]
syzbot reported skb memleak below. [0]
The repro generated a GUE packet with its inner protocol 0.
gue_udp_recv() returns -guehdr->proto_ctype for "resubmit"
in ip_protocol_deliver_rcu(), but this only works with
non-zero protocol number.
Let's drop such packets.
Note that 0 is a valid number (IPv6 Hop-by-Hop Option).
I think it is not practical to encap HOPOPT in GUE, so once
someone starts to complain, we could pass down a resubmit
flag pointer to distinguish two zeros from the upper layer:
* no error
* resubmit HOPOPT
[0]
BUG: memory leak
unreferenced object 0xffff888109695a00 (size 240):
comm "syz.0.17", pid 6088, jiffies 4294943096
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............
backtrace (crc a84b336f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
__build_skb+0x23/0x60 net/core/skbuff.c:474
build_skb+0x20/0x190 net/core/skbuff.c:490
__tun_build_skb drivers/net/tun.c:1541 [inline]
tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636
tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770
tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x45d/0x710 fs/read_write.c:686
ksys_write+0xa7/0x170 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 37dd0247797b1 ("gue: Receive side for Generic UDP Encapsulation")
Reported-by: syzbot+4d8c7d16b0e95c0d0f0d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6965534b.050a0220.38aacd.0001.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260115172533.693652-2-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/fou_core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/ipv4/fou_core.c b/net/ipv4/fou_core.c
index 3e30745e2c09a..0e173998f1d7a 100644
--- a/net/ipv4/fou_core.c
+++ b/net/ipv4/fou_core.c
@@ -215,6 +215,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb)
return gue_control_message(skb, guehdr);
proto_ctype = guehdr->proto_ctype;
+ if (unlikely(!proto_ctype))
+ goto drop;
+
__skb_pull(skb, sizeof(struct udphdr) + hdrlen);
skb_reset_transport_header(skb);
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 033/169] tools: ynl: Specify --no-line-number in ynl-regen.sh.
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 032/169] gue: Fix skb memleak with inner IP protocol 0 Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 034/169] fou: Dont allow 0 for FOU_ATTR_IPPROTO Greg Kroah-Hartman
` (149 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Kuniyuki Iwashima,
Eric Dumazet, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 68578370f9b3a2aba5964b273312d51c581b6aad ]
If grep.lineNumber is enabled in .gitconfig,
[grep]
lineNumber = true
ynl-regen.sh fails with the following error:
$ ./tools/net/ynl/ynl-regen.sh -f
...
ynl_gen_c.py: error: argument --mode: invalid choice: '4:' (choose from user, kernel, uapi)
GEN 4: net/ipv4/fou_nl.c
Let's specify --no-line-number explicitly.
Fixes: be5bea1cc0bf ("net: add basic C code generators for Netlink")
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260115172533.693652-3-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/net/ynl/ynl-regen.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/net/ynl/ynl-regen.sh b/tools/net/ynl/ynl-regen.sh
index a37304dcc88e1..7bfe773dce1bf 100755
--- a/tools/net/ynl/ynl-regen.sh
+++ b/tools/net/ynl/ynl-regen.sh
@@ -21,7 +21,7 @@ files=$(git grep --files-with-matches '^/\* YNL-GEN \(kernel\|uapi\|user\)')
for f in $files; do
# params: 0 1 2 3
# $YAML YNL-GEN kernel $mode
- params=( $(git grep -B1 -h '/\* YNL-GEN' $f | sed 's@/\*\(.*\)\*/@\1@') )
+ params=( $(git grep --no-line-number -B1 -h '/\* YNL-GEN' $f | sed 's@/\*\(.*\)\*/@\1@') )
args=$(sed -n 's@/\* YNL-ARG \(.*\) \*/@\1@p' $f)
if [ $f -nt ${params[0]} -a -z "$force" ]; then
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 034/169] fou: Dont allow 0 for FOU_ATTR_IPPROTO.
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 033/169] tools: ynl: Specify --no-line-number in ynl-regen.sh Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 035/169] veth: fix data race in veth_get_ethtool_stats Greg Kroah-Hartman
` (148 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Eric Dumazet,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 ]
fou_udp_recv() has the same problem mentioned in the previous
patch.
If FOU_ATTR_IPPROTO is set to 0, skb is not freed by
fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu().
Let's forbid 0 for FOU_ATTR_IPPROTO.
Fixes: 23461551c0062 ("fou: Support for foo-over-udp RX path")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260115172533.693652-4-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/netlink/specs/fou.yaml | 2 ++
net/ipv4/fou_nl.c | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml
index 0af5ab842c04d..91721ee406413 100644
--- a/Documentation/netlink/specs/fou.yaml
+++ b/Documentation/netlink/specs/fou.yaml
@@ -39,6 +39,8 @@ attribute-sets:
-
name: ipproto
type: u8
+ checks:
+ min: 1
-
name: type
type: u8
diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c
index 98b90107b5abc..bbd955f4c9d19 100644
--- a/net/ipv4/fou_nl.c
+++ b/net/ipv4/fou_nl.c
@@ -14,7 +14,7 @@
const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = {
[FOU_ATTR_PORT] = { .type = NLA_U16, },
[FOU_ATTR_AF] = { .type = NLA_U8, },
- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, },
+ [FOU_ATTR_IPPROTO] = NLA_POLICY_MIN(NLA_U8, 1),
[FOU_ATTR_TYPE] = { .type = NLA_U8, },
[FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, },
[FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, },
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 035/169] veth: fix data race in veth_get_ethtool_stats
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 034/169] fou: Dont allow 0 for FOU_ATTR_IPPROTO Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:21 ` [PATCH 6.12 036/169] l2tp: avoid one data-race in l2tp_tunnel_del_work() Greg Kroah-Hartman
` (147 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Yang, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Yang <mmyangfl@gmail.com>
[ Upstream commit b47adaab8b3d443868096bac08fdbb3d403194ba ]
In veth_get_ethtool_stats(), some statistics protected by
u64_stats_sync, are read and accumulated in ignorance of possible
u64_stats_fetch_retry() events. These statistics, peer_tq_xdp_xmit and
peer_tq_xdp_xmit_err, are already accumulated by veth_xdp_xmit(). Fix
this by reading them into a temporary buffer first.
Fixes: 5fe6e56776ba ("veth: rely on peer veth_rq for ndo_xdp_xmit accounting")
Signed-off-by: David Yang <mmyangfl@gmail.com>
Link: https://patch.msgid.link/20260114122450.227982-1-mmyangfl@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/veth.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/veth.c b/drivers/net/veth.c
index 4ff0d4232914f..77e4b0d1ca557 100644
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -227,16 +227,20 @@ static void veth_get_ethtool_stats(struct net_device *dev,
const struct veth_rq_stats *rq_stats = &rcv_priv->rq[i].stats;
const void *base = (void *)&rq_stats->vs;
unsigned int start, tx_idx = idx;
+ u64 buf[VETH_TQ_STATS_LEN];
size_t offset;
- tx_idx += (i % dev->real_num_tx_queues) * VETH_TQ_STATS_LEN;
do {
start = u64_stats_fetch_begin(&rq_stats->syncp);
for (j = 0; j < VETH_TQ_STATS_LEN; j++) {
offset = veth_tq_stats_desc[j].offset;
- data[tx_idx + j] += *(u64 *)(base + offset);
+ buf[j] = *(u64 *)(base + offset);
}
} while (u64_stats_fetch_retry(&rq_stats->syncp, start));
+
+ tx_idx += (i % dev->real_num_tx_queues) * VETH_TQ_STATS_LEN;
+ for (j = 0; j < VETH_TQ_STATS_LEN; j++)
+ data[tx_idx + j] += buf[j];
}
pp_idx = idx + dev->real_num_tx_queues * VETH_TQ_STATS_LEN;
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 036/169] l2tp: avoid one data-race in l2tp_tunnel_del_work()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 035/169] veth: fix data race in veth_get_ethtool_stats Greg Kroah-Hartman
@ 2026-01-28 15:21 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 037/169] ipvlan: Make the addrs_lock be per port Greg Kroah-Hartman
` (146 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7312e82745f7fa2526db,
Eric Dumazet, James Chapman, Guillaume Nault, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf ]
We should read sk->sk_socket only when dealing with kernel sockets.
syzbot reported the following data-race:
BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release
write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:
sk_set_socket include/net/sock.h:2092 [inline]
sock_orphan include/net/sock.h:2118 [inline]
sk_common_release+0xae/0x230 net/core/sock.c:4003
udp_lib_close+0x15/0x20 include/net/udp.h:325
inet_release+0xce/0xf0 net/ipv4/af_inet.c:437
__sock_release net/socket.c:662 [inline]
sock_close+0x6b/0x150 net/socket.c:1455
__fput+0x29b/0x650 fs/file_table.c:468
____fput+0x1c/0x30 fs/file_table.c:496
task_work_run+0x131/0x1a0 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:
l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
worker_thread+0x582/0x770 kernel/workqueue.c:3421
kthread+0x489/0x510 kernel/kthread.c:463
ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
value changed: 0xffff88811b818000 -> 0x0000000000000000
Fixes: d00fa9adc528 ("l2tp: fix races with tunnel socket close")
Reported-by: syzbot+7312e82745f7fa2526db@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6968b029.050a0220.58bed.0016.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: James Chapman <jchapman@katalix.com>
Reviewed-by: Guillaume Nault <gnault@redhat.com>
Link: https://patch.msgid.link/20260115092139.3066180-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/l2tp/l2tp_core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 61fe27d71c230..95060ff7adc5f 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1416,8 +1416,6 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
{
struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel,
del_work);
- struct sock *sk = tunnel->sock;
- struct socket *sock = sk->sk_socket;
l2tp_tunnel_closeall(tunnel);
@@ -1425,6 +1423,8 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
* the sk API to release it here.
*/
if (tunnel->fd < 0) {
+ struct socket *sock = tunnel->sock->sk_socket;
+
if (sock) {
kernel_sock_shutdown(sock, SHUT_RDWR);
sock_release(sock);
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 037/169] ipvlan: Make the addrs_lock be per port
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-01-28 15:21 ` [PATCH 6.12 036/169] l2tp: avoid one data-race in l2tp_tunnel_del_work() Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 038/169] octeontx2: cn10k: fix RX flowid TCAM mask handling Greg Kroah-Hartman
` (145 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Skorodumov, Paolo Abeni,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Skorodumov <dskr99@gmail.com>
[ Upstream commit d3ba32162488283c0a4c5bedd8817aec91748802 ]
Make the addrs_lock be per port, not per ipvlan dev.
Initial code seems to be written in the assumption,
that any address change must occur under RTNL.
But it is not so for the case of IPv6. So
1) Introduce per-port addrs_lock.
2) It was needed to fix places where it was forgotten
to take lock (ipvlan_open/ipvlan_close)
This appears to be a very minor problem though.
Since it's highly unlikely that ipvlan_add_addr() will
be called on 2 CPU simultaneously. But nevertheless,
this could cause:
1) False-negative of ipvlan_addr_busy(): one interface
iterated through all port->ipvlans + ipvlan->addrs
under some ipvlan spinlock, and another added IP
under its own lock. Though this is only possible
for IPv6, since looks like only ipvlan_addr6_event() can be
called without rtnl_lock.
2) Race since ipvlan_ht_addr_add(port) is called under
different ipvlan->addrs_lock locks
This should not affect performance, since add/remove IP
is a rare situation and spinlock is not taken on fast
paths.
Fixes: 8230819494b3 ("ipvlan: use per device spinlock to protect addrs list updates")
Signed-off-by: Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
Reviewed-by: Paolo Abeni <pabeni@redhat.com>
Link: https://patch.msgid.link/20260112142417.4039566-2-skorodumov.dmitry@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ipvlan/ipvlan.h | 2 +-
drivers/net/ipvlan/ipvlan_core.c | 16 +++++------
drivers/net/ipvlan/ipvlan_main.c | 49 +++++++++++++++++++-------------
3 files changed, 37 insertions(+), 30 deletions(-)
diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h
index 025e0c19ec255..fce3ced90bd3d 100644
--- a/drivers/net/ipvlan/ipvlan.h
+++ b/drivers/net/ipvlan/ipvlan.h
@@ -69,7 +69,6 @@ struct ipvl_dev {
DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE);
netdev_features_t sfeatures;
u32 msg_enable;
- spinlock_t addrs_lock;
};
struct ipvl_addr {
@@ -90,6 +89,7 @@ struct ipvl_port {
struct net_device *dev;
possible_net_t pnet;
struct hlist_head hlhead[IPVLAN_HASH_SIZE];
+ spinlock_t addrs_lock; /* guards hash-table and addrs */
struct list_head ipvlans;
u16 mode;
u16 flags;
diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
index 83bd65a227709..268ea41a17d52 100644
--- a/drivers/net/ipvlan/ipvlan_core.c
+++ b/drivers/net/ipvlan/ipvlan_core.c
@@ -107,17 +107,15 @@ void ipvlan_ht_addr_del(struct ipvl_addr *addr)
struct ipvl_addr *ipvlan_find_addr(const struct ipvl_dev *ipvlan,
const void *iaddr, bool is_v6)
{
- struct ipvl_addr *addr, *ret = NULL;
+ struct ipvl_addr *addr;
- rcu_read_lock();
- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) {
- if (addr_equal(is_v6, addr, iaddr)) {
- ret = addr;
- break;
- }
+ assert_spin_locked(&ipvlan->port->addrs_lock);
+
+ list_for_each_entry(addr, &ipvlan->addrs, anode) {
+ if (addr_equal(is_v6, addr, iaddr))
+ return addr;
}
- rcu_read_unlock();
- return ret;
+ return NULL;
}
bool ipvlan_addr_busy(struct ipvl_port *port, void *iaddr, bool is_v6)
diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
index ee2c3cf4df365..bce52c743f0e8 100644
--- a/drivers/net/ipvlan/ipvlan_main.c
+++ b/drivers/net/ipvlan/ipvlan_main.c
@@ -74,6 +74,7 @@ static int ipvlan_port_create(struct net_device *dev)
for (idx = 0; idx < IPVLAN_HASH_SIZE; idx++)
INIT_HLIST_HEAD(&port->hlhead[idx]);
+ spin_lock_init(&port->addrs_lock);
skb_queue_head_init(&port->backlog);
INIT_WORK(&port->wq, ipvlan_process_multicast);
ida_init(&port->ida);
@@ -180,6 +181,7 @@ static void ipvlan_uninit(struct net_device *dev)
static int ipvlan_open(struct net_device *dev)
{
struct ipvl_dev *ipvlan = netdev_priv(dev);
+ struct ipvl_port *port = ipvlan->port;
struct ipvl_addr *addr;
if (ipvlan->port->mode == IPVLAN_MODE_L3 ||
@@ -188,10 +190,10 @@ static int ipvlan_open(struct net_device *dev)
else
dev->flags &= ~IFF_NOARP;
- rcu_read_lock();
- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
+ spin_lock_bh(&port->addrs_lock);
+ list_for_each_entry(addr, &ipvlan->addrs, anode)
ipvlan_ht_addr_add(ipvlan, addr);
- rcu_read_unlock();
+ spin_unlock_bh(&port->addrs_lock);
return 0;
}
@@ -205,10 +207,10 @@ static int ipvlan_stop(struct net_device *dev)
dev_uc_unsync(phy_dev, dev);
dev_mc_unsync(phy_dev, dev);
- rcu_read_lock();
- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
+ spin_lock_bh(&ipvlan->port->addrs_lock);
+ list_for_each_entry(addr, &ipvlan->addrs, anode)
ipvlan_ht_addr_del(addr);
- rcu_read_unlock();
+ spin_unlock_bh(&ipvlan->port->addrs_lock);
return 0;
}
@@ -576,7 +578,6 @@ int ipvlan_link_new(struct net *src_net, struct net_device *dev,
if (!tb[IFLA_MTU])
ipvlan_adjust_mtu(ipvlan, phy_dev);
INIT_LIST_HEAD(&ipvlan->addrs);
- spin_lock_init(&ipvlan->addrs_lock);
/* TODO Probably put random address here to be presented to the
* world but keep using the physical-dev address for the outgoing
@@ -654,13 +655,13 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head)
struct ipvl_dev *ipvlan = netdev_priv(dev);
struct ipvl_addr *addr, *next;
- spin_lock_bh(&ipvlan->addrs_lock);
+ spin_lock_bh(&ipvlan->port->addrs_lock);
list_for_each_entry_safe(addr, next, &ipvlan->addrs, anode) {
ipvlan_ht_addr_del(addr);
list_del_rcu(&addr->anode);
kfree_rcu(addr, rcu);
}
- spin_unlock_bh(&ipvlan->addrs_lock);
+ spin_unlock_bh(&ipvlan->port->addrs_lock);
ida_free(&ipvlan->port->ida, dev->dev_id);
list_del_rcu(&ipvlan->pnode);
@@ -808,6 +809,8 @@ static int ipvlan_add_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6)
{
struct ipvl_addr *addr;
+ assert_spin_locked(&ipvlan->port->addrs_lock);
+
addr = kzalloc(sizeof(struct ipvl_addr), GFP_ATOMIC);
if (!addr)
return -ENOMEM;
@@ -838,16 +841,16 @@ static void ipvlan_del_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6)
{
struct ipvl_addr *addr;
- spin_lock_bh(&ipvlan->addrs_lock);
+ spin_lock_bh(&ipvlan->port->addrs_lock);
addr = ipvlan_find_addr(ipvlan, iaddr, is_v6);
if (!addr) {
- spin_unlock_bh(&ipvlan->addrs_lock);
+ spin_unlock_bh(&ipvlan->port->addrs_lock);
return;
}
ipvlan_ht_addr_del(addr);
list_del_rcu(&addr->anode);
- spin_unlock_bh(&ipvlan->addrs_lock);
+ spin_unlock_bh(&ipvlan->port->addrs_lock);
kfree_rcu(addr, rcu);
}
@@ -869,14 +872,14 @@ static int ipvlan_add_addr6(struct ipvl_dev *ipvlan, struct in6_addr *ip6_addr)
{
int ret = -EINVAL;
- spin_lock_bh(&ipvlan->addrs_lock);
+ spin_lock_bh(&ipvlan->port->addrs_lock);
if (ipvlan_addr_busy(ipvlan->port, ip6_addr, true))
netif_err(ipvlan, ifup, ipvlan->dev,
"Failed to add IPv6=%pI6c addr for %s intf\n",
ip6_addr, ipvlan->dev->name);
else
ret = ipvlan_add_addr(ipvlan, ip6_addr, true);
- spin_unlock_bh(&ipvlan->addrs_lock);
+ spin_unlock_bh(&ipvlan->port->addrs_lock);
return ret;
}
@@ -915,21 +918,24 @@ static int ipvlan_addr6_validator_event(struct notifier_block *unused,
struct in6_validator_info *i6vi = (struct in6_validator_info *)ptr;
struct net_device *dev = (struct net_device *)i6vi->i6vi_dev->dev;
struct ipvl_dev *ipvlan = netdev_priv(dev);
+ int ret = NOTIFY_OK;
if (!ipvlan_is_valid_dev(dev))
return NOTIFY_DONE;
switch (event) {
case NETDEV_UP:
+ spin_lock_bh(&ipvlan->port->addrs_lock);
if (ipvlan_addr_busy(ipvlan->port, &i6vi->i6vi_addr, true)) {
NL_SET_ERR_MSG(i6vi->extack,
"Address already assigned to an ipvlan device");
- return notifier_from_errno(-EADDRINUSE);
+ ret = notifier_from_errno(-EADDRINUSE);
}
+ spin_unlock_bh(&ipvlan->port->addrs_lock);
break;
}
- return NOTIFY_OK;
+ return ret;
}
#endif
@@ -937,14 +943,14 @@ static int ipvlan_add_addr4(struct ipvl_dev *ipvlan, struct in_addr *ip4_addr)
{
int ret = -EINVAL;
- spin_lock_bh(&ipvlan->addrs_lock);
+ spin_lock_bh(&ipvlan->port->addrs_lock);
if (ipvlan_addr_busy(ipvlan->port, ip4_addr, false))
netif_err(ipvlan, ifup, ipvlan->dev,
"Failed to add IPv4=%pI4 on %s intf.\n",
ip4_addr, ipvlan->dev->name);
else
ret = ipvlan_add_addr(ipvlan, ip4_addr, false);
- spin_unlock_bh(&ipvlan->addrs_lock);
+ spin_unlock_bh(&ipvlan->port->addrs_lock);
return ret;
}
@@ -986,21 +992,24 @@ static int ipvlan_addr4_validator_event(struct notifier_block *unused,
struct in_validator_info *ivi = (struct in_validator_info *)ptr;
struct net_device *dev = (struct net_device *)ivi->ivi_dev->dev;
struct ipvl_dev *ipvlan = netdev_priv(dev);
+ int ret = NOTIFY_OK;
if (!ipvlan_is_valid_dev(dev))
return NOTIFY_DONE;
switch (event) {
case NETDEV_UP:
+ spin_lock_bh(&ipvlan->port->addrs_lock);
if (ipvlan_addr_busy(ipvlan->port, &ivi->ivi_addr, false)) {
NL_SET_ERR_MSG(ivi->extack,
"Address already assigned to an ipvlan device");
- return notifier_from_errno(-EADDRINUSE);
+ ret = notifier_from_errno(-EADDRINUSE);
}
+ spin_unlock_bh(&ipvlan->port->addrs_lock);
break;
}
- return NOTIFY_OK;
+ return ret;
}
static struct notifier_block ipvlan_addr4_notifier_block __read_mostly = {
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 038/169] octeontx2: cn10k: fix RX flowid TCAM mask handling
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 037/169] ipvlan: Make the addrs_lock be per port Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 039/169] net/sched: Enforce that teql can only be used as root qdisc Greg Kroah-Hartman
` (144 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Subbaraya Sundeep,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit ab9b218a1521133a4410722907fa7189566be9bc ]
The RX flowid programming initializes the TCAM mask to all ones, but
then overwrites it when clearing the MAC DA mask bits. This results
in losing the intended initialization and may affect other match fields.
Update the code to clear the MAC DA bits using an AND operation, making
the handling of mask[0] consistent with mask[1], where the field-specific
bits are cleared after initializing the mask to ~0ULL.
Fixes: 57d00d4364f3 ("octeontx2-pf: mcs: Match macsec ethertype along with DMAC")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Subbaraya Sundeep <sbhatta@marvell.com>
Link: https://patch.msgid.link/20260116164724.2733511-1-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
index 74953f67a2bf9..3af58bc9f533c 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
@@ -330,7 +330,7 @@ static int cn10k_mcs_write_rx_flowid(struct otx2_nic *pfvf,
req->data[0] = FIELD_PREP(MCS_TCAM0_MAC_DA_MASK, mac_da);
req->mask[0] = ~0ULL;
- req->mask[0] = ~MCS_TCAM0_MAC_DA_MASK;
+ req->mask[0] &= ~MCS_TCAM0_MAC_DA_MASK;
req->data[1] = FIELD_PREP(MCS_TCAM1_ETYPE_MASK, ETH_P_MACSEC);
req->mask[1] = ~0ULL;
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 039/169] net/sched: Enforce that teql can only be used as root qdisc
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 038/169] octeontx2: cn10k: fix RX flowid TCAM mask handling Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 040/169] net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag Greg Kroah-Hartman
` (143 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, GangMin Kim, Victor Nogueira,
Jamal Hadi Salim, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit 50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b ]
Design intent of teql is that it is only supposed to be used as root qdisc.
We need to check for that constraint.
Although not important, I will describe the scenario that unearthed this
issue for the curious.
GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows:
ROOT qdisc 1:0 (QFQ)
├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s
└── class 1:2 (weight=1, lmax=1514) teql
GangMin sends a packet which is enqueued to 1:1 (netem).
Any invocation of dequeue by QFQ from this class will not return a packet
until after 6.4s. In the meantime, a second packet is sent and it lands on
1:2. teql's enqueue will return success and this will activate class 1:2.
Main issue is that teql only updates the parent visible qlen (sch->q.qlen)
at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's
peek always returns NULL), dequeue will never be called and thus the qlen
will remain as 0. With that in mind, when GangMin updates 1:2's lmax value,
the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's
qlen was not incremented, qfq fails to deactivate the class, but still
frees its pointers from the aggregate. So when the first packet is
rescheduled after 6.4 seconds (netem's delay), a dangling pointer is
accessed causing GangMin's causing a UAF.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: GangMin Kim <km.kim1503@gmail.com>
Tested-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260114160243.913069-2-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_teql.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
index 8badec6d82a24..6e4bdaa876ed6 100644
--- a/net/sched/sch_teql.c
+++ b/net/sched/sch_teql.c
@@ -178,6 +178,11 @@ static int teql_qdisc_init(struct Qdisc *sch, struct nlattr *opt,
if (m->dev == dev)
return -ELOOP;
+ if (sch->parent != TC_H_ROOT) {
+ NL_SET_ERR_MSG_MOD(extack, "teql can only be used as root");
+ return -EOPNOTSUPP;
+ }
+
q->m = m;
skb_queue_head_init(&q->q);
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 040/169] net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 039/169] net/sched: Enforce that teql can only be used as root qdisc Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 041/169] crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec Greg Kroah-Hartman
` (142 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jamal Hadi Salim, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit d837fbee92453fbb829f950c8e7cf76207d73f33 ]
This is more of a preventive patch to make the code more consistent and
to prevent possible exploits that employ child qlen manipulations on qfq.
use cl_is_active instead of relying on the child qdisc's qlen to determine
class activation.
Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260114160243.913069-3-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_qfq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
index d8dabc1a620bd..c7c8e8dde31d1 100644
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -373,7 +373,7 @@ static void qfq_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
/* Deschedule class and remove it from its parent aggregate. */
static void qfq_deact_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
{
- if (cl->qdisc->q.qlen > 0) /* class is active */
+ if (cl_is_active(cl)) /* class is active */
qfq_deactivate_class(q, cl);
qfq_rm_from_agg(q, cl);
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 041/169] crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 040/169] net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 042/169] wifi: mac80211: dont perform DA check on S1G beacon Greg Kroah-Hartman
` (141 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Taeyang Lee, Herbert Xu, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Taeyang Lee <0wn@theori.io>
[ Upstream commit 2397e9264676be7794f8f7f1e9763d90bd3c7335 ]
authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
the minimum expected length, crypto_authenc_esn_decrypt() can advance past
the end of the destination scatterlist and trigger a NULL pointer dereference
in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).
Add a minimum AAD length check to fail fast on invalid inputs.
Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface")
Reported-By: Taeyang Lee <0wn@theori.io>
Signed-off-by: Taeyang Lee <0wn@theori.io>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/authencesn.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/crypto/authencesn.c b/crypto/authencesn.c
index 2cc933e2f7901..e08032e80f188 100644
--- a/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -185,6 +185,9 @@ static int crypto_authenc_esn_encrypt(struct aead_request *req)
struct scatterlist *src, *dst;
int err;
+ if (assoclen < 8)
+ return -EINVAL;
+
sg_init_table(areq_ctx->src, 2);
src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
dst = src;
@@ -275,6 +278,9 @@ static int crypto_authenc_esn_decrypt(struct aead_request *req)
u32 tmp[2];
int err;
+ if (assoclen < 8)
+ return -EINVAL;
+
cryptlen -= authsize;
if (req->src != dst) {
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 042/169] wifi: mac80211: dont perform DA check on S1G beacon
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 041/169] crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 043/169] serial: 8250_pci: Fix broken RS485 for F81504/508/512 Greg Kroah-Hartman
` (140 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lachlan Hodges, Johannes Berg,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lachlan Hodges <lachlan.hodges@morsemicro.com>
[ Upstream commit 5dc6975566f5d142ec53eb7e97af688c45dd314d ]
S1G beacons don't contain the DA field as per IEEE80211-2024 9.3.4.3,
so the DA broadcast check reads the SA address of the S1G beacon which
will subsequently lead to the beacon being dropped. As a result, passive
scanning is not possible. Fix this by only performing the check on
non-S1G beacons to allow S1G long beacons to be processed during a
passive scan.
Fixes: ddf82e752f8a ("wifi: mac80211: Allow beacons to update BSS table regardless of scan")
Signed-off-by: Lachlan Hodges <lachlan.hodges@morsemicro.com>
Link: https://patch.msgid.link/20260120031122.309942-1-lachlan.hodges@morsemicro.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/scan.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index ce6d5857214eb..8675d2e99c564 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -327,8 +327,13 @@ void ieee80211_scan_rx(struct ieee80211_local *local, struct sk_buff *skb)
mgmt->da))
return;
} else {
- /* Beacons are expected only with broadcast address */
- if (!is_broadcast_ether_addr(mgmt->da))
+ /*
+ * Non-S1G beacons are expected only with broadcast address.
+ * S1G beacons only carry the SA so no DA check is required
+ * nor possible.
+ */
+ if (!ieee80211_is_s1g_beacon(mgmt->frame_control) &&
+ !is_broadcast_ether_addr(mgmt->da))
return;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 043/169] serial: 8250_pci: Fix broken RS485 for F81504/508/512
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 042/169] wifi: mac80211: dont perform DA check on S1G beacon Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 044/169] comedi: dmm32at: serialize use of paged registers Greg Kroah-Hartman
` (139 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Marnix Rijnart
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marnix Rijnart <marnix.rijnart@iwell.eu>
commit 27aff0a56b3c77ea1a73641c9b3c4172a8f7238f upstream.
Fintek F81504/508/512 can support both RTS_ON_SEND and RTS_AFTER_SEND,
but pci_fintek_rs485_supported only announces the former.
This makes it impossible to unset SER_RS485_RTS_ON_SEND from
userspace because of uart_sanitize_serial_rs485(). Some devices
with these chips need RTS low on TX, so they are effectively broken.
Fix this by announcing the support for SER_RS485_RTS_AFTER_SEND,
similar to commit 068d35a7be65 ("serial: sc16is7xx: announce support
for SER_RS485_RTS_ON_SEND").
Fixes: 4afeced55baa ("serial: core: fix sanitizing check for RTS settings")
Cc: stable <stable@kernel.org>
Signed-off-by: Marnix Rijnart <marnix.rijnart@iwell.eu>
Link: https://patch.msgid.link/20260112000931.61703-1-marnix.rijnart@iwell.eu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -1641,7 +1641,7 @@ static int pci_fintek_rs485_config(struc
}
static const struct serial_rs485 pci_fintek_rs485_supported = {
- .flags = SER_RS485_ENABLED | SER_RS485_RTS_ON_SEND,
+ .flags = SER_RS485_ENABLED | SER_RS485_RTS_ON_SEND | SER_RS485_RTS_AFTER_SEND,
/* F81504/508/512 does not support RTS delay before or after send */
};
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 044/169] comedi: dmm32at: serialize use of paged registers
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 043/169] serial: 8250_pci: Fix broken RS485 for F81504/508/512 Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 045/169] w1: therm: Fix off-by-one buffer overflow in alarms_store Greg Kroah-Hartman
` (138 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Abbott
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit e03b29b55f2b7c345a919a6ee36633b06bf3fb56 upstream.
Some of the hardware registers of the DMM-32-AT board are multiplexed,
using the least significant two bits of the Miscellaneous Control
register to select the function of registers at offsets 12 to 15:
00 => 8254 timer/counter registers are accessible
01 => 8255 digital I/O registers are accessible
10 => Reserved
11 => Calibration registers are accessible
The interrupt service routine (`dmm32at_isr()`) clobbers the bottom two
bits of the register with value 00, which would interfere with access to
the 8255 registers by the `dm32at_8255_io()` function (used for Comedi
instruction handling on the digital I/O subdevice).
Make use of the generic Comedi device spin-lock `dev->spinlock` (which
is otherwise unused by this driver) to serialize access to the
miscellaneous control register and paged registers.
Fixes: 3c501880ac44 ("Staging: comedi: add dmm32at driver")
Cc: stable@vger.kernel.org
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20260112162835.91688-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/dmm32at.c | 32 ++++++++++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
--- a/drivers/comedi/drivers/dmm32at.c
+++ b/drivers/comedi/drivers/dmm32at.c
@@ -330,6 +330,7 @@ static int dmm32at_ai_cmdtest(struct com
static void dmm32at_setaitimer(struct comedi_device *dev, unsigned int nansec)
{
+ unsigned long irq_flags;
unsigned char lo1, lo2, hi2;
unsigned short both2;
@@ -342,6 +343,9 @@ static void dmm32at_setaitimer(struct co
/* set counter clocks to 10MHz, disable all aux dio */
outb(0, dev->iobase + DMM32AT_CTRDIO_CFG_REG);
+ /* serialize access to control register and paged registers */
+ spin_lock_irqsave(&dev->spinlock, irq_flags);
+
/* get access to the clock regs */
outb(DMM32AT_CTRL_PAGE_8254, dev->iobase + DMM32AT_CTRL_REG);
@@ -354,6 +358,8 @@ static void dmm32at_setaitimer(struct co
outb(lo2, dev->iobase + DMM32AT_CLK2);
outb(hi2, dev->iobase + DMM32AT_CLK2);
+ spin_unlock_irqrestore(&dev->spinlock, irq_flags);
+
/* enable the ai conversion interrupt and the clock to start scans */
outb(DMM32AT_INTCLK_ADINT |
DMM32AT_INTCLK_CLKEN | DMM32AT_INTCLK_CLKSEL,
@@ -363,13 +369,19 @@ static void dmm32at_setaitimer(struct co
static int dmm32at_ai_cmd(struct comedi_device *dev, struct comedi_subdevice *s)
{
struct comedi_cmd *cmd = &s->async->cmd;
+ unsigned long irq_flags;
int ret;
dmm32at_ai_set_chanspec(dev, s, cmd->chanlist[0], cmd->chanlist_len);
+ /* serialize access to control register and paged registers */
+ spin_lock_irqsave(&dev->spinlock, irq_flags);
+
/* reset the interrupt just in case */
outb(DMM32AT_CTRL_INTRST, dev->iobase + DMM32AT_CTRL_REG);
+ spin_unlock_irqrestore(&dev->spinlock, irq_flags);
+
/*
* wait for circuit to settle
* we don't have the 'insn' here but it's not needed
@@ -429,8 +441,13 @@ static irqreturn_t dmm32at_isr(int irq,
comedi_handle_events(dev, s);
}
+ /* serialize access to control register and paged registers */
+ spin_lock(&dev->spinlock);
+
/* reset the interrupt */
outb(DMM32AT_CTRL_INTRST, dev->iobase + DMM32AT_CTRL_REG);
+
+ spin_unlock(&dev->spinlock);
return IRQ_HANDLED;
}
@@ -481,14 +498,25 @@ static int dmm32at_ao_insn_write(struct
static int dmm32at_8255_io(struct comedi_device *dev,
int dir, int port, int data, unsigned long regbase)
{
+ unsigned long irq_flags;
+ int ret;
+
+ /* serialize access to control register and paged registers */
+ spin_lock_irqsave(&dev->spinlock, irq_flags);
+
/* get access to the DIO regs */
outb(DMM32AT_CTRL_PAGE_8255, dev->iobase + DMM32AT_CTRL_REG);
if (dir) {
outb(data, dev->iobase + regbase + port);
- return 0;
+ ret = 0;
+ } else {
+ ret = inb(dev->iobase + regbase + port);
}
- return inb(dev->iobase + regbase + port);
+
+ spin_unlock_irqrestore(&dev->spinlock, irq_flags);
+
+ return ret;
}
/* Make sure the board is there and put it to a known state */
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 045/169] w1: therm: Fix off-by-one buffer overflow in alarms_store
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 044/169] comedi: dmm32at: serialize use of paged registers Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 046/169] w1: fix redundant counter decrement in w1_attach_slave_device() Greg Kroah-Hartman
` (137 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Krzysztof Kozlowski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 761fcf46a1bd797bd32d23f3ea0141ffd437668a upstream.
The sysfs buffer passed to alarms_store() is allocated with 'size + 1'
bytes and a NUL terminator is appended. However, the 'size' argument
does not account for this extra byte. The original code then allocated
'size' bytes and used strcpy() to copy 'buf', which always writes one
byte past the allocated buffer since strcpy() copies until the NUL
terminator at index 'size'.
Fix this by parsing the 'buf' parameter directly using simple_strtoll()
without allocating any intermediate memory or string copying. This
removes the overflow while simplifying the code.
Cc: stable@vger.kernel.org
Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Link: https://patch.msgid.link/20251216145007.44328-2-thorsten.blum@linux.dev
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/w1/slaves/w1_therm.c | 60 +++++++++++++------------------------------
1 file changed, 19 insertions(+), 41 deletions(-)
--- a/drivers/w1/slaves/w1_therm.c
+++ b/drivers/w1/slaves/w1_therm.c
@@ -1846,53 +1846,35 @@ static ssize_t alarms_store(struct devic
struct w1_slave *sl = dev_to_w1_slave(device);
struct therm_info info;
u8 new_config_register[3]; /* array of data to be written */
- int temp, ret;
- char *token = NULL;
+ long long temp;
+ int ret = 0;
s8 tl, th; /* 1 byte per value + temp ring order */
- char *p_args, *orig;
+ const char *p = buf;
+ char *endp;
- p_args = orig = kmalloc(size, GFP_KERNEL);
- /* Safe string copys as buf is const */
- if (!p_args) {
- dev_warn(device,
- "%s: error unable to allocate memory %d\n",
- __func__, -ENOMEM);
- return size;
- }
- strcpy(p_args, buf);
-
- /* Split string using space char */
- token = strsep(&p_args, " ");
-
- if (!token) {
- dev_info(device,
- "%s: error parsing args %d\n", __func__, -EINVAL);
- goto free_m;
- }
-
- /* Convert 1st entry to int */
- ret = kstrtoint (token, 10, &temp);
+ temp = simple_strtoll(p, &endp, 10);
+ if (p == endp || *endp != ' ')
+ ret = -EINVAL;
+ else if (temp < INT_MIN || temp > INT_MAX)
+ ret = -ERANGE;
if (ret) {
dev_info(device,
"%s: error parsing args %d\n", __func__, ret);
- goto free_m;
+ return size;
}
tl = int_to_short(temp);
- /* Split string using space char */
- token = strsep(&p_args, " ");
- if (!token) {
- dev_info(device,
- "%s: error parsing args %d\n", __func__, -EINVAL);
- goto free_m;
- }
- /* Convert 2nd entry to int */
- ret = kstrtoint (token, 10, &temp);
+ p = endp + 1;
+ temp = simple_strtoll(p, &endp, 10);
+ if (p == endp)
+ ret = -EINVAL;
+ else if (temp < INT_MIN || temp > INT_MAX)
+ ret = -ERANGE;
if (ret) {
dev_info(device,
"%s: error parsing args %d\n", __func__, ret);
- goto free_m;
+ return size;
}
/* Prepare to cast to short by eliminating out of range values */
@@ -1915,7 +1897,7 @@ static ssize_t alarms_store(struct devic
dev_info(device,
"%s: error reading from the slave device %d\n",
__func__, ret);
- goto free_m;
+ return size;
}
/* Write data in the device RAM */
@@ -1923,7 +1905,7 @@ static ssize_t alarms_store(struct devic
dev_info(device,
"%s: Device not supported by the driver %d\n",
__func__, -ENODEV);
- goto free_m;
+ return size;
}
ret = SLAVE_SPECIFIC_FUNC(sl)->write_data(sl, new_config_register);
@@ -1932,10 +1914,6 @@ static ssize_t alarms_store(struct devic
"%s: error writing to the slave device %d\n",
__func__, ret);
-free_m:
- /* free allocated memory */
- kfree(orig);
-
return size;
}
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 046/169] w1: fix redundant counter decrement in w1_attach_slave_device()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 045/169] w1: therm: Fix off-by-one buffer overflow in alarms_store Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 047/169] Revert "nfc/nci: Add the inconsistency check between the input data length and count" Greg Kroah-Hartman
` (136 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Krzysztof Kozlowski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit cc8f92e41eb76f450f05234fef2054afc3633100 upstream.
In w1_attach_slave_device(), if __w1_attach_slave_device() fails,
put_device() -> w1_slave_release() is called to do the cleanup job.
In w1_slave_release(), sl->family->refcnt and sl->master->slave_count
have already been decremented. There is no need to decrement twice
in w1_attach_slave_device().
Fixes: 2c927c0c73fd ("w1: Fix slave count on 1-Wire bus (resend)")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Link: https://patch.msgid.link/20251218111414.564403-1-lihaoxiang@isrc.iscas.ac.cn
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/w1/w1.c | 2 --
1 file changed, 2 deletions(-)
--- a/drivers/w1/w1.c
+++ b/drivers/w1/w1.c
@@ -758,8 +758,6 @@ int w1_attach_slave_device(struct w1_mas
if (err < 0) {
dev_err(&dev->dev, "%s: Attaching %s failed.\n", __func__,
sl->name);
- dev->slave_count--;
- w1_family_put(sl->family);
atomic_dec(&sl->master->refcnt);
kfree(sl);
return err;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 047/169] Revert "nfc/nci: Add the inconsistency check between the input data length and count"
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 046/169] w1: fix redundant counter decrement in w1_attach_slave_device() Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 048/169] Input: i8042 - add quirks for MECHREVO Wujie 15X Pro Greg Kroah-Hartman
` (135 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
commit f40ddcc0c0ca1a0122a7f4440b429f97d5832bdf upstream.
This reverts commit 068648aab72c9ba7b0597354ef4d81ffaac7b979.
NFC packets may have NUL-bytes. Checking for string length is not a correct
assumption here. As long as there is a check for the length copied from
copy_from_user, all should be fine.
The fix only prevented the syzbot reproducer from triggering the bug
because the packet is not enqueued anymore and the code that triggers the
bug is not exercised.
The fix even broke
testing/selftests/nci/nci_dev, making all tests there fail. After the
revert, 6 out of 8 tests pass.
Fixes: 068648aab72c ("nfc/nci: Add the inconsistency check between the input data length and count")
Cc: stable@vger.kernel.org
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Link: https://patch.msgid.link/20260113202458.449455-1-cascardo@igalia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nfc/virtual_ncidev.c | 4 ----
1 file changed, 4 deletions(-)
--- a/drivers/nfc/virtual_ncidev.c
+++ b/drivers/nfc/virtual_ncidev.c
@@ -125,10 +125,6 @@ static ssize_t virtual_ncidev_write(stru
kfree_skb(skb);
return -EFAULT;
}
- if (strnlen(skb->data, count) != count) {
- kfree_skb(skb);
- return -EINVAL;
- }
nci_recv_frame(vdev->ndev, skb);
return count;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 048/169] Input: i8042 - add quirks for MECHREVO Wujie 15X Pro
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 047/169] Revert "nfc/nci: Add the inconsistency check between the input data length and count" Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 049/169] Input: i8042 - add quirk for ASUS Zenbook UX425QA_UM425QA Greg Kroah-Hartman
` (134 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, gongqi, Dmitry Torokhov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: gongqi <550230171hxy@gmail.com>
commit 19a5d9ba6208e9006a2a9d5962aea4d6e427d8ab upstream.
The MECHREVO Wujie 15X Pro requires several i8042 quirks to function
correctly. Specifically, NOMUX, RESET_ALWAYS, NOLOOP, and NOPNP are
needed to ensure the keyboard and touchpad work reliably.
Signed-off-by: gongqi <550230171hxy@gmail.com>
Link: https://patch.msgid.link/20260122155501.376199-3-550230171hxy@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/serio/i8042-acpipnpio.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/input/serio/i8042-acpipnpio.h
+++ b/drivers/input/serio/i8042-acpipnpio.h
@@ -1176,6 +1176,13 @@ static const struct dmi_system_id i8042_
.driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
},
+ {
+ .matches = {
+ DMI_MATCH(DMI_BOARD_NAME, "WUJIE Series-X5SP4NAG"),
+ },
+ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
+ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
+ },
/*
* A lot of modern Clevo barebones have touchpad and/or keyboard issues
* after suspend fixable with the forcenorestore quirk.
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 049/169] Input: i8042 - add quirk for ASUS Zenbook UX425QA_UM425QA
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 048/169] Input: i8042 - add quirks for MECHREVO Wujie 15X Pro Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 050/169] scsi: storvsc: Process unsupported MODE_SENSE_10 Greg Kroah-Hartman
` (133 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, feng, Dmitry Torokhov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: feng <alec.jiang@gmail.com>
commit 2934325f56150ad8dab8ab92cbe2997242831396 upstream.
The ASUS Zenbook UX425QA_UM425QA fails to initialize the keyboard after
a cold boot.
A quirk already exists for "ZenBook UX425", but some Zenbooks report
"Zenbook" with a lowercase 'b'. Since DMI matching is case-sensitive,
the existing quirk is not applied to these "extra special" Zenbooks.
Testing confirms that this model needs the same quirks as the ZenBook
UX425 variants.
Signed-off-by: feng <alec.jiang@gmail.com>
Link: https://patch.msgid.link/20260122013957.11184-1-alec.jiang@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/serio/i8042-acpipnpio.h | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/input/serio/i8042-acpipnpio.h
+++ b/drivers/input/serio/i8042-acpipnpio.h
@@ -116,6 +116,17 @@ static const struct dmi_system_id i8042_
.driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_NEVER)
},
{
+ /*
+ * ASUS Zenbook UX425QA_UM425QA
+ * Some Zenbooks report "Zenbook" with a lowercase b.
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Zenbook UX425QA_UM425QA"),
+ },
+ .driver_data = (void *)(SERIO_QUIRK_PROBE_DEFER | SERIO_QUIRK_RESET_NEVER)
+ },
+ {
/* ASUS ZenBook UX425UA/QA */
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 050/169] scsi: storvsc: Process unsupported MODE_SENSE_10
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 049/169] Input: i8042 - add quirk for ASUS Zenbook UX425QA_UM425QA Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 051/169] scsi: xen: scsiback: Fix potential memory leak in scsiback_remove() Greg Kroah-Hartman
` (132 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Long Li, Michael Kelley,
Martin K. Petersen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <longli@microsoft.com>
commit 9eacec5d18f98f89be520eeeef4b377acee3e4b8 upstream.
The Hyper-V host does not support MODE_SENSE_10 and MODE_SENSE. The
driver handles MODE_SENSE as unsupported command, but not for
MODE_SENSE_10. Add MODE_SENSE_10 to the same handling logic and return
correct code to SCSI layer.
Fixes: 89ae7d709357 ("Staging: hv: storvsc: Move the storage driver out of the staging area")
Cc: stable@kernel.org
Signed-off-by: Long Li <longli@microsoft.com>
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Link: https://patch.msgid.link/20260117010302.294068-1-longli@linux.microsoft.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/storvsc_drv.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1145,7 +1145,7 @@ static void storvsc_on_io_completion(str
* The current SCSI handling on the host side does
* not correctly handle:
* INQUIRY command with page code parameter set to 0x80
- * MODE_SENSE command with cmd[2] == 0x1c
+ * MODE_SENSE and MODE_SENSE_10 command with cmd[2] == 0x1c
* MAINTENANCE_IN is not supported by HyperV FC passthrough
*
* Setup srb and scsi status so this won't be fatal.
@@ -1155,6 +1155,7 @@ static void storvsc_on_io_completion(str
if ((stor_pkt->vm_srb.cdb[0] == INQUIRY) ||
(stor_pkt->vm_srb.cdb[0] == MODE_SENSE) ||
+ (stor_pkt->vm_srb.cdb[0] == MODE_SENSE_10) ||
(stor_pkt->vm_srb.cdb[0] == MAINTENANCE_IN &&
hv_dev_is_fc(device))) {
vstor_packet->vm_srb.scsi_status = 0;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 051/169] scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 050/169] scsi: storvsc: Process unsupported MODE_SENSE_10 Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 052/169] arm64: dts: rockchip: remove dangerous max-link-speed from helios64 Greg Kroah-Hartman
` (131 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Juergen Gross,
Martin K. Petersen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
commit 901a5f309daba412e2a30364d7ec1492fa11c32c upstream.
Memory allocated for struct vscsiblk_info in scsiback_probe() is not
freed in scsiback_remove() leading to potential memory leaks on remove,
as well as in the scsiback_probe() error paths. Fix that by freeing it
in scsiback_remove().
