* [PATCH 6.19 000/378] 6.19.9-rc1 review
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 6.19.9 release.
There are 378 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 19 Mar 2026 16:28:59 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.9-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.19.9-rc1
Keith Busch <kbusch@kernel.org>
cxl/acpi: Fix CXL_ACPI and CXL_PMEM Kconfig tristate mismatch
Jens Axboe <axboe@kernel.dk>
io_uring/eventfd: use ctx->rings_rcu for flags checking
Jens Axboe <axboe@kernel.dk>
io_uring: ensure ctx->rings is stable for task work flags manipulation
Marc Zyngier <maz@kernel.org>
KVM: arm64: Eagerly init vgic dist/redist on vgic creation
Sascha Bischoff <Sascha.Bischoff@arm.com>
KVM: arm64: gic: Set vgic_model before initing private IRQs
SeongJae Park <sj@kernel.org>
mm/damon/core: disallow non-power of two min_region_sz
SeongJae Park <sj@kernel.org>
mm/damon: rename min_sz_region of damon_ctx to min_region_sz
SeongJae Park <sj@kernel.org>
mm/damon: rename DAMON_MIN_REGION to DAMON_MIN_REGION_SZ
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Fix race in DMA ring dequeue
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Consolidate spinlocks
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Factor out DMA mapping from queuing path
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors
Yasin Lee <yasin.lee.x@gmail.com>
iio: proximity: hx9023s: Protect against division by zero in set_samp_freq
Yasin Lee <yasin.lee.x@gmail.com>
iio: proximity: hx9023s: fix assignment order for __counted_by
Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
iio: imu: inv_icm42600: fix odr switch when turning buffer off
Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
iio: imu: inv_icm42600: fix odr switch to the same value
Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
iio: imu: inv_icm45600: fix INT1 drive bit inverted
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: light: bh1780: fix PM runtime leak on error path
Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
iio: imu: inv_icm45600: fix regulator put warning when probe fails
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: gyro: mpu3050-i2c: fix pm_runtime error handling
Radu Sabau <radu.sabau@analog.com>
iio: imu: adis: Fix NULL pointer dereference in adis_init
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: gyro: mpu3050-core: fix pm_runtime error handling
Nuno Sá <nuno.sa@analog.com>
iio: buffer: Fix wait_queue not being removed
Chris Spencer <spencercw@gmail.com>
iio: chemical: bme680: Fix measurement wait duration calculation
Lukas Schmid <lukas.schmid@netcube.li>
iio: potentiometer: mcp4131: fix double application of wiper shift
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: magnetometer: tlv493d: remove erroneous shift in X-axis data
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
SeungJu Cheon <suunj1331@gmail.com>
iio: frequency: adf4377: Fix duplicated soft reset mask
Oleksij Rempel <o.rempel@pengutronix.de>
iio: dac: ds4424: reject -128 RAW value
Filipe Manana <fdmanana@suse.com>
btrfs: abort transaction on failure to update root in the received subvol ioctl
Bart Van Assche <bvanassche@acm.org>
btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer()
Filipe Manana <fdmanana@suse.com>
btrfs: fix transaction abort on set received ioctl due to item overflow
Filipe Manana <fdmanana@suse.com>
btrfs: fix transaction abort on file creation due to name hash collision
Filipe Manana <fdmanana@suse.com>
btrfs: fix transaction abort when snapshotting received subvolumes
Henrique Carvalho <henrique.carvalho@suse.com>
smb: client: fix iface port assignment in parse_server_interfaces
Bharath SM <bharathsm@microsoft.com>
smb: client: fix in-place encryption corruption in SMB2_write()
Paulo Alcantara <pc@manguebit.org>
smb: client: fix atomic open with O_DIRECT & O_SYNC
Josh Law <objecting@objecting.org>
lib/bootconfig: check bounds before writing in __xbc_open_brace()
Josh Law <objecting@objecting.org>
lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after()
Masami Hiramatsu (Google) <mhiramat@kernel.org>
kprobes: Remove unneeded warnings from __arm_kprobe_ftrace()
Shashank Balaji <shashank.mahadasyam@sony.com>
x86/apic: Disable x2apic on resume if the kernel expects so
Junxiao Bi <junxiao.bi@oracle.com>
scsi: core: Fix error handling for scsi_alloc_sdev()
Josh Law <objecting@objecting.org>
lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
Hari Bathini <hbathini@linux.ibm.com>
powerpc64/bpf: fix the address returned by bpf_get_func_ip
Hari Bathini <hbathini@linux.ibm.com>
powerpc64/bpf: fix kfunc call support
Nam Cao <namcao@linutronix.de>
powerpc/pseries: Correct MSI allocation tracking
Stefan Haberland <sth@linux.ibm.com>
s390/dasd: Copy detected format information to secondary device
Stefan Haberland <sth@linux.ibm.com>
s390/dasd: Move quiesce state with pprc swap
Mehul Rao <mehulrao@gmail.com>
ublk: fix NULL pointer dereference in ublk_ctrl_set_size()
Abel Vesa <abel.vesa@oss.qualcomm.com>
dt-bindings: display: msm: Fix reg ranges and clocks on Glymur
Harald Freudenberger <freude@linux.ibm.com>
s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute
Tejun Heo <tj@kernel.org>
sched_ext: Fix enqueue_task_scx() truncation of upper enqueue flags
Long Li <leo.lilong@huawei.com>
xfs: ensure dquot item is deleted from AIL only after log shutdown
Darrick J. Wong <djwong@kernel.org>
xfs: fix undersized l_iclog_roundoff values
Carlos Maiolino <cem@kernel.org>
xfs: fix returned valued from xfs_defer_can_append
Long Li <leo.lilong@huawei.com>
xfs: fix integer overflow in bmap intent sort comparator
Shyam Prasad N <sprasad@microsoft.com>
cifs: make default value of retrans as zero
Jens Axboe <axboe@kernel.dk>
io_uring/kbuf: check if target buffer list is still legacy on recycle
Haibo Chen <haibo.chen@nxp.com>
can: dev: keep the max bitrate error at 5%
Laurent Vivier <lvivier@redhat.com>
qmi_wwan: allow max_mtu above hard_mtu to control rx_urb_size
Paul Moses <p@1g4.org>
net-shapers: don't free reply skb after genlmsg_reply()
Calvin Owens <calvin@wbinvd.org>
tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
Andrei-Alexandru Tachici <andrei-alexandru.tachici@oss.qualcomm.com>
tracing: Fix enabling multiple events on the kernel command line and bootconfig
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL
Abhinav Kumar <quic_abhinavk@quicinc.com>
drm/msm/dpu: Correct the SA8775P intr_underrun/intr_underrun index
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Fix a few more NULL pointer dereference in device cleanup
Thomas Fourier <fourier.thomas@gmail.com>
drm/msm: Fix dma_free_attrs() buffer size
Jouni Högander <jouni.hogander@intel.com>
drm/i915/psr: Repeat Selective Update area alignment
Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
drm/i915: Fix potential overflow of shmem scatterlist length
Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output
Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Fix NULL pointer dereference in device cleanup
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Set num IP blocks to 0 if discovery fails
Alysa Liu <Alysa.Liu@amd.com>
drm/amdgpu: Fix use-after-free race in VM acquire
Yang Wang <kevinyang.wang@amd.com>
drm/amd/pm: remove invalid gpu_metrics.energy_accumulator on smu v13.0.x
Kevin Hao <haokexin@gmail.com>
net: macb: Shuffle the tx ring before enabling tx
Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
net: dsa: microchip: Fix error path in PTP IRQ setup
Fan Wu <fanwu01@zju.edu.cn>
net: ethernet: arc: emac: quiesce interrupts before requesting IRQ
Jian Zhang <zhangjian.3032@bytedance.com>
net: ncsi: fix skb leak in error paths
Mehul Rao <mehulrao@gmail.com>
net: nexthop: fix percpu use-after-free in remove_nh_grp_entry
Johan Hovold <johan@kernel.org>
net: mctp: fix device leak on probe failure
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix use-after-free by using call_rcu() for oplock_info
Thorsten Blum <thorsten.blum@linux.dev>
ksmbd: Don't log keys in SMB3 signing and encryption key generation
Marios Makassikis <mmakassikis@freebox.fr>
smb: server: fix use-after-free in smb2_open()
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()
Hao Li <hao.li@linux.dev>
memcg: fix slab accounting in refill_obj_stock() trylock path
Vlastimil Babka <vbabka@suse.cz>
slab: distinguish lock and trylock for sheaf_flush_main()
Vasily Gorbik <gor@linux.ibm.com>
s390/xor: Fix xor_xc_5() inline assembly
Dillon Varone <Dillon.Varone@amd.com>
drm/amd/display: Fallback to boot snapshot for dispclk
Heiko Carstens <hca@linux.ibm.com>
s390/xor: Fix xor_xc_2() inline assembly constraints
Maximilian Pezzullo <maximilianpezzullo@gmail.com>
ata: libata-core: Disable LPM on ST1000DM010-2EP102
Heiko Carstens <hca@linux.ibm.com>
s390/stackleak: Fix __stackleak_poison() inline assembly constraint
Ashish Kalra <ashish.kalra@amd.com>
crypto: ccp - allow callers to use HV-Fixed page API when SEV is disabled
Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
drm/ttm: Fix ttm_pool_beneficial_order() return type
Maíra Canal <mcanal@igalia.com>
pmdomain: bcm: bcm2835-power: Fix broken reset status read
Franz Schnyder <franz.schnyder@toradex.com>
regulator: pf9453: Respect IRQ trigger settings from firmware
Pavel Begunkov <asml.silence@gmail.com>
io_uring/net: reject SEND_VECTORIZED when unsupported
Helge Deller <deller@gmx.de>
parisc: Check kernel mapping earlier at bootup
Piotr Jaroszynski <pjaroszynski@nvidia.com>
arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults
Helge Deller <deller@gmx.de>
parisc: Fix initial page table creation for boot
Pavel Begunkov <asml.silence@gmail.com>
io_uring/zcrx: use READ_ONCE with user shared RQEs
Sanman Pradhan <psanman@juniper.net>
hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
Catalin Marinas <catalin.marinas@arm.com>
arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation
Dave Airlie <airlied@redhat.com>
nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
Helge Deller <deller@gmx.de>
parisc: Increase initial mapping to 64 MB with KALLSYMS
Shawn Lin <shawn.lin@rock-chips.com>
pmdomain: rockchip: Fix PD_VCODEC for RK3588
Matt Roper <matthew.d.roper@intel.com>
drm/xe/xe2_hpg: Correct implementation of Wa_16025250150
Sven Eckelmann <sven@narfation.org>
batman-adv: Avoid double-rtnl_lock ELP metric worker
Eric Biggers <ebiggers@kernel.org>
net/tcp-md5: Fix MAC comparison to be constant-time
Shengming Hu <hu.shengming@zte.com.cn>
fgraph: Fix thresh_return nosleeptime double-adjust
Eric Biggers <ebiggers@kernel.org>
net/tcp-ao: Fix MAC comparison to be constant-time
Huiwen He <hehuiwen@kylinos.cn>
tracing: Fix syscall events activation by ensuring refcount hits zero
Shengming Hu <hu.shengming@zte.com.cn>
fgraph: Fix thresh_return clear per-task notrace
Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
ice: fix retry for AQ command 0x06EE
YiFei Zhu <zhuyifei@google.com>
net: Fix rcu_tasks stall in threaded busypoll
Long Li <longli@microsoft.com>
net: mana: Ring doorbell at 4 CQ wraparounds
Ariel Silver <arielsilver77@gmail.com>
media: dvb-net: fix OOB access in ULE extension header tables
Christian Brauner <brauner@kernel.org>
selftests: fix mntns iteration selftests
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pinctrl: cy8c95x0: Don't miss reading the last bank registers
Luka Gejak <luka.gejak@linux.dev>
staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
Artem Lytkin <iprintercanon@gmail.com>
staging: sm750fb: add missing pci_release_region on error and removal
Harry Yoo <harry.yoo@oracle.com>
mm/slab: fix an incorrect check in obj_exts_alloc_size()
Raul Pazemecxas De Andrade <raul_pazemecxas@hotmail.com>
mm/damon/core: clear walk_control on inactive context in damos_walk()
Zi Yan <ziy@nvidia.com>
mm/huge_memory: fix a folio_split() race condition with folio_try_get()
Pratyush Yadav (Google) <pratyush@kernel.org>
mm: memfd_luo: always dirty all folios
Pratyush Yadav (Google) <pratyush@kernel.org>
mm: memfd_luo: always make all folios uptodate
Jedrzej Jagielski <jedrzej.jagielski@intel.com>
ixgbevf: fix link setup issue
Eric Biggers <ebiggers@kernel.org>
kunit: irq: Ensure timer doesn't fire too frequently
Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
ice: reintroduce retry mechanism for indirect AQ
Christian Brauner <brauner@kernel.org>
nstree: tighten permission checks for listing
Christian Brauner <brauner@kernel.org>
nsfs: tighten permission checks for handle opening
Darrick J. Wong <djwong@kernel.org>
iomap: reject delalloc mappings during writeback
Joanne Koong <joannelkoong@gmail.com>
iomap: don't mark folio uptodate if read IO has bytes pending
Tejun Heo <tj@kernel.org>
sched_ext: Fix starvation of scx_enable() under fair-class saturation
Tejun Heo <tj@kernel.org>
sched_ext: Disable preemption between scx_claim_exit() and kicking helper work
Mark Harmstone <mark@harmstone.com>
btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies()
Marc Zyngier <maz@kernel.org>
irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
device property: Allow secondary lookup in fwnode_get_next_child_node()
Kuniyuki Iwashima <kuniyu@google.com>
nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit().
Catalin Marinas <catalin.marinas@arm.com>
arm64: gcs: Honour mprotect(PROT_NONE) on shadow stack mappings
Jiri Olsa <jolsa@kernel.org>
bpf: Fix kprobe_multi cookies access in show_fdinfo callback
Alexander Gordeev <agordeev@linux.ibm.com>
s390/pfault: Fix virtual vs physical address confusion
Shuicheng Lin <shuicheng.lin@intel.com>
drm/xe/sync: Cleanup partially initialized sync on parse failure
Shuicheng Lin <shuicheng.lin@intel.com>
drm/xe/sync: Fix user fence leak on alloc failure
Corey Minyard <corey@minyard.net>
ipmi:si: Fix check for a misbehaving BMC
Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
gpiolib: normalize the return value of gc->get() on behalf of buggy drivers
Jouni Högander <jouni.hogander@intel.com>
drm/i915/alpm: ALPM disable fixes
Dave Airlie <airlied@redhat.com>
nouveau/gsp: drop WARN_ON in ACPI probes
Corey Minyard <corey@minyard.net>
ipmi:si: Handle waiting messages when BMC failure detected
Franz Schnyder <franz.schnyder@toradex.com>
drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used
Osama Abdelkader <osama.abdelkader@gmail.com>
drm/bridge: samsung-dsim: Fix memory leak in error path
Corey Minyard <corey@minyard.net>
ipmi:si: Use a long timeout when the BMC is misbehaving
Corey Minyard <corey@minyard.net>
ipmi:si: Don't block module unload if the BMC is messed up
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Disable MES LR compute W/A
Sunil Khatri <sunil.khatri@amd.com>
drm/amdgpu: add upper bound check on user inputs in wait ioctl
Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
drm/amdgpu/userq: Fix reference leak in amdgpu_userq_wait_ioctl
Sunil Khatri <sunil.khatri@amd.com>
drm/amdgpu: add upper bound check on user inputs in signal ioctl
David Arcari <darcari@redhat.com>
cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request()
Christian Brauner <brauner@kernel.org>
kthread: consolidate kthread exit paths to prevent use-after-free
Pratyush Yadav (Google) <pratyush@kernel.org>
liveupdate: luo_file: remember retrieve() status
Christian Brauner <brauner@kernel.org>
nsfs: tighten permission checks for ns iteration ioctls
Thomas Hellström <thomas.hellstrom@linux.intel.com>
mm: Fix a hmm_range_fault() livelock / starvation problem
Axel Rasmussen <axelrasmussen@google.com>
Revert "ptdesc: remove references to folios from __pagetable_ctor() and pagetable_dtor()"
Xu Yang <xu.yang_2@nxp.com>
Revert "tcpm: allow looking for role_sw device in the main node"
Ilya Dryomov <idryomov@gmail.com>
libceph: admit message frames only in CEPH_CON_S_OPEN state
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Use u32 for non-negative values in ceph_monmap_decode()
Ilya Dryomov <idryomov@gmail.com>
libceph: prevent potential out-of-bounds reads in process_message_header()
Ilya Dryomov <idryomov@gmail.com>
libceph: reject preamble if control segment is empty
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
Max Kellermann <max.kellermann@ionos.com>
ceph: add a bunch of missing ceph_path_info initializers
Masami Hiramatsu (Google) <mhiramat@kernel.org>
kprobes: avoid crash when rmmod/insmod after ftrace killed
Liwei Song <liwei.song@windriver.com>
firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled
Mehul Rao <mehulrao@gmail.com>
tipc: fix divide-by-zero in tipc_sk_filter_connect()
Ravi Hothi <ravi.hothi@oss.qualcomm.com>
ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start
Penghe Geng <pgeng@nvidia.com>
mmc: core: Avoid bitfield RMW for claim/retune flags
Shawn Lin <shawn.lin@rock-chips.com>
mmc: dw_mmc-rockchip: Fix runtime PM support for internal phase support
Kamal Dasu <kamal.dasu@broadcom.com>
mmc: sdhci-brcmstb: use correct register offset for V1 pin_sel restore
Alexander Potapenko <glider@google.com>
mm/kfence: disable KFENCE upon KASAN HW tags enablement
Felix Gu <ustc.gu@gmail.com>
mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
Alexander Potapenko <glider@google.com>
mm/kfence: fix KASAN hardware tag faults during late enablement
Xingui Yang <yangxingui@huawei.com>
scsi: hisi_sas: Fix NULL pointer exception during user_scan()
Vladimir Riabchun <ferr.lambarginio@gmail.com>
scsi: qla2xxx: Completely fix fcport double free
Wang Shuaiwei <wangshuaiwei1@xiaomi.com>
scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend
Viktor Malik <vmalik@redhat.com>
powerpc, perf: Check that current->mm is alive before getting user callchain
Adrian Ng Ho Yin <adrianhoyin.ng@altera.com>
i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach
Thomas Gleixner <tglx@kernel.org>
sched/mmcid: Avoid full tasklist walks
Thomas Gleixner <tglx@kernel.org>
sched/mmcid: Remove pointless preempt guard
Thomas Gleixner <tglx@kernel.org>
sched/mmcid: Handle vfork()/CLONE_VM correctly
Thomas Gleixner <tglx@kernel.org>
sched/mmcid: Prevent CID stalls due to concurrent forks
Steven Rostedt <rostedt@goodmis.org>
time/jiffies: Mark jiffies_64_to_clock_t() notrace
Jessica Liu <liu.xuemei1@zte.com.cn>
irqchip/riscv-aplic: Register syscore operations only once
Jessica Liu <liu.xuemei1@zte.com.cn>
irqchip/riscv-aplic: Do not clear ACPI dependencies on probe failure
Nick Hu <nick.hu@sifive.com>
irqchip/riscv-aplic: Preserve APLIC states across suspend/resume
Josh Poimboeuf <jpoimboe@kernel.org>
objtool: Fix another stack overflow in validate_branch()
Josh Poimboeuf <jpoimboe@kernel.org>
objtool: Fix data alignment in elf_add_data()
Josh Poimboeuf <jpoimboe@kernel.org>
objtool/klp: Fix detection of corrupt static branch/call entries
Geoffrey D. Bennett <g@b4.vu>
ALSA: usb-audio: Improve Focusrite sample rate filtering
Max Kellermann <max.kellermann@ionos.com>
ceph: fix memory leaks in ceph_mdsc_build_path()
Hristo Venev <hristo@venev.name>
ceph: do not skip the first folio of the next object in writeback
Max Kellermann <max.kellermann@ionos.com>
ceph: fix i_nlink underrun during async unlink
Kalesh Singh <kaleshsingh@google.com>
mm/tracing: rss_stat: ensure curr is false from kthread context
Kuen-Han Tsai <khtsai@google.com>
usb: gadget: f_ncm: Fix net_device lifecycle with device_move
Kuen-Han Tsai <khtsai@google.com>
Revert "usb: gadget: u_ether: add gether_opts for config caching"
Kuen-Han Tsai <khtsai@google.com>
Revert "usb: gadget: f_ncm: align net_device lifecycle with bind/unbind"
Kuen-Han Tsai <khtsai@google.com>
Revert "usb: gadget: u_ether: Add auto-cleanup helper for freeing net_device"
Kuen-Han Tsai <khtsai@google.com>
Revert "usb: legacy: ncm: Fix NPE in gncm_bind"
Kuen-Han Tsai <khtsai@google.com>
Revert "usb: gadget: f_ncm: Fix atomic context locking issue"
Kuen-Han Tsai <khtsai@google.com>
usb: legacy: ncm: Fix NPE in gncm_bind
Kuen-Han Tsai <khtsai@google.com>
usb: gadget: f_ncm: Fix atomic context locking issue
Jiasheng Jiang <jiashengjiangcool@gmail.com>
usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
Ziyi Guo <n7l8m4@u.northwestern.edu>
usb: image: mdc800: kill download URB on timeout
Junzhong Pan <panjunzhong@linux.spacemit.com>
usb: gadget: uvc: fix interval_duration calculation
Oliver Neukum <oneukum@suse.com>
usb: mdc800: handle signal and read racing
John Keeping <jkeeping@inmusicbrands.com>
usb: gadget: f_hid: fix SuperSpeed descriptors
Fan Wu <fanwu01@zju.edu.cn>
usb: renesas_usbhs: fix use-after-free in ISR during device removal
Oliver Neukum <oneukum@suse.com>
usb: class: cdc-wdm: fix reordering issue in read code path
Alan Stern <stern@rowland.harvard.edu>
USB: core: Limit the length of unkillable synchronous timeouts
Alan Stern <stern@rowland.harvard.edu>
USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
Alan Stern <stern@rowland.harvard.edu>
USB: usbcore: Introduce usb_bulk_msg_killable()
RD Babiera <rdbabiera@google.com>
usb: typec: altmode/displayport: set displayport signaling rate in configure message
Xu Yang <xu.yang_2@nxp.com>
usb: roles: get usb role switch from parent only for usb-b-connector
Marc Zyngier <maz@kernel.org>
usb: cdc-acm: Restore CAP_BRK functionnality to CH343
Gabor Juhos <j4g8y7@gmail.com>
usb: core: don't power off roothub PHYs if phy_set_mode() fails
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: misc: uss720: properly clean up reference in uss720_probe()
Heikki Krogerus <heikki.krogerus@linux.intel.com>
usb: dwc3: pci: add support for the Intel Nova Lake -H
Oliver Neukum <oneukum@suse.com>
usb: yurex: fix race in probe
Mathias Nyman <mathias.nyman@linux.intel.com>
xhci: Fix NULL pointer dereference when reading portli debugfs files
Dayu Jiang <jiangdayu@xiaomi.com>
usb: xhci: Prevent interrupt storm on host controller error (HCE)
Zilin Guan <zilin@seu.edu.cn>
usb: xhci: Fix memory leak in xhci_disable_slot()
Vyacheslav Vahnenko <vahnenko2003@gmail.com>
USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed
Christoffer Sandberg <cs@tuxedo.de>
usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
A1RM4X <dev@a1rm4x.com>
USB: add QUIRK_NO_BOS for video capture several devices
Marc Zyngier <maz@kernel.org>
KVM: arm64: pkvm: Don't reprobe for ICH_VTR_EL2.TDS on CPU hotplug
Marc Zyngier <maz@kernel.org>
KVM: arm64: vgic: Pick EOIcount deactivations from AP-list tail
Marc Zyngier <maz@kernel.org>
KVM: arm64: pkvm: Fallback to level-3 mapping on host stage-2 fault
Sean Christopherson <seanjc@google.com>
KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
Sean Christopherson <seanjc@google.com>
KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC
Jim Mattson <jmattson@google.com>
KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM
Marc Zyngier <maz@kernel.org>
KVM: arm64: Fix protected mode handling of pages larger than 4kB
Zhang Heng <zhangheng@kylinos.cn>
ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA
Pedro Falcato <pfalcato@suse.de>
ata: libata-core: Add BRIDGE_OK quirk for QEMU drives
Alexandre Courbot <acourbot@nvidia.com>
rust: str: make NullTerminatedFormatter public
Gary Guo <gary@garyguo.net>
rust: kbuild: emit dep-info into $(depfile) directly
Miguel Ojeda <ojeda@kernel.org>
rust: kbuild: allow `unused_features`
Alice Ryhl <aliceryhl@google.com>
rust_binder: call set_notification_done() without proc lock
Alice Ryhl <aliceryhl@google.com>
rust_binder: avoid reading the written value in offsets array
Alice Ryhl <aliceryhl@google.com>
rust_binder: check ownership before using vma
Carlos Llamas <cmllamas@google.com>
rust_binder: fix oneway spam detection
Johan Hovold <johan@kernel.org>
gpib: lpvo_usb: fix unintended binding of FTDI 8U232AM devices
Oleksij Rempel <o.rempel@pengutronix.de>
net: usb: lan78xx: skip LTM configuration for LAN7850
Oleksij Rempel <o.rempel@pengutronix.de>
net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect
Oleksij Rempel <o.rempel@pengutronix.de>
net: usb: lan78xx: fix TX byte statistics for small packets
Oleksij Rempel <o.rempel@pengutronix.de>
net: usb: lan78xx: fix silent drop of packets with checksum errors
Marc Kleine-Budde <mkl@pengutronix.de>
can: gs_usb: gs_can_open(): always configure bitrates before starting device
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
Mehul Rao <mehulrao@gmail.com>
ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
cgroup: Don't expose dead tasks in cgroup
Cheng-Yang Chou <yphbchou0911@gmail.com>
sched_ext: Remove redundant css_put() in scx_cgroup_init()
Qingye Zhao <zhaoqingye@honor.com>
cgroup: fix race between task migration and iteration
Perry Yuan <perry.yuan@amd.com>
drm/amdgpu: ensure no_hw_access is visible before MMIO
Seungjin Bae <eeodqql09@gmail.com>
usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
Andreas Kemnade <andreas@kemnade.info>
iio: imu: inv-mpu9150: fix irq ack preventing irq storms
Eric Dumazet <edumazet@google.com>
net: prevent NULL deref in ip[6]tunnel_xmit()
Alok Tiwari <alok.a.tiwari@oracle.com>
octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status
Alok Tiwari <alok.a.tiwari@oracle.com>
octeontx2-af: devlink: fix NIX RAS reporter recovery condition
Chintan Vankar <c-vankar@ti.com>
net: ethernet: ti: am65-cpsw-nuss: Fix rx_filter value for PTP support
Shiraz Saleem <shirazsaleem@microsoft.com>
net/mana: Null service_wq on setup error to prevent double destroy
Sabrina Dubroca <sd@queasysnail.net>
neighbour: restore protocol != 0 check in pneigh update
Marek Behún <kabel@kernel.org>
net: dsa: realtek: Fix LED group port bit for non-zero LED group
Ricardo B. Marlière <rbm@suse.com>
net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
Chuck Lever <chuck.lever@oracle.com>
perf synthetic-events: Fix stale build ID in module MMAP2 records
Tom Ryan <ryan36005@gmail.com>
io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops
Chen Ni <nichen@iscas.ac.cn>
ASoC: amd: acp-mach-common: Add missing error check for clock acquisition
Philip Yang <Philip.Yang@amd.com>
drm/amdkfd: Unreserve bo if queue update failed
Casey Connolly <casey.connolly@linaro.org>
ASoC: detect empty DMI strings
Chen Ni <nichen@iscas.ac.cn>
ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
Ben Dooks <ben.dooks@codethink.co.uk>
ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address()
Nicolai Buchwitz <nb@tipi-net.de>
net: bcmgenet: fix broken EEE by converting to phylib-managed state
Jakub Kicinski <kuba@kernel.org>
page_pool: store detach_time as ktime_t to avoid false-negatives
Matt Vollrath <tactii@gmail.com>
e1000/e1000e: Fix leak in DMA error cleanup
Alok Tiwari <alok.a.tiwari@oracle.com>
i40e: fix src IP mask checks and memcpy argument names in cloud filter
Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
ASoC: codecs: rt1011: Use component to get the dapm context in spk_mode_put
Lizhi Hou <lizhi.hou@amd.com>
accel/amdxdna: Fix runtime suspend deadlock when there is pending job
Petr Oros <poros@redhat.com>
iavf: fix incorrect reset handling in callbacks
Petr Oros <poros@redhat.com>
iavf: fix PTP use-after-free during reset
Nikolay Aleksandrov <razor@blackwall.org>
drivers: net: ice: fix devlink parameters get without irdma
Sungwoo Kim <iam@sung-woo.kim>
nvme-pci: Fix race bug in nvme_poll_irqdisable()
Sungwoo Kim <iam@sung-woo.kim>
nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
sched: idle: Make skipping governor callbacks more consistent
Chen Ni <nichen@iscas.ac.cn>
perf ftrace: Fix hashmap__new() error checking
Peng Fan <peng.fan@nxp.com>
regulator: pca9450: Correct probed name for PCA9452
Peng Fan <peng.fan@nxp.com>
regulator: pca9450: Correct interrupt type
Chen Ni <nichen@iscas.ac.cn>
perf annotate: Fix hashmap__new() error checking
Yuan Tan <tanyuan98@outlook.com>
netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
Hyunwoo Kim <imv4bel@gmail.com>
netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
Hyunwoo Kim <imv4bel@gmail.com>
netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
David Dull <monderasdor@gmail.com>
netfilter: x_tables: guard option walkers against 1-byte tail reads
Jenny Guanni Qu <qguanni@gmail.com>
netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
Florian Westphal <fw@strlen.de>
netfilter: nf_tables: always walk all pending catchall elements
Phil Sutter <phil@nwl.cc>
netfilter: nf_tables: Fix for duplicate device in netdev hooks
Weiming Shi <bestswngs@gmail.com>
net: add xmit recursion limit to tunnel xmit functions
Raju Rangoju <Raju.Rangoju@amd.com>
amd-xgbe: reset PHY settings before starting PHY
Raju Rangoju <Raju.Rangoju@amd.com>
amd-xgbe: prevent CRC errors during RX adaptation with AN disabled
Raju Rangoju <Raju.Rangoju@amd.com>
amd-xgbe: fix link status handling in xgbe_rx_adaptation
Chengfeng Ye <dg573847474@gmail.com>
mctp: route: hold key->lock in mctp_flow_prepare_output()
Jiayuan Chen <jiayuan.chen@shopee.com>
bonding: fix type confusion in bond_setup_by_slave()
Wenyuan Li <2063309626@qq.com>
can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value
Haiyue Wang <haiyuewa@163.com>
mctp: i2c: fix skb memory leak in receive path
Wei Fang <wei.fang@nxp.com>
net: enetc: do not skip setting LaBCR[MDIO_PHYAD_PRTAD] for addr 0
Wei Fang <wei.fang@nxp.com>
net: enetc: fix incorrect fallback PHY address handling
Arun R Murthy <arun.r.murthy@intel.com>
drm/i915/dp: Read ALPM caps after DPCD init
Pavan Chebbi <pavan.chebbi@broadcom.com>
bnxt_en: Fix RSS table size check when changing ethtool channels
Shuangpeng Bai <shuangpeng.kernel@gmail.com>
serial: caif: hold tty->link reference in ldisc_open and ser_release
Álvaro Fernández Rojas <noltari@gmail.com>
net: sfp: improve Huawei MA5671a fixup
Sen Wang <sen@ti.com>
ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays
matteo.cotifava <cotifavamatteo@gmail.com>
ASoC: soc-core: flush delayed work before removing DAIs and widgets
matteo.cotifava <cotifavamatteo@gmail.com>
ASoC: soc-core: drop delayed_work_pending() check before flush
Felix Gu <ustc.gu@gmail.com>
spi: rockchip-sfc: Fix double-free in remove() callback
Felix Gu <ustc.gu@gmail.com>
spi: amlogic: spifc-a4: Fix DMA mapping error handling
Richard Fitzgerald <rf@opensource.cirrus.com>
firmware: cs_dsp: Fix fragmentation regression in firmware download
David Lechner <dlechner@baylibre.com>
drm/sitronix/st7586: fix bad pixel data due to byte swap
Vivian Wang <wangruikang@iscas.ac.cn>
net: spacemit: Fix error handling in emac_tx_mem_map()
Vivian Wang <wangruikang@iscas.ac.cn>
net: spacemit: Fix error handling in emac_alloc_rx_desc_buffers()
Miaoqian Lin <linmq006@gmail.com>
rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer()
Weiming Shi <bestswngs@gmail.com>
net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
Dragos Tatulea <dtatulea@nvidia.com>
net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ
Dragos Tatulea <dtatulea@nvidia.com>
net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ
Gal Pressman <gal@nvidia.com>
net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
Carolina Jubran <cjubran@nvidia.com>
net/mlx5: Fix peer miss rules host disabled checks
Patrisious Haddad <phaddad@nvidia.com>
net/mlx5: Fix crash when moving to switchdev mode
Cosmin Ratiu <cratiu@nvidia.com>
net/mlx5: Fix deadlock between devlink lock and esw->wq
Hangbin Liu <liuhangbin@gmail.com>
bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states
Hangbin Liu <liuhangbin@gmail.com>
bonding: do not set usable_slaves for broadcast mode
Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
drm/amdgpu: Fix kernel-doc comments for some LUT properties
Yang Wang <kevinyang.wang@amd.com>
drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v14
Yang Wang <kevinyang.wang@amd.com>
drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v13
Pengyu Luo <mitltlatltl@gmail.com>
drm/msm/dsi: fix pclk rate calculation for bonded dsi
Mieczyslaw Nalewaj <namiltd@yahoo.com>
net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets
Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
dt-bindings: display/msm: qcom,sm8750-mdss: Fix model typo
Akhil P Oommen <akhilpo@oss.qualcomm.com>
drm/msm/a8xx: Fix ubwc config related to swizzling
Peter Collingbourne <pcc@google.com>
perf disasm: Fix off-by-one bug in outside check
Breno Leitao <leitao@debian.org>
workqueue: Use POOL_BH instead of WQ_BH when checking pool flags
Akhil P Oommen <akhilpo@oss.qualcomm.com>
drm/msm/a6xx: Fix the bogus protect error on X2-85
Sun YangKai <sunk67188@gmail.com>
btrfs: hold space_info->lock when clearing periodic reclaim ready
Eric Badger <ebadger@purestorage.com>
xprtrdma: Decrement re_receiving on the early exit paths
Pengyu Luo <mitltlatltl@gmail.com>
drm/msm/dsi: fix hdisplay calculation when programming dsi registers
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
drm/msm/dpu: Fix LM size on a number of platforms
Roberto Bergantinos Corpas <rbergant@redhat.com>
nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Check max frame size for implicit feedback mode, too
sguttula <suresh.guttula@amd.com>
drm/amdgpu/vcn5: Add SMU dpm interface type
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0
wangshuaiwei <wangshuaiwei1@xiaomi.com>
scsi: ufs: core: Fix shift out of bounds when MAXQ=32
Peter Wang <peter.wang@mediatek.com>
scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
Charles Keepax <ckeepax@opensource.cirrus.com>
ASoC: cs42l43: Report insert for exotic peripherals
Azamat Almazbek uulu <almazbek1608@gmail.com>
ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table
Tomas Henzl <thenzl@redhat.com>
scsi: ses: Fix devices attaching to different hosts
Sofia Schneider <sofia@schn.dev>
ACPI: OSI: Add DMI quirk for Acer Aspire One D255
Ramanathan Choodamani <quic_rchoodam@quicinc.com>
wifi: mac80211: set default WMM parameters on all links
Al Viro <viro@zeniv.linux.org.uk>
unshare: fix unshare_fs() handling
Sean Rhodes <sean@starlabs.systems>
ALSA: hda/realtek: Fix speaker pop on Star Labs StarFighter
Ranjan Kumar <ranjan.kumar@broadcom.com>
scsi: mpi3mr: Add NULL checks when resetting request and reply queues
Edward Adam Davis <eadavis@qq.com>
fs: init flags_valid before calling vfs_fileattr_get
Won Jung <wone.jung@samsung.com>
scsi: ufs: core: Reset urgent_bkops_lvl to allow runtime PM power mode
Piotr Mazek <pmazek@outlook.com>
ACPI: PM: Save NVS memory on Lenovo G70-35
Jan Kiszka <jan.kiszka@siemens.com>
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
Guenter Roeck <linux@roeck-us.net>
smb/server: Fix another refcount leak in smb2_open()
J. Neuschäfer <j.ne@posteo.net>
powerpc: 83xx: km83xx: Fix keymile vendor prefix
Tzung-Bi Shih <tzungbi@kernel.org>
remoteproc: mediatek: Unprepare SCP clock during system suspend
Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
remoteproc: sysmon: Correct subsys_name_len type in QMI request
Sourabh Jain <sourabhjain@linux.ibm.com>
powerpc/crash: adjust the elfcorehdr size
Sourabh Jain <sourabhjain@linux.ibm.com>
powerpc/kexec/core: use big-endian types for crash variables
Christophe Leroy (CS GROUP) <chleroy@kernel.org>
powerpc/uaccess: Fix inline assembly for clang build on PPC32
Rob Herring (Arm) <robh@kernel.org>
remoteproc: qcom_wcnss: Fix reserved region mapping failure
-------------
Diffstat:
.../bindings/display/msm/dp-controller.yaml | 21 ++-
.../bindings/display/msm/qcom,glymur-mdss.yaml | 16 +-
.../bindings/display/msm/qcom,sm8750-mdss.yaml | 2 +-
Documentation/virt/kvm/api.rst | 8 +
Makefile | 5 +-
arch/arm64/include/asm/kvm_host.h | 3 +
arch/arm64/include/asm/pgtable-prot.h | 10 +-
arch/arm64/kernel/cpufeature.c | 9 +
arch/arm64/kvm/hyp/nvhe/mem_protect.c | 2 +-
arch/arm64/kvm/mmu.c | 12 +-
arch/arm64/kvm/vgic/vgic-init.c | 34 ++--
arch/arm64/kvm/vgic/vgic-v2.c | 4 +-
arch/arm64/kvm/vgic/vgic-v3.c | 12 +-
arch/arm64/kvm/vgic/vgic.c | 6 +
arch/arm64/mm/contpte.c | 53 +++++-
arch/arm64/mm/mmap.c | 6 +-
arch/parisc/include/asm/pgtable.h | 2 +-
arch/parisc/kernel/head.S | 7 +-
arch/parisc/kernel/setup.c | 20 ++-
arch/powerpc/include/asm/uaccess.h | 2 +-
arch/powerpc/kexec/core.c | 17 +-
arch/powerpc/kexec/file_load_64.c | 14 +-
arch/powerpc/net/bpf_jit_comp.c | 30 ++--
arch/powerpc/net/bpf_jit_comp64.c | 101 ++++++++++-
arch/powerpc/perf/callchain.c | 5 +
arch/powerpc/perf/callchain_32.c | 1 -
arch/powerpc/perf/callchain_64.c | 1 -
arch/powerpc/platforms/83xx/km83xx.c | 4 +-
arch/powerpc/platforms/pseries/msi.c | 2 +-
arch/s390/include/asm/processor.h | 2 +-
arch/s390/lib/xor.c | 5 +-
arch/s390/mm/pfault.c | 4 +-
arch/x86/include/asm/kvm_host.h | 3 +-
arch/x86/include/uapi/asm/kvm.h | 1 +
arch/x86/kernel/apic/apic.c | 6 +
arch/x86/kvm/svm/avic.c | 9 +-
arch/x86/kvm/svm/svm.c | 9 +-
arch/x86/kvm/vmx/nested.c | 22 ++-
drivers/accel/amdxdna/aie2_ctx.c | 14 +-
drivers/accel/amdxdna/amdxdna_ctx.c | 10 ++
drivers/acpi/osi.c | 13 ++
drivers/acpi/osl.c | 2 +-
drivers/acpi/sleep.c | 8 +
drivers/android/binder/page_range.rs | 83 ++++++---
drivers/android/binder/process.rs | 3 +-
drivers/android/binder/range_alloc/array.rs | 35 +++-
drivers/android/binder/range_alloc/mod.rs | 4 +-
drivers/android/binder/range_alloc/tree.rs | 18 +-
drivers/android/binder/thread.rs | 17 +-
drivers/ata/libata-core.c | 2 +
drivers/base/property.c | 27 ++-
drivers/block/ublk_drv.c | 12 +-
drivers/char/ipmi/ipmi_si_intf.c | 37 ++--
drivers/cpufreq/intel_pstate.c | 4 +-
drivers/cpuidle/cpuidle.c | 10 --
drivers/crypto/ccp/sev-dev.c | 10 +-
drivers/cxl/Kconfig | 1 +
drivers/firmware/cirrus/cs_dsp.c | 24 ++-
drivers/firmware/stratix10-rsu.c | 2 +
drivers/gpib/lpvo_usb_gpib/lpvo_usb_gpib.c | 7 +-
drivers/gpio/gpiolib.c | 8 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 17 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h | 16 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 14 ++
drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 5 -
drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 5 -
drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 4 +
.../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 1 +
.../drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 6 +-
.../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 11 +-
.../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 6 +-
.../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 3 +-
drivers/gpu/drm/bridge/samsung-dsim.c | 25 ++-
drivers/gpu/drm/bridge/ti-sn65dsi83.c | 13 +-
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 6 +-
drivers/gpu/drm/i915/display/intel_alpm.c | 13 +-
drivers/gpu/drm/i915/display/intel_display.c | 1 -
drivers/gpu/drm/i915/display/intel_dp.c | 7 +
drivers/gpu/drm/i915/display/intel_psr.c | 50 ++++--
drivers/gpu/drm/i915/display/intel_vrr.c | 14 ++
drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 12 +-
drivers/gpu/drm/msm/adreno/a2xx_gpummu.c | 2 +-
drivers/gpu/drm/msm/adreno/a6xx_catalog.c | 3 +-
drivers/gpu/drm/msm/adreno/a8xx_gpu.c | 14 +-
.../drm/msm/disp/dpu1/catalog/dpu_8_0_sc8280xp.h | 12 +-
.../gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h | 12 +-
.../drm/msm/disp/dpu1/catalog/dpu_8_4_sa8775p.h | 4 +-
.../gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h | 12 +-
.../drm/msm/disp/dpu1/catalog/dpu_9_1_sar2130p.h | 12 +-
.../drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h | 12 +-
drivers/gpu/drm/msm/dsi/dsi_host.c | 43 +++--
drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +
.../gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/gsp.c | 12 +-
drivers/gpu/drm/sitronix/st7586.c | 15 +-
drivers/gpu/drm/ttm/ttm_pool_internal.h | 2 +-
drivers/gpu/drm/xe/xe_sync.c | 30 +++-
drivers/gpu/drm/xe/xe_wa.c | 13 +-
drivers/hwmon/pmbus/q54sj108a2.c | 19 ++-
drivers/i3c/master/dw-i3c-master.c | 4 +-
drivers/i3c/master/mipi-i3c-hci/cmd.h | 1 +
drivers/i3c/master/mipi-i3c-hci/cmd_v1.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/cmd_v2.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/core.c | 9 +-
drivers/i3c/master/mipi-i3c-hci/dma.c | 94 +++++++----
drivers/i3c/master/mipi-i3c-hci/hci.h | 2 +
drivers/i3c/master/mipi-i3c-hci/pio.c | 16 +-
drivers/iio/chemical/bme680_core.c | 2 +-
drivers/iio/chemical/sps30_i2c.c | 2 +-
drivers/iio/chemical/sps30_serial.c | 2 +-
drivers/iio/dac/ds4424.c | 2 +-
drivers/iio/frequency/adf4377.c | 2 +-
drivers/iio/gyro/mpu3050-core.c | 18 +-
drivers/iio/gyro/mpu3050-i2c.c | 3 +-
drivers/iio/imu/adis.c | 2 +-
drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 2 +
drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c | 4 +
drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 2 +
drivers/iio/imu/inv_icm45600/inv_icm45600.h | 2 +-
drivers/iio/imu/inv_icm45600/inv_icm45600_core.c | 11 +-
drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 8 +
drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 2 +
drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c | 5 +-
drivers/iio/industrialio-buffer.c | 6 +-
drivers/iio/light/bh1780.c | 2 +-
drivers/iio/magnetometer/tlv493d.c | 2 +-
drivers/iio/potentiometer/mcp4131.c | 2 +-
drivers/iio/proximity/hx9023s.c | 6 +-
drivers/irqchip/irq-gic-v3-its.c | 4 +
drivers/irqchip/irq-riscv-aplic-direct.c | 10 ++
drivers/irqchip/irq-riscv-aplic-main.c | 187 ++++++++++++++++++++-
drivers/irqchip/irq-riscv-aplic-main.h | 19 +++
drivers/media/dvb-core/dvb_net.c | 3 +
drivers/mmc/host/dw_mmc-rockchip.c | 38 ++++-
drivers/mmc/host/mmci_qcom_dml.c | 1 +
drivers/mmc/host/sdhci-brcmstb.c | 2 +-
drivers/net/bonding/bond_main.c | 70 +++++++-
drivers/net/caif/caif_serial.c | 3 +
drivers/net/can/dev/calc_bittiming.c | 2 +-
drivers/net/can/spi/hi311x.c | 5 +-
drivers/net/can/usb/gs_usb.c | 22 ++-
drivers/net/dsa/microchip/ksz_ptp.c | 11 +-
drivers/net/dsa/realtek/rtl8365mb.c | 3 +-
drivers/net/dsa/realtek/rtl8366rb-leds.c | 6 +-
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 19 ++-
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 82 ++++++++-
drivers/net/ethernet/amd/xgbe/xgbe.h | 4 +
drivers/net/ethernet/arc/emac_main.c | 11 ++
drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 4 +-
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 31 ++--
drivers/net/ethernet/broadcom/genet/bcmgenet.h | 5 +-
drivers/net/ethernet/broadcom/genet/bcmmii.c | 10 +-
drivers/net/ethernet/cadence/macb_main.c | 98 ++++++++++-
.../net/ethernet/freescale/enetc/netc_blk_ctrl.c | 24 ++-
drivers/net/ethernet/intel/e1000/e1000_main.c | 2 -
drivers/net/ethernet/intel/e1000e/netdev.c | 2 -
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 +-
drivers/net/ethernet/intel/iavf/iavf.h | 3 +-
drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 19 +--
drivers/net/ethernet/intel/iavf/iavf_main.c | 81 +++------
drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 1 -
drivers/net/ethernet/intel/ice/devlink/devlink.c | 4 +-
drivers/net/ethernet/intel/ice/ice_common.c | 13 +-
drivers/net/ethernet/intel/ice/ice_ethtool.c | 35 ++--
drivers/net/ethernet/intel/ixgbevf/vf.c | 3 +-
.../ethernet/marvell/octeontx2/af/rvu_devlink.c | 6 +-
.../ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 -
.../mellanox/mlx5/core/en_accel/ipsec_fs.c | 2 +-
drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 23 +--
drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 7 +-
drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 2 +
.../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 45 ++---
drivers/net/ethernet/microsoft/mana/gdma_main.c | 1 +
drivers/net/ethernet/microsoft/mana/mana_en.c | 23 ++-
drivers/net/ethernet/spacemit/k1_emac.c | 19 ++-
drivers/net/ethernet/ti/am65-cpsw-nuss.c | 16 +-
drivers/net/ethernet/ti/am65-cpsw-nuss.h | 2 +-
drivers/net/mctp/mctp-i2c.c | 1 +
drivers/net/mctp/mctp-usb.c | 3 +-
drivers/net/phy/sfp.c | 8 +-
drivers/net/usb/lan78xx.c | 12 +-
drivers/net/usb/lan78xx.h | 3 +
drivers/net/usb/qmi_wwan.c | 4 +-
drivers/net/usb/usbnet.c | 7 +-
drivers/nvme/host/pci.c | 8 +-
drivers/pinctrl/pinctrl-cy8c95x0.c | 4 +-
drivers/pmdomain/bcm/bcm2835-power.c | 6 +-
drivers/pmdomain/rockchip/pm-domains.c | 2 +-
drivers/regulator/pca9450-regulator.c | 14 +-
drivers/regulator/pf9453-regulator.c | 2 +-
drivers/remoteproc/mtk_scp.c | 39 +++++
drivers/remoteproc/qcom_sysmon.c | 2 +-
drivers/remoteproc/qcom_wcnss.c | 2 +-
drivers/s390/block/dasd_eckd.c | 16 ++
drivers/s390/crypto/zcrypt_ccamisc.c | 12 +-
drivers/s390/crypto/zcrypt_cex4.c | 3 +-
drivers/scsi/hisi_sas/hisi_sas_main.c | 2 +-
drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 2 +-
drivers/scsi/mpi3mr/mpi3mr_fw.c | 32 ++--
drivers/scsi/qla2xxx/qla_iocb.c | 2 -
drivers/scsi/scsi_scan.c | 8 +-
drivers/scsi/ses.c | 5 +-
drivers/scsi/storvsc_drv.c | 5 +-
drivers/spi/spi-amlogic-spifc-a4.c | 5 +-
drivers/spi/spi-rockchip-sfc.c | 2 +-
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 +-
drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 +-
drivers/staging/sm750fb/sm750.c | 1 +
drivers/staging/sm750fb/sm750_hw.c | 22 +--
drivers/ufs/core/ufshcd.c | 11 +-
drivers/usb/class/cdc-acm.c | 5 +
drivers/usb/class/cdc-acm.h | 1 +
drivers/usb/class/cdc-wdm.c | 4 +-
drivers/usb/class/usbtmc.c | 6 +-
drivers/usb/core/message.c | 100 ++++++++---
drivers/usb/core/phy.c | 8 +-
drivers/usb/core/quirks.c | 16 ++
drivers/usb/dwc3/dwc3-pci.c | 2 +
drivers/usb/gadget/function/f_hid.c | 4 +
drivers/usb/gadget/function/f_mass_storage.c | 12 +-
drivers/usb/gadget/function/f_ncm.c | 144 +++++++++-------
drivers/usb/gadget/function/f_tcm.c | 14 ++
drivers/usb/gadget/function/u_ether.c | 67 +++-----
drivers/usb/gadget/function/u_ether.h | 56 +++---
drivers/usb/gadget/function/u_ether_configfs.h | 176 -------------------
drivers/usb/gadget/function/u_ncm.h | 4 +-
drivers/usb/gadget/function/uvc_video.c | 2 +-
drivers/usb/host/xhci-debugfs.c | 10 +-
drivers/usb/host/xhci-ring.c | 1 +
drivers/usb/host/xhci.c | 4 +-
drivers/usb/image/mdc800.c | 6 +-
drivers/usb/misc/uss720.c | 2 +-
drivers/usb/misc/yurex.c | 2 +-
drivers/usb/renesas_usbhs/common.c | 9 +
drivers/usb/roles/class.c | 7 +-
drivers/usb/typec/altmodes/displayport.c | 7 +-
drivers/usb/typec/tcpm/tcpm.c | 2 +-
fs/afs/addr_list.c | 8 +-
fs/btrfs/extent_io.c | 1 +
fs/btrfs/inode.c | 19 +++
fs/btrfs/ioctl.c | 24 ++-
fs/btrfs/space-info.c | 5 +-
fs/btrfs/transaction.c | 16 ++
fs/btrfs/uuid-tree.c | 38 +++++
fs/btrfs/uuid-tree.h | 2 +
fs/btrfs/volumes.c | 6 +-
fs/ceph/addr.c | 1 -
fs/ceph/debugfs.c | 4 +-
fs/ceph/dir.c | 17 +-
fs/ceph/file.c | 4 +-
fs/ceph/inode.c | 2 +-
fs/ceph/mds_client.c | 3 +
fs/file_attr.c | 2 +-
fs/iomap/buffered-io.c | 15 +-
fs/iomap/ioend.c | 13 +-
fs/nfs/nfs3proc.c | 7 +-
fs/nfsd/nfsctl.c | 2 +-
fs/nsfs.c | 15 +-
fs/smb/client/cifsglob.h | 11 ++
fs/smb/client/dir.c | 1 +
fs/smb/client/file.c | 18 +-
fs/smb/client/fs_context.c | 2 +-
fs/smb/client/smb2ops.c | 14 +-
fs/smb/client/smb2pdu.c | 5 +-
fs/smb/server/auth.c | 22 +--
fs/smb/server/oplock.c | 35 ++--
fs/smb/server/oplock.h | 5 +-
fs/smb/server/smb2pdu.c | 8 +-
fs/xfs/libxfs/xfs_defer.c | 2 +-
fs/xfs/xfs_bmap_item.c | 2 +-
fs/xfs/xfs_dquot.c | 8 +-
fs/xfs/xfs_log.c | 2 +
include/kunit/run-in-irq-context.h | 44 +++--
include/linux/damon.h | 10 +-
include/linux/io_uring_types.h | 1 +
include/linux/irqchip/arm-gic-v3.h | 1 +
include/linux/kthread.h | 21 ++-
include/linux/liveupdate.h | 9 +-
include/linux/migrate.h | 10 +-
include/linux/mm.h | 17 +-
include/linux/mmc/host.h | 9 +-
include/linux/netdevice.h | 32 ++++
include/linux/ns_common.h | 2 +
include/linux/rseq_types.h | 6 +-
include/linux/sched.h | 2 -
include/linux/usb.h | 8 +-
include/linux/usb/usbnet.h | 1 +
include/net/ip6_tunnel.h | 14 ++
include/net/ip_tunnels.h | 7 +
include/net/page_pool/types.h | 2 +-
include/trace/events/kmem.h | 8 +-
io_uring/eventfd.c | 10 +-
io_uring/io_uring.c | 26 ++-
io_uring/kbuf.c | 13 +-
io_uring/net.c | 2 +
io_uring/register.c | 12 ++
io_uring/zcrx.c | 5 +-
kernel/cgroup/cgroup.c | 7 +
kernel/exit.c | 6 +
kernel/fork.c | 5 +-
kernel/kprobes.c | 8 +-
kernel/kthread.c | 41 +----
kernel/liveupdate/luo_file.c | 41 +++--
kernel/nscommon.c | 6 +
kernel/nstree.c | 29 +---
kernel/sched/core.c | 81 ++++-----
kernel/sched/ext.c | 84 +++++++--
kernel/sched/idle.c | 11 +-
kernel/time/time.c | 2 +-
kernel/trace/bpf_trace.c | 4 +-
kernel/trace/trace.c | 6 +-
kernel/trace/trace_events.c | 58 +++++--
kernel/trace/trace_functions_graph.c | 19 ++-
kernel/workqueue.c | 2 +-
lib/bootconfig.c | 6 +-
mm/damon/core.c | 79 +++++----
mm/damon/lru_sort.c | 4 +-
mm/damon/reclaim.c | 4 +-
mm/damon/stat.c | 2 +-
mm/damon/sysfs.c | 11 +-
mm/damon/tests/vaddr-kunit.h | 2 +-
mm/damon/vaddr.c | 24 +--
mm/filemap.c | 15 +-
mm/huge_memory.c | 13 +-
mm/kfence/core.c | 29 +++-
mm/memcontrol.c | 2 +-
mm/memfd_luo.c | 56 +++++-
mm/memory.c | 3 +-
mm/migrate.c | 8 +-
mm/migrate_device.c | 2 +-
mm/page_alloc.c | 3 +-
mm/slub.c | 54 ++++--
net/batman-adv/bat_v_elp.c | 10 +-
net/batman-adv/hard-interface.c | 8 +-
net/batman-adv/hard-interface.h | 1 +
net/ceph/auth.c | 6 +-
net/ceph/messenger_v2.c | 31 ++--
net/ceph/mon_client.c | 6 +-
net/core/dev.c | 17 +-
net/core/dev.h | 35 ----
net/core/neighbour.c | 3 +-
net/core/page_pool_user.c | 4 +-
net/ipv4/Kconfig | 2 +
net/ipv4/ip_tunnel_core.c | 15 ++
net/ipv4/nexthop.c | 14 +-
net/ipv4/tcp.c | 3 +-
net/ipv4/tcp_ao.c | 3 +-
net/ipv4/tcp_ipv4.c | 3 +-
net/ipv6/tcp_ipv6.c | 3 +-
net/mac80211/link.c | 2 +
net/mctp/route.c | 13 +-
net/ncsi/ncsi-aen.c | 3 +-
net/ncsi/ncsi-rsp.c | 16 +-
net/netfilter/nf_tables_api.c | 4 +-
net/netfilter/nfnetlink_cthelper.c | 8 +-
net/netfilter/nfnetlink_queue.c | 4 +-
net/netfilter/nft_chain_filter.c | 2 +-
net/netfilter/nft_set_pipapo.c | 3 +-
net/netfilter/xt_IDLETIMER.c | 6 +
net/netfilter/xt_dccp.c | 4 +-
net/netfilter/xt_tcpudp.c | 6 +-
net/rxrpc/af_rxrpc.c | 8 +-
net/sched/sch_teql.c | 1 +
net/shaper/shaper.c | 11 +-
net/sunrpc/xprtrdma/verbs.c | 7 +-
net/tipc/socket.c | 2 +
rust/Makefile | 6 +-
rust/kernel/str.rs | 4 +-
sound/core/pcm_native.c | 19 ++-
sound/hda/codecs/realtek/alc269.c | 25 +++
sound/soc/amd/acp/acp-mach-common.c | 18 +-
sound/soc/amd/acp3x-rt5682-max9836.c | 9 +-
sound/soc/amd/yc/acp6x-mach.c | 14 ++
sound/soc/codecs/cs42l43-jack.c | 1 +
sound/soc/codecs/rt1011.c | 2 +-
sound/soc/generic/simple-card-utils.c | 12 +-
sound/soc/qcom/qdsp6/q6apm-dai.c | 1 +
sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 1 +
sound/soc/qcom/qdsp6/q6apm.c | 1 +
sound/soc/soc-core.c | 11 +-
sound/usb/endpoint.c | 1 +
sound/usb/format.c | 70 +++++++-
sound/usb/mixer_scarlett2.c | 2 +
sound/usb/quirks.c | 2 +
tools/objtool/check.c | 10 +-
tools/objtool/elf.c | 2 +-
tools/objtool/klp-diff.c | 3 +
tools/perf/builtin-ftrace.c | 9 +-
tools/perf/util/annotate.c | 5 +-
tools/perf/util/disasm.c | 2 +-
tools/perf/util/synthetic-events.c | 5 +
.../selftests/filesystems/nsfs/iterate_mntns.c | 25 +--
393 files changed, 3522 insertions(+), 1769 deletions(-)
* [PATCH 6.19 001/378] remoteproc: qcom_wcnss: Fix reserved region mapping failure
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 002/378] powerpc/uaccess: Fix inline assembly for clang build on PPC32 Greg Kroah-Hartman
` (383 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski,
André Apitzsch, Rob Herring (Arm), Bjorn Andersson,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Herring (Arm) <robh@kernel.org>
[ Upstream commit f9b888599418951b8229bbb28851ed4da50c58e9 ]
Commit c70b9d5fdcd7 ("remoteproc: qcom: Use of_reserved_mem_region_*
functions for "memory-region"") switched from devm_ioremap_wc() to
devm_ioremap_resource_wc(). The difference is devm_ioremap_resource_wc()
also requests the resource which fails. Testing of both fixed and
dynamic reserved regions indicates that requesting the resource should
work, so I'm not sure why it doesn't work in this case. Fix the issue by
reverting back to devm_ioremap_wc().
Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reported-by: André Apitzsch <git@apitzsch.eu>
Fixes: c70b9d5fdcd7 ("remoteproc: qcom: Use of_reserved_mem_region_* functions for "memory-region"")
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Tested-by: André Apitzsch <git@apitzsch.eu> # on BQ Aquaris M5
Link: https://lore.kernel.org/r/20260128220243.3018526-1-robh@kernel.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/qcom_wcnss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/remoteproc/qcom_wcnss.c b/drivers/remoteproc/qcom_wcnss.c
index ee18bf2e80549..4add9037dbd5a 100644
--- a/drivers/remoteproc/qcom_wcnss.c
+++ b/drivers/remoteproc/qcom_wcnss.c
@@ -537,7 +537,7 @@ static int wcnss_alloc_memory_region(struct qcom_wcnss *wcnss)
wcnss->mem_phys = wcnss->mem_reloc = res.start;
wcnss->mem_size = resource_size(&res);
- wcnss->mem_region = devm_ioremap_resource_wc(wcnss->dev, &res);
+ wcnss->mem_region = devm_ioremap_wc(wcnss->dev, wcnss->mem_phys, wcnss->mem_size);
if (IS_ERR(wcnss->mem_region)) {
dev_err(wcnss->dev, "unable to map memory region: %pR\n", &res);
return PTR_ERR(wcnss->mem_region);
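Review bot: the `IS_ERR(wcnss->mem_region)` check that follows the new `devm_ioremap_wc()` call no longer matches that function's failure convention. `devm_ioremap_wc()` returns NULL when the mapping fails, not an ERR_PTR, so a failed map passes this check and `wcnss_alloc_memory_region()` carries on with `mem_region` set to NULL. Suggest testing `if (!wcnss->mem_region)` and returning a fixed error such as `-ENOMEM`, since `PTR_ERR()` on a NULL pointer evaluates to 0 and would report success.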
--
2.51.0
* [PATCH 6.19 002/378] powerpc/uaccess: Fix inline assembly for clang build on PPC32
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 001/378] remoteproc: qcom_wcnss: Fix reserved region mapping failure Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 003/378] powerpc/kexec/core: use big-endian types for crash variables Greg Kroah-Hartman
` (382 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot,
Christophe Leroy (CS GROUP), Nathan Chancellor,
Madhavan Srinivasan, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
[ Upstream commit 0ee95a1d458630272d0415d0ffa9424fcb606c90 ]
Test robot reports the following error with clang-16.0.6:
In file included from kernel/rseq.c:75:
include/linux/rseq_entry.h:141:3: error: invalid operand for instruction
unsafe_get_user(offset, &ucs->post_commit_offset, efault);
^
include/linux/uaccess.h:608:2: note: expanded from macro 'unsafe_get_user'
arch_unsafe_get_user(x, ptr, local_label); \
^
arch/powerpc/include/asm/uaccess.h:518:2: note: expanded from macro 'arch_unsafe_get_user'
__get_user_size_goto(__gu_val, __gu_addr, sizeof(*(p)), e); \
^
arch/powerpc/include/asm/uaccess.h:284:2: note: expanded from macro '__get_user_size_goto'
__get_user_size_allowed(x, ptr, size, __gus_retval); \
^
arch/powerpc/include/asm/uaccess.h:275:10: note: expanded from macro '__get_user_size_allowed'
case 8: __get_user_asm2(x, (u64 __user *)ptr, retval); break; \
^
arch/powerpc/include/asm/uaccess.h:258:4: note: expanded from macro '__get_user_asm2'
" li %1+1,0\n" \
^
<inline asm>:7:5: note: instantiated into assembly here
li 31+1,0
^
1 error generated.
On PPC32, for 64 bits vars a pair of registers is used. Usually the
lower register in the pair is the high part and the higher register is
the low part. GCC uses r3/r4 ... r11/r12 ... r14/r15 ... r30/r31
In older kernel code inline assembly was using %1 and %1+1 to represent
64 bits values. However here it looks like clang uses r31 as high part,
although r32 doesn't exist hence the error.
Although %1+1 should work, most places now use %L1 instead of %1+1, so
let's do the same here.
With that change, the build doesn't fail anymore and a disassembly shows
clang uses r17/r18 and r31/r14 pair when GCC would have used r16/r17 and
r30/r31:
Disassembly of section .fixup:
00000000 <.fixup>:
0: 38 a0 ff f2 li r5,-14
4: 3a 20 00 00 li r17,0
8: 3a 40 00 00 li r18,0
c: 48 00 00 00 b c <.fixup+0xc>
c: R_PPC_REL24 .text+0xbc
10: 38 a0 ff f2 li r5,-14
14: 3b e0 00 00 li r31,0
18: 39 c0 00 00 li r14,0
1c: 48 00 00 00 b 1c <.fixup+0x1c>
1c: R_PPC_REL24 .text+0x144
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202602021825.otcItxGi-lkp@intel.com/
Fixes: c20beffeec3c ("powerpc/uaccess: Use flexible addressing with __put_user()/__get_user()")
Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
Acked-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/8ca3a657a650e497a96bfe7acde2f637dadab344.1770103646.git.chleroy@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/include/asm/uaccess.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
index 3e622e647d622..f77c503ecc102 100644
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -253,7 +253,7 @@ __gus_failed: \
".section .fixup,\"ax\"\n" \
"4: li %0,%3\n" \
" li %1,0\n" \
- " li %1+1,0\n" \
+ " li %L1,0\n" \
" b 3b\n" \
".previous\n" \
EX_TABLE(1b, 4b) \
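Review bot: the replacement line `li %L1,0` in the `.fixup` block carries no comment explaining the `%L1` operand modifier, and the commit message says only that most places already use it. A short comment beside the macro stating that `%L1` names the second register of the 64-bit pair on PPC32, and that `%1+1` breaks when the compiler picks r31 as the first register (as clang did here), would keep the old form from being reintroduced. Only this one occurrence is visible in the hunk, so it is also worth confirming that no other `%1+1` remains in this header; the fixup has to zero both halves so that a faulting 64-bit read never leaves part of the destination unset.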
--
2.51.0
* [PATCH 6.19 003/378] powerpc/kexec/core: use big-endian types for crash variables
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 001/378] remoteproc: qcom_wcnss: Fix reserved region mapping failure Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 002/378] powerpc/uaccess: Fix inline assembly for clang build on PPC32 Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 004/378] powerpc/crash: adjust the elfcorehdr size Greg Kroah-Hartman
` (381 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Sourabh Jain,
Venkat Rao Bagalkote, Madhavan Srinivasan, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sourabh Jain <sourabhjain@linux.ibm.com>
[ Upstream commit 20197b967a6a29dab81495f25a988515bda84cfe ]
Use explicit word-sized big-endian types for kexec and crash related
variables. This makes the endianness unambiguous and avoids type
mismatches that trigger sparse warnings.
The change addresses sparse warnings like below (seen on both 32-bit
and 64-bit builds):
CHECK ../arch/powerpc/kexec/core.c
sparse: expected unsigned int static [addressable] [toplevel] [usertype] crashk_base
sparse: got restricted __be32 [usertype]
sparse: warning: incorrect type in assignment (different base types)
sparse: expected unsigned int static [addressable] [toplevel] [usertype] crashk_size
sparse: got restricted __be32 [usertype]
sparse: warning: incorrect type in assignment (different base types)
sparse: expected unsigned long long static [addressable] [toplevel] mem_limit
sparse: got restricted __be32 [usertype]
sparse: warning: incorrect type in assignment (different base types)
sparse: expected unsigned int static [addressable] [toplevel] [usertype] kernel_end
sparse: got restricted __be32 [usertype]
No functional change intended.
Fixes: ea961a828fe7 ("powerpc: Fix endian issues in kexec and crash dump code")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202512221405.VHPKPjnp-lkp@intel.com/
Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20251224151257.28672-1-sourabhjain@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kexec/core.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/arch/powerpc/kexec/core.c b/arch/powerpc/kexec/core.c
index 104c05520bf05..dc44f11be353e 100644
--- a/arch/powerpc/kexec/core.c
+++ b/arch/powerpc/kexec/core.c
@@ -23,6 +23,7 @@
#include <asm/firmware.h>
#define cpu_to_be_ulong __PASTE(cpu_to_be, BITS_PER_LONG)
+#define __be_word __PASTE(__be, BITS_PER_LONG)
#ifdef CONFIG_CRASH_DUMP
void machine_crash_shutdown(struct pt_regs *regs)
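Review bot: the new `__be_word` macro is added without a comment, and unlike the `cpu_to_be_ulong` macro directly above it, it expands to a type name (`__be32` or `__be64`) rather than a conversion function. A one-line comment saying it is the big-endian type that matches `cpu_to_be_ulong`, or a `typedef` in its place, would make the declarations later in the file easier to read; a name that pairs with `cpu_to_be_ulong`, for example `__be_ulong`, would help too.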
@@ -146,25 +147,25 @@ int __init overlaps_crashkernel(unsigned long start, unsigned long size)
}
/* Values we need to export to the second kernel via the device tree. */
-static phys_addr_t crashk_base;
-static phys_addr_t crashk_size;
-static unsigned long long mem_limit;
+static __be_word crashk_base;
+static __be_word crashk_size;
+static __be_word mem_limit;
static struct property crashk_base_prop = {
.name = "linux,crashkernel-base",
- .length = sizeof(phys_addr_t),
+ .length = sizeof(__be_word),
.value = &crashk_base
};
static struct property crashk_size_prop = {
.name = "linux,crashkernel-size",
- .length = sizeof(phys_addr_t),
+ .length = sizeof(__be_word),
.value = &crashk_size,
};
static struct property memory_limit_prop = {
.name = "linux,memory-limit",
- .length = sizeof(unsigned long long),
+ .length = sizeof(__be_word),
.value = &mem_limit,
};
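Review bot: `memory_limit_prop.length` changes from `sizeof(unsigned long long)` to `sizeof(__be_word)`, which on a 32-bit build shrinks the `linux,memory-limit` property from 8 bytes to 4, so this is more than a sparse annotation change despite "No functional change intended" in the commit message. The sparse output quoted there shows a `__be32` being assigned to the `unsigned long long`, so the old layout was a 32-bit big-endian value inside an 8-byte property. Please confirm that whatever reads this property in the second kernel accepts the 4-byte form, and say so in the changelog.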
@@ -193,11 +194,11 @@ static void __init export_crashk_values(struct device_node *node)
}
#endif /* CONFIG_CRASH_RESERVE */
-static phys_addr_t kernel_end;
+static __be_word kernel_end;
static struct property kernel_end_prop = {
.name = "linux,kernel-end",
- .length = sizeof(phys_addr_t),
+ .length = sizeof(__be_word),
.value = &kernel_end,
};
--
2.51.0
* [PATCH 6.19 004/378] powerpc/crash: adjust the elfcorehdr size
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hari Bathini, Sourabh Jain,
Madhavan Srinivasan, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sourabh Jain <sourabhjain@linux.ibm.com>
[ Upstream commit 04e707cb77c272cb0bb2e2e3c5c7f844d804a089 ]
With crash hotplug support enabled, additional memory is allocated to
the elfcorehdr kexec segment to accommodate resources added during
memory hotplug events. However, the kdump FDT is not updated with the
same size, which can result in elfcorehdr corruption in the kdump
kernel.
Update elf_headers_sz (the kimage member representing the size of the
elfcorehdr kexec segment) to reflect the total memory allocated for the
elfcorehdr segment instead of the elfcorehdr buffer size at the time of
kdump load. This allows of_kexec_alloc_and_setup_fdt() to reserve the
full elfcorehdr memory in the kdump FDT and prevents elfcorehdr
corruption.
Fixes: 849599b702ef8 ("powerpc/crash: add crash memory hotplug support")
Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260227171801.2238847-1-sourabhjain@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kexec/file_load_64.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kexec/file_load_64.c b/arch/powerpc/kexec/file_load_64.c
index e7ef8b2a25546..5f6d50e4c3d45 100644
--- a/arch/powerpc/kexec/file_load_64.c
+++ b/arch/powerpc/kexec/file_load_64.c
@@ -450,6 +450,11 @@ static int load_elfcorehdr_segment(struct kimage *image, struct kexec_buf *kbuf)
kbuf->buffer = headers;
kbuf->mem = KEXEC_BUF_MEM_UNKNOWN;
kbuf->bufsz = headers_sz;
+
+ /*
+ * Account for extra space required to accommodate additional memory
+ * ranges in elfcorehdr due to memory hotplug events.
+ */
kbuf->memsz = headers_sz + kdump_extra_elfcorehdr_size(cmem);
kbuf->top_down = false;
@@ -460,7 +465,14 @@ static int load_elfcorehdr_segment(struct kimage *image, struct kexec_buf *kbuf)
}
image->elf_load_addr = kbuf->mem;
- image->elf_headers_sz = headers_sz;
+
+ /*
+ * If CONFIG_CRASH_HOTPLUG is enabled, the elfcorehdr kexec segment
+ * memsz can be larger than bufsz. Always initialize elf_headers_sz
+ * with memsz. This ensures the correct size is reserved for elfcorehdr
+ * memory in the FDT prepared for kdump.
+ */
+ image->elf_headers_sz = kbuf->memsz;
image->elf_headers = headers;
out:
kfree(cmem);
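Review bot: after this hunk image->elf_headers_sz holds kbuf->memsz while image->elf_headers still points at the headers buffer, which is only headers_sz bytes long (kbuf->bufsz). Any reader that treats elf_headers_sz as the length of that buffer would run past it by kdump_extra_elfcorehdr_size(cmem) bytes. Please confirm that every user of the field wants the segment size, and extend the new comment to say that the field no longer matches the buffer length.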
--
2.51.0
* [PATCH 6.19 005/378] remoteproc: sysmon: Correct subsys_name_len type in QMI request
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Andersson, Chris Lew,
Bjorn Andersson, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
[ Upstream commit da994db94e60f9a9411108ddf4d1836147ad4c9c ]
The QMI message encoder has up until recently read a single byte (as
elem_size == 1), but with the introduction of big endian support it's
become apparent that this field is expected to be a full u32 -
regardless of the size of the length in the encoded message (which is
what elem_size specifies).
The result is that the encoder now reads past the length byte and
rejects the unreasonably large length formed when including the
following 3 bytes from the subsys_name array.
Fix this by changing to the expected type.
Fixes: 1fb82ee806d1 ("remoteproc: qcom: Introduce sysmon")
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Reviewed-by: Chris Lew <christopher.lew@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260220-qmi-encode-invalid-length-v2-1-5674be35ab29@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/qcom_sysmon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/remoteproc/qcom_sysmon.c b/drivers/remoteproc/qcom_sysmon.c
index 660ac6fc40821..c6cc6e519fe56 100644
--- a/drivers/remoteproc/qcom_sysmon.c
+++ b/drivers/remoteproc/qcom_sysmon.c
@@ -203,7 +203,7 @@ static const struct qmi_elem_info ssctl_shutdown_resp_ei[] = {
};
struct ssctl_subsys_event_req {
- u8 subsys_name_len;
+ u32 subsys_name_len;
char subsys_name[SSCTL_SUBSYS_NAME_LENGTH];
u32 event;
u8 evt_driven_valid;
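Review bot: subsys_name_len becomes a u32 with nothing at the member to say why a length that is one byte on the wire needs a four-byte field. A short comment on the member (the QMI encoder reads the length as a u32 regardless of elem_size, as the changelog explains) would stop it from being narrowed back to u8 later. It is also worth checking whether other request structs in this file carry a u8 length member with the same problem.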
--
2.51.0
* [PATCH 6.19 006/378] remoteproc: mediatek: Unprepare SCP clock during system suspend
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AngeloGioacchino Del Regno,
Tzung-Bi Shih, Mathieu Poirier, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tzung-Bi Shih <tzungbi@kernel.org>
[ Upstream commit 35c3f72a2d55dbf52f28f4ecae51c76be1acf545 ]
Prior to commit d935187cfb27 ("remoteproc: mediatek: Break lock
dependency to prepare_lock"), `scp->clk` was prepared and enabled only
when it needs to communicate with the SCP. The commit d935187cfb27
moved the prepare operation to remoteproc's prepare(), keeping the clock
prepared as long as the SCP is running.
The power consumption due to the prolonged clock preparation can be
negligible when the system is running, as SCP is designed to be a very
power efficient processor.
However, the clock remains prepared even when the system enters system
suspend. This prevents the underlying clock controller (and potentially
the parent PLLs) from shutting down, which increases power consumption
and may block the system from entering deep sleep states.
Add suspend and resume callbacks. Unprepare the clock in suspend() if
it was active and re-prepare it in resume() to ensure the clock is
properly disabled during system suspend, while maintaining the "always
prepared" semantics while the system is active. The driver doesn't
implement .attach() callback, hence it only checks for RPROC_RUNNING.
Fixes: d935187cfb27 ("remoteproc: mediatek: Break lock dependency to prepare_lock")
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Link: https://lore.kernel.org/r/20260206033034.3031781-1-tzungbi@kernel.org
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/mtk_scp.c | 39 ++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/drivers/remoteproc/mtk_scp.c b/drivers/remoteproc/mtk_scp.c
index 98d00bd5200cc..b0b65aefc7190 100644
--- a/drivers/remoteproc/mtk_scp.c
+++ b/drivers/remoteproc/mtk_scp.c
@@ -1597,12 +1597,51 @@ static const struct of_device_id mtk_scp_of_match[] = {
};
MODULE_DEVICE_TABLE(of, mtk_scp_of_match);
+static int __maybe_unused scp_suspend(struct device *dev)
+{
+ struct mtk_scp *scp = dev_get_drvdata(dev);
+ struct rproc *rproc = scp->rproc;
+
+ /*
+ * Only unprepare if the SCP is running and holding the clock.
+ *
+ * Note: `scp_ops` doesn't implement .attach() callback, hence
+ * `rproc->state` can never be RPROC_ATTACHED. Otherwise, it
+ * should also be checked here.
+ */
+ if (rproc->state == RPROC_RUNNING)
+ clk_unprepare(scp->clk);
+ return 0;
+}
+
+static int __maybe_unused scp_resume(struct device *dev)
+{
+ struct mtk_scp *scp = dev_get_drvdata(dev);
+ struct rproc *rproc = scp->rproc;
+
+ /*
+ * Only prepare if the SCP was running and holding the clock.
+ *
+ * Note: `scp_ops` doesn't implement .attach() callback, hence
+ * `rproc->state` can never be RPROC_ATTACHED. Otherwise, it
+ * should also be checked here.
+ */
+ if (rproc->state == RPROC_RUNNING)
+ return clk_prepare(scp->clk);
+ return 0;
+}
+
+static const struct dev_pm_ops scp_pm_ops = {
+ SET_SYSTEM_SLEEP_PM_OPS(scp_suspend, scp_resume)
+};
+
static struct platform_driver mtk_scp_driver = {
.probe = scp_probe,
.remove = scp_remove,
.driver = {
.name = "mtk-scp",
.of_match_table = mtk_scp_of_match,
+ .pm = &scp_pm_ops,
},
};
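Review bot: scp_suspend() and scp_resume() each read rproc->state independently, without a lock and without recording what suspend actually did. If the state differs between the two calls, clk_unprepare() and clk_prepare() no longer pair up. A flag set in scp_suspend() and tested in scp_resume() would make the balance explicit. As a style point, __maybe_unused with SET_SYSTEM_SLEEP_PM_OPS is the older idiom; SYSTEM_SLEEP_PM_OPS together with pm_sleep_ptr(&scp_pm_ops) removes the need for the annotations.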
--
2.51.0
* [PATCH 6.19 007/378] powerpc: 83xx: km83xx: Fix keymile vendor prefix
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, J . Neuschäfer, Heiko Schocher,
Madhavan Srinivasan, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: J. Neuschäfer <j.ne@posteo.net>
[ Upstream commit 691417ffe7821721e0a28bd25ad8c0dc0d4ae4ad ]
When kmeter.c was refactored into km83xx.c in 2011, the "keymile" vendor
prefix was changed to upper-case "Keymile". The devicetree at
arch/powerpc/boot/dts/kmeter1.dts never underwent the same change,
suggesting that this was simply a mistake.
Fixes: 93e2b95c81042d ("powerpc/83xx: rename and update kmeter1")
Signed-off-by: J. Neuschäfer <j.ne@posteo.net>
Reviewed-by: Heiko Schocher <hs@nabladev.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260303-keymile-v1-1-463a11e71702@posteo.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/83xx/km83xx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/platforms/83xx/km83xx.c b/arch/powerpc/platforms/83xx/km83xx.c
index 2b5d187d9b62d..9ef8fb39dd1b1 100644
--- a/arch/powerpc/platforms/83xx/km83xx.c
+++ b/arch/powerpc/platforms/83xx/km83xx.c
@@ -155,8 +155,8 @@ machine_device_initcall(mpc83xx_km, mpc83xx_declare_of_platform_devices);
/* list of the supported boards */
static char *board[] __initdata = {
- "Keymile,KMETER1",
- "Keymile,kmpbec8321",
+ "keymile,KMETER1",
+ "keymile,kmpbec8321",
NULL
};
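Review bot: both entries in board[] switch to the lower-case prefix with no fallback, so a device tree that still carries "Keymile,KMETER1" or "Keymile,kmpbec8321" stops matching. The changelog only covers the in-tree kmeter1.dts. If trees with the upper-case prefix can exist outside the kernel source, keep the old strings in the list next to the new ones.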
--
2.51.0
* [PATCH 6.19 008/378] smb/server: Fix another refcount leak in smb2_open()
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, ChenXiaoSong,
Namjae Jeon, Steve French, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit c15e7c62feb3751cbdd458555819df1d70374890 ]
If ksmbd_override_fsids() fails, we jump to err_out2. At that point, fp is
NULL because it hasn't been assigned dh_info.fp yet, so ksmbd_fd_put(work,
fp) will not be called. However, dh_info.fp was already inserted into the
session file table by ksmbd_reopen_durable_fd(), so it will leak in the
session file table until the session is closed.
Move fp = dh_info.fp; ahead of the ksmbd_override_fsids() check to fix the
problem.
Found by an experimental AI code review agent at Google.
Fixes: c8efcc786146a ("ksmbd: add support for durable handles v1/v2")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index b682e8160504a..302a716e30438 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -3011,13 +3011,14 @@ int smb2_open(struct ksmbd_work *work)
goto err_out2;
}
+ fp = dh_info.fp;
+
if (ksmbd_override_fsids(work)) {
rc = -ENOMEM;
ksmbd_put_durable_fd(dh_info.fp);
goto err_out2;
}
- fp = dh_info.fp;
file_info = FILE_OPENED;
rc = ksmbd_vfs_getattr(&fp->filp->f_path, &stat);
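Review bot: with fp assigned before the ksmbd_override_fsids() check, the failure branch calls ksmbd_put_durable_fd(dh_info.fp) and then reaches err_out2 with fp non-NULL, where per the changelog ksmbd_fd_put(work, fp) now runs as well. Please confirm that these two puts release different references and that the branch does not drop one twice. A comment in the branch naming the reference each put releases would settle it for later readers.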
--
2.51.0
* [PATCH 6.19 009/378] scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kiszka, Florian Bezdeka,
Michael Kelley, Martin K. Petersen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kiszka <jan.kiszka@siemens.com>
[ Upstream commit 57297736c08233987e5d29ce6584c6ca2a831b12 ]
This resolves the following splat and lock-up when running with PREEMPT_RT
enabled on Hyper-V:
[ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002
[ 415.140822] INFO: lockdep is turned off.
[ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec ghash_clmulni_intel aesni_intel rapl binfmt_misc nls_ascii nls_cp437 vfat fat snd_pcm hyperv_drm snd_timer drm_client_lib drm_shmem_helper snd sg soundcore drm_kms_helper pcspkr hv_balloon hv_utils evdev joydev drm configfs efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common hv_sock vmw_vsock_vmci_transport vsock vmw_vmci efivarfs autofs4 ext4 crc16 mbcache jbd2 sr_mod sd_mod cdrom hv_storvsc serio_raw hid_generic scsi_transport_fc hid_hyperv scsi_mod hid hv_netvsc hyperv_keyboard scsi_common
[ 415.140846] Preemption disabled at:
[ 415.140847] [<ffffffffc0656171>] storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]
[ 415.140854] CPU: 8 UID: 0 PID: 1048 Comm: stress-ng-iomix Not tainted 6.19.0-rc7 #30 PREEMPT_{RT,(full)}
[ 415.140856] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/04/2024
[ 415.140857] Call Trace:
[ 415.140861] <TASK>
[ 415.140861] ? storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]
[ 415.140863] dump_stack_lvl+0x91/0xb0
[ 415.140870] __schedule_bug+0x9c/0xc0
[ 415.140875] __schedule+0xdf6/0x1300
[ 415.140877] ? rtlock_slowlock_locked+0x56c/0x1980
[ 415.140879] ? rcu_is_watching+0x12/0x60
[ 415.140883] schedule_rtlock+0x21/0x40
[ 415.140885] rtlock_slowlock_locked+0x502/0x1980
[ 415.140891] rt_spin_lock+0x89/0x1e0
[ 415.140893] hv_ringbuffer_write+0x87/0x2a0
[ 415.140899] vmbus_sendpacket_mpb_desc+0xb6/0xe0
[ 415.140900] ? rcu_is_watching+0x12/0x60
[ 415.140902] storvsc_queuecommand+0x669/0xbe0 [hv_storvsc]
[ 415.140904] ? HARDIRQ_verbose+0x10/0x10
[ 415.140908] ? __rq_qos_issue+0x28/0x40
[ 415.140911] scsi_queue_rq+0x760/0xd80 [scsi_mod]
[ 415.140926] __blk_mq_issue_directly+0x4a/0xc0
[ 415.140928] blk_mq_issue_direct+0x87/0x2b0
[ 415.140931] blk_mq_dispatch_queue_requests+0x120/0x440
[ 415.140933] blk_mq_flush_plug_list+0x7a/0x1a0
[ 415.140935] __blk_flush_plug+0xf4/0x150
[ 415.140940] __submit_bio+0x2b2/0x5c0
[ 415.140944] ? submit_bio_noacct_nocheck+0x272/0x360
[ 415.140946] submit_bio_noacct_nocheck+0x272/0x360
[ 415.140951] ext4_read_bh_lock+0x3e/0x60 [ext4]
[ 415.140995] ext4_block_write_begin+0x396/0x650 [ext4]
[ 415.141018] ? __pfx_ext4_da_get_block_prep+0x10/0x10 [ext4]
[ 415.141038] ext4_da_write_begin+0x1c4/0x350 [ext4]
[ 415.141060] generic_perform_write+0x14e/0x2c0
[ 415.141065] ext4_buffered_write_iter+0x6b/0x120 [ext4]
[ 415.141083] vfs_write+0x2ca/0x570
[ 415.141087] ksys_write+0x76/0xf0
[ 415.141089] do_syscall_64+0x99/0x1490
[ 415.141093] ? rcu_is_watching+0x12/0x60
[ 415.141095] ? finish_task_switch.isra.0+0xdf/0x3d0
[ 415.141097] ? rcu_is_watching+0x12/0x60
[ 415.141098] ? lock_release+0x1f0/0x2a0
[ 415.141100] ? rcu_is_watching+0x12/0x60
[ 415.141101] ? finish_task_switch.isra.0+0xe4/0x3d0
[ 415.141103] ? rcu_is_watching+0x12/0x60
[ 415.141104] ? __schedule+0xb34/0x1300
[ 415.141106] ? hrtimer_try_to_cancel+0x1d/0x170
[ 415.141109] ? do_nanosleep+0x8b/0x160
[ 415.141111] ? hrtimer_nanosleep+0x89/0x100
[ 415.141114] ? __pfx_hrtimer_wakeup+0x10/0x10
[ 415.141116] ? xfd_validate_state+0x26/0x90
[ 415.141118] ? rcu_is_watching+0x12/0x60
[ 415.141120] ? do_syscall_64+0x1e0/0x1490
[ 415.141121] ? do_syscall_64+0x1e0/0x1490
[ 415.141123] ? rcu_is_watching+0x12/0x60
[ 415.141124] ? do_syscall_64+0x1e0/0x1490
[ 415.141125] ? do_syscall_64+0x1e0/0x1490
[ 415.141127] ? irqentry_exit+0x140/0x7e0
[ 415.141129] entry_SYSCALL_64_after_hwframe+0x76/0x7e
get_cpu() disables preemption while the spinlock hv_ringbuffer_write is
using is converted to an rt-mutex under PREEMPT_RT.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Tested-by: Florian Bezdeka <florian.bezdeka@siemens.com>
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Michael Kelley <mhklinux@outlook.com>
Link: https://patch.msgid.link/0c7fb5cd-fb21-4760-8593-e04bade84744@siemens.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/storvsc_drv.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index b43d876747b76..68c837146b9ea 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1855,8 +1855,9 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
cmd_request->payload_sz = payload_sz;
/* Invokes the vsc to start an IO */
- ret = storvsc_do_io(dev, cmd_request, get_cpu());
- put_cpu();
+ migrate_disable();
+ ret = storvsc_do_io(dev, cmd_request, smp_processor_id());
+ migrate_enable();
if (ret)
scsi_dma_unmap(scmnd);
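Review bot: migrate_disable() pins the task to its CPU but leaves preemption enabled, so another task can run on the same CPU and enter storvsc_do_io() with the same smp_processor_id() value while this call is still in progress, which get_cpu() used to rule out. If storvsc_do_io() relies on the CPU number being exclusive to the caller, that needs to be checked. A comment at the call site saying why migrate_disable() is used instead of get_cpu() would also help.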
--
2.51.0
* [PATCH 6.19 010/378] ACPI: PM: Save NVS memory on Lenovo G70-35
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Piotr Mazek, Rafael J. Wysocki,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Piotr Mazek <pmazek@outlook.com>
[ Upstream commit 023cd6d90f8aa2ef7b72d84be84a18e61ecebd64 ]
[821d6f0359b0614792ab8e2fb93b503e25a65079] prevented machines
produced later than 2012 from saving NVS region to accelerate S3.
Despite being made after 2012, Lenovo G70-35 still needs NVS memory
saving during S3. A quirk is introduced for this platform.
Signed-off-by: Piotr Mazek <pmazek@outlook.com>
[ rjw: Subject adjustment ]
Link: https://patch.msgid.link/GV2PPF3CD5B63CC2442EE3F76F8443EAD90D499A@GV2PPF3CD5B63CC.EURP251.PROD.OUTLOOK.COM
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/sleep.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
index 66ec81e306d47..132a9df984713 100644
--- a/drivers/acpi/sleep.c
+++ b/drivers/acpi/sleep.c
@@ -386,6 +386,14 @@ static const struct dmi_system_id acpisleep_dmi_table[] __initconst = {
DMI_MATCH(DMI_PRODUCT_NAME, "80E1"),
},
},
+ {
+ .callback = init_nvs_save_s3,
+ .ident = "Lenovo G70-35",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "80Q5"),
+ },
+ },
/*
* ThinkPad X1 Tablet(2016) cannot do suspend-to-idle using
* the Low Power S0 Idle firmware interface (see
--
2.51.0
* [PATCH 6.19 011/378] scsi: ufs: core: Reset urgent_bkops_lvl to allow runtime PM power mode
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Won Jung, Peter Wang,
Martin K. Petersen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Won Jung <wone.jung@samsung.com>
[ Upstream commit 5b313760059c9df7d60aba7832279bcb81b4aec0 ]
Ensures that UFS Runtime PM can achieve power saving after System PM
suspend by resetting hba->urgent_bkops_lvl. Also modify the
ufshcd_bkops_exception_event_handler to avoid setting urgent_bkops_lvl when
status is 0, which helps maintain optimal power management.
On UFS devices supporting UFSHCD_CAP_AUTO_BKOPS_SUSPEND, a BKOPS exception
event can lead to a situation where UFS Runtime PM can't enter low-power
mode states even after the BKOPS exception has been resolved.
When a BKOPS exception with bkops status 0 occurs, the driver logs:
"ufshcd_bkops_exception_event_handler: device raised urgent BKOPS exception for bkops status 0"
When a BKOPS exception occurs, ufshcd_bkops_exception_event_handler() reads
the BKOPS status and sets hba->urgent_bkops_lvl to BKOPS_STATUS_NO_OP(0).
This allows the device to perform Runtime PM without changing the UFS power
mode. (__ufshcd_wl_suspend(hba, UFS_RUNTIME_PM))
During system PM suspend, ufshcd_disable_auto_bkops() is called, disabling
auto bkops. After UFS System PM Resume, when runtime PM attempts to suspend
again, ufshcd_urgent_bkops() is invoked. Since hba->urgent_bkops_lvl
remains at BKOPS_STATUS_NO_OP(0), ufshcd_enable_auto_bkops() is triggered.
However, in ufshcd_bkops_ctrl(), the driver compares the current BKOPS
status with hba->urgent_bkops_lvl, and only enables auto bkops if
curr_status >= hba->urgent_bkops_lvl. Since both values are 0, the
condition is met.
As a result, __ufshcd_wl_suspend(hba, UFS_RUNTIME_PM) skips power mode
transitions and remains in an active state, preventing power saving even
though no urgent BKOPS condition exists.
Signed-off-by: Won Jung <wone.jung@samsung.com>
Reviewed-by: Peter Wang <peter.wang@mediatek.com>
Link: https://patch.msgid.link/1891546521.01770806581968.JavaMail.epsvc@epcpadp2new
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 80fafad339c75..6f9c5d7012812 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -5971,6 +5971,7 @@ static int ufshcd_disable_auto_bkops(struct ufs_hba *hba)
hba->auto_bkops_enabled = false;
trace_ufshcd_auto_bkops_state(hba, "Disabled");
+ hba->urgent_bkops_lvl = BKOPS_STATUS_PERF_IMPACT;
hba->is_urgent_bkops_lvl_checked = false;
out:
return err;
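Review bot: urgent_bkops_lvl is reset to the literal BKOPS_STATUS_PERF_IMPACT with no comment, and the hunk does not show that this is the same default the field gets at initialisation. A comment saying that this restores the default threshold, or a shared helper used in both places, would keep the two from drifting apart. The assignment also sits before the out: label, so any path that jumps to out skips the reset; please state whether that is intended.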
@@ -6074,7 +6075,7 @@ static void ufshcd_bkops_exception_event_handler(struct ufs_hba *hba)
* impacted or critical. Handle these device by determining their urgent
* bkops status at runtime.
*/
- if (curr_status < BKOPS_STATUS_PERF_IMPACT) {
+ if ((curr_status > BKOPS_STATUS_NO_OP) && (curr_status < BKOPS_STATUS_PERF_IMPACT)) {
dev_err(hba->dev, "%s: device raised urgent BKOPS exception for bkops status %d\n",
__func__, curr_status);
/* update the current status as the urgent bkops level */
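Review bot: the new condition excludes status 0, so an exception event that reports BKOPS_STATUS_NO_OP is now dropped without any log, while the comment block above the test is left unchanged. Update that comment to mention the status-0 case, consider a dev_dbg() for it so the event stays traceable, and drop the redundant inner parentheses so the line gets shorter.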
--
2.51.0
* [PATCH 6.19 012/378] fs: init flags_valid before calling vfs_fileattr_get
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7c31755f2cea07838b0c,
Edward Adam Davis, Christian Brauner, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit cb184dd19154fc486fa3d9e02afe70a97e54e055 ]
syzbot reported an uninit-value bug in [1].
Similar to the "*get" context where the kernel's internal file_kattr
structure is initialized before calling vfs_fileattr_get(), we should
use the same mechanism when using fa.
[1]
BUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
vfs_fileattr_get fs/file_attr.c:94 [inline]
__do_sys_file_getattr fs/file_attr.c:416 [inline]
Local variable fa.i created at:
__do_sys_file_getattr fs/file_attr.c:380 [inline]
__se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372
Reported-by: syzbot+7c31755f2cea07838b0c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7c31755f2cea07838b0c
Tested-by: syzbot+7c31755f2cea07838b0c@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Link: https://patch.msgid.link/tencent_B6C4583771D76766D71362A368696EC3B605@qq.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/file_attr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/file_attr.c b/fs/file_attr.c
index 13cdb31a3e947..4889cf59b2562 100644
--- a/fs/file_attr.c
+++ b/fs/file_attr.c
@@ -377,7 +377,7 @@ SYSCALL_DEFINE5(file_getattr, int, dfd, const char __user *, filename,
struct filename *name __free(putname) = NULL;
unsigned int lookup_flags = 0;
struct file_attr fattr;
- struct file_kattr fa;
+ struct file_kattr fa = { .flags_valid = true }; /* hint only */
int error;
BUILD_BUG_ON(sizeof(struct file_attr) < FILE_ATTR_SIZE_VER0);
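Review bot: the trailing comment "hint only" on the fa initializer does not say what is being hinted or why the initializer is needed. The designated initializer also zero-fills every other member of fa, and that is what removes the uninitialised read KMSAN reported for the local variable. The comment should say so, and it reads better on its own line above the declaration.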
--
2.51.0
* [PATCH 6.19 013/378] scsi: mpi3mr: Add NULL checks when resetting request and reply queues
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ranjan Kumar, Martin K. Petersen,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
[ Upstream commit fa96392ebebc8fade2b878acb14cce0f71016503 ]
The driver encountered a crash during resource cleanup when the reply and
request queues were NULL due to freed memory. This issue occurred when the
creation of reply or request queues failed, and the driver freed the memory
first, but attempted to memset the content of the freed memory, leading to
a system crash.
Add NULL pointer checks for reply and request queues before accessing the
reply/request memory during cleanup.
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://patch.msgid.link/20260212070026.30263-1-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mpi3mr/mpi3mr_fw.c | 34 ++++++++++++++++++---------------
1 file changed, 19 insertions(+), 15 deletions(-)
diff --git a/drivers/scsi/mpi3mr/mpi3mr_fw.c b/drivers/scsi/mpi3mr/mpi3mr_fw.c
index 8c4bb7169a87c..8382afed12813 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
@@ -4705,21 +4705,25 @@ void mpi3mr_memset_buffers(struct mpi3mr_ioc *mrioc)
}
for (i = 0; i < mrioc->num_queues; i++) {
- mrioc->op_reply_qinfo[i].qid = 0;
- mrioc->op_reply_qinfo[i].ci = 0;
- mrioc->op_reply_qinfo[i].num_replies = 0;
- mrioc->op_reply_qinfo[i].ephase = 0;
- atomic_set(&mrioc->op_reply_qinfo[i].pend_ios, 0);
- atomic_set(&mrioc->op_reply_qinfo[i].in_use, 0);
- mpi3mr_memset_op_reply_q_buffers(mrioc, i);
-
- mrioc->req_qinfo[i].ci = 0;
- mrioc->req_qinfo[i].pi = 0;
- mrioc->req_qinfo[i].num_requests = 0;
- mrioc->req_qinfo[i].qid = 0;
- mrioc->req_qinfo[i].reply_qid = 0;
- spin_lock_init(&mrioc->req_qinfo[i].q_lock);
- mpi3mr_memset_op_req_q_buffers(mrioc, i);
+ if (mrioc->op_reply_qinfo) {
+ mrioc->op_reply_qinfo[i].qid = 0;
+ mrioc->op_reply_qinfo[i].ci = 0;
+ mrioc->op_reply_qinfo[i].num_replies = 0;
+ mrioc->op_reply_qinfo[i].ephase = 0;
+ atomic_set(&mrioc->op_reply_qinfo[i].pend_ios, 0);
+ atomic_set(&mrioc->op_reply_qinfo[i].in_use, 0);
+ mpi3mr_memset_op_reply_q_buffers(mrioc, i);
+ }
+
+ if (mrioc->req_qinfo) {
+ mrioc->req_qinfo[i].ci = 0;
+ mrioc->req_qinfo[i].pi = 0;
+ mrioc->req_qinfo[i].num_requests = 0;
+ mrioc->req_qinfo[i].qid = 0;
+ mrioc->req_qinfo[i].reply_qid = 0;
+ spin_lock_init(&mrioc->req_qinfo[i].q_lock);
+ mpi3mr_memset_op_req_q_buffers(mrioc, i);
+ }
}
atomic_set(&mrioc->pend_large_data_sz, 0);
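Review bot: the two NULL tests, `if (mrioc->op_reply_qinfo)` and `if (mrioc->req_qinfo)`, are loop-invariant but are evaluated on every pass of `for (i = 0; i < mrioc->num_queues; i++)`; testing each pointer once and running one loop per array would read more clearly than re-indenting both bodies under a per-iteration check. The guard also only helps if the failure path that frees these arrays sets the pointers to NULL, and that is not visible in this hunk, so the commit message should name where that happens; a freed but non-NULL pointer would still be written through here.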
--
2.51.0
* [PATCH 6.19 014/378] ALSA: hda/realtek: Fix speaker pop on Star Labs StarFighter
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 013/378] scsi: mpi3mr: Add NULL checks when resetting request and reply queues Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 015/378] unshare: fix unshare_fs() handling Greg Kroah-Hartman
` (370 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sean Rhodes,
Takashi Iwai, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Rhodes <sean@starlabs.systems>
[ Upstream commit 1cb3c20688fc8380c9b365d03aea7e84faf6a9fd ]
On Star Labs StarFighter (Realtek ALC233/235), the internal speakers can
emit an audible pop when entering or leaving runtime suspend.
Mute the speaker output paths via snd_hda_gen_shutup_speakers() in the
Realtek shutup callback before the codec is powered down.
This is enough to avoid the pop without special EAPD handling.
Test results:
- runtime PM pop fixed
- still reaches D3 (PCI 0000:00:1f.3 power_state=D3hot)
- does not address pops on cold boot (G3 exit) or around display manager
start/shutdown
journalctl -k (boot):
- snd_hda_codec_alc269 hdaudioC0D0: ALC233: picked fixup for PCI SSID
7017:2014
- snd_hda_codec_alc269 hdaudioC0D0: autoconfig for ALC233: line_outs=1
(0x1b/0x0/0x0/0x0/0x0) type:speaker
Suggested-by: Takashi Iwai <tiwai@suse.com>
Tested-by: Sean Rhodes <sean@starlabs.systems>
Signed-off-by: Sean Rhodes <sean@starlabs.systems>
Link: https://patch.msgid.link/4d5fb71b132bb283fd41c622b8413770b2065242.1771532060.git.sean@starlabs.systems
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/realtek/alc269.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
index f5719e630d28a..4c49f1195e1bc 100644
--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -1017,6 +1017,24 @@ static int alc269_resume(struct hda_codec *codec)
return 0;
}
+#define STARLABS_STARFIGHTER_SHUTUP_DELAY_MS 30
+
+static void starlabs_starfighter_shutup(struct hda_codec *codec)
+{
+ if (snd_hda_gen_shutup_speakers(codec))
+ msleep(STARLABS_STARFIGHTER_SHUTUP_DELAY_MS);
+}
+
+static void alc233_fixup_starlabs_starfighter(struct hda_codec *codec,
+ const struct hda_fixup *fix,
+ int action)
+{
+ struct alc_spec *spec = codec->spec;
+
+ if (action == HDA_FIXUP_ACT_PRE_PROBE)
+ spec->shutup = starlabs_starfighter_shutup;
+}
+
static void alc269_fixup_pincfg_no_hp_to_lineout(struct hda_codec *codec,
const struct hda_fixup *fix, int action)
{
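Review bot: `spec->shutup = starlabs_starfighter_shutup;` replaces the codec's shutup callback outright instead of wrapping it, so whatever the previous callback did at power-down is no longer run on this machine. The commit message says muting is enough without special EAPD handling, but a short comment above starlabs_starfighter_shutup() stating that the default shutup is dropped on purpose would keep a later cleanup from reintroducing it. The 30 ms in STARLABS_STARFIGHTER_SHUTUP_DELAY_MS is also unexplained; say whether it was measured or taken from documentation.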
@@ -4040,6 +4058,7 @@ enum {
ALC245_FIXUP_CLEVO_NOISY_MIC,
ALC269_FIXUP_VAIO_VJFH52_MIC_NO_PRESENCE,
ALC233_FIXUP_MEDION_MTL_SPK,
+ ALC233_FIXUP_STARLABS_STARFIGHTER,
ALC294_FIXUP_BASS_SPEAKER_15,
ALC283_FIXUP_DELL_HP_RESUME,
ALC294_FIXUP_ASUS_CS35L41_SPI_2,
@@ -6500,6 +6519,10 @@ static const struct hda_fixup alc269_fixups[] = {
{ }
},
},
+ [ALC233_FIXUP_STARLABS_STARFIGHTER] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc233_fixup_starlabs_starfighter,
+ },
[ALC294_FIXUP_BASS_SPEAKER_15] = {
.type = HDA_FIXUP_FUNC,
.v.func = alc294_fixup_bass_speaker_15,
@@ -7662,6 +7685,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x2782, 0x1705, "MEDION E15433", ALC269VC_FIXUP_INFINIX_Y4_MAX),
SND_PCI_QUIRK(0x2782, 0x1707, "Vaio VJFE-ADL", ALC298_FIXUP_SPK_VOLUME),
SND_PCI_QUIRK(0x2782, 0x4900, "MEDION E15443", ALC233_FIXUP_MEDION_MTL_SPK),
+ SND_PCI_QUIRK(0x7017, 0x2014, "Star Labs StarFighter", ALC233_FIXUP_STARLABS_STARFIGHTER),
SND_PCI_QUIRK(0x8086, 0x2074, "Intel NUC 8", ALC233_FIXUP_INTEL_NUC8_DMIC),
SND_PCI_QUIRK(0x8086, 0x2080, "Intel NUC 8 Rugged", ALC256_FIXUP_INTEL_NUC8_RUGGED),
SND_PCI_QUIRK(0x8086, 0x2081, "Intel NUC 10", ALC256_FIXUP_INTEL_NUC10),
@@ -7758,6 +7782,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = {
{.id = ALC298_FIXUP_TPT470_DOCK_FIX, .name = "tpt470-dock-fix"},
{.id = ALC298_FIXUP_TPT470_DOCK, .name = "tpt470-dock"},
{.id = ALC233_FIXUP_LENOVO_MULTI_CODECS, .name = "dual-codecs"},
+ {.id = ALC233_FIXUP_STARLABS_STARFIGHTER, .name = "starlabs-starfighter"},
{.id = ALC700_FIXUP_INTEL_REFERENCE, .name = "alc700-ref"},
{.id = ALC269_FIXUP_SONY_VAIO, .name = "vaio"},
{.id = ALC269_FIXUP_DELL_M101Z, .name = "dell-m101z"},
--
2.51.0
* [PATCH 6.19 015/378] unshare: fix unshare_fs() handling
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 014/378] ALSA: hda/realtek: Fix speaker pop on Star Labs StarFighter Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 016/378] wifi: mac80211: set default WMM parameters on all links Greg Kroah-Hartman
` (369 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Al Viro, Waiman Long,
Christian Brauner, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 6c4b2243cb6c0755159bd567130d5e12e7b10d9f ]
There's an unpleasant corner case in unshare(2), when we have a
CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that
case copy_mnt_ns() gets passed current->fs instead of a private copy,
which causes interesting warts in proof of correctness]
> I guess if private means fs->users == 1, the condition could still be true.
Unfortunately, it's worse than just a convoluted proof of correctness.
Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS
(and current->fs->users == 1).
We pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and
flips current->fs->{pwd,root} to corresponding locations in the new namespace.
Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM).
We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's
destroyed and its mount tree is dissolved, but... current->fs->root and
current->fs->pwd are both left pointing to now detached mounts.
They are pinning those, so it's not a UAF, but it leaves the calling
process with unshare(2) failing with -ENOMEM _and_ leaving it with
pwd and root on detached isolated mounts. The last part is clearly a bug.
There is other fun related to that mess (races with pivot_root(), including
the one between pivot_root() and fork(), of all things), but this one
is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new
fs_struct even if it hadn't been shared in the first place". Sure, we could
go for something like "if both CLONE_NEWNS *and* one of the things that might
end up failing after copy_mnt_ns() call in create_new_namespaces() are set,
force allocation of new fs_struct", but let's keep it simple - the cost
of copy_fs_struct() is trivial.
Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets
a freshly allocated fs_struct, yet to be attached to anything. That
seriously simplifies the analysis...
FWIW, that bug had been there since the introduction of unshare(2) ;-/
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Link: https://patch.msgid.link/20260207082524.GE3183987@ZenIV
Tested-by: Waiman Long <longman@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/fork.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/fork.c b/kernel/fork.c
index b1f3915d5f8ec..68ccbaea7398a 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -3082,7 +3082,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
return 0;
/* don't need lock here; in the worst case we'll do useless copy */
- if (fs->users == 1)
+ if (!(unshare_flags & CLONE_NEWNS) && fs->users == 1)
return 0;
*new_fsp = copy_fs_struct(fs);
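Review bot: the retained comment `/* don't need lock here; in the worst case we'll do useless copy */` now describes only the `fs->users == 1` half of the condition; the new `!(unshare_flags & CLONE_NEWNS)` term changes behaviour on purpose and nothing in the code says why. A one-line comment that CLONE_NEWNS must always get a fresh fs_struct, so that a later failure in create_new_namespaces() cannot leave current->fs pointing at detached mounts, would keep this from being simplified back to the old test.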
--
2.51.0
* [PATCH 6.19 016/378] wifi: mac80211: set default WMM parameters on all links
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 015/378] unshare: fix unshare_fs() handling Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 017/378] ACPI: OSI: Add DMI quirk for Acer Aspire One D255 Greg Kroah-Hartman
` (368 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ramanathan Choodamani, Aishwarya R,
Johannes Berg, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ramanathan Choodamani <quic_rchoodam@quicinc.com>
[ Upstream commit 2259d14499d16b115ef8d5d2ddc867e2be7cb5b5 ]
Currently, mac80211 only initializes default WMM parameters
on the deflink during do_open(). For MLO cases, this
leaves the additional links without proper WMM defaults
if hostapd does not supply per-link WMM parameters, leading
to inconsistent QoS behavior across links.
Set default WMM parameters for each link during
ieee80211_vif_update_links(), because this ensures all
individual links in an MLD have valid WMM settings during
bring-up and behave consistently across different BSS.
Signed-off-by: Ramanathan Choodamani <quic_rchoodam@quicinc.com>
Signed-off-by: Aishwarya R <aishwarya.r@oss.qualcomm.com>
Link: https://patch.msgid.link/20260205094216.3093542-1-aishwarya.r@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/link.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/mac80211/link.c b/net/mac80211/link.c
index 1e05845872afc..b659497680b51 100644
--- a/net/mac80211/link.c
+++ b/net/mac80211/link.c
@@ -281,6 +281,7 @@ static int ieee80211_vif_update_links(struct ieee80211_sub_if_data *sdata,
struct ieee80211_bss_conf *old[IEEE80211_MLD_MAX_NUM_LINKS];
struct ieee80211_link_data *old_data[IEEE80211_MLD_MAX_NUM_LINKS];
bool use_deflink = old_links == 0; /* set for error case */
+ bool non_sta = sdata->vif.type != NL80211_IFTYPE_STATION;
lockdep_assert_wiphy(sdata->local->hw.wiphy);
@@ -337,6 +338,7 @@ static int ieee80211_vif_update_links(struct ieee80211_sub_if_data *sdata,
link = links[link_id];
ieee80211_link_init(sdata, link_id, &link->data, &link->conf);
ieee80211_link_setup(&link->data);
+ ieee80211_set_wmm_default(&link->data, true, non_sta);
}
if (new_links == 0)
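Review bot: `ieee80211_set_wmm_default(&link->data, true, non_sta);` runs inside the per-link init loop, before the `if (new_links == 0)` handling and before whatever failure handling the `use_deflink` comment ("set for error case") refers to; please confirm that applying defaults with the second argument `true` is safe for a link whose addition can still be undone later in this function. The bare `true` is also hard to read at the call site, and `non_sta` is computed at the top of the function for this single use, so a short comment on what the two booleans select would help.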
--
2.51.0
* [PATCH 6.19 017/378] ACPI: OSI: Add DMI quirk for Acer Aspire One D255
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 016/378] wifi: mac80211: set default WMM parameters on all links Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 018/378] scsi: ses: Fix devices attaching to different hosts Greg Kroah-Hartman
` (367 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sofia Schneider, Rafael J. Wysocki,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sofia Schneider <sofia@schn.dev>
[ Upstream commit 5ede90206273ff156a778254f0f972a55e973c89 ]
The screen backlight turns off during boot (specifically during udev device
initialization) when returning true for _OSI("Windows 2009").
Analyzing the device's DSDT reveals that the firmware takes a different
code path when Windows 7 is reported, which leads to the backlight shutoff.
Add a DMI quirk to invoke dmi_disable_osi_win7 for this model.
Signed-off-by: Sofia Schneider <sofia@schn.dev>
Link: https://patch.msgid.link/20260223025240.518509-1-sofia@schn.dev
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/osi.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/acpi/osi.c b/drivers/acpi/osi.c
index f2c943b934be0..9470f1830ff50 100644
--- a/drivers/acpi/osi.c
+++ b/drivers/acpi/osi.c
@@ -389,6 +389,19 @@ static const struct dmi_system_id acpi_osi_dmi_table[] __initconst = {
},
},
+ /*
+ * The screen backlight turns off during udev device creation
+ * when returning true for _OSI("Windows 2009")
+ */
+ {
+ .callback = dmi_disable_osi_win7,
+ .ident = "Acer Aspire One D255",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "AOD255"),
+ },
+ },
+
/*
* The wireless hotkey does not work on those machines when
* returning true for _OSI("Windows 2012")
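Review bot: `DMI_MATCH(DMI_PRODUCT_NAME, "AOD255")` is a substring match, so the quirk also fires for any product name that merely contains AOD255, such as a suffixed variant of the model; if only the exact model was tested, use DMI_EXACT_MATCH, otherwise say in the comment that variants are meant to be covered. The new comment says "udev device creation" while the commit message says "udev device initialization"; pick one wording.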
--
2.51.0
* [PATCH 6.19 018/378] scsi: ses: Fix devices attaching to different hosts
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 017/378] ACPI: OSI: Add DMI quirk for Acer Aspire One D255 Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 019/378] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table Greg Kroah-Hartman
` (366 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Jeffery, Tomas Henzl,
Martin K. Petersen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomas Henzl <thenzl@redhat.com>
[ Upstream commit 70ca8caa96ce473647054f5c7b9dab5423902402 ]
On a multipath SAS system some devices don't end up with correct symlinks
from the SCSI device to its enclosure. Some devices even have enclosure
links pointing to enclosures attached to different SCSI hosts.
ses_match_to_enclosure() calls enclosure_for_each_device() which iterates
over all enclosures on the system, not just enclosures attached to the
current SCSI host.
Replace the iteration with a direct call to ses_enclosure_find_by_addr().
Reviewed-by: David Jeffery <djeffery@redhat.com>
Signed-off-by: Tomas Henzl <thenzl@redhat.com>
Link: https://patch.msgid.link/20260210191850.36784-1-thenzl@redhat.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/ses.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 2c61624cb4b03..50e744e891295 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -529,9 +529,8 @@ struct efd {
};
static int ses_enclosure_find_by_addr(struct enclosure_device *edev,
- void *data)
+ struct efd *efd)
{
- struct efd *efd = data;
int i;
struct ses_component *scomp;
@@ -684,7 +683,7 @@ static void ses_match_to_enclosure(struct enclosure_device *edev,
if (efd.addr) {
efd.dev = &sdev->sdev_gendev;
- enclosure_for_each_device(ses_enclosure_find_by_addr, &efd);
+ ses_enclosure_find_by_addr(edev, &efd);
}
}
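Review bot: with the direct call `ses_enclosure_find_by_addr(edev, &efd);` the function's int return value is discarded, and it is no longer passed to enclosure_for_each_device() as a callback, so the `static int` in the first hunk can become `static void` while the signature is being changed anyway. Passing `edev` restricts the lookup to the enclosure handed to ses_match_to_enclosure(); the commit message should state that no caller depended on the old system-wide search to find a device behind another enclosure on the same host.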
--
2.51.0
* [PATCH 6.19 019/378] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 018/378] scsi: ses: Fix devices attaching to different hosts Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 020/378] ASoC: cs42l43: Report insert for exotic peripherals Greg Kroah-Hartman
` (365 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Azamat Almazbek uulu,
Vijendar Mukunda, Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Azamat Almazbek uulu <almazbek1608@gmail.com>
[ Upstream commit 32fc4168fa56f6301d858c778a3d712774e9657e ]
The ASUS ExpertBook BM1503CDA (Ryzen 5 7535U, Barcelo-R) has an
internal DMIC connected through the AMD ACP (Audio CoProcessor)
but is missing from the DMI quirk table, so the acp6x machine
driver probe returns -ENODEV and no DMIC capture device is created.
Add the DMI entry so the internal microphone works out of the box.
Signed-off-by: Azamat Almazbek uulu <almazbek1608@gmail.com>
Reviewed-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
Link: https://patch.msgid.link/20260221114813.5610-1-almazbek1608@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
index f1a63475100d1..7af4daeb4c6ff 100644
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -703,6 +703,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "Vivobook_ASUSLaptop M6501RR_M6501RR"),
}
},
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "ASUS EXPERTBOOK BM1503CDA"),
+ }
+ },
{}
};
--
2.51.0
* [PATCH 6.19 020/378] ASoC: cs42l43: Report insert for exotic peripherals
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 019/378] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 021/378] scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() Greg Kroah-Hartman
` (364 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Charles Keepax, Mark Brown,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Keepax <ckeepax@opensource.cirrus.com>
[ Upstream commit 6510e1324bcdc8caf21f6d17efe27604c48f0d64 ]
For some exotic peripherals the type detect can return a reserved value
of 0x4. This will currently return an error and not report anything to
user-space, update this to report the insert normally.
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20260223093616.3800350-1-ckeepax@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/cs42l43-jack.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/soc/codecs/cs42l43-jack.c b/sound/soc/codecs/cs42l43-jack.c
index b83bc4de1301d..3e04e6897b142 100644
--- a/sound/soc/codecs/cs42l43-jack.c
+++ b/sound/soc/codecs/cs42l43-jack.c
@@ -699,6 +699,7 @@ static int cs42l43_run_type_detect(struct cs42l43_codec *priv)
switch (type & CS42L43_HSDET_TYPE_STS_MASK) {
case 0x0: // CTIA
case 0x1: // OMTP
+ case 0x4:
return cs42l43_run_load_detect(priv, true);
case 0x2: // 3-pole
return cs42l43_run_load_detect(priv, false);
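Review bot: `case 0x4:` is the only label in this part of the switch without a trailing comment (the others carry `// CTIA`, `// OMTP`, `// 3-pole`); mark it as the reserved value the commit message describes so it is not taken for a typo. It is grouped with the cases that call cs42l43_run_load_detect(priv, true) rather than the 3-pole case that passes false, and the message does not say why that branch is the right one for an unidentified peripheral.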
--
2.51.0
* [PATCH 6.19 021/378] scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 020/378] ASoC: cs42l43: Report insert for exotic peripherals Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 022/378] scsi: ufs: core: Fix shift out of bounds when MAXQ=32 Greg Kroah-Hartman
` (363 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Wang, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Wang <peter.wang@mediatek.com>
[ Upstream commit 30df81f2228d65bddf492db3929d9fcaffd38fc5 ]
The kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL
pointer dereference when accessing hwq->id. This can happen if
ufshcd_mcq_req_to_hwq() returns NULL.
This patch adds a NULL check for hwq before accessing its id field to
prevent a kernel crash.
Kernel log excerpt:
[<ffffffd5d192dc4c>] notify_die+0x4c/0x8c
[<ffffffd5d1814e58>] __die+0x60/0xb0
[<ffffffd5d1814d64>] die+0x4c/0xe0
[<ffffffd5d181575c>] die_kernel_fault+0x74/0x88
[<ffffffd5d1864db4>] __do_kernel_fault+0x314/0x318
[<ffffffd5d2a3cdf8>] do_page_fault+0xa4/0x5f8
[<ffffffd5d2a3cd34>] do_translation_fault+0x34/0x54
[<ffffffd5d1864524>] do_mem_abort+0x50/0xa8
[<ffffffd5d2a297dc>] el1_abort+0x3c/0x64
[<ffffffd5d2a29718>] el1h_64_sync_handler+0x44/0xcc
[<ffffffd5d181133c>] el1h_64_sync+0x80/0x88
[<ffffffd5d255c1dc>] ufshcd_add_command_trace+0x23c/0x320
[<ffffffd5d255bad8>] ufshcd_compl_one_cqe+0xa4/0x404
[<ffffffd5d2572968>] ufshcd_mcq_poll_cqe_lock+0xac/0x104
[<ffffffd5d11c7460>] ufs_mtk_mcq_intr+0x54/0x74 [ufs_mediatek_mod]
[<ffffffd5d19ab92c>] __handle_irq_event_percpu+0xc8/0x348
[<ffffffd5d19abca8>] handle_irq_event+0x3c/0xa8
[<ffffffd5d19b1f0c>] handle_fasteoi_irq+0xf8/0x294
[<ffffffd5d19aa778>] generic_handle_domain_irq+0x54/0x80
[<ffffffd5d18102bc>] gic_handle_irq+0x1d4/0x330
[<ffffffd5d1838210>] call_on_irq_stack+0x44/0x68
[<ffffffd5d183af30>] do_interrupt_handler+0x78/0xd8
[<ffffffd5d2a29c00>] el1_interrupt+0x48/0xa8
[<ffffffd5d2a29ba8>] el1h_64_irq_handler+0x14/0x24
[<ffffffd5d18113c4>] el1h_64_irq+0x80/0x88
[<ffffffd5d2527fb4>] arch_local_irq_enable+0x4/0x1c
[<ffffffd5d25282e4>] cpuidle_enter+0x34/0x54
[<ffffffd5d195a678>] do_idle+0x1dc/0x2f8
[<ffffffd5d195a7c4>] cpu_startup_entry+0x30/0x3c
[<ffffffd5d18155c4>] secondary_start_kernel+0x134/0x1ac
[<ffffffd5d18640bc>] __secondary_switched+0xc4/0xcc
Signed-off-by: Peter Wang <peter.wang@mediatek.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260223065657.2432447-1-peter.wang@mediatek.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 6f9c5d7012812..d5628ed086381 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -516,8 +516,8 @@ static void ufshcd_add_command_trace(struct ufs_hba *hba, struct scsi_cmnd *cmd,
if (hba->mcq_enabled) {
struct ufs_hw_queue *hwq = ufshcd_mcq_req_to_hwq(hba, rq);
-
- hwq_id = hwq->id;
+ if (hwq)
+ hwq_id = hwq->id;
} else {
doorbell = ufshcd_readl(hba, REG_UTP_TRANSFER_REQ_DOOR_BELL);
}
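Review bot: when ufshcd_mcq_req_to_hwq() returns NULL, `hwq_id` keeps whatever value it was initialised with, and that initialiser is outside this hunk; check that it is a value the trace consumer can tell apart from a real queue id, or the event will be attributed to the wrong queue. The patch also deletes the blank line between the `struct ufs_hw_queue *hwq` declaration and the first statement, which kernel style keeps.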
--
2.51.0
* [PATCH 6.19 022/378] scsi: ufs: core: Fix shift out of bounds when MAXQ=32
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 021/378] scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 023/378] ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0 Greg Kroah-Hartman
` (362 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, wangshuaiwei, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: wangshuaiwei <wangshuaiwei1@xiaomi.com>
[ Upstream commit 2f38fd99c0004676d835ae96ac4f3b54edc02c82 ]
According to JESD223F, the maximum number of queues (MAXQ) is 32. When MCQ
is enabled and ESI is disabled, nr_hw_queues=32 causes a shift overflow
problem.
Fix this by using 64-bit intermediate values to handle the nr_hw_queues=32
case safely.
Signed-off-by: wangshuaiwei <wangshuaiwei1@xiaomi.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260224063228.50112-1-wangshuaiwei1@xiaomi.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index d5628ed086381..2048ebc86590e 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -7106,7 +7106,7 @@ static irqreturn_t ufshcd_handle_mcq_cq_events(struct ufs_hba *hba)
ret = ufshcd_vops_get_outstanding_cqs(hba, &outstanding_cqs);
if (ret)
- outstanding_cqs = (1U << hba->nr_hw_queues) - 1;
+ outstanding_cqs = (1ULL << hba->nr_hw_queues) - 1;
/* Exclude the poll queues */
nr_queues = hba->nr_hw_queues - hba->nr_queues[HCTX_TYPE_POLL];
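Review bot: the switch from `1U` to `1ULL` only yields the intended mask if `outstanding_cqs` can hold the result, and its declaration is not in this hunk; for nr_hw_queues == 32 the value is 0xffffffff, which survives truncation to a 32-bit variable, but that deserves a sentence in the commit message. A short comment that MAXQ may be 32 would also keep a later cleanup from narrowing the constant again.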
--
2.51.0
* [PATCH 6.19 023/378] ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 022/378] scsi: ufs: core: Fix shift out of bounds when MAXQ=32 Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 024/378] drm/amdgpu/vcn5: Add SMU dpm interface type Greg Kroah-Hartman
` (361 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit c5bf24c8aba1ff711226ee0f039ff01a5754692b ]
Although DIYINHK USB Audio 2.0 (ID 20b1:2009) shows the implicit
feedback source for the capture stream, this would cause several
problems for the playback. Namely, the device can get wMaxPacketSize
1024 for 24/32 bit format with 6 channels, and when a high sample rate
like 352.8kHz or 384kHz is played, the packet size overflows the max
limit. Also, the device has another two playback altsets, and those
aren't properly handled with the implicit feedback.
Since the device has been working well even before introducing the
implicit feedback, we can assume that it works fine in the async mode.
This patch adds the explicit skip of the implicit fb detection to make
the playback run in the async mode.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221076
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260225085233.316306-4-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index a89ea2233180a..caca0e586d832 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2363,6 +2363,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER),
DEVICE_FLG(0x2040, 0x7281, /* Hauppauge HVR-950Q-MXL */
QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER),
+ DEVICE_FLG(0x20b1, 0x2009, /* XMOS Ltd DIYINHK USB Audio 2.0 */
+ QUIRK_FLAG_SKIP_IMPLICIT_FB | QUIRK_FLAG_DSD_RAW),
DEVICE_FLG(0x2040, 0x8200, /* Hauppauge Woodbury */
QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER),
DEVICE_FLG(0x21b4, 0x0081, /* AudioQuest DragonFly */
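Review bot: the new `DEVICE_FLG(0x20b1, 0x2009, ...)` entry is inserted between the 0x2040:0x7281 and 0x2040:0x8200 entries, which breaks the ascending vendor/product order the surrounding lines follow; it belongs after the 0x2040 block, just before 0x21b4:0x0081. The entry also sets QUIRK_FLAG_DSD_RAW, which the commit message never mentions; say whether the flag is new for this device or carried over from elsewhere.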
--
2.51.0
* [PATCH 6.19 024/378] drm/amdgpu/vcn5: Add SMU dpm interface type
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 023/378] ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0 Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 025/378] ALSA: usb-audio: Check max frame size for implicit feedback mode, too Greg Kroah-Hartman
` (360 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, sguttula, Pratik Vishwakarma,
Alex Deucher, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: sguttula <suresh.guttula@amd.com>
[ Upstream commit a5fe1a54513196e4bc8f9170006057dc31e7155e ]
This will set AMDGPU_VCN_SMU_DPM_INTERFACE_* smu_type
based on soc type and fix the ring timeout issue seen
for the DPM enabled case.
Signed-off-by: sguttula <suresh.guttula@amd.com>
Reviewed-by: Pratik Vishwakarma <Pratik.Vishwakarma@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit f0f23c315b38c55e8ce9484cf59b65811f350630)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c
index 0202df5db1e12..6109124f852e5 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c
@@ -174,6 +174,10 @@ static int vcn_v5_0_0_sw_init(struct amdgpu_ip_block *ip_block)
fw_shared->present_flag_0 = cpu_to_le32(AMDGPU_FW_SHARED_FLAG_0_UNIFIED_QUEUE);
fw_shared->sq.is_enabled = 1;
+ fw_shared->present_flag_0 |= cpu_to_le32(AMDGPU_VCN_SMU_DPM_INTERFACE_FLAG);
+ fw_shared->smu_dpm_interface.smu_interface_type = (adev->flags & AMD_IS_APU) ?
+ AMDGPU_VCN_SMU_DPM_INTERFACE_APU : AMDGPU_VCN_SMU_DPM_INTERFACE_DGPU;
+
if (amdgpu_vcnfw_log)
amdgpu_vcn_fwlog_init(&adev->vcn.inst[i]);
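Review bot: `fw_shared->smu_dpm_interface.smu_interface_type` is assigned a raw value while `present_flag_0` on the line above goes through cpu_to_le32(); the field's type is not shown in this hunk, so if it is wider than one byte it needs the same conversion to be correct on big-endian hosts. The commit message says the type is chosen by SoC type, but the only input here is `adev->flags & AMD_IS_APU`; stating that in the message would match the code.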
--
2.51.0
* [PATCH 6.19 025/378] ALSA: usb-audio: Check max frame size for implicit feedback mode, too
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 024/378] drm/amdgpu/vcn5: Add SMU dpm interface type Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 026/378] nfs: return EISDIR on nfs3_proc_create if d_alias is a dir Greg Kroah-Hartman
` (359 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 7cb2a5422f5bbdf1cf32eae0eda41000485b9346 ]
When the packet sizes are taken from the capture stream in the
implicit feedback mode, the sizes might be larger than the upper
boundary defined by the descriptor. As already done for other
transfer modes, we have to cap the sizes accordingly at sending,
otherwise this would lead to an error in USB core at submission of
URBs.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221076
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260225085233.316306-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/endpoint.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
index 686f095290673..1a020ea558755 100644
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -221,6 +221,7 @@ int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep,
packet = ctx->packet_size[idx];
if (packet) {
+ packet = min(packet, ep->maxframesize);
if (avail && packet >= avail)
return -EAGAIN;
return packet;
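Review bot: The added min() in the `if (packet)` branch clamps silently. In implicit feedback mode the size comes from the capture stream, so whenever it exceeds ep->maxframesize the playback side now sends fewer frames than the capture side reported, and nothing records that it happened. A ratelimited debug print at the clamp would make such devices visible in logs, and a one-line comment saying the cap mirrors the other transfer modes would help, since that reasoning currently lives only in the commit message.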
--
2.51.0
* [PATCH 6.19 026/378] nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olga Kornievskaia, Scott Mayhew,
Roberto Bergantinos Corpas, Anna Schumaker, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roberto Bergantinos Corpas <rbergant@redhat.com>
[ Upstream commit 410666a298c34ebd57256fde6b24c96bd23059a2 ]
If we found an alias through nfs3_do_create/nfs_add_or_obtain
/d_splice_alias which happens to be a dir dentry, we don't return
any error, and simply forget about this alias, but the original
dentry we were adding and passed as parameter remains negative.
This later causes an oops on nfs_atomic_open_v23/finish_open since we
supply a negative dentry to do_dentry_open.
This has been observed running lustre-racer, where dirs and files are
created/removed concurrently with the same name and O_EXCL is not
used to open files (frequent file redirection).
While d_splice_alias typically returns a directory alias or NULL, we
explicitly check d_is_dir() to ensure that we don't attempt to perform
file operations (like finish_open) on a directory inode, which triggers
the observed oops.
Fixes: 7c6c5249f061 ("NFS: add atomic_open for NFSv3 to handle O_TRUNC correctly.")
Reviewed-by: Olga Kornievskaia <okorniev@redhat.com>
Reviewed-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/nfs3proc.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/nfs/nfs3proc.c b/fs/nfs/nfs3proc.c
index 1181f9cc6dbdb..f8bc9bffdad90 100644
--- a/fs/nfs/nfs3proc.c
+++ b/fs/nfs/nfs3proc.c
@@ -392,8 +392,13 @@ nfs3_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
if (status != 0)
goto out_release_acls;
- if (d_alias)
+ if (d_alias) {
+ if (d_is_dir(d_alias)) {
+ status = -EISDIR;
+ goto out_dput;
+ }
dentry = d_alias;
+ }
/* When we created the file with exclusive semantics, make
* sure we set the attributes afterwards. */
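Review bot: The new d_is_dir(d_alias) branch has no comment, and the reason a directory alias can appear after a successful create (concurrent create/remove of the same name, per the commit message) is not obvious from the code alone. Please add a one-line comment above the check. The out_dput label is also outside the visible context: confirm that it drops the d_alias reference, since on this path dentry is never switched to d_alias.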
--
2.51.0
* [PATCH 6.19 027/378] drm/msm/dpu: Fix LM size on a number of platforms
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Abel Vesa,
Dmitry Baryshkov, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit f7bf1319739291067b2bc4b22bd56336afad8f0a ]
The register space has grown with what seems to be DPU8.
Bump up the .len to match.
Fixes: e3b1f369db5a ("drm/msm/dpu: Add X1E80100 support")
Fixes: 4a352c2fc15a ("drm/msm/dpu: Introduce SC8280XP")
Fixes: efcd0107727c ("drm/msm/dpu: add support for SM8550")
Fixes: 100d7ef6995d ("drm/msm/dpu: add support for SM8450")
Fixes: 178575173472 ("drm/msm/dpu: add catalog entry for SAR2130P")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/701063/
Link: https://lore.kernel.org/r/20260127-topic-lm_size_fix-v1-1-25f88d014dfd@oss.qualcomm.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/msm/disp/dpu1/catalog/dpu_8_0_sc8280xp.h | 12 ++++++------
.../gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h | 12 ++++++------
.../gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h | 12 ++++++------
.../gpu/drm/msm/disp/dpu1/catalog/dpu_9_1_sar2130p.h | 12 ++++++------
.../gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h | 12 ++++++------
5 files changed, 30 insertions(+), 30 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_0_sc8280xp.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_0_sc8280xp.h
index 303d33dc7783a..9f2bceca1789e 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_0_sc8280xp.h
+++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_0_sc8280xp.h
@@ -133,7 +133,7 @@ static const struct dpu_sspp_cfg sc8280xp_sspp[] = {
static const struct dpu_lm_cfg sc8280xp_lm[] = {
{
.name = "lm_0", .id = LM_0,
- .base = 0x44000, .len = 0x320,
+ .base = 0x44000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_1,
@@ -141,7 +141,7 @@ static const struct dpu_lm_cfg sc8280xp_lm[] = {
.dspp = DSPP_0,
}, {
.name = "lm_1", .id = LM_1,
- .base = 0x45000, .len = 0x320,
+ .base = 0x45000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_0,
@@ -149,7 +149,7 @@ static const struct dpu_lm_cfg sc8280xp_lm[] = {
.dspp = DSPP_1,
}, {
.name = "lm_2", .id = LM_2,
- .base = 0x46000, .len = 0x320,
+ .base = 0x46000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_3,
@@ -157,7 +157,7 @@ static const struct dpu_lm_cfg sc8280xp_lm[] = {
.dspp = DSPP_2,
}, {
.name = "lm_3", .id = LM_3,
- .base = 0x47000, .len = 0x320,
+ .base = 0x47000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_2,
@@ -165,14 +165,14 @@ static const struct dpu_lm_cfg sc8280xp_lm[] = {
.dspp = DSPP_3,
}, {
.name = "lm_4", .id = LM_4,
- .base = 0x48000, .len = 0x320,
+ .base = 0x48000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_5,
.pingpong = PINGPONG_4,
}, {
.name = "lm_5", .id = LM_5,
- .base = 0x49000, .len = 0x320,
+ .base = 0x49000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_4,
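Review bot: Every entry in sc8280xp_lm[] changes the same bare literal, `.len = 0x320` to `.len = 0x400`, and the four other catalog files in this patch repeat the edit. The commit message only says the register space has grown "with what seems to be DPU8", so the origin of 0x400 is not recorded anywhere in the code. A named constant for the LM block length, with a comment stating which DPU revisions it applies to, would keep the six entries per file from drifting apart again.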
diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h
index b09a6af4c474a..04b22167f93d6 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h
+++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h
@@ -134,7 +134,7 @@ static const struct dpu_sspp_cfg sm8450_sspp[] = {
static const struct dpu_lm_cfg sm8450_lm[] = {
{
.name = "lm_0", .id = LM_0,
- .base = 0x44000, .len = 0x320,
+ .base = 0x44000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_1,
@@ -142,7 +142,7 @@ static const struct dpu_lm_cfg sm8450_lm[] = {
.dspp = DSPP_0,
}, {
.name = "lm_1", .id = LM_1,
- .base = 0x45000, .len = 0x320,
+ .base = 0x45000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_0,
@@ -150,7 +150,7 @@ static const struct dpu_lm_cfg sm8450_lm[] = {
.dspp = DSPP_1,
}, {
.name = "lm_2", .id = LM_2,
- .base = 0x46000, .len = 0x320,
+ .base = 0x46000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_3,
@@ -158,7 +158,7 @@ static const struct dpu_lm_cfg sm8450_lm[] = {
.dspp = DSPP_2,
}, {
.name = "lm_3", .id = LM_3,
- .base = 0x47000, .len = 0x320,
+ .base = 0x47000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_2,
@@ -166,14 +166,14 @@ static const struct dpu_lm_cfg sm8450_lm[] = {
.dspp = DSPP_3,
}, {
.name = "lm_4", .id = LM_4,
- .base = 0x48000, .len = 0x320,
+ .base = 0x48000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_5,
.pingpong = PINGPONG_4,
}, {
.name = "lm_5", .id = LM_5,
- .base = 0x49000, .len = 0x320,
+ .base = 0x49000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_4,
diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h
index 465b6460f8754..4c7eb55d474c5 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h
+++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h
@@ -131,7 +131,7 @@ static const struct dpu_sspp_cfg sm8550_sspp[] = {
static const struct dpu_lm_cfg sm8550_lm[] = {
{
.name = "lm_0", .id = LM_0,
- .base = 0x44000, .len = 0x320,
+ .base = 0x44000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_1,
@@ -139,7 +139,7 @@ static const struct dpu_lm_cfg sm8550_lm[] = {
.dspp = DSPP_0,
}, {
.name = "lm_1", .id = LM_1,
- .base = 0x45000, .len = 0x320,
+ .base = 0x45000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_0,
@@ -147,7 +147,7 @@ static const struct dpu_lm_cfg sm8550_lm[] = {
.dspp = DSPP_1,
}, {
.name = "lm_2", .id = LM_2,
- .base = 0x46000, .len = 0x320,
+ .base = 0x46000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_3,
@@ -155,7 +155,7 @@ static const struct dpu_lm_cfg sm8550_lm[] = {
.dspp = DSPP_2,
}, {
.name = "lm_3", .id = LM_3,
- .base = 0x47000, .len = 0x320,
+ .base = 0x47000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_2,
@@ -163,14 +163,14 @@ static const struct dpu_lm_cfg sm8550_lm[] = {
.dspp = DSPP_3,
}, {
.name = "lm_4", .id = LM_4,
- .base = 0x48000, .len = 0x320,
+ .base = 0x48000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_5,
.pingpong = PINGPONG_4,
}, {
.name = "lm_5", .id = LM_5,
- .base = 0x49000, .len = 0x320,
+ .base = 0x49000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_4,
diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_1_sar2130p.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_1_sar2130p.h
index 6caa7d40f3688..dec83ea8167d1 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_1_sar2130p.h
+++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_1_sar2130p.h
@@ -131,7 +131,7 @@ static const struct dpu_sspp_cfg sar2130p_sspp[] = {
static const struct dpu_lm_cfg sar2130p_lm[] = {
{
.name = "lm_0", .id = LM_0,
- .base = 0x44000, .len = 0x320,
+ .base = 0x44000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_1,
@@ -139,7 +139,7 @@ static const struct dpu_lm_cfg sar2130p_lm[] = {
.dspp = DSPP_0,
}, {
.name = "lm_1", .id = LM_1,
- .base = 0x45000, .len = 0x320,
+ .base = 0x45000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_0,
@@ -147,7 +147,7 @@ static const struct dpu_lm_cfg sar2130p_lm[] = {
.dspp = DSPP_1,
}, {
.name = "lm_2", .id = LM_2,
- .base = 0x46000, .len = 0x320,
+ .base = 0x46000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_3,
@@ -155,7 +155,7 @@ static const struct dpu_lm_cfg sar2130p_lm[] = {
.dspp = DSPP_2,
}, {
.name = "lm_3", .id = LM_3,
- .base = 0x47000, .len = 0x320,
+ .base = 0x47000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_2,
@@ -163,14 +163,14 @@ static const struct dpu_lm_cfg sar2130p_lm[] = {
.dspp = DSPP_3,
}, {
.name = "lm_4", .id = LM_4,
- .base = 0x48000, .len = 0x320,
+ .base = 0x48000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_5,
.pingpong = PINGPONG_4,
}, {
.name = "lm_5", .id = LM_5,
- .base = 0x49000, .len = 0x320,
+ .base = 0x49000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_4,
diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h
index 7243eebb85f36..52ff4baa668a4 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h
+++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h
@@ -130,7 +130,7 @@ static const struct dpu_sspp_cfg x1e80100_sspp[] = {
static const struct dpu_lm_cfg x1e80100_lm[] = {
{
.name = "lm_0", .id = LM_0,
- .base = 0x44000, .len = 0x320,
+ .base = 0x44000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_1,
@@ -138,7 +138,7 @@ static const struct dpu_lm_cfg x1e80100_lm[] = {
.dspp = DSPP_0,
}, {
.name = "lm_1", .id = LM_1,
- .base = 0x45000, .len = 0x320,
+ .base = 0x45000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_0,
@@ -146,7 +146,7 @@ static const struct dpu_lm_cfg x1e80100_lm[] = {
.dspp = DSPP_1,
}, {
.name = "lm_2", .id = LM_2,
- .base = 0x46000, .len = 0x320,
+ .base = 0x46000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_3,
@@ -154,7 +154,7 @@ static const struct dpu_lm_cfg x1e80100_lm[] = {
.dspp = DSPP_2,
}, {
.name = "lm_3", .id = LM_3,
- .base = 0x47000, .len = 0x320,
+ .base = 0x47000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_2,
@@ -162,14 +162,14 @@ static const struct dpu_lm_cfg x1e80100_lm[] = {
.dspp = DSPP_3,
}, {
.name = "lm_4", .id = LM_4,
- .base = 0x48000, .len = 0x320,
+ .base = 0x48000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_5,
.pingpong = PINGPONG_4,
}, {
.name = "lm_5", .id = LM_5,
- .base = 0x49000, .len = 0x320,
+ .base = 0x49000, .len = 0x400,
.features = MIXER_MSM8998_MASK,
.sblk = &sdm845_lm_sblk,
.lm_pair = LM_4,
--
2.51.0
* [PATCH 6.19 028/378] drm/msm/dsi: fix hdisplay calculation when programming dsi registers
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengyu Luo, Dmitry Baryshkov,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengyu Luo <mitltlatltl@gmail.com>
[ Upstream commit ac47870fd795549f03d57e0879fc730c79119f4b ]
Recently, the hdisplay calculation is working for 3:1 compressed ratio
only. If we have a video panel with DSC BPP = 8, and BPC = 10, we still
use the default bits_per_pclk = 24, then we get the wrong hdisplay. We
can draw the conclusion by cross-comparing the calculation with the
calculation in dsi_adjust_pclk_for_compression().
Since CMD mode does not use this, we can remove
!(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO) safely.
Fixes: efcbd6f9cdeb ("drm/msm/dsi: Enable widebus for DSI")
Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/704822/
Link: https://lore.kernel.org/r/20260214105145.105308-1-mitltlatltl@gmail.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/dsi_host.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
index e0de545d40775..e8e83ee61eb09 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
@@ -993,7 +993,7 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
if (msm_host->dsc) {
struct drm_dsc_config *dsc = msm_host->dsc;
- u32 bytes_per_pclk;
+ u32 bits_per_pclk;
/* update dsc params with timing params */
if (!dsc || !mode->hdisplay || !mode->vdisplay) {
@@ -1015,7 +1015,9 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
/*
* DPU sends 3 bytes per pclk cycle to DSI. If widebus is
- * enabled, bus width is extended to 6 bytes.
+ * enabled, MDP always sends out 48-bit compressed data per
+ * pclk and on average, DSI consumes an amount of compressed
+ * data equivalent to the uncompressed pixel depth per pclk.
*
* Calculate the number of pclks needed to transmit one line of
* the compressed data.
@@ -1027,12 +1029,12 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
* unused anyway.
*/
h_total -= hdisplay;
- if (wide_bus_enabled && !(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO))
- bytes_per_pclk = 6;
+ if (wide_bus_enabled)
+ bits_per_pclk = mipi_dsi_pixel_format_to_bpp(msm_host->format);
else
- bytes_per_pclk = 3;
+ bits_per_pclk = 24;
- hdisplay = DIV_ROUND_UP(msm_dsc_get_bytes_per_line(msm_host->dsc), bytes_per_pclk);
+ hdisplay = DIV_ROUND_UP(msm_dsc_get_bytes_per_line(msm_host->dsc) * 8, bits_per_pclk);
h_total += hdisplay;
ha_end = ha_start + hdisplay;
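Review bot: In the `if (wide_bus_enabled)` branch the result of mipi_dsi_pixel_format_to_bpp() is stored straight into the u32 bits_per_pclk and then used as the divisor in DIV_ROUND_UP(). That helper returns an int and reports an unrecognised format as a negative value, which would turn into a very large unsigned divisor here and collapse hdisplay. Either check the return value before the division, or state in a comment why msm_host->format is always valid at this point.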
--
2.51.0
* [PATCH 6.19 029/378] xprtrdma: Decrement re_receiving on the early exit paths
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Badger, Chuck Lever,
Anna Schumaker, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Badger <ebadger@purestorage.com>
[ Upstream commit 7b6275c80a0c81c5f8943272292dfe67730ce849 ]
In the event that rpcrdma_post_recvs() fails to create a work request
(due to memory allocation failure, say) or otherwise exits early, we
should decrement ep->re_receiving before returning. Otherwise we will
hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and
the completion will never be triggered.
On a system with high memory pressure, this can appear as the following
hung task:
INFO: task kworker/u385:17:8393 blocked for more than 122 seconds.
Tainted: G S E 6.19.0 #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000
Workqueue: xprtiod xprt_autoclose [sunrpc]
Call Trace:
<TASK>
__schedule+0x48b/0x18b0
? ib_post_send_mad+0x247/0xae0 [ib_core]
schedule+0x27/0xf0
schedule_timeout+0x104/0x110
__wait_for_common+0x98/0x180
? __pfx_schedule_timeout+0x10/0x10
wait_for_completion+0x24/0x40
rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma]
xprt_rdma_close+0x12/0x40 [rpcrdma]
xprt_autoclose+0x5f/0x120 [sunrpc]
process_one_work+0x191/0x3e0
worker_thread+0x2e3/0x420
? __pfx_worker_thread+0x10/0x10
kthread+0x10d/0x230
? __pfx_kthread+0x10/0x10
ret_from_fork+0x273/0x2b0
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
Fixes: 15788d1d1077 ("xprtrdma: Do not refresh Receive Queue while it is draining")
Signed-off-by: Eric Badger <ebadger@purestorage.com>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/xprtrdma/verbs.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index 63262ef0c2e3a..8abbd9c4045a4 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -1362,7 +1362,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed)
needed += RPCRDMA_MAX_RECV_BATCH;
if (atomic_inc_return(&ep->re_receiving) > 1)
- goto out;
+ goto out_dec;
/* fast path: all needed reps can be found on the free list */
wr = NULL;
@@ -1385,7 +1385,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed)
++count;
}
if (!wr)
- goto out;
+ goto out_dec;
rc = ib_post_recv(ep->re_id->qp, wr,
(const struct ib_recv_wr **)&bad_wr);
@@ -1400,9 +1400,10 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed)
--count;
}
}
+
+out_dec:
if (atomic_dec_return(&ep->re_receiving) > 0)
complete(&ep->re_done);
-
out:
trace_xprtrdma_post_recvs(r_xprt, count);
ep->re_receive_count += count;
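Review bot: At the new out_dec label, a caller that arrived from the `atomic_inc_return(&ep->re_receiving) > 1` check now also runs `if (atomic_dec_return(&ep->re_receiving) > 0) complete(&ep->re_done);`. If the other holder of the count is still active, that caller signals re_done even though it posted nothing itself. Please confirm that an extra complete() is harmless for the waiter in rpcrdma_xprt_drain(), and record that in a comment at out_dec.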
--
2.51.0
* [PATCH 6.19 030/378] btrfs: hold space_info->lock when clearing periodic reclaim ready
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Mason, Boris Burkov,
Sun YangKai, David Sterba, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sun YangKai <sunk67188@gmail.com>
[ Upstream commit b8883b61f2fc50dcf22938cbed40fec05020552f ]
btrfs_set_periodic_reclaim_ready() requires space_info->lock to be held,
as enforced by lockdep_assert_held(). However, btrfs_reclaim_sweep() was
calling it after do_reclaim_sweep() returns, at which point
space_info->lock is no longer held.
Fix this by explicitly acquiring space_info->lock before clearing the
periodic reclaim ready flag in btrfs_reclaim_sweep().
Reported-by: Chris Mason <clm@meta.com>
Link: https://lore.kernel.org/linux-btrfs/20260208182556.891815-1-clm@meta.com/
Fixes: 19eff93dc738 ("btrfs: fix periodic reclaim condition")
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Sun YangKai <sunk67188@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/space-info.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
index 30aedf596b548..13b2bbe674308 100644
--- a/fs/btrfs/space-info.c
+++ b/fs/btrfs/space-info.c
@@ -2196,8 +2196,11 @@ void btrfs_reclaim_sweep(const struct btrfs_fs_info *fs_info)
if (!btrfs_should_periodic_reclaim(space_info))
continue;
for (raid = 0; raid < BTRFS_NR_RAID_TYPES; raid++) {
- if (do_reclaim_sweep(space_info, raid))
+ if (do_reclaim_sweep(space_info, raid)) {
+ spin_lock(&space_info->lock);
btrfs_set_periodic_reclaim_ready(space_info, false);
+ spin_unlock(&space_info->lock);
+ }
}
}
}
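Review bot: The spin_lock()/spin_unlock() pair sits inside the `for (raid = 0; ...)` loop, so space_info->lock is taken once for every RAID type whose sweep returns true, each time only to clear the same flag. Recording the result in a local bool and calling btrfs_set_periodic_reclaim_ready(space_info, false) once after the loop, under a single lock acquisition, gives the same end state with fewer lock round trips.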
--
2.51.0
* [PATCH 6.19 031/378] drm/msm/a6xx: Fix the bogus protect error on X2-85
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akhil P Oommen, Konrad Dybcio,
Rob Clark, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
[ Upstream commit 20f644f42e3b8e729d3c3199d48e75c0b257de8f ]
Update the X2-85 gpu's register protect count configuration with the
correct count_max value to avoid blocking the entire MMIO region from the
UMD.
Protect configurations are a bit complicated on A8xx. There are 2 sets of
protect registers with different counts: Global and Pipe-specific. The
last-span-unbound feature is available only on the Pipe-specific protect
registers. Due to this, we cannot use the BUILD_BUG sanity check for A8x
protect configurations, so remove the A840 entry from there.
Fixes: 01ff3bf27215 ("drm/msm/a8xx: Add support for Adreno X2-85 GPU")
Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/706944/
Message-ID: <20260225-glymur-protect-fix-v1-1-0deddedf9277@oss.qualcomm.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/adreno/a6xx_catalog.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/msm/adreno/a6xx_catalog.c b/drivers/gpu/drm/msm/adreno/a6xx_catalog.c
index 550a53a7865eb..38561f26837e3 100644
--- a/drivers/gpu/drm/msm/adreno/a6xx_catalog.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_catalog.c
@@ -1759,7 +1759,7 @@ static const u32 x285_protect_regs[] = {
A6XX_PROTECT_NORDWR(0x27c06, 0x0000),
};
-DECLARE_ADRENO_PROTECT(x285_protect, 64);
+DECLARE_ADRENO_PROTECT(x285_protect, 15);
static const struct adreno_reglist_pipe a840_nonctxt_regs[] = {
{ REG_A8XX_CP_SMMU_STREAM_ID_LPAC, 0x00000101, BIT(PIPE_NONE) },
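Review bot: DECLARE_ADRENO_PROTECT(x285_protect, 15) replaces one bare number with another. The commit message explains that A8xx has global and pipe-specific protect registers with different counts, but nothing on this line says which of the two the 15 refers to. A short comment naming the register set would let the next reader check the value.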
@@ -1966,5 +1966,4 @@ static inline __always_unused void __build_asserts(void)
BUILD_BUG_ON(a660_protect.count > a660_protect.count_max);
BUILD_BUG_ON(a690_protect.count > a690_protect.count_max);
BUILD_BUG_ON(a730_protect.count > a730_protect.count_max);
- BUILD_BUG_ON(a840_protect.count > a840_protect.count_max);
}
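Review bot: Dropping the a840_protect line from __build_asserts() leaves the A8xx tables with no count versus count_max check at build time, and nothing in the function says why that entry is absent. Please add a comment here recording that last-span-unbound applies only to the pipe-specific protect registers on A8xx, so the omission is not read as an oversight. The first hunk changes x285_protect while this one removes the a840_protect assert, so a word in the commit message on how the two tables relate would also help.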
--
2.51.0
* [PATCH 6.19 032/378] workqueue: Use POOL_BH instead of WQ_BH when checking pool flags
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Song Liu, Tejun Heo,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit f42f9091be9e5ff57567a3945cfcdd498f475348 ]
pr_cont_worker_id() checks pool->flags against WQ_BH, which is a
workqueue-level flag (defined in workqueue.h). Pool flags use a
separate namespace with POOL_* constants (defined in workqueue.c).
The correct constant is POOL_BH. Both WQ_BH and POOL_BH are defined
as (1 << 0) so this has no behavioral impact, but it is semantically
wrong and inconsistent with every other pool-level BH check in the
file.
Fixes: 4cb1ef64609f ("workqueue: Implement BH workqueues to eventually replace tasklets")
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/workqueue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 2909c19540ed1..a4574c1e276aa 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -6254,7 +6254,7 @@ static void pr_cont_worker_id(struct worker *worker)
{
struct worker_pool *pool = worker->pool;
- if (pool->flags & WQ_BH)
+ if (pool->flags & POOL_BH)
pr_cont("bh%s",
pool->attrs->nice == HIGHPRI_NICE_LEVEL ? "-hi" : "");
else
--
2.51.0
* [PATCH 6.19 033/378] perf disasm: Fix off-by-one bug in outside check
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Peter Collingbourne,
Adrian Hunter, Alexander Shishkin, Bill Wendling, Ingo Molnar,
James Clark, Jiri Olsa, Justin Stitt, Mark Rutland, Namhyung Kim,
Nathan Chancellor, Nick Desaulniers, Peter Zijlstra,
Arnaldo Carvalho de Melo, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Collingbourne <pcc@google.com>
[ Upstream commit b3ce769203a99d6f3c6d6269ec09232a8c5da422 ]
If a branch target points to one past the end of a function, the branch
should be treated as a branch to another function.
This can happen e.g. with a tail call to a function that is laid out
immediately after the caller.
Fixes: 751b1783da784299 ("perf annotate: Mark jumps to outher functions with the call arrow")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Peter Collingbourne <pcc@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Bill Wendling <morbo@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://linux-review.googlesource.com/id/Ide471112e82d68177e0faf08ca411d9fcf0a7bdf
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/disasm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/util/disasm.c b/tools/perf/util/disasm.c
index 88706b98b9064..b1be847446fea 100644
--- a/tools/perf/util/disasm.c
+++ b/tools/perf/util/disasm.c
@@ -412,7 +412,7 @@ static int jump__parse(struct arch *arch, struct ins_operands *ops, struct map_s
start = map__unmap_ip(map, sym->start);
end = map__unmap_ip(map, sym->end);
- ops->target.outside = target.addr < start || target.addr > end;
+ ops->target.outside = target.addr < start || target.addr >= end;
/*
* FIXME: things like this in _cpp_lex_token (gcc's cc1 program):
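Review bot: The new "target.addr >= end" test in jump__parse() assumes that end (from sym->end) is exclusive, and nothing near the comparison says so. With that assumption, a symbol whose start equals end now has every target marked outside, including a branch to its own start address, where the old "> end" test kept it inside. Suggest a short comment on the line stating that end is one past the last byte of the function, and a check that zero-sized symbols either cannot reach this path or are meant to be classified this way.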
--
2.51.0
* [PATCH 6.19 034/378] drm/msm/a8xx: Fix ubwc config related to swizzling
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 033/378] perf disasm: Fix off-by-one bug in outside check Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 035/378] dt-bindings: display/msm: qcom,sm8750-mdss: Fix model typo Greg Kroah-Hartman
` (350 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akhil P Oommen, Dmitry Baryshkov,
Rob Clark, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
[ Upstream commit 7e459c41264fdd87b096ede8da796a302d569722 ]
To disable l2/l3 swizzling in A8x, set the respective bits in both
GRAS_NC_MODE_CNTL and RB_CCU_NC_MODE_CNTL registers. This is required
for Glymur where it is recommended to keep l2/l3 swizzling disabled.
Fixes: 288a93200892 ("drm/msm/adreno: Introduce A8x GPU Support")
Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
Message-ID: <20260305-a8xx-ubwc-fix-v1-1-d99b6da4c5a9@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/adreno/a8xx_gpu.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/msm/adreno/a8xx_gpu.c b/drivers/gpu/drm/msm/adreno/a8xx_gpu.c
index 30de078e9dfd2..3b17ddac07532 100644
--- a/drivers/gpu/drm/msm/adreno/a8xx_gpu.c
+++ b/drivers/gpu/drm/msm/adreno/a8xx_gpu.c
@@ -306,11 +306,21 @@ static void a8xx_set_ubwc_config(struct msm_gpu *gpu)
hbb = cfg->highest_bank_bit - 13;
hbb_hi = hbb >> 2;
hbb_lo = hbb & 3;
- a8xx_write_pipe(gpu, PIPE_BV, REG_A8XX_GRAS_NC_MODE_CNTL, hbb << 5);
- a8xx_write_pipe(gpu, PIPE_BR, REG_A8XX_GRAS_NC_MODE_CNTL, hbb << 5);
+
+ a8xx_write_pipe(gpu, PIPE_BV, REG_A8XX_GRAS_NC_MODE_CNTL,
+ hbb << 5 |
+ level3_swizzling_dis << 4 |
+ level2_swizzling_dis << 3);
+
+ a8xx_write_pipe(gpu, PIPE_BR, REG_A8XX_GRAS_NC_MODE_CNTL,
+ hbb << 5 |
+ level3_swizzling_dis << 4 |
+ level2_swizzling_dis << 3);
a8xx_write_pipe(gpu, PIPE_BR, REG_A8XX_RB_CCU_NC_MODE_CNTL,
yuvnotcomptofc << 6 |
+ level3_swizzling_dis << 5 |
+ level2_swizzling_dis << 4 |
hbb_hi << 3 |
hbb_lo << 1);
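Review bot: The two GRAS_NC_MODE_CNTL writes for PIPE_BV and PIPE_BR now carry the same three-term expression, so the next field added has to be edited in two places. Suggest computing the value once into a local and passing it to both a8xx_write_pipe() calls. The hunk also places level3_swizzling_dis and level2_swizzling_dis in single-bit positions next to hbb (bits 4 and 3 here, bits 5 and 4 in RB_CCU_NC_MODE_CNTL) without showing their declarations; if they are not bool or otherwise limited to 0 or 1, a larger value would spill into the neighbouring field, so that is worth confirming where they are assigned.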
--
2.51.0
* [PATCH 6.19 035/378] dt-bindings: display/msm: qcom,sm8750-mdss: Fix model typo
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 034/378] drm/msm/a8xx: Fix ubwc config related to swizzling Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 036/378] net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets Greg Kroah-Hartman
` (349 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Dmitry Baryshkov, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
[ Upstream commit 4355b13d46f696d687f42b982efed7570e03e532 ]
Fix obvious model typo (SM8650->SM8750) in the description.
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Fixes: 6b93840116df ("dt-bindings: display/msm: qcom,sm8750-mdss: Add SM8750")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/707192/
Link: https://lore.kernel.org/r/20260225173419.125565-2-krzysztof.kozlowski@oss.qualcomm.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml b/Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml
index d55fda9a523e2..a38c2261ef1ac 100644
--- a/Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml
+++ b/Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml
@@ -10,7 +10,7 @@ maintainers:
- Krzysztof Kozlowski <krzk@kernel.org>
description:
- SM8650 MSM Mobile Display Subsystem(MDSS), which encapsulates sub-blocks like
+ SM8750 MSM Mobile Display Subsystem(MDSS), which encapsulates sub-blocks like
DPU display controller, DSI and DP interfaces etc.
$ref: /schemas/display/msm/mdss-common.yaml#
--
2.51.0
* [PATCH 6.19 036/378] net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 035/378] dt-bindings: display/msm: qcom,sm8750-mdss: Fix model typo Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 037/378] drm/msm/dsi: fix pclk rate calculation for bonded dsi Greg Kroah-Hartman
` (348 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mieczyslaw Nalewaj,
Luiz Angelo Daros de Luca, Simon Horman, Linus Walleij,
Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mieczyslaw Nalewaj <namiltd@yahoo.com>
[ Upstream commit f76a93241d71fbba8425e3967097b498c29264ed ]
rx_packets should report the number of frames successfully received:
unicast + multicast + broadcast. Subtracting ifOutDiscards (a TX
counter) is incorrect and can undercount RX packets. RX drops are
already reported via rx_dropped (e.g. etherStatsDropEvents), so
there is no need to adjust rx_packets.
This patch removes the subtraction of ifOutDiscards from rx_packets
in rtl8365mb_stats_update().
Link: https://lore.kernel.org/netdev/878777925.105015.1763423928520@mail.yahoo.com/
Fixes: 4af2950c50c8 ("net: dsa: realtek-smi: add rtl8365mb subdriver for RTL8365MB-VC")
Signed-off-by: Mieczyslaw Nalewaj <namiltd@yahoo.com>
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20260303-realtek_namiltd_fix2-v1-1-bfa433d3401e@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/realtek/rtl8365mb.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/dsa/realtek/rtl8365mb.c b/drivers/net/dsa/realtek/rtl8365mb.c
index f938a3f701cc9..31fa94dac627d 100644
--- a/drivers/net/dsa/realtek/rtl8365mb.c
+++ b/drivers/net/dsa/realtek/rtl8365mb.c
@@ -1480,8 +1480,7 @@ static void rtl8365mb_stats_update(struct realtek_priv *priv, int port)
stats->rx_packets = cnt[RTL8365MB_MIB_ifInUcastPkts] +
cnt[RTL8365MB_MIB_ifInMulticastPkts] +
- cnt[RTL8365MB_MIB_ifInBroadcastPkts] -
- cnt[RTL8365MB_MIB_ifOutDiscards];
+ cnt[RTL8365MB_MIB_ifInBroadcastPkts];
stats->tx_packets = cnt[RTL8365MB_MIB_ifOutUcastPkts] +
cnt[RTL8365MB_MIB_ifOutMulticastPkts] +
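Review bot: The rx_packets sum in rtl8365mb_stats_update() is left without a comment saying why drops are excluded, and the removed expression subtracted a TX-side counter from an RX total, which could also wrap if the counters are unsigned and ifOutDiscards exceeded the sum. Suggest a one-line comment above the assignment noting that rx_packets is ifInUcastPkts + ifInMulticastPkts + ifInBroadcastPkts and that drops are reported through rx_dropped, so the subtraction is not reintroduced later.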
--
2.51.0
* [PATCH 6.19 037/378] drm/msm/dsi: fix pclk rate calculation for bonded dsi
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 036/378] net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 038/378] drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v13 Greg Kroah-Hartman
` (347 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengyu Luo, Dmitry Baryshkov,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengyu Luo <mitltlatltl@gmail.com>
[ Upstream commit e4eb11b34d6c84f398d8f08d7cb4d6c38e739dd2 ]
Recently, we round up new_hdisplay once at most, for bonded dsi, we
may need twice, since they are independent links, we should round up
each half separately. This also aligns with the hdisplay we program
later in dsi_timing_setup()
Example:
full_hdisplay = 1904, dsc_bpp = 8, bpc = 8
new_full_hdisplay = DIV_ROUND_UP(1904 * 8, 8 * 3) = 635
if we use half display
new_half_hdisplay = DIV_ROUND_UP(952 * 8, 8 * 3) = 318
new_full_display = 636
Fixes: 7c9e4a554d4a ("drm/msm/dsi: Reduce pclk rate for compression")
Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/709716/
Link: https://lore.kernel.org/r/20260306163255.215456-1-mitltlatltl@gmail.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/dsi_host.c | 29 +++++++++++++++++++++++------
1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
index e8e83ee61eb09..db6da99375a18 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
@@ -584,13 +584,30 @@ void dsi_link_clk_disable_v2(struct msm_dsi_host *msm_host)
* FIXME: Reconsider this if/when CMD mode handling is rewritten to use
* transfer time and data overhead as a starting point of the calculations.
*/
-static unsigned long dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode,
- const struct drm_dsc_config *dsc)
+static unsigned long
+dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode,
+ const struct drm_dsc_config *dsc,
+ bool is_bonded_dsi)
{
- int new_hdisplay = DIV_ROUND_UP(mode->hdisplay * drm_dsc_get_bpp_int(dsc),
- dsc->bits_per_component * 3);
+ int hdisplay, new_hdisplay, new_htotal;
- int new_htotal = mode->htotal - mode->hdisplay + new_hdisplay;
+ /*
+ * For bonded DSI, split hdisplay across two links and round up each
+ * half separately, passing the full hdisplay would only round up once.
+ * This also aligns with the hdisplay we program later in
+ * dsi_timing_setup()
+ */
+ hdisplay = mode->hdisplay;
+ if (is_bonded_dsi)
+ hdisplay /= 2;
+
+ new_hdisplay = DIV_ROUND_UP(hdisplay * drm_dsc_get_bpp_int(dsc),
+ dsc->bits_per_component * 3);
+
+ if (is_bonded_dsi)
+ new_hdisplay *= 2;
+
+ new_htotal = mode->htotal - mode->hdisplay + new_hdisplay;
return mult_frac(mode->clock * 1000u, new_htotal, mode->htotal);
}
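Review bot: In the bonded path of dsi_adjust_pclk_for_compression(), "hdisplay /= 2" truncates, so an odd mode->hdisplay loses one pixel column before DIV_ROUND_UP() and the doubled new_hdisplay can come out lower than intended. Suggest DIV_ROUND_UP(mode->hdisplay, 2) for the per-link width, or a comment stating that bonded modes always have an even hdisplay. The new block comment would also read more clearly as two sentences: "...round up each half separately. Passing the full hdisplay would only round up once."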
@@ -603,7 +620,7 @@ static unsigned long dsi_get_pclk_rate(const struct drm_display_mode *mode,
pclk_rate = mode->clock * 1000u;
if (dsc)
- pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc);
+ pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc, is_bonded_dsi);
/*
* For bonded DSI mode, the current DRM mode has the complete width of the
--
2.51.0
* [PATCH 6.19 038/378] drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v13
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 037/378] drm/msm/dsi: fix pclk rate calculation for bonded dsi Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 039/378] drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v14 Greg Kroah-Hartman
` (346 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Wang, Alex Deucher, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Wang <kevinyang.wang@amd.com>
[ Upstream commit cb47c882c31334aadc13ace80781728ed22a05ee ]
add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v13.0.0/13.0.7
Fixes: cfffd980bf21 ("drm/amd/pm: add zero RPM OD setting support for SMU13")
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/5018
Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 576a10797b607ee9e4068218daf367b481564120)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 3 ++-
drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
index eaeff6a9bc50f..e8f8c3bae0ab0 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
@@ -2290,7 +2290,8 @@ static int smu_v13_0_0_restore_user_od_settings(struct smu_context *smu)
user_od_table->OverDriveTable.FeatureCtrlMask = BIT(PP_OD_FEATURE_GFXCLK_BIT) |
BIT(PP_OD_FEATURE_UCLK_BIT) |
BIT(PP_OD_FEATURE_GFX_VF_CURVE_BIT) |
- BIT(PP_OD_FEATURE_FAN_CURVE_BIT);
+ BIT(PP_OD_FEATURE_FAN_CURVE_BIT) |
+ BIT(PP_OD_FEATURE_ZERO_FAN_BIT);
res = smu_v13_0_0_upload_overdrive_table(smu, user_od_table);
user_od_table->OverDriveTable.FeatureCtrlMask = 0;
if (res == 0)
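Review bot: The FeatureCtrlMask list in smu_v13_0_0_restore_user_od_settings() is repeated verbatim in smu_v13_0_7_restore_user_od_settings() in the next file of this patch, which is why the same missing bit has to be added twice. Suggest defining the restore mask once (a shared macro in a common header, for example) so a new OD feature bit cannot be added to one ASIC file and missed in the other.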
diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
index a3fc35b9011e4..3c3393297c630 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
@@ -2276,7 +2276,8 @@ static int smu_v13_0_7_restore_user_od_settings(struct smu_context *smu)
user_od_table->OverDriveTable.FeatureCtrlMask = BIT(PP_OD_FEATURE_GFXCLK_BIT) |
BIT(PP_OD_FEATURE_UCLK_BIT) |
BIT(PP_OD_FEATURE_GFX_VF_CURVE_BIT) |
- BIT(PP_OD_FEATURE_FAN_CURVE_BIT);
+ BIT(PP_OD_FEATURE_FAN_CURVE_BIT) |
+ BIT(PP_OD_FEATURE_ZERO_FAN_BIT);
res = smu_v13_0_7_upload_overdrive_table(smu, user_od_table);
user_od_table->OverDriveTable.FeatureCtrlMask = 0;
if (res == 0)
--
2.51.0
* [PATCH 6.19 039/378] drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v14
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 038/378] drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v13 Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 040/378] drm/amdgpu: Fix kernel-doc comments for some LUT properties Greg Kroah-Hartman
` (345 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Wang, Alex Deucher, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Wang <kevinyang.wang@amd.com>
[ Upstream commit 9d4837a26149355ffe3a1f80de80531eafdd3353 ]
add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v14.0.2/14.0.3
Fixes: 9710b84e2a6a ("drm/amd/pm: add overdrive support on smu v14.0.2/3")
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/5018
Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 1b5cf07d80bb16d1593579ccdb23f08ea4262c14)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
index d7642d388bc38..fa535f43876b5 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
@@ -2413,7 +2413,8 @@ static int smu_v14_0_2_restore_user_od_settings(struct smu_context *smu)
user_od_table->OverDriveTable.FeatureCtrlMask = BIT(PP_OD_FEATURE_GFXCLK_BIT) |
BIT(PP_OD_FEATURE_UCLK_BIT) |
BIT(PP_OD_FEATURE_GFX_VF_CURVE_BIT) |
- BIT(PP_OD_FEATURE_FAN_CURVE_BIT);
+ BIT(PP_OD_FEATURE_FAN_CURVE_BIT) |
+ BIT(PP_OD_FEATURE_ZERO_FAN_BIT);
res = smu_v14_0_2_upload_overdrive_table(smu, user_od_table);
user_od_table->OverDriveTable.FeatureCtrlMask = 0;
if (res == 0)
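Review bot: BIT(PP_OD_FEATURE_ZERO_FAN_BIT) is OR-ed into FeatureCtrlMask unconditionally in smu_v14_0_2_restore_user_od_settings(), and the single res from smu_v14_0_2_upload_overdrive_table() covers the whole table. If any part handled by this file rejects the zero-fan feature, the upload would fail and none of the other user OD settings would be restored. Worth confirming that every supported part accepts the bit, or gating it on the feature being available.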
--
2.51.0
* [PATCH 6.19 040/378] drm/amdgpu: Fix kernel-doc comments for some LUT properties
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 039/378] drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v14 Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 041/378] bonding: do not set usable_slaves for broadcast mode Greg Kroah-Hartman
` (344 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Melissa Wen, Cristian Ciocaltea,
Alex Deucher, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
[ Upstream commit 52289ce48ef1f8a81cd39df1574098356e3c9d4c ]
The following members of struct amdgpu_mode_info do not have valid
references in the related kernel-doc sections:
- plane_shaper_lut_property
- plane_shaper_lut_size_property,
- plane_lut3d_size_property
Correct all affected comment blocks.
Fixes: f545d82479b4 ("drm/amd/display: add plane shaper LUT and TF driver-specific properties")
Fixes: 671994e3bf33 ("drm/amd/display: add plane 3D LUT driver-specific properties")
Reviewed-by: Melissa Wen <mwen@igalia.com>
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit ec5708d6e547f7efe2f009073bfa98dbc4c5c2ac)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h
index dc8d2f52c7d61..e244c12ceb238 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h
@@ -368,15 +368,15 @@ struct amdgpu_mode_info {
struct drm_property *plane_ctm_property;
/**
- * @shaper_lut_property: Plane property to set pre-blending shaper LUT
- * that converts color content before 3D LUT. If
- * plane_shaper_tf_property != Identity TF, AMD color module will
+ * @plane_shaper_lut_property: Plane property to set pre-blending
+ * shaper LUT that converts color content before 3D LUT.
+ * If plane_shaper_tf_property != Identity TF, AMD color module will
* combine the user LUT values with pre-defined TF into the LUT
* parameters to be programmed.
*/
struct drm_property *plane_shaper_lut_property;
/**
- * @shaper_lut_size_property: Plane property for the size of
+ * @plane_shaper_lut_size_property: Plane property for the size of
* pre-blending shaper LUT as supported by the driver (read-only).
*/
struct drm_property *plane_shaper_lut_size_property;
@@ -400,10 +400,10 @@ struct amdgpu_mode_info {
*/
struct drm_property *plane_lut3d_property;
/**
- * @plane_degamma_lut_size_property: Plane property to define the max
- * size of 3D LUT as supported by the driver (read-only). The max size
- * is the max size of one dimension and, therefore, the max number of
- * entries for 3D LUT array is the 3D LUT size cubed;
+ * @plane_lut3d_size_property: Plane property to define the max size
+ * of 3D LUT as supported by the driver (read-only). The max size is
+ * the max size of one dimension and, therefore, the max number of
+ * entries for 3D LUT array is the 3D LUT size cubed.
*/
struct drm_property *plane_lut3d_size_property;
/**
--
2.51.0
* [PATCH 6.19 041/378] bonding: do not set usable_slaves for broadcast mode
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 040/378] drm/amdgpu: Fix kernel-doc comments for some LUT properties Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:29 ` [PATCH 6.19 042/378] bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states Greg Kroah-Hartman
` (343 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Liang Li, Hangbin Liu,
Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 45fc134bcfadde456639c1b1e206e6918d69a553 ]
After commit e0caeb24f538 ("net: bonding: update the slave array for broadcast mode"),
broadcast mode will also set all_slaves and usable_slaves during
bond_enslave(). But if we also set updelay, during enslave, the
slave init state will be BOND_LINK_BACK. And later
bond_update_slave_arr() will alloc usable_slaves but add nothing.
This will cause bond_miimon_inspect() to have ignore_updelay
always true. So the updelay will be always ignored. e.g.
[ 6.498368] bond0: (slave veth2): link status definitely down, disabling slave
[ 7.536371] bond0: (slave veth2): link status up, enabling it in 0 ms
[ 7.536402] bond0: (slave veth2): link status definitely up, 10000 Mbps full duplex
To fix it, we can either always call bond_update_slave_arr() on every
place when link changes. Or, let's just not set usable_slaves for
broadcast mode.
Fixes: e0caeb24f538 ("net: bonding: update the slave array for broadcast mode")
Reported-by: Liang Li <liali@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20260304-b4-bond_updelay-v1-1-f72eb2e454d0@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 739e6eea6b529..5de38258c7d8b 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -5041,13 +5041,18 @@ static void bond_set_slave_arr(struct bonding *bond,
{
struct bond_up_slave *usable, *all;
- usable = rtnl_dereference(bond->usable_slaves);
- rcu_assign_pointer(bond->usable_slaves, usable_slaves);
- kfree_rcu(usable, rcu);
-
all = rtnl_dereference(bond->all_slaves);
rcu_assign_pointer(bond->all_slaves, all_slaves);
kfree_rcu(all, rcu);
+
+ if (BOND_MODE(bond) == BOND_MODE_BROADCAST) {
+ kfree_rcu(usable_slaves, rcu);
+ return;
+ }
+
+ usable = rtnl_dereference(bond->usable_slaves);
+ rcu_assign_pointer(bond->usable_slaves, usable_slaves);
+ kfree_rcu(usable, rcu);
}
static void bond_reset_slave_arr(struct bonding *bond)
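Review bot: The BOND_MODE_BROADCAST early return in bond_set_slave_arr() frees the new usable_slaves array but leaves bond->usable_slaves as it was, so an array published before the bond was in broadcast mode is neither replaced nor freed on this path. Suggest confirming that the pointer is always NULL by the time this branch is taken, or clearing it here. A one-line comment on the branch saying why broadcast mode skips usable_slaves (the updelay handling described in the commit message) would also help, since the code alone does not show the reason.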
--
2.51.0
* [PATCH 6.19 042/378] bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 041/378] bonding: do not set usable_slaves for broadcast mode Greg Kroah-Hartman
@ 2026-03-17 16:29 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 043/378] net/mlx5: Fix deadlock between devlink lock and esw->wq Greg Kroah-Hartman
` (342 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:29 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Jakub Kicinski,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 3348be7978f450ede0c308a4e8416ac716cf1015 ]
Before the fixed commit, we check slave->new_link during commit
state, which values are only BOND_LINK_{NOCHANGE, UP, DOWN}. After
the commit, we start using slave->link_new_state, which state also could
be BOND_LINK_{FAIL, BACK}.
For example, when we set updelay/downdelay, after a failover,
the slave->link_new_state could be set to BOND_LINK_{FAIL, BACK} in
bond_miimon_inspect(). And later in bond_miimon_commit(), it will treat
it as invalid and print an error, which would cause confusion for users.
[ 106.440254] bond0: (slave veth2): link status down for interface, disabling it in 200 ms
[ 106.440265] bond0: (slave veth2): invalid new link 1 on slave
[ 106.648276] bond0: (slave veth2): link status definitely down, disabling slave
[ 107.480271] bond0: (slave veth2): link status up, enabling it in 200 ms
[ 107.480288] bond0: (slave veth2): invalid new link 3 on slave
[ 107.688302] bond0: (slave veth2): link status definitely up, 10000 Mbps full duplex
Let's handle BOND_LINK_{FAIL, BACK} as valid link states.
Fixes: 1899bb325149 ("bonding: fix state transition issue in link monitoring")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20260304-b4-bond_updelay-v1-2-f72eb2e454d0@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 5de38258c7d8b..8be99ae67b77f 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2769,8 +2769,14 @@ static void bond_miimon_commit(struct bonding *bond)
continue;
+ case BOND_LINK_FAIL:
+ case BOND_LINK_BACK:
+ slave_dbg(bond->dev, slave->dev, "link_new_state %d on slave\n",
+ slave->link_new_state);
+ continue;
+
default:
- slave_err(bond->dev, slave->dev, "invalid new link %d on slave\n",
+ slave_err(bond->dev, slave->dev, "invalid link_new_state %d on slave\n",
slave->link_new_state);
bond_propose_link_state(slave, BOND_LINK_NOCHANGE);
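Review bot: The default branch changes the slave_err() text from "invalid new link %d on slave" to "invalid link_new_state %d on slave", which the commit message does not mention; anything that matches on the old string in kernel logs will stop matching. Suggest either keeping the old wording or noting the rename in the changelog. In the new BOND_LINK_FAIL/BOND_LINK_BACK case, slave_dbg() prints only the numeric state, so a reader still has to look up what values such as 1 and 3 mean; printing the state name would make the message self-explanatory.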
--
2.51.0
* [PATCH 6.19 043/378] net/mlx5: Fix deadlock between devlink lock and esw->wq
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-03-17 16:29 ` [PATCH 6.19 042/378] bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 044/378] net/mlx5: Fix crash when moving to switchdev mode Greg Kroah-Hartman
` (341 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Ratiu, Moshe Shemesh,
Dragos Tatulea, Simon Horman, Tariq Toukan, Jakub Kicinski,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Ratiu <cratiu@nvidia.com>
[ Upstream commit aed763abf0e905b4b8d747d1ba9e172961572f57 ]
esw->work_queue executes esw_functions_changed_event_handler ->
esw_vfs_changed_event_handler and acquires the devlink lock.
.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) ->
mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked ->
mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks
when esw_vfs_changed_event_handler executes.
Fix that by no longer flushing the work to avoid the deadlock, and using
a generation counter to keep track of work relevance. This avoids an old
handler manipulating an esw that has undergone one or more mode changes:
- the counter is incremented in mlx5_eswitch_event_handler_unregister.
- the counter is read and passed to the ephemeral mlx5_host_work struct.
- the work handler takes the devlink lock and bails out if the current
generation is different than the one it was scheduled to operate on.
- mlx5_eswitch_cleanup does the final draining before destroying the wq.
No longer flushing the workqueue has the side effect of maybe no longer
cancelling pending vport_change_handler work items, but that's ok since
those are disabled elsewhere:
- mlx5_eswitch_disable_locked disables the vport eq notifier.
- mlx5_esw_vport_disable disarms the HW EQ notification and marks
vport->enabled under state_lock to false to prevent pending vport
handler from doing anything.
- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events
are disabled/finished.
Fixes: f1bc646c9a06 ("net/mlx5: Use devl_ API in mlx5_esw_offloads_devlink_port_register")
Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260305081019.1811100-1-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/eswitch.c | 7 ++++---
.../net/ethernet/mellanox/mlx5/core/eswitch.h | 2 ++
.../mellanox/mlx5/core/eswitch_offloads.c | 18 +++++++++++++-----
3 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
index 4b7a1ce7f406b..32bf93e4ffcec 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -1072,10 +1072,11 @@ static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw)
static void mlx5_eswitch_event_handler_unregister(struct mlx5_eswitch *esw)
{
- if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev))
+ if (esw->mode == MLX5_ESWITCH_OFFLOADS &&
+ mlx5_eswitch_is_funcs_handler(esw->dev)) {
mlx5_eq_notifier_unregister(esw->dev, &esw->esw_funcs.nb);
-
- flush_workqueue(esw->work_queue);
+ atomic_inc(&esw->esw_funcs.generation);
+ }
}
static void mlx5_eswitch_clear_vf_vports_info(struct mlx5_eswitch *esw)
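Review bot: flush_workqueue() is removed from mlx5_eswitch_event_handler_unregister() for every mode, while the replacement atomic_inc() sits inside the MLX5_ESWITCH_OFFLOADS branch only, and neither choice is explained in the code. Suggest a comment at the atomic_inc() saying that it invalidates already-queued host work and that the flush was dropped on purpose because the caller can hold the devlink lock that the work handler takes, so the flush is not restored later by someone who sees it as an omission.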
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
index 714ad28e8445b..0276609a617c0 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
@@ -334,10 +334,12 @@ struct esw_mc_addr { /* SRIOV only */
struct mlx5_host_work {
struct work_struct work;
struct mlx5_eswitch *esw;
+ int work_gen;
};
struct mlx5_esw_functions {
struct mlx5_nb nb;
+ atomic_t generation;
bool host_funcs_disabled;
u16 num_vfs;
u16 num_ec_vfs;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
index ccf53d4783628..c79231b437976 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
@@ -3582,22 +3582,28 @@ static void esw_offloads_steering_cleanup(struct mlx5_eswitch *esw)
}
static void
-esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out)
+esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, int work_gen,
+ const u32 *out)
{
struct devlink *devlink;
bool host_pf_disabled;
u16 new_num_vfs;
+ devlink = priv_to_devlink(esw->dev);
+ devl_lock(devlink);
+
+ /* Stale work from one or more mode changes ago. Bail out. */
+ if (work_gen != atomic_read(&esw->esw_funcs.generation))
+ goto unlock;
+
new_num_vfs = MLX5_GET(query_esw_functions_out, out,
host_params_context.host_num_of_vfs);
host_pf_disabled = MLX5_GET(query_esw_functions_out, out,
host_params_context.host_pf_disabled);
if (new_num_vfs == esw->esw_funcs.num_vfs || host_pf_disabled)
- return;
+ goto unlock;
- devlink = priv_to_devlink(esw->dev);
- devl_lock(devlink);
/* Number of VFs can only change from "0 to x" or "x to 0". */
if (esw->esw_funcs.num_vfs > 0) {
mlx5_eswitch_unload_vf_vports(esw, esw->esw_funcs.num_vfs);
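Review bot: Moving devl_lock() to the top of esw_vfs_changed_event_handler() means every functions-changed event now takes the devlink lock, including the case where new_num_vfs == esw->esw_funcs.num_vfs, which used to return without locking. Also, the staleness test is only reliable if the atomic_inc() in the unregister path runs with the same lock held; a devl_assert_locked() there, or a comment stating the ordering, would make that checkable.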
@@ -3612,6 +3618,7 @@ esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out)
}
}
esw->esw_funcs.num_vfs = new_num_vfs;
+unlock:
devl_unlock(devlink);
}
@@ -3628,7 +3635,7 @@ static void esw_functions_changed_event_handler(struct work_struct *work)
if (IS_ERR(out))
goto out;
- esw_vfs_changed_event_handler(esw, out);
+ esw_vfs_changed_event_handler(esw, host_work->work_gen, out);
kvfree(out);
out:
kfree(host_work);
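Review bot: The staleness check happens only inside esw_vfs_changed_event_handler(), after out has already been obtained, so stale work still pays for a query whose result is then discarded. Comparing host_work->work_gen against the current generation before the query would let stale work exit early, with the locked check in the handler kept as the authoritative one.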
@@ -3648,6 +3655,7 @@ int mlx5_esw_funcs_changed_handler(struct notifier_block *nb, unsigned long type
esw = container_of(esw_funcs, struct mlx5_eswitch, esw_funcs);
host_work->esw = esw;
+ host_work->work_gen = atomic_read(&esw_funcs->generation);
INIT_WORK(&host_work->work, esw_functions_changed_event_handler);
queue_work(esw->work_queue, &host_work->work);
--
2.51.0
* [PATCH 6.19 044/378] net/mlx5: Fix crash when moving to switchdev mode
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 043/378] net/mlx5: Fix deadlock between devlink lock and esw->wq Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 045/378] net/mlx5: Fix peer miss rules host disabled checks Greg Kroah-Hartman
` (340 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Patrisious Haddad, Leon Romanovsky,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Patrisious Haddad <phaddad@nvidia.com>
[ Upstream commit 24b2795f9683e092dc22a68f487e7aaaf2ddafea ]
When moving to switchdev mode when the device doesn't support IPsec,
we try to clean up the IPsec resources anyway which causes the crash
below, fix that by correctly checking for IPsec support before trying
to clean up its resources.
[27642.515799] WARNING: arch/x86/mm/fault.c:1276 at
do_user_addr_fault+0x18a/0x680, CPU#4: devlink/6490
[27642.517159] Modules linked in: xt_conntrack xt_MASQUERADE
ip6table_nat ip6table_filter ip6_tables iptable_nat nf_nat xt_addrtype
rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_fwctl nfnetlink
zram zsmalloc mlx5_ib fuse rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi
scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_core
ib_core
[27642.521358] CPU: 4 UID: 0 PID: 6490 Comm: devlink Not tainted
6.19.0-rc5_for_upstream_min_debug_2026_01_14_16_47 #1 NONE
[27642.522923] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[27642.524528] RIP: 0010:do_user_addr_fault+0x18a/0x680
[27642.537982] Call Trace:
[27642.538466] <TASK>
[27642.538907] exc_page_fault+0x76/0x140
[27642.539583] asm_exc_page_fault+0x22/0x30
[27642.540282] RIP: 0010:_raw_spin_lock_irqsave+0x10/0x30
[27642.550379] complete_all+0x20/0x90
[27642.551010] mlx5e_ipsec_disable_events+0xb6/0xf0 [mlx5_core]
[27642.552022] mlx5e_nic_disable+0x12d/0x220 [mlx5_core]
[27642.552929] mlx5e_detach_netdev+0x66/0xf0 [mlx5_core]
[27642.553822] mlx5e_netdev_change_profile+0x5b/0x120 [mlx5_core]
[27642.554821] mlx5e_vport_rep_load+0x419/0x590 [mlx5_core]
[27642.555757] ? xa_load+0x53/0x90
[27642.556361] __esw_offloads_load_rep+0x54/0x70 [mlx5_core]
[27642.557328] mlx5_esw_offloads_rep_load+0x45/0xd0 [mlx5_core]
[27642.558320] esw_offloads_enable+0xb4b/0xc90 [mlx5_core]
[27642.559247] mlx5_eswitch_enable_locked+0x34e/0x4f0 [mlx5_core]
[27642.560257] ? mlx5_rescan_drivers_locked+0x222/0x2d0 [mlx5_core]
[27642.561284] mlx5_devlink_eswitch_mode_set+0x5ac/0x9c0 [mlx5_core]
[27642.562334] ? devlink_rate_set_ops_supported+0x21/0x3a0
[27642.563220] devlink_nl_eswitch_set_doit+0x67/0xe0
[27642.564026] genl_family_rcv_msg_doit+0xe0/0x130
[27642.564816] genl_rcv_msg+0x183/0x290
[27642.565466] ? __devlink_nl_pre_doit.isra.0+0x160/0x160
[27642.566329] ? devlink_nl_eswitch_get_doit+0x290/0x290
[27642.567181] ? devlink_nl_pre_doit_parent_dev_optional+0x20/0x20
[27642.568147] ? genl_family_rcv_msg_dumpit+0xf0/0xf0
[27642.568966] netlink_rcv_skb+0x4b/0xf0
[27642.569629] genl_rcv+0x24/0x40
[27642.570215] netlink_unicast+0x255/0x380
[27642.570901] ? __alloc_skb+0xfa/0x1e0
[27642.571560] netlink_sendmsg+0x1f3/0x420
[27642.572249] __sock_sendmsg+0x38/0x60
[27642.572911] __sys_sendto+0x119/0x180
[27642.573561] ? __sys_recvmsg+0x5c/0xb0
[27642.574227] __x64_sys_sendto+0x20/0x30
[27642.574904] do_syscall_64+0x55/0xc10
[27642.575554] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[27642.576391] RIP: 0033:0x7f197c85e807
[27642.586671] </TASK>
[27642.587121] ---[ end trace 0000000000000000 ]---
[27642.587910] BUG: kernel NULL pointer dereference, address:
00000000000000a0
Fixes: 664f76be38a1 ("net/mlx5: Fix IPsec cleanup over MPV device")
Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260305142634.1813208-2-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index feef86fff4bfd..91cfabc450325 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -2912,7 +2912,7 @@ void mlx5e_ipsec_disable_events(struct mlx5e_priv *priv)
goto out;
peer_priv = mlx5_devcom_get_next_peer_data(priv->devcom, &tmp);
- if (peer_priv)
+ if (peer_priv && peer_priv->ipsec)
complete_all(&peer_priv->ipsec->comp);
mlx5_devcom_for_each_peer_end(priv->devcom);
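Review bot: The added peer_priv->ipsec test in mlx5e_ipsec_disable_events() reads the pointer once for the check and again for complete_all(&peer_priv->ipsec->comp); if the peer can tear down its IPsec state while this runs, load the pointer into a local first. A short comment that a peer without IPsec support has a NULL ipsec pointer would also explain why the check is needed.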
--
2.51.0
* [PATCH 6.19 045/378] net/mlx5: Fix peer miss rules host disabled checks
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 044/378] net/mlx5: Fix crash when moving to switchdev mode Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 046/378] net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery Greg Kroah-Hartman
` (339 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carolina Jubran, Tariq Toukan,
Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carolina Jubran <cjubran@nvidia.com>
[ Upstream commit 76324e4041c0efb4808702b05426d7a0a7d8df5b ]
The check on mlx5_esw_host_functions_enabled(esw->dev) for adding VF
peer miss rules is incorrect. These rules match traffic from peer's VFs,
so the local device's host function status is irrelevant. Remove this
check to ensure peer VF traffic is properly handled regardless of local
host configuration.
Also fix the PF peer miss rule deletion to be symmetric with the add
path, so only attempt to delete the rule if it was actually created.
Fixes: 520369ef43a8 ("net/mlx5: Support disabling host PFs")
Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260305142634.1813208-3-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../mellanox/mlx5/core/eswitch_offloads.c | 27 +++++++++----------
1 file changed, 12 insertions(+), 15 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
index c79231b437976..166a88988904e 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
@@ -1241,21 +1241,17 @@ static int esw_add_fdb_peer_miss_rules(struct mlx5_eswitch *esw,
flows[peer_vport->index] = flow;
}
- if (mlx5_esw_host_functions_enabled(esw->dev)) {
- mlx5_esw_for_each_vf_vport(peer_esw, i, peer_vport,
- mlx5_core_max_vfs(peer_dev)) {
- esw_set_peer_miss_rule_source_port(esw, peer_esw,
- spec,
- peer_vport->vport);
-
- flow = mlx5_add_flow_rules(mlx5_eswitch_get_slow_fdb(esw),
- spec, &flow_act, &dest, 1);
- if (IS_ERR(flow)) {
- err = PTR_ERR(flow);
- goto add_vf_flow_err;
- }
- flows[peer_vport->index] = flow;
+ mlx5_esw_for_each_vf_vport(peer_esw, i, peer_vport,
+ mlx5_core_max_vfs(peer_dev)) {
+ esw_set_peer_miss_rule_source_port(esw, peer_esw, spec,
+ peer_vport->vport);
+ flow = mlx5_add_flow_rules(mlx5_eswitch_get_slow_fdb(esw),
+ spec, &flow_act, &dest, 1);
+ if (IS_ERR(flow)) {
+ err = PTR_ERR(flow);
+ goto add_vf_flow_err;
}
+ flows[peer_vport->index] = flow;
}
if (mlx5_core_ec_sriov_enabled(peer_dev)) {
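Review bot: With the mlx5_esw_host_functions_enabled(esw->dev) guard removed, the VF loop in esw_add_fdb_peer_miss_rules() always installs rules, so the add_vf_flow_err unwind and the VF loop in the delete path must be unconditional too. Neither is shown in this patch, so please confirm they never depended on the local host-function state.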
@@ -1347,7 +1343,8 @@ static void esw_del_fdb_peer_miss_rules(struct mlx5_eswitch *esw,
mlx5_del_flow_rules(flows[peer_vport->index]);
}
- if (mlx5_core_is_ecpf_esw_manager(peer_dev)) {
+ if (mlx5_core_is_ecpf_esw_manager(peer_dev) &&
+ mlx5_esw_host_functions_enabled(peer_dev)) {
peer_vport = mlx5_eswitch_get_vport(peer_esw, MLX5_VPORT_PF);
mlx5_del_flow_rules(flows[peer_vport->index]);
}
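Review bot: The PF delete in esw_del_fdb_peer_miss_rules() is now gated on mlx5_core_is_ecpf_esw_manager(peer_dev) && mlx5_esw_host_functions_enabled(peer_dev), but the matching add-side condition is not part of this patch, so the symmetry cannot be verified from the diff. Putting the condition in one small helper used by both paths would keep them from drifting apart again.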
--
2.51.0
* [PATCH 6.19 046/378] net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 045/378] net/mlx5: Fix peer miss rules host disabled checks Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 047/378] net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ Greg Kroah-Hartman
` (338 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gal Pressman, Dragos Tatulea,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit 1633111d69053512d099658d4a05fc736fab36b0 ]
In case of a TX error CQE, a recovery flow is triggered,
mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc,
desyncing the DMA FIFO producer and consumer.
After recovery, the producer pushes new DMA entries at the old
dma_fifo_pc, while the consumer reads from position 0.
This causes us to unmap stale DMA addresses from before the recovery.
The DMA FIFO is a purely software construct with no HW counterpart.
At the point of reset, all WQEs have been flushed so dma_fifo_cc is
already equal to dma_fifo_pc. There is no need to reset either counter,
similar to how skb_fifo pc/cc are untouched.
Remove the 'dma_fifo_cc = 0' reset.
This fixes the following WARNING:
WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90
Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables]
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:iommu_dma_unmap_page+0x79/0x90
Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00
Call Trace:
<IRQ>
? __warn+0x7d/0x110
? iommu_dma_unmap_page+0x79/0x90
? report_bug+0x16d/0x180
? handle_bug+0x4f/0x90
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? iommu_dma_unmap_page+0x79/0x90
? iommu_dma_unmap_page+0x2e/0x90
dma_unmap_page_attrs+0x10d/0x1b0
mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core]
mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core]
mlx5e_napi_poll+0x8b/0xac0 [mlx5_core]
__napi_poll+0x24/0x190
net_rx_action+0x32a/0x3b0
? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core]
? notifier_call_chain+0x35/0xa0
handle_softirqs+0xc9/0x270
irq_exit_rcu+0x71/0xd0
common_interrupt+0x7f/0xa0
</IRQ>
<TASK>
asm_common_interrupt+0x22/0x40
Fixes: db75373c91b0 ("net/mlx5e: Recover Send Queue (SQ) from error state")
Signed-off-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260305142634.1813208-4-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
index 9f6454102cf79..d6ace2b6fc1df 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
@@ -46,7 +46,6 @@ static void mlx5e_reset_txqsq_cc_pc(struct mlx5e_txqsq *sq)
"SQ 0x%x: cc (0x%x) != pc (0x%x)\n",
sq->sqn, sq->cc, sq->pc);
sq->cc = 0;
- sq->dma_fifo_cc = 0;
sq->pc = 0;
}
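Review bot: After dropping sq->dma_fifo_cc = 0 from mlx5e_reset_txqsq_cc_pc(), nothing here checks the assumption the fix rests on, namely that dma_fifo_cc already equals dma_fifo_pc at reset time. The function already reports a cc != pc mismatch for the SQ counters; a similar check for the DMA FIFO counters, plus a comment saying they are left untouched on purpose, would catch a regression.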
--
2.51.0
* [PATCH 6.19 047/378] net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 046/378] net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 048/378] net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ Greg Kroah-Hartman
` (337 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Amery Hung,
Nimrod Oren, Tariq Toukan, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dragos Tatulea <dtatulea@nvidia.com>
[ Upstream commit db25c42c2e1f9c0d136420fff5e5700f7e771a6f ]
XDP multi-buf programs can modify the layout of the XDP buffer when the
program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The
referenced commit in the fixes tag corrected the assumption in the mlx5
driver that the XDP buffer layout doesn't change during a program
execution. However, this fix introduced another issue: the dropped
fragments still need to be counted on the driver side to avoid page
fragment reference counting issues.
The issue was discovered by the drivers/net/xdp.py selftest,
more specifically the test_xdp_native_tx_mb:
- The mlx5 driver allocates a page_pool page and initializes it with
a frag counter of 64 (pp_ref_count=64) and the internal frag counter
to 0.
- The test sends one packet with no payload.
- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP
buffer with the packet data starting in the first fragment which is the
page mentioned above.
- The XDP program runs and calls bpf_xdp_pull_data() which moves the
header into the linear part of the XDP buffer. As the packet doesn't
contain more data, the program drops the tail fragment since it no
longer contains any payload (pp_ref_count=63).
- mlx5 device skips counting this fragment. Internal frag counter
remains 0.
- mlx5 releases all 64 fragments of the page but page pp_ref_count is
63 => negative reference counting error.
Resulting splat during the test:
WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]
Modules linked in: [...]
CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]
[...]
Call Trace:
<TASK>
mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core]
mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core]
mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core]
mlx5e_close_rq+0x78/0xa0 [mlx5_core]
mlx5e_close_queues+0x46/0x2a0 [mlx5_core]
mlx5e_close_channel+0x24/0x90 [mlx5_core]
mlx5e_close_channels+0x5d/0xf0 [mlx5_core]
mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core]
mlx5e_change_mtu+0x11d/0x490 [mlx5_core]
mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core]
netif_set_mtu_ext+0xfc/0x240
do_setlink.isra.0+0x226/0x1100
rtnl_newlink+0x7a9/0xba0
rtnetlink_rcv_msg+0x220/0x3c0
netlink_rcv_skb+0x4b/0xf0
netlink_unicast+0x255/0x380
netlink_sendmsg+0x1f3/0x420
__sock_sendmsg+0x38/0x60
____sys_sendmsg+0x1e8/0x240
___sys_sendmsg+0x7c/0xb0
[...]
__sys_sendmsg+0x5f/0xb0
do_syscall_64+0x55/0xc70
The problem applies for XDP_PASS as well which is handled in a different
code path in the driver.
This patch fixes the issue by doing page frag counting on all the
original XDP buffer fragments for all relevant XDP actions (XDP_TX,
XDP_REDIRECT and XDP_PASS). This is basically reverting to the original
counting before the commit in the fixes tag.
As frag_page is still pointing to the original tail, the nr_frags
parameter to xdp_update_skb_frags_info() needs to be calculated
in a different way to reflect the new nr_frags.
Fixes: 87bcef158ac1 ("net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ")
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Cc: Amery Hung <ameryhung@gmail.com>
Reviewed-by: Nimrod Oren <noren@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260305142634.1813208-5-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
index 1f6930c774378..ea6741a822675 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -2118,14 +2118,13 @@ mlx5e_skb_from_cqe_mpwrq_nonlinear(struct mlx5e_rq *rq, struct mlx5e_mpw_info *w
if (prog) {
u8 nr_frags_free, old_nr_frags = sinfo->nr_frags;
+ u8 new_nr_frags;
u32 len;
if (mlx5e_xdp_handle(rq, prog, mxbuf)) {
if (__test_and_clear_bit(MLX5E_RQ_FLAG_XDP_XMIT, rq->flags)) {
struct mlx5e_frag_page *pfp;
- frag_page -= old_nr_frags - sinfo->nr_frags;
-
for (pfp = head_page; pfp < frag_page; pfp++)
pfp->frags++;
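Review bot: With the frag_page adjustment removed, the loop for (pfp = head_page; pfp < frag_page; pfp++) in the MLX5E_RQ_FLAG_XDP_XMIT branch counts fragments the XDP program has already dropped, which is the intended fix but reads like an off-by-N error. A comment at the loop saying the original fragment range is counted deliberately would keep someone from changing it back.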
@@ -2136,13 +2135,12 @@ mlx5e_skb_from_cqe_mpwrq_nonlinear(struct mlx5e_rq *rq, struct mlx5e_mpw_info *w
return NULL; /* page/packet was consumed by XDP */
}
- nr_frags_free = old_nr_frags - sinfo->nr_frags;
- if (unlikely(nr_frags_free)) {
- frag_page -= nr_frags_free;
+ new_nr_frags = sinfo->nr_frags;
+ nr_frags_free = old_nr_frags - new_nr_frags;
+ if (unlikely(nr_frags_free))
truesize -= (nr_frags_free - 1) * PAGE_SIZE +
ALIGN(pg_consumed_bytes,
BIT(rq->mpwqe.log_stride_sz));
- }
len = mxbuf->xdp.data_end - mxbuf->xdp.data;
@@ -2164,7 +2162,7 @@ mlx5e_skb_from_cqe_mpwrq_nonlinear(struct mlx5e_rq *rq, struct mlx5e_mpw_info *w
struct mlx5e_frag_page *pagep;
/* sinfo->nr_frags is reset by build_skb, calculate again. */
- xdp_update_skb_frags_info(skb, frag_page - head_page,
+ xdp_update_skb_frags_info(skb, new_nr_frags,
sinfo->xdp_frags_size,
truesize,
xdp_buff_get_skb_flags(&mxbuf->xdp));
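Review bot: The comment above xdp_update_skb_frags_info() still says "calculate again", but the call now passes the saved new_nr_frags rather than computing frag_page - head_page. Update the comment to say the value was captured earlier, before build_skb reset sinfo->nr_frags.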
--
2.51.0
* [PATCH 6.19 048/378] net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 047/378] net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 049/378] net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit Greg Kroah-Hartman
` (336 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Tariq Toukan,
Amery Hung, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dragos Tatulea <dtatulea@nvidia.com>
[ Upstream commit a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa ]
XDP multi-buf programs can modify the layout of the XDP buffer when the
program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The
referenced commit in the fixes tag corrected the assumption in the mlx5
driver that the XDP buffer layout doesn't change during a program
execution. However, this fix introduced another issue: the dropped
fragments still need to be counted on the driver side to avoid page
fragment reference counting issues.
Such an issue can be observed with the
test_xdp_native_adjst_tail_shrnk_data selftest when using a payload of
3600 and shrinking by 256 bytes (an upcoming selftest patch): the last
fragment gets released by the XDP code but doesn't get tracked by the
driver. This results in a negative pp_ref_count during page release and
the following splat:
WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137
Modules linked in: [...]
CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core]
[...]
Call Trace:
<TASK>
mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core]
mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core]
mlx5e_close_rq+0x50/0x60 [mlx5_core]
mlx5e_close_queues+0x36/0x2c0 [mlx5_core]
mlx5e_close_channel+0x1c/0x50 [mlx5_core]
mlx5e_close_channels+0x45/0x80 [mlx5_core]
mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core]
mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core]
netif_set_mtu_ext+0xf1/0x230
do_setlink.isra.0+0x219/0x1180
rtnl_newlink+0x79f/0xb60
rtnetlink_rcv_msg+0x213/0x3a0
netlink_rcv_skb+0x48/0xf0
netlink_unicast+0x24a/0x350
netlink_sendmsg+0x1ee/0x410
__sock_sendmsg+0x38/0x60
____sys_sendmsg+0x232/0x280
___sys_sendmsg+0x78/0xb0
__sys_sendmsg+0x5f/0xb0
[...]
do_syscall_64+0x57/0xc50
This patch fixes the issue by doing page frag counting on all the
original XDP buffer fragments for all relevant XDP actions (XDP_TX,
XDP_REDIRECT and XDP_PASS). This is basically reverting to the original
counting before the commit in the fixes tag.
As frag_page is still pointing to the original tail, the nr_frags
parameter to xdp_update_skb_frags_info() needs to be calculated
in a different way to reflect the new nr_frags.
Fixes: afd5ba577c10 ("net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for legacy RQ")
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Amery Hung <ameryhung@gmail.com>
Link: https://patch.msgid.link/20260305142634.1813208-6-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
index ea6741a822675..3000286bf29c8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -1759,6 +1759,7 @@ mlx5e_skb_from_cqe_nonlinear(struct mlx5e_rq *rq, struct mlx5e_wqe_frag_info *wi
struct skb_shared_info *sinfo;
u32 frag_consumed_bytes;
struct bpf_prog *prog;
+ u8 nr_frags_free = 0;
struct sk_buff *skb;
dma_addr_t addr;
u32 truesize;
@@ -1801,15 +1802,13 @@ mlx5e_skb_from_cqe_nonlinear(struct mlx5e_rq *rq, struct mlx5e_wqe_frag_info *wi
prog = rcu_dereference(rq->xdp_prog);
if (prog) {
- u8 nr_frags_free, old_nr_frags = sinfo->nr_frags;
+ u8 old_nr_frags = sinfo->nr_frags;
if (mlx5e_xdp_handle(rq, prog, mxbuf)) {
if (__test_and_clear_bit(MLX5E_RQ_FLAG_XDP_XMIT,
rq->flags)) {
struct mlx5e_wqe_frag_info *pwi;
- wi -= old_nr_frags - sinfo->nr_frags;
-
for (pwi = head_wi; pwi < wi; pwi++)
pwi->frag_page->frags++;
}
@@ -1817,10 +1816,8 @@ mlx5e_skb_from_cqe_nonlinear(struct mlx5e_rq *rq, struct mlx5e_wqe_frag_info *wi
}
nr_frags_free = old_nr_frags - sinfo->nr_frags;
- if (unlikely(nr_frags_free)) {
- wi -= nr_frags_free;
+ if (unlikely(nr_frags_free))
truesize -= nr_frags_free * frag_info->frag_stride;
- }
}
skb = mlx5e_build_linear_skb(
@@ -1836,7 +1833,7 @@ mlx5e_skb_from_cqe_nonlinear(struct mlx5e_rq *rq, struct mlx5e_wqe_frag_info *wi
if (xdp_buff_has_frags(&mxbuf->xdp)) {
/* sinfo->nr_frags is reset by build_skb, calculate again. */
- xdp_update_skb_frags_info(skb, wi - head_wi - 1,
+ xdp_update_skb_frags_info(skb, wi - head_wi - nr_frags_free - 1,
sinfo->xdp_frags_size, truesize,
xdp_buff_get_skb_flags(&mxbuf->xdp));
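Review bot: The nr_frags argument is now the inline expression wi - head_wi - nr_frags_free - 1, which mixes a pointer difference with a u8 and leaves the "- 1" unexplained. The striding RQ fix passes a saved new_nr_frags instead; doing the same here, or at least computing this into a named local with a comment, would make the two paths read alike and easier to audit. The "calculate again" comment above the call should be updated to match.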
--
2.51.0
* [PATCH 6.19 049/378] net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 048/378] net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 050/378] rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer() Greg Kroah-Hartman
` (335 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 0cc0c2e661af418bbf7074179ea5cfffc0a5c466 ]
teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit
through slave devices, but does not update skb->dev to the slave device
beforehand.
When a gretap tunnel is a TEQL slave, the transmit path reaches
iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0
master) and later calls iptunnel_xmit_stats(dev, pkt_len). This
function does:
get_cpu_ptr(dev->tstats)
Since teql_master_setup() does not set dev->pcpu_stat_type to
NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats
for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes
NULL + __per_cpu_offset[cpu], resulting in a page fault.
BUG: unable to handle page fault for address: ffff8880e6659018
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 68bc067 P4D 68bc067 PUD 0
Oops: Oops: 0002 [#1] SMP KASAN PTI
RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)
Call Trace:
<TASK>
ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
__gre_xmit (net/ipv4/ip_gre.c:478)
gre_tap_xmit (net/ipv4/ip_gre.c:779)
teql_master_xmit (net/sched/sch_teql.c:319)
dev_hard_start_xmit (net/core/dev.c:3887)
sch_direct_xmit (net/sched/sch_generic.c:347)
__dev_queue_xmit (net/core/dev.c:4802)
neigh_direct_output (net/core/neighbour.c:1660)
ip_finish_output2 (net/ipv4/ip_output.c:237)
__ip_finish_output.part.0 (net/ipv4/ip_output.c:315)
ip_mc_output (net/ipv4/ip_output.c:369)
ip_send_skb (net/ipv4/ip_output.c:1508)
udp_send_skb (net/ipv4/udp.c:1195)
udp_sendmsg (net/ipv4/udp.c:1485)
inet_sendmsg (net/ipv4/af_inet.c:859)
__sys_sendto (net/socket.c:2206)
Fix this by setting skb->dev = slave before calling
netdev_start_xmit(), so that tunnel xmit functions see the correct
slave device with properly allocated tstats.
Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Link: https://patch.msgid.link/20260304044216.3517851-3-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_teql.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
index 6e4bdaa876ed6..783300d8b0197 100644
--- a/net/sched/sch_teql.c
+++ b/net/sched/sch_teql.c
@@ -315,6 +315,7 @@ static netdev_tx_t teql_master_xmit(struct sk_buff *skb, struct net_device *dev)
if (__netif_tx_trylock(slave_txq)) {
unsigned int length = qdisc_pkt_len(skb);
+ skb->dev = slave;
if (!netif_xmit_frozen_or_stopped(slave_txq) &&
netdev_start_xmit(skb, slave, slave_txq, false) ==
NETDEV_TX_OK) {
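Review bot: skb->dev is switched to the slave before the netif_xmit_frozen_or_stopped() test, so it changes even when no transmit is attempted on this slave, and nothing in the hunk puts it back when netdev_start_xmit() does not return NETDEV_TX_OK. If the skb is then offered to the next slave the pointer is simply overwritten, but any path that requeues or frees it afterwards sees a slave device rather than the master. Either restore skb->dev = dev on the failure paths or add a one-line comment saying why the later paths do not depend on it.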
--
2.51.0
* [PATCH 6.19 050/378] rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer()
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, David Howells,
Marc Dionne, Simon Horman, linux-afs, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit 4245a79003adf30e67f8e9060915bd05cb31d142 ]
rxrpc_kernel_lookup_peer() can also return error pointers in addition to
NULL, so just checking for NULL is not sufficient.
Fix this by:
(1) Changing rxrpc_kernel_lookup_peer() to return -ENOMEM rather than NULL
on allocation failure.
(2) Making the callers in afs use IS_ERR() and PTR_ERR() to pass on the
error code returned.
Fixes: 72904d7b9bfb ("rxrpc, afs: Allow afs to pin rxrpc_peer objects")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Co-developed-by: David Howells <dhowells@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
Link: https://patch.msgid.link/368272.1772713861@warthog.procyon.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/afs/addr_list.c | 8 ++++----
net/rxrpc/af_rxrpc.c | 8 +++++---
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/fs/afs/addr_list.c b/fs/afs/addr_list.c
index e941da5b6dd92..b1704de3d95f5 100644
--- a/fs/afs/addr_list.c
+++ b/fs/afs/addr_list.c
@@ -298,8 +298,8 @@ int afs_merge_fs_addr4(struct afs_net *net, struct afs_addr_list *alist,
srx.transport.sin.sin_addr.s_addr = xdr;
peer = rxrpc_kernel_lookup_peer(net->socket, &srx, GFP_KERNEL);
- if (!peer)
- return -ENOMEM;
+ if (IS_ERR(peer))
+ return PTR_ERR(peer);
for (i = 0; i < alist->nr_ipv4; i++) {
if (peer == alist->addrs[i].peer) {
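Review bot: the IS_ERR(peer) test in afs_merge_fs_addr4() no longer catches NULL, so it is only safe together with the af_rxrpc.c change in this same patch that turns a NULL lookup result into ERR_PTR(-ENOMEM). The two halves have to stay together in any backport; if they were split, a NULL peer would pass the check and reach the comparison loop over alist->addrs[]. The same applies to the identical change in afs_merge_fs_addr6().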
@@ -342,8 +342,8 @@ int afs_merge_fs_addr6(struct afs_net *net, struct afs_addr_list *alist,
memcpy(&srx.transport.sin6.sin6_addr, xdr, 16);
peer = rxrpc_kernel_lookup_peer(net->socket, &srx, GFP_KERNEL);
- if (!peer)
- return -ENOMEM;
+ if (IS_ERR(peer))
+ return PTR_ERR(peer);
for (i = alist->nr_ipv4; i < alist->nr_addrs; i++) {
if (peer == alist->addrs[i].peer) {
diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index 0c2c68c4b07e4..0f90272ac254b 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -267,12 +267,13 @@ static int rxrpc_listen(struct socket *sock, int backlog)
* Lookup or create a remote transport endpoint record for the specified
* address.
*
- * Return: The peer record found with a reference, %NULL if no record is found
- * or a negative error code if the address is invalid or unsupported.
+ * Return: The peer record found with a reference or a negative error code if
+ * the address is invalid or unsupported.
*/
struct rxrpc_peer *rxrpc_kernel_lookup_peer(struct socket *sock,
struct sockaddr_rxrpc *srx, gfp_t gfp)
{
+ struct rxrpc_peer *peer;
struct rxrpc_sock *rx = rxrpc_sk(sock->sk);
int ret;
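Review bot: the updated Return: text drops the %NULL case but still gives only "the address is invalid or unsupported" as the cause of an error, while the function now also returns -ENOMEM when the lookup cannot allocate. Suggest listing -ENOMEM and stating explicitly that NULL is never returned, since the afs callers now rely on IS_ERR() alone.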
@@ -280,7 +281,8 @@ struct rxrpc_peer *rxrpc_kernel_lookup_peer(struct socket *sock,
if (ret < 0)
return ERR_PTR(ret);
- return rxrpc_lookup_peer(rx->local, srx, gfp);
+ peer = rxrpc_lookup_peer(rx->local, srx, gfp);
+ return peer ?: ERR_PTR(-ENOMEM);
}
EXPORT_SYMBOL(rxrpc_kernel_lookup_peer);
--
2.51.0
* [PATCH 6.19 051/378] net: spacemit: Fix error handling in emac_alloc_rx_desc_buffers()
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vivian Wang, Jakub Kicinski,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vivian Wang <wangruikang@iscas.ac.cn>
[ Upstream commit 3aa1417803c1833cbd5bacb7e6a6489a196f2519 ]
Even if we get a dma_mapping_error() while mapping an RX buffer, we
should still update rx_ring->head to ensure that the buffers we were
able to allocate and map are used. Fix this by breaking out to the
existing code after the loop, analogous to the existing handling for skb
allocation failure.
Fixes: bfec6d7f2001 ("net: spacemit: Add K1 Ethernet MAC")
Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
Link: https://patch.msgid.link/20260305-k1-ethernet-more-fixes-v2-1-e4e434d65055@iscas.ac.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/spacemit/k1_emac.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/spacemit/k1_emac.c b/drivers/net/ethernet/spacemit/k1_emac.c
index b49c4708bf9eb..5de69a105168a 100644
--- a/drivers/net/ethernet/spacemit/k1_emac.c
+++ b/drivers/net/ethernet/spacemit/k1_emac.c
@@ -582,7 +582,9 @@ static void emac_alloc_rx_desc_buffers(struct emac_priv *priv)
DMA_FROM_DEVICE);
if (dma_mapping_error(&priv->pdev->dev, rx_buf->dma_addr)) {
dev_err_ratelimited(&ndev->dev, "Mapping skb failed\n");
- goto err_free_skb;
+ dev_kfree_skb_any(skb);
+ rx_buf->skb = NULL;
+ break;
}
rx_desc_addr = &((struct emac_desc *)rx_ring->desc_addr)[i];
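Review bot: on the dma_mapping_error() path rx_buf->skb is cleared but rx_buf->dma_addr keeps the failed mapping value, and after the break this slot becomes the new rx_ring->head. If any teardown or refill code decides whether to unmap from dma_addr rather than from skb, it would act on an invalid address; clearing dma_addr next to `rx_buf->skb = NULL;` would make the slot unambiguously empty.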
@@ -607,10 +609,6 @@ static void emac_alloc_rx_desc_buffers(struct emac_priv *priv)
rx_ring->head = i;
return;
-
-err_free_skb:
- dev_kfree_skb_any(skb);
- rx_buf->skb = NULL;
}
/* Returns number of packets received */
--
2.51.0
* [PATCH 6.19 052/378] net: spacemit: Fix error handling in emac_tx_mem_map()
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vivian Wang, Jakub Kicinski,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vivian Wang <wangruikang@iscas.ac.cn>
[ Upstream commit 86292155bea578ebab0ca3b65d4d87ecd8a0e9ea ]
The DMA mappings were leaked on mapping error. Free them with the
existing emac_free_tx_buf() function.
Fixes: bfec6d7f2001 ("net: spacemit: Add K1 Ethernet MAC")
Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
Link: https://patch.msgid.link/20260305-k1-ethernet-more-fixes-v2-2-e4e434d65055@iscas.ac.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/spacemit/k1_emac.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/spacemit/k1_emac.c b/drivers/net/ethernet/spacemit/k1_emac.c
index 5de69a105168a..d64ca7bbda9ea 100644
--- a/drivers/net/ethernet/spacemit/k1_emac.c
+++ b/drivers/net/ethernet/spacemit/k1_emac.c
@@ -750,7 +750,7 @@ static void emac_tx_mem_map(struct emac_priv *priv, struct sk_buff *skb)
struct emac_desc tx_desc, *tx_desc_addr;
struct device *dev = &priv->pdev->dev;
struct emac_tx_desc_buffer *tx_buf;
- u32 head, old_head, frag_num, f;
+ u32 head, old_head, frag_num, f, i;
bool buf_idx;
frag_num = skb_shinfo(skb)->nr_frags;
@@ -818,6 +818,15 @@ static void emac_tx_mem_map(struct emac_priv *priv, struct sk_buff *skb)
err_free_skb:
dev_dstats_tx_dropped(priv->ndev);
+
+ i = old_head;
+ while (i != head) {
+ emac_free_tx_buf(priv, i);
+
+ if (++i == tx_ring->total_cnt)
+ i = 0;
+ }
+
dev_kfree_skb_any(skb);
}
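Review bot: the unwind loop under err_free_skb frees slots from old_head up to but not including head, so it is correct only if head has already been advanced past every slot that holds a live mapping when the goto is taken. A mapping made for the slot at head itself before the failure would still leak. A short comment stating that invariant, or freeing through the failing slot, would make this easier to verify; the wrap at tx_ring->total_cnt looks right.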
--
2.51.0
* [PATCH 6.19 053/378] drm/sitronix/st7586: fix bad pixel data due to byte swap
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann,
Javier Martinez Canillas, David Lechner, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
[ Upstream commit 46d8a07b4ae262e2fec6ce2aa454e06243661265 ]
Correctly set dbi->write_memory_bpw for the ST7586 driver. This driver
is for a monochrome display that has an unusual data format, so the
default value set in mipi_dbi_spi_init() is not correct simply because
this controller is non-standard.
Previously, we were using dbi->swap_bytes to make the same sort of
workaround, but it was removed in the same commit that added
dbi->write_memory_bpw, so we need to use the latter now to have the
correct behavior.
This fixes every 3 columns of pixels being swapped on the display. There
are 3 pixels per byte, so the byte swap caused this effect.
Fixes: df3fb27a74a4 ("drm/mipi-dbi: Make bits per word configurable for pixel transfers")
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: David Lechner <dlechner@baylibre.com>
Link: https://patch.msgid.link/20260228-drm-mipi-dbi-fix-st7586-byte-swap-v1-1-e78f6c24cd28@baylibre.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/sitronix/st7586.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/drivers/gpu/drm/sitronix/st7586.c b/drivers/gpu/drm/sitronix/st7586.c
index b57ebf37a664c..16b6b4e368af8 100644
--- a/drivers/gpu/drm/sitronix/st7586.c
+++ b/drivers/gpu/drm/sitronix/st7586.c
@@ -347,6 +347,12 @@ static int st7586_probe(struct spi_device *spi)
if (ret)
return ret;
+ /*
+ * Override value set by mipi_dbi_spi_init(). This driver is a bit
+ * non-standard, so best to set it explicitly here.
+ */
+ dbi->write_memory_bpw = 8;
+
/* Cannot read from this controller via SPI */
dbi->read_commands = NULL;
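Review bot: the new comment above `dbi->write_memory_bpw = 8;` says only that the driver is "a bit non-standard", which loses the reasoning the removed swap_bytes comment carried: the data is 8-bit, and 16-bit transfers reorder bytes on little-endian systems. Suggest keeping that explanation so the value 8 is not mistaken for an arbitrary default.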
@@ -356,15 +362,6 @@ static int st7586_probe(struct spi_device *spi)
if (ret)
return ret;
- /*
- * we are using 8-bit data, so we are not actually swapping anything,
- * but setting mipi->swap_bytes makes mipi_dbi_typec3_command() do the
- * right thing and not use 16-bit transfers (which results in swapped
- * bytes on little-endian systems and causes out of order data to be
- * sent to the display).
- */
- dbi->swap_bytes = true;
-
drm_mode_config_reset(drm);
ret = drm_dev_register(drm, 0);
--
2.51.0
* [PATCH 6.19 054/378] firmware: cs_dsp: Fix fragmentation regression in firmware download
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Fitzgerald, Mark Brown,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Fitzgerald <rf@opensource.cirrus.com>
[ Upstream commit facfdef64d11c08e6f1e69d02a0b87cb74cee0f5 ]
Use vmalloc() instead of kmalloc(..., GFP_DMA) to alloc the temporary
buffer for firmware download blobs. This avoids the problem that a
heavily fragmented system cannot allocate enough physically-contiguous
memory for a large blob.
The redundant alloc buffer mechanism was removed in commit 900baa6e7bb0
("firmware: cs_dsp: Remove redundant download buffer allocator").
While doing that I was overly focused on the possibility of the
underlying bus requiring DMA-safe memory. So I used GFP_DMA kmalloc()s.
I failed to notice that the code I was removing used vmalloc().
This creates a regression.
Way back in 2014 the problem of fragmentation with kmalloc()s was fixed
by commit cdcd7f728753 ("ASoC: wm_adsp: Use vmalloc to allocate firmware
download buffer").
Although we don't need physically-contiguous memory, we don't know if the
bus needs some particular alignment of the buffers. Since the change in
2014, the firmware download has always used whatever alignment vmalloc()
returns. To avoid introducing a new problem, the temporary buffer is still
used, to keep the same alignment of pointers passed to regmap_raw_write().
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Fixes: 900baa6e7bb0 ("firmware: cs_dsp: Remove redundant download buffer allocator")
Link: https://patch.msgid.link/20260304141250.1578597-1-rf@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/cirrus/cs_dsp.c | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c
index abed96fa5853a..a34633b875758 100644
--- a/drivers/firmware/cirrus/cs_dsp.c
+++ b/drivers/firmware/cirrus/cs_dsp.c
@@ -1610,11 +1610,17 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware,
region_name);
if (reg) {
+ /*
+ * Although we expect the underlying bus does not require
+ * physically-contiguous buffers, we pessimistically use
+ * a temporary buffer instead of trusting that the
+ * alignment of region->data is ok.
+ */
region_len = le32_to_cpu(region->len);
if (region_len > buf_len) {
buf_len = round_up(region_len, PAGE_SIZE);
- kfree(buf);
- buf = kmalloc(buf_len, GFP_KERNEL | GFP_DMA);
+ vfree(buf);
+ buf = vmalloc(buf_len);
if (!buf) {
ret = -ENOMEM;
goto out_fw;
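Review bot: the added comment in cs_dsp_load() explains why a temporary buffer is kept (alignment) but not why it is vmalloc()ed, which is the regression being fixed, and it sits above the region_len assignment rather than the allocation. Suggest moving it to the vmalloc() call and adding a line that kmalloc() is avoided because large blobs can fail to allocate on a fragmented system, so a later cleanup does not switch it back.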
@@ -1643,7 +1649,7 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware,
ret = 0;
out_fw:
- kfree(buf);
+ vfree(buf);
if (ret == -EOVERFLOW)
cs_dsp_err(dsp, "%s: file content overflows file data\n", file);
@@ -2320,11 +2326,17 @@ static int cs_dsp_load_coeff(struct cs_dsp *dsp, const struct firmware *firmware
}
if (reg) {
+ /*
+ * Although we expect the underlying bus does not require
+ * physically-contiguous buffers, we pessimistically use
+ * a temporary buffer instead of trusting that the
+ * alignment of blk->data is ok.
+ */
region_len = le32_to_cpu(blk->len);
if (region_len > buf_len) {
buf_len = round_up(region_len, PAGE_SIZE);
- kfree(buf);
- buf = kmalloc(buf_len, GFP_KERNEL | GFP_DMA);
+ vfree(buf);
+ buf = vmalloc(buf_len);
if (!buf) {
ret = -ENOMEM;
goto out_fw;
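Review bot: this block in cs_dsp_load_coeff() is a line-for-line copy of the one in cs_dsp_load(), comment included, and each copy depends on its own out_fw path using vfree(). A small shared helper for growing the download buffer would keep the allocator and the matching free in one place and stop the two copies from drifting into a kfree()/vmalloc() mismatch.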
@@ -2355,7 +2367,7 @@ static int cs_dsp_load_coeff(struct cs_dsp *dsp, const struct firmware *firmware
ret = 0;
out_fw:
- kfree(buf);
+ vfree(buf);
if (ret == -EOVERFLOW)
cs_dsp_err(dsp, "%s: file content overflows file data\n", file);
--
2.51.0
* [PATCH 6.19 055/378] spi: amlogic: spifc-a4: Fix DMA mapping error handling
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Felix Gu, Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit b20b437666e1cb26a7c499d1664e8f2a0ac67000 ]
Fix three bugs in aml_sfc_dma_buffer_setup() error paths:
1. Unnecessary goto: When the first DMA mapping (sfc->daddr) fails,
nothing needs cleanup. Use direct return instead of goto.
2. Double-unmap bug: When info DMA mapping failed, the code would
unmap sfc->daddr inline, then fall through to out_map_data which
would unmap it again, causing a double-unmap.
3. Wrong unmap size: The out_map_info label used datalen instead of
infolen when unmapping sfc->iaddr, which could lead to incorrect
DMA sync behavior.
Fixes: 4670db6f32e9 ("spi: amlogic: add driver for Amlogic SPI Flash Controller")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Link: https://patch.msgid.link/20260306-spifc-a4-v1-1-f22c9965f64a@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-amlogic-spifc-a4.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/spi/spi-amlogic-spifc-a4.c b/drivers/spi/spi-amlogic-spifc-a4.c
index 35a7c4965e113..f324aa39a8976 100644
--- a/drivers/spi/spi-amlogic-spifc-a4.c
+++ b/drivers/spi/spi-amlogic-spifc-a4.c
@@ -411,7 +411,7 @@ static int aml_sfc_dma_buffer_setup(struct aml_sfc *sfc, void *databuf,
ret = dma_mapping_error(sfc->dev, sfc->daddr);
if (ret) {
dev_err(sfc->dev, "DMA mapping error\n");
- goto out_map_data;
+ return ret;
}
cmd = CMD_DATA_ADDRL(sfc->daddr);
@@ -429,7 +429,6 @@ static int aml_sfc_dma_buffer_setup(struct aml_sfc *sfc, void *databuf,
ret = dma_mapping_error(sfc->dev, sfc->iaddr);
if (ret) {
dev_err(sfc->dev, "DMA mapping error\n");
- dma_unmap_single(sfc->dev, sfc->daddr, datalen, dir);
goto out_map_data;
}
@@ -448,7 +447,7 @@ static int aml_sfc_dma_buffer_setup(struct aml_sfc *sfc, void *databuf,
return 0;
out_map_info:
- dma_unmap_single(sfc->dev, sfc->iaddr, datalen, dir);
+ dma_unmap_single(sfc->dev, sfc->iaddr, infolen, dir);
out_map_data:
dma_unmap_single(sfc->dev, sfc->daddr, datalen, dir);
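Review bot: under out_map_info the length is now infolen, but the direction is still the `dir` used for the data buffer. dma_unmap_single() has to be given the same direction as the mapping of sfc->iaddr, which is not visible in this hunk; please confirm the info buffer is mapped with `dir` as well and not with a fixed direction.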
--
2.51.0
* [PATCH 6.19 056/378] spi: rockchip-sfc: Fix double-free in remove() callback
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Felix Gu, Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 111e2863372c322e836e0c896f6dd9cf4ee08c71 ]
The driver uses devm_spi_register_controller() for registration, which
automatically unregisters the controller via devm cleanup when the
device is removed. The manual call to spi_unregister_controller() in
the remove() callback can lead to a double-free.
And to make sure controller is unregistered before DMA buffer is
unmapped, switch to use spi_register_controller() in probe().
Fixes: 8011709906d0 ("spi: rockchip-sfc: Support pm ops")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Link: https://patch.msgid.link/20260310-sfc-v2-1-67fab04b097f@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-rockchip-sfc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/spi/spi-rockchip-sfc.c b/drivers/spi/spi-rockchip-sfc.c
index b3c2b03b11535..8acf955636977 100644
--- a/drivers/spi/spi-rockchip-sfc.c
+++ b/drivers/spi/spi-rockchip-sfc.c
@@ -712,7 +712,7 @@ static int rockchip_sfc_probe(struct platform_device *pdev)
}
}
- ret = devm_spi_register_controller(dev, host);
+ ret = spi_register_controller(host);
if (ret)
goto err_register;
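Review bot: with the non-devm spi_register_controller() at this point in rockchip_sfc_probe(), unregistration depends entirely on remove() calling spi_unregister_controller() exactly once, and on no probe step after this call being able to fail without unregistering. Neither is visible here; the only error exit shown is err_register for the registration itself. A brief comment noting that the controller is unregistered manually in remove(), ahead of the DMA buffer unmap, would record why devm is deliberately not used.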
--
2.51.0
* [PATCH 6.19 057/378] ASoC: soc-core: drop delayed_work_pending() check before flush
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matteo Cotifava, Mark Brown,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: matteo.cotifava <cotifavamatteo@gmail.com>
[ Upstream commit 3c99c9f0ed60582c1c9852b685d78d5d3a50de63 ]
The delayed_work_pending() check before flush_delayed_work() in
soc_free_pcm_runtime() is unnecessary and racy. flush_delayed_work()
is safe to call unconditionally - it is a no-op when no work is
pending. Remove the check.
The original check was added by commit 9c9b65203492 ("ASoC: core:
only flush inited work during free") but delayed_work_pending()
followed by flush_delayed_work() has a time-of-check/time-of-use
window where work can become pending between the two calls.
Fixes: 9c9b65203492 ("ASoC: core: only flush inited work during free")
Signed-off-by: Matteo Cotifava <cotifavamatteo@gmail.com>
Link: https://patch.msgid.link/20260309215412.545628-2-cotifavamatteo@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index e4b21bf39e59f..182d2272c2f39 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -462,8 +462,7 @@ static void soc_free_pcm_runtime(struct snd_soc_pcm_runtime *rtd)
list_del(&rtd->list);
- if (delayed_work_pending(&rtd->delayed_work))
- flush_delayed_work(&rtd->delayed_work);
+ flush_delayed_work(&rtd->delayed_work);
snd_soc_pcm_component_free(rtd);
/*
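Review bot: the unconditional flush_delayed_work(&rtd->delayed_work) in soc_free_pcm_runtime() now runs for every rtd, whereas the check being removed came from a commit titled "only flush inited work during free". Closing the race is right, but the commit message or a comment should state that rtd->delayed_work is always initialised before this function can be reached, since flushing a work item that was never set up is not safe.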
--
2.51.0
* [PATCH 6.19 058/378] ASoC: soc-core: flush delayed work before removing DAIs and widgets
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matteo Cotifava, Mark Brown,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: matteo.cotifava <cotifavamatteo@gmail.com>
[ Upstream commit 95bc5c225513fc3c4ce169563fb5e3929fbb938b ]
When a sound card is unbound while a PCM stream is open, a
use-after-free can occur in snd_soc_dapm_stream_event(), called from
the close_delayed_work workqueue handler.
During unbind, snd_soc_unbind_card() flushes delayed work and then
calls soc_cleanup_card_resources(). Inside cleanup,
snd_card_disconnect_sync() releases all PCM file descriptors, and
the resulting PCM close path can call snd_soc_dapm_stream_stop()
which schedules new delayed work with a pmdown_time timer delay.
Since this happens after the flush in snd_soc_unbind_card(), the
new work is not caught. soc_remove_link_components() then frees
DAPM widgets before this work fires, leading to the use-after-free.
The existing flush in soc_free_pcm_runtime() also cannot help as it
runs after soc_remove_link_components() has already freed the widgets.
Add a flush in soc_cleanup_card_resources() after
snd_card_disconnect_sync() (after which no new PCM closes can
schedule further delayed work) and before soc_remove_link_dais()
and soc_remove_link_components() (which tear down the structures the
delayed work accesses).
Fixes: e894efef9ac7 ("ASoC: core: add support to card rebind")
Signed-off-by: Matteo Cotifava <cotifavamatteo@gmail.com>
Link: https://patch.msgid.link/20260309215412.545628-3-cotifavamatteo@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 182d2272c2f39..e6045d30ee8e1 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -2121,6 +2121,9 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card)
for_each_card_rtds(card, rtd)
if (rtd->initialized)
snd_soc_link_exit(rtd);
+ /* flush delayed work before removing DAIs and DAPM widgets */
+ snd_soc_flush_all_delayed_work(card);
+
/* remove and free each DAI */
soc_remove_link_dais(card);
soc_remove_link_components(card);
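Review bot: the new comment says what the flush has to precede, but not the other half of the ordering the commit message depends on: it has to come after snd_card_disconnect_sync(), because only then can no further PCM close queue delayed work. Suggest extending the comment to say so, so the call is not moved earlier in a later refactor. The comment also sits directly under the for_each_card_rtds() loop body with no blank line before it, which makes it read as part of the loop.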
--
2.51.0
* [PATCH 6.19 059/378] ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sen Wang, Kuninori Morimoto,
Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sen Wang <sen@ti.com>
[ Upstream commit 4185b95f8a42d92d68c49289b4644546b51e252b ]
graph_util_is_ports0() identifies DPCM front-end (ports@0) vs back-end
(ports@1) by calling of_get_child_by_name() to find the first "ports"
child and comparing pointers. This relies on child iteration order
matching DTS source order.
When the DPCM topology comes from a DT overlay, __of_attach_node()
inserts new children at the head of the sibling list, reversing the
order. of_get_child_by_name() then returns ports@1 instead of ports@0,
causing all front-end links to be classified as back-ends. The card
registers with no PCM devices.
Fix this by matching the unit address directly from the node name
instead of relying on sibling order.
Fixes: 92939252458f ("ASoC: simple-card-utils: add asoc_graph_is_ports0()")
Signed-off-by: Sen Wang <sen@ti.com>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/20260309042109.2576612-1-sen@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/generic/simple-card-utils.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/sound/soc/generic/simple-card-utils.c b/sound/soc/generic/simple-card-utils.c
index bdc02e85b089f..9e5be0eaa77f3 100644
--- a/sound/soc/generic/simple-card-utils.c
+++ b/sound/soc/generic/simple-card-utils.c
@@ -1038,11 +1038,15 @@ int graph_util_is_ports0(struct device_node *np)
else
port = np;
- struct device_node *ports __free(device_node) = of_get_parent(port);
- struct device_node *top __free(device_node) = of_get_parent(ports);
- struct device_node *ports0 __free(device_node) = of_get_child_by_name(top, "ports");
+ struct device_node *ports __free(device_node) = of_get_parent(port);
+ const char *at = strchr(kbasename(ports->full_name), '@');
- return ports0 == ports;
+ /*
+ * Since child iteration order may differ
+ * between a base DT and DT overlays,
+ * string match "ports" or "ports@0" in the node name instead.
+ */
+ return !at || !strcmp(at, "@0");
}
EXPORT_SYMBOL_GPL(graph_util_is_ports0);
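Review bot: `kbasename(ports->full_name)` dereferences ports without checking it, while the replaced code only compared pointers and so tolerated of_get_parent() returning NULL. Suggest returning early when ports is NULL before computing `at`.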
--
2.51.0
* [PATCH 6.19 060/378] net: sfp: improve Huawei MA5671a fixup
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Álvaro Fernández Rojas,
Andrew Lunn, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit 87d126852158467ab87d5cbc36ccfd3f15464a6c ]
With the current sfp_fixup_ignore_tx_fault() fixup we ignore the TX_FAULT
signal, but we also need to apply sfp_fixup_ignore_los() in order to be
able to communicate with the module even if the fiber isn't connected for
configuration purposes.
This is needed for all the MA5671a firmwares, excluding the FS modded
firmware.
Fixes: 2069624dac19 ("net: sfp: Add tx-fault workaround for Huawei MA5671A SFP ONT")
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20260306125139.213637-1-noltari@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/sfp.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
index 43aefdd8b70f7..ca09925335725 100644
--- a/drivers/net/phy/sfp.c
+++ b/drivers/net/phy/sfp.c
@@ -367,6 +367,12 @@ static void sfp_fixup_ignore_tx_fault(struct sfp *sfp)
sfp->state_ignore_mask |= SFP_F_TX_FAULT;
}
+static void sfp_fixup_ignore_tx_fault_and_los(struct sfp *sfp)
+{
+ sfp_fixup_ignore_tx_fault(sfp);
+ sfp_fixup_ignore_los(sfp);
+}
+
static void sfp_fixup_ignore_hw(struct sfp *sfp, unsigned int mask)
{
sfp->state_hw_mask &= ~mask;
@@ -530,7 +536,7 @@ static const struct sfp_quirk sfp_quirks[] = {
// Huawei MA5671A can operate at 2500base-X, but report 1.2GBd NRZ in
// their EEPROM
SFP_QUIRK("HUAWEI", "MA5671A", sfp_quirk_2500basex,
- sfp_fixup_ignore_tx_fault),
+ sfp_fixup_ignore_tx_fault_and_los),
// Lantech 8330-262D-E and 8330-265D can operate at 2500base-X, but
// incorrectly report 2500MBd NRZ in their EEPROM.
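Review bot: the quirk entry matches on vendor "HUAWEI" and part "MA5671A" only, while the commit message says LOS must be ignored for all MA5671a firmwares excluding the FS modded firmware. Please state in the comment above the entry whether the FS modded firmware reports a different vendor/part string and so never reaches this entry, or whether ignoring LOS is harmless for it; as written a reader cannot tell from the table which firmwares get sfp_fixup_ignore_tx_fault_and_los().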
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 061/378] serial: caif: hold tty->link reference in ldisc_open and ser_release
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 060/378] net: sfp: improve Huawei MA5671a fixup Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 062/378] bnxt_en: Fix RSS table size check when changing ethtool channels Greg Kroah-Hartman
` (323 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuangpeng Bai, Jiayuan Chen,
Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
[ Upstream commit 288598d80a068a0e9281de35bcb4ce495f189e2a ]
A reproducer triggers a KASAN slab-use-after-free in pty_write_room()
when caif_serial's TX path calls tty_write_room(). The faulting access
is on tty->link->port.
Hold an extra kref on tty->link for the lifetime of the caif_serial line
discipline: get it in ldisc_open() and drop it in ser_release(), and
also drop it on the ldisc_open() error path.
With this change applied, the reproducer no longer triggers the UAF in
my testing.
Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f
Link: https://lore.kernel.org/netdev/20260301220525.1546355-1-shuangpeng.kernel@gmail.com
Fixes: e31d5a05948e ("caif: tty's are kref objects so take a reference")
Signed-off-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260306034006.3395740-1-shuangpeng.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/caif/caif_serial.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
index b90890030751f..1873d8287bb9b 100644
--- a/drivers/net/caif/caif_serial.c
+++ b/drivers/net/caif/caif_serial.c
@@ -297,6 +297,7 @@ static void ser_release(struct work_struct *work)
dev_close(ser->dev);
unregister_netdevice(ser->dev);
debugfs_deinit(ser);
+ tty_kref_put(tty->link);
tty_kref_put(tty);
}
rtnl_unlock();
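Review bot: in ser_release() the put is done on tty->link as read at release time, not on the pointer the reference was taken on in ldisc_open(). The get/put pairing therefore depends on tty->link never changing while the line discipline is attached. Keeping the pointer returned by tty_kref_get() in the ser structure and putting that would make the pairing explicit and independent of the tty's later state.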
@@ -331,6 +332,7 @@ static int ldisc_open(struct tty_struct *tty)
ser = netdev_priv(dev);
ser->tty = tty_kref_get(tty);
+ tty_kref_get(tty->link);
ser->dev = dev;
debugfs_init(ser, tty);
tty->receive_room = 4096;
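Review bot: the return value of tty_kref_get(tty->link) is dropped here, and nothing records that an extra reference is now held. If the line discipline can be attached to a tty that is not one half of a pty pair, tty->link is NULL and this line relies on tty_kref_get() and tty_kref_put() accepting NULL; a one-line comment saying so, and saying that the reference protects the tty->link->port access in the TX path, would help the next reader.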
@@ -339,6 +341,7 @@ static int ldisc_open(struct tty_struct *tty)
rtnl_lock();
result = register_netdevice(dev);
if (result) {
+ tty_kref_put(tty->link);
tty_kref_put(tty);
rtnl_unlock();
free_netdev(dev);
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 062/378] bnxt_en: Fix RSS table size check when changing ethtool channels
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 061/378] serial: caif: hold tty->link reference in ldisc_open and ser_release Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 063/378] drm/i915/dp: Read ALPM caps after DPCD init Greg Kroah-Hartman
` (322 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Björn Töpel,
Andy Gospodarek, Pavan Chebbi, Michael Chan, Jakub Kicinski,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavan Chebbi <pavan.chebbi@broadcom.com>
[ Upstream commit 0d9a60a0618d255530ca56072c5f39eb58e1ed4a ]
When changing channels, the current check in bnxt_set_channels()
is not checking for non-default RSS contexts when the RSS table size
changes. The current check for IFF_RXFH_CONFIGURED is only sufficient
for the default RSS context. Expand the check to include the presence
of any non-default RSS contexts.
Allowing such change will result in incorrect configuration of the
context's RSS table when the table size changes.
Fixes: b3d0083caf9a ("bnxt_en: Support RSS contexts in ethtool .{get|set}_rxfh()")
Reported-by: Björn Töpel <bjorn@kernel.org>
Link: https://lore.kernel.org/netdev/20260303181535.2671734-1-bjorn@kernel.org/
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Signed-off-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Link: https://patch.msgid.link/20260306225854.3575672-1-michael.chan@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
index c76a7623870be..fa452d6272e0f 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
@@ -979,8 +979,8 @@ static int bnxt_set_channels(struct net_device *dev,
if (bnxt_get_nr_rss_ctxs(bp, req_rx_rings) !=
bnxt_get_nr_rss_ctxs(bp, bp->rx_nr_rings) &&
- netif_is_rxfh_configured(dev)) {
- netdev_warn(dev, "RSS table size change required, RSS table entries must be default to proceed\n");
+ (netif_is_rxfh_configured(dev) || bp->num_rss_ctx)) {
+ netdev_warn(dev, "RSS table size change required, RSS table entries must be default (with no additional RSS contexts present) to proceed\n");
return -EINVAL;
}
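Review bot: the condition now rejects the change for two different reasons, a user-configured default indirection table or the presence of additional RSS contexts (bp->num_rss_ctx), but the single netdev_warn() string folds both into one sentence. Consider separate messages so the user knows whether to reset the default table or delete the extra contexts; that would also bring the format string back under a readable length.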
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 063/378] drm/i915/dp: Read ALPM caps after DPCD init
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 062/378] bnxt_en: Fix RSS table size check when changing ethtool channels Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 064/378] net: enetc: fix incorrect fallback PHY address handling Greg Kroah-Hartman
` (321 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arun R Murthy, Animesh Manna,
Jouni Högander, Tvrtko Ursulin, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arun R Murthy <arun.r.murthy@intel.com>
[ Upstream commit 335b237d902c7362cb7228802e68374406b24acf ]
For eDP read the ALPM DPCD caps after DPCD initialization and just before
the PSR init.
v2: Move intel_alpm_init to intel_edp_init_dpcd (Jouni)
v3: Add Fixes with commit-id (Jouni)
v4: Separated the alpm dpcd read caps from alpm_init and moved to
intel_edp_init_dpcd.
v5: Read alpm_caps always for eDP irrespective of the eDP version (Jouni)
v6: replace drm_dp_dpcd_readb with drm_dp_dpcd_read_byte (Jouni)
Fixes: 15438b325987 ("drm/i915/alpm: Add compute config for lobf")
Signed-off-by: Arun R Murthy <arun.r.murthy@intel.com>
Reviewed-by: Animesh Manna <animesh.manna@intel.com>
Reviewed-by: Jouni Högander <jouni.hogander@intel.com>
Signed-off-by: Animesh Manna <animesh.manna@intel.com>
Link: https://patch.msgid.link/20260304072157.1123283-1-arun.r.murthy@intel.com
(cherry picked from commit 88442ba208dd5d3405de3f5000cf5b2c86876ae3)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/intel_alpm.c | 6 ------
drivers/gpu/drm/i915/display/intel_dp.c | 7 +++++++
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/i915/display/intel_alpm.c b/drivers/gpu/drm/i915/display/intel_alpm.c
index 6372f533f65b5..5ba767bb38521 100644
--- a/drivers/gpu/drm/i915/display/intel_alpm.c
+++ b/drivers/gpu/drm/i915/display/intel_alpm.c
@@ -43,12 +43,6 @@ bool intel_alpm_is_alpm_aux_less(struct intel_dp *intel_dp,
void intel_alpm_init(struct intel_dp *intel_dp)
{
- u8 dpcd;
-
- if (drm_dp_dpcd_readb(&intel_dp->aux, DP_RECEIVER_ALPM_CAP, &dpcd) < 0)
- return;
-
- intel_dp->alpm_dpcd = dpcd;
mutex_init(&intel_dp->alpm.lock);
}
diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c
index ee258df439a7d..b6ce11267b92d 100644
--- a/drivers/gpu/drm/i915/display/intel_dp.c
+++ b/drivers/gpu/drm/i915/display/intel_dp.c
@@ -4547,6 +4547,7 @@ static bool
intel_edp_init_dpcd(struct intel_dp *intel_dp, struct intel_connector *connector)
{
struct intel_display *display = to_intel_display(intel_dp);
+ int ret;
/* this function is meant to be called only once */
drm_WARN_ON(display->drm, intel_dp->dpcd[DP_DPCD_REV] != 0);
@@ -4586,6 +4587,12 @@ intel_edp_init_dpcd(struct intel_dp *intel_dp, struct intel_connector *connector
*/
intel_dp_init_source_oui(intel_dp);
+ /* Read the ALPM DPCD caps */
+ ret = drm_dp_dpcd_read_byte(&intel_dp->aux, DP_RECEIVER_ALPM_CAP,
+ &intel_dp->alpm_dpcd);
+ if (ret < 0)
+ return false;
+
/*
* This has to be called after intel_dp->edp_dpcd is filled, PSR checks
* for SET_POWER_CAPABLE bit in intel_dp->edp_dpcd[1]
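Review bot: a failed read of DP_RECEIVER_ALPM_CAP now makes intel_edp_init_dpcd() return false, whereas the code removed from intel_alpm_init() simply returned and left alpm_dpcd unset. That turns an optional capability read into a hard failure of eDP DPCD init. If a sink that does not implement this register can fail the AUX read, it would be safer to treat the error as "no ALPM" (alpm_dpcd = 0) and continue; if the hard failure is intended, the commit message should say so.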
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 064/378] net: enetc: fix incorrect fallback PHY address handling
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 063/378] drm/i915/dp: Read ALPM caps after DPCD init Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 065/378] net: enetc: do not skip setting LaBCR[MDIO_PHYAD_PRTAD] for addr 0 Greg Kroah-Hartman
` (320 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Stein, Clark Wang,
Wei Fang, Paolo Abeni, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit 246953f33e8cf95621d6c00332e2780ce1594082 ]
The current netc_get_phy_addr() implementation falls back to PHY address
0 when the "mdio" node or the PHY child node is missing. On i.MX95, this
causes failures when a real PHY is actually assigned address 0 and is
managed through the EMDIO interface. Because the bit 0 of phy_mask will
be set, leading imx95_enetc_mdio_phyaddr_config() to return an error, and
the netc_blk_ctrl driver probe subsequently fails. Fix this by returning
-ENODEV when neither an "mdio" node nor any PHY node is present, it means
that ENETC port MDIO is not used to manage the PHY, so there is no need
to configure LaBCR[MDIO_PHYAD_PRTAD].
Reported-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Closes: https://lore.kernel.org/all/7825188.GXAFRqVoOG@steina-w
Fixes: 6633df05f3ad ("net: enetc: set the external PHY address in IERB for port MDIO usage")
Reviewed-by: Clark Wang <xiaoning.wang@nxp.com>
Tested-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20260305031211.904812-2-wei.fang@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c b/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c
index 7fd39f8952901..f0e103615e884 100644
--- a/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c
+++ b/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c
@@ -333,11 +333,13 @@ static int netc_get_phy_addr(struct device_node *np)
mdio_node = of_get_child_by_name(np, "mdio");
if (!mdio_node)
- return 0;
+ return -ENODEV;
phy_node = of_get_next_child(mdio_node, NULL);
- if (!phy_node)
+ if (!phy_node) {
+ err = -ENODEV;
goto of_put_mdio_node;
+ }
err = of_property_read_u32(phy_node, "reg", &addr);
if (err)
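Review bot: netc_get_phy_addr() now returns -ENODEV with a specific meaning (no "mdio" node or no PHY child, so port MDIO is not used), and both callers branch on that exact value. Please add a comment above the function documenting this return contract, so that a later change which returns -ENODEV for some other failure inside it does not silently turn into a skipped port.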
@@ -423,6 +425,9 @@ static int imx95_enetc_mdio_phyaddr_config(struct platform_device *pdev)
addr = netc_get_phy_addr(gchild);
if (addr < 0) {
+ if (addr == -ENODEV)
+ continue;
+
dev_err(dev, "Failed to get PHY address\n");
return addr;
}
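Review bot: the new `if (addr == -ENODEV) continue;` skips the port without any trace, so a device tree with a mistyped "mdio" node name or a forgotten PHY child is indistinguishable from a port that intentionally does not use port MDIO. A dev_dbg() on this path naming the node would make that case diagnosable without changing behaviour.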
@@ -578,6 +583,9 @@ static int imx94_enetc_mdio_phyaddr_config(struct netc_blk_ctrl *priv,
addr = netc_get_phy_addr(np);
if (addr < 0) {
+ if (addr == -ENODEV)
+ return 0;
+
dev_err(dev, "Failed to get PHY address\n");
return addr;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 065/378] net: enetc: do not skip setting LaBCR[MDIO_PHYAD_PRTAD] for addr 0
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 064/378] net: enetc: fix incorrect fallback PHY address handling Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 066/378] mctp: i2c: fix skb memory leak in receive path Greg Kroah-Hartman
` (319 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Clark Wang, Wei Fang, Paolo Abeni,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit dbe17e7783cb5d6451ff1217d0464865857e97e1 ]
Given that some platforms may use PHY address 0 (I suppose the PHY may
not treat address 0 as a broadcast address or default response address).
It is possible for some boards to connect multiple PHYs to the same
ENETC MAC, for example:
- a PHY with a non-zero address connects to ENETC MAC through SGMII
interface (selected via DTS_A)
- a PHY with address 0 connects to ENETC MAC through RGMII interface
(selected via DTS_B)
For the case where the ENETC port MDIO is used to manage the PHY, when
switching from DTS_A to DTS_B via soft reboot, LaBCR[MDIO_PHYAD_PRTAD]
must be updated to 0 because the NETCMIX block is not reset during soft
reboot. However, the current driver explicitly skips configuring address
0, causing LaBCR[MDIO_PHYAD_PRTAD] to retain its old value.
Therefore, remove the special-case skip of PHY address 0 so that valid
configurations using address 0 are properly supported.
Fixes: 6633df05f3ad ("net: enetc: set the external PHY address in IERB for port MDIO usage")
Fixes: 50bfd9c06f0f ("net: enetc: set external PHY address in IERB for i.MX94 ENETC")
Reviewed-by: Clark Wang <xiaoning.wang@nxp.com>
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20260305031211.904812-3-wei.fang@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c b/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c
index f0e103615e884..92a0f824dae7a 100644
--- a/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c
+++ b/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c
@@ -438,12 +438,6 @@ static int imx95_enetc_mdio_phyaddr_config(struct platform_device *pdev)
return -EINVAL;
}
- /* The default value of LaBCR[MDIO_PHYAD_PRTAD ] is
- * 0, so no need to set the register.
- */
- if (!addr)
- continue;
-
switch (bus_devfn) {
case IMX95_ENETC0_BUS_DEVFN:
netc_reg_write(priv->ierb, IERB_LBCR(0),
@@ -590,12 +584,6 @@ static int imx94_enetc_mdio_phyaddr_config(struct netc_blk_ctrl *priv,
return addr;
}
- /* The default value of LaBCR[MDIO_PHYAD_PRTAD] is 0,
- * so no need to set the register.
- */
- if (!addr)
- return 0;
-
if (phy_mask & BIT(addr)) {
dev_err(dev,
"Find same PHY address in EMDIO and ENETC node\n");
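Review bot: with the `if (!addr) return 0;` early exit removed, address 0 now reaches the `phy_mask & BIT(addr)` conflict check. That is only safe because the previous patch in this series makes netc_get_phy_addr() return -ENODEV instead of 0 when there is no PHY node; without it, every port lacking an "mdio" node would collide with a real EMDIO PHY at address 0. The dependency is worth stating in the commit message so the two patches are always backported together.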
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 066/378] mctp: i2c: fix skb memory leak in receive path
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 065/378] net: enetc: do not skip setting LaBCR[MDIO_PHYAD_PRTAD] for addr 0 Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 067/378] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value Greg Kroah-Hartman
` (318 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haiyue Wang, Paolo Abeni,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haiyue Wang <haiyuewa@163.com>
[ Upstream commit e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69 ]
When 'midev->allow_rx' is false, the newly allocated skb isn't consumed
by netif_rx(), it needs to free the skb directly.
Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver")
Signed-off-by: Haiyue Wang <haiyuewa@163.com>
Link: https://patch.msgid.link/20260305143240.97592-1-haiyuewa@163.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/mctp/mctp-i2c.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c
index 8043b57bdf250..f138b0251313e 100644
--- a/drivers/net/mctp/mctp-i2c.c
+++ b/drivers/net/mctp/mctp-i2c.c
@@ -343,6 +343,7 @@ static int mctp_i2c_recv(struct mctp_i2c_dev *midev)
} else {
status = NET_RX_DROP;
spin_unlock_irqrestore(&midev->lock, flags);
+ kfree_skb(skb);
}
if (status == NET_RX_SUCCESS) {
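Review bot: the kfree_skb() is correctly placed after spin_unlock_irqrestore(), but the drop in the `else` branch is then invisible to drop monitoring beyond a generic free. Since this is a deliberate drop because allow_rx is false, consider kfree_skb_reason() with a suitable reason, and check that nothing after the `if (status == NET_RX_SUCCESS)` block touches skb on the NET_RX_DROP path.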
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 067/378] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 066/378] mctp: i2c: fix skb memory leak in receive path Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 068/378] bonding: fix type confusion in bond_setup_by_slave() Greg Kroah-Hartman
` (317 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenyuan Li, Marc Kleine-Budde,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenyuan Li <2063309626@qq.com>
[ Upstream commit 47bba09b14fa21712398febf36cb14fd4fc3bded ]
In hi3110_open(), the return value of hi3110_power_enable() is not checked.
If power enable fails, the device may not function correctly, while the
driver still returns success.
Add a check for the return value and propagate the error accordingly.
Signed-off-by: Wenyuan Li <2063309626@qq.com>
Link: https://patch.msgid.link/tencent_B5E2E7528BB28AA8A2A56E16C49BD58B8B07@qq.com
Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver")
[mkl: adjust subject, commit message and jump label]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/spi/hi311x.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c
index e00d3dbc4cf43..91b1fa970f8fb 100644
--- a/drivers/net/can/spi/hi311x.c
+++ b/drivers/net/can/spi/hi311x.c
@@ -755,7 +755,9 @@ static int hi3110_open(struct net_device *net)
return ret;
mutex_lock(&priv->hi3110_lock);
- hi3110_power_enable(priv->transceiver, 1);
+ ret = hi3110_power_enable(priv->transceiver, 1);
+ if (ret)
+ goto out_close_candev;
priv->force_quit = 0;
priv->tx_skb = NULL;
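Review bot: when hi3110_power_enable() fails, the new `goto out_close_candev` returns the error without logging anything, so the user only sees the open fail. A netdev_err() or dev_err() with the return code before the goto would identify the transceiver supply as the cause.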
@@ -790,6 +792,7 @@ static int hi3110_open(struct net_device *net)
hi3110_hw_sleep(spi);
out_close:
hi3110_power_enable(priv->transceiver, 0);
+ out_close_candev:
close_candev(net);
mutex_unlock(&priv->hi3110_lock);
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 068/378] bonding: fix type confusion in bond_setup_by_slave()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 067/378] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 069/378] mctp: route: hold key->lock in mctp_flow_prepare_output() Greg Kroah-Hartman
` (316 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jay Vosburgh, Eric Dumazet,
Jiayuan Chen, Paolo Abeni, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@shopee.com>
[ Upstream commit 950803f7254721c1c15858fbbfae3deaaeeecb11 ]
kernel BUG at net/core/skbuff.c:2306!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306
RSP: 0018:ffffc90004aff760 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e
RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900
RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000
R10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780
R13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0
Call Trace:
<TASK>
ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900
dev_hard_header include/linux/netdevice.h:3439 [inline]
packet_snd net/packet/af_packet.c:3028 [inline]
packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0xa54/0xc30 net/socket.c:2592
___sys_sendmsg+0x190/0x1e0 net/socket.c:2646
__sys_sendmsg+0x170/0x220 net/socket.c:2678
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe1a0e6c1a9
When a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond,
bond_setup_by_slave() directly copies the slave's header_ops to the
bond device:
bond_dev->header_ops = slave_dev->header_ops;
This causes a type confusion when dev_hard_header() is later called
on the bond device. Functions like ipgre_header(), ip6gre_header(), all use
netdev_priv(dev) to access their device-specific private data. When
called with the bond device, netdev_priv() returns the bond's private
data (struct bonding) instead of the expected type (e.g. struct
ip_tunnel), leading to garbage values being read and kernel crashes.
Fix this by introducing bond_header_ops with wrapper functions that
delegate to the active slave's header_ops using the slave's own
device. This ensures netdev_priv() in the slave's header functions
always receives the correct device.
The fix is placed in the bonding driver rather than individual device
drivers, as the root cause is bond blindly inheriting header_ops from
the slave without considering that these callbacks expect a specific
netdev_priv() layout.
The type confusion can be observed by adding a printk in
ipgre_header() and running the following commands:
ip link add dummy0 type dummy
ip addr add 10.0.0.1/24 dev dummy0
ip link set dummy0 up
ip link add gre1 type gre local 10.0.0.1
ip link add bond1 type bond mode active-backup
ip link set gre1 master bond1
ip link set gre1 up
ip link set bond1 up
ip addr add fe80::1/64 dev bond1
Fixes: 1284cd3a2b74 ("bonding: two small fixes for IPoIB support")
Suggested-by: Jay Vosburgh <jv@jvosburgh.net>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Link: https://patch.msgid.link/20260306021508.222062-1-jiayuan.chen@linux.dev
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 47 ++++++++++++++++++++++++++++++++-
1 file changed, 46 insertions(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 8be99ae67b77f..139ece7676c50 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1476,6 +1476,50 @@ static netdev_features_t bond_fix_features(struct net_device *dev,
return features;
}
+static int bond_header_create(struct sk_buff *skb, struct net_device *bond_dev,
+ unsigned short type, const void *daddr,
+ const void *saddr, unsigned int len)
+{
+ struct bonding *bond = netdev_priv(bond_dev);
+ const struct header_ops *slave_ops;
+ struct slave *slave;
+ int ret = 0;
+
+ rcu_read_lock();
+ slave = rcu_dereference(bond->curr_active_slave);
+ if (slave) {
+ slave_ops = READ_ONCE(slave->dev->header_ops);
+ if (slave_ops && slave_ops->create)
+ ret = slave_ops->create(skb, slave->dev,
+ type, daddr, saddr, len);
+ }
+ rcu_read_unlock();
+ return ret;
+}
+
+static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr)
+{
+ struct bonding *bond = netdev_priv(skb->dev);
+ const struct header_ops *slave_ops;
+ struct slave *slave;
+ int ret = 0;
+
+ rcu_read_lock();
+ slave = rcu_dereference(bond->curr_active_slave);
+ if (slave) {
+ slave_ops = READ_ONCE(slave->dev->header_ops);
+ if (slave_ops && slave_ops->parse)
+ ret = slave_ops->parse(skb, haddr);
+ }
+ rcu_read_unlock();
+ return ret;
+}
+
+static const struct header_ops bond_header_ops = {
+ .create = bond_header_create,
+ .parse = bond_header_parse,
+};
+
static void bond_setup_by_slave(struct net_device *bond_dev,
struct net_device *slave_dev)
{
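Review bot: bond_header_parse() passes the slave's ->parse() the same skb, whose skb->dev is still the bond device (the wrapper itself calls netdev_priv(skb->dev) to get struct bonding), so a slave parse callback that derives private data from skb->dev would hit the same type confusion this patch removes for ->create(). Please either confirm that no enslavable device's parse callback looks at skb->dev or find a way to hand it the slave device. Two smaller points: bond_header_create() returns 0 when there is no active slave or no ->create, which looks like a zero-length header rather than a failure to the caller, and bond_header_ops only provides .create and .parse, so any other header_ops callback the slave implements is no longer reachable through the bond; both deserve a sentence in the commit message.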
@@ -1483,7 +1527,8 @@ static void bond_setup_by_slave(struct net_device *bond_dev,
dev_close(bond_dev);
- bond_dev->header_ops = slave_dev->header_ops;
+ bond_dev->header_ops = slave_dev->header_ops ?
+ &bond_header_ops : NULL;
bond_dev->type = slave_dev->type;
bond_dev->hard_header_len = slave_dev->hard_header_len;
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 069/378] mctp: route: hold key->lock in mctp_flow_prepare_output()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 068/378] bonding: fix type confusion in bond_setup_by_slave() Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 070/378] amd-xgbe: fix link status handling in xgbe_rx_adaptation Greg Kroah-Hartman
` (315 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chengfeng Ye, Paolo Abeni,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chengfeng Ye <dg573847474@gmail.com>
[ Upstream commit 7d86aa41c073c4e7eb75fd2e674f1fd8f289728a ]
mctp_flow_prepare_output() checks key->dev and may call
mctp_dev_set_key(), but it does not hold key->lock while doing so.
mctp_dev_set_key() and mctp_dev_release_key() are annotated with
__must_hold(&key->lock), so key->dev access is intended to be
serialized by key->lock. The mctp_sendmsg() transmit path reaches
mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output()
without holding key->lock, so the check-and-set sequence is racy.
Example interleaving:
  CPU0                                  CPU1
  ----                                  ----
  mctp_flow_prepare_output(key, devA)
    if (!key->dev) // sees NULL
                                        mctp_flow_prepare_output(
                                            key, devB)
                                          if (!key->dev) // still NULL
                                          mctp_dev_set_key(devB, key)
                                            mctp_dev_hold(devB)
                                            key->dev = devB
    mctp_dev_set_key(devA, key)
      mctp_dev_hold(devA)
      key->dev = devA // overwrites devB
Now both devA and devB references were acquired, but only the final
key->dev value is tracked for release. One reference can be lost,
causing a resource leak as mctp_dev_release_key() would only decrease
the reference on one dev.
Fix by taking key->lock around the key->dev check and
mctp_dev_set_key() call.
Fixes: 67737c457281 ("mctp: Pass flow data & flow release events to drivers")
Signed-off-by: Chengfeng Ye <dg573847474@gmail.com>
Link: https://patch.msgid.link/20260306031402.857224-1-dg573847474@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mctp/route.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/mctp/route.c b/net/mctp/route.c
index ecbbe4beb2133..7a94b58f00978 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -359,6 +359,7 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev)
{
struct mctp_sk_key *key;
struct mctp_flow *flow;
+ unsigned long flags;
flow = skb_ext_find(skb, SKB_EXT_MCTP);
if (!flow)
@@ -366,12 +367,14 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev)
key = flow->key;
- if (key->dev) {
+ spin_lock_irqsave(&key->lock, flags);
+
+ if (!key->dev)
+ mctp_dev_set_key(dev, key);
+ else
WARN_ON(key->dev != dev);
- return;
- }
- mctp_dev_set_key(dev, key);
+ spin_unlock_irqrestore(&key->lock, flags);
}
#else
static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key) {}
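Review bot: WARN_ON(key->dev != dev) now runs inside the spin_lock_irqsave() section on the transmit path, so a persistent mismatch would print a full backtrace per packet with interrupts disabled. WARN_ON_ONCE() gives the same diagnostic without that cost. The locking itself matches the __must_hold(&key->lock) annotation quoted in the commit message.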
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 070/378] amd-xgbe: fix link status handling in xgbe_rx_adaptation
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 069/378] mctp: route: hold key->lock in mctp_flow_prepare_output() Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 071/378] amd-xgbe: prevent CRC errors during RX adaptation with AN disabled Greg Kroah-Hartman
` (314 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raju Rangoju, Paolo Abeni,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raju Rangoju <Raju.Rangoju@amd.com>
[ Upstream commit 6485cb96be5cd0f4bf39554737ba11322cc9b053 ]
The link status bit is latched low to allow detection of momentary
link drops. If the status indicates that the link is already down,
read it again to obtain the current state.
Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation")
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Link: https://patch.msgid.link/20260306111629.1515676-2-Raju.Rangoju@amd.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
index c63ddb12237ea..13c556dc0d67a 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
@@ -1942,7 +1942,7 @@ static void xgbe_set_rx_adap_mode(struct xgbe_prv_data *pdata,
static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata)
{
struct xgbe_phy_data *phy_data = pdata->phy_data;
- unsigned int reg;
+ int reg;
/* step 2: force PCS to send RX_ADAPT Req to PHY */
XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_RX_EQ_CTRL4,
@@ -1964,11 +1964,20 @@ static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata)
/* Step 4: Check for Block lock */
- /* Link status is latched low, so read once to clear
- * and then read again to get current state
- */
- reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
+ if (reg < 0)
+ goto set_mode;
+
+ /* Link status is latched low so that momentary link drops
+ * can be detected. If link was already down read again
+ * to get the latest state.
+ */
+ if (!pdata->phy.link && !(reg & MDIO_STAT1_LSTATUS)) {
+ reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
+ if (reg < 0)
+ goto set_mode;
+ }
+
if (reg & MDIO_STAT1_LSTATUS) {
/* If the block lock is found, update the helpers
* and declare the link up
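Review bot: the two new `if (reg < 0) goto set_mode;` exits discard the XMDIO_READ error without any trace, and the commit message describes only the latched-low re-read, not this error handling. A netif_dbg() on the failure path and a sentence in the changelog would make a failed MDIO read distinguishable from an ordinary missing block lock. These checks are also the reason the first hunk changes `unsigned int reg` to `int reg`; with the unsigned type they would never be true, which is worth saying in the changelog too.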
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 071/378] amd-xgbe: prevent CRC errors during RX adaptation with AN disabled
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 070/378] amd-xgbe: fix link status handling in xgbe_rx_adaptation Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 072/378] amd-xgbe: reset PHY settings before starting PHY Greg Kroah-Hartman
` (313 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raju Rangoju, Paolo Abeni,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raju Rangoju <Raju.Rangoju@amd.com>
[ Upstream commit 27a4dd0c702b3b2b9cf2c045d100cc2fe8720b81 ]
When operating in 10GBASE-KR mode with auto-negotiation disabled and RX
adaptation enabled, CRC errors can occur during the RX adaptation
process. This happens because the driver continues transmitting and
receiving packets while adaptation is in progress.
Fix this by stopping TX/RX immediately when the link goes down and RX
adaptation needs to be re-triggered, and only re-enabling TX/RX after
adaptation completes and the link is confirmed up. Introduce a flag to
track whether TX/RX was disabled for adaptation so it can be restored
correctly.
This prevents packets from being transmitted or received during the RX
adaptation window and avoids CRC errors from corrupted frames.
The flag tracking the data path state is synchronized with hardware
state in xgbe_start() to prevent stale state after device restarts.
This ensures that after a restart cycle (where xgbe_stop disables
TX/RX and xgbe_start re-enables them), the flag correctly reflects
that the data path is active.
Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation")
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Link: https://patch.msgid.link/20260306111629.1515676-3-Raju.Rangoju@amd.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 4 ++
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 63 ++++++++++++++++++++-
drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++
3 files changed, 69 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
index 20ce2ed4cd9f7..3444ec681a11f 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
@@ -1277,6 +1277,10 @@ static int xgbe_start(struct xgbe_prv_data *pdata)
hw_if->enable_tx(pdata);
hw_if->enable_rx(pdata);
+ /* Synchronize flag with hardware state after enabling TX/RX.
+ * This prevents stale state after device restart cycles.
+ */
+ pdata->data_path_stopped = false;
udp_tunnel_nic_reset_ntf(netdev);
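Review bot: `pdata->data_path_stopped = false` is written here with no lock visible in the hunk, while the helpers this patch adds in xgbe-phy-v2.c test and set the same flag from xgbe_phy_link_status(). The comment should name the lock or calling context that serialises xgbe_start() against the link-status poll; without that, the flag and the real TX/RX state can disagree when a restart overlaps a poll.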
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
index 13c556dc0d67a..b8cf6ccfe6414 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
@@ -2017,6 +2017,48 @@ static void xgbe_phy_rx_adaptation(struct xgbe_prv_data *pdata)
xgbe_rx_adaptation(pdata);
}
+/*
+ * xgbe_phy_stop_data_path - Stop TX/RX to prevent packet corruption
+ * @pdata: driver private data
+ *
+ * This function stops the data path (TX and RX) to prevent packet
+ * corruption during critical PHY operations like RX adaptation.
+ * Must be called before initiating RX adaptation when link goes down.
+ */
+static void xgbe_phy_stop_data_path(struct xgbe_prv_data *pdata)
+{
+ if (pdata->data_path_stopped)
+ return;
+
+ /* Stop TX/RX to prevent packet corruption during RX adaptation */
+ pdata->hw_if.disable_tx(pdata);
+ pdata->hw_if.disable_rx(pdata);
+ pdata->data_path_stopped = true;
+
+ netif_dbg(pdata, link, pdata->netdev,
+ "stopping data path for RX adaptation\n");
+}
+
+/*
+ * xgbe_phy_start_data_path - Re-enable TX/RX after RX adaptation
+ * @pdata: driver private data
+ *
+ * This function re-enables the data path (TX and RX) after RX adaptation
+ * has completed successfully. Only called when link is confirmed up.
+ */
+static void xgbe_phy_start_data_path(struct xgbe_prv_data *pdata)
+{
+ if (!pdata->data_path_stopped)
+ return;
+
+ pdata->hw_if.enable_rx(pdata);
+ pdata->hw_if.enable_tx(pdata);
+ pdata->data_path_stopped = false;
+
+ netif_dbg(pdata, link, pdata->netdev,
+ "restarting data path after RX adaptation\n");
+}
+
static void xgbe_phy_rx_reset(struct xgbe_prv_data *pdata)
{
int reg;
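Review bot: xgbe_phy_start_data_path() enables RX before TX, while xgbe_phy_stop_data_path() disables TX before RX and xgbe_start() in this same patch enables TX before RX. If the ordering matters to the hardware, the function comments should say so; if it does not, matching xgbe_start() avoids the question. The two header comments are also laid out as kernel-doc (`@pdata:`) but open with `/*` rather than `/**`.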
@@ -2810,13 +2852,27 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart)
if (pdata->en_rx_adap) {
/* if the link is available and adaptation is done,
* declare link up
+ *
+ * Note: When link is up and adaptation is done, we can
+ * safely re-enable the data path if it was stopped
+ * for adaptation.
*/
- if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done)
+ if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done) {
+ xgbe_phy_start_data_path(pdata);
return 1;
+ }
/* If either link is not available or adaptation is not done,
* retrigger the adaptation logic. (if the mode is not set,
* then issue mailbox command first)
*/
+
+ /* CRITICAL: Stop data path BEFORE triggering RX adaptation
+ * to prevent CRC errors from packets corrupted during
+ * the adaptation process. This is especially important
+ * when AN is OFF in 10G KR mode.
+ */
+ xgbe_phy_stop_data_path(pdata);
+
if (pdata->mode_set) {
xgbe_phy_rx_adaptation(pdata);
} else {
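Review bot: the xgbe_phy_stop_data_path() call is guarded only by `if (pdata->en_rx_adap)`, so TX/RX is stopped on every retrigger of adaptation, not just in the 10GBASE-KR, AN-disabled case that the commit message and the new comment single out. Either narrow the condition to that case or reword the comment and changelog to say the stop applies whenever RX adaptation is enabled. The "CRITICAL:" prefix is unusual for in-tree comments and can go.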
@@ -2824,8 +2880,11 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart)
xgbe_phy_set_mode(pdata, phy_data->cur_mode);
}
- if (pdata->rx_adapt_done)
+ if (pdata->rx_adapt_done) {
+ /* Adaptation complete, safe to re-enable data path */
+ xgbe_phy_start_data_path(pdata);
return 1;
+ }
} else if (reg & MDIO_STAT1_LSTATUS)
return 1;
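Review bot: the trailing `else if (reg & MDIO_STAT1_LSTATUS) return 1;` branch reports link up without calling xgbe_phy_start_data_path(). If en_rx_adap can ever be cleared while data_path_stopped is still true, the link would be declared up with TX/RX disabled until the next xgbe_start(). Please confirm that cannot happen, or call the start helper on that branch as well; it is already a no-op when the flag is clear.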
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h
index 4ba23779b2b7e..3bc748c7cb24d 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
+++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
@@ -1242,6 +1242,10 @@ struct xgbe_prv_data {
bool en_rx_adap;
int rx_adapt_retries;
bool rx_adapt_done;
+ /* Flag to track if data path (TX/RX) was stopped for RX adaptation.
+ * This prevents packet corruption during the adaptation window.
+ */
+ bool data_path_stopped;
bool mode_set;
bool sph;
};
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 072/378] amd-xgbe: reset PHY settings before starting PHY
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 071/378] amd-xgbe: prevent CRC errors during RX adaptation with AN disabled Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 073/378] net: add xmit recursion limit to tunnel xmit functions Greg Kroah-Hartman
` (312 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Raju Rangoju,
Paolo Abeni, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raju Rangoju <Raju.Rangoju@amd.com>
[ Upstream commit a8ba129af46856112981c124850ec6a85a1c1ab6 ]
commit f93505f35745 ("amd-xgbe: let the MAC manage PHY PM") moved
xgbe_phy_reset() from xgbe_open() to xgbe_start(), placing it after
phy_start(). As a result, the PHY settings were being reset after the
PHY had already started.
Reorder the calls so that the PHY settings are reset before
phy_start() is invoked.
Fixes: f93505f35745 ("amd-xgbe: let the MAC manage PHY PM")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Link: https://patch.msgid.link/20260306111629.1515676-4-Raju.Rangoju@amd.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
index 3444ec681a11f..6de12a0e06553 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
@@ -1271,6 +1271,12 @@ static int xgbe_start(struct xgbe_prv_data *pdata)
if (ret)
goto err_napi;
+ /* Reset the phy settings */
+ ret = xgbe_phy_reset(pdata);
+ if (ret)
+ goto err_irqs;
+
+ /* Start the phy */
ret = phy_if->phy_start(pdata);
if (ret)
goto err_irqs;
@@ -1284,11 +1290,6 @@ static int xgbe_start(struct xgbe_prv_data *pdata)
udp_tunnel_nic_reset_ntf(netdev);
- /* Reset the phy settings */
- ret = xgbe_phy_reset(pdata);
- if (ret)
- goto err_txrx;
-
netif_tx_start_all_queues(netdev);
xgbe_start_timers(pdata);
@@ -1298,10 +1299,6 @@ static int xgbe_start(struct xgbe_prv_data *pdata)
return 0;
-err_txrx:
- hw_if->disable_rx(pdata);
- hw_if->disable_tx(pdata);
-
err_irqs:
xgbe_free_irqs(pdata);
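Review bot: dropping the err_txrx label is correct only because no call that can fail remains after hw_if->enable_tx()/enable_rx() in xgbe_start(); the visible lines after them are udp_tunnel_nic_reset_ntf(), netif_tx_start_all_queues() and xgbe_start_timers(). A sentence to that effect in the changelog would help anyone backporting this without the earlier patches in the series, since a failing step added after the enable calls would now have no unwind path.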
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 073/378] net: add xmit recursion limit to tunnel xmit functions
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 072/378] amd-xgbe: reset PHY settings before starting PHY Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 074/378] netfilter: nf_tables: Fix for duplicate device in netdev hooks Greg Kroah-Hartman
` (311 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Paolo Abeni,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 6f1a9140ecda3baba3d945b9a6155af4268aafc4 ]
Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own
recursion limit. When a bond device in broadcast mode has GRE tap
interfaces as slaves, and those GRE tunnels route back through the
bond, multicast/broadcast traffic triggers infinite recursion between
bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing
kernel stack overflow.
The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not
sufficient because tunnel recursion involves route lookups and full IP
output, consuming much more stack per level. Use a lower limit of 4
(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.
Add recursion detection using dev_xmit_recursion helpers directly in
iptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel
paths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).
Move dev_xmit_recursion helpers from net/core/dev.h to public header
include/linux/netdevice.h so they can be used by tunnel code.
BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160
Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11
Workqueue: mld mld_ifc_work
Call Trace:
<TASK>
__build_flow_key.constprop.0 (net/ipv4/route.c:515)
ip_rt_update_pmtu (net/ipv4/route.c:1073)
iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)
ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
gre_tap_xmit (net/ipv4/ip_gre.c:779)
dev_hard_start_xmit (net/core/dev.c:3887)
sch_direct_xmit (net/sched/sch_generic.c:347)
__dev_queue_xmit (net/core/dev.c:4802)
bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)
bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)
bond_start_xmit (drivers/net/bonding/bond_main.c:5530)
dev_hard_start_xmit (net/core/dev.c:3887)
__dev_queue_xmit (net/core/dev.c:4841)
ip_finish_output2 (net/ipv4/ip_output.c:237)
ip_output (net/ipv4/ip_output.c:438)
iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)
gre_tap_xmit (net/ipv4/ip_gre.c:779)
dev_hard_start_xmit (net/core/dev.c:3887)
sch_direct_xmit (net/sched/sch_generic.c:347)
__dev_queue_xmit (net/core/dev.c:4802)
bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)
bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)
bond_start_xmit (drivers/net/bonding/bond_main.c:5530)
dev_hard_start_xmit (net/core/dev.c:3887)
__dev_queue_xmit (net/core/dev.c:4841)
ip_finish_output2 (net/ipv4/ip_output.c:237)
ip_output (net/ipv4/ip_output.c:438)
iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)
ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
gre_tap_xmit (net/ipv4/ip_gre.c:779)
dev_hard_start_xmit (net/core/dev.c:3887)
sch_direct_xmit (net/sched/sch_generic.c:347)
__dev_queue_xmit (net/core/dev.c:4802)
bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)
bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)
bond_start_xmit (drivers/net/bonding/bond_main.c:5530)
dev_hard_start_xmit (net/core/dev.c:3887)
__dev_queue_xmit (net/core/dev.c:4841)
mld_sendpack
mld_ifc_work
process_one_work
worker_thread
</TASK>
Fixes: 745e20f1b626 ("net: add a recursion limit in xmit path")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Link: https://patch.msgid.link/20260306160133.3852900-2-bestswngs@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/netdevice.h | 32 ++++++++++++++++++++++++++++++++
include/net/ip6_tunnel.h | 12 ++++++++++++
include/net/ip_tunnels.h | 7 +++++++
net/core/dev.h | 35 -----------------------------------
net/ipv4/ip_tunnel_core.c | 13 +++++++++++++
5 files changed, 64 insertions(+), 35 deletions(-)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 6655b0c6e42b4..65d85dc9c8f05 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -3573,17 +3573,49 @@ struct page_pool_bh {
};
DECLARE_PER_CPU(struct page_pool_bh, system_page_pool);
+#define XMIT_RECURSION_LIMIT 8
+
#ifndef CONFIG_PREEMPT_RT
static inline int dev_recursion_level(void)
{
return this_cpu_read(softnet_data.xmit.recursion);
}
+
+static inline bool dev_xmit_recursion(void)
+{
+ return unlikely(__this_cpu_read(softnet_data.xmit.recursion) >
+ XMIT_RECURSION_LIMIT);
+}
+
+static inline void dev_xmit_recursion_inc(void)
+{
+ __this_cpu_inc(softnet_data.xmit.recursion);
+}
+
+static inline void dev_xmit_recursion_dec(void)
+{
+ __this_cpu_dec(softnet_data.xmit.recursion);
+}
#else
static inline int dev_recursion_level(void)
{
return current->net_xmit.recursion;
}
+static inline bool dev_xmit_recursion(void)
+{
+ return unlikely(current->net_xmit.recursion > XMIT_RECURSION_LIMIT);
+}
+
+static inline void dev_xmit_recursion_inc(void)
+{
+ current->net_xmit.recursion++;
+}
+
+static inline void dev_xmit_recursion_dec(void)
+{
+ current->net_xmit.recursion--;
+}
#endif
void __netif_schedule(struct Qdisc *q);
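Review bot: the non-RT variants of dev_xmit_recursion(), dev_xmit_recursion_inc() and dev_xmit_recursion_dec() use the `__this_cpu_*` accessors, and moving them into include/linux/netdevice.h exposes them to callers outside net/core. A short comment above the block stating the required calling context (the caller must not be able to migrate between inc and dec) would document the contract that was previously implied by the private header. Minor: the CONFIG_PREEMPT_RT branch is missing the blank line between dev_recursion_level() and dev_xmit_recursion() that the other branch has.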
diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h
index 120db28658112..1253cbb4b0a45 100644
--- a/include/net/ip6_tunnel.h
+++ b/include/net/ip6_tunnel.h
@@ -156,6 +156,16 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb,
{
int pkt_len, err;
+ if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
+ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
+ dev->name);
+ DEV_STATS_INC(dev, tx_errors);
+ kfree_skb(skb);
+ return;
+ }
+
+ dev_xmit_recursion_inc();
+
memset(skb->cb, 0, sizeof(struct inet6_skb_parm));
IP6CB(skb)->flags = ip6cb_flags;
pkt_len = skb->len - skb_inner_network_offset(skb);
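Review bot: the new check compares dev_recursion_level() against IP_TUNNEL_RECURSION_LIMIT, but that counter is the same softnet_data.xmit.recursion (or current->net_xmit.recursion) that the no-qdisc path bumps via dev_xmit_recursion_inc(), so the value tested here counts tunnel and non-tunnel nesting together. The comment next to the #define in ip_tunnels.h should say that the limit applies to the shared counter, not to tunnel depth alone, so that nobody later tunes it on the assumption that 4 means four tunnels.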
@@ -166,6 +176,8 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb,
pkt_len = -1;
iptunnel_xmit_stats(dev, pkt_len);
}
+
+ dev_xmit_recursion_dec();
}
#endif
#endif
diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
index 4021e6a73e32b..80662f8120803 100644
--- a/include/net/ip_tunnels.h
+++ b/include/net/ip_tunnels.h
@@ -27,6 +27,13 @@
#include <net/ip6_route.h>
#endif
+/* Recursion limit for tunnel xmit to detect routing loops.
+ * Unlike XMIT_RECURSION_LIMIT (8) used in the no-qdisc path, tunnel
+ * recursion involves route lookups and full IP output, consuming much
+ * more stack per level, so a lower limit is needed.
+ */
+#define IP_TUNNEL_RECURSION_LIMIT 4
+
/* Keep error state on tunnel for 30 sec */
#define IPTUNNEL_ERR_TIMEO (30*HZ)
diff --git a/net/core/dev.h b/net/core/dev.h
index da18536cbd357..49173702e15e1 100644
--- a/net/core/dev.h
+++ b/net/core/dev.h
@@ -361,41 +361,6 @@ static inline void napi_assert_will_not_race(const struct napi_struct *napi)
void kick_defer_list_purge(unsigned int cpu);
-#define XMIT_RECURSION_LIMIT 8
-
-#ifndef CONFIG_PREEMPT_RT
-static inline bool dev_xmit_recursion(void)
-{
- return unlikely(__this_cpu_read(softnet_data.xmit.recursion) >
- XMIT_RECURSION_LIMIT);
-}
-
-static inline void dev_xmit_recursion_inc(void)
-{
- __this_cpu_inc(softnet_data.xmit.recursion);
-}
-
-static inline void dev_xmit_recursion_dec(void)
-{
- __this_cpu_dec(softnet_data.xmit.recursion);
-}
-#else
-static inline bool dev_xmit_recursion(void)
-{
- return unlikely(current->net_xmit.recursion > XMIT_RECURSION_LIMIT);
-}
-
-static inline void dev_xmit_recursion_inc(void)
-{
- current->net_xmit.recursion++;
-}
-
-static inline void dev_xmit_recursion_dec(void)
-{
- current->net_xmit.recursion--;
-}
-#endif
-
int dev_set_hwtstamp_phylib(struct net_device *dev,
struct kernel_hwtstamp_config *cfg,
struct netlink_ext_ack *extack);
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index 2e61ac1371289..b1b6bf949f65a 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -58,6 +58,17 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
struct iphdr *iph;
int err;
+ if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
+ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
+ dev->name);
+ DEV_STATS_INC(dev, tx_errors);
+ ip_rt_put(rt);
+ kfree_skb(skb);
+ return;
+ }
+
+ dev_xmit_recursion_inc();
+
skb_scrub_packet(skb, xnet);
skb_clear_hash_if_not_l4(skb);
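Review bot: the drop block at the top of iptunnel_xmit() is a near copy of the one added to ip6tunnel_xmit(), differing only in the ip_rt_put(rt) call. A small shared inline helper for the check, message and tx_errors bump would keep the two paths from drifting, and a comment here on why the route reference is released explicitly (rt is passed in separately from the skb) would explain the asymmetry with the IPv6 variant.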
@@ -88,6 +99,8 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
pkt_len = 0;
iptunnel_xmit_stats(dev, pkt_len);
}
+
+ dev_xmit_recursion_dec();
}
EXPORT_SYMBOL_GPL(iptunnel_xmit);
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 074/378] netfilter: nf_tables: Fix for duplicate device in netdev hooks
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 073/378] net: add xmit recursion limit to tunnel xmit functions Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 075/378] netfilter: nf_tables: always walk all pending catchall elements Greg Kroah-Hartman
` (310 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal,
syzbot+bb9127e278fa198e110c, Helen Koike, Phil Sutter,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Sutter <phil@nwl.cc>
[ Upstream commit b7cdc5a97d02c943f4bdde4d5767ad0c13cad92b ]
When handling NETDEV_REGISTER notification, duplicate device
registration must be avoided since the device may have been added by
nft_netdev_hook_alloc() already when creating the hook.
Suggested-by: Florian Westphal <fw@strlen.de>
Reported-by: syzbot+bb9127e278fa198e110c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bb9127e278fa198e110c
Fixes: a331b78a5525 ("netfilter: nf_tables: Respect NETDEV_REGISTER events")
Tested-by: Helen Koike <koike@igalia.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 2 +-
net/netfilter/nft_chain_filter.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a3865924a505d..c75c2379d30bd 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9675,7 +9675,7 @@ static int nft_flowtable_event(unsigned long event, struct net_device *dev,
break;
case NETDEV_REGISTER:
/* NOP if not matching or already registered */
- if (!match || (changename && ops))
+ if (!match || ops)
continue;
ops = kzalloc(sizeof(struct nf_hook_ops),
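Review bot: the existing comment "NOP if not matching or already registered" now matches the `if (!match || ops)` test, but it does not say how a device can already be registered when NETDEV_REGISTER arrives. Extending it to mention that nft_netdev_hook_alloc() may have added the device when the hook was created, as the commit message explains, would record why `ops` alone is the right test and why `changename` was dropped from it.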
diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c
index b16185e9a6dd7..041426e3bdbf1 100644
--- a/net/netfilter/nft_chain_filter.c
+++ b/net/netfilter/nft_chain_filter.c
@@ -344,7 +344,7 @@ static int nft_netdev_event(unsigned long event, struct net_device *dev,
break;
case NETDEV_REGISTER:
/* NOP if not matching or already registered */
- if (!match || (changename && ops))
+ if (!match || ops)
continue;
ops = kmemdup(&basechain->ops,
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 075/378] netfilter: nf_tables: always walk all pending catchall elements
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 074/378] netfilter: nf_tables: Fix for duplicate device in netdev hooks Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 076/378] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() Greg Kroah-Hartman
` (309 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yiming Qian, Florian Westphal,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9 ]
During transaction processing we might have more than one catchall element:
1 live catchall element and 1 pending element that is coming as part of the
new batch.
If the map holding the catchall elements is also going away, it's
required to toggle all catchall elements and not just the first viable
candidate.
Otherwise, we get:
WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404
RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]
[..]
__nft_set_elem_destroy+0x106/0x380 [nf_tables]
nf_tables_abort_release+0x348/0x8d0 [nf_tables]
nf_tables_abort+0xcf2/0x3ac0 [nf_tables]
nfnetlink_rcv_batch+0x9c9/0x20e0 [..]
Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index c75c2379d30bd..c9a76c760b17c 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -828,7 +828,6 @@ static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
nft_set_elem_change_active(ctx->net, set, ext);
nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
- break;
}
}
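Review bot: with the `break` removed, nft_map_catchall_deactivate() walks the whole catchall list, and nothing in the loop body says why more than one element can qualify. A one-line comment in the loop noting that a live element and a pending element from the new batch can coexist, as the commit message states, would stop the `break` from being restored as an apparent optimisation. The same applies to the matching loop in nft_map_catchall_activate().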
@@ -5873,7 +5872,6 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx,
nft_clear(ctx->net, ext);
nft_setelem_data_activate(ctx->net, set, catchall->elem);
- break;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 076/378] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 075/378] netfilter: nf_tables: always walk all pending catchall elements Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 077/378] netfilter: x_tables: guard option walkers against 1-byte tail reads Greg Kroah-Hartman
` (308 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jenny Guanni Qu, Florian Westphal,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jenny Guanni Qu <qguanni@gmail.com>
[ Upstream commit d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 ]
pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the
to_offset argument on every iteration, including the last one where
i == m->field_count - 1. This reads one element past the end of the
stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS]
with NFT_PIPAPO_MAX_FIELDS == 16).
Although pipapo_unmap() returns early when is_last is true without
using the to_offset value, the argument is evaluated at the call site
before the function body executes, making this a genuine out-of-bounds
stack read confirmed by KASAN:
BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]
Read of size 4 at addr ffff8000810e71a4
This frame has 1 object:
[32, 160) 'rulemap'
The buggy address is at offset 164 -- exactly 4 bytes past the end
of the rulemap array.
Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid
the out-of-bounds read.
Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_pipapo.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index d9b74d588c768..394b78a00a6a5 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1641,6 +1641,7 @@ static void pipapo_drop(struct nft_pipapo_match *m,
int i;
nft_pipapo_for_each_field(f, i, m) {
+ bool last = i == m->field_count - 1;
int g;
for (g = 0; g < f->groups; g++) {
@@ -1660,7 +1661,7 @@ static void pipapo_drop(struct nft_pipapo_match *m,
}
pipapo_unmap(f->mt, f->rules, rulemap[i].to, rulemap[i].n,
- rulemap[i + 1].n, i == m->field_count - 1);
+ last ? 0 : rulemap[i + 1].n, last);
if (pipapo_resize(f, f->rules, f->rules - rulemap[i].n)) {
/* We can ignore this, a failure to shrink tables down
* doesn't make tables invalid.
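Review bot: `last ? 0 : rulemap[i + 1].n` passes a placeholder 0 as to_offset, which is safe only because pipapo_unmap() returns early on is_last without using that argument, as the commit message notes. That dependency is not visible at the call site; a short comment here, or in pipapo_unmap() next to the is_last check, would keep a later change to pipapo_unmap() from silently treating 0 as a real offset.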
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 077/378] netfilter: x_tables: guard option walkers against 1-byte tail reads
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 076/378] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 078/378] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path Greg Kroah-Hartman
` (307 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Dull, Florian Westphal,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Dull <monderasdor@gmail.com>
[ Upstream commit cfe770220ac2dbd3e104c6b45094037455da81d4 ]
When the last byte of options is a non-single-byte option kind, walkers
that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end
of the option area.
Add an explicit i == optlen - 1 check before dereferencing op[i + 1]
in xt_tcpudp and xt_dccp option walkers.
Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables")
Signed-off-by: David Dull <monderasdor@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_dccp.c | 4 ++--
net/netfilter/xt_tcpudp.c | 6 ++++--
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index e5a13ecbe67a0..037ab93e25d0a 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -62,10 +62,10 @@ dccp_find_option(u_int8_t option,
return true;
}
- if (op[i] < 2)
+ if (op[i] < 2 || i == optlen - 1)
i++;
else
- i += op[i+1]?:1;
+ i += op[i + 1] ? : 1;
}
spin_unlock_bh(&dccp_buflock);
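Review bot: the `i == optlen - 1` test is folded into the `op[i] < 2` branch with no comment, so it reads as if the last byte were a single-byte option. A one-line comment saying that a multi-byte option kind in the final byte has no length byte to read would make the intent clear. The `op[i+1]?:1` to `op[i + 1] ? : 1` change on the next line is whitespace only and makes the fix look larger than it is.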
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index e8991130a3de0..f76cf18f1a244 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -59,8 +59,10 @@ tcp_find_option(u_int8_t option,
for (i = 0; i < optlen; ) {
if (op[i] == option) return !invert;
- if (op[i] < 2) i++;
- else i += op[i+1]?:1;
+ if (op[i] < 2 || i == optlen - 1)
+ i++;
+ else
+ i += op[i + 1] ? : 1;
}
return invert;
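Review bot: `if (op[i] == option) return !invert;` still runs before the new tail guard, so an option kind sitting in the last byte with its length byte cut off continues to match. If matching a truncated option is intended, a comment should say so; if not, the match should also require that the length byte lies inside optlen for kinds of 2 and above.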
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
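The tail read described in the commit message above, reproduced in user space as an added example (not part of the patch or of the kernel tree). `walk_options`, `read_at`, `reads_past_end` and both buffers are hypothetical names and constructed data; the backing array carries one spare byte so the unguarded walk never leaves real memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of one walk: whether the option kind was found, and the
 * highest index of op[] the walker dereferenced. */
struct walk_result {
	bool found;
	size_t max_index_read;
};

/* Constructed sample: three NOPs, then kind 8 as the very last byte of a
 * 4-byte option area. The fifth byte is NOT part of the option area; it
 * stands in for whatever follows the options in memory. */
static const uint8_t truncated_tail[5] = { 1, 1, 1, 8, 0xAA };
#define TRUNCATED_OPTLEN 4

/* Constructed sample: MSS (kind 2, len 4), NOP, NOP, kind 4 (len 2). */
static const uint8_t well_formed[8] = { 2, 4, 0x05, 0xb4, 1, 1, 4, 2 };
#define WELL_FORMED_OPTLEN 8

/* Every access goes through here so the walk can be audited. */
static uint8_t read_at(const uint8_t *op, size_t i, struct walk_result *r)
{
	if (i > r->max_index_read)
		r->max_index_read = i;
	return op[i];
}

/* Same shape as the option walkers in the patch: kinds 0 and 1 are one
 * byte long, every other kind is followed by a length byte. With
 * guard_tail set, a multi-byte kind in the last byte is stepped over
 * instead of having its (absent) length byte read. */
static struct walk_result walk_options(const uint8_t *op, size_t optlen,
				       uint8_t option, bool guard_tail)
{
	struct walk_result r = { false, 0 };
	size_t i;

	for (i = 0; i < optlen; ) {
		uint8_t kind = read_at(op, i, &r);

		if (kind == option) {
			r.found = true;
			return r;
		}
		if (kind < 2 || (guard_tail && i == optlen - 1)) {
			i++;
		} else {
			uint8_t len = read_at(op, i + 1, &r);

			i += len ? len : 1;
		}
	}
	return r;
}

/* True when the walk touched a byte outside the option area. */
static bool reads_past_end(struct walk_result r, size_t optlen)
{
	return r.max_index_read >= optlen;
}

int main(void)
{
	struct walk_result before = walk_options(truncated_tail,
						 TRUNCATED_OPTLEN, 5, false);
	struct walk_result after = walk_options(truncated_tail,
						TRUNCATED_OPTLEN, 5, true);

	printf("unguarded: max index %zu, past end: %d\n",
	       before.max_index_read,
	       reads_past_end(before, TRUNCATED_OPTLEN));
	printf("guarded:   max index %zu, past end: %d\n",
	       after.max_index_read,
	       reads_past_end(after, TRUNCATED_OPTLEN));
	return 0;
}
```

On the well-formed buffer both variants behave identically, which is the property a regression test for this fix should also pin down.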
* [PATCH 6.19 078/378] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 077/378] netfilter: x_tables: guard option walkers against 1-byte tail reads Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 079/378] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() Greg Kroah-Hartman
` (306 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Dull, Hyunwoo Kim,
Florian Westphal, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit f1ba83755d81c6fc66ac7acd723d238f974091e9 ]
nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue
entry from the queue data structures, taking ownership of the entry.
For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN
attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN
present but NFQA_VLAN_TCI missing), the function returns immediately
without freeing the dequeued entry or its sk_buff.
This leaks the nf_queue_entry, its associated sk_buff, and all held
references (net_device refcounts, struct net refcount). Repeated
triggering exhausts kernel memory.
Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict
on the error path, consistent with other error handling in this file.
Fixes: 8d45ff22f1b4 ("netfilter: bridge: nf queue verdict to use NFQA_VLAN and NFQA_L2HDR")
Reviewed-by: David Dull <monderasdor@gmail.com>
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_queue.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 34548213f2f14..0b96d20bacb73 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -1549,8 +1549,10 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info,
if (entry->state.pf == PF_BRIDGE) {
err = nfqa_parse_bridge(entry, nfqa);
- if (err < 0)
+ if (err < 0) {
+ nfqnl_reinject(entry, NF_DROP);
return err;
+ }
}
if (nfqa[NFQA_PAYLOAD]) {
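Review bot: the new `nfqnl_reinject(entry, NF_DROP)` in the `err < 0` branch drops the packet without any trace, so a userspace program that sends a malformed bridge verdict loses packets with only the netlink error to go on. A comment above the `PF_BRIDGE` block stating that `entry` is owned by this function once it has been dequeued, and that every early return must reinject it, would keep later error paths from reintroducing the leak.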
--
2.51.0
* [PATCH 6.19 079/378] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 078/378] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 080/378] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels Greg Kroah-Hartman
` (305 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Florian Westphal,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit 6dcee8496d53165b2d8a5909b3050b62ae71fe89 ]
nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label
inside the for loop body. When the "last" helper saved in cb->args[1]
is deleted between dump rounds, every entry fails the (cur != last)
check, so cb->args[1] is never cleared. The for loop finishes with
cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back
into the loop body bypassing the bounds check, causing an 8-byte
out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].
The 'goto restart' block was meant to re-traverse the current bucket
when "last" is no longer found, but it was placed after the for loop
instead of inside it. Move the block into the for loop body so that
the restart only occurs while cb->args[0] is still within bounds.
BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0
Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131
Call Trace:
nfnl_cthelper_dump_table+0x9f/0x1b0
netlink_dump+0x333/0x880
netlink_recvmsg+0x3e2/0x4b0
sock_recvmsg+0xde/0xf0
__sys_recvfrom+0x150/0x200
__x64_sys_recvfrom+0x76/0x90
do_syscall_64+0xc3/0x6e0
Allocated by task 1:
__kvmalloc_node_noprof+0x21b/0x700
nf_ct_alloc_hashtable+0x65/0xd0
nf_conntrack_helper_init+0x21/0x60
nf_conntrack_init_start+0x18d/0x300
nf_conntrack_standalone_init+0x12/0xc0
Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_cthelper.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index 97248963a7d3b..71a248cca746a 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -603,10 +603,10 @@ nfnl_cthelper_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
goto out;
}
}
- }
- if (cb->args[1]) {
- cb->args[1] = 0;
- goto restart;
+ if (cb->args[1]) {
+ cb->args[1] = 0;
+ goto restart;
+ }
}
out:
rcu_read_unlock();
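Review bot: the moved `if (cb->args[1])` block still uses a backward `goto restart` into the loop body, and the only thing that keeps it from re-walking the same bucket forever is the `cb->args[1] = 0` on the line before the jump. A comment on the block stating that it re-traverses bucket `cb->args[0]` without a resume marker, and that it must stay inside the `for` so the loop's bounds check has already passed, would protect it from being hoisted out of the loop again.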
--
2.51.0
* [PATCH 6.19 080/378] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 079/378] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 081/378] perf annotate: Fix hashmap__new() error checking Greg Kroah-Hartman
` (304 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
Xin Liu, Florian Westphal, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuan Tan <tanyuan98@outlook.com>
[ Upstream commit 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf ]
IDLETIMER revision 0 rules reuse existing timers by label and always call
mod_timer() on timer->timer.
If the label was created first by revision 1 with XT_IDLETIMER_ALARM,
the object uses alarm timer semantics and timer->timer is never initialized.
Reusing that object from revision 0 causes mod_timer() on an uninitialized
timer_list, triggering debugobjects warnings and possible panic when
panic_on_warn=1.
Fix this by rejecting revision 0 rule insertion when an existing timer with
the same label is of ALARM type.
Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target")
Co-developed-by: Yifan Wu <yifanwucs@gmail.com>
Signed-off-by: Yifan Wu <yifanwucs@gmail.com>
Co-developed-by: Juefei Pu <tomapufckgml@gmail.com>
Signed-off-by: Juefei Pu <tomapufckgml@gmail.com>
Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
Signed-off-by: Xin Liu <dstsmallbird@foxmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_IDLETIMER.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index d73957592c9d9..bb7af92ac82a4 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -318,6 +318,12 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par)
info->timer = __idletimer_tg_find_by_label(info->label);
if (info->timer) {
+ if (info->timer->timer_type & XT_IDLETIMER_ALARM) {
+ pr_debug("Adding/Replacing rule with same label and different timer type is not allowed\n");
+ mutex_unlock(&list_mutex);
+ return -EINVAL;
+ }
+
info->timer->refcnt++;
mod_timer(&info->timer->timer,
secs_to_jiffies(info->timeout) + jiffies);
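Review bot: the new rejection in the `if (info->timer)` branch reports its reason only through `pr_debug()`, so a rule insertion that fails with `-EINVAL` here leaves nothing in the log unless dynamic debug is enabled; a rate-limited message at a visible level would make the failure diagnosable. The inline `mutex_unlock(&list_mutex); return -EINVAL;` also adds one more exit that has to stay in step with the function's other unlock paths, so a shared unlock label is less fragile if the function already has one.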
--
2.51.0
* [PATCH 6.19 081/378] perf annotate: Fix hashmap__new() error checking
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 080/378] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 082/378] regulator: pca9450: Correct interrupt type Greg Kroah-Hartman
` (303 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Chen Ni, Adrian Hunter,
Alexander Shishkin, Ingo Molnar, James Clark, Jiri Olsa,
Mark Rutland, Namhyung Kim, Peter Zijlstra, Tianyou Li,
Arnaldo Carvalho de Melo, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit bf29cb3641b80bac759c3332b02e0b270e16bf94 ]
The hashmap__new() function never returns NULL, it returns error
pointers. Fix the error checking to match.
Additionally, set src->samples to NULL to prevent any later code from
accidentally using the error pointer.
Fixes: d3e7cad6f36d9e80 ("perf annotate: Add a hashmap for symbol histogram")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Tianyou Li <tianyou.li@intel.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/annotate.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
index 791d60f97c23e..df7b7e70c19fe 100644
--- a/tools/perf/util/annotate.c
+++ b/tools/perf/util/annotate.c
@@ -44,6 +44,7 @@
#include "strbuf.h"
#include <regex.h>
#include <linux/bitops.h>
+#include <linux/err.h>
#include <linux/kernel.h>
#include <linux/string.h>
#include <linux/zalloc.h>
@@ -137,8 +138,10 @@ static int annotated_source__alloc_histograms(struct annotated_source *src,
return -1;
src->samples = hashmap__new(sym_hist_hash, sym_hist_equal, NULL);
- if (src->samples == NULL)
+ if (IS_ERR(src->samples)) {
zfree(&src->histograms);
+ src->samples = NULL;
+ }
return src->histograms ? 0 : -1;
}
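Review bot: after `IS_ERR(src->samples)` the error code is thrown away: the branch frees `src->histograms`, and the final `return src->histograms ? 0 : -1;` turns every failure into `-1`. If callers can use the real cause, capture `PTR_ERR(src->samples)` before resetting the pointer to NULL and return it. The failure return also depends implicitly on `zfree()` having cleared `src->histograms`, which deserves a comment or an explicit return in the error branch.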
--
2.51.0
* [PATCH 6.19 082/378] regulator: pca9450: Correct interrupt type
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 081/378] perf annotate: Fix hashmap__new() error checking Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 083/378] regulator: pca9450: Correct probed name for PCA9452 Greg Kroah-Hartman
` (302 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 5d0efaf47ee90ac60efae790acee3a3ed99ebf80 ]
Kernel warning on i.MX8MP-EVK when doing module test:
irq: type mismatch, failed to map hwirq-3 for gpio@30200000!
Per PCA945[X] specification: The IRQ_B pin is pulled low when any unmasked
interrupt bit status is changed and it is released high once application
processor read INT1 register.
So the interrupt should be configured as IRQF_TRIGGER_LOW, not
IRQF_TRIGGER_FALLING.
Fixes: 0935ff5f1f0a4 ("regulator: pca9450: add pca9450 pmic driver")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260310-pca9450-irq-v1-1-36adf52c2c55@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/pca9450-regulator.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c
index 5fa8682642505..2205f6de37e7d 100644
--- a/drivers/regulator/pca9450-regulator.c
+++ b/drivers/regulator/pca9450-regulator.c
@@ -1369,7 +1369,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c)
if (pca9450->irq) {
ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL,
pca9450_irq_handler,
- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT),
+ (IRQF_TRIGGER_LOW | IRQF_ONESHOT),
"pca9450-irq", pca9450);
if (ret != 0)
return dev_err_probe(pca9450->dev, ret, "Failed to request IRQ: %d\n",
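Review bot: with `IRQF_TRIGGER_LOW` the line stays asserted until the INT1 register is read, so `pca9450_irq_handler` has to read INT1 on every path, error paths included, or the interrupt fires again as soon as `IRQF_ONESHOT` unmasks it. Please confirm that against the handler. A trigger type passed in the request flags also takes precedence over the type set up when the interrupt was mapped, so the value here has to agree with what the board description declares; a comment citing the IRQ_B behaviour from the commit message would record why level-low is the right choice.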
--
2.51.0
* [PATCH 6.19 083/378] regulator: pca9450: Correct probed name for PCA9452
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 082/378] regulator: pca9450: Correct interrupt type Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 084/378] perf ftrace: Fix hashmap__new() error checking Greg Kroah-Hartman
` (301 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 21b3fb7dc19caa488d285e3c47999f7f1a179334 ]
An incorrect device name was logged for PCA9452 because the dev_info()
ternary omitted PCA9452 and fell through to "pca9450bc". Introduce a
type_name and set it per device type so the probed message matches the
actual PMIC. While here, make the PCA9451A case explicit.
No functional changes.
Fixes: 017b76fb8e5b6 ("regulator: pca9450: Add PMIC pca9452 support")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260310-pca9450-irq-v1-2-36adf52c2c55@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/pca9450-regulator.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c
index 2205f6de37e7d..45d7dc44c2cd0 100644
--- a/drivers/regulator/pca9450-regulator.c
+++ b/drivers/regulator/pca9450-regulator.c
@@ -1293,6 +1293,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c)
struct regulator_dev *ldo5;
struct pca9450 *pca9450;
unsigned int device_id, i;
+ const char *type_name;
int ret;
pca9450 = devm_kzalloc(&i2c->dev, sizeof(struct pca9450), GFP_KERNEL);
@@ -1303,15 +1304,22 @@ static int pca9450_i2c_probe(struct i2c_client *i2c)
case PCA9450_TYPE_PCA9450A:
regulator_desc = pca9450a_regulators;
pca9450->rcnt = ARRAY_SIZE(pca9450a_regulators);
+ type_name = "pca9450a";
break;
case PCA9450_TYPE_PCA9450BC:
regulator_desc = pca9450bc_regulators;
pca9450->rcnt = ARRAY_SIZE(pca9450bc_regulators);
+ type_name = "pca9450bc";
break;
case PCA9450_TYPE_PCA9451A:
+ regulator_desc = pca9451a_regulators;
+ pca9450->rcnt = ARRAY_SIZE(pca9451a_regulators);
+ type_name = "pca9451a";
+ break;
case PCA9450_TYPE_PCA9452:
regulator_desc = pca9451a_regulators;
pca9450->rcnt = ARRAY_SIZE(pca9451a_regulators);
+ type_name = "pca9452";
break;
default:
dev_err(&i2c->dev, "Unknown device type");
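Review bot: `type_name` is declared without an initializer and assigned only inside the four `case` arms, so its use in the final `dev_info()` is safe only as long as the `default:` arm leaves the function. Initializing it at the declaration would remove that dependency. The `PCA9450_TYPE_PCA9451A` and `PCA9450_TYPE_PCA9452` arms now also repeat the same two `pca9451a_regulators` assignments; a small name lookup keyed by type would avoid the duplication.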
@@ -1413,9 +1421,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c)
pca9450_i2c_restart_handler, pca9450))
dev_warn(&i2c->dev, "Failed to register restart handler\n");
- dev_info(&i2c->dev, "%s probed.\n",
- type == PCA9450_TYPE_PCA9450A ? "pca9450a" :
- (type == PCA9450_TYPE_PCA9451A ? "pca9451a" : "pca9450bc"));
+ dev_info(&i2c->dev, "%s probed.\n", type_name);
return 0;
}
--
2.51.0
* [PATCH 6.19 084/378] perf ftrace: Fix hashmap__new() error checking
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 083/378] regulator: pca9450: Correct probed name for PCA9452 Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 085/378] sched: idle: Make skipping governor callbacks more consistent Greg Kroah-Hartman
` (300 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Chen Ni, Adrian Hunter,
Alexander Shishkin, Ingo Molnar, James Clark, Jiri Olsa,
Mark Rutland, Namhyung Kim, Peter Zijlstra,
Arnaldo Carvalho de Melo, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit be34705aa527872e5ce83927b7bc9307ba8095ca ]
The hashmap__new() function never returns NULL, it returns error
pointers. Fix the error checking to match.
Additionally, set ftrace->profile_hash to NULL on error, and return the
exact error code from hashmap__new().
Fixes: 0f223813edd051a5 ("perf ftrace: Add 'profile' command")
Suggested-by: Ian Rogers <irogers@google.com>
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-ftrace.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c
index 6b6eec65f93f5..4cc33452d79b6 100644
--- a/tools/perf/builtin-ftrace.c
+++ b/tools/perf/builtin-ftrace.c
@@ -18,6 +18,7 @@
#include <poll.h>
#include <ctype.h>
#include <linux/capability.h>
+#include <linux/err.h>
#include <linux/string.h>
#include <sys/stat.h>
@@ -1209,8 +1210,12 @@ static int prepare_func_profile(struct perf_ftrace *ftrace)
ftrace->graph_verbose = 0;
ftrace->profile_hash = hashmap__new(profile_hash, profile_equal, NULL);
- if (ftrace->profile_hash == NULL)
- return -ENOMEM;
+ if (IS_ERR(ftrace->profile_hash)) {
+ int err = PTR_ERR(ftrace->profile_hash);
+
+ ftrace->profile_hash = NULL;
+ return err;
+ }
return 0;
}
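Review bot: in the `IS_ERR()` branch, callers that previously only ever saw `-ENOMEM` from this allocation can now receive whatever code `hashmap__new()` encodes in the error pointer. Confirm that the callers of `prepare_func_profile()` only test for a negative value and do not compare against `-ENOMEM`.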
--
2.51.0
* [PATCH 6.19 085/378] sched: idle: Make skipping governor callbacks more consistent
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 084/378] perf ftrace: Fix hashmap__new() error checking Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 086/378] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set Greg Kroah-Hartman
` (299 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Christian Loehle,
Aboorva Devarajan, Frederic Weisbecker, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit d557640e4ce589a24dca5ca7ce3b9680f471325f ]
If the cpuidle governor .select() callback is skipped because there
is only one idle state in the cpuidle driver, the .reflect() callback
should be skipped as well, at least for consistency (if not for
correctness), so do it.
Fixes: e5c9ffc6ae1b ("cpuidle: Skip governor when only one idle state is available")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Christian Loehle <christian.loehle@arm.com>
Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Link: https://patch.msgid.link/12857700.O9o76ZdvQC@rafael.j.wysocki
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpuidle/cpuidle.c | 10 ----------
kernel/sched/idle.c | 11 ++++++++++-
2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c
index 65fbb8e807b97..c7876e9e024f9 100644
--- a/drivers/cpuidle/cpuidle.c
+++ b/drivers/cpuidle/cpuidle.c
@@ -359,16 +359,6 @@ noinstr int cpuidle_enter_state(struct cpuidle_device *dev,
int cpuidle_select(struct cpuidle_driver *drv, struct cpuidle_device *dev,
bool *stop_tick)
{
- /*
- * If there is only a single idle state (or none), there is nothing
- * meaningful for the governor to choose. Skip the governor and
- * always use state 0 with the tick running.
- */
- if (drv->state_count <= 1) {
- *stop_tick = false;
- return 0;
- }
-
return cpuidle_curr_governor->select(drv, dev, stop_tick);
}
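Review bot: removing the `drv->state_count <= 1` guard from `cpuidle_select()` means every caller now reaches `cpuidle_curr_governor->select()` unconditionally, so the guarantee moves to the call site in kernel/sched/idle.c. Confirm that there is no other caller of `cpuidle_select()`, and consider a kernel-doc line on the function saying that callers must handle the single-state case themselves.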
diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c
index abf8f15d60c9e..69c70d509e1cf 100644
--- a/kernel/sched/idle.c
+++ b/kernel/sched/idle.c
@@ -221,7 +221,7 @@ static void cpuidle_idle_call(void)
next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns);
call_cpuidle(drv, dev, next_state);
- } else {
+ } else if (drv->state_count > 1) {
bool stop_tick = true;
/*
@@ -239,6 +239,15 @@ static void cpuidle_idle_call(void)
* Give the governor an opportunity to reflect on the outcome
*/
cpuidle_reflect(dev, entered_state);
+ } else {
+ tick_nohz_idle_retain_tick();
+
+ /*
+ * If there is only a single idle state (or none), there is
+ * nothing meaningful for the governor to choose. Skip the
+ * governor and always use state 0.
+ */
+ call_cpuidle(drv, dev, 0);
}
exit_idle:
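Review bot: in the new final `else` branch the explanatory comment sits between `tick_nohz_idle_retain_tick()` and `call_cpuidle(drv, dev, 0)`, and it no longer mentions the tick, although the comment removed from cpuidle_select() said the state is used "with the tick running". Move the comment to the top of the branch and state there that the tick is retained. The return value of `call_cpuidle()` is also dropped in this branch, which is consistent with skipping reflect but worth saying in the comment.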
--
2.51.0
* [PATCH 6.19 086/378] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 085/378] sched: idle: Make skipping governor callbacks more consistent Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 087/378] nvme-pci: Fix race bug in nvme_poll_irqdisable() Greg Kroah-Hartman
` (298 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Shi, Weidong Zhu, Dave Tian,
Sungwoo Kim, Keith Busch, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sungwoo Kim <iam@sung-woo.kim>
[ Upstream commit b4e78f1427c7d6859229ae9616df54e1fc05a516 ]
dev->online_queues is a count incremented in nvme_init_queue. Thus,
valid indices are 0 through dev->online_queues − 1.
This patch fixes the loop condition to ensure the index stays within the
valid range. Index 0 is excluded because it is the admin queue.
KASAN splat:
==================================================================
BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]
BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404
Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74
CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: nvme-reset-wq nvme_reset_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xce/0x5d0 mm/kasan/report.c:482
kasan_report+0xdc/0x110 mm/kasan/report.c:595
__asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379
nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]
nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404
nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Allocated by task 34 on cpu 1 at 4.241550s:
kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57
kasan_save_track+0x1c/0x70 mm/kasan/common.c:78
kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__do_kmalloc_node mm/slub.c:5657 [inline]
__kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663
kmalloc_array_node_noprof include/linux/slab.h:1075 [inline]
nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline]
nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534
local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324
pci_call_probe drivers/pci/pci-driver.c:392 [inline]
__pci_device_probe drivers/pci/pci-driver.c:417 [inline]
pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451
call_driver_probe drivers/base/dd.c:583 [inline]
really_probe+0x29b/0xb70 drivers/base/dd.c:661
__driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803
driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833
__driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159
async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
The buggy address belongs to the object at ffff88800592a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 244 bytes to the right of
allocated 1152-byte region [ffff88800592a000, ffff88800592a480)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff)
page_type: f5(slab)
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88800592a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88800592a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88800592a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88800592a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88800592a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Fixes: 0f0d2c876c96 (nvme: free sq/cq dbbuf pointers when dbbuf set fails)
Acked-by: Chao Shi <cshi008@fiu.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Acked-by: Dave Tian <daveti@purdue.edu>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index d86f2565a92ca..ca86f85968708 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -400,7 +400,7 @@ static void nvme_dbbuf_set(struct nvme_dev *dev)
/* Free memory and continue on */
nvme_dbbuf_dma_free(dev);
- for (i = 1; i <= dev->online_queues; i++)
+ for (i = 1; i < dev->online_queues; i++)
nvme_dbbuf_free(&dev->queues[i]);
}
}
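Review bot: the loop bound is the whole fix, so the `for` line should carry a comment that `dev->online_queues` is a count and that index 0 is the admin queue, which is why the walk runs from 1 to `online_queues - 1`. It is also worth checking the other loops over `dev->queues[]` in this file for the same `<=` bound.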
--
2.51.0
* [PATCH 6.19 087/378] nvme-pci: Fix race bug in nvme_poll_irqdisable()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 086/378] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 088/378] drivers: net: ice: fix devlink parameters get without irdma Greg Kroah-Hartman
` (297 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Shi, Weidong Zhu, Dave Tian,
Christoph Hellwig, Sungwoo Kim, Keith Busch, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sungwoo Kim <iam@sung-woo.kim>
[ Upstream commit fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e ]
In the following scenario, pdev can be disabled between (1) and (3) by
(2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will
return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2).
This causes IRQ warning because it tries to enable INTx IRQ that has
never been disabled before.
To fix this, save IRQ number into a local variable and ensure
disable_irq() and enable_irq() operate on the same IRQ number. Even if
pci_free_irq_vectors() frees the IRQ concurrently, disable_irq() and
enable_irq() on a stale IRQ number is still valid and safe, and the
depth accounting remains balanced.
task 1:
nvme_poll_irqdisable()
disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1)
enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(3)
task 2:
nvme_reset_work()
nvme_dev_disable()
pdev->msix_enable = 0; ...(2)
crash log:
------------[ cut here ]------------
Unbalanced enable for IRQ 10
WARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26
Modules linked in:
CPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_timeout_work
RIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753
Call Trace:
<TASK>
enable_irq+0x121/0x1e0 kernel/irq/manage.c:797
nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494
nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744
blk_mq_rq_timed_out block/blk-mq.c:1653 [inline]
blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721
bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292
__sbitmap_for_each_set include/linux/sbitmap.h:269 [inline]
sbitmap_for_each_set include/linux/sbitmap.h:290 [inline]
bt_for_each block/blk-mq-tag.c:324 [inline]
blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536
blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
---[ end trace 0000000000000000 ]---
Fixes: fa059b856a59 (nvme-pci: Simplify nvme_poll_irqdisable)
Acked-by: Chao Shi <cshi008@fiu.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Acked-by: Dave Tian <daveti@purdue.edu>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index ca86f85968708..3c83076a57e57 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1484,14 +1484,16 @@ static irqreturn_t nvme_irq_check(int irq, void *data)
static void nvme_poll_irqdisable(struct nvme_queue *nvmeq)
{
struct pci_dev *pdev = to_pci_dev(nvmeq->dev->dev);
+ int irq;
WARN_ON_ONCE(test_bit(NVMEQ_POLLED, &nvmeq->flags));
- disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));
+ irq = pci_irq_vector(pdev, nvmeq->cq_vector);
+ disable_irq(irq);
spin_lock(&nvmeq->cq_poll_lock);
nvme_poll_cq(nvmeq, NULL);
spin_unlock(&nvmeq->cq_poll_lock);
- enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));
+ enable_irq(irq);
}
static int nvme_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob)
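Review bot: the new `irq` local in nvme_poll_irqdisable() carries no comment saying why pci_irq_vector() must be evaluated only once, and the Fixes: tag shows the double lookup came from a commit titled as a simplification. A one-line comment above `irq = pci_irq_vector(pdev, nvmeq->cq_vector);` stating that enable_irq() has to act on the same IRQ number that disable_irq() was given would keep a later cleanup from folding the call back into both sites.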
--
2.51.0
* [PATCH 6.19 088/378] drivers: net: ice: fix devlink parameters get without irdma
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 087/378] nvme-pci: Fix race bug in nvme_poll_irqdisable() Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 089/378] iavf: fix PTP use-after-free during reset Greg Kroah-Hartman
` (296 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, Tony Nguyen,
Sasha Levin, Rinitha S
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Aleksandrov <nikolay@nvidia.com>
[ Upstream commit bd98c6204d1195973b1760fe45860863deb6200c ]
If CONFIG_IRDMA isn't enabled but there are ice NICs in the system, the
driver will prevent full devlink dev param show dump because its rdma get
callbacks return ENODEV and stop the dump. For example:
$ devlink dev param show
pci/0000:82:00.0:
name msix_vec_per_pf_max type generic
values:
cmode driverinit value 2
name msix_vec_per_pf_min type generic
values:
cmode driverinit value 2
kernel answers: No such device
Returning EOPNOTSUPP allows the dump to continue so we can see all devices'
devlink parameters.
Fixes: c24a65b6a27c ("iidc/ice/irdma: Update IDC to support multiple consumers")
Signed-off-by: Nikolay Aleksandrov <nikolay@nvidia.com>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/devlink/devlink.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/devlink/devlink.c b/drivers/net/ethernet/intel/ice/devlink/devlink.c
index 2ef39cc70c21d..7de749d3f0479 100644
--- a/drivers/net/ethernet/intel/ice/devlink/devlink.c
+++ b/drivers/net/ethernet/intel/ice/devlink/devlink.c
@@ -1360,7 +1360,7 @@ ice_devlink_enable_roce_get(struct devlink *devlink, u32 id,
cdev = pf->cdev_info;
if (!cdev)
- return -ENODEV;
+ return -EOPNOTSUPP;
ctx->val.vbool = !!(cdev->rdma_protocol & IIDC_RDMA_PROTOCOL_ROCEV2);
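Review bot: the `if (!cdev)` branch in ice_devlink_enable_roce_get() now depends on the errno value to keep a devlink param dump going, but nothing at the return site says so. A short comment on `return -EOPNOTSUPP;` noting that -ENODEV stops `devlink dev param show` for every device, as the commit message describes, would document the choice; the same applies to ice_devlink_enable_iw_get() in the next hunk.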
@@ -1427,7 +1427,7 @@ ice_devlink_enable_iw_get(struct devlink *devlink, u32 id,
cdev = pf->cdev_info;
if (!cdev)
- return -ENODEV;
+ return -EOPNOTSUPP;
ctx->val.vbool = !!(cdev->rdma_protocol & IIDC_RDMA_PROTOCOL_IWARP);
--
2.51.0
* [PATCH 6.19 089/378] iavf: fix PTP use-after-free during reset
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 088/378] drivers: net: ice: fix devlink parameters get without irdma Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 090/378] iavf: fix incorrect reset handling in callbacks Greg Kroah-Hartman
` (295 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Ivan Vecera, Jacob Keller,
Vadim Fedorenko, Paul Menzel, Aleksandr Loktionov, Tony Nguyen,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit efc54fb13d79117a825fef17364315a58682c7ec ]
Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a
worker to cache PHC time, but failed to stop it during reset or disable.
This creates a race condition where `iavf_reset_task()` or
`iavf_disable_vf()` free adapter resources (AQ) while the worker is still
running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it
accesses freed memory/locks, leading to a crash.
Fix this by calling `iavf_ptp_release()` before tearing down the adapter.
This ensures `ptp_clock_unregister()` synchronously cancels the worker and
cleans up the chardev before the backing resources are destroyed.
Fixes: 7c01dbfc8a1c5f ("iavf: periodically cache PHC time")
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Ivan Vecera <ivecera@redhat.com>
Acked-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
index 53a0366fbf998..3625c70bc3292 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
@@ -3040,6 +3040,8 @@ static void iavf_disable_vf(struct iavf_adapter *adapter)
adapter->flags |= IAVF_FLAG_PF_COMMS_FAILED;
+ iavf_ptp_release(adapter);
+
/* We don't use netif_running() because it may be true prior to
* ndo_open() returning, so we can't assume it means all our open
* tasks have finished, since we're not holding the rtnl_lock here.
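Review bot: iavf_ptp_release() is added to iavf_disable_vf() here and to iavf_reset_task() in the next hunk, and the reset_err path of the reset code (visible in patch 090 of this series) ends in iavf_disable_vf(), so a failed reset would call the release twice in one pass. Please confirm in the commit message, or in a comment at this call, that iavf_ptp_release() is safe to call when PTP has already been released.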
@@ -3215,6 +3217,8 @@ static void iavf_reset_task(struct work_struct *work)
iavf_change_state(adapter, __IAVF_RESETTING);
adapter->flags &= ~IAVF_FLAG_RESET_PENDING;
+ iavf_ptp_release(adapter);
+
/* free the Tx/Rx rings and descriptors, might be better to just
* re-use them sometime in the future
*/
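Review bot: the reset path in iavf_reset_task() now releases PTP before the rings are freed, but the hunk shows no matching re-initialisation once the reset succeeds. State in the commit message where the PTP clock is registered again after a successful reset, so reviewers can check that the VF does not lose its PHC after the first reset.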
--
2.51.0
* [PATCH 6.19 090/378] iavf: fix incorrect reset handling in callbacks
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 089/378] iavf: fix PTP use-after-free during reset Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 091/378] accel/amdxdna: Fix runtime suspend deadlock when there is pending job Greg Kroah-Hartman
` (294 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacob Keller, Petr Oros,
Przemek Kitszel, Rafal Romanowski, Tony Nguyen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit fdadbf6e84c44df8dbb85cfdd38bc10e4431501d ]
Three driver callbacks schedule a reset and wait for its completion:
ndo_change_mtu(), ethtool set_ringparam(), and ethtool set_channels().
Waiting for reset in ndo_change_mtu() and set_ringparam() was added by
commit c2ed2403f12c ("iavf: Wait for reset in callbacks which trigger
it") to fix a race condition where adding an interface to bonding
immediately after MTU or ring parameter change failed because the
interface was still in __RESETTING state. The same commit also added
waiting in iavf_set_priv_flags(), which was later removed by commit
53844673d555 ("iavf: kill "legacy-rx" for good").
Waiting in set_channels() was introduced earlier by commit 4e5e6b5d9d13
("iavf: Fix return of set the new channel count") to ensure the PF has
enough time to complete the VF reset when changing channel count, and to
return correct error codes to userspace.
Commit ef490bbb2267 ("iavf: Add net_shaper_ops support") added
net_shaper_ops to iavf, which required reset_task to use _locked NAPI
variants (napi_enable_locked, napi_disable_locked) that need the netdev
instance lock.
Later, commit 7e4d784f5810 ("net: hold netdev instance lock during
rtnetlink operations") and commit 2bcf4772e45a ("net: ethtool: try to
protect all callback with netdev instance lock") started holding the
netdev instance lock during ndo and ethtool callbacks for drivers with
net_shaper_ops.
Finally, commit 120f28a6f314 ("iavf: get rid of the crit lock")
replaced the driver's crit_lock with netdev_lock in reset_task, causing
incorrect behavior: the callback holds netdev_lock and waits for
reset_task, but reset_task needs the same lock:
Thread 1 (callback)               Thread 2 (reset_task)
-------------------               ---------------------
netdev_lock()                     [blocked on workqueue]
ndo_change_mtu() or ethtool op
iavf_schedule_reset()
iavf_wait_for_reset()             iavf_reset_task()
waiting...                        netdev_lock() <- blocked
This does not strictly deadlock because iavf_wait_for_reset() uses
wait_event_interruptible_timeout() with a 5-second timeout. The wait
eventually times out, the callback returns an error to userspace, and
after the lock is released reset_task completes the reset. This leads to
incorrect behavior: userspace sees an error even though the configuration
change silently takes effect after the timeout.
Fix this by extracting the reset logic from iavf_reset_task() into a new
iavf_reset_step() function that expects netdev_lock to be already held.
The three callbacks now call iavf_reset_step() directly instead of
scheduling the work and waiting, performing the reset synchronously in
the caller's context which already holds netdev_lock. This eliminates
both the incorrect error reporting and the need for
iavf_wait_for_reset(), which is removed along with the now-unused
reset_waitqueue.
The workqueue-based iavf_reset_task() becomes a thin wrapper that
acquires netdev_lock and calls iavf_reset_step(), preserving its use
for PF-initiated resets.
The callbacks may block for several seconds while iavf_reset_step()
polls hardware registers, but this is acceptable since netdev_lock is a
per-device mutex and only serializes operations on the same interface.
v3:
- Remove netif_running() guard from iavf_set_channels(). Unlike
set_ringparam where descriptor counts are picked up by iavf_open()
directly, num_req_queues is only consumed during
iavf_reinit_interrupt_scheme() in the reset path. Skipping the reset
on a down device would silently discard the channel count change.
- Remove dead reset_waitqueue code (struct field, init, and all
wake_up calls) since iavf_wait_for_reset() was the only consumer.
Fixes: 120f28a6f314 ("iavf: get rid of the crit lock")
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf.h | 3 +-
.../net/ethernet/intel/iavf/iavf_ethtool.c | 19 ++---
drivers/net/ethernet/intel/iavf/iavf_main.c | 77 ++++++-------------
.../net/ethernet/intel/iavf/iavf_virtchnl.c | 1 -
4 files changed, 31 insertions(+), 69 deletions(-)
diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
index a87e0c6d4017a..e9fb0a0919e37 100644
--- a/drivers/net/ethernet/intel/iavf/iavf.h
+++ b/drivers/net/ethernet/intel/iavf/iavf.h
@@ -260,7 +260,6 @@ struct iavf_adapter {
struct work_struct adminq_task;
struct work_struct finish_config;
wait_queue_head_t down_waitqueue;
- wait_queue_head_t reset_waitqueue;
wait_queue_head_t vc_waitqueue;
struct iavf_q_vector *q_vectors;
struct list_head vlan_filter_list;
@@ -626,5 +625,5 @@ void iavf_add_adv_rss_cfg(struct iavf_adapter *adapter);
void iavf_del_adv_rss_cfg(struct iavf_adapter *adapter);
struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter,
const u8 *macaddr);
-int iavf_wait_for_reset(struct iavf_adapter *adapter);
+void iavf_reset_step(struct iavf_adapter *adapter);
#endif /* _IAVF_H_ */
diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
index 2cc21289a7077..6ff3842a1ff1f 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
@@ -492,7 +492,6 @@ static int iavf_set_ringparam(struct net_device *netdev,
{
struct iavf_adapter *adapter = netdev_priv(netdev);
u32 new_rx_count, new_tx_count;
- int ret = 0;
if ((ring->rx_mini_pending) || (ring->rx_jumbo_pending))
return -EINVAL;
@@ -537,13 +536,11 @@ static int iavf_set_ringparam(struct net_device *netdev,
}
if (netif_running(netdev)) {
- iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED);
- ret = iavf_wait_for_reset(adapter);
- if (ret)
- netdev_warn(netdev, "Changing ring parameters timeout or interrupted waiting for reset");
+ adapter->flags |= IAVF_FLAG_RESET_NEEDED;
+ iavf_reset_step(adapter);
}
- return ret;
+ return 0;
}
/**
@@ -1723,7 +1720,6 @@ static int iavf_set_channels(struct net_device *netdev,
{
struct iavf_adapter *adapter = netdev_priv(netdev);
u32 num_req = ch->combined_count;
- int ret = 0;
if ((adapter->vf_res->vf_cap_flags & VIRTCHNL_VF_OFFLOAD_ADQ) &&
adapter->num_tc) {
@@ -1745,13 +1741,10 @@ static int iavf_set_channels(struct net_device *netdev,
adapter->num_req_queues = num_req;
adapter->flags |= IAVF_FLAG_REINIT_ITR_NEEDED;
- iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED);
+ adapter->flags |= IAVF_FLAG_RESET_NEEDED;
+ iavf_reset_step(adapter);
- ret = iavf_wait_for_reset(adapter);
- if (ret)
- netdev_warn(netdev, "Changing channel count timeout or interrupted waiting for reset");
-
- return ret;
+ return 0;
}
/**
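Review bot: iavf_set_channels() now ends in an unconditional `return 0;`, and iavf_reset_step() is declared void, so a reset that fails inside the step is never reported to the ethtool caller. The commit message notes that the wait here was originally added to return correct error codes to userspace; consider having iavf_reset_step() return an int and propagating it from this callback, iavf_set_ringparam() and iavf_change_mtu().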
diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
index 3625c70bc3292..03ab2a4276bbf 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
@@ -185,31 +185,6 @@ static bool iavf_is_reset_in_progress(struct iavf_adapter *adapter)
return false;
}
-/**
- * iavf_wait_for_reset - Wait for reset to finish.
- * @adapter: board private structure
- *
- * Returns 0 if reset finished successfully, negative on timeout or interrupt.
- */
-int iavf_wait_for_reset(struct iavf_adapter *adapter)
-{
- int ret = wait_event_interruptible_timeout(adapter->reset_waitqueue,
- !iavf_is_reset_in_progress(adapter),
- msecs_to_jiffies(5000));
-
- /* If ret < 0 then it means wait was interrupted.
- * If ret == 0 then it means we got a timeout while waiting
- * for reset to finish.
- * If ret > 0 it means reset has finished.
- */
- if (ret > 0)
- return 0;
- else if (ret < 0)
- return -EINTR;
- else
- return -EBUSY;
-}
-
/**
* iavf_allocate_dma_mem_d - OS specific memory alloc for shared code
* @hw: pointer to the HW structure
@@ -3117,18 +3092,16 @@ static void iavf_reconfig_qs_bw(struct iavf_adapter *adapter)
}
/**
- * iavf_reset_task - Call-back task to handle hardware reset
- * @work: pointer to work_struct
+ * iavf_reset_step - Perform the VF reset sequence
+ * @adapter: board private structure
*
- * During reset we need to shut down and reinitialize the admin queue
- * before we can use it to communicate with the PF again. We also clear
- * and reinit the rings because that context is lost as well.
- **/
-static void iavf_reset_task(struct work_struct *work)
+ * Requests a reset from PF, polls for completion, and reconfigures
+ * the driver. Caller must hold the netdev instance lock.
+ *
+ * This can sleep for several seconds while polling HW registers.
+ */
+void iavf_reset_step(struct iavf_adapter *adapter)
{
- struct iavf_adapter *adapter = container_of(work,
- struct iavf_adapter,
- reset_task);
struct virtchnl_vf_resource *vfres = adapter->vf_res;
struct net_device *netdev = adapter->netdev;
struct iavf_hw *hw = &adapter->hw;
@@ -3139,7 +3112,7 @@ static void iavf_reset_task(struct work_struct *work)
int i = 0, err;
bool running;
- netdev_lock(netdev);
+ netdev_assert_locked(netdev);
iavf_misc_irq_disable(adapter);
if (adapter->flags & IAVF_FLAG_RESET_NEEDED) {
@@ -3184,7 +3157,6 @@ static void iavf_reset_task(struct work_struct *work)
dev_err(&adapter->pdev->dev, "Reset never finished (%x)\n",
reg_val);
iavf_disable_vf(adapter);
- netdev_unlock(netdev);
return; /* Do not attempt to reinit. It's dead, Jim. */
}
@@ -3196,7 +3168,6 @@ static void iavf_reset_task(struct work_struct *work)
iavf_startup(adapter);
queue_delayed_work(adapter->wq, &adapter->watchdog_task,
msecs_to_jiffies(30));
- netdev_unlock(netdev);
return;
}
@@ -3339,9 +3310,6 @@ static void iavf_reset_task(struct work_struct *work)
adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED;
- wake_up(&adapter->reset_waitqueue);
- netdev_unlock(netdev);
-
return;
reset_err:
if (running) {
@@ -3350,10 +3318,21 @@ static void iavf_reset_task(struct work_struct *work)
}
iavf_disable_vf(adapter);
- netdev_unlock(netdev);
dev_err(&adapter->pdev->dev, "failed to allocate resources during reinit\n");
}
+static void iavf_reset_task(struct work_struct *work)
+{
+ struct iavf_adapter *adapter = container_of(work,
+ struct iavf_adapter,
+ reset_task);
+ struct net_device *netdev = adapter->netdev;
+
+ netdev_lock(netdev);
+ iavf_reset_step(adapter);
+ netdev_unlock(netdev);
+}
+
/**
* iavf_adminq_task - worker thread to clean the admin queue
* @work: pointer to work_struct containing our data
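Review bot: the re-added iavf_reset_task() has no kernel-doc, while the block that used to describe it was rewritten for iavf_reset_step(). A short comment on the wrapper saying that it is the workqueue entry point and that it takes netdev_lock itself would make the locking split between the two functions explicit.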
@@ -4619,22 +4598,17 @@ static int iavf_close(struct net_device *netdev)
static int iavf_change_mtu(struct net_device *netdev, int new_mtu)
{
struct iavf_adapter *adapter = netdev_priv(netdev);
- int ret = 0;
netdev_dbg(netdev, "changing MTU from %d to %d\n",
netdev->mtu, new_mtu);
WRITE_ONCE(netdev->mtu, new_mtu);
if (netif_running(netdev)) {
- iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED);
- ret = iavf_wait_for_reset(adapter);
- if (ret < 0)
- netdev_warn(netdev, "MTU change interrupted waiting for reset");
- else if (ret)
- netdev_warn(netdev, "MTU change timed out waiting for reset");
+ adapter->flags |= IAVF_FLAG_RESET_NEEDED;
+ iavf_reset_step(adapter);
}
- return ret;
+ return 0;
}
/**
@@ -5439,9 +5413,6 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
/* Setup the wait queue for indicating transition to down status */
init_waitqueue_head(&adapter->down_waitqueue);
- /* Setup the wait queue for indicating transition to running state */
- init_waitqueue_head(&adapter->reset_waitqueue);
-
/* Setup the wait queue for indicating virtchannel events */
init_waitqueue_head(&adapter->vc_waitqueue);
diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index 88156082a41da..a52c100dcbc56 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -2736,7 +2736,6 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
case VIRTCHNL_OP_ENABLE_QUEUES:
/* enable transmits */
iavf_irq_enable(adapter, true);
- wake_up(&adapter->reset_waitqueue);
adapter->flags &= ~IAVF_FLAG_QUEUES_DISABLED;
break;
case VIRTCHNL_OP_DISABLE_QUEUES:
--
2.51.0
* [PATCH 6.19 091/378] accel/amdxdna: Fix runtime suspend deadlock when there is pending job
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 090/378] iavf: fix incorrect reset handling in callbacks Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 092/378] ASoC: codecs: rt1011: Use component to get the dapm context in spk_mode_put Greg Kroah-Hartman
` (293 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello (AMD), Lizhi Hou,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lizhi Hou <lizhi.hou@amd.com>
[ Upstream commit 6b13cb8f48a42ddf6dd98865b673a82e37ff238b ]
The runtime suspend callback drains the running job workqueue before
suspending the device. If a job is still executing and calls
pm_runtime_resume_and_get(), it can deadlock with the runtime suspend
path.
Fix this by moving pm_runtime_resume_and_get() from the job execution
routine to the job submission routine, ensuring the device is resumed
before the job is queued and avoiding the deadlock during runtime
suspend.
Fixes: 063db451832b ("accel/amdxdna: Enhance runtime power management")
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Link: https://patch.msgid.link/20260310180058.336348-1-lizhi.hou@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/accel/amdxdna/aie2_ctx.c | 14 ++------------
drivers/accel/amdxdna/amdxdna_ctx.c | 10 ++++++++++
2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/drivers/accel/amdxdna/aie2_ctx.c b/drivers/accel/amdxdna/aie2_ctx.c
index 9fc33b4298f23..9284c35aacfbf 100644
--- a/drivers/accel/amdxdna/aie2_ctx.c
+++ b/drivers/accel/amdxdna/aie2_ctx.c
@@ -165,7 +165,6 @@ aie2_sched_notify(struct amdxdna_sched_job *job)
trace_xdna_job(&job->base, job->hwctx->name, "signaled fence", job->seq);
- amdxdna_pm_suspend_put(job->hwctx->client->xdna);
job->hwctx->priv->completed++;
dma_fence_signal(fence);
@@ -290,19 +289,11 @@ aie2_sched_job_run(struct drm_sched_job *sched_job)
struct dma_fence *fence;
int ret;
- ret = amdxdna_pm_resume_get(hwctx->client->xdna);
- if (ret)
+ if (!hwctx->priv->mbox_chann)
return NULL;
- if (!hwctx->priv->mbox_chann) {
- amdxdna_pm_suspend_put(hwctx->client->xdna);
- return NULL;
- }
-
- if (!mmget_not_zero(job->mm)) {
- amdxdna_pm_suspend_put(hwctx->client->xdna);
+ if (!mmget_not_zero(job->mm))
return ERR_PTR(-ESRCH);
- }
kref_get(&job->refcnt);
fence = dma_fence_get(job->fence);
@@ -333,7 +324,6 @@ aie2_sched_job_run(struct drm_sched_job *sched_job)
out:
if (ret) {
- amdxdna_pm_suspend_put(hwctx->client->xdna);
dma_fence_put(job->fence);
aie2_job_put(job);
mmput(job->mm);
diff --git a/drivers/accel/amdxdna/amdxdna_ctx.c b/drivers/accel/amdxdna/amdxdna_ctx.c
index 4e48519b699ac..f678ae4c682d1 100644
--- a/drivers/accel/amdxdna/amdxdna_ctx.c
+++ b/drivers/accel/amdxdna/amdxdna_ctx.c
@@ -17,6 +17,7 @@
#include "amdxdna_ctx.h"
#include "amdxdna_gem.h"
#include "amdxdna_pci_drv.h"
+#include "amdxdna_pm.h"
#define MAX_HWCTX_ID 255
#define MAX_ARG_COUNT 4095
@@ -445,6 +446,7 @@ amdxdna_arg_bos_lookup(struct amdxdna_client *client,
void amdxdna_sched_job_cleanup(struct amdxdna_sched_job *job)
{
trace_amdxdna_debug_point(job->hwctx->name, job->seq, "job release");
+ amdxdna_pm_suspend_put(job->hwctx->client->xdna);
amdxdna_arg_bos_put(job);
amdxdna_gem_put_obj(job->cmd_bo);
dma_fence_put(job->fence);
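Review bot: the amdxdna_pm_suspend_put() added to amdxdna_sched_job_cleanup() is unconditional, so every job that reaches cleanup must still hold the reference taken in amdxdna_cmd_submit(). The submit error path drops that reference itself at the unlock_srcu label, so please confirm that no failed submission can also reach this function, otherwise the runtime PM usage count is decremented twice.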
@@ -482,6 +484,12 @@ int amdxdna_cmd_submit(struct amdxdna_client *client,
goto cmd_put;
}
+ ret = amdxdna_pm_resume_get(xdna);
+ if (ret) {
+ XDNA_ERR(xdna, "Resume failed, ret %d", ret);
+ goto put_bos;
+ }
+
idx = srcu_read_lock(&client->hwctx_srcu);
hwctx = xa_load(&client->hwctx_xa, hwctx_hdl);
if (!hwctx) {
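Review bot: amdxdna_pm_resume_get() in amdxdna_cmd_submit() runs before the hwctx lookup, so a submission with an invalid hwctx handle still resumes the device before failing at `if (!hwctx)`. Is there a reason the call cannot follow the lookup? If not, moving it there (with the unwind labels reordered to match) would avoid waking the hardware for requests that are going to be rejected.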
@@ -522,6 +530,8 @@ int amdxdna_cmd_submit(struct amdxdna_client *client,
dma_fence_put(job->fence);
unlock_srcu:
srcu_read_unlock(&client->hwctx_srcu, idx);
+ amdxdna_pm_suspend_put(xdna);
+put_bos:
amdxdna_arg_bos_put(job);
cmd_put:
amdxdna_gem_put_obj(job->cmd_bo);
--
2.51.0
* [PATCH 6.19 092/378] ASoC: codecs: rt1011: Use component to get the dapm context in spk_mode_put
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 091/378] accel/amdxdna: Fix runtime suspend deadlock when there is pending job Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 093/378] i40e: fix src IP mask checks and memcpy argument names in cloud filter Greg Kroah-Hartman
` (292 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peter Ujfalusi, Mark Brown,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
[ Upstream commit 30e4b2290cc2a8d1b9ddb9dcb9c981df1f2a7399 ]
The correct helper to use in rt1011_recv_spk_mode_put() to retrieve the
DAPM context is snd_soc_component_to_dapm(), from kcontrol we will
receive a NULL pointer.
Closes: https://github.com/thesofproject/linux/issues/5691
Fixes: 5b35bb517f27 ("ASoC: codecs: rt1011: convert to snd_soc_dapm_xxx()")
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://patch.msgid.link/20260310065350.18921-1-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/rt1011.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/rt1011.c b/sound/soc/codecs/rt1011.c
index 9f34a6a354876..03f31d9d916e6 100644
--- a/sound/soc/codecs/rt1011.c
+++ b/sound/soc/codecs/rt1011.c
@@ -1047,7 +1047,7 @@ static int rt1011_recv_spk_mode_put(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
{
struct snd_soc_component *component = snd_kcontrol_chip(kcontrol);
- struct snd_soc_dapm_context *dapm = snd_soc_dapm_kcontrol_to_dapm(kcontrol);
+ struct snd_soc_dapm_context *dapm = snd_soc_component_to_dapm(component);
struct rt1011_priv *rt1011 =
snd_soc_component_get_drvdata(component);
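Review bot: the replaced line in rt1011_recv_spk_mode_put() fixes one caller of snd_soc_dapm_kcontrol_to_dapm(), while the Fixes: commit is titled as a conversion of the whole codec driver. The commit message should say whether the other kcontrol handlers in rt1011.c were checked for the same NULL DAPM context, so the backport is known to be complete.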
--
2.51.0
* [PATCH 6.19 093/378] i40e: fix src IP mask checks and memcpy argument names in cloud filter
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 092/378] ASoC: codecs: rt1011: Use component to get the dapm context in spk_mode_put Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 094/378] e1000/e1000e: Fix leak in DMA error cleanup Greg Kroah-Hartman
` (291 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Aleksandr Loktionov,
Paul Menzel, Tony Nguyen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit e809085f492842ce7a519c9ef72d40f4bca89c13 ]
Fix the following issues in the IPv4 and IPv6 cloud filter handling logic in
both the add and delete paths:
- The source-IP mask check incorrectly compares mask.src_ip[0] against
tcf.dst_ip[0]. Update it to compare against tcf.src_ip[0]. This likely
goes unnoticed because the check is in an "else if" path that only
executes when dst_ip is not set, most cloud filter use cases focus on
destination-IP matching, and the buggy condition can accidentally
evaluate true in some cases.
- memcpy() for the IPv4 source address incorrectly uses
ARRAY_SIZE(tcf.dst_ip) instead of ARRAY_SIZE(tcf.src_ip), although
both arrays are the same size.
- The IPv4 memcpy operations used ARRAY_SIZE(tcf.dst_ip) and
ARRAY_SIZE(tcf.src_ip). Update these to use sizeof(cfilter->ip.v4.dst_ip) and
sizeof(cfilter->ip.v4.src_ip) to ensure correct and explicit copy size.
- In the IPv6 delete path, memcmp() uses sizeof(src_ip6) when comparing
dst_ip6 fields. Replace this with sizeof(dst_ip6) to make the intent
explicit, even though both fields are struct in6_addr.
Fixes: e284fc280473 ("i40e: Add and delete cloud filter")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index 1fa877b52f618..5a383ed09f790 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -3833,10 +3833,10 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg)
cfilter.n_proto = ETH_P_IP;
if (mask.dst_ip[0] & tcf.dst_ip[0])
memcpy(&cfilter.ip.v4.dst_ip, tcf.dst_ip,
- ARRAY_SIZE(tcf.dst_ip));
- else if (mask.src_ip[0] & tcf.dst_ip[0])
+ sizeof(cfilter.ip.v4.dst_ip));
+ else if (mask.src_ip[0] & tcf.src_ip[0])
memcpy(&cfilter.ip.v4.src_ip, tcf.src_ip,
- ARRAY_SIZE(tcf.dst_ip));
+ sizeof(cfilter.ip.v4.src_ip));
break;
case VIRTCHNL_TCP_V6_FLOW:
cfilter.n_proto = ETH_P_IPV6;
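Review bot: the memcpy() length in the IPv4 branch of i40e_vc_del_cloud_filter() changes from an element count, `ARRAY_SIZE(tcf.dst_ip)`, to a byte count, `sizeof(cfilter.ip.v4.dst_ip)`, and the commit message does not say whether the number of bytes copied changes as a result. This handler takes `struct i40e_vf *vf, u8 *msg`, so please state the old and new lengths explicitly, letting reviewers confirm the copy stays within both the source and the destination field.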
@@ -3891,7 +3891,7 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg)
/* for ipv6, mask is set for all sixteen bytes (4 words) */
if (cfilter.n_proto == ETH_P_IPV6 && mask.dst_ip[3])
if (memcmp(&cfilter.ip.v6.dst_ip6, &cf->ip.v6.dst_ip6,
- sizeof(cfilter.ip.v6.src_ip6)))
+ sizeof(cfilter.ip.v6.dst_ip6)))
continue;
if (mask.vlan_id)
if (cfilter.vlan_id != cf->vlan_id)
@@ -3979,10 +3979,10 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg)
cfilter->n_proto = ETH_P_IP;
if (mask.dst_ip[0] & tcf.dst_ip[0])
memcpy(&cfilter->ip.v4.dst_ip, tcf.dst_ip,
- ARRAY_SIZE(tcf.dst_ip));
- else if (mask.src_ip[0] & tcf.dst_ip[0])
+ sizeof(cfilter->ip.v4.dst_ip));
+ else if (mask.src_ip[0] & tcf.src_ip[0])
memcpy(&cfilter->ip.v4.src_ip, tcf.src_ip,
- ARRAY_SIZE(tcf.dst_ip));
+ sizeof(cfilter->ip.v4.src_ip));
break;
case VIRTCHNL_TCP_V6_FLOW:
cfilter->n_proto = ETH_P_IPV6;
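Review bot: in i40e_vc_add_cloud_filter() the corrected source check `mask.src_ip[0] & tcf.src_ip[0]` is still an `else if` of the destination check, so a filter that sets both addresses only has dst_ip copied. If matching on both is meant to be unsupported, a comment saying so would help; otherwise the two checks should be independent `if` statements.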
--
2.51.0
* [PATCH 6.19 094/378] e1000/e1000e: Fix leak in DMA error cleanup
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 093/378] i40e: fix src IP mask checks and memcpy argument names in cloud filter Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 095/378] page_pool: store detach_time as ktime_t to avoid false-negatives Greg Kroah-Hartman
` (290 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matt Vollrath, Tony Nguyen,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Vollrath <tactii@gmail.com>
[ Upstream commit e94eaef11142b01f77bf8ba4d0b59720b7858109 ]
If an error is encountered while mapping TX buffers, the driver should
unmap any buffers already mapped for that skb.
Because count is incremented after a successful mapping, it will always
match the correct number of unmappings needed when dma_error is reached.
Decrementing count before the while loop in dma_error causes an
off-by-one error. If any mapping was successful before an unsuccessful
mapping, exactly one DMA mapping would leak.
In these commits, a faulty while condition caused an infinite loop in
dma_error:
Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e
driver")
Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver")
Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of
unsigned in *_tx_map()") fixed the infinite loop, but introduced the
off-by-one error.
This issue may still exist in the igbvf driver, but I did not address it
in this patch.
Fixes: c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()")
Assisted-by: Claude:claude-4.6-opus
Signed-off-by: Matt Vollrath <tactii@gmail.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/e1000/e1000_main.c | 2 --
drivers/net/ethernet/intel/e1000e/netdev.c | 2 --
2 files changed, 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
index 7f078ec9c14c5..15160427c8b30 100644
--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
@@ -2952,8 +2952,6 @@ static int e1000_tx_map(struct e1000_adapter *adapter,
dma_error:
dev_err(&pdev->dev, "TX DMA map failed\n");
buffer_info->dma = 0;
- if (count)
- count--;
while (count--) {
if (i == 0)
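Review bot: with the pre-decrement gone, `while (count--)` runs once per successful mapping, which matches the changelog only if `count` is incremented strictly after each successful map and never before a `goto dma_error`. That invariant is not visible at the label, so a one-line comment above the loop stating that `count` is the number of mappings to undo would protect it from the next cleanup. `buffer_info->dma = 0` clears the entry that failed, so the loop also has to step `i` back before its first unmap; the visible `if (i == 0)` wrap check suggests it does, but that is worth confirming against the full function.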
diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
index ddbe2f7d81121..6bcb57609d16a 100644
--- a/drivers/net/ethernet/intel/e1000e/netdev.c
+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
@@ -5654,8 +5654,6 @@ static int e1000_tx_map(struct e1000_ring *tx_ring, struct sk_buff *skb,
dma_error:
dev_err(&pdev->dev, "Tx DMA map failed\n");
buffer_info->dma = 0;
- if (count)
- count--;
while (count--) {
if (i == 0)
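Review bot: this is the same two-line removal as in e1000, but the Fixes: commit named in the message also touched igb, igbvf, ixgb and ixgbe, and the message says igbvf may still have the problem. For a stable backport it would help to record which of those drivers were checked and found clean, so the remaining ones are tracked rather than left as an open remark in the changelog.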
--
2.51.0
* [PATCH 6.19 095/378] page_pool: store detach_time as ktime_t to avoid false-negatives
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 094/378] e1000/e1000e: Fix leak in DMA error cleanup Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 096/378] net: bcmgenet: fix broken EEE by converting to phylib-managed state Greg Kroah-Hartman
` (289 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jesper Dangaard Brouer,
Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 28b225282d44e2ef40e7f46cfdbd5d1b20b8874f ]
While testing other changes in vng I noticed that
nl_netdev.page_pool_check flakes. This never happens in real CI.
Turns out vng may boot and get to that test in less than a second.
page_pool_detached() records the detach time in seconds, so if
vng is fast enough detach time is set to 0. Other code treats
0 as "not detached". detach_time is only used to report the state
to the user, so it's not a huge deal in practice but let's fix it.
Store the raw ktime_t (nanoseconds) instead. A nanosecond value
of 0 is practically impossible.
Acked-by: Jesper Dangaard Brouer <hawk@kernel.org>
Fixes: 69cb4952b6f6 ("net: page_pool: report when page pool was destroyed")
Link: https://patch.msgid.link/20260310003907.3540019-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/page_pool/types.h | 2 +-
net/core/page_pool_user.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/net/page_pool/types.h b/include/net/page_pool/types.h
index 1509a536cb855..fb4f03ccd6156 100644
--- a/include/net/page_pool/types.h
+++ b/include/net/page_pool/types.h
@@ -246,7 +246,7 @@ struct page_pool {
/* User-facing fields, protected by page_pools_lock */
struct {
struct hlist_node list;
- u64 detach_time;
+ ktime_t detach_time;
u32 id;
} user;
};
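Review bot: `detach_time` changes from `u64` seconds to `ktime_t` nanoseconds, but nothing at the member says so, and 0 keeps its meaning of "not detached". A short comment on the field giving the clock (boot time), the unit and the zero sentinel would stop a later reader from passing it to user space unconverted.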
diff --git a/net/core/page_pool_user.c b/net/core/page_pool_user.c
index c82a95beceff8..ee5060d8eec0e 100644
--- a/net/core/page_pool_user.c
+++ b/net/core/page_pool_user.c
@@ -245,7 +245,7 @@ page_pool_nl_fill(struct sk_buff *rsp, const struct page_pool *pool,
goto err_cancel;
if (pool->user.detach_time &&
nla_put_uint(rsp, NETDEV_A_PAGE_POOL_DETACH_TIME,
- pool->user.detach_time))
+ ktime_divns(pool->user.detach_time, NSEC_PER_SEC)))
goto err_cancel;
if (pool->mp_ops && pool->mp_ops->nl_fill(pool->mp_priv, rsp, NULL))
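Review bot: the presence test and the reported value now use different units. `pool->user.detach_time` is non-zero in nanoseconds for a pool detached during the first second after boot, so the attribute is emitted, but `ktime_divns(pool->user.detach_time, NSEC_PER_SEC)` makes its value 0. That is the intended fix, yet user space that treats a `NETDEV_A_PAGE_POOL_DETACH_TIME` of 0 as "still attached" will still misread it; the changelog or the netlink documentation should say that presence of the attribute, not its value, signals detachment.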
@@ -337,7 +337,7 @@ int page_pool_list(struct page_pool *pool)
void page_pool_detached(struct page_pool *pool)
{
mutex_lock(&page_pools_lock);
- pool->user.detach_time = ktime_get_boottime_seconds();
+ pool->user.detach_time = ktime_get_boottime();
netdev_nl_page_pool_event(pool, NETDEV_CMD_PAGE_POOL_CHANGE_NTF);
mutex_unlock(&page_pools_lock);
}
--
2.51.0
* [PATCH 6.19 096/378] net: bcmgenet: fix broken EEE by converting to phylib-managed state
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 095/378] page_pool: store detach_time as ktime_t to avoid false-negatives Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 097/378] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address() Greg Kroah-Hartman
` (288 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Nicolai Buchwitz,
Florian Fainelli, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolai Buchwitz <nb@tipi-net.de>
[ Upstream commit 908c344d5cfac4160f49715da9efacdf5b6a28bd ]
The bcmgenet EEE implementation is broken in several ways.
phy_support_eee() is never called, so the PHY never advertises EEE
and phylib never sets phydev->enable_tx_lpi. bcmgenet_mac_config()
checks priv->eee.eee_enabled to decide whether to enable the MAC
LPI logic, but that field is never initialised to true, so the MAC
never enters Low Power Idle even when EEE is negotiated - wasting
the power savings EEE is designed to provide. The only way to get
EEE working at all is a manual 'ethtool --set-eee eth0 eee on' after
every link-up, and even then bcmgenet_get_eee() immediately clobbers
the reported state because phy_ethtool_get_eee() overwrites
eee_enabled and tx_lpi_enabled with the uninitialised PHY eee_cfg
values. Finally, bcmgenet_mac_config() is only called on link-up,
so EEE is never disabled in hardware on link-down.
Fix all of this by removing the MAC-side EEE state tracking
(priv->eee) and aligning with the pattern used by other non-phylink
MAC drivers such as FEC.
Call phy_support_eee() in bcmgenet_mii_probe() so the PHY advertises
EEE link modes and phylib tracks negotiation state. Move the EEE
hardware control to bcmgenet_mii_setup(), which is called on every
link event, and drive it directly from phydev->enable_tx_lpi - the
flag phylib sets when EEE is negotiated and the user has not disabled
it. This enables EEE automatically once the link partner agrees and
disables it cleanly on link-down.
Make bcmgenet_get_eee() and bcmgenet_set_eee() pure passthroughs to
phy_ethtool_get_eee() and phy_ethtool_set_eee(), with the MAC
hardware register read/written for tx_lpi_timer. Drop struct
ethtool_keee eee from struct bcmgenet_priv.
Fixes: fe0d4fd9285e ("net: phy: Keep track of EEE configuration")
Link: https://lore.kernel.org/netdev/d352039f-4cbb-41e6-9aeb-0b4f3941b54c@lunn.ch/
Suggested-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Nicolai Buchwitz <nb@tipi-net.de>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20260310054935.1238594-1-nb@tipi-net.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/genet/bcmgenet.c | 31 +++++++------------
.../net/ethernet/broadcom/genet/bcmgenet.h | 5 +--
drivers/net/ethernet/broadcom/genet/bcmmii.c | 10 +++---
3 files changed, 18 insertions(+), 28 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 05512aa10c209..1c2fdaca14f9b 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1342,8 +1342,7 @@ static void bcmgenet_get_ethtool_stats(struct net_device *dev,
}
}
-void bcmgenet_eee_enable_set(struct net_device *dev, bool enable,
- bool tx_lpi_enabled)
+void bcmgenet_eee_enable_set(struct net_device *dev, bool enable)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
u32 off = priv->hw_params->tbuf_offset + TBUF_ENERGY_CTRL;
@@ -1363,7 +1362,7 @@ void bcmgenet_eee_enable_set(struct net_device *dev, bool enable,
/* Enable EEE and switch to a 27Mhz clock automatically */
reg = bcmgenet_readl(priv->base + off);
- if (tx_lpi_enabled)
+ if (enable)
reg |= TBUF_EEE_EN | TBUF_PM_EN;
else
reg &= ~(TBUF_EEE_EN | TBUF_PM_EN);
@@ -1382,14 +1381,12 @@ void bcmgenet_eee_enable_set(struct net_device *dev, bool enable,
priv->clk_eee_enabled = false;
}
- priv->eee.eee_enabled = enable;
- priv->eee.tx_lpi_enabled = tx_lpi_enabled;
}
static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_keee *e)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- struct ethtool_keee *p = &priv->eee;
+ int ret;
if (GENET_IS_V1(priv))
return -EOPNOTSUPP;
@@ -1397,17 +1394,21 @@ static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_keee *e)
if (!dev->phydev)
return -ENODEV;
- e->tx_lpi_enabled = p->tx_lpi_enabled;
+ ret = phy_ethtool_get_eee(dev->phydev, e);
+ if (ret)
+ return ret;
+
+ /* tx_lpi_timer is maintained by the MAC hardware register; the
+ * PHY-level eee_cfg timer is not set for GENET.
+ */
e->tx_lpi_timer = bcmgenet_umac_readl(priv, UMAC_EEE_LPI_TIMER);
- return phy_ethtool_get_eee(dev->phydev, e);
+ return 0;
}
static int bcmgenet_set_eee(struct net_device *dev, struct ethtool_keee *e)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- struct ethtool_keee *p = &priv->eee;
- bool active;
if (GENET_IS_V1(priv))
return -EOPNOTSUPP;
@@ -1415,15 +1416,7 @@ static int bcmgenet_set_eee(struct net_device *dev, struct ethtool_keee *e)
if (!dev->phydev)
return -ENODEV;
- p->eee_enabled = e->eee_enabled;
-
- if (!p->eee_enabled) {
- bcmgenet_eee_enable_set(dev, false, false);
- } else {
- active = phy_init_eee(dev->phydev, false) >= 0;
- bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER);
- bcmgenet_eee_enable_set(dev, active, e->tx_lpi_enabled);
- }
+ bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER);
return phy_ethtool_set_eee(dev->phydev, e);
}
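Review bot: in bcmgenet_set_eee() the `UMAC_EEE_LPI_TIMER` register is written before `phy_ethtool_set_eee()` has accepted the request, so a call that fails leaves the hardware timer changed while ethtool reports an error. Calling `phy_ethtool_set_eee()` first and writing the timer only when it returns 0 would keep the two in step. The removed branch also wrote the timer only when `eee_enabled` was set; it is now written unconditionally, which deserves a line in the changelog if intended.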
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.h b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
index 5ec3979779ece..9e4110c7fdf6f 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
@@ -665,8 +665,6 @@ struct bcmgenet_priv {
u8 sopass[SOPASS_MAX];
struct bcmgenet_mib_counters mib;
-
- struct ethtool_keee eee;
};
static inline bool bcmgenet_has_40bits(struct bcmgenet_priv *priv)
@@ -749,7 +747,6 @@ int bcmgenet_wol_power_down_cfg(struct bcmgenet_priv *priv,
int bcmgenet_wol_power_up_cfg(struct bcmgenet_priv *priv,
enum bcmgenet_power_mode mode);
-void bcmgenet_eee_enable_set(struct net_device *dev, bool enable,
- bool tx_lpi_enabled);
+void bcmgenet_eee_enable_set(struct net_device *dev, bool enable);
#endif /* __BCMGENET_H__ */
diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c
index 38f854b94a799..a4e0d5a682687 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
@@ -29,7 +29,6 @@ static void bcmgenet_mac_config(struct net_device *dev)
struct bcmgenet_priv *priv = netdev_priv(dev);
struct phy_device *phydev = dev->phydev;
u32 reg, cmd_bits = 0;
- bool active;
/* speed */
if (phydev->speed == SPEED_1000)
@@ -90,10 +89,6 @@ static void bcmgenet_mac_config(struct net_device *dev)
bcmgenet_umac_writel(priv, reg, UMAC_CMD);
spin_unlock_bh(&priv->reg_lock);
- active = phy_init_eee(phydev, 0) >= 0;
- bcmgenet_eee_enable_set(dev,
- priv->eee.eee_enabled && active,
- priv->eee.tx_lpi_enabled);
}
/* setup netdev link state when PHY link status change and
@@ -113,6 +108,8 @@ void bcmgenet_mii_setup(struct net_device *dev)
bcmgenet_ext_writel(priv, reg, EXT_RGMII_OOB_CTRL);
}
+ bcmgenet_eee_enable_set(dev, phydev->enable_tx_lpi);
+
phy_print_status(phydev);
}
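Review bot: `bcmgenet_eee_enable_set(dev, phydev->enable_tx_lpi)` runs on every link event for every GENET version, while the probe hunk below calls `phy_support_eee()` only when `!GENET_IS_V1(priv)` and the ethtool handlers return -EOPNOTSUPP on V1. The call removed from bcmgenet_mac_config() was unguarded too, so this is not a regression, but it still reads and writes `TBUF_ENERGY_CTRL` on V1. If that register is not meant to be touched there, this call wants the same `GENET_IS_V1()` guard as the probe path.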
@@ -412,6 +409,9 @@ int bcmgenet_mii_probe(struct net_device *dev)
/* Indicate that the MAC is responsible for PHY PM */
dev->phydev->mac_managed_pm = true;
+ if (!GENET_IS_V1(priv))
+ phy_support_eee(dev->phydev);
+
return 0;
}
--
2.51.0
* [PATCH 6.19 097/378] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 096/378] net: bcmgenet: fix broken EEE by converting to phylib-managed state Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 098/378] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition Greg Kroah-Hartman
` (287 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Dooks, Rafael J. Wysocki,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Dooks <ben.dooks@codethink.co.uk>
[ Upstream commit 393815f57651101f1590632092986d1d5a3a41bd ]
The pointer returned from acpi_os_map_generic_address() is
tagged with __iomem, so make the rv it is returned to also
of void __iomem * type.
Fixes the following sparse warning:
drivers/acpi/osl.c:1686:20: warning: incorrect type in assignment (different address spaces)
drivers/acpi/osl.c:1686:20: expected void *rv
drivers/acpi/osl.c:1686:20: got void [noderef] __iomem *
Fixes: 6915564dc5a8 ("ACPI: OSL: Change the type of acpi_os_map_generic_address() return value")
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
[ rjw: Subject tweak, added Fixes tag ]
Link: https://patch.msgid.link/20260311105835.463030-1-ben.dooks@codethink.co.uk
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/osl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index 05393a7315fec..2addb40961b60 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -1681,7 +1681,7 @@ acpi_status __init acpi_os_initialize(void)
* Use acpi_os_map_generic_address to pre-map the reset
* register if it's in system memory.
*/
- void *rv;
+ void __iomem *rv;
rv = acpi_os_map_generic_address(&acpi_gbl_FADT.reset_register);
pr_debug("%s: Reset register mapping %s\n", __func__,
--
2.51.0
* [PATCH 6.19 098/378] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 097/378] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address() Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 099/378] ASoC: detect empty DMI strings Greg Kroah-Hartman
` (286 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Ni, Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit 53f3a900e9a383d47af7253076e19f510c5708d0 ]
The acp3x_5682_init() function did not check the return value of
clk_get(), which could lead to dereferencing error pointers in
rt5682_clk_enable().
Fix this by:
1. Changing clk_get() to the device-managed devm_clk_get().
2. Adding proper IS_ERR() checks for both clock acquisitions.
Fixes: 6b8e4e7db3cd ("ASoC: amd: Add machine driver for Raven based platform")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Link: https://patch.msgid.link/20260310024246.2153827-1-nichen@iscas.ac.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/acp3x-rt5682-max9836.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/sound/soc/amd/acp3x-rt5682-max9836.c b/sound/soc/amd/acp3x-rt5682-max9836.c
index 4ca1978020a96..d1eb6f12a1830 100644
--- a/sound/soc/amd/acp3x-rt5682-max9836.c
+++ b/sound/soc/amd/acp3x-rt5682-max9836.c
@@ -94,8 +94,13 @@ static int acp3x_5682_init(struct snd_soc_pcm_runtime *rtd)
return ret;
}
- rt5682_dai_wclk = clk_get(component->dev, "rt5682-dai-wclk");
- rt5682_dai_bclk = clk_get(component->dev, "rt5682-dai-bclk");
+ rt5682_dai_wclk = devm_clk_get(component->dev, "rt5682-dai-wclk");
+ if (IS_ERR(rt5682_dai_wclk))
+ return PTR_ERR(rt5682_dai_wclk);
+
+ rt5682_dai_bclk = devm_clk_get(component->dev, "rt5682-dai-bclk");
+ if (IS_ERR(rt5682_dai_bclk))
+ return PTR_ERR(rt5682_dai_bclk);
ret = snd_soc_card_jack_new_pins(card, "Headset Jack",
SND_JACK_HEADSET |
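Review bot: switching to `devm_clk_get()` ties both clock references to `component->dev`, so any `clk_put()` left on `rt5682_dai_wclk` or `rt5682_dai_bclk` elsewhere in this file would now release them a second time. The diffstat shows no removal outside this hunk, so please confirm there is none. The two early returns are also silent; an error message naming the clock that failed would make a failed card init diagnosable.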
--
2.51.0
* [PATCH 6.19 099/378] ASoC: detect empty DMI strings
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 098/378] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 100/378] drm/amdkfd: Unreserve bo if queue update failed Greg Kroah-Hartman
` (285 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Casey Connolly, Mark Brown,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Casey Connolly <casey.connolly@linaro.org>
[ Upstream commit a9683730e8b1d632674f81844ed03ddfbe4821c0 ]
Some bootloaders like recent versions of U-Boot may install some DMI
properties with empty values rather than not populate them. This manages
to make its way through the validator and cleanup resulting in a rogue
hyphen being appended to the card longname.
Fixes: 4e01e5dbba96 ("ASoC: improve the DMI long card code in asoc-core")
Signed-off-by: Casey Connolly <casey.connolly@linaro.org>
Link: https://patch.msgid.link/20260306174707.283071-2-casey.connolly@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index e6045d30ee8e1..23ba821cd759d 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -1863,12 +1863,15 @@ static void cleanup_dmi_name(char *name)
/*
* Check if a DMI field is valid, i.e. not containing any string
- * in the black list.
+ * in the black list and not the empty string.
*/
static int is_dmi_valid(const char *field)
{
int i = 0;
+ if (!field[0])
+ return 0;
+
while (dmi_blacklist[i]) {
if (strstr(field, dmi_blacklist[i]))
return 0;
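Review bot: the new `!field[0]` test rejects only the zero-length string. A value made up solely of spaces would still be reported valid here; does it then go through the cleanup step and produce the same stray hyphen in the long name? If the bootloaders in question can emit such values, skipping leading whitespace before the test, or validating after cleanup, would cover that case as well.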
--
2.51.0
* [PATCH 6.19 100/378] drm/amdkfd: Unreserve bo if queue update failed
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 099/378] ASoC: detect empty DMI strings Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 101/378] ASoC: amd: acp-mach-common: Add missing error check for clock acquisition Greg Kroah-Hartman
` (284 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Yang, Alex Sierra,
Alex Deucher, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
[ Upstream commit 2ce75a0b7e1bfddbcb9bc8aeb2e5e7fa99971acf ]
Error handling path should unreserve bo then return failed.
Fixes: 305cd109b761 ("drm/amdkfd: Validate user queue update")
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Alex Sierra <alex.sierra@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit c24afed7de9ecce341825d8ab55a43a254348b33)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
index 7fbb5c274ccc4..7bf712032c52c 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
@@ -606,6 +606,7 @@ int pqm_update_queue_properties(struct process_queue_manager *pqm,
p->queue_size)) {
pr_debug("ring buf 0x%llx size 0x%llx not mapped on GPU\n",
p->queue_address, p->queue_size);
+ amdgpu_bo_unreserve(vm->root.bo);
return -EFAULT;
}
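Review bot: the added `amdgpu_bo_unreserve(vm->root.bo)` repairs this one early return by hand, which is the pattern that allowed the missing unreserve in the first place. A single unwind label after the reservation, with every failure path jumping to it, would keep reserve and unreserve paired when the next check is added. The hunk shows only this return; please confirm no other return sits between the reservation and the normal unreserve.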
--
2.51.0
* [PATCH 6.19 101/378] ASoC: amd: acp-mach-common: Add missing error check for clock acquisition
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 100/378] drm/amdkfd: Unreserve bo if queue update failed Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 102/378] io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops Greg Kroah-Hartman
` (283 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Ni, Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit 30c64fb9839949f085c8eb55b979cbd8a4c51f00 ]
The acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not
check the return values of clk_get(). This could lead to a kernel crash
when the invalid pointers are later dereferenced by clock core
functions.
Fix this by:
1. Changing clk_get() to the device-managed devm_clk_get().
2. Adding IS_ERR() checks immediately after each clock acquisition.
Fixes: 8b7256266848 ("ASoC: amd: acp: Add support for RT5682-VS codec")
Fixes: d4c750f2c7d4 ("ASoC: amd: acp: Add generic machine driver support for ACP cards")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Link: https://patch.msgid.link/20260310044327.2582018-1-nichen@iscas.ac.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/acp/acp-mach-common.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/sound/soc/amd/acp/acp-mach-common.c b/sound/soc/amd/acp/acp-mach-common.c
index 4d99472c75baf..09f6c9a2c0410 100644
--- a/sound/soc/amd/acp/acp-mach-common.c
+++ b/sound/soc/amd/acp/acp-mach-common.c
@@ -127,8 +127,13 @@ static int acp_card_rt5682_init(struct snd_soc_pcm_runtime *rtd)
if (drvdata->hs_codec_id != RT5682)
return -EINVAL;
- drvdata->wclk = clk_get(component->dev, "rt5682-dai-wclk");
- drvdata->bclk = clk_get(component->dev, "rt5682-dai-bclk");
+ drvdata->wclk = devm_clk_get(component->dev, "rt5682-dai-wclk");
+ if (IS_ERR(drvdata->wclk))
+ return PTR_ERR(drvdata->wclk);
+
+ drvdata->bclk = devm_clk_get(component->dev, "rt5682-dai-bclk");
+ if (IS_ERR(drvdata->bclk))
+ return PTR_ERR(drvdata->bclk);
ret = snd_soc_dapm_new_controls(dapm, rt5682_widgets,
ARRAY_SIZE(rt5682_widgets));
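Review bot: on failure the error pointer is stored in `drvdata->wclk` or `drvdata->bclk` before the function returns, so the driver data keeps an `ERR_PTR` after init has failed. Any later code that tests these members for NULL rather than with `IS_ERR()` would hand that value to the clock API. Fetching into a local and assigning to `drvdata` only on success avoids leaving it behind.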
@@ -370,8 +375,13 @@ static int acp_card_rt5682s_init(struct snd_soc_pcm_runtime *rtd)
return -EINVAL;
if (!drvdata->soc_mclk) {
- drvdata->wclk = clk_get(component->dev, "rt5682-dai-wclk");
- drvdata->bclk = clk_get(component->dev, "rt5682-dai-bclk");
+ drvdata->wclk = devm_clk_get(component->dev, "rt5682-dai-wclk");
+ if (IS_ERR(drvdata->wclk))
+ return PTR_ERR(drvdata->wclk);
+
+ drvdata->bclk = devm_clk_get(component->dev, "rt5682-dai-bclk");
+ if (IS_ERR(drvdata->bclk))
+ return PTR_ERR(drvdata->bclk);
}
ret = snd_soc_dapm_new_controls(dapm, rt5682s_widgets,
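Review bot: this is the same acquisition sequence as in acp_card_rt5682_init(), now duplicated inside the `!drvdata->soc_mclk` branch. A small helper that obtains both clocks and returns the error would remove the copy and give one place for an error message. When `soc_mclk` is set, `wclk` and `bclk` stay unassigned, so users of those members need to keep the same `soc_mclk` test.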
--
2.51.0
* [PATCH 6.19 102/378] io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 101/378] ASoC: amd: acp-mach-common: Add missing error check for clock acquisition Greg Kroah-Hartman
@ 2026-03-17 16:30 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 103/378] perf synthetic-events: Fix stale build ID in module MMAP2 records Greg Kroah-Hartman
` (282 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:30 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tom Ryan, Jens Axboe, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tom Ryan <ryan36005@gmail.com>
[ Upstream commit 6f02c6b196036dbb6defb4647d8707d29b7fe95b ]
When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY,
the boundary check for 128-byte SQE operations in io_init_req()
validated the logical SQ head position rather than the physical SQE
index.
The existing check:
!(ctx->cached_sq_head & (ctx->sq_entries - 1))
ensures the logical position isn't at the end of the ring, which is
correct for NO_SQARRAY rings where physical == logical. However, when
sq_array is present, an unprivileged user can remap any logical
position to an arbitrary physical index via sq_array. Setting
sq_array[N] = sq_entries - 1 places a 128-byte operation at the last
physical SQE slot, causing the 128-byte memcpy in
io_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE
array.
Replace the cached_sq_head alignment check with a direct validation
of the physical SQE index, which correctly handles both sq_array and
NO_SQARRAY cases.
Fixes: 1cba30bf9fdd ("io_uring: add support for IORING_SETUP_SQE_MIXED")
Signed-off-by: Tom Ryan <ryan36005@gmail.com>
Link: https://patch.msgid.link/20260310052003.72871-1-ryan36005@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
io_uring/io_uring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 63efd60829f37..b10f33eef19da 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2152,7 +2152,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,
* well as 2 contiguous entries.
*/
if (!(ctx->flags & IORING_SETUP_SQE_MIXED) || *left < 2 ||
- !(ctx->cached_sq_head & (ctx->sq_entries - 1)))
+ (unsigned)(sqe - ctx->sq_sqes) >= ctx->sq_entries - 1)
return io_init_fail_req(req, -EINVAL);
/*
* A 128b operation on a mixed SQ uses two entries, so we have
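Review bot: the comment above the condition still describes the requirement only as needing 2 contiguous entries and does not say that the test is now made on the physical SQE index, `sqe - ctx->sq_sqes`, rather than on the logical head. Since the changelog describes a 64-byte read past the end of the SQE array when `sq_array` is present, the comment should state that the index is taken after `sq_array` indirection. A selftest that places a 128-byte op in the last physical slot on a ring without IORING_SETUP_NO_SQARRAY and expects -EINVAL would keep this from regressing.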
--
2.51.0
* [PATCH 6.19 103/378] perf synthetic-events: Fix stale build ID in module MMAP2 records
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-03-17 16:30 ` [PATCH 6.19 102/378] io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 104/378] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
` (281 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Chuck Lever,
Adrian Hunter, Alexander Shishkin, Ingo Molnar, James Clark,
Jiri Olsa, Mark Rutland, Namhyung Kim, Peter Zijlstra,
Arnaldo Carvalho de Melo, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit 35b16a7a2c4fc458304447128b86514ce9f70f3c ]
perf_event__synthesize_modules() allocates a single union perf_event and
reuses it across every kernel module callback.
After the first module is processed, perf_record_mmap2__read_build_id()
sets PERF_RECORD_MISC_MMAP_BUILD_ID in header.misc and writes that
module's build ID into the event.
On subsequent iterations the callback overwrites start, len, pid, and
filename for the next module but never clears the stale build ID fields
or the MMAP_BUILD_ID flag.
When perf_record_mmap2__read_build_id() runs for the second module it
sees the flag, reads the stale build ID into a dso_id, and
__dso__improve_id() permanently poisons the DSO with the wrong build ID.
Every module after the first therefore receives the first module's build
ID in its MMAP2 record.
On a system with the sunrpc and nfsd modules loaded, this causes perf
script and perf report to show [unknown] for all module symbols.
The latent bug has existed since commit d9f2ecbc5e47fca7 ("perf dso:
Move build_id to dso_id") introduced the PERF_RECORD_MISC_MMAP_BUILD_ID
check in perf_record_mmap2__read_build_id().
Commit 53b00ff358dc75b1 ("perf record: Make --buildid-mmap the default")
then exposed it to all users by making the MMAP2-with-build-ID path the
default. Both commits were merged in the same series.
Clear the MMAP_BUILD_ID flag and zero the build_id union before each
call to perf_record_mmap2__read_build_id() so that every module starts
with a clean slate.
Fixes: d9f2ecbc5e47fca7 ("perf dso: Move build_id to dso_id")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/synthetic-events.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/perf/util/synthetic-events.c b/tools/perf/util/synthetic-events.c
index 2ba9fa25e00a6..7a47e21c6704f 100644
--- a/tools/perf/util/synthetic-events.c
+++ b/tools/perf/util/synthetic-events.c
@@ -703,6 +703,11 @@ static int perf_event__synthesize_modules_maps_cb(struct map *map, void *data)
memcpy(event->mmap2.filename, dso__long_name(dso), dso__long_name_len(dso) + 1);
+ /* Clear stale build ID from previous module iteration */
+ event->mmap2.header.misc &= ~PERF_RECORD_MISC_MMAP_BUILD_ID;
+ memset(event->mmap2.build_id, 0, sizeof(event->mmap2.build_id));
+ event->mmap2.build_id_size = 0;
+
perf_record_mmap2__read_build_id(&event->mmap2, args->machine, false);
} else {
size = PERF_ALIGN(dso__long_name_len(dso) + 1, sizeof(u64));
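Review bot: the reset added ahead of perf_record_mmap2__read_build_id() lives only at this call site, so any other caller that reuses an event buffer across iterations keeps the stale-flag hazard the commit message describes. Consider clearing PERF_RECORD_MISC_MMAP_BUILD_ID and the build ID fields inside perf_record_mmap2__read_build_id() itself, so the helper never trusts caller state. The message also says the build_id union is zeroed while the hunk clears build_id and build_id_size individually; it is worth stating whether any remaining member of that union can still carry stale data.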
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 104/378] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 103/378] perf synthetic-events: Fix stale build ID in module MMAP2 records Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 105/378] net: dsa: realtek: Fix LED group port bit for non-zero LED group Greg Kroah-Hartman
` (280 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Ricardo B . Marlière, Hangbin Liu, Jakub Kicinski,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marlière <rbm@suse.com>
[ Upstream commit 30021e969d48e5819d5ae56936c2f34c0f7ce997 ]
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called
which initializes it. If bonding ARP/NS validation is enabled, an IPv6
NS/NA packet received on a slave can reach bond_validate_na(), which
calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can
crash in __ipv6_chk_addr_and_flags().
BUG: kernel NULL pointer dereference, address: 00000000000005d8
Oops: Oops: 0000 [#1] SMP NOPTI
RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170
Call Trace:
<IRQ>
ipv6_chk_addr+0x1f/0x30
bond_validate_na+0x12e/0x1d0 [bonding]
? __pfx_bond_handle_frame+0x10/0x10 [bonding]
bond_rcv_validate+0x1a0/0x450 [bonding]
bond_handle_frame+0x5e/0x290 [bonding]
? srso_alias_return_thunk+0x5/0xfbef5
__netif_receive_skb_core.constprop.0+0x3e8/0xe50
? srso_alias_return_thunk+0x5/0xfbef5
? update_cfs_rq_load_avg+0x1a/0x240
? srso_alias_return_thunk+0x5/0xfbef5
? __enqueue_entity+0x5e/0x240
__netif_receive_skb_one_core+0x39/0xa0
process_backlog+0x9c/0x150
__napi_poll+0x30/0x200
? srso_alias_return_thunk+0x5/0xfbef5
net_rx_action+0x338/0x3b0
handle_softirqs+0xc9/0x2a0
do_softirq+0x42/0x60
</IRQ>
<TASK>
__local_bh_enable_ip+0x62/0x70
__dev_queue_xmit+0x2d3/0x1000
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? packet_parse_headers+0x10a/0x1a0
packet_sendmsg+0x10da/0x1700
? kick_pool+0x5f/0x140
? srso_alias_return_thunk+0x5/0xfbef5
? __queue_work+0x12d/0x4f0
__sys_sendto+0x1f3/0x220
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x101/0xf80
? exc_page_fault+0x6e/0x170
? srso_alias_return_thunk+0x5/0xfbef5
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to
bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate()
and avoid the path to ipv6_chk_addr().
Suggested-by: Fernando Fernandez Mancera <fmancera@suse.de>
Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets")
Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20260307-net-nd_tbl_fixes-v4-2-e2677e85628c@suse.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 139ece7676c50..e8e261e0cb4e1 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -3402,7 +3402,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond,
} else if (is_arp) {
return bond_arp_rcv(skb, bond, slave);
#if IS_ENABLED(CONFIG_IPV6)
- } else if (is_ipv6) {
+ } else if (is_ipv6 && likely(ipv6_mod_enabled())) {
return bond_na_rcv(skb, bond, slave);
#endif
} else {
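Review bot: with the extra condition on the is_ipv6 branch, an IPv6 frame received while IPv6 is disabled does not return at this point but falls through to the final else branch, whereas the commit message says bond_rcv_validate() returns early. Please confirm that the else path is the intended handling for NS/NA frames in that state, or add an explicit branch that returns when is_ipv6 is set and ipv6_mod_enabled() is false. A one-line comment on why ipv6_mod_enabled() is needed even under IS_ENABLED(CONFIG_IPV6) (ipv6.disable=1 leaves nd_tbl uninitialised) would stop the check from being dropped later.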
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 105/378] net: dsa: realtek: Fix LED group port bit for non-zero LED group
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 104/378] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 106/378] neighbour: restore protocol != 0 check in pneigh update Greg Kroah-Hartman
` (279 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Behún, Andrew Lunn,
Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Behún <kabel@kernel.org>
[ Upstream commit e8f0dc024ce55451ebd54bad975134ba802e4fcc ]
The rtl8366rb_led_group_port_mask() function always returns LED port
bit in LED group 0; the switch statement returns the same thing in all
non-default cases.
This means that the driver does not currently support configuring LEDs
in non-zero LED groups.
Fix this.
Fixes: 32d617005475a71e ("net: dsa: realtek: add LED drivers for rtl8366rb")
Signed-off-by: Marek Behún <kabel@kernel.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20260311111237.29002-1-kabel@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/realtek/rtl8366rb-leds.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/dsa/realtek/rtl8366rb-leds.c b/drivers/net/dsa/realtek/rtl8366rb-leds.c
index 99c890681ae60..509ffd3f8db5c 100644
--- a/drivers/net/dsa/realtek/rtl8366rb-leds.c
+++ b/drivers/net/dsa/realtek/rtl8366rb-leds.c
@@ -12,11 +12,11 @@ static inline u32 rtl8366rb_led_group_port_mask(u8 led_group, u8 port)
case 0:
return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port));
case 1:
- return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port));
+ return FIELD_PREP(RTL8366RB_LED_X_1_CTRL_MASK, BIT(port));
case 2:
- return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port));
+ return FIELD_PREP(RTL8366RB_LED_2_X_CTRL_MASK, BIT(port));
case 3:
- return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port));
+ return FIELD_PREP(RTL8366RB_LED_X_3_CTRL_MASK, BIT(port));
default:
return 0;
}
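Review bot: the four mask names in this switch do not follow one pattern (RTL8366RB_LED_0_X_CTRL_MASK and RTL8366RB_LED_2_X_CTRL_MASK for groups 0 and 2, RTL8366RB_LED_X_1_CTRL_MASK and RTL8366RB_LED_X_3_CTRL_MASK for groups 1 and 3), which makes the corrected lines hard to verify by eye and is probably how the copy-paste went unnoticed. A short comment above the switch describing how the LED groups are laid out across the control registers would let a reader check each case against the definitions.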
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 106/378] neighbour: restore protocol != 0 check in pneigh update
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 105/378] net: dsa: realtek: Fix LED group port bit for non-zero LED group Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 107/378] net/mana: Null service_wq on setup error to prevent double destroy Greg Kroah-Hartman
` (278 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, David Ahern,
Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit cbada1048847a348797aec63a1d8056621cbe653 ]
Prior to commit dc2a27e524ac ("neighbour: Update pneigh_entry in
pneigh_create()."), a pneigh's protocol was updated only when the
value of the NDA_PROTOCOL attribute was non-0. While moving the code,
that check was removed. This is a small change of user-visible
behavior, and inconsistent with the (non-proxy) neighbour behavior.
Fixes: dc2a27e524ac ("neighbour: Update pneigh_entry in pneigh_create().")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/38c61de1bb032871a886aff9b9b52fe1cdd4cada.1772894876.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/neighbour.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 96a3b1a93252a..e4ee0c02fb443 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -821,7 +821,8 @@ int pneigh_create(struct neigh_table *tbl, struct net *net,
update:
WRITE_ONCE(n->flags, flags);
n->permanent = permanent;
- WRITE_ONCE(n->protocol, protocol);
+ if (protocol)
+ WRITE_ONCE(n->protocol, protocol);
out:
mutex_unlock(&tbl->phash_lock);
return err;
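Review bot: the restored "if (protocol)" guard under the update label has no comment, and it was lost once already when this code was moved. Please add a line stating that a zero NDA_PROTOCOL means "leave the stored protocol unchanged", matching the non-proxy neighbour behaviour the commit message refers to. It would also be worth noting in the changelog that this means an existing pneigh entry's protocol cannot be reset to 0 through an update.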
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 107/378] net/mana: Null service_wq on setup error to prevent double destroy
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 106/378] neighbour: restore protocol != 0 check in pneigh update Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 108/378] net: ethernet: ti: am65-cpsw-nuss: Fix rx_filter value for PTP support Greg Kroah-Hartman
` (277 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shiraz Saleem, Konstantin Taranov,
Simon Horman, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shiraz Saleem <shirazsaleem@microsoft.com>
[ Upstream commit 87c2302813abc55c46485711a678e3c312b00666 ]
In mana_gd_setup() error path, set gc->service_wq to NULL after
destroy_workqueue() to match the cleanup in mana_gd_cleanup().
This prevents a use-after-free if the workqueue pointer is checked
after a failed setup.
Fixes: f975a0955276 ("net: mana: Fix double destroy_workqueue on service rescan PCI path")
Signed-off-by: Shiraz Saleem <shirazsaleem@microsoft.com>
Signed-off-by: Konstantin Taranov <kotaranov@microsoft.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260309172443.688392-1-kotaranov@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/mana/gdma_main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c
index 3926d18f1840b..cbea0ea242c26 100644
--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c
+++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c
@@ -1934,6 +1934,7 @@ static int mana_gd_setup(struct pci_dev *pdev)
mana_gd_remove_irqs(pdev);
free_workqueue:
destroy_workqueue(gc->service_wq);
+ gc->service_wq = NULL;
dev_err(&pdev->dev, "%s failed (error %d)\n", __func__, err);
return err;
}
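Review bot: clearing gc->service_wq after destroy_workqueue() at the free_workqueue label only helps if every later user tests the pointer before touching it, and the commit message does not name the path that does. Please point to the caller that checks service_wq after a failed mana_gd_setup(). Since the same destroy-then-NULL pair is said to exist in mana_gd_cleanup(), a small shared helper would keep the two sites from diverging again.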
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 108/378] net: ethernet: ti: am65-cpsw-nuss: Fix rx_filter value for PTP support
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 107/378] net/mana: Null service_wq on setup error to prevent double destroy Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 109/378] octeontx2-af: devlink: fix NIX RAS reporter recovery condition Greg Kroah-Hartman
` (276 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chintan Vankar, Jakub Kicinski,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chintan Vankar <c-vankar@ti.com>
[ Upstream commit 840c9d13cb1ca96683a5307ee8e221be163a2c1e ]
The "rx_filter" member of "hwtstamp_config" structure is an enum field and
does not support a bitwise OR combination of multiple filter values. This
causes an error when the linuxptp application tries to match the rx filter version.
Fix this by storing the requested filter type in a new port field.
Fixes: 97248adb5a3b ("net: ti: am65-cpsw: Update hw timestamping filter for PTPv1 RX packets")
Signed-off-by: Chintan Vankar <c-vankar@ti.com>
Link: https://patch.msgid.link/20260310160940.109822-1-c-vankar@ti.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/ti/am65-cpsw-nuss.c | 16 +++++++++-------
drivers/net/ethernet/ti/am65-cpsw-nuss.h | 2 +-
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
index 9679180504330..265ce5479915f 100644
--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
@@ -1351,7 +1351,7 @@ static int am65_cpsw_nuss_rx_packets(struct am65_cpsw_rx_flow *flow,
ndev_priv = netdev_priv(ndev);
am65_cpsw_nuss_set_offload_fwd_mark(skb, ndev_priv->offload_fwd_mark);
skb_put(skb, pkt_len);
- if (port->rx_ts_enabled)
+ if (port->rx_ts_filter)
am65_cpts_rx_timestamp(common->cpts, skb);
skb_mark_for_recycle(skb);
skb->protocol = eth_type_trans(skb, ndev);
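Review bot: "if (port->rx_ts_filter)" in the RX path now tests an enum for truth, which silently relies on HWTSTAMP_FILTER_NONE being 0. Writing the comparison out as port->rx_ts_filter != HWTSTAMP_FILTER_NONE here, and in the ts_ctrl setup further down, makes the intent explicit and survives a reader who does not know the enum values.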
@@ -1811,11 +1811,14 @@ static int am65_cpsw_nuss_hwtstamp_set(struct net_device *ndev,
switch (cfg->rx_filter) {
case HWTSTAMP_FILTER_NONE:
- port->rx_ts_enabled = false;
+ port->rx_ts_filter = HWTSTAMP_FILTER_NONE;
break;
case HWTSTAMP_FILTER_PTP_V1_L4_EVENT:
case HWTSTAMP_FILTER_PTP_V1_L4_SYNC:
case HWTSTAMP_FILTER_PTP_V1_L4_DELAY_REQ:
+ port->rx_ts_filter = HWTSTAMP_FILTER_PTP_V1_L4_EVENT;
+ cfg->rx_filter = HWTSTAMP_FILTER_PTP_V1_L4_EVENT;
+ break;
case HWTSTAMP_FILTER_PTP_V2_L4_EVENT:
case HWTSTAMP_FILTER_PTP_V2_L4_SYNC:
case HWTSTAMP_FILTER_PTP_V2_L4_DELAY_REQ:
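Review bot: the new PTP_V1 cases store HWTSTAMP_FILTER_PTP_V1_L4_EVENT in port->rx_ts_filter, but nothing visible in this patch programs the hardware differently per filter: the RX path and the ts_ctrl setup only test the field for non-zero. If the hardware timestamps both PTPv1 and PTPv2 frames whichever filter is stored, please say so in a comment next to these cases, so it is clear that rx_ts_filter exists to report a single valid enum value back to user space and not to select a hardware mode.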
@@ -1825,8 +1828,8 @@ static int am65_cpsw_nuss_hwtstamp_set(struct net_device *ndev,
case HWTSTAMP_FILTER_PTP_V2_EVENT:
case HWTSTAMP_FILTER_PTP_V2_SYNC:
case HWTSTAMP_FILTER_PTP_V2_DELAY_REQ:
- port->rx_ts_enabled = true;
- cfg->rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT | HWTSTAMP_FILTER_PTP_V1_L4_EVENT;
+ port->rx_ts_filter = HWTSTAMP_FILTER_PTP_V2_EVENT;
+ cfg->rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT;
break;
case HWTSTAMP_FILTER_ALL:
case HWTSTAMP_FILTER_SOME:
@@ -1863,7 +1866,7 @@ static int am65_cpsw_nuss_hwtstamp_set(struct net_device *ndev,
ts_ctrl |= AM65_CPSW_TS_TX_ANX_ALL_EN |
AM65_CPSW_PN_TS_CTL_TX_VLAN_LT1_EN;
- if (port->rx_ts_enabled)
+ if (port->rx_ts_filter)
ts_ctrl |= AM65_CPSW_TS_RX_ANX_ALL_EN |
AM65_CPSW_PN_TS_CTL_RX_VLAN_LT1_EN;
@@ -1888,8 +1891,7 @@ static int am65_cpsw_nuss_hwtstamp_get(struct net_device *ndev,
cfg->flags = 0;
cfg->tx_type = port->tx_ts_enabled ?
HWTSTAMP_TX_ON : HWTSTAMP_TX_OFF;
- cfg->rx_filter = port->rx_ts_enabled ? HWTSTAMP_FILTER_PTP_V2_EVENT |
- HWTSTAMP_FILTER_PTP_V1_L4_EVENT : HWTSTAMP_FILTER_NONE;
+ cfg->rx_filter = port->rx_ts_filter;
return 0;
}
diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.h b/drivers/net/ethernet/ti/am65-cpsw-nuss.h
index 917c37e4e89bd..7750448e47468 100644
--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.h
+++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.h
@@ -52,7 +52,7 @@ struct am65_cpsw_port {
bool disabled;
struct am65_cpsw_slave_data slave;
bool tx_ts_enabled;
- bool rx_ts_enabled;
+ enum hwtstamp_rx_filters rx_ts_filter;
struct am65_cpsw_qos qos;
struct devlink_port devlink_port;
struct bpf_prog *xdp_prog;
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 109/378] octeontx2-af: devlink: fix NIX RAS reporter recovery condition
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 108/378] net: ethernet: ti: am65-cpsw-nuss: Fix rx_filter value for PTP support Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 110/378] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status Greg Kroah-Hartman
` (275 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Jakub Kicinski,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit dc26ca99b835e21e76a58b1463b84adb0ca34f58 ]
The NIX RAS health reporter recovery routine checks nix_af_rvu_int to
decide whether to re-enable NIX_AF_RAS interrupts. This is the RVU
interrupt status field and is unrelated to RAS events, so the recovery
flow may incorrectly skip re-enabling NIX_AF_RAS interrupts.
Check nix_af_rvu_ras instead before writing NIX_AF_RAS_ENA_W1S.
Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20260310184824.1183651-1-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
index 0f9953eaf1b09..fa6ca4f41b59a 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
@@ -475,7 +475,7 @@ static int rvu_hw_nix_ras_recover(struct devlink_health_reporter *reporter,
if (blkaddr < 0)
return blkaddr;
- if (nix_event_ctx->nix_af_rvu_int)
+ if (nix_event_ctx->nix_af_rvu_ras)
rvu_write64(rvu, blkaddr, NIX_AF_RAS_ENA_W1S, ~0ULL);
return 0;
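Review bot: the corrected condition still gates the NIX_AF_RAS_ENA_W1S write on the saved status being non-zero, so if the recover callback runs with nix_af_rvu_ras equal to 0 the RAS interrupts stay disabled. Is that intended, or should recovery re-enable them unconditionally? A comment on the condition would settle it. Given that nix_af_rvu_int and nix_af_rvu_ras were confused here, the sibling recover routines in this file deserve the same check.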
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 110/378] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 109/378] octeontx2-af: devlink: fix NIX RAS reporter recovery condition Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 111/378] net: prevent NULL deref in ip[6]tunnel_xmit() Greg Kroah-Hartman
` (274 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Jakub Kicinski,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 87f7dff3ec75b91def0024ebaaf732457f47a63b ]
The NIX RAS health report path uses nix_af_rvu_err when handling the
NIX_AF_RVU_RAS case, so the report prints the ERR interrupt status rather
than the RAS interrupt status.
Use nix_af_rvu_ras for the NIX_AF_RVU_RAS report.
Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20260310184824.1183651-2-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
index fa6ca4f41b59a..2a715872e9edf 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
@@ -327,10 +327,10 @@ static int rvu_nix_report_show(struct devlink_fmsg *fmsg, void *ctx,
rvu_report_pair_end(fmsg);
break;
case NIX_AF_RVU_RAS:
- intr_val = nix_event_context->nix_af_rvu_err;
+ intr_val = nix_event_context->nix_af_rvu_ras;
rvu_report_pair_start(fmsg, "NIX_AF_RAS");
devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ",
- nix_event_context->nix_af_rvu_err);
+ nix_event_context->nix_af_rvu_ras);
devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:");
if (intr_val & BIT_ULL(34))
devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S");
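Review bot: in the NIX_AF_RVU_RAS case the status is read twice, once into intr_val and again as the argument to devlink_fmsg_u64_pair_put(), which is why this fix needed two edits. Passing intr_val to devlink_fmsg_u64_pair_put() keeps the printed register value and the decoded bits tied to the same source.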
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 111/378] net: prevent NULL deref in ip[6]tunnel_xmit()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 110/378] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 112/378] iio: imu: inv-mpu9150: fix irq ack preventing irq storms Greg Kroah-Hartman
` (273 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Weiming Shi,
Paolo Abeni, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit c38b8f5f791ecce13ab77e2257f8fd2444ba80f6 ]
Blamed commit missed that both functions can be called with dev == NULL.
Also add unlikely() hints for these conditions that only fuzzers can hit.
Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions")
Signed-off-by: Eric Dumazet <edumazet@google.com>
CC: Weiming Shi <bestswngs@gmail.com>
Link: https://patch.msgid.link/20260312043908.2790803-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/ip6_tunnel.h | 10 ++++++----
net/ipv4/ip_tunnel_core.c | 10 ++++++----
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h
index 1253cbb4b0a45..359b595f1df93 100644
--- a/include/net/ip6_tunnel.h
+++ b/include/net/ip6_tunnel.h
@@ -156,10 +156,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb,
{
int pkt_len, err;
- if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
- net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
- dev->name);
- DEV_STATS_INC(dev, tx_errors);
+ if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) {
+ if (dev) {
+ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
+ dev->name);
+ DEV_STATS_INC(dev, tx_errors);
+ }
kfree_skb(skb);
return;
}
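Review bot: with the new "if (dev)" guard in ip6tunnel_xmit(), a recursion-limit drop with dev == NULL is completely silent: no log line and no tx_errors increment. For a condition that the message asks to be fixed "urgently", consider emitting the ratelimited message without the device name in that case, so the loop is still visible to an operator.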
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index b1b6bf949f65a..5683c328990f4 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -58,10 +58,12 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
struct iphdr *iph;
int err;
- if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
- net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
- dev->name);
- DEV_STATS_INC(dev, tx_errors);
+ if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) {
+ if (dev) {
+ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
+ dev->name);
+ DEV_STATS_INC(dev, tx_errors);
+ }
ip_rt_put(rt);
kfree_skb(skb);
return;
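Review bot: this block in iptunnel_xmit() is now a line-for-line copy of the one in ip6tunnel_xmit(), apart from ip_rt_put(rt), and both had the same missing NULL check. A small shared inline helper that takes dev, performs the recursion test, logs and bumps tx_errors would keep the two paths from drifting apart again.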
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 112/378] iio: imu: inv-mpu9150: fix irq ack preventing irq storms
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 111/378] net: prevent NULL deref in ip[6]tunnel_xmit() Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 113/378] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() Greg Kroah-Hartman
` (272 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andreas Kemnade,
Jean-Baptiste Maneyrol, Jonathan Cameron, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Kemnade <andreas@kemnade.info>
[ Upstream commit d23d763e00ace4e9c59f8d33e0713d401133ba88 ]
IRQ needs to be acked. For some odd reason, reading from irq status does
not reliably help; enable acking from any register to be on the safe side
and read the irq status register. Comments in the code indicate a known
unreliability with that register.
The blamed commit was tested with mpu6050 in lg,p895 and lg,p880 according
to Tested-bys. But with the MPU9150 in the Epson Moverio BT-200 this leads
to irq storms without properly acking the irq.
Fixes: 0a3b517c8089 ("iio: imu: inv_mpu6050: fix interrupt status read for old buggy chips")
Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
Acked-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 8 ++++++++
drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 2 ++
drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c | 5 ++++-
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
index b2fa1f4957a5b..5796896d54cd8 100644
--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
+++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
@@ -1943,6 +1943,14 @@ int inv_mpu_core_probe(struct regmap *regmap, int irq, const char *name,
irq_type);
return -EINVAL;
}
+
+ /*
+ * Acking interrupts by status register does not work reliably
+ * but seem to work when this bit is set.
+ */
+ if (st->chip_type == INV_MPU9150)
+ st->irq_mask |= INV_MPU6050_INT_RD_CLEAR;
+
device_set_wakeup_capable(dev, true);
st->vdd_supply = devm_regulator_get(dev, "vdd");
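Review bot: the comment added above the INV_MPU9150 check says acking "seem to work when this bit is set" without naming the bit or what it changes. Please name INV_MPU6050_INT_RD_CLEAR in the comment and state its effect (interrupt cleared by any register read), and fix the grammar ("seems"). It would also help to say that the quirk is limited to MPU9150 because that is the only chip where the storm was observed.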
diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h
index 211901f8b8eb6..6239b1a803f77 100644
--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h
+++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h
@@ -390,6 +390,8 @@ struct inv_mpu6050_state {
/* enable level triggering */
#define INV_MPU6050_LATCH_INT_EN 0x20
#define INV_MPU6050_BIT_BYPASS_EN 0x2
+/* allow acking interrupts by any register read */
+#define INV_MPU6050_INT_RD_CLEAR 0x10
/* Allowed timestamp period jitter in percent */
#define INV_MPU6050_TS_PERIOD_JITTER 4
diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c
index 10a4733420759..22c1ce66f99ee 100644
--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c
+++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c
@@ -248,7 +248,6 @@ static irqreturn_t inv_mpu6050_interrupt_handle(int irq, void *p)
switch (st->chip_type) {
case INV_MPU6000:
case INV_MPU6050:
- case INV_MPU9150:
/*
* WoM is not supported and interrupt status read seems to be broken for
* some chips. Since data ready is the only interrupt, bypass interrupt
@@ -257,6 +256,10 @@ static irqreturn_t inv_mpu6050_interrupt_handle(int irq, void *p)
wom_bits = 0;
int_status = INV_MPU6050_BIT_RAW_DATA_RDY_INT;
goto data_ready_interrupt;
+ case INV_MPU9150:
+ /* IRQ needs to be acked */
+ wom_bits = 0;
+ break;
case INV_MPU6500:
case INV_MPU6515:
case INV_MPU6880:
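Review bot: the new INV_MPU9150 case sets wom_bits = 0 and breaks out of the switch, so from here the handler depends on the interrupt status value that the retained comment just above calls broken for some chips. If the status read comes back without the data-ready bit on an MPU9150, please make sure the handler still acks the interrupt and does not drop the sample. The comment "IRQ needs to be acked" should say where the ack actually happens.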
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 113/378] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 112/378] iio: imu: inv-mpu9150: fix irq ack preventing irq storms Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 114/378] drm/amdgpu: ensure no_hw_access is visible before MMIO Greg Kroah-Hartman
` (271 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Seungjin Bae, Alan Stern,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seungjin Bae <eeodqql09@gmail.com>
[ Upstream commit 8479891d1f04a8ce55366fe4ca361ccdb96f02e1 ]
The `check_command_size_in_blocks()` function calculates the data size
in bytes by left shifting `common->data_size_from_cmnd` by the block
size (`common->curlun->blkbits`). However, it does not validate whether
this shift operation will cause an integer overflow.
Initially, the block size is set up in `fsg_lun_open()`, and the
`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During
initialization, there is no integer overflow check for the interaction
between two variables.
So if a malicious USB host sends a SCSI READ or WRITE command
requesting a large amount of data (`common->data_size_from_cmnd`), the
left shift operation can wrap around. This results in a truncated data
size, which can bypass boundary checks and potentially lead to memory
corruption or out-of-bounds accesses.
Fix this by using the check_shl_overflow() macro to safely perform the
shift and catch any overflows.
Fixes: 144974e7f9e3 ("usb: gadget: mass_storage: support multi-luns with different logic block size")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20260228104324.1696455-2-eeodqql09@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/f_mass_storage.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c
index 94d478b6bcd3d..6f275c3d11ac5 100644
--- a/drivers/usb/gadget/function/f_mass_storage.c
+++ b/drivers/usb/gadget/function/f_mass_storage.c
@@ -180,6 +180,7 @@
#include <linux/kthread.h>
#include <linux/sched/signal.h>
#include <linux/limits.h>
+#include <linux/overflow.h>
#include <linux/pagemap.h>
#include <linux/rwsem.h>
#include <linux/slab.h>
@@ -1853,8 +1854,15 @@ static int check_command_size_in_blocks(struct fsg_common *common,
int cmnd_size, enum data_direction data_dir,
unsigned int mask, int needs_medium, const char *name)
{
- if (common->curlun)
- common->data_size_from_cmnd <<= common->curlun->blkbits;
+ if (common->curlun) {
+ if (check_shl_overflow(common->data_size_from_cmnd,
+ common->curlun->blkbits,
+ &common->data_size_from_cmnd)) {
+ common->phase_error = 1;
+ return -EINVAL;
+ }
+ }
+
return check_command(common, cmnd_size, data_dir,
mask, needs_medium, name);
}
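Review bot: in check_command_size_in_blocks() the destination passed to check_shl_overflow() is the same field as the input, and that macro stores the truncated result in the destination even when it reports overflow, so common->data_size_from_cmnd is already clobbered on the -EINVAL path. That is harmless only if nothing reads the field after the error return; shifting into a local and assigning on success would make it obviously safe. Please also add a comment on why phase_error is set here, since the visible lines do not show that the caller treats -EINVAL as a phase error.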
--
2.51.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
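The wrap-around described in the commit message above, as an added user-space example (not kernel code and not part of the patch). It assumes a 32-bit size field; the function names and sample values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical stand-in for the unchecked conversion: block count to byte
 * count by shifting with the block-size exponent. Bits shifted past bit 31
 * are silently discarded. Callers must keep blkbits below 32.
 */
static uint32_t blocks_to_bytes_unchecked(uint32_t blocks, unsigned int blkbits)
{
	return blocks << blkbits;
}

/*
 * Checked variant: returns false and leaves *bytes untouched when the
 * shifted value does not fit in 32 bits.
 */
static bool blocks_to_bytes_checked(uint32_t blocks, unsigned int blkbits,
				    uint32_t *bytes)
{
	if (blkbits >= 32)
		return false;
	/* Any bit set in the top blkbits positions would be shifted out. */
	if (blkbits != 0 && (blocks >> (32 - blkbits)) != 0)
		return false;
	*bytes = blocks << blkbits;
	return true;
}

/* Constructed bounds check of the kind a truncated size can slip past. */
static bool fits_in_medium(uint32_t bytes, uint32_t medium_bytes)
{
	return bytes <= medium_bytes;
}

int main(void)
{
	/* Constructed input: 0x00800001 blocks of 512 bytes (blkbits = 9). */
	const uint32_t blocks = 0x00800001u;
	const unsigned int blkbits = 9;
	const uint32_t medium_bytes = 1u << 20;	/* 1 MiB backing store */
	uint32_t bytes = 0;

	uint32_t wrapped = blocks_to_bytes_unchecked(blocks, blkbits);
	printf("unchecked: %u blocks -> %u bytes, passes bounds check: %s\n",
	       (unsigned)blocks, (unsigned)wrapped,
	       fits_in_medium(wrapped, medium_bytes) ? "yes" : "no");

	if (!blocks_to_bytes_checked(blocks, blkbits, &bytes))
		printf("checked:   request rejected, size does not fit\n");

	if (blocks_to_bytes_checked(8, blkbits, &bytes))
		printf("checked:   8 blocks -> %u bytes\n", (unsigned)bytes);

	return 0;
}
```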
* [PATCH 6.19 114/378] drm/amdgpu: ensure no_hw_access is visible before MMIO
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 113/378] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 115/378] cgroup: fix race between task migration and iteration Greg Kroah-Hartman
` (270 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Perry Yuan, Yifan Zhang,
Alex Deucher, Simon Liebold
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Perry Yuan <perry.yuan@amd.com>
commit 31b153315b8702d0249aa44d83d9fbf42c5c7a79 upstream.
Add a full memory barrier after clearing no_hw_access in
amdgpu_device_mode1_reset() so subsequent PCI state restore
access cannot observe stale state on other CPUs.
Fixes: 7edb503fe4b6 ("drm/amd/pm: Disable MMIO access during SMU Mode 1 reset")
Signed-off-by: Perry Yuan <perry.yuan@amd.com>
Reviewed-by: Yifan Zhang <yifan1.zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: Simon Liebold <simonlie@amazon.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -5878,6 +5878,9 @@ int amdgpu_device_mode1_reset(struct amd
/* enable mmio access after mode 1 reset completed */
adev->no_hw_access = false;
+ /* ensure no_hw_access is updated before we access hw */
+ smp_mb();
+
amdgpu_device_load_pci_state(adev->pdev);
ret = amdgpu_psp_wait_for_bootloader(adev);
if (ret)
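Review bot: The smp_mb() added after `adev->no_hw_access = false;` in amdgpu_device_mode1_reset() has no visible pairing. A barrier on the writer side orders this CPU's store against its own later accesses; code on other CPUs that tests no_hw_access needs a matching barrier or an acquire-style read for the ordering to mean anything. The comment should name the read side this barrier pairs with, and the plain store to the flag could become WRITE_ONCE() so the compiler treats it as shared state.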
* [PATCH 6.19 115/378] cgroup: fix race between task migration and iteration
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 114/378] drm/amdgpu: ensure no_hw_access is visible before MMIO Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 116/378] sched_ext: Remove redundant css_put() in scx_cgroup_init() Greg Kroah-Hartman
` (269 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qingye Zhao, Michal Koutný,
Tejun Heo
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingye Zhao <zhaoqingye@honor.com>
commit 5ee01f1a7343d6a3547b6802ca2d4cdce0edacb1 upstream.
When a task is migrated out of a css_set, cgroup_migrate_add_task()
first moves it from cset->tasks to cset->mg_tasks via:
list_move_tail(&task->cg_list, &cset->mg_tasks);
If a css_task_iter currently has it->task_pos pointing to this task,
css_set_move_task() calls css_task_iter_skip() to keep the iterator
valid. However, since the task has already been moved to ->mg_tasks,
the iterator is advanced relative to the mg_tasks list instead of the
original tasks list. As a result, remaining tasks on cset->tasks, as
well as tasks queued on cset->mg_tasks, can be skipped by iteration.
Fix this by calling css_set_skip_task_iters() before unlinking
task->cg_list from cset->tasks. This advances all active iterators to
the next task on cset->tasks, so iteration continues correctly even
when a task is concurrently being migrated.
This race is hard to hit in practice without instrumentation, but it
can be reproduced by artificially slowing down cgroup_procs_show().
For example, on an Android device a temporary
/sys/kernel/cgroup/cgroup_test knob can be added to inject a delay
into cgroup_procs_show(), and then:
1) Spawn three long-running tasks (PIDs 101, 102, 103).
2) Create a test cgroup and move the tasks into it.
3) Enable a large delay via /sys/kernel/cgroup/cgroup_test.
4) In one shell, read cgroup.procs from the test cgroup.
5) Within the delay window, in another shell migrate PID 102 by
writing it to a different cgroup.procs file.
Under this setup, cgroup.procs can intermittently show only PID 101
while skipping PID 103. Once the migration completes, reading the
file again shows all tasks as expected.
Note that this change does not allow removing the existing
css_set_skip_task_iters() call in css_set_move_task(). The new call
in cgroup_migrate_add_task() only handles iterators that are racing
with migration while the task is still on cset->tasks. Iterators may
also start after the task has been moved to cset->mg_tasks. If we
dropped css_set_skip_task_iters() from css_set_move_task(), such
iterators could keep task_pos pointing to a migrating task, causing
css_task_iter_advance() to malfunction on the destination css_set,
up to and including crashes or infinite loops.
The race window between migration and iteration is very small, and
css_task_iter is not on a hot path. In the worst case, when an
iterator is positioned on the first thread of the migrating process,
cgroup_migrate_add_task() may have to skip multiple tasks via
css_set_skip_task_iters(). However, this only happens when migration
and iteration actually race, so the performance impact is negligible
compared to the correctness fix provided here.
Fixes: b636fd38dc40 ("cgroup: Implement css_task_iter_skip()")
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: Qingye Zhao <zhaoqingye@honor.com>
Reviewed-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/cgroup/cgroup.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -2608,6 +2608,7 @@ static void cgroup_migrate_add_task(stru
mgctx->tset.nr_tasks++;
+ css_set_skip_task_iters(cset, task);
list_move_tail(&task->cg_list, &cset->mg_tasks);
if (list_empty(&cset->mg_node))
list_add_tail(&cset->mg_node,
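Review bot: The added css_set_skip_task_iters(cset, task) in cgroup_migrate_add_task() is correct only because it runs before list_move_tail() takes task->cg_list off cset->tasks, and the hunk carries no comment saying so. A short comment above the call, stating that iterators must be advanced while the task is still on cset->tasks and that the existing call in css_set_move_task() remains necessary, would keep a later cleanup from reordering or dropping either call.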
* [PATCH 6.19 116/378] sched_ext: Remove redundant css_put() in scx_cgroup_init()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 115/378] cgroup: fix race between task migration and iteration Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 117/378] cgroup: Dont expose dead tasks in cgroup Greg Kroah-Hartman
` (268 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cheng-Yang Chou, Andrea Righi,
Tejun Heo
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cheng-Yang Chou <yphbchou0911@gmail.com>
commit 1336b579f6079fb8520be03624fcd9ba443c930b upstream.
The iterator css_for_each_descendant_pre() walks the cgroup hierarchy
under cgroup_lock(). It does not increment the reference counts on
yielded css structs.
According to the cgroup documentation, css_put() should only be used
to release a reference obtained via css_get() or css_tryget_online().
Since the iterator does not use either of these to acquire a reference,
calling css_put() in the error path of scx_cgroup_init() causes a
refcount underflow.
Remove the unbalanced css_put() to prevent a potential Use-After-Free
(UAF) vulnerability.
Fixes: 819513666966 ("sched_ext: Add cgroup support")
Cc: stable@vger.kernel.org # v6.12+
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 1 -
1 file changed, 1 deletion(-)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -3553,7 +3553,6 @@ static int scx_cgroup_init(struct scx_sc
ret = SCX_CALL_OP_RET(sch, SCX_KF_UNLOCKED, cgroup_init, NULL,
css->cgroup, &args);
if (ret) {
- css_put(css);
scx_error(sch, "ops.cgroup_init() failed (%d)", ret);
return ret;
}
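Review bot: With css_put() removed from the `if (ret)` branch in scx_cgroup_init(), nothing in the visible lines records why this error path must not drop a reference. A one-line comment where css is obtained, noting that css_for_each_descendant_pre() yields css pointers without taking a reference, would keep the put from being reintroduced. The function's other exit paths are outside this hunk and should be checked for the same unbalanced call.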
* [PATCH 6.19 117/378] cgroup: Dont expose dead tasks in cgroup
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 116/378] sched_ext: Remove redundant css_put() in scx_cgroup_init() Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 118/378] ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() Greg Kroah-Hartman
` (267 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bert Karwatzki,
Sebastian Andrzej Siewior, Tejun Heo
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
commit a72f73c4dd9b209c53cf8b03b6e97fcefad4262c upstream.
Once a task exits it has its state set to TASK_DEAD and then it is
removed from the cgroup it belonged to. The last step happens when the task
gets out of its last schedule() invocation and is delayed on PREEMPT_RT
due to locking constraints.
As a result it is possible to receive a pid via waitpid() of a task
which is still listed in cgroup.procs for the cgroup it belonged
to. This is something that systemd does not expect and as a result it
waits for its exit until a timeout occurs.
This can also be reproduced on a !PREEMPT_RT kernel with a significant
delay in do_exit() after exit_notify().
Hide tasks which have PF_EXITING set from the output; the flag is set
before the parent is notified. Keeping zombies with live threads
shouldn't break anything (suggested by Tejun).
Reported-by: Bert Karwatzki <spasswolf@web.de>
Closes: https://lore.kernel.org/all/20260219164648.3014-1-spasswolf@web.de/
Tested-by: Bert Karwatzki <spasswolf@web.de>
Fixes: 9311e6c29b34 ("cgroup: Fix sleeping from invalid context warning on PREEMPT_RT")
Cc: stable@vger.kernel.org # v6.19+
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/cgroup/cgroup.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index be1d71dda317..01fc2a93f3ef 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -5109,6 +5109,12 @@ static void css_task_iter_advance(struct css_task_iter *it)
return;
task = list_entry(it->task_pos, struct task_struct, cg_list);
+ /*
+ * Hide tasks that are exiting but not yet removed. Keep zombie
+ * leaders with live threads visible.
+ */
+ if ((task->flags & PF_EXITING) && !atomic_read(&task->signal->live))
+ goto repeat;
if (it->flags & CSS_TASK_ITER_PROCS) {
/* if PROCS, skip over tasks which aren't group leaders */
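Review bot: The new test in css_task_iter_advance(), `(task->flags & PF_EXITING) && !atomic_read(&task->signal->live)`, runs for every task before the CSS_TASK_ITER_PROCS check, so it is not limited to group leaders as the comment's "zombie leaders" wording suggests. Any exiting thread stays visible while its thread group still has live members and is hidden only once signal->live reaches zero. The comment should state that rule for threads as well, since it also decides what a thread-level iteration returns.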
--
2.53.0
* [PATCH 6.19 118/378] ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 117/378] cgroup: Dont expose dead tasks in cgroup Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 119/378] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces Greg Kroah-Hartman
` (266 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mehul Rao, Takashi Iwai
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mehul Rao <mehulrao@gmail.com>
commit 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6 upstream.
In the drain loop, the local variable 'runtime' is reassigned to a
linked stream's runtime (runtime = s->runtime at line 2157). After
releasing the stream lock at line 2169, the code accesses
runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size
(lines 2170-2178) — all referencing the linked stream's runtime without
any lock or refcount protecting its lifetime.
A concurrent close() on the linked stream's fd triggers
snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private()
→ snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime).
No synchronization prevents kfree(runtime) from completing while the
drain path dereferences the stale pointer.
Fix by caching the needed runtime fields (no_period_wakeup, rate,
buffer_size) into local variables while still holding the stream lock,
and using the cached values after the lock is released.
Fixes: f2b3614cefb6 ("ALSA: PCM - Don't check DMA time-out too shortly")
Cc: stable@vger.kernel.org
Signed-off-by: Mehul Rao <mehulrao@gmail.com>
Link: https://patch.msgid.link/20260305193508.311096-1-mehulrao@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/pcm_native.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -2144,6 +2144,10 @@ static int snd_pcm_drain(struct snd_pcm_
for (;;) {
long tout;
struct snd_pcm_runtime *to_check;
+ unsigned int drain_rate;
+ snd_pcm_uframes_t drain_bufsz;
+ bool drain_no_period_wakeup;
+
if (signal_pending(current)) {
result = -ERESTARTSYS;
break;
@@ -2163,16 +2167,25 @@ static int snd_pcm_drain(struct snd_pcm_
snd_pcm_group_unref(group, substream);
if (!to_check)
break; /* all drained */
+ /*
+ * Cache the runtime fields needed after unlock.
+ * A concurrent close() on the linked stream may free
+ * its runtime via snd_pcm_detach_substream() once we
+ * release the stream lock below.
+ */
+ drain_no_period_wakeup = to_check->no_period_wakeup;
+ drain_rate = to_check->rate;
+ drain_bufsz = to_check->buffer_size;
init_waitqueue_entry(&wait, current);
set_current_state(TASK_INTERRUPTIBLE);
add_wait_queue(&to_check->sleep, &wait);
snd_pcm_stream_unlock_irq(substream);
- if (runtime->no_period_wakeup)
+ if (drain_no_period_wakeup)
tout = MAX_SCHEDULE_TIMEOUT;
else {
tout = 100;
- if (runtime->rate) {
- long t = runtime->buffer_size * 1100 / runtime->rate;
+ if (drain_rate) {
+ long t = drain_bufsz * 1100 / drain_rate;
tout = max(t, tout);
}
tout = msecs_to_jiffies(tout);
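Review bot: After the caching block in snd_pcm_drain(), `add_wait_queue(&to_check->sleep, &wait);` still queues the wait entry on a wait-queue head that lives inside the same runtime the new comment says may be freed once the stream lock is released. The three cached fields cover the timeout calculation, but the code that removes the wait entry after the sleep is outside this hunk. It should be confirmed that it re-validates the linked stream under the lock before touching to_check->sleep, otherwise the same lifetime problem remains on that path.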
* [PATCH 6.19 119/378] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 118/378] ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 120/378] can: gs_usb: gs_can_open(): always configure bitrates before starting device Greg Kroah-Hartman
` (265 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8f29539ef9a1c8334f42,
syzbot+ae893a8901067fde2741, Takashi Iwai
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit df1d8abf36ca3681c21a6809eaa9a1e01ef897a6 upstream.
The Scarlett2 mixer quirk in USB-audio driver may hit a NULL
dereference when a malformed USB descriptor is passed, since it
assumes the presence of an endpoint in the parsed interface in
scarlett2_find_fc_interface(), as reported by fuzzer.
For avoiding the NULL dereference, just add the sanity check of
bNumEndpoints and skip the invalid interface.
Reported-by: syzbot+8f29539ef9a1c8334f42@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/69acbbe1.050a0220.310d8.0001.GAE@google.com
Reported-by: syzbot+ae893a8901067fde2741@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/69acf72a.050a0220.310d8.0004.GAE@google.com
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260309104632.141895-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_scarlett2.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/usb/mixer_scarlett2.c
+++ b/sound/usb/mixer_scarlett2.c
@@ -8251,6 +8251,8 @@ static int scarlett2_find_fc_interface(s
if (desc->bInterfaceClass != 255)
continue;
+ if (desc->bNumEndpoints < 1)
+ continue;
epd = get_endpoint(intf->altsetting, 0);
private->bInterfaceNumber = desc->bInterfaceNumber;
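Review bot: The new `desc->bNumEndpoints < 1` test in scarlett2_find_fc_interface() guards `get_endpoint(intf->altsetting, 0)`, so it only helps if desc describes that same first altsetting. The assignment of desc is outside the hunk and should be confirmed to read from intf->altsetting rather than from the current altsetting. A short comment saying the check rejects malformed descriptors would also explain why a class-255 interface can be skipped here.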
* [PATCH 6.19 120/378] can: gs_usb: gs_can_open(): always configure bitrates before starting device
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 119/378] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 121/378] net: usb: lan78xx: fix silent drop of packets with checksum errors Greg Kroah-Hartman
` (264 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit 2df6162785f31f1bbb598cfc3b08e4efc88f80b6 upstream.
So far the driver populated the struct can_priv::do_set_bittiming() and
struct can_priv::fd::do_set_data_bittiming() callbacks.
Before bringing up the interface, user space has to configure the bitrates.
With these callbacks the configuration is directly forwarded into the CAN
hardware. Then the interface can be brought up.
An ifdown-ifup cycle (without changing the bit rates) doesn't re-configure
the bitrates in the CAN hardware. This leads to a problem with the
CANable-2.5 [1] firmware, which resets the configured bit rates during
ifdown.
To fix the problem remove both bit timing callbacks and always configure
the bitrates in the struct net_device_ops::ndo_open() callback.
[1] https://github.com/Elmue/CANable-2.5-firmware-Slcan-and-Candlelight
Cc: stable@vger.kernel.org
Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
Link: https://patch.msgid.link/20260219-gs_usb-always-configure-bitrates-v2-1-671f8ba5b0a5@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/gs_usb.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -772,9 +772,8 @@ device_detach:
}
}
-static int gs_usb_set_bittiming(struct net_device *netdev)
+static int gs_usb_set_bittiming(struct gs_can *dev)
{
- struct gs_can *dev = netdev_priv(netdev);
struct can_bittiming *bt = &dev->can.bittiming;
struct gs_device_bittiming dbt = {
.prop_seg = cpu_to_le32(bt->prop_seg),
@@ -791,9 +790,8 @@ static int gs_usb_set_bittiming(struct n
GFP_KERNEL);
}
-static int gs_usb_set_data_bittiming(struct net_device *netdev)
+static int gs_usb_set_data_bittiming(struct gs_can *dev)
{
- struct gs_can *dev = netdev_priv(netdev);
struct can_bittiming *bt = &dev->can.fd.data_bittiming;
struct gs_device_bittiming dbt = {
.prop_seg = cpu_to_le32(bt->prop_seg),
@@ -1057,6 +1055,20 @@ static int gs_can_open(struct net_device
if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP)
flags |= GS_CAN_MODE_HW_TIMESTAMP;
+ rc = gs_usb_set_bittiming(dev);
+ if (rc) {
+ netdev_err(netdev, "failed to set bittiming: %pe\n", ERR_PTR(rc));
+ goto out_usb_kill_anchored_urbs;
+ }
+
+ if (ctrlmode & CAN_CTRLMODE_FD) {
+ rc = gs_usb_set_data_bittiming(dev);
+ if (rc) {
+ netdev_err(netdev, "failed to set data bittiming: %pe\n", ERR_PTR(rc));
+ goto out_usb_kill_anchored_urbs;
+ }
+ }
+
/* finally start device */
dev->can.state = CAN_STATE_ERROR_ACTIVE;
dm.flags = cpu_to_le32(flags);
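Review bot: Both new failure branches in gs_can_open() jump to out_usb_kill_anchored_urbs, which is not visible in this hunk. The label name implies URBs are already anchored at this point, so confirm that the label undoes everything set up before the bittiming requests are sent and that no step between its earlier users and this spot is left unreverted. The two netdev_err() calls are near duplicates; if a third bittiming request is ever added, a small helper taking the message prefix would keep the error path uniform.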
@@ -1370,7 +1382,6 @@ static struct gs_can *gs_make_candev(uns
dev->can.state = CAN_STATE_STOPPED;
dev->can.clock.freq = le32_to_cpu(bt_const.fclk_can);
dev->can.bittiming_const = &dev->bt_const;
- dev->can.do_set_bittiming = gs_usb_set_bittiming;
dev->can.ctrlmode_supported = CAN_CTRLMODE_CC_LEN8_DLC;
@@ -1394,7 +1405,6 @@ static struct gs_can *gs_make_candev(uns
* GS_CAN_FEATURE_BT_CONST_EXT is set.
*/
dev->can.fd.data_bittiming_const = &dev->bt_const;
- dev->can.fd.do_set_data_bittiming = gs_usb_set_data_bittiming;
}
if (feature & GS_CAN_FEATURE_TERMINATION) {
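Review bot: Dropping the do_set_data_bittiming assignment here, together with do_set_bittiming in the previous hunk, moves any device-side rejection of a bit timing from the moment user space sets it to the next ifup. That user-visible change in when the error is reported is not mentioned in the changelog; a sentence there, or a comment in gs_can_open() next to the new calls, would make the later failure expected.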
* [PATCH 6.19 121/378] net: usb: lan78xx: fix silent drop of packets with checksum errors
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 120/378] can: gs_usb: gs_can_open(): always configure bitrates before starting device Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 122/378] net: usb: lan78xx: fix TX byte statistics for small packets Greg Kroah-Hartman
` (263 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit e4f774a0cc955ce762aec91c66915a6e15087ab7 upstream.
Do not drop packets with checksum errors at the USB driver level;
pass them to the network stack.
Previously, the driver dropped all packets where the 'Receive Error
Detected' (RED) bit was set, regardless of the specific error type. This
caused packets with only IP or TCP/UDP checksum errors to be dropped
before reaching the kernel, preventing the network stack from accounting
for them or performing software fallback.
Add a mask for hard hardware errors to safely drop genuinely corrupt
frames, while allowing checksum-errored frames to pass with their
ip_summed field explicitly set to CHECKSUM_NONE.
Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260305143429.530909-2-o.rempel@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/lan78xx.c | 4 +++-
drivers/net/usb/lan78xx.h | 3 +++
2 files changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -3829,6 +3829,7 @@ static void lan78xx_rx_csum_offload(stru
*/
if (!(dev->net->features & NETIF_F_RXCSUM) ||
unlikely(rx_cmd_a & RX_CMD_A_ICSM_) ||
+ unlikely(rx_cmd_a & RX_CMD_A_CSE_MASK_) ||
((rx_cmd_a & RX_CMD_A_FVTG_) &&
!(dev->net->features & NETIF_F_HW_VLAN_CTAG_RX))) {
skb->ip_summed = CHECKSUM_NONE;
@@ -3901,7 +3902,8 @@ static int lan78xx_rx(struct lan78xx_net
return 0;
}
- if (unlikely(rx_cmd_a & RX_CMD_A_RED_)) {
+ if (unlikely(rx_cmd_a & RX_CMD_A_RED_) &&
+ (rx_cmd_a & RX_CMD_A_RX_HARD_ERRS_MASK_)) {
netif_dbg(dev, rx_err, dev->net,
"Error rx_cmd_a=0x%08x", rx_cmd_a);
} else {
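Review bot: In lan78xx_rx(), a frame with RX_CMD_A_RED_ set but none of the RX_CMD_A_RX_HARD_ERRS_MASK_ bits now falls through to the else branch. That is the intent for checksum errors, but it applies equally to any other cause of RED that the mask does not cover, so the mask's coverage should be checked against the datasheet. As a style point, `unlikely()` wraps only the RED test while the mask test sits outside it; wrapping the whole conjunction would apply the hint to the condition that actually selects the branch.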
--- a/drivers/net/usb/lan78xx.h
+++ b/drivers/net/usb/lan78xx.h
@@ -74,6 +74,9 @@
#define RX_CMD_A_ICSM_ (0x00004000)
#define RX_CMD_A_LEN_MASK_ (0x00003FFF)
+#define RX_CMD_A_RX_HARD_ERRS_MASK_ \
+ (RX_CMD_A_RX_ERRS_MASK_ & ~RX_CMD_A_CSE_MASK_)
+
/* Rx Command B */
#define RX_CMD_B_CSUM_SHIFT_ (16)
#define RX_CMD_B_CSUM_MASK_ (0xFFFF0000)
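Review bot: RX_CMD_A_RX_HARD_ERRS_MASK_ is built from RX_CMD_A_RX_ERRS_MASK_ and RX_CMD_A_CSE_MASK_, neither of which appears in this hunk, and it is added after RX_CMD_A_LEN_MASK_ without a comment. A one-line comment saying that it is the set of receive errors for which the frame is dropped, that is, every error except the checksum ones, would document the policy next to the definition instead of only in the changelog.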
* [PATCH 6.19 122/378] net: usb: lan78xx: fix TX byte statistics for small packets
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 121/378] net: usb: lan78xx: fix silent drop of packets with checksum errors Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 123/378] net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect Greg Kroah-Hartman
` (262 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit 50988747c30df47b73b787f234f746027cb7ec6c upstream.
Account for hardware auto-padding in TX byte counters to reflect actual
wire traffic.
The LAN7850 hardware automatically pads undersized frames to the minimum
Ethernet frame length (ETH_ZLEN, 60 bytes). However, the driver tracks
the network statistics based on the unpadded socket buffer length. This
results in the tx_bytes counter under-reporting the actual physical
bytes placed on the Ethernet wire for small packets (like short ARP or
ICMP requests).
Use max_t() to ensure the transmission statistics accurately account for
the hardware-generated padding.
Fixes: d383216a7efe ("lan78xx: Introduce Tx URB processing improvements")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260305143429.530909-3-o.rempel@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/lan78xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -4178,7 +4178,7 @@ static struct skb_data *lan78xx_tx_buf_f
}
tx_data += len;
- entry->length += len;
+ entry->length += max_t(unsigned int, len, ETH_ZLEN);
entry->num_of_packet += skb_shinfo(skb)->gso_segs ?: 1;
dev_kfree_skb_any(skb);
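Review bot: After this change `tx_data += len;` advances the buffer by the unpadded length while `entry->length` grows by at least ETH_ZLEN, so the two no longer agree for short frames. If entry->length is consumed only for tx_bytes accounting that is the intent, but if code outside this hunk also uses it as a URB or buffer length it would now overstate the data; a comment or a separate statistics field would make the distinction explicit. It is also worth confirming that `len` here is the frame alone and not the frame plus a TX command header, since max_t() against ETH_ZLEN assumes the former.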
* [PATCH 6.19 123/378] net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 122/378] net: usb: lan78xx: fix TX byte statistics for small packets Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 124/378] net: usb: lan78xx: skip LTM configuration for LAN7850 Greg Kroah-Hartman
` (261 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit 312c816c6bc30342bc30dca0d6db617ab4d3ae4e upstream.
Remove redundant netif_napi_del() call from disconnect path.
A WARN may be triggered in __netif_napi_del_locked() during USB device
disconnect:
WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350
This happens because netif_napi_del() is called in the disconnect path while
NAPI is still enabled. However, it is not necessary to call netif_napi_del()
explicitly, since unregister_netdev() will handle NAPI teardown automatically
and safely. Removing the redundant call avoids triggering the warning.
Full trace:
lan78xx 1-1:1.0 enu1: Failed to read register index 0x000000c4. ret = -ENODEV
lan78xx 1-1:1.0 enu1: Failed to set MAC down with error -ENODEV
lan78xx 1-1:1.0 enu1: Link is Down
lan78xx 1-1:1.0 enu1: Failed to read register index 0x00000120. ret = -ENODEV
------------[ cut here ]------------
WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350
Modules linked in: flexcan can_dev fuse
CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.0-rc2-00624-ge926949dab03 #9 PREEMPT
Hardware name: SKOV IMX8MP CPU revC - bd500 (DT)
Workqueue: usb_hub_wq hub_event
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __netif_napi_del_locked+0x2b4/0x350
lr : __netif_napi_del_locked+0x7c/0x350
sp : ffffffc085b673c0
x29: ffffffc085b673c0 x28: ffffff800b7f2000 x27: ffffff800b7f20d8
x26: ffffff80110bcf58 x25: ffffff80110bd978 x24: 1ffffff0022179eb
x23: ffffff80110bc000 x22: ffffff800b7f5000 x21: ffffff80110bc000
x20: ffffff80110bcf38 x19: ffffff80110bcf28 x18: dfffffc000000000
x17: ffffffc081578940 x16: ffffffc08284cee0 x15: 0000000000000028
x14: 0000000000000006 x13: 0000000000040000 x12: ffffffb0022179e8
x11: 1ffffff0022179e7 x10: ffffffb0022179e7 x9 : dfffffc000000000
x8 : 0000004ffdde8619 x7 : ffffff80110bcf3f x6 : 0000000000000001
x5 : ffffff80110bcf38 x4 : ffffff80110bcf38 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 1ffffff0022179e7 x0 : 0000000000000000
Call trace:
__netif_napi_del_locked+0x2b4/0x350 (P)
lan78xx_disconnect+0xf4/0x360
usb_unbind_interface+0x158/0x718
device_remove+0x100/0x150
device_release_driver_internal+0x308/0x478
device_release_driver+0x1c/0x30
bus_remove_device+0x1a8/0x368
device_del+0x2e0/0x7b0
usb_disable_device+0x244/0x540
usb_disconnect+0x220/0x758
hub_event+0x105c/0x35e0
process_one_work+0x760/0x17b0
worker_thread+0x768/0xce8
kthread+0x3bc/0x690
ret_from_fork+0x10/0x20
irq event stamp: 211604
hardirqs last enabled at (211603): [<ffffffc0828cc9ec>] _raw_spin_unlock_irqrestore+0x84/0x98
hardirqs last disabled at (211604): [<ffffffc0828a9a84>] el1_dbg+0x24/0x80
softirqs last enabled at (211296): [<ffffffc080095f10>] handle_softirqs+0x820/0xbc8
softirqs last disabled at (210993): [<ffffffc080010288>] __do_softirq+0x18/0x20
---[ end trace 0000000000000000 ]---
lan78xx 1-1:1.0 enu1: failed to kill vid 0081/0
Fixes: e110bc825897 ("net: usb: lan78xx: Convert to PHYLINK for improved PHY and MAC management")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260305143429.530909-5-o.rempel@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/lan78xx.c | 2 --
1 file changed, 2 deletions(-)
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -4548,8 +4548,6 @@ static void lan78xx_disconnect(struct us
phylink_disconnect_phy(dev->phylink);
rtnl_unlock();
- netif_napi_del(&dev->napi);
-
unregister_netdev(net);
timer_shutdown_sync(&dev->stat_monitor);
* [PATCH 6.19 124/378] net: usb: lan78xx: skip LTM configuration for LAN7850
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 123/378] net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 125/378] gpib: lpvo_usb: fix unintended binding of FTDI 8U232AM devices Greg Kroah-Hartman
` (260 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit d9cc0e440f0664f6f3e2c26e39ab9dd5f3badba7 upstream.
Do not configure Latency Tolerance Messaging (LTM) on USB 2.0 hardware.
The LAN7850 is a High-Speed (USB 2.0) only device and does not support
SuperSpeed features like LTM. Currently, the driver unconditionally
attempts to configure LTM registers during initialization. On the
LAN7850, these registers do not exist, resulting in writes to invalid
or undocumented memory space.
This issue was identified during a port to the regmap API with strict
register validation enabled. While no functional issues or crashes have
been observed from these invalid writes, bypassing LTM initialization
on the LAN7850 ensures the driver strictly adheres to the hardware's
valid register map.
Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260305143429.530909-4-o.rempel@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/lan78xx.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -3119,6 +3119,10 @@ static int lan78xx_init_ltm(struct lan78
int ret;
u32 buf;
+ /* LAN7850 is USB 2.0 and does not support LTM */
+ if (dev->chipid == ID_REV_CHIP_ID_7850_)
+ return 0;
+
ret = lan78xx_read_reg(dev, USB_CFG1, &buf);
if (ret < 0)
goto init_ltm_failed;
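Review bot: the new guard at the top of lan78xx_init_ltm() is keyed on a single chip ID (ID_REV_CHIP_ID_7850_), while the reason given in its comment is a property of the part (USB 2.0 only, no LTM). If another High-Speed-only device is added to this driver it will fall through to the USB_CFG1 read again; a small helper that names the capability would give the condition one place to grow.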
* [PATCH 6.19 125/378] gpib: lpvo_usb: fix unintended binding of FTDI 8U232AM devices
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 124/378] net: usb: lan78xx: skip LTM configuration for LAN7850 Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 126/378] rust_binder: fix oneway spam detection Greg Kroah-Hartman
` (259 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dave Penkler, stable, Johan Hovold
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 163cc462dea7d5b75be4db49ca78a2b99c55375e upstream.
The LPVO USB GPIB adapter apparently uses an FTDI 8U232AM with the
default PID, but this device id is already handled by the ftdi_sio
serial driver.
Stop binding to the default PID to avoid breaking existing setups with
FTDI 8U232AM.
Anyone using this driver should blacklist the ftdi_sio driver and add
the device id manually through sysfs (e.g. using udev rules).
Fixes: fce79512a96a ("staging: gpib: Add LPVO DIY USB GPIB driver")
Fixes: e6ab504633e4 ("staging: gpib: Destage gpib")
Cc: Dave Penkler <dpenkler@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260305151729.10501-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpib/lpvo_usb_gpib/lpvo_usb_gpib.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/gpib/lpvo_usb_gpib/lpvo_usb_gpib.c
+++ b/drivers/gpib/lpvo_usb_gpib/lpvo_usb_gpib.c
@@ -38,8 +38,10 @@ MODULE_DESCRIPTION("GPIB driver for LPVO
/*
* Table of devices that work with this driver.
*
- * Currently, only one device is known to be used in the
- * lpvo_usb_gpib adapter (FTDI 0403:6001).
+ * Currently, only one device is known to be used in the lpvo_usb_gpib
+ * adapter (FTDI 0403:6001) but as this device id is already handled by the
+ * ftdi_sio USB serial driver the LPVO driver must not bind to it by default.
+ *
* If your adapter uses a different chip, insert a line
* in the following table with proper <Vendor-id>, <Product-id>.
*
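Review bot: the rewritten comment says the driver must not bind to 0403:6001 by default but does not say what a user has to do instead, and the unchanged lines below it still tell readers to insert a line in the table. The commit message has the answer (blacklist ftdi_sio and add the device id through sysfs, e.g. using udev rules); that sentence belongs in this comment as well.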
@@ -50,7 +52,6 @@ MODULE_DESCRIPTION("GPIB driver for LPVO
*/
static const struct usb_device_id skel_table[] = {
- { USB_DEVICE(0x0403, 0x6001) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, skel_table);
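Review bot: skel_table[] now holds only the terminating entry, so MODULE_DEVICE_TABLE(usb, skel_table) exports no aliases and the module is never autoloaded for a device. That matches the intent, but a comment on the empty table saying it is deliberate would keep someone from "fixing" it by re-adding USB_DEVICE(0x0403, 0x6001).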
* [PATCH 6.19 126/378] rust_binder: fix oneway spam detection
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 125/378] gpib: lpvo_usb: fix unintended binding of FTDI 8U232AM devices Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 127/378] rust_binder: check ownership before using vma Greg Kroah-Hartman
` (258 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alice Ryhl, Carlos Llamas
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Llamas <cmllamas@google.com>
commit 4fc87c240b8f30e22b7ebaae29d57105589e1c0b upstream.
The spam detection logic in TreeRange was executed before the current
request was inserted into the tree. So the new request was not being
factored in the spam calculation. Fix this by moving the logic after
the new range has been inserted.
Also, the detection logic for ArrayRange was missing altogether which
meant large spamming transactions could get away without being detected.
Fix this by implementing an equivalent low_oneway_space() in ArrayRange.
Note that I looked into centralizing this logic in RangeAllocator but
iterating through 'state' and 'size' got a bit too complicated (for me)
and I abandoned this effort.
Cc: stable <stable@kernel.org>
Cc: Alice Ryhl <aliceryhl@google.com>
Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260210232949.3770644-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder/range_alloc/array.rs | 35 ++++++++++++++++++++++++++--
drivers/android/binder/range_alloc/mod.rs | 4 +--
drivers/android/binder/range_alloc/tree.rs | 18 +++++++-------
3 files changed, 44 insertions(+), 13 deletions(-)
--- a/drivers/android/binder/range_alloc/array.rs
+++ b/drivers/android/binder/range_alloc/array.rs
@@ -118,7 +118,7 @@ impl<T> ArrayRangeAllocator<T> {
size: usize,
is_oneway: bool,
pid: Pid,
- ) -> Result<usize> {
+ ) -> Result<(usize, bool)> {
// Compute new value of free_oneway_space, which is set only on success.
let new_oneway_space = if is_oneway {
match self.free_oneway_space.checked_sub(size) {
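Review bot: the return type becomes Result<(usize, bool)> and nothing at the signature says what the bool means. A doc line on the function, or a small named struct, would make the second field self-describing for callers such as the Impl::Array arm in mod.rs, which has to know to bind it as oneway_spam_detected.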
@@ -146,7 +146,38 @@ impl<T> ArrayRangeAllocator<T> {
.ok()
.unwrap();
- Ok(insert_at_offset)
+ // Start detecting spammers once we have less than 20%
+ // of async space left (which is less than 10% of total
+ // buffer size).
+ //
+ // (This will short-circuit, so `low_oneway_space` is
+ // only called when necessary.)
+ let oneway_spam_detected =
+ is_oneway && new_oneway_space < self.size / 10 && self.low_oneway_space(pid);
+
+ Ok((insert_at_offset, oneway_spam_detected))
+ }
+
+ /// Find the amount and size of buffers allocated by the current caller.
+ ///
+ /// The idea is that once we cross the threshold, whoever is responsible
+ /// for the low async space is likely to try to send another async transaction,
+ /// and at some point we'll catch them in the act. This is more efficient
+ /// than keeping a map per pid.
+ fn low_oneway_space(&self, calling_pid: Pid) -> bool {
+ let mut total_alloc_size = 0;
+ let mut num_buffers = 0;
+
+ // Warn if this pid has more than 50 transactions, or more than 50% of
+ // async space (which is 25% of total buffer size). Oneway spam is only
+ // detected when the threshold is exceeded.
+ for range in &self.ranges {
+ if range.state.is_oneway() && range.state.pid() == calling_pid {
+ total_alloc_size += range.size;
+ num_buffers += 1;
+ }
+ }
+ num_buffers > 50 || total_alloc_size > self.size / 4
}
pub(crate) fn reservation_abort(&mut self, offset: usize) -> Result<FreedRange> {
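Review bot: the thresholds in this hunk are bare literals (self.size / 10 in the trigger, 50 and self.size / 4 in low_oneway_space()), and the same self.size / 10 trigger is also carried in tree.rs. Named constants in mod.rs, shared by both allocators, would keep the two copies of the detection logic from drifting apart now that it exists twice.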
--- a/drivers/android/binder/range_alloc/mod.rs
+++ b/drivers/android/binder/range_alloc/mod.rs
@@ -188,11 +188,11 @@ impl<T> RangeAllocator<T> {
self.reserve_new(args)
}
Impl::Array(array) => {
- let offset =
+ let (offset, oneway_spam_detected) =
array.reserve_new(args.debug_id, args.size, args.is_oneway, args.pid)?;
Ok(ReserveNew::Success(ReserveNewSuccess {
offset,
- oneway_spam_detected: false,
+ oneway_spam_detected,
_empty_array_alloc: args.empty_array_alloc,
_new_tree_alloc: args.new_tree_alloc,
_tree_alloc: args.tree_alloc,
--- a/drivers/android/binder/range_alloc/tree.rs
+++ b/drivers/android/binder/range_alloc/tree.rs
@@ -164,15 +164,6 @@ impl<T> TreeRangeAllocator<T> {
self.free_oneway_space
};
- // Start detecting spammers once we have less than 20%
- // of async space left (which is less than 10% of total
- // buffer size).
- //
- // (This will short-circut, so `low_oneway_space` is
- // only called when necessary.)
- let oneway_spam_detected =
- is_oneway && new_oneway_space < self.size / 10 && self.low_oneway_space(pid);
-
let (found_size, found_off, tree_node, free_tree_node) = match self.find_best_match(size) {
None => {
pr_warn!("ENOSPC from range_alloc.reserve_new - size: {}", size);
@@ -203,6 +194,15 @@ impl<T> TreeRangeAllocator<T> {
self.free_tree.insert(free_tree_node);
}
+ // Start detecting spammers once we have less than 20%
+ // of async space left (which is less than 10% of total
+ // buffer size).
+ //
+ // (This will short-circuit, so `low_oneway_space` is
+ // only called when necessary.)
+ let oneway_spam_detected =
+ is_oneway && new_oneway_space < self.size / 10 && self.low_oneway_space(pid);
+
Ok((found_off, oneway_spam_detected))
}
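Review bot: the comment block was moved here unchanged apart from the spelling fix, and it still does not say why the check sits after the free_tree update. One sentence stating that low_oneway_space(pid) must see the reservation just made would record the ordering requirement this patch is about, so the block is not hoisted back above find_best_match() later.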
* [PATCH 6.19 127/378] rust_binder: check ownership before using vma
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 126/378] rust_binder: fix oneway spam detection Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 128/378] rust_binder: avoid reading the written value in offsets array Greg Kroah-Hartman
` (257 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jann Horn, Alice Ryhl,
Danilo Krummrich, Liam R. Howlett
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice Ryhl <aliceryhl@google.com>
commit 8ef2c15aeae07647f530d30f6daaf79eb801bcd1 upstream.
When installing missing pages (or zapping them), Rust Binder will look
up the vma in the mm by address, and then call vm_insert_page (or
zap_page_range_single). However, if the vma is closed and replaced with
a different vma at the same address, this can lead to Rust Binder
installing pages into the wrong vma.
By installing the page into a writable vma, it becomes possible to write
to your own binder pages, which are normally read-only. Although you're
not supposed to be able to write to those pages, the intent behind the
design of Rust Binder is that even if you get that ability, it should not
lead to anything bad. Unfortunately, due to another bug, that is not the
case.
To fix this, store a pointer in vm_private_data and check that the vma
returned by vma_lookup() has the right vm_ops and vm_private_data before
trying to use the vma. This should ensure that Rust Binder will refuse
to interact with any other VMA. The plan is to introduce more vma
abstractions to avoid this unsafe access to vm_ops and vm_private_data,
but for now let's start with the simplest possible fix.
C Binder performs the same check in a slightly different way: it
provides a vm_ops->close that sets a boolean to true, then checks that
boolean after calling vma_lookup(), but this is more fragile
than the solution in this patch. (We probably still want to do both, but
the vm_ops->close callback will be added later as part of the follow-up
vma API changes.)
It's still possible to remap the vma so that pages appear in the right
vma, but at the wrong offset, but this is a separate issue and will be
fixed when Rust Binder gets a vm_ops->close callback.
Cc: stable <stable@kernel.org>
Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
Reported-by: Jann Horn <jannh@google.com>
Reviewed-by: Jann Horn <jannh@google.com>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Danilo Krummrich <dakr@kernel.org>
Acked-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Link: https://patch.msgid.link/20260218-binder-vma-check-v2-1-60f9d695a990@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder/page_range.rs | 83 ++++++++++++++++++++++++++---------
1 file changed, 63 insertions(+), 20 deletions(-)
--- a/drivers/android/binder/page_range.rs
+++ b/drivers/android/binder/page_range.rs
@@ -142,6 +142,30 @@ pub(crate) struct ShrinkablePageRange {
_pin: PhantomPinned,
}
+// We do not define any ops. For now, used only to check identity of vmas.
+static BINDER_VM_OPS: bindings::vm_operations_struct = pin_init::zeroed();
+
+// To ensure that we do not accidentally install pages into or zap pages from the wrong vma, we
+// check its vm_ops and private data before using it.
+fn check_vma(vma: &virt::VmaRef, owner: *const ShrinkablePageRange) -> Option<&virt::VmaMixedMap> {
+ // SAFETY: Just reading the vm_ops pointer of any active vma is safe.
+ let vm_ops = unsafe { (*vma.as_ptr()).vm_ops };
+ if !ptr::eq(vm_ops, &BINDER_VM_OPS) {
+ return None;
+ }
+
+ // SAFETY: Reading the vm_private_data pointer of a binder-owned vma is safe.
+ let vm_private_data = unsafe { (*vma.as_ptr()).vm_private_data };
+ // The ShrinkablePageRange is only dropped when the Process is dropped, which only happens once
+ // the file's ->release handler is invoked, which means the ShrinkablePageRange outlives any
+ // VMA associated with it, so there can't be any false positives due to pointer reuse here.
+ if !ptr::eq(vm_private_data, owner.cast()) {
+ return None;
+ }
+
+ vma.as_mixedmap_vma()
+}
+
struct Inner {
/// Array of pages.
///
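Review bot: the second SAFETY comment in check_vma() calls the vma "binder-owned", but that only holds because of the vm_ops comparison a few lines earlier. State that dependency in the comment, so the two checks are not reordered, or the first one dropped, while vm_private_data is still being trusted.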
@@ -308,6 +332,18 @@ impl ShrinkablePageRange {
inner.size = num_pages;
inner.vma_addr = vma.start();
+ // This pointer is only used for comparison - it's not dereferenced.
+ //
+ // SAFETY: We own the vma, and we don't use any methods on VmaNew that rely on
+ // `vm_private_data`.
+ unsafe {
+ (*vma.as_ptr()).vm_private_data = ptr::from_ref(self).cast_mut().cast::<c_void>()
+ };
+
+ // SAFETY: We own the vma, and we don't use any methods on VmaNew that rely on
+ // `vm_ops`.
+ unsafe { (*vma.as_ptr()).vm_ops = &BINDER_VM_OPS };
+
Ok(num_pages)
}
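Review bot: vm_private_data is set to the address of self and later compared in check_vma(), which only works if that address never changes. The struct carries _pin: PhantomPinned, so the comment should say that pinning is what makes the stored pointer a stable identity. It is also worth noting that the vm_private_data store comes before the vm_ops store on purpose: a vma that already has BINDER_VM_OPS then always has its owner set.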
@@ -399,22 +435,24 @@ impl ShrinkablePageRange {
//
// Using `mmput_async` avoids this, because then the `mm` cleanup is instead queued to a
// workqueue.
- MmWithUser::into_mmput_async(self.mm.mmget_not_zero().ok_or(ESRCH)?)
- .mmap_read_lock()
- .vma_lookup(vma_addr)
- .ok_or(ESRCH)?
- .as_mixedmap_vma()
- .ok_or(ESRCH)?
- .vm_insert_page(user_page_addr, &new_page)
- .inspect_err(|err| {
- pr_warn!(
- "Failed to vm_insert_page({}): vma_addr:{} i:{} err:{:?}",
- user_page_addr,
- vma_addr,
- i,
- err
- )
- })?;
+ check_vma(
+ MmWithUser::into_mmput_async(self.mm.mmget_not_zero().ok_or(ESRCH)?)
+ .mmap_read_lock()
+ .vma_lookup(vma_addr)
+ .ok_or(ESRCH)?,
+ self,
+ )
+ .ok_or(ESRCH)?
+ .vm_insert_page(user_page_addr, &new_page)
+ .inspect_err(|err| {
+ pr_warn!(
+ "Failed to vm_insert_page({}): vma_addr:{} i:{} err:{:?}",
+ user_page_addr,
+ vma_addr,
+ i,
+ err
+ )
+ })?;
let inner = self.lock.lock();
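Review bot: a failed vma_lookup() and a failed check_vma() both collapse into ESRCH without any message; only a vm_insert_page() error reaches pr_warn!. An ownership mismatch means something else is now mapped at vma_addr, which is exactly the case this patch exists for, so a separate rate-limited warning on the check_vma() None path would make it visible in logs.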
@@ -667,12 +705,15 @@ unsafe extern "C" fn rust_shrink_free_pa
let mmap_read;
let mm_mutex;
let vma_addr;
+ let range_ptr;
{
// CAST: The `list_head` field is first in `PageInfo`.
let info = item as *mut PageInfo;
// SAFETY: The `range` field of `PageInfo` is immutable.
- let range = unsafe { &*((*info).range) };
+ range_ptr = unsafe { (*info).range };
+ // SAFETY: The `range` outlives its `PageInfo` values.
+ let range = unsafe { &*range_ptr };
mm = match range.mm.mmget_not_zero() {
Some(mm) => MmWithUser::into_mmput_async(mm),
@@ -717,9 +758,11 @@ unsafe extern "C" fn rust_shrink_free_pa
// SAFETY: The lru lock is locked when this method is called.
unsafe { bindings::spin_unlock(&raw mut (*lru).lock) };
- if let Some(vma) = mmap_read.vma_lookup(vma_addr) {
- let user_page_addr = vma_addr + (page_index << PAGE_SHIFT);
- vma.zap_page_range_single(user_page_addr, PAGE_SIZE);
+ if let Some(unchecked_vma) = mmap_read.vma_lookup(vma_addr) {
+ if let Some(vma) = check_vma(unchecked_vma, range_ptr) {
+ let user_page_addr = vma_addr + (page_index << PAGE_SHIFT);
+ vma.zap_page_range_single(user_page_addr, PAGE_SIZE);
+ }
}
drop(mmap_read);
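Review bot: in the shrinker path a vma that fails check_vma() is skipped silently and execution carries on to drop(mmap_read). That is the safe choice, but a comment saying the zap is intentionally skipped for a foreign vma would help the next reader. The nested if let could also be a single mmap_read.vma_lookup(vma_addr).and_then(|v| check_vma(v, range_ptr)).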
* [PATCH 6.19 128/378] rust_binder: avoid reading the written value in offsets array
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 127/378] rust_binder: check ownership before using vma Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 129/378] rust_binder: call set_notification_done() without proc lock Greg Kroah-Hartman
` (256 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jann Horn, Alice Ryhl,
Liam R. Howlett
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice Ryhl <aliceryhl@google.com>
commit 4cb9e13fec0de7c942f5f927469beb8e48ddd20f upstream.
When sending a transaction, its offsets array is first copied into the
target proc's vma, and then the values are read back from there. This is
normally fine because the vma is a read-only mapping, so the target
process cannot change the value under us.
However, if the target process somehow gains the ability to write to its
own vma, it could change the offset before it's read back, causing the
kernel to misinterpret what the sender meant. If the sender happens to
send a payload with a specific shape, this could in the worst case lead
to the receiver being able to privilege escalate into the sender.
The intent is that gaining the ability to change the read-only vma of
your own process should not be exploitable, so remove this TOCTOU read
even though it's unexploitable without another Binder bug.
Cc: stable <stable@kernel.org>
Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
Reported-by: Jann Horn <jannh@google.com>
Reviewed-by: Jann Horn <jannh@google.com>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Link: https://patch.msgid.link/20260218-binder-vma-check-v2-2-60f9d695a990@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder/thread.rs | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
--- a/drivers/android/binder/thread.rs
+++ b/drivers/android/binder/thread.rs
@@ -1018,12 +1018,9 @@ impl Thread {
// Copy offsets if there are any.
if offsets_size > 0 {
- {
- let mut reader =
- UserSlice::new(UserPtr::from_addr(trd_data_ptr.offsets as _), offsets_size)
- .reader();
- alloc.copy_into(&mut reader, aligned_data_size, offsets_size)?;
- }
+ let mut offsets_reader =
+ UserSlice::new(UserPtr::from_addr(trd_data_ptr.offsets as _), offsets_size)
+ .reader();
let offsets_start = aligned_data_size;
let offsets_end = aligned_data_size + offsets_size;
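Review bot: the comment "Copy offsets if there are any." above this block is no longer accurate, since the alloc.copy_into() call is gone and the block now only builds offsets_reader; the copy happens per element in the loop further down. Update the comment and say why the bulk copy was dropped (the values must not be read back from the receiver's mapping).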
@@ -1044,11 +1041,9 @@ impl Thread {
.step_by(size_of::<u64>())
.enumerate()
{
- let offset: usize = view
- .alloc
- .read::<u64>(index_offset)?
- .try_into()
- .map_err(|_| EINVAL)?;
+ let offset = offsets_reader.read::<u64>()?;
+ view.alloc.write(index_offset, &offset)?;
+ let offset: usize = offset.try_into().map_err(|_| EINVAL)?;
if offset < end_of_previous_object || !is_aligned(offset, size_of::<u32>()) {
pr_warn!("Got transaction with invalid offset.");
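Review bot: offset is written to view.alloc before the end_of_previous_object and alignment checks that follow, so a rejected offset has already been stored in the receiver-visible buffer. Doing the write after validation would make that independent of how the error path discards the allocation. A short comment at offsets_reader.read::<u64>() noting that the value is deliberately taken from the sender once and never re-read from view.alloc would also protect the fix from a later "simplification".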
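The read-back problem described in the 128/378 commit message above, as an added user-space model that is not part of the patch or of Rust Binder. The function names, the `receiver` hook (standing in for a receiver that can write to its own mapping) and the 8-byte `OBJ_SIZE` are assumptions made for the demo.

```rust
/// Assumed object size for the demo; the real driver derives it per object.
const OBJ_SIZE: u64 = 8;

/// Simplified form of the checks visible in the hunk: the offset must be
/// 4-byte aligned and must not start before the previous object ends.
fn validate(offset: u64, end_of_previous: u64) -> Result<(), &'static str> {
    if offset < end_of_previous || offset % 4 != 0 {
        return Err("invalid offset");
    }
    Ok(())
}

/// Pre-patch shape: bulk-copy the sender's offsets into the receiver-visible
/// buffer, then fetch each value a second time from that buffer.
fn offsets_read_back<F: FnMut(&mut [u64])>(
    sender: &[u64],
    shared: &mut [u64],
    mut receiver: F,
) -> Result<Vec<u64>, &'static str> {
    let n = sender.len();
    if shared.len() < n {
        return Err("buffer too small");
    }
    shared[..n].copy_from_slice(sender);
    receiver(&mut *shared); // window between the write and the read-back
    let mut used = Vec::with_capacity(n);
    let mut end_prev = 0u64;
    for &off in &shared[..n] {
        validate(off, end_prev)?; // validates whatever is in the buffer now
        end_prev = off.saturating_add(OBJ_SIZE);
        used.push(off);
    }
    Ok(used)
}

/// Patched shape: fetch each offset once from the sender, store a copy for
/// the receiver, and keep working with the local value only.
fn offsets_single_fetch<F: FnMut(&mut [u64])>(
    sender: &[u64],
    shared: &mut [u64],
    mut receiver: F,
) -> Result<Vec<u64>, &'static str> {
    if shared.len() < sender.len() {
        return Err("buffer too small");
    }
    let mut used = Vec::with_capacity(sender.len());
    let mut end_prev = 0u64;
    for (i, &off) in sender.iter().enumerate() {
        shared[i] = off;
        receiver(&mut *shared); // the receiver can only alter its own copy
        validate(off, end_prev)?;
        end_prev = off.saturating_add(OBJ_SIZE);
        used.push(off);
    }
    Ok(used)
}

fn main() {
    // Constructed sample: the sender declares objects at offsets 0 and 16,
    // and the receiver rewrites the second slot to 64 whenever it can.
    let sender = [0u64, 16];
    let tamper = |buf: &mut [u64]| buf[1] = 64;

    let mut shared = [0u64; 2];
    println!("read-back:    {:?}", offsets_read_back(&sender, &mut shared, tamper));
    let mut shared = [0u64; 2];
    println!("single fetch: {:?}", offsets_single_fetch(&sender, &mut shared, tamper));
}
```

The altered offset passes validation in the read-back variant because the check runs on the value the receiver left behind, not on what the sender sent.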
* [PATCH 6.19 129/378] rust_binder: call set_notification_done() without proc lock
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 128/378] rust_binder: avoid reading the written value in offsets array Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 130/378] rust: kbuild: allow `unused_features` Greg Kroah-Hartman
` (255 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, syzbot+c8287e65a57a89e7fb72,
Alice Ryhl, Gary Guo, Andreas Hindborg
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice Ryhl <aliceryhl@google.com>
commit 2e303f0febb65a434040774b793ba8356698802b upstream.
Consider the following sequence of events on a death listener:
1. The remote process dies and sends a BR_DEAD_BINDER message.
2. The local process invokes the BC_CLEAR_DEATH_NOTIFICATION command.
3. The local process then invokes the BC_DEAD_BINDER_DONE.
Then, the kernel will reply to the BC_DEAD_BINDER_DONE command with a
BR_CLEAR_DEATH_NOTIFICATION_DONE reply using push_work_if_looper().
However, this can result in a deadlock if the current thread is not a
looper. This is because dead_binder_done() still holds the proc lock
during set_notification_done(), which called push_work_if_looper().
Normally, push_work_if_looper() takes the thread lock, which is fine to
take under the proc lock. But if the current thread is not a looper,
then it falls back to delivering the reply to the process work queue,
which involves taking the proc lock. Since the proc lock is already
held, this is a deadlock.
Fix this by releasing the proc lock during set_notification_done(). It
was not intentional that it was held during that function to begin with.
I don't think this ever happens in Android because BC_DEAD_BINDER_DONE
is only invoked in response to BR_DEAD_BINDER messages, and the kernel
always delivers BR_DEAD_BINDER to a looper. So there's no scenario where
Android userspace will call BC_DEAD_BINDER_DONE on a non-looper thread.
Cc: stable <stable@kernel.org>
Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
Reported-by: syzbot+c8287e65a57a89e7fb72@syzkaller.appspotmail.com
Tested-by: syzbot+c8287e65a57a89e7fb72@syzkaller.appspotmail.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Link: https://patch.msgid.link/20260224-binder-dead-binder-done-proc-lock-v1-1-bbe1b8a6e74a@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder/process.rs | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/android/binder/process.rs
+++ b/drivers/android/binder/process.rs
@@ -1289,7 +1289,8 @@ impl Process {
}
pub(crate) fn dead_binder_done(&self, cookie: u64, thread: &Thread) {
- if let Some(death) = self.inner.lock().pull_delivered_death(cookie) {
+ let death = self.inner.lock().pull_delivered_death(cookie);
+ if let Some(death) = death {
death.set_notification_done(thread);
}
}
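Review bot: the new let binding exists only so that the guard returned by self.inner.lock() is dropped at the end of that statement, before death.set_notification_done(thread) runs, and nothing in the code says so. Add a one-line comment to that effect; otherwise the two lines look like a candidate for folding back into the if let, which would reintroduce the deadlock.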
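Why the two-line change in 129/378 above releases the lock, as an added user-space model that is not part of the patch or of Rust Binder: a guard created in an `if let` scrutinee is a temporary that stays alive for the whole body. `Inner`, `Process` and `callee_can_take_proc_lock()` are stand-ins, and `std::sync::Mutex` with `try_lock()` replaces the kernel lock so the conflict is reported instead of hanging.

```rust
use std::sync::Mutex;

/// Stand-in for the state behind the proc lock (not the driver's type).
struct Inner {
    delivered_deaths: Vec<u64>,
}

impl Inner {
    /// Remove and return the delivered death notification with this cookie.
    fn pull_delivered_death(&mut self, cookie: u64) -> Option<u64> {
        let pos = self.delivered_deaths.iter().position(|c| *c == cookie)?;
        Some(self.delivered_deaths.remove(pos))
    }
}

struct Process {
    inner: Mutex<Inner>,
}

impl Process {
    fn new(cookies: &[u64]) -> Self {
        Process { inner: Mutex::new(Inner { delivered_deaths: cookies.to_vec() }) }
    }

    /// Stand-in for the non-looper fallback, which needs the proc lock itself.
    /// Returns false where the real code would block forever.
    fn callee_can_take_proc_lock(&self) -> bool {
        self.inner.try_lock().is_ok()
    }

    /// Pre-patch shape: the guard is a temporary of the scrutinee expression,
    /// so it is still held while the body runs.
    fn dead_binder_done_before(&self, cookie: u64) -> Option<bool> {
        if let Some(_death) = self.inner.lock().unwrap().pull_delivered_death(cookie) {
            return Some(self.callee_can_take_proc_lock());
        }
        None
    }

    /// Patched shape: the guard is dropped at the end of the `let` statement,
    /// before the body runs.
    fn dead_binder_done_after(&self, cookie: u64) -> Option<bool> {
        let death = self.inner.lock().unwrap().pull_delivered_death(cookie);
        if let Some(_death) = death {
            return Some(self.callee_can_take_proc_lock());
        }
        None
    }
}

fn main() {
    // Constructed sample cookies.
    let p = Process::new(&[7, 9]);
    println!("before: callee can lock = {:?}", p.dead_binder_done_before(7));
    println!("after:  callee can lock = {:?}", p.dead_binder_done_after(9));
}
```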
* [PATCH 6.19 130/378] rust: kbuild: allow `unused_features`
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 129/378] rust_binder: call set_notification_done() without proc lock Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 131/378] rust: kbuild: emit dep-info into $(depfile) directly Greg Kroah-Hartman
` (254 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Benno Lossin, Gary Guo, Miguel Ojeda
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miguel Ojeda <ojeda@kernel.org>
commit 592c61f3bfceaa29f8275696bd67c3dfad7ef72e upstream.
Starting with the upcoming Rust 1.96.0 (to be released 2026-05-28),
`rustc` introduces the new lint `unused_features` [1], which warns [2]:
    warning: feature `used_with_arg` is declared but not used
     --> <crate attribute>:1:93
      |
    1 | #![feature(asm_const,asm_goto,arbitrary_self_types,lint_reasons,offset_of_nested,raw_ref_op,used_with_arg)]
      |                                                                                             ^^^^^^^^^^^^^
      |
      = note: `#[warn(unused_features)]` (part of `#[warn(unused)]`) on by default
The original goal of using `-Zcrate-attr` automatically was that there
is a consistent set of features enabled and managed globally for all
Rust kernel code (modulo exceptions like the `rust/` crates).
While we could require crates to enable features manually (even if we
still keep the `-Zallow-features=` list, i.e. removing the `-Zcrate-attr`
list), it is not really worth making all developers worry about it just
for a new lint.
The features are expected to eventually become stable anyway (most already
did), and thus having to remove features in every file that may use them
is not worth it either.
Thus just allow the new lint globally.
The lint actually existed for a long time, which is why `rustc` does
not complain about an unknown lint in the stable versions we support,
but it was "disabled" years ago [3], and now it was made to work again.
For extra context, the new implementation of the lint has already been
improved to avoid linting about features that became stable thanks to
Benno's report and the ensuing discussion [4] [5], but while that helps,
it is still the case that we may have features enabled that are not used
for one reason or another in a particular crate.
Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs).
Link: https://github.com/rust-lang/rust/pull/152164 [1]
Link: https://github.com/Rust-for-Linux/pin-init/pull/114 [2]
Link: https://github.com/rust-lang/rust/issues/44232 [3]
Link: https://github.com/rust-lang/rust/issues/153523 [4]
Link: https://github.com/rust-lang/rust/pull/153610 [5]
Reviewed-by: Benno Lossin <lossin@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Link: https://patch.msgid.link/20260312111014.74198-1-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Makefile | 1 +
1 file changed, 1 insertion(+)
--- a/Makefile
+++ b/Makefile
@@ -473,6 +473,7 @@ KBUILD_USERLDFLAGS := $(USERLDFLAGS)
export rust_common_flags := --edition=2021 \
-Zbinary_dep_depinfo=y \
-Astable_features \
+ -Aunused_features \
-Dnon_ascii_idents \
-Dunsafe_op_in_unsafe_fn \
-Wmissing_docs \
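Review bot: -Aunused_features is added to rust_common_flags with no comment in the Makefile, so the reason lives only in the commit message. A short note next to the flag saying that features are enabled globally for every crate, and that some are therefore unused in any given crate, would tell a later reader why the lint is allowed and when the flag can go.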
* [PATCH 6.19 131/378] rust: kbuild: emit dep-info into $(depfile) directly
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 130/378] rust: kbuild: allow `unused_features` Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 132/378] rust: str: make NullTerminatedFormatter public Greg Kroah-Hartman
` (253 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Onur Özkan, Gary Guo,
Miguel Ojeda
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gary Guo <gary@garyguo.net>
commit e174dd14bf0beac811a5201e370ab26ce8c67f23 upstream.
After commit 295d8398c67e ("kbuild: specify output names separately for
each emission type from rustc"), the preferred pattern is to ask rustc to
emit dependency information into $(depfile) directly, and after commit
2185242faddd ("kbuild: remove sed commands after rustc rules"), the
post-processing to remove comments is no longer necessary as fixdep can
handle comments directly. Thus, emit dep-info into $(depfile) directly and
remove the mv and sed invocation.
This fixes the issue where a non-ignored .d file is emitted during
compilation and removed shortly afterwards.
[ Like Gary mentioned in Zulip, this likely happened due to rebasing
the builds part of the old `syn` work I had. - Miguel ]
Reported-by: Onur Özkan <work@onurozkan.dev>
Closes: https://rust-for-linux.zulipchat.com/#narrow/channel/288089-General/topic/syn.20artifact.20being.20tracked.20by.20git/with/575467879
Fixes: 7dbe46c0b11d ("rust: kbuild: add proc macro library support")
Signed-off-by: Gary Guo <gary@garyguo.net>
Tested-by: Onur Özkan <work@onurozkan.dev>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260224072957.214979-1-gary@garyguo.net
[ Reworded for a couple of typos. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
rust/Makefile | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/rust/Makefile
+++ b/rust/Makefile
@@ -509,11 +509,9 @@ quiet_cmd_rustc_procmacrolibrary = $(RUS
cmd_rustc_procmacrolibrary = \
$(if $(skip_clippy),$(RUSTC),$(RUSTC_OR_CLIPPY)) \
$(filter-out $(skip_flags),$(rust_common_flags) $(rustc_target_flags)) \
- --emit=dep-info,link --crate-type rlib -O \
+ --emit=dep-info=$(depfile) --emit=link=$@ --crate-type rlib -O \
--out-dir $(objtree)/$(obj) -L$(objtree)/$(obj) \
- --crate-name $(patsubst lib%.rlib,%,$(notdir $@)) $<; \
- mv $(objtree)/$(obj)/$(patsubst lib%.rlib,%,$(notdir $@)).d $(depfile); \
- sed -i '/^\#/d' $(depfile)
+ --crate-name $(patsubst lib%.rlib,%,$(notdir $@)) $<
$(obj)/libproc_macro2.rlib: private skip_clippy = 1
$(obj)/libproc_macro2.rlib: private rustc_target_flags = $(proc_macro2-flags)
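Review bot: with --emit=dep-info=$(depfile) and --emit=link=$@ both outputs now have explicit paths, yet --out-dir $(objtree)/$(obj) is still passed on the following line. If nothing else depends on it, dropping --out-dir would remove the remaining way for rustc to place a stray file in the object directory; if it is still needed, the commit message should say for what.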
* [PATCH 6.19 132/378] rust: str: make NullTerminatedFormatter public
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-03-17 16:31 ` [PATCH 6.19 131/378] rust: kbuild: emit dep-info into $(depfile) directly Greg Kroah-Hartman
@ 2026-03-17 16:31 ` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 133/378] ata: libata-core: Add BRIDGE_OK quirk for QEMU drives Greg Kroah-Hartman
` (252 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Courbot, Alice Ryhl,
Andreas Hindborg, Miguel Ojeda
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Courbot <acourbot@nvidia.com>
commit 3ac88a9948792b092a4b11323e2abd1ecbe0cc68 upstream.
If `CONFIG_BLOCK` is disabled, the following warnings are displayed
during build:
    warning: struct `NullTerminatedFormatter` is never constructed
       --> ../rust/kernel/str.rs:667:19
        |
    667 | pub(crate) struct NullTerminatedFormatter<'a> {
        |                   ^^^^^^^^^^^^^^^^^^^^^^^
        |
        = note: `#[warn(dead_code)]` (part of `#[warn(unused)]`) on by default

    warning: associated function `new` is never used
       --> ../rust/kernel/str.rs:673:19
        |
    671 | impl<'a> NullTerminatedFormatter<'a> {
        | ------------------------------------ associated function in this implementation
    672 |     /// Create a new [`Self`] instance.
    673 |     pub(crate) fn new(buffer: &'a mut [u8]) -> Option<NullTerminatedFormatter<'a>> {
Fix them by making `NullTerminatedFormatter` public, as it could be
useful for drivers anyway.
Fixes: cdde7a1951ff ("rust: str: introduce `NullTerminatedFormatter`")
Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260224-nullterminatedformatter-v1-1-5bef7b9b3d4c@nvidia.com
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
rust/kernel/str.rs | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/rust/kernel/str.rs
+++ b/rust/kernel/str.rs
@@ -664,13 +664,13 @@ impl fmt::Write for Formatter<'_> {
///
/// * The first byte of `buffer` is always zero.
/// * The length of `buffer` is at least 1.
-pub(crate) struct NullTerminatedFormatter<'a> {
+pub struct NullTerminatedFormatter<'a> {
buffer: &'a mut [u8],
}
impl<'a> NullTerminatedFormatter<'a> {
/// Create a new [`Self`] instance.
- pub(crate) fn new(buffer: &'a mut [u8]) -> Option<NullTerminatedFormatter<'a>> {
+ pub fn new(buffer: &'a mut [u8]) -> Option<NullTerminatedFormatter<'a>> {
*(buffer.first_mut()?) = 0;
// INVARIANT:
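Review bot: `new()` becomes part of the public API of rust/kernel/str.rs here, but its doc comment ("Create a new [`Self`] instance.") does not say when it returns `None`. From `*(buffer.first_mut()?) = 0;` that is the empty-buffer case. Now that drivers can call it, the doc comment should state that, and also that construction overwrites the first byte of `buffer` with zero.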
* [PATCH 6.19 133/378] ata: libata-core: Add BRIDGE_OK quirk for QEMU drives
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pedro Falcato, Damien Le Moal,
Hannes Reinecke, Niklas Cassel
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pedro Falcato <pfalcato@suse.de>
commit b92b0075ee1870f78f59ab1f7da7dbfdd718ad7a upstream.
Currently, whenever you boot with a QEMU drive over an AHCI interface,
you get:
[ 1.632121] ata1.00: applying bridge limits
This happens due to the kernel not believing the given drive is SATA,
since word 93 of IDENTIFY (ATA_ID_HW_CONFIG) is non-zero. The result is
a pretty severe limit in max_hw_sectors_kb, which limits our IO sizes.
QEMU has set word 93 erroneously for SATA drives but does not, in any
way, emulate any of these real hardware details. There is no PATA
drive and no SATA cable.
As such, add a BRIDGE_OK quirk for QEMU HARDDISK. Special care is taken
to limit this quirk to "2.5+", to allow for fixed future versions.
This results in the max_hw_sectors being limited solely by the
controller interface's limits. Which, for AHCI controllers, takes it
from 128KB to 32767KB.
Cc: stable@vger.kernel.org
Signed-off-by: Pedro Falcato <pfalcato@suse.de>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/libata-core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4228,6 +4228,7 @@ static const struct ata_dev_quirks_entry
/* Devices that do not need bridging limits applied */
{ "MTRON MSP-SATA*", NULL, ATA_QUIRK_BRIDGE_OK },
{ "BUFFALO HD-QSU2/R5", NULL, ATA_QUIRK_BRIDGE_OK },
+ { "QEMU HARDDISK", "2.5+", ATA_QUIRK_BRIDGE_OK },
/* Devices which aren't very happy with higher link speeds */
{ "WD My Book", NULL, ATA_QUIRK_1_5_GBPS },
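Review bot: the new "QEMU HARDDISK" entry is the only one in this visible group with a non-NULL revision field, and "2.5+" reads like a version range ("2.5 or later"), whereas the commit message says it is there to restrict the quirk so that fixed future versions are not matched. A short comment on the entry saying that "2.5+" is the revision string of the affected drives, and why it is pinned, would keep someone from later "simplifying" it to NULL.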
* [PATCH 6.19 134/378] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Heng, Mark Brown
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Heng <zhangheng@kylinos.cn>
commit 325291b20f8a6f14b9c82edbf5d12e4e71f6adaa upstream.
Add a DMI quirk for the ASUS EXPERTBOOK PM1503CDA fixing the
issue where the internal microphone was not detected.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221070
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
Link: https://patch.msgid.link/20260304063255.139331-1-zhangheng@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -710,6 +710,13 @@ static const struct dmi_system_id yc_acp
DMI_MATCH(DMI_PRODUCT_NAME, "ASUS EXPERTBOOK BM1503CDA"),
}
},
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_BOARD_NAME, "PM1503CDA"),
+ }
+ },
{}
};
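Review bot: the added entry keys on DMI_BOARD_VENDOR and DMI_BOARD_NAME, while the entry directly above it matches DMI_PRODUCT_NAME ("ASUS EXPERTBOOK BM1503CDA"). If the product name is unusable on the PM1503CDA, say so in the commit message or in a one-line comment; otherwise matching the product name would keep the table consistent. DMI_MATCH is a substring match, so the board-name string should be as specific as the hardware allows.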
* [PATCH 6.19 135/378] KVM: arm64: Fix protected mode handling of pages larger than 4kB
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fuad Tabba, Marc Zyngier
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit 08f97454b7fa39bfcf82524955c771d2d693d6fe upstream.
Since 3669ddd8fa8b5 ("KVM: arm64: Add a range to pkvm_mappings"),
pKVM tracks the memory that has been mapped into a guest in a
side data structure. Crucially, it uses it to find out whether
a page has already been mapped, and therefore refuses to map it
twice. So far, so good.
However, this very patch completely breaks non-4kB page support,
with guests being unable to boot. The most obvious symptom is that
we take the same fault repeatedly, and not making forward progress.
A quick investigation shows that this is because of the above
rejection code.
As it turns out, there are multiple issues at play:
- while the HPFAR_EL2 register gives you the faulting IPA minus
the bottom 12 bits, it will still give you the extra bits that
are part of the page offset for anything larger than 4kB,
even for a level-3 mapping
- pkvm_pgtable_stage2_map() assumes that the address passed as
a parameter is aligned to the size of the intended mapping
- the faulting address is only aligned for a non-page mapping
When the planets are suitably aligned (pun intended), the guest
faults on a page by accessing it past the bottom 4kB, and extra bits
get set in the HPFAR_EL2 register. If this results in a page mapping
(which is likely with large granule sizes), nothing aligns it further
down, and pkvm_mapping_iter_first() finds an intersection that
doesn't really exist. We assume this is a spurious fault and return
-EAGAIN. And again...
This doesn't hit outside of the protected code, as the page table
code always aligns the IPA down to a page boundary, hiding the issue
for everyone else.
Fix it by always forcing the alignment on vma_pagesize, irrespective
of the value of vma_pagesize.
Fixes: 3669ddd8fa8b5 ("KVM: arm64: Add a range to pkvm_mappings")
Reviewed-by: Fuad Tabba <tabba@google.com>
Tested-by: Fuad Tabba <tabba@google.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://https://patch.msgid.link/20260222141000.3084258-1-maz@kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/mmu.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -1753,14 +1753,12 @@ static int user_mem_abort(struct kvm_vcp
}
/*
- * Both the canonical IPA and fault IPA must be hugepage-aligned to
- * ensure we find the right PFN and lay down the mapping in the right
- * place.
+ * Both the canonical IPA and fault IPA must be aligned to the
+ * mapping size to ensure we find the right PFN and lay down the
+ * mapping in the right place.
*/
- if (vma_pagesize == PMD_SIZE || vma_pagesize == PUD_SIZE) {
- fault_ipa &= ~(vma_pagesize - 1);
- ipa &= ~(vma_pagesize - 1);
- }
+ fault_ipa = ALIGN_DOWN(fault_ipa, vma_pagesize);
+ ipa = ALIGN_DOWN(ipa, vma_pagesize);
gfn = ipa >> PAGE_SHIFT;
mte_allowed = kvm_vma_mte_allowed(vma);
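Review bot: with the `if (vma_pagesize == PMD_SIZE || vma_pagesize == PUD_SIZE)` guard gone, both ALIGN_DOWN() calls depend on vma_pagesize being a non-zero power of two on every path that reaches this point. The rewritten comment also says what is aligned but not why the PAGE_SIZE case now needs it. A sentence noting that the fault IPA can carry page-offset bits on granules larger than 4kB (as the commit message explains for HPFAR_EL2) would keep the rationale next to the code.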
* [PATCH 6.19 136/378] KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Mattson, Sean Christopherson,
Paolo Bonzini
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jim Mattson <jmattson@google.com>
commit e2ffe85b6d2bb7780174b87aa4468a39be17eb81 upstream.
Add KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM to allow L1 to set
FREEZE_IN_SMM in vmcs12's GUEST_IA32_DEBUGCTL field, as permitted
prior to commit 6b1dd26544d0 ("KVM: VMX: Preserve host's
DEBUGCTLMSR_FREEZE_IN_SMM while running the guest"). Enable the quirk
by default for backwards compatibility (like all quirks); userspace
can disable it via KVM_CAP_DISABLE_QUIRKS2 for consistency with the
constraints on WRMSR(IA32_DEBUGCTL).
Note that the quirk only bypasses the consistency check. The vmcs02 bit is
still owned by the host, and PMCs are not frozen during virtualized SMM.
In particular, if a host administrator decides that PMCs should not be
frozen during physical SMM, then L1 has no say in the matter.
Fixes: 095686e6fcb4 ("KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter")
Cc: stable@vger.kernel.org
Signed-off-by: Jim Mattson <jmattson@google.com>
Link: https://patch.msgid.link/20260205231537.1278753-1-jmattson@google.com
[sean: tag for stable@, clean-up and fix goofs in the comment and docs]
Signed-off-by: Sean Christopherson <seanjc@google.com>
[Rename quirk. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/virt/kvm/api.rst | 8 ++++++++
arch/x86/include/asm/kvm_host.h | 3 ++-
arch/x86/include/uapi/asm/kvm.h | 1 +
arch/x86/kvm/vmx/nested.c | 22 ++++++++++++++++++----
4 files changed, 29 insertions(+), 5 deletions(-)
--- a/Documentation/virt/kvm/api.rst
+++ b/Documentation/virt/kvm/api.rst
@@ -8438,6 +8438,14 @@ KVM_X86_QUIRK_IGNORE_GUEST_PAT By d
guest software, for example if it does not
expose a bochs graphics device (which is
known to have had a buggy driver).
+
+KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM By default, KVM relaxes the consistency
+ check for GUEST_IA32_DEBUGCTL in vmcs12
+ to allow FREEZE_IN_SMM to be set. When
+ this quirk is disabled, KVM requires this
+ bit to be cleared. Note that the vmcs02
+ bit is still completely controlled by the
+ host, regardless of the quirk setting.
=================================== ============================================
7.32 KVM_CAP_MAX_VCPU_ID
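Review bot: the new api.rst entry says KVM "requires this bit to be cleared" when the quirk is disabled, but not what L1 observes when the bit is set anyway, i.e. that the GUEST_IA32_DEBUGCTL consistency check fails on nested VM-Enter. It would also help to carry over the commit message's point that PMCs are not frozen during virtualized SMM, so that nobody reads the quirk as virtualizing FREEZE_IN_SMM.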
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -2470,7 +2470,8 @@ int memslot_rmap_alloc(struct kvm_memory
KVM_X86_QUIRK_MWAIT_NEVER_UD_FAULTS | \
KVM_X86_QUIRK_SLOT_ZAP_ALL | \
KVM_X86_QUIRK_STUFF_FEATURE_MSRS | \
- KVM_X86_QUIRK_IGNORE_GUEST_PAT)
+ KVM_X86_QUIRK_IGNORE_GUEST_PAT | \
+ KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM)
#define KVM_X86_CONDITIONAL_QUIRKS \
(KVM_X86_QUIRK_CD_NW_CLEARED | \
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -476,6 +476,7 @@ struct kvm_sync_regs {
#define KVM_X86_QUIRK_SLOT_ZAP_ALL (1 << 7)
#define KVM_X86_QUIRK_STUFF_FEATURE_MSRS (1 << 8)
#define KVM_X86_QUIRK_IGNORE_GUEST_PAT (1 << 9)
+#define KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM (1 << 10)
#define KVM_STATE_NESTED_FORMAT_VMX 0
#define KVM_STATE_NESTED_FORMAT_SVM 1
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3292,10 +3292,24 @@ static int nested_vmx_check_guest_state(
if (CC(vmcs12->guest_cr4 & X86_CR4_CET && !(vmcs12->guest_cr0 & X86_CR0_WP)))
return -EINVAL;
- if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) &&
- (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) ||
- CC(!vmx_is_valid_debugctl(vcpu, vmcs12->guest_ia32_debugctl, false))))
- return -EINVAL;
+ if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) {
+ u64 debugctl = vmcs12->guest_ia32_debugctl;
+
+ /*
+ * FREEZE_IN_SMM is not virtualized, but allow L1 to set it in
+ * vmcs12's DEBUGCTL under a quirk for backwards compatibility.
+ * Note that the quirk only relaxes the consistency check. The
+ * vmcc02 bit is still under the control of the host. In
+ * particular, if a host administrator decides to clear the bit,
+ * then L1 has no say in the matter.
+ */
+ if (kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM))
+ debugctl &= ~DEBUGCTLMSR_FREEZE_IN_SMM;
+
+ if (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) ||
+ CC(!vmx_is_valid_debugctl(vcpu, debugctl, false)))
+ return -EINVAL;
+ }
if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PAT) &&
CC(!kvm_pat_valid(vmcs12->guest_ia32_pat)))
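Review bot: typo in the added comment: "vmcc02 bit" should read "vmcs02 bit", matching the api.rst text in this same patch. On the logic, the quirk path clears DEBUGCTLMSR_FREEZE_IN_SMM only in the local `debugctl` passed to vmx_is_valid_debugctl(), so vmcs12->guest_ia32_debugctl still carries the bit after the check. The comment should point at where the bit is dropped before it can reach vmcs02, since that is not visible from this check.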
* [PATCH 6.19 137/378] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naveen N Rao (AMD), Jim Mattson,
Sean Christopherson, Paolo Bonzini
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 3989a6d036c8ec82c0de3614bed23a1dacd45de5 upstream.
Initialize all per-vCPU AVIC control fields in the VMCB if AVIC is enabled
in KVM and the VM has an in-kernel local APIC, i.e. if it's _possible_ the
vCPU could activate AVIC at any point in its lifecycle. Configuring the
VMCB if and only if AVIC is active "works" purely because of optimizations
in kvm_create_lapic() to speculatively set apicv_active if AVIC is enabled
*and* to defer updates until the first KVM_RUN. In quotes because KVM
likely won't do the right thing if kvm_apicv_activated() is false, i.e. if
a vCPU is created while APICv is inhibited at the VM level for whatever
reason. E.g. if the inhibit is *removed* before KVM_REQ_APICV_UPDATE is
handled in KVM_RUN, then __kvm_vcpu_update_apicv() will elide calls to
vendor code due to seeing "apicv_active == activate".
Cleaning up the initialization code will also allow fixing a bug where KVM
incorrectly leaves CR8 interception enabled when AVIC is activated without
creating a mess with respect to whether AVIC is activated or not.
Cc: stable@vger.kernel.org
Fixes: 67034bb9dd5e ("KVM: SVM: Add irqchip_split() checks before enabling AVIC")
Fixes: 6c3e4422dd20 ("svm: Add support for dynamic APICv")
Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
Reviewed-by: Jim Mattson <jmattson@google.com>
Link: https://patch.msgid.link/20260203190711.458413-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/avic.c | 2 +-
arch/x86/kvm/svm/svm.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -368,7 +368,7 @@ void avic_init_vmcb(struct vcpu_svm *svm
vmcb->control.avic_physical_id = __sme_set(__pa(kvm_svm->avic_physical_id_table));
vmcb->control.avic_vapic_bar = APIC_DEFAULT_PHYS_BASE;
- if (kvm_apicv_activated(svm->vcpu.kvm))
+ if (kvm_vcpu_apicv_active(&svm->vcpu))
avic_activate_vmcb(svm);
else
avic_deactivate_vmcb(svm);
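Review bot: the activate/deactivate decision in avic_init_vmcb() now reads per-vCPU state (kvm_vcpu_apicv_active()) instead of the VM-wide kvm_apicv_activated(), so it depends on apicv_active already holding its intended value when init_vmcb() runs. The commit message attributes that to kvm_create_lapic(); a comment here naming that dependency would make the ordering requirement visible to anyone reworking vCPU creation.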
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -1141,7 +1141,7 @@ static void init_vmcb(struct kvm_vcpu *v
svm_clr_intercept(svm, INTERCEPT_PAUSE);
}
- if (kvm_vcpu_apicv_active(vcpu))
+ if (enable_apicv && irqchip_in_kernel(vcpu->kvm))
avic_init_vmcb(svm, vmcb);
if (vnmi)
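Review bot: the new guard `enable_apicv && irqchip_in_kernel(vcpu->kvm)` encodes "AVIC could become active later", which is not obvious from the condition alone. A one-line comment above it, saying that the AVIC fields are initialized whenever activation is possible and not only when AVIC is currently active, would stop the check from being "optimized" back to kvm_vcpu_apicv_active().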
* [PATCH 6.19 138/378] KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Mattson, Naveen N Rao (AMD),
Maciej S. Szmigiero, Sean Christopherson, Paolo Bonzini
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 87d0f901a9bd8ae6be57249c737f20ac0cace93d upstream.
Explicitly set/clear CR8 write interception when AVIC is (de)activated to
fix a bug where KVM leaves the interception enabled after AVIC is
activated. E.g. if KVM emulates INIT=>WFS while AVIC is deactivated, CR8
will remain intercepted in perpetuity.
On its own, the dangling CR8 intercept is "just" a performance issue, but
combined with the TPR sync bug fixed by commit d02e48830e3f ("KVM: SVM:
Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active"), the dangling
intercept is fatal to Windows guests as the TPR seen by hardware gets
wildly out of sync with reality.
Note, VMX isn't affected by the bug as TPR_THRESHOLD is explicitly ignored
when Virtual Interrupt Delivery is enabled, i.e. when APICv is active in
KVM's world. I.e. there's no need to trigger update_cr8_intercept(), this
is firmly an SVM implementation flaw/detail.
WARN if KVM gets a CR8 write #VMEXIT while AVIC is active, as KVM should
never enter the guest with AVIC enabled and CR8 writes intercepted.
Fixes: 3bbf3565f48c ("svm: Do not intercept CR8 when enable AVIC")
Cc: stable@vger.kernel.org
Cc: Jim Mattson <jmattson@google.com>
Cc: Naveen N Rao (AMD) <naveen@kernel.org>
Cc: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
Reviewed-by: Jim Mattson <jmattson@google.com>
Link: https://patch.msgid.link/20260203190711.458413-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[Squash fix to avic_deactivate_vmcb. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/avic.c | 7 +++++--
arch/x86/kvm/svm/svm.c | 7 ++++---
2 files changed, 9 insertions(+), 5 deletions(-)
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -189,12 +189,12 @@ static void avic_activate_vmcb(struct vc
struct kvm_vcpu *vcpu = &svm->vcpu;
vmcb->control.int_ctl &= ~(AVIC_ENABLE_MASK | X2APIC_MODE_MASK);
-
vmcb->control.avic_physical_id &= ~AVIC_PHYSICAL_MAX_INDEX_MASK;
vmcb->control.avic_physical_id |= avic_get_max_physical_id(vcpu);
-
vmcb->control.int_ctl |= AVIC_ENABLE_MASK;
+ svm_clr_intercept(svm, INTERCEPT_CR8_WRITE);
+
/*
* Note: KVM supports hybrid-AVIC mode, where KVM emulates x2APIC MSR
* accesses, while interrupt injection to a running vCPU can be
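Review bot: the two blank-line removals in avic_activate_vmcb() are unrelated to the CR8 fix and add noise to a stable backport. Leaving the whitespace alone would reduce this hunk to the added `svm_clr_intercept(svm, INTERCEPT_CR8_WRITE);`.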
@@ -226,6 +226,9 @@ static void avic_deactivate_vmcb(struct
vmcb->control.int_ctl &= ~(AVIC_ENABLE_MASK | X2APIC_MODE_MASK);
vmcb->control.avic_physical_id &= ~AVIC_PHYSICAL_MAX_INDEX_MASK;
+ if (!sev_es_guest(svm->vcpu.kvm))
+ svm_set_intercept(svm, INTERCEPT_CR8_WRITE);
+
/*
* If running nested and the guest uses its own MSR bitmap, there
* is no need to update L0's msr bitmap
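Review bot: the `!sev_es_guest()` exception in avic_deactivate_vmcb() has no comment, and the commit message does not mention SEV-ES either. Add a line saying why CR8 write interception must not be set for SEV-ES guests, so the asymmetry with the unconditional svm_clr_intercept() in avic_activate_vmcb() is understood.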
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -1032,8 +1032,7 @@ static void init_vmcb(struct kvm_vcpu *v
svm_set_intercept(svm, INTERCEPT_CR0_WRITE);
svm_set_intercept(svm, INTERCEPT_CR3_WRITE);
svm_set_intercept(svm, INTERCEPT_CR4_WRITE);
- if (!kvm_vcpu_apicv_active(vcpu))
- svm_set_intercept(svm, INTERCEPT_CR8_WRITE);
+ svm_set_intercept(svm, INTERCEPT_CR8_WRITE);
set_dr_intercepts(svm);
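Review bot: CR8 write interception is now set unconditionally in init_vmcb() and is only cleared again through avic_activate_vmcb(), so correctness depends on avic_init_vmcb() running after this point in init_vmcb(). A short comment next to `svm_set_intercept(svm, INTERCEPT_CR8_WRITE);` stating that the AVIC code owns clearing the intercept would make that ordering explicit.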
@@ -2603,9 +2602,11 @@ static int dr_interception(struct kvm_vc
static int cr8_write_interception(struct kvm_vcpu *vcpu)
{
+ u8 cr8_prev = kvm_get_cr8(vcpu);
int r;
- u8 cr8_prev = kvm_get_cr8(vcpu);
+ WARN_ON_ONCE(kvm_vcpu_apicv_active(vcpu));
+
/* instruction emulation calls kvm_set_cr8() */
r = cr_interception(vcpu);
if (lapic_in_kernel(vcpu))
* [PATCH 6.19 139/378] KVM: arm64: pkvm: Fallback to level-3 mapping on host stage-2 fault
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Quentin Perret, Marc Zyngier
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit 8531d5a83d8eb8affb5c0249b466c28d94192603 upstream.
If, for any odd reason, we cannot converge to mapping size that is
completely contained in a memblock region, we fail to install a S2
mapping and go back to the faulting instruction. Rinse, repeat.
This happens when faulting in regions that are smaller than a page
or that do not have PAGE_SIZE-aligned boundaries (as witnessed on
an O6 board that refuses to boot in protected mode).
In this situation, fallback to using a PAGE_SIZE mapping anyway --
it isn't like we can go any lower.
Fixes: e728e705802fe ("KVM: arm64: Adjust range correctly during host stage-2 faults")
Link: https://lore.kernel.org/r/86wlzr77cn.wl-maz@kernel.org
Cc: stable@vger.kernel.org
Cc: Quentin Perret <qperret@google.com>
Reviewed-by: Quentin Perret <qperret@google.com>
Link: https://patch.msgid.link/20260305132751.2928138-1-maz@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/hyp/nvhe/mem_protect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c
+++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
@@ -516,7 +516,7 @@ static int host_stage2_adjust_range(u64
granule = kvm_granule_size(level);
cur.start = ALIGN_DOWN(addr, granule);
cur.end = cur.start + granule;
- if (!range_included(&cur, range))
+ if (!range_included(&cur, range) && level < KVM_PGTABLE_LAST_LEVEL)
continue;
*range = cur;
return 0;
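Review bot: with `&& level < KVM_PGTABLE_LAST_LEVEL` added, the last level falls through to `*range = cur;` even when range_included() failed, so the caller can be handed a range that is not contained in the one it passed in. That is the intent per the commit message, but nothing in the code says so. Add a comment at the check explaining that a PAGE_SIZE mapping is used as a last resort even when it is not fully contained.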
* [PATCH 6.19 140/378] KVM: arm64: vgic: Pick EOIcount deactivations from AP-list tail
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Valentine Burley, Marc Zyngier
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit 6da5e537f5afe091658e846da1949d7e557d2ade upstream.
Valentine reports that their guests fail to boot correctly, losing
interrupts, and indicates that the wrong interrupt gets deactivated.
What happens here is that if the maintenance interrupt is slow enough
to kick us out of the guest, extra interrupts can be activated from
the LRs. We then exit and proceed to handle EOIcount deactivations,
picking active interrupts from the AP list. But we start from the
top of the list, potentially deactivating interrupts that were in
the LRs, while EOIcount only denotes deactivation of interrupts that
are not present in an LR.
Solve this by tracking the last interrupt that made it in the LRs,
and start the EOIcount deactivation walk *after* that interrupt.
Since this only makes sense while the vcpu is loaded, stash this
in the per-CPU host state.
Huge thanks to Valentine for doing all the detective work and
providing an initial patch.
Fixes: 3cfd59f81e0f3 ("KVM: arm64: GICv3: Handle LR overflow when EOImode==0")
Fixes: 281c6c06e2a7b ("KVM: arm64: GICv2: Handle LR overflow when EOImode==0")
Reported-by: Valentine Burley <valentine.burley@collabora.com>
Tested-by: Valentine Burley <valentine.burley@collabora.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20260307115955.369455-1-valentine.burley@collabora.com
Link: https://patch.msgid.link/20260307191151.3781182-1-maz@kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/kvm_host.h | 3 +++
arch/arm64/kvm/vgic/vgic-v2.c | 4 ++--
arch/arm64/kvm/vgic/vgic-v3.c | 12 ++++++------
arch/arm64/kvm/vgic/vgic.c | 6 ++++++
4 files changed, 17 insertions(+), 8 deletions(-)
--- a/arch/arm64/include/asm/kvm_host.h
+++ b/arch/arm64/include/asm/kvm_host.h
@@ -760,6 +760,9 @@ struct kvm_host_data {
/* Number of debug breakpoints/watchpoints for this CPU (minus 1) */
unsigned int debug_brps;
unsigned int debug_wrps;
+
+ /* Last vgic_irq part of the AP list recorded in an LR */
+ struct vgic_irq *last_lr_irq;
};
struct kvm_host_psci_config {
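Review bot: last_lr_irq stores a bare struct vgic_irq pointer in per-CPU host data, and the field comment does not state its validity window. The commit message says it only makes sense while the vcpu is loaded; put that in the comment, together with what keeps the pointed-to irq on the AP list between vgic_flush_lr_state() and the fold.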
--- a/arch/arm64/kvm/vgic/vgic-v2.c
+++ b/arch/arm64/kvm/vgic/vgic-v2.c
@@ -115,7 +115,7 @@ void vgic_v2_fold_lr_state(struct kvm_vc
struct vgic_cpu *vgic_cpu = &vcpu->arch.vgic_cpu;
struct vgic_v2_cpu_if *cpuif = &vgic_cpu->vgic_v2;
u32 eoicount = FIELD_GET(GICH_HCR_EOICOUNT, cpuif->vgic_hcr);
- struct vgic_irq *irq;
+ struct vgic_irq *irq = *host_data_ptr(last_lr_irq);
DEBUG_SPINLOCK_BUG_ON(!irqs_disabled());
@@ -123,7 +123,7 @@ void vgic_v2_fold_lr_state(struct kvm_vc
vgic_v2_fold_lr(vcpu, cpuif->vgic_lr[lr]);
/* See the GICv3 equivalent for the EOIcount handling rationale */
- list_for_each_entry(irq, &vgic_cpu->ap_list_head, ap_list) {
+ list_for_each_entry_continue(irq, &vgic_cpu->ap_list_head, ap_list) {
u32 lr;
if (!eoicount) {
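Review bot: list_for_each_entry_continue() starts from the entry after `irq`, so this walk is only valid when `irq` is a non-NULL element of this vcpu's ap_list. That holds only because vgic_fold_lr_state() returns early on a NULL last_lr_irq. A comment here (and in the GICv3 twin) pointing at that check would protect against a future direct caller.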
--- a/arch/arm64/kvm/vgic/vgic-v3.c
+++ b/arch/arm64/kvm/vgic/vgic-v3.c
@@ -148,7 +148,7 @@ void vgic_v3_fold_lr_state(struct kvm_vc
struct vgic_cpu *vgic_cpu = &vcpu->arch.vgic_cpu;
struct vgic_v3_cpu_if *cpuif = &vgic_cpu->vgic_v3;
u32 eoicount = FIELD_GET(ICH_HCR_EL2_EOIcount, cpuif->vgic_hcr);
- struct vgic_irq *irq;
+ struct vgic_irq *irq = *host_data_ptr(last_lr_irq);
DEBUG_SPINLOCK_BUG_ON(!irqs_disabled());
@@ -158,12 +158,12 @@ void vgic_v3_fold_lr_state(struct kvm_vc
/*
* EOIMode=0: use EOIcount to emulate deactivation. We are
* guaranteed to deactivate in reverse order of the activation, so
- * just pick one active interrupt after the other in the ap_list,
- * and replay the deactivation as if the CPU was doing it. We also
- * rely on priority drop to have taken place, and the list to be
- * sorted by priority.
+ * just pick one active interrupt after the other in the tail part
+ * of the ap_list, past the LRs, and replay the deactivation as if
+ * the CPU was doing it. We also rely on priority drop to have taken
+ * place, and the list to be sorted by priority.
*/
- list_for_each_entry(irq, &vgic_cpu->ap_list_head, ap_list) {
+ list_for_each_entry_continue(irq, &vgic_cpu->ap_list_head, ap_list) {
u64 lr;
/*
--- a/arch/arm64/kvm/vgic/vgic.c
+++ b/arch/arm64/kvm/vgic/vgic.c
@@ -814,6 +814,9 @@ retry:
static inline void vgic_fold_lr_state(struct kvm_vcpu *vcpu)
{
+ if (!*host_data_ptr(last_lr_irq))
+ return;
+
if (kvm_vgic_global_state.type == VGIC_V2)
vgic_v2_fold_lr_state(vcpu);
else
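Review bot: the early return on a NULL last_lr_irq skips the whole fold, LR processing included, not just the EOIcount walk. If the reasoning is that nothing was placed in an LR and so there is nothing to fold, say so in a comment, because the condition otherwise reads as an unrelated pointer check.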
@@ -960,10 +963,13 @@ static void vgic_flush_lr_state(struct k
if (irqs_outside_lrs(&als))
vgic_sort_ap_list(vcpu);
+ *host_data_ptr(last_lr_irq) = NULL;
+
list_for_each_entry(irq, &vgic_cpu->ap_list_head, ap_list) {
scoped_guard(raw_spinlock, &irq->irq_lock) {
if (likely(vgic_target_oracle(irq) == vcpu)) {
vgic_populate_lr(vcpu, irq, count++);
+ *host_data_ptr(last_lr_irq) = irq;
}
}
* [PATCH 6.19 141/378] KVM: arm64: pkvm: Dont reprobe for ICH_VTR_EL2.TDS on CPU hotplug
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vincent Donnefort, Suzuki K Poulose,
Marc Zyngier
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit a79f7b4aeb8e7562cd6dbf9c223e2c2a04b1a85f upstream.
Hotplugging a CPU off and back on fails with pKVM, as we try to
probe for ICH_VTR_EL2.TDS. In a non-VHE setup, this is achieved
by using an EL2 stub helper. However, the stubs are out of reach
once pKVM has deprivileged the kernel. The CPU never boots.
Since pKVM doesn't allow late onlining of CPUs, we can detect
that protected mode is enforced early on, and return the current
state of the capability.
Fixes: 2a28810cbb8b2 ("KVM: arm64: GICv3: Detect and work around the lack of ICV_DIR_EL1 trapping")
Reported-by: Vincent Donnefort <vdonnefort@google.com>
Tested-by: Vincent Donnefort <vdonnefort@google.com>
Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://patch.msgid.link/20260310085433.3936742-1-maz@kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/cpufeature.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -2336,6 +2336,15 @@ static bool can_trap_icv_dir_el1(const s
if (this_cpu_has_cap(ARM64_HAS_GICV5_LEGACY))
return true;
+ /*
+ * pKVM prevents late onlining of CPUs. This means that whatever
+ * state the capability is in after deprivilege cannot be affected
+ * by a new CPU booting -- this is garanteed to be a CPU we have
+ * already seen, and the cap is therefore unchanged.
+ */
+ if (system_capabilities_finalized() && is_protected_kvm_enabled())
+ return cpus_have_final_cap(ARM64_HAS_ICH_HCR_EL2_TDIR);
+
if (is_kernel_in_hyp_mode())
res.a1 = read_sysreg_s(SYS_ICH_VTR_EL2);
else
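Review bot: typo in the added comment: "garanteed" should be "guaranteed". The early return also relies on ARM64_HAS_ICH_HCR_EL2_TDIR being the capability that can_trap_icv_dir_el1() backs, which is not visible in the hunk; naming that in the comment would make the cpus_have_final_cap() call self-explanatory.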
* [PATCH 6.19 142/378] USB: add QUIRK_NO_BOS for video capture several devices
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, A1RM4X
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: A1RM4X <dev@a1rm4x.com>
commit 93cd0d664661f58f7e7bed7373714ab2ace41734 upstream.
Several USB capture devices also need the USB_QUIRK_NO_BOS set for them
to work properly, odds are they are all the same chip inside, just
different vendor/product ids.
This fixes up:
- ASUS TUF 4K PRO
- Avermedia Live Gamer Ultra 2.1 (GC553G2)
- UGREEN 35871
to now run at full speed (10 Gbps/4K 60 fps mode.)
Link: https://lore.kernel.org/r/CACy+XB-f-51xGpNQFCSm5pE_momTQLu=BaZggHYU1DiDmFX=ug@mail.gmail.com
Cc: stable <stable@kernel.org>
Signed-off-by: A1RM4X <dev@a1rm4x.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -377,6 +377,9 @@ static const struct usb_device_id usb_qu
/* SanDisk Extreme 55AE */
{ USB_DEVICE(0x0781, 0x55ae), .driver_info = USB_QUIRK_NO_LPM },
+ /* Avermedia Live Gamer Ultra 2.1 (GC553G2) - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x07ca, 0x2553), .driver_info = USB_QUIRK_NO_BOS },
+
/* Realforce 87U Keyboard */
{ USB_DEVICE(0x0853, 0x011b), .driver_info = USB_QUIRK_NO_LPM },
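Review bot: the comment on the 0x07ca:0x2553 entry states that the BOS descriptor fetch hangs at SuperSpeed Plus, but the changelog only says the devices need the quirk "to work properly" and guesses that they share a chip. Please record the observed symptom (the dmesg output or the hang itself) in the changelog so the in-code claim is backed by something a later reader can check. The comment line is also about 94 characters before indentation and could be split.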
@@ -437,6 +440,9 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x0b05, 0x17e0), .driver_info =
USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+ /* ASUS TUF 4K PRO - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x0b05, 0x1ab9), .driver_info = USB_QUIRK_NO_BOS },
+
/* Realtek Semiconductor Corp. Mass Storage Device (Multicard Reader)*/
{ USB_DEVICE(0x0bda, 0x0151), .driver_info = USB_QUIRK_CONFIG_INTF_STRINGS },
@@ -565,6 +571,9 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x2386, 0x350e), .driver_info = USB_QUIRK_NO_LPM },
+ /* UGREEN 35871 - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x2b89, 0x5871), .driver_info = USB_QUIRK_NO_BOS },
+
/* APTIV AUTOMOTIVE HUB */
{ USB_DEVICE(0x2c48, 0x0132), .driver_info =
USB_QUIRK_SHORT_SET_ADDRESS_REQ_TIMEOUT },
* [PATCH 6.19 143/378] usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Christoffer Sandberg,
Werner Sembach
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoffer Sandberg <cs@tuxedo.de>
commit 0326ff28d56b4fa202de36ffc8462a354f383a64 upstream.
Similar to other Huawei LTE modules using this quirk, this version with
another vid/pid suffers from spurious wakeups.
Setting the quirk fixes the issue for this device as well.
Cc: stable <stable@kernel.org>
Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Link: https://patch.msgid.link/20260306172817.2098898-1-wse@tuxedocomputers.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -208,6 +208,10 @@ static const struct usb_device_id usb_qu
/* HP v222w 16GB Mini USB Drive */
{ USB_DEVICE(0x03f0, 0x3f40), .driver_info = USB_QUIRK_DELAY_INIT },
+ /* Huawei 4G LTE module ME906S */
+ { USB_DEVICE(0x03f0, 0xa31d), .driver_info =
+ USB_QUIRK_DISCONNECT_SUSPEND },
+
/* Creative SB Audigy 2 NX */
{ USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME },
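Review bot: the added entry is commented as a Huawei module but matches vendor id 0x03f0, the same id as the HP v222w entry directly above it. The changelog mentions "another vid/pid" without saying whose id it is, so the comment should state that this is the ME906S as shipped under that vendor id. Otherwise the entry reads like a typo and invites a well-meant "fix" to a Huawei id.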
* [PATCH 6.19 144/378] USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vyacheslav Vahnenko, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vyacheslav Vahnenko <vahnenko2003@gmail.com>
commit d0d9b1f4f5391e6a00cee81d73ed2e8f98446d5f upstream.
Add USB_QUIRK_NO_BOS for ezcap401 capture card, without it dmesg will show
"unable to get BOS descriptor or descriptor too short" and "unable to
read config index 0 descriptor/start: -71" errors and device will not be
able to work at full speed at 10gbs.
Signed-off-by: Vyacheslav Vahnenko <vahnenko2003@gmail.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260313123638.20481-1-vahnenko2003@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -588,6 +588,9 @@ static const struct usb_device_id usb_qu
/* Alcor Link AK9563 SC Reader used in 2022 Lenovo ThinkPads */
{ USB_DEVICE(0x2ce3, 0x9563), .driver_info = USB_QUIRK_NO_LPM },
+ /* ezcap401 - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x32ed, 0x0401), .driver_info = USB_QUIRK_NO_BOS },
+
/* DELL USB GEN2 */
{ USB_DEVICE(0x413c, 0xb062), .driver_info = USB_QUIRK_NO_LPM | USB_QUIRK_RESET_RESUME },
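Review bot: the comment on the 0x32ed:0x0401 entry says the BOS descriptor fetch "hangs", while the changelog reports error returns ("unable to get BOS descriptor or descriptor too short" and -71) rather than a hang. Align the comment with what was observed, for example by naming the failed BOS read, so the quirk table does not document a symptom nobody reported for this device.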
* [PATCH 6.19 145/378] usb: xhci: Fix memory leak in xhci_disable_slot()
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zilin Guan, Mathias Nyman
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
commit c1c8550e70401159184130a1afc6261db01fc0ce upstream.
xhci_alloc_command() allocates a command structure and, when the
second argument is true, also allocates a completion structure.
Currently, the error handling path in xhci_disable_slot() only frees
the command structure using kfree(), causing the completion structure
to leak.
Use xhci_free_command() instead of kfree(). xhci_free_command() correctly
frees both the command structure and the associated completion structure.
Since the command structure is allocated with zero-initialization,
command->in_ctx is NULL and will not be erroneously freed by
xhci_free_command().
This bug was found using an experimental static analysis tool we are
developing. The tool is based on the LLVM framework and is specifically
designed to detect memory management issues. It is currently under
active development and not yet publicly available, but we plan to
open-source it after our research is published.
The bug was originally detected on v6.13-rc1 using our static analysis
tool, and we have verified that the issue persists in the latest mainline
kernel.
We performed build testing on x86_64 with allyesconfig using GCC=11.4.0.
Since triggering these error paths in xhci_disable_slot() requires specific
hardware conditions or abnormal state, we were unable to construct a test
case to reliably trigger these specific error paths at runtime.
Fixes: 7faac1953ed1 ("xhci: avoid race between disable slot command and host runtime suspend")
CC: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20260304223639.3882398-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -4146,7 +4146,7 @@ int xhci_disable_slot(struct xhci_hcd *x
if (state == 0xffffffff || (xhci->xhc_state & XHCI_STATE_DYING) ||
(xhci->xhc_state & XHCI_STATE_HALTED)) {
spin_unlock_irqrestore(&xhci->lock, flags);
- kfree(command);
+ xhci_free_command(xhci, command);
return -ENODEV;
}
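Review bot: xhci_free_command(xhci, command) is only safe on this early-exit path because command->in_ctx is still NULL, which the changelog explains but the code does not. A one-line comment at the call, or at the allocation, noting that the command is zero-initialized and carries no input context here would protect the assumption if the allocation is ever changed.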
@@ -4154,7 +4154,7 @@ int xhci_disable_slot(struct xhci_hcd *x
slot_id);
if (ret) {
spin_unlock_irqrestore(&xhci->lock, flags);
- kfree(command);
+ xhci_free_command(xhci, command);
return ret;
}
xhci_ring_cmd_db(xhci);
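Review bot: this is the second error path in xhci_disable_slot() that repeats the same spin_unlock_irqrestore(), free and return sequence, which is how the first leak went unnoticed in both places. Consider setting ret and jumping to a single exit label that unlocks and calls xhci_free_command(), so the cleanup exists once.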
* [PATCH 6.19 146/378] usb: xhci: Prevent interrupt storm on host controller error (HCE)
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dayu Jiang, Mathias Nyman
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dayu Jiang <jiangdayu@xiaomi.com>
commit d6d5febd12452b7fd951fdd15c3ec262f01901a4 upstream.
The xHCI controller reports a Host Controller Error (HCE) in UAS Storage
Device plug/unplug scenarios on Android devices. HCE is checked in
xhci_irq() function and causes an interrupt storm (since the interrupt
isn’t cleared), leading to severe system-level faults.
When the xHC controller reports HCE in the interrupt handler, the driver
only logs a warning and assumes xHC activity will stop as stated in xHCI
specification. An interrupt storm does however continue on some hosts
even after HCE, and only ceases after manually disabling xHC interrupt
and stopping the controller by calling xhci_halt().
Add xhci_halt() to xhci_irq() function where STS_HCE status is checked,
mirroring the existing error handling pattern used for STS_FATAL errors.
This only fixes the interrupt storm. Proper HCE recovery requires resetting
and re-initializing the xHC.
CC: stable@vger.kernel.org
Signed-off-by: Dayu Jiang <jiangdayu@xiaomi.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20260304223639.3882398-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-ring.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -3195,6 +3195,7 @@ irqreturn_t xhci_irq(struct usb_hcd *hcd
if (status & STS_HCE) {
xhci_warn(xhci, "WARNING: Host Controller Error\n");
+ xhci_halt(xhci);
goto out;
}
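Review bot: the result of xhci_halt(xhci) is discarded at the new call in the STS_HCE branch, so if the halt does not take effect the handler still leaves with only the warning logged and the storm described in the changelog can continue unnoticed. Check the return value and log a failure. A short comment that this only quiets the interrupt, and that recovery still needs a reset and re-initialization as the changelog states, would also help.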
* [PATCH 6.19 147/378] xhci: Fix NULL pointer dereference when reading portli debugfs files
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michal Pecio, Mathias Nyman
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit ae4ff9dead5efa2025eddfcdb29411432bf40a7c upstream.
Michal reported and debugged a NULL pointer dereference bug in the
recently added portli debugfs files.
Oops is caused when there are more port registers counted in
xhci->max_ports than ports reported by Supported Protocol capabilities.
This is possible if max_ports is more than maximum port number, or
if there are gaps between ports of different speeds in the 'Supported
Protocol' capabilities.
In such cases port->rhub will be NULL so we can't reach xhci behind it.
Add an explicit NULL check for this case, and print portli in hex
without dereferencing port->rhub.
Reported-by: Michal Pecio <michal.pecio@gmail.com>
Closes: https://lore.kernel.org/linux-usb/20260304103856.48b785fd.michal.pecio@gmail.com
Fixes: 384c57ec7205 ("usb: xhci: Add debugfs support for xHCI Port Link Info (PORTLI) register.")
Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20260304223639.3882398-4-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-debugfs.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-debugfs.c b/drivers/usb/host/xhci-debugfs.c
index 890fc5e892f1..ade178ab34a7 100644
--- a/drivers/usb/host/xhci-debugfs.c
+++ b/drivers/usb/host/xhci-debugfs.c
@@ -386,11 +386,19 @@ static const struct file_operations port_fops = {
static int xhci_portli_show(struct seq_file *s, void *unused)
{
struct xhci_port *port = s->private;
- struct xhci_hcd *xhci = hcd_to_xhci(port->rhub->hcd);
+ struct xhci_hcd *xhci;
u32 portli;
portli = readl(&port->port_reg->portli);
+ /* port without protocol capability isn't added to a roothub */
+ if (!port->rhub) {
+ seq_printf(s, "0x%08x\n", portli);
+ return 0;
+ }
+
+ xhci = hcd_to_xhci(port->rhub->hcd);
+
/* PORTLI fields are valid if port is a USB3 or eUSB2V2 port */
if (port->rhub == &xhci->usb3_rhub)
seq_printf(s, "0x%08x LEC=%u RLC=%u TLC=%u\n", portli,
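Review bot: the readl() of port->port_reg->portli still runs before the new port->rhub NULL check, so the fix assumes port_reg is valid for ports that were never added to a roothub. Please confirm that and state it in the comment above the check. The early return also prints only the bare hex value, a different output shape from the USB3 branch below, which is worth a line in the changelog for anyone parsing these files.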
--
2.53.0
* [PATCH 6.19 148/378] usb: yurex: fix race in probe
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Oliver Neukum
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 7a875c09899ba0404844abfd8f0d54cdc481c151 upstream.
The bbu member of the descriptor must be set to the value
standing for uninitialized values before the URB whose
completion handler sets bbu is submitted. Otherwise there is
a window during which probing can overwrite already retrieved
data.
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20260209143720.1507500-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/yurex.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -272,6 +272,7 @@ static int yurex_probe(struct usb_interf
dev->int_buffer, YUREX_BUF_SIZE, yurex_interrupt,
dev, 1);
dev->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+ dev->bbu = -1;
if (usb_submit_urb(dev->urb, GFP_KERNEL)) {
retval = -EIO;
dev_err(&interface->dev, "Could not submitting URB\n");
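Review bot: nothing at the moved dev->bbu = -1; says why it has to precede usb_submit_urb(), so a later cleanup could move it back next to usb_set_intfdata() and reopen the window the changelog describes. Add a one-line comment there that the completion handler writes bbu as soon as the URB is submitted.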
@@ -280,7 +281,6 @@ static int yurex_probe(struct usb_interf
/* save our data pointer in this interface device */
usb_set_intfdata(interface, dev);
- dev->bbu = -1;
/* we can register the device now, as it is ready */
retval = usb_register_dev(interface, &yurex_class);
* [PATCH 6.19 149/378] usb: dwc3: pci: add support for the Intel Nova Lake -H
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, stable,
Thinh Nguyen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
commit 17ab4d4078e22be7fd8fd6fc710c15c085a4cb1b upstream.
This patch adds the necessary PCI ID for Intel Nova Lake -H
devices.
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: stable <stable@kernel.org>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20260309130204.208661-1-heikki.krogerus@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-pci.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/dwc3/dwc3-pci.c
+++ b/drivers/usb/dwc3/dwc3-pci.c
@@ -56,6 +56,7 @@
#define PCI_DEVICE_ID_INTEL_CNPH 0xa36e
#define PCI_DEVICE_ID_INTEL_CNPV 0xa3b0
#define PCI_DEVICE_ID_INTEL_RPL 0xa70e
+#define PCI_DEVICE_ID_INTEL_NVLH 0xd37f
#define PCI_DEVICE_ID_INTEL_PTLH 0xe332
#define PCI_DEVICE_ID_INTEL_PTLH_PCH 0xe37e
#define PCI_DEVICE_ID_INTEL_PTLU 0xe432
@@ -447,6 +448,7 @@ static const struct pci_device_id dwc3_p
{ PCI_DEVICE_DATA(INTEL, CNPH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, CNPV, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, RPL, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, NVLH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, PTLH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, PTLH_PCH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, PTLU, &dwc3_pci_intel_swnode) },
* [PATCH 6.19 150/378] usb: misc: uss720: properly clean up reference in uss720_probe()
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 45dba8011efac11a2f360383221b541f5ea53ce5 upstream.
If get_1284_register() fails, the usb device reference count is
incorrect and needs to be properly dropped before returning. That will
happen when the kref is dropped in the call to destroy_priv(), so jump
to that error path instead of returning directly.
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Link: https://patch.msgid.link/2026022342-smokiness-stove-d792@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/uss720.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/misc/uss720.c
+++ b/drivers/usb/misc/uss720.c
@@ -736,7 +736,7 @@ static int uss720_probe(struct usb_inter
ret = get_1284_register(pp, 0, ®, GFP_KERNEL);
dev_dbg(&intf->dev, "reg: %7ph\n", priv->reg);
if (ret < 0)
- return ret;
+ goto probe_abort;
ret = usb_find_last_int_in_endpoint(interface, &epd);
if (!ret) {
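Review bot: the dev_dbg() that prints priv->reg still runs before the ret < 0 test, so when get_1284_register() fails it logs register bytes that were never read. Since this failure path is being touched anyway, move the dev_dbg() below the check or print ret in the failure case. The switch to goto probe_abort matches the changelog, provided nothing under that label depends on state set up after this point.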
* [PATCH 6.19 151/378] usb: core: dont power off roothub PHYs if phy_set_mode() fails
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Miquel Raynal
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
commit e293015ba76eb96ce4ebed7e3b2cb1a7d319f3e9 upstream.
Remove the error path from the usb_phy_roothub_set_mode() function.
The code is clearly wrong, because phy_set_mode() calls can't be
balanced with phy_power_off() calls.
Additionally, the usb_phy_roothub_set_mode() function is called only
from usb_add_hcd() before it powers on the PHYs, so powering off those
makes no sense anyway.
Presumably, the code is copy-pasted from the phy_power_on() function
without adjusting the error handling.
Cc: stable@vger.kernel.org # v5.1+
Fixes: b97a31348379 ("usb: core: comply to PHY framework")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20260218-usb-phy-poweroff-fix-v1-1-66e6831e860e@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/phy.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
--- a/drivers/usb/core/phy.c
+++ b/drivers/usb/core/phy.c
@@ -200,16 +200,10 @@ int usb_phy_roothub_set_mode(struct usb_
list_for_each_entry(roothub_entry, head, list) {
err = phy_set_mode(roothub_entry->phy, mode);
if (err)
- goto err_out;
+ return err;
}
return 0;
-
-err_out:
- list_for_each_entry_continue_reverse(roothub_entry, head, list)
- phy_power_off(roothub_entry->phy);
-
- return err;
}
EXPORT_SYMBOL_GPL(usb_phy_roothub_set_mode);
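Review bot: with the plain return err inside the loop, a failure partway through the list leaves the earlier PHYs switched to the new mode and the later ones untouched, and nothing records or restores the previous mode. That is still better than the unbalanced phy_power_off() being removed. Document above usb_phy_roothub_set_mode() that a non-zero return leaves the PHYs in a mixed state and that the caller must treat it as fatal for the HCD.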
* [PATCH 6.19 152/378] usb: cdc-acm: Restore CAP_BRK functionnality to CH343
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Zyngier, stable, Oliver Neukum
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit 14ae24cba291bddfdc296bbcbfd00cd09d0498ef upstream.
The CH343 USB/serial adapter is as buggy as it is popular (very).
One of its quirks is that despite being capable of signalling a
BREAK condition, it doesn't advertise it.
This used to work nonetheless until 66aad7d8d3ec5 ("usb: cdc-acm:
return correct error code on unsupported break") applied some
reasonable restrictions, preventing breaks from being emitted on
devices that do not advertise CAP_BRK.
Add a quirk for this particular device, so that breaks can still
be produced on some of my machines attached to my console server.
Fixes: 66aad7d8d3ec5 ("usb: cdc-acm: return correct error code on unsupported break")
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable <stable@kernel.org>
Cc: Oliver Neukum <oneukum@suse.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20260301124440.1192752-1-maz@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-acm.c | 5 +++++
drivers/usb/class/cdc-acm.h | 1 +
2 files changed, 6 insertions(+)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1379,6 +1379,8 @@ made_compressed_probe:
acm->ctrl_caps = h.usb_cdc_acm_descriptor->bmCapabilities;
if (quirks & NO_CAP_LINE)
acm->ctrl_caps &= ~USB_CDC_CAP_LINE;
+ if (quirks & MISSING_CAP_BRK)
+ acm->ctrl_caps |= USB_CDC_CAP_BRK;
acm->ctrlsize = ctrlsize;
acm->readsize = readsize;
acm->rx_buflimit = num_rx_buf;
@@ -2002,6 +2004,9 @@ static const struct usb_device_id acm_id
.driver_info = IGNORE_DEVICE,
},
+ /* CH343 supports CAP_BRK, but doesn't advertise it */
+ { USB_DEVICE(0x1a86, 0x55d3), .driver_info = MISSING_CAP_BRK, },
+
/* control interfaces without any protocol set */
{ USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
USB_CDC_PROTO_NONE) },
--- a/drivers/usb/class/cdc-acm.h
+++ b/drivers/usb/class/cdc-acm.h
@@ -113,3 +113,4 @@ struct acm {
#define CLEAR_HALT_CONDITIONS BIT(5)
#define SEND_ZERO_PACKET BIT(6)
#define DISABLE_ECHO BIT(7)
+#define MISSING_CAP_BRK BIT(8)
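Review bot: MISSING_CAP_BRK is BIT(8), the first quirk flag in this list that does not fit in eight bits. Check that every variable carrying the driver_info quirks in cdc-acm.c is wider than a u8, otherwise the test quirks & MISSING_CAP_BRK in the probe path can never be true. A comment next to the define saying that the flag sets a capability, unlike NO_CAP_LINE which clears one, would also make the naming asymmetry explicit.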
* [PATCH 6.19 153/378] usb: roles: get usb role switch from parent only for usb-b-connector
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Xu Yang, Arnaud Ferraris,
Heikki Krogerus
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 8345b1539faa49fcf9c9439c3cbd97dac6eca171 upstream.
usb_role_switch_is_parent() was walking up to the parent node and checking
for the "usb-role-switch" property regardless of the type of the passed
fwnode. This could cause unrelated device nodes to be probed as potential
role switch parent, leading to spurious matches and "-EPROBE_DEFER" being
returned infinitely.
Till now only Type-B connector node will have a parent node which may
present "usb-role-switch" property and register the role switch device.
For Type-C connector node, its parent node will always be a Type-C chip
device which will never register the role switch device. However, it may
still present a non-boolean "usb-role-switch = <&usb_controller>" property
for historical compatibility.
So restrict the helper to only operate on Type-B connector when attempting
to get the role switch from parent node.
Fixes: 6fadd72943b8 ("usb: roles: get usb-role-switch from parent")
Cc: stable <stable@kernel.org>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Tested-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260309074313.2809867-3-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/roles/class.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/roles/class.c
+++ b/drivers/usb/roles/class.c
@@ -139,9 +139,14 @@ static void *usb_role_switch_match(const
static struct usb_role_switch *
usb_role_switch_is_parent(struct fwnode_handle *fwnode)
{
- struct fwnode_handle *parent = fwnode_get_parent(fwnode);
+ struct fwnode_handle *parent;
struct device *dev;
+ if (!fwnode_device_is_compatible(fwnode, "usb-b-connector"))
+ return NULL;
+
+ parent = fwnode_get_parent(fwnode);
+
if (!fwnode_property_present(parent, "usb-role-switch")) {
fwnode_handle_put(parent);
return NULL;
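Review bot: the new fwnode_device_is_compatible(fwnode, "usb-b-connector") test carries no comment, and the reason for it (Type-C connector parents may present a non-boolean "usb-role-switch" property without ever registering a role switch) lives only in the changelog. Put that reasoning in a short comment above the check. Otherwise the next connector type that needs the parent lookup will be added by trial and error, or the check will be dropped as looking arbitrary.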
* [PATCH 6.19 154/378] usb: typec: altmode/displayport: set displayport signaling rate in configure message
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, RD Babiera, Heikki Krogerus
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: RD Babiera <rdbabiera@google.com>
commit e8557acfa079a54b59a21f447c82a31aec7717df upstream.
dp_altmode_configure sets the signaling rate to the current
configuration's rate and then shifts the value to the Select
Configuration bitfield. On the initial configuration, dp->data.conf
is 0 to begin with, so the signaling rate field is never set, which
leads to some DisplayPort Alt Mode partners sending NAK to the
Configure message.
Set the signaling rate to the capabilities supported by both the
port and the port partner. If the cable supports DisplayPort Alt Mode,
then include its capabilities as well.
Fixes: a17fae8fc38e ("usb: typec: Add Displayport Alternate Mode 2.1 Support")
Cc: stable <stable@kernel.org>
Signed-off-by: RD Babiera <rdbabiera@google.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260310204106.3939862-2-rdbabiera@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/altmodes/displayport.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/typec/altmodes/displayport.c
+++ b/drivers/usb/typec/altmodes/displayport.c
@@ -100,9 +100,14 @@ static int dp_altmode_configure(struct d
{
u8 pin_assign = 0;
u32 conf;
+ u32 signal;
/* DP Signalling */
- conf = (dp->data.conf & DP_CONF_SIGNALLING_MASK) >> DP_CONF_SIGNALLING_SHIFT;
+ signal = DP_CAP_DP_SIGNALLING(dp->port->vdo) & DP_CAP_DP_SIGNALLING(dp->alt->vdo);
+ if (dp->plug_prime)
+ signal &= DP_CAP_DP_SIGNALLING(dp->plug_prime->vdo);
+
+ conf = signal << DP_CONF_SIGNALLING_SHIFT;
switch (con) {
case DP_STATUS_CON_DISABLED:
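Review bot: The intersection stored in signal can be zero, for example when
dp->plug_prime advertises no rate in common with the port and the partner,
and "conf = signal << DP_CONF_SIGNALLING_SHIFT" then sends the same empty
signalling field that the commit message says some partners NAK. Consider
testing "if (!signal)" after the plug_prime mask and returning an error (or
falling back to the port/partner intersection) instead of sending a
Configure message with no rate selected.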
* [PATCH 6.19 155/378] USB: usbcore: Introduce usb_bulk_msg_killable()
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Stern, Oliver Neukum
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 416909962e7cdf29fd01ac523c953f37708df93d upstream.
The synchronous message API in usbcore (usb_control_msg(),
usb_bulk_msg(), and so on) uses uninterruptible waits. However,
drivers may call these routines in the context of a user thread, which
means it ought to be possible to at least kill them.
For this reason, introduce a new usb_bulk_msg_killable() function
which behaves the same as usb_bulk_msg() except for using
wait_for_completion_killable_timeout() instead of
wait_for_completion_timeout(). The same can be done for
usb_control_msg() later on, if it turns out to be needed.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Suggested-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/linux-usb/3acfe838-6334-4f6d-be7c-4bb01704b33d@rowland.harvard.edu/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
CC: stable@vger.kernel.org
Link: https://patch.msgid.link/248628b4-cc83-4e81-a620-3ce4e0376d41@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/message.c | 79 +++++++++++++++++++++++++++++++++++++++------
include/linux/usb.h | 5 +-
2 files changed, 72 insertions(+), 12 deletions(-)
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -42,16 +42,17 @@ static void usb_api_blocking_completion(
/*
- * Starts urb and waits for completion or timeout. Note that this call
- * is NOT interruptible. Many device driver i/o requests should be
- * interruptible and therefore these drivers should implement their
- * own interruptible routines.
+ * Starts urb and waits for completion or timeout.
+ * Whether or not the wait is killable depends on the flag passed in.
+ * For example, compare usb_bulk_msg() and usb_bulk_msg_killable().
*/
-static int usb_start_wait_urb(struct urb *urb, int timeout, int *actual_length)
+static int usb_start_wait_urb(struct urb *urb, int timeout, int *actual_length,
+ bool killable)
{
struct api_context ctx;
unsigned long expire;
int retval;
+ long rc;
init_completion(&ctx.done);
urb->context = &ctx;
@@ -61,12 +62,21 @@ static int usb_start_wait_urb(struct urb
goto out;
expire = timeout ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT;
- if (!wait_for_completion_timeout(&ctx.done, expire)) {
+ if (killable)
+ rc = wait_for_completion_killable_timeout(&ctx.done, expire);
+ else
+ rc = wait_for_completion_timeout(&ctx.done, expire);
+ if (rc <= 0) {
usb_kill_urb(urb);
- retval = (ctx.status == -ENOENT ? -ETIMEDOUT : ctx.status);
+ if (ctx.status != -ENOENT)
+ retval = ctx.status;
+ else if (rc == 0)
+ retval = -ETIMEDOUT;
+ else
+ retval = rc;
dev_dbg(&urb->dev->dev,
- "%s timed out on ep%d%s len=%u/%u\n",
+ "%s timed out or killed on ep%d%s len=%u/%u\n",
current->comm,
usb_endpoint_num(&urb->ep->desc),
usb_urb_dir_in(urb) ? "in" : "out",
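Review bot: The dev_dbg() in the "rc <= 0" branch now says "timed out or
killed" but prints neither rc nor retval, so the log cannot tell a timeout
from a fatal signal; adding rc to the format string would keep the message
useful. The retval chain also deserves a short comment: ctx.status wins
whenever it is not -ENOENT, so a URB that completes just before
usb_kill_urb() still returns its own status even if the task was killed,
and only the -ENOENT case maps to -ETIMEDOUT (rc == 0) or to the signal
error held in rc.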
@@ -100,7 +110,7 @@ static int usb_internal_control_msg(stru
usb_fill_control_urb(urb, usb_dev, pipe, (unsigned char *)cmd, data,
len, usb_api_blocking_completion, NULL);
- retv = usb_start_wait_urb(urb, timeout, &length);
+ retv = usb_start_wait_urb(urb, timeout, &length, false);
if (retv < 0)
return retv;
else
@@ -385,10 +395,59 @@ int usb_bulk_msg(struct usb_device *usb_
usb_fill_bulk_urb(urb, usb_dev, pipe, data, len,
usb_api_blocking_completion, NULL);
- return usb_start_wait_urb(urb, timeout, actual_length);
+ return usb_start_wait_urb(urb, timeout, actual_length, false);
}
EXPORT_SYMBOL_GPL(usb_bulk_msg);
+/**
+ * usb_bulk_msg_killable - Builds a bulk urb, sends it off and waits for completion in a killable state
+ * @usb_dev: pointer to the usb device to send the message to
+ * @pipe: endpoint "pipe" to send the message to
+ * @data: pointer to the data to send
+ * @len: length in bytes of the data to send
+ * @actual_length: pointer to a location to put the actual length transferred
+ * in bytes
+ * @timeout: time in msecs to wait for the message to complete before
+ * timing out (if 0 the wait is forever)
+ *
+ * Context: task context, might sleep.
+ *
+ * This function is just like usb_blk_msg() except that it waits in a
+ * killable state.
+ *
+ * Return:
+ * If successful, 0. Otherwise a negative error number. The number of actual
+ * bytes transferred will be stored in the @actual_length parameter.
+ *
+ */
+int usb_bulk_msg_killable(struct usb_device *usb_dev, unsigned int pipe,
+ void *data, int len, int *actual_length, int timeout)
+{
+ struct urb *urb;
+ struct usb_host_endpoint *ep;
+
+ ep = usb_pipe_endpoint(usb_dev, pipe);
+ if (!ep || len < 0)
+ return -EINVAL;
+
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (!urb)
+ return -ENOMEM;
+
+ if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) ==
+ USB_ENDPOINT_XFER_INT) {
+ pipe = (pipe & ~(3 << 30)) | (PIPE_INTERRUPT << 30);
+ usb_fill_int_urb(urb, usb_dev, pipe, data, len,
+ usb_api_blocking_completion, NULL,
+ ep->desc.bInterval);
+ } else
+ usb_fill_bulk_urb(urb, usb_dev, pipe, data, len,
+ usb_api_blocking_completion, NULL);
+
+ return usb_start_wait_urb(urb, timeout, actual_length, true);
+}
+EXPORT_SYMBOL_GPL(usb_bulk_msg_killable);
+
/*-------------------------------------------------------------------*/
static void sg_clean(struct usb_sg_request *io)
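Review bot: The kernel-doc for usb_bulk_msg_killable() refers to
usb_blk_msg(), which should read usb_bulk_msg(), and its Return section
does not say what the caller sees when the wait is ended by a fatal signal
(the negative value from wait_for_completion_killable_timeout() that
usb_start_wait_urb() passes back). The new body also ends in the same
usb_fill_bulk_urb()/usb_start_wait_urb() sequence as usb_bulk_msg() and
differs only in the final "true", so a shared static helper taking the
killable flag would keep the two copies from drifting apart.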
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1869,8 +1869,9 @@ extern int usb_control_msg(struct usb_de
extern int usb_interrupt_msg(struct usb_device *usb_dev, unsigned int pipe,
void *data, int len, int *actual_length, int timeout);
extern int usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe,
- void *data, int len, int *actual_length,
- int timeout);
+ void *data, int len, int *actual_length, int timeout);
+extern int usb_bulk_msg_killable(struct usb_device *usb_dev, unsigned int pipe,
+ void *data, int len, int *actual_length, int timeout);
/* wrappers around usb_control_msg() for the most common standard requests */
int usb_control_msg_send(struct usb_device *dev, __u8 endpoint, __u8 request,
* [PATCH 6.19 156/378] USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot+25ba18e2c5040447585d,
Alan Stern
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 7784caa413a89487dd14dd5c41db8753483b2acb upstream.
The usbtmc driver accepts timeout values specified by the user in an
ioctl command, and uses these timeouts for some usb_bulk_msg() calls.
Since the user can specify arbitrarily long timeouts and
usb_bulk_msg() uses unkillable waits, call usb_bulk_msg_killable()
instead to avoid the possibility of the user hanging a kernel thread
indefinitely.
Reported-by: syzbot+25ba18e2c5040447585d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/8e1c7ac5-e076-44b0-84b8-1b34b20f0ae1@suse.com/T/#t
Tested-by: syzbot+25ba18e2c5040447585d@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Fixes: 048c6d88a021 ("usb: usbtmc: Add ioctls to set/get usb timeout")
CC: stable@vger.kernel.org
Link: https://patch.msgid.link/81c6fc24-0607-40f1-8c20-5270dab2fad5@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/usbtmc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -727,7 +727,7 @@ static int usbtmc488_ioctl_trigger(struc
buffer[1] = data->bTag;
buffer[2] = ~data->bTag;
- retval = usb_bulk_msg(data->usb_dev,
+ retval = usb_bulk_msg_killable(data->usb_dev,
usb_sndbulkpipe(data->usb_dev,
data->bulk_out),
buffer, USBTMC_HEADER_SIZE,
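Review bot: The call in usbtmc488_ioctl_trigger() can now return the signal
error from the killable wait instead of -ETIMEDOUT, and the error handling
after the call is outside this hunk; please confirm that it treats every
negative retval alike and does not special-case -ETIMEDOUT. The same
question applies to the two converted calls in the following hunks. As a
style point, only the first line of each call is changed, so the
continuation lines keep the alignment chosen for the shorter usb_bulk_msg(
name.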
@@ -1347,7 +1347,7 @@ static int send_request_dev_dep_msg_in(s
buffer[11] = 0; /* Reserved */
/* Send bulk URB */
- retval = usb_bulk_msg(data->usb_dev,
+ retval = usb_bulk_msg_killable(data->usb_dev,
usb_sndbulkpipe(data->usb_dev,
data->bulk_out),
buffer, USBTMC_HEADER_SIZE,
@@ -1419,7 +1419,7 @@ static ssize_t usbtmc_read(struct file *
actual = 0;
/* Send bulk URB */
- retval = usb_bulk_msg(data->usb_dev,
+ retval = usb_bulk_msg_killable(data->usb_dev,
usb_rcvbulkpipe(data->usb_dev,
data->bulk_in),
buffer, bufsize, &actual,
* [PATCH 6.19 157/378] USB: core: Limit the length of unkillable synchronous timeouts
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Stern
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 1015c27a5e1a63efae2b18a9901494474b4d1dc3 upstream.
The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in
usbcore allow unlimited timeout durations. And since they use
uninterruptible waits, this leaves open the possibility of hanging a
task for an indefinitely long time, with no way to kill it short of
unplugging the target device.
To prevent this sort of problem, enforce a maximum limit on the length
of these unkillable timeouts. The limit chosen here, somewhat
arbitrarily, is 60 seconds. On many systems (although not all) this
is short enough to avoid triggering the kernel's hung-task detector.
In addition, clear up the ambiguity of negative timeout values by
treating them the same as 0, i.e., using the maximum allowed timeout.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/linux-usb/3acfe838-6334-4f6d-be7c-4bb01704b33d@rowland.harvard.edu/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
CC: stable@vger.kernel.org
Link: https://patch.msgid.link/15fc9773-a007-47b0-a703-df89a8cf83dd@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/message.c | 27 +++++++++++++--------------
include/linux/usb.h | 3 +++
2 files changed, 16 insertions(+), 14 deletions(-)
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -45,6 +45,8 @@ static void usb_api_blocking_completion(
* Starts urb and waits for completion or timeout.
* Whether or not the wait is killable depends on the flag passed in.
* For example, compare usb_bulk_msg() and usb_bulk_msg_killable().
+ *
+ * For non-killable waits, we enforce a maximum limit on the timeout value.
*/
static int usb_start_wait_urb(struct urb *urb, int timeout, int *actual_length,
bool killable)
@@ -61,7 +63,9 @@ static int usb_start_wait_urb(struct urb
if (unlikely(retval))
goto out;
- expire = timeout ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT;
+ if (!killable && (timeout <= 0 || timeout > USB_MAX_SYNCHRONOUS_TIMEOUT))
+ timeout = USB_MAX_SYNCHRONOUS_TIMEOUT;
+ expire = (timeout > 0) ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT;
if (killable)
rc = wait_for_completion_killable_timeout(&ctx.done, expire);
else
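Review bot: The clamp "if (!killable && (timeout <= 0 || timeout >
USB_MAX_SYNCHRONOUS_TIMEOUT))" silently changes behaviour for existing
callers that pass 0 to mean "wait forever" or that pass more than 60000 ms:
they now get -ETIMEDOUT after 60 seconds with nothing in the log. A
dev_dbg() or once-only warning when the value is clamped would make the
affected drivers easy to find. The "(timeout > 0)" test on the next line
also changes the killable path, where a negative timeout now maps to
MAX_SCHEDULE_TIMEOUT instead of being handed to msecs_to_jiffies(); that
matches the commit message but should be stated in the comment above the
function.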
@@ -127,8 +131,7 @@ static int usb_internal_control_msg(stru
* @index: USB message index value
* @data: pointer to the data to send
* @size: length in bytes of the data to send
- * @timeout: time in msecs to wait for the message to complete before timing
- * out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
*
* Context: task context, might sleep.
*
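Review bot: The rewritten @timeout line in this hunk drops "(if 0 the wait
is forever)" without saying what 0 now means. Since usb_start_wait_urb()
treats "timeout <= 0" and anything above USB_MAX_SYNCHRONOUS_TIMEOUT as the
60000 ms maximum for non-killable waits, the kernel-doc should state that
cap. The same applies to the identical @timeout edits in the hunks that
follow.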
@@ -183,8 +186,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg);
* @index: USB message index value
* @driver_data: pointer to the data to send
* @size: length in bytes of the data to send
- * @timeout: time in msecs to wait for the message to complete before timing
- * out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
* @memflags: the flags for memory allocation for buffers
*
* Context: !in_interrupt ()
@@ -242,8 +244,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg_send);
* @index: USB message index value
* @driver_data: pointer to the data to be filled in by the message
* @size: length in bytes of the data to be received
- * @timeout: time in msecs to wait for the message to complete before timing
- * out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
* @memflags: the flags for memory allocation for buffers
*
* Context: !in_interrupt ()
@@ -314,8 +315,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg_recv);
* @len: length in bytes of the data to send
* @actual_length: pointer to a location to put the actual length transferred
* in bytes
- * @timeout: time in msecs to wait for the message to complete before
- * timing out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
*
* Context: task context, might sleep.
*
@@ -347,8 +347,7 @@ EXPORT_SYMBOL_GPL(usb_interrupt_msg);
* @len: length in bytes of the data to send
* @actual_length: pointer to a location to put the actual length transferred
* in bytes
- * @timeout: time in msecs to wait for the message to complete before
- * timing out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
*
* Context: task context, might sleep.
*
@@ -408,12 +407,12 @@ EXPORT_SYMBOL_GPL(usb_bulk_msg);
* @actual_length: pointer to a location to put the actual length transferred
* in bytes
* @timeout: time in msecs to wait for the message to complete before
- * timing out (if 0 the wait is forever)
+ * timing out (if <= 0, the wait is as long as possible)
*
* Context: task context, might sleep.
*
- * This function is just like usb_blk_msg() except that it waits in a
- * killable state.
+ * This function is just like usb_blk_msg(), except that it waits in a
+ * killable state and there is no limit on the timeout length.
*
* Return:
* If successful, 0. Otherwise a negative error number. The number of actual
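Review bot: The reworded sentence in the usb_bulk_msg_killable() kernel-doc
still says usb_blk_msg(); since this hunk rewrites that line anyway, it
should be corrected to usb_bulk_msg() here.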
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1863,6 +1863,9 @@ void usb_free_noncoherent(struct usb_dev
* SYNCHRONOUS CALL SUPPORT *
*-------------------------------------------------------------------*/
+/* Maximum value allowed for timeout in synchronous routines below */
+#define USB_MAX_SYNCHRONOUS_TIMEOUT 60000 /* ms */
+
extern int usb_control_msg(struct usb_device *dev, unsigned int pipe,
__u8 request, __u8 requesttype, __u16 value, __u16 index,
void *data, __u16 size, int timeout);
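Review bot: The comment on USB_MAX_SYNCHRONOUS_TIMEOUT calls it the maximum
for the "synchronous routines below", but the message.c change applies it
only when !killable, and the usb_bulk_msg_killable() kernel-doc says that
function has no limit. Wording it as "non-killable synchronous routines"
would stop readers assuming the killable variant is capped as well.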
* [PATCH 6.19 158/378] usb: class: cdc-wdm: fix reordering issue in read code path
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Oliver Neukum, Gui-Dong Han
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 8df672bfe3ec2268c2636584202755898e547173 upstream.
Quoting the bug report:
Due to compiler optimization or CPU out-of-order execution, the
desc->length update can be reordered before the memmove. If this
happens, wdm_read() can see the new length and call copy_to_user() on
uninitialized memory. This also violates LKMM data race rules [1].
Fix it by using WRITE_ONCE and memory barriers.
Fixes: afba937e540c9 ("USB: CDC WDM driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Closes: https://lore.kernel.org/linux-usb/CALbr=LbrUZn_cfp7CfR-7Z5wDTHF96qeuM=3fO2m-q4cDrnC4A@mail.gmail.com/
Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
Reviewed-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://patch.msgid.link/20260304130116.1721682-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-wdm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -225,7 +225,8 @@ static void wdm_in_callback(struct urb *
/* we may already be in overflow */
if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
memmove(desc->ubuf + desc->length, desc->inbuf, length);
- desc->length += length;
+ smp_wmb(); /* against wdm_read() */
+ WRITE_ONCE(desc->length, desc->length + length);
}
}
skip_error:
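Review bot: The comment on "smp_wmb(); /* against wdm_read() */" names the
other side but not what is being ordered. It should say that the memmove()
into desc->ubuf must be visible before the new desc->length is published,
and that it pairs with the smp_rmb() after READ_ONCE(desc->length) in
wdm_read(). Note too that the memmove() destination and the right-hand side
of the WRITE_ONCE() still read desc->length with plain loads, which is only
safe if wdm_in_callback() is the sole writer at that point.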
@@ -533,6 +534,7 @@ static ssize_t wdm_read
return -ERESTARTSYS;
cntr = READ_ONCE(desc->length);
+ smp_rmb(); /* against wdm_in_callback() */
if (cntr == 0) {
desc->read = 0;
retry:
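Review bot: The smp_rmb() after "cntr = READ_ONCE(desc->length)" orders
later reads of desc->ubuf against this one load only; any other read of
desc->length further down wdm_read() is outside this hunk and would need
the same treatment. Using smp_load_acquire() here and smp_store_release()
in wdm_in_callback() would express the pairing in the accessors themselves
and remove the two stand-alone barriers.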
* [PATCH 6.19 159/378] usb: renesas_usbhs: fix use-after-free in ISR during device removal
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alan Stern, Fan Wu
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fan Wu <fanwu01@zju.edu.cn>
commit 3cbc242b88c607f55da3d0d0d336b49bf1e20412 upstream.
In usbhs_remove(), the driver frees resources (including the pipe array)
while the interrupt handler (usbhs_interrupt) is still registered. If an
interrupt fires after usbhs_pipe_remove() but before the driver is fully
unbound, the ISR may access freed memory, causing a use-after-free.
Fix this by calling devm_free_irq() before freeing resources. This ensures
the interrupt handler is both disabled and synchronized (waits for any
running ISR to complete) before usbhs_pipe_remove() is called.
Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code")
Cc: stable <stable@kernel.org>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
Link: https://patch.msgid.link/20260303073344.34577-1-fanwu01@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/renesas_usbhs/common.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/usb/renesas_usbhs/common.c
+++ b/drivers/usb/renesas_usbhs/common.c
@@ -815,6 +815,15 @@ static void usbhs_remove(struct platform
usbhs_platform_call(priv, hardware_exit, pdev);
reset_control_assert(priv->rsts);
+
+ /*
+ * Explicitly free the IRQ to ensure the interrupt handler is
+ * disabled and synchronized before freeing resources.
+ * devm_free_irq() calls free_irq() which waits for any running
+ * ISR to complete, preventing UAF.
+ */
+ devm_free_irq(&pdev->dev, priv->irq, priv);
+
usbhs_mod_remove(priv);
usbhs_fifo_remove(priv);
usbhs_pipe_remove(priv);
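Review bot: devm_free_irq() is placed after "usbhs_platform_call(priv,
hardware_exit, pdev)" and "reset_control_assert(priv->rsts)", so the
handler can still run while the hardware is being shut down and held in
reset. If usbhs_interrupt touches controller registers, consider moving the
devm_free_irq() call above those two lines; otherwise extend the new
comment to say why an interrupt in that window is harmless.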
* [PATCH 6.19 160/378] usb: gadget: f_hid: fix SuperSpeed descriptors
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, John Keeping,
Peter Korsgaard
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Keeping <jkeeping@inmusicbrands.com>
commit 7f58b4148ef5d8ee0fb7d8113dcc38ff5374babc upstream.
When adding dynamic configuration for bInterval, the value was removed
from the static SuperSpeed endpoint descriptors but was not set from the
configured value in hidg_bind(). Thus at SuperSpeed the interrupt
endpoints have bInterval as zero which is not valid per the USB
specification.
Add the missing setting for SuperSpeed endpoints.
Fixes: ea34925f5b2ee ("usb: gadget: hid: allow dynamic interval configuration via configfs")
Cc: stable <stable@kernel.org>
Signed-off-by: John Keeping <jkeeping@inmusicbrands.com>
Acked-by: Peter Korsgaard <peter@korsgaard.com>
Link: https://patch.msgid.link/20260227111540.431521-1-jkeeping@inmusicbrands.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_hid.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -1207,9 +1207,11 @@ static int hidg_bind(struct usb_configur
if (!hidg->interval_user_set) {
hidg_fs_in_ep_desc.bInterval = 10;
hidg_hs_in_ep_desc.bInterval = 4;
+ hidg_ss_in_ep_desc.bInterval = 4;
} else {
hidg_fs_in_ep_desc.bInterval = hidg->interval;
hidg_hs_in_ep_desc.bInterval = hidg->interval;
+ hidg_ss_in_ep_desc.bInterval = hidg->interval;
}
hidg_ss_out_comp_desc.wBytesPerInterval =
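Review bot: In the else branch, "hidg_ss_in_ep_desc.bInterval =
hidg->interval" copies the configured value with no range check visible in
this hunk, so a user-set interval of 0 would still produce the invalid
SuperSpeed descriptor that the commit message describes. Please confirm
that the configfs store path rejects values each speed does not allow, or
clamp the value here. The same applies to the OUT endpoint assignment in
the next hunk.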
@@ -1239,9 +1241,11 @@ static int hidg_bind(struct usb_configur
if (!hidg->interval_user_set) {
hidg_fs_out_ep_desc.bInterval = 10;
hidg_hs_out_ep_desc.bInterval = 4;
+ hidg_ss_out_ep_desc.bInterval = 4;
} else {
hidg_fs_out_ep_desc.bInterval = hidg->interval;
hidg_hs_out_ep_desc.bInterval = hidg->interval;
+ hidg_ss_out_ep_desc.bInterval = hidg->interval;
}
status = usb_assign_descriptors(f,
hidg_fs_descriptors_intout,
* [PATCH 6.19 161/378] usb: mdc800: handle signal and read racing
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 2d6d260e9a3576256fe9ef6d1f7930c9ec348723 upstream.
If a signal arrives after a read has partially completed,
we need to return the number of bytes read. -EINTR is correct
only if that number is zero.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260209142048.1503791-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/image/mdc800.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/image/mdc800.c
+++ b/drivers/usb/image/mdc800.c
@@ -707,7 +707,7 @@ static ssize_t mdc800_device_read (struc
if (signal_pending (current))
{
mutex_unlock(&mdc800->io_lock);
- return -EINTR;
+ return len == left ? -EINTR : len-left;
}
sts=left > (mdc800->out_count-mdc800->out_ptr)?mdc800->out_count-mdc800->out_ptr:left;
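Review bot: The new return in the signal_pending() branch packs the
partial-read rule into a bare ternary with no comment. A one-line comment
saying that bytes already copied take precedence over -EINTR would help the
next reader, and "len - left" with spaces would follow kernel style for the
line being touched.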
* [PATCH 6.19 162/378] usb: gadget: uvc: fix interval_duration calculation
From: Greg Kroah-Hartman @ 2026-03-17 16:31 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Junzhong Pan, Xu Yang
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junzhong Pan <panjunzhong@linux.spacemit.com>
commit 56135c0c60b07729401af9d329fa9c0eded845a6 upstream.
To correctly convert bInterval as interval_duration:
interval_duration = 2^(bInterval-1) * frame_interval
Current code uses a wrong left shift operand, computing 2^bInterval
instead of 2^(bInterval-1).
Fixes: 010dc57cb516 ("usb: gadget: uvc: fix interval_duration calculation")
Cc: stable <stable@kernel.org>
Signed-off-by: Junzhong Pan <panjunzhong@linux.spacemit.com>
Reviewed-by: Xu Yang <xu.yang_2@nxp.com>
Link: https://patch.msgid.link/20260306-fix-uvc-interval-v1-1-9a2df6859859@linux.spacemit.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/uvc_video.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -513,7 +513,7 @@ uvc_video_prep_requests(struct uvc_video
return;
}
- interval_duration = 2 << (video->ep->desc->bInterval - 1);
+ interval_duration = 1 << (video->ep->desc->bInterval - 1);
if (cdev->gadget->speed < USB_SPEED_HIGH)
interval_duration *= 10000;
else
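Review bot: "1 << (video->ep->desc->bInterval - 1)" has an undefined shift
count when bInterval is 0, and nothing in this hunk rules that value out.
Clamping bInterval to at least 1 before the shift, or rejecting the
descriptor earlier, would make the calculation safe. Because the result is
multiplied by 10000 on the following lines, the upper end of the shift
should also be checked against the type of interval_duration, which is
declared outside the hunk.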
* [PATCH 6.19 163/378] usb: image: mdc800: kill download URB on timeout
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ziyi Guo, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ziyi Guo <n7l8m4@u.northwestern.edu>
commit 1be3b77de4eb89af8ae2fd6610546be778e25589 upstream.
mdc800_device_read() submits download_urb and waits for completion.
If the timeout fires and the device has not responded, the function
returns without killing the URB, leaving it active.
A subsequent read() resubmits the same URB while it is still
in-flight, triggering the WARN in usb_submit_urb():
"URB submitted while active"
Check the return value of wait_event_timeout() and kill the URB if
it indicates timeout, ensuring the URB is complete before its status
is inspected or the URB is resubmitted.
Similar to
- commit 372c93131998 ("USB: yurex: fix control-URB timeout handling")
- commit b98d5000c505 ("media: rc: iguanair: handle timeouts")
Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260209151937.2247202-1-n7l8m4@u.northwestern.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/image/mdc800.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/image/mdc800.c
+++ b/drivers/usb/image/mdc800.c
@@ -730,9 +730,11 @@ static ssize_t mdc800_device_read (struc
mutex_unlock(&mdc800->io_lock);
return len-left;
}
- wait_event_timeout(mdc800->download_wait,
+ retval = wait_event_timeout(mdc800->download_wait,
mdc800->downloaded,
msecs_to_jiffies(TO_DOWNLOAD_GET_READY));
+ if (!retval)
+ usb_kill_urb(mdc800->download_urb);
mdc800->downloaded = 0;
if (mdc800->download_urb->status != 0)
{
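Review bot: retval now carries the remaining-jiffies result of
wait_event_timeout(), which is a long; its declaration is outside this
hunk, and if it is the variable used for error codes elsewhere in
mdc800_device_read() the reuse gives it a second meaning. Testing the call
directly, as in "if (!wait_event_timeout(...))", followed by
usb_kill_urb(mdc800->download_urb), avoids that. It would also help to note
in a comment that a killed URB completes with a non-zero status, so the
existing "download_urb->status != 0" check below is what reports the
timeout to the caller.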
* [PATCH 6.19 164/378] usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jiasheng Jiang, Thinh Nguyen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
commit b9fde507355342a2d64225d582dc8b98ff5ecb19 upstream.
The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically
managed and tied to userspace configuration via ConfigFS. It can be
NULL if the USB host sends requests before the nexus is fully
established or immediately after it is dropped.
Currently, functions like `bot_submit_command()` and the data
transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately
dereference `tv_nexus->tvn_se_sess` without any validation. If a
malicious or misconfigured USB host sends a BOT (Bulk-Only Transport)
command during this race window, it triggers a NULL pointer
dereference, leading to a kernel panic (local DoS).
This exposes an inconsistent API usage within the module, as peer
functions like `usbg_submit_command()` and `bot_send_bad_response()`
correctly implement a NULL check for `tv_nexus` before proceeding.
Fix this by bringing consistency to the nexus handling. Add the
missing `if (!tv_nexus)` checks to the vulnerable BOT command and
request processing paths, aborting the command gracefully with an
error instead of crashing the system.
Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT")
Cc: stable <stable@kernel.org>
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Reviewed-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20260219023834.17976-1-jiashengjiangcool@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_tcm.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/drivers/usb/gadget/function/f_tcm.c
+++ b/drivers/usb/gadget/function/f_tcm.c
@@ -1222,6 +1222,13 @@ static void usbg_submit_cmd(struct usbg_
se_cmd = &cmd->se_cmd;
tpg = cmd->fu->tpg;
tv_nexus = tpg->tpg_nexus;
+ if (!tv_nexus) {
+ struct usb_gadget *gadget = fuas_to_gadget(cmd->fu);
+
+ dev_err(&gadget->dev, "Missing nexus, ignoring command\n");
+ return;
+ }
+
dir = get_cmd_dir(cmd->cmd_buf);
if (dir < 0)
goto out;
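Review bot: In the new `if (!tv_nexus)` branch of usbg_submit_cmd(), the message is logged with plain dev_err() on a path that, per the changelog, a malicious or misconfigured host can trigger at will, so the host controls how fast the kernel log fills; dev_err_ratelimited() fits better here. The branch also leaves with a bare `return;` while the very next failure (`dir < 0`) uses `goto out;`, so the changelog or a comment should say why a command with no nexus needs none of the handling under `out`.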
@@ -1482,6 +1489,13 @@ static void bot_cmd_work(struct work_str
se_cmd = &cmd->se_cmd;
tpg = cmd->fu->tpg;
tv_nexus = tpg->tpg_nexus;
+ if (!tv_nexus) {
+ struct usb_gadget *gadget = fuas_to_gadget(cmd->fu);
+
+ dev_err(&gadget->dev, "Missing nexus, ignoring command\n");
+ return;
+ }
+
dir = get_cmd_dir(cmd->cmd_buf);
if (dir < 0)
goto out;
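Review bot: The check in bot_cmd_work() tests a plain read of `tpg->tpg_nexus`, and nothing in the hunk stops the nexus from being dropped through ConfigFS between `if (!tv_nexus)` and the later uses of `tv_nexus`. The changelog describes the bug as a race window, so this narrows the window without closing it; please state what keeps the nexus alive once the check has passed, or take the lock or reference that does. Separately, the changelog names `bot_submit_command()` as an affected function, but the two hunks touch usbg_submit_cmd() and bot_cmd_work(); the names should match.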
* [PATCH 6.19 165/378] usb: gadget: f_ncm: Fix atomic context locking issue
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 164/378] usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 166/378] usb: legacy: ncm: Fix NPE in gncm_bind Greg Kroah-Hartman
` (219 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Kuen-Han Tsai
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuen-Han Tsai <khtsai@google.com>
commit 0d6c8144ca4d93253de952a5ea0028c19ed7ab68 upstream.
The ncm_set_alt function was holding a mutex to protect against races
with configfs, which invokes the might-sleep function inside an atomic
context.
Remove the struct net_device pointer from the f_ncm_opts structure to
eliminate the contention. The connection state is now managed by a new
boolean flag to preserve the use-after-free fix from
commit 6334b8e4553c ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind
after usb ep transport error").
BUG: sleeping function called from invalid context
Call Trace:
dump_stack_lvl+0x83/0xc0
dump_stack+0x14/0x16
__might_resched+0x389/0x4c0
__might_sleep+0x8e/0x100
...
__mutex_lock+0x6f/0x1740
...
ncm_set_alt+0x209/0xa40
set_config+0x6b6/0xb40
composite_setup+0x734/0x2b40
...
Fixes: 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind")
Cc: stable@kernel.org
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20260221-legacy-ncm-v2-2-dfb891d76507@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_ncm.c | 29 ++++++++++---------------
drivers/usb/gadget/function/u_ether_configfs.h | 11 ---------
drivers/usb/gadget/function/u_ncm.h | 1
3 files changed, 13 insertions(+), 28 deletions(-)
--- a/drivers/usb/gadget/function/f_ncm.c
+++ b/drivers/usb/gadget/function/f_ncm.c
@@ -58,6 +58,7 @@ struct f_ncm {
u8 notify_state;
atomic_t notify_count;
bool is_open;
+ bool is_connected;
const struct ndp_parser_opts *parser_opts;
bool is_crc;
@@ -864,7 +865,6 @@ invalid:
static int ncm_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
{
struct f_ncm *ncm = func_to_ncm(f);
- struct f_ncm_opts *opts = func_to_ncm_opts(f);
struct usb_composite_dev *cdev = f->config->cdev;
/* Control interface has only altsetting 0 */
@@ -887,13 +887,12 @@ static int ncm_set_alt(struct usb_functi
if (alt > 1)
goto fail;
- scoped_guard(mutex, &opts->lock)
- if (opts->net) {
- DBG(cdev, "reset ncm\n");
- opts->net = NULL;
- gether_disconnect(&ncm->port);
- ncm_reset_values(ncm);
- }
+ if (ncm->is_connected) {
+ DBG(cdev, "reset ncm\n");
+ ncm->is_connected = false;
+ gether_disconnect(&ncm->port);
+ ncm_reset_values(ncm);
+ }
/*
* CDC Network only sends data in non-default altsettings.
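Review bot: `ncm->is_connected` is tested and cleared in ncm_set_alt() with no lock held now that `scoped_guard(mutex, &opts->lock)` is gone, and ncm_disable() does the same test-and-clear later in this patch. If those two callbacks can run concurrently, both can see the flag set and call gether_disconnect() twice. Please document next to the new field what serialises its users, or do the test-and-clear under `ncm->lock`, which this function already takes further down.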
@@ -926,8 +925,7 @@ static int ncm_set_alt(struct usb_functi
net = gether_connect(&ncm->port);
if (IS_ERR(net))
return PTR_ERR(net);
- scoped_guard(mutex, &opts->lock)
- opts->net = net;
+ ncm->is_connected = true;
}
spin_lock(&ncm->lock);
@@ -1374,16 +1372,14 @@ err:
static void ncm_disable(struct usb_function *f)
{
struct f_ncm *ncm = func_to_ncm(f);
- struct f_ncm_opts *opts = func_to_ncm_opts(f);
struct usb_composite_dev *cdev = f->config->cdev;
DBG(cdev, "ncm deactivated\n");
- scoped_guard(mutex, &opts->lock)
- if (opts->net) {
- opts->net = NULL;
- gether_disconnect(&ncm->port);
- }
+ if (ncm->is_connected) {
+ ncm->is_connected = false;
+ gether_disconnect(&ncm->port);
+ }
if (ncm->notify->enabled) {
usb_ep_disable(ncm->notify);
@@ -1687,7 +1683,6 @@ static struct usb_function_instance *ncm
if (!opts)
return ERR_PTR(-ENOMEM);
- opts->net = NULL;
opts->ncm_os_desc.ext_compat_id = opts->ncm_ext_compat_id;
gether_setup_opts_default(&opts->net_opts, "usb");
--- a/drivers/usb/gadget/function/u_ether_configfs.h
+++ b/drivers/usb/gadget/function/u_ether_configfs.h
@@ -326,18 +326,9 @@ out: \
char *page) \
{ \
struct f_##_f_##_opts *opts = to_f_##_f_##_opts(item); \
- const char *name; \
\
guard(mutex)(&opts->lock); \
- rtnl_lock(); \
- if (opts->net_opts.ifname_set) \
- name = opts->net_opts.name; \
- else if (opts->net) \
- name = netdev_name(opts->net); \
- else \
- name = "(inactive net_device)"; \
- rtnl_unlock(); \
- return sysfs_emit(page, "%s\n", name); \
+ return sysfs_emit(page, "%s\n", opts->net_opts.name); \
} \
\
static ssize_t _f_##_opts_ifname_store(struct config_item *item, \
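Review bot: The rewritten ifname show handler drops the `else if (opts->net)` branch that returned `netdev_name(opts->net)`, so a reader of the configfs `ifname` attribute now always gets `opts->net_opts.name`, whether or not `ifname_set` is true. That is a userspace-visible change to an attribute that tools read to find the live interface, and the changelog does not mention it. If `net_opts.name` can still hold an unexpanded template at this point, the handler should report the registered name instead, or the change in behaviour should be documented.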
--- a/drivers/usb/gadget/function/u_ncm.h
+++ b/drivers/usb/gadget/function/u_ncm.h
@@ -19,7 +19,6 @@
struct f_ncm_opts {
struct usb_function_instance func_inst;
- struct net_device *net;
struct gether_opts net_opts;
struct config_group *ncm_interf_group;
* [PATCH 6.19 166/378] usb: legacy: ncm: Fix NPE in gncm_bind
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 165/378] usb: gadget: f_ncm: Fix atomic context locking issue Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 167/378] Revert "usb: gadget: f_ncm: Fix atomic context locking issue" Greg Kroah-Hartman
` (218 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, kernel test robot,
Kuen-Han Tsai
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuen-Han Tsai <khtsai@google.com>
commit fde0634ad9856b3943a2d1a8cc8de174a63ac840 upstream.
Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle
with bind/unbind") deferred the allocation of the net_device. This
change leads to a NULL pointer dereference in the legacy NCM driver as
it attempts to access the net_device before it's fully instantiated.
Store the provided qmult, host_addr, and dev_addr into the struct
ncm_opts->net_opts during gncm_bind(). These values will be properly
applied to the net_device when it is allocated and configured later in
the binding process by the NCM function driver.
Fixes: 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind")
Cc: stable@kernel.org
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202602181727.fd76c561-lkp@intel.com
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20260221-legacy-ncm-v2-1-dfb891d76507@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/legacy/ncm.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/drivers/usb/gadget/legacy/ncm.c
+++ b/drivers/usb/gadget/legacy/ncm.c
@@ -15,8 +15,10 @@
/* #define DEBUG */
/* #define VERBOSE_DEBUG */
+#include <linux/hex.h>
#include <linux/kernel.h>
#include <linux/module.h>
+#include <linux/string.h>
#include <linux/usb/composite.h>
#include "u_ether.h"
@@ -129,6 +131,7 @@ static int gncm_bind(struct usb_composit
struct usb_gadget *gadget = cdev->gadget;
struct f_ncm_opts *ncm_opts;
int status;
+ u8 mac[ETH_ALEN];
f_ncm_inst = usb_get_function_instance("ncm");
if (IS_ERR(f_ncm_inst))
@@ -136,11 +139,15 @@ static int gncm_bind(struct usb_composit
ncm_opts = container_of(f_ncm_inst, struct f_ncm_opts, func_inst);
- gether_set_qmult(ncm_opts->net, qmult);
- if (!gether_set_host_addr(ncm_opts->net, host_addr))
+ ncm_opts->net_opts.qmult = qmult;
+ if (host_addr && mac_pton(host_addr, mac)) {
+ memcpy(&ncm_opts->net_opts.host_mac, mac, ETH_ALEN);
pr_info("using host ethernet address: %s", host_addr);
- if (!gether_set_dev_addr(ncm_opts->net, dev_addr))
+ }
+ if (dev_addr && mac_pton(dev_addr, mac)) {
+ memcpy(&ncm_opts->net_opts.dev_mac, mac, ETH_ALEN);
pr_info("using self ethernet address: %s", dev_addr);
+ }
/* Allocate string descriptor numbers ... note that string
* contents can be overridden by the composite_dev glue.
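Review bot: With `if (host_addr && mac_pton(host_addr, mac))` and the matching `dev_addr` test, a module parameter that is present but fails to parse is dropped with no message. A pr_warn() for the set-but-invalid case would make the misconfiguration visible. mac_pton() also only parses the string, and nothing in this hunk runs is_valid_ether_addr() on `mac` before the memcpy() into `net_opts`, so an all-zero or multicast address is stored as given; please confirm that the code which later applies `net_opts` to the net_device rejects it.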
* [PATCH 6.19 167/378] Revert "usb: gadget: f_ncm: Fix atomic context locking issue"
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 166/378] usb: legacy: ncm: Fix NPE in gncm_bind Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 168/378] Revert "usb: legacy: ncm: Fix NPE in gncm_bind" Greg Kroah-Hartman
` (217 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Heidelberg, stable,
Kuen-Han Tsai
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuen-Han Tsai <khtsai@google.com>
commit 11199720fac2debbe718aec11e026ab3330dc80d upstream.
This reverts commit 0d6c8144ca4d93253de952a5ea0028c19ed7ab68.
This commit is being reverted as part of a series-wide revert.
By deferring the net_device allocation to the bind() phase, a single
function instance will spawn multiple network devices if it is symlinked
to multiple USB configurations.
This causes regressions for userspace tools (like the postmarketOS DHCP
daemon) that rely on reading the interface name (e.g., "usb0") from
configfs. Currently, configfs returns the template "usb%d", causing the
userspace network setup to fail.
Crucially, because this patch breaks the 1:1 mapping between the
function instance and the network device, this naming issue cannot
simply be patched. Configfs only exposes a single 'ifname' attribute per
instance, making it impossible to accurately report the actual interface
name when multiple underlying network devices can exist for that single
instance.
All configurations tied to the same function instance are meant to share
a single network device. Revert this change to restore the 1:1 mapping
by allocating the network device at the instance level (alloc_inst).
Reported-by: David Heidelberg <david@ixit.cz>
Closes: https://lore.kernel.org/linux-usb/70b558ea-a12e-4170-9b8e-c951131249af@ixit.cz/
Fixes: 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind")
Cc: stable <stable@kernel.org>
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20260309-f-ncm-revert-v2-1-ea2afbc7d9b2@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_ncm.c | 29 ++++++++++++++-----------
drivers/usb/gadget/function/u_ether_configfs.h | 11 ++++++++-
drivers/usb/gadget/function/u_ncm.h | 1
3 files changed, 28 insertions(+), 13 deletions(-)
--- a/drivers/usb/gadget/function/f_ncm.c
+++ b/drivers/usb/gadget/function/f_ncm.c
@@ -58,7 +58,6 @@ struct f_ncm {
u8 notify_state;
atomic_t notify_count;
bool is_open;
- bool is_connected;
const struct ndp_parser_opts *parser_opts;
bool is_crc;
@@ -865,6 +864,7 @@ invalid:
static int ncm_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
{
struct f_ncm *ncm = func_to_ncm(f);
+ struct f_ncm_opts *opts = func_to_ncm_opts(f);
struct usb_composite_dev *cdev = f->config->cdev;
/* Control interface has only altsetting 0 */
@@ -887,12 +887,13 @@ static int ncm_set_alt(struct usb_functi
if (alt > 1)
goto fail;
- if (ncm->is_connected) {
- DBG(cdev, "reset ncm\n");
- ncm->is_connected = false;
- gether_disconnect(&ncm->port);
- ncm_reset_values(ncm);
- }
+ scoped_guard(mutex, &opts->lock)
+ if (opts->net) {
+ DBG(cdev, "reset ncm\n");
+ opts->net = NULL;
+ gether_disconnect(&ncm->port);
+ ncm_reset_values(ncm);
+ }
/*
* CDC Network only sends data in non-default altsettings.
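Review bot: This hunk puts `scoped_guard(mutex, &opts->lock)` back into ncm_set_alt(), the exact construct the reverted commit removed because of the "BUG: sleeping function called from invalid context" trace through ncm_set_alt() and __mutex_lock(). The changelog justifies the revert only by the interface-naming regression and does not say that the atomic-context bug returns at this point in the series. It goes away again only when patch 170 replaces the guard with the `ncm->netdev` test, so the changelog should state that 167 must not be applied or backported without 170.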
@@ -925,7 +926,8 @@ static int ncm_set_alt(struct usb_functi
net = gether_connect(&ncm->port);
if (IS_ERR(net))
return PTR_ERR(net);
- ncm->is_connected = true;
+ scoped_guard(mutex, &opts->lock)
+ opts->net = net;
}
spin_lock(&ncm->lock);
@@ -1372,14 +1374,16 @@ err:
static void ncm_disable(struct usb_function *f)
{
struct f_ncm *ncm = func_to_ncm(f);
+ struct f_ncm_opts *opts = func_to_ncm_opts(f);
struct usb_composite_dev *cdev = f->config->cdev;
DBG(cdev, "ncm deactivated\n");
- if (ncm->is_connected) {
- ncm->is_connected = false;
- gether_disconnect(&ncm->port);
- }
+ scoped_guard(mutex, &opts->lock)
+ if (opts->net) {
+ opts->net = NULL;
+ gether_disconnect(&ncm->port);
+ }
if (ncm->notify->enabled) {
usb_ep_disable(ncm->notify);
@@ -1683,6 +1687,7 @@ static struct usb_function_instance *ncm
if (!opts)
return ERR_PTR(-ENOMEM);
+ opts->net = NULL;
opts->ncm_os_desc.ext_compat_id = opts->ncm_ext_compat_id;
gether_setup_opts_default(&opts->net_opts, "usb");
--- a/drivers/usb/gadget/function/u_ether_configfs.h
+++ b/drivers/usb/gadget/function/u_ether_configfs.h
@@ -326,9 +326,18 @@ out: \
char *page) \
{ \
struct f_##_f_##_opts *opts = to_f_##_f_##_opts(item); \
+ const char *name; \
\
guard(mutex)(&opts->lock); \
- return sysfs_emit(page, "%s\n", opts->net_opts.name); \
+ rtnl_lock(); \
+ if (opts->net_opts.ifname_set) \
+ name = opts->net_opts.name; \
+ else if (opts->net) \
+ name = netdev_name(opts->net); \
+ else \
+ name = "(inactive net_device)"; \
+ rtnl_unlock(); \
+ return sysfs_emit(page, "%s\n", name); \
} \
\
static ssize_t _f_##_opts_ifname_store(struct config_item *item, \
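Review bot: The restored show handler calls rtnl_lock() while already holding `opts->lock` through `guard(mutex)`, which fixes the nesting order as opts->lock first, RTNL second. Any path that takes `opts->lock` with RTNL already held would deadlock against this one, and the macro carries no comment recording the order. A one-line comment above `rtnl_lock();` stating the rule would help future changes to this macro.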
--- a/drivers/usb/gadget/function/u_ncm.h
+++ b/drivers/usb/gadget/function/u_ncm.h
@@ -19,6 +19,7 @@
struct f_ncm_opts {
struct usb_function_instance func_inst;
+ struct net_device *net;
struct gether_opts net_opts;
struct config_group *ncm_interf_group;
* [PATCH 6.19 168/378] Revert "usb: legacy: ncm: Fix NPE in gncm_bind"
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 167/378] Revert "usb: gadget: f_ncm: Fix atomic context locking issue" Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 169/378] Revert "usb: gadget: u_ether: Add auto-cleanup helper for freeing net_device" Greg Kroah-Hartman
` (216 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Heidelberg, stable,
Kuen-Han Tsai
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuen-Han Tsai <khtsai@google.com>
commit f2524c0e6ff0a5f72f1e1a32441c69d3b56430c4 upstream.
This reverts commit fde0634ad9856b3943a2d1a8cc8de174a63ac840.
This commit is being reverted as part of a series-wide revert.
By deferring the net_device allocation to the bind() phase, a single
function instance will spawn multiple network devices if it is symlinked
to multiple USB configurations.
This causes regressions for userspace tools (like the postmarketOS DHCP
daemon) that rely on reading the interface name (e.g., "usb0") from
configfs. Currently, configfs returns the template "usb%d", causing the
userspace network setup to fail.
Crucially, because this patch breaks the 1:1 mapping between the
function instance and the network device, this naming issue cannot
simply be patched. Configfs only exposes a single 'ifname' attribute per
instance, making it impossible to accurately report the actual interface
name when multiple underlying network devices can exist for that single
instance.
All configurations tied to the same function instance are meant to share
a single network device. Revert this change to restore the 1:1 mapping
by allocating the network device at the instance level (alloc_inst).
Reported-by: David Heidelberg <david@ixit.cz>
Closes: https://lore.kernel.org/linux-usb/70b558ea-a12e-4170-9b8e-c951131249af@ixit.cz/
Fixes: 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind")
Cc: stable <stable@kernel.org>
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20260309-f-ncm-revert-v2-2-ea2afbc7d9b2@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/legacy/ncm.c | 13 +++----------
1 file changed, 3 insertions(+), 10 deletions(-)
--- a/drivers/usb/gadget/legacy/ncm.c
+++ b/drivers/usb/gadget/legacy/ncm.c
@@ -15,10 +15,8 @@
/* #define DEBUG */
/* #define VERBOSE_DEBUG */
-#include <linux/hex.h>
#include <linux/kernel.h>
#include <linux/module.h>
-#include <linux/string.h>
#include <linux/usb/composite.h>
#include "u_ether.h"
@@ -131,7 +129,6 @@ static int gncm_bind(struct usb_composit
struct usb_gadget *gadget = cdev->gadget;
struct f_ncm_opts *ncm_opts;
int status;
- u8 mac[ETH_ALEN];
f_ncm_inst = usb_get_function_instance("ncm");
if (IS_ERR(f_ncm_inst))
@@ -139,15 +136,11 @@ static int gncm_bind(struct usb_composit
ncm_opts = container_of(f_ncm_inst, struct f_ncm_opts, func_inst);
- ncm_opts->net_opts.qmult = qmult;
- if (host_addr && mac_pton(host_addr, mac)) {
- memcpy(&ncm_opts->net_opts.host_mac, mac, ETH_ALEN);
+ gether_set_qmult(ncm_opts->net, qmult);
+ if (!gether_set_host_addr(ncm_opts->net, host_addr))
pr_info("using host ethernet address: %s", host_addr);
- }
- if (dev_addr && mac_pton(dev_addr, mac)) {
- memcpy(&ncm_opts->net_opts.dev_mac, mac, ETH_ALEN);
+ if (!gether_set_dev_addr(ncm_opts->net, dev_addr))
pr_info("using self ethernet address: %s", dev_addr);
- }
/* Allocate string descriptor numbers ... note that string
* contents can be overridden by the composite_dev glue.
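Review bot: `gether_set_qmult(ncm_opts->net, qmult);` and the two gether_set_*_addr() calls pass `ncm_opts->net` again, and the commit being reverted exists because that pointer is not yet allocated when gncm_bind() runs; patch 167 has just restored `opts->net = NULL;` in the instance allocator. The pointer is only allocated at instance creation once patch 170 restores `opts->net = gether_setup_default();` in ncm_alloc_inst(), so between 168 and 170 the legacy driver is back to the NULL dereference. Applying this revert after 170, or stating the dependency in the changelog, keeps each step of the series usable for bisection.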
* [PATCH 6.19 169/378] Revert "usb: gadget: u_ether: Add auto-cleanup helper for freeing net_device"
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 168/378] Revert "usb: legacy: ncm: Fix NPE in gncm_bind" Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 170/378] Revert "usb: gadget: f_ncm: align net_device lifecycle with bind/unbind" Greg Kroah-Hartman
` (215 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Heidelberg, stable,
Kuen-Han Tsai
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuen-Han Tsai <khtsai@google.com>
commit 46662d3a1ad40282ba9f753cccc6f909ec4468cc upstream.
This reverts commit 0c0981126b99288ed354d3d414c8a5fd42ac9e25.
This commit is being reverted as part of a series-wide revert.
By deferring the net_device allocation to the bind() phase, a single
function instance will spawn multiple network devices if it is symlinked
to multiple USB configurations.
This causes regressions for userspace tools (like the postmarketOS DHCP
daemon) that rely on reading the interface name (e.g., "usb0") from
configfs. Currently, configfs returns the template "usb%d", causing the
userspace network setup to fail.
Crucially, because this patch breaks the 1:1 mapping between the
function instance and the network device, this naming issue cannot
simply be patched. Configfs only exposes a single 'ifname' attribute per
instance, making it impossible to accurately report the actual interface
name when multiple underlying network devices can exist for that single
instance.
All configurations tied to the same function instance are meant to share
a single network device. Revert this change to restore the 1:1 mapping
by allocating the network device at the instance level (alloc_inst).
Reported-by: David Heidelberg <david@ixit.cz>
Closes: https://lore.kernel.org/linux-usb/70b558ea-a12e-4170-9b8e-c951131249af@ixit.cz/
Fixes: 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind")
Cc: stable <stable@kernel.org>
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20260309-f-ncm-revert-v2-4-ea2afbc7d9b2@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/u_ether.c | 15 ---------------
drivers/usb/gadget/function/u_ether.h | 2 --
2 files changed, 17 deletions(-)
--- a/drivers/usb/gadget/function/u_ether.c
+++ b/drivers/usb/gadget/function/u_ether.c
@@ -1125,21 +1125,6 @@ void gether_cleanup(struct eth_dev *dev)
}
EXPORT_SYMBOL_GPL(gether_cleanup);
-void gether_unregister_free_netdev(struct net_device *net)
-{
- if (!net)
- return;
-
- struct eth_dev *dev = netdev_priv(net);
-
- if (net->reg_state == NETREG_REGISTERED) {
- unregister_netdev(net);
- flush_work(&dev->work);
- }
- free_netdev(net);
-}
-EXPORT_SYMBOL_GPL(gether_unregister_free_netdev);
-
/**
* gether_connect - notify network layer that USB link is active
* @link: the USB link, set up with endpoints, descriptors matching
--- a/drivers/usb/gadget/function/u_ether.h
+++ b/drivers/usb/gadget/function/u_ether.h
@@ -283,8 +283,6 @@ int gether_get_ifname(struct net_device
int gether_set_ifname(struct net_device *net, const char *name, int len);
void gether_cleanup(struct eth_dev *dev);
-void gether_unregister_free_netdev(struct net_device *net);
-DEFINE_FREE(free_gether_netdev, struct net_device *, gether_unregister_free_netdev(_T));
void gether_setup_opts_default(struct gether_opts *opts, const char *name);
void gether_apply_opts(struct net_device *net, struct gether_opts *opts);
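Review bot: The `DEFINE_FREE(free_gether_netdev, ...)` removal in u_ether.h lands before its last user is gone: ncm_bind() still declares `struct net_device *netdev __free(free_gether_netdev) = NULL;` until patch 170 deletes that line, so f_ncm.c does not build with 169 applied and 170 not. The Link: tags show the same thing from the other side, this patch being `f-ncm-revert-v2-4` and patch 170 being `f-ncm-revert-v2-3`. Please queue 170 before 169 so the stable tree builds at every commit.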
* [PATCH 6.19 170/378] Revert "usb: gadget: f_ncm: align net_device lifecycle with bind/unbind"
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 169/378] Revert "usb: gadget: u_ether: Add auto-cleanup helper for freeing net_device" Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 171/378] Revert "usb: gadget: u_ether: add gether_opts for config caching" Greg Kroah-Hartman
` (214 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Heidelberg, stable,
Kuen-Han Tsai
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuen-Han Tsai <khtsai@google.com>
commit 37893bc5de2460c543ec1aa8250c37a305234054 upstream.
This reverts commit 56a512a9b4107079f68701e7d55da8507eb963d9.
This commit is being reverted as part of a series-wide revert.
By deferring the net_device allocation to the bind() phase, a single
function instance will spawn multiple network devices if it is symlinked
to multiple USB configurations.
This causes regressions for userspace tools (like the postmarketOS DHCP
daemon) that rely on reading the interface name (e.g., "usb0") from
configfs. Currently, configfs returns the template "usb%d", causing the
userspace network setup to fail.
Crucially, because this patch breaks the 1:1 mapping between the
function instance and the network device, this naming issue cannot
simply be patched. Configfs only exposes a single 'ifname' attribute per
instance, making it impossible to accurately report the actual interface
name when multiple underlying network devices can exist for that single
instance.
All configurations tied to the same function instance are meant to share
a single network device. Revert this change to restore the 1:1 mapping
by allocating the network device at the instance level (alloc_inst).
Reported-by: David Heidelberg <david@ixit.cz>
Closes: https://lore.kernel.org/linux-usb/70b558ea-a12e-4170-9b8e-c951131249af@ixit.cz/
Fixes: 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind")
Cc: stable <stable@kernel.org>
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20260309-f-ncm-revert-v2-3-ea2afbc7d9b2@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_ncm.c | 128 ++++++++++++++++++------------------
drivers/usb/gadget/function/u_ncm.h | 4 -
2 files changed, 66 insertions(+), 66 deletions(-)
--- a/drivers/usb/gadget/function/f_ncm.c
+++ b/drivers/usb/gadget/function/f_ncm.c
@@ -83,11 +83,6 @@ static inline struct f_ncm *func_to_ncm(
return container_of(f, struct f_ncm, port.func);
}
-static inline struct f_ncm_opts *func_to_ncm_opts(struct usb_function *f)
-{
- return container_of(f->fi, struct f_ncm_opts, func_inst);
-}
-
/*-------------------------------------------------------------------------*/
/*
@@ -864,7 +859,6 @@ invalid:
static int ncm_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
{
struct f_ncm *ncm = func_to_ncm(f);
- struct f_ncm_opts *opts = func_to_ncm_opts(f);
struct usb_composite_dev *cdev = f->config->cdev;
/* Control interface has only altsetting 0 */
@@ -887,13 +881,12 @@ static int ncm_set_alt(struct usb_functi
if (alt > 1)
goto fail;
- scoped_guard(mutex, &opts->lock)
- if (opts->net) {
- DBG(cdev, "reset ncm\n");
- opts->net = NULL;
- gether_disconnect(&ncm->port);
- ncm_reset_values(ncm);
- }
+ if (ncm->netdev) {
+ DBG(cdev, "reset ncm\n");
+ ncm->netdev = NULL;
+ gether_disconnect(&ncm->port);
+ ncm_reset_values(ncm);
+ }
/*
* CDC Network only sends data in non-default altsettings.
@@ -926,8 +919,7 @@ static int ncm_set_alt(struct usb_functi
net = gether_connect(&ncm->port);
if (IS_ERR(net))
return PTR_ERR(net);
- scoped_guard(mutex, &opts->lock)
- opts->net = net;
+ ncm->netdev = net;
}
spin_lock(&ncm->lock);
@@ -1374,16 +1366,14 @@ err:
static void ncm_disable(struct usb_function *f)
{
struct f_ncm *ncm = func_to_ncm(f);
- struct f_ncm_opts *opts = func_to_ncm_opts(f);
struct usb_composite_dev *cdev = f->config->cdev;
DBG(cdev, "ncm deactivated\n");
- scoped_guard(mutex, &opts->lock)
- if (opts->net) {
- opts->net = NULL;
- gether_disconnect(&ncm->port);
- }
+ if (ncm->netdev) {
+ ncm->netdev = NULL;
+ gether_disconnect(&ncm->port);
+ }
if (ncm->notify->enabled) {
usb_ep_disable(ncm->notify);
@@ -1443,44 +1433,39 @@ static int ncm_bind(struct usb_configura
{
struct usb_composite_dev *cdev = c->cdev;
struct f_ncm *ncm = func_to_ncm(f);
- struct f_ncm_opts *ncm_opts = func_to_ncm_opts(f);
struct usb_string *us;
int status = 0;
struct usb_ep *ep;
+ struct f_ncm_opts *ncm_opts;
struct usb_os_desc_table *os_desc_table __free(kfree) = NULL;
- struct net_device *netdev __free(free_gether_netdev) = NULL;
struct usb_request *request __free(free_usb_request) = NULL;
if (!can_support_ecm(cdev->gadget))
return -EINVAL;
+ ncm_opts = container_of(f->fi, struct f_ncm_opts, func_inst);
+
if (cdev->use_os_string) {
os_desc_table = kzalloc(sizeof(*os_desc_table), GFP_KERNEL);
if (!os_desc_table)
return -ENOMEM;
}
- netdev = gether_setup_default();
- if (IS_ERR(netdev))
- return -ENOMEM;
-
- scoped_guard(mutex, &ncm_opts->lock) {
- gether_apply_opts(netdev, &ncm_opts->net_opts);
- netdev->mtu = ncm_opts->max_segment_size - ETH_HLEN;
+ mutex_lock(&ncm_opts->lock);
+ gether_set_gadget(ncm_opts->net, cdev->gadget);
+ if (!ncm_opts->bound) {
+ ncm_opts->net->mtu = (ncm_opts->max_segment_size - ETH_HLEN);
+ status = gether_register_netdev(ncm_opts->net);
}
+ mutex_unlock(&ncm_opts->lock);
- gether_set_gadget(netdev, cdev->gadget);
- status = gether_register_netdev(netdev);
if (status)
return status;
- /* export host's Ethernet address in CDC format */
- status = gether_get_host_addr_cdc(netdev, ncm->ethaddr,
- sizeof(ncm->ethaddr));
- if (status < 12)
- return -EINVAL;
- ncm_string_defs[STRING_MAC_IDX].s = ncm->ethaddr;
+ ncm_opts->bound = true;
+
+ ncm_string_defs[1].s = ncm->ethaddr;
us = usb_gstrings_attach(cdev, ncm_strings,
ARRAY_SIZE(ncm_string_defs));
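Review bot: `ncm_opts->bound = true;` is written after `mutex_unlock(&ncm_opts->lock)`, while the `if (!ncm_opts->bound)` test that decides whether to call gether_register_netdev() runs under that lock. A second bind of the same function instance that takes the lock in between still sees `bound` as false and registers the net_device again. Setting the flag inside the locked region, right after a successful gether_register_netdev(), closes that gap. The hunk also replaces `ncm_string_defs[STRING_MAC_IDX].s` with the bare index `ncm_string_defs[1].s`; keeping the named index is preferable if the constant still exists after the revert.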
@@ -1578,8 +1563,6 @@ static int ncm_bind(struct usb_configura
f->os_desc_n = 1;
}
ncm->notify_req = no_free_ptr(request);
- ncm->netdev = no_free_ptr(netdev);
- ncm->port.ioport = netdev_priv(ncm->netdev);
DBG(cdev, "CDC Network: IN/%s OUT/%s NOTIFY/%s\n",
ncm->port.in_ep->name, ncm->port.out_ep->name,
@@ -1594,19 +1577,19 @@ static inline struct f_ncm_opts *to_f_nc
}
/* f_ncm_item_ops */
-USB_ETHER_OPTS_ITEM(ncm);
+USB_ETHERNET_CONFIGFS_ITEM(ncm);
/* f_ncm_opts_dev_addr */
-USB_ETHER_OPTS_ATTR_DEV_ADDR(ncm);
+USB_ETHERNET_CONFIGFS_ITEM_ATTR_DEV_ADDR(ncm);
/* f_ncm_opts_host_addr */
-USB_ETHER_OPTS_ATTR_HOST_ADDR(ncm);
+USB_ETHERNET_CONFIGFS_ITEM_ATTR_HOST_ADDR(ncm);
/* f_ncm_opts_qmult */
-USB_ETHER_OPTS_ATTR_QMULT(ncm);
+USB_ETHERNET_CONFIGFS_ITEM_ATTR_QMULT(ncm);
/* f_ncm_opts_ifname */
-USB_ETHER_OPTS_ATTR_IFNAME(ncm);
+USB_ETHERNET_CONFIGFS_ITEM_ATTR_IFNAME(ncm);
static ssize_t ncm_opts_max_segment_size_show(struct config_item *item,
char *page)
@@ -1672,27 +1655,34 @@ static void ncm_free_inst(struct usb_fun
struct f_ncm_opts *opts;
opts = container_of(f, struct f_ncm_opts, func_inst);
+ if (opts->bound)
+ gether_cleanup(netdev_priv(opts->net));
+ else
+ free_netdev(opts->net);
kfree(opts->ncm_interf_group);
kfree(opts);
}
static struct usb_function_instance *ncm_alloc_inst(void)
{
- struct usb_function_instance *ret;
+ struct f_ncm_opts *opts;
struct usb_os_desc *descs[1];
char *names[1];
struct config_group *ncm_interf_group;
- struct f_ncm_opts *opts __free(kfree) = kzalloc(sizeof(*opts), GFP_KERNEL);
+ opts = kzalloc(sizeof(*opts), GFP_KERNEL);
if (!opts)
return ERR_PTR(-ENOMEM);
-
- opts->net = NULL;
opts->ncm_os_desc.ext_compat_id = opts->ncm_ext_compat_id;
- gether_setup_opts_default(&opts->net_opts, "usb");
mutex_init(&opts->lock);
opts->func_inst.free_func_inst = ncm_free_inst;
+ opts->net = gether_setup_default();
+ if (IS_ERR(opts->net)) {
+ struct net_device *net = opts->net;
+ kfree(opts);
+ return ERR_CAST(net);
+ }
opts->max_segment_size = ETH_FRAME_LEN;
INIT_LIST_HEAD(&opts->ncm_os_desc.ext_prop);
@@ -1703,22 +1693,26 @@ static struct usb_function_instance *ncm
ncm_interf_group =
usb_os_desc_prepare_interf_dir(&opts->func_inst.group, 1, descs,
names, THIS_MODULE);
- if (IS_ERR(ncm_interf_group))
+ if (IS_ERR(ncm_interf_group)) {
+ ncm_free_inst(&opts->func_inst);
return ERR_CAST(ncm_interf_group);
+ }
opts->ncm_interf_group = ncm_interf_group;
- ret = &opts->func_inst;
- retain_and_null_ptr(opts);
- return ret;
+ return &opts->func_inst;
}
static void ncm_free(struct usb_function *f)
{
- struct f_ncm_opts *opts = func_to_ncm_opts(f);
+ struct f_ncm *ncm;
+ struct f_ncm_opts *opts;
- scoped_guard(mutex, &opts->lock)
- opts->refcnt--;
- kfree(func_to_ncm(f));
+ ncm = func_to_ncm(f);
+ opts = container_of(f->fi, struct f_ncm_opts, func_inst);
+ kfree(ncm);
+ mutex_lock(&opts->lock);
+ opts->refcnt--;
+ mutex_unlock(&opts->lock);
}
static void ncm_unbind(struct usb_configuration *c, struct usb_function *f)
@@ -1742,15 +1736,13 @@ static void ncm_unbind(struct usb_config
kfree(ncm->notify_req->buf);
usb_ep_free_request(ncm->notify, ncm->notify_req);
-
- ncm->port.ioport = NULL;
- gether_cleanup(netdev_priv(ncm->netdev));
}
static struct usb_function *ncm_alloc(struct usb_function_instance *fi)
{
struct f_ncm *ncm;
struct f_ncm_opts *opts;
+ int status;
/* allocate and initialize one new instance */
ncm = kzalloc(sizeof(*ncm), GFP_KERNEL);
@@ -1758,12 +1750,22 @@ static struct usb_function *ncm_alloc(st
return ERR_PTR(-ENOMEM);
opts = container_of(fi, struct f_ncm_opts, func_inst);
+ mutex_lock(&opts->lock);
+ opts->refcnt++;
- scoped_guard(mutex, &opts->lock)
- opts->refcnt++;
+ /* export host's Ethernet address in CDC format */
+ status = gether_get_host_addr_cdc(opts->net, ncm->ethaddr,
+ sizeof(ncm->ethaddr));
+ if (status < 12) { /* strlen("01234567890a") */
+ kfree(ncm);
+ mutex_unlock(&opts->lock);
+ return ERR_PTR(-EINVAL);
+ }
spin_lock_init(&ncm->lock);
ncm_reset_values(ncm);
+ ncm->port.ioport = netdev_priv(opts->net);
+ mutex_unlock(&opts->lock);
ncm->port.is_fixed = true;
ncm->port.supports_multi_frame = true;
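Review bot: The `status < 12` failure branch in ncm_alloc() returns with opts->refcnt still incremented. `opts->refcnt++` runs before gether_get_host_addr_cdc(), and the branch only does kfree(ncm) and mutex_unlock(&opts->lock) before returning ERR_PTR(-EINVAL), so the instance keeps looking in use after a failed allocation. Either decrement refcnt in that branch before the unlock or move the increment below the check. Since this is a revert that restores older code, the fix probably belongs in a follow-up upstream rather than in this backport.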
--- a/drivers/usb/gadget/function/u_ncm.h
+++ b/drivers/usb/gadget/function/u_ncm.h
@@ -15,13 +15,11 @@
#include <linux/usb/composite.h>
-#include "u_ether.h"
-
struct f_ncm_opts {
struct usb_function_instance func_inst;
struct net_device *net;
+ bool bound;
- struct gether_opts net_opts;
struct config_group *ncm_interf_group;
struct usb_os_desc ncm_os_desc;
char ncm_ext_compat_id[16];
* [PATCH 6.19 171/378] Revert "usb: gadget: u_ether: add gether_opts for config caching"
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 170/378] Revert "usb: gadget: f_ncm: align net_device lifecycle with bind/unbind" Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 172/378] usb: gadget: f_ncm: Fix net_device lifecycle with device_move Greg Kroah-Hartman
` (213 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Heidelberg, stable,
Kuen-Han Tsai
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuen-Han Tsai <khtsai@google.com>
commit 3131c1aff7cdffb96239f06f98e16188cbc2083f upstream.
This reverts commit e065c6a7e46c2ee9c677fdbf50035323d2de1215.
This commit is being reverted as part of a series-wide revert.
By deferring the net_device allocation to the bind() phase, a single
function instance will spawn multiple network devices if it is symlinked
to multiple USB configurations.
This causes regressions for userspace tools (like the postmarketOS DHCP
daemon) that rely on reading the interface name (e.g., "usb0") from
configfs. Currently, configfs returns the template "usb%d", causing the
userspace network setup to fail.
Crucially, because this patch breaks the 1:1 mapping between the
function instance and the network device, this naming issue cannot
simply be patched. Configfs only exposes a single 'ifname' attribute per
instance, making it impossible to accurately report the actual interface
name when multiple underlying network devices can exist for that single
instance.
All configurations tied to the same function instance are meant to share
a single network device. Revert this change to restore the 1:1 mapping
by allocating the network device at the instance level (alloc_inst).
Reported-by: David Heidelberg <david@ixit.cz>
Closes: https://lore.kernel.org/linux-usb/70b558ea-a12e-4170-9b8e-c951131249af@ixit.cz/
Fixes: 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind")
Cc: stable <stable@kernel.org>
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20260309-f-ncm-revert-v2-6-ea2afbc7d9b2@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/u_ether.c | 30 ----
drivers/usb/gadget/function/u_ether.h | 28 ---
drivers/usb/gadget/function/u_ether_configfs.h | 176 -------------------------
3 files changed, 234 deletions(-)
--- a/drivers/usb/gadget/function/u_ether.c
+++ b/drivers/usb/gadget/function/u_ether.c
@@ -1039,36 +1039,6 @@ int gether_set_ifname(struct net_device
}
EXPORT_SYMBOL_GPL(gether_set_ifname);
-void gether_setup_opts_default(struct gether_opts *opts, const char *name)
-{
- opts->qmult = QMULT_DEFAULT;
- snprintf(opts->name, sizeof(opts->name), "%s%%d", name);
- eth_random_addr(opts->dev_mac);
- opts->addr_assign_type = NET_ADDR_RANDOM;
- eth_random_addr(opts->host_mac);
-}
-EXPORT_SYMBOL_GPL(gether_setup_opts_default);
-
-void gether_apply_opts(struct net_device *net, struct gether_opts *opts)
-{
- struct eth_dev *dev = netdev_priv(net);
-
- dev->qmult = opts->qmult;
-
- if (opts->ifname_set) {
- strscpy(net->name, opts->name, sizeof(net->name));
- dev->ifname_set = true;
- }
-
- memcpy(dev->host_mac, opts->host_mac, sizeof(dev->host_mac));
-
- if (opts->addr_assign_type == NET_ADDR_SET) {
- memcpy(dev->dev_mac, opts->dev_mac, sizeof(dev->dev_mac));
- net->addr_assign_type = opts->addr_assign_type;
- }
-}
-EXPORT_SYMBOL_GPL(gether_apply_opts);
-
void gether_suspend(struct gether *link)
{
struct eth_dev *dev = link->ioport;
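Review bot: This hunk deletes gether_setup_opts_default() and gether_apply_opts() together with their EXPORT_SYMBOL_GPL lines, so the tree only builds if every caller is already gone. The f_ncm call to gether_setup_opts_default() is dropped in 170/378, which makes the ordering inside the series matter for bisection. Please confirm that no other function driver in linux-6.19.y uses either helper before this is applied.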
--- a/drivers/usb/gadget/function/u_ether.h
+++ b/drivers/usb/gadget/function/u_ether.h
@@ -38,31 +38,6 @@
struct eth_dev;
-/**
- * struct gether_opts - Options for Ethernet gadget function instances
- * @name: Pattern for the network interface name (e.g., "usb%d").
- * Used to generate the net device name.
- * @qmult: Queue length multiplier for high/super speed.
- * @host_mac: The MAC address to be used by the host side.
- * @dev_mac: The MAC address to be used by the device side.
- * @ifname_set: True if the interface name pattern has been set by userspace.
- * @addr_assign_type: The method used for assigning the device MAC address
- * (e.g., NET_ADDR_RANDOM, NET_ADDR_SET).
- *
- * This structure caches network-related settings provided through configfs
- * before the net_device is fully instantiated. This allows for early
- * configuration while deferring net_device allocation until the function
- * is bound.
- */
-struct gether_opts {
- char name[IFNAMSIZ];
- unsigned int qmult;
- u8 host_mac[ETH_ALEN];
- u8 dev_mac[ETH_ALEN];
- bool ifname_set;
- unsigned char addr_assign_type;
-};
-
/*
* This represents the USB side of an "ethernet" link, managed by a USB
* function which provides control and (maybe) framing. Two functions
@@ -284,9 +259,6 @@ int gether_set_ifname(struct net_device
void gether_cleanup(struct eth_dev *dev);
-void gether_setup_opts_default(struct gether_opts *opts, const char *name);
-void gether_apply_opts(struct net_device *net, struct gether_opts *opts);
-
void gether_suspend(struct gether *link);
void gether_resume(struct gether *link);
--- a/drivers/usb/gadget/function/u_ether_configfs.h
+++ b/drivers/usb/gadget/function/u_ether_configfs.h
@@ -13,12 +13,6 @@
#ifndef __U_ETHER_CONFIGFS_H
#define __U_ETHER_CONFIGFS_H
-#include <linux/cleanup.h>
-#include <linux/if_ether.h>
-#include <linux/mutex.h>
-#include <linux/netdevice.h>
-#include <linux/rtnetlink.h>
-
#define USB_ETHERNET_CONFIGFS_ITEM(_f_) \
static void _f_##_attr_release(struct config_item *item) \
{ \
@@ -203,174 +197,4 @@ out: \
\
CONFIGFS_ATTR(_f_##_opts_, _n_)
-#define USB_ETHER_OPTS_ITEM(_f_) \
- static void _f_##_attr_release(struct config_item *item) \
- { \
- struct f_##_f_##_opts *opts = to_f_##_f_##_opts(item); \
- \
- usb_put_function_instance(&opts->func_inst); \
- } \
- \
- static struct configfs_item_operations _f_##_item_ops = { \
- .release = _f_##_attr_release, \
- }
-
-#define USB_ETHER_OPTS_ATTR_DEV_ADDR(_f_) \
- static ssize_t _f_##_opts_dev_addr_show(struct config_item *item, \
- char *page) \
- { \
- struct f_##_f_##_opts *opts = to_f_##_f_##_opts(item); \
- \
- guard(mutex)(&opts->lock); \
- return sysfs_emit(page, "%pM\n", opts->net_opts.dev_mac); \
- } \
- \
- static ssize_t _f_##_opts_dev_addr_store(struct config_item *item, \
- const char *page, size_t len) \
- { \
- struct f_##_f_##_opts *opts = to_f_##_f_##_opts(item); \
- u8 new_addr[ETH_ALEN]; \
- const char *p = page; \
- \
- guard(mutex)(&opts->lock); \
- if (opts->refcnt) \
- return -EBUSY; \
- \
- for (int i = 0; i < ETH_ALEN; i++) { \
- unsigned char num; \
- if ((*p == '.') || (*p == ':')) \
- p++; \
- num = hex_to_bin(*p++) << 4; \
- num |= hex_to_bin(*p++); \
- new_addr[i] = num; \
- } \
- if (!is_valid_ether_addr(new_addr)) \
- return -EINVAL; \
- memcpy(opts->net_opts.dev_mac, new_addr, ETH_ALEN); \
- opts->net_opts.addr_assign_type = NET_ADDR_SET; \
- return len; \
- } \
- \
- CONFIGFS_ATTR(_f_##_opts_, dev_addr)
-
-#define USB_ETHER_OPTS_ATTR_HOST_ADDR(_f_) \
- static ssize_t _f_##_opts_host_addr_show(struct config_item *item, \
- char *page) \
- { \
- struct f_##_f_##_opts *opts = to_f_##_f_##_opts(item); \
- \
- guard(mutex)(&opts->lock); \
- return sysfs_emit(page, "%pM\n", opts->net_opts.host_mac); \
- } \
- \
- static ssize_t _f_##_opts_host_addr_store(struct config_item *item, \
- const char *page, size_t len) \
- { \
- struct f_##_f_##_opts *opts = to_f_##_f_##_opts(item); \
- u8 new_addr[ETH_ALEN]; \
- const char *p = page; \
- \
- guard(mutex)(&opts->lock); \
- if (opts->refcnt) \
- return -EBUSY; \
- \
- for (int i = 0; i < ETH_ALEN; i++) { \
- unsigned char num; \
- if ((*p == '.') || (*p == ':')) \
- p++; \
- num = hex_to_bin(*p++) << 4; \
- num |= hex_to_bin(*p++); \
- new_addr[i] = num; \
- } \
- if (!is_valid_ether_addr(new_addr)) \
- return -EINVAL; \
- memcpy(opts->net_opts.host_mac, new_addr, ETH_ALEN); \
- return len; \
- } \
- \
- CONFIGFS_ATTR(_f_##_opts_, host_addr)
-
-#define USB_ETHER_OPTS_ATTR_QMULT(_f_) \
- static ssize_t _f_##_opts_qmult_show(struct config_item *item, \
- char *page) \
- { \
- struct f_##_f_##_opts *opts = to_f_##_f_##_opts(item); \
- \
- guard(mutex)(&opts->lock); \
- return sysfs_emit(page, "%u\n", opts->net_opts.qmult); \
- } \
- \
- static ssize_t _f_##_opts_qmult_store(struct config_item *item, \
- const char *page, size_t len) \
- { \
- struct f_##_f_##_opts *opts = to_f_##_f_##_opts(item); \
- u32 val; \
- int ret; \
- \
- guard(mutex)(&opts->lock); \
- if (opts->refcnt) \
- return -EBUSY; \
- \
- ret = kstrtou32(page, 0, &val); \
- if (ret) \
- return ret; \
- \
- opts->net_opts.qmult = val; \
- return len; \
- } \
- \
- CONFIGFS_ATTR(_f_##_opts_, qmult)
-
-#define USB_ETHER_OPTS_ATTR_IFNAME(_f_) \
- static ssize_t _f_##_opts_ifname_show(struct config_item *item, \
- char *page) \
- { \
- struct f_##_f_##_opts *opts = to_f_##_f_##_opts(item); \
- const char *name; \
- \
- guard(mutex)(&opts->lock); \
- rtnl_lock(); \
- if (opts->net_opts.ifname_set) \
- name = opts->net_opts.name; \
- else if (opts->net) \
- name = netdev_name(opts->net); \
- else \
- name = "(inactive net_device)"; \
- rtnl_unlock(); \
- return sysfs_emit(page, "%s\n", name); \
- } \
- \
- static ssize_t _f_##_opts_ifname_store(struct config_item *item, \
- const char *page, size_t len) \
- { \
- struct f_##_f_##_opts *opts = to_f_##_f_##_opts(item); \
- char tmp[IFNAMSIZ]; \
- const char *p; \
- size_t c_len = len; \
- \
- if (c_len > 0 && page[c_len - 1] == '\n') \
- c_len--; \
- \
- if (c_len >= sizeof(tmp)) \
- return -E2BIG; \
- \
- strscpy(tmp, page, c_len + 1); \
- if (!dev_valid_name(tmp)) \
- return -EINVAL; \
- \
- /* Require exactly one %d */ \
- p = strchr(tmp, '%'); \
- if (!p || p[1] != 'd' || strchr(p + 2, '%')) \
- return -EINVAL; \
- \
- guard(mutex)(&opts->lock); \
- if (opts->refcnt) \
- return -EBUSY; \
- strscpy(opts->net_opts.name, tmp, sizeof(opts->net_opts.name)); \
- opts->net_opts.ifname_set = true; \
- return len; \
- } \
- \
- CONFIGFS_ATTR(_f_##_opts_, ifname)
-
#endif /* __U_ETHER_CONFIGFS_H */
* [PATCH 6.19 172/378] usb: gadget: f_ncm: Fix net_device lifecycle with device_move
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 171/378] Revert "usb: gadget: u_ether: add gether_opts for config caching" Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 173/378] mm/tracing: rss_stat: ensure curr is false from kthread context Greg Kroah-Hartman
` (212 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Kuen-Han Tsai
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuen-Han Tsai <khtsai@google.com>
commit ec35c1969650e7cb6c8a91020e568ed46e3551b0 upstream.
The network device outlived its parent gadget device during
disconnection, resulting in dangling sysfs links and null pointer
dereference problems.
A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1]
was reverted due to power management ordering concerns and a NO-CARRIER
regression.
A subsequent attempt to defer net_device allocation to bind [2] broke
1:1 mapping between function instance and network device, making it
impossible for configfs to report the resolved interface name. This
results in a regression where the DHCP server fails on pmOS.
Use device_move to reparent the net_device between the gadget device and
/sys/devices/virtual/ across bind/unbind cycles. This preserves the
network interface across USB reconnection, allowing the DHCP server to
retain its binding.
Introduce gether_attach_gadget()/gether_detach_gadget() helpers and use
__free(detach_gadget) macro to undo attachment on bind failure. The
bind_count ensures device_move executes only on the first bind.
[1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel@crapouillou.net/
[2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit.cz/
Fixes: 40d133d7f542 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility")
Cc: stable <stable@kernel.org>
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20260309-f-ncm-revert-v2-7-ea2afbc7d9b2@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_ncm.c | 38 ++++++++++++++++++++++------------
drivers/usb/gadget/function/u_ether.c | 22 +++++++++++++++++++
drivers/usb/gadget/function/u_ether.h | 26 +++++++++++++++++++++++
drivers/usb/gadget/function/u_ncm.h | 2 -
4 files changed, 74 insertions(+), 14 deletions(-)
--- a/drivers/usb/gadget/function/f_ncm.c
+++ b/drivers/usb/gadget/function/f_ncm.c
@@ -1439,6 +1439,7 @@ static int ncm_bind(struct usb_configura
struct f_ncm_opts *ncm_opts;
struct usb_os_desc_table *os_desc_table __free(kfree) = NULL;
+ struct net_device *net __free(detach_gadget) = NULL;
struct usb_request *request __free(free_usb_request) = NULL;
if (!can_support_ecm(cdev->gadget))
@@ -1452,18 +1453,19 @@ static int ncm_bind(struct usb_configura
return -ENOMEM;
}
- mutex_lock(&ncm_opts->lock);
- gether_set_gadget(ncm_opts->net, cdev->gadget);
- if (!ncm_opts->bound) {
- ncm_opts->net->mtu = (ncm_opts->max_segment_size - ETH_HLEN);
- status = gether_register_netdev(ncm_opts->net);
- }
- mutex_unlock(&ncm_opts->lock);
-
- if (status)
- return status;
-
- ncm_opts->bound = true;
+ scoped_guard(mutex, &ncm_opts->lock)
+ if (ncm_opts->bind_count == 0) {
+ if (!device_is_registered(&ncm_opts->net->dev)) {
+ ncm_opts->net->mtu = (ncm_opts->max_segment_size - ETH_HLEN);
+ gether_set_gadget(ncm_opts->net, cdev->gadget);
+ status = gether_register_netdev(ncm_opts->net);
+ } else
+ status = gether_attach_gadget(ncm_opts->net, cdev->gadget);
+
+ if (status)
+ return status;
+ net = ncm_opts->net;
+ }
ncm_string_defs[1].s = ncm->ethaddr;
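Review bot: The body of `scoped_guard(mutex, &ncm_opts->lock)` in ncm_bind() is a multi-line `if` with no braces around it, and the inner `if (!device_is_registered(...)) { ... } else` has braces on one branch only. Kernel style asks for braces on both branches when either needs them, and bracing the scoped_guard body would make it obvious that `return status` and `net = ncm_opts->net` execute with the mutex held. The line assigning ncm_opts->net->mtu also runs well past the usual width at this nesting depth.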
@@ -1564,6 +1566,9 @@ static int ncm_bind(struct usb_configura
}
ncm->notify_req = no_free_ptr(request);
+ ncm_opts->bind_count++;
+ retain_and_null_ptr(net);
+
DBG(cdev, "CDC Network: IN/%s OUT/%s NOTIFY/%s\n",
ncm->port.in_ep->name, ncm->port.out_ep->name,
ncm->notify->name);
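Review bot: `ncm_opts->bind_count++` at the end of ncm_bind() is done without ncm_opts->lock, while the `bind_count == 0` test at the top of the same function runs under scoped_guard(mutex, &ncm_opts->lock), and the decrement in ncm_unbind() is unlocked as well. If bind and unbind are already serialised by the composite layer, a comment on the bind_count member in u_ncm.h should say so; otherwise the increment and decrement need the same lock as the test.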
@@ -1655,7 +1660,7 @@ static void ncm_free_inst(struct usb_fun
struct f_ncm_opts *opts;
opts = container_of(f, struct f_ncm_opts, func_inst);
- if (opts->bound)
+ if (device_is_registered(&opts->net->dev))
gether_cleanup(netdev_priv(opts->net));
else
free_netdev(opts->net);
@@ -1718,9 +1723,12 @@ static void ncm_free(struct usb_function
static void ncm_unbind(struct usb_configuration *c, struct usb_function *f)
{
struct f_ncm *ncm = func_to_ncm(f);
+ struct f_ncm_opts *ncm_opts;
DBG(c->cdev, "ncm unbind\n");
+ ncm_opts = container_of(f->fi, struct f_ncm_opts, func_inst);
+
hrtimer_cancel(&ncm->task_timer);
kfree(f->os_desc_table);
@@ -1736,6 +1744,10 @@ static void ncm_unbind(struct usb_config
kfree(ncm->notify_req->buf);
usb_ep_free_request(ncm->notify, ncm->notify_req);
+
+ ncm_opts->bind_count--;
+ if (ncm_opts->bind_count == 0)
+ gether_detach_gadget(ncm_opts->net);
}
static struct usb_function *ncm_alloc(struct usb_function_instance *fi)
--- a/drivers/usb/gadget/function/u_ether.c
+++ b/drivers/usb/gadget/function/u_ether.c
@@ -896,6 +896,28 @@ void gether_set_gadget(struct net_device
}
EXPORT_SYMBOL_GPL(gether_set_gadget);
+int gether_attach_gadget(struct net_device *net, struct usb_gadget *g)
+{
+ int ret;
+
+ ret = device_move(&net->dev, &g->dev, DPM_ORDER_DEV_AFTER_PARENT);
+ if (ret)
+ return ret;
+
+ gether_set_gadget(net, g);
+ return 0;
+}
+EXPORT_SYMBOL_GPL(gether_attach_gadget);
+
+void gether_detach_gadget(struct net_device *net)
+{
+ struct eth_dev *dev = netdev_priv(net);
+
+ device_move(&net->dev, NULL, DPM_ORDER_NONE);
+ dev->gadget = NULL;
+}
+EXPORT_SYMBOL_GPL(gether_detach_gadget);
+
int gether_set_dev_addr(struct net_device *net, const char *dev_addr)
{
struct eth_dev *dev;
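Review bot: gether_detach_gadget() discards the return value of device_move(&net->dev, NULL, DPM_ORDER_NONE) and clears dev->gadget regardless. If the move fails, the net_device stays parented to the gadget device while the driver state says it is detached, which is the dangling-parent situation the commit message sets out to remove. The function is void because it backs the __free(detach_gadget) cleanup, so returning the error is not an option, but the failure should at least be logged or wrapped in WARN_ON().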
--- a/drivers/usb/gadget/function/u_ether.h
+++ b/drivers/usb/gadget/function/u_ether.h
@@ -151,6 +151,32 @@ static inline struct net_device *gether_
void gether_set_gadget(struct net_device *net, struct usb_gadget *g);
/**
+ * gether_attach_gadget - Reparent net_device to the gadget device.
+ * @net: The network device to reparent.
+ * @g: The target USB gadget device to parent to.
+ *
+ * This function moves the network device to be a child of the USB gadget
+ * device in the device hierarchy. This is typically done when the function
+ * is bound to a configuration.
+ *
+ * Returns 0 on success, or a negative error code on failure.
+ */
+int gether_attach_gadget(struct net_device *net, struct usb_gadget *g);
+
+/**
+ * gether_detach_gadget - Detach net_device from its gadget parent.
+ * @net: The network device to detach.
+ *
+ * This function moves the network device to be a child of the virtual
+ * devices parent, effectively detaching it from the USB gadget device
+ * hierarchy. This is typically done when the function is unbound
+ * from a configuration but the instance is not yet freed.
+ */
+void gether_detach_gadget(struct net_device *net);
+
+DEFINE_FREE(detach_gadget, struct net_device *, if (_T) gether_detach_gadget(_T))
+
+/**
* gether_set_dev_addr - initialize an ethernet-over-usb link with eth address
* @net: device representing this link
* @dev_addr: eth address of this device
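Review bot: DEFINE_FREE(detach_gadget, ...) is added to u_ether.h but the hunk adds no include of <linux/cleanup.h>, so the header depends on whatever its users pulled in first; 171/378 in this series removes that include from u_ether_configfs.h. Please add the include here so the header is self-contained. As a smaller point, the kernel-doc for gether_attach_gadget() uses "Returns 0 on success" where the documented form is a "Return:" section.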
--- a/drivers/usb/gadget/function/u_ncm.h
+++ b/drivers/usb/gadget/function/u_ncm.h
@@ -18,7 +18,7 @@
struct f_ncm_opts {
struct usb_function_instance func_inst;
struct net_device *net;
- bool bound;
+ int bind_count;
struct config_group *ncm_interf_group;
struct usb_os_desc ncm_os_desc;
* [PATCH 6.19 173/378] mm/tracing: rss_stat: ensure curr is false from kthread context
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 172/378] usb: gadget: f_ncm: Fix net_device lifecycle with device_move Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 174/378] ceph: fix i_nlink underrun during async unlink Greg Kroah-Hartman
` (211 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kalesh Singh, Zi Yan, SeongJae Park,
Pedro Falcato, David Hildenbrand (Arm), Joel Fernandes,
Lorenzo Stoakes, Minchan Kim, Steven Rostedt, Suren Baghdasaryan,
Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kalesh Singh <kaleshsingh@google.com>
commit 079c24d5690262e83ee476e2a548e416f3237511 upstream.
The rss_stat trace event allows userspace tools, like Perfetto [1], to
inspect per-process RSS metric changes over time.
The curr field was introduced to rss_stat in commit e4dcad204d3a
("rss_stat: add support to detect RSS updates of external mm"). Its
intent is to indicate whether the RSS update is for the mm_struct of the
current execution context; and is set to false when operating on a remote
mm_struct (e.g., via kswapd or a direct reclaimer).
However, an issue arises when a kernel thread temporarily adopts a user
process's mm_struct. Kernel threads do not have their own mm_struct and
normally have current->mm set to NULL. To operate on user memory, they
can "borrow" a memory context using kthread_use_mm(), which sets
current->mm to the user process's mm.
This can be observed, for example, in the USB Function Filesystem (FFS)
driver. The ffs_user_copy_worker() handles AIO completions and uses
kthread_use_mm() to copy data to a user-space buffer. If a page fault
occurs during this copy, the fault handler executes in the kthread's
context.
At this point, current is the kthread, but current->mm points to the user
process's mm. Since the rss_stat event (from the page fault) is for that
same mm, the condition current->mm == mm becomes true, causing curr to be
incorrectly set to true when the trace event is emitted.
This is misleading because it suggests the mm belongs to the kthread,
confusing userspace tools that track per-process RSS changes and
corrupting their mm_id-to-process association.
Fix this by ensuring curr is always false when the trace event is emitted
from a kthread context by checking for the PF_KTHREAD flag.
Link: https://lkml.kernel.org/r/20260219233708.1971199-1-kaleshsingh@google.com
Link: https://perfetto.dev/ [1]
Fixes: e4dcad204d3a ("rss_stat: add support to detect RSS updates of external mm")
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
Acked-by: Zi Yan <ziy@nvidia.com>
Acked-by: SeongJae Park <sj@kernel.org>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Cc: "David Hildenbrand (Arm)" <david@kernel.org>
Cc: Joel Fernandes <joel@joelfernandes.org>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: <stable@vger.kernel.org> [5.10+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/trace/events/kmem.h | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/include/trace/events/kmem.h
+++ b/include/trace/events/kmem.h
@@ -440,7 +440,13 @@ TRACE_EVENT(rss_stat,
TP_fast_assign(
__entry->mm_id = mm_ptr_to_hash(mm);
- __entry->curr = !!(current->mm == mm);
+ /*
+ * curr is true if the mm matches the current task's mm_struct.
+ * Since kthreads (PF_KTHREAD) have no mm_struct of their own
+ * but can borrow one via kthread_use_mm(), we must filter them
+ * out to avoid incorrectly attributing the RSS update to them.
+ */
+ __entry->curr = current->mm == mm && !(current->flags & PF_KTHREAD);
__entry->member = member;
__entry->size = (percpu_counter_sum_positive(&mm->rss_stat[member])
<< PAGE_SHIFT);
* [PATCH 6.19 174/378] ceph: fix i_nlink underrun during async unlink
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 173/378] mm/tracing: rss_stat: ensure curr is false from kthread context Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 175/378] ceph: do not skip the first folio of the next object in writeback Greg Kroah-Hartman
` (210 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Kellermann, Viacheslav Dubeyko,
Ilya Dryomov
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Kellermann <max.kellermann@ionos.com>
commit ce0123cbb4a40a2f1bbb815f292b26e96088639f upstream.
During async unlink, we drop the `i_nlink` counter before we receive
the completion (that will eventually update the `i_nlink`) because "we
assume that the unlink will succeed". That is not a bad idea, but it
races against deletions by other clients (or against the completion of
our own unlink) and can lead to an underrun which emits a WARNING like
this one:
WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68
Modules linked in:
CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655
Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : drop_nlink+0x50/0x68
lr : ceph_unlink+0x6c4/0x720
sp : ffff80012173bc90
x29: ffff80012173bc90 x28: ffff086d0a45aaf8 x27: ffff0871d0eb5680
x26: ffff087f2a64a718 x25: 0000020000000180 x24: 0000000061c88647
x23: 0000000000000002 x22: ffff07ff9236d800 x21: 0000000000001203
x20: ffff07ff9237b000 x19: ffff088b8296afc0 x18: 00000000f3c93365
x17: 0000000000070000 x16: ffff08faffcbdfe8 x15: ffff08faffcbdfec
x14: 0000000000000000 x13: 45445f65645f3037 x12: 34385f6369706f74
x11: 0000a2653104bb20 x10: ffffd85f26d73290 x9 : ffffd85f25664f94
x8 : 00000000000000c0 x7 : 0000000000000000 x6 : 0000000000000002
x5 : 0000000000000081 x4 : 0000000000000481 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff08727d3f91e8
Call trace:
drop_nlink+0x50/0x68 (P)
vfs_unlink+0xb0/0x2e8
do_unlinkat+0x204/0x288
__arm64_sys_unlinkat+0x3c/0x80
invoke_syscall.constprop.0+0x54/0xe8
do_el0_svc+0xa4/0xc8
el0_svc+0x18/0x58
el0t_64_sync_handler+0x104/0x130
el0t_64_sync+0x154/0x158
In ceph_unlink(), a call to ceph_mdsc_submit_request() submits the
CEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion.
Meanwhile, between this call and the following drop_nlink() call, a
worker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or
just a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own
completion). These will lead to a set_nlink() call, updating the
`i_nlink` counter to the value received from the MDS. If that new
`i_nlink` value happens to be zero, it is illegal to decrement it
further. But that is exactly what ceph_unlink() will do then.
The WARNING can be reproduced this way:
1. Force async unlink; only the async code path is affected. Having
no real clue about Ceph internals, I was unable to find out why the
MDS wouldn't give me the "Fxr" capabilities, so I patched
get_caps_for_async_unlink() to always succeed.
(Note that the WARNING dump above was found on an unpatched kernel,
without this kludge - this is not a theoretical bug.)
2. Add a sleep call after ceph_mdsc_submit_request() so the unlink
completion gets handled by a worker thread before drop_nlink() is
called. This guarantees that the `i_nlink` is already zero before
drop_nlink() runs.
The solution is to skip the counter decrement when it is already zero,
but doing so without a lock is still racy (TOCTOU). Since
ceph_fill_inode() and handle_cap_grant() both hold the
`ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this
seems like the proper lock to protect the `i_nlink` updates.
I found prior art in NFS and SMB (using `inode.i_lock`) and AFS (using
`afs_vnode.cb_lock`). All three have the zero check as well.
Cc: stable@vger.kernel.org
Fixes: 2ccb45462aea ("ceph: perform asynchronous unlink if we have sufficient caps")
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/dir.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -1339,6 +1339,7 @@ static int ceph_unlink(struct inode *dir
struct ceph_client *cl = fsc->client;
struct ceph_mds_client *mdsc = fsc->mdsc;
struct inode *inode = d_inode(dentry);
+ struct ceph_inode_info *ci = ceph_inode(inode);
struct ceph_mds_request *req;
bool try_async = ceph_test_mount_opt(fsc, ASYNC_DIROPS);
struct dentry *dn;
@@ -1424,7 +1425,19 @@ retry:
* We have enough caps, so we assume that the unlink
* will succeed. Fix up the target inode and dcache.
*/
- drop_nlink(inode);
+
+ /*
+ * Protect the i_nlink update with i_ceph_lock
+ * to precent racing against ceph_fill_inode()
+ * handling our completion on a worker thread
+ * and don't decrement if i_nlink has already
+ * been updated to zero by this completion.
+ */
+ spin_lock(&ci->i_ceph_lock);
+ if (inode->i_nlink > 0)
+ drop_nlink(inode);
+ spin_unlock(&ci->i_ceph_lock);
+
d_delete(dentry);
} else {
spin_lock(&fsc->async_unlink_conflict_lock);
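Review bot: The new comment above spin_lock(&ci->i_ceph_lock) in ceph_unlink() has a typo, "to precent racing" should read "to prevent racing". The comment also names only ceph_fill_inode() as the racing writer, while the commit message lists handle_cap_grant() as a second set_nlink() caller under the same lock; mentioning both would make the choice of i_ceph_lock easier to follow from the code alone.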
* [PATCH 6.19 175/378] ceph: do not skip the first folio of the next object in writeback
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 174/378] ceph: fix i_nlink underrun during async unlink Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 176/378] ceph: fix memory leaks in ceph_mdsc_build_path() Greg Kroah-Hartman
` (209 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hristo Venev, Viacheslav Dubeyko,
Ilya Dryomov
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hristo Venev <hristo@venev.name>
commit 081a0b78ef30f5746cda3e92e28b4d4ae92901d1 upstream.
When `ceph_process_folio_batch` encounters a folio past the end of the
current object, it should leave it in the batch so that it is picked up
in the next iteration.
Removing the folio from the batch means that it does not get written
back and remains dirty instead. This makes `fsync()` silently skip some
of the data, delays capability release, and breaks coherence with
`O_DIRECT`.
The link below contains instructions for reproducing the bug.
Cc: stable@vger.kernel.org
Fixes: ce80b76dd327 ("ceph: introduce ceph_process_folio_batch() method")
Link: https://tracker.ceph.com/issues/75156
Signed-off-by: Hristo Venev <hristo@venev.name>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/addr.c | 1 -
1 file changed, 1 deletion(-)
--- a/fs/ceph/addr.c
+++ b/fs/ceph/addr.c
@@ -1330,7 +1330,6 @@ int ceph_process_folio_batch(struct addr
} else if (rc == -E2BIG) {
rc = 0;
folio_unlock(folio);
- ceph_wbc->fbatch.folios[i] = NULL;
break;
}
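Review bot: With the `ceph_wbc->fbatch.folios[i] = NULL;` store removed, the -E2BIG branch of ceph_process_folio_batch() unlocks the folio and breaks while leaving it in the batch, and nothing in the code says this is deliberate. A one-line comment in that branch stating that the folio is left in place so the next iteration picks it up would keep a later cleanup from reintroducing the store.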
* [PATCH 6.19 176/378] ceph: fix memory leaks in ceph_mdsc_build_path()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 175/378] ceph: do not skip the first folio of the next object in writeback Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 177/378] ALSA: usb-audio: Improve Focusrite sample rate filtering Greg Kroah-Hartman
` (208 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Kellermann, Viacheslav Dubeyko,
Ilya Dryomov
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Kellermann <max.kellermann@ionos.com>
commit 040d159a45ded7f33201421a81df0aa2a86e5a0b upstream.
Add __putname() calls to error code paths that did not free the "path"
pointer obtained by __getname(). If ownership of this pointer is not
passed to the caller via path_info.path, the function must free it
before returning.
Cc: stable@vger.kernel.org
Fixes: 3fd945a79e14 ("ceph: encode encrypted name in ceph_mdsc_build_path and dentry release")
Fixes: 550f7ca98ee0 ("ceph: give up on paths longer than PATH_MAX")
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/mds_client.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -2768,6 +2768,7 @@ retry:
if (ret < 0) {
dput(parent);
dput(cur);
+ __putname(path);
return ERR_PTR(ret);
}
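Review bot: the `dput(parent); dput(cur); __putname(path);` sequence now appears in two adjacent error returns (this one and the `len < 0` branch in the next hunk), so any future error path has three releases to remember. A single error label that drops both dentries and frees `path` before returning the `ERR_PTR` would keep the cleanup in one place.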
@@ -2777,6 +2778,7 @@ retry:
if (len < 0) {
dput(parent);
dput(cur);
+ __putname(path);
return ERR_PTR(len);
}
}
@@ -2813,6 +2815,7 @@ retry:
* cannot ever succeed. Creating paths that long is
* possible with Ceph, but Linux cannot use them.
*/
+ __putname(path);
return ERR_PTR(-ENAMETOOLONG);
}
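Review bot: the ownership rule from the commit message (the function frees `path` unless it is handed to the caller through `path_info.path`) is not written down anywhere in the visible code, and this `-ENAMETOOLONG` return sits under a comment that only explains the length limit. A sentence in the function's header comment stating who owns the `__getname()` buffer on each return would make a missing free easier to spot in review.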
* [PATCH 6.19 177/378] ALSA: usb-audio: Improve Focusrite sample rate filtering
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geoffrey D. Bennett, Takashi Iwai,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geoffrey D. Bennett <g@b4.vu>
[ Upstream commit 24d2d3c5f94007a5a0554065ab7349bb69e28bcb ]
Replace the bLength == 10 max_rate check in
focusrite_valid_sample_rate() with filtering that also examines the
bmControls VAL_ALT_SETTINGS bit.
When VAL_ALT_SETTINGS is readable, the device uses strict
per-altsetting rate filtering (only the highest rate pair for that
altsetting is valid). When it is not readable, all rates up to
max_rate are valid.
For devices without the bLength == 10 Format Type descriptor extension
but with VAL_ALT_SETTINGS readable and multiple altsettings (only seen
in Scarlett 18i8 3rd Gen playback), fall back to the Focusrite
convention: alt 1 = 48kHz, alt 2 = 96kHz, alt 3 = 192kHz.
This produces correct rate tables for all tested Focusrite devices
(all Scarlett 2nd, 3rd, and 4th Gen, Clarett+, and Vocaster) using
only USB descriptors, allowing QUIRK_FLAG_VALIDATE_RATES to be removed
for Focusrite in the next commit.
Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/7e18c1f393a6ecb6fc75dd867a2c4dbe135e3e22.1771594828.git.g@b4.vu
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/format.c | 70 ++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 65 insertions(+), 5 deletions(-)
diff --git a/sound/usb/format.c b/sound/usb/format.c
index 64cfe4a9d8cdf..1207c507882ad 100644
--- a/sound/usb/format.c
+++ b/sound/usb/format.c
@@ -305,17 +305,48 @@ static bool s1810c_valid_sample_rate(struct audioformat *fp,
}
/*
- * Many Focusrite devices supports a limited set of sampling rates per
- * altsetting. Maximum rate is exposed in the last 4 bytes of Format Type
- * descriptor which has a non-standard bLength = 10.
+ * Focusrite devices use rate pairs: 44100/48000, 88200/96000, and
+ * 176400/192000. Return true if rate is in the pair for max_rate.
+ */
+static bool focusrite_rate_pair(unsigned int rate,
+ unsigned int max_rate)
+{
+ switch (max_rate) {
+ case 48000: return rate == 44100 || rate == 48000;
+ case 96000: return rate == 88200 || rate == 96000;
+ case 192000: return rate == 176400 || rate == 192000;
+ default: return true;
+ }
+}
+
+/*
+ * Focusrite devices report all supported rates in a single clock
+ * source but only a subset is valid per altsetting.
+ *
+ * Detection uses two descriptor features:
+ *
+ * 1. Format Type descriptor bLength == 10: non-standard extension
+ * with max sample rate in bytes 6..9.
+ *
+ * 2. bmControls VAL_ALT_SETTINGS readable bit: when set, the device
+ * only supports the highest rate pair for that altsetting, and when
+ * clear, all rates up to max_rate are valid.
+ *
+ * For devices without the bLength == 10 extension but with
+ * VAL_ALT_SETTINGS readable and multiple altsettings (only seen in
+ * Scarlett 18i8 3rd Gen playback), fall back to the Focusrite
+ * convention: alt 1 = 48kHz, alt 2 = 96kHz, alt 3 = 192kHz.
*/
static bool focusrite_valid_sample_rate(struct snd_usb_audio *chip,
struct audioformat *fp,
unsigned int rate)
{
+ struct usb_interface *iface;
struct usb_host_interface *alts;
+ struct uac2_as_header_descriptor *as;
unsigned char *fmt;
unsigned int max_rate;
+ bool val_alt;
alts = snd_usb_get_host_interface(chip, fp->iface, fp->altsetting);
if (!alts)
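Review bot: `default: return true;` in `focusrite_rate_pair()` accepts every rate when `max_rate` is not 48000, 96000 or 192000, and it does so silently, whereas the existing non-`val_alt` switch reports that case with the `unexpected max rate` message. Since `max_rate` is taken from the device's descriptor, consider emitting the same `usb_audio_info()` message on the `val_alt` path (for example by checking `max_rate` before calling the helper) so an unrecognised value is visible in both modes.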
@@ -326,9 +357,21 @@ static bool focusrite_valid_sample_rate(struct snd_usb_audio *chip,
if (!fmt)
return true;
+ as = snd_usb_find_csint_desc(alts->extra, alts->extralen,
+ NULL, UAC_AS_GENERAL);
+ if (!as)
+ return true;
+
+ val_alt = uac_v2v3_control_is_readable(as->bmControls,
+ UAC2_AS_VAL_ALT_SETTINGS);
+
if (fmt[0] == 10) { /* bLength */
max_rate = combine_quad(&fmt[6]);
+ if (val_alt)
+ return focusrite_rate_pair(rate, max_rate);
+
+ /* No val_alt: rates fall through from higher */
switch (max_rate) {
case 192000:
if (rate == 176400 || rate == 192000)
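Review bot: `as->bmControls` is read as soon as `snd_usb_find_csint_desc()` returns non-NULL, with no check visible here that the descriptor's `bLength` covers `struct uac2_as_header_descriptor`, while the format descriptor a few lines down is only read past byte 5 after `fmt[0] == 10`. The descriptor contents are supplied by the device, so add a `bLength >= sizeof(*as)` test (returning true on failure, like the other early exits) before calling `uac_v2v3_control_is_readable()`.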
@@ -344,12 +387,29 @@ static bool focusrite_valid_sample_rate(struct snd_usb_audio *chip,
usb_audio_info(chip,
"%u:%d : unexpected max rate: %u\n",
fp->iface, fp->altsetting, max_rate);
-
return true;
}
}
- return true;
+ if (!val_alt)
+ return true;
+
+ /* Multi-altsetting device with val_alt but no max_rate
+ * in the format descriptor. Use Focusrite convention:
+ * alt 1 = 48kHz, alt 2 = 96kHz, alt 3 = 192kHz.
+ */
+ iface = usb_ifnum_to_if(chip->dev, fp->iface);
+ if (!iface || iface->num_altsetting <= 2)
+ return true;
+
+ switch (fp->altsetting) {
+ case 1: max_rate = 48000; break;
+ case 2: max_rate = 96000; break;
+ case 3: max_rate = 192000; break;
+ default: return true;
+ }
+
+ return focusrite_rate_pair(rate, max_rate);
}
/*
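Review bot: `iface->num_altsetting <= 2` is the only test that separates the convention-based fallback from the accept-everything return, but neither the comment above it nor the function header says why two altsettings do not count as "multiple". Spell that out in the comment (presumably alt 0 plus a single streaming altsetting), and note that this block comment starts its text on the `/*` line, unlike the other comments added in this patch.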
--
2.51.0
* [PATCH 6.19 178/378] objtool/klp: Fix detection of corrupt static branch/call entries
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Song Liu, Josh Poimboeuf,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit f9fb44b0ecefc1f218db56661ed66d4e8d67317d ]
Patching a function which references a static key living in a kernel
module is unsupported due to ordering issues inherent to late module
patching:
1) Load a livepatch module which has a __jump_table entry which needs
a klp reloc to reference static key K which lives in module M.
2) The __jump_table klp reloc does *not* get resolved because module M
is not yet loaded.
3) jump_label_add_module() corrupts memory (or causes a panic) when
dereferencing the uninitialized pointer to key K.
validate_special_section_klp_reloc() intends to prevent that from ever
happening by catching it at build time. However, it incorrectly assumes
the special section entry's reloc symbol references have already been
converted from section symbols to object symbols, causing the validation
to miss corruption in extracted static branch/call table entries.
Make sure the references have been properly converted before doing the
validation.
Fixes: dd590d4d57eb ("objtool/klp: Introduce klp diff subcommand for diffing object files")
Reported-by: Song Liu <song@kernel.org>
Reviewed-and-tested-by: Song Liu <song@kernel.org>
Link: https://patch.msgid.link/124ad747b751df0df1725eff89de8332e3fb26d6.1770759954.git.jpoimboe@kernel.org
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/objtool/klp-diff.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/objtool/klp-diff.c b/tools/objtool/klp-diff.c
index 9f1f4011eb9cd..d94632e809558 100644
--- a/tools/objtool/klp-diff.c
+++ b/tools/objtool/klp-diff.c
@@ -1364,6 +1364,9 @@ static int validate_special_section_klp_reloc(struct elfs *e, struct symbol *sym
const char *sym_modname;
struct export *export;
+ if (convert_reloc_sym(e->patched, reloc))
+ continue;
+
/* Static branch/call keys are always STT_OBJECT */
if (reloc->sym->type != STT_OBJECT) {
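Review bot: a non-zero return from `convert_reloc_sym()` goes straight to `continue`, so that reloc is never checked by the rest of the loop body, in a function whose purpose is to catch bad entries at build time. If non-zero means the conversion failed, return an error instead of skipping the entry; if it means something benign, a one-line comment saying so would help.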
--
2.51.0
* [PATCH 6.19 179/378] objtool: Fix data alignment in elf_add_data()
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Poimboeuf, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit 356e4b2f5b80f757965f3f4d0219c81fca91b6f2 ]
Any data added to a section needs to be aligned in accordance with the
section's sh_addralign value. Particularly strings added to a .str1.8
section. Otherwise you may get some funky strings.
Fixes: dd590d4d57eb ("objtool/klp: Introduce klp diff subcommand for diffing object files")
Link: https://patch.msgid.link/d962fc0ca24fa0825cca8dad71932dccdd9312a9.1772681234.git.jpoimboe@kernel.org
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/objtool/elf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
index 2c02c7b492658..3da90686350d7 100644
--- a/tools/objtool/elf.c
+++ b/tools/objtool/elf.c
@@ -1375,7 +1375,7 @@ void *elf_add_data(struct elf *elf, struct section *sec, const void *data, size_
memcpy(sec->data->d_buf, data, size);
sec->data->d_size = size;
- sec->data->d_align = 1;
+ sec->data->d_align = sec->sh.sh_addralign;
offset = ALIGN(sec->sh.sh_size, sec->sh.sh_addralign);
sec->sh.sh_size = offset + size;
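Review bot: `d_align` used to be the constant 1 and now takes `sec->sh.sh_addralign` unchecked; ELF allows `sh_addralign` to be 0 as well as 1 to mean "no alignment constraint", and the same value already feeds `ALIGN()` on the next line. If a section with `sh_addralign == 0` can reach `elf_add_data()`, clamp it to 1 once and use the clamped value in both places.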
--
2.51.0
* [PATCH 6.19 180/378] objtool: Fix another stack overflow in validate_branch()
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Josh Poimboeuf,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit 9a73f085dc91980ab7fcc5e9716f4449424b3b59 ]
The insn state is getting saved on the stack twice for each recursive
iteration. No need for that, once is enough.
Fixes the following reported stack overflow:
drivers/scsi/qla2xxx/qla_dbg.o: error: SIGSEGV: objtool stack overflow!
Segmentation fault
Fixes: 70589843b36f ("objtool: Add option to trace function validation")
Reported-by: Arnd Bergmann <arnd@arndb.de>
Closes: https://lore.kernel.org/90956545-2066-46e3-b547-10c884582eb0@app.fastmail.com
Link: https://patch.msgid.link/8b97f62d083457f3b0a29a424275f7957dd3372f.1772821683.git.jpoimboe@kernel.org
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/objtool/check.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tools/objtool/check.c b/tools/objtool/check.c
index 37ec0d757e9b1..eba35bb8c0bdf 100644
--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -3694,7 +3694,7 @@ static void checksum_update_insn(struct objtool_file *file, struct symbol *func,
static int validate_branch(struct objtool_file *file, struct symbol *func,
struct instruction *insn, struct insn_state state);
static int do_validate_branch(struct objtool_file *file, struct symbol *func,
- struct instruction *insn, struct insn_state state);
+ struct instruction *insn, struct insn_state *state);
static int validate_insn(struct objtool_file *file, struct symbol *func,
struct instruction *insn, struct insn_state *statep,
@@ -3959,7 +3959,7 @@ static int validate_insn(struct objtool_file *file, struct symbol *func,
* tools/objtool/Documentation/objtool.txt.
*/
static int do_validate_branch(struct objtool_file *file, struct symbol *func,
- struct instruction *insn, struct insn_state state)
+ struct instruction *insn, struct insn_state *state)
{
struct instruction *next_insn, *prev_insn = NULL;
bool dead_end;
@@ -3990,7 +3990,7 @@ static int do_validate_branch(struct objtool_file *file, struct symbol *func,
return 1;
}
- ret = validate_insn(file, func, insn, &state, prev_insn, next_insn,
+ ret = validate_insn(file, func, insn, state, prev_insn, next_insn,
&dead_end);
if (!insn->trace) {
@@ -4001,7 +4001,7 @@ static int do_validate_branch(struct objtool_file *file, struct symbol *func,
}
if (!dead_end && !next_insn) {
- if (state.cfi.cfa.base == CFI_UNDEFINED)
+ if (state->cfi.cfa.base == CFI_UNDEFINED)
return 0;
if (file->ignore_unreachables)
return 0;
@@ -4026,7 +4026,7 @@ static int validate_branch(struct objtool_file *file, struct symbol *func,
int ret;
trace_depth_inc();
- ret = do_validate_branch(file, func, insn, state);
+ ret = do_validate_branch(file, func, insn, &state);
trace_depth_dec();
return ret;
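Review bot: after this change `validate_branch()` still takes `struct insn_state state` by value and passes `&state` down, which makes that parameter the single per-recursion copy, but nothing in the code says so. A comment at this call noting that the by-value parameter is the intentional copy, and that `do_validate_branch()` must stay pointer-based to keep stack use down, would stop the second copy from creeping back.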
--
2.51.0
* [PATCH 6.19 181/378] irqchip/riscv-aplic: Preserve APLIC states across suspend/resume
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nick Hu, Thomas Gleixner,
Yong-Xuan Wang, Cyan Yang, Nutty Liu, Anup Patel, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nick Hu <nick.hu@sifive.com>
[ Upstream commit 95a8ddde36601d0a645475fb080ed118db59c8c3 ]
The APLIC states might be reset when the platform enters a low power
state, but the register states are not being preserved and restored,
which prevents interrupt delivery after the platform resumes.
Solve this by adding a syscore ops and a power management notifier to
preserve and restore the APLIC states on suspend and resume.
[ tglx: Folded the build fix provided by Geert ]
Signed-off-by: Nick Hu <nick.hu@sifive.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Yong-Xuan Wang <yongxuan.wang@sifive.com>
Reviewed-by: Cyan Yang <cyan.yang@sifive.com>
Reviewed-by: Nutty Liu <liujingqi@lanxincomputing.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://patch.msgid.link/20251202-preserve-aplic-imsic-v3-2-1844fbf1fe92@sifive.com
Stable-dep-of: 620b6ded72a7 ("irqchip/riscv-aplic: Do not clear ACPI dependencies on probe failure")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-riscv-aplic-direct.c | 10 ++
drivers/irqchip/irq-riscv-aplic-main.c | 170 ++++++++++++++++++++++-
drivers/irqchip/irq-riscv-aplic-main.h | 19 +++
3 files changed, 198 insertions(+), 1 deletion(-)
diff --git a/drivers/irqchip/irq-riscv-aplic-direct.c b/drivers/irqchip/irq-riscv-aplic-direct.c
index c2a75bf3d20c6..5a9650225dd80 100644
--- a/drivers/irqchip/irq-riscv-aplic-direct.c
+++ b/drivers/irqchip/irq-riscv-aplic-direct.c
@@ -8,6 +8,7 @@
#include <linux/bitfield.h>
#include <linux/bitops.h>
#include <linux/cpu.h>
+#include <linux/cpumask.h>
#include <linux/interrupt.h>
#include <linux/irqchip.h>
#include <linux/irqchip/chained_irq.h>
@@ -171,6 +172,15 @@ static void aplic_idc_set_delivery(struct aplic_idc *idc, bool en)
writel(de, idc->regs + APLIC_IDC_IDELIVERY);
}
+void aplic_direct_restore_states(struct aplic_priv *priv)
+{
+ struct aplic_direct *direct = container_of(priv, struct aplic_direct, priv);
+ int cpu;
+
+ for_each_cpu(cpu, &direct->lmask)
+ aplic_idc_set_delivery(per_cpu_ptr(&aplic_idcs, cpu), true);
+}
+
static int aplic_direct_dying_cpu(unsigned int cpu)
{
if (aplic_direct_parent_irq)
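Review bot: `aplic_direct_restore_states()` calls `aplic_idc_set_delivery(..., true)` for every CPU in `direct->lmask` without regard to whether delivery was enabled for that CPU before the power transition, while the neighbouring `aplic_direct_dying_cpu()` shows that per-CPU state is otherwise handled through hotplug callbacks. Either restrict the loop to online CPUs or add a comment explaining why enabling delivery on all of `lmask` is safe.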
diff --git a/drivers/irqchip/irq-riscv-aplic-main.c b/drivers/irqchip/irq-riscv-aplic-main.c
index 93e7c51f944ab..4495ca26abf57 100644
--- a/drivers/irqchip/irq-riscv-aplic-main.c
+++ b/drivers/irqchip/irq-riscv-aplic-main.c
@@ -12,10 +12,169 @@
#include <linux/of.h>
#include <linux/of_irq.h>
#include <linux/platform_device.h>
+#include <linux/pm_domain.h>
+#include <linux/pm_runtime.h>
#include <linux/printk.h>
+#include <linux/syscore_ops.h>
#include "irq-riscv-aplic-main.h"
+static LIST_HEAD(aplics);
+
+static void aplic_restore_states(struct aplic_priv *priv)
+{
+ struct aplic_saved_regs *saved_regs = &priv->saved_hw_regs;
+ struct aplic_src_ctrl *srcs;
+ void __iomem *regs;
+ u32 nr_irqs, i;
+
+ regs = priv->regs;
+ writel(saved_regs->domaincfg, regs + APLIC_DOMAINCFG);
+#ifdef CONFIG_RISCV_M_MODE
+ writel(saved_regs->msiaddr, regs + APLIC_xMSICFGADDR);
+ writel(saved_regs->msiaddrh, regs + APLIC_xMSICFGADDRH);
+#endif
+ /*
+ * The sourcecfg[i] has to be restored prior to the target[i], interrupt-pending and
+ * interrupt-enable bits. The AIA specification states that "Whenever interrupt source i is
+ * inactive in an interrupt domain, the corresponding interrupt-pending and interrupt-enable
+ * bits within the domain are read-only zeros, and register target[i] is also read-only
+ * zero."
+ */
+ nr_irqs = priv->nr_irqs;
+ for (i = 0; i < nr_irqs; i++) {
+ srcs = &priv->saved_hw_regs.srcs[i];
+ writel(srcs->sourcecfg, regs + APLIC_SOURCECFG_BASE + i * sizeof(u32));
+ writel(srcs->target, regs + APLIC_TARGET_BASE + i * sizeof(u32));
+ }
+
+ for (i = 0; i <= nr_irqs; i += 32) {
+ srcs = &priv->saved_hw_regs.srcs[i];
+ writel(-1U, regs + APLIC_CLRIE_BASE + (i / 32) * sizeof(u32));
+ writel(srcs->ie, regs + APLIC_SETIE_BASE + (i / 32) * sizeof(u32));
+
+ /* Re-trigger the interrupts if it forwards interrupts to target harts by MSIs */
+ if (!priv->nr_idcs)
+ writel(readl(regs + APLIC_CLRIP_BASE + (i / 32) * sizeof(u32)),
+ regs + APLIC_SETIP_BASE + (i / 32) * sizeof(u32));
+ }
+
+ if (priv->nr_idcs)
+ aplic_direct_restore_states(priv);
+}
+
+static void aplic_save_states(struct aplic_priv *priv)
+{
+ struct aplic_src_ctrl *srcs;
+ void __iomem *regs;
+ u32 i, nr_irqs;
+
+ regs = priv->regs;
+ nr_irqs = priv->nr_irqs;
+ /* The valid interrupt source IDs range from 1 to N, where N is priv->nr_irqs */
+ for (i = 0; i < nr_irqs; i++) {
+ srcs = &priv->saved_hw_regs.srcs[i];
+ srcs->target = readl(regs + APLIC_TARGET_BASE + i * sizeof(u32));
+
+ if (i % 32)
+ continue;
+
+ srcs->ie = readl(regs + APLIC_SETIE_BASE + (i / 32) * sizeof(u32));
+ }
+
+ /* Save the nr_irqs bit if needed */
+ if (!(nr_irqs % 32)) {
+ srcs = &priv->saved_hw_regs.srcs[nr_irqs];
+ srcs->ie = readl(regs + APLIC_SETIE_BASE + (nr_irqs / 32) * sizeof(u32));
+ }
+}
+
+static int aplic_syscore_suspend(void *data)
+{
+ struct aplic_priv *priv;
+
+ list_for_each_entry(priv, &aplics, head)
+ aplic_save_states(priv);
+
+ return 0;
+}
+
+static void aplic_syscore_resume(void *data)
+{
+ struct aplic_priv *priv;
+
+ list_for_each_entry(priv, &aplics, head)
+ aplic_restore_states(priv);
+}
+
+static struct syscore_ops aplic_syscore_ops = {
+ .suspend = aplic_syscore_suspend,
+ .resume = aplic_syscore_resume,
+};
+
+static struct syscore aplic_syscore = {
+ .ops = &aplic_syscore_ops,
+};
+
+static int aplic_pm_notifier(struct notifier_block *nb, unsigned long action, void *data)
+{
+ struct aplic_priv *priv = container_of(nb, struct aplic_priv, genpd_nb);
+
+ switch (action) {
+ case GENPD_NOTIFY_PRE_OFF:
+ aplic_save_states(priv);
+ break;
+ case GENPD_NOTIFY_ON:
+ aplic_restore_states(priv);
+ break;
+ default:
+ break;
+ }
+
+ return 0;
+}
+
+static void aplic_pm_remove(void *data)
+{
+ struct aplic_priv *priv = data;
+ struct device *dev = priv->dev;
+
+ list_del(&priv->head);
+ if (dev->pm_domain)
+ dev_pm_genpd_remove_notifier(dev);
+}
+
+static int aplic_pm_add(struct device *dev, struct aplic_priv *priv)
+{
+ struct aplic_src_ctrl *srcs;
+ int ret;
+
+ srcs = devm_kzalloc(dev, (priv->nr_irqs + 1) * sizeof(*srcs), GFP_KERNEL);
+ if (!srcs)
+ return -ENOMEM;
+
+ priv->saved_hw_regs.srcs = srcs;
+ list_add(&priv->head, &aplics);
+ if (dev->pm_domain) {
+ priv->genpd_nb.notifier_call = aplic_pm_notifier;
+ ret = dev_pm_genpd_add_notifier(dev, &priv->genpd_nb);
+ if (ret)
+ goto remove_head;
+
+ ret = devm_pm_runtime_enable(dev);
+ if (ret)
+ goto remove_notifier;
+ }
+
+ return devm_add_action_or_reset(dev, aplic_pm_remove, priv);
+
+remove_notifier:
+ dev_pm_genpd_remove_notifier(dev);
+remove_head:
+ list_del(&priv->head);
+ return ret;
+}
+
void aplic_irq_unmask(struct irq_data *d)
{
struct aplic_priv *priv = irq_data_get_irq_chip_data(d);
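Review bot: `aplic_save_states()` reads back `target` and `ie` but never `sourcecfg`; the value that `aplic_restore_states()` writes comes only from the mirror updated in `aplic_irq_set_type()`, and the array starts zeroed from `devm_kzalloc()`. Any source whose `sourcecfg` was programmed by another path would be restored as 0, and per the AIA text quoted in the comment its `target` and enable bits then become read-only zero, so read `sourcecfg` in `aplic_save_states()` as well or document why the mirror is complete. Separately, `(priv->nr_irqs + 1) * sizeof(*srcs)` in `aplic_pm_add()` would be better written with `devm_kcalloc()`.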
@@ -60,6 +219,8 @@ int aplic_irq_set_type(struct irq_data *d, unsigned int type)
sourcecfg += (d->hwirq - 1) * sizeof(u32);
writel(val, sourcecfg);
+ priv->saved_hw_regs.srcs[d->hwirq - 1].sourcecfg = val;
+
return 0;
}
@@ -82,6 +243,7 @@ int aplic_irqdomain_translate(struct irq_fwspec *fwspec, u32 gsi_base,
void aplic_init_hw_global(struct aplic_priv *priv, bool msi_mode)
{
+ struct aplic_saved_regs *saved_regs = &priv->saved_hw_regs;
u32 val;
#ifdef CONFIG_RISCV_M_MODE
u32 valh;
@@ -95,6 +257,8 @@ void aplic_init_hw_global(struct aplic_priv *priv, bool msi_mode)
valh |= FIELD_PREP(APLIC_xMSICFGADDRH_HHXS, priv->msicfg.hhxs);
writel(val, priv->regs + APLIC_xMSICFGADDR);
writel(valh, priv->regs + APLIC_xMSICFGADDRH);
+ saved_regs->msiaddr = val;
+ saved_regs->msiaddrh = valh;
}
#endif
@@ -106,6 +270,8 @@ void aplic_init_hw_global(struct aplic_priv *priv, bool msi_mode)
writel(val, priv->regs + APLIC_DOMAINCFG);
if (readl(priv->regs + APLIC_DOMAINCFG) != val)
dev_warn(priv->dev, "unable to write 0x%x in domaincfg\n", val);
+
+ saved_regs->domaincfg = val;
}
static void aplic_init_hw_irqs(struct aplic_priv *priv)
@@ -176,7 +342,7 @@ int aplic_setup_priv(struct aplic_priv *priv, struct device *dev, void __iomem *
/* Setup initial state APLIC interrupts */
aplic_init_hw_irqs(priv);
- return 0;
+ return aplic_pm_add(dev, priv);
}
static int aplic_probe(struct platform_device *pdev)
@@ -209,6 +375,8 @@ static int aplic_probe(struct platform_device *pdev)
if (rc)
dev_err_probe(dev, rc, "failed to setup APLIC in %s mode\n",
msi_mode ? "MSI" : "direct");
+ else
+ register_syscore(&aplic_syscore);
#ifdef CONFIG_ACPI
if (!acpi_disabled)
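Review bot: `register_syscore(&aplic_syscore)` runs in the success branch of every `aplic_probe()` call, but `aplic_syscore` is a single static object, so a system with more than one APLIC instance registers the same object repeatedly. Register it once (a guard flag or a one-time init path) and leave the per-device work to the `aplics` list that the syscore callbacks already iterate.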
diff --git a/drivers/irqchip/irq-riscv-aplic-main.h b/drivers/irqchip/irq-riscv-aplic-main.h
index b0ad8cde69b13..2d8ad7138541a 100644
--- a/drivers/irqchip/irq-riscv-aplic-main.h
+++ b/drivers/irqchip/irq-riscv-aplic-main.h
@@ -23,7 +23,25 @@ struct aplic_msicfg {
u32 lhxw;
};
+struct aplic_src_ctrl {
+ u32 sourcecfg;
+ u32 target;
+ u32 ie;
+};
+
+struct aplic_saved_regs {
+ u32 domaincfg;
+#ifdef CONFIG_RISCV_M_MODE
+ u32 msiaddr;
+ u32 msiaddrh;
+#endif
+ struct aplic_src_ctrl *srcs;
+};
+
struct aplic_priv {
+ struct list_head head;
+ struct notifier_block genpd_nb;
+ struct aplic_saved_regs saved_hw_regs;
struct device *dev;
u32 gsi_base;
u32 nr_irqs;
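Review bot: the layout of `srcs` is not documented in `struct aplic_saved_regs`: the array has `nr_irqs + 1` entries, `sourcecfg` and `target` are per source, and `ie` is only meaningful in entries whose index is a multiple of 32, where it holds a whole 32-bit enable word. A comment on `struct aplic_src_ctrl` saying this, or a separate array for the `ie` words, would make the indexing in the save and restore loops checkable.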
@@ -40,6 +58,7 @@ int aplic_irqdomain_translate(struct irq_fwspec *fwspec, u32 gsi_base,
unsigned long *hwirq, unsigned int *type);
void aplic_init_hw_global(struct aplic_priv *priv, bool msi_mode);
int aplic_setup_priv(struct aplic_priv *priv, struct device *dev, void __iomem *regs);
+void aplic_direct_restore_states(struct aplic_priv *priv);
int aplic_direct_setup(struct device *dev, void __iomem *regs);
#ifdef CONFIG_RISCV_APLIC_MSI
int aplic_msi_setup(struct device *dev, void __iomem *regs);
--
2.51.0
* [PATCH 6.19 182/378] irqchip/riscv-aplic: Do not clear ACPI dependencies on probe failure
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jessica Liu, Thomas Gleixner,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jessica Liu <liu.xuemei1@zte.com.cn>
[ Upstream commit 620b6ded72a7f0f77be6ec44d0462bb85729ab7a ]
aplic_probe() calls acpi_dev_clear_dependencies() unconditionally at the
end, even when the preceding setup (MSI or direct mode) has failed. This is
incorrect because if the device failed to probe, it should not be
considered as active and should not clear dependencies for other devices
waiting on it.
Fix this by returning immediately when the setup fails, skipping the ACPI
dependency cleanup. Also, explicitly return 0 on success instead of relying
on the value of 'rc' to make the success path clear.
Fixes: 5122e380c23b ("irqchip/riscv-aplic: Add ACPI support")
Signed-off-by: Jessica Liu <liu.xuemei1@zte.com.cn>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260310141600411Fu8H8-GXOOgKISU48Tjgx@zte.com.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-riscv-aplic-main.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/irqchip/irq-riscv-aplic-main.c b/drivers/irqchip/irq-riscv-aplic-main.c
index 4495ca26abf57..8775f188ea4fc 100644
--- a/drivers/irqchip/irq-riscv-aplic-main.c
+++ b/drivers/irqchip/irq-riscv-aplic-main.c
@@ -372,18 +372,21 @@ static int aplic_probe(struct platform_device *pdev)
rc = aplic_msi_setup(dev, regs);
else
rc = aplic_direct_setup(dev, regs);
- if (rc)
+
+ if (rc) {
dev_err_probe(dev, rc, "failed to setup APLIC in %s mode\n",
msi_mode ? "MSI" : "direct");
- else
- register_syscore(&aplic_syscore);
+ return rc;
+ }
+
+ register_syscore(&aplic_syscore);
#ifdef CONFIG_ACPI
if (!acpi_disabled)
acpi_dev_clear_dependencies(ACPI_COMPANION(dev));
#endif
- return rc;
+ return 0;
}
static const struct of_device_id aplic_match[] = {
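Review bot: in the new `if (rc) { ... }` block the return value of `dev_err_probe()` is discarded and `rc` is returned on the next line; `dev_err_probe()` returns the error it was given, so `return dev_err_probe(dev, rc, ...);` is the usual form and drops the braces and the extra statement.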
--
2.51.0
* [PATCH 6.19 183/378] irqchip/riscv-aplic: Register syscore operations only once
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jessica Liu, Thomas Gleixner,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jessica Liu <liu.xuemei1@zte.com.cn>
[ Upstream commit b330fbfd34d7624bec62b99ad88dba2614326a19 ]
Since commit 95a8ddde3660 ("irqchip/riscv-aplic: Preserve APLIC
states across suspend/resume"), when multiple NUMA nodes exist
and AIA is not configured as "none", aplic_probe() is called
multiple times. This leads to register_syscore(&aplic_syscore)
being invoked repeatedly, causing the following Oops:
list_add double add: new=ffffffffb91461f0, prev=ffffffffb91461f0, next=ffffffffb915c408.
[<ffffffffb7b5c8ca>] __list_add_valid_or_report+0x60/0xc0
[<ffffffffb7cc3236>] register_syscore+0x3e/0x70
[<ffffffffb7b8d61c>] aplic_probe+0xc6/0x112
Fix this by registering syscore operations only once, using a static
variable aplic_syscore_registered to track registration.
[ tglx: Trim backtrace properly ]
Fixes: 95a8ddde3660 ("irqchip/riscv-aplic: Preserve APLIC states across suspend/resume")
Signed-off-by: Jessica Liu <liu.xuemei1@zte.com.cn>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260310141731145xMwLsyvXl9Gw-m6A4VRYj@zte.com.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-riscv-aplic-main.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/irqchip/irq-riscv-aplic-main.c b/drivers/irqchip/irq-riscv-aplic-main.c
index 8775f188ea4fc..9f53979b69625 100644
--- a/drivers/irqchip/irq-riscv-aplic-main.c
+++ b/drivers/irqchip/irq-riscv-aplic-main.c
@@ -116,6 +116,16 @@ static struct syscore aplic_syscore = {
.ops = &aplic_syscore_ops,
};
+static bool aplic_syscore_registered __ro_after_init;
+
+static void aplic_syscore_init(void)
+{
+ if (!aplic_syscore_registered) {
+ register_syscore(&aplic_syscore);
+ aplic_syscore_registered = true;
+ }
+}
+
static int aplic_pm_notifier(struct notifier_block *nb, unsigned long action, void *data)
{
struct aplic_priv *priv = container_of(nb, struct aplic_priv, genpd_nb);
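Review bot: `aplic_syscore_registered` is marked `__ro_after_init` yet it is written from `aplic_syscore_init()`, which is reached from `aplic_probe()`; if a probe can complete after init memory has been made read-only (deferred probing, for instance), the store to the flag would fault. The test-then-set is also unserialised, so two probes racing here could still both call `register_syscore()`. Drop the annotation unless probe is guaranteed to run only during init, and state what serialises the callers.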
@@ -379,7 +389,7 @@ static int aplic_probe(struct platform_device *pdev)
return rc;
}
- register_syscore(&aplic_syscore);
+ aplic_syscore_init();
#ifdef CONFIG_ACPI
if (!acpi_disabled)
--
2.51.0
* [PATCH 6.19 184/378] time/jiffies: Mark jiffies_64_to_clock_t() notrace
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steven Rostedt (Google),
Thomas Gleixner, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
[ Upstream commit 755a648e78f12574482d4698d877375793867fa1 ]
The trace_clock_jiffies() function that handles the "uptime" clock for
tracing calls jiffies_64_to_clock_t(). This causes the function tracer to
constantly recurse when the tracing clock is set to "uptime". Mark it
notrace to prevent unnecessary recursion when using the "uptime" clock.
Fixes: 58d4e21e50ff3 ("tracing: Fix wraparound problems in "uptime" trace clock")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260306212403.72270bb2@robin
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/time.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/time/time.c b/kernel/time/time.c
index 0ba8e3c50d625..155cf7def9146 100644
--- a/kernel/time/time.c
+++ b/kernel/time/time.c
@@ -702,7 +702,7 @@ EXPORT_SYMBOL(clock_t_to_jiffies);
*
* Return: jiffies_64 value converted to 64-bit "clock_t" (CLOCKS_PER_SEC)
*/
-u64 jiffies_64_to_clock_t(u64 x)
+notrace u64 jiffies_64_to_clock_t(u64 x)
{
#if (TICK_NSEC % (NSEC_PER_SEC / USER_HZ)) == 0
# if HZ < USER_HZ
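Review bot: the kernel-doc block above `jiffies_64_to_clock_t()` gives no reason for the new `notrace` annotation, so a later cleanup could drop it without noticing the dependency. Add a one-line comment naming the caller that requires it (the commit message cites `trace_clock_jiffies()` for the "uptime" trace clock).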
--
2.51.0
* [PATCH 6.19 185/378] sched/mmcid: Prevent CID stalls due to concurrent forks
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner,
Peter Zijlstra (Intel), Matthieu Baerts (NGI0), Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@kernel.org>
[ Upstream commit b2e48c429ec54715d16fefa719dd2fbded2e65be ]
A newly forked task is accounted as MMCID user before the task is visible
in the process' thread list and the global task list. This creates the
following problem:
  CPU1                                    CPU2

  fork()
    sched_mm_cid_fork(tnew1)
      tnew1->mm.mm_cid_users++;
      tnew1->mm_cid.cid = getcid()
  -> preemption
                                          fork()
                                            sched_mm_cid_fork(tnew2)
                                              tnew2->mm.mm_cid_users++;
                                              // Reaches the per CPU threshold
                                              mm_cid_fixup_tasks_to_cpus()
                                                for_each_other(current, p)
                                                  ....
As tnew1 is not visible yet, this fails to fix up the already allocated CID
of tnew1. As a consequence a subsequent schedule in might fail to acquire a
(transitional) CID and the machine stalls.
Move the invocation of sched_mm_cid_fork() after the new task becomes
visible in the thread and the task list to prevent this.
This also makes it symmetrical vs. exit() where the task is removed as CID
user before the task is removed from the thread and task lists.
Fixes: fbd0e71dc370 ("sched/mmcid: Provide CID ownership mode fixup functions")
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260310202525.969061974@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/sched.h | 2 --
kernel/fork.c | 2 --
kernel/sched/core.c | 22 +++++++++++++++-------
3 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/include/linux/sched.h b/include/linux/sched.h
index eb1c4c347a5cf..0719862970a28 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -2313,7 +2313,6 @@ static __always_inline void alloc_tag_restore(struct alloc_tag *tag, struct allo
#ifdef CONFIG_SCHED_MM_CID
void sched_mm_cid_before_execve(struct task_struct *t);
void sched_mm_cid_after_execve(struct task_struct *t);
-void sched_mm_cid_fork(struct task_struct *t);
void sched_mm_cid_exit(struct task_struct *t);
static __always_inline int task_mm_cid(struct task_struct *t)
{
@@ -2322,7 +2321,6 @@ static __always_inline int task_mm_cid(struct task_struct *t)
#else
static inline void sched_mm_cid_before_execve(struct task_struct *t) { }
static inline void sched_mm_cid_after_execve(struct task_struct *t) { }
-static inline void sched_mm_cid_fork(struct task_struct *t) { }
static inline void sched_mm_cid_exit(struct task_struct *t) { }
static __always_inline int task_mm_cid(struct task_struct *t)
{
diff --git a/kernel/fork.c b/kernel/fork.c
index 68ccbaea7398a..2d79096e0fecb 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1585,7 +1585,6 @@ static int copy_mm(u64 clone_flags, struct task_struct *tsk)
tsk->mm = mm;
tsk->active_mm = mm;
- sched_mm_cid_fork(tsk);
return 0;
}
@@ -2496,7 +2495,6 @@ __latent_entropy struct task_struct *copy_process(
exit_nsproxy_namespaces(p);
bad_fork_cleanup_mm:
if (p->mm) {
- sched_mm_cid_exit(p);
mm_clear_owner(p->mm, p);
mmput(p->mm);
}
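Review bot: dropping `sched_mm_cid_exit(p)` under `bad_fork_cleanup_mm` is only safe if no failure path can reach this label after `sched_post_fork()` has accounted the task as a CID user. The changelog explains the move of the fork-side call but not the error path; a sentence there, or a comment at the label, stating that the accounting now happens after the last point of failure would make the removal reviewable on its own.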
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index dbf4e32a063f7..ca6e6e4b17eaf 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4708,8 +4708,11 @@ void sched_cancel_fork(struct task_struct *p)
scx_cancel_fork(p);
}
+static void sched_mm_cid_fork(struct task_struct *t);
+
void sched_post_fork(struct task_struct *p)
{
+ sched_mm_cid_fork(p);
uclamp_post_fork(p);
scx_post_fork(p);
}
@@ -10594,12 +10597,13 @@ static void mm_cid_do_fixup_tasks_to_cpus(struct mm_struct *mm)
* possible switch back to per task mode happens either in the
* deferred handler function or in the next fork()/exit().
*
- * The caller has already transferred. The newly incoming task is
- * already accounted for, but not yet visible.
+ * The caller has already transferred so remove it from the users
+ * count. The incoming task is already visible and has mm_cid.active,
+ * but has task::mm_cid::cid == UNSET. Still it needs to be accounted
+ * for. Concurrent fork()s might add more threads, but all of them have
+ * task::mm_cid::active = 0, so they don't affect the accounting here.
*/
- users = mm->mm_cid.users - 2;
- if (!users)
- return;
+ users = mm->mm_cid.users - 1;
guard(rcu)();
for_other_threads(current, t) {
@@ -10636,12 +10640,15 @@ static bool sched_mm_cid_add_user(struct task_struct *t, struct mm_struct *mm)
return mm_update_max_cids(mm);
}
-void sched_mm_cid_fork(struct task_struct *t)
+static void sched_mm_cid_fork(struct task_struct *t)
{
struct mm_struct *mm = t->mm;
bool percpu;
- WARN_ON_ONCE(!mm || t->mm_cid.cid != MM_CID_UNSET);
+ if (!mm)
+ return;
+
+ WARN_ON_ONCE(t->mm_cid.cid != MM_CID_UNSET);
guard(mutex)(&mm->mm_cid.mutex);
scoped_guard(raw_spinlock_irq, &mm->mm_cid.lock) {
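Review bot: the new `if (!mm) return;` in `sched_mm_cid_fork()` silently replaces the `!mm` half of the old `WARN_ON_ONCE()`, which used to flag a missing mm as a bug. Since the function is now called from `sched_post_fork()` for every new task, add a comment saying which tasks legitimately arrive here without an mm, so the change from a warning to a quiet return reads as intended.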
@@ -10833,6 +10840,7 @@ void mm_init_cid(struct mm_struct *mm, struct task_struct *p)
}
#else /* CONFIG_SCHED_MM_CID */
static inline void mm_update_cpus_allowed(struct mm_struct *mm, const struct cpumask *affmsk) { }
+static inline void sched_mm_cid_fork(struct task_struct *t) { }
#endif /* !CONFIG_SCHED_MM_CID */
static DEFINE_PER_CPU(struct sched_change_ctx, sched_change_ctx);
--
2.51.0
* [PATCH 6.19 186/378] sched/mmcid: Handle vfork()/CLONE_VM correctly
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Baerts, Jiri Slaby,
Thomas Gleixner, Peter Zijlstra (Intel), Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@kernel.org>
[ Upstream commit 28b5a1395036d6c7a6c8034d85ad3d7d365f192c ]
Matthieu and Jiri reported stalls where a task endlessly loops in
mm_get_cid() when scheduling in.
It turned out that the logic which handles vfork()'ed tasks is broken. It
is invoked when the number of tasks associated to a process is smaller than
the number of MMCID users. It then walks the task list to find the
vfork()'ed task, but accounts all the already processed tasks as well.
If that double processing brings the number of to be handled tasks to 0,
the walk stops and the vfork()'ed task's CID is not fixed up. As a
consequence a subsequent schedule in fails to acquire a (transitional) CID
and the machine stalls.
Cure this by removing the accounting condition and make the fixup always
walk the full task list if it could not find the exact number of users in
the process' thread list.
Fixes: fbd0e71dc370 ("sched/mmcid: Provide CID ownership mode fixup functions")
Closes: https://lore.kernel.org/b24ffcb3-09d5-4e48-9070-0b69bc654281@kernel.org
Reported-by: Matthieu Baerts <matttbe@kernel.org>
Reported-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260310202526.048657665@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/core.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index ca6e6e4b17eaf..24d607c78f119 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -10618,10 +10618,7 @@ static void mm_cid_do_fixup_tasks_to_cpus(struct mm_struct *mm)
for_each_process_thread(p, t) {
if (t == current || t->mm != mm)
continue;
- if (mm_cid_fixup_task_to_cpu(t, mm)) {
- if (--users == 0)
- return;
- }
+ mm_cid_fixup_task_to_cpu(t, mm);
}
}
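Review bot: with the `--users == 0` early exit removed, the `for_each_process_thread()` loop always visits every thread in the system, and the return value of `mm_cid_fixup_task_to_cpu()` is ignored at this call site. Add a comment stating that the walk is deliberately exhaustive, so nobody reintroduces the counting shortcut as an optimisation.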
--
2.51.0
* [PATCH 6.19 187/378] sched/mmcid: Remove pointless preempt guard
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner,
Peter Zijlstra (Intel), Matthieu Baerts (NGI0), Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@kernel.org>
[ Upstream commit 7574ac6e49789ddee1b1be9b2afb42b4a1b4b1f4 ]
This is a leftover from the early versions of this function where it could
be invoked without mm::mm_cid::lock held.
Remove it and add lockdep asserts instead.
Fixes: 653fda7ae73d ("sched/mmcid: Switch over to the new mechanism")
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260310202526.116363613@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/core.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 24d607c78f119..c80076fcd78f2 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -10632,6 +10632,8 @@ static void mm_cid_fixup_tasks_to_cpus(void)
static bool sched_mm_cid_add_user(struct task_struct *t, struct mm_struct *mm)
{
+ lockdep_assert_held(&mm->mm_cid.lock);
+
t->mm_cid.active = 1;
mm->mm_cid.users++;
return mm_update_max_cids(mm);
@@ -10684,12 +10686,12 @@ static void sched_mm_cid_fork(struct task_struct *t)
static bool sched_mm_cid_remove_user(struct task_struct *t)
{
+ lockdep_assert_held(&t->mm->mm_cid.lock);
+
t->mm_cid.active = 0;
- scoped_guard(preempt) {
- /* Clear the transition bit */
- t->mm_cid.cid = cid_from_transit_cid(t->mm_cid.cid);
- mm_unset_cid_on_task(t);
- }
+ /* Clear the transition bit */
+ t->mm_cid.cid = cid_from_transit_cid(t->mm_cid.cid);
+ mm_unset_cid_on_task(t);
t->mm->mm_cid.users--;
return mm_update_max_cids(t->mm);
}
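Review bot: in `sched_mm_cid_remove_user()` the removed `scoped_guard(preempt)` is now justified only by `lockdep_assert_held(&t->mm->mm_cid.lock)`, which is a no-op in builds without lockdep. Extend the `/* Clear the transition bit */` comment to say that the caller holds `mm::mm_cid::lock`, which is what makes the preempt guard redundant, so the reasoning survives in the source and not only in the changelog.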
--
2.51.0
* [PATCH 6.19 188/378] sched/mmcid: Avoid full tasklist walks
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner,
Peter Zijlstra (Intel), Matthieu Baerts (NGI0), Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@kernel.org>
[ Upstream commit 192d852129b1b7c4f0ddbab95d0de1efd5ee1405 ]
Chasing vfork()'ed tasks on a CID ownership mode switch requires a full
task list walk, which is obviously expensive on large systems.
Avoid that by keeping a list of tasks using a mm MMCID entity in mm::mm_cid
and walk this list instead. This removes the proven to be flaky counting
logic and avoids a full task list walk in the case of vfork()'ed tasks.
Fixes: fbd0e71dc370 ("sched/mmcid: Provide CID ownership mode fixup functions")
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260310202526.183824481@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/rseq_types.h | 6 ++++-
kernel/fork.c | 1 +
kernel/sched/core.c | 54 +++++++++-----------------------------
3 files changed, 18 insertions(+), 43 deletions(-)
diff --git a/include/linux/rseq_types.h b/include/linux/rseq_types.h
index ef0811379c540..a612959c5b17f 100644
--- a/include/linux/rseq_types.h
+++ b/include/linux/rseq_types.h
@@ -103,10 +103,12 @@ struct rseq_data { };
* @active: MM CID is active for the task
* @cid: The CID associated to the task either permanently or
* borrowed from the CPU
+ * @node: Queued in the per MM MMCID list
*/
struct sched_mm_cid {
unsigned int active;
unsigned int cid;
+ struct hlist_node node;
};
/**
@@ -127,6 +129,7 @@ struct mm_cid_pcpu {
* @work: Regular work to handle the affinity mode change case
* @lock: Spinlock to protect against affinity setting which can't take @mutex
* @mutex: Mutex to serialize forks and exits related to this mm
+ * @user_list: List of the MM CID users of a MM
* @nr_cpus_allowed: The number of CPUs in the per MM allowed CPUs map. The map
* is growth only.
* @users: The number of tasks sharing this MM. Separate from mm::mm_users
@@ -147,13 +150,14 @@ struct mm_mm_cid {
raw_spinlock_t lock;
struct mutex mutex;
+ struct hlist_head user_list;
/* Low frequency modified */
unsigned int nr_cpus_allowed;
unsigned int users;
unsigned int pcpu_thrs;
unsigned int update_deferred;
-}____cacheline_aligned_in_smp;
+} ____cacheline_aligned;
#else /* CONFIG_SCHED_MM_CID */
struct mm_mm_cid { };
struct sched_mm_cid { };
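Review bot: the closing line of `struct mm_mm_cid` changes `____cacheline_aligned_in_smp` to `____cacheline_aligned`, which the commit message does not mention. If the new `user_list` member requires it, say so in the changelog; otherwise split it into its own patch, since it changes the struct's alignment on non-SMP builds.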
diff --git a/kernel/fork.c b/kernel/fork.c
index 2d79096e0fecb..5b45887435dcc 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -999,6 +999,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig, int node)
#ifdef CONFIG_SCHED_MM_CID
tsk->mm_cid.cid = MM_CID_UNSET;
tsk->mm_cid.active = 0;
+ INIT_HLIST_NODE(&tsk->mm_cid.node);
#endif
return tsk;
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index c80076fcd78f2..011fe1b2ae911 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -10568,13 +10568,10 @@ static inline void mm_cid_transit_to_cpu(struct task_struct *t, struct mm_cid_pc
}
}
-static bool mm_cid_fixup_task_to_cpu(struct task_struct *t, struct mm_struct *mm)
+static void mm_cid_fixup_task_to_cpu(struct task_struct *t, struct mm_struct *mm)
{
/* Remote access to mm::mm_cid::pcpu requires rq_lock */
guard(task_rq_lock)(t);
- /* If the task is not active it is not in the users count */
- if (!t->mm_cid.active)
- return false;
if (cid_on_task(t->mm_cid.cid)) {
/* If running on the CPU, put the CID in transit mode, otherwise drop it */
if (task_rq(t)->curr == t)
@@ -10582,51 +10579,21 @@ static bool mm_cid_fixup_task_to_cpu(struct task_struct *t, struct mm_struct *mm
else
mm_unset_cid_on_task(t);
}
- return true;
}
-static void mm_cid_do_fixup_tasks_to_cpus(struct mm_struct *mm)
+static void mm_cid_fixup_tasks_to_cpus(void)
{
- struct task_struct *p, *t;
- unsigned int users;
-
- /*
- * This can obviously race with a concurrent affinity change, which
- * increases the number of allowed CPUs for this mm, but that does
- * not affect the mode and only changes the CID constraints. A
- * possible switch back to per task mode happens either in the
- * deferred handler function or in the next fork()/exit().
- *
- * The caller has already transferred so remove it from the users
- * count. The incoming task is already visible and has mm_cid.active,
- * but has task::mm_cid::cid == UNSET. Still it needs to be accounted
- * for. Concurrent fork()s might add more threads, but all of them have
- * task::mm_cid::active = 0, so they don't affect the accounting here.
- */
- users = mm->mm_cid.users - 1;
-
- guard(rcu)();
- for_other_threads(current, t) {
- if (mm_cid_fixup_task_to_cpu(t, mm))
- users--;
- }
+ struct mm_struct *mm = current->mm;
+ struct task_struct *t;
- if (!users)
- return;
+ lockdep_assert_held(&mm->mm_cid.mutex);
- /* Happens only for VM_CLONE processes. */
- for_each_process_thread(p, t) {
- if (t == current || t->mm != mm)
- continue;
- mm_cid_fixup_task_to_cpu(t, mm);
+ hlist_for_each_entry(t, &mm->mm_cid.user_list, mm_cid.node) {
+ /* Current has already transferred before invoking the fixup. */
+ if (t != current)
+ mm_cid_fixup_task_to_cpu(t, mm);
}
-}
-
-static void mm_cid_fixup_tasks_to_cpus(void)
-{
- struct mm_struct *mm = current->mm;
- mm_cid_do_fixup_tasks_to_cpus(mm);
mm_cid_complete_transit(mm, MM_CID_ONCPU);
}
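Review bot: `mm_cid_fixup_tasks_to_cpus()` walks `user_list` under `lockdep_assert_held(&mm->mm_cid.mutex)` only, while the `hlist_add_head()` and `hlist_del_init()` calls sit in functions that assert `mm_cid.lock`. The walk is safe only if every add and remove also holds the mutex; document that rule next to `@user_list` in the kernel-doc so the roles of the two locks are explicit.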
@@ -10635,6 +10602,7 @@ static bool sched_mm_cid_add_user(struct task_struct *t, struct mm_struct *mm)
lockdep_assert_held(&mm->mm_cid.lock);
t->mm_cid.active = 1;
+ hlist_add_head(&t->mm_cid.node, &mm->mm_cid.user_list);
mm->mm_cid.users++;
return mm_update_max_cids(mm);
}
@@ -10692,6 +10660,7 @@ static bool sched_mm_cid_remove_user(struct task_struct *t)
/* Clear the transition bit */
t->mm_cid.cid = cid_from_transit_cid(t->mm_cid.cid);
mm_unset_cid_on_task(t);
+ hlist_del_init(&t->mm_cid.node);
t->mm->mm_cid.users--;
return mm_update_max_cids(t->mm);
}
@@ -10834,6 +10803,7 @@ void mm_init_cid(struct mm_struct *mm, struct task_struct *p)
mutex_init(&mm->mm_cid.mutex);
mm->mm_cid.irq_work = IRQ_WORK_INIT_HARD(mm_cid_irq_work);
INIT_WORK(&mm->mm_cid.work, mm_cid_work_fn);
+ INIT_HLIST_HEAD(&mm->mm_cid.user_list);
cpumask_copy(mm_cpus_allowed(mm), &p->cpus_mask);
bitmap_zero(mm_cidmask(mm), num_possible_cpus());
}
--
2.51.0
* [PATCH 6.19 189/378] i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Ng Ho Yin, Frank Li,
Alexandre Belloni, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Ng Ho Yin <adrianhoyin.ng@altera.com>
[ Upstream commit f311a05784634febd299f03476b80f3f18489767 ]
The DesignWare I3C master controller ACKs IBIs as soon as a valid
Device Address Table (DAT) entry is present. This can create a race
between device attachment (after DAA) and the point where the client
driver enables IBIs via i3c_device_enable_ibi().
Set DEV_ADDR_TABLE_SIR_REJECT in the DAT entry during
attach_i3c_dev() and reattach_i3c_dev() so that IBIs are rejected
by default. The bit is managed thereafter by the existing
dw_i3c_master_set_sir_enabled() function, which clears it in
enable_ibi() after ENEC is issued, and restores it in disable_ibi()
after DISEC.
Fixes: 1dd728f5d4d4 ("i3c: master: Add driver for Synopsys DesignWare IP")
Signed-off-by: Adrian Ng Ho Yin <adrianhoyin.ng@altera.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/53f5b8cbdd8af789ec38b95b02873f32f9182dd6.1770962368.git.adrianhoyin.ng@altera.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/dw-i3c-master.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c
index 4033bc16677ff..f9b981abd10c5 100644
--- a/drivers/i3c/master/dw-i3c-master.c
+++ b/drivers/i3c/master/dw-i3c-master.c
@@ -1010,7 +1010,7 @@ static int dw_i3c_master_reattach_i3c_dev(struct i3c_dev_desc *dev,
master->free_pos &= ~BIT(pos);
}
- writel(DEV_ADDR_TABLE_DYNAMIC_ADDR(dev->info.dyn_addr),
+ writel(DEV_ADDR_TABLE_DYNAMIC_ADDR(dev->info.dyn_addr) | DEV_ADDR_TABLE_SIR_REJECT,
master->regs +
DEV_ADDR_TABLE_LOC(master->datstartaddr, data->index));
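Review bot: in `dw_i3c_master_reattach_i3c_dev()` the DAT entry is rewritten with `DEV_ADDR_TABLE_SIR_REJECT` set unconditionally, so a device that already had IBIs enabled before the reattach would have them rejected until `enable_ibi()` runs again. Either preserve the current state of the bit on reattach or state in the changelog why reattach cannot happen while IBIs are enabled. The new `writel(` line is also very long; put the `| DEV_ADDR_TABLE_SIR_REJECT` on its own continuation line.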
@@ -1039,7 +1039,7 @@ static int dw_i3c_master_attach_i3c_dev(struct i3c_dev_desc *dev)
master->free_pos &= ~BIT(pos);
i3c_dev_set_master_data(dev, data);
- writel(DEV_ADDR_TABLE_DYNAMIC_ADDR(master->devs[pos].addr),
+ writel(DEV_ADDR_TABLE_DYNAMIC_ADDR(master->devs[pos].addr) | DEV_ADDR_TABLE_SIR_REJECT,
master->regs +
DEV_ADDR_TABLE_LOC(master->datstartaddr, data->index));
--
2.51.0
* [PATCH 6.19 190/378] powerpc, perf: Check that current->mm is alive before getting user callchain
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Viktor Malik, Qiao Zhao,
Venkat Rao Bagalkote, Saket Kumar Bhaskar, Madhavan Srinivasan,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viktor Malik <vmalik@redhat.com>
[ Upstream commit e9bbfb4bfa86c6b5515b868d6982ac60505d7e39 ]
It may happen that mm is already released, which leads to kernel panic.
This adds the NULL check for current->mm, similarly to
commit 20afc60f892d ("x86, perf: Check that current->mm is alive before getting user callchain").
I was getting this panic when running a profiling BPF program
(profile.py from bcc-tools):
[26215.051935] Kernel attempted to read user page (588) - exploit attempt? (uid: 0)
[26215.051950] BUG: Kernel NULL pointer dereference on read at 0x00000588
[26215.051952] Faulting instruction address: 0xc00000000020fac0
[26215.051957] Oops: Kernel access of bad area, sig: 11 [#1]
[...]
[26215.052049] Call Trace:
[26215.052050] [c000000061da6d30] [c00000000020fc10] perf_callchain_user_64+0x2d0/0x490 (unreliable)
[26215.052054] [c000000061da6dc0] [c00000000020f92c] perf_callchain_user+0x1c/0x30
[26215.052057] [c000000061da6de0] [c0000000005ab2a0] get_perf_callchain+0x100/0x360
[26215.052063] [c000000061da6e70] [c000000000573bc8] bpf_get_stackid+0x88/0xf0
[26215.052067] [c000000061da6ea0] [c008000000042258] bpf_prog_16d4ab9ab662f669_do_perf_event+0xf8/0x274
[...]
In addition, move storing the top-level stack entry to generic
perf_callchain_user to make sure the top-level entry is always captured,
even if current->mm is NULL.
Fixes: 20002ded4d93 ("perf_counter: powerpc: Add callchain support")
Signed-off-by: Viktor Malik <vmalik@redhat.com>
Tested-by: Qiao Zhao <qzhao@redhat.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Reviewed-by: Saket Kumar Bhaskar <skb99@linux.ibm.com>
[Maddy: fixed message to avoid checkpatch format style error]
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260309144045.169427-1-vmalik@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/perf/callchain.c | 5 +++++
arch/powerpc/perf/callchain_32.c | 1 -
arch/powerpc/perf/callchain_64.c | 1 -
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/perf/callchain.c b/arch/powerpc/perf/callchain.c
index 26aa26482c9ac..992cc5c982144 100644
--- a/arch/powerpc/perf/callchain.c
+++ b/arch/powerpc/perf/callchain.c
@@ -103,6 +103,11 @@ perf_callchain_kernel(struct perf_callchain_entry_ctx *entry, struct pt_regs *re
void
perf_callchain_user(struct perf_callchain_entry_ctx *entry, struct pt_regs *regs)
{
+ perf_callchain_store(entry, perf_arch_instruction_pointer(regs));
+
+ if (!current->mm)
+ return;
+
if (!is_32bit_task())
perf_callchain_user_64(entry, regs);
else
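Review bot: the `if (!current->mm) return;` check in `perf_callchain_user()` carries no comment, and the reason for it (the mm may already be released when the sample fires) lives only in the changelog. Add a one-line comment, and say there that `perf_callchain_store()` is placed before the check on purpose so the instruction-pointer entry is recorded even without an mm.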
diff --git a/arch/powerpc/perf/callchain_32.c b/arch/powerpc/perf/callchain_32.c
index ddcc2d8aa64a5..0de21c5d272c2 100644
--- a/arch/powerpc/perf/callchain_32.c
+++ b/arch/powerpc/perf/callchain_32.c
@@ -142,7 +142,6 @@ void perf_callchain_user_32(struct perf_callchain_entry_ctx *entry,
next_ip = perf_arch_instruction_pointer(regs);
lr = regs->link;
sp = regs->gpr[1];
- perf_callchain_store(entry, next_ip);
while (entry->nr < entry->max_stack) {
fp = (unsigned int __user *) (unsigned long) sp;
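Review bot: with `perf_callchain_store(entry, next_ip)` removed, the assignment `next_ip = perf_arch_instruction_pointer(regs)` just above has no use left in the visible lines. Check whether the loop still reads this initial value and drop the assignment if it does not; the same question applies to the matching hunk in callchain_64.c.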
diff --git a/arch/powerpc/perf/callchain_64.c b/arch/powerpc/perf/callchain_64.c
index 115d1c105e8a8..30fb61c5f0cb0 100644
--- a/arch/powerpc/perf/callchain_64.c
+++ b/arch/powerpc/perf/callchain_64.c
@@ -77,7 +77,6 @@ void perf_callchain_user_64(struct perf_callchain_entry_ctx *entry,
next_ip = perf_arch_instruction_pointer(regs);
lr = regs->link;
sp = regs->gpr[1];
- perf_callchain_store(entry, next_ip);
while (entry->nr < entry->max_stack) {
fp = (unsigned long __user *) sp;
--
2.51.0
* [PATCH 6.19 191/378] scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bean Huo, Bart Van Assche,
Wang Shuaiwei, Martin K. Petersen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Shuaiwei <wangshuaiwei1@xiaomi.com>
[ Upstream commit b0bd84c39289ef6a6c3827dd52c875659291970a ]
In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel
the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op,
POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can
still be running while ufshcd_vops_suspend() is executing. When
UFSHCD_CAP_CLK_GATING is not supported, the condition
!hba->clk_gating.active_reqs is always true, causing ufshcd_update_rtc()
to be executed. Since ufshcd_vops_suspend() typically performs clock
gating operations, executing ufshcd_update_rtc() at that moment triggers
an SError. The kernel panic trace is as follows:
Kernel panic - not syncing: Asynchronous SError Interrupt
Call trace:
dump_backtrace+0xec/0x128
show_stack+0x18/0x28
dump_stack_lvl+0x40/0xa0
dump_stack+0x18/0x24
panic+0x148/0x374
nmi_panic+0x3c/0x8c
arm64_serror_panic+0x64/0x8c
do_serror+0xc4/0xc8
el1h_64_error_handler+0x34/0x4c
el1h_64_error+0x68/0x6c
el1_interrupt+0x20/0x58
el1h_64_irq_handler+0x18/0x24
el1h_64_irq+0x68/0x6c
ktime_get+0xc4/0x12c
ufshcd_mcq_sq_stop+0x4c/0xec
ufshcd_mcq_sq_cleanup+0x64/0x1dc
ufshcd_clear_cmd+0x38/0x134
ufshcd_issue_dev_cmd+0x298/0x4d0
ufshcd_exec_dev_cmd+0x1a4/0x1c4
ufshcd_query_attr+0xbc/0x19c
ufshcd_rtc_work+0x10c/0x1c8
process_scheduled_works+0x1c4/0x45c
worker_thread+0x32c/0x3e8
kthread+0x120/0x1d8
ret_from_fork+0x10/0x20
Fix this by moving cancel_delayed_work_sync() before the call to
ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is
fully completed or cancelled at that point.
Cc: Bean Huo <beanhuo@iokpp.de>
Fixes: 6bf999e0eb41 ("scsi: ufs: core: Add UFS RTC support")
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Wang Shuaiwei <wangshuaiwei1@xiaomi.com>
Link: https://patch.msgid.link/20260307035128.3419687-1-wangshuaiwei1@xiaomi.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 2048ebc86590e..5038b8428fc30 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -10061,6 +10061,7 @@ static int __ufshcd_wl_suspend(struct ufs_hba *hba, enum ufs_pm_op pm_op)
}
flush_work(&hba->eeh_work);
+ cancel_delayed_work_sync(&hba->ufs_rtc_update_work);
ret = ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE);
if (ret)
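Review bot: moving `cancel_delayed_work_sync(&hba->ufs_rtc_update_work)` ahead of `ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE)` means the RTC work is now cancelled on every path, including the `if (ret)` failure exits, whereas the old placement cancelled it only on the success path just before `goto out`. Confirm that the error paths (for example `set_link_active`) re-arm the work; otherwise the periodic RTC update stays off after a failed suspend.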
@@ -10115,7 +10116,6 @@ static int __ufshcd_wl_suspend(struct ufs_hba *hba, enum ufs_pm_op pm_op)
if (ret)
goto set_link_active;
- cancel_delayed_work_sync(&hba->ufs_rtc_update_work);
goto out;
set_link_active:
--
2.51.0
* [PATCH 6.19 192/378] scsi: qla2xxx: Completely fix fcport double free
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Riabchun, Farhat Abbas,
Martin K. Petersen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Riabchun <ferr.lambarginio@gmail.com>
[ Upstream commit c0b7da13a04bd70ef6070bfb9ea85f582294560a ]
In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free().
When an error happens, this function is called by qla2x00_sp_release(),
when kref_put() releases the first and the last reference.
qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport().
Doing it one more time after kref_put() is a bad idea.
Fixes: 82f522ae0d97 ("scsi: qla2xxx: Fix double free of fcport")
Fixes: 4895009c4bb7 ("scsi: qla2xxx: Prevent command send on chip reset")
Signed-off-by: Vladimir Riabchun <ferr.lambarginio@gmail.com>
Signed-off-by: Farhat Abbas <fabbas@cloudlinux.com>
Link: https://patch.msgid.link/aYsDln9NFQQsPDgg@vova-pc
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qla2xxx/qla_iocb.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
index 3224044f17753..0de015de7eb59 100644
--- a/drivers/scsi/qla2xxx/qla_iocb.c
+++ b/drivers/scsi/qla2xxx/qla_iocb.c
@@ -2751,7 +2751,6 @@ qla24xx_els_dcmd_iocb(scsi_qla_host_t *vha, int els_opcode,
if (!elsio->u.els_logo.els_logo_pyld) {
/* ref: INIT */
kref_put(&sp->cmd_kref, qla2x00_sp_release);
- qla2x00_free_fcport(fcport);
return QLA_FUNCTION_FAILED;
}
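Review bot: Missing documentation on the error path at `if (!elsio->u.els_logo.els_logo_pyld)`: after this change nothing at the call site says that kref_put(&sp->cmd_kref, qla2x00_sp_release) also frees fcport through sp->free, which is the reason the explicit qla2x00_free_fcport() had to go. Extending the `/* ref: INIT */` comment to say so, here and in the `rval != QLA_SUCCESS` branch below, would make it harder for a later cleanup to reintroduce the double free that two Fixes: tags already point at.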
@@ -2776,7 +2775,6 @@ qla24xx_els_dcmd_iocb(scsi_qla_host_t *vha, int els_opcode,
if (rval != QLA_SUCCESS) {
/* ref: INIT */
kref_put(&sp->cmd_kref, qla2x00_sp_release);
- qla2x00_free_fcport(fcport);
return QLA_FUNCTION_FAILED;
}
--
2.51.0
* [PATCH 6.19 193/378] scsi: hisi_sas: Fix NULL pointer exception during user_scan()
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xingui Yang, Yihang Li,
Martin K. Petersen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xingui Yang <yangxingui@huawei.com>
[ Upstream commit 8ddc0c26916574395447ebf4cff684314f6873a9 ]
user_scan() invokes updated sas_user_scan() for channel 0, and if
successful, iteratively scans remaining channels (1 to shost->max_channel)
via scsi_scan_host_selected() in commit 37c4e72b0651 ("scsi: Fix
sas_user_scan() to handle wildcard and multi-channel scans"). However,
hisi_sas supports only one channel, and the current value of max_channel is
1. sas_user_scan() for channel 1 will trigger the following NULL pointer
exception:
[ 441.554662] Unable to handle kernel NULL pointer dereference at virtual address 00000000000008b0
[ 441.554699] Mem abort info:
[ 441.554710] ESR = 0x0000000096000004
[ 441.554718] EC = 0x25: DABT (current EL), IL = 32 bits
[ 441.554723] SET = 0, FnV = 0
[ 441.554726] EA = 0, S1PTW = 0
[ 441.554730] FSC = 0x04: level 0 translation fault
[ 441.554735] Data abort info:
[ 441.554737] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 441.554742] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 441.554747] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 441.554752] user pgtable: 4k pages, 48-bit VAs, pgdp=00000828377a6000
[ 441.554757] [00000000000008b0] pgd=0000000000000000, p4d=0000000000000000
[ 441.554769] Internal error: Oops: 0000000096000004 [#1] SMP
[ 441.629589] Modules linked in: arm_spe_pmu arm_smmuv3_pmu tpm_tis_spi hisi_uncore_sllc_pmu hisi_uncore_pa_pmu hisi_uncore_l3c_pmu hisi_uncore_hha_pmu hisi_uncore_ddrc_pmu hisi_uncore_cpa_pmu hns3_pmu hisi_ptt hisi_pcie_pmu tpm_tis_core spidev spi_hisi_sfc_v3xx hisi_uncore_pmu spi_dw_mmio fuse hclge hclge_common hisi_sec2 hisi_hpre hisi_zip hisi_qm hns3 hisi_sas_v3_hw sm3_ce sbsa_gwdt hnae3 hisi_sas_main uacce hisi_dma i2c_hisi dm_mirror dm_region_hash dm_log dm_mod
[ 441.670819] CPU: 46 UID: 0 PID: 6994 Comm: bash Kdump: loaded Not tainted 7.0.0-rc2+ #84 PREEMPT
[ 441.691327] pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 441.698277] pc : sas_find_dev_by_rphy+0x44/0x118
[ 441.702896] lr : sas_find_dev_by_rphy+0x3c/0x118
[ 441.707502] sp : ffff80009abbba40
[ 441.710805] x29: ffff80009abbba40 x28: ffff082819a40008 x27: ffff082810c37c08
[ 441.717930] x26: ffff082810c37c28 x25: ffff082819a40290 x24: ffff082810c37c00
[ 441.725054] x23: 0000000000000000 x22: 0000000000000001 x21: ffff082819a40000
[ 441.732179] x20: ffff082819a40290 x19: 0000000000000000 x18: 0000000000000020
[ 441.739304] x17: 0000000000000000 x16: ffffb5dad6bda690 x15: 00000000ffffffff
[ 441.746428] x14: ffff082814c3b26c x13: 00000000ffffffff x12: ffff082814c3b26a
[ 441.753553] x11: 00000000000000c0 x10: 000000000000003a x9 : ffffb5dad5ea94f4
[ 441.760678] x8 : 000000000000003a x7 : ffff80009abbbab0 x6 : 0000000000000030
[ 441.767802] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[ 441.774926] x2 : ffff08280f35a300 x1 : ffffb5dad7127180 x0 : 0000000000000000
[ 441.782053] Call trace:
[ 441.784488] sas_find_dev_by_rphy+0x44/0x118 (P)
[ 441.789095] sas_target_alloc+0x24/0xb0
[ 441.792920] scsi_alloc_target+0x290/0x330
[ 441.797010] __scsi_scan_target+0x88/0x258
[ 441.801096] scsi_scan_channel+0x74/0xb8
[ 441.805008] scsi_scan_host_selected+0x170/0x188
[ 441.809615] sas_user_scan+0xfc/0x148
[ 441.813267] store_scan+0x10c/0x180
[ 441.816743] dev_attr_store+0x20/0x40
[ 441.820398] sysfs_kf_write+0x84/0xa8
[ 441.824054] kernfs_fop_write_iter+0x130/0x1c8
[ 441.828487] vfs_write+0x2c0/0x370
[ 441.831880] ksys_write+0x74/0x118
[ 441.835271] __arm64_sys_write+0x24/0x38
[ 441.839182] invoke_syscall+0x50/0x120
[ 441.842919] el0_svc_common.constprop.0+0xc8/0xf0
[ 441.847611] do_el0_svc+0x24/0x38
[ 441.850913] el0_svc+0x38/0x158
[ 441.854043] el0t_64_sync_handler+0xa0/0xe8
[ 441.858214] el0t_64_sync+0x1ac/0x1b0
[ 441.861865] Code: aa1303e0 97ff70a8 34ffff80 d10a4273 (f9445a75)
[ 441.867946] ---[ end trace 0000000000000000 ]---
Therefore, set max_channel to 0.
Fixes: e21fe3a52692 ("scsi: hisi_sas: add initialisation for v3 pci-based controller")
Signed-off-by: Xingui Yang <yangxingui@huawei.com>
Signed-off-by: Yihang Li <liyihang9@huawei.com>
Link: https://patch.msgid.link/20260305064039.4096775-1-liyihang9@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hisi_sas/hisi_sas_main.c | 2 +-
drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index 30a9c66126513..c2b082f1252c3 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -2578,7 +2578,7 @@ int hisi_sas_probe(struct platform_device *pdev,
shost->transportt = hisi_sas_stt;
shost->max_id = HISI_SAS_MAX_DEVICES;
shost->max_lun = ~0;
- shost->max_channel = 1;
+ shost->max_channel = 0;
shost->max_cmd_len = HISI_SAS_MAX_CDB_LEN;
if (hisi_hba->hw->slot_index_alloc) {
shost->can_queue = HISI_SAS_MAX_COMMANDS;
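Review bot: The new `shost->max_channel = 0;` in hisi_sas_probe() needs a comment. The commit message describes user_scan() walking channels 1 to shost->max_channel, so the field is the highest valid channel index rather than a channel count, and 0 is what a single-channel host has to use. One line saying that would explain why the value is not 1.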
diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
index 2f9e01717ef38..f69efc6494b8e 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
@@ -4993,7 +4993,7 @@ hisi_sas_v3_probe(struct pci_dev *pdev, const struct pci_device_id *id)
shost->transportt = hisi_sas_stt;
shost->max_id = HISI_SAS_MAX_DEVICES;
shost->max_lun = ~0;
- shost->max_channel = 1;
+ shost->max_channel = 0;
shost->max_cmd_len = HISI_SAS_MAX_CDB_LEN;
shost->can_queue = HISI_SAS_UNRESERVED_IPTT;
shost->cmd_per_lun = HISI_SAS_UNRESERVED_IPTT;
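Review bot: hisi_sas_v3_probe() repeats the same Scsi_Host assignments as hisi_sas_probe() (transportt, max_id, max_lun, max_channel, max_cmd_len), so the wrong max_channel had to be corrected in two files. Consider moving the shared setup into one helper so a future correction only has to be made once.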
--
2.51.0
* [PATCH 6.19 194/378] mm/kfence: fix KASAN hardware tag faults during late enablement
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Potapenko,
Ernesto Martinez Garcia, Andrey Konovalov, Andrey Ryabinin,
Dmitry Vyukov, Kees Cook, Marco Elver, Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Potapenko <glider@google.com>
commit d155aab90fffa00f93cea1f107aef0a3d548b2ff upstream.
When KASAN hardware tags are enabled, re-enabling KFENCE late (via
/sys/module/kfence/parameters/sample_interval) causes KASAN faults.
This happens because the KFENCE pool and metadata are allocated via the
page allocator, which tags the memory, while KFENCE continues to access it
using untagged pointers during initialization.
Use __GFP_SKIP_KASAN for late KFENCE pool and metadata allocations to
ensure the memory remains untagged, consistent with early allocations from
memblock. To support this, add __GFP_SKIP_KASAN to the allowlist in
__alloc_contig_verify_gfp_mask().
Link: https://lkml.kernel.org/r/20260220144940.2779209-1-glider@google.com
Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure")
Signed-off-by: Alexander Potapenko <glider@google.com>
Suggested-by: Ernesto Martinez Garcia <ernesto.martinezgarcia@tugraz.at>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Kees Cook <kees@kernel.org>
Cc: Marco Elver <elver@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/kfence/core.c | 14 ++++++++------
mm/page_alloc.c | 3 ++-
2 files changed, 10 insertions(+), 7 deletions(-)
--- a/mm/kfence/core.c
+++ b/mm/kfence/core.c
@@ -984,14 +984,14 @@ static int kfence_init_late(void)
#ifdef CONFIG_CONTIG_ALLOC
struct page *pages;
- pages = alloc_contig_pages(nr_pages_pool, GFP_KERNEL, first_online_node,
- NULL);
+ pages = alloc_contig_pages(nr_pages_pool, GFP_KERNEL | __GFP_SKIP_KASAN,
+ first_online_node, NULL);
if (!pages)
return -ENOMEM;
__kfence_pool = page_to_virt(pages);
- pages = alloc_contig_pages(nr_pages_meta, GFP_KERNEL, first_online_node,
- NULL);
+ pages = alloc_contig_pages(nr_pages_meta, GFP_KERNEL | __GFP_SKIP_KASAN,
+ first_online_node, NULL);
if (pages)
kfence_metadata_init = page_to_virt(pages);
#else
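Review bot: No comment explains why the pool and metadata allocations in kfence_init_late() now pass __GFP_SKIP_KASAN. The reason is only in the commit message (KFENCE accesses this memory through untagged pointers, so the pages must stay untagged like the early memblock allocation). A short comment above the first alloc_contig_pages() call, or a local gfp variable shared by both #ifdef branches, would keep the flag from being dropped in a later cleanup.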
@@ -1001,11 +1001,13 @@ static int kfence_init_late(void)
return -EINVAL;
}
- __kfence_pool = alloc_pages_exact(KFENCE_POOL_SIZE, GFP_KERNEL);
+ __kfence_pool = alloc_pages_exact(KFENCE_POOL_SIZE,
+ GFP_KERNEL | __GFP_SKIP_KASAN);
if (!__kfence_pool)
return -ENOMEM;
- kfence_metadata_init = alloc_pages_exact(KFENCE_METADATA_SIZE, GFP_KERNEL);
+ kfence_metadata_init = alloc_pages_exact(KFENCE_METADATA_SIZE,
+ GFP_KERNEL | __GFP_SKIP_KASAN);
#endif
if (!kfence_metadata_init)
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -6941,7 +6941,8 @@ static int __alloc_contig_verify_gfp_mas
{
const gfp_t reclaim_mask = __GFP_IO | __GFP_FS | __GFP_RECLAIM;
const gfp_t action_mask = __GFP_COMP | __GFP_RETRY_MAYFAIL | __GFP_NOWARN |
- __GFP_ZERO | __GFP_ZEROTAGS | __GFP_SKIP_ZERO;
+ __GFP_ZERO | __GFP_ZEROTAGS | __GFP_SKIP_ZERO |
+ __GFP_SKIP_KASAN;
const gfp_t cc_action_mask = __GFP_RETRY_MAYFAIL | __GFP_NOWARN;
/*
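Review bot: Adding __GFP_SKIP_KASAN to action_mask in __alloc_contig_verify_gfp_mask() widens the allowlist for every caller of the contiguous allocator, not only KFENCE. Please check that the comment block following the masks still describes the accepted flags, and note there that this flag is accepted so a caller can request untagged contiguous memory.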
* [PATCH 6.19 195/378] mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Felix Gu, Ulf Hansson
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
commit af12e64ae0661546e8b4f5d30d55c5f53a11efe7 upstream.
When calling of_parse_phandle_with_args(), the caller is responsible
to call of_node_put() to release the reference of device node.
In of_get_dml_pipe_index(), it does not release the reference.
Fixes: 9cb15142d0e3 ("mmc: mmci: Add qcom dml support to the driver.")
Signed-off-by: Felix Gu <gu_0233@qq.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/mmci_qcom_dml.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/mmc/host/mmci_qcom_dml.c
+++ b/drivers/mmc/host/mmci_qcom_dml.c
@@ -109,6 +109,7 @@ static int of_get_dml_pipe_index(struct
&dma_spec))
return -ENODEV;
+ of_node_put(dma_spec.np);
if (dma_spec.args_count)
return dma_spec.args[0];
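Review bot: of_node_put(dma_spec.np) is called before dma_spec.args_count and dma_spec.args[0] are read. That is fine as long as those fields are plain values held in dma_spec and do not point into the node, but it reads like a use after release. Either add a one-line comment saying only the node reference is dropped, or read the index into a local first and put the node just before returning.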
* [PATCH 6.19 196/378] mm/kfence: disable KFENCE upon KASAN HW tags enablement
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Potapenko, Marco Elver,
Andrey Konovalov, Andrey Ryabinin, Dmitry Vyukov,
Ernesto Martinez Garcia, Kees Cook, Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Potapenko <glider@google.com>
commit 09833d99db36d74456a4d13eb29c32d56ff8f2b6 upstream.
KFENCE does not currently support KASAN hardware tags. As a result, the
two features are incompatible when enabled simultaneously.
Given that MTE provides deterministic protection and KFENCE is a
sampling-based debugging tool, prioritize the stronger hardware
protections. Disable KFENCE initialization and free the pre-allocated
pool if KASAN hardware tags are detected to ensure the system maintains
the security guarantees provided by MTE.
Link: https://lkml.kernel.org/r/20260213095410.1862978-1-glider@google.com
Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure")
Signed-off-by: Alexander Potapenko <glider@google.com>
Suggested-by: Marco Elver <elver@google.com>
Reviewed-by: Marco Elver <elver@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Ernesto Martinez Garcia <ernesto.martinezgarcia@tugraz.at>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Kees Cook <kees@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/kfence/core.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/mm/kfence/core.c
+++ b/mm/kfence/core.c
@@ -13,6 +13,7 @@
#include <linux/hash.h>
#include <linux/irq_work.h>
#include <linux/jhash.h>
+#include <linux/kasan-enabled.h>
#include <linux/kcsan-checks.h>
#include <linux/kfence.h>
#include <linux/kmemleak.h>
@@ -912,6 +913,20 @@ void __init kfence_alloc_pool_and_metada
return;
/*
+ * If KASAN hardware tags are enabled, disable KFENCE, because it
+ * does not support MTE yet.
+ */
+ if (kasan_hw_tags_enabled()) {
+ pr_info("disabled as KASAN HW tags are enabled\n");
+ if (__kfence_pool) {
+ memblock_free(__kfence_pool, KFENCE_POOL_SIZE);
+ __kfence_pool = NULL;
+ }
+ kfence_sample_interval = 0;
+ return;
+ }
+
+ /*
* If the pool has already been initialized by arch, there is no need to
* re-allocate the memory pool.
*/
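Review bot: The kasan_hw_tags_enabled() check added here only covers this __init function. Setting kfence_sample_interval = 0 does not by itself stop a later write to /sys/module/kfence/parameters/sample_interval from reaching kfence_init_late(). If late enablement is also meant to be refused when KASAN HW tags are on, the same check is needed on that path; if not, the new comment should say the check is boot-time only.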
* [PATCH 6.19 197/378] mmc: sdhci-brcmstb: use correct register offset for V1 pin_sel restore
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kamal Dasu, Florian Fainelli,
Ulf Hansson
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kamal Dasu <kamal.dasu@broadcom.com>
commit 79ad471530e0baef0dce991816013df55e401d9c upstream.
The restore path for SDIO_CFG_CORE_V1 was incorrectly using
SDIO_CFG_SD_PIN_SEL (offset 0x44) instead of SDIO_CFG_V1_SD_PIN_SEL
(offset 0x54), causing the wrong register to be written on resume.
The save path already uses the correct V1-specific offset. This
affects BCM7445 and BCM72116 platforms which use the V1 config core.
Fixes: b7e614802e3f ("mmc: sdhci-brcmstb: save and restore registers during PM")
Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
Cc: stable@vger.kernel.org
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-brcmstb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mmc/host/sdhci-brcmstb.c b/drivers/mmc/host/sdhci-brcmstb.c
index c9442499876c..57e45951644e 100644
--- a/drivers/mmc/host/sdhci-brcmstb.c
+++ b/drivers/mmc/host/sdhci-brcmstb.c
@@ -116,7 +116,7 @@ static void sdhci_brcmstb_restore_regs(struct mmc_host *mmc, enum cfg_core_ver v
writel(sr->boot_main_ctl, priv->boot_regs + SDIO_BOOT_MAIN_CTL);
if (ver == SDIO_CFG_CORE_V1) {
- writel(sr->sd_pin_sel, cr + SDIO_CFG_SD_PIN_SEL);
+ writel(sr->sd_pin_sel, cr + SDIO_CFG_V1_SD_PIN_SEL);
return;
}
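Review bot: The V1 branch of sdhci_brcmstb_restore_regs() has to be kept in step by hand with the save path, which the commit message says already used SDIO_CFG_V1_SD_PIN_SEL. A small helper that returns the pin_sel offset for a given cfg_core_ver, used by both save and restore, would remove the chance of the two paths picking different registers again.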
--
2.53.0
* [PATCH 6.19 198/378] mmc: dw_mmc-rockchip: Fix runtime PM support for internal phase support
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shawn Lin, Marco Schirrmeister,
Heiko Stuebner, Ulf Hansson
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shawn Lin <shawn.lin@rock-chips.com>
commit 6465a8bbb0f6ad98aeb66dc9ea19c32c193a610b upstream.
RK3576 is the first platform to introduce internal phase support, and
subsequent platforms are expected to adopt a similar design. In this
architecture, runtime suspend powers off the attached power domain, which
resets registers, including vendor-specific ones such as SDMMC_TIMING_CON0,
SDMMC_TIMING_CON1, and SDMMC_MISC_CON. These registers must be saved and
restored, a requirement that falls outside the scope of the dw_mmc core.
Fixes: 59903441f5e4 ("mmc: dw_mmc-rockchip: Add internal phase support")
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Tested-by: Marco Schirrmeister <mschirrmeister@gmail.com>
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/dw_mmc-rockchip.c | 38 ++++++++++++++++++++++++++++++++++++-
1 file changed, 37 insertions(+), 1 deletion(-)
--- a/drivers/mmc/host/dw_mmc-rockchip.c
+++ b/drivers/mmc/host/dw_mmc-rockchip.c
@@ -36,6 +36,8 @@ struct dw_mci_rockchip_priv_data {
int default_sample_phase;
int num_phases;
bool internal_phase;
+ int sample_phase;
+ int drv_phase;
};
/*
@@ -574,9 +576,43 @@ static void dw_mci_rockchip_remove(struc
dw_mci_pltfm_remove(pdev);
}
+static int dw_mci_rockchip_runtime_suspend(struct device *dev)
+{
+ struct platform_device *pdev = to_platform_device(dev);
+ struct dw_mci *host = platform_get_drvdata(pdev);
+ struct dw_mci_rockchip_priv_data *priv = host->priv;
+
+ if (priv->internal_phase) {
+ priv->sample_phase = rockchip_mmc_get_phase(host, true);
+ priv->drv_phase = rockchip_mmc_get_phase(host, false);
+ }
+
+ return dw_mci_runtime_suspend(dev);
+}
+
+static int dw_mci_rockchip_runtime_resume(struct device *dev)
+{
+ struct platform_device *pdev = to_platform_device(dev);
+ struct dw_mci *host = platform_get_drvdata(pdev);
+ struct dw_mci_rockchip_priv_data *priv = host->priv;
+ int ret;
+
+ ret = dw_mci_runtime_resume(dev);
+ if (ret)
+ return ret;
+
+ if (priv->internal_phase) {
+ rockchip_mmc_set_phase(host, true, priv->sample_phase);
+ rockchip_mmc_set_phase(host, false, priv->drv_phase);
+ mci_writel(host, MISC_CON, MEM_CLK_AUTOGATE_ENABLE);
+ }
+
+ return ret;
+}
+
static const struct dev_pm_ops dw_mci_rockchip_dev_pm_ops = {
SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, pm_runtime_force_resume)
- RUNTIME_PM_OPS(dw_mci_runtime_suspend, dw_mci_runtime_resume, NULL)
+ RUNTIME_PM_OPS(dw_mci_rockchip_runtime_suspend, dw_mci_rockchip_runtime_resume, NULL)
};
static struct platform_driver dw_mci_rockchip_pltfm_driver = {
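Review bot: In dw_mci_rockchip_runtime_resume() MISC_CON is rewritten with the fixed value MEM_CLK_AUTOGATE_ENABLE, while the commit message lists SDMMC_MISC_CON among the registers that must be saved and restored. dw_mci_rockchip_runtime_suspend() saves only the two phases, so any other MISC_CON bits set before suspend are lost. Either save the register in suspend and write it back, or add a comment stating that autogate enable is the only bit the driver ever sets there. A comment on the ordering would help too: the phases are read before dw_mci_runtime_suspend() and written after dw_mci_runtime_resume() returns success.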
* [PATCH 6.19 199/378] mmc: core: Avoid bitfield RMW for claim/retune flags
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Penghe Geng,
Ulf Hansson
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Penghe Geng <pgeng@nvidia.com>
commit 901084c51a0a8fb42a3f37d2e9c62083c495f824 upstream.
Move claimed and retune control flags out of the bitfield word to
avoid unrelated RMW side effects in asynchronous contexts.
The host->claimed bit shared a word with retune flags. Writes to claimed
in __mmc_claim_host() or retune_now in mmc_mq_queue_rq() can overwrite
other bits when concurrent updates happen in other contexts, triggering
spurious WARN_ON(!host->claimed). Convert claimed, can_retune,
retune_now and retune_paused to bool to remove shared-word coupling.
Fixes: 6c0cedd1ef952 ("mmc: core: Introduce host claiming by context")
Fixes: 1e8e55b67030c ("mmc: block: Add CQE support")
Cc: stable@vger.kernel.org
Suggested-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Penghe Geng <pgeng@nvidia.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mmc/host.h | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/include/linux/mmc/host.h
+++ b/include/linux/mmc/host.h
@@ -486,14 +486,12 @@ struct mmc_host {
struct mmc_ios ios; /* current io bus settings */
+ bool claimed; /* host exclusively claimed */
+
/* group bitfields together to minimize padding */
unsigned int use_spi_crc:1;
- unsigned int claimed:1; /* host exclusively claimed */
unsigned int doing_init_tune:1; /* initial tuning in progress */
- unsigned int can_retune:1; /* re-tuning can be used */
unsigned int doing_retune:1; /* re-tuning in progress */
- unsigned int retune_now:1; /* do re-tuning at next req */
- unsigned int retune_paused:1; /* re-tuning is temporarily disabled */
unsigned int retune_crc_disable:1; /* don't trigger retune upon crc */
unsigned int can_dma_map_merge:1; /* merging can be used */
unsigned int vqmmc_enabled:1; /* vqmmc regulator is enabled */
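Review bot: The flags left in the bitfield after this hunk (use_spi_crc, doing_init_tune, doing_retune, retune_crc_disable and the rest) still share one word, so a write to any of them remains a read-modify-write of all the others. Please state, in the commit message or in the `/* group bitfields together to minimize padding */` comment, that none of the remaining bits is written from a context that can race with another writer. doing_retune in particular sits among the retune flags that were moved out.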
@@ -508,6 +506,9 @@ struct mmc_host {
int rescan_disable; /* disable card detection */
int rescan_entered; /* used with nonremovable devices */
+ bool can_retune; /* re-tuning can be used */
+ bool retune_now; /* do re-tuning at next req */
+ bool retune_paused; /* re-tuning is temporarily disabled */
int need_retune; /* re-tuning is needed */
int hold_retune; /* hold off re-tuning */
unsigned int retune_period; /* re-tuning period in secs */
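Review bot: The new bool members can_retune, retune_now and retune_paused (and claimed in the previous hunk) carry no hint that they were deliberately taken out of the bitfield. A short comment above them saying they are written from asynchronous contexts and must not share a word with other flags would stop a later padding cleanup from folding them back in.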
* [PATCH 6.19 200/378] ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ravi Hothi, Srinivas Kandagatla,
Mark Brown
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ravi Hothi <ravi.hothi@oss.qualcomm.com>
commit d6db827b430bdcca3976cebca7bd69cca03cde2c upstream.
During ADSP stop and start, the kernel crashes due to the order in which
ASoC components are removed.
On ADSP stop, the q6apm-audio .remove callback unloads topology and removes
PCM runtimes during ASoC teardown. This deletes the RTDs that contain the
q6apm DAI components before their removal pass runs, leaving those
components still linked to the card and causing crashes on the next rebind.
Fix this by ensuring that all dependent (child) components are removed
first, and the q6apm component is removed last.
[ 48.105720] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0
[ 48.114763] Mem abort info:
[ 48.117650] ESR = 0x0000000096000004
[ 48.121526] EC = 0x25: DABT (current EL), IL = 32 bits
[ 48.127010] SET = 0, FnV = 0
[ 48.130172] EA = 0, S1PTW = 0
[ 48.133415] FSC = 0x04: level 0 translation fault
[ 48.138446] Data abort info:
[ 48.141422] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 48.147079] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 48.152354] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 48.157859] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001173cf000
[ 48.164517] [00000000000000d0] pgd=0000000000000000, p4d=0000000000000000
[ 48.171530] Internal error: Oops: 0000000096000004 [#1] SMP
[ 48.177348] Modules linked in: q6prm_clocks q6apm_lpass_dais q6apm_dai snd_q6dsp_common q6prm snd_q6apm 8021q garp mrp stp llc snd_soc_hdmi_codec apr pdr_interface phy_qcom_edp fastrpc qcom_pd_mapper rpmsg_ctrl qrtr_smd rpmsg_char qcom_pdr_msg qcom_iris v4l2_mem2mem videobuf2_dma_contig ath11k_pci msm ubwc_config at24 ath11k videobuf2_memops mac80211 ocmem videobuf2_v4l2 libarc4 drm_gpuvm mhi qrtr videodev drm_exec snd_soc_sc8280xp gpu_sched videobuf2_common nvmem_qcom_spmi_sdam snd_soc_qcom_sdw drm_dp_aux_bus qcom_q6v5_pas qcom_spmi_temp_alarm snd_soc_qcom_common rtc_pm8xxx qcom_pon drm_display_helper cec qcom_pil_info qcom_stats soundwire_bus drm_client_lib mc dispcc0_sa8775p videocc_sa8775p qcom_q6v5 camcc_sa8775p snd_soc_dmic phy_qcom_sgmii_eth snd_soc_max98357a i2c_qcom_geni snd_soc_core dwmac_qcom_ethqos llcc_qcom icc_bwmon qcom_sysmon snd_compress qcom_refgen_regulator coresight_stm stmmac_platform snd_pcm_dmaengine qcom_common coresight_tmc stmmac coresight_replicator qcom_glink_smem coresight_cti stm_core
[ 48.177444] coresight_funnel snd_pcm ufs_qcom phy_qcom_qmp_usb gpi phy_qcom_snps_femto_v2 coresight phy_qcom_qmp_ufs qcom_wdt gpucc_sa8775p pcs_xpcs mdt_loader qcom_ice icc_osm_l3 qmi_helpers snd_timer snd soundcore display_connector qcom_rng nvmem_reboot_mode drm_kms_helper phy_qcom_qmp_pcie sha256 cfg80211 rfkill socinfo fuse drm backlight ipv6
[ 48.301059] CPU: 2 UID: 0 PID: 293 Comm: kworker/u32:2 Not tainted 6.19.0-rc6-dirty #10 PREEMPT
[ 48.310081] Hardware name: Qualcomm Technologies, Inc. Lemans EVK (DT)
[ 48.316782] Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]
[ 48.323672] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 48.330825] pc : mutex_lock+0xc/0x54
[ 48.334514] lr : soc_dapm_shutdown_dapm+0x44/0x174 [snd_soc_core]
[ 48.340794] sp : ffff800084ddb7b0
[ 48.344207] x29: ffff800084ddb7b0 x28: ffff00009cd9cf30 x27: ffff00009cd9cc00
[ 48.351544] x26: ffff000099610190 x25: ffffa31d2f19c810 x24: ffffa31d2f185098
[ 48.358869] x23: ffff800084ddb7f8 x22: 0000000000000000 x21: 00000000000000d0
[ 48.366198] x20: ffff00009ba6c338 x19: ffff00009ba6c338 x18: 00000000ffffffff
[ 48.373528] x17: 000000040044ffff x16: ffffa31d4ae6dca8 x15: 072007740775076f
[ 48.380853] x14: 0765076d07690774 x13: 00313a323a656369 x12: 767265733a637673
[ 48.388182] x11: 00000000000003f9 x10: ffffa31d4c7dea98 x9 : 0000000000000001
[ 48.395519] x8 : ffff00009a2aadc0 x7 : 0000000000000003 x6 : 0000000000000000
[ 48.402854] x5 : 0000000000000000 x4 : 0000000000000028 x3 : ffff000ef397a698
[ 48.410180] x2 : ffff00009a2aadc0 x1 : 0000000000000000 x0 : 00000000000000d0
[ 48.417506] Call trace:
[ 48.420025] mutex_lock+0xc/0x54 (P)
[ 48.423712] snd_soc_dapm_shutdown+0x44/0xbc [snd_soc_core]
[ 48.429447] soc_cleanup_card_resources+0x30/0x2c0 [snd_soc_core]
[ 48.435719] snd_soc_bind_card+0x4dc/0xcc0 [snd_soc_core]
[ 48.441278] snd_soc_add_component+0x27c/0x2c8 [snd_soc_core]
[ 48.447192] snd_soc_register_component+0x9c/0xf4 [snd_soc_core]
[ 48.453371] devm_snd_soc_register_component+0x64/0xc4 [snd_soc_core]
[ 48.459994] apm_probe+0xb4/0x110 [snd_q6apm]
[ 48.464479] apr_device_probe+0x24/0x40 [apr]
[ 48.468964] really_probe+0xbc/0x298
[ 48.472651] __driver_probe_device+0x78/0x12c
[ 48.477132] driver_probe_device+0x40/0x160
[ 48.481435] __device_attach_driver+0xb8/0x134
[ 48.486011] bus_for_each_drv+0x80/0xdc
[ 48.489964] __device_attach+0xa8/0x1b0
[ 48.493916] device_initial_probe+0x50/0x54
[ 48.498219] bus_probe_device+0x38/0xa0
[ 48.502170] device_add+0x590/0x760
[ 48.505761] device_register+0x20/0x30
[ 48.509623] of_register_apr_devices+0x1d8/0x318 [apr]
[ 48.514905] apr_pd_status+0x2c/0x54 [apr]
[ 48.519114] pdr_notifier_work+0x8c/0xe0 [pdr_interface]
[ 48.524570] process_one_work+0x150/0x294
[ 48.528692] worker_thread+0x2d8/0x3d8
[ 48.532551] kthread+0x130/0x204
[ 48.535874] ret_from_fork+0x10/0x20
[ 48.539559] Code: d65f03c0 d5384102 d503201f d2800001 (c8e17c02)
[ 48.545823] ---[ end trace 0000000000000000 ]---
Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support")
Cc: stable@vger.kernel.org
Signed-off-by: Ravi Hothi <ravi.hothi@oss.qualcomm.com>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260227144534.278568-1-ravi.hothi@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm-dai.c | 1 +
sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 1 +
sound/soc/qcom/qdsp6/q6apm.c | 1 +
3 files changed, 3 insertions(+)
--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
@@ -838,6 +838,7 @@ static const struct snd_soc_component_dr
.ack = q6apm_dai_ack,
.compress_ops = &q6apm_dai_compress_ops,
.use_dai_pcm_id = true,
+ .remove_order = SND_SOC_COMP_ORDER_EARLY,
};
static int q6apm_dai_probe(struct platform_device *pdev)
--- a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
+++ b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
@@ -278,6 +278,7 @@ static const struct snd_soc_component_dr
.of_xlate_dai_name = q6dsp_audio_ports_of_xlate_dai_name,
.be_pcm_base = AUDIOREACH_BE_PCM_BASE,
.use_dai_pcm_id = true,
+ .remove_order = SND_SOC_COMP_ORDER_FIRST,
};
static int q6apm_lpass_dai_dev_probe(struct platform_device *pdev)
--- a/sound/soc/qcom/qdsp6/q6apm.c
+++ b/sound/soc/qcom/qdsp6/q6apm.c
@@ -712,6 +712,7 @@ static const struct snd_soc_component_dr
.name = APM_AUDIO_DRV_NAME,
.probe = q6apm_audio_probe,
.remove = q6apm_audio_remove,
+ .remove_order = SND_SOC_COMP_ORDER_LAST,
};
static int apm_probe(gpr_device_t *gdev)
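Review bot: the three .remove_order values (SND_SOC_COMP_ORDER_EARLY in q6apm-dai.c, SND_SOC_COMP_ORDER_FIRST in q6apm-lpass-dais.c, SND_SOC_COMP_ORDER_LAST here in q6apm.c) encode a teardown dependency between the components, but nothing next to the initializers says so. A one-line comment at each .remove_order naming which component has to outlive which would keep a later cleanup from normalising the values and reintroducing the mutex_lock() crash in snd_soc_dapm_shutdown() shown in the trace.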
* [PATCH 6.19 201/378] tipc: fix divide-by-zero in tipc_sk_filter_connect()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 200/378] ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 202/378] firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled Greg Kroah-Hartman
` (183 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mehul Rao, Tung Nguyen,
Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mehul Rao <mehulrao@gmail.com>
commit 6c5a9baa15de240e747263aba435a0951da8d8d2 upstream.
A user can set conn_timeout to any value via
setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a
SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in
tipc_sk_filter_connect() executes:
delay %= (tsk->conn_timeout / 4);
If conn_timeout is in the range [0, 3], the integer division yields 0,
and the modulo operation triggers a divide-by-zero exception, causing a
kernel oops/panic.
Fix this by clamping conn_timeout to a minimum of 4 at the point of use
in tipc_sk_filter_connect().
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362)
Call Trace:
tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406)
__release_sock (include/net/sock.h:1185 net/core/sock.c:3213)
release_sock (net/core/sock.c:3797)
tipc_connect (net/tipc/socket.c:2570)
__sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098)
Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket")
Cc: stable@vger.kernel.org
Signed-off-by: Mehul Rao <mehulrao@gmail.com>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Link: https://patch.msgid.link/20260310170730.28841-1-mehulrao@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tipc/socket.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2233,6 +2233,8 @@ static bool tipc_sk_filter_connect(struc
if (skb_queue_empty(&sk->sk_write_queue))
break;
get_random_bytes(&delay, 2);
+ if (tsk->conn_timeout < 4)
+ tsk->conn_timeout = 4;
delay %= (tsk->conn_timeout / 4);
delay = msecs_to_jiffies(delay + 100);
sk_reset_timer(sk, &sk->sk_timer, jiffies + delay);
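Review bot: the two added lines write the clamped value back into tsk->conn_timeout, so a retry on the receive path silently changes the timeout the user configured through setsockopt(TIPC_CONN_TIMEOUT). Computing the divisor in a local that is clamped to at least 1 would remove the divide-by-zero in "delay %= (tsk->conn_timeout / 4)" without mutating socket state; rejecting or clamping values below 4 where the option is set is the other option and keeps the check out of the data path.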
* [PATCH 6.19 202/378] firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 201/378] tipc: fix divide-by-zero in tipc_sk_filter_connect() Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 203/378] kprobes: avoid crash when rmmod/insmod after ftrace killed Greg Kroah-Hartman
` (182 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Liwei Song, Dinh Nguyen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liwei Song <liwei.song@windriver.com>
commit c45f7263100cece247dd3fa5fe277bd97fdb5687 upstream.
When the Remote System Update (RSU) isn't enabled in the First Stage
Boot Loader (FSBL), the driver encounters a NULL pointer dereference when
executing the svc_normal_to_secure_thread() thread, resulting in a kernel panic:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
Mem abort info:
...
Data abort info:
...
[0000000000000008] user address but active_mm is swapper
Internal error: Oops: 0000000096000004 [#1] SMP
Modules linked in:
CPU: 0 UID: 0 PID: 79 Comm: svc_smc_hvc_thr Not tainted 6.19.0-rc8-yocto-standard+ #59 PREEMPT
Hardware name: SoCFPGA Stratix 10 SoCDK (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : svc_normal_to_secure_thread+0x38c/0x990
lr : svc_normal_to_secure_thread+0x144/0x990
...
Call trace:
svc_normal_to_secure_thread+0x38c/0x990 (P)
kthread+0x150/0x210
ret_from_fork+0x10/0x20
Code: 97cfc113 f9400260 aa1403e1 f9400400 (f9400402)
---[ end trace 0000000000000000 ]---
The issue occurs because rsu_send_async_msg() fails when RSU is not enabled
in firmware, causing the channel to be freed via stratix10_svc_free_channel().
However, the probe function continues execution and registers
svc_normal_to_secure_thread(), which subsequently attempts to access the
already-freed channel, triggering the NULL pointer dereference.
Fix this by properly cleaning up the async client and returning early on
failure, preventing the thread from being used with an invalid channel.
Fixes: 15847537b623 ("firmware: stratix10-rsu: Migrate RSU driver to use stratix10 asynchronous framework.")
Cc: stable@kernel.org
Signed-off-by: Liwei Song <liwei.song@windriver.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/stratix10-rsu.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/firmware/stratix10-rsu.c b/drivers/firmware/stratix10-rsu.c
index 41da07c445a6..e1912108a0fe 100644
--- a/drivers/firmware/stratix10-rsu.c
+++ b/drivers/firmware/stratix10-rsu.c
@@ -768,7 +768,9 @@ static int stratix10_rsu_probe(struct platform_device *pdev)
rsu_async_status_callback);
if (ret) {
dev_err(dev, "Error, getting RSU status %i\n", ret);
+ stratix10_svc_remove_async_client(priv->chan);
stratix10_svc_free_channel(priv->chan);
+ return ret;
}
/* get DCMF version from firmware */
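Review bot: the failure branch now tears down inline (stratix10_svc_remove_async_client(), stratix10_svc_free_channel(), return ret) and leaves priv->chan holding the freed channel pointer. That is fine as long as nothing reaches priv after a failed probe, but if the later steps of stratix10_rsu_probe(), starting with the DCMF version query, need the same teardown on failure, a shared error label would keep the paths from drifting apart.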
--
2.53.0
* [PATCH 6.19 203/378] kprobes: avoid crash when rmmod/insmod after ftrace killed
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 202/378] firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 204/378] ceph: add a bunch of missing ceph_path_info initializers Greg Kroah-Hartman
` (181 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Masami Hiramatsu (Google),
Steven Rostedt (Google)
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
commit e113f0b46d19626ec15388bcb91432c9a4fd6261 upstream.
After ftrace is killed by some errors, the kernel crashes if
we remove modules in which kprobe probes.
BUG: unable to handle page fault for address: fffffbfff805000d
PGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN PTI
CPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OE
Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
RIP: 0010:kprobes_module_callback+0x89/0x790
RSP: 0018:ffff88812e157d30 EFLAGS: 00010a02
RAX: 1ffffffff805000d RBX: dffffc0000000000 RCX: ffffffff86a8de90
RDX: ffffed1025c2af9b RSI: 0000000000000008 RDI: ffffffffc0280068
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed1025c2af9a
R10: ffff88812e157cd7 R11: 205d323130325420 R12: 0000000000000002
R13: ffffffffc0290488 R14: 0000000000000002 R15: ffffffffc0280040
FS: 00007fbc450dd740(0000) GS:ffff888420331000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff805000d CR3: 000000010f624000 CR4: 00000000000006f0
Call Trace:
<TASK>
notifier_call_chain+0xc6/0x280
blocking_notifier_call_chain+0x60/0x90
__do_sys_delete_module.constprop.0+0x32a/0x4e0
do_syscall_64+0x5d/0xfa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
This is because the kprobe on ftrace does not correctly handle
the kprobe_ftrace_disabled flag set by ftrace_kill().
To prevent this error, check kprobe_ftrace_disabled in
__disarm_kprobe_ftrace() and skip all ftrace related operations.
Link: https://lore.kernel.org/all/176473947565.1727781.13110060700668331950.stgit@mhiramat.tok.corp.google.com/
Reported-by: Ye Bin <yebin10@huawei.com>
Closes: https://lore.kernel.org/all/20251125020536.2484381-1-yebin@huaweicloud.com/
Fixes: ae6aa16fdc16 ("kprobes: introduce ftrace based optimization")
Cc: stable@vger.kernel.org
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/kprobes.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1104,6 +1104,10 @@ static int __disarm_kprobe_ftrace(struct
int ret;
lockdep_assert_held(&kprobe_mutex);
+ if (unlikely(kprobe_ftrace_disabled)) {
+ /* Now ftrace is disabled forever, disarm is already done. */
+ return 0;
+ }
if (*cnt == 1) {
ret = unregister_ftrace_function(ops);
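Review bot: the early return added ahead of "if (*cnt == 1)" skips all handling of the counter behind cnt once kprobe_ftrace_disabled is set, so that counter stops tracking the number of armed probes from then on. Worth confirming that nothing consults it after ftrace_kill(), and saying so in the comment. The braces exist only to hold the comment; moving the comment above the if would let the body be a bare return.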
* [PATCH 6.19 204/378] ceph: add a bunch of missing ceph_path_info initializers
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 203/378] kprobes: avoid crash when rmmod/insmod after ftrace killed Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 205/378] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() Greg Kroah-Hartman
` (180 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Kellermann, Viacheslav Dubeyko,
Ilya Dryomov
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Kellermann <max.kellermann@ionos.com>
commit 43323a5934b660afae687e8e4e95ac328615a5c4 upstream.
ceph_mdsc_build_path() must be called with a zero-initialized
ceph_path_info parameter, or else the following
ceph_mdsc_free_path_info() may crash.
Example crash (on Linux 6.18.12):
virt_to_cache: Object is not a Slab page!
WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6732 kmem_cache_free+0x316/0x400
[...]
Call Trace:
[...]
ceph_open+0x13d/0x3e0
do_dentry_open+0x134/0x480
vfs_open+0x2a/0xe0
path_openat+0x9a3/0x1160
[...]
cache_from_obj: Wrong slab cache. names_cache but object is from ceph_inode_info
WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6746 kmem_cache_free+0x2dd/0x400
[...]
kernel BUG at mm/slub.c:634!
Oops: invalid opcode: 0000 [#1] SMP NOPTI
RIP: 0010:__slab_free+0x1a4/0x350
Some of the ceph_mdsc_build_path() callers had initializers, but
others had not, even though they were all added by commit 15f519e9f883
("ceph: fix race condition validating r_parent before applying state").
The ones without initializer are susceptible to random crashes. (I can
imagine it could even be possible to exploit this bug to elevate
privileges.)
Unfortunately, these Ceph functions are undocumented and their semantics
can only be derived from the code. I see that ceph_mdsc_build_path()
initializes the structure only on success, but not on error.
Calling ceph_mdsc_free_path_info() after a failed
ceph_mdsc_build_path() call does not even make sense, but that's what
all callers do, and for it to be safe, the structure must be
zero-initialized. The least intrusive approach to fix this is
therefore to add initializers everywhere.
Cc: stable@vger.kernel.org
Fixes: 15f519e9f883 ("ceph: fix race condition validating r_parent before applying state")
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/debugfs.c | 4 ++--
fs/ceph/dir.c | 2 +-
fs/ceph/file.c | 4 ++--
fs/ceph/inode.c | 2 +-
4 files changed, 6 insertions(+), 6 deletions(-)
--- a/fs/ceph/debugfs.c
+++ b/fs/ceph/debugfs.c
@@ -79,7 +79,7 @@ static int mdsc_show(struct seq_file *s,
if (req->r_inode) {
seq_printf(s, " #%llx", ceph_ino(req->r_inode));
} else if (req->r_dentry) {
- struct ceph_path_info path_info;
+ struct ceph_path_info path_info = {0};
path = ceph_mdsc_build_path(mdsc, req->r_dentry, &path_info, 0);
if (IS_ERR(path))
path = NULL;
@@ -98,7 +98,7 @@ static int mdsc_show(struct seq_file *s,
}
if (req->r_old_dentry) {
- struct ceph_path_info path_info;
+ struct ceph_path_info path_info = {0};
path = ceph_mdsc_build_path(mdsc, req->r_old_dentry, &path_info, 0);
if (IS_ERR(path))
path = NULL;
--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -1364,7 +1364,7 @@ static int ceph_unlink(struct inode *dir
if (!dn) {
try_async = false;
} else {
- struct ceph_path_info path_info;
+ struct ceph_path_info path_info = {0};
path = ceph_mdsc_build_path(mdsc, dn, &path_info, 0);
if (IS_ERR(path)) {
try_async = false;
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -397,7 +397,7 @@ int ceph_open(struct inode *inode, struc
if (!dentry) {
do_sync = true;
} else {
- struct ceph_path_info path_info;
+ struct ceph_path_info path_info = {0};
path = ceph_mdsc_build_path(mdsc, dentry, &path_info, 0);
if (IS_ERR(path)) {
do_sync = true;
@@ -807,7 +807,7 @@ int ceph_atomic_open(struct inode *dir,
if (!dn) {
try_async = false;
} else {
- struct ceph_path_info path_info;
+ struct ceph_path_info path_info = {0};
path = ceph_mdsc_build_path(mdsc, dn, &path_info, 0);
if (IS_ERR(path)) {
try_async = false;
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -2551,7 +2551,7 @@ int __ceph_setattr(struct mnt_idmap *idm
if (!dentry) {
do_sync = true;
} else {
- struct ceph_path_info path_info;
+ struct ceph_path_info path_info = {0};
path = ceph_mdsc_build_path(mdsc, dentry, &path_info, 0);
if (IS_ERR(path)) {
do_sync = true;
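Review bot: every call site, this one in __ceph_setattr() included, now has to remember "= {0}", and the next caller added without it brings the same kmem_cache_free() crash back. Since the commit message notes that ceph_mdsc_build_path() fills the structure only on success, zeroing *path_info at the top of that function, or at least documenting the zero-init requirement at its definition, would make the contract hold independently of the callers.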
* [PATCH 6.19 205/378] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 204/378] ceph: add a bunch of missing ceph_path_info initializers Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 206/378] libceph: reject preamble if control segment is empty Greg Kroah-Hartman
` (179 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Viacheslav Dubeyko,
Ilya Dryomov
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit b282c43ed156ae15ea76748fc15cd5c39dc9ab72 upstream.
This patch fixes an out-of-bounds access in ceph_handle_auth_reply()
that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In
ceph_handle_auth_reply(), the value of the payload_len field of such a
message is stored in a variable of type int. A value greater than
INT_MAX leads to an integer overflow and is interpreted as a negative
value. This leads to decrementing the pointer address by this value and
subsequently accessing it because ceph_decode_need() only checks that
the memory access does not exceed the end address of the allocation.
This patch fixes the issue by changing the data type of payload_len to
u32. Additionally, the data type of result_msg_len is changed to u32,
as it is also a variable holding a non-negative length.
Also, an additional layer of sanity checks is introduced, ensuring that
directly after reading it from the message, payload_len and
result_msg_len are not greater than the overall segment length.
BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]
Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262
CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: ceph-msgr ceph_con_workfn [libceph]
Call Trace:
<TASK>
dump_stack_lvl+0x76/0xa0
print_report+0xd1/0x620
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? kasan_complete_mode_report_info+0x72/0x210
kasan_report+0xe7/0x130
? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
__asan_report_load_n_noabort+0xf/0x20
ceph_handle_auth_reply+0x642/0x7a0 [libceph]
mon_dispatch+0x973/0x23d0 [libceph]
? apparmor_socket_recvmsg+0x6b/0xa0
? __pfx_mon_dispatch+0x10/0x10 [libceph]
? __kasan_check_write+0x14/0x30i
? mutex_unlock+0x7f/0xd0
? __pfx_mutex_unlock+0x10/0x10
? __pfx_do_recvmsg+0x10/0x10 [libceph]
ceph_con_process_message+0x1f1/0x650 [libceph]
process_message+0x1e/0x450 [libceph]
ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]
? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]
? save_fpregs_to_fpstate+0xb0/0x230
? raw_spin_rq_unlock+0x17/0xa0
? finish_task_switch.isra.0+0x13b/0x760
? __switch_to+0x385/0xda0
? __kasan_check_write+0x14/0x30
? mutex_lock+0x8d/0xe0
? __pfx_mutex_lock+0x10/0x10
ceph_con_workfn+0x248/0x10c0 [libceph]
process_one_work+0x629/0xf80
? __kasan_check_write+0x14/0x30
worker_thread+0x87f/0x1570
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? __pfx_try_to_wake_up+0x10/0x10
? kasan_print_address_stack_frame+0x1f7/0x280
? __pfx_worker_thread+0x10/0x10
kthread+0x396/0x830
? __pfx__raw_spin_lock_irq+0x10/0x10
? __pfx_kthread+0x10/0x10
? __kasan_check_write+0x14/0x30
? recalc_sigpending+0x180/0x210
? __pfx_kthread+0x10/0x10
ret_from_fork+0x3f7/0x610
? __pfx_ret_from_fork+0x10/0x10
? __switch_to+0x385/0xda0
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
[ idryomov: replace if statements with ceph_decode_need() for
payload_len and result_msg_len ]
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/auth.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/ceph/auth.c
+++ b/net/ceph/auth.c
@@ -205,9 +205,9 @@ int ceph_handle_auth_reply(struct ceph_a
s32 result;
u64 global_id;
void *payload, *payload_end;
- int payload_len;
+ u32 payload_len;
char *result_msg;
- int result_msg_len;
+ u32 result_msg_len;
int ret = -EINVAL;
mutex_lock(&ac->mutex);
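Review bot: with payload_len and result_msg_len now u32, any dout() or pr_err() further down in ceph_handle_auth_reply() that prints either of them with %d needs to move to %u, the way the ceph_monmap_decode() patch in this series does for num_mon. Neither visible hunk touches a format string, so this is worth a grep before applying.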
@@ -217,10 +217,12 @@ int ceph_handle_auth_reply(struct ceph_a
result = ceph_decode_32(&p);
global_id = ceph_decode_64(&p);
payload_len = ceph_decode_32(&p);
+ ceph_decode_need(&p, end, payload_len, bad);
payload = p;
p += payload_len;
ceph_decode_need(&p, end, sizeof(u32), bad);
result_msg_len = ceph_decode_32(&p);
+ ceph_decode_need(&p, end, result_msg_len, bad);
result_msg = p;
p += result_msg_len;
if (p != end)
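The signedness problem described in the commit message above, modelled in userspace as an added example (not libceph code): offsets stand in for the kernel's pointers, so the out-of-bounds case is reported rather than performed. The field layout is reduced to what the hunk shows; parse_signed, parse_unsigned, fits and both sample messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PARSED = 0, REJECTED = -1, OOB_READ = 1 };

/* Constructed sample: well-formed reply with payload "abc" and message "ok". */
static const uint8_t GOOD_MSG[] = {
    0, 0, 0, 0,                 /* result */
    1, 0, 0, 0, 0, 0, 0, 0,     /* global_id */
    3, 0, 0, 0, 'a', 'b', 'c',  /* payload_len + payload */
    2, 0, 0, 0, 'o', 'k',       /* result_msg_len + result_msg */
};

/* Constructed sample: payload_len = 0xffffffe0, which is -32 as a signed int. */
static const uint8_t BAD_MSG[] = {
    0, 0, 0, 0,                 /* result */
    1, 0, 0, 0, 0, 0, 0, 0,     /* global_id */
    0xe0, 0xff, 0xff, 0xff,     /* payload_len */
    0, 0, 0, 0, 0, 0, 0, 0,     /* filler */
};

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Reinterpret the 32 wire bits as signed, as storing them in an int does. */
static int32_t as_s32(uint32_t u)
{
    int32_t s;

    memcpy(&s, &u, sizeof(s));
    return s;
}

/* Before: signed lengths and a check that only looks at the upper bound. */
static int parse_signed(const uint8_t *buf, long len)
{
    long pos = 12;                      /* skip result + global_id */
    int32_t payload_len, result_msg_len;

    if (len < 16)
        return REJECTED;
    payload_len = as_s32(get_le32(buf + pos));
    pos += 4;
    pos += payload_len;                 /* a negative length walks backwards */
    if (pos + 4 > len)                  /* upper bound only: passes */
        return REJECTED;
    if (pos < 0)                        /* the model stops instead of reading */
        return OOB_READ;
    result_msg_len = as_s32(get_le32(buf + pos));
    pos += 4 + result_msg_len;
    return pos == len ? PARSED : REJECTED;
}

/* True when n more bytes fit between pos and end (requires pos <= end). */
static int fits(size_t pos, size_t end, uint32_t n)
{
    return n <= end - pos;
}

/* After: unsigned lengths, each checked right after it is read. */
static int parse_unsigned(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    uint32_t payload_len, result_msg_len;

    if (!fits(pos, len, 16))
        return REJECTED;
    pos += 12;
    payload_len = get_le32(buf + pos);
    pos += 4;
    if (!fits(pos, len, payload_len))
        return REJECTED;
    pos += payload_len;
    if (!fits(pos, len, 4))
        return REJECTED;
    result_msg_len = get_le32(buf + pos);
    pos += 4;
    if (!fits(pos, len, result_msg_len))
        return REJECTED;
    pos += result_msg_len;
    return pos == len ? PARSED : REJECTED;
}

int main(void)
{
    printf("signed,   good: %d\n", parse_signed(GOOD_MSG, sizeof(GOOD_MSG)));
    printf("signed,   bad:  %d\n", parse_signed(BAD_MSG, sizeof(BAD_MSG)));
    printf("unsigned, good: %d\n", parse_unsigned(GOOD_MSG, sizeof(GOOD_MSG)));
    printf("unsigned, bad:  %d\n", parse_unsigned(BAD_MSG, sizeof(BAD_MSG)));
    return 0;
}
```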
* [PATCH 6.19 206/378] libceph: reject preamble if control segment is empty
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 205/378] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 207/378] libceph: prevent potential out-of-bounds reads in process_message_header() Greg Kroah-Hartman
` (178 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ilya Dryomov, Alex Markuze
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit c4c22b846eceff05b1129b8844a80310e55a7f87 upstream.
While head_onwire_len() has a branch to handle ctrl_len == 0 case,
prepare_read_control() always sets up a kvec for the CRC meaning that
a non-empty control segment is effectively assumed. All frames that
clients deal with meet that assumption, so let's make it official and
treat the preamble with an empty control segment as malformed.
Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/messenger_v2.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -392,7 +392,7 @@ static int head_onwire_len(int ctrl_len,
int head_len;
int rem_len;
- BUG_ON(ctrl_len < 0 || ctrl_len > CEPH_MSG_MAX_CONTROL_LEN);
+ BUG_ON(ctrl_len < 1 || ctrl_len > CEPH_MSG_MAX_CONTROL_LEN);
if (secure) {
head_len = CEPH_PREAMBLE_SECURE_LEN;
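Review bot: tightening the BUG_ON to "ctrl_len < 1" means a zero-length control segment that reaches head_onwire_len() now panics instead of taking the "if (ctrl_len)" branch removed in the next hunk. The receive side is covered by the new "fd_lens[0] < 1" check in decode_preamble(), but it is worth confirming that every other caller of head_onwire_len() also guarantees ctrl_len >= 1 before the assertion is made stricter.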
@@ -401,9 +401,7 @@ static int head_onwire_len(int ctrl_len,
head_len += padded_len(rem_len) + CEPH_GCM_TAG_LEN;
}
} else {
- head_len = CEPH_PREAMBLE_PLAIN_LEN;
- if (ctrl_len)
- head_len += ctrl_len + CEPH_CRC_LEN;
+ head_len = CEPH_PREAMBLE_PLAIN_LEN + ctrl_len + CEPH_CRC_LEN;
}
return head_len;
}
@@ -528,11 +526,16 @@ static int decode_preamble(void *p, stru
desc->fd_aligns[i] = ceph_decode_16(&p);
}
- if (desc->fd_lens[0] < 0 ||
+ /*
+ * This would fire for FRAME_TAG_WAIT (it has one empty
+ * segment), but we should never get it as client.
+ */
+ if (desc->fd_lens[0] < 1 ||
desc->fd_lens[0] > CEPH_MSG_MAX_CONTROL_LEN) {
pr_err("bad control segment length %d\n", desc->fd_lens[0]);
return -EINVAL;
}
+
if (desc->fd_lens[1] < 0 ||
desc->fd_lens[1] > CEPH_MSG_MAX_FRONT_LEN) {
pr_err("bad front segment length %d\n", desc->fd_lens[1]);
@@ -549,10 +552,6 @@ static int decode_preamble(void *p, stru
return -EINVAL;
}
- /*
- * This would fire for FRAME_TAG_WAIT (it has one empty
- * segment), but we should never get it as client.
- */
if (!desc->fd_lens[desc->fd_seg_cnt - 1]) {
pr_err("last segment empty, segment count %d\n",
desc->fd_seg_cnt);
* [PATCH 6.19 207/378] libceph: prevent potential out-of-bounds reads in process_message_header()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 206/378] libceph: reject preamble if control segment is empty Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 208/378] libceph: Use u32 for non-negative values in ceph_monmap_decode() Greg Kroah-Hartman
` (177 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov,
Alex Markuze, Viacheslav Dubeyko
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit 69fb5d91bba44ecf7eb80530b85fa4fb028921d5 upstream.
If the message frame is (maliciously) corrupted in a way that the
length of the control segment ends up being less than the size of the
message header or a different frame is made to look like a message
frame, out-of-bounds reads may ensue in process_message_header().
Perform an explicit bounds check before decoding the message header.
Cc: stable@vger.kernel.org
Reported-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/messenger_v2.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -2832,12 +2832,15 @@ static int process_message_header(struct
void *p, void *end)
{
struct ceph_frame_desc *desc = &con->v2.in_desc;
- struct ceph_msg_header2 *hdr2 = p;
+ struct ceph_msg_header2 *hdr2;
struct ceph_msg_header hdr;
int skip;
int ret;
u64 seq;
+ ceph_decode_need(&p, end, sizeof(*hdr2), bad);
+ hdr2 = p;
+
/* verify seq# */
seq = le64_to_cpu(hdr2->seq);
if ((s64)seq - (s64)con->in_seq < 1) {
@@ -2868,6 +2871,10 @@ static int process_message_header(struct
WARN_ON(!con->in_msg);
WARN_ON(con->in_msg->con != con);
return 1;
+
+bad:
+ pr_err("failed to decode message header\n");
+ return -EINVAL;
}
static int process_message(struct ceph_connection *con)
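Review bot: the new "bad:" label logs through pr_err() and returns -EINVAL but leaves con->error_msg unset, whereas the CEPH_CON_S_OPEN check added to __handle_control() in this series sets con->error_msg before returning the same error. Unless the caller already fills it in, setting it here as well would keep fault reporting consistent between the two rejection paths.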
* [PATCH 6.19 208/378] libceph: Use u32 for non-negative values in ceph_monmap_decode()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 207/378] libceph: prevent potential out-of-bounds reads in process_message_header() Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 209/378] libceph: admit message frames only in CEPH_CON_S_OPEN state Greg Kroah-Hartman
` (176 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Viacheslav Dubeyko,
Ilya Dryomov
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit 770444611f047dbfd4517ec0bc1b179d40c2f346 upstream.
This patch fixes unnecessary implicit conversions that change signedness
of blob_len and num_mon in ceph_monmap_decode().
Currently blob_len and num_mon are (signed) int variables. They are used
to hold values that are always non-negative and get assigned in
ceph_decode_32_safe(), which is meant to assign u32 values. Both
variables are subsequently used as unsigned values, and the value of
num_mon is further assigned to monmap->num_mon, which is of type u32.
Therefore, both variables should be of type u32. This is especially
relevant for num_mon. If the value read from the incoming message is
very large, it is interpreted as a negative value, and the check for
num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to
allocate a very large chunk of memory for monmap, which will most likely
fail. In this case, an unnecessary attempt to allocate memory is
performed, and -ENOMEM is returned instead of -EINVAL.
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/mon_client.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -72,8 +72,8 @@ static struct ceph_monmap *ceph_monmap_d
struct ceph_monmap *monmap = NULL;
struct ceph_fsid fsid;
u32 struct_len;
- int blob_len;
- int num_mon;
+ u32 blob_len;
+ u32 num_mon;
u8 struct_v;
u32 epoch;
int ret;
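Review bot: blob_len changes signedness here along with num_mon, but no use of blob_len appears in the visible hunks. Any comparison or format string involving blob_len further down in ceph_monmap_decode() should get the same check that num_mon gets in the next hunk, where %d becomes %u.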
@@ -112,7 +112,7 @@ static struct ceph_monmap *ceph_monmap_d
}
ceph_decode_32_safe(p, end, num_mon, e_inval);
- dout("%s fsid %pU epoch %u num_mon %d\n", __func__, &fsid, epoch,
+ dout("%s fsid %pU epoch %u num_mon %u\n", __func__, &fsid, epoch,
num_mon);
if (num_mon > CEPH_MAX_MON)
goto e_inval;
* [PATCH 6.19 209/378] libceph: admit message frames only in CEPH_CON_S_OPEN state
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 208/378] libceph: Use u32 for non-negative values in ceph_monmap_decode() Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 210/378] Revert "tcpm: allow looking for role_sw device in the main node" Greg Kroah-Hartman
` (175 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilya Dryomov, Alex Markuze,
Viacheslav Dubeyko
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit a5a373705081d7cc6363e16990e2361b0b362314 upstream.
Similar checks are performed for all control frames, but an early check
for message frames was missing. process_message() is already set up to
terminate the loop in case the state changes while con->ops->dispatch()
handler is being executed.
Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/messenger_v2.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -2904,6 +2904,11 @@ static int __handle_control(struct ceph_
if (con->v2.in_desc.fd_tag != FRAME_TAG_MESSAGE)
return process_control(con, p, end);
+ if (con->state != CEPH_CON_S_OPEN) {
+ con->error_msg = "protocol error, unexpected message";
+ return -EINVAL;
+ }
+
ret = process_message_header(con, p, end);
if (ret < 0)
return ret;
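Review bot: the rejection path records only the fixed string "protocol error, unexpected message", so the state the connection was actually in is lost. Logging con->state next to the error_msg assignment would let someone reading the logs tell which state the message frame arrived in.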
* [PATCH 6.19 210/378] Revert "tcpm: allow looking for role_sw device in the main node"
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 209/378] libceph: admit message frames only in CEPH_CON_S_OPEN state Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 211/378] Revert "ptdesc: remove references to folios from __pagetable_ctor() and pagetable_dtor()" Greg Kroah-Hartman
` (174 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Xu Yang, Arnaud Ferraris,
Heikki Krogerus
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 6b275bfaa16be3fb1689fa6794e445ecd127a1b4 upstream.
This reverts commit 1366cd228b0c67b60a2c0c26ef37fe9f7cfedb7f.
The fwnode_usb_role_switch_get() returns NULL only if no connection is
found, returns ERR_PTR(-EPROBE_DEFER) if connection is found but deferred
probe is needed, or a valid pointer of usb_role_switch.
When switching from a NULL check to IS_ERR_OR_NULL(), usb_role_switch_get()
returns NULL and overwrites the ERR_PTR(-EPROBE_DEFER) returned by
fwnode_usb_role_switch_get(). This causes the deferred probe indication to
be lost, preventing the USB role switch from ever being retrieved.
Fixes: 1366cd228b0c ("tcpm: allow looking for role_sw device in the main node")
Cc: stable <stable@kernel.org>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Tested-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260309074313.2809867-2-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -7890,7 +7890,7 @@ struct tcpm_port *tcpm_register_port(str
port->partner_desc.identity = &port->partner_ident;
port->role_sw = fwnode_usb_role_switch_get(tcpc->fwnode);
- if (IS_ERR_OR_NULL(port->role_sw))
+ if (!port->role_sw)
port->role_sw = usb_role_switch_get(port->dev);
if (IS_ERR(port->role_sw)) {
err = PTR_ERR(port->role_sw);
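Review bot: the restored "if (!port->role_sw)" test in tcpm_register_port() depends on fwnode_usb_role_switch_get() returning NULL only when no connection exists, and nothing at the call site says so. A short comment stating that an ERR_PTR, notably -EPROBE_DEFER, must reach the IS_ERR() check below untouched would make it harder for the IS_ERR_OR_NULL() form to be reintroduced.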
* [PATCH 6.19 211/378] Revert "ptdesc: remove references to folios from __pagetable_ctor() and pagetable_dtor()"
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 210/378] Revert "tcpm: allow looking for role_sw device in the main node" Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 212/378] mm: Fix a hmm_range_fault() livelock / starvation problem Greg Kroah-Hartman
` (173 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Axel Rasmussen, Shakeel Butt,
Johannes Weiner, Vishal Moola (Oracle), David Hildenbrand,
Liam Howlett, Lorenzo Stoakes, Matthew Wilcox (Oracle),
Michal Hocko, Mike Rapoport, Suren Baghdasaryan, Vlastimil Babka,
Roman Gushchin, Muchun Song, Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Axel Rasmussen <axelrasmussen@google.com>
commit 2d28ed588f8d7d0d41b0a4fad7f0d05e4bbf1797 upstream.
This change swapped out mod_node_page_state for lruvec_stat_add_folio.
But, these two APIs are not interchangeable: the lruvec version also
increments memcg stats, in addition to "global" pgdat stats.
So after this change, the "pagetables" memcg stat in memory.stat always
yields "0", which is a userspace visible regression.
I tried to look for a refactor where we add a variant of
lruvec_stat_mod_folio which takes a pgdat and a memcg instead of a folio,
to try to adhere to the spirit of the original patch. But at the end of
the day this just means we have to call folio_memcg(ptdesc_folio(ptdesc))
anyway, which doesn't really accomplish much.
This regression is visible in master as well as 6.18 stable, so CC stable
too.
Link: https://lkml.kernel.org/r/20260225002434.2953895-1-axelrasmussen@google.com
Fixes: f0c92726e89f ("ptdesc: remove references to folios from __pagetable_ctor() and pagetable_dtor()")
Signed-off-by: Axel Rasmussen <axelrasmussen@google.com>
Acked-by: Shakeel Butt <shakeel.butt@linux.dev>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Reviewed-by: Vishal Moola (Oracle) <vishal.moola@gmail.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mm.h | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3304,26 +3304,21 @@ static inline bool ptlock_init(struct pt
static inline void ptlock_free(struct ptdesc *ptdesc) {}
#endif /* defined(CONFIG_SPLIT_PTE_PTLOCKS) */
-static inline unsigned long ptdesc_nr_pages(const struct ptdesc *ptdesc)
-{
- return compound_nr(ptdesc_page(ptdesc));
-}
-
static inline void __pagetable_ctor(struct ptdesc *ptdesc)
{
- pg_data_t *pgdat = NODE_DATA(memdesc_nid(ptdesc->pt_flags));
+ struct folio *folio = ptdesc_folio(ptdesc);
- __SetPageTable(ptdesc_page(ptdesc));
- mod_node_page_state(pgdat, NR_PAGETABLE, ptdesc_nr_pages(ptdesc));
+ __folio_set_pgtable(folio);
+ lruvec_stat_add_folio(folio, NR_PAGETABLE);
}
static inline void pagetable_dtor(struct ptdesc *ptdesc)
{
- pg_data_t *pgdat = NODE_DATA(memdesc_nid(ptdesc->pt_flags));
+ struct folio *folio = ptdesc_folio(ptdesc);
ptlock_free(ptdesc);
- __ClearPageTable(ptdesc_page(ptdesc));
- mod_node_page_state(pgdat, NR_PAGETABLE, -ptdesc_nr_pages(ptdesc));
+ __folio_clear_pgtable(folio);
+ lruvec_stat_sub_folio(folio, NR_PAGETABLE);
}
static inline void pagetable_dtor_free(struct ptdesc *ptdesc)
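Review bot: __pagetable_ctor() and pagetable_dtor() return to lruvec_stat_add_folio() and lruvec_stat_sub_folio() with no comment explaining why the folio-based helpers are required. Since the reverted change treated mod_node_page_state() as a drop-in replacement, a comment noting that the lruvec variants also update the memcg "pagetables" counter reported in memory.stat would guard against the same regression in a later ptdesc cleanup.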
* [PATCH 6.19 212/378] mm: Fix a hmm_range_fault() livelock / starvation problem
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 211/378] Revert "ptdesc: remove references to folios from __pagetable_ctor() and pagetable_dtor()" Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 213/378] nsfs: tighten permission checks for ns iteration ioctls Greg Kroah-Hartman
` (172 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alistair Popple, Ralph Campbell,
Christoph Hellwig, Jason Gunthorpe, Jason Gunthorpe,
Leon Romanovsky, Andrew Morton, Matthew Brost, John Hubbard,
linux-mm, dri-devel, Thomas Hellström, Rodrigo Vivi
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Hellström <thomas.hellstrom@linux.intel.com>
commit b570f37a2ce480be26c665345c5514686a8a0274 upstream.
If hmm_range_fault() fails a folio_trylock() in do_swap_page,
trying to acquire the lock of a device-private folio for migration,
to ram, the function will spin until it succeeds grabbing the lock.
However, if the process holding the lock is depending on a work
item to be completed, which is scheduled on the same CPU as the
spinning hmm_range_fault(), that work item might be starved and
we end up in a livelock / starvation situation which is never
resolved.
This can happen, for example if the process holding the
device-private folio lock is stuck in
migrate_device_unmap()->lru_add_drain_all()
since lru_add_drain_all() requires a short work-item
to be run on all online cpus to complete.
A prerequisite for this to happen is:
a) Both zone device and system memory folios are considered in
migrate_device_unmap(), so that there is a reason to call
lru_add_drain_all() for a system memory folio while a
folio lock is held on a zone device folio.
b) The zone device folio has an initial mapcount > 1 which causes
at least one migration PTE entry insertion to be deferred to
try_to_migrate(), which can happen after the call to
lru_add_drain_all().
c) No or voluntary only preemption.
This all seems pretty unlikely to happen, but indeed is hit by
the "xe_exec_system_allocator" igt test.
Resolve this by waiting for the folio to be unlocked if the
folio_trylock() fails in do_swap_page().
Rename migration_entry_wait_on_locked() to
softleaf_entry_wait_unlock() and update its documentation to
indicate the new use-case.
Future code improvements might consider moving
the lru_add_drain_all() call in migrate_device_unmap() to be
called *after* all pages have migration entries inserted.
That would eliminate also b) above.
v2:
- Instead of a cond_resched() in hmm_range_fault(),
eliminate the problem by waiting for the folio to be unlocked
in do_swap_page() (Alistair Popple, Andrew Morton)
v3:
- Add a stub migration_entry_wait_on_locked() for the
!CONFIG_MIGRATION case. (Kernel Test Robot)
v4:
- Rename migrate_entry_wait_on_locked() to
softleaf_entry_wait_on_locked() and update docs (Alistair Popple)
v5:
- Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION
version of softleaf_entry_wait_on_locked().
- Modify wording around function names in the commit message
(Andrew Morton)
Suggested-by: Alistair Popple <apopple@nvidia.com>
Fixes: 1afaeb8293c9 ("mm/migrate: Trylock device page in do_swap_page")
Cc: Ralph Campbell <rcampbell@nvidia.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Jason Gunthorpe <jgg@mellanox.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: linux-mm@kvack.org
Cc: <dri-devel@lists.freedesktop.org>
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: <stable@vger.kernel.org> # v6.15+
Reviewed-by: John Hubbard <jhubbard@nvidia.com> #v3
Reviewed-by: Alistair Popple <apopple@nvidia.com>
Link: https://patch.msgid.link/20260210115653.92413-1-thomas.hellstrom@linux.intel.com
(cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/migrate.h | 10 +++++++++-
mm/filemap.c | 15 ++++++++++-----
mm/memory.c | 3 ++-
mm/migrate.c | 8 ++++----
mm/migrate_device.c | 2 +-
5 files changed, 26 insertions(+), 12 deletions(-)
--- a/include/linux/migrate.h
+++ b/include/linux/migrate.h
@@ -65,7 +65,7 @@ bool isolate_folio_to_list(struct folio
int migrate_huge_page_move_mapping(struct address_space *mapping,
struct folio *dst, struct folio *src);
-void migration_entry_wait_on_locked(softleaf_t entry, spinlock_t *ptl)
+void softleaf_entry_wait_on_locked(softleaf_t entry, spinlock_t *ptl)
__releases(ptl);
void folio_migrate_flags(struct folio *newfolio, struct folio *folio);
int folio_migrate_mapping(struct address_space *mapping,
@@ -97,6 +97,14 @@ static inline int set_movable_ops(const
return -ENOSYS;
}
+static inline void softleaf_entry_wait_on_locked(softleaf_t entry, spinlock_t *ptl)
+ __releases(ptl)
+{
+ WARN_ON_ONCE(1);
+
+ spin_unlock(ptl);
+}
+
#endif /* CONFIG_MIGRATION */
#ifdef CONFIG_NUMA_BALANCING
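Review bot: the !CONFIG_MIGRATION stub of softleaf_entry_wait_on_locked() fires WARN_ON_ONCE(1) without saying why reaching it is unexpected. A one-line comment naming the condition under which a caller could get here, and why that is a bug, would explain the warning; the spin_unlock(ptl) that follows does honour the __releases(ptl) annotation.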
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -1379,14 +1379,16 @@ repeat:
#ifdef CONFIG_MIGRATION
/**
- * migration_entry_wait_on_locked - Wait for a migration entry to be removed
- * @entry: migration swap entry.
+ * softleaf_entry_wait_on_locked - Wait for a migration entry or
+ * device_private entry to be removed.
+ * @entry: migration or device_private swap entry.
* @ptl: already locked ptl. This function will drop the lock.
*
- * Wait for a migration entry referencing the given page to be removed. This is
+ * Wait for a migration entry referencing the given page, or device_private
+ * entry referencing a dvice_private page to be unlocked. This is
* equivalent to folio_put_wait_locked(folio, TASK_UNINTERRUPTIBLE) except
* this can be called without taking a reference on the page. Instead this
- * should be called while holding the ptl for the migration entry referencing
+ * should be called while holding the ptl for @entry referencing
* the page.
*
* Returns after unlocking the ptl.
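Review bot: the updated kernel-doc for softleaf_entry_wait_on_locked() has a typo, "dvice_private", in the added line "entry referencing a dvice_private page to be unlocked". The summary line also says the entry is waited on "to be removed" while the body now says "to be unlocked"; pick one wording. The spelling "device_private" here differs from "device-private" used in the comment added further down in the same file.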
@@ -1394,7 +1396,7 @@ repeat:
* This follows the same logic as folio_wait_bit_common() so see the comments
* there.
*/
-void migration_entry_wait_on_locked(softleaf_t entry, spinlock_t *ptl)
+void softleaf_entry_wait_on_locked(softleaf_t entry, spinlock_t *ptl)
__releases(ptl)
{
struct wait_page_queue wait_page;
@@ -1428,6 +1430,9 @@ void migration_entry_wait_on_locked(soft
* If a migration entry exists for the page the migration path must hold
* a valid reference to the page, and it must take the ptl to remove the
* migration entry. So the page is valid until the ptl is dropped.
+ * Similarly any path attempting to drop the last reference to a
+ * device-private page needs to grab the ptl to remove the device-private
+ * entry.
*/
spin_unlock(ptl);
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -4684,7 +4684,8 @@ vm_fault_t do_swap_page(struct vm_fault
unlock_page(vmf->page);
put_page(vmf->page);
} else {
- pte_unmap_unlock(vmf->pte, vmf->ptl);
+ pte_unmap(vmf->pte);
+ softleaf_entry_wait_on_locked(entry, vmf->ptl);
}
} else if (softleaf_is_hwpoison(entry)) {
ret = VM_FAULT_HWPOISON;
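Review bot: in the else branch of do_swap_page(), pte_unmap(vmf->pte) is now followed by a helper call rather than a visible unlock, so a reader has to know that softleaf_entry_wait_on_locked() releases vmf->ptl. A brief comment saying that the helper drops the ptl and sleeps until the device-private folio is unlocked would make the locking readable at this call site.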
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -499,7 +499,7 @@ void migration_entry_wait(struct mm_stru
if (!softleaf_is_migration(entry))
goto out;
- migration_entry_wait_on_locked(entry, ptl);
+ softleaf_entry_wait_on_locked(entry, ptl);
return;
out:
spin_unlock(ptl);
@@ -531,10 +531,10 @@ void migration_entry_wait_huge(struct vm
* If migration entry existed, safe to release vma lock
* here because the pgtable page won't be freed without the
* pgtable lock released. See comment right above pgtable
- * lock release in migration_entry_wait_on_locked().
+ * lock release in softleaf_entry_wait_on_locked().
*/
hugetlb_vma_unlock_read(vma);
- migration_entry_wait_on_locked(entry, ptl);
+ softleaf_entry_wait_on_locked(entry, ptl);
return;
}
@@ -552,7 +552,7 @@ void pmd_migration_entry_wait(struct mm_
ptl = pmd_lock(mm, pmd);
if (!pmd_is_migration_entry(*pmd))
goto unlock;
- migration_entry_wait_on_locked(softleaf_from_pmd(*pmd), ptl);
+ softleaf_entry_wait_on_locked(softleaf_from_pmd(*pmd), ptl);
return;
unlock:
spin_unlock(ptl);
--- a/mm/migrate_device.c
+++ b/mm/migrate_device.c
@@ -176,7 +176,7 @@ static int migrate_vma_collect_huge_pmd(
}
if (softleaf_is_migration(entry)) {
- migration_entry_wait_on_locked(entry, ptl);
+ softleaf_entry_wait_on_locked(entry, ptl);
spin_unlock(ptl);
return -EAGAIN;
}
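Review bot: in migrate_vma_collect_huge_pmd() the renamed call is still followed by the context line "spin_unlock(ptl);", although softleaf_entry_wait_on_locked() is annotated __releases(ptl) and its kernel-doc in this same patch says the function will drop the lock. Unless ptl is retaken somewhere not shown in this hunk, that is a second unlock of the same lock; the callers in mm/migrate.c simply return after the call. Please check this context line and drop the spin_unlock() if it is redundant.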
* [PATCH 6.19 213/378] nsfs: tighten permission checks for ns iteration ioctls
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 212/378] mm: Fix a hmm_range_fault() livelock / starvation problem Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 214/378] liveupdate: luo_file: remember retrieve() status Greg Kroah-Hartman
` (171 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Christian Brauner,
stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
commit e6b899f08066e744f89df16ceb782e06868bd148 upstream.
Even privileged services should not necessarily be able to see other
privileged services' namespaces so they can't leak information to each
other. Use may_see_all_namespaces() helper that centralizes this policy
until the nstree adapts.
Link: https://patch.msgid.link/20260226-work-visibility-fixes-v1-1-d2c2853313bd@kernel.org
Fixes: a1d220d9dafa ("nsfs: iterate through mount namespaces")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@kernel.org # v6.12+
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nsfs.c | 13 +++++++++++++
include/linux/ns_common.h | 2 ++
kernel/nscommon.c | 6 ++++++
3 files changed, 21 insertions(+)
--- a/fs/nsfs.c
+++ b/fs/nsfs.c
@@ -186,6 +186,17 @@ static bool nsfs_ioctl_valid(unsigned in
return false;
}
+static bool may_use_nsfs_ioctl(unsigned int cmd)
+{
+ switch (_IOC_NR(cmd)) {
+ case _IOC_NR(NS_MNT_GET_NEXT):
+ fallthrough;
+ case _IOC_NR(NS_MNT_GET_PREV):
+ return may_see_all_namespaces();
+ }
+ return true;
+}
+
static long ns_ioctl(struct file *filp, unsigned int ioctl,
unsigned long arg)
{
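Review bot: in may_use_nsfs_ioctl() the "fallthrough;" between "case _IOC_NR(NS_MNT_GET_NEXT):" and "case _IOC_NR(NS_MNT_GET_PREV):" is unnecessary, since adjacent case labels with no statements between them need no annotation. The function also ends in "return true", so any iteration ioctl added later is permitted by default unless it is listed in this switch; a comment above the switch saying so would help the next person who adds one.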
@@ -201,6 +212,8 @@ static long ns_ioctl(struct file *filp,
if (!nsfs_ioctl_valid(ioctl))
return -ENOIOCTLCMD;
+ if (!may_use_nsfs_ioctl(ioctl))
+ return -EPERM;
ns = get_proc_ns(file_inode(filp));
switch (ioctl) {
--- a/include/linux/ns_common.h
+++ b/include/linux/ns_common.h
@@ -55,6 +55,8 @@ static __always_inline bool is_ns_init_i
#define ns_common_free(__ns) __ns_common_free(to_ns_common((__ns)))
+bool may_see_all_namespaces(void);
+
static __always_inline __must_check int __ns_ref_active_read(const struct ns_common *ns)
{
return atomic_read(&ns->__ns_ref_active);
--- a/kernel/nscommon.c
+++ b/kernel/nscommon.c
@@ -309,3 +309,9 @@ void __ns_ref_active_get(struct ns_commo
return;
}
}
+
+bool may_see_all_namespaces(void)
+{
+ return (task_active_pid_ns(current) == &init_pid_ns) &&
+ ns_capable_noaudit(init_pid_ns.user_ns, CAP_SYS_ADMIN);
+}
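Review bot: may_see_all_namespaces() is a new helper shared across files but has no comment describing the policy it encodes. A kernel-doc block stating that the caller must be in the initial pid namespace and hold CAP_SYS_ADMIN in init_pid_ns.user_ns, and why the ns_capable_noaudit() variant is used, would document what the commit message calls the centralized policy.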
* [PATCH 6.19 214/378] liveupdate: luo_file: remember retrieve() status
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 213/378] nsfs: tighten permission checks for ns iteration ioctls Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 215/378] kthread: consolidate kthread exit paths to prevent use-after-free Greg Kroah-Hartman
` (170 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pratyush Yadav (Google),
Mike Rapoport (Microsoft), Pasha Tatashin, Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pratyush Yadav (Google) <pratyush@kernel.org>
commit f85b1c6af5bc3872f994df0a5688c1162de07a62 upstream.
LUO keeps track of successful retrieve attempts on a LUO file. It does so
to avoid multiple retrievals of the same file. Multiple retrievals cause
problems because once the file is retrieved, the serialized data
structures are likely freed and the file is likely in a very different
state from what the code expects.
The retrieve boolean in struct luo_file keeps track of this, and is passed
to the finish callback so it knows what work was already done and what it
has left to do.
All this works well when retrieve succeeds. When it fails,
luo_retrieve_file() returns the error immediately, without ever storing
anywhere that a retrieve was attempted or what its error code was. This
results in an errored LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to userspace,
but nothing prevents it from trying this again.
The retry is problematic for much the same reasons listed above. The
file is likely in a very different state than what the retrieve logic
normally expects, and it might even have freed some serialization data
structures. Attempting to access them or free them again is going to
break things.
For example, if memfd managed to restore 8 of its 10 folios, but fails on
the 9th, a subsequent retrieve attempt will try to call
kho_restore_folio() on the first folio again, and that will fail with a
warning since it is an invalid operation.
Apart from the retry, finish() also breaks. Since on failure the
retrieved bool in luo_file is never touched, the finish() call on session
close will tell the file handler that retrieve was never attempted, and it
will try to access or free the data structures that might not exist, much
in the same way as the retry attempt.
There is no sane way of attempting the retrieve again. Remember the error
retrieve returned and directly return it on a retry. Also pass this
status code to finish() so it can make the right decision on the work it
needs to do.
This is done by changing the bool to an integer. A value of 0 means
retrieve was never attempted, a positive value means it succeeded, and a
negative value means it failed and the error code is the value.
Link: https://lkml.kernel.org/r/20260216132221.987987-1-pratyush@kernel.org
Fixes: 7c722a7f44e0 ("liveupdate: luo_file: implement file systems callbacks")
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/liveupdate.h | 9 ++++++---
kernel/liveupdate/luo_file.c | 41 +++++++++++++++++++++++++----------------
mm/memfd_luo.c | 7 ++++++-
3 files changed, 37 insertions(+), 20 deletions(-)
--- a/include/linux/liveupdate.h
+++ b/include/linux/liveupdate.h
@@ -20,8 +20,11 @@ struct file;
/**
* struct liveupdate_file_op_args - Arguments for file operation callbacks.
* @handler: The file handler being called.
- * @retrieved: The retrieve status for the 'can_finish / finish'
- * operation.
+ * @retrieve_status: The retrieve status for the 'can_finish / finish'
+ * operation. A value of 0 means the retrieve has not been
+ * attempted, a positive value means the retrieve was
+ * successful, and a negative value means the retrieve failed,
+ * and the value is the error code of the call.
* @file: The file object. For retrieve: [OUT] The callback sets
* this to the new file. For other ops: [IN] The caller sets
* this to the file being operated on.
@@ -37,7 +40,7 @@ struct file;
*/
struct liveupdate_file_op_args {
struct liveupdate_file_handler *handler;
- bool retrieved;
+ int retrieve_status;
struct file *file;
u64 serialized_data;
void *private_data;
--- a/kernel/liveupdate/luo_file.c
+++ b/kernel/liveupdate/luo_file.c
@@ -133,9 +133,12 @@ static LIST_HEAD(luo_file_handler_list);
* state that is not preserved. Set by the handler's .preserve()
* callback, and must be freed in the handler's .unpreserve()
* callback.
- * @retrieved: A flag indicating whether a user/kernel in the new kernel has
+ * @retrieve_status: Status code indicating whether a user/kernel in the new kernel has
* successfully called retrieve() on this file. This prevents
- * multiple retrieval attempts.
+ * multiple retrieval attempts. A value of 0 means a retrieve()
+ * has not been attempted, a positive value means the retrieve()
+ * was successful, and a negative value means the retrieve()
+ * failed, and the value is the error code of the call.
* @mutex: A mutex that protects the fields of this specific instance
* (e.g., @retrieved, @file), ensuring that operations like
* retrieving or finishing a file are atomic.
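Review bot: the @mutex description in the struct luo_file kernel-doc still refers to "@retrieved" in the context line "(e.g., @retrieved, @file)", but the field is renamed to retrieve_status by this hunk. Update that reference to @retrieve_status so the documentation does not point at a member that no longer exists.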
@@ -160,7 +163,7 @@ struct luo_file {
struct file *file;
u64 serialized_data;
void *private_data;
- bool retrieved;
+ int retrieve_status;
struct mutex mutex;
struct list_head list;
u64 token;
@@ -293,7 +296,6 @@ int luo_preserve_file(struct luo_file_se
luo_file->file = file;
luo_file->fh = fh;
luo_file->token = token;
- luo_file->retrieved = false;
mutex_init(&luo_file->mutex);
args.handler = fh;
@@ -569,7 +571,12 @@ int luo_retrieve_file(struct luo_file_se
return -ENOENT;
guard(mutex)(&luo_file->mutex);
- if (luo_file->retrieved) {
+ if (luo_file->retrieve_status < 0) {
+ /* Retrieve was attempted and it failed. Return the error code. */
+ return luo_file->retrieve_status;
+ }
+
+ if (luo_file->retrieve_status > 0) {
/*
* Someone is asking for this file again, so get a reference
* for them.
@@ -582,16 +589,19 @@ int luo_retrieve_file(struct luo_file_se
args.handler = luo_file->fh;
args.serialized_data = luo_file->serialized_data;
err = luo_file->fh->ops->retrieve(&args);
- if (!err) {
- luo_file->file = args.file;
-
- /* Get reference so we can keep this file in LUO until finish */
- get_file(luo_file->file);
- *filep = luo_file->file;
- luo_file->retrieved = true;
+ if (err) {
+ /* Keep the error code for later use. */
+ luo_file->retrieve_status = err;
+ return err;
}
- return err;
+ luo_file->file = args.file;
+ /* Get reference so we can keep this file in LUO until finish */
+ get_file(luo_file->file);
+ *filep = luo_file->file;
+ luo_file->retrieve_status = 1;
+
+ return 0;
}
static int luo_file_can_finish_one(struct luo_file_set *file_set,
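Review bot: in luo_retrieve_file() the failure branch is "if (err)" and err is stored in retrieve_status unchanged, so a handler that returned a positive value from ->retrieve() would be recorded as a positive status, which the documentation and the "retrieve_status > 0" test treat as success. Warning on a positive return and normalizing it to a negative errno before storing would keep the three-state encoding sound. The literal 1 assigned on success could also be a named constant.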
@@ -607,7 +617,7 @@ static int luo_file_can_finish_one(struc
args.handler = luo_file->fh;
args.file = luo_file->file;
args.serialized_data = luo_file->serialized_data;
- args.retrieved = luo_file->retrieved;
+ args.retrieve_status = luo_file->retrieve_status;
can_finish = luo_file->fh->ops->can_finish(&args);
}
@@ -624,7 +634,7 @@ static void luo_file_finish_one(struct l
args.handler = luo_file->fh;
args.file = luo_file->file;
args.serialized_data = luo_file->serialized_data;
- args.retrieved = luo_file->retrieved;
+ args.retrieve_status = luo_file->retrieve_status;
luo_file->fh->ops->finish(&args);
}
@@ -779,7 +789,6 @@ int luo_file_deserialize(struct luo_file
luo_file->file = NULL;
luo_file->serialized_data = file_ser[i].data;
luo_file->token = file_ser[i].token;
- luo_file->retrieved = false;
mutex_init(&luo_file->mutex);
list_add_tail(&luo_file->list, &file_set->files_list);
}
--- a/mm/memfd_luo.c
+++ b/mm/memfd_luo.c
@@ -326,7 +326,12 @@ static void memfd_luo_finish(struct live
struct memfd_luo_folio_ser *folios_ser;
struct memfd_luo_ser *ser;
- if (args->retrieved)
+ /*
+ * If retrieve was successful, nothing to do. If it failed, retrieve()
+ * already cleaned up everything it could. So nothing to do there
+ * either. Only need to clean up when retrieve was not called.
+ */
+ if (args->retrieve_status)
return;
ser = phys_to_virt(args->serialized_data);
* [PATCH 6.19 215/378] kthread: consolidate kthread exit paths to prevent use-after-free
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2026-03-17 16:32 ` [PATCH 6.19 214/378] liveupdate: luo_file: remember retrieve() status Greg Kroah-Hartman
@ 2026-03-17 16:32 ` Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 216/378] cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request() Greg Kroah-Hartman
` (169 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Tucker, Mark Brown,
David Gow, Linus Torvalds, Christian Brauner
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
commit 28aaa9c39945b7925a1cc1d513c8f21ed38f5e4f upstream.
Guillaume reported crashes via corrupted RCU callback function pointers
during KUnit testing. The crash was traced back to the pidfs rhashtable
conversion which replaced the 24-byte rb_node with an 8-byte rhash_head
in struct pid, shrinking it from 160 to 144 bytes.
struct kthread (without CONFIG_BLK_CGROUP) is also 144 bytes. With
CONFIG_SLAB_MERGE_DEFAULT and SLAB_HWCACHE_ALIGN both round up to
192 bytes and share the same slab cache. struct pid.rcu.func and
struct kthread.affinity_node both sit at offset 0x78.
When a kthread exits via make_task_dead() it bypasses kthread_exit() and
misses the affinity_node cleanup. free_kthread_struct() frees the memory
while the node is still linked into the global kthread_affinity_list. A
subsequent list_del() by another kthread writes through dangling list
pointers into the freed and reused memory, corrupting the pid's
rcu.func pointer.
Instead of patching free_kthread_struct() to handle the missed cleanup,
consolidate all kthread exit paths. Turn kthread_exit() into a macro
that calls do_exit() and add kthread_do_exit() which is called from
do_exit() for any task with PF_KTHREAD set. This guarantees that
kthread-specific cleanup always happens regardless of the exit path -
make_task_dead(), direct do_exit(), or kthread_exit().
Replace __to_kthread() with a new tsk_is_kthread() accessor in the
public header. Export do_exit() since module code using the
kthread_exit() macro now needs it directly.
Reported-by: Guillaume Tucker <gtucker@gtucker.io>
Tested-by: Guillaume Tucker <gtucker@gtucker.io>
Tested-by: Mark Brown <broonie@kernel.org>
Tested-by: David Gow <davidgow@google.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/all/20260224-mittlerweile-besessen-2738831ae7f6@brauner
Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
Fixes: 4d13f4304fa4 ("kthread: Implement preferred affinity")
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/kthread.h | 21 ++++++++++++++++++++-
kernel/exit.c | 6 ++++++
kernel/kthread.c | 41 +++++------------------------------------
3 files changed, 31 insertions(+), 37 deletions(-)
--- a/include/linux/kthread.h
+++ b/include/linux/kthread.h
@@ -7,6 +7,24 @@
struct mm_struct;
+/* opaque kthread data */
+struct kthread;
+
+/*
+ * When "(p->flags & PF_KTHREAD)" is set the task is a kthread and will
+ * always remain a kthread. For kthreads p->worker_private always
+ * points to a struct kthread. For tasks that are not kthreads
+ * p->worker_private is used to point to other things.
+ *
+ * Return NULL for any task that is not a kthread.
+ */
+static inline struct kthread *tsk_is_kthread(struct task_struct *p)
+{
+ if (p->flags & PF_KTHREAD)
+ return p->worker_private;
+ return NULL;
+}
+
__printf(4, 5)
struct task_struct *kthread_create_on_node(int (*threadfn)(void *data),
void *data,
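Review bot: tsk_is_kthread() reads like a boolean predicate but returns a struct kthread pointer, which is easy to misread at call sites such as "kthread = tsk_is_kthread(tsk);". Either pick a name that signals a pointer return or add a summary line to the comment above it; the old summary sentence ("Variant of to_kthread() that doesn't assume @p is a kthread.") is dropped by this patch and nothing replaces it.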
@@ -98,8 +116,9 @@ void *kthread_probe_data(struct task_str
int kthread_park(struct task_struct *k);
void kthread_unpark(struct task_struct *k);
void kthread_parkme(void);
-void kthread_exit(long result) __noreturn;
+#define kthread_exit(result) do_exit(result)
void kthread_complete_and_exit(struct completion *, long) __noreturn;
+void kthread_do_exit(struct kthread *, long);
int kthreadd(void *unused);
extern struct task_struct *kthreadd_task;
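Review bot: "#define kthread_exit(result) do_exit(result)" replaces a documented function with an undocumented macro, and kthread_do_exit() is declared without parameter names or any note that it is meant to be called only from do_exit(). The kernel-doc removed from kernel/kthread.c could move here in shortened form, with a sentence on kthread_do_exit() saying who is allowed to call it.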
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -896,11 +896,16 @@ static void synchronize_group_exit(struc
void __noreturn do_exit(long code)
{
struct task_struct *tsk = current;
+ struct kthread *kthread;
int group_dead;
WARN_ON(irqs_disabled());
WARN_ON(tsk->plug);
+ kthread = tsk_is_kthread(tsk);
+ if (unlikely(kthread))
+ kthread_do_exit(kthread, code);
+
kcov_task_exit(tsk);
kmsan_task_exit(tsk);
@@ -1013,6 +1018,7 @@ void __noreturn do_exit(long code)
lockdep_free_task(tsk);
do_task_dead();
}
+EXPORT_SYMBOL(do_exit);
void __noreturn make_task_dead(int signr)
{
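Review bot: EXPORT_SYMBOL(do_exit) makes the generic task exit path available to every module, where previously only kthread_exit() was exported. If the kthread_exit() macro is the only intended module user, a comment next to the export saying so would discourage direct do_exit() calls from module code.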
--- a/kernel/kthread.c
+++ b/kernel/kthread.c
@@ -85,24 +85,6 @@ static inline struct kthread *to_kthread
return k->worker_private;
}
-/*
- * Variant of to_kthread() that doesn't assume @p is a kthread.
- *
- * When "(p->flags & PF_KTHREAD)" is set the task is a kthread and will
- * always remain a kthread. For kthreads p->worker_private always
- * points to a struct kthread. For tasks that are not kthreads
- * p->worker_private is used to point to other things.
- *
- * Return NULL for any task that is not a kthread.
- */
-static inline struct kthread *__to_kthread(struct task_struct *p)
-{
- void *kthread = p->worker_private;
- if (kthread && !(p->flags & PF_KTHREAD))
- kthread = NULL;
- return kthread;
-}
-
void get_kthread_comm(char *buf, size_t buf_size, struct task_struct *tsk)
{
struct kthread *kthread = to_kthread(tsk);
@@ -193,7 +175,7 @@ EXPORT_SYMBOL_GPL(kthread_should_park);
bool kthread_should_stop_or_park(void)
{
- struct kthread *kthread = __to_kthread(current);
+ struct kthread *kthread = tsk_is_kthread(current);
if (!kthread)
return false;
@@ -234,7 +216,7 @@ EXPORT_SYMBOL_GPL(kthread_freezable_shou
*/
void *kthread_func(struct task_struct *task)
{
- struct kthread *kthread = __to_kthread(task);
+ struct kthread *kthread = tsk_is_kthread(task);
if (kthread)
return kthread->threadfn;
return NULL;
@@ -266,7 +248,7 @@ EXPORT_SYMBOL_GPL(kthread_data);
*/
void *kthread_probe_data(struct task_struct *task)
{
- struct kthread *kthread = __to_kthread(task);
+ struct kthread *kthread = tsk_is_kthread(task);
void *data = NULL;
if (kthread)
@@ -309,19 +291,8 @@ void kthread_parkme(void)
}
EXPORT_SYMBOL_GPL(kthread_parkme);
-/**
- * kthread_exit - Cause the current kthread return @result to kthread_stop().
- * @result: The integer value to return to kthread_stop().
- *
- * While kthread_exit can be called directly, it exists so that
- * functions which do some additional work in non-modular code such as
- * module_put_and_kthread_exit can be implemented.
- *
- * Does not return.
- */
-void __noreturn kthread_exit(long result)
+void kthread_do_exit(struct kthread *kthread, long result)
{
- struct kthread *kthread = to_kthread(current);
kthread->result = result;
if (!list_empty(&kthread->hotplug_node)) {
mutex_lock(&kthreads_hotplug_lock);
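Review bot: the kerneldoc block is deleted, but kthread_do_exit() is now a non-static function declared in the header and gets no replacement comment. It dereferences `kthread` unconditionally, so a line stating that it is only to be called from do_exit() with the non-NULL result of tsk_is_kthread() would document the contract.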
@@ -333,9 +304,7 @@ void __noreturn kthread_exit(long result
kthread->preferred_affinity = NULL;
}
}
- do_exit(0);
}
-EXPORT_SYMBOL(kthread_exit);
/**
* kthread_complete_and_exit - Exit the current kthread.
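Review bot: removing `do_exit(0);` changes the exit code a kthread leaves with. The old kthread_exit() stored the result in kthread->result and always called do_exit(0), while the new macro in the header expands to do_exit(result). If anything observes the task exit code of a kthread this is a behaviour change, and the changelog should say whether it is intended.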
@@ -680,7 +649,7 @@ void kthread_set_per_cpu(struct task_str
bool kthread_is_per_cpu(struct task_struct *p)
{
- struct kthread *kthread = __to_kthread(p);
+ struct kthread *kthread = tsk_is_kthread(p);
if (!kthread)
return false;
* [PATCH 6.19 216/378] cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request()
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jirka Hladky, David Arcari,
Rafael J. Wysocki
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Arcari <darcari@redhat.com>
commit ab39cc4cb8ceecdc2b61747433e7237f1ac2b789 upstream.
The update_cpu_qos_request() function attempts to initialize the 'freq'
variable by dereferencing 'cpudata' before verifying if the 'policy'
is valid.
This issue occurs on systems booted with the "nosmt" parameter, where
all_cpu_data[cpu] is NULL for the SMT sibling threads. As a result,
any call to update_qos_requests() will result in a NULL pointer
dereference as the code will attempt to access pstate.turbo_freq using
the NULL cpudata pointer.
Also, pstate.turbo_freq may be updated by intel_pstate_get_hwp_cap()
after initializing the 'freq' variable, so it is better to defer the
'freq' assignment until intel_pstate_get_hwp_cap() has been called.
Fix this by deferring the 'freq' assignment until after the policy and
driver_data have been validated.
Fixes: ae1bdd23b99f ("cpufreq: intel_pstate: Adjust frequency percentage computations")
Reported-by: Jirka Hladky <jhladky@redhat.com>
Closes: https://lore.kernel.org/all/CAE4VaGDfiPvz3AzrwrwM4kWB3SCkMci25nPO8W1JmTBd=xHzZg@mail.gmail.com/
Signed-off-by: David Arcari <darcari@redhat.com>
Cc: 6.18+ <stable@vger.kernel.org> # 6.18+
[ rjw: Added one paragraph to the changelog ]
Link: https://patch.msgid.link/20260224122106.228116-1-darcari@redhat.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/intel_pstate.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -1647,8 +1647,8 @@ static ssize_t store_no_turbo(struct kob
static void update_cpu_qos_request(int cpu, enum freq_qos_req_type type)
{
struct cpudata *cpudata = all_cpu_data[cpu];
- unsigned int freq = cpudata->pstate.turbo_freq;
struct freq_qos_request *req;
+ unsigned int freq;
struct cpufreq_policy *policy __free(put_cpufreq_policy) = cpufreq_cpu_get(cpu);
if (!policy)
@@ -1661,6 +1661,8 @@ static void update_cpu_qos_request(int c
if (hwp_active)
intel_pstate_get_hwp_cap(cpudata);
+ freq = cpudata->pstate.turbo_freq;
+
if (type == FREQ_QOS_MIN) {
freq = DIV_ROUND_UP(freq * global.min_perf_pct, 100);
} else {
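Review bot: `freq = cpudata->pstate.turbo_freq;` is still an unguarded dereference, and its safety depends on validation that sits between the two hunks and is not part of this diff, while the changelog says all_cpu_data[cpu] is NULL for SMT siblings under "nosmt". An explicit `if (!cpudata) return;` next to the `if (!policy)` test, or a comment naming the check that covers it, would make the fix verifiable from the function alone.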
* [PATCH 6.19 217/378] drm/amdgpu: add upper bound check on user inputs in signal ioctl
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sunil Khatri, Christian König,
Alex Deucher
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sunil Khatri <sunil.khatri@amd.com>
commit ea78f8c68f4f6211c557df49174c54d167821962 upstream.
Huge input values in amdgpu_userq_signal_ioctl can lead to an OOM and
could be exploited.
So check these input values against AMDGPU_USERQ_MAX_HANDLES,
which is a big enough value for genuine use cases and could
potentially avoid OOM.
Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit be267e15f99bc97cbe202cd556717797cdcf79a5)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
@@ -35,6 +35,8 @@
static const struct dma_fence_ops amdgpu_userq_fence_ops;
static struct kmem_cache *amdgpu_userq_fence_slab;
+#define AMDGPU_USERQ_MAX_HANDLES (1U << 16)
+
int amdgpu_userq_fence_slab_init(void)
{
amdgpu_userq_fence_slab = kmem_cache_create("amdgpu_userq_fence",
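Review bot: AMDGPU_USERQ_MAX_HANDLES is defined with no comment on where (1U << 16) comes from or what it bounds. A line noting that it caps the per-ioctl handle counts, and therefore each memdup_user() of u32 handles at 256 KiB, would let a later reader judge whether the value can safely be changed.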
@@ -476,6 +478,11 @@ int amdgpu_userq_signal_ioctl(struct drm
if (!amdgpu_userq_enabled(dev))
return -ENOTSUPP;
+ if (args->num_syncobj_handles > AMDGPU_USERQ_MAX_HANDLES ||
+ args->num_bo_write_handles > AMDGPU_USERQ_MAX_HANDLES ||
+ args->num_bo_read_handles > AMDGPU_USERQ_MAX_HANDLES)
+ return -EINVAL;
+
num_syncobj_handles = args->num_syncobj_handles;
syncobj_handles = memdup_user(u64_to_user_ptr(args->syncobj_handles),
size_mul(sizeof(u32), num_syncobj_handles));
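Review bot: the combined test returns a bare -EINVAL, so userspace gets no hint which of the three counts exceeded the limit, and the limit itself is private to this .c file. A debug-level message naming the offending field, or documenting the maximum alongside the ioctl arguments, would make the rejection diagnosable.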
* [PATCH 6.19 218/378] drm/amdgpu/userq: Fix reference leak in amdgpu_userq_wait_ioctl
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Deucher, Tvrtko Ursulin,
Arunpravin Paneer Selvam, Christian König
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
commit 49abfa812617a7f2d0132c70d23ac98b389c6ec1 upstream.
Drop reference to syncobj and timeline fence when aborting the ioctl due
to the output array being too small.
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Fixes: a292fdecd728 ("drm/amdgpu: Implement userqueue signal/wait IOCTL")
Cc: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 68951e9c3e6bb22396bc42ef2359751c8315dd27)
Cc: <stable@vger.kernel.org> # v6.16+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
@@ -880,6 +880,7 @@ int amdgpu_userq_wait_ioctl(struct drm_d
dma_fence_unwrap_for_each(f, &iter, fence) {
if (num_fences >= wait_info->num_fences) {
r = -EINVAL;
+ dma_fence_put(fence);
goto free_fences;
}
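Review bot: inside dma_fence_unwrap_for_each(f, &iter, fence) the added put is on `fence`, the object being unwrapped, not on the iterator `f`, which is easy to misread as a typo. A one-line comment saying that the reference on `fence` is held across the loop and has to be dropped before `goto free_fences` would make the intent clear.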
@@ -904,6 +905,7 @@ int amdgpu_userq_wait_ioctl(struct drm_d
if (num_fences >= wait_info->num_fences) {
r = -EINVAL;
+ dma_fence_put(fence);
goto free_fences;
}
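Review bot: this is the second copy of the `r = -EINVAL; dma_fence_put(fence); goto free_fences;` sequence, so any early exit added to either loop later can reintroduce the same leak. Routing both through one label that drops `fence` before reaching free_fences would keep the cleanup in a single place.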
* [PATCH 6.19 219/378] drm/amdgpu: add upper bound check on user inputs in wait ioctl
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sunil Khatri, Christian König,
Alex Deucher
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sunil Khatri <sunil.khatri@amd.com>
commit 64ac7c09fc44985ec9bb6a9db740899fa40ca613 upstream.
Huge input values in amdgpu_userq_wait_ioctl can lead to an OOM and
could be exploited.
So check these input values against AMDGPU_USERQ_MAX_HANDLES,
which is a big enough value for genuine use cases and could
potentially avoid OOM.
v2: squash in Srini's fix
Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit fcec012c664247531aed3e662f4280ff804d1476)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
@@ -668,6 +668,11 @@ int amdgpu_userq_wait_ioctl(struct drm_d
if (!amdgpu_userq_enabled(dev))
return -ENOTSUPP;
+ if (wait_info->num_syncobj_handles > AMDGPU_USERQ_MAX_HANDLES ||
+ wait_info->num_bo_write_handles > AMDGPU_USERQ_MAX_HANDLES ||
+ wait_info->num_bo_read_handles > AMDGPU_USERQ_MAX_HANDLES)
+ return -EINVAL;
+
num_read_bo_handles = wait_info->num_bo_read_handles;
bo_handles_read = memdup_user(u64_to_user_ptr(wait_info->bo_read_handles),
size_mul(sizeof(u32), num_read_bo_handles));
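Review bot: the new check bounds num_syncobj_handles, num_bo_write_handles and num_bo_read_handles but not wait_info->num_fences, which the same ioctl later compares against in `if (num_fences >= wait_info->num_fences)`. If that user-supplied count also sizes an allocation it needs its own upper bound, because AMDGPU_USERQ_MAX_HANDLES does not cover it.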
* [PATCH 6.19 220/378] drm/amd: Disable MES LR compute W/A
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher, Mario Limonciello
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 6b0d812971370c64b837a2db4275410f478272fe upstream.
A workaround was introduced in commit 1fb710793ce2 ("drm/amdgpu: Enable
MES lr_compute_wa by default") to help with some hangs observed in gfx1151.
This WA didn't fully fix the issue. It was actually fixed by adjusting
the VGPR size to the correct value that matched the hardware in commit
b42f3bf9536c ("drm/amdkfd: bump minimum vgpr size for gfx1151").
There are reports of instability on other products with newer GC microcode
versions, and I believe they're caused by this workaround. As we don't
need the workaround any more, remove it.
Fixes: b42f3bf9536c ("drm/amdkfd: bump minimum vgpr size for gfx1151")
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 9973e64bd6ee7642860a6f3b6958cbf14e89cabd)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 5 -----
drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 5 -----
2 files changed, 10 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
@@ -718,11 +718,6 @@ static int mes_v11_0_set_hw_resources(st
mes_set_hw_res_pkt.enable_reg_active_poll = 1;
mes_set_hw_res_pkt.enable_level_process_quantum_check = 1;
mes_set_hw_res_pkt.oversubscription_timer = 50;
- if ((mes->adev->mes.sched_version & AMDGPU_MES_VERSION_MASK) >= 0x7f)
- mes_set_hw_res_pkt.enable_lr_compute_wa = 1;
- else
- dev_info_once(mes->adev->dev,
- "MES FW version must be >= 0x7f to enable LR compute workaround.\n");
if (amdgpu_mes_log_enable) {
mes_set_hw_res_pkt.enable_mes_event_int_logging = 1;
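Review bot: with the assignment removed, enable_lr_compute_wa is simply never set and nothing in mes_v11_0_set_hw_resources() records why. A short comment pointing at the VGPR size fix named in the changelog would keep the workaround from being re-added by someone who only sees that the firmware supports the bit.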
--- a/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c
@@ -779,11 +779,6 @@ static int mes_v12_0_set_hw_resources(st
mes_set_hw_res_pkt.use_different_vmid_compute = 1;
mes_set_hw_res_pkt.enable_reg_active_poll = 1;
mes_set_hw_res_pkt.enable_level_process_quantum_check = 1;
- if ((mes->adev->mes.sched_version & AMDGPU_MES_VERSION_MASK) >= 0x82)
- mes_set_hw_res_pkt.enable_lr_compute_wa = 1;
- else
- dev_info_once(adev->dev,
- "MES FW version must be >= 0x82 to enable LR compute workaround.\n");
/*
* Keep oversubscribe timer for sdma . When we have unmapped doorbell
* [PATCH 6.19 221/378] ipmi:si: Dont block module unload if the BMC is messed up
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Corey Minyard
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Corey Minyard <corey@minyard.net>
commit f895e5df80316a308c2f7d64d13a78494630ea05 upstream.
If the BMC is in a bad state, don't bother waiting for queued messages
since there can't be any. Otherwise the unload is blocked until the
BMC is back in a good state.
Reported-by: Rafael J. Wysocki <rafael@kernel.org>
Fixes: bc3a9d217755 ("ipmi:si: Gracefully handle if the BMC is non-functional")
Cc: stable@vger.kernel.org # 4.18
Signed-off-by: Corey Minyard <corey@minyard.net>
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/ipmi/ipmi_si_intf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -2226,7 +2226,8 @@ static void wait_msg_processed(struct sm
unsigned long jiffies_now;
long time_diff;
- while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) {
+ while (smi_info->si_state != SI_HOSED &&
+ (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL))) {
jiffies_now = jiffies;
time_diff = (((long)jiffies_now - (long)smi_info->last_timeout_jiffies)
* SI_USEC_PER_JIFFY);
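Review bot: the new `smi_info->si_state != SI_HOSED` test lets the loop exit while smi_info->curr_msg may still be set, which the old condition never allowed. A comment above the loop stating that a hosed BMC cannot complete the message, and what returns or frees curr_msg afterwards, would document why the early exit is safe during unload.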
* [PATCH 6.19 222/378] ipmi:si: Use a long timeout when the BMC is misbehaving
From: Greg Kroah-Hartman @ 2026-03-17 16:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Igor Raits, Corey Minyard
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Corey Minyard <corey@minyard.net>
commit c3bb3295637cc9bf514f690941ca9a385bf30113 upstream.
If the driver goes into HOSED state, don't reset the timeout to the
short timeout in the timeout handler.
Reported-by: Igor Raits <igor@gooddata.com>
Closes: https://lore.kernel.org/linux-acpi/CAK8fFZ58fidGUCHi5WFX0uoTPzveUUDzT=k=AAm4yWo3bAuCFg@mail.gmail.com/
Fixes: bc3a9d217755 ("ipmi:si: Gracefully handle if the BMC is non-functional")
Cc: stable@vger.kernel.org # 4.18
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/ipmi/ipmi_si_intf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -1113,7 +1113,9 @@ static void smi_timeout(struct timer_lis
* SI_USEC_PER_JIFFY);
smi_result = smi_event_handler(smi_info, time_diff);
- if ((smi_info->io.irq) && (!smi_info->interrupt_disabled)) {
+ if (smi_info->si_state == SI_HOSED) {
+ timeout = jiffies + SI_TIMEOUT_HOSED;
+ } else if ((smi_info->io.irq) && (!smi_info->interrupt_disabled)) {
/* Running with interrupts, only do long timeouts. */
timeout = jiffies + SI_TIMEOUT_JIFFIES;
smi_inc_stat(smi_info, long_timeouts);
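Review bot: the new SI_HOSED branch has neither a comment nor a statistic, while the branch directly below it has both (`/* Running with interrupts, only do long timeouts. */` and `smi_inc_stat(smi_info, long_timeouts);`). A comment explaining that the hosed state keeps the long SI_TIMEOUT_HOSED interval, and a decision on whether these timeouts should be counted, would keep the three branches consistent.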
* [PATCH 6.19 223/378] drm/bridge: samsung-dsim: Fix memory leak in error path
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Osama Abdelkader, Luca Ceresoli
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Osama Abdelkader <osama.abdelkader@gmail.com>
commit 803ec1faf7c1823e6e3b1f2aaa81be18528c9436 upstream.
In samsung_dsim_host_attach(), drm_bridge_add() is called to add the
bridge. However, if samsung_dsim_register_te_irq() or
pdata->host_ops->attach() fails afterwards, the function returns
without removing the bridge, causing a memory leak.
Fix this by adding proper error handling with goto labels to ensure
drm_bridge_remove() is called in all error paths. Also ensure that
samsung_dsim_unregister_te_irq() is called if the attach operation
fails after the TE IRQ has been registered.
samsung_dsim_unregister_te_irq() function is moved without changes
to be before samsung_dsim_host_attach() to avoid forward declaration.
Fixes: e7447128ca4a ("drm: bridge: Generalize Exynos-DSI driver into a Samsung DSIM bridge")
Cc: stable@vger.kernel.org
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Link: https://patch.msgid.link/20260209184115.10937-1-osama.abdelkader@gmail.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/samsung-dsim.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
--- a/drivers/gpu/drm/bridge/samsung-dsim.c
+++ b/drivers/gpu/drm/bridge/samsung-dsim.c
@@ -1881,6 +1881,14 @@ static int samsung_dsim_register_te_irq(
return 0;
}
+static void samsung_dsim_unregister_te_irq(struct samsung_dsim *dsi)
+{
+ if (dsi->te_gpio) {
+ free_irq(gpiod_to_irq(dsi->te_gpio), dsi);
+ gpiod_put(dsi->te_gpio);
+ }
+}
+
static int samsung_dsim_host_attach(struct mipi_dsi_host *host,
struct mipi_dsi_device *device)
{
@@ -1955,13 +1963,13 @@ of_find_panel_or_bridge:
if (!(device->mode_flags & MIPI_DSI_MODE_VIDEO)) {
ret = samsung_dsim_register_te_irq(dsi, &device->dev);
if (ret)
- return ret;
+ goto err_remove_bridge;
}
if (pdata->host_ops && pdata->host_ops->attach) {
ret = pdata->host_ops->attach(dsi, device);
if (ret)
- return ret;
+ goto err_unregister_te_irq;
}
dsi->lanes = device->lanes;
@@ -1969,14 +1977,13 @@ of_find_panel_or_bridge:
dsi->mode_flags = device->mode_flags;
return 0;
-}
-static void samsung_dsim_unregister_te_irq(struct samsung_dsim *dsi)
-{
- if (dsi->te_gpio) {
- free_irq(gpiod_to_irq(dsi->te_gpio), dsi);
- gpiod_put(dsi->te_gpio);
- }
+err_unregister_te_irq:
+ if (!(device->mode_flags & MIPI_DSI_MODE_VIDEO))
+ samsung_dsim_unregister_te_irq(dsi);
+err_remove_bridge:
+ drm_bridge_remove(&dsi->bridge);
+ return ret;
}
static int samsung_dsim_host_detach(struct mipi_dsi_host *host,
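Review bot: samsung_dsim_unregister_te_irq() frees the IRQ and puts the GPIO but leaves dsi->te_gpio set, and the err_unregister_te_irq label adds a new caller on the attach error path. If samsung_dsim_host_detach() or a later attach attempt reaches the helper again, the stale pointer would be released a second time; setting `dsi->te_gpio = NULL;` after gpiod_put() would make the helper idempotent.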
* [PATCH 6.19 224/378] drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Franz Schnyder, Douglas Anderson
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Franz Schnyder <franz.schnyder@toradex.com>
commit 0b87d51690dd5131cbe9fbd23746b037aab89815 upstream.
Fall back to polling to detect hotplug events on systems without
interrupts.
On systems where the interrupt line of the bridge is not connected,
the bridge cannot notify hotplug events. Only add the
DRM_BRIDGE_OP_HPD flag if an interrupt has been registered,
otherwise remain in polling mode.
Fixes: 55e8ff842051 ("drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type")
Cc: stable@vger.kernel.org # 6.16: 9133bc3f0564: drm/bridge: ti-sn65dsi86: Add
Signed-off-by: Franz Schnyder <franz.schnyder@toradex.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
[dianders: Adjusted Fixes/stable line based on discussion]
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patch.msgid.link/20260206123758.374555-1-fra.schnyder@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
@@ -1415,6 +1415,7 @@ static int ti_sn_bridge_probe(struct aux
{
struct ti_sn65dsi86 *pdata = dev_get_drvdata(adev->dev.parent);
struct device_node *np = pdata->dev->of_node;
+ const struct i2c_client *client = to_i2c_client(pdata->dev);
int ret;
pdata->next_bridge = devm_drm_of_get_bridge(&adev->dev, np, 1, 0);
@@ -1433,8 +1434,9 @@ static int ti_sn_bridge_probe(struct aux
? DRM_MODE_CONNECTOR_DisplayPort : DRM_MODE_CONNECTOR_eDP;
if (pdata->bridge.type == DRM_MODE_CONNECTOR_DisplayPort) {
- pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT |
- DRM_BRIDGE_OP_HPD;
+ pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT;
+ if (client->irq)
+ pdata->bridge.ops |= DRM_BRIDGE_OP_HPD;
/*
* If comms were already enabled they would have been enabled
* with the wrong value of HPD_DISABLE. Update it now. Comms
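Review bot: `if (client->irq)` tests whether an IRQ number was assigned, not whether the driver's interrupt request succeeded, although the changelog says the flag should be set only "if an interrupt has been registered". If the request can fail while client->irq is non-zero, DRM_BRIDGE_OP_HPD would still be advertised; keying this on the result of the request, or adding a comment on why client->irq is sufficient, would close that gap.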
* [PATCH 6.19 225/378] ipmi:si: Handle waiting messages when BMC failure detected
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Rafael J. Wysocki,
Corey Minyard
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Corey Minyard <corey@minyard.net>
commit 52c9ee202edd21d0599ac3b5a6fe1da2a2f053e5 upstream.
If a BMC failure is detected, the current message is returned with an
error. However, if there was a waiting message, it would not be
handled.
Add a check for the waiting message after handling the current message.
Suggested-by: Guenter Roeck <linux@roeck-us.net>
Reported-by: Rafael J. Wysocki <rafael@kernel.org>
Closes: https://lore.kernel.org/linux-acpi/CAK8fFZ58fidGUCHi5WFX0uoTPzveUUDzT=k=AAm4yWo3bAuCFg@mail.gmail.com/
Fixes: bc3a9d217755 ("ipmi:si: Gracefully handle if the BMC is non-functional")
Cc: stable@vger.kernel.org # 4.18
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/ipmi/ipmi_si_intf.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -809,6 +809,12 @@ restart:
*/
return_hosed_msg(smi_info, IPMI_BUS_ERR);
}
+ if (smi_info->waiting_msg != NULL) {
+ /* Also handle if there was a message waiting. */
+ smi_info->curr_msg = smi_info->waiting_msg;
+ smi_info->waiting_msg = NULL;
+ return_hosed_msg(smi_info, IPMI_BUS_ERR);
+ }
smi_mod_timer(smi_info, jiffies + SI_TIMEOUT_HOSED);
goto out;
}
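Review bot: the added block overwrites smi_info->curr_msg with waiting_msg, so it relies on the return_hosed_msg() call just above having already disposed of the previous curr_msg; the comment should state that assumption. Kernel style also prefers `if (smi_info->waiting_msg)` over the explicit `!= NULL` comparison.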
* [PATCH 6.19 226/378] nouveau/gsp: drop WARN_ON in ACPI probes
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dave Airlie, Danilo Krummrich
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Airlie <airlied@redhat.com>
commit 9478c166c46934160135e197b049b5a05753f2ad upstream.
These WARN_ONs seem to trigger a lot, and we don't seem to have a
plan to fix them, so just drop them, as they are most likely
harmless.
Cc: stable@vger.kernel.org
Fixes: 176fdcbddfd2 ("drm/nouveau/gsp/r535: add support for booting GSP-RM")
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patch.msgid.link/20241121014601.229391-1-airlied@gmail.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/gsp.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/gsp.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/gsp.c
@@ -737,8 +737,8 @@ r535_gsp_acpi_caps(acpi_handle handle, C
if (!obj)
goto done;
- if (WARN_ON(obj->type != ACPI_TYPE_BUFFER) ||
- WARN_ON(obj->buffer.length != 4))
+ if (obj->type != ACPI_TYPE_BUFFER ||
+ obj->buffer.length != 4)
goto done;
caps->status = 0;
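Review bot: with the WARN_ON() wrappers gone, an unexpected object type or length from ACPI now reaches `goto done` with no trace at all. A debug-level message printing obj->type and obj->buffer.length would keep malformed firmware data diagnosable without the backtrace noise the changelog complains about.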
@@ -773,8 +773,8 @@ r535_gsp_acpi_jt(acpi_handle handle, JT_
if (!obj)
goto done;
- if (WARN_ON(obj->type != ACPI_TYPE_BUFFER) ||
- WARN_ON(obj->buffer.length != 4))
+ if (obj->type != ACPI_TYPE_BUFFER ||
+ obj->buffer.length != 4)
goto done;
jt->status = 0;
@@ -861,8 +861,8 @@ r535_gsp_acpi_dod(acpi_handle handle, DO
_DOD = output.pointer;
- if (WARN_ON(_DOD->type != ACPI_TYPE_PACKAGE) ||
- WARN_ON(_DOD->package.count > ARRAY_SIZE(dod->acpiIdList)))
+ if (_DOD->type != ACPI_TYPE_PACKAGE ||
+ _DOD->package.count > ARRAY_SIZE(dod->acpiIdList))
return;
for (int i = 0; i < _DOD->package.count; i++) {
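Review bot: the `_DOD->package.count > ARRAY_SIZE(dod->acpiIdList)` test is what bounds the `for` loop that follows, so it has to stay even though the WARN_ON() around it is dropped. A comment marking it as a bounds check on firmware-supplied data would protect it from being removed later as a leftover of the warning.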
* [PATCH 6.19 227/378] drm/i915/alpm: ALPM disable fixes
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Animesh Manna, Jani Nikula,
Jouni Högander, Michał Grzelak, Joonas Lahtinen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jouni Högander <jouni.hogander@intel.com>
commit eb4a7139e97374f42b7242cc754e77f1623fbcd5 upstream.
PORT_ALPM_CTL is supposed to be written only before link training. Remove
writing it from ALPM disable.
Also, clearing ALPM_CTL_ALPM_AUX_LESS_ENABLE is not about disabling ALPM
but switching to AUX-Wake ALPM. Stop touching this bit on ALPM disable.
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/7153
Fixes: 1ccbf135862b ("drm/i915/psr: Enable ALPM on source side for eDP Panel replay")
Cc: Animesh Manna <animesh.manna@intel.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: <stable@vger.kernel.org> # v6.10+
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Michał Grzelak <michal.grzelak@intel.com>
Link: https://patch.msgid.link/20260212062731.397801-1-jouni.hogander@intel.com
(cherry picked from commit 008304c9ae75c772d3460040de56e12112cdf5e6)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/display/intel_alpm.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
--- a/drivers/gpu/drm/i915/display/intel_alpm.c
+++ b/drivers/gpu/drm/i915/display/intel_alpm.c
@@ -558,12 +558,7 @@ void intel_alpm_disable(struct intel_dp
mutex_lock(&intel_dp->alpm.lock);
intel_de_rmw(display, ALPM_CTL(display, cpu_transcoder),
- ALPM_CTL_ALPM_ENABLE | ALPM_CTL_LOBF_ENABLE |
- ALPM_CTL_ALPM_AUX_LESS_ENABLE, 0);
-
- intel_de_rmw(display,
- PORT_ALPM_CTL(cpu_transcoder),
- PORT_ALPM_CTL_ALPM_AUX_LESS_ENABLE, 0);
+ ALPM_CTL_ALPM_ENABLE | ALPM_CTL_LOBF_ENABLE, 0);
drm_dbg_kms(display->drm, "Disabling ALPM\n");
mutex_unlock(&intel_dp->alpm.lock);
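Review bot: the rewritten intel_de_rmw() call no longer clears ALPM_CTL_ALPM_AUX_LESS_ENABLE, and nothing in intel_alpm_disable() says why, so a later cleanup could easily put the bit back. A one-line comment above the call would keep the rule from the commit message next to the code: the AUX-less bit selects the ALPM mode rather than enabling ALPM, and PORT_ALPM_CTL may only be written before link training.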
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 228/378] gpiolib: normalize the return value of gc->get() on behalf of buggy drivers
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 227/378] drm/i915/alpm: ALPM disable fixes Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 229/378] ipmi:si: Fix check for a misbehaving BMC Greg Kroah-Hartman
` (156 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov, Linus Walleij,
Bartosz Golaszewski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
commit ec2cceadfae72304ca19650f9cac4b2a97b8a2fc upstream.
Commit 86ef402d805d ("gpiolib: sanitize the return value of
gpio_chip::get()") started checking the return value of the .get()
callback in struct gpio_chip. Now - almost a year later - it turns out
that there are quite a few drivers in tree that can break with this
change. Partially revert it: normalize the return value in GPIO core but
also emit a warning.
Cc: stable@vger.kernel.org
Fixes: 86ef402d805d ("gpiolib: sanitize the return value of gpio_chip::get()")
Reported-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Closes: https://lore.kernel.org/all/aZSkqGTqMp_57qC7@google.com/
Reviewed-by: Linus Walleij <linusw@kernel.org>
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Link: https://patch.msgid.link/20260219-gpiolib-set-normalize-v2-1-f84630e45796@oss.qualcomm.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -3268,8 +3268,12 @@ static int gpiochip_get(struct gpio_chip
/* Make sure this is called after checking for gc->get(). */
ret = gc->get(gc, offset);
- if (ret > 1)
- ret = -EBADE;
+ if (ret > 1) {
+ gpiochip_warn(gc,
+ "invalid return value from gc->get(): %d, consider fixing the driver\n",
+ ret);
+ ret = !!ret;
+ }
return ret;
}
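Review bot: inside the new `if (ret > 1)` block, `ret = !!ret` can only ever evaluate to 1, so `ret = 1` would state the result directly. The gpiochip_warn() in the same block fires on every read from a misbehaving driver; if a consumer polls the line, one buggy driver can flood the log, so a once-per-chip or rate-limited print would be safer. The test is `> 1` only, so negative values still pass through as error codes, which is worth saying in the comment above the gc->get() call.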
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 229/378] ipmi:si: Fix check for a misbehaving BMC
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 228/378] gpiolib: normalize the return value of gc->get() on behalf of buggy drivers Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 230/378] drm/xe/sync: Fix user fence leak on alloc failure Greg Kroah-Hartman
` (155 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Corey Minyard
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Corey Minyard <corey@minyard.net>
commit cae66f1a1dcd23e17da5a015ef9d731129f9d2dd upstream.
There is a race on checking the state in the sender, it needs to be
checked under a lock. But you also need a check to avoid issues with
a misbehaving BMC for run to completion mode. So leave the check at
the beginning for run to completion, and add a check under the lock
to avoid the race.
Reported-by: Rafael J. Wysocki <rafael@kernel.org>
Fixes: bc3a9d217755 ("ipmi:si: Gracefully handle if the BMC is non-functional")
Cc: stable@vger.kernel.org # 4.18
Signed-off-by: Corey Minyard <corey@minyard.net>
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/ipmi/ipmi_si_intf.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -924,9 +924,14 @@ static int sender(void *send_info, struc
{
struct smi_info *smi_info = send_info;
unsigned long flags;
+ int rv = IPMI_CC_NO_ERROR;
debug_timestamp(smi_info, "Enqueue");
+ /*
+ * Check here for run to completion mode. A check under lock is
+ * later.
+ */
if (smi_info->si_state == SI_HOSED)
return IPMI_BUS_ERR;
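Review bot: the new comment says the early `si_state == SI_HOSED` test is there for run to completion mode, but the test itself is unconditional and still reads si_state without si_lock. Either gate it on that mode or reword the comment to say it is a lockless fast path that the locked check later backs up. A READ_ONCE() on the unlocked read would also document that the race is tolerated on purpose.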
@@ -940,18 +945,15 @@ static int sender(void *send_info, struc
}
spin_lock_irqsave(&smi_info->si_lock, flags);
- /*
- * The following two lines don't need to be under the lock for
- * the lock's sake, but they do need SMP memory barriers to
- * avoid getting things out of order. We are already claiming
- * the lock, anyway, so just do it under the lock to avoid the
- * ordering problem.
- */
- BUG_ON(smi_info->waiting_msg);
- smi_info->waiting_msg = msg;
- check_start_timer_thread(smi_info);
+ if (smi_info->si_state == SI_HOSED) {
+ rv = IPMI_BUS_ERR;
+ } else {
+ BUG_ON(smi_info->waiting_msg);
+ smi_info->waiting_msg = msg;
+ check_start_timer_thread(smi_info);
+ }
spin_unlock_irqrestore(&smi_info->si_lock, flags);
- return IPMI_CC_NO_ERROR;
+ return rv;
}
static void set_run_to_completion(void *send_info, bool i_run_to_completion)
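Review bot: the removed comment was the only explanation of why waiting_msg is assigned under si_lock, and the new locked block has none. A short comment on the `if (smi_info->si_state == SI_HOSED)` test, saying that si_state is rechecked here because it can change after the unlocked test at the top of sender(), would keep the reasoning from the commit message in the code. BUG_ON(smi_info->waiting_msg) is kept and runs with the spinlock held and interrupts off; since the function now has an error return through `rv`, a WARN_ON_ONCE() plus an error code would be a gentler failure in that context.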
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 230/378] drm/xe/sync: Fix user fence leak on alloc failure
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 229/378] ipmi:si: Fix check for a misbehaving BMC Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 231/378] drm/xe/sync: Cleanup partially initialized sync on parse failure Greg Kroah-Hartman
` (154 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Brost, Shuicheng Lin,
Rodrigo Vivi
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuicheng Lin <shuicheng.lin@intel.com>
commit 0879c3f04f67e2a1677c25dcc24669ce21eb6a6c upstream.
When dma_fence_chain_alloc() fails, properly release the user fence
reference to prevent a memory leak.
Fixes: 0995c2fc39b0 ("drm/xe: Enforce correct user fence signaling order using")
Cc: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20260219233516.2938172-6-shuicheng.lin@intel.com
(cherry picked from commit a5d5634cde48a9fcd68c8504aa07f89f175074a0)
Cc: stable@vger.kernel.org
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/xe/xe_sync.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/xe/xe_sync.c
+++ b/drivers/gpu/drm/xe/xe_sync.c
@@ -200,8 +200,10 @@ int xe_sync_entry_parse(struct xe_device
if (XE_IOCTL_DBG(xe, IS_ERR(sync->ufence)))
return PTR_ERR(sync->ufence);
sync->ufence_chain_fence = dma_fence_chain_alloc();
- if (!sync->ufence_chain_fence)
- return -ENOMEM;
+ if (!sync->ufence_chain_fence) {
+ err = -ENOMEM;
+ goto free_sync;
+ }
sync->ufence_syncobj = ufence_syncobj;
}
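Review bot: `goto free_sync` in the new error branch jumps to a label that this patch does not add. On this page the `free_sync:` label and the xe_sync_entry_cleanup() call are introduced by 231/378, and the Link: trailers show the upstream order was the reverse (this change is -6-, the cleanup patch is -5-). Unless the 6.19.y tree already carries the label, the tree does not build at this commit, which breaks bisection; swapping 230 and 231 in the queue would fix that. The branch also assigns `err`, so check that the variable is already declared in xe_sync_entry_parse() at this point in the series.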
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 231/378] drm/xe/sync: Cleanup partially initialized sync on parse failure
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 230/378] drm/xe/sync: Fix user fence leak on alloc failure Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 232/378] s390/pfault: Fix virtual vs physical address confusion Greg Kroah-Hartman
` (153 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Brost, Shuicheng Lin,
Rodrigo Vivi
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuicheng Lin <shuicheng.lin@intel.com>
commit 1bfd7575092420ba5a0b944953c95b74a5646ff8 upstream.
xe_sync_entry_parse() can allocate references (syncobj, fence, chain fence,
or user fence) before hitting a later failure path. Several of those paths
returned directly, leaving partially initialized state and leaking refs.
Route these error paths through a common free_sync label and call
xe_sync_entry_cleanup(sync) before returning the error.
Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Cc: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20260219233516.2938172-5-shuicheng.lin@intel.com
(cherry picked from commit f939bdd9207a5d1fc55cced5459858480686ce22)
Cc: stable@vger.kernel.org
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/xe/xe_sync.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
--- a/drivers/gpu/drm/xe/xe_sync.c
+++ b/drivers/gpu/drm/xe/xe_sync.c
@@ -146,8 +146,10 @@ int xe_sync_entry_parse(struct xe_device
if (!signal) {
sync->fence = drm_syncobj_fence_get(sync->syncobj);
- if (XE_IOCTL_DBG(xe, !sync->fence))
- return -EINVAL;
+ if (XE_IOCTL_DBG(xe, !sync->fence)) {
+ err = -EINVAL;
+ goto free_sync;
+ }
}
break;
@@ -167,17 +169,21 @@ int xe_sync_entry_parse(struct xe_device
if (signal) {
sync->chain_fence = dma_fence_chain_alloc();
- if (!sync->chain_fence)
- return -ENOMEM;
+ if (!sync->chain_fence) {
+ err = -ENOMEM;
+ goto free_sync;
+ }
} else {
sync->fence = drm_syncobj_fence_get(sync->syncobj);
- if (XE_IOCTL_DBG(xe, !sync->fence))
- return -EINVAL;
+ if (XE_IOCTL_DBG(xe, !sync->fence)) {
+ err = -EINVAL;
+ goto free_sync;
+ }
err = dma_fence_chain_find_seqno(&sync->fence,
sync_in.timeline_value);
if (err)
- return err;
+ goto free_sync;
}
break;
@@ -218,6 +224,10 @@ int xe_sync_entry_parse(struct xe_device
sync->timeline_value = sync_in.timeline_value;
return 0;
+
+free_sync:
+ xe_sync_entry_cleanup(sync);
+ return err;
}
ALLOW_ERROR_INJECTION(xe_sync_entry_parse, ERRNO);
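Review bot: the new `free_sync:` path calls xe_sync_entry_cleanup(sync) on an entry that may be only partly filled in, so it depends on two things the diff does not show. First, every pointer in *sync that cleanup releases must be NULL unless it was actually acquired, which means the caller has to pass in a zeroed entry. Second, any caller that already runs xe_sync_entry_cleanup() on its entries after a failed parse would release the same references twice unless cleanup clears the fields it puts. A sentence in the function's comment stating that a failed parse leaves nothing for the caller to clean up would settle both.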
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 232/378] s390/pfault: Fix virtual vs physical address confusion
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 231/378] drm/xe/sync: Cleanup partially initialized sync on parse failure Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 233/378] bpf: Fix kprobe_multi cookies access in show_fdinfo callback Greg Kroah-Hartman
` (152 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Claudio Imbrenda, Heiko Carstens,
Alexander Gordeev, Vasily Gorbik
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Gordeev <agordeev@linux.ibm.com>
commit d879ac6756b662a085a743e76023c768c3241579 upstream.
When Linux is running as guest, runs a user space process and the
user space process accesses a page that the host has paged out,
the guest gets a pfault interrupt and schedules a different process.
Without this mechanism the host would have to suspend the whole
virtual CPU until the page has been paged in.
To set up the pfault interrupt the real address of the parameter list
should be passed to DIAGNOSE 0x258, but a virtual address is passed
instead.
That has a performance impact, since the pfault setup never succeeds,
the interrupt is never delivered to a guest and the whole virtual CPU
is suspended as a result.
Cc: stable@vger.kernel.org
Fixes: c98d2ecae08f ("s390/mm: Uncouple physical vs virtual address spaces")
Reported-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/mm/pfault.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/s390/mm/pfault.c
+++ b/arch/s390/mm/pfault.c
@@ -62,7 +62,7 @@ int __pfault_init(void)
"0: nopr %%r7\n"
EX_TABLE(0b, 0b)
: [rc] "+d" (rc)
- : [refbk] "a" (&pfault_init_refbk), "m" (pfault_init_refbk)
+ : [refbk] "a" (virt_to_phys(&pfault_init_refbk)), "m" (pfault_init_refbk)
: "cc");
return rc;
}
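Review bot: the `[refbk] "a"` input now carries virt_to_phys(&pfault_init_refbk) while the `"m" (pfault_init_refbk)` operand beside it still names the virtual object, and nothing in the asm says which one DIAGNOSE 0x258 consumes. A short comment above the asm stating that the instruction takes the real address of the parameter list would stop a later cleanup from undoing this. The same applies to the matching change in __pfault_fini().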
@@ -84,7 +84,7 @@ void __pfault_fini(void)
"0: nopr %%r7\n"
EX_TABLE(0b, 0b)
:
- : [refbk] "a" (&pfault_fini_refbk), "m" (pfault_fini_refbk)
+ : [refbk] "a" (virt_to_phys(&pfault_fini_refbk)), "m" (pfault_fini_refbk)
: "cc");
}
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 233/378] bpf: Fix kprobe_multi cookies access in show_fdinfo callback
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 232/378] s390/pfault: Fix virtual vs physical address confusion Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 234/378] arm64: gcs: Honour mprotect(PROT_NONE) on shadow stack mappings Greg Kroah-Hartman
` (151 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiri Olsa, Alexei Starovoitov
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Olsa <jolsa@kernel.org>
commit ad6fface76da42721c15e8fb281570aaa44a2c01 upstream.
We don't check if cookies are available on the kprobe_multi link
before accessing them in show_fdinfo callback, we should.
Cc: stable@vger.kernel.org
Fixes: da7e9c0a7fbc ("bpf: Add show_fdinfo for kprobe_multi")
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20260225111249.186230-1-jolsa@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/bpf_trace.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -2441,8 +2441,10 @@ static void bpf_kprobe_multi_show_fdinfo
struct seq_file *seq)
{
struct bpf_kprobe_multi_link *kmulti_link;
+ bool has_cookies;
kmulti_link = container_of(link, struct bpf_kprobe_multi_link, link);
+ has_cookies = !!kmulti_link->cookies;
seq_printf(seq,
"kprobe_cnt:\t%u\n"
@@ -2454,7 +2456,7 @@ static void bpf_kprobe_multi_show_fdinfo
for (int i = 0; i < kmulti_link->cnt; i++) {
seq_printf(seq,
"%llu\t %pS\n",
- kmulti_link->cookies[i],
+ has_cookies ? kmulti_link->cookies[i] : 0,
(void *)kmulti_link->addrs[i]);
}
}
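Review bot: `has_cookies ? kmulti_link->cookies[i] : 0` makes a link without cookies print 0 in the cookie column, which a reader of fdinfo cannot tell apart from a link whose cookies really are 0. If tooling parses this output, say in the commit message or a comment that 0 doubles as "no cookie". The two arms of the conditional also differ in type (an element of cookies[] and a plain int 0); the usual arithmetic conversions make this work with %llu, but writing the fallback as 0ULL would make that explicit.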
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 234/378] arm64: gcs: Honour mprotect(PROT_NONE) on shadow stack mappings
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 233/378] bpf: Fix kprobe_multi cookies access in show_fdinfo callback Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 235/378] nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit() Greg Kroah-Hartman
` (150 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Catalin Marinas, Mark Brown,
Will Deacon, David Hildenbrand
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Catalin Marinas <catalin.marinas@arm.com>
commit 47a8aad135ac1aed04b7b0c0a8157fd208075827 upstream.
vm_get_page_prot() short-circuits the protection_map[] lookup for a
VM_SHADOW_STACK mapping since it uses a different PIE index from the
typical read/write/exec permissions. However, the side effect is that it
also ignores mprotect(PROT_NONE) by creating an accessible PTE.
Special-case the !(vm_flags & VM_ACCESS_FLAGS) flags to use the
protection_map[VM_NONE] permissions instead. No GCS attributes are
required for an inaccessible PTE.
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Fixes: 6497b66ba694 ("arm64/mm: Map pages for guarded control stack")
Cc: stable@vger.kernel.org
Cc: Mark Brown <broonie@kernel.org>
Cc: Will Deacon <will@kernel.org>
Cc: David Hildenbrand <david@kernel.org>
Reviewed-by: David Hildenbrand (Arm) <david@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/mm/mmap.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/arch/arm64/mm/mmap.c
+++ b/arch/arm64/mm/mmap.c
@@ -91,7 +91,11 @@ pgprot_t vm_get_page_prot(vm_flags_t vm_
/* Short circuit GCS to avoid bloating the table. */
if (system_supports_gcs() && (vm_flags & VM_SHADOW_STACK)) {
- prot = gcs_page_prot;
+ /* Honour mprotect(PROT_NONE) on shadow stack mappings */
+ if (vm_flags & VM_ACCESS_FLAGS)
+ prot = gcs_page_prot;
+ else
+ prot = pgprot_val(protection_map[VM_NONE]);
} else {
prot = pgprot_val(protection_map[vm_flags &
(VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]);
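Review bot: the new test `if (vm_flags & VM_ACCESS_FLAGS)` treats any remaining access bit as a reason to return the full gcs_page_prot, so only a mapping with all access flags cleared becomes inaccessible. That fixes mprotect(PROT_NONE), but the hunk leaves open what a shadow stack mapping gets after a partial drop such as read-only. If such requests are rejected before they reach vm_get_page_prot(), say so in the comment; otherwise the PTE is still more permissive than what was requested. Since the bug was a protection request being silently ignored, a selftest that touches a GCS page after PROT_NONE and expects a fault would be a good companion.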
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 235/378] nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit().
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 234/378] arm64: gcs: Honour mprotect(PROT_NONE) on shadow stack mappings Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 236/378] device property: Allow secondary lookup in fwnode_get_next_child_node() Greg Kroah-Hartman
` (149 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Jeff Layton,
Chuck Lever
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
commit 92978c83bb4eef55d02a6c990c01c423131eefa7 upstream.
nfsd_nl_listener_set_doit() uses get_current_cred() without
put_cred().
As we can see from other callers, svc_xprt_create_from_sa()
does not require the extra refcount.
nfsd_nl_listener_set_doit() is always in the process context,
sendmsg(), and current->cred does not go away.
Let's use current_cred() in nfsd_nl_listener_set_doit().
Fixes: 16a471177496 ("NFSD: add listener-{set,get} netlink command")
Cc: stable@vger.kernel.org
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfsctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -1993,7 +1993,7 @@ int nfsd_nl_listener_set_doit(struct sk_
}
ret = svc_xprt_create_from_sa(serv, xcl_name, net, sa, 0,
- get_current_cred());
+ current_cred());
/* always save the latest error */
if (ret < 0)
err = ret;
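Review bot: passing current_cred() in place of get_current_cred() hands svc_xprt_create_from_sa() a borrowed pointer, which is correct only while the callee takes its own reference for anything it keeps past the call. The commit message argues this by pointing at other callers; a short comment at this call site saying the cred is borrowed for the duration of the call would make the contract visible here and keep a later reader from changing it back.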
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 236/378] device property: Allow secondary lookup in fwnode_get_next_child_node()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 235/378] nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit() Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 237/378] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports Greg Kroah-Hartman
` (148 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko,
Rafael J. Wysocki (Intel), Sakari Ailus, Danilo Krummrich
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit 2692c614f8f05929d692b3dbfd3faef1f00fbaf0 upstream.
When device_get_child_node_count() got split to the fwnode and device
respective APIs, the fwnode didn't inherit the ability to traverse over
the secondary fwnode. Hence any user, that switches from device to fwnode
API misses this feature. In particular, this was revealed by the commit
1490cbb9dbfd ("device property: Split fwnode_get_child_node_count()")
that effectively broke the GPIO enumeration on Intel Galileo boards.
Fix this by moving the secondary lookup from device to fwnode API.
Note, in general no device_*() API should go into the depth of the fwnode
implementation.
Fixes: 114dbb4fa7c4 ("drivers property: When no children in primary, try secondary")
Cc: stable@vger.kernel.org
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Link: https://patch.msgid.link/20260210135822.47335-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/property.c | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
--- a/drivers/base/property.c
+++ b/drivers/base/property.c
@@ -797,7 +797,18 @@ struct fwnode_handle *
fwnode_get_next_child_node(const struct fwnode_handle *fwnode,
struct fwnode_handle *child)
{
- return fwnode_call_ptr_op(fwnode, get_next_child_node, child);
+ struct fwnode_handle *next;
+
+ if (IS_ERR_OR_NULL(fwnode))
+ return NULL;
+
+ /* Try to find a child in primary fwnode */
+ next = fwnode_call_ptr_op(fwnode, get_next_child_node, child);
+ if (next)
+ return next;
+
+ /* When no more children in primary, continue with secondary */
+ return fwnode_call_ptr_op(fwnode->secondary, get_next_child_node, child);
}
EXPORT_SYMBOL_GPL(fwnode_get_next_child_node);
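Review bot: fwnode_get_next_child_node() now falls through to fwnode->secondary, which changes behaviour for every direct caller of the fwnode API, but the hunk does not touch the function's kernel-doc. Please update it to say that children of the secondary node are returned once the primary is exhausted. The last line also passes `child` unchanged to the secondary's get_next_child_node after the primary op returned NULL for it; a comment on what the secondary is expected to do with a cursor that came from the primary would help.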
@@ -841,19 +852,7 @@ EXPORT_SYMBOL_GPL(fwnode_get_next_availa
struct fwnode_handle *device_get_next_child_node(const struct device *dev,
struct fwnode_handle *child)
{
- const struct fwnode_handle *fwnode = dev_fwnode(dev);
- struct fwnode_handle *next;
-
- if (IS_ERR_OR_NULL(fwnode))
- return NULL;
-
- /* Try to find a child in primary fwnode */
- next = fwnode_get_next_child_node(fwnode, child);
- if (next)
- return next;
-
- /* When no more children in primary, continue with secondary */
- return fwnode_get_next_child_node(fwnode->secondary, child);
+ return fwnode_get_next_child_node(dev_fwnode(dev), child);
}
EXPORT_SYMBOL_GPL(device_get_next_child_node);
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 237/378] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 236/378] device property: Allow secondary lookup in fwnode_get_next_child_node() Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 238/378] btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies() Greg Kroah-Hartman
` (147 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc Zyngier, Thomas Gleixner,
Robin Murphy, Zenghui Yu
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit ce9e40a9a5e5cff0b1b0d2fa582b3d71a8ce68e8 upstream.
The ITS driver blindly assumes that EventIDs are in abundant supply, to the
point where it never checks how many the hardware actually supports.
It turns out that some pretty esoteric integrations make it so that only a
few bits are available, all the way down to a single bit.
Enforce the advertised limitation at the point of allocating the device
structure, and hope that the endpoint driver can deal with such limitation.
Fixes: 84a6a2e7fc18d ("irqchip: GICv3: ITS: device allocation and configuration")
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Zenghui Yu <zenghui.yu@linux.dev>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260206154816.3582887-1-maz@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-gic-v3-its.c | 4 ++++
include/linux/irqchip/arm-gic-v3.h | 1 +
2 files changed, 5 insertions(+)
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -3475,6 +3475,7 @@ static struct its_device *its_create_dev
int lpi_base;
int nr_lpis;
int nr_ites;
+ int id_bits;
int sz;
if (!its_alloc_device_table(its, dev_id))
@@ -3486,7 +3487,10 @@ static struct its_device *its_create_dev
/*
* Even if the device wants a single LPI, the ITT must be
* sized as a power of two (and you need at least one bit...).
+ * Also honor the ITS's own EID limit.
*/
+ id_bits = FIELD_GET(GITS_TYPER_IDBITS, its->typer) + 1;
+ nvecs = min_t(unsigned int, nvecs, BIT(id_bits));
nr_ites = max(2, nvecs);
sz = nr_ites * (FIELD_GET(GITS_TYPER_ITT_ENTRY_SIZE, its->typer) + 1);
sz = max(sz, ITS_ITT_ALIGN);
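Review bot: `BIT(id_bits)` inside `min_t(unsigned int, ...)` can truncate. GITS_TYPER_IDBITS is the five-bit field 12:8, so `FIELD_GET(...) + 1` ranges up to 32, and min_t() casts both arguments to unsigned int before comparing. BIT() yields an unsigned long, so on a 64-bit build BIT(32) becomes 0 after the cast and nvecs is clamped to 0 instead of being left alone (on a 32-bit build the shift itself is out of range). Doing the comparison in a 64-bit type, or skipping the clamp when id_bits is 32, avoids that. The comment could also state that nvecs itself is reduced, since the caller ends up with fewer vectors than it asked for.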
--- a/include/linux/irqchip/arm-gic-v3.h
+++ b/include/linux/irqchip/arm-gic-v3.h
@@ -394,6 +394,7 @@
#define GITS_TYPER_VLPIS (1UL << 1)
#define GITS_TYPER_ITT_ENTRY_SIZE_SHIFT 4
#define GITS_TYPER_ITT_ENTRY_SIZE GENMASK_ULL(7, 4)
+#define GITS_TYPER_IDBITS GENMASK_ULL(12, 8)
#define GITS_TYPER_IDBITS_SHIFT 8
#define GITS_TYPER_DEVBITS_SHIFT 13
#define GITS_TYPER_DEVBITS GENMASK_ULL(17, 13)
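Review bot: the new GITS_TYPER_IDBITS mask is inserted above the existing GITS_TYPER_IDBITS_SHIFT, while the neighbouring ITT_ENTRY_SIZE and DEVBITS pairs list the _SHIFT define first and the GENMASK_ULL() mask second. Placing the new line after GITS_TYPER_IDBITS_SHIFT would keep the block consistent.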
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 238/378] btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 237/378] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 239/378] sched_ext: Disable preemption between scx_claim_exit() and kicking helper work Greg Kroah-Hartman
` (146 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, Mark Harmstone,
David Sterba
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Harmstone <mark@harmstone.com>
commit f15fb3d41543244d1179f423da4a4832a55bc050 upstream.
Fix a chunk map leak in btrfs_map_block(): if we return early with -EINVAL,
we're not freeing the chunk map that we've just looked up.
Fixes: 0ae653fbec2b ("btrfs: reduce chunk_map lookups in btrfs_map_block()")
CC: stable@vger.kernel.org # 6.12+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Mark Harmstone <mark@harmstone.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/volumes.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -6707,8 +6707,10 @@ int btrfs_map_block(struct btrfs_fs_info
return PTR_ERR(map);
num_copies = btrfs_chunk_map_num_copies(map);
- if (io_geom.mirror_num > num_copies)
- return -EINVAL;
+ if (io_geom.mirror_num > num_copies) {
+ ret = -EINVAL;
+ goto out;
+ }
map_offset = logical - map->start;
io_geom.raid56_full_stripe_start = (u64)-1;
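Review bot: the early exit for `io_geom.mirror_num > num_copies` now goes through `out`, a label the hunk does not show. This check runs right after the chunk map lookup, before map_offset and the remaining io_geom fields are set up, so confirm that everything the `out` path does besides freeing the map is safe on state that has not been initialised yet.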
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 239/378] sched_ext: Disable preemption between scx_claim_exit() and kicking helper work
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 238/378] btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies() Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 240/378] sched_ext: Fix starvation of scx_enable() under fair-class saturation Greg Kroah-Hartman
` (145 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andrea Righi, Tejun Heo
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
commit 83236b2e43dba00bee5b82eb5758816b1a674f6a upstream.
scx_claim_exit() atomically sets exit_kind, which prevents scx_error() from
triggering further error handling. After claiming exit, the caller must kick
the helper kthread work which initiates bypass mode and teardown.
If the calling task gets preempted between claiming exit and kicking the
helper work, and the BPF scheduler fails to schedule it back (since error
handling is now disabled), the helper work is never queued, bypass mode
never activates, tasks stop being dispatched, and the system wedges.
Disable preemption across scx_claim_exit() and the subsequent work kicking
in all callers - scx_disable() and scx_vexit(). Add
lockdep_assert_preemption_disabled() to scx_claim_exit() to enforce the
requirement.
Fixes: f0e1a0643a59 ("sched_ext: Implement BPF extensible scheduler class")
Cc: stable@vger.kernel.org # v6.12+
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -4390,10 +4390,19 @@ done:
scx_bypass(false);
}
+/*
+ * Claim the exit on @sch. The caller must ensure that the helper kthread work
+ * is kicked before the current task can be preempted. Once exit_kind is
+ * claimed, scx_error() can no longer trigger, so if the current task gets
+ * preempted and the BPF scheduler fails to schedule it back, the helper work
+ * will never be kicked and the whole system can wedge.
+ */
static bool scx_claim_exit(struct scx_sched *sch, enum scx_exit_kind kind)
{
int none = SCX_EXIT_NONE;
+ lockdep_assert_preemption_disabled();
+
if (!atomic_try_cmpxchg(&sch->exit_kind, &none, kind))
return false;
@@ -4416,6 +4425,7 @@ static void scx_disable(enum scx_exit_ki
rcu_read_lock();
sch = rcu_dereference(scx_root);
if (sch) {
+ guard(preempt)();
scx_claim_exit(sch, kind);
kthread_queue_work(sch->helper, &sch->disable_work);
}
@@ -4738,6 +4748,8 @@ static bool scx_vexit(struct scx_sched *
{
struct scx_exit_info *ei = sch->exit_info;
+ guard(preempt)();
+
if (!scx_claim_exit(sch, kind))
return false;
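Review bot: in scx_vexit(), guard(preempt)() is declared at function scope, so preemption stays disabled until the function returns rather than only across scx_claim_exit() and the kick. The remainder of the function is not visible in this hunk; please confirm that nothing after the claim can sleep, or open a narrower scope around the claim and the kick, as scx_disable() does with its if (sch) block.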
* [PATCH 6.19 240/378] sched_ext: Fix starvation of scx_enable() under fair-class saturation
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 239/378] sched_ext: Disable preemption between scx_claim_exit() and kicking helper work Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-19 7:11 ` Jiri Slaby
2026-03-17 16:33 ` [PATCH 6.19 241/378] iomap: dont mark folio uptodate if read IO has bytes pending Greg Kroah-Hartman
` (144 subsequent siblings)
384 siblings, 1 reply; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tejun Heo
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
commit b06ccbabe2506fd70b9167a644978b049150224a upstream.
During scx_enable(), the READY -> ENABLED task switching loop changes the
calling thread's sched_class from fair to ext. Since fair has higher
priority than ext, saturating fair-class workloads can indefinitely starve
the enable thread, hanging the system. This was introduced when the enable
path switched from preempt_disable() to scx_bypass() which doesn't protect
against fair-class starvation. Note that the original preempt_disable()
protection wasn't complete either - in partial switch modes, the calling
thread could still be starved after preempt_enable() as it may have been
switched to ext class.
Fix it by offloading the enable body to a dedicated system-wide RT
(SCHED_FIFO) kthread which cannot be starved by either fair or ext class
tasks. scx_enable() lazily creates the kthread on first use and passes the
ops pointer through a struct scx_enable_cmd containing the kthread_work,
then synchronously waits for completion.
The workfn runs on a different kthread from sch->helper (which runs
disable_work), so it can safely flush disable_work on the error path
without deadlock.
Fixes: 8c2090c504e9 ("sched_ext: Initialize in bypass mode")
Cc: stable@vger.kernel.org # v6.12+
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 66 ++++++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 56 insertions(+), 10 deletions(-)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -4935,20 +4935,30 @@ static int validate_ops(struct scx_sched
return 0;
}
-static int scx_enable(struct sched_ext_ops *ops, struct bpf_link *link)
+/*
+ * scx_enable() is offloaded to a dedicated system-wide RT kthread to avoid
+ * starvation. During the READY -> ENABLED task switching loop, the calling
+ * thread's sched_class gets switched from fair to ext. As fair has higher
+ * priority than ext, the calling thread can be indefinitely starved under
+ * fair-class saturation, leading to a system hang.
+ */
+struct scx_enable_cmd {
+ struct kthread_work work;
+ struct sched_ext_ops *ops;
+ int ret;
+};
+
+static void scx_enable_workfn(struct kthread_work *work)
{
+ struct scx_enable_cmd *cmd =
+ container_of(work, struct scx_enable_cmd, work);
+ struct sched_ext_ops *ops = cmd->ops;
struct scx_sched *sch;
struct scx_task_iter sti;
struct task_struct *p;
unsigned long timeout;
int i, cpu, ret;
- if (!cpumask_equal(housekeeping_cpumask(HK_TYPE_DOMAIN),
- cpu_possible_mask)) {
- pr_err("sched_ext: Not compatible with \"isolcpus=\" domain isolation\n");
- return -EINVAL;
- }
-
mutex_lock(&scx_enable_mutex);
if (scx_enable_state() != SCX_DISABLED) {
@@ -5165,13 +5175,15 @@ static int scx_enable(struct sched_ext_o
atomic_long_inc(&scx_enable_seq);
- return 0;
+ cmd->ret = 0;
+ return;
err_free_ksyncs:
free_kick_syncs();
err_unlock:
mutex_unlock(&scx_enable_mutex);
- return ret;
+ cmd->ret = ret;
+ return;
err_disable_unlock_all:
scx_cgroup_unlock();
@@ -5190,7 +5202,41 @@ err_disable:
*/
scx_error(sch, "scx_enable() failed (%d)", ret);
kthread_flush_work(&sch->disable_work);
- return 0;
+ cmd->ret = 0;
+}
+
+static int scx_enable(struct sched_ext_ops *ops, struct bpf_link *link)
+{
+ static struct kthread_worker *helper;
+ static DEFINE_MUTEX(helper_mutex);
+ struct scx_enable_cmd cmd;
+
+ if (!cpumask_equal(housekeeping_cpumask(HK_TYPE_DOMAIN),
+ cpu_possible_mask)) {
+ pr_err("sched_ext: Not compatible with \"isolcpus=\" domain isolation\n");
+ return -EINVAL;
+ }
+
+ if (!READ_ONCE(helper)) {
+ mutex_lock(&helper_mutex);
+ if (!helper) {
+ helper = kthread_run_worker(0, "scx_enable_helper");
+ if (IS_ERR_OR_NULL(helper)) {
+ helper = NULL;
+ mutex_unlock(&helper_mutex);
+ return -ENOMEM;
+ }
+ sched_set_fifo(helper->task);
+ }
+ mutex_unlock(&helper_mutex);
+ }
+
+ kthread_init_work(&cmd.work, scx_enable_workfn);
+ cmd.ops = ops;
+
+ kthread_queue_work(READ_ONCE(helper), &cmd.work);
+ kthread_flush_work(&cmd.work);
+ return cmd.ret;
}
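Review bot: in the new scx_enable(), the static helper pointer is assigned straight from kthread_run_worker() and only afterwards reset to NULL on failure, while other callers test it locklessly with READ_ONCE(helper) outside helper_mutex. A concurrent caller can therefore observe an ERR_PTR value, skip the mutex and pass it to kthread_queue_work(); it can also observe a valid worker before sched_set_fifo(helper->task) has run. Suggest creating the worker into a local variable, checking it, calling sched_set_fifo(), and only then publishing it with WRITE_ONCE(helper, ...). Returning -ENOMEM for every failure also discards the error code carried in the ERR_PTR.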
* [PATCH 6.19 241/378] iomap: dont mark folio uptodate if read IO has bytes pending
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 240/378] sched_ext: Fix starvation of scx_enable() under fair-class saturation Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 242/378] iomap: reject delalloc mappings during writeback Greg Kroah-Hartman
` (143 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wei Gao, Sasha Levin,
Darrick J. Wong, Joanne Koong, Christian Brauner
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
commit debc1a492b2695d05973994fb0f796dbd9ceaae6 upstream.
If a folio has ifs metadata attached to it and the folio is partially
read in through an async IO helper with the rest of it then being read
in through post-EOF zeroing or as inline data, and the helper
successfully finishes the read first, then post-EOF zeroing / reading
inline will mark the folio as uptodate in iomap_set_range_uptodate().
This is a problem because when the read completion path later calls
iomap_read_end(), it will call folio_end_read(), which sets the uptodate
bit using XOR semantics. Calling folio_end_read() on a folio that was
already marked uptodate clears the uptodate bit.
Fix this by not marking the folio as uptodate if the read IO has bytes
pending. The folio uptodate state will be set in the read completion
path through iomap_end_read() -> folio_end_read().
Reported-by: Wei Gao <wegao@suse.com>
Suggested-by: Sasha Levin <sashal@kernel.org>
Tested-by: Wei Gao <wegao@suse.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Cc: stable@vger.kernel.org # v6.19
Link: https://lore.kernel.org/linux-fsdevel/aYbmy8JdgXwsGaPP@autotest-wegao.qe.prg2.suse.org/
Fixes: b2f35ac4146d ("iomap: add caller-provided callbacks for read and readahead")
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Link: https://patch.msgid.link/20260303233420.874231-2-joannelkoong@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/iomap/buffered-io.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -79,18 +79,27 @@ static void iomap_set_range_uptodate(str
{
struct iomap_folio_state *ifs = folio->private;
unsigned long flags;
- bool uptodate = true;
+ bool mark_uptodate = true;
if (folio_test_uptodate(folio))
return;
if (ifs) {
spin_lock_irqsave(&ifs->state_lock, flags);
- uptodate = ifs_set_range_uptodate(folio, ifs, off, len);
+ /*
+ * If a read with bytes pending is in progress, we must not call
+ * folio_mark_uptodate(). The read completion path
+ * (iomap_read_end()) will call folio_end_read(), which uses XOR
+ * semantics to set the uptodate bit. If we set it here, the XOR
+ * in folio_end_read() will clear it, leaving the folio not
+ * uptodate.
+ */
+ mark_uptodate = ifs_set_range_uptodate(folio, ifs, off, len) &&
+ !ifs->read_bytes_pending;
spin_unlock_irqrestore(&ifs->state_lock, flags);
}
- if (uptodate)
+ if (mark_uptodate)
folio_mark_uptodate(folio);
}
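Review bot: the new comment in the ifs branch of iomap_set_range_uptodate() explains why folio_mark_uptodate() must be skipped, but not whether the !ifs->read_bytes_pending test depends on being evaluated inside the state_lock section together with ifs_set_range_uptodate(). If that locking is what orders the test against the completion path, say so in the comment so the check is not later hoisted out of the critical section. Also, the comment names iomap_read_end() while the changelog uses both iomap_read_end() and iomap_end_read(); settle on the real function name so the reference can be grepped.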
* [PATCH 6.19 242/378] iomap: reject delalloc mappings during writeback
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 241/378] iomap: dont mark folio uptodate if read IO has bytes pending Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 243/378] nsfs: tighten permission checks for handle opening Greg Kroah-Hartman
` (142 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Carlos Maiolino, Christian Brauner
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
commit d320f160aa5ff36cdf83c645cca52b615e866e32 upstream.
Filesystems should never provide a delayed allocation mapping to
writeback; they're supposed to allocate the space before replying.
This can lead to weird IO errors and crashes in the block layer if the
filesystem is being malicious, or if it hadn't set iomap->dev because
it's a delalloc mapping.
Fix this by failing writeback on delalloc mappings. Currently no
filesystems actually misbehave in this manner, but we ought to be
stricter about things like that.
Cc: stable@vger.kernel.org # v5.5
Fixes: 598ecfbaa742ac ("iomap: lift the xfs writeback code to iomap")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Link: https://patch.msgid.link/20260302173002.GL13829@frogsfrogsfrogs
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/iomap/ioend.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/fs/iomap/ioend.c
+++ b/fs/iomap/ioend.c
@@ -163,17 +163,18 @@ ssize_t iomap_add_to_ioend(struct iomap_
WARN_ON_ONCE(!folio->private && map_len < dirty_len);
switch (wpc->iomap.type) {
- case IOMAP_INLINE:
- WARN_ON_ONCE(1);
- return -EIO;
+ case IOMAP_UNWRITTEN:
+ ioend_flags |= IOMAP_IOEND_UNWRITTEN;
+ break;
+ case IOMAP_MAPPED:
+ break;
case IOMAP_HOLE:
return map_len;
default:
- break;
+ WARN_ON_ONCE(1);
+ return -EIO;
}
- if (wpc->iomap.type == IOMAP_UNWRITTEN)
- ioend_flags |= IOMAP_IOEND_UNWRITTEN;
if (wpc->iomap.flags & IOMAP_F_SHARED)
ioend_flags |= IOMAP_IOEND_SHARED;
if (folio_test_dropbehind(folio))
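Review bot: the new default: arm in iomap_add_to_ioend() reports every unexpected mapping type with a bare WARN_ON_ONCE(1), which records neither the offending wpc->iomap.type nor the inode and fires only once per boot. The changelog names a malicious filesystem as one trigger, so on systems running with panic_on_warn this path turns a bad mapping into a panic. Consider logging the type in a rate-limited error alongside the -EIO return, and adding a comment listing which types (IOMAP_DELALLOC, IOMAP_INLINE) are expected to land in default.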
* [PATCH 6.19 243/378] nsfs: tighten permission checks for handle opening
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 242/378] iomap: reject delalloc mappings during writeback Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 244/378] nstree: tighten permission checks for listing Greg Kroah-Hartman
` (141 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Christian Brauner,
stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
commit d2324a9317f00013facb0ba00b00440e19d2af5e upstream.
Even privileged services should not necessarily be able to see other
privileged services' namespaces so they can't leak information to each
other. Use may_see_all_namespaces() helper that centralizes this policy
until the nstree adapts.
Link: https://patch.msgid.link/20260226-work-visibility-fixes-v1-2-d2c2853313bd@kernel.org
Fixes: 5222470b2fbb ("nsfs: support file handles")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@kernel.org # v6.18+
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nsfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nsfs.c
+++ b/fs/nsfs.c
@@ -614,7 +614,7 @@ static struct dentry *nsfs_fh_to_dentry(
return ERR_PTR(-EOPNOTSUPP);
}
- if (owning_ns && !ns_capable(owning_ns, CAP_SYS_ADMIN)) {
+ if (owning_ns && !may_see_all_namespaces()) {
ns->ops->put(ns);
return ERR_PTR(-EPERM);
}
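Review bot: in nsfs_fh_to_dentry(), owning_ns is no longer an input to the permission decision; it now only decides whether may_see_all_namespaces() is consulted at all, so a handle whose owning_ns is NULL skips the check entirely. The old ns_capable() form skipped it too, but there the NULL test was needed to have a namespace to check against. Please add a comment stating why a NULL owning_ns needs no visibility check, or call the helper unconditionally if that case should be covered as well.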
* [PATCH 6.19 244/378] nstree: tighten permission checks for listing
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 243/378] nsfs: tighten permission checks for handle opening Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 245/378] ice: reintroduce retry mechanism for indirect AQ Greg Kroah-Hartman
` (140 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Christian Brauner,
stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
commit 8d76afe84fa2babf604b3c173730d4d2b067e361 upstream.
Even privileged services should not necessarily be able to see other
privileged services' namespaces so they can't leak information to each
other. Use may_see_all_namespaces() helper that centralizes this policy
until the nstree adapts.
Link: https://patch.msgid.link/20260226-work-visibility-fixes-v1-3-d2c2853313bd@kernel.org
Fixes: 76b6f5dfb3fd ("nstree: add listns()")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@kernel.org # v6.19+
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/nstree.c | 29 ++++-------------------------
1 file changed, 4 insertions(+), 25 deletions(-)
diff --git a/kernel/nstree.c b/kernel/nstree.c
index f36c59e6951d..6d12e5900ac0 100644
--- a/kernel/nstree.c
+++ b/kernel/nstree.c
@@ -515,32 +515,11 @@ static inline bool __must_check ns_requested(const struct klistns *kls,
static inline bool __must_check may_list_ns(const struct klistns *kls,
struct ns_common *ns)
{
- if (kls->user_ns) {
- if (kls->userns_capable)
- return true;
- } else {
- struct ns_common *owner;
- struct user_namespace *user_ns;
-
- owner = ns_owner(ns);
- if (owner)
- user_ns = to_user_ns(owner);
- else
- user_ns = &init_user_ns;
- if (ns_capable_noaudit(user_ns, CAP_SYS_ADMIN))
- return true;
- }
-
+ if (kls->user_ns && kls->userns_capable)
+ return true;
if (is_current_namespace(ns))
return true;
-
- if (ns->ns_type != CLONE_NEWUSER)
- return false;
-
- if (ns_capable_noaudit(to_user_ns(ns), CAP_SYS_ADMIN))
- return true;
-
- return false;
+ return may_see_all_namespaces();
}
static inline void ns_put(struct ns_common *ns)
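Review bot: the lines removed from may_list_ns() used ns_capable_noaudit() throughout, and the replacement returns may_see_all_namespaces(), whose audit behaviour is not visible in this patch. may_list_ns() takes a single ns and is evaluated per namespace while listing, so if the helper performs an audited capability check, an unprivileged listns() caller could generate one audit record per namespace visited. Please confirm the helper is a no-audit check, and add a short comment above may_list_ns() stating the resulting policy (the caller's own namespaces, otherwise only callers that pass may_see_all_namespaces()).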
@@ -600,7 +579,7 @@ static ssize_t do_listns_userns(struct klistns *kls)
ret = 0;
head = &to_ns_common(kls->user_ns)->ns_owner_root.ns_list_head;
- kls->userns_capable = ns_capable_noaudit(kls->user_ns, CAP_SYS_ADMIN);
+ kls->userns_capable = may_see_all_namespaces();
rcu_read_lock();
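Review bot: with kls->userns_capable now set from may_see_all_namespaces() in do_listns_userns(), the first test in may_list_ns(), if (kls->user_ns && kls->userns_capable), can only succeed when the final return may_see_all_namespaces() would succeed too (assuming the helper's result does not change during the call), so the cached field no longer expresses anything specific to kls->user_ns. Either drop userns_capable, or rename it and document that it is a per-call snapshot of the global check kept to avoid re-evaluating it for every namespace.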
--
2.53.0
* [PATCH 6.19 245/378] ice: reintroduce retry mechanism for indirect AQ
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 244/378] nstree: tighten permission checks for listing Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 246/378] kunit: irq: Ensure timer doesnt fire too frequently Greg Kroah-Hartman
` (139 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Schmidt, Jakub Staniszewski,
Dawid Osuchowski, Aleksandr Loktionov, Przemek Kitszel,
Paul Menzel, Tony Nguyen, Rinitha S
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
commit 326256c0a72d4877cec1d4df85357da106233128 upstream.
Add retry mechanism for indirect Admin Queue (AQ) commands. To do so we
need to keep the command buffer.
This technically reverts commit 43a630e37e25
("ice: remove unused buffer copy code in ice_sq_send_cmd_retry()"),
but combines it with a fix in the logic by using a kmemdup() call,
making it more robust and less likely to break in the future due to
programmer error.
Cc: Michal Schmidt <mschmidt@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 3056df93f7a8 ("ice: Re-send some AQ commands, as result of EBUSY AQ error")
Signed-off-by: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
Co-developed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Signed-off-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_common.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/net/ethernet/intel/ice/ice_common.c
+++ b/drivers/net/ethernet/intel/ice/ice_common.c
@@ -1879,6 +1879,7 @@ ice_sq_send_cmd_retry(struct ice_hw *hw,
{
struct libie_aq_desc desc_cpy;
bool is_cmd_for_retry;
+ u8 *buf_cpy = NULL;
u8 idx = 0;
u16 opcode;
int status;
@@ -1888,8 +1889,11 @@ ice_sq_send_cmd_retry(struct ice_hw *hw,
memset(&desc_cpy, 0, sizeof(desc_cpy));
if (is_cmd_for_retry) {
- /* All retryable cmds are direct, without buf. */
- WARN_ON(buf);
+ if (buf) {
+ buf_cpy = kmemdup(buf, buf_size, GFP_KERNEL);
+ if (!buf_cpy)
+ return -ENOMEM;
+ }
memcpy(&desc_cpy, desc, sizeof(desc_cpy));
}
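Review bot: in the is_cmd_for_retry block of ice_sq_send_cmd_retry(), the removed comment and WARN_ON(buf) documented the old assumption that retryable commands carry no buffer, and nothing replaces them to explain why the buffer is now duplicated. A one-line comment saying that the original contents are kept so buf can be restored before a resend would make the kmemdup() self-explanatory. GFP_KERNEL is consistent with the msleep() in the retry loop, but it would help to state in the function comment that it must be called from sleepable context.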
@@ -1901,12 +1905,14 @@ ice_sq_send_cmd_retry(struct ice_hw *hw,
hw->adminq.sq_last_status != LIBIE_AQ_RC_EBUSY)
break;
+ if (buf_cpy)
+ memcpy(buf, buf_cpy, buf_size);
memcpy(desc, &desc_cpy, sizeof(desc_cpy));
-
msleep(ICE_SQ_SEND_DELAY_TIME_MS);
} while (++idx < ICE_SQ_SEND_MAX_EXECUTE);
+ kfree(buf_cpy);
return status;
}
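Review bot: in the retry loop, memcpy(buf, buf_cpy, buf_size) sits after the break test and before msleep(), so it also runs after the last permitted attempt, when ++idx < ICE_SQ_SEND_MAX_EXECUTE is about to end the loop. In that case the caller gets the failing status with buf rewritten to the original request and an extra sleep, although nothing is resent. Consider restoring buf and desc at the start of each retry iteration instead. The blank line removed before msleep() is an unrelated whitespace change.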
* [PATCH 6.19 246/378] kunit: irq: Ensure timer doesnt fire too frequently
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 245/378] ice: reintroduce retry mechanism for indirect AQ Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 247/378] ixgbevf: fix link setup issue Greg Kroah-Hartman
` (138 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Gow, Eric Biggers
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 201ceb94aa1def0024a7c18ce643e5f65026be06 upstream.
Fix a bug where kunit_run_irq_test() could hang if the system is too
slow. This was noticed with the crypto library tests in certain VMs.
Specifically, if kunit_irq_test_timer_func() and the associated hrtimer
code took over 5us to run, then the CPU would spend all its time
executing that code in hardirq context. As a result, the task executing
kunit_run_irq_test() never had a chance to run, exit the loop, and
cancel the timer.
To fix it, make kunit_irq_test_timer_func() increase the timer interval
when the other contexts aren't having a chance to run.
Fixes: 950a81224e8b ("lib/crypto: tests: Add hash-test-template.h and gen-hash-testvecs.py")
Cc: stable@vger.kernel.org
Reviewed-by: David Gow <david@davidgow.net>
Link: https://lore.kernel.org/r/20260224033751.97615-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/kunit/run-in-irq-context.h | 44 +++++++++++++++++++++++--------------
1 file changed, 28 insertions(+), 16 deletions(-)
--- a/include/kunit/run-in-irq-context.h
+++ b/include/kunit/run-in-irq-context.h
@@ -12,16 +12,16 @@
#include <linux/hrtimer.h>
#include <linux/workqueue.h>
-#define KUNIT_IRQ_TEST_HRTIMER_INTERVAL us_to_ktime(5)
-
struct kunit_irq_test_state {
bool (*func)(void *test_specific_state);
void *test_specific_state;
bool task_func_reported_failure;
bool hardirq_func_reported_failure;
bool softirq_func_reported_failure;
+ atomic_t task_func_calls;
atomic_t hardirq_func_calls;
atomic_t softirq_func_calls;
+ ktime_t interval;
struct hrtimer timer;
struct work_struct bh_work;
};
@@ -30,14 +30,25 @@ static enum hrtimer_restart kunit_irq_te
{
struct kunit_irq_test_state *state =
container_of(timer, typeof(*state), timer);
+ int task_calls, hardirq_calls, softirq_calls;
WARN_ON_ONCE(!in_hardirq());
- atomic_inc(&state->hardirq_func_calls);
+ task_calls = atomic_read(&state->task_func_calls);
+ hardirq_calls = atomic_inc_return(&state->hardirq_func_calls);
+ softirq_calls = atomic_read(&state->softirq_func_calls);
+
+ /*
+ * If the timer is firing too often for the softirq or task to ever have
+ * a chance to run, increase the timer interval. This is needed on very
+ * slow systems.
+ */
+ if (hardirq_calls >= 20 && (softirq_calls == 0 || task_calls == 0))
+ state->interval = ktime_add_ns(state->interval, 250);
if (!state->func(state->test_specific_state))
state->hardirq_func_reported_failure = true;
- hrtimer_forward_now(&state->timer, KUNIT_IRQ_TEST_HRTIMER_INTERVAL);
+ hrtimer_forward_now(&state->timer, state->interval);
queue_work(system_bh_wq, &state->bh_work);
return HRTIMER_RESTART;
}
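Review bot: in kunit_irq_test_timer_func(), the back-off uses the bare literals 20 and 250 and grows state->interval by 250 ns on every hardirq call for as long as softirq_calls or task_calls is still 0, with no upper bound. The 1 second limit in kunit_run_irq_test() keeps this finite once the task runs, but named constants with units (a minimum-calls threshold and a step in nanoseconds) and a note on why no cap is needed would make the tuning reviewable.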
@@ -86,10 +97,14 @@ static inline void kunit_run_irq_test(st
struct kunit_irq_test_state state = {
.func = func,
.test_specific_state = test_specific_state,
+ /*
+ * Start with a 5us timer interval. If the system can't keep
+ * up, kunit_irq_test_timer_func() will increase it.
+ */
+ .interval = us_to_ktime(5),
};
unsigned long end_jiffies;
- int hardirq_calls, softirq_calls;
- bool allctx = false;
+ int task_calls, hardirq_calls, softirq_calls;
/*
* Set up a hrtimer (the way we access hardirq context) and a work
@@ -104,21 +119,18 @@ static inline void kunit_run_irq_test(st
* and hardirq), or 1 second, whichever comes first.
*/
end_jiffies = jiffies + HZ;
- hrtimer_start(&state.timer, KUNIT_IRQ_TEST_HRTIMER_INTERVAL,
- HRTIMER_MODE_REL_HARD);
- for (int task_calls = 0, calls = 0;
- ((calls < max_iterations) || !allctx) &&
- !time_after(jiffies, end_jiffies);
- task_calls++) {
+ hrtimer_start(&state.timer, state.interval, HRTIMER_MODE_REL_HARD);
+ do {
if (!func(test_specific_state))
state.task_func_reported_failure = true;
+ task_calls = atomic_inc_return(&state.task_func_calls);
hardirq_calls = atomic_read(&state.hardirq_func_calls);
softirq_calls = atomic_read(&state.softirq_func_calls);
- calls = task_calls + hardirq_calls + softirq_calls;
- allctx = (task_calls > 0) && (hardirq_calls > 0) &&
- (softirq_calls > 0);
- }
+ } while ((task_calls + hardirq_calls + softirq_calls < max_iterations ||
+ (task_calls == 0 || hardirq_calls == 0 ||
+ softirq_calls == 0)) &&
+ !time_after(jiffies, end_jiffies));
/* Cancel the timer and work. */
hrtimer_cancel(&state.timer);
* [PATCH 6.19 247/378] ixgbevf: fix link setup issue
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 246/378] kunit: irq: Ensure timer doesnt fire too frequently Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 248/378] mm: memfd_luo: always make all folios uptodate Greg Kroah-Hartman
` (137 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov,
Piotr Kwapulinski, Paul Menzel, Jedrzej Jagielski,
Rafal Romanowski, Tony Nguyen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
commit feae40a6a178bb525a15f19288016e5778102a99 upstream.
It may happen that VF spawned for E610 adapter has problem with setting
link up. This happens when ixgbevf supporting mailbox API 1.6 cooperates
with PF driver which doesn't support this version of API, and hence
doesn't support new approach for getting PF link data.
In that case VF asks PF to provide link data but, as PF doesn't support
it, it returns -EOPNOTSUPP, which leads to an early bail from the link
configuration sequence.
Avoid such situation by using legacy VFLINKS approach whenever negotiated
API version is less than 1.6.
To reproduce the issue just create VF and set its link up - adapter must
be any from the E610 family, ixgbevf must support API 1.6 or higher while
ixgbevf must not.
Fixes: 53f0eb62b4d2 ("ixgbevf: fix getting link speed data for E610 devices")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Piotr Kwapulinski <piotr.kwapulinski@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Cc: stable@vger.kernel.org
Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ixgbevf/vf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/ixgbevf/vf.c
+++ b/drivers/net/ethernet/intel/ixgbevf/vf.c
@@ -852,7 +852,8 @@ static s32 ixgbevf_check_mac_link_vf(str
if (!mac->get_link_status)
goto out;
- if (hw->mac.type == ixgbe_mac_e610_vf) {
+ if (hw->mac.type == ixgbe_mac_e610_vf &&
+ hw->api_version >= ixgbe_mbox_api_16) {
ret_val = ixgbevf_get_pf_link_state(hw, speed, link_up);
if (ret_val)
goto out;
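Review bot: the added condition hw->api_version >= ixgbe_mbox_api_16 in ixgbevf_check_mac_link_vf() relies on the mailbox API enumerators being ordered by version, which is not visible here. If the enum contains any out-of-order or special values, the relational test silently selects the wrong path; a short comment on the enum or on this test noting the ordering requirement would protect it. It would also help to say in a comment that E610 VFs with an older negotiated API intentionally fall through to the legacy VFLINKS path.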
* [PATCH 6.19 248/378] mm: memfd_luo: always make all folios uptodate
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 247/378] ixgbevf: fix link setup issue Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 249/378] mm: memfd_luo: always dirty all folios Greg Kroah-Hartman
` (136 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pratyush Yadav (Google),
Mike Rapoport (Microsoft), Pasha Tatashin, Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pratyush Yadav (Google) <pratyush@kernel.org>
commit 50d7b4332f27762d24641970fc34bb68a2621926 upstream.
Patch series "mm: memfd_luo: fixes for folio flag preservation".
This series contains a couple fixes for flag preservation for memfd live
update.
The first patch fixes memfd preservation when fallocate() was used to
pre-allocate some pages. For these memfds, all the writes to fallocated
pages touched after preserve were lost.
The second patch fixes dirty flag tracking. If the dirty flag is not
tracked correctly, the next kernel might incorrectly reclaim some folios
under memory pressure, losing user data. This is a theoretical bug that I
observed when reading the code, and haven't been able to reproduce it.
This patch (of 2):
When a folio is added to a shmem file via fallocate, it is not zeroed on
allocation. This is done as a performance optimization since it is
possible the folio will never end up being used at all. When the folio is
used, shmem checks for the uptodate flag, and if absent, zeroes the folio
(and sets the flag) before returning to user.
With LUO, the flags of each folio are saved at preserve time. It is
possible to have a memfd with some folios fallocated but not uptodate.
For those, the uptodate flag doesn't get saved. The folios might later
end up being used and become uptodate. They would get passed to the next
kernel via KHO correctly since they did get preserved. But they won't
have the MEMFD_LUO_FOLIO_UPTODATE flag.
This means that when the memfd is retrieved, the folios will be added to
the shmem file without the uptodate flag. They will be zeroed before
first use, losing the data in those folios.
Since we take a big performance hit in allocating, zeroing, and pinning
all folios at prepare time anyway, take some more and zero all
non-uptodate ones too.
Later when there is a stronger need to make prepare faster, this can be
optimized.
To avoid racing with another uptodate operation, take the folio lock.
Link: https://lkml.kernel.org/r/20260223173931.2221759-2-pratyush@kernel.org
Fixes: b3749f174d68 ("mm: memfd_luo: allow preserving memfd")
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memfd_luo.c | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/mm/memfd_luo.c b/mm/memfd_luo.c
index e485b828d173..1c9510289312 100644
--- a/mm/memfd_luo.c
+++ b/mm/memfd_luo.c
@@ -152,10 +152,31 @@ static int memfd_luo_preserve_folios(struct file *file,
if (err)
goto err_unpreserve;
+ folio_lock(folio);
+
if (folio_test_dirty(folio))
flags |= MEMFD_LUO_FOLIO_DIRTY;
- if (folio_test_uptodate(folio))
- flags |= MEMFD_LUO_FOLIO_UPTODATE;
+
+ /*
+ * If the folio is not uptodate, it was fallocated but never
+ * used. Saving this flag at prepare() doesn't work since it
+ * might change later when someone uses the folio.
+ *
+ * Since we have taken the performance penalty of allocating,
+ * zeroing, and pinning all the folios in the holes, take a bit
+ * more and zero all non-uptodate folios too.
+ *
+ * NOTE: For someone looking to improve preserve performance,
+ * this is a good place to look.
+ */
+ if (!folio_test_uptodate(folio)) {
+ folio_zero_range(folio, 0, folio_size(folio));
+ flush_dcache_folio(folio);
+ folio_mark_uptodate(folio);
+ }
+ flags |= MEMFD_LUO_FOLIO_UPTODATE;
+
+ folio_unlock(folio);
pfolio->pfn = folio_pfn(folio);
pfolio->flags = flags;
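Review bot: folio_lock()/folio_unlock() are added around the flag sampling in memfd_luo_preserve_folios(), but the reason (avoiding a race with another uptodate operation) appears only in the changelog, not in the new comment. Please fold that sentence into the comment next to folio_lock(). The comment also says "Saving this flag at prepare()" while the function name and the NOTE speak of preserve; use one name for the stage.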
--
2.53.0
* [PATCH 6.19 249/378] mm: memfd_luo: always dirty all folios
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 248/378] mm: memfd_luo: always make all folios uptodate Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 250/378] mm/huge_memory: fix a folio_split() race condition with folio_try_get() Greg Kroah-Hartman
` (135 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pratyush Yadav (Google),
Mike Rapoport (Microsoft), Pasha Tatashin, Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pratyush Yadav (Google) <pratyush@kernel.org>
commit 7e04bf1f33151a30e06a65b74b5f2c19fc2be128 upstream.
A dirty folio is one which has been written to. A clean folio is its
opposite. Since a clean folio has no user data, it can be freed under
memory pressure.
memfd preservation with LUO saves the flag at preserve(). This is
problematic. The folio might get dirtied later. Saving it at freeze()
also doesn't work, since the dirty bit from PTE is normally synced at
unmap and there might still be mappings of the file at freeze().
To see why this is a problem, say a folio is clean at preserve, but gets
dirtied later. The serialized state of the folio will mark it as clean.
After retrieve, the next kernel will see the folio as clean and might try
to reclaim it under memory pressure. This will result in losing user
data.
Mark all folios of the file as dirty, and always set the
MEMFD_LUO_FOLIO_DIRTY flag. This comes with the side effect of making all
clean folios un-reclaimable. This is a cost that has to be paid for
participants of live update. It is not expected to be a common use case
to preserve a lot of clean folios anyway.
Since the value of pfolio->flags is a constant now, drop the flags
variable and set it directly.
Link: https://lkml.kernel.org/r/20260223173931.2221759-3-pratyush@kernel.org
Fixes: b3749f174d68 ("mm: memfd_luo: allow preserving memfd")
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memfd_luo.c | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/mm/memfd_luo.c b/mm/memfd_luo.c
index 1c9510289312..b8edb9f981d7 100644
--- a/mm/memfd_luo.c
+++ b/mm/memfd_luo.c
@@ -146,7 +146,6 @@ static int memfd_luo_preserve_folios(struct file *file,
for (i = 0; i < nr_folios; i++) {
struct memfd_luo_folio_ser *pfolio = &folios_ser[i];
struct folio *folio = folios[i];
- unsigned int flags = 0;
err = kho_preserve_folio(folio);
if (err)
@@ -154,8 +153,26 @@ static int memfd_luo_preserve_folios(struct file *file,
folio_lock(folio);
- if (folio_test_dirty(folio))
- flags |= MEMFD_LUO_FOLIO_DIRTY;
+ /*
+ * A dirty folio is one which has been written to. A clean folio
+ * is its opposite. Since a clean folio does not carry user
+ * data, it can be freed by page reclaim under memory pressure.
+ *
+ * Saving the dirty flag at prepare() time doesn't work since it
+ * can change later. Saving it at freeze() also won't work
+ * because the dirty bit is normally synced at unmap and there
+ * might still be a mapping of the file at freeze().
+ *
+ * To see why this is a problem, say a folio is clean at
+ * preserve, but gets dirtied later. The pfolio flags will mark
+ * it as clean. After retrieve, the next kernel might try to
+ * reclaim this folio under memory pressure, losing user data.
+ *
+ * Unconditionally mark it dirty to avoid this problem. This
+ * comes at the cost of making clean folios un-reclaimable after
+ * live update.
+ */
+ folio_mark_dirty(folio);
/*
* If the folio is not uptodate, it was fallocated but never
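Review bot: folio_mark_dirty() is placed ahead of the non-uptodate block that follows it, so a fallocated-but-unused folio is marked dirty while it is still !uptodate and not yet zeroed. Both steps run under folio_lock(), so this may well be harmless, but calling folio_mark_dirty() after folio_mark_uptodate() would keep the conventional order at no cost. The new comment also says "prepare() time" while its own third paragraph, and the function name, say preserve.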
@@ -174,12 +191,11 @@ static int memfd_luo_preserve_folios(struct file *file,
flush_dcache_folio(folio);
folio_mark_uptodate(folio);
}
- flags |= MEMFD_LUO_FOLIO_UPTODATE;
folio_unlock(folio);
pfolio->pfn = folio_pfn(folio);
- pfolio->flags = flags;
+ pfolio->flags = MEMFD_LUO_FOLIO_DIRTY | MEMFD_LUO_FOLIO_UPTODATE;
pfolio->index = folio->index;
}
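Review bot: at `pfolio->flags = MEMFD_LUO_FOLIO_DIRTY | MEMFD_LUO_FOLIO_UPTODATE;` every serialized folio now carries the same two bits, so the field no longer distinguishes one folio from another. A one-line comment at the assignment saying the value is intentionally constant, and why the field is still written, would keep someone from reintroducing a per-folio test here.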
--
2.53.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 250/378] mm/huge_memory: fix a folio_split() race condition with folio_try_get()
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zi Yan, Bas van Dijk, Lance Yang,
Lorenzo Stoakes, Wei Yang, Baolin Wang, Barry Song,
David Hildenbrand, Dev Jain, Hugh Dickins, Liam Howlett,
Matthew Wilcox (Oracle), Nico Pache, Ryan Roberts, Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zi Yan <ziy@nvidia.com>
commit 577a1f495fd78d8fb61b67ac3d3b595b01f6fcb0 upstream.
During a pagecache folio split, the values in the related xarray should
not be changed from the original folio at xarray split time until all
after-split folios are well formed and stored in the xarray. Current use
of xas_try_split() in __split_unmapped_folio() lets some after-split
folios show up at wrong indices in the xarray. When these misplaced
after-split folios are unfrozen, before correct folios are stored via
__xa_store(), and grabbed by folio_try_get(), they are returned to
userspace at wrong file indices, causing data corruption. More detailed
explanation is at the bottom.
The reproducer is at: https://github.com/dfinity/thp-madv-remove-test
It
1. creates a memfd,
2. forks,
3. in the child process, maps the file with large folios (via shmem code
path) and reads the mapped file continuously with 16 threads,
4. in the parent process, uses madvise(MADV_REMOVE) to punch holes in the
large folio.
Data corruption can be observed without the fix. Basically, data from a
wrong page->index is returned.
Fix it by using the original folio in xas_try_split() calls, so that
folio_try_get() can get the right after-split folios after the original
folio is unfrozen.
Uniform split, split_huge_page*(), is not affected, since it uses
xas_split_alloc() and xas_split() only once and stores the original folio
in the xarray. Change xas_split() used in uniform split branch to use the
original folio to avoid confusion.
Fixes below points to the commit that introduces the code, but folio_split() is
used in a later commit 7460b470a131f ("mm/truncate: use folio_split() in
truncate operation").
More details:
For example, a folio f is split non-uniformly into f, f2, f3, f4 like
below:
+----------------+---------+----+----+
| f | f2 | f3 | f4 |
+----------------+---------+----+----+
but the xarray would look like below after __split_unmapped_folio() is
done:
+----------------+---------+----+----+
| f | f2 | f3 | f3 |
+----------------+---------+----+----+
After __split_unmapped_folio(), the code changes the xarray and unfreezes
after-split folios:
1. unfreezes f2, __xa_store(f2)
2. unfreezes f3, __xa_store(f3)
3. unfreezes f4, __xa_store(f4), which overwrites the second f3 to f4.
4. unfreezes f.
Meanwhile, a parallel filemap_get_entry() can read the second f3 from the
xarray and use folio_try_get() on it at step 2 when f3 is unfrozen. Then,
f3 is wrongly returned to user.
After the fix, the xarray looks like below after __split_unmapped_folio():
+----------------+---------+----+----+
| f | f | f | f |
+----------------+---------+----+----+
so that the race window no longer exists.
[ziy@nvidia.com: move comment, per David]
Link: https://lkml.kernel.org/r/5C9FA053-A4C6-4615-BE05-74E47A6462B3@nvidia.com
Link: https://lkml.kernel.org/r/20260302203159.3208341-1-ziy@nvidia.com
Fixes: 00527733d0dc ("mm/huge_memory: add two new (not yet used) functions for folio_split()")
Signed-off-by: Zi Yan <ziy@nvidia.com>
Reported-by: Bas van Dijk <bas@dfinity.org>
Closes: https://lore.kernel.org/all/CAKNNEtw5_kZomhkugedKMPOG-sxs5Q5OLumWJdiWXv+C9Yct0w@mail.gmail.com/
Tested-by: Lance Yang <lance.yang@linux.dev>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Reviewed-by: Wei Yang <richard.weiyang@gmail.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Barry Song <baohua@kernel.org>
Cc: David Hildenbrand <david@kernel.org>
Cc: Dev Jain <dev.jain@arm.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Nico Pache <npache@redhat.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/huge_memory.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -3631,6 +3631,7 @@ static int __split_unmapped_folio(struct
const bool is_anon = folio_test_anon(folio);
int old_order = folio_order(folio);
int start_order = split_type == SPLIT_TYPE_UNIFORM ? new_order : old_order - 1;
+ struct folio *old_folio = folio;
int split_order;
/*
@@ -3651,12 +3652,16 @@ static int __split_unmapped_folio(struct
* uniform split has xas_split_alloc() called before
* irq is disabled to allocate enough memory, whereas
* non-uniform split can handle ENOMEM.
+ * Use the to-be-split folio, so that a parallel
+ * folio_try_get() waits on it until xarray is updated
+ * with after-split folios and the original one is
+ * unfrozen.
*/
- if (split_type == SPLIT_TYPE_UNIFORM)
- xas_split(xas, folio, old_order);
- else {
+ if (split_type == SPLIT_TYPE_UNIFORM) {
+ xas_split(xas, old_folio, old_order);
+ } else {
xas_set_order(xas, folio->index, split_order);
- xas_try_split(xas, folio, old_order);
+ xas_try_split(xas, old_folio, old_order);
if (xas_error(xas))
return xas_error(xas);
}
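Review bot: in the non-uniform branch, xas_set_order() still takes folio->index while xas_try_split() now takes old_folio, and nothing in the comment says why the index comes from one pointer and the stored entry from the other. The new sentence is also appended straight onto the ENOMEM explanation; separating it with a blank comment line and naming old_folio explicitly ("store old_folio, not the current folio, because ...") would make the invariant harder to break in a later cleanup.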
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 251/378] mm/damon/core: clear walk_control on inactive context in damos_walk()
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raul Pazemecxas De Andrade,
SeongJae Park, Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raul Pazemecxas De Andrade <raul_pazemecxas@hotmail.com>
commit d210fdcac9c0d1380eab448aebc93f602c1cd4e6 upstream.
damos_walk() sets ctx->walk_control to the caller-provided control
structure before checking whether the context is running. If the context
is inactive (damon_is_running() returns false), the function returns
-EINVAL without clearing ctx->walk_control. This leaves a dangling
pointer to a stack-allocated structure that will be freed when the caller
returns.
This is structurally identical to the bug fixed in commit f9132fbc2e83
("mm/damon/core: remove call_control in inactive contexts") for
damon_call(), which had the same pattern of linking a control object and
returning an error without unlinking it.
The dangling walk_control pointer can cause:
1. Use-after-free if the context is later started and kdamond
dereferences ctx->walk_control (e.g., in damos_walk_cancel()
which writes to control->canceled and calls complete())
2. Permanent -EBUSY from subsequent damos_walk() calls, since the
stale pointer is non-NULL
Nonetheless, the real user impact is quite restrictive. The
use-after-free is impossible because there is no damos_walk() callers who
starts the context later. The permanent -EBUSY can actually confuse
users, as DAMON is not running. But the symptom is kept only while the
context is turned off. Turning it on again will make DAMON internally
uses a newly generated damon_ctx object that doesn't have the invalid
damos_walk_control pointer, so everything will work fine again.
Fix this by clearing ctx->walk_control under walk_control_lock before
returning -EINVAL, mirroring the fix pattern from f9132fbc2e83.
Link: https://lkml.kernel.org/r/20260224011102.56033-1-sj@kernel.org
Fixes: bf0eaba0ff9c ("mm/damon/core: implement damos_walk()")
Reported-by: Raul Pazemecxas De Andrade <raul_pazemecxas@hotmail.com>
Closes: https://lore.kernel.org/CPUPR80MB8171025468965E583EF2490F956CA@CPUPR80MB8171.lamprd80.prod.outlook.com
Signed-off-by: Raul Pazemecxas De Andrade <raul_pazemecxas@hotmail.com>
Signed-off-by: SeongJae Park <sj@kernel.org>
Reviewed-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> [6.14+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -1531,8 +1531,13 @@ int damos_walk(struct damon_ctx *ctx, st
}
ctx->walk_control = control;
mutex_unlock(&ctx->walk_control_lock);
- if (!damon_is_running(ctx))
+ if (!damon_is_running(ctx)) {
+ mutex_lock(&ctx->walk_control_lock);
+ if (ctx->walk_control == control)
+ ctx->walk_control = NULL;
+ mutex_unlock(&ctx->walk_control_lock);
return -EINVAL;
+ }
wait_for_completion(&control->completion);
if (control->canceled)
return -ECANCELED;
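Review bot: the guard `if (ctx->walk_control == control)` in the new error branch implies that something else can replace or clear walk_control between the mutex_unlock() above and the re-lock, but the hunk does not say who. A short comment naming that path would help, because the pointer is still published and the lock dropped before damon_is_running() is checked, so the window the guard protects against remains open by design and the next reader needs to know that.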
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 252/378] mm/slab: fix an incorrect check in obj_exts_alloc_size()
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zw Tang, Harry Yoo,
Vlastimil Babka (SUSE)
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harry Yoo <harry.yoo@oracle.com>
commit 8dafa9f5900c4855a65dbfee51e3bd00636deee1 upstream.
obj_exts_alloc_size() prevents recursive allocation of slabobj_ext
array from the same cache, to avoid creating slabs that are never freed.
There is one mistake that returns the original size when memory
allocation profiling is disabled. The assumption was that
memcg-triggered slabobj_ext allocation is always served from
KMALLOC_CGROUP type. But this is wrong [1]: when the caller specifies
both __GFP_RECLAIMABLE and __GFP_ACCOUNT with SLUB_TINY enabled, the
allocation is served from normal kmalloc. This is because kmalloc_type()
prioritizes __GFP_RECLAIMABLE over __GFP_ACCOUNT, and SLUB_TINY aliases
KMALLOC_RECLAIM with KMALLOC_NORMAL.
As a result, the recursion guard is bypassed and the problematic slabs
can be created. Fix this by removing the mem_alloc_profiling_enabled()
check entirely. The remaining is_kmalloc_normal() check is still
sufficient to detect whether the cache is of KMALLOC_NORMAL type and
avoid bumping the size if it's not.
Without SLUB_TINY, no functional change intended.
With SLUB_TINY, allocations with __GFP_ACCOUNT|__GFP_RECLAIMABLE
now allocate a larger array if the sizes equal.
Reported-by: Zw Tang <shicenci@gmail.com>
Fixes: 280ea9c3154b ("mm/slab: avoid allocating slabobj_ext array from its own slab")
Closes: https://lore.kernel.org/linux-mm/CAPHJ_VKuMKSke8b11AZQw1PTSFN4n2C0gFxC6xGOG0ZLHgPmnA@mail.gmail.com [1]
Cc: stable@vger.kernel.org
Signed-off-by: Harry Yoo <harry.yoo@oracle.com>
Link: https://patch.msgid.link/20260309072219.22653-1-harry.yoo@oracle.com
Tested-by: Zw Tang <shicenci@gmail.com>
Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/slub.c | 7 -------
1 file changed, 7 deletions(-)
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2113,13 +2113,6 @@ static inline size_t obj_exts_alloc_size
size_t sz = sizeof(struct slabobj_ext) * slab->objects;
struct kmem_cache *obj_exts_cache;
- /*
- * slabobj_ext array for KMALLOC_CGROUP allocations
- * are served from KMALLOC_NORMAL caches.
- */
- if (!mem_alloc_profiling_enabled())
- return sz;
-
if (sz > KMALLOC_MAX_CACHE_SIZE)
return sz;
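Review bot: deleting the early return also deletes the only comment at the top of obj_exts_alloc_size(), so the function no longer records why the recursion guard must run even when memory allocation profiling is off. A replacement comment stating the case from the changelog (__GFP_RECLAIMABLE together with __GFP_ACCOUNT under SLUB_TINY being served from normal kmalloc) would stop the check from being added back as an optimisation.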
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 253/378] staging: sm750fb: add missing pci_release_region on error and removal
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Artem Lytkin, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Artem Lytkin <iprintercanon@gmail.com>
commit 8225489ddb900656cc21573b4e1b00c9181fd777 upstream.
hw_sm750_map() calls pci_request_region() but never releases the
region on error paths or in lynxfb_pci_remove(). This causes a
resource leak that prevents the PCI region from being mapped again
after driver removal or a failed probe. A TODO comment in the code
acknowledges this missing cleanup.
Restructure the error handling in hw_sm750_map() to properly release
the PCI region on ioremap failures, and add pci_release_region() to
lynxfb_pci_remove().
Signed-off-by: Artem Lytkin <iprintercanon@gmail.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260216202038.1828-1-iprintercanon@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/sm750fb/sm750.c | 1 +
drivers/staging/sm750fb/sm750_hw.c | 22 +++++++++++-----------
2 files changed, 12 insertions(+), 11 deletions(-)
--- a/drivers/staging/sm750fb/sm750.c
+++ b/drivers/staging/sm750fb/sm750.c
@@ -1123,6 +1123,7 @@ static void lynxfb_pci_remove(struct pci
iounmap(sm750_dev->pvReg);
iounmap(sm750_dev->pvMem);
+ pci_release_region(pdev, 1);
kfree(g_settings);
}
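Review bot: `pci_release_region(pdev, 1);` in lynxfb_pci_remove() repeats the literal BAR number that hw_sm750_map() passes to pci_request_region() in the other file. A shared named constant for that BAR would keep the request and the two release sites from drifting apart.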
--- a/drivers/staging/sm750fb/sm750_hw.c
+++ b/drivers/staging/sm750fb/sm750_hw.c
@@ -36,16 +36,11 @@ int hw_sm750_map(struct sm750_dev *sm750
pr_info("mmio phyAddr = %lx\n", sm750_dev->vidreg_start);
- /*
- * reserve the vidreg space of smi adaptor
- * if you do this, you need to add release region code
- * in lynxfb_remove, or memory will not be mapped again
- * successfully
- */
+ /* reserve the vidreg space of smi adaptor */
ret = pci_request_region(pdev, 1, "sm750fb");
if (ret) {
pr_err("Can not request PCI regions.\n");
- goto exit;
+ return ret;
}
/* now map mmio and vidmem */
@@ -54,7 +49,7 @@ int hw_sm750_map(struct sm750_dev *sm750
if (!sm750_dev->pvReg) {
pr_err("mmio failed\n");
ret = -EFAULT;
- goto exit;
+ goto err_release_region;
}
pr_info("mmio virtual addr = %p\n", sm750_dev->pvReg);
@@ -79,13 +74,18 @@ int hw_sm750_map(struct sm750_dev *sm750
sm750_dev->pvMem =
ioremap_wc(sm750_dev->vidmem_start, sm750_dev->vidmem_size);
if (!sm750_dev->pvMem) {
- iounmap(sm750_dev->pvReg);
pr_err("Map video memory failed\n");
ret = -EFAULT;
- goto exit;
+ goto err_unmap_reg;
}
pr_info("video memory vaddr = %p\n", sm750_dev->pvMem);
-exit:
+
+ return 0;
+
+err_unmap_reg:
+ iounmap(sm750_dev->pvReg);
+err_release_region:
+ pci_release_region(pdev, 1);
return ret;
}
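Review bot: on the err_unmap_reg path, sm750_dev->pvReg is left pointing at the range that was just unmapped. lynxfb_pci_remove() calls iounmap() on the same field, so setting `sm750_dev->pvReg = NULL;` after the iounmap() here would make any later cleanup that touches the struct safe rather than relying on the caller never reaching it after a failed map.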
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 254/378] staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Navaneeth K
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f0109b9d3e1e455429279d602f6276e34689750a upstream.
Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds
read in rtw_get_ie() parser"), we don't trust the data in the frame so
we should check the length better before acting on it.
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Tested-by: Navaneeth K <knavaneeth786@gmail.com>
Reviewed-by: Navaneeth K <knavaneeth786@gmail.com>
Link: https://patch.msgid.link/2026022336-arrange-footwork-6e54@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
@@ -185,20 +185,25 @@ u8 *rtw_get_ie_ex(u8 *in_ie, uint in_len
cnt = 0;
- while (cnt < in_len) {
+ while (cnt + 2 <= in_len) {
+ u8 ie_len = in_ie[cnt + 1];
+
+ if (cnt + 2 + ie_len > in_len)
+ break;
+
if (eid == in_ie[cnt]
- && (!oui || !memcmp(&in_ie[cnt+2], oui, oui_len))) {
+ && (!oui || (ie_len >= oui_len && !memcmp(&in_ie[cnt + 2], oui, oui_len)))) {
target_ie = &in_ie[cnt];
if (ie)
- memcpy(ie, &in_ie[cnt], in_ie[cnt+1]+2);
+ memcpy(ie, &in_ie[cnt], ie_len + 2);
if (ielen)
- *ielen = in_ie[cnt+1]+2;
+ *ielen = ie_len + 2;
break;
}
- cnt += in_ie[cnt+1]+2; /* goto next */
+ cnt += ie_len + 2; /* goto next */
}
return target_ie;
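Review bot: `memcpy(ie, &in_ie[cnt], ie_len + 2);` is now bounded on the source side, but nothing in the hunk bounds the destination, and ie_len + 2 can be as large as 257. If the function's contract is that `ie` must hold a maximum-size element, that should be stated in a comment above rtw_get_ie_ex(); otherwise a destination size parameter is needed.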
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 255/378] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Luka Gejak, Dan Carpenter
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luka Gejak <luka.gejak@linux.dev>
commit a75281626fc8fa6dc6c9cc314ee423e8bc45203b upstream.
The current code checks 'i + 5 < in_len' at the end of the if statement.
However, it accesses 'in_ie[i + 5]' before that check, which can lead
to an out-of-bounds read. Move the length check to the beginning of the
conditional to ensure the index is within bounds before accessing the
array.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/20260224132647.11642-2-luka.gejak@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -2002,7 +2002,10 @@ int rtw_restruct_wmm_ie(struct adapter *
while (i < in_len) {
ielength = initial_out_len;
- if (in_ie[i] == 0xDD && in_ie[i+2] == 0x00 && in_ie[i+3] == 0x50 && in_ie[i+4] == 0xF2 && in_ie[i+5] == 0x02 && i+5 < in_len) { /* WMM element ID and OUI */
+ if (i + 5 < in_len &&
+ in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 &&
+ in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 &&
+ in_ie[i + 5] == 0x02) {
for (j = i; j < i + 9; j++) {
out_ie[ielength] = in_ie[j];
ielength++;
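Review bot: the moved check `i + 5 < in_len` covers the reads in the condition, but the loop it guards, `for (j = i; j < i + 9; j++)`, reads in_ie[j] up to index i + 8, so the last three bytes of the copy can still fall outside the buffer. The condition should require the whole 9-byte span (for example `i + 9 <= in_len`), or the copy length should be taken from the element's own length byte after validating it against in_len.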
^ permalink raw reply [flat|nested] 396+ messages in thread
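The bounded element walk that patches 254/378 and 255/378 above both move toward, written as an added user-space example; it is not code from the rtl8723bs driver or from these patches. `find_ie()`, `wmm_offset()` and the sample frames are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * find_ie() is a hypothetical helper (not a driver function). It walks
 * elements laid out as [id:1][len:1][payload:len] and returns the first one
 * whose id matches and, when oui is non-NULL, whose payload starts with the
 * oui_len bytes at oui. Every read is checked against buf_len first.
 */
static const uint8_t *find_ie(const uint8_t *buf, size_t buf_len, uint8_t id,
			      const uint8_t *oui, size_t oui_len,
			      size_t *ie_total)
{
	size_t pos = 0;

	/* Both header bytes must exist before the length byte is read. */
	while (buf_len - pos >= 2) {
		size_t len = buf[pos + 1];

		/* The declared payload must fit in what is left. */
		if (len > buf_len - pos - 2)
			return NULL;

		/* Only compare the OUI if the payload is long enough. */
		if (buf[pos] == id &&
		    (!oui || (len >= oui_len &&
			      !memcmp(&buf[pos + 2], oui, oui_len)))) {
			if (ie_total)
				*ie_total = len + 2;
			return &buf[pos];
		}
		pos += len + 2;	/* stays <= buf_len because of the check above */
	}
	return NULL;
}

/* Constructed sample data, not captured traffic. */
static const uint8_t WMM_OUI[4] = { 0x00, 0x50, 0xF2, 0x02 };

/* SSID element followed by a complete 9-byte WMM vendor element. */
static const uint8_t FRAME_OK[] = {
	0x00, 0x03, 'a', 'b', 'c',
	0xDD, 0x07, 0x00, 0x50, 0xF2, 0x02, 0x00, 0x01, 0x00,
};

/* Vendor element claims 7 payload bytes but only 2 are present. */
static const uint8_t FRAME_TRUNC[] = {
	0x00, 0x03, 'a', 'b', 'c',
	0xDD, 0x07, 0x00, 0x50,
};

/* Well-formed vendor element whose payload is shorter than the OUI. */
static const uint8_t FRAME_SHORT_VENDOR[] = { 0xDD, 0x02, 0x00, 0x50 };

/* Offset of the WMM element in frame, or -1 when absent or malformed. */
static long wmm_offset(const uint8_t *frame, size_t len, size_t *total)
{
	const uint8_t *ie = find_ie(frame, len, 0xDD, WMM_OUI,
				    sizeof(WMM_OUI), total);

	return ie ? (long)(ie - frame) : -1;
}

int main(void)
{
	size_t n = 0;
	long off = wmm_offset(FRAME_OK, sizeof(FRAME_OK), &n);

	printf("complete frame:  offset %ld, %zu bytes\n", off, n);
	printf("truncated frame: offset %ld\n",
	       wmm_offset(FRAME_TRUNC, sizeof(FRAME_TRUNC), NULL));
	printf("short vendor IE: offset %ld\n",
	       wmm_offset(FRAME_SHORT_VENDOR, sizeof(FRAME_SHORT_VENDOR), NULL));
	return 0;
}
```

A caller that copies the element out should size the copy from the returned total and check it against the destination capacity, rather than copying a fixed byte count.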
* [PATCH 6.19 256/378] pinctrl: cy8c95x0: Dont miss reading the last bank registers
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Linus Walleij
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit b6c3af46c26f2d07c10a1452adc34b821719327e upstream.
When code had been changed to use for_each_set_clump8(), it mistakenly
switched from chip->nport to chip->tpin since the cy8c9540 and cy8c9560
have a 4-pin gap. This, in particular, led to the missed read of
the last bank interrupt status register and hence missing interrupts
on those pins. Restore the upper limit in for_each_set_clump8() to take
into consideration that gap.
Fixes: 83e29a7a1fdf ("pinctrl: cy8c95x0; Switch to use for_each_set_clump8()")
Cc: stable@vger.kernel.org
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/pinctrl-cy8c95x0.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/pinctrl/pinctrl-cy8c95x0.c
+++ b/drivers/pinctrl/pinctrl-cy8c95x0.c
@@ -627,7 +627,7 @@ static int cy8c95x0_write_regs_mask(stru
bitmap_scatter(tmask, mask, chip->map, MAX_LINE);
bitmap_scatter(tval, val, chip->map, MAX_LINE);
- for_each_set_clump8(offset, bits, tmask, chip->tpin) {
+ for_each_set_clump8(offset, bits, tmask, chip->nport * BANK_SZ) {
unsigned int i = offset / 8;
write_val = bitmap_get_value8(tval, offset);
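Review bot: the new upper limit `chip->nport * BANK_SZ` is applied to tmask, which the bitmap_scatter() calls just above fill with MAX_LINE bits. Nothing in the hunk shows that nport * BANK_SZ can never exceed MAX_LINE; a comment or a build-time or probe-time check stating that bound would make the iteration limit self-evidently safe.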
@@ -655,7 +655,7 @@ static int cy8c95x0_read_regs_mask(struc
bitmap_scatter(tmask, mask, chip->map, MAX_LINE);
bitmap_scatter(tval, val, chip->map, MAX_LINE);
- for_each_set_clump8(offset, bits, tmask, chip->tpin) {
+ for_each_set_clump8(offset, bits, tmask, chip->nport * BANK_SZ) {
unsigned int i = offset / 8;
ret = cy8c95x0_regmap_read_bits(chip, reg, i, bits, &read_val);
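Review bot: the read path repeats the same `chip->nport * BANK_SZ` expression as the write path, and neither site explains why it differs from chip->tpin. A small helper or a one-line comment about the 4-pin gap on cy8c9540 and cy8c9560 would keep the two loops from being "simplified" back to tpin, which is how the regression described in the changelog was introduced.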
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 257/378] selftests: fix mntns iteration selftests
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Christian Brauner,
stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
commit 4c7b2ec23cc5d880e3ffe35e8c2aad686b67723a upstream.
Now that we changed permission checking make sure that we reflect that
in the selftests.
Link: https://patch.msgid.link/20260226-work-visibility-fixes-v1-4-d2c2853313bd@kernel.org
Fixes: 9d87b1067382 ("selftests: add tests for mntns iteration")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@kernel.org # v6.14+
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/filesystems/nsfs/iterate_mntns.c | 25 +++++++++------
1 file changed, 15 insertions(+), 10 deletions(-)
--- a/tools/testing/selftests/filesystems/nsfs/iterate_mntns.c
+++ b/tools/testing/selftests/filesystems/nsfs/iterate_mntns.c
@@ -37,17 +37,20 @@ FIXTURE(iterate_mount_namespaces) {
__u64 mnt_ns_id[MNT_NS_COUNT];
};
+static inline bool mntns_in_list(__u64 *mnt_ns_id, struct mnt_ns_info *info)
+{
+ for (int i = 0; i < MNT_NS_COUNT; i++) {
+ if (mnt_ns_id[i] == info->mnt_ns_id)
+ return true;
+ }
+ return false;
+}
+
FIXTURE_SETUP(iterate_mount_namespaces)
{
for (int i = 0; i < MNT_NS_COUNT; i++)
self->fd_mnt_ns[i] = -EBADF;
- /*
- * Creating a new user namespace let's us guarantee that we only see
- * mount namespaces that we did actually create.
- */
- ASSERT_EQ(unshare(CLONE_NEWUSER), 0);
-
for (int i = 0; i < MNT_NS_COUNT; i++) {
struct mnt_ns_info info = {};
@@ -75,13 +78,15 @@ TEST_F(iterate_mount_namespaces, iterate
fd_mnt_ns_cur = fcntl(self->fd_mnt_ns[0], F_DUPFD_CLOEXEC);
ASSERT_GE(fd_mnt_ns_cur, 0);
- for (;; count++) {
+ for (;;) {
struct mnt_ns_info info = {};
int fd_mnt_ns_next;
fd_mnt_ns_next = ioctl(fd_mnt_ns_cur, NS_MNT_GET_NEXT, &info);
if (fd_mnt_ns_next < 0 && errno == ENOENT)
break;
+ if (mntns_in_list(self->mnt_ns_id, &info))
+ count++;
ASSERT_GE(fd_mnt_ns_next, 0);
ASSERT_EQ(close(fd_mnt_ns_cur), 0);
fd_mnt_ns_cur = fd_mnt_ns_next;
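Review bot: `if (mntns_in_list(self->mnt_ns_id, &info))` runs before `ASSERT_GE(fd_mnt_ns_next, 0);`, so when the ioctl fails with anything other than ENOENT the test inspects an info struct the kernel never filled in before it aborts. Moving the ASSERT_GE() above the membership check keeps the count from ever being derived from a failed call; the same ordering appears in the NS_MNT_GET_PREV loop in the next hunk.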
@@ -96,13 +101,15 @@ TEST_F(iterate_mount_namespaces, iterate
fd_mnt_ns_cur = fcntl(self->fd_mnt_ns[MNT_NS_LAST_INDEX], F_DUPFD_CLOEXEC);
ASSERT_GE(fd_mnt_ns_cur, 0);
- for (;; count++) {
+ for (;;) {
struct mnt_ns_info info = {};
int fd_mnt_ns_prev;
fd_mnt_ns_prev = ioctl(fd_mnt_ns_cur, NS_MNT_GET_PREV, &info);
if (fd_mnt_ns_prev < 0 && errno == ENOENT)
break;
+ if (mntns_in_list(self->mnt_ns_id, &info))
+ count++;
ASSERT_GE(fd_mnt_ns_prev, 0);
ASSERT_EQ(close(fd_mnt_ns_cur), 0);
fd_mnt_ns_cur = fd_mnt_ns_prev;
@@ -125,7 +132,6 @@ TEST_F(iterate_mount_namespaces, iterate
ASSERT_GE(fd_mnt_ns_next, 0);
ASSERT_EQ(close(fd_mnt_ns_cur), 0);
fd_mnt_ns_cur = fd_mnt_ns_next;
- ASSERT_EQ(info.mnt_ns_id, self->mnt_ns_id[i]);
}
}
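Review bot: dropping `ASSERT_EQ(info.mnt_ns_id, self->mnt_ns_id[i]);` leaves this loop checking only that the ioctl succeeds, so the test no longer verifies the order in which namespaces are returned. If foreign namespaces can now appear in the walk, the loop could skip entries for which mntns_in_list() is false and still assert the relative order of the ones the fixture created, which would preserve the original coverage.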
@@ -144,7 +150,6 @@ TEST_F(iterate_mount_namespaces, iterate
ASSERT_GE(fd_mnt_ns_prev, 0);
ASSERT_EQ(close(fd_mnt_ns_cur), 0);
fd_mnt_ns_cur = fd_mnt_ns_prev;
- ASSERT_EQ(info.mnt_ns_id, self->mnt_ns_id[i]);
}
}
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 258/378] media: dvb-net: fix OOB access in ULE extension header tables
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ariel Silver, Mauro Carvalho Chehab
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ariel Silver <arielsilver77@gmail.com>
commit 24d87712727a5017ad142d63940589a36cd25647 upstream.
The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables
in handle_one_ule_extension() are declared with 255 elements (valid
indices 0-254), but the index htype is derived from network-controlled
data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When
htype equals 255, an out-of-bounds read occurs on the function pointer
table, and the OOB value may be called as a function pointer.
Add a bounds check on htype against the array size before either table
is accessed. Out-of-range values now cause the SNDU to be discarded.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Ariel Silver <arielsilver77@gmail.com>
Signed-off-by: Ariel Silver <arielsilver77@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/dvb-core/dvb_net.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/media/dvb-core/dvb_net.c
+++ b/drivers/media/dvb-core/dvb_net.c
@@ -228,6 +228,9 @@ static int handle_one_ule_extension( str
unsigned char hlen = (p->ule_sndu_type & 0x0700) >> 8;
unsigned char htype = p->ule_sndu_type & 0x00FF;
+ if (htype >= ARRAY_SIZE(ule_mandatory_ext_handlers))
+ return -1;
+
/* Discriminate mandatory and optional extension headers. */
if (hlen == 0) {
/* Mandatory extension header */
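Review bot: The new check bounds htype against ARRAY_SIZE(ule_mandatory_ext_handlers) only, yet the commit message says it protects both ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[]. That holds only while the two tables have the same length, which nothing in this hunk enforces. Either add a BUILD_BUG_ON() that the two ARRAY_SIZE() values are equal, or move the check into each branch against the table that branch indexes. A one-line comment saying that htype comes from the received SNDU type field and that returning -1 discards the SNDU would also help the next reader.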
* [PATCH 6.19 259/378] net: mana: Ring doorbell at 4 CQ wraparounds
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Long Li, Haiyang Zhang,
Vadim Fedorenko, Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <longli@microsoft.com>
commit dabffd08545ffa1d7183bc45e387860984025291 upstream.
MANA hardware requires at least one doorbell ring every 8 wraparounds
of the CQ. The driver rings the doorbell as a form of flow control to
inform hardware that CQEs have been consumed.
The NAPI poll functions mana_poll_tx_cq() and mana_poll_rx_cq() can
poll up to CQE_POLLING_BUFFER (512) completions per call. If the CQ
has fewer than 512 entries, a single poll call can process more than
4 wraparounds without ringing the doorbell. The doorbell threshold
check also uses ">" instead of ">=", delaying the ring by one extra
CQE beyond 4 wraparounds. Combined, these issues can cause the driver
to exceed the 8-wraparound hardware limit, leading to missed
completions and stalled queues.
Fix this by capping the number of CQEs polled per call to 4 wraparounds
of the CQ in both TX and RX paths. Also change the doorbell threshold
from ">" to ">=" so the doorbell is rung as soon as 4 wraparounds are
reached.
Cc: stable@vger.kernel.org
Fixes: 58a63729c957 ("net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings")
Signed-off-by: Long Li <longli@microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260226192833.1050807-1-longli@microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -1725,8 +1725,14 @@ static void mana_poll_tx_cq(struct mana_
ndev = txq->ndev;
apc = netdev_priv(ndev);
+ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the
+ * doorbell can be rung in time for the hardware's requirement
+ * of at least one doorbell ring every 8 wraparounds.
+ */
comp_read = mana_gd_poll_cq(cq->gdma_cq, completions,
- CQE_POLLING_BUFFER);
+ min((cq->gdma_cq->queue_size /
+ COMP_ENTRY_SIZE) * 4,
+ CQE_POLLING_BUFFER));
if (comp_read < 1)
return;
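Review bot: The cap expression (cq->gdma_cq->queue_size / COMP_ENTRY_SIZE) * 4 is now written out three times: here, in mana_poll_rx_cq() and in the mana_cq_handler() threshold, and the fix only works while all three stay identical. A small static inline helper or macro that returns the 4-wraparound CQE count would keep the poll cap and the doorbell threshold from drifting apart, and would let the explanatory comment live in one place instead of being copied into both poll functions.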
@@ -2111,7 +2117,14 @@ static void mana_poll_rx_cq(struct mana_
struct mana_rxq *rxq = cq->rxq;
int comp_read, i;
- comp_read = mana_gd_poll_cq(cq->gdma_cq, comp, CQE_POLLING_BUFFER);
+ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the
+ * doorbell can be rung in time for the hardware's requirement
+ * of at least one doorbell ring every 8 wraparounds.
+ */
+ comp_read = mana_gd_poll_cq(cq->gdma_cq, comp,
+ min((cq->gdma_cq->queue_size /
+ COMP_ENTRY_SIZE) * 4,
+ CQE_POLLING_BUFFER));
WARN_ON_ONCE(comp_read > CQE_POLLING_BUFFER);
rxq->xdp_flush = false;
@@ -2156,11 +2169,11 @@ static int mana_cq_handler(void *context
mana_gd_ring_cq(gdma_queue, SET_ARM_BIT);
cq->work_done_since_doorbell = 0;
napi_complete_done(&cq->napi, w);
- } else if (cq->work_done_since_doorbell >
- cq->gdma_cq->queue_size / COMP_ENTRY_SIZE * 4) {
+ } else if (cq->work_done_since_doorbell >=
+ (cq->gdma_cq->queue_size / COMP_ENTRY_SIZE) * 4) {
/* MANA hardware requires at least one doorbell ring every 8
* wraparounds of CQ even if there is no need to arm the CQ.
- * This driver rings the doorbell as soon as we have exceeded
+ * This driver rings the doorbell as soon as it has processed
* 4 wraparounds.
*/
mana_gd_ring_cq(gdma_queue, 0);
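Review bot: The updated comment in the else-if branch states the 4-wraparound trigger but not why it is enough to meet the 8-wraparound hardware limit. The argument depends on the poll cap added in mana_poll_tx_cq() and mana_poll_rx_cq(): a counter that is just under 4 wraparounds before a poll can grow by at most 4 more, so it is still under 8 when this ">=" test runs. Please put that worst case in the comment so the coupling between the cap and this threshold is visible at the point where it matters.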
* [PATCH 6.19 260/378] net: Fix rcu_tasks stall in threaded busypoll
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, YiFei Zhu, Samiullah Khawaja,
Paolo Abeni
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: YiFei Zhu <zhuyifei@google.com>
commit 1a86a1f7d88996085934139fa4c063b6299a2dd3 upstream.
I was debugging a NIC driver when I noticed that when I enable
threaded busypoll, bpftrace hangs when starting up. dmesg showed:
rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 10658 jiffies old.
rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 40793 jiffies old.
rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 131273 jiffies old.
rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 402058 jiffies old.
INFO: rcu_tasks detected stalls on tasks:
00000000769f52cd: .N nvcsw: 2/2 holdout: 1 idle_cpu: -1/64
task:napi/eth2-8265 state:R running task stack:0 pid:48300 tgid:48300 ppid:2 task_flags:0x208040 flags:0x00004000
Call Trace:
<TASK>
? napi_threaded_poll_loop+0x27c/0x2c0
? __pfx_napi_threaded_poll+0x10/0x10
? napi_threaded_poll+0x26/0x80
? kthread+0xfa/0x240
? __pfx_kthread+0x10/0x10
? ret_from_fork+0x31/0x50
? __pfx_kthread+0x10/0x10
? ret_from_fork_asm+0x1a/0x30
</TASK>
The cause is that in threaded busypoll, the main loop is in
napi_threaded_poll rather than napi_threaded_poll_loop, where the
latter rarely iterates more than once within its loop. For
rcu_softirq_qs_periodic inside napi_threaded_poll_loop to report its
qs state, the last_qs must be 100ms behind, and this can't happen
because napi_threaded_poll_loop rarely iterates in threaded busypoll,
and each time napi_threaded_poll_loop is called last_qs is reset to
latest jiffies.
This patch changes so that in threaded busypoll, last_qs is saved
in the outer napi_threaded_poll, and whether busy_poll_last_qs
is NULL indicates whether napi_threaded_poll_loop is called for
busypoll. This way last_qs would not reset to latest jiffies on
each invocation of napi_threaded_poll_loop.
Fixes: c18d4b190a46 ("net: Extend NAPI threaded polling to allow kthread based busy polling")
Cc: stable@vger.kernel.org
Signed-off-by: YiFei Zhu <zhuyifei@google.com>
Reviewed-by: Samiullah Khawaja <skhawaja@google.com>
Link: https://patch.msgid.link/20260227221937.1060857-1-zhuyifei@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/dev.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -7788,11 +7788,12 @@ static int napi_thread_wait(struct napi_
return -1;
}
-static void napi_threaded_poll_loop(struct napi_struct *napi, bool busy_poll)
+static void napi_threaded_poll_loop(struct napi_struct *napi,
+ unsigned long *busy_poll_last_qs)
{
+ unsigned long last_qs = busy_poll_last_qs ? *busy_poll_last_qs : jiffies;
struct bpf_net_context __bpf_net_ctx, *bpf_net_ctx;
struct softnet_data *sd;
- unsigned long last_qs = jiffies;
for (;;) {
bool repoll = false;
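Review bot: The new busy_poll_last_qs parameter carries two meanings, a flag (non-NULL means busy poll) and the storage for the quiescent-state timestamp, and neither is documented at the function. A short comment above napi_threaded_poll_loop() saying that NULL selects the non-busy-poll behaviour with a fresh last_qs = jiffies, and that a non-NULL pointer is read on entry and written back on exit, would save readers from reconstructing the contract from the call sites.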
@@ -7821,12 +7822,12 @@ static void napi_threaded_poll_loop(stru
/* When busy poll is enabled, the old packets are not flushed in
* napi_complete_done. So flush them here.
*/
- if (busy_poll)
+ if (busy_poll_last_qs)
gro_flush_normal(&napi->gro, HZ >= 1000);
local_bh_enable();
/* Call cond_resched here to avoid watchdog warnings. */
- if (repoll || busy_poll) {
+ if (repoll || busy_poll_last_qs) {
rcu_softirq_qs_periodic(last_qs);
cond_resched();
}
@@ -7834,11 +7835,15 @@ static void napi_threaded_poll_loop(stru
if (!repoll)
break;
}
+
+ if (busy_poll_last_qs)
+ *busy_poll_last_qs = last_qs;
}
static int napi_threaded_poll(void *data)
{
struct napi_struct *napi = data;
+ unsigned long last_qs = jiffies;
bool want_busy_poll;
bool in_busy_poll;
unsigned long val;
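Review bot: The last_qs added to napi_threaded_poll() is initialised once, when the kthread starts, and is only refreshed through the write-back *busy_poll_last_qs = last_qs on busy-poll passes. After the thread has slept, or has run with want_busy_poll false for a while, the value handed to the next busy-poll pass can be arbitrarily old. Going by the commit message that only makes the next rcu_softirq_qs_periodic() check report sooner, which is harmless, but it deserves a one-line comment next to the declaration so that nobody later resets it per iteration and reintroduces the stall.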
@@ -7856,7 +7861,7 @@ static int napi_threaded_poll(void *data
assign_bit(NAPI_STATE_IN_BUSY_POLL, &napi->state,
want_busy_poll);
- napi_threaded_poll_loop(napi, want_busy_poll);
+ napi_threaded_poll_loop(napi, want_busy_poll ? &last_qs : NULL);
}
return 0;
@@ -13167,7 +13172,7 @@ static void run_backlog_napi(unsigned in
{
struct softnet_data *sd = per_cpu_ptr(&softnet_data, cpu);
- napi_threaded_poll_loop(&sd->backlog, false);
+ napi_threaded_poll_loop(&sd->backlog, NULL);
}
static void backlog_napi_setup(unsigned int cpu)
* [PATCH 6.19 261/378] ice: fix retry for AQ command 0x06EE
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Staniszewski, Dawid Osuchowski,
Aleksandr Loktionov, Przemek Kitszel, Paul Menzel, Tony Nguyen,
Rinitha S
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
commit fb4903b3354aed4a2301180cf991226f896c87ed upstream.
Executing ethtool -m can fail reporting a netlink I/O error while firmware
link management holds the i2c bus used to communicate with the module.
According to Intel(R) Ethernet Controller E810 Datasheet Rev 2.8 [1]
Section 3.3.10.4 Read/Write SFF EEPROM (0x06EE)
request should be retried upon receiving EBUSY from firmware.
Commit e9c9692c8a81 ("ice: Reimplement module reads used by ethtool")
implemented it only for part of ice_get_module_eeprom(), leaving all other
calls to ice_aq_sff_eeprom() vulnerable to returning early on getting
EBUSY without retrying.
Remove the retry loop from ice_get_module_eeprom() and add Admin Queue
(AQ) command with opcode 0x06EE to the list of commands that should be
retried on receiving EBUSY from firmware.
Cc: stable@vger.kernel.org
Fixes: e9c9692c8a81 ("ice: Reimplement module reads used by ethtool")
Signed-off-by: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
Co-developed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Signed-off-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Link: https://www.intel.com/content/www/us/en/content-details/613875/intel-ethernet-controller-e810-datasheet.html [1]
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_common.c | 1
drivers/net/ethernet/intel/ice/ice_ethtool.c | 35 ++++++++++-----------------
2 files changed, 15 insertions(+), 21 deletions(-)
--- a/drivers/net/ethernet/intel/ice/ice_common.c
+++ b/drivers/net/ethernet/intel/ice/ice_common.c
@@ -1854,6 +1854,7 @@ static bool ice_should_retry_sq_send_cmd
case ice_aqc_opc_lldp_stop:
case ice_aqc_opc_lldp_start:
case ice_aqc_opc_lldp_filter_ctrl:
+ case ice_aqc_opc_sff_eeprom:
return true;
}
--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
+++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
@@ -4508,7 +4508,7 @@ ice_get_module_eeprom(struct net_device
u8 addr = ICE_I2C_EEPROM_DEV_ADDR;
struct ice_hw *hw = &pf->hw;
bool is_sfp = false;
- unsigned int i, j;
+ unsigned int i;
u16 offset = 0;
u8 page = 0;
int status;
@@ -4550,26 +4550,19 @@ ice_get_module_eeprom(struct net_device
if (page == 0 || !(data[0x2] & 0x4)) {
u32 copy_len;
- /* If i2c bus is busy due to slow page change or
- * link management access, call can fail. This is normal.
- * So we retry this a few times.
- */
- for (j = 0; j < 4; j++) {
- status = ice_aq_sff_eeprom(hw, 0, addr, offset, page,
- !is_sfp, value,
- SFF_READ_BLOCK_SIZE,
- 0, NULL);
- netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%X)\n",
- addr, offset, page, is_sfp,
- value[0], value[1], value[2], value[3],
- value[4], value[5], value[6], value[7],
- status);
- if (status) {
- usleep_range(1500, 2500);
- memset(value, 0, SFF_READ_BLOCK_SIZE);
- continue;
- }
- break;
+ status = ice_aq_sff_eeprom(hw, 0, addr, offset, page,
+ !is_sfp, value,
+ SFF_READ_BLOCK_SIZE,
+ 0, NULL);
+ netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%pe)\n",
+ addr, offset, page, is_sfp,
+ value[0], value[1], value[2], value[3],
+ value[4], value[5], value[6], value[7],
+ ERR_PTR(status));
+ if (status) {
+ netdev_err(netdev, "%s: error reading module EEPROM: status %pe\n",
+ __func__, ERR_PTR(status));
+ return status;
}
/* Make sure we have enough room for the new block */
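Review bot: With the local retry loop gone, the netdev_dbg() line prints value[0] to value[7] before status is checked, and the memset(value, 0, SFF_READ_BLOCK_SIZE) that used to clear the buffer on failure is removed, so on error the debug output shows whatever the buffer held before the call. Move the dump after the if (status) check, or print only the status on failure. Two behaviour changes also deserve a sentence in the commit message: a failed read now returns status to the caller, where the removed loop had no return and fell through after four attempts, and the per-attempt usleep_range(1500, 2500) backoff is replaced by whatever the generic Admin Queue retry path uses. netdev_err() on a path reachable from ethtool -m can also be noisy; a rate-limited variant would be safer.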
* [PATCH 6.19 262/378] fgraph: Fix thresh_return clear per-task notrace
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu (Google),
Shengming Hu, Steven Rostedt (Google)
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengming Hu <hu.shengming@zte.com.cn>
commit 6ca8379b5d36e22b04e6315c3e49a6083377c862 upstream.
When tracing_thresh is enabled, function graph tracing uses
trace_graph_thresh_return() as the return handler. Unlike
trace_graph_return(), it did not clear the per-task TRACE_GRAPH_NOTRACE
flag set by the entry handler for set_graph_notrace addresses. This could
leave the task permanently in "notrace" state and effectively disable
function graph tracing for that task.
Mirror trace_graph_return()'s per-task notrace handling by clearing
TRACE_GRAPH_NOTRACE and returning early when set.
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260221113007819YgrZsMGABff4Rc-O_fZxL@zte.com.cn
Fixes: b84214890a9bc ("function_graph: Move graph notrace bit to shadow stack global var")
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Shengming Hu <hu.shengming@zte.com.cn>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_functions_graph.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -400,14 +400,15 @@ static void trace_graph_thresh_return(st
struct fgraph_ops *gops,
struct ftrace_regs *fregs)
{
+ unsigned long *task_var = fgraph_get_task_var(gops);
struct fgraph_times *ftimes;
struct trace_array *tr;
int size;
ftrace_graph_addr_finish(gops, trace);
- if (trace_recursion_test(TRACE_GRAPH_NOTRACE_BIT)) {
- trace_recursion_clear(TRACE_GRAPH_NOTRACE_BIT);
+ if (*task_var & TRACE_GRAPH_NOTRACE) {
+ *task_var &= ~TRACE_GRAPH_NOTRACE;
return;
}
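Review bot: This open-codes the same TRACE_GRAPH_NOTRACE test-and-clear that, per the commit message, trace_graph_return() already performs, which is how the two return handlers drifted apart in the first place. Consider a small static helper that both handlers call, so that a future change to the per-task flag handling cannot miss one of them. *task_var is also dereferenced without a check; if fgraph_get_task_var() can return NULL for any gops, that needs handling, and if it cannot, a comment saying why.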
* [PATCH 6.19 263/378] tracing: Fix syscall events activation by ensuring refcount hits zero
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Huiwen He, Steven Rostedt (Google)
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huiwen He <hehuiwen@kylinos.cn>
commit 0a663b764dbdf135a126284f454c9f01f95a87d4 upstream.
When multiple syscall events are specified in the kernel command line
(e.g., trace_event=syscalls:sys_enter_openat,syscalls:sys_enter_close),
they are often not captured after boot, even though they appear enabled
in the tracing/set_event file.
The issue stems from how syscall events are initialized. Syscall
tracepoints require the global reference count (sys_tracepoint_refcount)
to transition from 0 to 1 to trigger the registration of the syscall
work (TIF_SYSCALL_TRACEPOINT) for tasks, including the init process (pid 1).
The current implementation of early_enable_events() with disable_first=true
used an interleaved sequence of "Disable A -> Enable A -> Disable B -> Enable B".
If multiple syscalls are enabled, the refcount never drops to zero,
preventing the 0->1 transition that triggers actual registration.
Fix this by splitting early_enable_events() into two distinct phases:
1. Disable all events specified in the buffer.
2. Enable all events specified in the buffer.
This ensures the refcount hits zero before re-enabling, allowing syscall
events to be properly activated during early boot.
The code is also refactored to use a helper function to avoid logic
duplication between the disable and enable phases.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/20260224023544.1250787-1-hehuiwen@kylinos.cn
Fixes: ce1039bd3a89 ("tracing: Fix enabling of syscall events on the command line")
Signed-off-by: Huiwen He <hehuiwen@kylinos.cn>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events.c | 52 +++++++++++++++++++++++++++++++-------------
1 file changed, 37 insertions(+), 15 deletions(-)
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -4512,26 +4512,22 @@ static __init int event_trace_memsetup(v
return 0;
}
-__init void
-early_enable_events(struct trace_array *tr, char *buf, bool disable_first)
+/*
+ * Helper function to enable or disable a comma-separated list of events
+ * from the bootup buffer.
+ */
+static __init void __early_set_events(struct trace_array *tr, char *buf, bool enable)
{
char *token;
- int ret;
-
- while (true) {
- token = strsep(&buf, ",");
-
- if (!token)
- break;
+ while ((token = strsep(&buf, ","))) {
if (*token) {
- /* Restarting syscalls requires that we stop them first */
- if (disable_first)
+ if (enable) {
+ if (ftrace_set_clr_event(tr, token, 1))
+ pr_warn("Failed to enable trace event: %s\n", token);
+ } else {
ftrace_set_clr_event(tr, token, 0);
-
- ret = ftrace_set_clr_event(tr, token, 1);
- if (ret)
- pr_warn("Failed to enable trace event: %s\n", token);
+ }
}
/* Put back the comma to allow this to be called again */
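Review bot: In __early_set_events() the enable and disable arms differ only in the value passed to ftrace_set_clr_event() and in whether a failure is reported, so the nested if/else can collapse to a single call, for example ret = ftrace_set_clr_event(tr, token, enable); followed by if (enable && ret) pr_warn(...). The existing "Put back the comma" comment is now load-bearing, because early_enable_events() walks the same buf twice when disable_first is set; it is worth saying so in that comment.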
@@ -4540,6 +4536,32 @@ early_enable_events(struct trace_array *
}
}
+/**
+ * early_enable_events - enable events from the bootup buffer
+ * @tr: The trace array to enable the events in
+ * @buf: The buffer containing the comma separated list of events
+ * @disable_first: If true, disable all events in @buf before enabling them
+ *
+ * This function enables events from the bootup buffer. If @disable_first
+ * is true, it will first disable all events in the buffer before enabling
+ * them.
+ *
+ * For syscall events, which rely on a global refcount to register the
+ * SYSCALL_WORK_SYSCALL_TRACEPOINT flag (especially for pid 1), we must
+ * ensure the refcount hits zero before re-enabling them. A simple
+ * "disable then enable" per-event is not enough if multiple syscalls are
+ * used, as the refcount will stay above zero. Thus, we need a two-phase
+ * approach: disable all, then enable all.
+ */
+__init void
+early_enable_events(struct trace_array *tr, char *buf, bool disable_first)
+{
+ if (disable_first)
+ __early_set_events(tr, buf, false);
+
+ __early_set_events(tr, buf, true);
+}
+
static __init int event_trace_enable(void)
{
struct trace_array *tr = top_trace_array();
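Review bot: The kernel-doc names the flag SYSCALL_WORK_SYSCALL_TRACEPOINT while the commit message calls it TIF_SYSCALL_TRACEPOINT; use the name that exists in this tree so that a grep from the comment lands on real code. The comment would also be easier to follow if it named the counter it refers to (sys_tracepoint_refcount in the commit message) instead of "a global refcount".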
* [PATCH 6.19 264/378] net/tcp-ao: Fix MAC comparison to be constant-time
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Biggers, Dmitry Safonov,
Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 67edfec516d30d3e62925c397be4a1e5185802fc upstream.
To prevent timing attacks, MACs need to be compared in constant
time. Use the appropriate helper function for this.
Fixes: 0a3a809089eb ("net/tcp: Verify inbound TCP-AO signed segments")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
Link: https://patch.msgid.link/20260302203600.13561-1-ebiggers@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/Kconfig | 1 +
net/ipv4/tcp_ao.c | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -748,6 +748,7 @@ config TCP_SIGPOOL
config TCP_AO
bool "TCP: Authentication Option (RFC5925)"
select CRYPTO
+ select CRYPTO_LIB_UTILS
select TCP_SIGPOOL
depends on 64BIT && IPV6 != m # seq-number extension needs WRITE_ONCE(u64)
help
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -10,6 +10,7 @@
#define pr_fmt(fmt) "TCP: " fmt
#include <crypto/hash.h>
+#include <crypto/utils.h>
#include <linux/inetdevice.h>
#include <linux/tcp.h>
@@ -922,7 +923,7 @@ tcp_ao_verify_hash(const struct sock *sk
/* XXX: make it per-AF callback? */
tcp_ao_hash_skb(family, hash_buf, key, sk, skb, traffic_key,
(phash - (u8 *)th), sne);
- if (memcmp(phash, hash_buf, maclen)) {
+ if (crypto_memneq(phash, hash_buf, maclen)) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD);
atomic64_inc(&info->counters.pkt_bad);
atomic64_inc(&key->pkt_bad);
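Review bot: The switch to crypto_memneq() in tcp_ao_verify_hash() is right, but nothing at the call site says why memcmp() must not be used here, so a later cleanup could quietly revert it. A short comment above the comparison noting that phash comes from the received segment and must be compared in constant time would record the intent. The commit message could also say whether maclen is validated against the key before this point, since the comparison length decides how many MAC bytes are actually checked.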
* [PATCH 6.19 265/378] fgraph: Fix thresh_return nosleeptime double-adjust
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu (Google),
Shengming Hu, Steven Rostedt (Google)
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengming Hu <hu.shengming@zte.com.cn>
commit b96d0c59cdbb2a22b2545f6f3d5c6276b05761dd upstream.
trace_graph_thresh_return() called handle_nosleeptime() and then delegated
to trace_graph_return(), which calls handle_nosleeptime() again. When
sleep-time accounting is disabled this double-adjusts calltime and can
produce bogus durations (including underflow).
Fix this by computing rettime once, applying handle_nosleeptime() only
once, using the adjusted calltime for threshold comparison, and writing
the return event directly via __trace_graph_return() when the threshold is
met.
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260221113314048jE4VRwIyZEALiYByGK0My@zte.com.cn
Fixes: 3c9880f3ab52b ("ftrace: Use a running sleeptime instead of saving on shadow stack")
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Shengming Hu <hu.shengming@zte.com.cn>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_functions_graph.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -403,8 +403,12 @@ static void trace_graph_thresh_return(st
unsigned long *task_var = fgraph_get_task_var(gops);
struct fgraph_times *ftimes;
struct trace_array *tr;
+ unsigned int trace_ctx;
+ u64 calltime, rettime;
int size;
+ rettime = trace_clock_local();
+
ftrace_graph_addr_finish(gops, trace);
if (*task_var & TRACE_GRAPH_NOTRACE) {
@@ -419,11 +423,13 @@ static void trace_graph_thresh_return(st
tr = gops->private;
handle_nosleeptime(tr, trace, ftimes, size);
- if (tracing_thresh &&
- (trace_clock_local() - ftimes->calltime < tracing_thresh))
+ calltime = ftimes->calltime;
+
+ if (tracing_thresh && (rettime - calltime < tracing_thresh))
return;
- else
- trace_graph_return(trace, gops, fregs);
+
+ trace_ctx = tracing_gen_ctx();
+ __trace_graph_return(tr, trace, trace_ctx, calltime, rettime);
}
static struct fgraph_ops funcgraph_ops = {
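Review bot: The threshold test rettime - calltime < tracing_thresh is an unsigned 64-bit subtraction, so if the calltime adjusted by handle_nosleeptime() ever ends up later than rettime the difference wraps and the event passes the threshold with a bogus duration, the same symptom the commit message describes for the double adjustment. Please add a comment explaining why a single adjustment cannot move calltime past rettime, or guard the subtraction. Since the function now calls __trace_graph_return() directly, also confirm that nothing else trace_graph_return() did for this path has been dropped.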
* [PATCH 6.19 266/378] net/tcp-md5: Fix MAC comparison to be constant-time
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 46d0d6f50dab706637f4c18a470aac20a21900d3 upstream.
To prevent timing attacks, MACs need to be compared in constant
time. Use the appropriate helper function for this.
Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
Fixes: 658ddaaf6694 ("tcp: md5: RST: getting md5 key from listener")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Link: https://patch.msgid.link/20260302203409.13388-1-ebiggers@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/Kconfig | 1 +
net/ipv4/tcp.c | 3 ++-
net/ipv4/tcp_ipv4.c | 3 ++-
net/ipv6/tcp_ipv6.c | 3 ++-
4 files changed, 7 insertions(+), 3 deletions(-)
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -762,6 +762,7 @@ config TCP_AO
config TCP_MD5SIG
bool "TCP: MD5 Signature Option support (RFC2385)"
select CRYPTO_LIB_MD5
+ select CRYPTO_LIB_UTILS
help
RFC2385 specifies a method of giving MD5 protection to TCP sessions.
Its main (only?) use is to protect BGP sessions between core routers
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -244,6 +244,7 @@
#define pr_fmt(fmt) "TCP: " fmt
#include <crypto/md5.h>
+#include <crypto/utils.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/types.h>
@@ -4912,7 +4913,7 @@ tcp_inbound_md5_hash(const struct sock *
tcp_v4_md5_hash_skb(newhash, key, NULL, skb);
else
tp->af_specific->calc_md5_hash(newhash, key, NULL, skb);
- if (memcmp(hash_location, newhash, 16) != 0) {
+ if (crypto_memneq(hash_location, newhash, 16)) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE);
trace_tcp_hash_md5_mismatch(sk, skb);
return SKB_DROP_REASON_TCP_MD5FAILURE;
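Review bot: The digest length is still the bare literal 16 here and in the tcp_v4_send_reset() and tcp_v6_send_reset() comparisons. Since these lines are being touched anyway, a named constant (for example MD5_DIGEST_SIZE from the crypto/md5.h header these files already include) would tie the comparison length to the size of newhash and make the three sites easy to find together.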
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -88,6 +88,7 @@
#include <linux/skbuff_ref.h>
#include <crypto/md5.h>
+#include <crypto/utils.h>
#include <trace/events/tcp.h>
@@ -838,7 +839,7 @@ static void tcp_v4_send_reset(const stru
goto out;
tcp_v4_md5_hash_skb(newhash, key, NULL, skb);
- if (memcmp(md5_hash_location, newhash, 16) != 0)
+ if (crypto_memneq(md5_hash_location, newhash, 16))
goto out;
}
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -68,6 +68,7 @@
#include <linux/seq_file.h>
#include <crypto/md5.h>
+#include <crypto/utils.h>
#include <trace/events/tcp.h>
@@ -1043,7 +1044,7 @@ static void tcp_v6_send_reset(const stru
key.type = TCP_KEY_MD5;
tcp_v6_md5_hash_skb(newhash, key.md5_key, NULL, skb);
- if (memcmp(md5_hash_location, newhash, 16) != 0)
+ if (crypto_memneq(md5_hash_location, newhash, 16))
goto out;
}
#endif
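The timing difference that this patch and the TCP-AO patch above remove, shown as an added userspace illustration; it is not kernel code and not part of the original messages. The function names, the sample MAC and the step counter are assumptions made for the example, and ct_neq() shows only the OR-accumulate idea, not the implementation of crypto_memneq().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 16	/* MD5 digest length, the literal 16 in the hunks above */

/* Constructed sample value standing in for the locally computed MAC. */
static const uint8_t expected_mac[MAC_LEN] = {
	0x3a, 0x91, 0x07, 0xc4, 0x5e, 0x22, 0xb8, 0x6d,
	0xf0, 0x13, 0x8a, 0x49, 0xd7, 0x60, 0x2c, 0xe5,
};

/*
 * Early-exit comparison, the shape of a byte-wise memcmp(). Returns 1 if the
 * buffers differ. *steps receives the number of bytes examined, which is the
 * data-dependent quantity a timing measurement exposes.
 */
static int early_exit_neq(const uint8_t *a, const uint8_t *b, size_t len,
			  size_t *steps)
{
	size_t i;

	for (i = 0; i < len; i++) {
		if (a[i] != b[i]) {
			*steps = i + 1;
			return 1;
		}
	}
	*steps = len;
	return 0;
}

/*
 * Constant-time comparison (illustrative): every byte is always read and the
 * differences are OR-ed together, so the work done does not depend on where
 * the first mismatch is. volatile keeps the compiler from short-circuiting.
 */
static int ct_neq(const uint8_t *a, const uint8_t *b, size_t len,
		  size_t *steps)
{
	volatile uint8_t diff = 0;
	size_t i;

	for (i = 0; i < len; i++)
		diff |= a[i] ^ b[i];
	*steps = len;
	return diff != 0;
}

/* Build a received MAC whose first n bytes are correct (n == MAC_LEN: valid). */
static void make_guess(uint8_t *out, size_t n)
{
	memcpy(out, expected_mac, MAC_LEN);
	if (n < MAC_LEN)
		out[n] ^= 0xff;
}

/* Bytes examined by each routine for a guess with n correct leading bytes. */
static size_t steps_early(size_t n)
{
	uint8_t guess[MAC_LEN];
	size_t steps;

	make_guess(guess, n);
	early_exit_neq(guess, expected_mac, MAC_LEN, &steps);
	return steps;
}

static size_t steps_ct(size_t n)
{
	uint8_t guess[MAC_LEN];
	size_t steps;

	make_guess(guess, n);
	ct_neq(guess, expected_mac, MAC_LEN, &steps);
	return steps;
}

/* Accept/reject verdict of the constant-time routine: 1 means "MAC bad". */
static int rejects_ct(size_t n)
{
	uint8_t guess[MAC_LEN];
	size_t steps;

	make_guess(guess, n);
	return ct_neq(guess, expected_mac, MAC_LEN, &steps);
}

int main(void)
{
	size_t n;

	printf("correct prefix | early-exit bytes | constant-time bytes\n");
	for (n = 0; n <= MAC_LEN; n += 4)
		printf("%14zu | %16zu | %19zu\n", n, steps_early(n), steps_ct(n));
	return 0;
}
```

The early-exit column grows with the number of correct leading bytes while the constant-time column stays at 16, and the accept/reject result is the same in both cases.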
* [PATCH 6.19 267/378] batman-adv: Avoid double-rtnl_lock ELP metric worker
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Schmidbauer,
Sven Eckelmann, Sören Skaarup, Simon Wunderlich
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit cfc83a3c71517b59c1047db57da31e26a9dc2f33 upstream.
batadv_v_elp_get_throughput() might be called when the RTNL lock is already
held. This could be problematic when the work queue item is cancelled via
cancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case,
an rtnl_lock() would cause a deadlock.
To avoid this, rtnl_trylock() was used in this function to skip the
retrieval of the ethtool information in case the RTNL lock was already
held.
But for cfg80211 interfaces, batadv_get_real_netdev() was called - which
also uses rtnl_lock(). The approach for __ethtool_get_link_ksettings() must
also be used instead and the lockless version __batadv_get_real_netdev()
has to be called.
Cc: stable@vger.kernel.org
Fixes: 8c8ecc98f5c6 ("batman-adv: Drop unmanaged ELP metric worker")
Reported-by: Christian Schmidbauer <github@grische.xyz>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Tested-by: Sören Skaarup <freifunk_nordm4nn@gmx.de>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/bat_v_elp.c | 10 +++++++++-
net/batman-adv/hard-interface.c | 8 ++++----
net/batman-adv/hard-interface.h | 1 +
3 files changed, 14 insertions(+), 5 deletions(-)
--- a/net/batman-adv/bat_v_elp.c
+++ b/net/batman-adv/bat_v_elp.c
@@ -111,7 +111,15 @@ static bool batadv_v_elp_get_throughput(
/* unsupported WiFi driver version */
goto default_throughput;
- real_netdev = batadv_get_real_netdev(hard_iface->net_dev);
+ /* only use rtnl_trylock because the elp worker will be cancelled while
+ * the rntl_lock is held. the cancel_delayed_work_sync() would otherwise
+ * wait forever when the elp work_item was started and it is then also
+ * trying to rtnl_lock
+ */
+ if (!rtnl_trylock())
+ return false;
+ real_netdev = __batadv_get_real_netdev(hard_iface->net_dev);
+ rtnl_unlock();
if (!real_netdev)
goto default_throughput;
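Review bot: When rtnl_trylock() fails, the added code does "return false", while the failure paths on either side of it (unsupported WiFi driver version, !real_netdev) jump to default_throughput; the new comment explains why trylock is used but not why the fallback throughput is skipped under contention, so either say that in the comment or take the default_throughput path. The comment also spells the lock "rntl_lock" where "rtnl_lock" is meant. Since real_netdev is used after rtnl_unlock(), it would help to state what keeps the device alive at that point (a reference returned by __batadv_get_real_netdev(), if that is the case).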
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -204,7 +204,7 @@ static bool batadv_is_valid_iface(const
}
/**
- * batadv_get_real_netdevice() - check if the given netdev struct is a virtual
+ * __batadv_get_real_netdev() - check if the given netdev struct is a virtual
* interface on top of another 'real' interface
* @netdev: the device to check
*
@@ -214,7 +214,7 @@ static bool batadv_is_valid_iface(const
* Return: the 'real' net device or the original net device and NULL in case
* of an error.
*/
-static struct net_device *batadv_get_real_netdevice(struct net_device *netdev)
+struct net_device *__batadv_get_real_netdev(struct net_device *netdev)
{
struct batadv_hard_iface *hard_iface = NULL;
struct net_device *real_netdev = NULL;
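Review bot: __batadv_get_real_netdev() loses "static" here and becomes callable from other files, but the kernel-doc above it carries no locking requirement; the wrapper batadv_get_real_netdev() takes rtnl_lock() around it, so the doc should say that the caller must hold RTNL (a "Context:" line), and an ASSERT_RTNL() at the top of the function would catch a caller that forgets.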
@@ -267,7 +267,7 @@ struct net_device *batadv_get_real_netde
struct net_device *real_netdev;
rtnl_lock();
- real_netdev = batadv_get_real_netdevice(net_device);
+ real_netdev = __batadv_get_real_netdev(net_device);
rtnl_unlock();
return real_netdev;
@@ -336,7 +336,7 @@ static u32 batadv_wifi_flags_evaluate(st
if (batadv_is_cfg80211_netdev(net_device))
wifi_flags |= BATADV_HARDIF_WIFI_CFG80211_DIRECT;
- real_netdev = batadv_get_real_netdevice(net_device);
+ real_netdev = __batadv_get_real_netdev(net_device);
if (!real_netdev)
return wifi_flags;
--- a/net/batman-adv/hard-interface.h
+++ b/net/batman-adv/hard-interface.h
@@ -67,6 +67,7 @@ enum batadv_hard_if_bcast {
extern struct notifier_block batadv_hard_if_notifier;
+struct net_device *__batadv_get_real_netdev(struct net_device *net_device);
struct net_device *batadv_get_real_netdev(struct net_device *net_device);
bool batadv_is_cfg80211_hardif(struct batadv_hard_iface *hard_iface);
bool batadv_is_wifi_hardif(struct batadv_hard_iface *hard_iface);
* [PATCH 6.19 268/378] drm/xe/xe2_hpg: Correct implementation of Wa_16025250150
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aradhya Bhatia, Tejas Upadhyay,
Ngai-Mint Kwan, Matt Roper, Rodrigo Vivi
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Roper <matthew.d.roper@intel.com>
commit 89865e6dc8487b627302bdced3f965cd0c406835 upstream.
Wa_16025250150 asks us to set five register fields of the register to
0x1 each. However we were just OR'ing this into the existing register
value (which has a default of 0x4 for each nibble-sized field) resulting
in final field values of 0x5 instead of the desired 0x1. Correct the
RTP programming (use FIELD_SET instead of SET) to ensure each field is
assigned to exactly the value we want.
Cc: Aradhya Bhatia <aradhya.bhatia@intel.com>
Cc: Tejas Upadhyay <tejas.upadhyay@intel.com>
Cc: stable@vger.kernel.org # v6.16+
Fixes: 7654d51f1fd8 ("drm/xe/xe2hpg: Add Wa_16025250150")
Reviewed-by: Ngai-Mint Kwan <ngai-mint.kwan@linux.intel.com>
Link: https://patch.msgid.link/20260227164341.3600098-2-matthew.d.roper@intel.com
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
(cherry picked from commit d139209ef88e48af1f6731cd45440421c757b6b5)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/xe/xe_wa.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/drivers/gpu/drm/xe/xe_wa.c
+++ b/drivers/gpu/drm/xe/xe_wa.c
@@ -255,12 +255,13 @@ static const struct xe_rtp_entry_sr gt_w
{ XE_RTP_NAME("16025250150"),
XE_RTP_RULES(GRAPHICS_VERSION(2001)),
- XE_RTP_ACTIONS(SET(LSN_VC_REG2,
- LSN_LNI_WGT(1) |
- LSN_LNE_WGT(1) |
- LSN_DIM_X_WGT(1) |
- LSN_DIM_Y_WGT(1) |
- LSN_DIM_Z_WGT(1)))
+ XE_RTP_ACTIONS(FIELD_SET(LSN_VC_REG2,
+ LSN_LNI_WGT_MASK | LSN_LNE_WGT_MASK |
+ LSN_DIM_X_WGT_MASK | LSN_DIM_Y_WGT_MASK |
+ LSN_DIM_Z_WGT_MASK,
+ LSN_LNI_WGT(1) | LSN_LNE_WGT(1) |
+ LSN_DIM_X_WGT(1) | LSN_DIM_Y_WGT(1) |
+ LSN_DIM_Z_WGT(1)))
},
/* Xe2_HPM */
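Review bot: In the FIELD_SET() action the five *_WGT_MASK terms and the five *_WGT(1) terms are two hand-maintained lists that must name the same fields; a field listed only in the mask would be cleared to 0 and a field listed only in the value would be OR-ed into whatever is already there, with no build error in either case. A short comment on the entry saying that each listed field must end up as exactly 0x1, not OR-ed into the 0x4 default, would record why FIELD_SET is needed and make a mismatch easier to spot.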
* [PATCH 6.19 269/378] pmdomain: rockchip: Fix PD_VCODEC for RK3588
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chaoyi Chen, Shawn Lin,
Sebastian Reichel, Ulf Hansson
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shawn Lin <shawn.lin@rock-chips.com>
commit 0fb59eaca18f1254ecdce34354eec3cb1b3b5e10 upstream.
From the RK3588 TRM Table 7-1 RK3588 Voltage Domain and Power Domain Summary,
PD_RKVDEC0/1 and PD_VENC0/1 rely on VD_VCODEC which require extra voltages to
be applied, otherwise it breaks RK3588-evb1-v10 board after vdec support landed[1].
The panic looks like below:
rockchip-pm-domain fd8d8000.power-management:power-controller: failed to set domain 'rkvdec0' on, val=0
rockchip-pm-domain fd8d8000.power-management:power-controller: failed to set domain 'rkvdec1' on, val=0
...
Hardware name: Rockchip RK3588S EVB1 V10 Board (DT)
Workqueue: pm genpd_power_off_work_fn
Call trace:
show_stack+0x18/0x24 (C)
dump_stack_lvl+0x40/0x84
dump_stack+0x18/0x24
vpanic+0x1ec/0x4fc
vpanic+0x0/0x4fc
check_panic_on_warn+0x0/0x94
arm64_serror_panic+0x6c/0x78
do_serror+0xc4/0xcc
el1h_64_error_handler+0x3c/0x5c
el1h_64_error+0x6c/0x70
regmap_mmio_read32le+0x18/0x24 (P)
regmap_bus_reg_read+0xfc/0x130
regmap_read+0x188/0x1ac
regmap_read+0x54/0x78
rockchip_pd_power+0xcc/0x5f0
rockchip_pd_power_off+0x1c/0x4c
genpd_power_off+0x84/0x120
genpd_power_off+0x1b4/0x260
genpd_power_off_work_fn+0x38/0x58
process_scheduled_works+0x194/0x2c4
worker_thread+0x2ac/0x3d8
kthread+0x104/0x124
ret_from_fork+0x10/0x20
SMP: stopping secondary CPUs
Kernel Offset: disabled
CPU features: 0x3000000,000e0005,40230521,0400720b
Memory Limit: none
---[ end Kernel panic - not syncing: Asynchronous SError Interrupt ]---
Chaoyi pointed out the PD_VCODEC is the parent of PD_RKVDEC0/1 and PD_VENC0/1, so checking
the PD_VCODEC is enough.
[1] https://lore.kernel.org/linux-rockchip/20251020212009.8852-2-detlev.casanova@collabora.com/
Fixes: db6df2e3fc16 ("pmdomain: rockchip: add regulator support")
Cc: stable@vger.kernel.org
Suggested-by: Chaoyi Chen <chaoyi.chen@rock-chips.com>
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Reviewed-by: Chaoyi Chen <chaoyi.chen@rock-chips.com>
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pmdomain/rockchip/pm-domains.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pmdomain/rockchip/pm-domains.c
+++ b/drivers/pmdomain/rockchip/pm-domains.c
@@ -1311,7 +1311,7 @@ static const struct rockchip_domain_info
static const struct rockchip_domain_info rk3588_pm_domains[] = {
[RK3588_PD_GPU] = DOMAIN_RK3588("gpu", 0x0, BIT(0), 0, 0x0, 0, BIT(1), 0x0, BIT(0), BIT(0), false, true),
[RK3588_PD_NPU] = DOMAIN_RK3588("npu", 0x0, BIT(1), BIT(1), 0x0, 0, 0, 0x0, 0, 0, false, true),
- [RK3588_PD_VCODEC] = DOMAIN_RK3588("vcodec", 0x0, BIT(2), BIT(2), 0x0, 0, 0, 0x0, 0, 0, false, false),
+ [RK3588_PD_VCODEC] = DOMAIN_RK3588("vcodec", 0x0, BIT(2), BIT(2), 0x0, 0, 0, 0x0, 0, 0, false, true),
[RK3588_PD_NPUTOP] = DOMAIN_RK3588("nputop", 0x0, BIT(3), 0, 0x0, BIT(11), BIT(2), 0x0, BIT(1), BIT(1), false, false),
[RK3588_PD_NPU1] = DOMAIN_RK3588("npu1", 0x0, BIT(4), 0, 0x0, BIT(12), BIT(3), 0x0, BIT(2), BIT(2), false, false),
[RK3588_PD_NPU2] = DOMAIN_RK3588("npu2", 0x0, BIT(5), 0, 0x0, BIT(13), BIT(4), 0x0, BIT(3), BIT(3), false, false),
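Review bot: The whole fix is the last positional argument of DOMAIN_RK3588() on the "vcodec" row changing from false to true, and nothing in the table says what that argument means; with twelve unnamed arguments per row this is easy to get wrong again. Add a comment on the row (or above the table) noting that PD_VCODEC needs the VD_VCODEC supply before its registers are touched, which going by the commit message is what this flag expresses, and that its child domains rely on the parent for it.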
* [PATCH 6.19 270/378] parisc: Increase initial mapping to 64 MB with KALLSYMS
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 8e732934fb81282be41602550e7e07baf265e972 upstream.
The 32MB initial kernel mapping can become too small when CONFIG_KALLSYMS
is used. Increase the mapping to 64 MB in this case.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v6.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/include/asm/pgtable.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/parisc/include/asm/pgtable.h
+++ b/arch/parisc/include/asm/pgtable.h
@@ -85,7 +85,7 @@ extern void __update_cache(pte_t pte);
printk("%s:%d: bad pgd %08lx.\n", __FILE__, __LINE__, (unsigned long)pgd_val(e))
/* This is the size of the initially mapped kernel memory */
-#if defined(CONFIG_64BIT)
+#if defined(CONFIG_64BIT) || defined(CONFIG_KALLSYMS)
#define KERNEL_INITIAL_ORDER 26 /* 1<<26 = 64MB */
#else
#define KERNEL_INITIAL_ORDER 25 /* 1<<25 = 32MB */
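Review bot: The comment above the #if still only says what the value is; now that "|| defined(CONFIG_KALLSYMS)" selects order 26 on 32-bit builds too, say there why KALLSYMS needs the larger mapping. It is also worth confirming that the initial page tables of a 32-bit kernel have room for a 64 MB mapping, since before this change order 26 was only ever used with CONFIG_64BIT.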
* [PATCH 6.19 271/378] nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lyude Paul, Dave Airlie,
Danilo Krummrich
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Airlie <airlied@redhat.com>
commit 8f3c6f08ababad2e3bdd239728cf66a9949446b4 upstream.
If we have runtime suspended, and userspace wants to use /dev/drm_dp_*
then just tell it the device is busy instead of crashing in the GSP
code.
WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]
CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy)
Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024
RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]
This is a simple fix to get backported. We should probably engineer a
proper power domain solution to wake up devices and keep them awake
while fw updates are happening.
Cc: stable@vger.kernel.org
Fixes: 8894f4919bc4 ("drm/nouveau: register a drm_dp_aux channel for each dp connector")
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patch.msgid.link/20260224031750.791621-1-airlied@gmail.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
@@ -1230,6 +1230,9 @@ nouveau_connector_aux_xfer(struct drm_dp
u8 size = msg->size;
int ret;
+ if (pm_runtime_suspended(nv_connector->base.dev->dev))
+ return -EBUSY;
+
nv_encoder = find_encoder(&nv_connector->base, DCB_OUTPUT_DP);
if (!nv_encoder)
return -ENODEV;
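Review bot: The pm_runtime_suspended() test added at the top of nouveau_connector_aux_xfer() is a check without a hold: the added lines take no runtime-PM reference, so the device can still suspend between this test and the transfer that follows. If that window matters, take a reference for the duration of the transfer (for example with pm_runtime_get_if_active()) and return -EBUSY when that fails; if the race is accepted for this backport, a comment saying so would help whoever does the proper fix the commit message mentions.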
* [PATCH 6.19 272/378] arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Catalin Marinas, Jianpeng Chang,
Will Deacon, Huang, Ying, Guenter Roeck
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Catalin Marinas <catalin.marinas@arm.com>
commit c25c4aa3f79a488cc270507935a29c07dc6bddfc upstream.
Commit 143937ca51cc ("arm64, mm: avoid always making PTE dirty in
pte_mkwrite()") changed pte_mkwrite_novma() to only clear PTE_RDONLY
when PTE_DIRTY is set. This was to allow writable-clean PTEs for swap
pages that haven't actually been written.
However, this broke kexec and hibernation for some platforms. Both go
through trans_pgd_create_copy() -> _copy_pte(), which calls
pte_mkwrite_novma() to make the temporary linear-map copy fully
writable. With the updated pte_mkwrite_novma(), read-only kernel pages
(without PTE_DIRTY) remain read-only in the temporary mapping.
While such behaviour is fine for user pages where hardware DBM or
trapping will make them writeable, subsequent in-kernel writes by the
kexec relocation code will fault.
Add PTE_DIRTY back to all _PAGE_KERNEL* protection definitions. This was
the case prior to 5.4, commit aa57157be69f ("arm64: Ensure
VM_WRITE|VM_SHARED ptes are clean by default"). With the kernel
linear-map PTEs always having PTE_DIRTY set, pte_mkwrite_novma()
correctly clears PTE_RDONLY.
Fixes: 143937ca51cc ("arm64, mm: avoid always making PTE dirty in pte_mkwrite()")
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: stable@vger.kernel.org
Reported-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
Link: https://lore.kernel.org/r/20251204062722.3367201-1-jianpeng.chang.cn@windriver.com
Cc: Will Deacon <will@kernel.org>
Cc: Huang, Ying <ying.huang@linux.alibaba.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Huang Ying <ying.huang@linux.alibaba.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/pgtable-prot.h | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/arch/arm64/include/asm/pgtable-prot.h
+++ b/arch/arm64/include/asm/pgtable-prot.h
@@ -50,11 +50,11 @@
#define _PAGE_DEFAULT (_PROT_DEFAULT | PTE_ATTRINDX(MT_NORMAL))
-#define _PAGE_KERNEL (PROT_NORMAL)
-#define _PAGE_KERNEL_RO ((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY)
-#define _PAGE_KERNEL_ROX ((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY)
-#define _PAGE_KERNEL_EXEC (PROT_NORMAL & ~PTE_PXN)
-#define _PAGE_KERNEL_EXEC_CONT ((PROT_NORMAL & ~PTE_PXN) | PTE_CONT)
+#define _PAGE_KERNEL (PROT_NORMAL | PTE_DIRTY)
+#define _PAGE_KERNEL_RO ((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY | PTE_DIRTY)
+#define _PAGE_KERNEL_ROX ((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY | PTE_DIRTY)
+#define _PAGE_KERNEL_EXEC ((PROT_NORMAL & ~PTE_PXN) | PTE_DIRTY)
+#define _PAGE_KERNEL_EXEC_CONT ((PROT_NORMAL & ~PTE_PXN) | PTE_CONT | PTE_DIRTY)
#define _PAGE_SHARED (_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN | PTE_WRITE)
#define _PAGE_SHARED_EXEC (_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_WRITE)
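Review bot: _PAGE_KERNEL_RO and _PAGE_KERNEL_ROX now carry PTE_RDONLY and PTE_DIRTY at the same time, which reads as a contradiction without the commit message next to it. Add a comment above the _PAGE_KERNEL* block explaining that PTE_DIRTY is set on every kernel protection so that pte_mkwrite_novma() clears PTE_RDONLY when the temporary kexec/hibernation mapping is made writable; otherwise a later cleanup is likely to drop the bit again.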
* [PATCH 6.19 273/378] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanman Pradhan <psanman@juniper.net>
commit 25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43 upstream.
The q54sj108a2_debugfs_read function suffers from a stack buffer overflow
due to incorrect arguments passed to bin2hex(). The function currently
passes 'data' as the destination and 'data_char' as the source.
Because bin2hex() converts each input byte into two hex characters, a
32-byte block read results in 64 bytes of output. Since 'data' is only
34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end
of the buffer onto the stack.
Additionally, the arguments were swapped: it was reading from the
zero-initialized 'data_char' and writing to 'data', resulting in
all-zero output regardless of the actual I2C read.
Fix this by:
1. Expanding 'data_char' to 66 bytes to safely hold the hex output.
2. Correcting the bin2hex() argument order and using the actual read count.
3. Using a pointer to select the correct output buffer for the final
simple_read_from_buffer call.
Fixes: d014538aa385 ("hwmon: (pmbus) Driver for Delta power supplies Q54SJ108A2")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260304235116.1045-1-sanman.p211993@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/q54sj108a2.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
--- a/drivers/hwmon/pmbus/q54sj108a2.c
+++ b/drivers/hwmon/pmbus/q54sj108a2.c
@@ -78,7 +78,8 @@ static ssize_t q54sj108a2_debugfs_read(s
int idx = *idxp;
struct q54sj108a2_data *psu = to_psu(idxp, idx);
char data[I2C_SMBUS_BLOCK_MAX + 2] = { 0 };
- char data_char[I2C_SMBUS_BLOCK_MAX + 2] = { 0 };
+ char data_char[I2C_SMBUS_BLOCK_MAX * 2 + 2] = { 0 };
+ char *out = data;
char *res;
switch (idx) {
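Review bot: The new size of data_char, I2C_SMBUS_BLOCK_MAX * 2 + 2, is only sufficient while the count handed to bin2hex() never exceeds I2C_SMBUS_BLOCK_MAX, and the declaration does not say where the numbers come from. A comment giving the breakdown (two hex characters per input byte, plus '\n', plus the terminating zero) would tie the size to its use and make it obvious what to change if another case starts writing into this buffer.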
@@ -149,27 +150,27 @@ static ssize_t q54sj108a2_debugfs_read(s
if (rc < 0)
return rc;
- res = bin2hex(data, data_char, 32);
- rc = res - data;
-
+ res = bin2hex(data_char, data, rc);
+ rc = res - data_char;
+ out = data_char;
break;
case Q54SJ108A2_DEBUGFS_FLASH_KEY:
rc = i2c_smbus_read_block_data(psu->client, PMBUS_FLASH_KEY_WRITE, data);
if (rc < 0)
return rc;
- res = bin2hex(data, data_char, 4);
- rc = res - data;
-
+ res = bin2hex(data_char, data, rc);
+ rc = res - data_char;
+ out = data_char;
break;
default:
return -EINVAL;
}
- data[rc] = '\n';
+ out[rc] = '\n';
rc += 2;
- return simple_read_from_buffer(buf, count, ppos, data, rc);
+ return simple_read_from_buffer(buf, count, ppos, out, rc);
}
static ssize_t q54sj108a2_debugfs_write(struct file *file, const char __user *buf,
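Review bot: At the end of the function "rc += 2" makes simple_read_from_buffer() return the '\n' and one more byte, which in the two hex cases is the zero left over from the buffer initialisation, so userspace reads a trailing NUL; if only the newline is meant to be returned, "rc += 1" is enough. In those same two cases "rc = res - data_char" is always twice the byte count just read, so it could be written directly as a doubling of rc, and res dropped if no other case needs it.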
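The buffer arithmetic from the q54sj108a2 commit message above, as a user-space example added here (it is not the driver's code and not part of the patch): bin2hex_demo() is a stand-in with the same contract as the kernel's bin2hex(dst, src, count), and hex_overrun(), hex_line() and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_MAX 32	/* same value as I2C_SMBUS_BLOCK_MAX */

/*
 * User-space stand-in for the kernel's bin2hex(dst, src, count): writes
 * 2 * count hex characters to dst, adds no terminator, and returns the
 * position just past the last character written.
 */
static char *bin2hex_demo(char *dst, const void *src, size_t count)
{
	static const char digits[] = "0123456789abcdef";
	const unsigned char *p = src;

	while (count--) {
		*dst++ = digits[*p >> 4];
		*dst++ = digits[*p & 0x0f];
		p++;
	}
	return dst;
}

/* Bytes written past a dst_size buffer when n input bytes are hex-encoded. */
static size_t hex_overrun(size_t dst_size, size_t n)
{
	size_t need = 2 * n;

	return need > dst_size ? need - dst_size : 0;
}

/*
 * Bounded variant (hypothetical helper): encode n bytes, append '\n' and a
 * terminating zero, or refuse when dst cannot hold 2 * n + 2 bytes.
 * Returns the number of characters before the terminator, or -1.
 */
static long hex_line(char *dst, size_t dst_size,
		     const unsigned char *src, size_t n)
{
	char *end;

	if (n > BLOCK_MAX || 2 * n + 2 > dst_size)
		return -1;
	end = bin2hex_demo(dst, src, n);
	*end++ = '\n';
	*end = '\0';
	return (long)(end - dst);
}

int main(void)
{
	unsigned char blk[BLOCK_MAX];		/* constructed sample block */
	char small[BLOCK_MAX + 2];		/* destination size before the fix */
	char big[BLOCK_MAX * 2 + 2];		/* destination size after the fix */
	size_t i;

	for (i = 0; i < sizeof(blk); i++)
		blk[i] = (unsigned char)(0xa0 + i);

	printf("unbounded write into %zu bytes overruns by %zu\n",
	       sizeof(small), hex_overrun(sizeof(small), sizeof(blk)));
	printf("bounded, %zu-byte buffer: %ld\n", sizeof(small),
	       hex_line(small, sizeof(small), blk, sizeof(blk)));
	printf("bounded, %zu-byte buffer: %ld\n", sizeof(big),
	       hex_line(big, sizeof(big), blk, sizeof(blk)));
	return 0;
}
```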
* [PATCH 6.19 274/378] io_uring/zcrx: use READ_ONCE with user shared RQEs
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pavel Begunkov, Jens Axboe
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Begunkov <asml.silence@gmail.com>
commit 531bb98a030cc1073bd7ed9a502c0a3a781e92ee upstream.
Refill queue entries are shared with the user space, use READ_ONCE when
reading them.
Fixes: 34a3e60821ab9 ("io_uring/zcrx: implement zerocopy receive pp memory provider");
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/zcrx.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/io_uring/zcrx.c
+++ b/io_uring/zcrx.c
@@ -898,11 +898,12 @@ static inline bool io_parse_rqe(struct i
struct io_zcrx_ifq *ifq,
struct net_iov **ret_niov)
{
+ __u64 off = READ_ONCE(rqe->off);
unsigned niov_idx, area_idx;
struct io_zcrx_area *area;
- area_idx = rqe->off >> IORING_ZCRX_AREA_SHIFT;
- niov_idx = (rqe->off & ~IORING_ZCRX_AREA_MASK) >> ifq->niov_shift;
+ area_idx = off >> IORING_ZCRX_AREA_SHIFT;
+ niov_idx = (off & ~IORING_ZCRX_AREA_MASK) >> ifq->niov_shift;
if (unlikely(rqe->__pad || area_idx))
return false;
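Review bot: The test "unlikely(rqe->__pad || area_idx)" still reads rqe->__pad with a plain load from the user-shared entry, while only rqe->off gets the READ_ONCE() snapshot at the top of io_parse_rqe(). Read __pad through READ_ONCE() as well, so that every field of the shared RQE is fetched exactly once and the validation cannot be re-evaluated against a value userspace has changed in between.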
* [PATCH 6.19 275/378] parisc: Fix initial page table creation for boot
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 8475d8fe21ec9c7eb2faca555fbc5b68cf0d2597 upstream.
The KERNEL_INITIAL_ORDER value defines the initial size (usually 32 or
64 MB) of the page table during bootup. Up until now the whole area was
initialized with PTE entries, but there was no check if we filled too
many entries. Change the code to fill up with so many entries that the
"_end" symbol can be reached by the kernel, but not more entries than
actually fit into the initial PTE tables.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v6.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/head.S | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/arch/parisc/kernel/head.S
+++ b/arch/parisc/kernel/head.S
@@ -56,6 +56,7 @@ ENTRY(parisc_kernel_start)
.import __bss_start,data
.import __bss_stop,data
+ .import __end,data
load32 PA(__bss_start),%r3
load32 PA(__bss_stop),%r4
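Review bot: The added ".import __end,data" names a symbol with two leading underscores, but the code added in the next hunk loads PA(_end) with one; the import should name the symbol that is actually referenced, or be dropped if _end needs no import here.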
@@ -149,7 +150,11 @@ $cpu_ok:
* everything ... it will get remapped correctly later */
ldo 0+_PAGE_KERNEL_RWX(%r0),%r3 /* Hardwired 0 phys addr start */
load32 (1<<(KERNEL_INITIAL_ORDER-PAGE_SHIFT)),%r11 /* PFN count */
- load32 PA(pg0),%r1
+ load32 PA(_end),%r1
+ SHRREG %r1,PAGE_SHIFT,%r1 /* %r1 is PFN count for _end symbol */
+ cmpb,<<,n %r11,%r1,1f
+ copy %r1,%r11 /* %r1 PFN count smaller than %r11 */
+1: load32 PA(pg0),%r1
$pgt_fill_loop:
STREGM %r3,ASM_PTE_ENTRY_SIZE(%r1)
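Review bot: "SHRREG %r1,PAGE_SHIFT,%r1" truncates PA(_end) to a whole number of pages, so if _end is not page-aligned the page that contains it is left out of the count that ends up in %r11; either round up before the shift or add a comment that _end is page-aligned in the linker script. The comment on the copy line ("%r1 PFN count smaller than %r11") would be clearer if it said that the smaller of the two counts is used to bound the fill loop.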
* [PATCH 6.19 276/378] arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryan Roberts, Catalin Marinas,
Will Deacon, Jason Gunthorpe, John Hubbard, Zi Yan, Breno Leitao,
Alistair Popple, James Houghton, Piotr Jaroszynski, Balbir Singh
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Piotr Jaroszynski <pjaroszynski@nvidia.com>
commit 97c5550b763171dbef61e6239cab372b9f9cd4a2 upstream.
contpte_ptep_set_access_flags() compared the gathered ptep_get() value
against the requested entry to detect no-ops. ptep_get() ORs AF/dirty
from all sub-PTEs in the CONT block, so a dirty sibling can make the
target appear already-dirty. When the gathered value matches entry, the
function returns 0 even though the target sub-PTE still has PTE_RDONLY
set in hardware.
For a CPU with FEAT_HAFDBS this gathered view is fine, since hardware may
set AF/dirty on any sub-PTE and CPU TLB behavior is effectively gathered
across the CONT range. But page-table walkers that evaluate each
descriptor individually (e.g. a CPU without DBM support, or an SMMU
without HTTU, or with HA/HD disabled in CD.TCR) can keep faulting on the
unchanged target sub-PTE, causing an infinite fault loop.
Gathering can therefore cause false no-ops when only a sibling has been
updated:
- write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)
- read faults: target still lacks PTE_AF
Fix by checking each sub-PTE against the requested AF/dirty/write state
(the same bits consumed by __ptep_set_access_flags()), using raw
per-PTE values rather than the gathered ptep_get() view, before
returning no-op. Keep using the raw target PTE for the write-bit unfold
decision.
Per Arm ARM (DDI 0487) D8.7.1 ("The Contiguous bit"), any sub-PTE in a CONT
range may become the effective cached translation and software must
maintain consistent attributes across the range.
Fixes: 4602e5757bcc ("arm64/mm: wire up PTE_CONT for user mappings")
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: Breno Leitao <leitao@debian.org>
Cc: stable@vger.kernel.org
Reviewed-by: Alistair Popple <apopple@nvidia.com>
Reviewed-by: James Houghton <jthoughton@google.com>
Reviewed-by: Ryan Roberts <ryan.roberts@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Piotr Jaroszynski <pjaroszynski@nvidia.com>
Acked-by: Balbir Singh <balbirs@nvidia.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/mm/contpte.c | 53 ++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 49 insertions(+), 4 deletions(-)
--- a/arch/arm64/mm/contpte.c
+++ b/arch/arm64/mm/contpte.c
@@ -581,6 +581,27 @@ void contpte_clear_young_dirty_ptes(stru
}
EXPORT_SYMBOL_GPL(contpte_clear_young_dirty_ptes);
+static bool contpte_all_subptes_match_access_flags(pte_t *ptep, pte_t entry)
+{
+ pte_t *cont_ptep = contpte_align_down(ptep);
+ /*
+ * PFNs differ per sub-PTE. Match only bits consumed by
+ * __ptep_set_access_flags(): AF, DIRTY and write permission.
+ */
+ const pteval_t cmp_mask = PTE_RDONLY | PTE_AF | PTE_WRITE | PTE_DIRTY;
+ pteval_t entry_cmp = pte_val(entry) & cmp_mask;
+ int i;
+
+ for (i = 0; i < CONT_PTES; i++) {
+ pteval_t pte_cmp = pte_val(__ptep_get(cont_ptep + i)) & cmp_mask;
+
+ if (pte_cmp != entry_cmp)
+ return false;
+ }
+
+ return true;
+}
+
int contpte_ptep_set_access_flags(struct vm_area_struct *vma,
unsigned long addr, pte_t *ptep,
pte_t entry, int dirty)
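Review bot: contpte_all_subptes_match_access_flags() tests for exact equality under cmp_mask, so a sub-PTE that is already more permissive than entry (for example dirty where entry is clean) counts as a mismatch and sends the caller down the update path even though there is nothing to grant. If that is intended as the conservative choice, say so in the comment inside the helper; the comment currently explains which bits are compared but not why equality rather than "at least as permissive" is the test.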
@@ -590,14 +611,38 @@ int contpte_ptep_set_access_flags(struct
int i;
/*
- * Gather the access/dirty bits for the contiguous range. If nothing has
- * changed, its a noop.
+ * Check whether all sub-PTEs in the CONT block already match the
+ * requested access flags/write permission, using raw per-PTE values
+ * rather than the gathered ptep_get() view.
+ *
+ * __ptep_set_access_flags() can update AF, dirty and write
+ * permission, but only to make the mapping more permissive.
+ *
+ * ptep_get() gathers AF/dirty state across the whole CONT block,
+ * which is correct for a CPU with FEAT_HAFDBS. But page-table
+ * walkers that evaluate each descriptor individually (e.g. a CPU
+ * without DBM support, or an SMMU without HTTU, or with HA/HD
+ * disabled in CD.TCR) can keep faulting on the target sub-PTE if
+ * only a sibling has been updated. Gathering can therefore cause
+ * false no-ops when only a sibling has been updated:
+ * - write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)
+ * - read faults: target still lacks PTE_AF
+ *
+ * Per Arm ARM (DDI 0487) D8.7.1, any sub-PTE in a CONT range may
+ * become the effective cached translation, so all entries must have
+ * consistent attributes. Check the full CONT block before returning
+ * no-op, and when any sub-PTE mismatches, proceed to update the whole
+ * range.
*/
- orig_pte = pte_mknoncont(ptep_get(ptep));
- if (pte_val(orig_pte) == pte_val(entry))
+ if (contpte_all_subptes_match_access_flags(ptep, entry))
return 0;
/*
+ * Use raw target pte (not gathered) for write-bit unfold decision.
+ */
+ orig_pte = pte_mknoncont(__ptep_get(ptep));
+
+ /*
* We can fix up access/dirty bits without having to unfold the contig
* range. But if the write bit is changing, we must unfold.
*/
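Review bot: orig_pte changes meaning in this hunk, from the gathered ptep_get() value to the raw target PTE read with __ptep_get(), and only the write-bit comparison that follows is visible here; any later use of orig_pte in contpte_ptep_set_access_flags() that relied on the gathered AF/dirty bits needs checking against the new value. The long block comment above the no-op test repeats most of the commit message; the walker examples and the Arm ARM reference could be cut down to the rule itself (compare raw sub-PTEs, update the whole range on any mismatch) with the rationale left to the changelog.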
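The false no-op described in the contpte commit message above, as a small user-space model added here (not kernel code and not part of the patch): the flag values, NR_SUB and all function names are assumptions of the model, and the gathering rule follows the message's description of ptep_get().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model-only flag values (assumed; not the arm64 descriptor layout). */
#define F_AF     (1u << 0)
#define F_RDONLY (1u << 1)
#define F_WRITE  (1u << 2)
#define F_DIRTY  (1u << 3)
#define CMP_MASK (F_AF | F_RDONLY | F_WRITE | F_DIRTY)
#define NR_SUB   16	/* sub-PTEs in the modelled CONT block (assumed) */

/* Dirty: software-dirty, or writable with the read-only bit cleared. */
static bool is_dirty(uint32_t pte)
{
	return (pte & F_DIRTY) || ((pte & F_WRITE) && !(pte & F_RDONLY));
}

/* Gathered view of one sub-PTE: AF/dirty OR-ed in from every sibling. */
static uint32_t gathered_get(const uint32_t *blk, int idx)
{
	uint32_t pte = blk[idx];
	int i;

	for (i = 0; i < NR_SUB; i++) {
		if (is_dirty(blk[i])) {
			pte |= F_DIRTY;
			if (pte & F_WRITE)
				pte &= ~F_RDONLY;
		}
		pte |= blk[i] & F_AF;
	}
	return pte;
}

/* Pre-fix no-op test: compare the gathered view of the target. */
static bool noop_gathered(const uint32_t *blk, int idx, uint32_t entry)
{
	return (gathered_get(blk, idx) & CMP_MASK) == (entry & CMP_MASK);
}

/* Post-fix no-op test: every raw sub-PTE must already match. */
static bool noop_per_subpte(const uint32_t *blk, uint32_t entry)
{
	int i;

	for (i = 0; i < NR_SUB; i++)
		if ((blk[i] & CMP_MASK) != (entry & CMP_MASK))
			return false;
	return true;
}

/* Fault-handler model: returns 1 if the block was updated, 0 for a no-op. */
static int set_access_flags(uint32_t *blk, int idx, uint32_t entry, bool fixed)
{
	int i;

	if (fixed ? noop_per_subpte(blk, entry) : noop_gathered(blk, idx, entry))
		return 0;
	for (i = 0; i < NR_SUB; i++) {	/* only ever makes entries more permissive */
		blk[i] |= entry & (F_AF | F_DIRTY | F_WRITE);
		if (!(entry & F_RDONLY))
			blk[i] &= ~F_RDONLY;
	}
	return 1;
}

/* A walker that evaluates each descriptor on its own, with no gathering. */
static bool walker_write_ok(uint32_t pte)
{
	return (pte & F_AF) && (pte & F_WRITE) && !(pte & F_RDONLY);
}

/*
 * Count write faults taken on sub-PTE 5 after only sibling 3 was dirtied.
 * Stops at max_faults so the pre-fix loop terminates.
 */
static int write_faults_on_target(bool fixed, int max_faults)
{
	const uint32_t entry = F_AF | F_WRITE | F_DIRTY;
	uint32_t blk[NR_SUB];
	int i, faults = 0;

	for (i = 0; i < NR_SUB; i++)
		blk[i] = F_AF | F_WRITE | F_RDONLY;	/* writable-clean */
	blk[3] &= ~F_RDONLY;	/* constructed state: sibling dirtied by hardware */

	while (!walker_write_ok(blk[5]) && faults < max_faults) {
		faults++;
		set_access_flags(blk, 5, entry, fixed);
	}
	return faults;
}

int main(void)
{
	printf("gathered check:    %d faults (cap 8)\n",
	       write_faults_on_target(false, 8));
	printf("per-sub-PTE check: %d fault(s)\n",
	       write_faults_on_target(true, 8));
	return 0;
}
```

With the gathered check the handler reports a no-op on every retry and the fault count runs into the cap; with the per-sub-PTE check the first fault updates the whole block.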
* [PATCH 6.19 277/378] parisc: Check kernel mapping earlier at bootup
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 276/378] arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 278/378] io_uring/net: reject SEND_VECTORIZED when unsupported Greg Kroah-Hartman
` (107 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 17c144f1104bfc29a3ce3f7d0931a1bfb7a3558c upstream.
The check if the initial mapping is sufficient needs to happen much
earlier during bootup. Move this test directly to the start_parisc()
function and use native PDC iodc functions to print the warning, because
panic() and printk() are not functional yet.
This fixes boot when enabling various KALLSYMS options which need
much more space.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v6.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/setup.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
--- a/arch/parisc/kernel/setup.c
+++ b/arch/parisc/kernel/setup.c
@@ -120,14 +120,6 @@ void __init setup_arch(char **cmdline_p)
#endif
printk(KERN_CONT ".\n");
- /*
- * Check if initial kernel page mappings are sufficient.
- * panic early if not, else we may access kernel functions
- * and variables which can't be reached.
- */
- if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE)
- panic("KERNEL_INITIAL_ORDER too small!");
-
#ifdef CONFIG_64BIT
if(parisc_narrow_firmware) {
printk(KERN_INFO "Kernel is using PDC in 32-bit mode.\n");
@@ -279,6 +271,18 @@ void __init start_parisc(void)
int ret, cpunum;
struct pdc_coproc_cfg coproc_cfg;
+ /*
+ * Check if initial kernel page mapping is sufficient.
+ * Print warning if not, because we may access kernel functions and
+ * variables which can't be reached yet through the initial mappings.
+ * Note that the panic() and printk() functions are not functional
+ * yet, so we need to use direct iodc() firmware calls instead.
+ */
+ const char warn1[] = "CRITICAL: Kernel may crash because "
+ "KERNEL_INITIAL_ORDER is too small.\n";
+ if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE)
+ pdc_iodc_print(warn1, sizeof(warn1) - 1);
+
/* check QEMU/SeaBIOS marker in PAGE0 */
running_on_qemu = (memcmp(&PAGE0->pad0, "SeaBIOS", 8) == 0);
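Review bot: in start_parisc() the size check now only prints through pdc_iodc_print() and lets boot continue, whereas the check removed from setup_arch() called panic(). The changelog explains why panic() cannot be used this early but not why continuing is preferable to halting, so the new comment should say that carrying on is intended. The name `warn1` also suggests further messages that do not exist; a plain `warn` or a more descriptive name would read better.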
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 278/378] io_uring/net: reject SEND_VECTORIZED when unsupported
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 277/378] parisc: Check kernel mapping earlier at bootup Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 279/378] regulator: pf9453: Respect IRQ trigger settings from firmware Greg Kroah-Hartman
` (106 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pavel Begunkov, Jens Axboe
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Begunkov <asml.silence@gmail.com>
commit c36e28becd0586ac98318fd335e5e91d19cd2623 upstream.
IORING_SEND_VECTORIZED with registered buffers is not implemented but
could be. Don't silently ignore the flag in this case but reject it with
an error. It only affects sendzc as normal sends don't support
registered buffers.
Fixes: 6f02527729bd3 ("io_uring/net: Allow to do vectorized send")
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/net.c | 2 ++
1 file changed, 2 insertions(+)
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -375,6 +375,8 @@ static int io_send_setup(struct io_kiocb
kmsg->msg.msg_namelen = addr_len;
}
if (sr->flags & IORING_RECVSEND_FIXED_BUF) {
+ if (sr->flags & IORING_SEND_VECTORIZED)
+ return -EINVAL;
req->flags |= REQ_F_IMPORT_BUFFER;
return 0;
}
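Review bot: the new `return -EINVAL` inside the IORING_RECVSEND_FIXED_BUF branch of io_send_setup() has no comment, and the changelog describes the combination as unimplemented rather than invalid. A one-line comment stating that IORING_SEND_VECTORIZED with registered buffers is not supported yet would keep a later reader from treating the rejection as a permanent rule.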
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 279/378] regulator: pf9453: Respect IRQ trigger settings from firmware
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 278/378] io_uring/net: reject SEND_VECTORIZED when unsupported Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 280/378] pmdomain: bcm: bcm2835-power: Fix broken reset status read Greg Kroah-Hartman
` (105 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Franz Schnyder, Mark Brown
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Franz Schnyder <franz.schnyder@toradex.com>
commit 2d85ecd6fb0eb2fee0ffa040ec1ddea57b09bc38 upstream.
The datasheet specifies that the IRQ_B pin is pulled low when any
unmasked interrupt bit status is changed, and it is released high once
the application processor reads the INT1 register. As it specifies a
level-low behavior, it should not force a falling-edge interrupt.
Remove the IRQF_TRIGGER_FALLING to not force the falling-edge interrupt
and instead rely on the flag from the device tree.
Fixes: 0959b6706325 ("regulator: pf9453: add PMIC PF9453 support")
Cc: stable@vger.kernel.org
Signed-off-by: Franz Schnyder <franz.schnyder@toradex.com>
Link: https://patch.msgid.link/20260218102518.238943-2-fra.schnyder@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/regulator/pf9453-regulator.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/regulator/pf9453-regulator.c
+++ b/drivers/regulator/pf9453-regulator.c
@@ -809,7 +809,7 @@ static int pf9453_i2c_probe(struct i2c_c
}
ret = devm_request_threaded_irq(pf9453->dev, pf9453->irq, NULL, pf9453_irq_handler,
- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT),
+ IRQF_ONESHOT,
"pf9453-irq", pf9453);
if (ret)
return dev_err_probe(pf9453->dev, ret, "Failed to request IRQ: %d\n", pf9453->irq);
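Review bot: with IRQF_TRIGGER_FALLING dropped from the devm_request_threaded_irq() call, the trigger type comes only from firmware, so a device tree that specifies no trigger for this interrupt no longer gets one from the driver. It is worth confirming that the existing users and the binding example describe the level-low behaviour the changelog cites from the datasheet, and saying so in the changelog.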
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 280/378] pmdomain: bcm: bcm2835-power: Fix broken reset status read
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 279/378] regulator: pf9453: Respect IRQ trigger settings from firmware Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 281/378] drm/ttm: Fix ttm_pool_beneficial_order() return type Greg Kroah-Hartman
` (104 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maíra Canal, Florian Fainelli,
Stefan Wahren, Ulf Hansson
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maíra Canal <mcanal@igalia.com>
commit 550bae2c0931dbb664a61b08c21cf156f0a5362a upstream.
bcm2835_reset_status() has a misplaced parenthesis on every PM_READ()
call. Since PM_READ(reg) expands to readl(power->base + (reg)), the
expression:
PM_READ(PM_GRAFX & PM_V3DRSTN)
computes the bitwise AND of the register offset PM_GRAFX with the
bitmask PM_V3DRSTN before using the result as a register offset, reading
from the wrong MMIO address instead of the intended PM_GRAFX register.
The same issue affects the PM_IMAGE cases.
Fix by moving the closing parenthesis so PM_READ() receives only the
register offset, and the bitmask is applied to the value returned by
the read.
Fixes: 670c672608a1 ("soc: bcm: bcm2835-pm: Add support for power domains under a new binding.")
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pmdomain/bcm/bcm2835-power.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/pmdomain/bcm/bcm2835-power.c
+++ b/drivers/pmdomain/bcm/bcm2835-power.c
@@ -580,11 +580,11 @@ static int bcm2835_reset_status(struct r
switch (id) {
case BCM2835_RESET_V3D:
- return !PM_READ(PM_GRAFX & PM_V3DRSTN);
+ return !(PM_READ(PM_GRAFX) & PM_V3DRSTN);
case BCM2835_RESET_H264:
- return !PM_READ(PM_IMAGE & PM_H264RSTN);
+ return !(PM_READ(PM_IMAGE) & PM_H264RSTN);
case BCM2835_RESET_ISP:
- return !PM_READ(PM_IMAGE & PM_ISPRSTN);
+ return !(PM_READ(PM_IMAGE) & PM_ISPRSTN);
default:
return -EINVAL;
}
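Review bot: all three cases in bcm2835_reset_status() repeat the same `!(PM_READ(reg) & mask)` shape that was mistyped originally, and nothing prevents the parenthesis from slipping again because PM_READ() accepts any integer expression as its offset. A small local helper taking the register and the mask would state the intent once and remove the repetition.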
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 281/378] drm/ttm: Fix ttm_pool_beneficial_order() return type
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 280/378] pmdomain: bcm: bcm2835-power: Fix broken reset status read Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 282/378] crypto: ccp - allow callers to use HV-Fixed page API when SEV is disabled Greg Kroah-Hartman
` (103 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tvrtko Ursulin, Christian König,
Thadeu Lima de Souza Cascardo, dri-devel, Tvrtko Ursulin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
commit 6e3f4514e3b432871ac81717d24f56b441857f77 upstream.
Fix a nasty copy and paste bug, where the incorrect boolean return type of
the ttm_pool_beneficial_order() helper had a consequence of avoiding
direct reclaim too eagerly for drivers which use this feature (currently
amdgpu).
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Fixes: 7e9c548d3709 ("drm/ttm: Allow drivers to specify maximum beneficial TTM pool size")
Cc: Christian König <christian.koenig@amd.com>
Cc: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v6.19+
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Link: https://lore.kernel.org/r/20260227124901.3177-1-tvrtko.ursulin@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/ttm/ttm_pool_internal.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/ttm/ttm_pool_internal.h b/drivers/gpu/drm/ttm/ttm_pool_internal.h
index 82c4b7e56a99..24c179fd69d1 100644
--- a/drivers/gpu/drm/ttm/ttm_pool_internal.h
+++ b/drivers/gpu/drm/ttm/ttm_pool_internal.h
@@ -17,7 +17,7 @@ static inline bool ttm_pool_uses_dma32(struct ttm_pool *pool)
return pool->alloc_flags & TTM_ALLOCATION_POOL_USE_DMA32;
}
-static inline bool ttm_pool_beneficial_order(struct ttm_pool *pool)
+static inline unsigned int ttm_pool_beneficial_order(struct ttm_pool *pool)
{
return pool->alloc_flags & 0xff;
}
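Review bot: `pool->alloc_flags & 0xff` in ttm_pool_beneficial_order() uses a bare mask, while the neighbouring ttm_pool_uses_dma32() tests a named flag, TTM_ALLOCATION_POOL_USE_DMA32. Now that the return type carries the full value, a named mask for the order bits would show which part of alloc_flags holds the order and make a repeat of the copied bool signature less likely.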
--
2.53.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 282/378] crypto: ccp - allow callers to use HV-Fixed page API when SEV is disabled
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 281/378] drm/ttm: Fix ttm_pool_beneficial_order() return type Greg Kroah-Hartman
@ 2026-03-17 16:33 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 283/378] s390/stackleak: Fix __stackleak_poison() inline assembly constraint Greg Kroah-Hartman
` (102 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ashish Kalra, Tom Lendacky,
Herbert Xu
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ashish Kalra <ashish.kalra@amd.com>
commit 8168a7b72bdee3790b126f63bd30306759206b15 upstream.
When SEV is disabled, the HV-Fixed page allocation call fails, which in
turn causes SFS initialization to fail.
Fix the HV-Fixed API so callers (for example, SFS) can use it even when
SEV is disabled by performing normal page allocation and freeing.
Fixes: e09701dcdd9c ("crypto: ccp - Add new HV-Fixed page allocation/free API")
Cc: stable@vger.kernel.org
Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/ccp/sev-dev.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -1105,15 +1105,12 @@ struct page *snp_alloc_hv_fixed_pages(un
{
struct psp_device *psp_master = psp_get_master_device();
struct snp_hv_fixed_pages_entry *entry;
- struct sev_device *sev;
unsigned int order;
struct page *page;
- if (!psp_master || !psp_master->sev_data)
+ if (!psp_master)
return NULL;
- sev = psp_master->sev_data;
-
order = get_order(PMD_SIZE * num_2mb_pages);
/*
@@ -1126,7 +1123,8 @@ struct page *snp_alloc_hv_fixed_pages(un
* This API uses SNP_INIT_EX to transition allocated pages to HV_Fixed
* page state, fail if SNP is already initialized.
*/
- if (sev->snp_initialized)
+ if (psp_master->sev_data &&
+ ((struct sev_device *)psp_master->sev_data)->snp_initialized)
return NULL;
/* Re-use freed pages that match the request */
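Review bot: the open-coded cast in the snp_initialized check, `((struct sev_device *)psp_master->sev_data)->snp_initialized`, is hard to read and replaces the typed `sev` local that the previous hunk removed. Keeping `struct sev_device *sev = psp_master->sev_data;` and testing `if (sev && sev->snp_initialized)` expresses the same condition without the cast.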
@@ -1162,7 +1160,7 @@ void snp_free_hv_fixed_pages(struct page
struct psp_device *psp_master = psp_get_master_device();
struct snp_hv_fixed_pages_entry *entry, *nentry;
- if (!psp_master || !psp_master->sev_data)
+ if (!psp_master)
return;
/*
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 283/378] s390/stackleak: Fix __stackleak_poison() inline assembly constraint
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2026-03-17 16:33 ` [PATCH 6.19 282/378] crypto: ccp - allow callers to use HV-Fixed page API when SEV is disabled Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 284/378] ata: libata-core: Disable LPM on ST1000DM010-2EP102 Greg Kroah-Hartman
` (101 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Vasily Gorbik
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
commit 674c5ff0f440a051ebf299d29a4c013133d81a65 upstream.
The __stackleak_poison() inline assembly comes with a "count" operand where
the "d" constraint is used. "count" is used with the exrl instruction and
"d" means that the compiler may allocate any register from 0 to 15.
If the compiler would allocate register 0 then the exrl instruction would
not or the value of "count" into the executed instruction - resulting in a
stackframe which is only partially poisoned.
Use the correct "a" constraint, which excludes register 0 from register
allocation.
Fixes: 2a405f6bb3a5 ("s390/stackleak: provide fast __stackleak_poison() implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Link: https://lore.kernel.org/r/20260302133500.1560531-4-hca@linux.ibm.com
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/include/asm/processor.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/s390/include/asm/processor.h
+++ b/arch/s390/include/asm/processor.h
@@ -158,7 +158,7 @@ static __always_inline void __stackleak_
" j 4f\n"
"3: mvc 8(1,%[addr]),0(%[addr])\n"
"4:"
- : [addr] "+&a" (erase_low), [count] "+&d" (count), [tmp] "=&a" (tmp)
+ : [addr] "+&a" (erase_low), [count] "+&a" (count), [tmp] "=&a" (tmp)
: [poison] "d" (poison)
: "memory", "cc"
);
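Review bot: the change of [count] from "+&d" to "+&a" carries no comment in the asm, so the reason, the changelog's point that exrl does not use the value when register 0 is allocated, lives only in the commit message. A short comment next to the output operands would stop a later cleanup from changing the constraint back to "d".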
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 284/378] ata: libata-core: Disable LPM on ST1000DM010-2EP102
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 283/378] s390/stackleak: Fix __stackleak_poison() inline assembly constraint Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 285/378] s390/xor: Fix xor_xc_2() inline assembly constraints Greg Kroah-Hartman
` (100 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filippo Baiamonte,
Maximilian Pezzullo, Damien Le Moal, Niklas Cassel
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maximilian Pezzullo <maximilianpezzullo@gmail.com>
commit b3b1d3ae1d87bc9398fb715c945968bf4c75a09a upstream.
According to a user report, the ST1000DM010-2EP102 has problems with LPM,
causing random system freezes. The drive belongs to the same BarraCuda
family as the ST2000DM008-2FR102 which has the same issue.
Cc: stable@vger.kernel.org
Fixes: 7627a0edef54 ("ata: ahci: Drop low power policy board type")
Reported-by: Filippo Baiamonte <filippo.ba03@bugzilla.kernel.org>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221163
Signed-off-by: Maximilian Pezzullo <maximilianpezzullo@gmail.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/libata-core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4186,6 +4186,7 @@ static const struct ata_dev_quirks_entry
ATA_QUIRK_FIRMWARE_WARN },
/* Seagate disks with LPM issues */
+ { "ST1000DM010-2EP102", NULL, ATA_QUIRK_NOLPM },
{ "ST2000DM008-2FR102", NULL, ATA_QUIRK_NOLPM },
/* drives which fail FPDMA_AA activation (some may freeze afterwards)
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 285/378] s390/xor: Fix xor_xc_2() inline assembly constraints
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 284/378] ata: libata-core: Disable LPM on ST1000DM010-2EP102 Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 286/378] drm/amd/display: Fallback to boot snapshot for dispclk Greg Kroah-Hartman
` (99 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Vasily Gorbik
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
commit f775276edc0c505dc0f782773796c189f31a1123 upstream.
The inline assembly constraints for xor_xc_2() are incorrect. "bytes",
"p1", and "p2" are input operands, while all three of them are modified
within the inline assembly. Given that the function consists only of this
inline assembly it seems unlikely that this may cause any problems, however
fix this in any case.
Fixes: 2cfc5f9ce7f5 ("s390/xor: optimized xor routing using the XC instruction")
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Link: https://lore.kernel.org/r/20260302133500.1560531-2-hca@linux.ibm.com
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/lib/xor.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/s390/lib/xor.c
+++ b/arch/s390/lib/xor.c
@@ -28,8 +28,8 @@ static void xor_xc_2(unsigned long bytes
" j 3f\n"
"2: xc 0(1,%1),0(%2)\n"
"3:"
- : : "d" (bytes), "a" (p1), "a" (p2)
- : "0", "cc", "memory");
+ : "+d" (bytes), "+a" (p1), "+a" (p2)
+ : : "0", "cc", "memory");
}
static void xor_xc_3(unsigned long bytes, unsigned long * __restrict p1,
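Review bot: only xor_xc_2() has its operands changed to "+d"/"+a", yet xor_xc_3() starts directly below in the same file and the changelog does not say whether the other xor_xc_*() variants also declare values they modify as plain inputs. Either cover them in the same change or note in the changelog that they were checked.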
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 286/378] drm/amd/display: Fallback to boot snapshot for dispclk
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 285/378] s390/xor: Fix xor_xc_2() inline assembly constraints Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 287/378] s390/xor: Fix xor_xc_5() inline assembly Greg Kroah-Hartman
` (98 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicholas Kazlauskas, Dillon Varone,
Alex Hung, Mario Limonciello, Alex Deucher, Dan Wheeler
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dillon Varone <Dillon.Varone@amd.com>
commit 30d937f63bd19bbcaafa4b892eb251f8bbbf04ef upstream.
[WHY & HOW]
If the dentist is unavailable, fallback to reading CLKIP via the boot
snapshot to get the current dispclk.
Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Signed-off-by: Dillon Varone <Dillon.Varone@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 2ab77600d1e55a042c02437326d3c7563e853c6c)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
@@ -71,7 +71,11 @@ void dcn401_initialize_min_clocks(struct
* audio corruption. Read current DISPCLK from DENTIST and request the same
* freq to ensure that the timing is valid and unchanged.
*/
- clocks->dispclk_khz = dc->clk_mgr->funcs->get_dispclk_from_dentist(dc->clk_mgr);
+ if (dc->clk_mgr->funcs->get_dispclk_from_dentist) {
+ clocks->dispclk_khz = dc->clk_mgr->funcs->get_dispclk_from_dentist(dc->clk_mgr);
+ } else {
+ clocks->dispclk_khz = dc->clk_mgr->boot_snapshot.dispclk * 1000;
+ }
}
clocks->ref_dtbclk_khz = dc->clk_mgr->bw_params->clk_table.entries[0].dtbclk_mhz * 1000;
clocks->fclk_p_state_change_support = true;
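Review bot: the comment just above the new if/else still says only "Read current DISPCLK from DENTIST", so the boot_snapshot fallback and its `* 1000` unit conversion are undocumented. Extend the comment to cover the case where get_dispclk_from_dentist is NULL and state the unit of boot_snapshot.dispclk. The braces around the two single-statement branches can also be dropped, per kernel coding style.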
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 287/378] s390/xor: Fix xor_xc_5() inline assembly
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 286/378] drm/amd/display: Fallback to boot snapshot for dispclk Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 288/378] slab: distinguish lock and trylock for sheaf_flush_main() Greg Kroah-Hartman
` (97 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Juergen Christ, Heiko Carstens,
Sven Schnelle, Vasily Gorbik
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasily Gorbik <gor@linux.ibm.com>
commit 5f25805303e201f3afaff0a90f7c7ce257468704 upstream.
xor_xc_5() contains a larl 1,2f that is not used by the asm and is not
declared as a clobber. This can corrupt a compiler-allocated value in %r1
and lead to miscompilation. Remove the instruction.
Fixes: 745600ed6965 ("s390/lib: Use exrl instead of ex in xor functions")
Cc: stable@vger.kernel.org
Reviewed-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
Reviewed-by: Sven Schnelle <svens@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/lib/xor.c | 1 -
1 file changed, 1 deletion(-)
--- a/arch/s390/lib/xor.c
+++ b/arch/s390/lib/xor.c
@@ -96,7 +96,6 @@ static void xor_xc_5(unsigned long bytes
const unsigned long * __restrict p5)
{
asm volatile(
- " larl 1,2f\n"
" aghi %0,-1\n"
" jm 6f\n"
" srlg 0,%0,8\n"
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 288/378] slab: distinguish lock and trylock for sheaf_flush_main()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 287/378] s390/xor: Fix xor_xc_5() inline assembly Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 289/378] memcg: fix slab accounting in refill_obj_stock() trylock path Greg Kroah-Hartman
` (96 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcelo Tosatti, Vlastimil Babka,
Harry Yoo, Hao Li, Vlastimil Babka (SUSE)
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vlastimil Babka <vbabka@suse.cz>
commit 48647d3f9a644d1e81af6558102d43cdb260597b upstream.
sheaf_flush_main() can be called from __pcs_replace_full_main() where
it's fine if the trylock fails, and pcs_flush_all() where it's not
expected to and for some flush callers (when destroying the cache or
memory hotremove) it would be actually a problem if it failed and left
the main sheaf not flushed. The flush callers can however safely use
local_lock() instead of trylock.
The trylock failure should not happen in practice on !PREEMPT_RT, but
can happen on PREEMPT_RT. The impact is limited in practice because when
a trylock fails in the kmem_cache_destroy() path, it means someone is
using the cache while destroying it, which is a bug on its own. The memory
hotremove path is unlikely to be employed in a production RT config, but
it's possible.
To fix this, split the function into sheaf_flush_main() (using
local_lock()) and sheaf_try_flush_main() (using local_trylock()) where
both call __sheaf_flush_main_batch() to flush a single batch of objects.
This will also allow lockdep to verify our context assumptions.
The problem was raised in an off-list question by Marcelo.
Fixes: 2d517aa09bbc ("slab: add opt-in caching layer of percpu sheaves")
Cc: stable@vger.kernel.org
Reported-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
Reviewed-by: Hao Li <hao.li@linux.dev>
Link: https://patch.msgid.link/20260211-b4-sheaf-flush-v1-1-4e7f492f0055@suse.cz
Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/slub.c | 47 +++++++++++++++++++++++++++++++++++++----------
1 file changed, 37 insertions(+), 10 deletions(-)
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2730,19 +2730,19 @@ static void __kmem_cache_free_bulk(struc
* object pointers are moved to a on-stack array under the lock. To bound the
* stack usage, limit each batch to PCS_BATCH_MAX.
*
- * returns true if at least partially flushed
+ * Must be called with s->cpu_sheaves->lock locked, returns with the lock
+ * unlocked.
+ *
+ * Returns how many objects are remaining to be flushed
*/
-static bool sheaf_flush_main(struct kmem_cache *s)
+static unsigned int __sheaf_flush_main_batch(struct kmem_cache *s)
{
struct slub_percpu_sheaves *pcs;
unsigned int batch, remaining;
void *objects[PCS_BATCH_MAX];
struct slab_sheaf *sheaf;
- bool ret = false;
-next_batch:
- if (!local_trylock(&s->cpu_sheaves->lock))
- return ret;
+ lockdep_assert_held(this_cpu_ptr(&s->cpu_sheaves->lock));
pcs = this_cpu_ptr(s->cpu_sheaves);
sheaf = pcs->main;
@@ -2760,10 +2760,37 @@ next_batch:
stat_add(s, SHEAF_FLUSH, batch);
- ret = true;
+ return remaining;
+}
- if (remaining)
- goto next_batch;
+static void sheaf_flush_main(struct kmem_cache *s)
+{
+ unsigned int remaining;
+
+ do {
+ local_lock(&s->cpu_sheaves->lock);
+
+ remaining = __sheaf_flush_main_batch(s);
+
+ } while (remaining);
+}
+
+/*
+ * Returns true if the main sheaf was at least partially flushed.
+ */
+static bool sheaf_try_flush_main(struct kmem_cache *s)
+{
+ unsigned int remaining;
+ bool ret = false;
+
+ do {
+ if (!local_trylock(&s->cpu_sheaves->lock))
+ return ret;
+
+ ret = true;
+ remaining = __sheaf_flush_main_batch(s);
+
+ } while (remaining);
return ret;
}
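Review bot: in sheaf_try_flush_main() `ret = true` is set as soon as local_trylock() succeeds, before __sheaf_flush_main_batch() runs, so the function reports that the lock was taken rather than that objects were flushed, which does not quite match its comment "at least partially flushed". Either reword the comment or derive ret from the batch result. Separately, sheaf_flush_main() takes local_lock() and relies on the helper to unlock; a one-line comment at the call site would make that pairing visible.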
@@ -6215,7 +6242,7 @@ alloc_empty:
if (put_fail)
stat(s, BARN_PUT_FAIL);
- if (!sheaf_flush_main(s))
+ if (!sheaf_try_flush_main(s))
return NULL;
if (!local_trylock(&s->cpu_sheaves->lock))
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 289/378] memcg: fix slab accounting in refill_obj_stock() trylock path
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 288/378] slab: distinguish lock and trylock for sheaf_flush_main() Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 290/378] ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() Greg Kroah-Hartman
` (95 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hao Li, Shakeel Butt,
Johannes Weiner, Michal Hocko, Muchun Song, Roman Gushchin,
Vlastimil Babka, Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hao Li <hao.li@linux.dev>
commit dccd5ee2625d50239510bcd73ed78559005e00a3 upstream.
In the trylock path of refill_obj_stock(), mod_objcg_mlstate() should use
the real alloc/free bytes (i.e., nr_acct) for accounting, rather than
nr_bytes.
The user-visible impact is that the NR_SLAB_RECLAIMABLE_B and
NR_SLAB_UNRECLAIMABLE_B stats can end up being incorrect.
For example, if a user allocates a 6144-byte object, then before this
fix refill_obj_stock() calls mod_objcg_mlstate(..., nr_bytes=2048), even
though it should account for 6144 bytes (i.e., nr_acct).
When the user later frees the same object with kfree(),
refill_obj_stock() calls mod_objcg_mlstate(..., nr_bytes=6144). This
ends up adding 6144 to the stats, but it should be applying -6144
(i.e., nr_acct) since the object is being freed.
Link: https://lkml.kernel.org/r/20260226115145.62903-1-hao.li@linux.dev
Fixes: 200577f69f29 ("memcg: objcg stock trylock without irq disabling")
Signed-off-by: Hao Li <hao.li@linux.dev>
Acked-by: Shakeel Butt <shakeel.butt@linux.dev>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: Vlastimil Babka <vbabka@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memcontrol.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -3052,7 +3052,7 @@ static void refill_obj_stock(struct obj_
if (!local_trylock(&obj_stock.lock)) {
if (pgdat)
- mod_objcg_mlstate(objcg, pgdat, idx, nr_bytes);
+ mod_objcg_mlstate(objcg, pgdat, idx, nr_acct);
nr_pages = nr_bytes >> PAGE_SHIFT;
nr_bytes = nr_bytes & (PAGE_SIZE - 1);
atomic_add(nr_bytes, &objcg->nr_charged_bytes);
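Review bot: nr_acct and nr_bytes now sit on adjacent lines of the trylock-failure branch with different meanings, and nothing in the code says which is which; the bug being fixed is exactly that mix-up. A one-line comment above the mod_objcg_mlstate() call stating that nr_acct is the signed slab-stat delta (negative on free, per the commit message) while nr_bytes feeds the nr_pages / nr_charged_bytes arithmetic below would keep a later edit from swapping them back.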
* [PATCH 6.19 290/378] ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit eac3361e3d5dd8067b3258c69615888eb45e9f25 upstream.
opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being
accessed after rcu_read_unlock() has been called. This creates a
race condition where the memory could be freed by a concurrent
writer between the unlock and the subsequent pointer dereferences
(opinfo->is_lease, etc.), leading to a use-after-free.
Fixes: 5fb282ba4fef ("ksmbd: fix possible null-deref in smb_lazy_parent_lease_break_close")
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/oplock.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -1123,10 +1123,12 @@ void smb_lazy_parent_lease_break_close(s
rcu_read_lock();
opinfo = rcu_dereference(fp->f_opinfo);
- rcu_read_unlock();
- if (!opinfo || !opinfo->is_lease || opinfo->o_lease->version != 2)
+ if (!opinfo || !opinfo->is_lease || opinfo->o_lease->version != 2) {
+ rcu_read_unlock();
return;
+ }
+ rcu_read_unlock();
p_ci = ksmbd_inode_lookup_lock(fp->filp->f_path.dentry->d_parent);
if (!p_ci)
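Review bot: rcu_read_unlock() is now duplicated on the early-return and fall-through paths, which is easy to unbalance in a later edit. Evaluating the condition into a local inside the read-side section and unlocking once keeps the lock pairing in one place. Separately, the section ends before ksmbd_inode_lookup_lock(), so this is sufficient only if the opinfo loaded here is not dereferenced again further down; if it is, opinfo_get()/opinfo_put() would be needed instead of a bare rcu_dereference().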
* [PATCH 6.19 291/378] smb: server: fix use-after-free in smb2_open()
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marios Makassikis, Namjae Jeon,
Steve French
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marios Makassikis <mmakassikis@freebox.fr>
commit 1e689a56173827669a35da7cb2a3c78ed5c53680 upstream.
The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is
dereferenced after rcu_read_unlock(), creating a use-after-free
window.
Cc: stable@vger.kernel.org
Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -3616,10 +3616,8 @@ int smb2_open(struct ksmbd_work *work)
reconnected_fp:
rsp->StructureSize = cpu_to_le16(89);
- rcu_read_lock();
- opinfo = rcu_dereference(fp->f_opinfo);
+ opinfo = opinfo_get(fp);
rsp->OplockLevel = opinfo != NULL ? opinfo->level : 0;
- rcu_read_unlock();
rsp->Flags = 0;
rsp->CreateAction = cpu_to_le32(file_info);
rsp->CreationTime = cpu_to_le64(fp->create_time);
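Review bot: opinfo_get() takes a reference here that is dropped only by the opinfo_put() added in the next hunk, roughly forty lines later, and the code in between is not part of the diff. Any return or goto in that span would now leak the reference, which could not happen with the old rcu_read_lock()/rcu_read_unlock() pair; confirm there is none, or say in the commit message why the reference has to be held that long.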
@@ -3660,6 +3658,7 @@ reconnected_fp:
next_ptr = &lease_ccontext->Next;
next_off = conn->vals->create_lease_size;
}
+ opinfo_put(opinfo);
if (maximal_access_ctxt) {
struct create_context *mxac_ccontext;
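Review bot: opinfo_put(opinfo) is called unconditionally, while the first hunk treats opinfo as possibly NULL (opinfo != NULL ? opinfo->level : 0). That is correct only if opinfo_put() tolerates a NULL argument; worth confirming, or guarding the call with if (opinfo).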
* [PATCH 6.19 292/378] ksmbd: Dont log keys in SMB3 signing and encryption key generation
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Namjae Jeon,
Steve French
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 441336115df26b966575de56daf7107ed474faed upstream.
When KSMBD_DEBUG_AUTH logging is enabled, generate_smb3signingkey() and
generate_smb3encryptionkey() log the session, signing, encryption, and
decryption key bytes. Remove the logs to avoid exposing credentials.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/auth.c | 22 ++--------------------
1 file changed, 2 insertions(+), 20 deletions(-)
--- a/fs/smb/server/auth.c
+++ b/fs/smb/server/auth.c
@@ -589,12 +589,8 @@ static int generate_smb3signingkey(struc
if (!(conn->dialect >= SMB30_PROT_ID && signing->binding))
memcpy(chann->smb3signingkey, key, SMB3_SIGN_KEY_SIZE);
- ksmbd_debug(AUTH, "dumping generated AES signing keys\n");
+ ksmbd_debug(AUTH, "generated SMB3 signing key\n");
ksmbd_debug(AUTH, "Session Id %llu\n", sess->id);
- ksmbd_debug(AUTH, "Session Key %*ph\n",
- SMB2_NTLMV2_SESSKEY_SIZE, sess->sess_key);
- ksmbd_debug(AUTH, "Signing Key %*ph\n",
- SMB3_SIGN_KEY_SIZE, key);
return 0;
}
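Review bot: with the key dumps gone, the two remaining ksmbd_debug() calls split one event across two log lines, which makes it hard to tie the message to a session when several sessions authenticate at once. Folding them into a single line such as ksmbd_debug(AUTH, "generated SMB3 signing key for session %llu\n", sess->id) would help; the same applies to the encryption-key hunk that follows.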
@@ -652,23 +648,9 @@ static void generate_smb3encryptionkey(s
ptwin->decryption.context,
sess->smb3decryptionkey, SMB3_ENC_DEC_KEY_SIZE);
- ksmbd_debug(AUTH, "dumping generated AES encryption keys\n");
+ ksmbd_debug(AUTH, "generated SMB3 encryption/decryption keys\n");
ksmbd_debug(AUTH, "Cipher type %d\n", conn->cipher_type);
ksmbd_debug(AUTH, "Session Id %llu\n", sess->id);
- ksmbd_debug(AUTH, "Session Key %*ph\n",
- SMB2_NTLMV2_SESSKEY_SIZE, sess->sess_key);
- if (conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
- conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM) {
- ksmbd_debug(AUTH, "ServerIn Key %*ph\n",
- SMB3_GCM256_CRYPTKEY_SIZE, sess->smb3encryptionkey);
- ksmbd_debug(AUTH, "ServerOut Key %*ph\n",
- SMB3_GCM256_CRYPTKEY_SIZE, sess->smb3decryptionkey);
- } else {
- ksmbd_debug(AUTH, "ServerIn Key %*ph\n",
- SMB3_GCM128_CRYPTKEY_SIZE, sess->smb3encryptionkey);
- ksmbd_debug(AUTH, "ServerOut Key %*ph\n",
- SMB3_GCM128_CRYPTKEY_SIZE, sess->smb3decryptionkey);
- }
}
void ksmbd_gen_smb30_encryptionkey(struct ksmbd_conn *conn,
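Review bot: the commit message does not mention that logs already collected with KSMBD_DEBUG_AUTH enabled still hold the values the removed lines printed (Session Key, ServerIn Key, ServerOut Key). A sentence saying so would tell operators applying this update that existing kernel logs from such systems have to be treated as containing key material.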
* [PATCH 6.19 293/378] ksmbd: fix use-after-free by using call_rcu() for oplock_info
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit 1dfd062caa165ec9d7ee0823087930f3ab8a6294 upstream.
ksmbd currently frees oplock_info immediately using kfree(), even
though it is accessed under RCU read-side critical sections in places
like opinfo_get() and proc_show_files().
Since there is no RCU grace period delay between nullifying the pointer
and freeing the memory, a reader can still access oplock_info
structure after it has been freed. This can lead to a use-after-free
especially in opinfo_get() where atomic_inc_not_zero() is called on
already freed memory.
Fix this by switching to deferred freeing using call_rcu().
Fixes: 18b4fac5ef17 ("ksmbd: fix use-after-free in smb_break_all_levII_oplock()")
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/oplock.c | 29 +++++++++++++++++++++--------
fs/smb/server/oplock.h | 5 +++--
2 files changed, 24 insertions(+), 10 deletions(-)
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -120,7 +120,7 @@ static void free_lease(struct oplock_inf
kfree(lease);
}
-static void free_opinfo(struct oplock_info *opinfo)
+static void __free_opinfo(struct oplock_info *opinfo)
{
if (opinfo->is_lease)
free_lease(opinfo);
@@ -129,6 +129,18 @@ static void free_opinfo(struct oplock_in
kfree(opinfo);
}
+static void free_opinfo_rcu(struct rcu_head *rcu)
+{
+ struct oplock_info *opinfo = container_of(rcu, struct oplock_info, rcu);
+
+ __free_opinfo(opinfo);
+}
+
+static void free_opinfo(struct oplock_info *opinfo)
+{
+ call_rcu(&opinfo->rcu, free_opinfo_rcu);
+}
+
struct oplock_info *opinfo_get(struct ksmbd_file *fp)
{
struct oplock_info *opinfo;
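Review bot: free_opinfo_rcu() runs __free_opinfo() from the RCU callback, which is atomic context, so everything on that path has to be non-sleeping. free_lease() and kfree() are visible here, but the lines of __free_opinfo() that fall between the two hunks are not shown and should be checked for the same property. A short comment on free_opinfo() saying that the free is deferred because opinfo_get() and proc_show_files() read the object under RCU would also document why a plain kfree() is wrong.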
@@ -176,9 +188,9 @@ void opinfo_put(struct oplock_info *opin
free_opinfo(opinfo);
}
-static void opinfo_add(struct oplock_info *opinfo)
+static void opinfo_add(struct oplock_info *opinfo, struct ksmbd_file *fp)
{
- struct ksmbd_inode *ci = opinfo->o_fp->f_ci;
+ struct ksmbd_inode *ci = fp->f_ci;
down_write(&ci->m_lock);
list_add(&opinfo->op_entry, &ci->m_op_list);
@@ -1279,20 +1291,21 @@ set_lev:
set_oplock_level(opinfo, req_op_level, lctx);
out:
- rcu_assign_pointer(fp->f_opinfo, opinfo);
- opinfo->o_fp = fp;
-
opinfo_count_inc(fp);
- opinfo_add(opinfo);
+ opinfo_add(opinfo, fp);
+
if (opinfo->is_lease) {
err = add_lease_global_list(opinfo);
if (err)
goto err_out;
}
+ rcu_assign_pointer(fp->f_opinfo, opinfo);
+ opinfo->o_fp = fp;
+
return 0;
err_out:
- free_opinfo(opinfo);
+ __free_opinfo(opinfo);
return err;
}
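Review bot: err_out now frees with __free_opinfo(), that is immediately, on the reasoning that fp->f_opinfo has not been published yet, but by the time add_lease_global_list() fails opinfo_add() has already linked the object into ci->m_op_list and opinfo_count_inc(fp) has run. The visible lines show neither a list_del() nor a count decrement before the free, so as far as this hunk goes a walker of m_op_list can still reach the freed object; unlink it first, or keep the deferred free_opinfo() on this path.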
--- a/fs/smb/server/oplock.h
+++ b/fs/smb/server/oplock.h
@@ -69,8 +69,9 @@ struct oplock_info {
struct lease *o_lease;
struct list_head op_entry;
struct list_head lease_entry;
- wait_queue_head_t oplock_q; /* Other server threads */
- wait_queue_head_t oplock_brk; /* oplock breaking wait */
+ wait_queue_head_t oplock_q; /* Other server threads */
+ wait_queue_head_t oplock_brk; /* oplock breaking wait */
+ struct rcu_head rcu;
};
struct lease_break_info {
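Review bot: struct rcu_head rcu is the only field in this block without a comment; a note that it is used by free_opinfo() for the call_rcu() deferred free would match its neighbours. The oplock_q and oplock_brk lines are removed and re-added with only their comment alignment changed, which adds noise to a fix that is headed for stable.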
* [PATCH 6.19 294/378] net: mctp: fix device leak on probe failure
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Jeremy Kerr,
Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 224a0d284c3caf1951302d1744a714784febed71 upstream.
Driver core holds a reference to the USB interface and its parent USB
device while the interface is bound to a driver and there is no need to
take additional references unless the structures are needed after
disconnect.
This driver takes a reference to the USB device during probe but does
not release it on probe failures.
Drop the redundant device reference to fix the leak, reduce cargo
culting, make it easier to spot drivers where an extra reference is
needed, and reduce the risk of further memory leaks.
Fixes: 0791c0327a6e ("net: mctp: Add MCTP USB transport driver")
Cc: stable@vger.kernel.org # 6.15
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Jeremy Kerr <jk@codeconstruct.com.au>
Link: https://patch.msgid.link/20260305104549.16110-1-johan@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/mctp/mctp-usb.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/net/mctp/mctp-usb.c
+++ b/drivers/net/mctp/mctp-usb.c
@@ -329,7 +329,7 @@ static int mctp_usb_probe(struct usb_int
SET_NETDEV_DEV(netdev, &intf->dev);
dev = netdev_priv(netdev);
dev->netdev = netdev;
- dev->usbdev = usb_get_dev(interface_to_usbdev(intf));
+ dev->usbdev = interface_to_usbdev(intf);
dev->intf = intf;
usb_set_intfdata(intf, dev);
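Review bot: dev->usbdev is now a borrowed pointer whose lifetime is the interface binding, and nothing at the assignment says so. A comment here that it must not be used after mctp_usb_disconnect() returns would protect against a later change adding deferred work or a late URB completion that touches it, which is the case where the usb_get_dev() reference would have been needed.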
@@ -365,7 +365,6 @@ static void mctp_usb_disconnect(struct u
mctp_unregister_netdev(dev->netdev);
usb_free_urb(dev->tx_urb);
usb_free_urb(dev->rx_urb);
- usb_put_dev(dev->usbdev);
free_netdev(dev->netdev);
}
* [PATCH 6.19 295/378] net: nexthop: fix percpu use-after-free in remove_nh_grp_entry
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mehul Rao, Eric Dumazet,
Ido Schimmel, Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mehul Rao <mehulrao@gmail.com>
commit b2662e7593e94ae09b1cf7ee5f09160a3612bcb2 upstream.
When removing a nexthop from a group, remove_nh_grp_entry() publishes
the new group via rcu_assign_pointer() then immediately frees the
removed entry's percpu stats with free_percpu(). However, the
synchronize_net() grace period in the caller remove_nexthop_from_groups()
runs after the free. RCU readers that entered before the publish still
see the old group and can dereference the freed stats via
nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a
use-after-free on percpu memory.
Fix by deferring the free_percpu() until after synchronize_net() in the
caller. Removed entries are chained via nh_list onto a local deferred
free list. After the grace period completes and all RCU readers have
finished, the percpu stats are safely freed.
Fixes: f4676ea74b85 ("net: nexthop: Add nexthop group entry stats")
Cc: stable@vger.kernel.org
Signed-off-by: Mehul Rao <mehulrao@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260306233821.196789-1-mehulrao@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/nexthop.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -2005,7 +2005,8 @@ static void nh_hthr_group_rebalance(stru
}
static void remove_nh_grp_entry(struct net *net, struct nh_grp_entry *nhge,
- struct nl_info *nlinfo)
+ struct nl_info *nlinfo,
+ struct list_head *deferred_free)
{
struct nh_grp_entry *nhges, *new_nhges;
struct nexthop *nhp = nhge->nh_parent;
@@ -2065,8 +2066,8 @@ static void remove_nh_grp_entry(struct n
rcu_assign_pointer(nhp->nh_grp, newg);
list_del(&nhge->nh_list);
- free_percpu(nhge->stats);
nexthop_put(nhge->nh);
+ list_add(&nhge->nh_list, deferred_free);
/* Removal of a NH from a resilient group is notified through
* bucket notifications.
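Review bot: list_del(&nhge->nh_list) followed two lines later by list_add(&nhge->nh_list, deferred_free) is a list_move(); writing it as list_move(&nhge->nh_list, deferred_free) makes it explicit that nh_list is being reused as the deferred-free link rather than leaving the entry unlinked in between.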
@@ -2086,6 +2087,7 @@ static void remove_nexthop_from_groups(s
struct nl_info *nlinfo)
{
struct nh_grp_entry *nhge, *tmp;
+ LIST_HEAD(deferred_free);
/* If there is nothing to do, let's avoid the costly call to
* synchronize_net()
@@ -2094,10 +2096,16 @@ static void remove_nexthop_from_groups(s
return;
list_for_each_entry_safe(nhge, tmp, &nh->grp_list, nh_list)
- remove_nh_grp_entry(net, nhge, nlinfo);
+ remove_nh_grp_entry(net, nhge, nlinfo, &deferred_free);
/* make sure all see the newly published array before releasing rtnl */
synchronize_net();
+
+ /* Now safe to free percpu stats — all RCU readers have finished */
+ list_for_each_entry_safe(nhge, tmp, &deferred_free, nh_list) {
+ list_del(&nhge->nh_list);
+ free_percpu(nhge->stats);
+ }
}
static void remove_nexthop_group(struct nexthop *nh, struct nl_info *nlinfo)
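Review bot: the deferred loop dereferences nhge itself after synchronize_net(), but the patch only defers free_percpu(nhge->stats); what keeps the nh_grp_entry storage valid until this loop runs is not visible in the diff. The comment above the loop should say so, since the safety of walking deferred_free depends on it.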
* [PATCH 6.19 296/378] net: ncsi: fix skb leak in error paths
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jian Zhang, Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Zhang <zhangjian.3032@bytedance.com>
commit 5c3398a54266541610c8d0a7082e654e9ff3e259 upstream.
Early return paths in NCSI RX and AEN handlers fail to release
the received skb, resulting in a memory leak.
Specifically, ncsi_aen_handler() returns on invalid AEN packets
without consuming the skb. Similarly, ncsi_rcv_rsp() exits early
when failing to resolve the NCSI device, response handler, or
request, leaving the skb unfreed.
CC: stable@vger.kernel.org
Fixes: 7a82ecf4cfb8 ("net/ncsi: NCSI AEN packet handler")
Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler")
Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
Link: https://patch.msgid.link/20260305060656.3357250-1-zhangjian.3032@bytedance.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ncsi/ncsi-aen.c | 3 ++-
net/ncsi/ncsi-rsp.c | 16 ++++++++++++----
2 files changed, 14 insertions(+), 5 deletions(-)
--- a/net/ncsi/ncsi-aen.c
+++ b/net/ncsi/ncsi-aen.c
@@ -224,7 +224,8 @@ int ncsi_aen_handler(struct ncsi_dev_pri
if (!nah) {
netdev_warn(ndp->ndev.dev, "Invalid AEN (0x%x) received\n",
h->type);
- return -ENOENT;
+ ret = -ENOENT;
+ goto out;
}
ret = ncsi_validate_aen_pkt(h, nah->payload);
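Review bot: the fix relies on the out label releasing the skb, but out is outside the hunk, so the diff alone does not show that the leak is closed. Confirm that out frees the skb and that nothing there dereferences nah, which is NULL on this new path.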
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -1176,8 +1176,10 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
/* Find the NCSI device */
nd = ncsi_find_dev(orig_dev);
ndp = nd ? TO_NCSI_DEV_PRIV(nd) : NULL;
- if (!ndp)
- return -ENODEV;
+ if (!ndp) {
+ ret = -ENODEV;
+ goto err_free_skb;
+ }
/* Check if it is AEN packet */
hdr = (struct ncsi_pkt_hdr *)skb_network_header(skb);
@@ -1199,7 +1201,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
if (!nrh) {
netdev_err(nd->dev, "Received unrecognized packet (0x%x)\n",
hdr->type);
- return -ENOENT;
+ ret = -ENOENT;
+ goto err_free_skb;
}
/* Associate with the request */
@@ -1207,7 +1210,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
nr = &ndp->requests[hdr->id];
if (!nr->used) {
spin_unlock_irqrestore(&ndp->lock, flags);
- return -ENODEV;
+ ret = -ENODEV;
+ goto err_free_skb;
}
nr->rsp = skb;
@@ -1261,4 +1265,8 @@ out_netlink:
out:
ncsi_free_request(nr);
return ret;
+
+err_free_skb:
+ kfree_skb(skb);
+ return ret;
}
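Review bot: err_free_skb is safe only on paths where ownership of the skb has not been handed off. The three gotos added above all sit before nr->rsp = skb, which is right, but the AEN branch just after the "Check if it is AEN packet" comment is not shown; since the ncsi-aen.c change makes ncsi_aen_handler() go through its own cleanup on error, make sure that branch returns directly and cannot reach kfree_skb(skb) a second time.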
* [PATCH 6.19 297/378] net: ethernet: arc: emac: quiesce interrupts before requesting IRQ
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fan Wu, Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fan Wu <fanwu01@zju.edu.cn>
commit 2503d08f8a2de618e5c3a8183b250ff4a2e2d52c upstream.
Normal RX/TX interrupts are enabled later, in arc_emac_open(), so probe
should not see interrupt delivery in the usual case. However, hardware may
still present stale or latched interrupt status left by firmware or the
bootloader.
If probe later unwinds after devm_request_irq() has installed the handler,
such a stale interrupt can still reach arc_emac_intr() during teardown and
race with release of the associated net_device.
Avoid that window by putting the device into a known quiescent state before
requesting the IRQ: disable all EMAC interrupt sources and clear any
pending EMAC interrupt status bits. This keeps the change hardware-focused
and minimal, while preventing spurious IRQ delivery from leftover state.
Fixes: e4f2379db6c6 ("ethernet/arc/arc_emac - Add new driver")
Cc: stable@vger.kernel.org
Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
Link: https://patch.msgid.link/20260309132409.584966-1-fanwu01@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/arc/emac_main.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/net/ethernet/arc/emac_main.c
+++ b/drivers/net/ethernet/arc/emac_main.c
@@ -934,6 +934,17 @@ int arc_emac_probe(struct net_device *nd
/* Set poll rate so that it polls every 1 ms */
arc_reg_set(priv, R_POLLRATE, clock_frequency / 1000000);
+ /*
+ * Put the device into a known quiescent state before requesting
+ * the IRQ. Clear only EMAC interrupt status bits here; leave the
+ * MDIO completion bit alone and avoid writing TXPL_MASK, which is
+ * used to force TX polling rather than acknowledge interrupts.
+ */
+ arc_reg_set(priv, R_ENABLE, 0);
+ arc_reg_set(priv, R_STATUS, RXINT_MASK | TXINT_MASK | ERR_MASK |
+ TXCH_MASK | MSER_MASK | RXCR_MASK |
+ RXFR_MASK | RXFL_MASK);
+
ndev->irq = irq;
dev_info(dev, "IRQ is %d\n", ndev->irq);
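Review bot: the eight-mask list written to R_STATUS is open-coded in probe, so it can drift from the set of bits the interrupt handler acknowledges. A named macro for the combined mask would keep the two in step. The comment should also state that R_STATUS is cleared by writing ones to the pending bits, since the call otherwise reads as setting them.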
* [PATCH 6.19 298/378] net: dsa: microchip: Fix error path in PTP IRQ setup
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
Bastien Curutchet (Schneider Electric), Simon Horman,
Vladimir Oltean, Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
commit 99c8c16a4aad0b37293cae213e15957c573cf79b upstream.
If request_threaded_irq() fails during the PTP message IRQ setup, the
newly created IRQ mapping is never disposed. Indeed, the
ksz_ptp_irq_setup()'s error path only frees the mappings that were
successfully set up.
Dispose the newly created mapping if the associated
request_threaded_irq() fails at setup.
Cc: stable@vger.kernel.org
Fixes: d0b8fec8ae505 ("net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}()")
Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
Link: https://patch.msgid.link/20260309-ksz-ptp-irq-fix-v1-1-757b3b985955@bootlin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/microchip/ksz_ptp.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--- a/drivers/net/dsa/microchip/ksz_ptp.c
+++ b/drivers/net/dsa/microchip/ksz_ptp.c
@@ -1095,6 +1095,7 @@ static int ksz_ptp_msg_irq_setup(struct
const struct ksz_dev_ops *ops = port->ksz_dev->dev_ops;
struct ksz_irq *ptpirq = &port->ptpirq;
struct ksz_ptp_irq *ptpmsg_irq;
+ int ret;
ptpmsg_irq = &port->ptpmsg_irq[n];
ptpmsg_irq->num = irq_create_mapping(ptpirq->domain, n);
@@ -1106,9 +1107,13 @@ static int ksz_ptp_msg_irq_setup(struct
strscpy(ptpmsg_irq->name, name[n]);
- return request_threaded_irq(ptpmsg_irq->num, NULL,
- ksz_ptp_msg_thread_fn, IRQF_ONESHOT,
- ptpmsg_irq->name, ptpmsg_irq);
+ ret = request_threaded_irq(ptpmsg_irq->num, NULL,
+ ksz_ptp_msg_thread_fn, IRQF_ONESHOT,
+ ptpmsg_irq->name, ptpmsg_irq);
+ if (ret)
+ irq_dispose_mapping(ptpmsg_irq->num);
+
+ return ret;
}
int ksz_ptp_irq_setup(struct dsa_switch *ds, u8 p)
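Review bot: after irq_dispose_mapping(ptpmsg_irq->num) on the failure path, ptpmsg_irq->num still holds the disposed virq number. Resetting it to 0 after the dispose would stop a later cleanup pass from freeing or disposing the same number again.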
* [PATCH 6.19 299/378] net: macb: Shuffle the tx ring before enabling tx
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quanyang Wang, Kevin Hao,
Simon Horman, Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Hao <haokexin@gmail.com>
commit 881a0263d502e1a93ebc13a78254e9ad19520232 upstream.
Quanyang observed that when using an NFS rootfs on an AMD ZynqMp board,
the rootfs may take an extended time to recover after a suspend.
Upon investigation, it was determined that the issue originates from a
problem in the macb driver.
According to the Zynq UltraScale TRM [1], when transmit is disabled,
the transmit buffer queue pointer resets to point to the address
specified by the transmit buffer queue base address register.
In the current implementation, the code merely resets `queue->tx_head`
and `queue->tx_tail` to '0'. This approach presents several issues:
- Packets already queued in the tx ring are silently lost,
leading to memory leaks since the associated skbs cannot be released.
- Concurrent write access to `queue->tx_head` and `queue->tx_tail` may
occur from `macb_tx_poll()` or `macb_start_xmit()` when these values
are reset to '0'.
- The transmission may become stuck on a packet that has already been sent
out, with its 'TX_USED' bit set, but has not yet been processed. However,
due to the manipulation of 'queue->tx_head' and 'queue->tx_tail',
`macb_tx_poll()` incorrectly assumes there are no packets to handle
because `queue->tx_head == queue->tx_tail`. This issue is only resolved
when a new packet is placed at this position. This is the root cause of
the prolonged recovery time observed for the NFS root filesystem.
To resolve this issue, shuffle the tx ring and tx skb array so that
the first unsent packet is positioned at the start of the tx ring.
Additionally, ensure that updates to `queue->tx_head` and
`queue->tx_tail` are properly protected with the appropriate lock.
[1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm
Fixes: bf9cf80cab81 ("net: macb: Fix tx/rx malfunction after phy link down and up")
Reported-by: Quanyang Wang <quanyang.wang@windriver.com>
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260307-zynqmp-v2-1-6ef98a70e1d0@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/cadence/macb_main.c | 98 ++++++++++++++++++++++++++++++-
1 file changed, 95 insertions(+), 3 deletions(-)
--- a/drivers/net/ethernet/cadence/macb_main.c
+++ b/drivers/net/ethernet/cadence/macb_main.c
@@ -36,6 +36,7 @@
#include <linux/tcp.h>
#include <linux/types.h>
#include <linux/udp.h>
+#include <linux/gcd.h>
#include <net/pkt_sched.h>
#include "macb.h"
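Review bot: the new #include <linux/gcd.h> is appended after <linux/udp.h>, while the neighbouring linux/ includes (tcp.h, types.h, udp.h) are in alphabetical order; it belongs in its sorted position.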
@@ -668,6 +669,97 @@ static void macb_mac_link_down(struct ph
netif_tx_stop_all_queues(ndev);
}
+/* Use juggling algorithm to left rotate tx ring and tx skb array */
+static void gem_shuffle_tx_one_ring(struct macb_queue *queue)
+{
+ unsigned int head, tail, count, ring_size, desc_size;
+ struct macb_tx_skb tx_skb, *skb_curr, *skb_next;
+ struct macb_dma_desc *desc_curr, *desc_next;
+ unsigned int i, cycles, shift, curr, next;
+ struct macb *bp = queue->bp;
+ unsigned char desc[24];
+ unsigned long flags;
+
+ desc_size = macb_dma_desc_get_size(bp);
+
+ if (WARN_ON_ONCE(desc_size > ARRAY_SIZE(desc)))
+ return;
+
+ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+ head = queue->tx_head;
+ tail = queue->tx_tail;
+ ring_size = bp->tx_ring_size;
+ count = CIRC_CNT(head, tail, ring_size);
+
+ if (!(tail % ring_size))
+ goto unlock;
+
+ if (!count) {
+ queue->tx_head = 0;
+ queue->tx_tail = 0;
+ goto unlock;
+ }
+
+ shift = tail % ring_size;
+ cycles = gcd(ring_size, shift);
+
+ for (i = 0; i < cycles; i++) {
+ memcpy(&desc, macb_tx_desc(queue, i), desc_size);
+ memcpy(&tx_skb, macb_tx_skb(queue, i),
+ sizeof(struct macb_tx_skb));
+
+ curr = i;
+ next = (curr + shift) % ring_size;
+
+ while (next != i) {
+ desc_curr = macb_tx_desc(queue, curr);
+ desc_next = macb_tx_desc(queue, next);
+
+ memcpy(desc_curr, desc_next, desc_size);
+
+ if (next == ring_size - 1)
+ desc_curr->ctrl &= ~MACB_BIT(TX_WRAP);
+ if (curr == ring_size - 1)
+ desc_curr->ctrl |= MACB_BIT(TX_WRAP);
+
+ skb_curr = macb_tx_skb(queue, curr);
+ skb_next = macb_tx_skb(queue, next);
+ memcpy(skb_curr, skb_next, sizeof(struct macb_tx_skb));
+
+ curr = next;
+ next = (curr + shift) % ring_size;
+ }
+
+ desc_curr = macb_tx_desc(queue, curr);
+ memcpy(desc_curr, &desc, desc_size);
+ if (i == ring_size - 1)
+ desc_curr->ctrl &= ~MACB_BIT(TX_WRAP);
+ if (curr == ring_size - 1)
+ desc_curr->ctrl |= MACB_BIT(TX_WRAP);
+ memcpy(macb_tx_skb(queue, curr), &tx_skb,
+ sizeof(struct macb_tx_skb));
+ }
+
+ queue->tx_head = count;
+ queue->tx_tail = 0;
+
+ /* Make descriptor updates visible to hardware */
+ wmb();
+
+unlock:
+ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+}
+
+/* Rotate the queue so that the tail is at index 0 */
+static void gem_shuffle_tx_rings(struct macb *bp)
+{
+ struct macb_queue *queue;
+ int q;
+
+ for (q = 0, queue = bp->queues; q < bp->num_queues; q++, queue++)
+ gem_shuffle_tx_one_ring(queue);
+}
+
static void macb_mac_link_up(struct phylink_config *config,
struct phy_device *phy,
unsigned int mode, phy_interface_t interface,
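Review bot: In the per-queue rotation, the `desc_size > ARRAY_SIZE(desc)` guard returns before anything is rotated, so a descriptor layout larger than the literal 24 leaves tx_head/tx_tail where they were with only a one-time warning. Sizing `desc` from the largest descriptor layout the driver supports, instead of a bare 24, would remove that path. Separately, the `if (i == ring_size - 1)` test after the inner loop cannot be true: i < cycles = gcd(ring_size, shift), and shift is between 1 and ring_size - 1 at that point, so i is at most ring_size - 2; drop the check or comment why it is kept.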
@@ -706,8 +798,6 @@ static void macb_mac_link_up(struct phyl
ctrl |= MACB_BIT(PAE);
for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue) {
- queue->tx_head = 0;
- queue->tx_tail = 0;
queue_writel(queue, IER,
bp->rx_intr_mask | MACB_TX_INT_FLAGS | MACB_BIT(HRESP));
}
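Review bot: The tx_head/tx_tail reset is dropped from this loop for every queue, while the replacement call to gem_shuffle_tx_rings() in the next hunk only runs when MACB_CAPS_MACB_IS_EMAC is clear. If this loop can be reached on EMAC parts, they lose the reset with nothing in its place; a comment or a line in the commit message confirming the loop sits under the same condition would settle it.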
@@ -721,8 +811,10 @@ static void macb_mac_link_up(struct phyl
spin_unlock_irqrestore(&bp->lock, flags);
- if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC))
+ if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC)) {
macb_set_tx_clk(bp, speed);
+ gem_shuffle_tx_rings(bp);
+ }
/* Enable Rx and Tx; Enable PTP unicast */
ctrl = macb_readl(bp, NCR);
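Review bot: The call to gem_shuffle_tx_rings() sits between macb_set_tx_clk() and the NCR read with no comment on why it must come before Tx is enabled, and it runs after bp->lock has been dropped. A one-line comment stating the ordering requirement, and that only tx_ptr_lock covers the rotation, would stop a later refactor from moving it.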
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 300/378] drm/amd/pm: remove invalid gpu_metrics.energy_accumulator on smu v13.0.x
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 299/378] net: macb: Shuffle the tx ring before enabling tx Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 301/378] drm/amdgpu: Fix use-after-free race in VM acquire Greg Kroah-Hartman
` (84 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Wang, Alex Deucher
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Wang <kevinyang.wang@amd.com>
commit 68785c5e79e0fc1eacf63026fbba32be3867f410 upstream.
v1:
The metrics->EnergyAccumulator field has been deprecated on newer pmfw.
v2:
add smu 13.0.0/13.0.7/13.0.10 support.
Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 8de9edb35976fa56565dc8fbb5d1310e8e10187c)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 8 +++++++-
drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 3 ++-
2 files changed, 9 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
@@ -2110,6 +2110,7 @@ static ssize_t smu_v13_0_0_get_gpu_metri
(struct gpu_metrics_v1_3 *)smu_table->gpu_metrics_table;
SmuMetricsExternal_t metrics_ext;
SmuMetrics_t *metrics = &metrics_ext.SmuMetrics;
+ uint32_t mp1_ver = amdgpu_ip_version(smu->adev, MP1_HWIP, 0);
int ret = 0;
ret = smu_cmn_get_metrics_table(smu,
@@ -2134,7 +2135,12 @@ static ssize_t smu_v13_0_0_get_gpu_metri
metrics->Vcn1ActivityPercentage);
gpu_metrics->average_socket_power = metrics->AverageSocketPower;
- gpu_metrics->energy_accumulator = metrics->EnergyAccumulator;
+
+ if ((mp1_ver == IP_VERSION(13, 0, 0) && smu->smc_fw_version <= 0x004e1e00) ||
+ (mp1_ver == IP_VERSION(13, 0, 10) && smu->smc_fw_version <= 0x00500800))
+ gpu_metrics->energy_accumulator = metrics->EnergyAccumulator;
+ else
+ gpu_metrics->energy_accumulator = UINT_MAX;
if (metrics->AverageGfxActivity <= SMU_13_0_0_BUSY_THRESHOLD)
gpu_metrics->average_gfxclk_frequency = metrics->AverageGfxclkFrequencyPostDs;
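Review bot: The firmware cut-offs 0x004e1e00 and 0x00500800 in the new condition are bare literals with no comment on which PMFW release each one encodes. Named constants or a comment giving the version would make the next update reviewable. It is also worth checking the width of gpu_metrics->energy_accumulator: UINT_MAX is an all-ones sentinel only if the field is 32 bits wide.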
--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
@@ -2120,7 +2120,8 @@ static ssize_t smu_v13_0_7_get_gpu_metri
metrics->Vcn1ActivityPercentage);
gpu_metrics->average_socket_power = metrics->AverageSocketPower;
- gpu_metrics->energy_accumulator = metrics->EnergyAccumulator;
+ gpu_metrics->energy_accumulator = smu->smc_fw_version <= 0x00521400 ?
+ metrics->EnergyAccumulator : UINT_MAX;
if (metrics->AverageGfxActivity <= SMU_13_0_7_BUSY_THRESHOLD)
gpu_metrics->average_gfxclk_frequency = metrics->AverageGfxclkFrequencyPostDs;
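Review bot: The fallback is written here as a ternary with a third bare threshold, 0x00521400, while smu_v13_0_0_ppt.c uses if/else for the same decision. One form in both files, with the cut-off given a name, would keep the two from drifting.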
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 301/378] drm/amdgpu: Fix use-after-free race in VM acquire
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 300/378] drm/amd/pm: remove invalid gpu_metrics.energy_accumulator on smu v13.0.x Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 302/378] drm/amd: Set num IP blocks to 0 if discovery fails Greg Kroah-Hartman
` (83 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harish Kasiviswanathan, Alysa Liu,
Alex Deucher
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alysa Liu <Alysa.Liu@amd.com>
commit 2c1030f2e84885cc58bffef6af67d5b9d2e7098f upstream.
Replace non-atomic vm->process_info assignment with cmpxchg()
to prevent race when parent/child processes sharing a drm_file
both try to acquire the same VM after fork().
Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
Signed-off-by: Alysa Liu <Alysa.Liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
@@ -1428,7 +1428,10 @@ static int init_kfd_vm(struct amdgpu_vm
*process_info = info;
}
- vm->process_info = *process_info;
+ if (cmpxchg(&vm->process_info, NULL, *process_info) != NULL) {
+ ret = -EINVAL;
+ goto already_acquired;
+ }
/* Validate page directory and attach eviction fence */
ret = amdgpu_bo_reserve(vm->root.bo, true);
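Review bot: When the cmpxchg() loses, the caller gets -EINVAL, which cannot be told apart from a bad argument; -EBUSY or -EEXIST would say that the VM was already acquired. A short comment above the cmpxchg() naming the fork() race from the commit message would also help, since the plain assignment it replaces looked harmless.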
@@ -1468,6 +1471,7 @@ validate_pd_fail:
amdgpu_bo_unreserve(vm->root.bo);
reserve_pd_fail:
vm->process_info = NULL;
+already_acquired:
if (info) {
dma_fence_put(&info->eviction_fence->base);
*process_info = NULL;
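Review bot: The already_acquired label is placed after `vm->process_info = NULL`, which is what keeps the losing task from clearing the winner's pointer, but nothing in the code says so. A comment on the label would protect that ordering; as written, moving the label up one line brings the bug back silently.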
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 302/378] drm/amd: Set num IP blocks to 0 if discovery fails
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 301/378] drm/amdgpu: Fix use-after-free race in VM acquire Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 303/378] drm/amd: Fix NULL pointer dereference in device cleanup Greg Kroah-Hartman
` (82 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lijo Lazar, Mario Limonciello,
Alex Deucher
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 3646ff28780b4c52c5b5081443199e7a430110e5 upstream.
If discovery has failed for any reason (such as no support for a block)
then there is no need to unwind all the IP blocks in fini. In this
condition there can actually be failures during the unwind too.
Reset num_ip_blocks to zero during failure path and skip the unnecessary
cleanup path.
Suggested-by: Lijo Lazar <lijo.lazar@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit fae5984296b981c8cc3acca35b701c1f332a6cd8)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 +++-
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -2843,8 +2843,10 @@ static int amdgpu_device_ip_early_init(s
break;
default:
r = amdgpu_discovery_set_ip_blocks(adev);
- if (r)
+ if (r) {
+ adev->num_ip_blocks = 0;
return r;
+ }
break;
}
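Review bot: num_ip_blocks is zeroed only on the amdgpu_discovery_set_ip_blocks() failure in the default: branch; any other error return from this function, if there is one, leaves the count as it was. If the intent is "early init failed, skip the unwind", resetting the count at a common error exit would cover every path.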
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
@@ -83,7 +83,7 @@ void amdgpu_driver_unload_kms(struct drm
{
struct amdgpu_device *adev = drm_to_adev(dev);
- if (adev == NULL)
+ if (adev == NULL || !adev->num_ip_blocks)
return;
amdgpu_unregister_gpu_instance(adev);
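Review bot: `!adev->num_ip_blocks` now doubles as the "discovery failed" flag in amdgpu_driver_unload_kms(), and the early return skips amdgpu_unregister_gpu_instance() along with everything after it. A comment saying that a zero count means early init never completed would make the check readable without the commit message.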
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 303/378] drm/amd: Fix NULL pointer dereference in device cleanup
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 302/378] drm/amd: Set num IP blocks to 0 if discovery fails Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 304/378] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding Greg Kroah-Hartman
` (81 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher, Mario Limonciello
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 062ea905fff7756b2e87143ffccaece5cdb44267 upstream.
When GPU initialization fails due to an unsupported HW block
IP blocks may have a NULL version pointer. During cleanup in
amdgpu_device_fini_hw, the code calls amdgpu_device_set_pg_state and
amdgpu_device_set_cg_state which iterate over all IP blocks and access
adev->ip_blocks[i].version without NULL checks, leading to a kernel
NULL pointer dereference.
Add NULL checks for adev->ip_blocks[i].version in both
amdgpu_device_set_cg_state and amdgpu_device_set_pg_state to prevent
dereferencing NULL pointers during GPU teardown when initialization has
failed.
Fixes: 39fc2bc4da00 ("drm/amdgpu: Protect GPU register accesses in powergated state in some paths")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit b7ac77468cda92eecae560b05f62f997a12fe2f2)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -3404,6 +3404,8 @@ int amdgpu_device_set_cg_state(struct am
i = state == AMD_CG_STATE_GATE ? j : adev->num_ip_blocks - j - 1;
if (!adev->ip_blocks[i].status.late_initialized)
continue;
+ if (!adev->ip_blocks[i].version)
+ continue;
/* skip CG for GFX, SDMA on S0ix */
if (adev->in_s0ix &&
(adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_GFX ||
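Review bot: The new `version` check skips the block silently, so a NULL version on a block that is marked late_initialized goes unnoticed. The commit message ties this to failed initialization only; a comment saying so, or folding the test into the late_initialized check above it, would make clear this is not expected in a normal teardown.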
@@ -3443,6 +3445,8 @@ int amdgpu_device_set_pg_state(struct am
i = state == AMD_PG_STATE_GATE ? j : adev->num_ip_blocks - j - 1;
if (!adev->ip_blocks[i].status.late_initialized)
continue;
+ if (!adev->ip_blocks[i].version)
+ continue;
/* skip PG for GFX, SDMA on S0ix */
if (adev->in_s0ix &&
(adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_GFX ||
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 304/378] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 303/378] drm/amd: Fix NULL pointer dereference in device cleanup Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 305/378] drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output Greg Kroah-Hartman
` (80 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Luca Ceresoli
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
commit 2f22702dc0fee06a240404e0f7ead5b789b253d8 upstream.
The DSI frequency must be in the range:
(CHA_DSI_CLK_RANGE * 5 MHz) <= DSI freq < ((CHA_DSI_CLK_RANGE + 1) * 5 MHz)
So the register value should point to the lower range value, but
DIV_ROUND_UP() rounds the division to the higher range value, resulting in
an excess of 1 (unless the frequency is an exact multiple of 5 MHz).
For example for a 437100000 MHz clock CHA_DSI_CLK_RANGE should be 87 (0x57):
(87 * 5 = 435) <= 437.1 < (88 * 5 = 440)
but current code returns 88 (0x58).
Fix the computation by removing the DIV_ROUND_UP().
Fixes: ceb515ba29ba ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver")
Cc: stable@vger.kernel.org
Reviewed-by: Marek Vasut <marek.vasut@mailbox.org>
Link: https://patch.msgid.link/20260226-ti-sn65dsi83-dual-lvds-fixes-and-test-pattern-v1-1-2e15f5a9a6a0@bootlin.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/ti-sn65dsi83.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
@@ -351,9 +351,9 @@ static u8 sn65dsi83_get_dsi_range(struct
* DSI_CLK = mode clock * bpp / dsi_data_lanes / 2
* the 2 is there because the bus is DDR.
*/
- return DIV_ROUND_UP(clamp((unsigned int)mode->clock *
- mipi_dsi_pixel_format_to_bpp(ctx->dsi->format) /
- ctx->dsi->lanes / 2, 40000U, 500000U), 5000U);
+ return clamp((unsigned int)mode->clock *
+ mipi_dsi_pixel_format_to_bpp(ctx->dsi->format) /
+ ctx->dsi->lanes / 2, 40000U, 500000U) / 5000U;
}
static u8 sn65dsi83_get_dsi_div(struct sn65dsi83 *ctx)
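Review bot: The comment kept above the return still only explains the DSI_CLK formula; nothing says the truncating `/ 5000U` is deliberate. One line stating that the register holds the lower bound of the 5 MHz range would keep someone from changing it back to DIV_ROUND_UP().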
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 305/378] drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 304/378] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 306/378] drm/i915: Fix potential overflow of shmem scatterlist length Greg Kroah-Hartman
` (79 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Luca Ceresoli
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
commit d0d727746944096a6681dc6adb5f123fc5aa018d upstream.
Dual LVDS output (available on the SN65DSI84) requires HSYNC_PULSE_WIDTH
and HORIZONTAL_BACK_PORCH to be divided by two with respect to the values
used for single LVDS output.
While not clearly stated in the datasheet, this is needed according to the
DSI Tuner [0] output. It also makes sense intuitively because in dual LVDS
output two pixels at a time are output and so the output clock is half of
the pixel clock.
Some dual-LVDS panels refuse to show any picture without this fix.
Divide by two HORIZONTAL_FRONT_PORCH too, even though this register is used
only for test pattern generation which is not currently implemented by this
driver.
[0] https://www.ti.com/tool/DSI-TUNER
Fixes: ceb515ba29ba ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver")
Cc: stable@vger.kernel.org
Reviewed-by: Marek Vasut <marek.vasut@mailbox.org>
Link: https://patch.msgid.link/20260226-ti-sn65dsi83-dual-lvds-fixes-and-test-pattern-v1-2-2e15f5a9a6a0@bootlin.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/ti-sn65dsi83.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
@@ -474,6 +474,7 @@ static void sn65dsi83_atomic_pre_enable(
struct drm_atomic_state *state)
{
struct sn65dsi83 *ctx = bridge_to_sn65dsi83(bridge);
+ const unsigned int dual_factor = ctx->lvds_dual_link ? 2 : 1;
const struct drm_bridge_state *bridge_state;
const struct drm_crtc_state *crtc_state;
const struct drm_display_mode *mode;
@@ -606,18 +607,18 @@ static void sn65dsi83_atomic_pre_enable(
/* 32 + 1 pixel clock to ensure proper operation */
le16val = cpu_to_le16(32 + 1);
regmap_bulk_write(ctx->regmap, REG_VID_CHA_SYNC_DELAY_LOW, &le16val, 2);
- le16val = cpu_to_le16(mode->hsync_end - mode->hsync_start);
+ le16val = cpu_to_le16((mode->hsync_end - mode->hsync_start) / dual_factor);
regmap_bulk_write(ctx->regmap, REG_VID_CHA_HSYNC_PULSE_WIDTH_LOW,
&le16val, 2);
le16val = cpu_to_le16(mode->vsync_end - mode->vsync_start);
regmap_bulk_write(ctx->regmap, REG_VID_CHA_VSYNC_PULSE_WIDTH_LOW,
&le16val, 2);
regmap_write(ctx->regmap, REG_VID_CHA_HORIZONTAL_BACK_PORCH,
- mode->htotal - mode->hsync_end);
+ (mode->htotal - mode->hsync_end) / dual_factor);
regmap_write(ctx->regmap, REG_VID_CHA_VERTICAL_BACK_PORCH,
mode->vtotal - mode->vsync_end);
regmap_write(ctx->regmap, REG_VID_CHA_HORIZONTAL_FRONT_PORCH,
- mode->hsync_start - mode->hdisplay);
+ (mode->hsync_start - mode->hdisplay) / dual_factor);
regmap_write(ctx->regmap, REG_VID_CHA_VERTICAL_FRONT_PORCH,
mode->vsync_start - mode->vdisplay);
regmap_write(ctx->regmap, REG_VID_CHA_TEST_PATTERN, 0x00);
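Review bot: The three `/ dual_factor` divisions truncate, so an odd hsync width or porch loses a pixel clock in dual-link mode without any indication. If odd values are valid input, say in a comment which way the rounding is meant to go. The HORIZONTAL_FRONT_PORCH write also deserves the commit message's remark, as a comment, that the register only matters for test patterns.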
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 306/378] drm/i915: Fix potential overflow of shmem scatterlist length
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 305/378] drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 307/378] drm/i915/psr: Repeat Selective Update area alignment Greg Kroah-Hartman
` (78 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Andrew Morton, Janusz Krzysztofik, Andi Shyti, Tvrtko Ursulin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
commit 029ae067431ab9d0fca479bdabe780fa436706ea upstream.
When a scatterlists table of a GEM shmem object of size 4 GB or more is
populated with pages allocated from a folio, unsigned int .length
attribute of a scatterlist may get overflowed if total byte length of
pages allocated to that single scatterlist happens to reach or cross the
4GB limit. As a consequence, users of the object may suffer from hitting
unexpected, premature end of the object's backing pages.
[278.780187] ------------[ cut here ]------------
[278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg+0x199/0x1d0 [i915]
...
[278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gem_mmap_offset Tainted: G S U 6.17.0-rc1-CI_DRM_16981-ged823aaa0607+ #1 PREEMPT(voluntary)
[278.780656] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
[278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024
[278.780659] RIP: 0010:remap_sg+0x199/0x1d0 [i915]
...
[278.780786] Call Trace:
[278.780787] <TASK>
[278.780788] ? __apply_to_page_range+0x3e6/0x910
[278.780795] ? __pfx_remap_sg+0x10/0x10 [i915]
[278.780906] apply_to_page_range+0x14/0x30
[278.780908] remap_io_sg+0x14d/0x260 [i915]
[278.781013] vm_fault_cpu+0xd2/0x330 [i915]
[278.781137] __do_fault+0x3a/0x1b0
[278.781140] do_fault+0x322/0x640
[278.781143] __handle_mm_fault+0x938/0xfd0
[278.781150] handle_mm_fault+0x12c/0x300
[278.781152] ? lock_mm_and_find_vma+0x4b/0x760
[278.781155] do_user_addr_fault+0x2d6/0x8e0
[278.781160] exc_page_fault+0x96/0x2c0
[278.781165] asm_exc_page_fault+0x27/0x30
...
That issue was apprehended by the author of a change that introduced it,
and potential risk even annotated with a comment, but then never addressed.
When adding folio pages to a scatterlist table, take care of byte length
of any single scatterlist not exceeding max_segment.
Fixes: 0b62af28f249b ("i915: convert shmem_sg_free_table() to use a folio_batch")
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14809
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org # v6.5+
Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Link: https://lore.kernel.org/r/20260224094944.2447913-2-janusz.krzysztofik@linux.intel.com
(cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c
@@ -151,8 +151,12 @@ int shmem_sg_alloc_table(struct drm_i915
}
} while (1);
- nr_pages = min_t(unsigned long,
- folio_nr_pages(folio), page_count - i);
+ nr_pages = min_array(((unsigned long[]) {
+ folio_nr_pages(folio),
+ page_count - i,
+ max_segment / PAGE_SIZE,
+ }), 3);
+
if (!i ||
sg->length >= max_segment ||
folio_pfn(folio) != next_pfn) {
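Review bot: `min_array()` over a compound literal is a heavy way to take the minimum of three values; if the operand types allow it, min3() says the same on one line. `max_segment / PAGE_SIZE` also evaluates to 0 when max_segment is below one page, which would make nr_pages 0 for a new segment, so the assumption that max_segment is at least PAGE_SIZE is worth stating.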
@@ -162,7 +166,9 @@ int shmem_sg_alloc_table(struct drm_i915
st->nents++;
sg_set_folio(sg, folio, nr_pages * PAGE_SIZE, 0);
} else {
- /* XXX: could overflow? */
+ nr_pages = min_t(unsigned long, nr_pages,
+ (max_segment - sg->length) / PAGE_SIZE);
+
sg->length += nr_pages * PAGE_SIZE;
}
next_pfn = folio_pfn(folio) + nr_pages;
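Review bot: In the else branch, `(max_segment - sg->length) / PAGE_SIZE` is 0 whenever fewer than PAGE_SIZE bytes of room remain, which can happen if max_segment is not a multiple of PAGE_SIZE; nr_pages then becomes 0 and next_pfn does not advance. The removed `/* XXX: could overflow? */` should be replaced by a comment stating that max_segment is page-aligned (or by a check for it), since the `sg->length >= max_segment` test above only catches the exactly-full case.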
^ permalink raw reply [flat|nested] 396+ messages in thread
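The overflow described in the commit message above, as an added example that is not part of the patch or of the i915 driver: a user-space C model of coalescing contiguous page runs into segments whose length is 32 bits wide, with and without the clamp. The names struct extent, struct seg and build_segments(), the sample page runs and the 4 KiB page size are constructed for illustration, and max_segment is assumed to be a multiple of the page size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ     4096u        /* assumption: 4 KiB pages */
#define MAX_SEGMENT 0xFFFFF000u  /* constructed: UINT32_MAX rounded down to a page */

struct extent { uint64_t pfn, nr_pages; };        /* one physically contiguous run */
struct seg    { uint64_t pfn; uint32_t length; }; /* 32-bit byte length, as in the message */

static uint64_t min_u64(uint64_t a, uint64_t b) { return a < b ? a : b; }

/*
 * Coalesce runs into segments. clamp == 0 models the logic before the fix
 * (length may wrap); clamp != 0 limits every step to the room left in the
 * current segment. Returns the number of segments written, or 0 if
 * max_segment is not a whole number of pages.
 */
static size_t build_segments(const struct extent *ext, size_t n_ext,
                             uint32_t max_segment, int clamp,
                             struct seg *out, size_t cap)
{
    size_t n = 0;
    uint64_t next_pfn = 0;

    if (max_segment < PAGE_SZ || max_segment % PAGE_SZ)
        return 0;

    for (size_t e = 0; e < n_ext; e++) {
        uint64_t pfn = ext[e].pfn, left = ext[e].nr_pages;

        while (left) {
            struct seg *sg = n ? &out[n - 1] : NULL;
            uint64_t nr = left;

            if (clamp)  /* never put more than one full segment in a step */
                nr = min_u64(nr, max_segment / PAGE_SZ);

            if (!sg || sg->length >= max_segment || pfn != next_pfn) {
                if (n == cap)
                    return n;
                sg = &out[n++];
                sg->pfn = pfn;
                sg->length = (uint32_t)(nr * PAGE_SZ);
            } else {
                if (clamp)  /* only as many pages as still fit */
                    nr = min_u64(nr, (max_segment - sg->length) / PAGE_SZ);
                sg->length += (uint32_t)(nr * PAGE_SZ); /* wraps when unclamped */
            }
            pfn += nr;
            left -= nr;
            next_pfn = pfn;
        }
    }
    return n;
}

/* Sum of segment lengths: what a consumer walking the table would see. */
static uint64_t total_bytes(const struct seg *s, size_t n)
{
    uint64_t sum = 0;

    for (size_t i = 0; i < n; i++)
        sum += s[i].length;
    return sum;
}

/* Constructed input: two adjacent 2 GiB runs, 4 GiB of backing pages in total. */
static const struct extent sample[] = {
    { 0x100000, 524288 },
    { 0x100000 + 524288, 524288 },
};

static size_t demo_segments(int clamp)
{
    struct seg s[8];

    return build_segments(sample, 2, MAX_SEGMENT, clamp, s, 8);
}

static uint64_t demo_bytes(int clamp)
{
    struct seg s[8];
    size_t n = build_segments(sample, 2, MAX_SEGMENT, clamp, s, 8);

    return total_bytes(s, n);
}

int main(void)
{
    printf("unclamped: %zu segment(s), %llu bytes visible\n",
           demo_segments(0), (unsigned long long)demo_bytes(0));
    printf("clamped:   %zu segment(s), %llu bytes visible\n",
           demo_segments(1), (unsigned long long)demo_bytes(1));
    return 0;
}
```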
* [PATCH 6.19 307/378] drm/i915/psr: Repeat Selective Update area alignment
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 306/378] drm/i915: Fix potential overflow of shmem scatterlist length Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 308/378] drm/msm: Fix dma_free_attrs() buffer size Greg Kroah-Hartman
` (77 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jouni Högander, Ankit Nautiyal,
Tvrtko Ursulin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jouni Högander <jouni.hogander@intel.com>
commit 1be2fca84f520105413d0d89ed04bb0ff742ab16 upstream.
Currently we are aligning Selective Update area to cover cursor fully if
needed only once. It may happen that cursor is in Selective Update area
after pipe alignment and after that covering cursor plane only
partially. Fix this by looping alignment as long as alignment isn't needed
anymore.
v2:
- do not unnecessarily loop if cursor was already fully covered
- rename aligned as su_area_changed
Fixes: 1bff93b8bc27 ("drm/i915/psr: Extend SU area to cover cursor fully if needed")
Cc: <stable@vger.kernel.org> # v6.9+
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
Link: https://patch.msgid.link/20260304113011.626542-2-jouni.hogander@intel.com
(cherry picked from commit 681e12440d8b110350a5709101169f319e10ccbb)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/display/intel_psr.c | 50 +++++++++++++++++++++++--------
1 file changed, 38 insertions(+), 12 deletions(-)
--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -2667,11 +2667,12 @@ static void clip_area_update(struct drm_
overlap_damage_area->y2 = damage_area->y2;
}
-static void intel_psr2_sel_fetch_pipe_alignment(struct intel_crtc_state *crtc_state)
+static bool intel_psr2_sel_fetch_pipe_alignment(struct intel_crtc_state *crtc_state)
{
struct intel_display *display = to_intel_display(crtc_state);
const struct drm_dsc_config *vdsc_cfg = &crtc_state->dsc.config;
u16 y_alignment;
+ bool su_area_changed = false;
/* ADLP aligns the SU region to vdsc slice height in case dsc is enabled */
if (crtc_state->dsc.compression_enable &&
@@ -2680,10 +2681,18 @@ static void intel_psr2_sel_fetch_pipe_al
else
y_alignment = crtc_state->su_y_granularity;
- crtc_state->psr2_su_area.y1 -= crtc_state->psr2_su_area.y1 % y_alignment;
- if (crtc_state->psr2_su_area.y2 % y_alignment)
+ if (crtc_state->psr2_su_area.y1 % y_alignment) {
+ crtc_state->psr2_su_area.y1 -= crtc_state->psr2_su_area.y1 % y_alignment;
+ su_area_changed = true;
+ }
+
+ if (crtc_state->psr2_su_area.y2 % y_alignment) {
crtc_state->psr2_su_area.y2 = ((crtc_state->psr2_su_area.y2 /
y_alignment) + 1) * y_alignment;
+ su_area_changed = true;
+ }
+
+ return su_area_changed;
}
/*
@@ -2816,7 +2825,7 @@ int intel_psr2_sel_fetch_update(struct i
struct intel_crtc_state *crtc_state = intel_atomic_get_new_crtc_state(state, crtc);
struct intel_plane_state *new_plane_state, *old_plane_state;
struct intel_plane *plane;
- bool full_update = false, cursor_in_su_area = false;
+ bool full_update = false, su_area_changed;
int i, ret;
if (!crtc_state->enable_psr2_sel_fetch)
@@ -2923,15 +2932,32 @@ int intel_psr2_sel_fetch_update(struct i
if (ret)
return ret;
- /*
- * Adjust su area to cover cursor fully as necessary (early
- * transport). This needs to be done after
- * drm_atomic_add_affected_planes to ensure visible cursor is added into
- * affected planes even when cursor is not updated by itself.
- */
- intel_psr2_sel_fetch_et_alignment(state, crtc, &cursor_in_su_area);
+ do {
+ bool cursor_in_su_area;
- intel_psr2_sel_fetch_pipe_alignment(crtc_state);
+ /*
+ * Adjust su area to cover cursor fully as necessary
+ * (early transport). This needs to be done after
+ * drm_atomic_add_affected_planes to ensure visible
+ * cursor is added into affected planes even when
+ * cursor is not updated by itself.
+ */
+ intel_psr2_sel_fetch_et_alignment(state, crtc, &cursor_in_su_area);
+
+ su_area_changed = intel_psr2_sel_fetch_pipe_alignment(crtc_state);
+
+ /*
+ * If the cursor was outside the SU area before
+ * alignment, the alignment step (which only expands
+ * SU) may pull the cursor partially inside, so we
+ * must run ET alignment again to fully cover it. But
+ * if the cursor was already fully inside before
+ * alignment, expanding the SU area won't change that,
+ * so no further work is needed.
+ */
+ if (cursor_in_su_area)
+ break;
+ } while (su_area_changed);
/*
* Now that we have the pipe damaged area check if it intersect with
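Review bot: `cursor_in_su_area` is now declared inside the loop without an initializer and tested right after intel_psr2_sel_fetch_et_alignment(); the `= false` removed in the previous hunk was the only thing guaranteeing a defined value if that helper returns without writing it. Keep the initializer (`bool cursor_in_su_area = false;`). The do/while also has no iteration bound, so a comment on why su_area_changed must eventually become false would help.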
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 308/378] drm/msm: Fix dma_free_attrs() buffer size
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 307/378] drm/i915/psr: Repeat Selective Update area alignment Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 309/378] drm/amd: Fix a few more NULL pointer dereference in device cleanup Greg Kroah-Hartman
` (76 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Dmitry Baryshkov,
Rob Clark
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit e4eb6e4dd6348dd00e19c2275e3fbaed304ca3bd upstream.
The gpummu->table buffer is alloc'd with size TABLE_SIZE + 32 in
a2xx_gpummu_new() but freed with size TABLE_SIZE in
a2xx_gpummu_destroy().
Change the free size to match the allocation.
Fixes: c2052a4e5c99 ("drm/msm: implement a2xx mmu")
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/707340/
Message-ID: <20260226095714.12126-2-fourier.thomas@gmail.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/msm/adreno/a2xx_gpummu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/msm/adreno/a2xx_gpummu.c
+++ b/drivers/gpu/drm/msm/adreno/a2xx_gpummu.c
@@ -78,7 +78,7 @@ static void a2xx_gpummu_destroy(struct m
{
struct a2xx_gpummu *gpummu = to_a2xx_gpummu(mmu);
- dma_free_attrs(mmu->dev, TABLE_SIZE, gpummu->table, gpummu->pt_base,
+ dma_free_attrs(mmu->dev, TABLE_SIZE + 32, gpummu->table, gpummu->pt_base,
DMA_ATTR_FORCE_CONTIGUOUS);
kfree(gpummu);
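Review bot: `TABLE_SIZE + 32` is now spelled out at the free site to mirror the allocation in a2xx_gpummu_new(), which is exactly how the two sizes drifted apart. A single named size used by both calls would keep them matched.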
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 309/378] drm/amd: Fix a few more NULL pointer dereference in device cleanup
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 308/378] drm/msm: Fix dma_free_attrs() buffer size Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 310/378] drm/msm/dpu: Correct the SA8775P intr_underrun/intr_underrun index Greg Kroah-Hartman
` (75 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher, Mario Limonciello
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 72ecb1dae72775fa9fea0159d8445d620a0a2295 upstream.
I found a few more paths that cleanup fails due to a NULL version pointer
on unsupported hardware.
Add NULL checks as applicable.
Fixes: 39fc2bc4da00 ("drm/amdgpu: Protect GPU register accesses in powergated state in some paths")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit f5a05f8414fc10f307eb965f303580c7778f8dd2)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -3654,6 +3654,8 @@ static int amdgpu_device_ip_fini_early(s
int i, r;
for (i = 0; i < adev->num_ip_blocks; i++) {
+ if (!adev->ip_blocks[i].version)
+ continue;
if (!adev->ip_blocks[i].version->funcs->early_fini)
continue;
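Review bot: The `version` NULL guard is being added loop by loop (here in the early-fini loop and twice more below), which leaves any loop not yet visited exposed. A small iterator that skips entries with a NULL version, or not counting such entries in num_ip_blocks in the first place, would fix the class rather than the instances.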
@@ -3730,6 +3732,8 @@ static int amdgpu_device_ip_fini(struct
if (!adev->ip_blocks[i].status.sw)
continue;
+ if (!adev->ip_blocks[i].version)
+ continue;
if (adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_GMC) {
amdgpu_ucode_free_bo(adev);
amdgpu_free_static_csa(&adev->virt.csa_obj);
@@ -3756,6 +3760,8 @@ static int amdgpu_device_ip_fini(struct
for (i = adev->num_ip_blocks - 1; i >= 0; i--) {
if (!adev->ip_blocks[i].status.late_initialized)
continue;
+ if (!adev->ip_blocks[i].version)
+ continue;
if (adev->ip_blocks[i].version->funcs->late_fini)
adev->ip_blocks[i].version->funcs->late_fini(&adev->ip_blocks[i]);
adev->ip_blocks[i].status.late_initialized = false;
* [PATCH 6.19 310/378] drm/msm/dpu: Correct the SA8775P intr_underrun/intr_underrun index
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abhinav Kumar, Yongxing Mou,
Konrad Dybcio, Dmitry Baryshkov
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abhinav Kumar <quic_abhinavk@quicinc.com>
commit 4ce71cea574658f5c5c7412b1a3cc54efe4f9b50 upstream.
The intr_underrun and intr_vsync indices have been swapped; simply
correct them.
Cc: stable@vger.kernel.org
Fixes: b139c80d181c ("drm/msm/dpu: Add SA8775P support")
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Yongxing Mou <yongxing.mou@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/709209/
Link: https://lore.kernel.org/r/20260305-mdss_catalog-v5-2-06678ac39ac7@oss.qualcomm.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_4_sa8775p.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_4_sa8775p.h
+++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_4_sa8775p.h
@@ -366,8 +366,8 @@ static const struct dpu_intf_cfg sa8775p
.type = INTF_NONE,
.controller_id = MSM_DP_CONTROLLER_0, /* pair with intf_0 for DP MST */
.prog_fetch_lines_worst_case = 24,
- .intr_underrun = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 17),
- .intr_vsync = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 16),
+ .intr_underrun = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 16),
+ .intr_vsync = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 17),
}, {
.name = "intf_7", .id = INTF_7,
.base = 0x3b000, .len = 0x280,
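Review bot: the swap to bit 16 for .intr_underrun and bit 17 for .intr_vsync is stated without a reference, and the hunk context does not show which INTF entry is being changed (only the following intf_7 is visible). The changelog should name the interface and the source for the bit assignment, and the subject line says "intr_underrun/intr_underrun" where the body talks about intr_underrun and intr_vsync.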
* [PATCH 6.19 311/378] drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ankit Nautiyal, Benjamin Tissoires,
Ville Syrjälä, Tvrtko Ursulin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
commit 237aab549676288d9255bb8dcc284738e56eaa31 upstream.
Apparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE
before enabling TRANS_DDI_FUNC_CTL.
Personally I was only able to reproduce a hang (on a Dell XPS 7390
2-in-1) with an external display connected via a dock using a dodgy
type-C cable that made the link training fail. After the failed
link training the machine would hang. TGL seemed immune to the
problem for whatever reason.
BSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL
as well. The DMC firmware also does the VRR restore in two stages:
- first stage seems to be unconditional and includes TRANS_VRR_CTL
and a few other VRR registers, among other things
- second stage is conditional on the DDI being enabled,
and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE,
among other things
So let's reorder the steps to match to avoid the hang, and
toss in an extra WARN to make sure we don't screw this up later.
BSpec: 22243
Cc: stable@vger.kernel.org
Cc: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
Reported-by: Benjamin Tissoires <bentiss@kernel.org>
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15777
Tested-by: Benjamin Tissoires <bentiss@kernel.org>
Fixes: dda7dcd9da73 ("drm/i915/vrr: Use fixed timings for platforms that support VRR")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patch.msgid.link/20260303095414.4331-1-ville.syrjala@linux.intel.com
Reviewed-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
(cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/display/intel_display.c | 1 -
drivers/gpu/drm/i915/display/intel_vrr.c | 14 ++++++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/display/intel_display.c
+++ b/drivers/gpu/drm/i915/display/intel_display.c
@@ -1614,7 +1614,6 @@ static void hsw_configure_cpu_transcoder
}
intel_set_transcoder_timings(crtc_state);
- intel_vrr_set_transcoder_timings(crtc_state);
if (cpu_transcoder != TRANSCODER_EDP)
intel_de_write(display, TRANS_MULT(display, cpu_transcoder),
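Review bot: removing "intel_vrr_set_transcoder_timings(crtc_state);" from hsw_configure_cpu_transcoder() means every caller of this function now depends on intel_vrr_transcoder_enable() running later to program the VRR timings. The changelog should list the enable paths that were checked, so that a path which configures the transcoder without reaching intel_vrr_transcoder_enable() is not left with unprogrammed VRR registers.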
--- a/drivers/gpu/drm/i915/display/intel_vrr.c
+++ b/drivers/gpu/drm/i915/display/intel_vrr.c
@@ -529,6 +529,18 @@ void intel_vrr_set_transcoder_timings(co
return;
/*
+ * Bspec says:
+ * "(note: VRR needs to be programmed after
+ * TRANS_DDI_FUNC_CTL and before TRANS_CONF)."
+ *
+ * In practice it turns out that ICL can hang if
+ * TRANS_VRR_VMAX/FLIPLINE are written before
+ * enabling TRANS_DDI_FUNC_CTL.
+ */
+ drm_WARN_ON(display->drm,
+ !(intel_de_read(display, TRANS_DDI_FUNC_CTL(display, cpu_transcoder)) & TRANS_DDI_FUNC_ENABLE));
+
+ /*
* This bit seems to have two meanings depending on the platform:
* TGL: generate VRR "safe window" for DSB vblank waits
* ADL/DG2: make TRANS_SET_CONTEXT_LATENCY effective with VRR
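Review bot: the drm_WARN_ON() on TRANS_DDI_FUNC_ENABLE only reports the ordering violation and then falls through to the VRR register writes that the new comment says can hang ICL. Since drm_WARN_ON() evaluates to its condition, returning early when it fires would turn a possible machine hang into a warning plus missing VRR setup. The condition line is also long enough to deserve a local variable for the register value.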
@@ -754,6 +766,8 @@ void intel_vrr_transcoder_enable(const s
{
struct intel_display *display = to_intel_display(crtc_state);
+ intel_vrr_set_transcoder_timings(crtc_state);
+
if (!intel_vrr_possible(crtc_state))
return;
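Review bot: "intel_vrr_set_transcoder_timings(crtc_state);" is placed ahead of the "!intel_vrr_possible(crtc_state)" early return in intel_vrr_transcoder_enable(), so it is now called on every transcoder enable, including configurations where VRR is not possible. A one-line comment saying that the placement before the check is deliberate would stop a later cleanup from moving the call below the return.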
* [PATCH 6.19 312/378] tracing: Fix enabling multiple events on the kernel command line and bootconfig
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Andrei-Alexandru Tachici, Steven Rostedt (Google)
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrei-Alexandru Tachici <andrei-alexandru.tachici@oss.qualcomm.com>
commit 3b1679e086bb869ca02722f6bd29b3573a6a0e7e upstream.
Multiple events can be enabled on the kernel command line via a comma
separator. But if they are specified one at a time, then only the last
event is enabled. This is because the event names are saved in a temporary
buffer, and each call by the init cmdline code will reset that buffer.
This also affects names in the boot config file, as it may call the
callback multiple times with an example of:
kernel.trace_event = ":mod:rproc_qcom_common", ":mod:qrtr", ":mod:qcom_aoss"
Change the cmdline callback function to append a comma and the next value
if the temporary buffer already has content.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/20260302-trace-events-allow-multiple-modules-v1-1-ce4436e37fb8@oss.qualcomm.com
Signed-off-by: Andrei-Alexandru Tachici <andrei-alexandru.tachici@oss.qualcomm.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -4341,7 +4341,11 @@ static char bootup_event_buf[COMMAND_LIN
static __init int setup_trace_event(char *str)
{
- strscpy(bootup_event_buf, str, COMMAND_LINE_SIZE);
+ if (bootup_event_buf[0] != '\0')
+ strlcat(bootup_event_buf, ",", COMMAND_LINE_SIZE);
+
+ strlcat(bootup_event_buf, str, COMMAND_LINE_SIZE);
+
trace_set_ring_buffer_expanded(NULL);
disable_tracing_selftest("running event tracing");
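Review bot: both strlcat() calls in setup_trace_event() ignore the return value, so once the accumulated names exceed COMMAND_LINE_SIZE the last event name is silently truncated (or only the separating comma fits) and a different or malformed event string is parsed later. Check for a return value >= COMMAND_LINE_SIZE and warn, and skip the append when str is empty so that repeated empty parameters do not add bare commas to bootup_event_buf.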
* [PATCH 6.19 313/378] tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Calvin Owens, Steven Rostedt (Google)
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Calvin Owens <calvin@wbinvd.org>
commit d008ba8be8984760e36d7dcd4adbd5a41a645708 upstream.
Some of the sizing logic through tracer_alloc_buffers() uses int
internally, causing unexpected behavior if the user passes a value that
does not fit in an int (on my x86 machine, the result is uselessly tiny
buffers).
Fix by plumbing the parameter's real type (unsigned long) through to the
ring buffer allocation functions, which already use unsigned long.
It has always been possible to create larger ring buffers via the sysfs
interface: this only affects the cmdline parameter.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/bff42a4288aada08bdf74da3f5b67a2c28b761f8.1772852067.git.calvin@wbinvd.org
Fixes: 73c5162aa362 ("tracing: keep ring buffer to minimum size till used")
Signed-off-by: Calvin Owens <calvin@wbinvd.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -10136,7 +10136,7 @@ static void setup_trace_scratch(struct t
}
static int
-allocate_trace_buffer(struct trace_array *tr, struct array_buffer *buf, int size)
+allocate_trace_buffer(struct trace_array *tr, struct array_buffer *buf, unsigned long size)
{
enum ring_buffer_flags rb_flags;
struct trace_scratch *tscratch;
@@ -10191,7 +10191,7 @@ static void free_trace_buffer(struct arr
}
}
-static int allocate_trace_buffers(struct trace_array *tr, int size)
+static int allocate_trace_buffers(struct trace_array *tr, unsigned long size)
{
int ret;
@@ -11557,7 +11557,7 @@ __init static void enable_instances(void
__init static int tracer_alloc_buffers(void)
{
- int ring_buf_size;
+ unsigned long ring_buf_size;
int ret = -ENOMEM;
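Review bot: ring_buf_size as unsigned long removes the int truncation described in the changelog, but unsigned long is still 32 bits wide on 32-bit builds, so there the ">= 2G" of the subject only extends to just under 4G. The changelog should say so, and any comparison or format string in tracer_alloc_buffers() that treated ring_buf_size as int needs the matching type.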
* [PATCH 6.19 314/378] net-shapers: dont free reply skb after genlmsg_reply()
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Moses, Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Moses <p@1g4.org>
commit 57885276cc16a2e2b76282c808a4e84cbecb3aae upstream.
genlmsg_reply() hands the reply skb to netlink, and
netlink_unicast() consumes it on all return paths, whether the
skb is queued successfully or freed on an error path.
net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit()
currently jump to free_msg after genlmsg_reply() fails and call
nlmsg_free(msg), which can hit the same skb twice.
Return the genlmsg_reply() error directly and keep free_msg
only for pre-reply failures.
Fixes: 4b623f9f0f59 ("net-shapers: implement NL get operation")
Fixes: 553ea9f1efd6 ("net: shaper: implement introspection support")
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moses <p@1g4.org>
Link: https://patch.msgid.link/20260309173450.538026-2-p@1g4.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/shaper/shaper.c | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
--- a/net/shaper/shaper.c
+++ b/net/shaper/shaper.c
@@ -759,11 +759,7 @@ int net_shaper_nl_get_doit(struct sk_buf
if (ret)
goto free_msg;
- ret = genlmsg_reply(msg, info);
- if (ret)
- goto free_msg;
-
- return 0;
+ return genlmsg_reply(msg, info);
free_msg:
nlmsg_free(msg);
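Review bot: after this change the free_msg label in net_shaper_nl_get_doit() must only be reached before genlmsg_reply() is called, but nothing in the code says so. A comment above "return genlmsg_reply(msg, info);" noting that the reply skb is consumed on both success and failure would keep a later cleanup from reintroducing the "goto free_msg" and with it the double free.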
@@ -1314,10 +1310,7 @@ int net_shaper_nl_cap_get_doit(struct sk
if (ret)
goto free_msg;
- ret = genlmsg_reply(msg, info);
- if (ret)
- goto free_msg;
- return 0;
+ return genlmsg_reply(msg, info);
free_msg:
nlmsg_free(msg);
* [PATCH 6.19 315/378] qmi_wwan: allow max_mtu above hard_mtu to control rx_urb_size
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Koen Vandeputte, Daniele Palmas,
Laurent Vivier, Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurent Vivier <lvivier@redhat.com>
commit 55f854dd5bdd8e19b936a00ef1f8d776ac32c7b0 upstream.
Commit c7159e960f14 ("usbnet: limit max_mtu based on device's hard_mtu")
capped net->max_mtu to the device's hard_mtu in usbnet_probe(). While
this correctly prevents oversized packets on standard USB network
devices, it breaks the qmi_wwan driver.
qmi_wwan relies on userspace (e.g. ModemManager) setting a large MTU on
the wwan0 interface to configure rx_urb_size via usbnet_change_mtu().
QMI modems negotiate USB transfer sizes of 16,383 or 32,767 bytes, and
the USB receive buffers must be sized accordingly. With max_mtu capped
to hard_mtu (~1500 bytes), userspace can no longer raise the MTU, the
receive buffers remain small, and download speeds drop from >300 Mbps
to ~0.8 Mbps.
Introduce a FLAG_NOMAXMTU driver flag that allows individual usbnet
drivers to opt out of the max_mtu cap. Set this flag in qmi_wwan's
driver_info structures to restore the previous behavior for QMI devices,
while keeping the safety fix in place for all other usbnet drivers.
Fixes: c7159e960f14 ("usbnet: limit max_mtu based on device's hard_mtu")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/lkml/CAPh3n803k8JcBPV5qEzUB-oKzWkAs-D5CU7z=Vd_nLRCr5ZqQg@mail.gmail.com/
Reported-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
Tested-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Link: https://patch.msgid.link/20260304134338.1785002-1-lvivier@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/qmi_wwan.c | 4 ++--
drivers/net/usb/usbnet.c | 7 ++++---
include/linux/usb/usbnet.h | 1 +
3 files changed, 7 insertions(+), 5 deletions(-)
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -928,7 +928,7 @@ err:
static const struct driver_info qmi_wwan_info = {
.description = "WWAN/QMI device",
- .flags = FLAG_WWAN | FLAG_SEND_ZLP,
+ .flags = FLAG_WWAN | FLAG_NOMAXMTU | FLAG_SEND_ZLP,
.bind = qmi_wwan_bind,
.unbind = qmi_wwan_unbind,
.manage_power = qmi_wwan_manage_power,
@@ -937,7 +937,7 @@ static const struct driver_info qmi_wwan
static const struct driver_info qmi_wwan_info_quirk_dtr = {
.description = "WWAN/QMI device",
- .flags = FLAG_WWAN | FLAG_SEND_ZLP,
+ .flags = FLAG_WWAN | FLAG_NOMAXMTU | FLAG_SEND_ZLP,
.bind = qmi_wwan_bind,
.unbind = qmi_wwan_unbind,
.manage_power = qmi_wwan_manage_power,
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1821,11 +1821,12 @@ usbnet_probe(struct usb_interface *udev,
if ((dev->driver_info->flags & FLAG_NOARP) != 0)
net->flags |= IFF_NOARP;
- if (net->max_mtu > (dev->hard_mtu - net->hard_header_len))
+ if ((dev->driver_info->flags & FLAG_NOMAXMTU) == 0 &&
+ net->max_mtu > (dev->hard_mtu - net->hard_header_len))
net->max_mtu = dev->hard_mtu - net->hard_header_len;
- if (net->mtu > net->max_mtu)
- net->mtu = net->max_mtu;
+ if (net->mtu > (dev->hard_mtu - net->hard_header_len))
+ net->mtu = dev->hard_mtu - net->hard_header_len;
} else if (!info->in || !info->out)
status = usbnet_get_endpoints(dev, udev);
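Review bot: with FLAG_NOMAXMTU set, usbnet_probe() leaves net->max_mtu at whatever value it already had, so for those drivers no upper bound on the MTU is enforced here, and per the changelog the MTU feeds rx_urb_size through usbnet_change_mtu(). The qmi_wwan hunks only add the flag and set no max_mtu of their own, so please state which limit applies to QMI devices, or have the driver set an explicit cap matching the 32,767-byte transfer size mentioned in the changelog. The net->mtu clamp now compares against "dev->hard_mtu - net->hard_header_len" directly; a comment that this keeps the initial MTU bounded even when max_mtu is not would make the intent clear.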
--- a/include/linux/usb/usbnet.h
+++ b/include/linux/usb/usbnet.h
@@ -132,6 +132,7 @@ struct driver_info {
#define FLAG_MULTI_PACKET 0x2000
#define FLAG_RX_ASSEMBLE 0x4000 /* rx packets may span >1 frames */
#define FLAG_NOARP 0x8000 /* device can't do ARP */
+#define FLAG_NOMAXMTU 0x10000 /* allow max_mtu above hard_mtu */
/* init device ... can sleep, or cause probe() failure */
int (*bind)(struct usbnet *, struct usb_interface *);
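Review bot: "FLAG_NOMAXMTU 0x10000" is the first driver flag above 0x8000, so it needs a flags field wider than 16 bits; the hunk does not show the type of the flags member of struct driver_info, so please confirm that it and any local copies of the flags are at least 32 bits. The comment should also say that a driver setting this flag is responsible for bounding max_mtu itself.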
* [PATCH 6.19 316/378] can: dev: keep the max bitrate error at 5%
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haibo Chen, stable,
Marc Kleine-Budde
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
commit 1eea46908c57abb7109b1fce024f366ae6c69c4f upstream.
Commit b360a13d44db ("can: dev: print bitrate error with two decimal
digits") changed calculation of the bit rate error from one-tenth of a
percent to one-hundredth of a percent, but forgot to adjust the scale of the
CAN_CALC_MAX_ERROR constant.
Keeping the existing logic unchanged: Only when the bitrate error exceeds
5% should an error be returned. Otherwise, simply output a warning log.
Fixes: b360a13d44db ("can: dev: print bitrate error with two decimal digits")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Link: https://patch.msgid.link/20260306-can-fix-v1-1-ac526cec6777@nxp.com
Cc: stable@kernel.org
[mkl: improve commit message]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/dev/calc_bittiming.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/can/dev/calc_bittiming.c b/drivers/net/can/dev/calc_bittiming.c
index cc4022241553..42498e9d3f38 100644
--- a/drivers/net/can/dev/calc_bittiming.c
+++ b/drivers/net/can/dev/calc_bittiming.c
@@ -8,7 +8,7 @@
#include <linux/units.h>
#include <linux/can/dev.h>
-#define CAN_CALC_MAX_ERROR 50 /* in one-tenth of a percent */
+#define CAN_CALC_MAX_ERROR 500 /* max error 5% */
/* CiA recommended sample points for Non Return to Zero encoding. */
static int can_calc_sample_point_nrz(const struct can_bittiming *bt)
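Review bot: the replacement comment "/* max error 5% */" drops the unit that the old comment carried, and a mismatch between the constant and the scale of the calculation is exactly what this patch fixes. Keep the scale in the comment, for example "in one-hundredth of a percent, i.e. 5%", so a future change to the error calculation has an obvious reminder to adjust CAN_CALC_MAX_ERROR.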
--
2.53.0
* [PATCH 6.19 317/378] io_uring/kbuf: check if target buffer list is still legacy on recycle
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Keenan Dong, Jens Axboe
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
commit c2c185be5c85d37215397c8e8781abf0a69bec1f upstream.
There's a gap between when the buffer was grabbed and when it
potentially gets recycled, where if the list is empty, someone could've
upgraded it to a ring provided type. This can happen if the request
is forced via io-wq. The legacy recycling is missing checking if the
buffer_list still exists, and if it's of the correct type. Add those
checks.
Cc: stable@vger.kernel.org
Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/kbuf.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -111,9 +111,18 @@ bool io_kbuf_recycle_legacy(struct io_ki
buf = req->kbuf;
bl = io_buffer_get_list(ctx, buf->bgid);
- list_add(&buf->list, &bl->buf_list);
- bl->nbufs++;
+ /*
+ * If the buffer list was upgraded to a ring-based one, or removed,
+ * while the request was in-flight in io-wq, drop it.
+ */
+ if (bl && !(bl->flags & IOBL_BUF_RING)) {
+ list_add(&buf->list, &bl->buf_list);
+ bl->nbufs++;
+ } else {
+ kfree(buf);
+ }
req->flags &= ~REQ_F_BUFFER_SELECTED;
+ req->kbuf = NULL;
io_ring_submit_unlock(ctx, issue_flags);
return true;
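Review bot: in the new else branch io_kbuf_recycle_legacy() frees the buffer with kfree(buf) but still returns true, the same value as when the buffer was put back on bl->buf_list. Callers that read the return value as "buffer recycled" should be checked, and the comment's "drop it" should say explicitly that the selected buffer is freed and no longer available in its group. Clearing req->kbuf after both branches is a good addition, since it leaves no stale pointer to the freed buffer.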
* [PATCH 6.19 318/378] cifs: make default value of retrans as zero
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bharath SM, Shyam Prasad N,
Steve French
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shyam Prasad N <sprasad@microsoft.com>
commit e3beefd3af09f8e460ddaf39063d3d7664d7ab59 upstream.
When retrans mount option was introduced, the default value was set
as 1. However, in the light of some bugs that this has exposed recently
we should change it to 0 and retain the old behaviour before this option
was introduced.
Cc: <stable@vger.kernel.org>
Reviewed-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/fs_context.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -1998,7 +1998,7 @@ int smb3_init_fs_context(struct fs_conte
ctx->backupuid_specified = false; /* no backup intent for a user */
ctx->backupgid_specified = false; /* no backup intent for a group */
- ctx->retrans = 1;
+ ctx->retrans = 0;
ctx->reparse_type = CIFS_REPARSE_TYPE_DEFAULT;
ctx->symlink_type = CIFS_SYMLINK_TYPE_DEFAULT;
ctx->nonativesocket = 0;
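Review bot: changing "ctx->retrans" from 1 to 0 alters the default for every mount that does not pass the retrans option, yet the changelog refers only to "some bugs" without naming them and the patch touches no documentation. Please reference the bug reports and update the mount option documentation so that users who want the previous default know to set retrans=1.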
* [PATCH 6.19 319/378] xfs: fix integer overflow in bmap intent sort comparator
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Long Li, Darrick J. Wong,
Carlos Maiolino
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <leo.lilong@huawei.com>
commit 362c490980867930a098b99f421268fbd7ca05fd upstream.
xfs_bmap_update_diff_items() sorts bmap intents by inode number using
a subtraction of two xfs_ino_t (uint64_t) values, with the result
truncated to int. This is incorrect when two inode numbers differ by
more than INT_MAX (2^31 - 1), which is entirely possible on large XFS
filesystems.
Fix this by replacing the subtraction with cmp_int().
Cc: <stable@vger.kernel.org> # v4.9
Fixes: 9f3afb57d5f1 ("xfs: implement deferred bmbt map/unmap operations")
Signed-off-by: Long Li <leo.lilong@huawei.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_bmap_item.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/xfs/xfs_bmap_item.c
+++ b/fs/xfs/xfs_bmap_item.c
@@ -247,7 +247,7 @@ xfs_bmap_update_diff_items(
struct xfs_bmap_intent *ba = bi_entry(a);
struct xfs_bmap_intent *bb = bi_entry(b);
- return ba->bi_owner->i_ino - bb->bi_owner->i_ino;
+ return cmp_int(ba->bi_owner->i_ino, bb->bi_owner->i_ino);
}
/* Log bmap updates in the intent item. */
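The truncation described in the commit message above, shown in user space as an added example that is not part of the patch or of XFS. The function names, the insertion sort and the inode numbers are constructed for illustration; fixed_cmp_u64() is a local stand-in for a three-way compare such as the cmp_int() the patch uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Pre-fix shape: the 64-bit difference is narrowed to int. On the usual
 * two's-complement targets (gcc, clang) only the low 32 bits survive, so
 * both the sign and the "equal" result can be wrong.
 */
static int broken_cmp_u64(uint64_t a, uint64_t b)
{
	return (int)(a - b);
}

/* Three-way compare: returns -1, 0 or 1 and never a difference. */
static int fixed_cmp_u64(uint64_t a, uint64_t b)
{
	return (a > b) - (a < b);
}

typedef int (*cmp_fn)(uint64_t, uint64_t);

/* Insertion sort; it stays in bounds even if cmp is inconsistent. */
static void sort_u64(uint64_t *v, size_t n, cmp_fn cmp)
{
	for (size_t i = 1; i < n; i++) {
		uint64_t key = v[i];
		size_t j = i;

		while (j > 0 && cmp(v[j - 1], key) > 0) {
			v[j] = v[j - 1];
			j--;
		}
		v[j] = key;
	}
}

static int is_ascending(const uint64_t *v, size_t n)
{
	for (size_t i = 1; i < n; i++)
		if (v[i - 1] > v[i])
			return 0;
	return 1;
}

/* Constructed inode numbers whose differences exceed INT_MAX. */
static const uint64_t sample_inodes[] = {
	0x80000007ULL, 0x3ULL, 0x100000003ULL, 0x7ULL,
};
#define NR_SAMPLES (sizeof(sample_inodes) / sizeof(sample_inodes[0]))

/* Sort a copy of the samples with cmp; return 1 if the result is ordered. */
static int sorts_correctly(cmp_fn cmp)
{
	uint64_t v[NR_SAMPLES];

	for (size_t i = 0; i < NR_SAMPLES; i++)
		v[i] = sample_inodes[i];
	sort_u64(v, NR_SAMPLES, cmp);
	return is_ascending(v, NR_SAMPLES);
}

int main(void)
{
	/* Difference of exactly 2^32: the low 32 bits are zero. */
	printf("broken(0x100000001, 1) = %d, fixed = %d\n",
	       broken_cmp_u64(0x100000001ULL, 1),
	       fixed_cmp_u64(0x100000001ULL, 1));
	/* Difference just above INT_MAX: the sign flips. */
	printf("broken(0x80000001, 0)  = %d, fixed = %d\n",
	       broken_cmp_u64(0x80000001ULL, 0),
	       fixed_cmp_u64(0x80000001ULL, 0));
	printf("sorted with broken comparator: %d\n",
	       sorts_correctly(broken_cmp_u64));
	printf("sorted with fixed comparator:  %d\n",
	       sorts_correctly(fixed_cmp_u64));
	return 0;
}
```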
* [PATCH 6.19 320/378] xfs: fix returned valued from xfs_defer_can_append
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carlos Maiolino, Darrick J. Wong,
Souptick Joarder, Carlos Maiolino
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Maiolino <cem@kernel.org>
commit 54fcd2f95f8d216183965a370ec69e1aab14f5da upstream.
xfs_defer_can_append returns a bool, it shouldn't be returning
a NULL.
Found by code inspection.
Fixes: 4dffb2cbb483 ("xfs: allow pausing of pending deferred work items")
Cc: <stable@vger.kernel.org> # v6.8
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Acked-by: Souptick Joarder <souptick.joarder@hpe.com>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/libxfs/xfs_defer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/xfs/libxfs/xfs_defer.c
+++ b/fs/xfs/libxfs/xfs_defer.c
@@ -809,7 +809,7 @@ xfs_defer_can_append(
/* Paused items cannot absorb more work */
if (dfp->dfp_flags & XFS_DEFER_PAUSED)
- return NULL;
+ return false;
/* Already full? */
if (ops->max_items && dfp->dfp_count >= ops->max_items)
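Review bot: in a function returning bool, "return NULL;" already converts to false, so this hunk changes the spelling but not the behaviour of xfs_defer_can_append(). The changelog should say explicitly that there is no functional change, which also bears on whether the patch needs a stable backport.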
* [PATCH 6.19 321/378] xfs: fix undersized l_iclog_roundoff values
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Carlos Maiolino
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
commit 52a8a1ba883defbfe3200baa22cf4cd21985d51a upstream.
If the superblock doesn't list a log stripe unit, we set the incore log
roundoff value to 512. This leads to corrupt logs and unmountable
filesystems in generic/617 on a disk with 4k physical sectors...
XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197.
XFS (sda1): failed to locate log tail
XFS (sda1): log mount/recovery failed: error -74
XFS (sda1): log mount failed
XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
XFS (sda1): Ending clean mount
...on the current xfsprogs for-next which has a broken mkfs. xfs_info
shows this...
meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks
= sectsz=4096 attr=2, projid32bit=1
= crc=1 finobt=1, sparse=1, rmapbt=1
= reflink=1 bigtime=1 inobtcount=1 nrext64=1
= exchange=1 metadir=1
data = bsize=4096 blocks=2579968, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1
log =internal log bsize=4096 blocks=16384, version=2
= sectsz=4096 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
= rgcount=0 rgsize=268435456 extents
= zoned=0 start=0 reserved=0
...observe that the log section has sectsz=4096 sunit=0, which means
that the roundoff factor is 512, not 4096 as you'd expect. We should
fix mkfs not to generate broken filesystems, but anyone can fuzz the
ondisk superblock so we should be more cautious. I think the inadequate
logic predates commit a6a65fef5ef8d0, but that's clearly going to
require a different backport.
Cc: stable@vger.kernel.org # v5.14
Fixes: a6a65fef5ef8d0 ("xfs: log stripe roundoff is a property of the log")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_log.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/xfs/xfs_log.c
+++ b/fs/xfs/xfs_log.c
@@ -1399,6 +1399,8 @@ xlog_alloc_log(
if (xfs_has_logv2(mp) && mp->m_sb.sb_logsunit > 1)
log->l_iclog_roundoff = mp->m_sb.sb_logsunit;
+ else if (mp->m_sb.sb_logsectsize > 0)
+ log->l_iclog_roundoff = mp->m_sb.sb_logsectsize;
else
log->l_iclog_roundoff = BBSIZE;
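Review bot: the new `else if (mp->m_sb.sb_logsectsize > 0)` branch in xlog_alloc_log() uses the on-disk value as the roundoff after checking only that it is non-zero. The changelog itself points out that the superblock can be fuzzed, so either add a comment naming where sb_logsectsize has already been validated as a sane sector size, or check it here before assigning it to l_iclog_roundoff. A one-line comment on why the log sector size is the right floor when sb_logsunit is 0 or 1 would also help the next reader.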
* [PATCH 6.19 322/378] xfs: ensure dquot item is deleted from AIL only after log shutdown
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Long Li, Carlos Maiolino,
Christoph Hellwig, Carlos Maiolino
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <leo.lilong@huawei.com>
commit 186ac39b8a7d3ec7ce9c5dd45e5c2730177f375c upstream.
In xfs_qm_dqflush(), when a dquot flush fails due to corruption
(the out_abort error path), the original code removed the dquot log
item from the AIL before calling xfs_force_shutdown(). This ordering
introduces a subtle race condition that can lead to data loss after
a crash.
The AIL tracks the oldest dirty metadata in the journal. The position
of the tail item in the AIL determines the log tail LSN, which is the
oldest LSN that must be preserved for crash recovery. When an item is
removed from the AIL, the log tail can advance past the LSN of that item.
The race window is as follows: if the dquot item happens to be at
the tail of the log, removing it from the AIL allows the log tail
to advance. If a concurrent log write is sampling the tail LSN at
the same time and subsequently writes a complete checkpoint (i.e.,
one containing a commit record) to disk before the shutdown takes
effect, the journal will no longer protect the dquot's last
modification. On the next mount, log recovery will not replay the
dquot changes, even though they were never written back to disk,
resulting in silent data loss.
Fix this by calling xfs_force_shutdown() before xfs_trans_ail_delete()
in the out_abort path. Once the log is shut down, no new log writes
can complete with an updated tail LSN, making it safe to remove the
dquot item from the AIL.
Cc: stable@vger.kernel.org
Fixes: b707fffda6a3 ("xfs: abort consistently on dquot flush failure")
Signed-off-by: Long Li <leo.lilong@huawei.com>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_dquot.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/fs/xfs/xfs_dquot.c
+++ b/fs/xfs/xfs_dquot.c
@@ -1439,9 +1439,15 @@ xfs_qm_dqflush(
return 0;
out_abort:
+ /*
+ * Shut down the log before removing the dquot item from the AIL.
+ * Otherwise, the log tail may advance past this item's LSN while
+ * log writes are still in progress, making these unflushed changes
+ * unrecoverable on the next mount.
+ */
+ xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
dqp->q_flags &= ~XFS_DQFLAG_DIRTY;
xfs_trans_ail_delete(lip, 0);
- xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
xfs_dqfunlock(dqp);
return error;
}
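Review bot: the added comment in out_abort says "Shut down the log", but the call is xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE), a filesystem-level shutdown. The new ordering only helps if the log is guaranteed to be shut down by the time that call returns, so the comment should state that guarantee explicitly, because the xfs_trans_ail_delete(lip, 0) two lines later depends on it.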
* [PATCH 6.19 323/378] sched_ext: Fix enqueue_task_scx() truncation of upper enqueue flags
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andrea Righi, Tejun Heo
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
commit 57ccf5ccdc56954f2a91a7f66684fd31c566bde5 upstream.
enqueue_task_scx() takes int enq_flags from the sched_class interface.
SCX enqueue flags starting at bit 32 (SCX_ENQ_PREEMPT and above) are
silently truncated when passed through activate_task(). extra_enq_flags
was added as a workaround - storing high bits in rq->scx.extra_enq_flags
and OR-ing them back in enqueue_task_scx(). However, the OR target is
still the int parameter, so the high bits are lost anyway.
The current impact is limited as the only affected flag is SCX_ENQ_PREEMPT
which is informational to the BPF scheduler - its loss means the scheduler
doesn't know about preemption but doesn't cause incorrect behavior.
Fix by renaming the int parameter to core_enq_flags and introducing a
u64 enq_flags local that merges both sources. All downstream functions
already take u64 enq_flags.
Fixes: f0e1a0643a59 ("sched_ext: Implement BPF extensible scheduler class")
Cc: stable@vger.kernel.org # v6.12+
Acked-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -1464,16 +1464,15 @@ static void clr_task_runnable(struct tas
p->scx.flags |= SCX_TASK_RESET_RUNNABLE_AT;
}
-static void enqueue_task_scx(struct rq *rq, struct task_struct *p, int enq_flags)
+static void enqueue_task_scx(struct rq *rq, struct task_struct *p, int core_enq_flags)
{
struct scx_sched *sch = scx_root;
int sticky_cpu = p->scx.sticky_cpu;
+ u64 enq_flags = core_enq_flags | rq->scx.extra_enq_flags;
if (enq_flags & ENQUEUE_WAKEUP)
rq->scx.flags |= SCX_RQ_IN_WAKEUP;
- enq_flags |= rq->scx.extra_enq_flags;
-
if (sticky_cpu >= 0)
p->scx.sticky_cpu = -1;
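Review bot: in `u64 enq_flags = core_enq_flags | rq->scx.extra_enq_flags;` the int operand is widened with sign extension (assuming rq->scx.extra_enq_flags is a u64, as the changelog implies), so a core flag in bit 31 would set every bit from 32 upward, including the SCX flags this change is meant to preserve. If no core enqueue flag can ever occupy bit 31, a short comment saying so is enough; otherwise cast core_enq_flags through u32 before the OR.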
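The truncation described in the commit message above, reduced to user-space C as an added example (not code from the patch or the kernel). The DEMO_* constants, struct demo_rq and all function names are constructed stand-ins; the last function shows the sign-extension edge case of merging an int into a 64-bit value.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for illustration; not the kernel's definitions. */
#define DEMO_ENQUEUE_WAKEUP 0x01ULL        /* a low "core" enqueue flag */
#define DEMO_ENQ_PREEMPT    (1ULL << 32)   /* a flag living at bit 32 */

struct demo_rq {
	uint64_t extra_enq_flags;          /* side channel for the high bits */
};

/* The interface boundary: whatever the caller had, the callee gets an int. */
static int through_int_interface(uint64_t flags)
{
	return (int)(uint32_t)flags;       /* bits 32..63 are dropped here */
}

/* Pre-fix shape: the high bits are OR-ed back, but into the int parameter. */
static uint64_t enqueue_before(const struct demo_rq *rq, int enq_flags)
{
	/* Same effect as "enq_flags |= rq->extra_enq_flags" on an int lvalue:
	 * the 64-bit result is converted back to int and the high bits go. */
	enq_flags = (int)(uint32_t)((uint64_t)enq_flags | rq->extra_enq_flags);
	return (uint64_t)enq_flags;        /* what a u64-taking callee would see */
}

/* Post-fix shape: merge both sources into a 64-bit local. */
static uint64_t enqueue_after(const struct demo_rq *rq, int core_enq_flags)
{
	/* The int is sign-extended to 64 bits before the OR. */
	uint64_t enq_flags = (uint64_t)core_enq_flags | rq->extra_enq_flags;
	return enq_flags;
}

/* Variant that cannot leak a set bit 31 into bits 32..63. */
static uint64_t enqueue_after_masked(const struct demo_rq *rq, int core_enq_flags)
{
	uint64_t enq_flags = (uint64_t)(uint32_t)core_enq_flags | rq->extra_enq_flags;
	return enq_flags;
}

int main(void)
{
	/* Constructed scenario: the caller wants WAKEUP plus the bit-32 flag. */
	uint64_t wanted = DEMO_ENQUEUE_WAKEUP | DEMO_ENQ_PREEMPT;
	struct demo_rq rq = { .extra_enq_flags = DEMO_ENQ_PREEMPT };
	struct demo_rq empty = { .extra_enq_flags = 0 };
	int core = through_int_interface(wanted);

	printf("wanted          : %#llx\n", (unsigned long long)wanted);
	printf("before the fix  : %#llx\n",
	       (unsigned long long)enqueue_before(&rq, core));
	printf("after the fix   : %#llx\n",
	       (unsigned long long)enqueue_after(&rq, core));

	/* Hypothetical core flag in bit 31, no high bits requested at all. */
	printf("bit 31, plain   : %#llx\n",
	       (unsigned long long)enqueue_after(&empty, INT_MIN));
	printf("bit 31, masked  : %#llx\n",
	       (unsigned long long)enqueue_after_masked(&empty, INT_MIN));
	return 0;
}
```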
* [PATCH 6.19 324/378] s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ingo Franzki, Harald Freudenberger,
Vasily Gorbik
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harald Freudenberger <freude@linux.ibm.com>
commit 598bbefa8032cc58b564a81d1ad68bd815c8dc0f upstream.
The serialnr sysfs attribute for CCA cards when queried always
used the default domain for sending the request down to the card.
If for any reason exactly this default domain is disabled then
the attribute code fails to retrieve the CCA info and the sysfs
entry shows an empty string. Works as designed but the serial
number is a card attribute and thus it does not matter which
domain is used for the query. So if there are other domains on
this card available, these could be used.
So extend the code to use AUTOSEL_DOM for the domain value to
address any online domain within the card for querying the cca
info and thus show the serialnr as long as there is one domain
usable regardless of the default domain setting.
Fixes: 8f291ebf3270 ("s390/zcrypt: enable card/domain autoselect on ep11 cprbs")
Suggested-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/crypto/zcrypt_ccamisc.c | 12 +++++++-----
drivers/s390/crypto/zcrypt_cex4.c | 3 +--
2 files changed, 8 insertions(+), 7 deletions(-)
--- a/drivers/s390/crypto/zcrypt_ccamisc.c
+++ b/drivers/s390/crypto/zcrypt_ccamisc.c
@@ -1639,11 +1639,13 @@ int cca_get_info(u16 cardnr, u16 domain,
memset(ci, 0, sizeof(*ci));
- /* get first info from zcrypt device driver about this apqn */
- rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
- if (rc)
- return rc;
- ci->hwtype = devstat.hwtype;
+ /* if specific domain given, fetch status and hw info for this apqn */
+ if (domain != AUTOSEL_DOM) {
+ rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
+ if (rc)
+ return rc;
+ ci->hwtype = devstat.hwtype;
+ }
/*
* Prep memory for rule array and var array use.
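Review bot: when domain is AUTOSEL_DOM the zcrypt_device_status_ext() call is skipped, so ci->hwtype keeps the zero from the memset() just above and devstat is never filled in. Callers passing AUTOSEL_DOM therefore get a cca_info with hwtype 0; please say so in the function's comment, and confirm nothing later in cca_get_info() reads devstat on that path.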
--- a/drivers/s390/crypto/zcrypt_cex4.c
+++ b/drivers/s390/crypto/zcrypt_cex4.c
@@ -84,8 +84,7 @@ static ssize_t cca_serialnr_show(struct
memset(&ci, 0, sizeof(ci));
- if (ap_domain_index >= 0)
- cca_get_info(ac->id, ap_domain_index, &ci, 0);
+ cca_get_info(ac->id, AUTOSEL_DOM, &ci, 0);
return sysfs_emit(buf, "%s\n", ci.serial);
}
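Review bot: cca_serialnr_show() still discards the return value of cca_get_info(), so a failed query cannot be told apart from a card without a serial number: sysfs_emit() prints the zeroed ci.serial as an empty line. Now that the call is unconditional, either return the error code from the show function or add a comment that the empty string is the intended failure output.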
* [PATCH 6.19 325/378] dt-bindings: display: msm: Fix reg ranges and clocks on Glymur
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abel Vesa, Krzysztof Kozlowski,
Dmitry Baryshkov
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abel Vesa <abel.vesa@oss.qualcomm.com>
commit 7403e87c138475a74e5176176778f391d847f42d upstream.
The Glymur platform has four DisplayPort controllers. The hardware
supports four streams (MST) per controller. However, on Glymur the first
three controllers only have two streams wired to the display subsystem,
while the fourth controller operates in single-stream mode.
Add a dedicated clause for the Glymur compatible to require the register
ranges for all four stream blocks, while allowing either one pixel clock
(for the single-stream controller) or two pixel clocks (for the remaining
controllers).
Update the Glymur MDSS schema example by adding the missing p2, p3,
mst2link and mst3link register blocks. Without these, the bindings
validation fails. Also replace the made-up register addresses with the
actual addresses from the first controller to match the SoC devicetree
description.
Cc: stable@vger.kernel.org # v6.19
Fixes: 8f63bf908213 ("dt-bindings: display: msm: Document the Glymur DiplayPort controller")
Fixes: 1aee577bbc60 ("dt-bindings: display: msm: Document the Glymur Mobile Display SubSystem")
Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/708518/
Link: https://lore.kernel.org/r/20260303-glymur-fix-dp-bindings-reg-clocks-v4-1-1ebd9c7c2cee@oss.qualcomm.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
.../bindings/display/msm/dp-controller.yaml | 21 ++++++++++++++++++-
.../display/msm/qcom,glymur-mdss.yaml | 16 ++++++++------
2 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/Documentation/devicetree/bindings/display/msm/dp-controller.yaml b/Documentation/devicetree/bindings/display/msm/dp-controller.yaml
index ebda78db87a6..02ddfaab5f56 100644
--- a/Documentation/devicetree/bindings/display/msm/dp-controller.yaml
+++ b/Documentation/devicetree/bindings/display/msm/dp-controller.yaml
@@ -253,7 +253,6 @@ allOf:
enum:
# these platforms support 2 streams MST on some interfaces,
# others are SST only
- - qcom,glymur-dp
- qcom,sc8280xp-dp
- qcom,x1e80100-dp
then:
@@ -310,6 +309,26 @@ allOf:
minItems: 6
maxItems: 8
+ - if:
+ properties:
+ compatible:
+ contains:
+ enum:
+ # these platforms support 2 streams MST on some interfaces,
+ # others are SST only, but all controllers have 4 ports
+ - qcom,glymur-dp
+ then:
+ properties:
+ reg:
+ minItems: 9
+ maxItems: 9
+ clocks:
+ minItems: 5
+ maxItems: 6
+ clocks-names:
+ minItems: 5
+ maxItems: 6
+
unevaluatedProperties: false
examples:
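Review bot: the new Glymur clause constrains `clocks-names`, but the property that pairs with `clocks` is `clock-names`, so the 5 to 6 item bound is attached to a different key than the one it is meant to mirror. Rename the key to `clock-names`. The comment above `- qcom,glymur-dp` is also carried over from the earlier clause; it would read better if it simply said that all four stream register blocks are required on this platform.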
diff --git a/Documentation/devicetree/bindings/display/msm/qcom,glymur-mdss.yaml b/Documentation/devicetree/bindings/display/msm/qcom,glymur-mdss.yaml
index 2329ed96e6cb..64dde43373ac 100644
--- a/Documentation/devicetree/bindings/display/msm/qcom,glymur-mdss.yaml
+++ b/Documentation/devicetree/bindings/display/msm/qcom,glymur-mdss.yaml
@@ -176,13 +176,17 @@ examples:
};
};
- displayport-controller@ae90000 {
+ displayport-controller@af54000 {
compatible = "qcom,glymur-dp";
- reg = <0xae90000 0x200>,
- <0xae90200 0x200>,
- <0xae90400 0x600>,
- <0xae91000 0x400>,
- <0xae91400 0x400>;
+ reg = <0xaf54000 0x200>,
+ <0xaf54200 0x200>,
+ <0xaf55000 0xc00>,
+ <0xaf56000 0x400>,
+ <0xaf57000 0x400>,
+ <0xaf58000 0x400>,
+ <0xaf59000 0x400>,
+ <0xaf5a000 0x600>,
+ <0xaf5b000 0x600>;
interrupt-parent = <&mdss>;
interrupts = <12>;
--
2.53.0
* [PATCH 6.19 326/378] ublk: fix NULL pointer dereference in ublk_ctrl_set_size()
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mehul Rao, Ming Lei, Jens Axboe
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mehul Rao <mehulrao@gmail.com>
commit 25966fc097691e5c925ad080f64a2f19c5fd940a upstream.
ublk_ctrl_set_size() unconditionally dereferences ub->ub_disk via
set_capacity_and_notify() without checking if it is NULL.
ub->ub_disk is NULL before UBLK_CMD_START_DEV completes (it is only
assigned in ublk_ctrl_start_dev()) and after UBLK_CMD_STOP_DEV runs
(ublk_detach_disk() sets it to NULL). Since the UBLK_CMD_UPDATE_SIZE
handler performs no state validation, a user can trigger a NULL pointer
dereference by sending UPDATE_SIZE to a device that has been added but
not yet started, or one that has been stopped.
Fix this by checking ub->ub_disk under ub->mutex before dereferencing
it, and returning -ENODEV if the disk is not available.
Fixes: 98b995660bff ("ublk: Add UBLK_U_CMD_UPDATE_SIZE")
Cc: stable@vger.kernel.org
Signed-off-by: Mehul Rao <mehulrao@gmail.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/ublk_drv.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -3534,15 +3534,22 @@ static int ublk_ctrl_get_features(const
return 0;
}
-static void ublk_ctrl_set_size(struct ublk_device *ub, const struct ublksrv_ctrl_cmd *header)
+static int ublk_ctrl_set_size(struct ublk_device *ub, const struct ublksrv_ctrl_cmd *header)
{
struct ublk_param_basic *p = &ub->params.basic;
u64 new_size = header->data[0];
+ int ret = 0;
mutex_lock(&ub->mutex);
+ if (!ub->ub_disk) {
+ ret = -ENODEV;
+ goto out;
+ }
p->dev_sectors = new_size;
set_capacity_and_notify(ub->ub_disk, p->dev_sectors);
+out:
mutex_unlock(&ub->mutex);
+ return ret;
}
struct count_busy {
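Review bot: ublk_ctrl_set_size() now returns -ENODEV when ub->ub_disk is NULL, which is a user-visible change for UBLK_CMD_UPDATE_SIZE: the command used to report 0 unconditionally. Please document the new error in the command's description, and add a one-line comment at the `if (!ub->ub_disk)` check noting that the pointer is only valid between start and stop and that ub->mutex is what makes the test stable.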
@@ -3853,8 +3860,7 @@ static int ublk_ctrl_uring_cmd(struct io
ret = ublk_ctrl_end_recovery(ub, &header);
break;
case UBLK_CMD_UPDATE_SIZE:
- ublk_ctrl_set_size(ub, &header);
- ret = 0;
+ ret = ublk_ctrl_set_size(ub, &header);
break;
case UBLK_CMD_QUIESCE_DEV:
ret = ublk_ctrl_quiesce_dev(ub, &header);
* [PATCH 6.19 327/378] s390/dasd: Move quiesce state with pprc swap
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Hoeppner, Stefan Haberland,
Jens Axboe
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Haberland <sth@linux.ibm.com>
commit 40e9cd4ae8ec43b107ed2bff422a8fa39dcf4e4b upstream.
Quiesce and resume is a mechanism to suspend operations on DASD devices.
In the context of a controlled copy pair swap operation, the quiesce
operation is usually issued before the actual swap and a resume
afterwards.
During the swap operation, the underlying device is exchanged. Therefore,
the quiesce flag must be moved to the secondary device to ensure a
consistent quiesce state after the swap.
The secondary device itself cannot be suspended separately because there
is no separate block device representation for it.
Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability")
Cc: stable@vger.kernel.org #6.1
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Link: https://patch.msgid.link/20260310142330.4080106-2-sth@linux.ibm.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd_eckd.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -6182,6 +6182,11 @@ static int dasd_eckd_copy_pair_swap(stru
dev_name(&secondary->cdev->dev), rc);
}
+ if (primary->stopped & DASD_STOPPED_QUIESCE) {
+ dasd_device_set_stop_bits(secondary, DASD_STOPPED_QUIESCE);
+ dasd_device_remove_stop_bits(primary, DASD_STOPPED_QUIESCE);
+ }
+
/* re-enable device */
dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC);
dasd_device_remove_stop_bits(secondary, DASD_STOPPED_PPRC);
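Review bot: the new block that moves DASD_STOPPED_QUIESCE from primary to secondary has no comment, and the reason for it (the quiesce state has to follow the block device across the swap) is only in the changelog. A short comment above `if (primary->stopped & DASD_STOPPED_QUIESCE)` would make the ordering against the "re-enable device" calls below self-explanatory.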
* [PATCH 6.19 328/378] s390/dasd: Copy detected format information to secondary device
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Hoeppner, Eduard Shishkin,
Stefan Haberland, Jens Axboe
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Haberland <sth@linux.ibm.com>
commit 4c527c7e030672efd788d0806d7a68972a7ba3c1 upstream.
During online processing for a DASD device an IO operation is started to
determine