Cc: stable@vger.kernel.org
Fixes: d9d660f6e562 ("xen-scsiback: Add Xen PV SCSI backend driver")
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Reviewed-by: Juergen Gross <jgross@suse.com>
Link: https://patch.msgid.link/20251223063012.119035-1-nihaal@cse.iitm.ac.in
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/xen/xen-scsiback.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/xen/xen-scsiback.c
+++ b/drivers/xen/xen-scsiback.c
@@ -1262,6 +1262,7 @@ static void scsiback_remove(struct xenbu
gnttab_page_cache_shrink(&info->free_pages, 0);
dev_set_drvdata(&dev->dev, NULL);
+ kfree(info);
}
static int scsiback_probe(struct xenbus_device *dev,
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 052/169] arm64: dts: rockchip: remove dangerous max-link-speed from helios64
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 051/169] scsi: xen: scsiback: Fix potential memory leak in scsiback_remove() Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 053/169] arm64: dts: rockchip: Fix voltage threshold for volume keys for Pinephone Pro Greg Kroah-Hartman
` (130 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shawn Lin, Dragan Simic,
Geraldo Nascimento, Heiko Stuebner
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geraldo Nascimento <geraldogabriel@gmail.com>
commit 0368e4afcf20f377c81fa77b1c7d0dee4a625a44 upstream.
Shawn Lin from Rockchip strongly discourages attempts to use their
RK3399 PCIe core at 5.0 GT/s speed, citing concerns about catastrophic
failures that may happen. Even if the odds are low, drop from last user
of this non-default property for the RK3399 platform, helios64 board
dts.
Fixes: 755fff528b1b ("arm64: dts: rockchip: add variables for pcie completion to helios64")
Link: https://lore.kernel.org/all/e8524bf8-a90c-423f-8a58-9ef05a3db1dd@rock-chips.com/
Cc: stable@vger.kernel.org
Reported-by: Shawn Lin <shawn.lin@rock-chips.com>
Reviewed-by: Dragan Simic <dsimic@manjaro.org>
Signed-off-by: Geraldo Nascimento <geraldogabriel@gmail.com>
Acked-by: Shawn Lin <shawn.lin@rock-chips.com>
Link: https://patch.msgid.link/43bb639c120f599106fca2deee6c6599b2692c5c.1763415706.git.geraldogabriel@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts | 1 -
1 file changed, 1 deletion(-)
--- a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
@@ -424,7 +424,6 @@
&pcie0 {
ep-gpios = <&gpio2 RK_PD4 GPIO_ACTIVE_HIGH>;
- max-link-speed = <2>;
num-lanes = <2>;
pinctrl-names = "default";
status = "okay";
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 053/169] arm64: dts: rockchip: Fix voltage threshold for volume keys for Pinephone Pro
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 052/169] arm64: dts: rockchip: remove dangerous max-link-speed from helios64 Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 054/169] x86/kfence: avoid writing L1TF-vulnerable PTEs Greg Kroah-Hartman
` (129 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ondrej Jirman, Rudraksha Gupta,
Pavel Machek, Heiko Stuebner
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ondrej Jirman <megi@xff.cz>
commit 5497ffe305b2ea31ae62d4a311d7cabfb671f54a upstream.
Previously sometimes pressing the volume-down button would register as
a volume-up button. Match the thresholds as shown in the Pinephone Pro
schematic.
Tests:
~ $ evtest
// Mashed the volume down ~100 times with varying intensity
Event: time xxx, type 1 (EV_KEY), code 114 (KEY_VOLUMEDOWN), value 1
Event: time xxx, type 1 (EV_KEY), code 114 (KEY_VOLUMEDOWN), value 0
// Mashed the volume up ~100 times with varying intensity
Event: time xxx, type 1 (EV_KEY), code 115 (KEY_VOLUMEUP), value 1
Event: time xxx, type 1 (EV_KEY), code 115 (KEY_VOLUMEUP), value 0
Fixes: d3150ed53580 ("arm64: dts: rockchip: Add support for volume keys to rk3399-pinephone-pro")
Cc: stable@vger.kernel.org
Signed-off-by: Ondrej Jirman <megi@xff.cz>
Signed-off-by: Rudraksha Gupta <guptarud@gmail.com>
Reviewed-by: Pavel Machek <pavel@ucw.cz>
Link: https://patch.msgid.link/20251124-ppp_light_accel_mag_vol-down-v5-4-f9a10a0a50eb@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/rockchip/rk3399-pinephone-pro.dts | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm64/boot/dts/rockchip/rk3399-pinephone-pro.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3399-pinephone-pro.dts
@@ -40,13 +40,13 @@
button-up {
label = "Volume Up";
linux,code = <KEY_VOLUMEUP>;
- press-threshold-microvolt = <100000>;
+ press-threshold-microvolt = <2000>;
};
button-down {
label = "Volume Down";
linux,code = <KEY_VOLUMEDOWN>;
- press-threshold-microvolt = <600000>;
+ press-threshold-microvolt = <300000>;
};
};
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 054/169] x86/kfence: avoid writing L1TF-vulnerable PTEs
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 053/169] arm64: dts: rockchip: Fix voltage threshold for volume keys for Pinephone Pro Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 055/169] comedi: Fix getting range information for subdevices 16 to 255 Greg Kroah-Hartman
` (128 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Cooper, Marco Elver,
Alexander Potapenko, Dmitry Vyukov, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Dave Hansen, H. Peter Anvin, Jann Horn,
Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Cooper <andrew.cooper3@citrix.com>
commit b505f1944535f83d369ae68813e7634d11b990d3 upstream.
For native, the choice of PTE is fine. There's real memory backing the
non-present PTE. However, for XenPV, Xen complains:
(XEN) d1 L1TF-vulnerable L1e 8010000018200066 - Shadowing
To explain, some background on XenPV pagetables:
Xen PV guests are control their own pagetables; they choose the new
PTE value, and use hypercalls to make changes so Xen can audit for
safety.
In addition to a regular reference count, Xen also maintains a type
reference count. e.g. SegDesc (referenced by vGDT/vLDT), Writable
(referenced with _PAGE_RW) or L{1..4} (referenced by vCR3 or a lower
pagetable level). This is in order to prevent e.g. a page being
inserted into the pagetables for which the guest has a writable mapping.
For non-present mappings, all other bits become software accessible,
and typically contain metadata rather a real frame address. There is
nothing that a reference count could sensibly be tied to. As such, even
if Xen could recognise the address as currently safe, nothing would
prevent that frame from changing owner to another VM in the future.
When Xen detects a PV guest writing a L1TF-PTE, it responds by
activating shadow paging. This is normally only used for the live phase
of migration, and comes with a reasonable overhead.
KFENCE only cares about getting #PF to catch wild accesses; it doesn't
care about the value for non-present mappings. Use a fully inverted PTE,
to avoid hitting the slow path when running under Xen.
While adjusting the logic, take the opportunity to skip all actions if the
PTE is already in the right state, half the number PVOps callouts, and
skip TLB maintenance on a !P -> P transition which benefits non-Xen cases
too.
Link: https://lkml.kernel.org/r/20260106180426.710013-1-andrew.cooper3@citrix.com
Fixes: 1dc0da6e9ec0 ("x86, kfence: enable KFENCE for x86")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Marco Elver <elver@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Marco Elver <elver@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Jann Horn <jannh@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/kfence.h | 29 ++++++++++++++++++++++++-----
1 file changed, 24 insertions(+), 5 deletions(-)
--- a/arch/x86/include/asm/kfence.h
+++ b/arch/x86/include/asm/kfence.h
@@ -42,10 +42,34 @@ static inline bool kfence_protect_page(u
{
unsigned int level;
pte_t *pte = lookup_address(addr, &level);
+ pteval_t val;
if (WARN_ON(!pte || level != PG_LEVEL_4K))
return false;
+ val = pte_val(*pte);
+
+ /*
+ * protect requires making the page not-present. If the PTE is
+ * already in the right state, there's nothing to do.
+ */
+ if (protect != !!(val & _PAGE_PRESENT))
+ return true;
+
+ /*
+ * Otherwise, invert the entire PTE. This avoids writing out an
+ * L1TF-vulnerable PTE (not present, without the high address bits
+ * set).
+ */
+ set_pte(pte, __pte(~val));
+
+ /*
+ * If the page was protected (non-present) and we're making it
+ * present, there is no need to flush the TLB at all.
+ */
+ if (!protect)
+ return true;
+
/*
* We need to avoid IPIs, as we may get KFENCE allocations or faults
* with interrupts disabled. Therefore, the below is best-effort, and
@@ -53,11 +77,6 @@ static inline bool kfence_protect_page(u
* lazy fault handling takes care of faults after the page is PRESENT.
*/
- if (protect)
- set_pte(pte, __pte(pte_val(*pte) & ~_PAGE_PRESENT));
- else
- set_pte(pte, __pte(pte_val(*pte) | _PAGE_PRESENT));
-
/*
* Flush this CPU's TLB, assuming whoever did the allocation/free is
* likely to continue running on this CPU.
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 055/169] comedi: Fix getting range information for subdevices 16 to 255
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 054/169] x86/kfence: avoid writing L1TF-vulnerable PTEs Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 056/169] platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names Greg Kroah-Hartman
` (127 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Abbott
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 10d28cffb3f6ec7ad67f0a4cd32c2afa92909452 upstream.
The `COMEDI_RANGEINFO` ioctl does not work properly for subdevice
indices above 15. Currently, the only in-tree COMEDI drivers that
support more than 16 subdevices are the "8255" driver and the
"comedi_bond" driver. Making the ioctl work for subdevice indices up to
255 is achievable. It needs minor changes to the handling of the
`COMEDI_RANGEINFO` and `COMEDI_CHANINFO` ioctls that should be mostly
harmless to user-space, apart from making them less broken. Details
follow...
The `COMEDI_RANGEINFO` ioctl command gets the list of supported ranges
(usually with units of volts or milliamps) for a COMEDI subdevice or
channel. (Only some subdevices have per-channel range tables, indicated
by the `SDF_RANGETYPE` flag in the subdevice information.) It uses a
`range_type` value and a user-space pointer, both supplied by
user-space, but the `range_type` value should match what was obtained
using the `COMEDI_CHANINFO` ioctl (if the subdevice has per-channel
range tables) or `COMEDI_SUBDINFO` ioctl (if the subdevice uses a
single range table for all channels). Bits 15 to 0 of the `range_type`
value contain the length of the range table, which is the only part that
user-space should care about (so it can use a suitably sized buffer to
fetch the range table). Bits 23 to 16 store the channel index, which is
assumed to be no more than 255 if the subdevice has per-channel range
tables, and is set to 0 if the subdevice has a single range table. For
`range_type` values produced by the `COMEDI_SUBDINFO` ioctl, bits 31 to
24 contain the subdevice index, which is assumed to be no more than 255.
But for `range_type` values produced by the `COMEDI_CHANINFO` ioctl,
bits 27 to 24 contain the subdevice index, which is assumed to be no
more than 15, and bits 31 to 28 contain the COMEDI device's minor device
number for some unknown reason lost in the mists of time. The
`COMEDI_RANGEINFO` ioctl extract the length from bits 15 to 0 of the
user-supplied `range_type` value, extracts the channel index from bits
23 to 16 (only used if the subdevice has per-channel range tables),
extracts the subdevice index from bits 27 to 24, and ignores bits 31 to
28. So for subdevice indices 16 to 255, the `COMEDI_SUBDINFO` or
`COMEDI_CHANINFO` ioctl will report a `range_type` value that doesn't
work with the `COMEDI_RANGEINFO` ioctl. It will either get the range
table for the subdevice index modulo 16, or will fail with `-EINVAL`.
To fix this, always use bits 31 to 24 of the `range_type` value to hold
the subdevice index (assumed to be no more than 255). This affects the
`COMEDI_CHANINFO` and `COMEDI_RANGEINFO` ioctls. There should not be
anything in user-space that depends on the old, broken usage, although
it may now see different values in bits 31 to 28 of the `range_type`
values reported by the `COMEDI_CHANINFO` ioctl for subdevices that have
per-channel subdevices. User-space should not be trying to decode bits
31 to 16 of the `range_type` values anyway.
Fixes: ed9eccbe8970 ("Staging: add comedi core")
Cc: stable@vger.kernel.org #5.17+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20251203162438.176841-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/comedi_fops.c | 2 +-
drivers/comedi/range.c | 2 +-
include/uapi/linux/comedi.h | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -1099,7 +1099,7 @@ static int do_chaninfo_ioctl(struct come
for (i = 0; i < s->n_chan; i++) {
int x;
- x = (dev->minor << 28) | (it->subdev << 24) | (i << 16) |
+ x = (it->subdev << 24) | (i << 16) |
(s->range_table_list[i]->length);
if (put_user(x, it->rangelist + i))
return -EFAULT;
--- a/drivers/comedi/range.c
+++ b/drivers/comedi/range.c
@@ -52,7 +52,7 @@ int do_rangeinfo_ioctl(struct comedi_dev
const struct comedi_lrange *lr;
struct comedi_subdevice *s;
- subd = (it->range_type >> 24) & 0xf;
+ subd = (it->range_type >> 24) & 0xff;
chan = (it->range_type >> 16) & 0xff;
if (!dev->attached)
--- a/include/uapi/linux/comedi.h
+++ b/include/uapi/linux/comedi.h
@@ -640,7 +640,7 @@ struct comedi_chaninfo {
/**
* struct comedi_rangeinfo - used to retrieve the range table for a channel
- * @range_type: Encodes subdevice index (bits 27:24), channel index
+ * @range_type: Encodes subdevice index (bits 31:24), channel index
* (bits 23:16) and range table length (bits 15:0).
* @range_ptr: Pointer to array of @struct comedi_krange to be filled
* in with the range table for the channel or subdevice.
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 056/169] platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 055/169] comedi: Fix getting range information for subdevices 16 to 255 Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 057/169] platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro Greg Kroah-Hartman
` (126 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mario Limonciello,
Ilpo Järvinen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit fdee1b09721605f532352628d0a24623e7062efb upstream.
The hp-bioscfg driver attempts to register kobjects with empty names when
the HP BIOS returns attributes with empty name strings. This causes
multiple kernel warnings:
kobject: (00000000135fb5e6): attempted to be registered with empty name!
WARNING: CPU: 14 PID: 3336 at lib/kobject.c:219 kobject_add_internal+0x2eb/0x310
Add validation in hp_init_bios_buffer_attribute() to check if the
attribute name is empty after parsing it from the WMI buffer. If empty,
log a debug message and skip registration of that attribute, allowing the
module to continue processing other valid attributes.
Cc: stable@vger.kernel.org
Fixes: a34fc329b189 ("platform/x86: hp-bioscfg: bioscfg")
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Link: https://patch.msgid.link/20260115203725.828434-2-mario.limonciello@amd.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
@@ -10,6 +10,8 @@
#include <linux/fs.h>
#include <linux/module.h>
#include <linux/kernel.h>
+#include <linux/printk.h>
+#include <linux/string.h>
#include <linux/wmi.h>
#include "bioscfg.h"
#include "../../firmware_attributes_class.h"
@@ -784,6 +786,12 @@ static int hp_init_bios_buffer_attribute
if (ret < 0)
goto buff_attr_exit;
+ if (strlen(str) == 0) {
+ pr_debug("Ignoring attribute with empty name\n");
+ ret = 0;
+ goto buff_attr_exit;
+ }
+
if (attr_type == HPWMI_PASSWORD_TYPE ||
attr_type == HPWMI_SECURE_PLATFORM_TYPE)
temp_kset = bioscfg_drv.authentication_dir_kset;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 057/169] platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 056/169] platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 058/169] mm/rmap: fix two comments related to huge_pmd_unshare() Greg Kroah-Hartman
` (125 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mario Limonciello,
Ilpo Järvinen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 25150715e0b049b99df664daf05dab12f41c3e13 upstream.
The GET_INSTANCE_ID macro that caused a kernel panic when accessing sysfs
attributes:
1. Off-by-one error: The loop condition used '<=' instead of '<',
causing access beyond array bounds. Since array indices are 0-based
and go from 0 to instances_count-1, the loop should use '<'.
2. Missing NULL check: The code dereferenced attr_name_kobj->name
without checking if attr_name_kobj was NULL, causing a null pointer
dereference in min_length_show() and other attribute show functions.
The panic occurred when fwupd tried to read BIOS configuration attributes:
Oops: general protection fault [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:min_length_show+0xcf/0x1d0 [hp_bioscfg]
Add a NULL check for attr_name_kobj before dereferencing and corrects
the loop boundary to match the pattern used elsewhere in the driver.
Cc: stable@vger.kernel.org
Fixes: 5f94f181ca25 ("platform/x86: hp-bioscfg: bioscfg-h")
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Link: https://patch.msgid.link/20260115203725.828434-3-mario.limonciello@amd.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/hp/hp-bioscfg/bioscfg.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.h
+++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.h
@@ -10,6 +10,7 @@
#include <linux/wmi.h>
#include <linux/types.h>
+#include <linux/string.h>
#include <linux/device.h>
#include <linux/module.h>
#include <linux/kernel.h>
@@ -285,8 +286,9 @@ enum hp_wmi_data_elements {
{ \
int i; \
\
- for (i = 0; i <= bioscfg_drv.type##_instances_count; i++) { \
- if (!strcmp(kobj->name, bioscfg_drv.type##_data[i].attr_name_kobj->name)) \
+ for (i = 0; i < bioscfg_drv.type##_instances_count; i++) { \
+ if (bioscfg_drv.type##_data[i].attr_name_kobj && \
+ !strcmp(kobj->name, bioscfg_drv.type##_data[i].attr_name_kobj->name)) \
return i; \
} \
return -EIO; \
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 058/169] mm/rmap: fix two comments related to huge_pmd_unshare()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 057/169] platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 059/169] io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop Greg Kroah-Hartman
` (124 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand (Red Hat),
Rik van Riel, Laurence Oberman, Lorenzo Stoakes, Oscar Salvador,
Liu Shixin, Harry Yoo, Lance Yang, Uschakow, Stanislav,
Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand (Red Hat) <david@kernel.org>
commit a8682d500f691b6dfaa16ae1502d990aeb86e8be upstream.
PMD page table unsharing no longer touches the refcount of a PMD page
table. Also, it is not about dropping the refcount of a "PMD page" but
the "PMD page table".
Let's just simplify by saying that the PMD page table was unmapped,
consequently also unmapping the folio that was mapped into this page.
This code should be deduplicated in the future.
Link: https://lkml.kernel.org/r/20251223214037.580860-4-david@kernel.org
Fixes: 59d9094df3d7 ("mm: hugetlb: independent PMD page table shared count")
Signed-off-by: David Hildenbrand (Red Hat) <david@kernel.org>
Reviewed-by: Rik van Riel <riel@surriel.com>
Tested-by: Laurence Oberman <loberman@redhat.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Oscar Salvador <osalvador@suse.de>
Cc: Liu Shixin <liushixin2@huawei.com>
Cc: Harry Yoo <harry.yoo@oracle.com>
Cc: Lance Yang <lance.yang@linux.dev>
Cc: "Uschakow, Stanislav" <suschako@amazon.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/rmap.c | 20 ++++----------------
1 file changed, 4 insertions(+), 16 deletions(-)
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -1753,14 +1753,8 @@ static bool try_to_unmap_one(struct foli
flush_tlb_range(vma,
range.start, range.end);
/*
- * The ref count of the PMD page was
- * dropped which is part of the way map
- * counting is done for shared PMDs.
- * Return 'true' here. When there is
- * no other sharing, huge_pmd_unshare
- * returns false and we will unmap the
- * actual page and drop map count
- * to zero.
+ * The PMD table was unmapped,
+ * consequently unmapping the folio.
*/
goto walk_done;
}
@@ -2128,14 +2122,8 @@ static bool try_to_migrate_one(struct fo
range.start, range.end);
/*
- * The ref count of the PMD page was
- * dropped which is part of the way map
- * counting is done for shared PMDs.
- * Return 'true' here. When there is
- * no other sharing, huge_pmd_unshare
- * returns false and we will unmap the
- * actual page and drop map count
- * to zero.
+ * The PMD table was unmapped,
+ * consequently unmapping the folio.
*/
page_vma_mapped_walk_done(&pvmw);
break;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 059/169] io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 058/169] mm/rmap: fix two comments related to huge_pmd_unshare() Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 060/169] iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection Greg Kroah-Hartman
` (123 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot+4eb282331cab6d5b6588,
Jens Axboe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
commit 10dc959398175736e495f71c771f8641e1ca1907 upstream.
Currently this is checked before running the pending work. Normally this
is quite fine, as work items either end up blocking (which will create a
new worker for other items), or they complete fairly quickly. But syzbot
reports an issue where io-wq takes seemingly forever to exit, and with a
bit of debugging, this turns out to be because it queues a bunch of big
(2GB - 4096b) reads with a /dev/msr* file. Since this file type doesn't
support ->read_iter(), loop_rw_iter() ends up handling them. Each read
returns 16MB of data read, which takes 20 (!!) seconds. With a bunch of
these pending, processing the whole chain can take a long time. Easily
longer than the syzbot uninterruptible sleep timeout of 140 seconds.
This then triggers a complaint off the io-wq exit path:
INFO: task syz.4.135:6326 blocked for more than 143 seconds.
Not tainted syzkaller #0
Blocked by coredump.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.135 state:D stack:26824 pid:6326 tgid:6324 ppid:5957 task_flags:0x400548 flags:0x00080000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x1139/0x6150 kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0xe7/0x3a0 kernel/sched/core.c:6960
schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121
io_wq_exit_workers io_uring/io-wq.c:1328 [inline]
io_wq_put_and_exit+0x271/0x8a0 io_uring/io-wq.c:1356
io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203
io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651
io_uring_files_cancel include/linux/io_uring.h:19 [inline]
do_exit+0x2ce/0x2bd0 kernel/exit.c:911
do_group_exit+0xd3/0x2a0 kernel/exit.c:1112
get_signal+0x2671/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa02738f749
RSP: 002b:00007fa0281ae0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fa0275e6098 RCX: 00007fa02738f749
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa0275e6098
RBP: 00007fa0275e6090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa0275e6128 R14: 00007fff14e4fcb0 R15: 00007fff14e4fd98
There's really nothing wrong here, outside of processing these reads
will take a LONG time. However, we can speed up the exit by checking the
IO_WQ_BIT_EXIT inside the io_worker_handle_work() loop, as syzbot will
exit the ring after queueing up all of these reads. Then once the first
item is processed, io-wq will simply cancel the rest. That should avoid
syzbot running into this complaint again.
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/68a2decc.050a0220.e29e5.0099.GAE@google.com/
Reported-by: syzbot+4eb282331cab6d5b6588@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io-wq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -552,9 +552,9 @@ static void io_worker_handle_work(struct
__releases(&acct->lock)
{
struct io_wq *wq = worker->wq;
- bool do_kill = test_bit(IO_WQ_BIT_EXIT, &wq->state);
do {
+ bool do_kill = test_bit(IO_WQ_BIT_EXIT, &wq->state);
struct io_wq_work *work;
/*
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 060/169] iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 059/169] io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 061/169] iio: adc: ad7280a: handle spi_setup() errors in probe() Greg Kroah-Hartman
` (122 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francesco Lavra, Andy Shevchenko,
Lorenzo Bianconi, Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Francesco Lavra <flavra@baylibre.com>
commit c34e2e2d67b3bb8d5a6d09b0d6dac845cdd13fb3 upstream.
The st_lsm6dsx_acc_channels array of struct iio_chan_spec has a non-NULL
event_spec field, indicating support for IIO events. However, event
detection is not supported for all sensors, and if userspace tries to
configure accelerometer wakeup events on a sensor device that does not
support them (e.g. LSM6DS0), st_lsm6dsx_write_event() dereferences a NULL
pointer when trying to write to the wakeup register.
Define an additional struct iio_chan_spec array whose members have a NULL
event_spec field, and use this array instead of st_lsm6dsx_acc_channels for
sensors without event detection capability.
Fixes: b5969abfa8b8 ("iio: imu: st_lsm6dsx: add motion events")
Signed-off-by: Francesco Lavra <flavra@baylibre.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
@@ -101,6 +101,13 @@ static const struct iio_chan_spec st_lsm
IIO_CHAN_SOFT_TIMESTAMP(3),
};
+static const struct iio_chan_spec st_lsm6ds0_acc_channels[] = {
+ ST_LSM6DSX_CHANNEL(IIO_ACCEL, 0x28, IIO_MOD_X, 0),
+ ST_LSM6DSX_CHANNEL(IIO_ACCEL, 0x2a, IIO_MOD_Y, 1),
+ ST_LSM6DSX_CHANNEL(IIO_ACCEL, 0x2c, IIO_MOD_Z, 2),
+ IIO_CHAN_SOFT_TIMESTAMP(3),
+};
+
static const struct iio_chan_spec st_lsm6dsx_gyro_channels[] = {
ST_LSM6DSX_CHANNEL(IIO_ANGL_VEL, 0x22, IIO_MOD_X, 0),
ST_LSM6DSX_CHANNEL(IIO_ANGL_VEL, 0x24, IIO_MOD_Y, 1),
@@ -142,8 +149,8 @@ static const struct st_lsm6dsx_settings
},
.channels = {
[ST_LSM6DSX_ID_ACC] = {
- .chan = st_lsm6dsx_acc_channels,
- .len = ARRAY_SIZE(st_lsm6dsx_acc_channels),
+ .chan = st_lsm6ds0_acc_channels,
+ .len = ARRAY_SIZE(st_lsm6ds0_acc_channels),
},
[ST_LSM6DSX_ID_GYRO] = {
.chan = st_lsm6ds0_gyro_channels,
@@ -1449,8 +1456,8 @@ static const struct st_lsm6dsx_settings
},
.channels = {
[ST_LSM6DSX_ID_ACC] = {
- .chan = st_lsm6dsx_acc_channels,
- .len = ARRAY_SIZE(st_lsm6dsx_acc_channels),
+ .chan = st_lsm6ds0_acc_channels,
+ .len = ARRAY_SIZE(st_lsm6ds0_acc_channels),
},
[ST_LSM6DSX_ID_GYRO] = {
.chan = st_lsm6dsx_gyro_channels,
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 061/169] iio: adc: ad7280a: handle spi_setup() errors in probe()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 060/169] iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 062/169] interconnect: debugfs: initialize src_node and dst_node to empty strings Greg Kroah-Hartman
` (121 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pavel Zhigulin, Marcelo Schmitt,
Jonathan Cameron, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
[ Upstream commit 6b39824ac4c15783787e6434449772bfb2e31214 ]
The probe() function ignored the return value of spi_setup(), leaving SPI
configuration failures undetected. If spi_setup() fails, the driver should
stop initialization and propagate the error to the caller.
Add proper error handling: check the return value of spi_setup() and return
it on failure.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 2051f25d2a26 ("iio: adc: New driver for AD7280A Lithium Ion Battery Monitoring System")
Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
Reviewed-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/adc/ad7280a.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/iio/adc/ad7280a.c b/drivers/iio/adc/ad7280a.c
index 37522dca2c7c8..01d5719aa3eac 100644
--- a/drivers/iio/adc/ad7280a.c
+++ b/drivers/iio/adc/ad7280a.c
@@ -1026,7 +1026,9 @@ static int ad7280_probe(struct spi_device *spi)
st->spi->max_speed_hz = AD7280A_MAX_SPI_CLK_HZ;
st->spi->mode = SPI_MODE_1;
- spi_setup(st->spi);
+ ret = spi_setup(st->spi);
+ if (ret < 0)
+ return ret;
st->ctrl_lb = FIELD_PREP(AD7280A_CTRL_LB_ACQ_TIME_MSK, st->acquisition_time) |
FIELD_PREP(AD7280A_CTRL_LB_THERMISTOR_MSK, st->thermistor_term_en);
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 062/169] interconnect: debugfs: initialize src_node and dst_node to empty strings
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 061/169] iio: adc: ad7280a: handle spi_setup() errors in probe() Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 063/169] spi: spi-sprd-adi: Fix double free in probe error path Greg Kroah-Hartman
` (120 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Georgi Djakov, Kuan-Wei Chiu,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Georgi Djakov <djakov@kernel.org>
[ Upstream commit 8cc27f5c6dd17dd090f3a696683f04336c162ff5 ]
The debugfs_create_str() API assumes that the string pointer is either NULL
or points to valid kmalloc() memory. Leaving the pointer uninitialized can
cause problems.
Initialize src_node and dst_node to empty strings before creating the
debugfs entries to guarantee that reads and writes are safe.
Fixes: 770c69f037c1 ("interconnect: Add debugfs test client")
Signed-off-by: Georgi Djakov <djakov@kernel.org>
Reviewed-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Tested-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Link: https://lore.kernel.org/r/20260109122523.125843-1-djakov@kernel.org
Signed-off-by: Georgi Djakov <djakov@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/interconnect/debugfs-client.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/interconnect/debugfs-client.c b/drivers/interconnect/debugfs-client.c
index 778deeb4a7e8a..24d7b5a577945 100644
--- a/drivers/interconnect/debugfs-client.c
+++ b/drivers/interconnect/debugfs-client.c
@@ -150,6 +150,11 @@ int icc_debugfs_client_init(struct dentry *icc_dir)
return ret;
}
+ src_node = devm_kstrdup(&pdev->dev, "", GFP_KERNEL);
+ dst_node = devm_kstrdup(&pdev->dev, "", GFP_KERNEL);
+ if (!src_node || !dst_node)
+ return -ENOMEM;
+
client_dir = debugfs_create_dir("test_client", icc_dir);
debugfs_create_str("src_node", 0600, client_dir, &src_node);
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 063/169] spi: spi-sprd-adi: Fix double free in probe error path
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 062/169] interconnect: debugfs: initialize src_node and dst_node to empty strings Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 064/169] regmap: Fix race condition in hwspinlock irqsave routine Greg Kroah-Hartman
` (119 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Baolin Wang, Mark Brown,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <gu_0233@qq.com>
[ Upstream commit 383d4f5cffcc8df930d95b06518a9d25a6d74aac ]
The driver currently uses spi_alloc_host() to allocate the controller
but registers it using devm_spi_register_controller().
If devm_register_restart_handler() fails, the code jumps to the
put_ctlr label and calls spi_controller_put(). However, since the
controller was registered via a devm function, the device core will
automatically call spi_controller_put() again when the probe fails.
This results in a double-free of the spi_controller structure.
Fix this by switching to devm_spi_alloc_host() and removing the
manual spi_controller_put() call.
Fixes: ac17750 ("spi: sprd: Add the support of restarting the system")
Signed-off-by: Felix Gu <gu_0233@qq.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Link: https://patch.msgid.link/tencent_AC7D389CE7E24318445E226F7CDCCC2F0D07@qq.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-sprd-adi.c | 33 ++++++++++-----------------------
1 file changed, 10 insertions(+), 23 deletions(-)
diff --git a/drivers/spi/spi-sprd-adi.c b/drivers/spi/spi-sprd-adi.c
index 262c11d977ea3..f25b34a91756f 100644
--- a/drivers/spi/spi-sprd-adi.c
+++ b/drivers/spi/spi-sprd-adi.c
@@ -528,7 +528,7 @@ static int sprd_adi_probe(struct platform_device *pdev)
pdev->id = of_alias_get_id(np, "spi");
num_chipselect = of_get_child_count(np);
- ctlr = spi_alloc_host(&pdev->dev, sizeof(struct sprd_adi));
+ ctlr = devm_spi_alloc_host(&pdev->dev, sizeof(struct sprd_adi));
if (!ctlr)
return -ENOMEM;
@@ -536,10 +536,8 @@ static int sprd_adi_probe(struct platform_device *pdev)
sadi = spi_controller_get_devdata(ctlr);
sadi->base = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
- if (IS_ERR(sadi->base)) {
- ret = PTR_ERR(sadi->base);
- goto put_ctlr;
- }
+ if (IS_ERR(sadi->base))
+ return PTR_ERR(sadi->base);
sadi->slave_vbase = (unsigned long)sadi->base +
data->slave_offset;
@@ -551,18 +549,15 @@ static int sprd_adi_probe(struct platform_device *pdev)
if (ret > 0 || (IS_ENABLED(CONFIG_HWSPINLOCK) && ret == 0)) {
sadi->hwlock =
devm_hwspin_lock_request_specific(&pdev->dev, ret);
- if (!sadi->hwlock) {
- ret = -ENXIO;
- goto put_ctlr;
- }
+ if (!sadi->hwlock)
+ return -ENXIO;
} else {
switch (ret) {
case -ENOENT:
dev_info(&pdev->dev, "no hardware spinlock supplied\n");
break;
default:
- dev_err_probe(&pdev->dev, ret, "failed to find hwlock id\n");
- goto put_ctlr;
+ return dev_err_probe(&pdev->dev, ret, "failed to find hwlock id\n");
}
}
@@ -579,26 +574,18 @@ static int sprd_adi_probe(struct platform_device *pdev)
ctlr->transfer_one = sprd_adi_transfer_one;
ret = devm_spi_register_controller(&pdev->dev, ctlr);
- if (ret) {
- dev_err(&pdev->dev, "failed to register SPI controller\n");
- goto put_ctlr;
- }
+ if (ret)
+ return dev_err_probe(&pdev->dev, ret, "failed to register SPI controller\n");
if (sadi->data->restart) {
ret = devm_register_restart_handler(&pdev->dev,
sadi->data->restart,
sadi);
- if (ret) {
- dev_err(&pdev->dev, "can not register restart handler\n");
- goto put_ctlr;
- }
+ if (ret)
+ return dev_err_probe(&pdev->dev, ret, "can not register restart handler\n");
}
return 0;
-
-put_ctlr:
- spi_controller_put(ctlr);
- return ret;
}
static struct sprd_adi_data sc9860_data = {
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 064/169] regmap: Fix race condition in hwspinlock irqsave routine
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 063/169] spi: spi-sprd-adi: Fix double free in probe error path Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 065/169] kconfig: fix static linking of nconf Greg Kroah-Hartman
` (118 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cheng-Yu Lee, Yu-Chun Lin,
Mark Brown, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cheng-Yu Lee <cylee12@realtek.com>
[ Upstream commit 4b58aac989c1e3fafb1c68a733811859df388250 ]
Previously, the address of the shared member '&map->spinlock_flags' was
passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race
condition where multiple contexts contending for the lock could overwrite
the shared flags variable, potentially corrupting the state for the
current lock owner.
Fix this by using a local stack variable 'flags' to store the IRQ state
temporarily.
Fixes: 8698b9364710 ("regmap: Add hardware spinlock support")
Signed-off-by: Cheng-Yu Lee <cylee12@realtek.com>
Co-developed-by: Yu-Chun Lin <eleanor.lin@realtek.com>
Signed-off-by: Yu-Chun Lin <eleanor.lin@realtek.com>
Link: https://patch.msgid.link/20260109032633.8732-1-eleanor.lin@realtek.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/regmap/regmap.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
index 66b3840bd96e3..70cde1bd04000 100644
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -408,9 +408,11 @@ static void regmap_lock_hwlock_irq(void *__map)
static void regmap_lock_hwlock_irqsave(void *__map)
{
struct regmap *map = __map;
+ unsigned long flags = 0;
hwspin_lock_timeout_irqsave(map->hwlock, UINT_MAX,
- &map->spinlock_flags);
+ &flags);
+ map->spinlock_flags = flags;
}
static void regmap_unlock_hwlock(void *__map)
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 065/169] kconfig: fix static linking of nconf
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 064/169] regmap: Fix race condition in hwspinlock irqsave routine Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 066/169] riscv: clocksource: Fix stimecmp update hazard on RV32 Greg Kroah-Hartman
` (117 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Arusekk, Nicolas Schier, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arkadiusz Kozdra <floss@arusekk.pl>
[ Upstream commit baaecfcac559bcac73206df447eb5c385fa22f2a ]
When running make nconfig with a static linking host toolchain,
the libraries are linked in an incorrect order,
resulting in errors similar to the following:
$ MAKEFLAGS='HOSTCC=cc\ -static' make nconfig
/usr/bin/ld: /usr/lib64/gcc/x86_64-unknown-linux-gnu/14.2.1/../../../../lib64/libpanel.a(p_new.o): in function `new_panel':
(.text+0x13): undefined reference to `_nc_panelhook_sp'
/usr/bin/ld: (.text+0x6c): undefined reference to `_nc_panelhook_sp'
Fixes: 1c5af5cf9308 ("kconfig: refactor ncurses package checks for building mconf and nconf")
Signed-off-by: Arusekk <floss@arusekk.pl>
Link: https://patch.msgid.link/20260110114808.22595-1-floss@arusekk.pl
[nsc: Added comment about library order]
Signed-off-by: Nicolas Schier <nsc@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/kconfig/nconf-cfg.sh | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/scripts/kconfig/nconf-cfg.sh b/scripts/kconfig/nconf-cfg.sh
index a20290b1a37d8..4d08453f9bdb7 100755
--- a/scripts/kconfig/nconf-cfg.sh
+++ b/scripts/kconfig/nconf-cfg.sh
@@ -6,8 +6,9 @@ set -eu
cflags=$1
libs=$2
-PKG="ncursesw menuw panelw"
-PKG2="ncurses menu panel"
+# Keep library order for static linking (HOSTCC='cc -static')
+PKG="menuw panelw ncursesw"
+PKG2="menu panel ncurses"
if [ -n "$(command -v ${HOSTPKG_CONFIG})" ]; then
if ${HOSTPKG_CONFIG} --exists $PKG; then
@@ -28,19 +29,19 @@ fi
# find ncurses by pkg-config.)
if [ -f /usr/include/ncursesw/ncurses.h ]; then
echo -D_GNU_SOURCE -I/usr/include/ncursesw > ${cflags}
- echo -lncursesw -lmenuw -lpanelw > ${libs}
+ echo -lmenuw -lpanelw -lncursesw > ${libs}
exit 0
fi
if [ -f /usr/include/ncurses/ncurses.h ]; then
echo -D_GNU_SOURCE -I/usr/include/ncurses > ${cflags}
- echo -lncurses -lmenu -lpanel > ${libs}
+ echo -lmenu -lpanel -lncurses > ${libs}
exit 0
fi
if [ -f /usr/include/ncurses.h ]; then
echo -D_GNU_SOURCE > ${cflags}
- echo -lncurses -lmenu -lpanel > ${libs}
+ echo -lmenu -lpanel -lncurses > ${libs}
exit 0
fi
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 066/169] riscv: clocksource: Fix stimecmp update hazard on RV32
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 065/169] kconfig: fix static linking of nconf Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 067/169] platform/x86/amd: Fix memory leak in wbrf_record() Greg Kroah-Hartman
` (116 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naohiko Shimizu, Anup Patel,
Paul Walmsley, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Naohiko Shimizu <naohiko.shimizu@gmail.com>
[ Upstream commit eaa9bb1d39d59e7c17b06cec12622b7c586ab629 ]
On RV32, updating the 64-bit stimecmp (or vstimecmp) CSR requires two
separate 32-bit writes. A race condition exists if the timer triggers
during these two writes.
The RISC-V Privileged Specification (e.g., Section 3.2.1 for mtimecmp)
recommends a specific 3-step sequence to avoid spurious interrupts
when updating 64-bit comparison registers on 32-bit systems:
1. Set the low-order bits (stimecmp) to all ones (ULONG_MAX).
2. Set the high-order bits (stimecmph) to the desired value.
3. Set the low-order bits (stimecmp) to the desired value.
Current implementation writes the LSB first without ensuring a future
value, which may lead to a transient state where the 64-bit comparison
is incorrectly evaluated as "expired" by the hardware. This results in
spurious timer interrupts.
This patch adopts the spec-recommended 3-step sequence to ensure the
intermediate 64-bit state is never smaller than the current time.
Fixes: 9f7a8ff6391f ("RISC-V: Prefer sstc extension if available")
Signed-off-by: Naohiko Shimizu <naohiko.shimizu@gmail.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://patch.msgid.link/20260104135938.524-2-naohiko.shimizu@gmail.com
Signed-off-by: Paul Walmsley <pjw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clocksource/timer-riscv.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/clocksource/timer-riscv.c b/drivers/clocksource/timer-riscv.c
index 4d7cf338824a3..cfc4d83c42c03 100644
--- a/drivers/clocksource/timer-riscv.c
+++ b/drivers/clocksource/timer-riscv.c
@@ -50,8 +50,9 @@ static int riscv_clock_next_event(unsigned long delta,
if (static_branch_likely(&riscv_sstc_available)) {
#if defined(CONFIG_32BIT)
- csr_write(CSR_STIMECMP, next_tval & 0xFFFFFFFF);
+ csr_write(CSR_STIMECMP, ULONG_MAX);
csr_write(CSR_STIMECMPH, next_tval >> 32);
+ csr_write(CSR_STIMECMP, next_tval & 0xFFFFFFFF);
#else
csr_write(CSR_STIMECMP, next_tval);
#endif
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 067/169] platform/x86/amd: Fix memory leak in wbrf_record()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 066/169] riscv: clocksource: Fix stimecmp update hazard on RV32 Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 068/169] scsi: core: Wake up the error handler when final completions race against each other Greg Kroah-Hartman
` (115 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Jianhao Xu,
Zilin Guan, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 2bf1877b7094c684e1d652cac6912cfbc507ad3e ]
The tmp buffer is allocated using kcalloc() but is not freed if
acpi_evaluate_dsm() fails. This causes a memory leak in the error path.
Fix this by explicitly freeing the tmp buffer in the error handling
path of acpi_evaluate_dsm().
Fixes: 58e82a62669d ("platform/x86/amd: Add support for AMD ACPI based Wifi band RFI mitigation feature")
Suggested-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Co-developed-by: Jianhao Xu <jianhao.xu@seu.edu.cn>
Signed-off-by: Jianhao Xu <jianhao.xu@seu.edu.cn>
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Link: https://patch.msgid.link/20260106091318.747019-1-zilin@seu.edu.cn
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/amd/wbrf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/amd/wbrf.c b/drivers/platform/x86/amd/wbrf.c
index dd197b3aebe06..0f58d252b620a 100644
--- a/drivers/platform/x86/amd/wbrf.c
+++ b/drivers/platform/x86/amd/wbrf.c
@@ -104,8 +104,10 @@ static int wbrf_record(struct acpi_device *adev, uint8_t action, struct wbrf_ran
obj = acpi_evaluate_dsm(adev->handle, &wifi_acpi_dsm_guid,
WBRF_REVISION, WBRF_RECORD, &argv4);
- if (!obj)
+ if (!obj) {
+ kfree(tmp);
return -EINVAL;
+ }
if (obj->type != ACPI_TYPE_INTEGER) {
ret = -EINVAL;
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 068/169] scsi: core: Wake up the error handler when final completions race against each other
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 067/169] platform/x86/amd: Fix memory leak in wbrf_record() Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 069/169] scsi: qla2xxx: Sanitize payload size to prevent member overflow Greg Kroah-Hartman
` (114 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Jeffery, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Jeffery <djeffery@redhat.com>
[ Upstream commit fe2f8ad6f0999db3b318359a01ee0108c703a8c3 ]
The fragile ordering between marking commands completed or failed so
that the error handler only wakes when the last running command
completes or times out has race conditions. These race conditions can
cause the SCSI layer to fail to wake the error handler, leaving I/O
through the SCSI host stuck as the error state cannot advance.
First, there is an memory ordering issue within scsi_dec_host_busy().
The write which clears SCMD_STATE_INFLIGHT may be reordered with reads
counting in scsi_host_busy(). While the local CPU will see its own
write, reordering can allow other CPUs in scsi_dec_host_busy() or
scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to
see a host busy equal to the host_failed count.
This race condition can be prevented with a memory barrier on the error
path to force the write to be visible before counting host busy
commands.
Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By
counting busy commands before incrementing host_failed, it can race with a
final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does
not see host_failed incremented but scsi_eh_inc_host_failed() counts busy
commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(),
resulting in neither waking the error handler task.
This needs the call to scsi_host_busy() to be moved after host_failed is
incremented to close the race condition.
Fixes: 6eb045e092ef ("scsi: core: avoid host-wide host_busy counter for scsi_mq")
Signed-off-by: David Jeffery <djeffery@redhat.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260113161036.6730-1-djeffery@redhat.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_error.c | 11 ++++++++++-
drivers/scsi/scsi_lib.c | 8 ++++++++
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
index 35b841515d1d6..9a89a94784cd0 100644
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -282,11 +282,20 @@ static void scsi_eh_inc_host_failed(struct rcu_head *head)
{
struct scsi_cmnd *scmd = container_of(head, typeof(*scmd), rcu);
struct Scsi_Host *shost = scmd->device->host;
- unsigned int busy = scsi_host_busy(shost);
+ unsigned int busy;
unsigned long flags;
spin_lock_irqsave(shost->host_lock, flags);
shost->host_failed++;
+ spin_unlock_irqrestore(shost->host_lock, flags);
+ /*
+ * The counting of busy requests needs to occur after adding to
+ * host_failed or after the lock acquire for adding to host_failed
+ * to prevent a race with host unbusy and missing an eh wakeup.
+ */
+ busy = scsi_host_busy(shost);
+
+ spin_lock_irqsave(shost->host_lock, flags);
scsi_eh_wakeup(shost, busy);
spin_unlock_irqrestore(shost->host_lock, flags);
}
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index a4cafc688c2a1..55717fd3234be 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -373,6 +373,14 @@ static void scsi_dec_host_busy(struct Scsi_Host *shost, struct scsi_cmnd *cmd)
rcu_read_lock();
__clear_bit(SCMD_STATE_INFLIGHT, &cmd->state);
if (unlikely(scsi_host_in_recovery(shost))) {
+ /*
+ * Ensure the clear of SCMD_STATE_INFLIGHT is visible to
+ * other CPUs before counting busy requests. Otherwise,
+ * reordering can cause CPUs to race and miss an eh wakeup
+ * when no CPU sees all busy requests as done or timed out.
+ */
+ smp_mb();
+
unsigned int busy = scsi_host_busy(shost);
spin_lock_irqsave(shost->host_lock, flags);
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 069/169] scsi: qla2xxx: Sanitize payload size to prevent member overflow
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 068/169] scsi: core: Wake up the error handler when final completions race against each other Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 070/169] ALSA: usb: Increase volume range that triggers a warning Greg Kroah-Hartman
` (113 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Himanshu Madhani,
Martin K. Petersen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
[ Upstream commit 19bc5f2a6962dfaa0e32d0e0bc2271993d85d414 ]
In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size
reported by firmware is used to calculate the copy length into
item->iocb. However, the iocb member is defined as a fixed-size 64-byte
array within struct purex_item.
If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will
overflow the iocb member boundary. While extra memory might be allocated,
this cross-member write is unsafe and triggers warnings under
CONFIG_FORTIFY_SOURCE.
Fix this by capping total_bytes to the size of the iocb member (64 bytes)
before allocation and copying. This ensures all copies remain within the
bounds of the destination structure member.
Fixes: 875386b98857 ("scsi: qla2xxx: Add Unsolicited LS Request and Response Support for NVMe")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
Link: https://patch.msgid.link/20260106205344.18031-1-jiashengjiangcool@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qla2xxx/qla_isr.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
index 77c779cca97f8..a1c5ef569f9d8 100644
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -878,6 +878,9 @@ qla27xx_copy_multiple_pkt(struct scsi_qla_host *vha, void **pkt,
payload_size = sizeof(purex->els_frame_payload);
}
+ if (total_bytes > sizeof(item->iocb.iocb))
+ total_bytes = sizeof(item->iocb.iocb);
+
pending_bytes = total_bytes;
no_bytes = (pending_bytes > payload_size) ? payload_size :
pending_bytes;
@@ -1163,6 +1166,10 @@ qla27xx_copy_fpin_pkt(struct scsi_qla_host *vha, void **pkt,
total_bytes = (le16_to_cpu(purex->frame_size) & 0x0FFF)
- PURX_ELS_HEADER_SIZE;
+
+ if (total_bytes > sizeof(item->iocb.iocb))
+ total_bytes = sizeof(item->iocb.iocb);
+
pending_bytes = total_bytes;
entry_count = entry_count_remaining = purex->entry_count;
no_bytes = (pending_bytes > sizeof(purex->els_frame_payload)) ?
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 070/169] ALSA: usb: Increase volume range that triggers a warning
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 069/169] scsi: qla2xxx: Sanitize payload size to prevent member overflow Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 071/169] drm/imagination: Wait for FW trace update command completion Greg Kroah-Hartman
` (112 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jaroslav Kysela, Takashi Iwai,
linux-sound, Arun Raghavan, Takashi Iwai, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arun Raghavan <arunr@valvesoftware.com>
[ Upstream commit 6b971191fcfc9e3c2c0143eea22534f1f48dbb62 ]
On at least the HyperX Cloud III, the range is 18944 (-18944 -> 0 in
steps of 1), so the original check for 255 steps is definitely obsolete.
Let's give ourselves a little more headroom before we emit a warning.
Fixes: 80acefff3bc7 ("ALSA: usb-audio - Add volume range check and warn if it too big")
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: linux-sound@vger.kernel.org
Signed-off-by: Arun Raghavan <arunr@valvesoftware.com>
Link: https://patch.msgid.link/20260116225804.3845935-1-arunr@valvesoftware.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/mixer.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 7307e29c60b75..577f9121971e8 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1807,11 +1807,10 @@ static void __build_feature_ctl(struct usb_mixer_interface *mixer,
range = (cval->max - cval->min) / cval->res;
/*
- * Are there devices with volume range more than 255? I use a bit more
- * to be sure. 384 is a resolution magic number found on Logitech
- * devices. It will definitively catch all buggy Logitech devices.
+ * There are definitely devices with a range of ~20,000, so let's be
+ * conservative and allow for a bit more.
*/
- if (range > 384) {
+ if (range > 65535) {
usb_audio_warn(mixer->chip,
"Warning! Unlikely big volume range (=%u), cval->res is probably wrong.",
range);
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 071/169] drm/imagination: Wait for FW trace update command completion
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 070/169] ALSA: usb: Increase volume range that triggers a warning Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 072/169] netdevsim: fix a race issue related to the operation on bpf_bound_progs list Greg Kroah-Hartman
` (111 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Brajesh Gupta, Matt Coster,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brajesh Gupta <brajesh.gupta@imgtec.com>
[ Upstream commit 812062e74a3945b575dce89d330b67cb50054a77 ]
Possibility of no FW trace available after update in the fw_trace_mask due
to asynchronous mode of command consumption in the FW.
To ensure FW trace is available after update, wait for FW trace log update
command completion from the FW.
Fixes: cc1aeedb98ad ("drm/imagination: Implement firmware infrastructure and META FW support")
Signed-off-by: Brajesh Gupta <brajesh.gupta@imgtec.com>
Reviewed-by: Matt Coster <matt.coster@imgtec.com>
Link: https://patch.msgid.link/20260108040936.129769-1-brajesh.gupta@imgtec.com
Signed-off-by: Matt Coster <matt.coster@imgtec.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/imagination/pvr_fw_trace.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/imagination/pvr_fw_trace.c b/drivers/gpu/drm/imagination/pvr_fw_trace.c
index 5dbb636d7d4ff..634c84bfc885a 100644
--- a/drivers/gpu/drm/imagination/pvr_fw_trace.c
+++ b/drivers/gpu/drm/imagination/pvr_fw_trace.c
@@ -141,6 +141,7 @@ update_logtype(struct pvr_device *pvr_dev, u32 group_mask)
struct rogue_fwif_kccb_cmd cmd;
int idx;
int err;
+ int slot;
if (group_mask)
fw_trace->tracebuf_ctrl->log_type = ROGUE_FWIF_LOG_TYPE_TRACE | group_mask;
@@ -158,8 +159,13 @@ update_logtype(struct pvr_device *pvr_dev, u32 group_mask)
cmd.cmd_type = ROGUE_FWIF_KCCB_CMD_LOGTYPE_UPDATE;
cmd.kccb_flags = 0;
- err = pvr_kccb_send_cmd(pvr_dev, &cmd, NULL);
+ err = pvr_kccb_send_cmd(pvr_dev, &cmd, &slot);
+ if (err)
+ goto err_drm_dev_exit;
+
+ err = pvr_kccb_wait_for_completion(pvr_dev, slot, HZ, NULL);
+err_drm_dev_exit:
drm_dev_exit(idx);
err_up_read:
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 072/169] netdevsim: fix a race issue related to the operation on bpf_bound_progs list
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 071/169] drm/imagination: Wait for FW trace update command completion Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 073/169] ice: Fix persistent failure in ice_get_rxfh Greg Kroah-Hartman
` (110 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yinhao Hu, Kaiyan Mei, Yun Lu,
Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yun Lu <luyun@kylinos.cn>
[ Upstream commit b97d5eedf4976cc94321243be83b39efe81a0e15 ]
The netdevsim driver lacks a protection mechanism for operations on the
bpf_bound_progs list. When the nsim_bpf_create_prog() performs
list_add_tail, it is possible that nsim_bpf_destroy_prog() is
simultaneously performs list_del. Concurrent operations on the list may
lead to list corruption and trigger a kernel crash as follows:
[ 417.290971] kernel BUG at lib/list_debug.c:62!
[ 417.290983] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 417.290992] CPU: 10 PID: 168 Comm: kworker/10:1 Kdump: loaded Not tainted 6.19.0-rc5 #1
[ 417.291003] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 417.291007] Workqueue: events bpf_prog_free_deferred
[ 417.291021] RIP: 0010:__list_del_entry_valid_or_report+0xa7/0xc0
[ 417.291034] Code: a8 ff 0f 0b 48 89 fe 48 89 ca 48 c7 c7 48 a1 eb ae e8 ed fb a8 ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 80 a1 eb ae e8 d9 fb a8 ff <0f> 0b 48 89 d1 48 c7 c7 d0 a1 eb ae 48 89 f2 48 89 c6 e8 c2 fb a8
[ 417.291040] RSP: 0018:ffffb16a40807df8 EFLAGS: 00010246
[ 417.291046] RAX: 000000000000006d RBX: ffff8e589866f500 RCX: 0000000000000000
[ 417.291051] RDX: 0000000000000000 RSI: ffff8e59f7b23180 RDI: ffff8e59f7b23180
[ 417.291055] RBP: ffffb16a412c9000 R08: 0000000000000000 R09: 0000000000000003
[ 417.291059] R10: ffffb16a40807c80 R11: ffffffffaf9edce8 R12: ffff8e594427ac20
[ 417.291063] R13: ffff8e59f7b44780 R14: ffff8e58800b7a05 R15: 0000000000000000
[ 417.291074] FS: 0000000000000000(0000) GS:ffff8e59f7b00000(0000) knlGS:0000000000000000
[ 417.291079] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 417.291083] CR2: 00007fc4083efe08 CR3: 00000001c3626006 CR4: 0000000000770ee0
[ 417.291088] PKRU: 55555554
[ 417.291091] Call Trace:
[ 417.291096] <TASK>
[ 417.291103] nsim_bpf_destroy_prog+0x31/0x80 [netdevsim]
[ 417.291154] __bpf_prog_offload_destroy+0x2a/0x80
[ 417.291163] bpf_prog_dev_bound_destroy+0x6f/0xb0
[ 417.291171] bpf_prog_free_deferred+0x18e/0x1a0
[ 417.291178] process_one_work+0x18a/0x3a0
[ 417.291188] worker_thread+0x27b/0x3a0
[ 417.291197] ? __pfx_worker_thread+0x10/0x10
[ 417.291207] kthread+0xe5/0x120
[ 417.291214] ? __pfx_kthread+0x10/0x10
[ 417.291221] ret_from_fork+0x31/0x50
[ 417.291230] ? __pfx_kthread+0x10/0x10
[ 417.291236] ret_from_fork_asm+0x1a/0x30
[ 417.291246] </TASK>
Add a mutex lock, to prevent simultaneous addition and deletion operations
on the list.
Fixes: 31d3ad832948 ("netdevsim: add bpf offload support")
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Signed-off-by: Yun Lu <luyun@kylinos.cn>
Link: https://patch.msgid.link/20260116095308.11441-1-luyun_611@163.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/netdevsim/bpf.c | 6 ++++++
drivers/net/netdevsim/dev.c | 2 ++
drivers/net/netdevsim/netdevsim.h | 1 +
3 files changed, 9 insertions(+)
diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c
index 608953d4f98da..ca64136372fca 100644
--- a/drivers/net/netdevsim/bpf.c
+++ b/drivers/net/netdevsim/bpf.c
@@ -244,7 +244,9 @@ static int nsim_bpf_create_prog(struct nsim_dev *nsim_dev,
&state->state, &nsim_bpf_string_fops);
debugfs_create_bool("loaded", 0400, state->ddir, &state->is_loaded);
+ mutex_lock(&nsim_dev->progs_list_lock);
list_add_tail(&state->l, &nsim_dev->bpf_bound_progs);
+ mutex_unlock(&nsim_dev->progs_list_lock);
prog->aux->offload->dev_priv = state;
@@ -273,12 +275,16 @@ static int nsim_bpf_translate(struct bpf_prog *prog)
static void nsim_bpf_destroy_prog(struct bpf_prog *prog)
{
struct nsim_bpf_bound_prog *state;
+ struct nsim_dev *nsim_dev;
state = prog->aux->offload->dev_priv;
+ nsim_dev = state->nsim_dev;
WARN(state->is_loaded,
"offload state destroyed while program still bound");
debugfs_remove_recursive(state->ddir);
+ mutex_lock(&nsim_dev->progs_list_lock);
list_del(&state->l);
+ mutex_unlock(&nsim_dev->progs_list_lock);
kfree(state);
}
diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c
index 3e0b61202f0c9..2614d6509954c 100644
--- a/drivers/net/netdevsim/dev.c
+++ b/drivers/net/netdevsim/dev.c
@@ -1545,6 +1545,7 @@ int nsim_drv_probe(struct nsim_bus_dev *nsim_bus_dev)
nsim_dev->max_macs = NSIM_DEV_MAX_MACS_DEFAULT;
nsim_dev->test1 = NSIM_DEV_TEST1_DEFAULT;
spin_lock_init(&nsim_dev->fa_cookie_lock);
+ mutex_init(&nsim_dev->progs_list_lock);
dev_set_drvdata(&nsim_bus_dev->dev, nsim_dev);
@@ -1683,6 +1684,7 @@ void nsim_drv_remove(struct nsim_bus_dev *nsim_bus_dev)
devl_unregister(devlink);
kfree(nsim_dev->vfconfigs);
kfree(nsim_dev->fa_cookie);
+ mutex_destroy(&nsim_dev->progs_list_lock);
devl_unlock(devlink);
devlink_free(devlink);
dev_set_drvdata(&nsim_bus_dev->dev, NULL);
diff --git a/drivers/net/netdevsim/netdevsim.h b/drivers/net/netdevsim/netdevsim.h
index 84181dcb98831..736d0dde679ec 100644
--- a/drivers/net/netdevsim/netdevsim.h
+++ b/drivers/net/netdevsim/netdevsim.h
@@ -308,6 +308,7 @@ struct nsim_dev {
u32 prog_id_gen;
struct list_head bpf_bound_progs;
struct list_head bpf_bound_maps;
+ struct mutex progs_list_lock;
struct netdev_phys_item_id switch_id;
struct list_head port_list;
bool fw_update_status;
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 073/169] ice: Fix persistent failure in ice_get_rxfh
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 072/169] netdevsim: fix a race issue related to the operation on bpf_bound_progs list Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 074/169] net: hns3: fix data race in hns3_fetch_stats Greg Kroah-Hartman
` (109 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cody Haas, Aleksandr Loktionov,
Przemek Kitszel, Tony Nguyen, Sasha Levin, Rinitha S
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cody Haas <chaas@riotgames.com>
[ Upstream commit f406220eb8e227ca344eef1a6d30aff53706b196 ]
Several ioctl functions have the ability to call ice_get_rxfh, however
all of these ioctl functions do not provide all of the expected
information in ethtool_rxfh_param. For example, ethtool_get_rxfh_indir does
not provide an rss_key. This previously caused ethtool_get_rxfh_indir to
always fail with -EINVAL.
This change draws inspiration from i40e_get_rss to handle this
situation, by only calling the appropriate rss helpers when the
necessary information has been provided via ethtool_rxfh_param.
Fixes: b66a972abb6b ("ice: Refactor ice_set/get_rss into LUT and key specific functions")
Signed-off-by: Cody Haas <chaas@riotgames.com>
Closes: https://lore.kernel.org/intel-wired-lan/CAH7f-UKkJV8MLY7zCdgCrGE55whRhbGAXvgkDnwgiZ9gUZT7_w@mail.gmail.com/
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice.h | 1 +
drivers/net/ethernet/intel/ice/ice_ethtool.c | 6 +----
drivers/net/ethernet/intel/ice/ice_main.c | 28 ++++++++++++++++++++
3 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice.h b/drivers/net/ethernet/intel/ice/ice.h
index 0e699a0432c5b..bffdf537dafa8 100644
--- a/drivers/net/ethernet/intel/ice/ice.h
+++ b/drivers/net/ethernet/intel/ice/ice.h
@@ -952,6 +952,7 @@ void ice_map_xdp_rings(struct ice_vsi *vsi);
int
ice_xdp_xmit(struct net_device *dev, int n, struct xdp_frame **frames,
u32 flags);
+int ice_get_rss(struct ice_vsi *vsi, u8 *seed, u8 *lut, u16 lut_size);
int ice_set_rss_lut(struct ice_vsi *vsi, u8 *lut, u16 lut_size);
int ice_get_rss_lut(struct ice_vsi *vsi, u8 *lut, u16 lut_size);
int ice_set_rss_key(struct ice_vsi *vsi, u8 *seed);
diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
index 2a2acbeb57221..5379fbe06b073 100644
--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
+++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
@@ -3649,11 +3649,7 @@ ice_get_rxfh(struct net_device *netdev, struct ethtool_rxfh_param *rxfh)
if (!lut)
return -ENOMEM;
- err = ice_get_rss_key(vsi, rxfh->key);
- if (err)
- goto out;
-
- err = ice_get_rss_lut(vsi, lut, vsi->rss_table_size);
+ err = ice_get_rss(vsi, rxfh->key, lut, vsi->rss_table_size);
if (err)
goto out;
diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
index 4f4678607e55f..d024e71722de3 100644
--- a/drivers/net/ethernet/intel/ice/ice_main.c
+++ b/drivers/net/ethernet/intel/ice/ice_main.c
@@ -8042,6 +8042,34 @@ int ice_get_rss_key(struct ice_vsi *vsi, u8 *seed)
return status;
}
+/**
+ * ice_get_rss - Get RSS LUT and/or key
+ * @vsi: Pointer to VSI structure
+ * @seed: Buffer to store the key in
+ * @lut: Buffer to store the lookup table entries
+ * @lut_size: Size of buffer to store the lookup table entries
+ *
+ * Return: 0 on success, negative on failure
+ */
+int ice_get_rss(struct ice_vsi *vsi, u8 *seed, u8 *lut, u16 lut_size)
+{
+ int err;
+
+ if (seed) {
+ err = ice_get_rss_key(vsi, seed);
+ if (err)
+ return err;
+ }
+
+ if (lut) {
+ err = ice_get_rss_lut(vsi, lut, lut_size);
+ if (err)
+ return err;
+ }
+
+ return 0;
+}
+
/**
* ice_set_rss_hfunc - Set RSS HASH function
* @vsi: Pointer to VSI structure
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 074/169] net: hns3: fix data race in hns3_fetch_stats
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 073/169] ice: Fix persistent failure in ice_get_rxfh Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 075/169] be2net: fix data race in be_get_new_eqd Greg Kroah-Hartman
` (108 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Yang, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Yang <mmyangfl@gmail.com>
[ Upstream commit 748a81c8ceda1fdbdcd0af595947422e810442aa ]
In hns3_fetch_stats(), ring statistics, protected by u64_stats_sync, are
read and accumulated in ignorance of possible u64_stats_fetch_retry()
events. These statistics are already accumulated by
hns3_ring_stats_update(). Fix this by reading them into a temporary
buffer first.
Fixes: b20d7fe51e0d ("net: hns3: add some statitics info to tx process")
Signed-off-by: David Yang <mmyangfl@gmail.com>
Link: https://patch.msgid.link/20260119160759.1455950-1-mmyangfl@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/hisilicon/hns3/hns3_enet.c | 69 ++++++++++---------
1 file changed, 36 insertions(+), 33 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
index 94432e237640d..b477bd286ed72 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
@@ -2500,44 +2500,47 @@ static netdev_features_t hns3_features_check(struct sk_buff *skb,
static void hns3_fetch_stats(struct rtnl_link_stats64 *stats,
struct hns3_enet_ring *ring, bool is_tx)
{
+ struct ring_stats ring_stats;
unsigned int start;
do {
start = u64_stats_fetch_begin(&ring->syncp);
- if (is_tx) {
- stats->tx_bytes += ring->stats.tx_bytes;
- stats->tx_packets += ring->stats.tx_pkts;
- stats->tx_dropped += ring->stats.sw_err_cnt;
- stats->tx_dropped += ring->stats.tx_vlan_err;
- stats->tx_dropped += ring->stats.tx_l4_proto_err;
- stats->tx_dropped += ring->stats.tx_l2l3l4_err;
- stats->tx_dropped += ring->stats.tx_tso_err;
- stats->tx_dropped += ring->stats.over_max_recursion;
- stats->tx_dropped += ring->stats.hw_limitation;
- stats->tx_dropped += ring->stats.copy_bits_err;
- stats->tx_dropped += ring->stats.skb2sgl_err;
- stats->tx_dropped += ring->stats.map_sg_err;
- stats->tx_errors += ring->stats.sw_err_cnt;
- stats->tx_errors += ring->stats.tx_vlan_err;
- stats->tx_errors += ring->stats.tx_l4_proto_err;
- stats->tx_errors += ring->stats.tx_l2l3l4_err;
- stats->tx_errors += ring->stats.tx_tso_err;
- stats->tx_errors += ring->stats.over_max_recursion;
- stats->tx_errors += ring->stats.hw_limitation;
- stats->tx_errors += ring->stats.copy_bits_err;
- stats->tx_errors += ring->stats.skb2sgl_err;
- stats->tx_errors += ring->stats.map_sg_err;
- } else {
- stats->rx_bytes += ring->stats.rx_bytes;
- stats->rx_packets += ring->stats.rx_pkts;
- stats->rx_dropped += ring->stats.l2_err;
- stats->rx_errors += ring->stats.l2_err;
- stats->rx_errors += ring->stats.l3l4_csum_err;
- stats->rx_crc_errors += ring->stats.l2_err;
- stats->multicast += ring->stats.rx_multicast;
- stats->rx_length_errors += ring->stats.err_pkt_len;
- }
+ ring_stats = ring->stats;
} while (u64_stats_fetch_retry(&ring->syncp, start));
+
+ if (is_tx) {
+ stats->tx_bytes += ring_stats.tx_bytes;
+ stats->tx_packets += ring_stats.tx_pkts;
+ stats->tx_dropped += ring_stats.sw_err_cnt;
+ stats->tx_dropped += ring_stats.tx_vlan_err;
+ stats->tx_dropped += ring_stats.tx_l4_proto_err;
+ stats->tx_dropped += ring_stats.tx_l2l3l4_err;
+ stats->tx_dropped += ring_stats.tx_tso_err;
+ stats->tx_dropped += ring_stats.over_max_recursion;
+ stats->tx_dropped += ring_stats.hw_limitation;
+ stats->tx_dropped += ring_stats.copy_bits_err;
+ stats->tx_dropped += ring_stats.skb2sgl_err;
+ stats->tx_dropped += ring_stats.map_sg_err;
+ stats->tx_errors += ring_stats.sw_err_cnt;
+ stats->tx_errors += ring_stats.tx_vlan_err;
+ stats->tx_errors += ring_stats.tx_l4_proto_err;
+ stats->tx_errors += ring_stats.tx_l2l3l4_err;
+ stats->tx_errors += ring_stats.tx_tso_err;
+ stats->tx_errors += ring_stats.over_max_recursion;
+ stats->tx_errors += ring_stats.hw_limitation;
+ stats->tx_errors += ring_stats.copy_bits_err;
+ stats->tx_errors += ring_stats.skb2sgl_err;
+ stats->tx_errors += ring_stats.map_sg_err;
+ } else {
+ stats->rx_bytes += ring_stats.rx_bytes;
+ stats->rx_packets += ring_stats.rx_pkts;
+ stats->rx_dropped += ring_stats.l2_err;
+ stats->rx_errors += ring_stats.l2_err;
+ stats->rx_errors += ring_stats.l3l4_csum_err;
+ stats->rx_crc_errors += ring_stats.l2_err;
+ stats->multicast += ring_stats.rx_multicast;
+ stats->rx_length_errors += ring_stats.err_pkt_len;
+ }
}
static void hns3_nic_get_stats64(struct net_device *netdev,
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 075/169] be2net: fix data race in be_get_new_eqd
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 074/169] net: hns3: fix data race in hns3_fetch_stats Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 076/169] net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M Greg Kroah-Hartman
` (107 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Yang, Vadim Fedorenko,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Yang <mmyangfl@gmail.com>
[ Upstream commit 302e5b481caa7b3d11ec0e058434c1fc95195e50 ]
In be_get_new_eqd(), statistics of pkts, protected by u64_stats_sync, are
read and accumulated in ignorance of possible u64_stats_fetch_retry()
events. Before the commit in question, these statistics were retrieved
one by one directly from queues. Fix this by reading them into temporary
variables first.
Fixes: 209477704187 ("be2net: set interrupt moderation for Skyhawk-R using EQ-DB")
Signed-off-by: David Yang <mmyangfl@gmail.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260119153440.1440578-1-mmyangfl@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/emulex/benet/be_main.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
index 8c3314445acab..71565b27893e3 100644
--- a/drivers/net/ethernet/emulex/benet/be_main.c
+++ b/drivers/net/ethernet/emulex/benet/be_main.c
@@ -2141,7 +2141,7 @@ static int be_get_new_eqd(struct be_eq_obj *eqo)
struct be_aic_obj *aic;
struct be_rx_obj *rxo;
struct be_tx_obj *txo;
- u64 rx_pkts = 0, tx_pkts = 0;
+ u64 rx_pkts = 0, tx_pkts = 0, pkts;
ulong now;
u32 pps, delta;
int i;
@@ -2157,15 +2157,17 @@ static int be_get_new_eqd(struct be_eq_obj *eqo)
for_all_rx_queues_on_eq(adapter, eqo, rxo, i) {
do {
start = u64_stats_fetch_begin(&rxo->stats.sync);
- rx_pkts += rxo->stats.rx_pkts;
+ pkts = rxo->stats.rx_pkts;
} while (u64_stats_fetch_retry(&rxo->stats.sync, start));
+ rx_pkts += pkts;
}
for_all_tx_queues_on_eq(adapter, eqo, txo, i) {
do {
start = u64_stats_fetch_begin(&txo->stats.sync);
- tx_pkts += txo->stats.tx_reqs;
+ pkts = txo->stats.tx_reqs;
} while (u64_stats_fetch_retry(&txo->stats.sync, start));
+ tx_pkts += pkts;
}
/* Skip, if wrapped around or first calculation */
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 076/169] net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 075/169] be2net: fix data race in be_get_new_eqd Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 077/169] net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue Greg Kroah-Hartman
` (106 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jijie Shao, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jijie Shao <shaojijie@huawei.com>
[ Upstream commit d57c67c956a1bad15115eba6e59d77a6dfeba01d ]
HCLGE_FD_AD_COUNTER_NUM_M should be at GENMASK(19, 13),
rather than at GENMASK(20, 13), because bit 20 is
HCLGE_FD_AD_NXT_STEP_B.
This patch corrects the wrong definition.
Fixes: 117328680288 ("net: hns3: Add input key and action config support for flow director")
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Link: https://patch.msgid.link/20260119132840.410513-2-shaojijie@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h
index 9bb708fa42f24..416e02e7b995f 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h
@@ -731,7 +731,7 @@ struct hclge_fd_tcam_config_3_cmd {
#define HCLGE_FD_AD_QID_M GENMASK(11, 2)
#define HCLGE_FD_AD_USE_COUNTER_B 12
#define HCLGE_FD_AD_COUNTER_NUM_S 13
-#define HCLGE_FD_AD_COUNTER_NUM_M GENMASK(20, 13)
+#define HCLGE_FD_AD_COUNTER_NUM_M GENMASK(19, 13)
#define HCLGE_FD_AD_NXT_STEP_B 20
#define HCLGE_FD_AD_NXT_KEY_S 21
#define HCLGE_FD_AD_NXT_KEY_M GENMASK(25, 21)
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 077/169] net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 076/169] net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 078/169] mISDN: annotate data-race around dev->work Greg Kroah-Hartman
` (105 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jijie Shao, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jijie Shao <shaojijie@huawei.com>
[ Upstream commit f87e034d16e43af984380a95c32c25201b7759a7 ]
Use next_input_key instead of counter_id to set HCLGE_FD_AD_NXT_KEY.
Fixes: 117328680288 ("net: hns3: Add input key and action config support for flow director")
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Link: https://patch.msgid.link/20260119132840.410513-3-shaojijie@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
index 8dd970ef02ac6..7468e03051ea4 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -5700,7 +5700,7 @@ static int hclge_fd_ad_config(struct hclge_dev *hdev, u8 stage, int loc,
HCLGE_FD_AD_COUNTER_NUM_S, action->counter_id);
hnae3_set_bit(ad_data, HCLGE_FD_AD_NXT_STEP_B, action->use_next_stage);
hnae3_set_field(ad_data, HCLGE_FD_AD_NXT_KEY_M, HCLGE_FD_AD_NXT_KEY_S,
- action->counter_id);
+ action->next_input_key);
req->ad_data = cpu_to_le64(ad_data);
ret = hclge_cmd_send(&hdev->hw, &desc, 1);
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 078/169] mISDN: annotate data-race around dev->work
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 077/169] net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 079/169] ipv6: annotate data-race in ndisc_router_discovery() Greg Kroah-Hartman
` (104 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 8175dbf174d487afab81e936a862a8d9b8a1ccb6 ]
dev->work can re read locklessly in mISDN_read()
and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations.
BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read
write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1:
misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline]
mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xce/0x140 fs/ioctl.c:583
__x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583
x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
read to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0:
mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112
do_loop_readv_writev fs/read_write.c:847 [inline]
vfs_readv+0x3fb/0x690 fs/read_write.c:1020
do_readv+0xe7/0x210 fs/read_write.c:1080
__do_sys_readv fs/read_write.c:1165 [inline]
__se_sys_readv fs/read_write.c:1162 [inline]
__x64_sys_readv+0x45/0x50 fs/read_write.c:1162
x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
value changed: 0x00000000 -> 0x00000001
Fixes: 1b2b03f8e514 ("Add mISDN core files")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260118132528.2349573-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/isdn/mISDN/timerdev.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/isdn/mISDN/timerdev.c b/drivers/isdn/mISDN/timerdev.c
index 7cfa8c61dba0a..b2df23234ed3c 100644
--- a/drivers/isdn/mISDN/timerdev.c
+++ b/drivers/isdn/mISDN/timerdev.c
@@ -109,14 +109,14 @@ mISDN_read(struct file *filep, char __user *buf, size_t count, loff_t *off)
spin_unlock_irq(&dev->lock);
if (filep->f_flags & O_NONBLOCK)
return -EAGAIN;
- wait_event_interruptible(dev->wait, (dev->work ||
+ wait_event_interruptible(dev->wait, (READ_ONCE(dev->work) ||
!list_empty(list)));
if (signal_pending(current))
return -ERESTARTSYS;
spin_lock_irq(&dev->lock);
}
if (dev->work)
- dev->work = 0;
+ WRITE_ONCE(dev->work, 0);
if (!list_empty(list)) {
timer = list_first_entry(list, struct mISDNtimer, list);
list_del(&timer->list);
@@ -141,13 +141,16 @@ mISDN_poll(struct file *filep, poll_table *wait)
if (*debug & DEBUG_TIMER)
printk(KERN_DEBUG "%s(%p, %p)\n", __func__, filep, wait);
if (dev) {
+ u32 work;
+
poll_wait(filep, &dev->wait, wait);
mask = 0;
- if (dev->work || !list_empty(&dev->expired))
+ work = READ_ONCE(dev->work);
+ if (work || !list_empty(&dev->expired))
mask |= (EPOLLIN | EPOLLRDNORM);
if (*debug & DEBUG_TIMER)
printk(KERN_DEBUG "%s work(%d) empty(%d)\n", __func__,
- dev->work, list_empty(&dev->expired));
+ work, list_empty(&dev->expired));
}
return mask;
}
@@ -172,7 +175,7 @@ misdn_add_timer(struct mISDNtimerdev *dev, int timeout)
struct mISDNtimer *timer;
if (!timeout) {
- dev->work = 1;
+ WRITE_ONCE(dev->work, 1);
wake_up_interruptible(&dev->wait);
id = 0;
} else {
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 079/169] ipv6: annotate data-race in ndisc_router_discovery()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 078/169] mISDN: annotate data-race around dev->work Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 080/169] usbnet: limit max_mtu based on devices hard_mtu Greg Kroah-Hartman
` (103 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet, Rocco Yue,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 9a063f96d87efc3a6cc667f8de096a3d38d74bb5 ]
syzbot found that ndisc_router_discovery() could read and write
in6_dev->ra_mtu without holding a lock [1]
This looks fine, IFLA_INET6_RA_MTU is best effort.
Add READ_ONCE()/WRITE_ONCE() to document the race.
Note that we might also reject illegal MTU values
(mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch.
[1]
BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery
read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1:
ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558
ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841
icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989
ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438
ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500
ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590
dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79
...
write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0:
ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559
ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841
icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989
ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438
ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500
ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590
dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79
...
value changed: 0x00000000 -> 0xe5400659
Fixes: 49b99da2c9ce ("ipv6: add IFLA_INET6_RA_MTU to expose mtu value")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Rocco Yue <rocco.yue@mediatek.com>
Link: https://patch.msgid.link/20260118152941.2563857-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ndisc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index d961e6c2d09d7..480c906cb374c 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1582,8 +1582,8 @@ static enum skb_drop_reason ndisc_router_discovery(struct sk_buff *skb)
memcpy(&n, ((u8 *)(ndopts.nd_opts_mtu+1))+2, sizeof(mtu));
mtu = ntohl(n);
- if (in6_dev->ra_mtu != mtu) {
- in6_dev->ra_mtu = mtu;
+ if (READ_ONCE(in6_dev->ra_mtu) != mtu) {
+ WRITE_ONCE(in6_dev->ra_mtu, mtu);
send_ifinfo_notify = true;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 080/169] usbnet: limit max_mtu based on devices hard_mtu
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 079/169] ipv6: annotate data-race in ndisc_router_discovery() Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 081/169] clocksource: Reduce watchdog readout delay limit to prevent false positives Greg Kroah-Hartman
` (102 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Vivier, Stefano Brivio,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurent Vivier <lvivier@redhat.com>
[ Upstream commit c7159e960f1472a5493ac99aff0086ab1d683594 ]
The usbnet driver initializes net->max_mtu to ETH_MAX_MTU before calling
the device's bind() callback. When the bind() callback sets
dev->hard_mtu based the device's actual capability (from CDC Ethernet's
wMaxSegmentSize descriptor), max_mtu is never updated to reflect this
hardware limitation).
This allows userspace (DHCP or IPv6 RA) to configure MTU larger than the
device can handle, leading to silent packet drops when the backend sends
packet exceeding the device's buffer size.
Fix this by limiting net->max_mtu to the device's hard_mtu after the
bind callback returns.
See https://gitlab.com/qemu-project/qemu/-/issues/3268 and
https://bugs.passt.top/attachment.cgi?bugid=189
Fixes: f77f0aee4da4 ("net: use core MTU range checking in USB NIC drivers")
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Link: https://bugs.passt.top/show_bug.cgi?id=189
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Link: https://patch.msgid.link/20260119075518.2774373-1-lvivier@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/usbnet.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index f1f61d85d9498..f4a05737abf7a 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1797,9 +1797,12 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
if ((dev->driver_info->flags & FLAG_NOARP) != 0)
net->flags |= IFF_NOARP;
- /* maybe the remote can't receive an Ethernet MTU */
- if (net->mtu > (dev->hard_mtu - net->hard_header_len))
- net->mtu = dev->hard_mtu - net->hard_header_len;
+ if (net->max_mtu > (dev->hard_mtu - net->hard_header_len))
+ net->max_mtu = dev->hard_mtu - net->hard_header_len;
+
+ if (net->mtu > net->max_mtu)
+ net->mtu = net->max_mtu;
+
} else if (!info->in || !info->out)
status = usbnet_get_endpoints (dev, udev);
else {
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 081/169] clocksource: Reduce watchdog readout delay limit to prevent false positives
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 080/169] usbnet: limit max_mtu based on devices hard_mtu Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 082/169] sched/fair: Fix pelt clock sync when entering idle Greg Kroah-Hartman
` (101 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel J Blueman, Thomas Gleixner,
Paul E. McKenney, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit c06343be0b4e03fe319910dd7a5d5b9929e1c0cb ]
The "valid" readout delay between the two reads of the watchdog is larger
than the valid delta between the resulting watchdog and clocksource
intervals, which results in false positive watchdog results.
Assume TSC is the clocksource and HPET is the watchdog and both have a
uncertainty margin of 250us (default). The watchdog readout does:
1) wdnow = read(HPET);
2) csnow = read(TSC);
3) wdend = read(HPET);
The valid window for the delta between #1 and #3 is calculated by the
uncertainty margins of the watchdog and the clocksource:
m = 2 * watchdog.uncertainty_margin + cs.uncertainty margin;
which results in 750us for the TSC/HPET case.
The actual interval comparison uses a smaller margin:
m = watchdog.uncertainty_margin + cs.uncertainty margin;
which results in 500us for the TSC/HPET case.
That means the following scenario will trigger the watchdog:
Watchdog cycle N:
1) wdnow[N] = read(HPET);
2) csnow[N] = read(TSC);
3) wdend[N] = read(HPET);
Assume the delay between #1 and #2 is 100us and the delay between #1 and
Watchdog cycle N + 1:
4) wdnow[N + 1] = read(HPET);
5) csnow[N + 1] = read(TSC);
6) wdend[N + 1] = read(HPET);
If the delay between #4 and #6 is within the 750us margin then any delay
between #4 and #5 which is larger than 600us will fail the interval check
and mark the TSC unstable because the intervals are calculated against the
previous value:
wd_int = wdnow[N + 1] - wdnow[N];
cs_int = csnow[N + 1] - csnow[N];
Putting the above delays in place this results in:
cs_int = (wdnow[N + 1] + 610us) - (wdnow[N] + 100us);
-> cs_int = wd_int + 510us;
which is obviously larger than the allowed 500us margin and results in
marking TSC unstable.
Fix this by using the same margin as the interval comparison. If the delay
between two watchdog reads is larger than that, then the readout was either
disturbed by interconnect congestion, NMIs or SMIs.
Fixes: 4ac1dd3245b9 ("clocksource: Set cs_watchdog_read() checks based on .uncertainty_margin")
Reported-by: Daniel J Blueman <daniel@quora.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
Tested-by: Paul E. McKenney <paulmck@kernel.org>
Link: https://lore.kernel.org/lkml/20250602223251.496591-1-daniel@quora.org/
Link: https://patch.msgid.link/87bjjxc9dq.ffs@tglx
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/clocksource.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
index ae862ad9642cb..df386912f9613 100644
--- a/kernel/time/clocksource.c
+++ b/kernel/time/clocksource.c
@@ -244,7 +244,7 @@ enum wd_read_status {
static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow)
{
- int64_t md = 2 * watchdog->uncertainty_margin;
+ int64_t md = watchdog->uncertainty_margin;
unsigned int nretries, max_retries;
int64_t wd_delay, wd_seq_delay;
u64 wd_end, wd_end2;
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 082/169] sched/fair: Fix pelt clock sync when entering idle
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 081/169] clocksource: Reduce watchdog readout delay limit to prevent false positives Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 083/169] drm/amd/pm: Dont clear SI SMC table when setting power limit Greg Kroah-Hartman
` (100 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samuel Wu, Alex Hoh, Vincent Guittot,
Peter Zijlstra (Intel), Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vincent Guittot <vincent.guittot@linaro.org>
[ Upstream commit 98c88dc8a1ace642d9021b103b28cba7b51e3abc ]
Samuel and Alex reported regressions of the util_avg of RT rq with
commit 17e3e88ed0b6 ("sched/fair: Fix pelt lost idle time detection").
It happens that fair is updating and syncing the pelt clock with task one
when pick_next_task_fair() fails to pick a task but before the prev
scheduling class got a chance to update its pelt signals.
Move update_idle_rq_clock_pelt() in set_next_task_idle() which is called
after prev class has been called.
Fixes: 17e3e88ed0b6 ("sched/fair: Fix pelt lost idle time detection")
Closes: https://lore.kernel.org/all/CAG2KctpO6VKS6GN4QWDji0t92_gNBJ7HjjXrE+6H+RwRXt=iLg@mail.gmail.com/
Closes: https://lore.kernel.org/all/8cf19bf0e0054dcfed70e9935029201694f1bb5a.camel@mediatek.com/
Reported-by: Samuel Wu <wusamuel@google.com>
Reported-by: Alex Hoh <Alex.Hoh@mediatek.com>
Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Samuel Wu <wusamuel@google.com>
Tested-by: Alex Hoh <Alex.Hoh@mediatek.com>
Link: https://patch.msgid.link/20260121163317.505635-1-vincent.guittot@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/fair.c | 6 ------
kernel/sched/idle.c | 6 ++++++
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 1436d6bb86ec4..6efb1dfcd943a 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -9033,12 +9033,6 @@ pick_next_task_fair(struct rq *rq, struct task_struct *prev, struct rq_flags *rf
goto again;
}
- /*
- * rq is about to be idle, check if we need to update the
- * lost_idle_time of clock_pelt
- */
- update_idle_rq_clock_pelt(rq);
-
return NULL;
}
diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c
index 53bb9193c537a..624ef809f6715 100644
--- a/kernel/sched/idle.c
+++ b/kernel/sched/idle.c
@@ -462,6 +462,12 @@ static void set_next_task_idle(struct rq *rq, struct task_struct *next, bool fir
scx_update_idle(rq, true, true);
schedstat_inc(rq->sched_goidle);
next->se.exec_start = rq_clock_task(rq);
+
+ /*
+ * rq is about to be idle, check if we need to update the
+ * lost_idle_time of clock_pelt
+ */
+ update_idle_rq_clock_pelt(rq);
}
struct task_struct *pick_task_idle(struct rq *rq)
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 083/169] drm/amd/pm: Dont clear SI SMC table when setting power limit
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 082/169] sched/fair: Fix pelt clock sync when entering idle Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 084/169] drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2) Greg Kroah-Hartman
` (99 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Deucher, Timur Kristóf,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit d5077426e1a76d269e518e048bde2e9fc49b32ad ]
There is no reason to clear the SMC table.
We also don't need to recalculate the power limit then.
Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit e214d626253f5b180db10dedab161b7caa41f5e9)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
index f6ba54cf701e7..45bde4f4c8515 100644
--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
+++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
@@ -2257,8 +2257,6 @@ static int si_populate_smc_tdp_limits(struct amdgpu_device *adev,
if (scaling_factor == 0)
return -EINVAL;
- memset(smc_table, 0, sizeof(SISLANDS_SMC_STATETABLE));
-
ret = si_calculate_adjusted_tdp_limits(adev,
false, /* ??? */
adev->pm.dpm.tdp_adjustment,
@@ -2312,16 +2310,8 @@ static int si_populate_smc_tdp_limits_2(struct amdgpu_device *adev,
if (ni_pi->enable_power_containment) {
SISLANDS_SMC_STATETABLE *smc_table = &si_pi->smc_statetable;
- u32 scaling_factor = si_get_smc_power_scaling_factor(adev);
int ret;
- memset(smc_table, 0, sizeof(SISLANDS_SMC_STATETABLE));
-
- smc_table->dpm2Params.NearTDPLimit =
- cpu_to_be32(si_scale_power_for_smc(adev->pm.dpm.near_tdp_limit_adjusted, scaling_factor) * 1000);
- smc_table->dpm2Params.SafePowerLimit =
- cpu_to_be32(si_scale_power_for_smc((adev->pm.dpm.near_tdp_limit_adjusted * SISLANDS_DPM2_TDP_SAFE_LIMIT_PERCENT) / 100, scaling_factor) * 1000);
-
ret = amdgpu_si_copy_bytes_to_smc(adev,
(si_pi->state_table_start +
offsetof(SISLANDS_SMC_STATETABLE, dpm2Params) +
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 084/169] drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2)
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 083/169] drm/amd/pm: Dont clear SI SMC table when setting power limit Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 085/169] drm/nouveau: add missing DCB connector types Greg Kroah-Hartman
` (98 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Deucher, Timur Kristóf,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 764a90eb02268a23b1bb98be5f4a13671346804a ]
Radeon 430 and 520 are OEM GPUs from 2016~2017
They have the same device id: 0x6611 and revision: 0x87
On the Radeon 430, powertune is buggy and throttles the GPU,
never allowing it to reach its maximum SCLK. Work around this
bug by raising the TDP limits we program to the SMC from
24W (specified by the VBIOS on Radeon 430) to 32W.
Disabling powertune entirely is not a viable workaround,
because it causes the Radeon 520 to heat up above 100 C,
which I prefer to avoid.
Additionally, revise the maximum SCLK limit. Considering the
above issue, these GPUs never reached a high SCLK on Linux,
and the workarounds were added before the GPUs were released,
so the workaround likely didn't target these specifically.
Use 780 MHz (the maximum SCLK according to the VBIOS on the
Radeon 430). Note that the Radeon 520 VBIOS has a higher
maximum SCLK: 905 MHz, but in practice it doesn't seem to
perform better with the higher clock, only heats up more.
v2:
Move the workaround to si_populate_smc_tdp_limits.
Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 966d70f1e160bdfdecaf7ff2b3f22ad088516e9f)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
index 45bde4f4c8515..29cecfab07042 100644
--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
+++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
@@ -2265,6 +2265,12 @@ static int si_populate_smc_tdp_limits(struct amdgpu_device *adev,
if (ret)
return ret;
+ if (adev->pdev->device == 0x6611 && adev->pdev->revision == 0x87) {
+ /* Workaround buggy powertune on Radeon 430 and 520. */
+ tdp_limit = 32;
+ near_tdp_limit = 28;
+ }
+
smc_table->dpm2Params.TDPLimit =
cpu_to_be32(si_scale_power_for_smc(tdp_limit, scaling_factor) * 1000);
smc_table->dpm2Params.NearTDPLimit =
@@ -3448,10 +3454,15 @@ static void si_apply_state_adjust_rules(struct amdgpu_device *adev,
(adev->pdev->revision == 0x80) ||
(adev->pdev->revision == 0x81) ||
(adev->pdev->revision == 0x83) ||
- (adev->pdev->revision == 0x87) ||
+ (adev->pdev->revision == 0x87 &&
+ adev->pdev->device != 0x6611) ||
(adev->pdev->device == 0x6604) ||
(adev->pdev->device == 0x6605)) {
max_sclk = 75000;
+ } else if (adev->pdev->revision == 0x87 &&
+ adev->pdev->device == 0x6611) {
+ /* Radeon 430 and 520 */
+ max_sclk = 78000;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 085/169] drm/nouveau: add missing DCB connector types
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 084/169] drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2) Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 086/169] drm/nouveau: implement missing DCB connector types; gracefully handle unknown connectors Greg Kroah-Hartman
` (97 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Ramírez, Lyude Paul,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Ramírez <lxrmrz732@rocketmail.com>
[ Upstream commit 3036b4ce4b209af690fa776e4616925892caba4c ]
* Add missing DCB connectors in conn.h as per the NVIDIA DCB specification.
A lot of connector logic was rewritten for Linux v6.5; some display connector types
went unaccounted-for which caused kernel warnings on devices with the now-unsupported
DCB connectors. This patch adds all of the DCB connectors as defined by NVIDIA to the
dcb_connector_type enum to bring back support for these connectors to the new logic.
Fixes: 8b7d92cad953 ("drm/nouveau/kms/nv50-: create connectors based on nvkm info")
Link: https://download.nvidia.com/open-gpu-doc/DCB/1/DCB-4.0-Specification.html#_connector_table_entry
Signed-off-by: Alex Ramírez <lxrmrz732@rocketmail.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
[Lyude: Clarify DCB_CONNECTOR_HDMI_0 weirdness in comments]
Signed-off-by: Lyude Paul <lyude@redhat.com>
Link: https://patch.msgid.link/20251213005327.9495-2-lxrmrz732@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../nouveau/include/nvkm/subdev/bios/conn.h | 95 +++++++++++++++----
1 file changed, 74 insertions(+), 21 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/include/nvkm/subdev/bios/conn.h b/drivers/gpu/drm/nouveau/include/nvkm/subdev/bios/conn.h
index d1beaad0c82b6..834ed6587aa52 100644
--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/bios/conn.h
+++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/bios/conn.h
@@ -1,28 +1,81 @@
/* SPDX-License-Identifier: MIT */
#ifndef __NVBIOS_CONN_H__
#define __NVBIOS_CONN_H__
+
+/*
+ * An enumerator representing all of the possible VBIOS connector types defined
+ * by Nvidia at
+ * https://nvidia.github.io/open-gpu-doc/DCB/DCB-4.x-Specification.html.
+ *
+ * [1] Nvidia's documentation actually claims DCB_CONNECTOR_HDMI_0 is a "3-Pin
+ * DIN Stereo Connector". This seems very likely to be a documentation typo
+ * or some sort of funny historical baggage, because we've treated this
+ * connector type as HDMI for years without issue.
+ * TODO: Check with Nvidia what's actually happening here.
+ */
enum dcb_connector_type {
- DCB_CONNECTOR_VGA = 0x00,
- DCB_CONNECTOR_TV_0 = 0x10,
- DCB_CONNECTOR_TV_1 = 0x11,
- DCB_CONNECTOR_TV_3 = 0x13,
- DCB_CONNECTOR_DVI_I = 0x30,
- DCB_CONNECTOR_DVI_D = 0x31,
- DCB_CONNECTOR_DMS59_0 = 0x38,
- DCB_CONNECTOR_DMS59_1 = 0x39,
- DCB_CONNECTOR_LVDS = 0x40,
- DCB_CONNECTOR_LVDS_SPWG = 0x41,
- DCB_CONNECTOR_DP = 0x46,
- DCB_CONNECTOR_eDP = 0x47,
- DCB_CONNECTOR_mDP = 0x48,
- DCB_CONNECTOR_HDMI_0 = 0x60,
- DCB_CONNECTOR_HDMI_1 = 0x61,
- DCB_CONNECTOR_HDMI_C = 0x63,
- DCB_CONNECTOR_DMS59_DP0 = 0x64,
- DCB_CONNECTOR_DMS59_DP1 = 0x65,
- DCB_CONNECTOR_WFD = 0x70,
- DCB_CONNECTOR_USB_C = 0x71,
- DCB_CONNECTOR_NONE = 0xff
+ /* Analog outputs */
+ DCB_CONNECTOR_VGA = 0x00, // VGA 15-pin connector
+ DCB_CONNECTOR_DVI_A = 0x01, // DVI-A
+ DCB_CONNECTOR_POD_VGA = 0x02, // Pod - VGA 15-pin connector
+ DCB_CONNECTOR_TV_0 = 0x10, // TV - Composite Out
+ DCB_CONNECTOR_TV_1 = 0x11, // TV - S-Video Out
+ DCB_CONNECTOR_TV_2 = 0x12, // TV - S-Video Breakout - Composite
+ DCB_CONNECTOR_TV_3 = 0x13, // HDTV Component - YPrPb
+ DCB_CONNECTOR_TV_SCART = 0x14, // TV - SCART Connector
+ DCB_CONNECTOR_TV_SCART_D = 0x16, // TV - Composite SCART over D-connector
+ DCB_CONNECTOR_TV_DTERM = 0x17, // HDTV - D-connector (EIAJ4120)
+ DCB_CONNECTOR_POD_TV_3 = 0x18, // Pod - HDTV - YPrPb
+ DCB_CONNECTOR_POD_TV_1 = 0x19, // Pod - S-Video
+ DCB_CONNECTOR_POD_TV_0 = 0x1a, // Pod - Composite
+
+ /* DVI digital outputs */
+ DCB_CONNECTOR_DVI_I_TV_1 = 0x20, // DVI-I-TV-S-Video
+ DCB_CONNECTOR_DVI_I_TV_0 = 0x21, // DVI-I-TV-Composite
+ DCB_CONNECTOR_DVI_I_TV_2 = 0x22, // DVI-I-TV-S-Video Breakout-Composite
+ DCB_CONNECTOR_DVI_I = 0x30, // DVI-I
+ DCB_CONNECTOR_DVI_D = 0x31, // DVI-D
+ DCB_CONNECTOR_DVI_ADC = 0x32, // Apple Display Connector (ADC)
+ DCB_CONNECTOR_DMS59_0 = 0x38, // LFH-DVI-I-1
+ DCB_CONNECTOR_DMS59_1 = 0x39, // LFH-DVI-I-2
+ DCB_CONNECTOR_BNC = 0x3c, // BNC Connector [for SDI?]
+
+ /* LVDS / TMDS digital outputs */
+ DCB_CONNECTOR_LVDS = 0x40, // LVDS-SPWG-Attached [is this name correct?]
+ DCB_CONNECTOR_LVDS_SPWG = 0x41, // LVDS-OEM-Attached (non-removable)
+ DCB_CONNECTOR_LVDS_REM = 0x42, // LVDS-SPWG-Detached [following naming above]
+ DCB_CONNECTOR_LVDS_SPWG_REM = 0x43, // LVDS-OEM-Detached (removable)
+ DCB_CONNECTOR_TMDS = 0x45, // TMDS-OEM-Attached (non-removable)
+
+ /* DP digital outputs */
+ DCB_CONNECTOR_DP = 0x46, // DisplayPort External Connector
+ DCB_CONNECTOR_eDP = 0x47, // DisplayPort Internal Connector
+ DCB_CONNECTOR_mDP = 0x48, // DisplayPort (Mini) External Connector
+
+ /* Dock outputs (not used) */
+ DCB_CONNECTOR_DOCK_VGA_0 = 0x50, // VGA 15-pin if not docked
+ DCB_CONNECTOR_DOCK_VGA_1 = 0x51, // VGA 15-pin if docked
+ DCB_CONNECTOR_DOCK_DVI_I_0 = 0x52, // DVI-I if not docked
+ DCB_CONNECTOR_DOCK_DVI_I_1 = 0x53, // DVI-I if docked
+ DCB_CONNECTOR_DOCK_DVI_D_0 = 0x54, // DVI-D if not docked
+ DCB_CONNECTOR_DOCK_DVI_D_1 = 0x55, // DVI-D if docked
+ DCB_CONNECTOR_DOCK_DP_0 = 0x56, // DisplayPort if not docked
+ DCB_CONNECTOR_DOCK_DP_1 = 0x57, // DisplayPort if docked
+ DCB_CONNECTOR_DOCK_mDP_0 = 0x58, // DisplayPort (Mini) if not docked
+ DCB_CONNECTOR_DOCK_mDP_1 = 0x59, // DisplayPort (Mini) if docked
+
+ /* HDMI? digital outputs */
+ DCB_CONNECTOR_HDMI_0 = 0x60, // HDMI? See [1] in top-level enum comment above
+ DCB_CONNECTOR_HDMI_1 = 0x61, // HDMI-A connector
+ DCB_CONNECTOR_SPDIF = 0x62, // Audio S/PDIF connector
+ DCB_CONNECTOR_HDMI_C = 0x63, // HDMI-C (Mini) connector
+
+ /* Misc. digital outputs */
+ DCB_CONNECTOR_DMS59_DP0 = 0x64, // LFH-DP-1
+ DCB_CONNECTOR_DMS59_DP1 = 0x65, // LFH-DP-2
+ DCB_CONNECTOR_WFD = 0x70, // Virtual connector for Wifi Display (WFD)
+ DCB_CONNECTOR_USB_C = 0x71, // [DP over USB-C; not present in docs]
+ DCB_CONNECTOR_NONE = 0xff // Skip Entry
};
struct nvbios_connT {
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 086/169] drm/nouveau: implement missing DCB connector types; gracefully handle unknown connectors
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 085/169] drm/nouveau: add missing DCB connector types Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 087/169] be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list Greg Kroah-Hartman
` (96 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Ramírez, Lyude Paul,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Ramírez <lxrmrz732@rocketmail.com>
[ Upstream commit d0bd10792d6cc3725ddee43f03fd6ee234f24844 ]
* Implement missing DCB connectors in uconn.c previously defined in conn.h.
* Replace kernel WARN_ON macro with printk message to more gracefully signify
an unknown connector was encountered.
With this patch, unknown connectors are explicitly marked with value 0
(DCB_CONNECTOR_VGA) to match the tested current behavior. Although 0xff
(DCB_CONNECTOR_NONE) may be more suitable, I don't want to introduce a
breaking change.
Fixes: 8b7d92cad953 ("drm/nouveau/kms/nv50-: create connectors based on nvkm info")
Link: https://download.nvidia.com/open-gpu-doc/DCB/1/DCB-4.0-Specification.html#_connector_table_entry
Signed-off-by: Alex Ramírez <lxrmrz732@rocketmail.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
[Lyude: Remove unneeded parenthesis around nvkm_warn()]
Signed-off-by: Lyude Paul <lyude@redhat.com>
Link: https://patch.msgid.link/20251213005327.9495-3-lxrmrz732@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/nouveau/nvkm/engine/disp/uconn.c | 73 ++++++++++++++-----
1 file changed, 53 insertions(+), 20 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c
index 2dab6612c4fc8..23d1e5c27bb1e 100644
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c
@@ -191,27 +191,60 @@ nvkm_uconn_new(const struct nvkm_oclass *oclass, void *argv, u32 argc, struct nv
spin_lock(&disp->client.lock);
if (!conn->object.func) {
switch (conn->info.type) {
- case DCB_CONNECTOR_VGA : args->v0.type = NVIF_CONN_V0_VGA; break;
- case DCB_CONNECTOR_TV_0 :
- case DCB_CONNECTOR_TV_1 :
- case DCB_CONNECTOR_TV_3 : args->v0.type = NVIF_CONN_V0_TV; break;
- case DCB_CONNECTOR_DMS59_0 :
- case DCB_CONNECTOR_DMS59_1 :
- case DCB_CONNECTOR_DVI_I : args->v0.type = NVIF_CONN_V0_DVI_I; break;
- case DCB_CONNECTOR_DVI_D : args->v0.type = NVIF_CONN_V0_DVI_D; break;
- case DCB_CONNECTOR_LVDS : args->v0.type = NVIF_CONN_V0_LVDS; break;
- case DCB_CONNECTOR_LVDS_SPWG: args->v0.type = NVIF_CONN_V0_LVDS_SPWG; break;
- case DCB_CONNECTOR_DMS59_DP0:
- case DCB_CONNECTOR_DMS59_DP1:
- case DCB_CONNECTOR_DP :
- case DCB_CONNECTOR_mDP :
- case DCB_CONNECTOR_USB_C : args->v0.type = NVIF_CONN_V0_DP; break;
- case DCB_CONNECTOR_eDP : args->v0.type = NVIF_CONN_V0_EDP; break;
- case DCB_CONNECTOR_HDMI_0 :
- case DCB_CONNECTOR_HDMI_1 :
- case DCB_CONNECTOR_HDMI_C : args->v0.type = NVIF_CONN_V0_HDMI; break;
+ /* VGA */
+ case DCB_CONNECTOR_DVI_A :
+ case DCB_CONNECTOR_POD_VGA :
+ case DCB_CONNECTOR_VGA : args->v0.type = NVIF_CONN_V0_VGA; break;
+
+ /* TV */
+ case DCB_CONNECTOR_TV_0 :
+ case DCB_CONNECTOR_TV_1 :
+ case DCB_CONNECTOR_TV_2 :
+ case DCB_CONNECTOR_TV_SCART :
+ case DCB_CONNECTOR_TV_SCART_D :
+ case DCB_CONNECTOR_TV_DTERM :
+ case DCB_CONNECTOR_POD_TV_3 :
+ case DCB_CONNECTOR_POD_TV_1 :
+ case DCB_CONNECTOR_POD_TV_0 :
+ case DCB_CONNECTOR_TV_3 : args->v0.type = NVIF_CONN_V0_TV; break;
+
+ /* DVI */
+ case DCB_CONNECTOR_DVI_I_TV_1 :
+ case DCB_CONNECTOR_DVI_I_TV_0 :
+ case DCB_CONNECTOR_DVI_I_TV_2 :
+ case DCB_CONNECTOR_DVI_ADC :
+ case DCB_CONNECTOR_DMS59_0 :
+ case DCB_CONNECTOR_DMS59_1 :
+ case DCB_CONNECTOR_DVI_I : args->v0.type = NVIF_CONN_V0_DVI_I; break;
+ case DCB_CONNECTOR_TMDS :
+ case DCB_CONNECTOR_DVI_D : args->v0.type = NVIF_CONN_V0_DVI_D; break;
+
+ /* LVDS */
+ case DCB_CONNECTOR_LVDS : args->v0.type = NVIF_CONN_V0_LVDS; break;
+ case DCB_CONNECTOR_LVDS_SPWG : args->v0.type = NVIF_CONN_V0_LVDS_SPWG; break;
+
+ /* DP */
+ case DCB_CONNECTOR_DMS59_DP0 :
+ case DCB_CONNECTOR_DMS59_DP1 :
+ case DCB_CONNECTOR_DP :
+ case DCB_CONNECTOR_mDP :
+ case DCB_CONNECTOR_USB_C : args->v0.type = NVIF_CONN_V0_DP; break;
+ case DCB_CONNECTOR_eDP : args->v0.type = NVIF_CONN_V0_EDP; break;
+
+ /* HDMI */
+ case DCB_CONNECTOR_HDMI_0 :
+ case DCB_CONNECTOR_HDMI_1 :
+ case DCB_CONNECTOR_HDMI_C : args->v0.type = NVIF_CONN_V0_HDMI; break;
+
+ /*
+ * Dock & unused outputs.
+ * BNC, SPDIF, WFD, and detached LVDS go here.
+ */
default:
- WARN_ON(1);
+ nvkm_warn(&disp->engine.subdev,
+ "unimplemented connector type 0x%02x\n",
+ conn->info.type);
+ args->v0.type = NVIF_CONN_V0_VGA;
ret = -EINVAL;
break;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 087/169] be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 086/169] drm/nouveau: implement missing DCB connector types; gracefully handle unknown connectors Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 088/169] selftests: net: amt: wait longer for connection before sending packets Greg Kroah-Hartman
` (95 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrey Vatoropin, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Vatoropin <a.vatoropin@crpt.ru>
[ Upstream commit 8215794403d264739cc676668087512950b2ff31 ]
When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is
set to false, the driver may request the PMAC_ID from the firmware of the
network card, and this function will store that PMAC_ID at the provided
address pmac_id. This is the contract of this function.
However, there is a location within the driver where both
pmac_id_valid == false and pmac_id == NULL are being passed. This could
result in dereferencing a NULL pointer.
To resolve this issue, it is necessary to pass the address of a stub
variable to the function.
Fixes: 95046b927a54 ("be2net: refactor MAC-addr setup code")
Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
Link: https://patch.msgid.link/20260120113734.20193-1-a.vatoropin@crpt.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/emulex/benet/be_cmds.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c
index 779f1324bb5f8..0cda78b78fb87 100644
--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
+++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
@@ -3797,6 +3797,7 @@ int be_cmd_get_perm_mac(struct be_adapter *adapter, u8 *mac)
{
int status;
bool pmac_valid = false;
+ u32 pmac_id;
eth_zero_addr(mac);
@@ -3809,7 +3810,7 @@ int be_cmd_get_perm_mac(struct be_adapter *adapter, u8 *mac)
adapter->if_handle, 0);
} else {
status = be_cmd_get_mac_from_list(adapter, mac, &pmac_valid,
- NULL, adapter->if_handle, 0);
+ &pmac_id, adapter->if_handle, 0);
}
return status;
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 088/169] selftests: net: amt: wait longer for connection before sending packets
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 087/169] be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 089/169] bonding: provide a net pointer to __skb_flow_dissect() Greg Kroah-Hartman
` (94 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Taehee Yoo, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Taehee Yoo <ap420073@gmail.com>
[ Upstream commit 04708606fd7bdc34b69089a4ff848ff36d7088f9 ]
Both send_mcast4() and send_mcast6() use sleep 2 to wait for the tunnel
connection between the gateway and the relay, and for the listener
socket to be created in the LISTENER namespace.
However, tests sometimes fail because packets are sent before the
connection is fully established.
Increase the waiting time to make the tests more reliable, and use
wait_local_port_listen() to explicitly wait for the listener socket.
Fixes: c08e8baea78e ("selftests: add amt interface selftest script")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Link: https://patch.msgid.link/20260120133930.863845-1-ap420073@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/amt.sh | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/net/amt.sh b/tools/testing/selftests/net/amt.sh
index d458b45c775b4..42957561c414a 100755
--- a/tools/testing/selftests/net/amt.sh
+++ b/tools/testing/selftests/net/amt.sh
@@ -73,6 +73,8 @@
# +------------------------+
#==============================================================================
+source lib.sh
+
readonly LISTENER=$(mktemp -u listener-XXXXXXXX)
readonly GATEWAY=$(mktemp -u gateway-XXXXXXXX)
readonly RELAY=$(mktemp -u relay-XXXXXXXX)
@@ -240,14 +242,15 @@ test_ipv6_forward()
send_mcast4()
{
- sleep 2
+ sleep 5
+ wait_local_port_listen ${LISTENER} 4000 udp
ip netns exec "${SOURCE}" bash -c \
'printf "%s %128s" 172.17.0.2 | nc -w 1 -u 239.0.0.1 4000' &
}
send_mcast6()
{
- sleep 2
+ wait_local_port_listen ${LISTENER} 6000 udp
ip netns exec "${SOURCE}" bash -c \
'printf "%s %128s" 2001:db8:3::2 | nc -w 1 -u ff0e::5:6 6000' &
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 089/169] bonding: provide a net pointer to __skb_flow_dissect()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 088/169] selftests: net: amt: wait longer for connection before sending packets Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 090/169] net: dsa: fix off-by-one in maximum bridge ID determination Greg Kroah-Hartman
` (93 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+c46409299c70a221415e,
Eric Dumazet, Matteo Croce, Stanislav Fomichev, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 5f9b329096596b7e53e07d041d7fca4cbe1be752 ]
After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect")
we have to provide a net pointer to __skb_flow_dissect(),
either via skb->dev, skb->sk, or a user provided pointer.
In the following case, syzbot was able to cook a bare skb.
WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053
Call Trace:
<TASK>
bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline]
__bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157
bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline]
bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline]
bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515
xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388
bpf_prog_run_xdp include/net/xdp.h:700 [inline]
bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421
bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390
bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703
__sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
Fixes: 58deb77cc52d ("bonding: balance ICMP echoes in layer3+4 mode")
Reported-by: syzbot+c46409299c70a221415e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/696faa23.050a0220.4cb9c.001f.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Matteo Croce <mcroce@redhat.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Link: https://patch.msgid.link/20260120161744.1893263-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 6f87d7e29e19b..b52f5f64e3abb 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -4263,8 +4263,9 @@ static bool bond_flow_dissect(struct bonding *bond, struct sk_buff *skb, const v
case BOND_XMIT_POLICY_ENCAP23:
case BOND_XMIT_POLICY_ENCAP34:
memset(fk, 0, sizeof(*fk));
- return __skb_flow_dissect(NULL, skb, &flow_keys_bonding,
- fk, data, l2_proto, nhoff, hlen, 0);
+ return __skb_flow_dissect(dev_net(bond->dev), skb,
+ &flow_keys_bonding, fk, data,
+ l2_proto, nhoff, hlen, 0);
default:
break;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 090/169] net: dsa: fix off-by-one in maximum bridge ID determination
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 089/169] bonding: provide a net pointer to __skb_flow_dissect() Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 091/169] octeontx2-af: Fix error handling Greg Kroah-Hartman
` (92 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit dfca045cd4d0ea07ff4198ba392be3e718acaddc ]
Prior to the blamed commit, the bridge_num range was from
0 to ds->max_num_bridges - 1. After the commit, it is from
1 to ds->max_num_bridges.
So this check:
if (bridge_num >= max)
return 0;
must be updated to:
if (bridge_num > max)
return 0;
in order to allow the last bridge_num value (==max) to be used.
This is easiest visible when a driver sets ds->max_num_bridges=1.
The observed behaviour is that even the first created bridge triggers
the netlink extack "Range of offloadable bridges exceeded" warning, and
is handled in software rather than being offloaded.
Fixes: 3f9bb0301d50 ("net: dsa: make dp->bridge_num one-based")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20260120211039.3228999-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/dsa/dsa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
index 97599e0d5a1d0..76a086e846c45 100644
--- a/net/dsa/dsa.c
+++ b/net/dsa/dsa.c
@@ -157,7 +157,7 @@ unsigned int dsa_bridge_num_get(const struct net_device *bridge_dev, int max)
bridge_num = find_next_zero_bit(&dsa_fwd_offloading_bridges,
DSA_MAX_NUM_OFFLOADING_BRIDGES,
1);
- if (bridge_num >= max)
+ if (bridge_num > max)
return 0;
set_bit(bridge_num, &dsa_fwd_offloading_bridges);
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 091/169] octeontx2-af: Fix error handling
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 090/169] net: dsa: fix off-by-one in maximum bridge ID determination Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 092/169] net: openvswitch: fix data race in ovs_vport_get_upcall_stats Greg Kroah-Hartman
` (91 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ratheesh Kannoth, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ratheesh Kannoth <rkannoth@marvell.com>
[ Upstream commit 19e4175e997a5b85eab97d522f00cc99abd1873c ]
This commit adds error handling and rollback logic to
rvu_mbox_handler_attach_resources() to properly clean up partially
attached resources when rvu_attach_block() fails.
Fixes: 746ea74241fa0 ("octeontx2-af: Add RVU block LF provisioning support")
Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
Link: https://patch.msgid.link/20260121033934.1900761-1-rkannoth@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/marvell/octeontx2/af/rvu.c | 86 ++++++++++++++-----
1 file changed, 64 insertions(+), 22 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
index 6575c422635b7..74201e0210bbf 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
@@ -1546,8 +1546,8 @@ static int rvu_get_attach_blkaddr(struct rvu *rvu, int blktype,
return -ENODEV;
}
-static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype,
- int num_lfs, struct rsrc_attach *attach)
+static int rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype,
+ int num_lfs, struct rsrc_attach *attach)
{
struct rvu_pfvf *pfvf = rvu_get_pfvf(rvu, pcifunc);
struct rvu_hwinfo *hw = rvu->hw;
@@ -1557,21 +1557,21 @@ static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype,
u64 cfg;
if (!num_lfs)
- return;
+ return -EINVAL;
blkaddr = rvu_get_attach_blkaddr(rvu, blktype, pcifunc, attach);
if (blkaddr < 0)
- return;
+ return -EFAULT;
block = &hw->block[blkaddr];
if (!block->lf.bmap)
- return;
+ return -ESRCH;
for (slot = 0; slot < num_lfs; slot++) {
/* Allocate the resource */
lf = rvu_alloc_rsrc(&block->lf);
if (lf < 0)
- return;
+ return -EFAULT;
cfg = (1ULL << 63) | (pcifunc << 8) | slot;
rvu_write64(rvu, blkaddr, block->lfcfg_reg |
@@ -1582,6 +1582,8 @@ static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype,
/* Set start MSIX vector for this LF within this PF/VF */
rvu_set_msix_offset(rvu, pfvf, block, lf);
}
+
+ return 0;
}
static int rvu_check_rsrc_availability(struct rvu *rvu,
@@ -1719,22 +1721,31 @@ int rvu_mbox_handler_attach_resources(struct rvu *rvu,
int err;
/* If first request, detach all existing attached resources */
- if (!attach->modify)
- rvu_detach_rsrcs(rvu, NULL, pcifunc);
+ if (!attach->modify) {
+ err = rvu_detach_rsrcs(rvu, NULL, pcifunc);
+ if (err)
+ return err;
+ }
mutex_lock(&rvu->rsrc_lock);
/* Check if the request can be accommodated */
err = rvu_check_rsrc_availability(rvu, attach, pcifunc);
if (err)
- goto exit;
+ goto fail1;
/* Now attach the requested resources */
- if (attach->npalf)
- rvu_attach_block(rvu, pcifunc, BLKTYPE_NPA, 1, attach);
+ if (attach->npalf) {
+ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_NPA, 1, attach);
+ if (err)
+ goto fail1;
+ }
- if (attach->nixlf)
- rvu_attach_block(rvu, pcifunc, BLKTYPE_NIX, 1, attach);
+ if (attach->nixlf) {
+ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_NIX, 1, attach);
+ if (err)
+ goto fail2;
+ }
if (attach->sso) {
/* RVU func doesn't know which exact LF or slot is attached
@@ -1744,33 +1755,64 @@ int rvu_mbox_handler_attach_resources(struct rvu *rvu,
*/
if (attach->modify)
rvu_detach_block(rvu, pcifunc, BLKTYPE_SSO);
- rvu_attach_block(rvu, pcifunc, BLKTYPE_SSO,
- attach->sso, attach);
+ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_SSO,
+ attach->sso, attach);
+ if (err)
+ goto fail3;
}
if (attach->ssow) {
if (attach->modify)
rvu_detach_block(rvu, pcifunc, BLKTYPE_SSOW);
- rvu_attach_block(rvu, pcifunc, BLKTYPE_SSOW,
- attach->ssow, attach);
+ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_SSOW,
+ attach->ssow, attach);
+ if (err)
+ goto fail4;
}
if (attach->timlfs) {
if (attach->modify)
rvu_detach_block(rvu, pcifunc, BLKTYPE_TIM);
- rvu_attach_block(rvu, pcifunc, BLKTYPE_TIM,
- attach->timlfs, attach);
+ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_TIM,
+ attach->timlfs, attach);
+ if (err)
+ goto fail5;
}
if (attach->cptlfs) {
if (attach->modify &&
rvu_attach_from_same_block(rvu, BLKTYPE_CPT, attach))
rvu_detach_block(rvu, pcifunc, BLKTYPE_CPT);
- rvu_attach_block(rvu, pcifunc, BLKTYPE_CPT,
- attach->cptlfs, attach);
+ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_CPT,
+ attach->cptlfs, attach);
+ if (err)
+ goto fail6;
}
-exit:
+ mutex_unlock(&rvu->rsrc_lock);
+ return 0;
+
+fail6:
+ if (attach->timlfs)
+ rvu_detach_block(rvu, pcifunc, BLKTYPE_TIM);
+
+fail5:
+ if (attach->ssow)
+ rvu_detach_block(rvu, pcifunc, BLKTYPE_SSOW);
+
+fail4:
+ if (attach->sso)
+ rvu_detach_block(rvu, pcifunc, BLKTYPE_SSO);
+
+fail3:
+ if (attach->nixlf)
+ rvu_detach_block(rvu, pcifunc, BLKTYPE_NIX);
+
+fail2:
+ if (attach->npalf)
+ rvu_detach_block(rvu, pcifunc, BLKTYPE_NPA);
+
+fail1:
mutex_unlock(&rvu->rsrc_lock);
return err;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 092/169] net: openvswitch: fix data race in ovs_vport_get_upcall_stats
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 091/169] octeontx2-af: Fix error handling Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 093/169] vsock/virtio: fix potential underflow in virtio_transport_get_credit() Greg Kroah-Hartman
` (90 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Yang, Ilya Maximets,
Eric Dumazet, Aaron Conole, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Yang <mmyangfl@gmail.com>
[ Upstream commit cc4816bdb08639e5cd9acb295a02d6f0f09736b4 ]
In ovs_vport_get_upcall_stats(), some statistics protected by
u64_stats_sync, are read and accumulated in ignorance of possible
u64_stats_fetch_retry() events. These statistics are already accumulated
by u64_stats_inc(). Fix this by reading them into temporary variables
first.
Fixes: 1933ea365aa7 ("net: openvswitch: Add support to count upcall packets")
Signed-off-by: David Yang <mmyangfl@gmail.com>
Acked-by: Ilya Maximets <i.maximets@ovn.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20260121072932.2360971-1-mmyangfl@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/vport.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/openvswitch/vport.c b/net/openvswitch/vport.c
index 8732f6e51ae5a..2a996858a9145 100644
--- a/net/openvswitch/vport.c
+++ b/net/openvswitch/vport.c
@@ -310,22 +310,23 @@ void ovs_vport_get_stats(struct vport *vport, struct ovs_vport_stats *stats)
*/
int ovs_vport_get_upcall_stats(struct vport *vport, struct sk_buff *skb)
{
+ u64 tx_success = 0, tx_fail = 0;
struct nlattr *nla;
int i;
- __u64 tx_success = 0;
- __u64 tx_fail = 0;
-
for_each_possible_cpu(i) {
const struct vport_upcall_stats_percpu *stats;
+ u64 n_success, n_fail;
unsigned int start;
stats = per_cpu_ptr(vport->upcall_stats, i);
do {
start = u64_stats_fetch_begin(&stats->syncp);
- tx_success += u64_stats_read(&stats->n_success);
- tx_fail += u64_stats_read(&stats->n_fail);
+ n_success = u64_stats_read(&stats->n_success);
+ n_fail = u64_stats_read(&stats->n_fail);
} while (u64_stats_fetch_retry(&stats->syncp, start));
+ tx_success += n_success;
+ tx_fail += n_fail;
}
nla = nla_nest_start_noflag(skb, OVS_VPORT_ATTR_UPCALL_STATS);
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 093/169] vsock/virtio: fix potential underflow in virtio_transport_get_credit()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 092/169] net: openvswitch: fix data race in ovs_vport_get_upcall_stats Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 094/169] vsock/test: fix seqpacket message bounds test Greg Kroah-Hartman
` (89 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefano Garzarella, Melbin K Mathew,
Luigi Leonardi, Michael S. Tsirkin, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Melbin K Mathew <mlbnkm1@gmail.com>
[ Upstream commit 3ef3d52a1a9860d094395c7a3e593f3aa26ff012 ]
The credit calculation in virtio_transport_get_credit() uses unsigned
arithmetic:
ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt);
If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes
are in flight, the subtraction can underflow and produce a large
positive value, potentially allowing more data to be queued than the
peer can handle.
Reuse virtio_transport_has_space() which already handles this case and
add a comment to make it clear why we are doing that.
Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Melbin K Mathew <mlbnkm1@gmail.com>
[Stefano: use virtio_transport_has_space() instead of duplicating the code]
[Stefano: tweak the commit message]
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
Link: https://patch.msgid.link/20260121093628.9941-2-sgarzare@redhat.com
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/vmw_vsock/virtio_transport_common.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index 4e8a9771a04d6..dfb8cad4259c2 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -28,6 +28,7 @@
static void virtio_transport_cancel_close_work(struct vsock_sock *vsk,
bool cancel_timeout);
+static s64 virtio_transport_has_space(struct virtio_vsock_sock *vvs);
static const struct virtio_transport *
virtio_transport_get_ops(struct vsock_sock *vsk)
@@ -497,9 +498,7 @@ u32 virtio_transport_get_credit(struct virtio_vsock_sock *vvs, u32 credit)
return 0;
spin_lock_bh(&vvs->tx_lock);
- ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt);
- if (ret > credit)
- ret = credit;
+ ret = min_t(u32, credit, virtio_transport_has_space(vvs));
vvs->tx_cnt += ret;
vvs->bytes_unsent += ret;
spin_unlock_bh(&vvs->tx_lock);
@@ -875,11 +874,14 @@ u32 virtio_transport_seqpacket_has_data(struct vsock_sock *vsk)
}
EXPORT_SYMBOL_GPL(virtio_transport_seqpacket_has_data);
-static s64 virtio_transport_has_space(struct vsock_sock *vsk)
+static s64 virtio_transport_has_space(struct virtio_vsock_sock *vvs)
{
- struct virtio_vsock_sock *vvs = vsk->trans;
s64 bytes;
+ /* Use s64 arithmetic so if the peer shrinks peer_buf_alloc while
+ * we have bytes in flight (tx_cnt - peer_fwd_cnt), the subtraction
+ * does not underflow.
+ */
bytes = (s64)vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt);
if (bytes < 0)
bytes = 0;
@@ -893,7 +895,7 @@ s64 virtio_transport_stream_has_space(struct vsock_sock *vsk)
s64 bytes;
spin_lock_bh(&vvs->tx_lock);
- bytes = virtio_transport_has_space(vsk);
+ bytes = virtio_transport_has_space(vvs);
spin_unlock_bh(&vvs->tx_lock);
return bytes;
@@ -1507,7 +1509,7 @@ static bool virtio_transport_space_update(struct sock *sk,
spin_lock_bh(&vvs->tx_lock);
vvs->peer_buf_alloc = le32_to_cpu(hdr->buf_alloc);
vvs->peer_fwd_cnt = le32_to_cpu(hdr->fwd_cnt);
- space_available = virtio_transport_has_space(vsk);
+ space_available = virtio_transport_has_space(vvs);
spin_unlock_bh(&vvs->tx_lock);
return space_available;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 094/169] vsock/test: fix seqpacket message bounds test
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 093/169] vsock/virtio: fix potential underflow in virtio_transport_get_credit() Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-02-11 7:50 ` Johan Korsnes
2026-01-28 15:22 ` [PATCH 6.12 095/169] vsock/virtio: cap TX credit to local buffer size Greg Kroah-Hartman
` (88 subsequent siblings)
182 siblings, 1 reply; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefano Garzarella,
Michael S. Tsirkin, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Garzarella <sgarzare@redhat.com>
[ Upstream commit 0a98de80136968bab7db37b16282b37f044694d3 ]
The test requires the sender (client) to send all messages before waking
up the receiver (server).
Since virtio-vsock had a bug and did not respect the size of the TX
buffer, this test worked, but now that we are going to fix the bug, the
test hangs because the sender would fill the TX buffer before waking up
the receiver.
Set the buffer size in the sender (client) as well, as we already do for
the receiver (server).
Fixes: 5c338112e48a ("test/vsock: rework message bounds test")
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260121093628.9941-3-sgarzare@redhat.com
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/vsock/vsock_test.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/tools/testing/vsock/vsock_test.c b/tools/testing/vsock/vsock_test.c
index 0c22ff7a8de2a..79ef11c0ab14f 100644
--- a/tools/testing/vsock/vsock_test.c
+++ b/tools/testing/vsock/vsock_test.c
@@ -359,6 +359,7 @@ static void test_stream_msg_peek_server(const struct test_opts *opts)
static void test_seqpacket_msg_bounds_client(const struct test_opts *opts)
{
+ unsigned long long sock_buf_size;
unsigned long curr_hash;
size_t max_msg_size;
int page_size;
@@ -371,6 +372,16 @@ static void test_seqpacket_msg_bounds_client(const struct test_opts *opts)
exit(EXIT_FAILURE);
}
+ sock_buf_size = SOCK_BUF_SIZE;
+
+ setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_MAX_SIZE,
+ sock_buf_size,
+ "setsockopt(SO_VM_SOCKETS_BUFFER_MAX_SIZE)");
+
+ setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_SIZE,
+ sock_buf_size,
+ "setsockopt(SO_VM_SOCKETS_BUFFER_SIZE)");
+
/* Wait, until receiver sets buffer size. */
control_expectln("SRVREADY");
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 094/169] vsock/test: fix seqpacket message bounds test
2026-01-28 15:22 ` [PATCH 6.12 094/169] vsock/test: fix seqpacket message bounds test Greg Kroah-Hartman
@ 2026-02-11 7:50 ` Johan Korsnes
2026-02-11 8:30 ` Stefano Garzarella
0 siblings, 1 reply; 190+ messages in thread
From: Johan Korsnes @ 2026-02-11 7:50 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, Stefano Garzarella, Michael S. Tsirkin, Paolo Abeni,
Sasha Levin
On 28/01/2026 16:22, Greg Kroah-Hartman wrote:
> 6.12-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Stefano Garzarella <sgarzare@redhat.com>
>
> [ Upstream commit 0a98de80136968bab7db37b16282b37f044694d3 ]
>
> The test requires the sender (client) to send all messages before waking
> up the receiver (server).
> Since virtio-vsock had a bug and did not respect the size of the TX
> buffer, this test worked, but now that we are going to fix the bug, the
> test hangs because the sender would fill the TX buffer before waking up
> the receiver.
>
> Set the buffer size in the sender (client) as well, as we already do for
> the receiver (server).
>
> Fixes: 5c338112e48a ("test/vsock: rework message bounds test")
> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
> Link: https://patch.msgid.link/20260121093628.9941-3-sgarzare@redhat.com
> Acked-by: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> tools/testing/vsock/vsock_test.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/tools/testing/vsock/vsock_test.c b/tools/testing/vsock/vsock_test.c
> index 0c22ff7a8de2a..79ef11c0ab14f 100644
> --- a/tools/testing/vsock/vsock_test.c
> +++ b/tools/testing/vsock/vsock_test.c
> @@ -359,6 +359,7 @@ static void test_stream_msg_peek_server(const struct test_opts *opts)
>
> static void test_seqpacket_msg_bounds_client(const struct test_opts *opts)
> {
> + unsigned long long sock_buf_size;
> unsigned long curr_hash;
> size_t max_msg_size;
> int page_size;
> @@ -371,6 +372,16 @@ static void test_seqpacket_msg_bounds_client(const struct test_opts *opts)
> exit(EXIT_FAILURE);
> }
>
> + sock_buf_size = SOCK_BUF_SIZE;
> +
> + setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_MAX_SIZE,
> + sock_buf_size,
> + "setsockopt(SO_VM_SOCKETS_BUFFER_MAX_SIZE)");
Hi Greg,
This patch causes build failure as the setsockopt_ull_check() function
does not seem to be defined in the 6.12 tree.
Kind regards,
Johan Korsnes
> +
> + setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_SIZE,
> + sock_buf_size,
> + "setsockopt(SO_VM_SOCKETS_BUFFER_SIZE)");
> +
> /* Wait, until receiver sets buffer size. */
> control_expectln("SRVREADY");
>
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 094/169] vsock/test: fix seqpacket message bounds test
2026-02-11 7:50 ` Johan Korsnes
@ 2026-02-11 8:30 ` Stefano Garzarella
2026-02-11 8:58 ` Johan Korsnes
0 siblings, 1 reply; 190+ messages in thread
From: Stefano Garzarella @ 2026-02-11 8:30 UTC (permalink / raw)
To: Johan Korsnes
Cc: Greg Kroah-Hartman, stable, patches, Michael S. Tsirkin,
Paolo Abeni, Sasha Levin
On Wed, Feb 11, 2026 at 08:50:11AM +0100, Johan Korsnes wrote:
>On 28/01/2026 16:22, Greg Kroah-Hartman wrote:
>> 6.12-stable review patch. If anyone has any objections, please let me know.
>>
>> ------------------
>>
>> From: Stefano Garzarella <sgarzare@redhat.com>
>>
>> [ Upstream commit 0a98de80136968bab7db37b16282b37f044694d3 ]
>>
>> The test requires the sender (client) to send all messages before waking
>> up the receiver (server).
>> Since virtio-vsock had a bug and did not respect the size of the TX
>> buffer, this test worked, but now that we are going to fix the bug, the
>> test hangs because the sender would fill the TX buffer before waking up
>> the receiver.
>>
>> Set the buffer size in the sender (client) as well, as we already do for
>> the receiver (server).
>>
>> Fixes: 5c338112e48a ("test/vsock: rework message bounds test")
>> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
>> Link: https://patch.msgid.link/20260121093628.9941-3-sgarzare@redhat.com
>> Acked-by: Michael S. Tsirkin <mst@redhat.com>
>> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>> ---
>> tools/testing/vsock/vsock_test.c | 11 +++++++++++
>> 1 file changed, 11 insertions(+)
>>
>> diff --git a/tools/testing/vsock/vsock_test.c b/tools/testing/vsock/vsock_test.c
>> index 0c22ff7a8de2a..79ef11c0ab14f 100644
>> --- a/tools/testing/vsock/vsock_test.c
>> +++ b/tools/testing/vsock/vsock_test.c
>> @@ -359,6 +359,7 @@ static void test_stream_msg_peek_server(const struct test_opts *opts)
>>
>> static void test_seqpacket_msg_bounds_client(const struct test_opts *opts)
>> {
>> + unsigned long long sock_buf_size;
>> unsigned long curr_hash;
>> size_t max_msg_size;
>> int page_size;
>> @@ -371,6 +372,16 @@ static void test_seqpacket_msg_bounds_client(const struct test_opts *opts)
>> exit(EXIT_FAILURE);
>> }
>>
>> + sock_buf_size = SOCK_BUF_SIZE;
>> +
>> + setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_MAX_SIZE,
>> + sock_buf_size,
>> + "setsockopt(SO_VM_SOCKETS_BUFFER_MAX_SIZE)");
>
>Hi Greg,
>
>This patch causes build failure as the setsockopt_ull_check() function
>does not seem to be defined in the 6.12 tree.
I guess just when you build vsock_test, right?
BTW to fix that we should backport commit 86814d8ffd55 ("vsock/test:
verify socket options after setting them").
I tried to cherry-pick it on current linux-6.12.y and apply clean.
Greg, let me know if I should send a proper patch for 6.12.
Thanks,
Stefano
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 094/169] vsock/test: fix seqpacket message bounds test
2026-02-11 8:30 ` Stefano Garzarella
@ 2026-02-11 8:58 ` Johan Korsnes
2026-02-11 11:37 ` Greg Kroah-Hartman
0 siblings, 1 reply; 190+ messages in thread
From: Johan Korsnes @ 2026-02-11 8:58 UTC (permalink / raw)
To: Stefano Garzarella
Cc: Greg Kroah-Hartman, stable, patches, Michael S. Tsirkin,
Paolo Abeni, Sasha Levin
On 11/02/2026 09:30, Stefano Garzarella wrote:
> On Wed, Feb 11, 2026 at 08:50:11AM +0100, Johan Korsnes wrote:
>> On 28/01/2026 16:22, Greg Kroah-Hartman wrote:
>>> 6.12-stable review patch. If anyone has any objections, please let me know.
>>>
>>> ------------------
>>>
>>> From: Stefano Garzarella <sgarzare@redhat.com>
>>>
>>> [ Upstream commit 0a98de80136968bab7db37b16282b37f044694d3 ]
>>>
>>> The test requires the sender (client) to send all messages before waking
>>> up the receiver (server).
>>> Since virtio-vsock had a bug and did not respect the size of the TX
>>> buffer, this test worked, but now that we are going to fix the bug, the
>>> test hangs because the sender would fill the TX buffer before waking up
>>> the receiver.
>>>
>>> Set the buffer size in the sender (client) as well, as we already do for
>>> the receiver (server).
>>>
>>> Fixes: 5c338112e48a ("test/vsock: rework message bounds test")
>>> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
>>> Link: https://patch.msgid.link/20260121093628.9941-3-sgarzare@redhat.com
>>> Acked-by: Michael S. Tsirkin <mst@redhat.com>
>>> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
>>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>>> ---
>>> tools/testing/vsock/vsock_test.c | 11 +++++++++++
>>> 1 file changed, 11 insertions(+)
>>>
>>> diff --git a/tools/testing/vsock/vsock_test.c b/tools/testing/vsock/vsock_test.c
>>> index 0c22ff7a8de2a..79ef11c0ab14f 100644
>>> --- a/tools/testing/vsock/vsock_test.c
>>> +++ b/tools/testing/vsock/vsock_test.c
>>> @@ -359,6 +359,7 @@ static void test_stream_msg_peek_server(const struct test_opts *opts)
>>>
>>> static void test_seqpacket_msg_bounds_client(const struct test_opts *opts)
>>> {
>>> + unsigned long long sock_buf_size;
>>> unsigned long curr_hash;
>>> size_t max_msg_size;
>>> int page_size;
>>> @@ -371,6 +372,16 @@ static void test_seqpacket_msg_bounds_client(const struct test_opts *opts)
>>> exit(EXIT_FAILURE);
>>> }
>>>
>>> + sock_buf_size = SOCK_BUF_SIZE;
>>> +
>>> + setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_MAX_SIZE,
>>> + sock_buf_size,
>>> + "setsockopt(SO_VM_SOCKETS_BUFFER_MAX_SIZE)");
>>
>> Hi Greg,
>>
>> This patch causes build failure as the setsockopt_ull_check() function
>> does not seem to be defined in the 6.12 tree.
>
> I guess just when you build vsock_test, right?
>
Correct. I should have specified that.
> BTW to fix that we should backport commit 86814d8ffd55 ("vsock/test:
> verify socket options after setting them").
>
> I tried to cherry-pick it on current linux-6.12.y and apply clean.
>
I can confirm it builds fine after cherry-picking that commit.
Kind regards,
Johan
> Greg, let me know if I should send a proper patch for 6.12.
>
> Thanks,
> Stefano
>
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 094/169] vsock/test: fix seqpacket message bounds test
2026-02-11 8:58 ` Johan Korsnes
@ 2026-02-11 11:37 ` Greg Kroah-Hartman
2026-02-11 12:15 ` Stefano Garzarella
0 siblings, 1 reply; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-02-11 11:37 UTC (permalink / raw)
To: Johan Korsnes
Cc: Stefano Garzarella, stable, patches, Michael S. Tsirkin,
Paolo Abeni, Sasha Levin
On Wed, Feb 11, 2026 at 09:58:08AM +0100, Johan Korsnes wrote:
> On 11/02/2026 09:30, Stefano Garzarella wrote:
> > On Wed, Feb 11, 2026 at 08:50:11AM +0100, Johan Korsnes wrote:
> >> On 28/01/2026 16:22, Greg Kroah-Hartman wrote:
> >>> 6.12-stable review patch. If anyone has any objections, please let me know.
> >>>
> >>> ------------------
> >>>
> >>> From: Stefano Garzarella <sgarzare@redhat.com>
> >>>
> >>> [ Upstream commit 0a98de80136968bab7db37b16282b37f044694d3 ]
> >>>
> >>> The test requires the sender (client) to send all messages before waking
> >>> up the receiver (server).
> >>> Since virtio-vsock had a bug and did not respect the size of the TX
> >>> buffer, this test worked, but now that we are going to fix the bug, the
> >>> test hangs because the sender would fill the TX buffer before waking up
> >>> the receiver.
> >>>
> >>> Set the buffer size in the sender (client) as well, as we already do for
> >>> the receiver (server).
> >>>
> >>> Fixes: 5c338112e48a ("test/vsock: rework message bounds test")
> >>> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
> >>> Link: https://patch.msgid.link/20260121093628.9941-3-sgarzare@redhat.com
> >>> Acked-by: Michael S. Tsirkin <mst@redhat.com>
> >>> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> >>> Signed-off-by: Sasha Levin <sashal@kernel.org>
> >>> ---
> >>> tools/testing/vsock/vsock_test.c | 11 +++++++++++
> >>> 1 file changed, 11 insertions(+)
> >>>
> >>> diff --git a/tools/testing/vsock/vsock_test.c b/tools/testing/vsock/vsock_test.c
> >>> index 0c22ff7a8de2a..79ef11c0ab14f 100644
> >>> --- a/tools/testing/vsock/vsock_test.c
> >>> +++ b/tools/testing/vsock/vsock_test.c
> >>> @@ -359,6 +359,7 @@ static void test_stream_msg_peek_server(const struct test_opts *opts)
> >>>
> >>> static void test_seqpacket_msg_bounds_client(const struct test_opts *opts)
> >>> {
> >>> + unsigned long long sock_buf_size;
> >>> unsigned long curr_hash;
> >>> size_t max_msg_size;
> >>> int page_size;
> >>> @@ -371,6 +372,16 @@ static void test_seqpacket_msg_bounds_client(const struct test_opts *opts)
> >>> exit(EXIT_FAILURE);
> >>> }
> >>>
> >>> + sock_buf_size = SOCK_BUF_SIZE;
> >>> +
> >>> + setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_MAX_SIZE,
> >>> + sock_buf_size,
> >>> + "setsockopt(SO_VM_SOCKETS_BUFFER_MAX_SIZE)");
> >>
> >> Hi Greg,
> >>
> >> This patch causes build failure as the setsockopt_ull_check() function
> >> does not seem to be defined in the 6.12 tree.
> >
> > I guess just when you build vsock_test, right?
> >
>
> Correct. I should have specified that.
>
> > BTW to fix that we should backport commit 86814d8ffd55 ("vsock/test:
> > verify socket options after setting them").
> >
> > I tried to cherry-pick it on current linux-6.12.y and apply clean.
> >
>
> I can confirm it builds fine after cherry-picking that commit.
>
> Kind regards,
> Johan
>
> > Greg, let me know if I should send a proper patch for 6.12.
Great! Can you send a proper patch for 6.12.y for this?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 094/169] vsock/test: fix seqpacket message bounds test
2026-02-11 11:37 ` Greg Kroah-Hartman
@ 2026-02-11 12:15 ` Stefano Garzarella
0 siblings, 0 replies; 190+ messages in thread
From: Stefano Garzarella @ 2026-02-11 12:15 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Johan Korsnes, stable, patches, Michael S. Tsirkin, Paolo Abeni,
Sasha Levin
On Wed, Feb 11, 2026 at 12:37:20PM +0100, Greg Kroah-Hartman wrote:
>On Wed, Feb 11, 2026 at 09:58:08AM +0100, Johan Korsnes wrote:
>> On 11/02/2026 09:30, Stefano Garzarella wrote:
>> > On Wed, Feb 11, 2026 at 08:50:11AM +0100, Johan Korsnes wrote:
[...]
>> >> Hi Greg,
>> >>
>> >> This patch causes build failure as the setsockopt_ull_check() function
>> >> does not seem to be defined in the 6.12 tree.
>> >
>> > I guess just when you build vsock_test, right?
>> >
>>
>> Correct. I should have specified that.
>>
>> > BTW to fix that we should backport commit 86814d8ffd55 ("vsock/test:
>> > verify socket options after setting them").
>> >
>> > I tried to cherry-pick it on current linux-6.12.y and apply clean.
>> >
>>
>> I can confirm it builds fine after cherry-picking that commit.
>>
>> Kind regards,
>> Johan
>>
>> > Greg, let me know if I should send a proper patch for 6.12.
>
>Great! Can you send a proper patch for 6.12.y for this?
Done, I discovered that a similar issue is also in 6.6.y so I sent a fix
also for that tree:
- 6.12.y:
https://lore.kernel.org/stable/20260211115948.108140-1-sgarzare@redhat.com/
- 6.6.y:
https://lore.kernel.org/stable/20260211121135.116071-1-sgarzare@redhat.com/
Thanks,
Stefano
^ permalink raw reply [flat|nested] 190+ messages in thread
* [PATCH 6.12 095/169] vsock/virtio: cap TX credit to local buffer size
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 094/169] vsock/test: fix seqpacket message bounds test Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:22 ` [PATCH 6.12 096/169] net/sched: act_ife: avoid possible NULL deref Greg Kroah-Hartman
` (87 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefano Garzarella, Melbin K Mathew,
Luigi Leonardi, Michael S. Tsirkin, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Melbin K Mathew <mlbnkm1@gmail.com>
[ Upstream commit 8ee784fdf006cbe8739cfa093f54d326cbf54037 ]
The virtio transports derives its TX credit directly from peer_buf_alloc,
which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value.
On the host side this means that the amount of data we are willing to
queue for a connection is scaled by a guest-chosen buffer size, rather
than the host's own vsock configuration. A malicious guest can advertise
a large buffer and read slowly, causing the host to allocate a
correspondingly large amount of sk_buff memory.
The same thing would happen in the guest with a malicious host, since
virtio transports share the same code base.
Introduce a small helper, virtio_transport_tx_buf_size(), that
returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume
peer_buf_alloc.
This ensures the effective TX window is bounded by both the peer's
advertised buffer and our own buf_alloc (already clamped to
buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer
cannot force the other to queue more data than allowed by its own
vsock settings.
On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with
32 guest vsock connections advertising 2 GiB each and reading slowly
drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only
recovered after killing the QEMU process. That said, if QEMU memory is
limited with cgroups, the maximum memory used will be limited.
With this patch applied:
Before:
MemFree: ~61.6 GiB
Slab: ~142 MiB
SUnreclaim: ~117 MiB
After 32 high-credit connections:
MemFree: ~61.5 GiB
Slab: ~178 MiB
SUnreclaim: ~152 MiB
Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest
remains responsive.
Compatibility with non-virtio transports:
- VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per
socket based on the local vsk->buffer_* values; the remote side
cannot enlarge those queues beyond what the local endpoint
configured.
- Hyper-V's vsock transport uses fixed-size VMBus ring buffers and
an MTU bound; there is no peer-controlled credit field comparable
to peer_buf_alloc, and the remote endpoint cannot drive in-flight
kernel memory above those ring sizes.
- The loopback path reuses virtio_transport_common.c, so it
naturally follows the same semantics as the virtio transport.
This change is limited to virtio_transport_common.c and thus affects
virtio-vsock, vhost-vsock, and loopback, bringing them in line with the
"remote window intersected with local policy" behaviour that VMCI and
Hyper-V already effectively have.
Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Melbin K Mathew <mlbnkm1@gmail.com>
[Stefano: small adjustments after changing the previous patch]
[Stefano: tweak the commit message]
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
Link: https://patch.msgid.link/20260121093628.9941-4-sgarzare@redhat.com
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/vmw_vsock/virtio_transport_common.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index dfb8cad4259c2..a2f0f81be1d5d 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -819,6 +819,15 @@ virtio_transport_seqpacket_dequeue(struct vsock_sock *vsk,
}
EXPORT_SYMBOL_GPL(virtio_transport_seqpacket_dequeue);
+static u32 virtio_transport_tx_buf_size(struct virtio_vsock_sock *vvs)
+{
+ /* The peer advertises its receive buffer via peer_buf_alloc, but we
+ * cap it to our local buf_alloc so a remote peer cannot force us to
+ * queue more data than our own buffer configuration allows.
+ */
+ return min(vvs->peer_buf_alloc, vvs->buf_alloc);
+}
+
int
virtio_transport_seqpacket_enqueue(struct vsock_sock *vsk,
struct msghdr *msg,
@@ -828,7 +837,7 @@ virtio_transport_seqpacket_enqueue(struct vsock_sock *vsk,
spin_lock_bh(&vvs->tx_lock);
- if (len > vvs->peer_buf_alloc) {
+ if (len > virtio_transport_tx_buf_size(vvs)) {
spin_unlock_bh(&vvs->tx_lock);
return -EMSGSIZE;
}
@@ -882,7 +891,8 @@ static s64 virtio_transport_has_space(struct virtio_vsock_sock *vvs)
* we have bytes in flight (tx_cnt - peer_fwd_cnt), the subtraction
* does not underflow.
*/
- bytes = (s64)vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt);
+ bytes = (s64)virtio_transport_tx_buf_size(vvs) -
+ (vvs->tx_cnt - vvs->peer_fwd_cnt);
if (bytes < 0)
bytes = 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 096/169] net/sched: act_ife: avoid possible NULL deref
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 095/169] vsock/virtio: cap TX credit to local buffer size Greg Kroah-Hartman
@ 2026-01-28 15:22 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 097/169] dpll: Prevent duplicate registrations Greg Kroah-Hartman
` (86 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+5cf914f193dffde3bd3c,
Eric Dumazet, Yotam Gigi, Jamal Hadi Salim, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 27880b0b0d35ad1c98863d09788254e36f874968 ]
tcf_ife_encode() must make sure ife_encode() does not return NULL.
syzbot reported:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166
CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full)
Call Trace:
<TASK>
ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101
tcf_ife_encode net/sched/act_ife.c:841 [inline]
tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877
tc_act include/net/tc_wrapper.h:130 [inline]
tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152
tcf_exts_exec include/net/pkt_cls.h:349 [inline]
mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42
tc_classify include/net/tc_wrapper.h:197 [inline]
__tcf_classify net/sched/cls_api.c:1764 [inline]
tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860
multiq_classify net/sched/sch_multiq.c:39 [inline]
multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66
dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147
__dev_xmit_skb net/core/dev.c:4262 [inline]
__dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798
Fixes: 295a6e06d21e ("net/sched: act_ife: Change to use ife module")
Reported-by: syzbot+5cf914f193dffde3bd3c@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6970d61d.050a0220.706b.0010.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Yotam Gigi <yotam.gi@gmail.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260121133724.3400020-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_ife.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
index 7c6975632fc2e..c7ab25642d997 100644
--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -821,6 +821,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a,
/* could be stupid policy setup or mtu config
* so lets be conservative.. */
if ((action == TC_ACT_SHOT) || exceed_mtu) {
+drop:
qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats));
return TC_ACT_SHOT;
}
@@ -829,6 +830,8 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a,
skb_push(skb, skb->dev->hard_header_len);
ife_meta = ife_encode(skb, metalen);
+ if (!ife_meta)
+ goto drop;
spin_lock(&ife->tcf_lock);
@@ -844,8 +847,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a,
if (err < 0) {
/* too corrupt to keep around if overwritten */
spin_unlock(&ife->tcf_lock);
- qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats));
- return TC_ACT_SHOT;
+ goto drop;
}
skboff += err;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 097/169] dpll: Prevent duplicate registrations
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-01-28 15:22 ` [PATCH 6.12 096/169] net/sched: act_ife: avoid possible NULL deref Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 098/169] x86: make page fault handling disable interrupts properly Greg Kroah-Hartman
` (85 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivan Vecera, Arkadiusz Kubalewski,
Vadim Fedorenko, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Vecera <ivecera@redhat.com>
[ Upstream commit f3ddbaaaaf4d0633b40482f471753f9c71294a4a ]
Modify the internal registration helpers dpll_xa_ref_{dpll,pin}_add()
to reject duplicate registration attempts.
Previously, if a caller attempted to register the same pin multiple
times (with the same ops, priv, and cookie) on the same device, the core
silently increments the reference count and return success. This behavior
is incorrect because if the caller makes these duplicate registrations
then for the first one dpll_pin_registration is allocated and for others
the associated dpll_pin_ref.refcount is incremented. During the first
unregistration the associated dpll_pin_registration is freed and for
others WARN is fired.
Fix this by updating the logic to return `-EEXIST` if a matching
registration is found to enforce a strict "register once" policy.
Fixes: 9431063ad323 ("dpll: core: Add DPLL framework base functions")
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260121130012.112606-1-ivecera@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dpll/dpll_core.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/drivers/dpll/dpll_core.c b/drivers/dpll/dpll_core.c
index 20bdc52f63a50..cafb8832219d0 100644
--- a/drivers/dpll/dpll_core.c
+++ b/drivers/dpll/dpll_core.c
@@ -83,10 +83,8 @@ dpll_xa_ref_pin_add(struct xarray *xa_pins, struct dpll_pin *pin,
if (ref->pin != pin)
continue;
reg = dpll_pin_registration_find(ref, ops, priv, cookie);
- if (reg) {
- refcount_inc(&ref->refcount);
- return 0;
- }
+ if (reg)
+ return -EEXIST;
ref_exists = true;
break;
}
@@ -164,10 +162,8 @@ dpll_xa_ref_dpll_add(struct xarray *xa_dplls, struct dpll_device *dpll,
if (ref->dpll != dpll)
continue;
reg = dpll_pin_registration_find(ref, ops, priv, cookie);
- if (reg) {
- refcount_inc(&ref->refcount);
- return 0;
- }
+ if (reg)
+ return -EEXIST;
ref_exists = true;
break;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 098/169] x86: make page fault handling disable interrupts properly
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 097/169] dpll: Prevent duplicate registrations Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 099/169] tpm: Compare HMAC values in constant time Greg Kroah-Hartman
` (84 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cedric Xing, Dave Hansen,
Peter Zijlstra, Thomas Gleixner, Linus Torvalds, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cedric Xing <cedric.xing@intel.com>
[ Upstream commit 614da1d3d4cdbd6e41aea06bc97ec15aacff6daf ]
There's a big comment in the x86 do_page_fault() about our interrupt
disabling code:
* User address page fault handling might have reenabled
* interrupts. Fixing up all potential exit points of
* do_user_addr_fault() and its leaf functions is just not
* doable w/o creating an unholy mess or turning the code
* upside down.
but it turns out that comment is subtly wrong, and the code as a result
is also wrong.
Because it's certainly true that we may have re-enabled interrupts when
handling user page faults. And it's most certainly true that we don't
want to bother fixing up all the cases.
But what isn't true is that it's limited to user address page faults.
The confusion stems from the fact that we have logic here that depends
on the address range of the access, but other code then depends on the
_context_ the access was done in. The two are not related, even though
both of them are about user-vs-kernel.
In other words, both user and kernel addresses can cause interrupts to
have been enabled (eg when __bad_area_nosemaphore() gets called for user
accesses to kernel addresses). As a result we should make sure to
disable interrupts again regardless of the address range before
returning to the low-level fault handling code.
The __bad_area_nosemaphore() code actually did disable interrupts again
after enabling them, just not consistently. Ironically, as noted in the
original comment, fixing up all the cases is just not worth it, when the
simple solution is to just do it unconditionally in one single place.
So remove the incomplete case that unsuccessfully tried to do what the
comment said was "not doable" in commit ca4c6a9858c2 ("x86/traps: Make
interrupt enable/disable symmetric in C code"), and just make it do the
simple and straightforward thing.
Signed-off-by: Cedric Xing <cedric.xing@intel.com>
Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
Fixes: ca4c6a9858c2 ("x86/traps: Make interrupt enable/disable symmetric in C code")
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/mm/fault.c | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index ac52255fab01f..adef0e8dc5e12 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -823,8 +823,6 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
force_sig_pkuerr((void __user *)address, pkey);
else
force_sig_fault(SIGSEGV, si_code, (void __user *)address);
-
- local_irq_disable();
}
static noinline void
@@ -1479,15 +1477,12 @@ handle_page_fault(struct pt_regs *regs, unsigned long error_code,
do_kern_addr_fault(regs, error_code, address);
} else {
do_user_addr_fault(regs, error_code, address);
- /*
- * User address page fault handling might have reenabled
- * interrupts. Fixing up all potential exit points of
- * do_user_addr_fault() and its leaf functions is just not
- * doable w/o creating an unholy mess or turning the code
- * upside down.
- */
- local_irq_disable();
}
+ /*
+ * page fault handling might have reenabled interrupts,
+ * make sure to disable them again.
+ */
+ local_irq_disable();
}
DEFINE_IDTENTRY_RAW_ERRORCODE(exc_page_fault)
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 099/169] tpm: Compare HMAC values in constant time
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 098/169] x86: make page fault handling disable interrupts properly Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 100/169] keys/trusted_keys: fix handle passed to tpm_buf_append_name during unseal Greg Kroah-Hartman
` (83 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Biggers, Jarkko Sakkinen,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
[ Upstream commit 2c2615c8423890b5ef8e0a186b65607ef5fdeda1 ]
In tpm_buf_check_hmac_response(), compare the HMAC values in constant
time using crypto_memneq() instead of in variable time using memcmp().
This is worthwhile to follow best practices and to be consistent with
MAC comparisons elsewhere in the kernel. However, in this driver the
side channel seems to have been benign: the HMAC input data is
guaranteed to always be unique, which makes the usual MAC forgery via
timing side channel not possible. Specifically, the HMAC input data in
tpm_buf_check_hmac_response() includes the "our_nonce" field, which was
generated by the kernel earlier, remains under the control of the
kernel, and is unique for each call to tpm_buf_check_hmac_response().
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Stable-dep-of: 6342969dafbc ("keys/trusted_keys: fix handle passed to tpm_buf_append_name during unseal")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/tpm/Kconfig | 1 +
drivers/char/tpm/tpm2-sessions.c | 6 +++---
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
index db41301e63f28..f0473d2148786 100644
--- a/drivers/char/tpm/Kconfig
+++ b/drivers/char/tpm/Kconfig
@@ -33,6 +33,7 @@ config TCG_TPM2_HMAC
select CRYPTO_ECDH
select CRYPTO_LIB_AESCFB
select CRYPTO_LIB_SHA256
+ select CRYPTO_LIB_UTILS
help
Setting this causes us to deploy a scheme which uses request
and response HMACs in addition to encryption for
diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c
index 4d9acfb1787e9..cb944df7b3ca6 100644
--- a/drivers/char/tpm/tpm2-sessions.c
+++ b/drivers/char/tpm/tpm2-sessions.c
@@ -71,6 +71,7 @@
#include <crypto/ecdh.h>
#include <crypto/hash.h>
#include <crypto/hmac.h>
+#include <crypto/utils.h>
/* maximum number of names the TPM must remember for authorization */
#define AUTH_MAX_NAMES 3
@@ -888,12 +889,11 @@ int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf,
/* we're done with the rphash, so put our idea of the hmac there */
tpm2_hmac_final(&sctx, auth->session_key, sizeof(auth->session_key)
+ auth->passphrase_len, rphash);
- if (memcmp(rphash, &buf->data[offset_s], SHA256_DIGEST_SIZE) == 0) {
- rc = 0;
- } else {
+ if (crypto_memneq(rphash, &buf->data[offset_s], SHA256_DIGEST_SIZE)) {
dev_err(&chip->dev, "TPM: HMAC check failed\n");
goto out;
}
+ rc = 0;
/* now do response decryption */
if (auth->attrs & TPM2_SA_ENCRYPT) {
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 100/169] keys/trusted_keys: fix handle passed to tpm_buf_append_name during unseal
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 099/169] tpm: Compare HMAC values in constant time Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 101/169] leds: led-class: Only Add LED to leds_list when it is fully ready Greg Kroah-Hartman
` (82 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srish Srinivasan, Stefan Berger,
Jarkko Sakkinen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srish Srinivasan <ssrish@linux.ibm.com>
[ Upstream commit 6342969dafbc63597cfc221aa13c3b123c2800c5 ]
TPM2_Unseal[1] expects the handle of a loaded data object, and not the
handle of the parent key. But the tpm2_unseal_cmd provides the parent
keyhandle instead of blob_handle for the session HMAC calculation. This
causes unseal to fail.
Fix this by passing blob_handle to tpm_buf_append_name().
References:
[1] trustedcomputinggroup.org/wp-content/uploads/
Trusted-Platform-Module-2.0-Library-Part-3-Version-184_pub.pdf
Fixes: 6e9722e9a7bf ("tpm2-sessions: Fix out of range indexing in name_size")
Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/keys/trusted-keys/trusted_tpm2.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c
index 7187768716b78..74cea80ed9be5 100644
--- a/security/keys/trusted-keys/trusted_tpm2.c
+++ b/security/keys/trusted-keys/trusted_tpm2.c
@@ -489,7 +489,7 @@ static int tpm2_load_cmd(struct tpm_chip *chip,
}
/**
- * tpm2_unseal_cmd() - execute a TPM2_Unload command
+ * tpm2_unseal_cmd() - execute a TPM2_Unseal command
*
* @chip: TPM chip to use
* @payload: the key data in clear and encrypted form
@@ -520,7 +520,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
return rc;
}
- rc = tpm_buf_append_name(chip, &buf, options->keyhandle, NULL);
+ rc = tpm_buf_append_name(chip, &buf, blob_handle, NULL);
if (rc)
goto out;
--
2.51.0
^ permalink raw reply related [flat|nested] 190+ messages in thread* [PATCH 6.12 101/169] leds: led-class: Only Add LED to leds_list when it is fully ready
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 100/169] keys/trusted_keys: fix handle passed to tpm_buf_append_name during unseal Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 102/169] of: fix reference count leak in of_alias_scan() Greg Kroah-Hartman
` (81 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, Sebastian Reichel,
Lee Jones
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <johannes.goede@oss.qualcomm.com>
commit d1883cefd31752f0504b94c3bcfa1f6d511d6e87 upstream.
Before this change the LED was added to leds_list before led_init_core()
gets called adding it the list before led_classdev.set_brightness_work gets
initialized.
This leaves a window where led_trigger_register() of a LED's default
trigger will call led_trigger_set() which calls led_set_brightness()
which in turn will end up queueing the *uninitialized*
led_classdev.set_brightness_work.
This race gets hit by the lenovo-thinkpad-t14s EC driver which registers
2 LEDs with a default trigger provided by snd_ctl_led.ko in quick
succession. The first led_classdev_register() causes an async modprobe of
snd_ctl_led to run and that async modprobe manages to exactly hit
the window where the second LED is on the leds_list without led_init_core()
being called for it, resulting in:
------------[ cut here ]------------
WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390
Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025
...
Call trace:
__flush_work+0x344/0x390 (P)
flush_work+0x2c/0x50
led_trigger_set+0x1c8/0x340
led_trigger_register+0x17c/0x1c0
led_trigger_register_simple+0x84/0xe8
snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]
do_one_initcall+0x5c/0x318
do_init_module+0x9c/0x2b8
load_module+0x7e0/0x998
Close the race window by moving the adding of the LED to leds_list to
after the led_init_core() call.
Cc: stable@vger.kernel.org
Fixes: d23a22a74fde ("leds: delay led_set_brightness if stopping soft-blink")
Signed-off-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Reviewed-by: Sebastian Reichel <sre@kernel.org>
Link: https://patch.msgid.link/20251211163727.366441-1-johannes.goede@oss.qualcomm.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/leds/led-class.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/leds/led-class.c
+++ b/drivers/leds/led-class.c
@@ -547,11 +547,6 @@ int led_classdev_register_ext(struct dev
#ifdef CONFIG_LEDS_BRIGHTNESS_HW_CHANGED
led_cdev->brightness_hw_changed = -1;
#endif
- /* add to the list of leds */
- down_write(&leds_list_lock);
- list_add_tail(&led_cdev->node, &leds_list);
- up_write(&leds_list_lock);
-
if (!led_cdev->max_brightness)
led_cdev->max_brightness = LED_FULL;
@@ -559,6 +554,11 @@ int led_classdev_register_ext(struct dev
led_init_core(led_cdev);
+ /* add to the list of leds */
+ down_write(&leds_list_lock);
+ list_add_tail(&led_cdev->node, &leds_list);
+ up_write(&leds_list_lock);
+
#ifdef CONFIG_LEDS_TRIGGERS
led_trigger_set_default(led_cdev);
#endif
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 102/169] of: fix reference count leak in of_alias_scan()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 101/169] leds: led-class: Only Add LED to leds_list when it is fully ready Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 103/169] of: platform: Use default match table for /firmware Greg Kroah-Hartman
` (80 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Weigang He, Rob Herring (Arm)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weigang He <geoffreyhe2@gmail.com>
commit 81122fba08fa3ccafab6ed272a5c6f2203923a7e upstream.
of_find_node_by_path() returns a device_node with its refcount
incremented. When kstrtoint() fails or dt_alloc() fails, the function
continues to the next iteration without calling of_node_put(), causing
a reference count leak.
Add of_node_put(np) before continue on both error paths to properly
release the device_node reference.
Fixes: 611cad720148 ("dt: add of_alias_scan and of_alias_get_id")
Cc: stable@vger.kernel.org
Signed-off-by: Weigang He <geoffreyhe2@gmail.com>
Link: https://patch.msgid.link/20260117091238.481243-1-geoffreyhe2@gmail.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/base.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/of/base.c
+++ b/drivers/of/base.c
@@ -1822,13 +1822,17 @@ void of_alias_scan(void * (*dt_alloc)(u6
end--;
len = end - start;
- if (kstrtoint(end, 10, &id) < 0)
+ if (kstrtoint(end, 10, &id) < 0) {
+ of_node_put(np);
continue;
+ }
/* Allocate an alias_prop with enough space for the stem */
ap = dt_alloc(sizeof(*ap) + len + 1, __alignof__(*ap));
- if (!ap)
+ if (!ap) {
+ of_node_put(np);
continue;
+ }
memset(ap, 0, sizeof(*ap) + len + 1);
ap->alias = start;
of_alias_add(ap, np, id, start, len);
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 103/169] of: platform: Use default match table for /firmware
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 102/169] of: fix reference count leak in of_alias_scan() Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 104/169] iio: accel: adxl380: fix handling of unavailable "INT1" interrupt Greg Kroah-Hartman
` (79 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sudeep Holla, Rob Herring (Arm)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Herring (Arm) <robh@kernel.org>
commit 48e6a9c4a20870e09f85ff1a3628275d6bce31c0 upstream.
Calling of_platform_populate() without a match table will only populate
the immediate child nodes under /firmware. This is usually fine, but in
the case of something like a "simple-mfd" node such as
"raspberrypi,bcm2835-firmware", those child nodes will not be populated.
And subsequent calls won't work either because the /firmware node is
marked as processed already.
Switch the call to of_platform_default_populate() to solve this problem.
It should be a nop for existing cases.
Fixes: 3aa0582fdb82 ("of: platform: populate /firmware/ node from of_platform_default_populate_init()")
Cc: stable@vger.kernel.org
Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
Link: https://patch.msgid.link/20260114015158.692170-2-robh@kernel.org
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/platform.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/of/platform.c
+++ b/drivers/of/platform.c
@@ -570,7 +570,7 @@ static int __init of_platform_default_po
node = of_find_node_by_path("/firmware");
if (node) {
- of_platform_populate(node, NULL, NULL, NULL);
+ of_platform_default_populate(node, NULL, NULL);
of_node_put(node);
}
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 104/169] iio: accel: adxl380: fix handling of unavailable "INT1" interrupt
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 103/169] of: platform: Use default match table for /firmware Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 105/169] iio: accel: iis328dq: fix gain values Greg Kroah-Hartman
` (78 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francesco Lavra, Andy Shevchenko,
Nuno Sá, Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Francesco Lavra <flavra@baylibre.com>
commit 4ff39d6de4bf359ec6d5cd2be34b36d077dd0a07 upstream.
fwnode_irq_get_byname() returns a negative value on failure; if a negative
value is returned, use it as `err` argument for dev_err_probe().
While at it, add a missing trailing newline to the dev_err_probe() error
message.
Fixes: df36de13677a ("iio: accel: add ADXL380 driver")
Signed-off-by: Francesco Lavra <flavra@baylibre.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/accel/adxl380.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/iio/accel/adxl380.c
+++ b/drivers/iio/accel/adxl380.c
@@ -1730,9 +1730,9 @@ static int adxl380_config_irq(struct iio
st->int_map[1] = ADXL380_INT0_MAP1_REG;
} else {
st->irq = fwnode_irq_get_byname(dev_fwnode(st->dev), "INT1");
- if (st->irq > 0)
- return dev_err_probe(st->dev, -ENODEV,
- "no interrupt name specified");
+ if (st->irq < 0)
+ return dev_err_probe(st->dev, st->irq,
+ "no interrupt name specified\n");
st->int_map[0] = ADXL380_INT1_MAP0_REG;
st->int_map[1] = ADXL380_INT1_MAP1_REG;
}
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 105/169] iio: accel: iis328dq: fix gain values
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 104/169] iio: accel: adxl380: fix handling of unavailable "INT1" interrupt Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 106/169] iio: adc: ad9467: fix ad9434 vref mask Greg Kroah-Hartman
` (77 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dimitri Fedrau, Markus Koeniger,
Stable, Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Markus Koeniger <markus.koeniger@liebherr.com>
commit b8f15d1df2e73322e2112de21a4a7f3553c7fb60 upstream.
The sensors IIS328DQ and H3LIS331DL share one configuration but
H3LIS331DL has different gain parameters, configs therefore
need to be split up.
The gain parameters for the IIS328DQ are 0.98, 1.95 and 3.91,
depending on the selected measurement range.
See sensor manuals, chapter 2.1 "mechanical characteristics",
parameter "Sensitivity".
Datasheet: https://www.st.com/resource/en/datasheet/iis328dq.pdf
Datasheet: https://www.st.com/resource/en/datasheet/h3lis331dl.pdf
Fixes: 46e33707fe95 ("iio: accel: add support for IIS328DQ variant")
Reviewed-by: Dimitri Fedrau <dimitri.fedrau@liebherr.com>
Signed-off-by: Markus Koeniger <markus.koeniger@liebherr.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/accel/st_accel_core.c | 72 +++++++++++++++++++++++++++++++++++++-
1 file changed, 71 insertions(+), 1 deletion(-)
--- a/drivers/iio/accel/st_accel_core.c
+++ b/drivers/iio/accel/st_accel_core.c
@@ -517,7 +517,6 @@ static const struct st_sensor_settings s
.wai_addr = ST_SENSORS_DEFAULT_WAI_ADDRESS,
.sensors_supported = {
[0] = H3LIS331DL_ACCEL_DEV_NAME,
- [1] = IIS328DQ_ACCEL_DEV_NAME,
},
.ch = (struct iio_chan_spec *)st_accel_12bit_channels,
.odr = {
@@ -561,6 +560,77 @@ static const struct st_sensor_settings s
},
},
},
+ .bdu = {
+ .addr = 0x23,
+ .mask = 0x80,
+ },
+ .drdy_irq = {
+ .int1 = {
+ .addr = 0x22,
+ .mask = 0x02,
+ },
+ .int2 = {
+ .addr = 0x22,
+ .mask = 0x10,
+ },
+ .addr_ihl = 0x22,
+ .mask_ihl = 0x80,
+ },
+ .sim = {
+ .addr = 0x23,
+ .value = BIT(0),
+ },
+ .multi_read_bit = true,
+ .bootime = 2,
+ },
+ {
+ .wai = 0x32,
+ .wai_addr = ST_SENSORS_DEFAULT_WAI_ADDRESS,
+ .sensors_supported = {
+ [0] = IIS328DQ_ACCEL_DEV_NAME,
+ },
+ .ch = (struct iio_chan_spec *)st_accel_12bit_channels,
+ .odr = {
+ .addr = 0x20,
+ .mask = 0x18,
+ .odr_avl = {
+ { .hz = 50, .value = 0x00, },
+ { .hz = 100, .value = 0x01, },
+ { .hz = 400, .value = 0x02, },
+ { .hz = 1000, .value = 0x03, },
+ },
+ },
+ .pw = {
+ .addr = 0x20,
+ .mask = 0x20,
+ .value_on = ST_SENSORS_DEFAULT_POWER_ON_VALUE,
+ .value_off = ST_SENSORS_DEFAULT_POWER_OFF_VALUE,
+ },
+ .enable_axis = {
+ .addr = ST_SENSORS_DEFAULT_AXIS_ADDR,
+ .mask = ST_SENSORS_DEFAULT_AXIS_MASK,
+ },
+ .fs = {
+ .addr = 0x23,
+ .mask = 0x30,
+ .fs_avl = {
+ [0] = {
+ .num = ST_ACCEL_FS_AVL_100G,
+ .value = 0x00,
+ .gain = IIO_G_TO_M_S_2(980),
+ },
+ [1] = {
+ .num = ST_ACCEL_FS_AVL_200G,
+ .value = 0x01,
+ .gain = IIO_G_TO_M_S_2(1950),
+ },
+ [2] = {
+ .num = ST_ACCEL_FS_AVL_400G,
+ .value = 0x03,
+ .gain = IIO_G_TO_M_S_2(3910),
+ },
+ },
+ },
.bdu = {
.addr = 0x23,
.mask = 0x80,
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 106/169] iio: adc: ad9467: fix ad9434 vref mask
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 105/169] iio: accel: iis328dq: fix gain values Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 107/169] iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver Greg Kroah-Hartman
` (76 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Nuno Sá,
David Lechner, Tomas Melin, Stable, Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomas Melin <tomas.melin@vaisala.com>
commit 92452b1760ff2d1d411414965d4d06f75e1bda9a upstream.
The mask setting is 5 bits wide for the ad9434
(ref. data sheet register 0x18 FLEX_VREF). Apparently the settings
from ad9265 were copied by mistake when support for the device was added
to the driver.
Fixes: 4606d0f4b05f ("iio: adc: ad9467: add support for AD9434 high-speed ADC")
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Signed-off-by: Tomas Melin <tomas.melin@vaisala.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad9467.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/adc/ad9467.c
+++ b/drivers/iio/adc/ad9467.c
@@ -95,7 +95,7 @@
#define CHIPID_AD9434 0x6A
#define AD9434_DEF_OUTPUT_MODE 0x00
-#define AD9434_REG_VREF_MASK 0xC0
+#define AD9434_REG_VREF_MASK GENMASK(4, 0)
/*
* Analog Devices AD9467 16-Bit, 200/250 MSPS ADC
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 107/169] iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 106/169] iio: adc: ad9467: fix ad9434 vref mask Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 108/169] iio: adc: pac1934: Fix clamped value in pac1934_reg_snapshot Greg Kroah-Hartman
` (75 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pei Xiao, Stable, Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pei Xiao <xiaopei01@kylinos.cn>
commit dbdb442218cd9d613adeab31a88ac973f22c4873 upstream.
at91_adc_interrupt can call at91_adc_touch_data_handler function
to start the work by schedule_work(&st->touch_st.workq).
If we remove the module which will call at91_adc_remove to
make cleanup, it will free indio_dev through iio_device_unregister but
quite a bit later. While the work mentioned above will be used. The
sequence of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| at91_adc_workq_handler
at91_adc_remove |
iio_device_unregister(indio_dev) |
//free indio_dev a bit later |
| iio_push_to_buffers(indio_dev)
| //use indio_dev
Fix it by ensuring that the work is canceled before proceeding with
the cleanup in at91_adc_remove.
Fixes: 23ec2774f1cc ("iio: adc: at91-sama5d2_adc: add support for position and pressure channels")
Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/at91-sama5d2_adc.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iio/adc/at91-sama5d2_adc.c
+++ b/drivers/iio/adc/at91-sama5d2_adc.c
@@ -2504,6 +2504,7 @@ static void at91_adc_remove(struct platf
struct at91_adc_state *st = iio_priv(indio_dev);
iio_device_unregister(indio_dev);
+ cancel_work_sync(&st->touch_st.workq);
at91_adc_dma_disable(st);
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 108/169] iio: adc: pac1934: Fix clamped value in pac1934_reg_snapshot
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 107/169] iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 109/169] iio: chemical: scd4x: fix reported channel endianness Greg Kroah-Hartman
` (74 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit da934ef0fdff5ba21e82ec3ab3f95fe73137b0c9 upstream.
The local variable 'curr_energy' was never clamped to
PAC_193X_MIN_POWER_ACC or PAC_193X_MAX_POWER_ACC because the return
value of clamp() was not used. Fix this by assigning the clamped value
back to 'curr_energy'.
Cc: stable@vger.kernel.org
Fixes: 0fb528c8255b ("iio: adc: adding support for PAC193x")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/pac1934.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/iio/adc/pac1934.c
+++ b/drivers/iio/adc/pac1934.c
@@ -665,9 +665,9 @@ static int pac1934_reg_snapshot(struct p
/* add the power_acc field */
curr_energy += inc;
- clamp(curr_energy, PAC_193X_MIN_POWER_ACC, PAC_193X_MAX_POWER_ACC);
-
- reg_data->energy_sec_acc[cnt] = curr_energy;
+ reg_data->energy_sec_acc[cnt] = clamp(curr_energy,
+ PAC_193X_MIN_POWER_ACC,
+ PAC_193X_MAX_POWER_ACC);
}
offset_reg_data_p += PAC1934_VPOWER_ACC_REG_LEN;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 109/169] iio: chemical: scd4x: fix reported channel endianness
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 108/169] iio: adc: pac1934: Fix clamped value in pac1934_reg_snapshot Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 110/169] iio: dac: ad5686: add AD5695R to ad5686_chip_info_tbl Greg Kroah-Hartman
` (73 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fiona Klute, David Lechner,
Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fiona Klute <fiona.klute@gmx.de>
commit 81d5a5366d3c20203fb9d7345e1aa46d668445a2 upstream.
The driver converts values read from the sensor from BE to CPU
endianness in scd4x_read_meas(). The result is then pushed into the
buffer in scd4x_trigger_handler(), so on LE architectures parsing the
buffer using the reported BE type gave wrong results.
scd4x_read_raw() which provides sysfs *_raw values is not affected, it
used the values returned by scd4x_read_meas() without further
conversion.
Fixes: 49d22b695cbb6 ("drivers: iio: chemical: Add support for Sensirion SCD4x CO2 sensor")
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/scd4x.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/iio/chemical/scd4x.c
+++ b/drivers/iio/chemical/scd4x.c
@@ -585,7 +585,7 @@ static const struct iio_chan_spec scd4x_
.sign = 'u',
.realbits = 16,
.storagebits = 16,
- .endianness = IIO_BE,
+ .endianness = IIO_CPU,
},
},
{
@@ -600,7 +600,7 @@ static const struct iio_chan_spec scd4x_
.sign = 'u',
.realbits = 16,
.storagebits = 16,
- .endianness = IIO_BE,
+ .endianness = IIO_CPU,
},
},
{
@@ -613,7 +613,7 @@ static const struct iio_chan_spec scd4x_
.sign = 'u',
.realbits = 16,
.storagebits = 16,
- .endianness = IIO_BE,
+ .endianness = IIO_CPU,
},
},
};
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 110/169] iio: dac: ad5686: add AD5695R to ad5686_chip_info_tbl
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 109/169] iio: chemical: scd4x: fix reported channel endianness Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 111/169] ALSA: ctxfi: Fix potential OOB access in audio mixer handling Greg Kroah-Hartman
` (72 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andreas Kübrich,
Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kübrich, Andreas <andreas.kuebrich@spektra-dresden.de>
commit 441ac29923c9172bc5e4b2c4f52ae756192f5715 upstream.
The chip info for this variant (I2C, four channels, 14 bit, internal
reference) seems to have been left out due to oversight, so
ad5686_chip_info_tbl[ID_AD5695R] is all zeroes. Initialisation of an
AD5695R still succeeds, but the resulting IIO device has no channels and no
/dev/iio:device* node.
Add the missing chip info to the table.
Fixes: 4177381b4401 ("iio:dac:ad5686: Add AD5671R/75R/94/94R/95R/96/96R support")
Signed-off-by: Andreas Kübrich <andreas.kuebrich@spektra-dresden.de>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/ad5686.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/iio/dac/ad5686.c
+++ b/drivers/iio/dac/ad5686.c
@@ -434,6 +434,12 @@ static const struct ad5686_chip_info ad5
.num_channels = 4,
.regmap_type = AD5686_REGMAP,
},
+ [ID_AD5695R] = {
+ .channels = ad5685r_channels,
+ .int_vref_mv = 2500,
+ .num_channels = 4,
+ .regmap_type = AD5686_REGMAP,
+ },
[ID_AD5696] = {
.channels = ad5686_channels,
.num_channels = 4,
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 111/169] ALSA: ctxfi: Fix potential OOB access in audio mixer handling
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 110/169] iio: dac: ad5686: add AD5695R to ad5686_chip_info_tbl Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 112/169] ALSA: scarlett2: Fix buffer overflow in config retrieval Greg Kroah-Hartman
` (71 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Salvatore Bonaccorso,
Karsten Hohmeier, Takashi Iwai
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 61006c540cbdedea83b05577dc7fb7fa18fe1276 upstream.
In the audio mixer handling code of ctxfi driver, the conf field is
used as a kind of loop index, and it's referred in the index callbacks
(amixer_index() and sum_index()).
As spotted recently by fuzzers, the current code causes OOB access at
those functions.
| UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48
| index 8 is out of range for type 'unsigned char [8]'
After the analysis, the cause was found to be the lack of the proper
(re-)initialization of conj field.
This patch addresses those OOB accesses by adding the proper
initializations of the loop indices.
Reported-by: Salvatore Bonaccorso <carnil@debian.org>
Tested-by: Karsten Hohmeier <linux@hohmatik.de>
Closes: https://bugs.debian.org/1121535
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/all/aSk8KJI35H7gFru6@eldamar.lan/
Link: https://patch.msgid.link/20260119133212.189129-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/ctxfi/ctamixer.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/pci/ctxfi/ctamixer.c
+++ b/sound/pci/ctxfi/ctamixer.c
@@ -205,6 +205,7 @@ static int amixer_rsc_init(struct amixer
/* Set amixer specific operations */
amixer->rsc.ops = &amixer_basic_rsc_ops;
+ amixer->rsc.conj = 0;
amixer->ops = &amixer_ops;
amixer->input = NULL;
amixer->sum = NULL;
@@ -370,6 +371,7 @@ static int sum_rsc_init(struct sum *sum,
return err;
sum->rsc.ops = &sum_basic_rsc_ops;
+ sum->rsc.conj = 0;
return 0;
}
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 112/169] ALSA: scarlett2: Fix buffer overflow in config retrieval
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 111/169] ALSA: ctxfi: Fix potential OOB access in audio mixer handling Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 113/169] ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() Greg Kroah-Hartman
` (70 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Samasth Norway Ananda, Takashi Iwai
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
commit 6f5c69f72e50d51be3a8c028ae7eda42c82902cb upstream.
The scarlett2_usb_get_config() function has a logic error in the
endianness conversion code that can cause buffer overflows when
count > 1.
The code checks `if (size == 2)` where `size` is the total buffer size in
bytes, then loops `count` times treating each element as u16 (2 bytes).
This causes the loop to access `count * 2` bytes when the buffer only
has `size` bytes allocated.
Fix by checking the element size (config_item->size) instead of the
total buffer size. This ensures the endianness conversion matches the
actual element type.
Fixes: ac34df733d2d ("ALSA: usb-audio: scarlett2: Update get_config to do endian conversion")
Cc: stable@vger.kernel.org
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Link: https://patch.msgid.link/20260117012706.1715574-1-samasth.norway.ananda@oracle.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_scarlett2.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/sound/usb/mixer_scarlett2.c
+++ b/sound/usb/mixer_scarlett2.c
@@ -2496,13 +2496,13 @@ static int scarlett2_usb_get_config(
err = scarlett2_usb_get(mixer, config_item->offset, buf, size);
if (err < 0)
return err;
- if (size == 2) {
+ if (config_item->size == 16) {
u16 *buf_16 = buf;
for (i = 0; i < count; i++, buf_16++)
*buf_16 = le16_to_cpu(*(__le16 *)buf_16);
- } else if (size == 4) {
- u32 *buf_32 = buf;
+ } else if (config_item->size == 32) {
+ u32 *buf_32 = (u32 *)buf;
for (i = 0; i < count; i++, buf_32++)
*buf_32 = le32_to_cpu(*(__le32 *)buf_32);
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 113/169] ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 112/169] ALSA: scarlett2: Fix buffer overflow in config retrieval Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 114/169] mmc: rtsx_pci_sdmmc: implement sdmmc_card_busy function Greg Kroah-Hartman
` (69 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrey Konovalov, Berk Cem Goksel,
Takashi Iwai
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Berk Cem Goksel <berkcgoksel@gmail.com>
commit 930e69757b74c3ae083b0c3c7419bfe7f0edc7b2 upstream.
When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees
mixer->id_elems but the controls already added to the card still
reference the freed memory. Later when snd_card_register() runs,
the OSS mixer layer calls their callbacks and hits a use-after-free read.
Call trace:
get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411
get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241
mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381
snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887
...
snd_card_register+0x4ed/0x6d0 sound/core/init.c:923
usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025
Fix by calling snd_ctl_remove() for all mixer controls before freeing
id_elems. We save the next pointer first because snd_ctl_remove()
frees the current element.
Fixes: 6639b6c2367f ("[ALSA] usb-audio - add mixer control notifications")
Cc: stable@vger.kernel.org
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Signed-off-by: Berk Cem Goksel <berkcgoksel@gmail.com>
Link: https://patch.msgid.link/20260120102855.7300-1-berkcgoksel@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2938,10 +2938,23 @@ static int parse_audio_unit(struct mixer
static void snd_usb_mixer_free(struct usb_mixer_interface *mixer)
{
+ struct usb_mixer_elem_list *list, *next;
+ int id;
+
/* kill pending URBs */
snd_usb_mixer_disconnect(mixer);
- kfree(mixer->id_elems);
+ /* Unregister controls first, snd_ctl_remove() frees the element */
+ if (mixer->id_elems) {
+ for (id = 0; id < MAX_ID_ELEMS; id++) {
+ for (list = mixer->id_elems[id]; list; list = next) {
+ next = list->next_id_elem;
+ if (list->kctl)
+ snd_ctl_remove(mixer->chip->card, list->kctl);
+ }
+ }
+ kfree(mixer->id_elems);
+ }
if (mixer->urb) {
kfree(mixer->urb->transfer_buffer);
usb_free_urb(mixer->urb);
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 114/169] mmc: rtsx_pci_sdmmc: implement sdmmc_card_busy function
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 113/169] ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 115/169] mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode Greg Kroah-Hartman
` (68 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matthew Schwartz, Ricky WU,
Ulf Hansson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Schwartz <matthew.schwartz@linux.dev>
commit 122610220134b32c742cc056eaf64f7017ac8cd9 upstream.
rtsx_pci_sdmmc does not have an sdmmc_card_busy function, so any voltage
switches cause a kernel warning, "mmc0: cannot verify signal voltage
switch."
Copy the sdmmc_card_busy function from rtsx_pci_usb to rtsx_pci_sdmmc to
fix this.
Fixes: ff984e57d36e ("mmc: Add realtek pcie sdmmc host driver")
Signed-off-by: Matthew Schwartz <matthew.schwartz@linux.dev>
Tested-by: Ricky WU <ricky_wu@realtek.com>
Reviewed-by: Ricky WU <ricky_wu@realtek.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/rtsx_pci_sdmmc.c | 41 ++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
--- a/drivers/mmc/host/rtsx_pci_sdmmc.c
+++ b/drivers/mmc/host/rtsx_pci_sdmmc.c
@@ -1308,6 +1308,46 @@ out:
return err;
}
+static int sdmmc_card_busy(struct mmc_host *mmc)
+{
+ struct realtek_pci_sdmmc *host = mmc_priv(mmc);
+ struct rtsx_pcr *pcr = host->pcr;
+ int err;
+ u8 stat;
+ u8 mask = SD_DAT3_STATUS | SD_DAT2_STATUS | SD_DAT1_STATUS
+ | SD_DAT0_STATUS;
+
+ mutex_lock(&pcr->pcr_mutex);
+
+ rtsx_pci_start_run(pcr);
+
+ err = rtsx_pci_write_register(pcr, SD_BUS_STAT,
+ SD_CLK_TOGGLE_EN | SD_CLK_FORCE_STOP,
+ SD_CLK_TOGGLE_EN);
+ if (err)
+ goto out;
+
+ mdelay(1);
+
+ err = rtsx_pci_read_register(pcr, SD_BUS_STAT, &stat);
+ if (err)
+ goto out;
+
+ err = rtsx_pci_write_register(pcr, SD_BUS_STAT,
+ SD_CLK_TOGGLE_EN | SD_CLK_FORCE_STOP, 0);
+out:
+ mutex_unlock(&pcr->pcr_mutex);
+
+ if (err)
+ return err;
+
+ /* check if any pin between dat[0:3] is low */
+ if ((stat & mask) != mask)
+ return 1;
+ else
+ return 0;
+}
+
static int sdmmc_execute_tuning(struct mmc_host *mmc, u32 opcode)
{
struct realtek_pci_sdmmc *host = mmc_priv(mmc);
@@ -1420,6 +1460,7 @@ static const struct mmc_host_ops realtek
.get_ro = sdmmc_get_ro,
.get_cd = sdmmc_get_cd,
.start_signal_voltage_switch = sdmmc_switch_voltage,
+ .card_busy = sdmmc_card_busy,
.execute_tuning = sdmmc_execute_tuning,
.init_sd_express = sdmmc_init_sd_express,
};
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 115/169] mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 114/169] mmc: rtsx_pci_sdmmc: implement sdmmc_card_busy function Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 116/169] drm/nouveau/disp: Set drm_mode_config_funcs.atomic_(check|commit) Greg Kroah-Hartman
` (67 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Reichel, Yifeng Zhao,
Shawn Lin, Ulf Hansson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shawn Lin <shawn.lin@rock-chips.com>
commit 3009738a855cf938bbfc9078bec725031ae623a4 upstream.
When operating in HS200 or HS400 timing modes, reducing the clock frequency
below 52MHz will lead to link broken as the Rockchip DWC MSHC controller
requires maintaining a minimum clock of 52MHz in these modes.
Add a check to prevent illegal clock reduction through debugfs:
root@debian:/# echo 50000000 > /sys/kernel/debug/mmc0/clock
root@debian:/# [ 30.090146] mmc0: running CQE recovery
mmc0: cqhci: Failed to halt
mmc0: cqhci: spurious TCN for tag 0
WARNING: drivers/mmc/host/cqhci-core.c:797 at cqhci_irq+0x254/0x818, CPU#1: kworker/1:0H/24
Modules linked in:
CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0H Not tainted 6.19.0-rc1-00001-g09db0998649d-dirty #204 PREEMPT
Hardware name: Rockchip RK3588 EVB1 V10 Board (DT)
Workqueue: kblockd blk_mq_run_work_fn
pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : cqhci_irq+0x254/0x818
lr : cqhci_irq+0x254/0x818
...
Fixes: c6f361cba51c ("mmc: sdhci-of-dwcmshc: add support for rk3588")
Cc: Sebastian Reichel <sebastian.reichel@collabora.com>
Cc: Yifeng Zhao <yifeng.zhao@rock-chips.com>
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-of-dwcmshc.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/mmc/host/sdhci-of-dwcmshc.c
+++ b/drivers/mmc/host/sdhci-of-dwcmshc.c
@@ -650,6 +650,13 @@ static void dwcmshc_rk3568_set_clock(str
sdhci_writel(host, extra, reg);
if (clock <= 52000000) {
+ if (host->mmc->ios.timing == MMC_TIMING_MMC_HS200 ||
+ host->mmc->ios.timing == MMC_TIMING_MMC_HS400) {
+ dev_err(mmc_dev(host->mmc),
+ "Can't reduce the clock below 52MHz in HS200/HS400 mode");
+ return;
+ }
+
/*
* Disable DLL and reset both of sample and drive clock.
* The bypass bit and start bit need to be set if DLL is not locked.
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 116/169] drm/nouveau/disp: Set drm_mode_config_funcs.atomic_(check|commit)
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 115/169] mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 117/169] wifi: ath10k: fix dma_free_coherent() pointer Greg Kroah-Hartman
` (66 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lyude Paul, Dave Airlie
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lyude Paul <lyude@redhat.com>
commit 604826acb3f53c6648a7ee99a3914ead680ab7fb upstream.
Apparently we never actually filled these in, despite the fact that we do
in fact technically support atomic modesetting.
Since not having these filled in causes us to potentially forget to disable
fbdev and friends during suspend/resume, let's fix it.
Signed-off-by: Lyude Paul <lyude@redhat.com>
Cc: stable@vger.kernel.org
Reviewed-by: Dave Airlie <airlied@redhat.com>
Link: https://patch.msgid.link/20260121191320.210342-1-lyude@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nouveau_display.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/gpu/drm/nouveau/nouveau_display.c
+++ b/drivers/gpu/drm/nouveau/nouveau_display.c
@@ -391,6 +391,8 @@ nouveau_user_framebuffer_create(struct d
static const struct drm_mode_config_funcs nouveau_mode_config_funcs = {
.fb_create = nouveau_user_framebuffer_create,
+ .atomic_commit = drm_atomic_helper_commit,
+ .atomic_check = drm_atomic_helper_check,
};
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 117/169] wifi: ath10k: fix dma_free_coherent() pointer
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 116/169] drm/nouveau/disp: Set drm_mode_config_funcs.atomic_(check|commit) Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 118/169] wifi: ath12k: " Greg Kroah-Hartman
` (65 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Baochen Qiang,
Jeff Johnson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit 9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f upstream.
dma_alloc_coherent() allocates a DMA mapped buffer and stores the
addresses in XXX_unaligned fields. Those should be reused when freeing
the buffer rather than the aligned addresses.
Fixes: 2a1e1ad3fd37 ("ath10k: Add support for 64 bit ce descriptor")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Link: https://patch.msgid.link/20260105210439.20131-2-fourier.thomas@gmail.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath10k/ce.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/drivers/net/wireless/ath/ath10k/ce.c
+++ b/drivers/net/wireless/ath/ath10k/ce.c
@@ -1727,8 +1727,8 @@ static void _ath10k_ce_free_pipe(struct
(ce_state->src_ring->nentries *
sizeof(struct ce_desc) +
CE_DESC_RING_ALIGN),
- ce_state->src_ring->base_addr_owner_space,
- ce_state->src_ring->base_addr_ce_space);
+ ce_state->src_ring->base_addr_owner_space_unaligned,
+ ce_state->src_ring->base_addr_ce_space_unaligned);
kfree(ce_state->src_ring);
}
@@ -1737,8 +1737,8 @@ static void _ath10k_ce_free_pipe(struct
(ce_state->dest_ring->nentries *
sizeof(struct ce_desc) +
CE_DESC_RING_ALIGN),
- ce_state->dest_ring->base_addr_owner_space,
- ce_state->dest_ring->base_addr_ce_space);
+ ce_state->dest_ring->base_addr_owner_space_unaligned,
+ ce_state->dest_ring->base_addr_ce_space_unaligned);
kfree(ce_state->dest_ring);
}
@@ -1758,8 +1758,8 @@ static void _ath10k_ce_free_pipe_64(stru
(ce_state->src_ring->nentries *
sizeof(struct ce_desc_64) +
CE_DESC_RING_ALIGN),
- ce_state->src_ring->base_addr_owner_space,
- ce_state->src_ring->base_addr_ce_space);
+ ce_state->src_ring->base_addr_owner_space_unaligned,
+ ce_state->src_ring->base_addr_ce_space_unaligned);
kfree(ce_state->src_ring);
}
@@ -1768,8 +1768,8 @@ static void _ath10k_ce_free_pipe_64(stru
(ce_state->dest_ring->nentries *
sizeof(struct ce_desc_64) +
CE_DESC_RING_ALIGN),
- ce_state->dest_ring->base_addr_owner_space,
- ce_state->dest_ring->base_addr_ce_space);
+ ce_state->dest_ring->base_addr_owner_space_unaligned,
+ ce_state->dest_ring->base_addr_ce_space_unaligned);
kfree(ce_state->dest_ring);
}
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 118/169] wifi: ath12k: fix dma_free_coherent() pointer
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 117/169] wifi: ath10k: fix dma_free_coherent() pointer Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 119/169] wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize() Greg Kroah-Hartman
` (64 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Baochen Qiang,
Jeff Johnson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit bb97131fbf9b708dd9616ac2bdc793ad102b5c48 upstream.
dma_alloc_coherent() allocates a DMA mapped buffer and stores the
addresses in XXX_unaligned fields. Those should be reused when freeing
the buffer rather than the aligned addresses.
Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Link: https://patch.msgid.link/20260106084905.18622-2-fourier.thomas@gmail.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath12k/ce.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/net/wireless/ath/ath12k/ce.c
+++ b/drivers/net/wireless/ath/ath12k/ce.c
@@ -893,8 +893,8 @@ void ath12k_ce_free_pipes(struct ath12k_
dma_free_coherent(ab->dev,
pipe->src_ring->nentries * desc_sz +
CE_DESC_RING_ALIGN,
- pipe->src_ring->base_addr_owner_space,
- pipe->src_ring->base_addr_ce_space);
+ pipe->src_ring->base_addr_owner_space_unaligned,
+ pipe->src_ring->base_addr_ce_space_unaligned);
kfree(pipe->src_ring);
pipe->src_ring = NULL;
}
@@ -904,8 +904,8 @@ void ath12k_ce_free_pipes(struct ath12k_
dma_free_coherent(ab->dev,
pipe->dest_ring->nentries * desc_sz +
CE_DESC_RING_ALIGN,
- pipe->dest_ring->base_addr_owner_space,
- pipe->dest_ring->base_addr_ce_space);
+ pipe->dest_ring->base_addr_owner_space_unaligned,
+ pipe->dest_ring->base_addr_ce_space_unaligned);
kfree(pipe->dest_ring);
pipe->dest_ring = NULL;
}
@@ -916,8 +916,8 @@ void ath12k_ce_free_pipes(struct ath12k_
dma_free_coherent(ab->dev,
pipe->status_ring->nentries * desc_sz +
CE_DESC_RING_ALIGN,
- pipe->status_ring->base_addr_owner_space,
- pipe->status_ring->base_addr_ce_space);
+ pipe->status_ring->base_addr_owner_space_unaligned,
+ pipe->status_ring->base_addr_ce_space_unaligned);
kfree(pipe->status_ring);
pipe->status_ring = NULL;
}
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 119/169] wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 118/169] wifi: ath12k: " Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 120/169] wifi: rsi: Fix memory corruption due to not set vif driver data size Greg Kroah-Hartman
` (63 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Jeff Chen,
Johannes Berg
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit 2120f3a3738a65730c81bf10447b1ff776078915 upstream.
The "i" iterator variable is used to count two different things but
unfortunately we can't store two different numbers in the same variable.
Use "i" for the outside loop and "j" for the inside loop.
Cc: stable@vger.kernel.org
Fixes: d219b7eb3792 ("mwifiex: handle BT coex event to adjust Rx BA window size")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Jeff Chen <jeff.chen_1@nxp.com>
Link: https://patch.msgid.link/aWAM2MGUWRP0zWUd@stanley.mountain
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
@@ -825,7 +825,7 @@ void mwifiex_update_rxreor_flags(struct
static void mwifiex_update_ampdu_rxwinsize(struct mwifiex_adapter *adapter,
bool coex_flag)
{
- u8 i;
+ u8 i, j;
u32 rx_win_size;
struct mwifiex_private *priv;
@@ -863,8 +863,8 @@ static void mwifiex_update_ampdu_rxwinsi
if (rx_win_size != priv->add_ba_param.rx_win_size) {
if (!priv->media_connected)
continue;
- for (i = 0; i < MAX_NUM_TID; i++)
- mwifiex_11n_delba(priv, i);
+ for (j = 0; j < MAX_NUM_TID; j++)
+ mwifiex_11n_delba(priv, j);
}
}
}
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 120/169] wifi: rsi: Fix memory corruption due to not set vif driver data size
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 119/169] wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize() Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 121/169] arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA Greg Kroah-Hartman
` (62 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Johannes Berg
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marex@nabladev.com>
commit 4f431d88ea8093afc7ba55edf4652978c5a68f33 upstream.
The struct ieee80211_vif contains trailing space for vif driver data,
when struct ieee80211_vif is allocated, the total memory size that is
allocated is sizeof(struct ieee80211_vif) + size of vif driver data.
The size of vif driver data is set by each WiFi driver as needed.
The RSI911x driver does not set vif driver data size, no trailing space
for vif driver data is therefore allocated past struct ieee80211_vif .
The RSI911x driver does however use the vif driver data to store its
vif driver data structure "struct vif_priv". An access to vif->drv_priv
leads to access out of struct ieee80211_vif bounds and corruption of
some memory.
In case of the failure observed locally, rsi_mac80211_add_interface()
would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv;
vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member
struct list_head new_flows . The flow = list_first_entry(head, struct
fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus
address, which when accessed causes a crash.
The trigger is very simple, boot the machine with init=/bin/sh , mount
devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1",
"ip link set wlan0 down" and the crash occurs.
Fix this by setting the correct size of vif driver data, which is the
size of "struct vif_priv", so that memory is allocated and the driver
can store its driver data in it, instead of corrupting memory around
it.
Cc: stable@vger.kernel.org
Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
Signed-off-by: Marek Vasut <marex@nabladev.com>
Link: https://patch.msgid.link/20260109235817.150330-1-marex@nabladev.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/rsi/rsi_91x_mac80211.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c
+++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c
@@ -2028,6 +2028,7 @@ int rsi_mac80211_attach(struct rsi_commo
hw->queues = MAX_HW_QUEUES;
hw->extra_tx_headroom = RSI_NEEDED_HEADROOM;
+ hw->vif_data_size = sizeof(struct vif_priv);
hw->max_rates = 1;
hw->max_rate_tries = MAX_RETRIES;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 121/169] arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 120/169] wifi: rsi: Fix memory corruption due to not set vif driver data size Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 122/169] arm64: Set __nocfi on swsusp_arch_resume() Greg Kroah-Hartman
` (61 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Mark Brown,
Will Deacon, Catalin Marinas
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
commit ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4 upstream.
The code to restore a ZA context doesn't attempt to allocate the task's
sve_state before setting TIF_SME. Consequently, restoring a ZA context
can place a task into an invalid state where TIF_SME is set but the
task's sve_state is NULL.
In legitimate but uncommon cases where the ZA signal context was NOT
created by the kernel in the context of the same task (e.g. if the task
is saved/restored with something like CRIU), we have no guarantee that
sve_state had been allocated previously. In these cases, userspace can
enter streaming mode without trapping while sve_state is NULL, causing a
later NULL pointer dereference when the kernel attempts to store the
register state:
| # ./sigreturn-za
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
| Mem abort info:
| ESR = 0x0000000096000046
| EC = 0x25: DABT (current EL), IL = 32 bits
| SET = 0, FnV = 0
| EA = 0, S1PTW = 0
| FSC = 0x06: level 2 translation fault
| Data abort info:
| ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000
| CM = 0, WnR = 1, TnD = 0, TagAccess = 0
| GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
| user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00
| [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000
| Internal error: Oops: 0000000096000046 [#1] SMP
| Modules linked in:
| CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT
| Hardware name: linux,dummy-virt (DT)
| pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
| pc : sve_save_state+0x4/0xf0
| lr : fpsimd_save_user_state+0xb0/0x1c0
| sp : ffff80008070bcc0
| x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658
| x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000
| x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40
| x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000
| x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c
| x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020
| x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0
| x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48
| x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000
| x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440
| Call trace:
| sve_save_state+0x4/0xf0 (P)
| fpsimd_thread_switch+0x48/0x198
| __switch_to+0x20/0x1c0
| __schedule+0x36c/0xce0
| schedule+0x34/0x11c
| exit_to_user_mode_loop+0x124/0x188
| el0_interrupt+0xc8/0xd8
| __el0_irq_handler_common+0x18/0x24
| el0t_64_irq_handler+0x10/0x1c
| el0t_64_irq+0x198/0x19c
| Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800)
| ---[ end trace 0000000000000000 ]---
Fix this by having restore_za_context() ensure that the task's sve_state
is allocated, matching what we do when taking an SME trap. Any live
SVE/SSVE state (which is restored earlier from a separate signal
context) must be preserved, and hence this is not zeroed.
Fixes: 39782210eb7e ("arm64/sme: Implement ZA signal handling")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: <stable@vger.kernel.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/signal.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -590,6 +590,10 @@ static int restore_za_context(struct use
fpsimd_flush_task_state(current);
/* From now, fpsimd_thread_switch() won't touch thread.sve_state */
+ sve_alloc(current, false);
+ if (!current->thread.sve_state)
+ return -ENOMEM;
+
sme_alloc(current, true);
if (!current->thread.sme_state) {
current->thread.svcr &= ~SVCR_ZA_MASK;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 122/169] arm64: Set __nocfi on swsusp_arch_resume()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 121/169] arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 123/169] octeontx2: Fix otx2_dma_map_page() error return code Greg Kroah-Hartman
` (60 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeson Gao, Zhaoyang Huang,
Will Deacon, Mark Rutland, Catalin Marinas
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
commit e2f8216ca2d8e61a23cb6ec355616339667e0ba6 upstream.
A DABT is reported[1] on an android based system when resume from hiberate.
This happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*()
and does not have a CFI hash, but swsusp_arch_resume() will attempt to
verify the CFI hash when calling a copy of swsusp_arch_suspend_exit().
Given that there's an existing requirement that the entrypoint to
swsusp_arch_suspend_exit() is the first byte of the .hibernate_exit.text
section, we cannot fix this by marking swsusp_arch_suspend_exit() with
SYM_FUNC_*(). The simplest fix for now is to disable the CFI check in
swsusp_arch_resume().
Mark swsusp_arch_resume() as __nocfi to disable the CFI check.
[1]
[ 22.991934][ T1] Unable to handle kernel paging request at virtual address 0000000109170ffc
[ 22.991934][ T1] Mem abort info:
[ 22.991934][ T1] ESR = 0x0000000096000007
[ 22.991934][ T1] EC = 0x25: DABT (current EL), IL = 32 bits
[ 22.991934][ T1] SET = 0, FnV = 0
[ 22.991934][ T1] EA = 0, S1PTW = 0
[ 22.991934][ T1] FSC = 0x07: level 3 translation fault
[ 22.991934][ T1] Data abort info:
[ 22.991934][ T1] ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
[ 22.991934][ T1] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 22.991934][ T1] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 22.991934][ T1] [0000000109170ffc] user address but active_mm is swapper
[ 22.991934][ T1] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP
[ 22.991934][ T1] Dumping ftrace buffer:
[ 22.991934][ T1] (ftrace buffer empty)
[ 22.991934][ T1] Modules linked in:
[ 22.991934][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.98-android15-8-g0b1d2aee7fc3-dirty-4k #1 688c7060a825a3ac418fe53881730b355915a419
[ 22.991934][ T1] Hardware name: Unisoc UMS9360-base Board (DT)
[ 22.991934][ T1] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 22.991934][ T1] pc : swsusp_arch_resume+0x2ac/0x344
[ 22.991934][ T1] lr : swsusp_arch_resume+0x294/0x344
[ 22.991934][ T1] sp : ffffffc08006b960
[ 22.991934][ T1] x29: ffffffc08006b9c0 x28: 0000000000000000 x27: 0000000000000000
[ 22.991934][ T1] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000820
[ 22.991934][ T1] x23: ffffffd0817e3000 x22: ffffffd0817e3000 x21: 0000000000000000
[ 22.991934][ T1] x20: ffffff8089171000 x19: ffffffd08252c8c8 x18: ffffffc080061058
[ 22.991934][ T1] x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 0000000000000004
[ 22.991934][ T1] x14: ffffff8178c88000 x13: 0000000000000006 x12: 0000000000000000
[ 22.991934][ T1] x11: 0000000000000015 x10: 0000000000000001 x9 : ffffffd082533000
[ 22.991934][ T1] x8 : 0000000109171000 x7 : 205b5d3433393139 x6 : 392e32322020205b
[ 22.991934][ T1] x5 : 000000010916f000 x4 : 000000008164b000 x3 : ffffff808a4e0530
[ 22.991934][ T1] x2 : ffffffd08058e784 x1 : 0000000082326000 x0 : 000000010a283000
[ 22.991934][ T1] Call trace:
[ 22.991934][ T1] swsusp_arch_resume+0x2ac/0x344
[ 22.991934][ T1] hibernation_restore+0x158/0x18c
[ 22.991934][ T1] load_image_and_restore+0xb0/0xec
[ 22.991934][ T1] software_resume+0xf4/0x19c
[ 22.991934][ T1] software_resume_initcall+0x34/0x78
[ 22.991934][ T1] do_one_initcall+0xe8/0x370
[ 22.991934][ T1] do_initcall_level+0xc8/0x19c
[ 22.991934][ T1] do_initcalls+0x70/0xc0
[ 22.991934][ T1] do_basic_setup+0x1c/0x28
[ 22.991934][ T1] kernel_init_freeable+0xe0/0x148
[ 22.991934][ T1] kernel_init+0x20/0x1a8
[ 22.991934][ T1] ret_from_fork+0x10/0x20
[ 22.991934][ T1] Code: a9400a61 f94013e0 f9438923 f9400a64 (b85fc110)
Co-developed-by: Jeson Gao <jeson.gao@unisoc.com>
Signed-off-by: Jeson Gao <jeson.gao@unisoc.com>
Signed-off-by: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
Acked-by: Will Deacon <will@kernel.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Cc: <stable@vger.kernel.org>
[catalin.marinas@arm.com: commit log updated by Mark Rutland]
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/hibernate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/kernel/hibernate.c
+++ b/arch/arm64/kernel/hibernate.c
@@ -396,7 +396,7 @@ int swsusp_arch_suspend(void)
* Memory allocated by get_safe_page() will be dealt with by the hibernate code,
* we don't need to free it here.
*/
-int swsusp_arch_resume(void)
+int __nocfi swsusp_arch_resume(void)
{
int rc;
void *zero_page;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 123/169] octeontx2: Fix otx2_dma_map_page() error return code
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 122/169] arm64: Set __nocfi on swsusp_arch_resume() Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 124/169] slimbus: core: fix runtime PM imbalance on report present Greg Kroah-Hartman
` (59 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit d998b0e5afffa90d0f03770bad31083767079858 upstream.
0 is a valid DMA address [1] so using it as the error value can lead to
errors. The error value of dma_map_XXX() functions is DMA_MAPPING_ERROR
which is ~0. The callers of otx2_dma_map_page() use dma_mapping_error()
to test the return value of otx2_dma_map_page(). This means that they
would not detect an error in otx2_dma_map_page().
Make otx2_dma_map_page() return the raw value of dma_map_page_attrs().
[1] https://lore.kernel.org/all/f977f68b-cec5-4ab7-b4bd-2cf6aca46267@intel.com
Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues")
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20260114123107.42387-2-fourier.thomas@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
@@ -894,13 +894,8 @@ static inline dma_addr_t otx2_dma_map_pa
size_t offset, size_t size,
enum dma_data_direction dir)
{
- dma_addr_t iova;
-
- iova = dma_map_page_attrs(pfvf->dev, page,
+ return dma_map_page_attrs(pfvf->dev, page,
offset, size, dir, DMA_ATTR_SKIP_CPU_SYNC);
- if (unlikely(dma_mapping_error(pfvf->dev, iova)))
- return (dma_addr_t)NULL;
- return iova;
}
static inline void otx2_dma_unmap_page(struct otx2_nic *pfvf,
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 124/169] slimbus: core: fix runtime PM imbalance on report present
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 123/169] octeontx2: Fix otx2_dma_map_page() error return code Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 125/169] slimbus: core: fix device reference leak " Greg Kroah-Hartman
` (58 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 0eb4ff6596114aabba1070a66afa2c2f5593739f upstream.
Make sure to balance the runtime PM usage count in case slimbus device
or address allocation fails on report present, which would otherwise
prevent the controller from suspending.
Fixes: 4b14e62ad3c9 ("slimbus: Add support for 'clock-pause' feature")
Cc: stable@vger.kernel.org # 4.16
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251126145329.5022-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/slimbus/core.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
--- a/drivers/slimbus/core.c
+++ b/drivers/slimbus/core.c
@@ -496,21 +496,23 @@ int slim_device_report_present(struct sl
if (ctrl->sched.clk_state != SLIM_CLK_ACTIVE) {
dev_err(ctrl->dev, "slim ctrl not active,state:%d, ret:%d\n",
ctrl->sched.clk_state, ret);
- goto slimbus_not_active;
+ goto out_put_rpm;
}
sbdev = slim_get_device(ctrl, e_addr);
- if (IS_ERR(sbdev))
- return -ENODEV;
+ if (IS_ERR(sbdev)) {
+ ret = -ENODEV;
+ goto out_put_rpm;
+ }
if (sbdev->is_laddr_valid) {
*laddr = sbdev->laddr;
- return 0;
+ ret = 0;
+ } else {
+ ret = slim_device_alloc_laddr(sbdev, true);
}
- ret = slim_device_alloc_laddr(sbdev, true);
-
-slimbus_not_active:
+out_put_rpm:
pm_runtime_mark_last_busy(ctrl->dev);
pm_runtime_put_autosuspend(ctrl->dev);
return ret;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 125/169] slimbus: core: fix device reference leak on report present
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 124/169] slimbus: core: fix runtime PM imbalance on report present Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 126/169] tracing: Fix crash on synthetic stacktrace field usage Greg Kroah-Hartman
` (57 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 9391380eb91ea5ac792aae9273535c8da5b9aa01 upstream.
Slimbus devices can be allocated dynamically upon reception of
report-present messages.
Make sure to drop the reference taken when looking up already registered
devices.
Note that this requires taking an extra reference in case the device has
not yet been registered and has to be allocated.
Fixes: 46a2bb5a7f7e ("slimbus: core: Add slim controllers support")
Cc: stable@vger.kernel.org # 4.16
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251126145329.5022-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/slimbus/core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/slimbus/core.c
+++ b/drivers/slimbus/core.c
@@ -378,6 +378,8 @@ struct slim_device *slim_get_device(stru
sbdev = slim_alloc_device(ctrl, e_addr, NULL);
if (!sbdev)
return ERR_PTR(-ENOMEM);
+
+ get_device(&sbdev->dev);
}
return sbdev;
@@ -512,6 +514,7 @@ int slim_device_report_present(struct sl
ret = slim_device_alloc_laddr(sbdev, true);
}
+ put_device(&sbdev->dev);
out_put_rpm:
pm_runtime_mark_last_busy(ctrl->dev);
pm_runtime_put_autosuspend(ctrl->dev);
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 126/169] tracing: Fix crash on synthetic stacktrace field usage
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 125/169] slimbus: core: fix device reference leak " Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 127/169] intel_th: fix device leak on output open() Greg Kroah-Hartman
` (56 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Tom Zanussi, Steven Rostedt (Google)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit 90f9f5d64cae4e72defd96a2a22760173cb3c9ec upstream.
When creating a synthetic event based on an existing synthetic event that
had a stacktrace field and the new synthetic event used that field a
kernel crash occurred:
~# cd /sys/kernel/tracing
~# echo 's:stack unsigned long stack[];' > dynamic_events
~# echo 'hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3' >> events/sched/sched_switch/trigger
~# echo 'hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)' >> events/sched/sched_switch/trigger
The above creates a synthetic event that takes a stacktrace when a task
schedules out in a non-running state and passes that stacktrace to the
sched_switch event when that task schedules back in. It triggers the
"stack" synthetic event that has a stacktrace as its field (called "stack").
~# echo 's:syscall_stack s64 id; unsigned long stack[];' >> dynamic_events
~# echo 'hist:keys=common_pid:s2=stack' >> events/synthetic/stack/trigger
~# echo 'hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)' >> events/raw_syscalls/sys_exit/trigger
The above makes another synthetic event called "syscall_stack" that
attaches the first synthetic event (stack) to the sys_exit trace event and
records the stacktrace from the stack event with the id of the system call
that is exiting.
When enabling this event (or using it in a historgram):
~# echo 1 > events/synthetic/syscall_stack/enable
Produces a kernel crash!
BUG: unable to handle page fault for address: 0000000000400010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy) Debian 6.16.3-1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:trace_event_raw_event_synth+0x90/0x380
Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 <49> 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f
RSP: 0018:ffffd2670388f958 EFLAGS: 00010202
RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0
RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50
R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010
R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90
FS: 00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0
Call Trace:
<TASK>
? __tracing_map_insert+0x208/0x3a0
action_trace+0x67/0x70
event_hist_trigger+0x633/0x6d0
event_triggers_call+0x82/0x130
trace_event_buffer_commit+0x19d/0x250
trace_event_raw_event_sys_exit+0x62/0xb0
syscall_exit_work+0x9d/0x140
do_syscall_64+0x20a/0x2f0
? trace_event_raw_event_sched_switch+0x12b/0x170
? save_fpregs_to_fpstate+0x3e/0x90
? _raw_spin_unlock+0xe/0x30
? finish_task_switch.isra.0+0x97/0x2c0
? __rseq_handle_notify_resume+0xad/0x4c0
? __schedule+0x4b8/0xd00
? restore_fpregs_from_fpstate+0x3c/0x90
? switch_fpu_return+0x5b/0xe0
? do_syscall_64+0x1ef/0x2f0
? do_fault+0x2e9/0x540
? __handle_mm_fault+0x7d1/0xf70
? count_memcg_events+0x167/0x1d0
? handle_mm_fault+0x1d7/0x2e0
? do_user_addr_fault+0x2c3/0x7f0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The reason is that the stacktrace field is not labeled as such, and is
treated as a normal field and not as a dynamic event that it is.
In trace_event_raw_event_synth() the event is field is still treated as a
dynamic array, but the retrieval of the data is considered a normal field,
and the reference is just the meta data:
// Meta data is retrieved instead of a dynamic array
str_val = (char *)(long)var_ref_vals[val_idx];
// Then when it tries to process it:
len = *((unsigned long *)str_val) + 1;
It triggers a kernel page fault.
To fix this, first when defining the fields of the first synthetic event,
set the filter type to FILTER_STACKTRACE. This is used later by the second
synthetic event to know that this field is a stacktrace. When creating
the field of the new synthetic event, have it use this FILTER_STACKTRACE
to know to create a stacktrace field to copy the stacktrace into.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Tom Zanussi <zanussi@kernel.org>
Link: https://patch.msgid.link/20260122194824.6905a38e@gandalf.local.home
Fixes: 00cf3d672a9d ("tracing: Allow synthetic events to pass around stacktraces")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events_hist.c | 9 +++++++++
kernel/trace/trace_events_synth.c | 8 +++++++-
2 files changed, 16 insertions(+), 1 deletion(-)
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -2040,6 +2040,15 @@ static struct hist_field *create_hist_fi
hist_field->fn_num = HIST_FIELD_FN_RELDYNSTRING;
else
hist_field->fn_num = HIST_FIELD_FN_PSTRING;
+ } else if (field->filter_type == FILTER_STACKTRACE) {
+ flags |= HIST_FIELD_FL_STACKTRACE;
+
+ hist_field->size = MAX_FILTER_STR_VAL;
+ hist_field->type = kstrdup_const(field->type, GFP_KERNEL);
+ if (!hist_field->type)
+ goto free;
+
+ hist_field->fn_num = HIST_FIELD_FN_STACK;
} else {
hist_field->size = field->size;
hist_field->is_signed = field->is_signed;
--- a/kernel/trace/trace_events_synth.c
+++ b/kernel/trace/trace_events_synth.c
@@ -137,7 +137,9 @@ static int synth_event_define_fields(str
struct synth_event *event = call->data;
unsigned int i, size, n_u64;
char *name, *type;
+ int filter_type;
bool is_signed;
+ bool is_stack;
int ret = 0;
for (i = 0, n_u64 = 0; i < event->n_fields; i++) {
@@ -145,8 +147,12 @@ static int synth_event_define_fields(str
is_signed = event->fields[i]->is_signed;
type = event->fields[i]->type;
name = event->fields[i]->name;
+ is_stack = event->fields[i]->is_stack;
+
+ filter_type = is_stack ? FILTER_STACKTRACE : FILTER_OTHER;
+
ret = trace_define_field(call, type, name, offset, size,
- is_signed, FILTER_OTHER);
+ is_signed, filter_type);
if (ret)
break;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 127/169] intel_th: fix device leak on output open()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 126/169] tracing: Fix crash on synthetic stacktrace field usage Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 128/169] mei: trace: treat reg parameter as string Greg Kroah-Hartman
` (55 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexander Shishkin, Ma Ke,
Johan Hovold
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 95fc36a234da24bbc5f476f8104a5a15f99ed3e3 upstream.
Make sure to drop the reference taken when looking up the th device
during output device open() on errors and on close().
Note that a recent commit fixed the leak in a couple of open() error
paths but not all of them, and the reference is still leaking on
successful open().
Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices")
Fixes: 6d5925b667e4 ("intel_th: Fix error handling in intel_th_output_open")
Cc: stable@vger.kernel.org # 4.4: 6d5925b667e4
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251208153524.68637-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/intel_th/core.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
--- a/drivers/hwtracing/intel_th/core.c
+++ b/drivers/hwtracing/intel_th/core.c
@@ -810,9 +810,12 @@ static int intel_th_output_open(struct i
int err;
dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev);
- if (!dev || !dev->driver) {
+ if (!dev)
+ return -ENODEV;
+
+ if (!dev->driver) {
err = -ENODEV;
- goto out_no_device;
+ goto out_put_device;
}
thdrv = to_intel_th_driver(dev->driver);
@@ -836,12 +839,22 @@ static int intel_th_output_open(struct i
out_put_device:
put_device(dev);
-out_no_device:
+
return err;
}
+static int intel_th_output_release(struct inode *inode, struct file *file)
+{
+ struct intel_th_device *thdev = file->private_data;
+
+ put_device(&thdev->dev);
+
+ return 0;
+}
+
static const struct file_operations intel_th_output_fops = {
.open = intel_th_output_open,
+ .release = intel_th_output_release,
.llseek = noop_llseek,
};
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 128/169] mei: trace: treat reg parameter as string
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 127/169] intel_th: fix device leak on output open() Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 129/169] s390/ap: Fix wrong APQN fill calculation Greg Kroah-Hartman
` (54 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexander Usyskin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Usyskin <alexander.usyskin@intel.com>
commit 06d5a7afe1d0b47102936d8fba568572c2b4b941 upstream.
The commit
afd2627f727b ("tracing: Check "%s" dereference via the field and not the TP_printk format")
forbids to emit event with a plain char* without a wrapper.
The reg parameter always passed as static string and wrapper
is not strictly required, contrary to dev parameter.
Use the string wrapper anyway to check sanity of the reg parameters,
store it value independently and prevent internal kernel data leaks.
Since some code refactoring has taken place, explicit backporting may
be needed for kernels older than 6.10.
Cc: stable@vger.kernel.org # v6.11+
Fixes: a0a927d06d79 ("mei: me: add io register tracing")
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Link: https://patch.msgid.link/20260111145125.1754912-1-alexander.usyskin@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/mei/mei-trace.h | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/drivers/misc/mei/mei-trace.h
+++ b/drivers/misc/mei/mei-trace.h
@@ -21,18 +21,18 @@ TRACE_EVENT(mei_reg_read,
TP_ARGS(dev, reg, offs, val),
TP_STRUCT__entry(
__string(dev, dev_name(dev))
- __field(const char *, reg)
+ __string(reg, reg)
__field(u32, offs)
__field(u32, val)
),
TP_fast_assign(
__assign_str(dev);
- __entry->reg = reg;
+ __assign_str(reg);
__entry->offs = offs;
__entry->val = val;
),
TP_printk("[%s] read %s:[%#x] = %#x",
- __get_str(dev), __entry->reg, __entry->offs, __entry->val)
+ __get_str(dev), __get_str(reg), __entry->offs, __entry->val)
);
TRACE_EVENT(mei_reg_write,
@@ -40,18 +40,18 @@ TRACE_EVENT(mei_reg_write,
TP_ARGS(dev, reg, offs, val),
TP_STRUCT__entry(
__string(dev, dev_name(dev))
- __field(const char *, reg)
+ __string(reg, reg)
__field(u32, offs)
__field(u32, val)
),
TP_fast_assign(
__assign_str(dev);
- __entry->reg = reg;
+ __assign_str(reg);
__entry->offs = offs;
__entry->val = val;
),
TP_printk("[%s] write %s[%#x] = %#x",
- __get_str(dev), __entry->reg, __entry->offs, __entry->val)
+ __get_str(dev), __get_str(reg), __entry->offs, __entry->val)
);
TRACE_EVENT(mei_pci_cfg_read,
@@ -59,18 +59,18 @@ TRACE_EVENT(mei_pci_cfg_read,
TP_ARGS(dev, reg, offs, val),
TP_STRUCT__entry(
__string(dev, dev_name(dev))
- __field(const char *, reg)
+ __string(reg, reg)
__field(u32, offs)
__field(u32, val)
),
TP_fast_assign(
__assign_str(dev);
- __entry->reg = reg;
+ __assign_str(reg);
__entry->offs = offs;
__entry->val = val;
),
TP_printk("[%s] pci cfg read %s:[%#x] = %#x",
- __get_str(dev), __entry->reg, __entry->offs, __entry->val)
+ __get_str(dev), __get_str(reg), __entry->offs, __entry->val)
);
#endif /* _MEI_TRACE_H_ */
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 129/169] s390/ap: Fix wrong APQN fill calculation
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 128/169] mei: trace: treat reg parameter as string Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 130/169] uacce: fix cdev handling in the cleanup path Greg Kroah-Hartman
` (53 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ingo Franzki, Harald Freudenberger,
Heiko Carstens
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harald Freudenberger <freude@linux.ibm.com>
commit 3317785a8803db629efc759d811d0f589d3a0b2d upstream.
The upper limit of the firmware queue fill state for each APQN
is reported by the hwinfo.qd field. This field shows the
numbers 0-7 for 1-8 queue spaces available. But the exploiting
code assumed the real boundary is stored there and thus stoppes
queuing in messages one tick too early.
Correct the limit calculation and thus offer a boost
of 12.5% performance for high traffic on one APQN.
Fixes: d4c53ae8e4948 ("s390/ap: store TAPQ hwinfo in struct ap_card")
Cc: stable@vger.kernel.org
Reported-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/crypto/ap_card.c | 2 +-
drivers/s390/crypto/ap_queue.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/s390/crypto/ap_card.c
+++ b/drivers/s390/crypto/ap_card.c
@@ -44,7 +44,7 @@ static ssize_t depth_show(struct device
{
struct ap_card *ac = to_ap_card(dev);
- return sysfs_emit(buf, "%d\n", ac->hwinfo.qd);
+ return sysfs_emit(buf, "%d\n", ac->hwinfo.qd + 1);
}
static DEVICE_ATTR_RO(depth);
--- a/drivers/s390/crypto/ap_queue.c
+++ b/drivers/s390/crypto/ap_queue.c
@@ -268,7 +268,7 @@ static enum ap_sm_wait ap_sm_write(struc
list_move_tail(&ap_msg->list, &aq->pendingq);
aq->requestq_count--;
aq->pendingq_count++;
- if (aq->queue_count < aq->card->hwinfo.qd) {
+ if (aq->queue_count < aq->card->hwinfo.qd + 1) {
aq->sm_state = AP_SM_STATE_WORKING;
return AP_SM_WAIT_AGAIN;
}
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 130/169] uacce: fix cdev handling in the cleanup path
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 129/169] s390/ap: Fix wrong APQN fill calculation Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 131/169] uacce: fix isolate sysfs check condition Greg Kroah-Hartman
` (52 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenkai Lin, Chenghai Huang,
Zhangfei Gao
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenkai Lin <linwenkai6@hisilicon.com>
commit a3bece3678f6c88db1f44c602b2a63e84b4040ac upstream.
When cdev_device_add fails, it internally releases the cdev memory,
and if cdev_device_del is then executed, it will cause a hang error.
To fix it, we check the return value of cdev_device_add() and clear
uacce->cdev to avoid calling cdev_device_del in the uacce_remove.
Fixes: 015d239ac014 ("uacce: add uacce driver")
Cc: stable@vger.kernel.org
Signed-off-by: Wenkai Lin <linwenkai6@hisilicon.com>
Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
Acked-by: Zhangfei Gao <zhangfei.gao@linaro.org>
Link: https://patch.msgid.link/20251202061256.4158641-2-huangchenghai2@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/uacce/uacce.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/misc/uacce/uacce.c
+++ b/drivers/misc/uacce/uacce.c
@@ -556,6 +556,8 @@ EXPORT_SYMBOL_GPL(uacce_alloc);
*/
int uacce_register(struct uacce_device *uacce)
{
+ int ret;
+
if (!uacce)
return -ENODEV;
@@ -566,7 +568,11 @@ int uacce_register(struct uacce_device *
uacce->cdev->ops = &uacce_fops;
uacce->cdev->owner = THIS_MODULE;
- return cdev_device_add(uacce->cdev, &uacce->dev);
+ ret = cdev_device_add(uacce->cdev, &uacce->dev);
+ if (ret)
+ uacce->cdev = NULL;
+
+ return ret;
}
EXPORT_SYMBOL_GPL(uacce_register);
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 131/169] uacce: fix isolate sysfs check condition
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 130/169] uacce: fix cdev handling in the cleanup path Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 132/169] uacce: implement mremap in uacce_vm_ops to return -EPERM Greg Kroah-Hartman
` (51 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chenghai Huang, Zhangfei Gao
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenghai Huang <huangchenghai2@huawei.com>
commit 98eec349259b1fd876f350b1c600403bcef8f85d upstream.
uacce supports the device isolation feature. If the driver
implements the isolate_err_threshold_read and
isolate_err_threshold_write callback functions, uacce will create
sysfs files now. Users can read and configure the isolation policy
through sysfs. Currently, sysfs files are created as long as either
isolate_err_threshold_read or isolate_err_threshold_write callback
functions are present.
However, accessing a non-existent callback function may cause the
system to crash. Therefore, intercept the creation of sysfs if
neither read nor write exists; create sysfs if either is supported,
but intercept unsupported operations at the call site.
Fixes: e3e289fbc0b5 ("uacce: supports device isolation feature")
Cc: stable@vger.kernel.org
Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
Acked-by: Zhangfei Gao <zhangfei.gao@linaro.org>
Link: https://patch.msgid.link/20251202061256.4158641-3-huangchenghai2@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/uacce/uacce.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/misc/uacce/uacce.c
+++ b/drivers/misc/uacce/uacce.c
@@ -382,6 +382,9 @@ static ssize_t isolate_strategy_show(str
struct uacce_device *uacce = to_uacce_device(dev);
u32 val;
+ if (!uacce->ops->isolate_err_threshold_read)
+ return -ENOENT;
+
val = uacce->ops->isolate_err_threshold_read(uacce);
return sysfs_emit(buf, "%u\n", val);
@@ -394,6 +397,9 @@ static ssize_t isolate_strategy_store(st
unsigned long val;
int ret;
+ if (!uacce->ops->isolate_err_threshold_write)
+ return -ENOENT;
+
if (kstrtoul(buf, 0, &val) < 0)
return -EINVAL;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 132/169] uacce: implement mremap in uacce_vm_ops to return -EPERM
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 131/169] uacce: fix isolate sysfs check condition Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 133/169] uacce: ensure safe queue release with state management Greg Kroah-Hartman
` (50 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Shen, Chenghai Huang,
Zhangfei Gao
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Shen <shenyang39@huawei.com>
commit 02695347be532b628f22488300d40c4eba48b9b7 upstream.
The current uacce_vm_ops does not support the mremap operation of
vm_operations_struct. Implement .mremap to return -EPERM to remind
users.
The reason we need to explicitly disable mremap is that when the
driver does not implement .mremap, it uses the default mremap
method. This could lead to a risk scenario:
An application might first mmap address p1, then mremap to p2,
followed by munmap(p1), and finally munmap(p2). Since the default
mremap copies the original vma's vm_private_data (i.e., q) to the
new vma, both munmap operations would trigger vma_close, causing
q->qfr to be freed twice(qfr will be set to null here, so repeated
release is ok).
Fixes: 015d239ac014 ("uacce: add uacce driver")
Cc: stable@vger.kernel.org
Signed-off-by: Yang Shen <shenyang39@huawei.com>
Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
Acked-by: Zhangfei Gao <zhangfei.gao@linaro.org>
Link: https://patch.msgid.link/20251202061256.4158641-4-huangchenghai2@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/uacce/uacce.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/misc/uacce/uacce.c
+++ b/drivers/misc/uacce/uacce.c
@@ -214,8 +214,14 @@ static void uacce_vma_close(struct vm_ar
}
}
+static int uacce_vma_mremap(struct vm_area_struct *area)
+{
+ return -EPERM;
+}
+
static const struct vm_operations_struct uacce_vm_ops = {
.close = uacce_vma_close,
+ .mremap = uacce_vma_mremap,
};
static int uacce_fops_mmap(struct file *filep, struct vm_area_struct *vma)
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 133/169] uacce: ensure safe queue release with state management
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 132/169] uacce: implement mremap in uacce_vm_ops to return -EPERM Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 134/169] netrom: fix double-free in nr_route_frame() Greg Kroah-Hartman
` (49 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chenghai Huang, Yang Shen,
Zhangfei Gao
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenghai Huang <huangchenghai2@huawei.com>
commit 26c08dabe5475d99a13f353d8dd70e518de45663 upstream.
Directly calling `put_queue` carries risks since it cannot
guarantee that resources of `uacce_queue` have been fully released
beforehand. So adding a `stop_queue` operation for the
UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to
the final resource release ensures safety.
Queue states are defined as follows:
- UACCE_Q_ZOMBIE: Initial state
- UACCE_Q_INIT: After opening `uacce`
- UACCE_Q_STARTED: After `start` is issued via `ioctl`
When executing `poweroff -f` in virt while accelerator are still
working, `uacce_fops_release` and `uacce_remove` may execute
concurrently. This can cause `uacce_put_queue` within
`uacce_fops_release` to access a NULL `ops` pointer. Therefore, add
state checks to prevent accessing freed pointers.
Fixes: 015d239ac014 ("uacce: add uacce driver")
Cc: stable@vger.kernel.org
Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
Signed-off-by: Yang Shen <shenyang39@huawei.com>
Acked-by: Zhangfei Gao <zhangfei.gao@linaro.org>
Link: https://patch.msgid.link/20251202061256.4158641-5-huangchenghai2@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/uacce/uacce.c | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
--- a/drivers/misc/uacce/uacce.c
+++ b/drivers/misc/uacce/uacce.c
@@ -40,20 +40,34 @@ static int uacce_start_queue(struct uacc
return 0;
}
-static int uacce_put_queue(struct uacce_queue *q)
+static int uacce_stop_queue(struct uacce_queue *q)
{
struct uacce_device *uacce = q->uacce;
- if ((q->state == UACCE_Q_STARTED) && uacce->ops->stop_queue)
+ if (q->state != UACCE_Q_STARTED)
+ return 0;
+
+ if (uacce->ops->stop_queue)
uacce->ops->stop_queue(q);
- if ((q->state == UACCE_Q_INIT || q->state == UACCE_Q_STARTED) &&
- uacce->ops->put_queue)
+ q->state = UACCE_Q_INIT;
+
+ return 0;
+}
+
+static void uacce_put_queue(struct uacce_queue *q)
+{
+ struct uacce_device *uacce = q->uacce;
+
+ uacce_stop_queue(q);
+
+ if (q->state != UACCE_Q_INIT)
+ return;
+
+ if (uacce->ops->put_queue)
uacce->ops->put_queue(q);
q->state = UACCE_Q_ZOMBIE;
-
- return 0;
}
static long uacce_fops_unl_ioctl(struct file *filep,
@@ -80,7 +94,7 @@ static long uacce_fops_unl_ioctl(struct
ret = uacce_start_queue(q);
break;
case UACCE_CMD_PUT_Q:
- ret = uacce_put_queue(q);
+ ret = uacce_stop_queue(q);
break;
default:
if (uacce->ops->ioctl)
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 134/169] netrom: fix double-free in nr_route_frame()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 133/169] uacce: ensure safe queue release with state management Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 135/169] platform/x86: hp-bioscfg: Fix automatic module loading Greg Kroah-Hartman
` (48 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+999115c3bf275797dc27,
Jeongjun Park, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
commit ba1096c315283ee3292765f6aea4cca15816c4f7 upstream.
In nr_route_frame(), old_skb is immediately freed without checking if
nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL,
the caller function will free old_skb again, causing a double-free bug.
Therefore, to prevent this, we need to modify it to check whether
nr_neigh->ax25 is NULL before freeing old_skb.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+999115c3bf275797dc27@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0029.GAE@google.com/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Link: https://patch.msgid.link/20260119063359.10604-1-aha310510@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netrom/nr_route.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/net/netrom/nr_route.c
+++ b/net/netrom/nr_route.c
@@ -752,7 +752,7 @@ int nr_route_frame(struct sk_buff *skb,
unsigned char *dptr;
ax25_cb *ax25s;
int ret;
- struct sk_buff *skbn;
+ struct sk_buff *nskb, *oskb;
/*
* Reject malformed packets early. Check that it contains at least 2
@@ -811,14 +811,16 @@ int nr_route_frame(struct sk_buff *skb,
/* We are going to change the netrom headers so we should get our
own skb, we also did not know until now how much header space
we had to reserve... - RXQ */
- if ((skbn=skb_copy_expand(skb, dev->hard_header_len, 0, GFP_ATOMIC)) == NULL) {
+ nskb = skb_copy_expand(skb, dev->hard_header_len, 0, GFP_ATOMIC);
+
+ if (!nskb) {
nr_node_unlock(nr_node);
nr_node_put(nr_node);
dev_put(dev);
return 0;
}
- kfree_skb(skb);
- skb=skbn;
+ oskb = skb;
+ skb = nskb;
skb->data[14]--;
dptr = skb_push(skb, 1);
@@ -837,6 +839,9 @@ int nr_route_frame(struct sk_buff *skb,
nr_node_unlock(nr_node);
nr_node_put(nr_node);
+ if (ret)
+ kfree_skb(oskb);
+
return ret;
}
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 135/169] platform/x86: hp-bioscfg: Fix automatic module loading
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 134/169] netrom: fix double-free in nr_route_frame() Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 136/169] pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu Greg Kroah-Hartman
` (47 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mario Limonciello,
Ilpo Järvinen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 467d4afc6caa64b84a6db1634f8091e931f4a7cb upstream.
hp-bioscfg has a MODULE_DEVICE_TABLE with a GUID in it that looks
plausible, but the module doesn't automatically load on applicable
systems.
This is because the GUID has some lower case characters and so it
doesn't match the modalias during boot. Update the GUIDs to be all
uppercase.
Cc: stable@vger.kernel.org
Fixes: 5f94f181ca25 ("platform/x86: hp-bioscfg: bioscfg-h")
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Link: https://patch.msgid.link/20260115203725.828434-4-mario.limonciello@amd.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/hp/hp-bioscfg/bioscfg.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.h
+++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.h
@@ -57,14 +57,14 @@ enum mechanism_values {
#define PASSWD_MECHANISM_TYPES "password"
-#define HP_WMI_BIOS_GUID "5FB7F034-2C63-45e9-BE91-3D44E2C707E4"
+#define HP_WMI_BIOS_GUID "5FB7F034-2C63-45E9-BE91-3D44E2C707E4"
-#define HP_WMI_BIOS_STRING_GUID "988D08E3-68F4-4c35-AF3E-6A1B8106F83C"
+#define HP_WMI_BIOS_STRING_GUID "988D08E3-68F4-4C35-AF3E-6A1B8106F83C"
#define HP_WMI_BIOS_INTEGER_GUID "8232DE3D-663D-4327-A8F4-E293ADB9BF05"
#define HP_WMI_BIOS_ENUMERATION_GUID "2D114B49-2DFB-4130-B8FE-4A3C09E75133"
#define HP_WMI_BIOS_ORDERED_LIST_GUID "14EA9746-CE1F-4098-A0E0-7045CB4DA745"
#define HP_WMI_BIOS_PASSWORD_GUID "322F2028-0F84-4901-988E-015176049E2D"
-#define HP_WMI_SET_BIOS_SETTING_GUID "1F4C91EB-DC5C-460b-951D-C7CB9B4B8D5E"
+#define HP_WMI_SET_BIOS_SETTING_GUID "1F4C91EB-DC5C-460B-951D-C7CB9B4B8D5E"
enum hp_wmi_spm_commandtype {
HPWMI_SECUREPLATFORM_GET_STATE = 0x10,
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 136/169] pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 135/169] platform/x86: hp-bioscfg: Fix automatic module loading Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 137/169] perf/x86/intel: Do not enable BTS for guests Greg Kroah-Hartman
` (46 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Qian, Benjamin Gaignard,
Peng Fan, Frank Li, Ulf Hansson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Qian <ming.qian@oss.nxp.com>
commit 3de49966499634454fd59e0e6fecd50baab7febd upstream.
For i.MX8MQ platform, the ADB in the VPUMIX domain has no separate reset
and clock enable bits, but is ungated and reset together with the VPUs.
So we can't reset G1 or G2 separately, it may led to the system hang.
Remove rst_mask and clk_mask of imx8mq_vpu_blk_ctl_domain_data.
Let imx8mq_vpu_power_notifier() do really vpu reset.
Fixes: 608d7c325e85 ("soc: imx: imx8m-blk-ctrl: add i.MX8MQ VPU blk-ctrl")
Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
Reviewed-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pmdomain/imx/imx8m-blk-ctrl.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/drivers/pmdomain/imx/imx8m-blk-ctrl.c
+++ b/drivers/pmdomain/imx/imx8m-blk-ctrl.c
@@ -846,22 +846,25 @@ static int imx8mq_vpu_power_notifier(str
return NOTIFY_OK;
}
+/*
+ * For i.MX8MQ, the ADB in the VPUMIX domain has no separate reset and clock
+ * enable bits, but is ungated and reset together with the VPUs.
+ * Resetting G1 or G2 separately may led to system hang.
+ * Remove the rst_mask and clk_mask from the domain data of G1 and G2,
+ * Let imx8mq_vpu_power_notifier() do really vpu reset.
+ */
static const struct imx8m_blk_ctrl_domain_data imx8mq_vpu_blk_ctl_domain_data[] = {
[IMX8MQ_VPUBLK_PD_G1] = {
.name = "vpublk-g1",
.clk_names = (const char *[]){ "g1", },
.num_clks = 1,
.gpc_name = "g1",
- .rst_mask = BIT(1),
- .clk_mask = BIT(1),
},
[IMX8MQ_VPUBLK_PD_G2] = {
.name = "vpublk-g2",
.clk_names = (const char *[]){ "g2", },
.num_clks = 1,
.gpc_name = "g2",
- .rst_mask = BIT(0),
- .clk_mask = BIT(0),
},
};
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 137/169] perf/x86/intel: Do not enable BTS for guests
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 136/169] pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 138/169] irqchip/gic-v3-its: Avoid truncating memory addresses Greg Kroah-Hartman
` (45 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan H . Schönherr,
Peter Zijlstra, Fernand Sieber
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernand Sieber <sieberf@amazon.com>
commit 91dcfae0ff2b9b9ab03c1ec95babaceefbffb9f4 upstream.
By default when users program perf to sample branch instructions
(PERF_COUNT_HW_BRANCH_INSTRUCTIONS) with a sample period of 1, perf
interprets this as a special case and enables BTS (Branch Trace Store)
as an optimization to avoid taking an interrupt on every branch.
Since BTS doesn't virtualize, this optimization doesn't make sense when
the request originates from a guest. Add an additional check that
prevents this optimization for virtualized events (exclude_host).
Reported-by: Jan H. Schönherr <jschoenh@amazon.de>
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Fernand Sieber <sieberf@amazon.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20251211183604.868641-1-sieberf@amazon.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/perf_event.h | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/arch/x86/events/perf_event.h
+++ b/arch/x86/events/perf_event.h
@@ -1513,13 +1513,22 @@ static inline bool intel_pmu_has_bts_per
struct hw_perf_event *hwc = &event->hw;
unsigned int hw_event, bts_event;
- if (event->attr.freq)
+ /*
+ * Only use BTS for fixed rate period==1 events.
+ */
+ if (event->attr.freq || period != 1)
+ return false;
+
+ /*
+ * BTS doesn't virtualize.
+ */
+ if (event->attr.exclude_host)
return false;
hw_event = hwc->config & INTEL_ARCH_EVENT_MASK;
bts_event = x86_pmu.event_map(PERF_COUNT_HW_BRANCH_INSTRUCTIONS);
- return hw_event == bts_event && period == 1;
+ return hw_event == bts_event;
}
static inline bool intel_pmu_has_bts(struct perf_event *event)
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 138/169] irqchip/gic-v3-its: Avoid truncating memory addresses
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 137/169] perf/x86/intel: Do not enable BTS for guests Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 139/169] net: sfp: add potron quirk to the H-COM SPP425H-GAB4 SFP+ Stick Greg Kroah-Hartman
` (44 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Thomas Gleixner,
Marc Zyngier
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 8d76a7d89c12d08382b66e2f21f20d0627d14859 upstream.
On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem
allocations to be backed by addresses physical memory above the 32-bit
address limit, as found while experimenting with larger VMSPLIT
configurations.
This caused the qemu virt model to crash in the GICv3 driver, which
allocates the 'itt' object using GFP_KERNEL. Since all memory below
the 4GB physical address limit is in ZONE_DMA in this configuration,
kmalloc() defaults to higher addresses for ZONE_NORMAL, and the
ITS driver stores the physical address in a 32-bit 'unsigned long'
variable.
Change the itt_addr variable to the correct phys_addr_t type instead,
along with all other variables in this driver that hold a physical
address.
The gicv5 driver correctly uses u64 variables, while all other irqchip
drivers don't call virt_to_phys or similar interfaces. It's expected that
other device drivers have similar issues, but fixing this one is
sufficient for booting a virtio based guest.
Fixes: cc2d3216f53c ("irqchip: GICv3: ITS command queue")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260119201603.2713066-1-arnd@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-gic-v3-its.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -619,7 +619,7 @@ static struct its_collection *its_build_
struct its_cmd_block *cmd,
struct its_cmd_desc *desc)
{
- unsigned long itt_addr;
+ phys_addr_t itt_addr;
u8 size = ilog2(desc->its_mapd_cmd.dev->nr_ites);
itt_addr = virt_to_phys(desc->its_mapd_cmd.dev->itt);
@@ -790,7 +790,7 @@ static struct its_vpe *its_build_vmapp_c
struct its_cmd_desc *desc)
{
struct its_vpe *vpe = valid_vpe(its, desc->its_vmapp_cmd.vpe);
- unsigned long vpt_addr, vconf_addr;
+ phys_addr_t vpt_addr, vconf_addr;
u64 target;
bool alloc;
@@ -2395,10 +2395,10 @@ retry_baser:
baser->psz = psz;
tmp = indirect ? GITS_LVL1_ENTRY_SIZE : esz;
- pr_info("ITS@%pa: allocated %d %s @%lx (%s, esz %d, psz %dK, shr %d)\n",
+ pr_info("ITS@%pa: allocated %d %s @%llx (%s, esz %d, psz %dK, shr %d)\n",
&its->phys_base, (int)(PAGE_ORDER_TO_SIZE(order) / (int)tmp),
its_base_type_string[type],
- (unsigned long)virt_to_phys(base),
+ (u64)virt_to_phys(base),
indirect ? "indirect" : "flat", (int)esz,
psz / SZ_1K, (int)shr >> GITS_BASER_SHAREABILITY_SHIFT);
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 139/169] net: sfp: add potron quirk to the H-COM SPP425H-GAB4 SFP+ Stick
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 138/169] irqchip/gic-v3-its: Avoid truncating memory addresses Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 140/169] can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak Greg Kroah-Hartman
` (43 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hamza Mahfooz, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hamza Mahfooz <someguy@effective-light.com>
commit a92a6c50e35b75a8021265507f3c2a9084df0b94 upstream.
This is another one of those XGSPON ONU sticks that's using the
X-ONU-SFPP internally, thus it also requires the potron quirk to avoid tx
faults. So, add an entry for it in sfp_quirks[].
Cc: stable@vger.kernel.org
Signed-off-by: Hamza Mahfooz <someguy@effective-light.com>
Link: https://patch.msgid.link/20260113232957.609642-1-someguy@effective-light.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/phy/sfp.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/phy/sfp.c
+++ b/drivers/net/phy/sfp.c
@@ -513,6 +513,8 @@ static const struct sfp_quirk sfp_quirks
SFP_QUIRK_F("HALNy", "HL-GSFP", sfp_fixup_halny_gsfp),
+ SFP_QUIRK_F("H-COM", "SPP425H-GAB4", sfp_fixup_potron),
+
// HG MXPD-483II-F 2.5G supports 2500Base-X, but incorrectly reports
// 2600MBd in their EERPOM
SFP_QUIRK_M("HG GENUINE", "MXPD-483II", sfp_quirk_2500basex),
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 140/169] can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 139/169] net: sfp: add potron quirk to the H-COM SPP425H-GAB4 SFP+ Stick Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 141/169] can: kvaser_usb: kvaser_usb_read_bulk_callback(): " Greg Kroah-Hartman
` (42 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit 0ce73a0eb5a27070957b67fd74059b6da89cc516 upstream.
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In ems_usb_open(), the URBs for USB-in transfers are allocated, added to
the dev->rx_submitted anchor and submitted. In the complete callback
ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
ems_usb_close() the URBs are freed by calling
usb_kill_anchored_urbs(&dev->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in ems_usb_close().
Fix the memory leak by anchoring the URB in the
ems_usb_read_bulk_callback() to the dev->rx_submitted anchor.
Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-1-4b8cb2915571@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/ems_usb.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -486,11 +486,17 @@ resubmit_urb:
urb->transfer_buffer, RX_BUFFER_SIZE,
ems_usb_read_bulk_callback, dev);
+ usb_anchor_urb(urb, &dev->rx_submitted);
+
retval = usb_submit_urb(urb, GFP_ATOMIC);
+ if (!retval)
+ return;
+
+ usb_unanchor_urb(urb);
if (retval == -ENODEV)
netif_device_detach(netdev);
- else if (retval)
+ else
netdev_err(netdev,
"failed resubmitting read bulk urb: %d\n", retval);
}
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 141/169] can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 140/169] can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 142/169] can: mcba_usb: mcba_usb_read_bulk_callback(): " Greg Kroah-Hartman
` (41 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit 248e8e1a125fa875158df521b30f2cc7e27eeeaa upstream.
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the
URBs for USB-in transfers are allocated, added to the dev->rx_submitted
anchor and submitted. In the complete callback
kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
kvaser_usb_remove_interfaces() the URBs are freed by calling
usb_kill_anchored_urbs(&dev->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().
Fix the memory leak by anchoring the URB in the
kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor.
Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-3-4b8cb2915571@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
@@ -361,7 +361,14 @@ resubmit_urb:
urb->transfer_buffer, KVASER_USB_RX_BUFFER_SIZE,
kvaser_usb_read_bulk_callback, dev);
+ usb_anchor_urb(urb, &dev->rx_submitted);
+
err = usb_submit_urb(urb, GFP_ATOMIC);
+ if (!err)
+ return;
+
+ usb_unanchor_urb(urb);
+
if (err == -ENODEV) {
for (i = 0; i < dev->nchannels; i++) {
if (!dev->nets[i])
@@ -369,7 +376,7 @@ resubmit_urb:
netif_device_detach(dev->nets[i]->netdev);
}
- } else if (err) {
+ } else {
dev_err(&dev->intf->dev,
"Failed resubmitting read bulk urb: %d\n", err);
}
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 142/169] can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 141/169] can: kvaser_usb: kvaser_usb_read_bulk_callback(): " Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 143/169] can: usb_8dev: usb_8dev_read_bulk_callback(): " Greg Kroah-Hartman
` (40 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit 710a7529fb13c5a470258ff5508ed3c498d54729 upstream.
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are
allocated, added to the priv->rx_submitted anchor and submitted. In the
complete callback mcba_usb_read_bulk_callback(), the URBs are processed and
resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by
calling usb_kill_anchored_urbs(&priv->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().
Fix the memory leak by anchoring the URB in the
mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor.
Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-4-4b8cb2915571@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/mcba_usb.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/net/can/usb/mcba_usb.c
+++ b/drivers/net/can/usb/mcba_usb.c
@@ -608,11 +608,17 @@ resubmit_urb:
urb->transfer_buffer, MCBA_USB_RX_BUFF_SIZE,
mcba_usb_read_bulk_callback, priv);
+ usb_anchor_urb(urb, &priv->rx_submitted);
+
retval = usb_submit_urb(urb, GFP_ATOMIC);
+ if (!retval)
+ return;
+
+ usb_unanchor_urb(urb);
if (retval == -ENODEV)
netif_device_detach(netdev);
- else if (retval)
+ else
netdev_err(netdev, "failed resubmitting read bulk urb: %d\n",
retval);
}
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 143/169] can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 142/169] can: mcba_usb: mcba_usb_read_bulk_callback(): " Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 144/169] drm/amdgpu: remove frame cntl for gfx v12 Greg Kroah-Hartman
` (39 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit f7a980b3b8f80fe367f679da376cf76e800f9480 upstream.
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are
allocated, added to the priv->rx_submitted anchor and submitted. In the
complete callback usb_8dev_read_bulk_callback(), the URBs are processed and
resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by
calling usb_kill_anchored_urbs(&priv->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().
Fix the memory leak by anchoring the URB in the
usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor.
Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-5-4b8cb2915571@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/usb_8dev.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/net/can/usb/usb_8dev.c
+++ b/drivers/net/can/usb/usb_8dev.c
@@ -541,11 +541,17 @@ resubmit_urb:
urb->transfer_buffer, RX_BUFFER_SIZE,
usb_8dev_read_bulk_callback, priv);
+ usb_anchor_urb(urb, &priv->rx_submitted);
+
retval = usb_submit_urb(urb, GFP_ATOMIC);
+ if (!retval)
+ return;
+
+ usb_unanchor_urb(urb);
if (retval == -ENODEV)
netif_device_detach(netdev);
- else if (retval)
+ else
netdev_err(netdev,
"failed resubmitting read bulk urb: %d\n", retval);
}
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 144/169] drm/amdgpu: remove frame cntl for gfx v12
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 143/169] can: usb_8dev: usb_8dev_read_bulk_callback(): " Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 145/169] gpio: cdev: Correct return code on memory allocation failure Greg Kroah-Hartman
` (38 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Likun Gao, Hawking Zhang,
Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Likun Gao <Likun.Gao@amd.com>
commit 10343253328e0dbdb465bff709a2619a08fe01ad upstream.
Remove emit_frame_cntl function for gfx v12, which is not support.
Signed-off-by: Likun Gao <Likun.Gao@amd.com>
Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 5aaa5058dec5bfdcb24c42fe17ad91565a3037ca)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 12 ------------
1 file changed, 12 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c
@@ -248,7 +248,6 @@ static void gfx_v12_0_select_se_sh(struc
u32 sh_num, u32 instance, int xcc_id);
static u32 gfx_v12_0_get_wgp_active_bitmap_per_sh(struct amdgpu_device *adev);
-static void gfx_v12_0_ring_emit_frame_cntl(struct amdgpu_ring *ring, bool start, bool secure);
static void gfx_v12_0_ring_emit_wreg(struct amdgpu_ring *ring, uint32_t reg,
uint32_t val);
static int gfx_v12_0_wait_for_rlc_autoload_complete(struct amdgpu_device *adev);
@@ -4556,16 +4555,6 @@ static int gfx_v12_0_ring_preempt_ib(str
return r;
}
-static void gfx_v12_0_ring_emit_frame_cntl(struct amdgpu_ring *ring,
- bool start,
- bool secure)
-{
- uint32_t v = secure ? FRAME_TMZ : 0;
-
- amdgpu_ring_write(ring, PACKET3(PACKET3_FRAME_CONTROL, 0));
- amdgpu_ring_write(ring, v | FRAME_CMD(start ? 0 : 1));
-}
-
static void gfx_v12_0_ring_emit_rreg(struct amdgpu_ring *ring, uint32_t reg,
uint32_t reg_val_offs)
{
@@ -5316,7 +5305,6 @@ static const struct amdgpu_ring_funcs gf
.emit_cntxcntl = gfx_v12_0_ring_emit_cntxcntl,
.init_cond_exec = gfx_v12_0_ring_emit_init_cond_exec,
.preempt_ib = gfx_v12_0_ring_preempt_ib,
- .emit_frame_cntl = gfx_v12_0_ring_emit_frame_cntl,
.emit_wreg = gfx_v12_0_ring_emit_wreg,
.emit_reg_wait = gfx_v12_0_ring_emit_reg_wait,
.emit_reg_write_reg_wait = gfx_v12_0_ring_emit_reg_write_reg_wait,
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 145/169] gpio: cdev: Correct return code on memory allocation failure
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 144/169] drm/amdgpu: remove frame cntl for gfx v12 Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 146/169] migrate: correct lock ordering for hugetlb file folios Greg Kroah-Hartman
` (37 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tzung-Bi Shih, Bartosz Golaszewski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tzung-Bi Shih <tzungbi@kernel.org>
commit faff6846474e99295a139997f93ef6db222b5cee upstream.
-ENOMEM is a more appropriate return code for memory allocation
failures. Correct it.
Cc: stable@vger.kernel.org
Fixes: 20bddcb40b2b ("gpiolib: cdev: replace locking wrappers for gpio_device with guards")
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Link: https://lore.kernel.org/r/20260116081036.352286-6-tzungbi@kernel.org
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib-cdev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -2767,7 +2767,7 @@ static int gpio_chrdev_open(struct inode
cdev = kzalloc(sizeof(*cdev), GFP_KERNEL);
if (!cdev)
- return -ENODEV;
+ return -ENOMEM;
cdev->watched_lines = bitmap_zalloc(gdev->ngpio, GFP_KERNEL);
if (!cdev->watched_lines)
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 146/169] migrate: correct lock ordering for hugetlb file folios
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 145/169] gpio: cdev: Correct return code on memory allocation failure Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 147/169] dmaengine: ti: k3-udma: Enable second resource range for BCDMA and PKTDMA Greg Kroah-Hartman
` (36 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
syzbot+2d9c96466c978346b55f, David Hildenbrand (Red Hat), Zi Yan,
Alistair Popple, Byungchul Park, Gregory Price, Jann Horn,
Joshua Hahn, Liam Howlett, Lorenzo Stoakes, Matthew Brost,
Rakie Kim, Rik van Riel, Vlastimil Babka, Ying Huang,
Andrew Morton, Lance Yang
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
commit b7880cb166ab62c2409046b2347261abf701530e upstream.
Syzbot has found a deadlock (analyzed by Lance Yang):
1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).
2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire
folio_lock.
migrate_pages()
-> migrate_hugetlbs()
-> unmap_and_move_huge_page() <- Takes folio_lock!
-> remove_migration_ptes()
-> __rmap_walk_file()
-> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)!
hugetlbfs_fallocate()
-> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)!
-> hugetlbfs_zero_partial_page()
-> filemap_lock_hugetlb_folio()
-> filemap_lock_folio()
-> __filemap_get_folio <- Waits for folio_lock!
The migration path is the one taking locks in the wrong order according to
the documentation at the top of mm/rmap.c. So expand the scope of the
existing i_mmap_lock to cover the calls to remove_migration_ptes() too.
This is (mostly) how it used to be after commit c0d0381ade79. That was
removed by 336bf30eb765 for both file & anon hugetlb pages when it should
only have been removed for anon hugetlb pages.
Link: https://lkml.kernel.org/r/20260109041345.3863089-2-willy@infradead.org
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Fixes: 336bf30eb765 ("hugetlbfs: fix anon huge page migration race")
Reported-by: syzbot+2d9c96466c978346b55f@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/68e9715a.050a0220.1186a4.000d.GAE@google.com
Debugged-by: Lance Yang <lance.yang@linux.dev>
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Acked-by: Zi Yan <ziy@nvidia.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Byungchul Park <byungchul@sk.com>
Cc: Gregory Price <gourry@gourry.net>
Cc: Jann Horn <jannh@google.com>
Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Rakie Kim <rakie.kim@sk.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Ying Huang <ying.huang@linux.alibaba.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/migrate.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -1439,6 +1439,7 @@ static int unmap_and_move_huge_page(new_
int page_was_mapped = 0;
struct anon_vma *anon_vma = NULL;
struct address_space *mapping = NULL;
+ enum ttu_flags ttu = 0;
if (folio_ref_count(src) == 1) {
/* page was freed from under us. So we are done. */
@@ -1479,8 +1480,6 @@ static int unmap_and_move_huge_page(new_
goto put_anon;
if (folio_mapped(src)) {
- enum ttu_flags ttu = 0;
-
if (!folio_test_anon(src)) {
/*
* In shared mappings, try_to_unmap could potentially
@@ -1497,9 +1496,6 @@ static int unmap_and_move_huge_page(new_
try_to_migrate(src, ttu);
page_was_mapped = 1;
-
- if (ttu & TTU_RMAP_LOCKED)
- i_mmap_unlock_write(mapping);
}
if (!folio_mapped(src))
@@ -1507,7 +1503,11 @@ static int unmap_and_move_huge_page(new_
if (page_was_mapped)
remove_migration_ptes(src,
- rc == MIGRATEPAGE_SUCCESS ? dst : src, 0);
+ rc == MIGRATEPAGE_SUCCESS ? dst : src,
+ ttu ? RMP_LOCKED : 0);
+
+ if (ttu & TTU_RMAP_LOCKED)
+ i_mmap_unlock_write(mapping);
unlock_put_anon:
folio_unlock(dst);
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 147/169] dmaengine: ti: k3-udma: Enable second resource range for BCDMA and PKTDMA
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 146/169] migrate: correct lock ordering for hugetlb file folios Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 148/169] can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak Greg Kroah-Hartman
` (35 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siddharth Vadapalli, Peter Ujfalusi,
Vinod Koul, Sai Sree Kartheek Adivi
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siddharth Vadapalli <s-vadapalli@ti.com>
commit 566beb347eded7a860511164a7a163bc882dc4d0 upstream.
The SoC DMA resources for UDMA, BCDMA and PKTDMA can be described via a
combination of up to two resource ranges. The first resource range handles
the default partitioning wherein all resources belonging to that range are
allocated to a single entity and form a continuous range. For use-cases
where the resources are shared across multiple entities and require to be
described via discontinuous ranges, a second resource range is required.
Currently, udma_setup_resources() supports handling resources that belong
to the second range. Extend bcdma_setup_resources() and
pktdma_setup_resources() to support the same.
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Acked-by: Peter Ujfalusi <peter.ujfalusi@gmail.com>
Link: https://lore.kernel.org/r/20250205121805.316792-1-s-vadapalli@ti.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Tested-by: Sai Sree Kartheek Adivi <s-adivi@ti.com>
Signed-off-by: Sai Sree Kartheek Adivi <s-adivi@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/ti/k3-udma.c | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
--- a/drivers/dma/ti/k3-udma.c
+++ b/drivers/dma/ti/k3-udma.c
@@ -4876,6 +4876,12 @@ static int bcdma_setup_resources(struct
irq_res.desc[i].start = rm_res->desc[i].start +
oes->bcdma_bchan_ring;
irq_res.desc[i].num = rm_res->desc[i].num;
+
+ if (rm_res->desc[i].num_sec) {
+ irq_res.desc[i].start_sec = rm_res->desc[i].start_sec +
+ oes->bcdma_bchan_ring;
+ irq_res.desc[i].num_sec = rm_res->desc[i].num_sec;
+ }
}
}
} else {
@@ -4899,6 +4905,15 @@ static int bcdma_setup_resources(struct
irq_res.desc[i + 1].start = rm_res->desc[j].start +
oes->bcdma_tchan_ring;
irq_res.desc[i + 1].num = rm_res->desc[j].num;
+
+ if (rm_res->desc[j].num_sec) {
+ irq_res.desc[i].start_sec = rm_res->desc[j].start_sec +
+ oes->bcdma_tchan_data;
+ irq_res.desc[i].num_sec = rm_res->desc[j].num_sec;
+ irq_res.desc[i + 1].start_sec = rm_res->desc[j].start_sec +
+ oes->bcdma_tchan_ring;
+ irq_res.desc[i + 1].num_sec = rm_res->desc[j].num_sec;
+ }
}
}
}
@@ -4919,6 +4934,15 @@ static int bcdma_setup_resources(struct
irq_res.desc[i + 1].start = rm_res->desc[j].start +
oes->bcdma_rchan_ring;
irq_res.desc[i + 1].num = rm_res->desc[j].num;
+
+ if (rm_res->desc[j].num_sec) {
+ irq_res.desc[i].start_sec = rm_res->desc[j].start_sec +
+ oes->bcdma_rchan_data;
+ irq_res.desc[i].num_sec = rm_res->desc[j].num_sec;
+ irq_res.desc[i + 1].start_sec = rm_res->desc[j].start_sec +
+ oes->bcdma_rchan_ring;
+ irq_res.desc[i + 1].num_sec = rm_res->desc[j].num_sec;
+ }
}
}
}
@@ -5053,6 +5077,12 @@ static int pktdma_setup_resources(struct
irq_res.desc[i].start = rm_res->desc[i].start +
oes->pktdma_tchan_flow;
irq_res.desc[i].num = rm_res->desc[i].num;
+
+ if (rm_res->desc[i].num_sec) {
+ irq_res.desc[i].start_sec = rm_res->desc[i].start_sec +
+ oes->pktdma_tchan_flow;
+ irq_res.desc[i].num_sec = rm_res->desc[i].num_sec;
+ }
}
}
rm_res = tisci_rm->rm_ranges[RM_RANGE_RFLOW];
@@ -5064,6 +5094,12 @@ static int pktdma_setup_resources(struct
irq_res.desc[i].start = rm_res->desc[j].start +
oes->pktdma_rchan_flow;
irq_res.desc[i].num = rm_res->desc[j].num;
+
+ if (rm_res->desc[j].num_sec) {
+ irq_res.desc[i].start_sec = rm_res->desc[j].start_sec +
+ oes->pktdma_rchan_flow;
+ irq_res.desc[i].num_sec = rm_res->desc[j].num_sec;
+ }
}
}
ret = ti_sci_inta_msi_domain_alloc_irqs(ud->dev, &irq_res);
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 148/169] can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 147/169] dmaengine: ti: k3-udma: Enable second resource range for BCDMA and PKTDMA Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 149/169] selftests/bpf: Check for timeout in perf_link test Greg Kroah-Hartman
` (34 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit 5a4391bdc6c8357242f62f22069c865b792406b3 upstream.
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In esd_usb_open(), the URBs for USB-in transfers are allocated, added to
the dev->rx_submitted anchor and submitted. In the complete callback
esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
esd_usb_close() the URBs are freed by calling
usb_kill_anchored_urbs(&dev->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in esd_usb_close().
Fix the memory leak by anchoring the URB in the
esd_usb_read_bulk_callback() to the dev->rx_submitted anchor.
Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-2-4b8cb2915571@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/esd_usb.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/net/can/usb/esd_usb.c
+++ b/drivers/net/can/usb/esd_usb.c
@@ -539,13 +539,20 @@ resubmit_urb:
urb->transfer_buffer, ESD_USB_RX_BUFFER_SIZE,
esd_usb_read_bulk_callback, dev);
+ usb_anchor_urb(urb, &dev->rx_submitted);
+
retval = usb_submit_urb(urb, GFP_ATOMIC);
+ if (!retval)
+ return;
+
+ usb_unanchor_urb(urb);
+
if (retval == -ENODEV) {
for (i = 0; i < dev->net_count; i++) {
if (dev->nets[i])
netif_device_detach(dev->nets[i]->netdev);
}
- } else if (retval) {
+ } else {
dev_err(dev->udev->dev.parent,
"failed resubmitting read bulk urb: %d\n", retval);
}
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 149/169] selftests/bpf: Check for timeout in perf_link test
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 148/169] can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 150/169] bpf: Do not let BPF test infra emit invalid GSO types to stack Greg Kroah-Hartman
` (33 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ihor Solodrai, Andrii Nakryiko,
Shung-Hsi Yu
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ihor Solodrai <ihor.solodrai@pm.me>
commit e6c209da7e0e9aaf955a7b59e91ed78c2b6c96fb upstream.
Recently perf_link test started unreliably failing on libbpf CI:
* https://github.com/libbpf/libbpf/actions/runs/11260672407/job/31312405473
* https://github.com/libbpf/libbpf/actions/runs/11260992334/job/31315514626
* https://github.com/libbpf/libbpf/actions/runs/11263162459/job/31320458251
Part of the test is running a dummy loop for a while and then checking
for a counter incremented by the test program.
Instead of waiting for an arbitrary number of loop iterations once,
check for the test counter in a loop and use get_time_ns() helper to
enforce a 100ms timeout.
v1: https://lore.kernel.org/bpf/zuRd072x9tumn2iN4wDNs5av0nu5nekMNV4PkR-YwCT10eFFTrUtZBRkLWFbrcCe7guvLStGQlhibo8qWojCO7i2-NGajes5GYIyynexD-w=@pm.me/
Signed-off-by: Ihor Solodrai <ihor.solodrai@pm.me>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20241011153104.249800-1-ihor.solodrai@pm.me
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/bpf/prog_tests/perf_link.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/tools/testing/selftests/bpf/prog_tests/perf_link.c
+++ b/tools/testing/selftests/bpf/prog_tests/perf_link.c
@@ -4,8 +4,12 @@
#include <pthread.h>
#include <sched.h>
#include <test_progs.h>
+#include "testing_helpers.h"
#include "test_perf_link.skel.h"
+#define BURN_TIMEOUT_MS 100
+#define BURN_TIMEOUT_NS BURN_TIMEOUT_MS * 1000000
+
static void burn_cpu(void)
{
volatile int j = 0;
@@ -32,6 +36,7 @@ void serial_test_perf_link(void)
int run_cnt_before, run_cnt_after;
struct bpf_link_info info;
__u32 info_len = sizeof(info);
+ __u64 timeout_time_ns;
/* create perf event */
memset(&attr, 0, sizeof(attr));
@@ -63,8 +68,14 @@ void serial_test_perf_link(void)
ASSERT_GT(info.prog_id, 0, "link_prog_id");
/* ensure we get at least one perf_event prog execution */
- burn_cpu();
- ASSERT_GT(skel->bss->run_cnt, 0, "run_cnt");
+ timeout_time_ns = get_time_ns() + BURN_TIMEOUT_NS;
+ while (true) {
+ burn_cpu();
+ if (skel->bss->run_cnt > 0)
+ break;
+ if (!ASSERT_LT(get_time_ns(), timeout_time_ns, "run_cnt_timeout"))
+ break;
+ }
/* perf_event is still active, but we close link and BPF program
* shouldn't be executed anymore
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 150/169] bpf: Do not let BPF test infra emit invalid GSO types to stack
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 149/169] selftests/bpf: Check for timeout in perf_link test Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 151/169] arm64: dts: rockchip: remove redundant max-link-speed from nanopi-r4s Greg Kroah-Hartman
` (32 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yinhao Hu, Kaiyan Mei, Dongliang Mu,
Daniel Borkmann, Martin KaFai Lau, Shung-Hsi Yu
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
commit 04a899573fb87273a656f178b5f920c505f68875 upstream.
Yinhao et al. reported that their fuzzer tool was able to trigger a
skb_warn_bad_offload() from netif_skb_features() -> gso_features_check().
When a BPF program - triggered via BPF test infra - pushes the packet
to the loopback device via bpf_clone_redirect() then mentioned offload
warning can be seen. GSO-related features are then rightfully disabled.
We get into this situation due to convert___skb_to_skb() setting
gso_segs and gso_size but not gso_type. Technically, it makes sense
that this warning triggers since the GSO properties are malformed due
to the gso_type. Potentially, the gso_type could be marked non-trustworthy
through setting it at least to SKB_GSO_DODGY without any other specific
assumptions, but that also feels wrong given we should not go further
into the GSO engine in the first place.
The checks were added in 121d57af308d ("gso: validate gso_type in GSO
handlers") because there were malicious (syzbot) senders that combine
a protocol with a non-matching gso_type. If we would want to drop such
packets, gso_features_check() currently only returns feature flags via
netif_skb_features(), so one location for potentially dropping such skbs
could be validate_xmit_unreadable_skb(), but then otoh it would be
an additional check in the fast-path for a very corner case. Given
bpf_clone_redirect() is the only place where BPF test infra could emit
such packets, lets reject them right there.
Fixes: 850a88cc4096 ("bpf: Expose __sk_buff wire_len/gso_segs to BPF_PROG_TEST_RUN")
Fixes: cf62089b0edd ("bpf: Add gso_size to __sk_buff")
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Reported-by: Dongliang Mu <dzm91@hust.edu.cn>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://patch.msgid.link/20251020075441.127980-1-daniel@iogearbox.net
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bpf/test_run.c | 5 +++++
net/core/filter.c | 7 +++++++
2 files changed, 12 insertions(+)
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -944,6 +944,11 @@ static int convert___skb_to_skb(struct s
if (__skb->gso_segs > GSO_MAX_SEGS)
return -EINVAL;
+
+ /* Currently GSO type is zero/unset. If this gets extended with
+ * a small list of accepted GSO types in future, the filter for
+ * an unset GSO type in bpf_clone_redirect() can be lifted.
+ */
skb_shinfo(skb)->gso_segs = __skb->gso_segs;
skb_shinfo(skb)->gso_size = __skb->gso_size;
skb_shinfo(skb)->hwtstamps.hwtstamp = __skb->hwtstamp;
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2466,6 +2466,13 @@ BPF_CALL_3(bpf_clone_redirect, struct sk
if (unlikely(flags & (~(BPF_F_INGRESS) | BPF_F_REDIRECT_INTERNAL)))
return -EINVAL;
+ /* BPF test infra's convert___skb_to_skb() can create type-less
+ * GSO packets. gso_features_check() will detect this as a bad
+ * offload. However, lets not leak them out in the first place.
+ */
+ if (unlikely(skb_is_gso(skb) && !skb_shinfo(skb)->gso_type))
+ return -EBADMSG;
+
dev = dev_get_by_index_rcu(dev_net(skb->dev), ifindex);
if (unlikely(!dev))
return -EINVAL;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 151/169] arm64: dts: rockchip: remove redundant max-link-speed from nanopi-r4s
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 150/169] bpf: Do not let BPF test infra emit invalid GSO types to stack Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 152/169] iio: core: add missing mutex_destroy in iio_dev_release() Greg Kroah-Hartman
` (31 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dragan Simic, Geraldo Nascimento,
Shawn Lin, Heiko Stuebner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geraldo Nascimento <geraldogabriel@gmail.com>
[ Upstream commit ce652c98a7bfa0b7c675ef5cd85c44c186db96af ]
This is already the default in rk3399-base.dtsi, remove redundant
declaration from rk3399-nanopi-r4s.dtsi.
Fixes: db792e9adbf8 ("rockchip: rk3399: Add support for FriendlyARM NanoPi R4S")
Cc: stable@vger.kernel.org
Reported-by: Dragan Simic <dsimic@manjaro.org>
Reviewed-by: Dragan Simic <dsimic@manjaro.org>
Signed-off-by: Geraldo Nascimento <geraldogabriel@gmail.com>
Acked-by: Shawn Lin <shawn.lin@rock-chips.com>
Link: https://patch.msgid.link/6694456a735844177c897581f785cc00c064c7d1.1763415706.git.geraldogabriel@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
[ adapted file path from rk3399-nanopi-r4s.dtsi to rk3399-nanopi-r4s.dts ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts | 1 -
1 file changed, 1 deletion(-)
--- a/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts
@@ -73,7 +73,6 @@
};
&pcie0 {
- max-link-speed = <1>;
num-lanes = <1>;
vpcie3v3-supply = <&vcc3v3_sys>;
};
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 152/169] iio: core: add missing mutex_destroy in iio_dev_release()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 151/169] arm64: dts: rockchip: remove redundant max-link-speed from nanopi-r4s Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 153/169] iio: core: Replace lockdep_set_class() + mutex_init() by combined call Greg Kroah-Hartman
` (30 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Nuno Sá,
Jonathan Cameron, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit f5d203467a31798191365efeb16cd619d2c8f23a ]
Add missing mutex_destroy() call in iio_dev_release() to properly
clean up the mutex initialized in iio_device_alloc(). Ensure proper
resource cleanup and follows kernel practices.
Found by code review.
While at it, create a lockdep key before mutex initialisation.
This will help with converting it to the better API in the future.
Fixes: 847ec80bbaa7 ("Staging: IIO: core support for device registration and management")
Fixes: ac917a81117c ("staging:iio:core set the iio_dev.info pointer to null on unregister under lock.")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 9910159f0659 ("iio: core: add separate lockdep class for info_exist_lock")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-core.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -1628,6 +1628,9 @@ static void iio_dev_release(struct devic
iio_device_detach_buffers(indio_dev);
+ mutex_destroy(&iio_dev_opaque->info_exist_lock);
+ mutex_destroy(&iio_dev_opaque->mlock);
+
lockdep_unregister_key(&iio_dev_opaque->mlock_key);
ida_free(&iio_ida, iio_dev_opaque->id);
@@ -1672,8 +1675,7 @@ struct iio_dev *iio_device_alloc(struct
indio_dev->dev.type = &iio_device_type;
indio_dev->dev.bus = &iio_bus_type;
device_initialize(&indio_dev->dev);
- mutex_init(&iio_dev_opaque->mlock);
- mutex_init(&iio_dev_opaque->info_exist_lock);
+
INIT_LIST_HEAD(&iio_dev_opaque->channel_attr_list);
iio_dev_opaque->id = ida_alloc(&iio_ida, GFP_KERNEL);
@@ -1696,6 +1698,9 @@ struct iio_dev *iio_device_alloc(struct
lockdep_register_key(&iio_dev_opaque->mlock_key);
lockdep_set_class(&iio_dev_opaque->mlock, &iio_dev_opaque->mlock_key);
+ mutex_init(&iio_dev_opaque->mlock);
+ mutex_init(&iio_dev_opaque->info_exist_lock);
+
return indio_dev;
}
EXPORT_SYMBOL(iio_device_alloc);
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 153/169] iio: core: Replace lockdep_set_class() + mutex_init() by combined call
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 152/169] iio: core: add missing mutex_destroy in iio_dev_release() Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 154/169] iio: core: add separate lockdep class for info_exist_lock Greg Kroah-Hartman
` (29 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Nuno Sá,
Jonathan Cameron, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit c76ba4b2644424b8dbacee80bb40991eac29d39e ]
Replace lockdep_set_class() + mutex_init() by combined call
mutex_init_with_key().
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 9910159f0659 ("iio: core: add separate lockdep class for info_exist_lock")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -1696,9 +1696,8 @@ struct iio_dev *iio_device_alloc(struct
INIT_LIST_HEAD(&iio_dev_opaque->ioctl_handlers);
lockdep_register_key(&iio_dev_opaque->mlock_key);
- lockdep_set_class(&iio_dev_opaque->mlock, &iio_dev_opaque->mlock_key);
- mutex_init(&iio_dev_opaque->mlock);
+ mutex_init_with_key(&iio_dev_opaque->mlock, &iio_dev_opaque->mlock_key);
mutex_init(&iio_dev_opaque->info_exist_lock);
return indio_dev;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 154/169] iio: core: add separate lockdep class for info_exist_lock
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 153/169] iio: core: Replace lockdep_set_class() + mutex_init() by combined call Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 155/169] iio: adc: exynos_adc: fix OF populate on driver rebind Greg Kroah-Hartman
` (28 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rasmus Villemoes, Peter Rosin,
Jonathan Cameron, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rasmus Villemoes <ravi@prevas.dk>
[ Upstream commit 9910159f06590c17df4fbddedaabb4c0201cc4cb ]
When one iio device is a consumer of another, it is possible that
the ->info_exist_lock of both ends up being taken when reading the
value of the consumer device.
Since they currently belong to the same lockdep class (being
initialized in a single location with mutex_init()), that results in a
lockdep warning
CPU0
----
lock(&iio_dev_opaque->info_exist_lock);
lock(&iio_dev_opaque->info_exist_lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
4 locks held by sensors/414:
#0: c31fd6dc (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0x44/0x4e4
#1: c4f5a1c4 (&of->mutex){+.+.}-{3:3}, at: kernfs_seq_start+0x1c/0xac
#2: c2827548 (kn->active#34){.+.+}-{0:0}, at: kernfs_seq_start+0x30/0xac
#3: c1dd2b68 (&iio_dev_opaque->info_exist_lock){+.+.}-{3:3}, at: iio_read_channel_processed_scale+0x24/0xd8
stack backtrace:
CPU: 0 UID: 0 PID: 414 Comm: sensors Not tainted 6.17.11 #5 NONE
Hardware name: Generic AM33XX (Flattened Device Tree)
Call trace:
unwind_backtrace from show_stack+0x10/0x14
show_stack from dump_stack_lvl+0x44/0x60
dump_stack_lvl from print_deadlock_bug+0x2b8/0x334
print_deadlock_bug from __lock_acquire+0x13a4/0x2ab0
__lock_acquire from lock_acquire+0xd0/0x2c0
lock_acquire from __mutex_lock+0xa0/0xe8c
__mutex_lock from mutex_lock_nested+0x1c/0x24
mutex_lock_nested from iio_read_channel_raw+0x20/0x6c
iio_read_channel_raw from rescale_read_raw+0x128/0x1c4
rescale_read_raw from iio_channel_read+0xe4/0xf4
iio_channel_read from iio_read_channel_processed_scale+0x6c/0xd8
iio_read_channel_processed_scale from iio_hwmon_read_val+0x68/0xbc
iio_hwmon_read_val from dev_attr_show+0x18/0x48
dev_attr_show from sysfs_kf_seq_show+0x80/0x110
sysfs_kf_seq_show from seq_read_iter+0xdc/0x4e4
seq_read_iter from vfs_read+0x238/0x2e4
vfs_read from ksys_read+0x6c/0xec
ksys_read from ret_fast_syscall+0x0/0x1c
Just as the mlock_key already has its own lockdep class, add a
lock_class_key for the info_exist mutex.
Note that this has in theory been a problem since before IIO first
left staging, but it only occurs when a chain of consumers is in use
and that is not often done.
Fixes: ac917a81117c ("staging:iio:core set the iio_dev.info pointer to null on unregister under lock.")
Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
Reviewed-by: Peter Rosin <peda@axentia.se>
Cc: <stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-core.c | 4 +++-
include/linux/iio/iio-opaque.h | 2 ++
2 files changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -1631,6 +1631,7 @@ static void iio_dev_release(struct devic
mutex_destroy(&iio_dev_opaque->info_exist_lock);
mutex_destroy(&iio_dev_opaque->mlock);
+ lockdep_unregister_key(&iio_dev_opaque->info_exist_key);
lockdep_unregister_key(&iio_dev_opaque->mlock_key);
ida_free(&iio_ida, iio_dev_opaque->id);
@@ -1696,9 +1697,10 @@ struct iio_dev *iio_device_alloc(struct
INIT_LIST_HEAD(&iio_dev_opaque->ioctl_handlers);
lockdep_register_key(&iio_dev_opaque->mlock_key);
+ lockdep_register_key(&iio_dev_opaque->info_exist_key);
mutex_init_with_key(&iio_dev_opaque->mlock, &iio_dev_opaque->mlock_key);
- mutex_init(&iio_dev_opaque->info_exist_lock);
+ mutex_init_with_key(&iio_dev_opaque->info_exist_lock, &iio_dev_opaque->info_exist_key);
return indio_dev;
}
--- a/include/linux/iio/iio-opaque.h
+++ b/include/linux/iio/iio-opaque.h
@@ -14,6 +14,7 @@
* @mlock: lock used to prevent simultaneous device state changes
* @mlock_key: lockdep class for iio_dev lock
* @info_exist_lock: lock to prevent use during removal
+ * @info_exist_key: lockdep class for info_exist lock
* @trig_readonly: mark the current trigger immutable
* @event_interface: event chrdevs associated with interrupt lines
* @attached_buffers: array of buffers statically attached by the driver
@@ -47,6 +48,7 @@ struct iio_dev_opaque {
struct mutex mlock;
struct lock_class_key mlock_key;
struct mutex info_exist_lock;
+ struct lock_class_key info_exist_key;
bool trig_readonly;
struct iio_event_interface *event_interface;
struct iio_buffer **attached_buffers;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 155/169] iio: adc: exynos_adc: fix OF populate on driver rebind
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 154/169] iio: core: add separate lockdep class for info_exist_lock Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:23 ` [PATCH 6.12 156/169] exfat: fix refcount leak in exfat_find Greg Kroah-Hartman
` (27 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Krzysztof Kozlowski,
Jonathan Cameron, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit ea6b4feba85e996e840e0b661bc42793df6eb701 ]
Since commit c6e126de43e7 ("of: Keep track of populated platform
devices") child devices will not be created by of_platform_populate()
if the devices had previously been deregistered individually so that the
OF_POPULATED flag is still set in the corresponding OF nodes.
Switch to using of_platform_depopulate() instead of open coding so that
the child devices are created if the driver is rebound.
Fixes: c6e126de43e7 ("of: Keep track of populated platform devices")
Cc: stable@vger.kernel.org # 3.16
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/exynos_adc.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
--- a/drivers/iio/adc/exynos_adc.c
+++ b/drivers/iio/adc/exynos_adc.c
@@ -721,14 +721,7 @@ static const struct iio_chan_spec exynos
ADC_CHANNEL(9, "adc9"),
};
-static int exynos_adc_remove_devices(struct device *dev, void *c)
-{
- struct platform_device *pdev = to_platform_device(dev);
-
- platform_device_unregister(pdev);
- return 0;
-}
static int exynos_adc_ts_open(struct input_dev *dev)
{
@@ -929,8 +922,7 @@ static int exynos_adc_probe(struct platf
return 0;
err_of_populate:
- device_for_each_child(&indio_dev->dev, NULL,
- exynos_adc_remove_devices);
+ of_platform_depopulate(&indio_dev->dev);
if (has_ts) {
input_unregister_device(info->input);
free_irq(info->tsirq, info);
@@ -959,8 +951,7 @@ static void exynos_adc_remove(struct pla
free_irq(info->tsirq, info);
input_unregister_device(info->input);
}
- device_for_each_child(&indio_dev->dev, NULL,
- exynos_adc_remove_devices);
+ of_platform_depopulate(&indio_dev->dev);
iio_device_unregister(indio_dev);
free_irq(info->irq, info);
if (info->data->exit_hw)
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 156/169] exfat: fix refcount leak in exfat_find
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 155/169] iio: adc: exynos_adc: fix OF populate on driver rebind Greg Kroah-Hartman
@ 2026-01-28 15:23 ` Greg Kroah-Hartman
2026-01-28 15:24 ` [PATCH 6.12 157/169] sched_ext: Fix possible deadlock in the deferred_irq_workfn() Greg Kroah-Hartman
` (26 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuhao Fu, Yuezhang Mo, Namjae Jeon,
Li hongliang
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuhao Fu <sfual@cse.ust.hk>
[ Upstream commit 9aee8de970f18c2aaaa348e3de86c38e2d956c1d ]
Fix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`.
Function `exfat_get_dentry_set` would increase the reference counter of
`es->bh` on success. Therefore, `exfat_put_dentry_set` must be called
after `exfat_get_dentry_set` to ensure refcount consistency. This patch
relocate two checks to avoid possible leaks.
Fixes: 82ebecdc74ff ("exfat: fix improper check of dentry.stream.valid_size")
Fixes: 13940cef9549 ("exfat: add a check for invalid data size")
Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
Reviewed-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/exfat/namei.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
--- a/fs/exfat/namei.c
+++ b/fs/exfat/namei.c
@@ -638,16 +638,6 @@ static int exfat_find(struct inode *dir,
info->valid_size = le64_to_cpu(ep2->dentry.stream.valid_size);
info->size = le64_to_cpu(ep2->dentry.stream.size);
- if (info->valid_size < 0) {
- exfat_fs_error(sb, "data valid size is invalid(%lld)", info->valid_size);
- return -EIO;
- }
-
- if (unlikely(EXFAT_B_TO_CLU_ROUND_UP(info->size, sbi) > sbi->used_clusters)) {
- exfat_fs_error(sb, "data size is invalid(%lld)", info->size);
- return -EIO;
- }
-
info->start_clu = le32_to_cpu(ep2->dentry.stream.start_clu);
if (!is_valid_cluster(sbi, info->start_clu) && info->size) {
exfat_warn(sb, "start_clu is invalid cluster(0x%x)",
@@ -685,6 +675,16 @@ static int exfat_find(struct inode *dir,
0);
exfat_put_dentry_set(&es, false);
+ if (info->valid_size < 0) {
+ exfat_fs_error(sb, "data valid size is invalid(%lld)", info->valid_size);
+ return -EIO;
+ }
+
+ if (unlikely(EXFAT_B_TO_CLU_ROUND_UP(info->size, sbi) > sbi->used_clusters)) {
+ exfat_fs_error(sb, "data size is invalid(%lld)", info->size);
+ return -EIO;
+ }
+
if (ei->start_clu == EXFAT_FREE_CLUSTER) {
exfat_fs_error(sb,
"non-zero size file starts with zero cluster (size : %llu, p_dir : %u, entry : 0x%08x)",
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 157/169] sched_ext: Fix possible deadlock in the deferred_irq_workfn()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-01-28 15:23 ` [PATCH 6.12 156/169] exfat: fix refcount leak in exfat_find Greg Kroah-Hartman
@ 2026-01-28 15:24 ` Greg Kroah-Hartman
2026-01-28 15:24 ` [PATCH 6.12 158/169] fs/ntfs3: Initialize allocated memory before use Greg Kroah-Hartman
` (25 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zqiang, Tejun Heo, Chen Yu
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zqiang <qiang.zhang@linux.dev>
[ Upstream commit a257e974210320ede524f340ffe16bf4bf0dda1e ]
For PREEMPT_RT=y kernels, the deferred_irq_workfn() is executed in
the per-cpu irq_work/* task context and not disable-irq, if the rq
returned by container_of() is current CPU's rq, the following scenarios
may occur:
lock(&rq->__lock);
<Interrupt>
lock(&rq->__lock);
This commit use IRQ_WORK_INIT_HARD() to replace init_irq_work() to
initialize rq->scx.deferred_irq_work, make the deferred_irq_workfn()
is always invoked in hard-irq context.
Signed-off-by: Zqiang <qiang.zhang@linux.dev>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Chen Yu <xnguchen@sina.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -6044,7 +6044,7 @@ void __init init_sched_ext_class(void)
BUG_ON(!zalloc_cpumask_var(&rq->scx.cpus_to_kick_if_idle, GFP_KERNEL));
BUG_ON(!zalloc_cpumask_var(&rq->scx.cpus_to_preempt, GFP_KERNEL));
BUG_ON(!zalloc_cpumask_var(&rq->scx.cpus_to_wait, GFP_KERNEL));
- init_irq_work(&rq->scx.deferred_irq_work, deferred_irq_workfn);
+ rq->scx.deferred_irq_work = IRQ_WORK_INIT_HARD(deferred_irq_workfn);
init_irq_work(&rq->scx.kick_cpus_irq_work, kick_cpus_irq_workfn);
if (cpu_online(cpu))
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 158/169] fs/ntfs3: Initialize allocated memory before use
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-01-28 15:24 ` [PATCH 6.12 157/169] sched_ext: Fix possible deadlock in the deferred_irq_workfn() Greg Kroah-Hartman
@ 2026-01-28 15:24 ` Greg Kroah-Hartman
2026-01-28 15:24 ` [PATCH 6.12 159/169] accel/ivpu: Fix race condition when unbinding BOs Greg Kroah-Hartman
` (24 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+332bd4e9d148f11a87dc,
syzbot+0399100e525dd9696764, Khalid Aziz, Bartlomiej Kubik,
Konstantin Komarov, Li hongliang
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartlomiej Kubik <kubik.bartlomiej@gmail.com>
[ Upstream commit a8a3ca23bbd9d849308a7921a049330dc6c91398 ]
KMSAN reports: Multiple uninitialized values detected:
- KMSAN: uninit-value in ntfs_read_hdr (3)
- KMSAN: uninit-value in bcmp (3)
Memory is allocated by __getname(), which is a wrapper for
kmem_cache_alloc(). This memory is used before being properly
cleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to
properly allocate and clear memory before use.
Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
Fixes: 78ab59fee07f ("fs/ntfs3: Rework file operations")
Tested-by: syzbot+332bd4e9d148f11a87dc@syzkaller.appspotmail.com
Reported-by: syzbot+332bd4e9d148f11a87dc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=332bd4e9d148f11a87dc
Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
Fixes: 78ab59fee07f ("fs/ntfs3: Rework file operations")
Tested-by: syzbot+0399100e525dd9696764@syzkaller.appspotmail.com
Reported-by: syzbot+0399100e525dd9696764@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0399100e525dd9696764
Reviewed-by: Khalid Aziz <khalid@kernel.org>
Signed-off-by: Bartlomiej Kubik <kubik.bartlomiej@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/inode.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -1301,7 +1301,7 @@ int ntfs_create_inode(struct mnt_idmap *
fa |= FILE_ATTRIBUTE_READONLY;
/* Allocate PATH_MAX bytes. */
- new_de = __getname();
+ new_de = kmem_cache_zalloc(names_cachep, GFP_KERNEL);
if (!new_de) {
err = -ENOMEM;
goto out1;
@@ -1734,10 +1734,9 @@ int ntfs_link_inode(struct inode *inode,
struct NTFS_DE *de;
/* Allocate PATH_MAX bytes. */
- de = __getname();
+ de = kmem_cache_zalloc(names_cachep, GFP_KERNEL);
if (!de)
return -ENOMEM;
- memset(de, 0, PATH_MAX);
/* Mark rw ntfs as dirty. It will be cleared at umount. */
ntfs_set_state(sbi, NTFS_DIRTY_DIRTY);
@@ -1773,7 +1772,7 @@ int ntfs_unlink_inode(struct inode *dir,
return -EINVAL;
/* Allocate PATH_MAX bytes. */
- de = __getname();
+ de = kmem_cache_zalloc(names_cachep, GFP_KERNEL);
if (!de)
return -ENOMEM;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 159/169] accel/ivpu: Fix race condition when unbinding BOs
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-01-28 15:24 ` [PATCH 6.12 158/169] fs/ntfs3: Initialize allocated memory before use Greg Kroah-Hartman
@ 2026-01-28 15:24 ` Greg Kroah-Hartman
2026-01-28 15:24 ` [PATCH 6.12 160/169] btrfs: fix racy bitfield write in btrfs_clear_space_info_full() Greg Kroah-Hartman
` (23 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Rusinowicz, Jeff Hugo,
Karol Wachowski, Rahul Sharma
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Rusinowicz <tomasz.rusinowicz@intel.com>
[ Upstream commit 00812636df370bedf4e44a0c81b86ea96bca8628 ]
Fix 'Memory manager not clean during takedown' warning that occurs
when ivpu_gem_bo_free() removes the BO from the BOs list before it
gets unmapped. Then file_priv_unbind() triggers a warning in
drm_mm_takedown() during context teardown.
Protect the unmapping sequence with bo_list_lock to ensure the BO is
always fully unmapped when removed from the list. This ensures the BO
is either fully unmapped at context teardown time or present on the
list and unmapped by file_priv_unbind().
Fixes: 48aea7f2a2ef ("accel/ivpu: Fix locking in ivpu_bo_remove_all_bos_from_context()")
Signed-off-by: Tomasz Rusinowicz <tomasz.rusinowicz@intel.com>
Reviewed-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Link: https://patch.msgid.link/20251029071451.184243-1-karol.wachowski@linux.intel.com
[ The context change is due to the commit e0c0891cd63b
("accel/ivpu: Rework bind/unbind of imported buffers")
and the proper adoption is done. ]
Signed-off-by: Rahul Sharma <black.hawk@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/accel/ivpu/ivpu_gem.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/accel/ivpu/ivpu_gem.c
+++ b/drivers/accel/ivpu/ivpu_gem.c
@@ -240,7 +240,6 @@ static void ivpu_gem_bo_free(struct drm_
mutex_lock(&vdev->bo_list_lock);
list_del(&bo->bo_list_node);
- mutex_unlock(&vdev->bo_list_lock);
drm_WARN_ON(&vdev->drm, !drm_gem_is_imported(&bo->base.base) &&
!dma_resv_test_signaled(obj->resv, DMA_RESV_USAGE_READ));
@@ -248,6 +247,8 @@ static void ivpu_gem_bo_free(struct drm_
drm_WARN_ON(&vdev->drm, bo->base.vaddr);
ivpu_bo_unbind_locked(bo);
+ mutex_unlock(&vdev->bo_list_lock);
+
drm_WARN_ON(&vdev->drm, bo->mmu_mapped);
drm_WARN_ON(&vdev->drm, bo->ctx);
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 160/169] btrfs: fix racy bitfield write in btrfs_clear_space_info_full()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-01-28 15:24 ` [PATCH 6.12 159/169] accel/ivpu: Fix race condition when unbinding BOs Greg Kroah-Hartman
@ 2026-01-28 15:24 ` Greg Kroah-Hartman
2026-01-28 15:24 ` [PATCH 6.12 161/169] wifi: ath11k: fix RCU stall while reaping monitor destination ring Greg Kroah-Hartman
` (22 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Boris Burkov,
David Sterba, Rahul Sharma
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boris Burkov <boris@bur.io>
[ Upstream commit 38e818718c5e04961eea0fa8feff3f100ce40408 ]
>From the memory-barriers.txt document regarding memory barrier ordering
guarantees:
(*) These guarantees do not apply to bitfields, because compilers often
generate code to modify these using non-atomic read-modify-write
sequences. Do not attempt to use bitfields to synchronize parallel
algorithms.
(*) Even in cases where bitfields are protected by locks, all fields
in a given bitfield must be protected by one lock. If two fields
in a given bitfield are protected by different locks, the compiler's
non-atomic read-modify-write sequences can cause an update to one
field to corrupt the value of an adjacent field.
btrfs_space_info has a bitfield sharing an underlying word consisting of
the fields full, chunk_alloc, and flush:
struct btrfs_space_info {
struct btrfs_fs_info * fs_info; /* 0 8 */
struct btrfs_space_info * parent; /* 8 8 */
...
int clamp; /* 172 4 */
unsigned int full:1; /* 176: 0 4 */
unsigned int chunk_alloc:1; /* 176: 1 4 */
unsigned int flush:1; /* 176: 2 4 */
...
Therefore, to be safe from parallel read-modify-writes losing a write to
one of the bitfield members protected by a lock, all writes to all the
bitfields must use the lock. They almost universally do, except for
btrfs_clear_space_info_full() which iterates over the space_infos and
writes out found->full = 0 without a lock.
Imagine that we have one thread completing a transaction in which we
finished deleting a block_group and are thus calling
btrfs_clear_space_info_full() while simultaneously the data reclaim
ticket infrastructure is running do_async_reclaim_data_space():
T1 T2
btrfs_commit_transaction
btrfs_clear_space_info_full
data_sinfo->full = 0
READ: full:0, chunk_alloc:0, flush:1
do_async_reclaim_data_space(data_sinfo)
spin_lock(&space_info->lock);
if(list_empty(tickets))
space_info->flush = 0;
READ: full: 0, chunk_alloc:0, flush:1
MOD/WRITE: full: 0, chunk_alloc:0, flush:0
spin_unlock(&space_info->lock);
return;
MOD/WRITE: full:0, chunk_alloc:0, flush:1
and now data_sinfo->flush is 1 but the reclaim worker has exited. This
breaks the invariant that flush is 0 iff there is no work queued or
running. Once this invariant is violated, future allocations that go
into __reserve_bytes() will add tickets to space_info->tickets but will
see space_info->flush is set to 1 and not queue the work. After this,
they will block forever on the resulting ticket, as it is now impossible
to kick the worker again.
I also confirmed by looking at the assembly of the affected kernel that
it is doing RMW operations. For example, to set the flush (3rd) bit to 0,
the assembly is:
andb $0xfb,0x60(%rbx)
and similarly for setting the full (1st) bit to 0:
andb $0xfe,-0x20(%rax)
So I think this is really a bug on practical systems. I have observed
a number of systems in this exact state, but am currently unable to
reproduce it.
Rather than leaving this footgun lying around for the future, take
advantage of the fact that there is room in the struct anyway, and that
it is already quite large and simply change the three bitfield members to
bools. This avoids writes to space_info->full having any effect on
writes to space_info->flush, regardless of locking.
Fixes: 957780eb2788 ("Btrfs: introduce ticketed enospc infrastructure")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Boris Burkov <boris@bur.io>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ The context change is due to the commit cc0517fe779f
("btrfs: tweak extent/chunk allocation for space_info sub-space")
in v6.16 which is irrelevant to the logic of this patch. ]
Signed-off-by: Rahul Sharma <black.hawk@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/block-group.c | 6 +++---
fs/btrfs/space-info.c | 22 +++++++++++-----------
fs/btrfs/space-info.h | 6 +++---
3 files changed, 17 insertions(+), 17 deletions(-)
--- a/fs/btrfs/block-group.c
+++ b/fs/btrfs/block-group.c
@@ -4195,7 +4195,7 @@ int btrfs_chunk_alloc(struct btrfs_trans
mutex_unlock(&fs_info->chunk_mutex);
} else {
/* Proceed with allocation */
- space_info->chunk_alloc = 1;
+ space_info->chunk_alloc = true;
wait_for_alloc = false;
spin_unlock(&space_info->lock);
}
@@ -4244,7 +4244,7 @@ int btrfs_chunk_alloc(struct btrfs_trans
spin_lock(&space_info->lock);
if (ret < 0) {
if (ret == -ENOSPC)
- space_info->full = 1;
+ space_info->full = true;
else
goto out;
} else {
@@ -4254,7 +4254,7 @@ int btrfs_chunk_alloc(struct btrfs_trans
space_info->force_alloc = CHUNK_ALLOC_NO_FORCE;
out:
- space_info->chunk_alloc = 0;
+ space_info->chunk_alloc = false;
spin_unlock(&space_info->lock);
mutex_unlock(&fs_info->chunk_mutex);
--- a/fs/btrfs/space-info.c
+++ b/fs/btrfs/space-info.c
@@ -183,7 +183,7 @@ void btrfs_clear_space_info_full(struct
struct btrfs_space_info *found;
list_for_each_entry(found, head, list)
- found->full = 0;
+ found->full = false;
}
/*
@@ -364,7 +364,7 @@ void btrfs_add_bg_to_space_info(struct b
found->bytes_readonly += block_group->bytes_super;
btrfs_space_info_update_bytes_zone_unusable(info, found, block_group->zone_unusable);
if (block_group->length > 0)
- found->full = 0;
+ found->full = false;
btrfs_try_granting_tickets(info, found);
spin_unlock(&found->lock);
@@ -1140,7 +1140,7 @@ static void btrfs_async_reclaim_metadata
spin_lock(&space_info->lock);
to_reclaim = btrfs_calc_reclaim_metadata_size(fs_info, space_info);
if (!to_reclaim) {
- space_info->flush = 0;
+ space_info->flush = false;
spin_unlock(&space_info->lock);
return;
}
@@ -1152,7 +1152,7 @@ static void btrfs_async_reclaim_metadata
flush_space(fs_info, space_info, to_reclaim, flush_state, false);
spin_lock(&space_info->lock);
if (list_empty(&space_info->tickets)) {
- space_info->flush = 0;
+ space_info->flush = false;
spin_unlock(&space_info->lock);
return;
}
@@ -1195,7 +1195,7 @@ static void btrfs_async_reclaim_metadata
flush_state = FLUSH_DELAYED_ITEMS_NR;
commit_cycles--;
} else {
- space_info->flush = 0;
+ space_info->flush = false;
}
} else {
flush_state = FLUSH_DELAYED_ITEMS_NR;
@@ -1357,7 +1357,7 @@ static void btrfs_async_reclaim_data_spa
spin_lock(&space_info->lock);
if (list_empty(&space_info->tickets)) {
- space_info->flush = 0;
+ space_info->flush = false;
spin_unlock(&space_info->lock);
return;
}
@@ -1368,7 +1368,7 @@ static void btrfs_async_reclaim_data_spa
flush_space(fs_info, space_info, U64_MAX, ALLOC_CHUNK_FORCE, false);
spin_lock(&space_info->lock);
if (list_empty(&space_info->tickets)) {
- space_info->flush = 0;
+ space_info->flush = false;
spin_unlock(&space_info->lock);
return;
}
@@ -1385,7 +1385,7 @@ static void btrfs_async_reclaim_data_spa
data_flush_states[flush_state], false);
spin_lock(&space_info->lock);
if (list_empty(&space_info->tickets)) {
- space_info->flush = 0;
+ space_info->flush = false;
spin_unlock(&space_info->lock);
return;
}
@@ -1402,7 +1402,7 @@ static void btrfs_async_reclaim_data_spa
if (maybe_fail_all_tickets(fs_info, space_info))
flush_state = 0;
else
- space_info->flush = 0;
+ space_info->flush = false;
} else {
flush_state = 0;
}
@@ -1418,7 +1418,7 @@ static void btrfs_async_reclaim_data_spa
aborted_fs:
maybe_fail_all_tickets(fs_info, space_info);
- space_info->flush = 0;
+ space_info->flush = false;
spin_unlock(&space_info->lock);
}
@@ -1787,7 +1787,7 @@ static int __reserve_bytes(struct btrfs_
*/
maybe_clamp_preempt(fs_info, space_info);
- space_info->flush = 1;
+ space_info->flush = true;
trace_btrfs_trigger_flush(fs_info,
space_info->flags,
orig_bytes, flush,
--- a/fs/btrfs/space-info.h
+++ b/fs/btrfs/space-info.h
@@ -136,11 +136,11 @@ struct btrfs_space_info {
flushing. The value is >> clamp, so turns
out to be a 2^clamp divisor. */
- unsigned int full:1; /* indicates that we cannot allocate any more
+ bool full; /* indicates that we cannot allocate any more
chunks for this space */
- unsigned int chunk_alloc:1; /* set if we are allocating a chunk */
+ bool chunk_alloc; /* set if we are allocating a chunk */
- unsigned int flush:1; /* set if we are trying to make space */
+ bool flush; /* set if we are trying to make space */
unsigned int force_alloc; /* set if we need to force a chunk
alloc for this space */
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 161/169] wifi: ath11k: fix RCU stall while reaping monitor destination ring
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-01-28 15:24 ` [PATCH 6.12 160/169] btrfs: fix racy bitfield write in btrfs_clear_space_info_full() Greg Kroah-Hartman
@ 2026-01-28 15:24 ` Greg Kroah-Hartman
2026-01-28 15:24 ` [PATCH 6.12 162/169] vsock/virtio: Move length check to callers of virtio_vsock_skb_rx_put() Greg Kroah-Hartman
` (21 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, P Praneesh, Kang Yang, Kalle Valo,
Jeff Johnson, Jeff Johnson, Li hongliang
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: P Praneesh <quic_ppranees@quicinc.com>
[ Upstream commit 16c6c35c03ea73054a1f6d3302a4ce4a331b427d ]
While processing the monitor destination ring, MSDUs are reaped from the
link descriptor based on the corresponding buf_id.
However, sometimes the driver cannot obtain a valid buffer corresponding
to the buf_id received from the hardware. This causes an infinite loop
in the destination processing, resulting in a kernel crash.
kernel log:
ath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309
ath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed
ath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309
ath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed
Fix this by skipping the problematic buf_id and reaping the next entry,
replacing the break with the next MSDU processing.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
Signed-off-by: Kang Yang <quic_kangyang@quicinc.com>
Acked-by: Kalle Valo <kvalo@kernel.org>
Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Link: https://patch.msgid.link/20241219110531.2096-2-quic_kangyang@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath11k/dp_rx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -4777,7 +4777,7 @@ ath11k_dp_rx_mon_mpdu_pop(struct ath11k
if (!msdu) {
ath11k_dbg(ar->ab, ATH11K_DBG_DATA,
"msdu_pop: invalid buf_id %d\n", buf_id);
- break;
+ goto next_msdu;
}
rxcb = ATH11K_SKB_RXCB(msdu);
if (!rxcb->unmapped) {
@@ -5404,7 +5404,7 @@ ath11k_dp_rx_full_mon_mpdu_pop(struct at
"full mon msdu_pop: invalid buf_id %d\n",
buf_id);
spin_unlock_bh(&rx_ring->idr_lock);
- break;
+ goto next_msdu;
}
idr_remove(&rx_ring->bufs_idr, buf_id);
spin_unlock_bh(&rx_ring->idr_lock);
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 162/169] vsock/virtio: Move length check to callers of virtio_vsock_skb_rx_put()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-01-28 15:24 ` [PATCH 6.12 161/169] wifi: ath11k: fix RCU stall while reaping monitor destination ring Greg Kroah-Hartman
@ 2026-01-28 15:24 ` Greg Kroah-Hartman
2026-01-28 15:24 ` [PATCH 6.12 163/169] vsock/virtio: Rename virtio_vsock_alloc_skb() Greg Kroah-Hartman
` (20 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
kernel-dev@igalia.com, Heitor Alves de Siqueira,
Stefano Garzarella, Will Deacon, Michael S. Tsirkin,
Heitor Alves de Siqueira
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
[Upstream commit 87dbae5e36613a6020f3d64a2eaeac0a1e0e6dc6]
virtio_vsock_skb_rx_put() only calls skb_put() if the length in the
packet header is not zero even though skb_put() handles this case
gracefully.
Remove the functionally redundant check from virtio_vsock_skb_rx_put()
and, on the assumption that this is a worthwhile optimisation for
handling credit messages, augment the existing length checks in
virtio_transport_rx_work() to elide the call for zero-length payloads.
Since the callers all have the length, extend virtio_vsock_skb_rx_put()
to take it as an additional parameter rather than fish it back out of
the packet header.
Note that the vhost code already has similar logic in
vhost_vsock_alloc_skb().
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Will Deacon <will@kernel.org>
Message-Id: <20250717090116.11987-4-will@kernel.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vhost/vsock.c | 2 +-
include/linux/virtio_vsock.h | 9 ++-------
net/vmw_vsock/virtio_transport.c | 4 +++-
3 files changed, 6 insertions(+), 9 deletions(-)
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -376,7 +376,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq
return NULL;
}
- virtio_vsock_skb_rx_put(skb);
+ virtio_vsock_skb_rx_put(skb, payload_len);
nbytes = copy_from_iter(skb->data, payload_len, &iov_iter);
if (nbytes != payload_len) {
--- a/include/linux/virtio_vsock.h
+++ b/include/linux/virtio_vsock.h
@@ -47,14 +47,9 @@ static inline void virtio_vsock_skb_clea
VIRTIO_VSOCK_SKB_CB(skb)->tap_delivered = false;
}
-static inline void virtio_vsock_skb_rx_put(struct sk_buff *skb)
+static inline void virtio_vsock_skb_rx_put(struct sk_buff *skb, u32 len)
{
- u32 len;
-
- len = le32_to_cpu(virtio_vsock_hdr(skb)->len);
-
- if (len > 0)
- skb_put(skb, len);
+ skb_put(skb, len);
}
static inline struct sk_buff *virtio_vsock_alloc_skb(unsigned int size, gfp_t mask)
--- a/net/vmw_vsock/virtio_transport.c
+++ b/net/vmw_vsock/virtio_transport.c
@@ -656,7 +656,9 @@ static void virtio_transport_rx_work(str
continue;
}
- virtio_vsock_skb_rx_put(skb);
+ if (payload_len)
+ virtio_vsock_skb_rx_put(skb, payload_len);
+
virtio_transport_deliver_tap_pkt(skb);
virtio_transport_recv_pkt(&virtio_transport, skb);
}
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 163/169] vsock/virtio: Rename virtio_vsock_alloc_skb()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-01-28 15:24 ` [PATCH 6.12 162/169] vsock/virtio: Move length check to callers of virtio_vsock_skb_rx_put() Greg Kroah-Hartman
@ 2026-01-28 15:24 ` Greg Kroah-Hartman
2026-01-28 15:24 ` [PATCH 6.12 164/169] vsock/virtio: Move SKB allocation lower-bound check to callers Greg Kroah-Hartman
` (19 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
kernel-dev@igalia.com, Heitor Alves de Siqueira,
Stefano Garzarella, Will Deacon, Michael S. Tsirkin,
Heitor Alves de Siqueira
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
[Upstream commit 2304c64a2866c58534560c63dc6e79d09b8f8d8d]
In preparation for nonlinear allocations for large SKBs, rename
virtio_vsock_alloc_skb() to virtio_vsock_alloc_linear_skb() to indicate
that it returns linear SKBs unconditionally and switch all callers over
to this new interface for now.
No functional change.
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Will Deacon <will@kernel.org>
Message-Id: <20250717090116.11987-6-will@kernel.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vhost/vsock.c | 2 +-
include/linux/virtio_vsock.h | 3 ++-
net/vmw_vsock/virtio_transport.c | 2 +-
net/vmw_vsock/virtio_transport_common.c | 2 +-
4 files changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -349,7 +349,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq
return NULL;
/* len contains both payload and hdr */
- skb = virtio_vsock_alloc_skb(len, GFP_KERNEL);
+ skb = virtio_vsock_alloc_linear_skb(len, GFP_KERNEL);
if (!skb)
return NULL;
--- a/include/linux/virtio_vsock.h
+++ b/include/linux/virtio_vsock.h
@@ -52,7 +52,8 @@ static inline void virtio_vsock_skb_rx_p
skb_put(skb, len);
}
-static inline struct sk_buff *virtio_vsock_alloc_skb(unsigned int size, gfp_t mask)
+static inline struct sk_buff *
+virtio_vsock_alloc_linear_skb(unsigned int size, gfp_t mask)
{
struct sk_buff *skb;
--- a/net/vmw_vsock/virtio_transport.c
+++ b/net/vmw_vsock/virtio_transport.c
@@ -316,7 +316,7 @@ static void virtio_vsock_rx_fill(struct
vq = vsock->vqs[VSOCK_VQ_RX];
do {
- skb = virtio_vsock_alloc_skb(total_len, GFP_KERNEL);
+ skb = virtio_vsock_alloc_linear_skb(total_len, GFP_KERNEL);
if (!skb)
break;
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -263,7 +263,7 @@ static struct sk_buff *virtio_transport_
if (!zcopy)
skb_len += payload_len;
- skb = virtio_vsock_alloc_skb(skb_len, GFP_KERNEL);
+ skb = virtio_vsock_alloc_linear_skb(skb_len, GFP_KERNEL);
if (!skb)
return NULL;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 164/169] vsock/virtio: Move SKB allocation lower-bound check to callers
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-01-28 15:24 ` [PATCH 6.12 163/169] vsock/virtio: Rename virtio_vsock_alloc_skb() Greg Kroah-Hartman
@ 2026-01-28 15:24 ` Greg Kroah-Hartman
2026-01-28 15:24 ` [PATCH 6.12 165/169] vsock/virtio: Rename virtio_vsock_skb_rx_put() Greg Kroah-Hartman
` (18 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
kernel-dev@igalia.com, Heitor Alves de Siqueira,
Stefano Garzarella, Will Deacon, Michael S. Tsirkin,
Heitor Alves de Siqueira
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
[Upstream commit fac6b82e0f3eaca33c8c67ec401681b21143ae17]
virtio_vsock_alloc_linear_skb() checks that the requested size is at
least big enough for the packet header (VIRTIO_VSOCK_SKB_HEADROOM).
Of the three callers of virtio_vsock_alloc_linear_skb(), only
vhost_vsock_alloc_skb() can potentially pass a packet smaller than the
header size and, as it already has a check against the maximum packet
size, extend its bounds checking to consider the minimum packet size
and remove the check from virtio_vsock_alloc_linear_skb().
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Will Deacon <will@kernel.org>
Message-Id: <20250717090116.11987-7-will@kernel.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vhost/vsock.c | 3 ++-
include/linux/virtio_vsock.h | 3 ---
2 files changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -345,7 +345,8 @@ vhost_vsock_alloc_skb(struct vhost_virtq
len = iov_length(vq->iov, out);
- if (len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM)
+ if (len < VIRTIO_VSOCK_SKB_HEADROOM ||
+ len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM)
return NULL;
/* len contains both payload and hdr */
--- a/include/linux/virtio_vsock.h
+++ b/include/linux/virtio_vsock.h
@@ -57,9 +57,6 @@ virtio_vsock_alloc_linear_skb(unsigned i
{
struct sk_buff *skb;
- if (size < VIRTIO_VSOCK_SKB_HEADROOM)
- return NULL;
-
skb = alloc_skb(size, mask);
if (!skb)
return NULL;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 165/169] vsock/virtio: Rename virtio_vsock_skb_rx_put()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-01-28 15:24 ` [PATCH 6.12 164/169] vsock/virtio: Move SKB allocation lower-bound check to callers Greg Kroah-Hartman
@ 2026-01-28 15:24 ` Greg Kroah-Hartman
2026-01-28 15:24 ` [PATCH 6.12 166/169] vhost/vsock: Allocate nonlinear SKBs for handling large receive buffers Greg Kroah-Hartman
` (17 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
kernel-dev@igalia.com, Heitor Alves de Siqueira,
Stefano Garzarella, Will Deacon, Michael S. Tsirkin,
Heitor Alves de Siqueira
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
[Upstream commit 8ca76151d2c8219edea82f1925a2a25907ff6a9d]
In preparation for using virtio_vsock_skb_rx_put() when populating SKBs
on the vsock TX path, rename virtio_vsock_skb_rx_put() to
virtio_vsock_skb_put().
No functional change.
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Will Deacon <will@kernel.org>
Message-Id: <20250717090116.11987-9-will@kernel.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vhost/vsock.c | 2 +-
include/linux/virtio_vsock.h | 2 +-
net/vmw_vsock/virtio_transport.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -377,7 +377,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq
return NULL;
}
- virtio_vsock_skb_rx_put(skb, payload_len);
+ virtio_vsock_skb_put(skb, payload_len);
nbytes = copy_from_iter(skb->data, payload_len, &iov_iter);
if (nbytes != payload_len) {
--- a/include/linux/virtio_vsock.h
+++ b/include/linux/virtio_vsock.h
@@ -47,7 +47,7 @@ static inline void virtio_vsock_skb_clea
VIRTIO_VSOCK_SKB_CB(skb)->tap_delivered = false;
}
-static inline void virtio_vsock_skb_rx_put(struct sk_buff *skb, u32 len)
+static inline void virtio_vsock_skb_put(struct sk_buff *skb, u32 len)
{
skb_put(skb, len);
}
--- a/net/vmw_vsock/virtio_transport.c
+++ b/net/vmw_vsock/virtio_transport.c
@@ -657,7 +657,7 @@ static void virtio_transport_rx_work(str
}
if (payload_len)
- virtio_vsock_skb_rx_put(skb, payload_len);
+ virtio_vsock_skb_put(skb, payload_len);
virtio_transport_deliver_tap_pkt(skb);
virtio_transport_recv_pkt(&virtio_transport, skb);
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 166/169] vhost/vsock: Allocate nonlinear SKBs for handling large receive buffers
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-01-28 15:24 ` [PATCH 6.12 165/169] vsock/virtio: Rename virtio_vsock_skb_rx_put() Greg Kroah-Hartman
@ 2026-01-28 15:24 ` Greg Kroah-Hartman
2026-01-28 15:24 ` [PATCH 6.12 167/169] vsock/virtio: Allocate nonlinear SKBs for handling large transmit buffers Greg Kroah-Hartman
` (16 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
kernel-dev@igalia.com, Heitor Alves de Siqueira,
Stefano Garzarella, Will Deacon, Michael S. Tsirkin,
Heitor Alves de Siqueira
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
[Upstream commit ab9aa2f3afc2713c14f6c4c6b90c9a0933b837f1]
When receiving a packet from a guest, vhost_vsock_handle_tx_kick()
calls vhost_vsock_alloc_linear_skb() to allocate and fill an SKB with
the receive data. Unfortunately, these are always linear allocations and
can therefore result in significant pressure on kmalloc() considering
that the maximum packet size (VIRTIO_VSOCK_MAX_PKT_BUF_SIZE +
VIRTIO_VSOCK_SKB_HEADROOM) is a little over 64KiB, resulting in a 128KiB
allocation for each packet.
Rework the vsock SKB allocation so that, for sizes with page order
greater than PAGE_ALLOC_COSTLY_ORDER, a nonlinear SKB is allocated
instead with the packet header in the SKB and the receive data in the
fragments. Finally, add a debug warning if virtio_vsock_skb_rx_put() is
ever called on an SKB with a non-zero length, as this would be
destructive for the nonlinear case.
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Will Deacon <will@kernel.org>
Message-Id: <20250717090116.11987-8-will@kernel.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vhost/vsock.c | 8 +++-----
include/linux/virtio_vsock.h | 32 +++++++++++++++++++++++++++++---
2 files changed, 32 insertions(+), 8 deletions(-)
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -350,7 +350,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq
return NULL;
/* len contains both payload and hdr */
- skb = virtio_vsock_alloc_linear_skb(len, GFP_KERNEL);
+ skb = virtio_vsock_alloc_skb(len, GFP_KERNEL);
if (!skb)
return NULL;
@@ -379,10 +379,8 @@ vhost_vsock_alloc_skb(struct vhost_virtq
virtio_vsock_skb_put(skb, payload_len);
- nbytes = copy_from_iter(skb->data, payload_len, &iov_iter);
- if (nbytes != payload_len) {
- vq_err(vq, "Expected %zu byte payload, got %zu bytes\n",
- payload_len, nbytes);
+ if (skb_copy_datagram_from_iter(skb, 0, &iov_iter, payload_len)) {
+ vq_err(vq, "Failed to copy %zu byte payload\n", payload_len);
kfree_skb(skb);
return NULL;
}
--- a/include/linux/virtio_vsock.h
+++ b/include/linux/virtio_vsock.h
@@ -49,22 +49,48 @@ static inline void virtio_vsock_skb_clea
static inline void virtio_vsock_skb_put(struct sk_buff *skb, u32 len)
{
- skb_put(skb, len);
+ DEBUG_NET_WARN_ON_ONCE(skb->len);
+
+ if (skb_is_nonlinear(skb))
+ skb->len = len;
+ else
+ skb_put(skb, len);
}
static inline struct sk_buff *
-virtio_vsock_alloc_linear_skb(unsigned int size, gfp_t mask)
+__virtio_vsock_alloc_skb_with_frags(unsigned int header_len,
+ unsigned int data_len,
+ gfp_t mask)
{
struct sk_buff *skb;
+ int err;
- skb = alloc_skb(size, mask);
+ skb = alloc_skb_with_frags(header_len, data_len,
+ PAGE_ALLOC_COSTLY_ORDER, &err, mask);
if (!skb)
return NULL;
skb_reserve(skb, VIRTIO_VSOCK_SKB_HEADROOM);
+ skb->data_len = data_len;
return skb;
}
+static inline struct sk_buff *
+virtio_vsock_alloc_linear_skb(unsigned int size, gfp_t mask)
+{
+ return __virtio_vsock_alloc_skb_with_frags(size, 0, mask);
+}
+
+static inline struct sk_buff *virtio_vsock_alloc_skb(unsigned int size, gfp_t mask)
+{
+ if (size <= SKB_WITH_OVERHEAD(PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER))
+ return virtio_vsock_alloc_linear_skb(size, mask);
+
+ size -= VIRTIO_VSOCK_SKB_HEADROOM;
+ return __virtio_vsock_alloc_skb_with_frags(VIRTIO_VSOCK_SKB_HEADROOM,
+ size, mask);
+}
+
static inline void
virtio_vsock_skb_queue_head(struct sk_buff_head *list, struct sk_buff *skb)
{
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 167/169] vsock/virtio: Allocate nonlinear SKBs for handling large transmit buffers
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-01-28 15:24 ` [PATCH 6.12 166/169] vhost/vsock: Allocate nonlinear SKBs for handling large receive buffers Greg Kroah-Hartman
@ 2026-01-28 15:24 ` Greg Kroah-Hartman
2026-01-28 15:24 ` [PATCH 6.12 168/169] net: Introduce skb_copy_datagram_from_iter_full() Greg Kroah-Hartman
` (15 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
kernel-dev@igalia.com, Heitor Alves de Siqueira,
Stefano Garzarella, Will Deacon, Michael S. Tsirkin,
Heitor Alves de Siqueira
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
[Upstream commit 6693731487a8145a9b039bc983d77edc47693855]
When transmitting a vsock packet, virtio_transport_send_pkt_info() calls
virtio_transport_alloc_linear_skb() to allocate and fill SKBs with the
transmit data. Unfortunately, these are always linear allocations and
can therefore result in significant pressure on kmalloc() considering
that the maximum packet size (VIRTIO_VSOCK_MAX_PKT_BUF_SIZE +
VIRTIO_VSOCK_SKB_HEADROOM) is a little over 64KiB, resulting in a 128KiB
allocation for each packet.
Rework the vsock SKB allocation so that, for sizes with page order
greater than PAGE_ALLOC_COSTLY_ORDER, a nonlinear SKB is allocated
instead with the packet header in the SKB and the transmit data in the
fragments. Note that this affects both the vhost and virtio transports.
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Will Deacon <will@kernel.org>
Message-Id: <20250717090116.11987-10-will@kernel.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/vmw_vsock/virtio_transport_common.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -111,7 +111,8 @@ static int virtio_transport_fill_skb(str
&info->msg->msg_iter,
len);
- return memcpy_from_msg(skb_put(skb, len), info->msg, len);
+ virtio_vsock_skb_put(skb, len);
+ return skb_copy_datagram_from_iter(skb, 0, &info->msg->msg_iter, len);
}
static void virtio_transport_init_hdr(struct sk_buff *skb,
@@ -263,7 +264,7 @@ static struct sk_buff *virtio_transport_
if (!zcopy)
skb_len += payload_len;
- skb = virtio_vsock_alloc_linear_skb(skb_len, GFP_KERNEL);
+ skb = virtio_vsock_alloc_skb(skb_len, GFP_KERNEL);
if (!skb)
return NULL;
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 168/169] net: Introduce skb_copy_datagram_from_iter_full()
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-01-28 15:24 ` [PATCH 6.12 167/169] vsock/virtio: Allocate nonlinear SKBs for handling large transmit buffers Greg Kroah-Hartman
@ 2026-01-28 15:24 ` Greg Kroah-Hartman
2026-01-28 15:24 ` [PATCH 6.12 169/169] vsock/virtio: Fix message iterator handling on transmit path Greg Kroah-Hartman
` (14 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Brauner, Alexander Viro,
Will Deacon, Michael S. Tsirkin, Stefan Hajnoczi, Jakub Kicinski,
Heitor Alves de Siqueira
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
[Upstream commit b08a784a5d1495c42ff9b0c70887d49211cddfe0]
In a similar manner to copy_from_iter()/copy_from_iter_full(), introduce
skb_copy_datagram_from_iter_full() which reverts the iterator to its
initial state when returning an error.
A subsequent fix for a vsock regression will make use of this new
function.
Cc: Christian Brauner <brauner@kernel.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Will Deacon <will@kernel.org>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Link: https://patch.msgid.link/20250818180355.29275-2-will@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/skbuff.h | 2 ++
net/core/datagram.c | 14 ++++++++++++++
2 files changed, 16 insertions(+)
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -4117,6 +4117,8 @@ int skb_copy_and_hash_datagram_iter(cons
struct ahash_request *hash);
int skb_copy_datagram_from_iter(struct sk_buff *skb, int offset,
struct iov_iter *from, int len);
+int skb_copy_datagram_from_iter_full(struct sk_buff *skb, int offset,
+ struct iov_iter *from, int len);
int zerocopy_sg_from_iter(struct sk_buff *skb, struct iov_iter *frm);
void skb_free_datagram(struct sock *sk, struct sk_buff *skb);
int skb_kill_datagram(struct sock *sk, struct sk_buff *skb, unsigned int flags);
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -621,6 +621,20 @@ fault:
}
EXPORT_SYMBOL(skb_copy_datagram_from_iter);
+int skb_copy_datagram_from_iter_full(struct sk_buff *skb, int offset,
+ struct iov_iter *from, int len)
+{
+ struct iov_iter_state state;
+ int ret;
+
+ iov_iter_save_state(from, &state);
+ ret = skb_copy_datagram_from_iter(skb, offset, from, len);
+ if (ret)
+ iov_iter_restore(from, &state);
+ return ret;
+}
+EXPORT_SYMBOL(skb_copy_datagram_from_iter_full);
+
int zerocopy_fill_skb_from_iter(struct sk_buff *skb,
struct iov_iter *from, size_t length)
{
^ permalink raw reply [flat|nested] 190+ messages in thread* [PATCH 6.12 169/169] vsock/virtio: Fix message iterator handling on transmit path
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-01-28 15:24 ` [PATCH 6.12 168/169] net: Introduce skb_copy_datagram_from_iter_full() Greg Kroah-Hartman
@ 2026-01-28 15:24 ` Greg Kroah-Hartman
2026-01-28 19:38 ` [PATCH 6.12 000/169] 6.12.68-rc1 review Brett A C Sheffield
` (13 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-28 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Wang, Stefano Garzarella,
syzbot+b4d960daf7a3c7c2b7b1, Will Deacon, Michael S. Tsirkin,
Stefan Hajnoczi, Jakub Kicinski, Heitor Alves de Siqueira
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
[Upstream commit 7fb1291257ea1e27dbc3f34c6a37b4d640aafdd7]
Commit 6693731487a8 ("vsock/virtio: Allocate nonlinear SKBs for handling
large transmit buffers") converted the virtio vsock transmit path to
utilise nonlinear SKBs when handling large buffers. As part of this
change, virtio_transport_fill_skb() was updated to call
skb_copy_datagram_from_iter() instead of memcpy_from_msg() as the latter
expects a single destination buffer and cannot handle nonlinear SKBs
correctly.
Unfortunately, during this conversion, I overlooked the error case when
the copying function returns -EFAULT due to a fault on the input buffer
in userspace. In this case, memcpy_from_msg() reverts the iterator to
its initial state thanks to copy_from_iter_full() whereas
skb_copy_datagram_from_iter() leaves the iterator partially advanced.
This results in a WARN_ONCE() from the vsock code, which expects the
iterator to stay in sync with the number of bytes transmitted so that
virtio_transport_send_pkt_info() can return -EFAULT when it is called
again:
------------[ cut here ]------------
'send_pkt()' returns 0, but 65536 expected
WARNING: CPU: 0 PID: 5503 at net/vmw_vsock/virtio_transport_common.c:428 virtio_transport_send_pkt_info+0xd11/0xf00 net/vmw_vsock/virtio_transport_common.c:426
Modules linked in:
CPU: 0 UID: 0 PID: 5503 Comm: syz.0.17 Not tainted 6.16.0-syzkaller-12063-g37816488247d #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call virtio_transport_fill_skb_full() to restore the previous iterator
behaviour.
Cc: Jason Wang <jasowang@redhat.com>
Cc: Stefano Garzarella <sgarzare@redhat.com>
Fixes: 6693731487a8 ("vsock/virtio: Allocate nonlinear SKBs for handling large transmit buffers")
Reported-by: syzbot+b4d960daf7a3c7c2b7b1@syzkaller.appspotmail.com
Signed-off-by: Will Deacon <will@kernel.org>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Link: https://patch.msgid.link/20250818180355.29275-3-will@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[halves: adjust __zerocopy_sg_from_iter() parameters]
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/vmw_vsock/virtio_transport_common.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -106,13 +106,15 @@ static int virtio_transport_fill_skb(str
size_t len,
bool zcopy)
{
+ struct msghdr *msg = info->msg;
+
if (zcopy)
- return __zerocopy_sg_from_iter(info->msg, NULL, skb,
- &info->msg->msg_iter,
+ return __zerocopy_sg_from_iter(msg, NULL, skb,
+ &msg->msg_iter,
len);
virtio_vsock_skb_put(skb, len);
- return skb_copy_datagram_from_iter(skb, 0, &info->msg->msg_iter, len);
+ return skb_copy_datagram_from_iter_full(skb, 0, &msg->msg_iter, len);
}
static void virtio_transport_init_hdr(struct sk_buff *skb,
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 000/169] 6.12.68-rc1 review
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-01-28 15:24 ` [PATCH 6.12 169/169] vsock/virtio: Fix message iterator handling on transmit path Greg Kroah-Hartman
@ 2026-01-28 19:38 ` Brett A C Sheffield
2026-01-28 20:08 ` Florian Fainelli
` (12 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Brett A C Sheffield @ 2026-01-28 19:38 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 6.12.68-rc1-g559b99a93134 #1 SMP PREEMPT_DYNAMIC Wed Jan 28 18:40:27 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 000/169] 6.12.68-rc1 review
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-01-28 19:38 ` [PATCH 6.12 000/169] 6.12.68-rc1 review Brett A C Sheffield
@ 2026-01-28 20:08 ` Florian Fainelli
2026-01-28 20:13 ` Pavel Machek
` (11 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Florian Fainelli @ 2026-01-28 20:08 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill, sr
On 1/28/26 07:21, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.68 release.
> There are 169 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 30 Jan 2026 14:53:02 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.68-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 000/169] 6.12.68-rc1 review
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-01-28 20:08 ` Florian Fainelli
@ 2026-01-28 20:13 ` Pavel Machek
2026-01-29 2:09 ` Shung-Hsi Yu
` (10 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Pavel Machek @ 2026-01-28 20:13 UTC (permalink / raw)
To: Greg Kroah-Hartman, pavel
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
Hi!
Please update my email address. I no longer have access to @denx
address, new one is pavel@nabladev.com .
Thanks and best regards,
Pavel
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 000/169] 6.12.68-rc1 review
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-01-28 20:13 ` Pavel Machek
@ 2026-01-29 2:09 ` Shung-Hsi Yu
2026-01-29 6:51 ` Peter Schneider
` (9 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Shung-Hsi Yu @ 2026-01-29 2:09 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Wed, Jan 28, 2026 at 04:21:23PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.68 release.
> There are 169 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
test_progs, test_progs-no_alu32, test_progs-cpuv4, test_maps,
test_verifier in BPF selftests all passes[1] on x86_64.
Tested-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
1: https://github.com/shunghsiyu/libbpf/actions/runs/21450963930/job/61779347559
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 000/169] 6.12.68-rc1 review
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-01-29 2:09 ` Shung-Hsi Yu
@ 2026-01-29 6:51 ` Peter Schneider
2026-01-29 6:55 ` Slade Watkins
` (8 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Peter Schneider @ 2026-01-29 6:51 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
Am 28.01.2026 um 16:21 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.12.68 release.
> There are 169 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 000/169] 6.12.68-rc1 review
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-01-29 6:51 ` Peter Schneider
@ 2026-01-29 6:55 ` Slade Watkins
2026-01-29 7:31 ` Francesco Dolcini
` (7 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Slade Watkins @ 2026-01-29 6:55 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill
On Wed, Jan 28, 2026 at 10:41 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.12.68 release.
> There are 169 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 30 Jan 2026 14:53:02 +0000.
> Anything received after that time might be too late.
6.12.68-rc1 built and run on my x86_64 test system (AMD Ryzen 9 9900X,
System76 thelio-mira-r4-n3). No errors or regressions.
Tested-by: Slade Watkins <sr@sladewatkins.com>
Thanks,
Slade
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 000/169] 6.12.68-rc1 review
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-01-29 6:55 ` Slade Watkins
@ 2026-01-29 7:31 ` Francesco Dolcini
2026-01-29 9:49 ` Jon Hunter
` (6 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Francesco Dolcini @ 2026-01-29 7:31 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Wed, Jan 28, 2026 at 04:21:23PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.68 release.
> There are 169 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Compiled and tested on
- Verdin AM62
- Verdin iMX8MP
- Toradex SMARC iMX8MP
Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 000/169] 6.12.68-rc1 review
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2026-01-29 7:31 ` Francesco Dolcini
@ 2026-01-29 9:49 ` Jon Hunter
2026-01-29 10:18 ` Ron Economos
` (5 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Jon Hunter @ 2026-01-29 9:49 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
linux-tegra, stable
On Wed, 28 Jan 2026 16:21:23 +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.68 release.
> There are 169 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 30 Jan 2026 14:53:02 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.68-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.12:
10 builds: 10 pass, 0 fail
28 boots: 28 pass, 0 fail
133 tests: 133 pass, 0 fail
Linux version: 6.12.68-rc1-g559b99a93134
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
tegra194-p3509-0000+p3668-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 000/169] 6.12.68-rc1 review
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2026-01-29 9:49 ` Jon Hunter
@ 2026-01-29 10:18 ` Ron Economos
2026-01-29 13:25 ` Mark Brown
` (4 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Ron Economos @ 2026-01-29 10:18 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On 1/28/26 07:21, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.68 release.
> There are 169 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 30 Jan 2026 14:53:02 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.68-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 000/169] 6.12.68-rc1 review
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2026-01-29 10:18 ` Ron Economos
@ 2026-01-29 13:25 ` Mark Brown
2026-01-29 14:26 ` Brett Mastbergen
` (3 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Mark Brown @ 2026-01-29 13:25 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, achill, sr
[-- Attachment #1: Type: text/plain, Size: 346 bytes --]
On Wed, Jan 28, 2026 at 04:21:23PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.68 release.
> There are 169 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 000/169] 6.12.68-rc1 review
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-01-29 13:25 ` Mark Brown
@ 2026-01-29 14:26 ` Brett Mastbergen
2026-01-29 19:47 ` Hardik Garg
` (2 subsequent siblings)
182 siblings, 0 replies; 190+ messages in thread
From: Brett Mastbergen @ 2026-01-29 14:26 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Wed, Jan 28, 2026 at 10:57 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.12.68 release.
> There are 169 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 30 Jan 2026 14:53:02 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.68-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Builds successfully. Boots and works on qemu and Dell XPS 15 9520 w/
Intel Core i7-12600H
Tested-by: Brett Mastbergen <bmastbergen@ciq.com>
Thanks,
Brett
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 000/169] 6.12.68-rc1 review
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-01-29 14:26 ` Brett Mastbergen
@ 2026-01-29 19:47 ` Hardik Garg
2026-01-29 20:38 ` Miguel Ojeda
2026-01-30 14:35 ` Harshit Mogalapalli
182 siblings, 0 replies; 190+ messages in thread
From: Hardik Garg @ 2026-01-29 19:47 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Hardik Garg
The kernel, bpf tool, perf tool, and kselftest builds fine for
v6.12.68-rc1 on x86 and arm64 Azure VM.
Tested-by: Hardik Garg <hargar@linux.microsoft.com>
Thanks,
Hardik
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 000/169] 6.12.68-rc1 review
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-01-29 19:47 ` Hardik Garg
@ 2026-01-29 20:38 ` Miguel Ojeda
2026-01-30 14:35 ` Harshit Mogalapalli
182 siblings, 0 replies; 190+ messages in thread
From: Miguel Ojeda @ 2026-01-29 20:38 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Wed, 28 Jan 2026 16:21:23 +0100 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.12.68 release.
> There are 169 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 30 Jan 2026 14:53:02 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64, arm64 and riscv64; built-tested
for loongarch64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 190+ messages in thread* Re: [PATCH 6.12 000/169] 6.12.68-rc1 review
2026-01-28 15:21 [PATCH 6.12 000/169] 6.12.68-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-01-29 20:38 ` Miguel Ojeda
@ 2026-01-30 14:35 ` Harshit Mogalapalli
182 siblings, 0 replies; 190+ messages in thread
From: Harshit Mogalapalli @ 2026-01-30 14:35 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
Hi Greg,
On 28/01/26 20:51, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.68 release.
> There are 169 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 30 Jan 2026 14:53:02 +0000.
> Anything received after that time might be too late.
>
Yeah, I delayed sending the results. But:
No problems seen on x86_64 and aarch64 with our testing.
Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Thanks,
Harshit
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/
> patch-6.12.68-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
> and the diffstat can be found below.
>
> thanks,
^ permalink raw reply [flat|nested] 190+ messages in thread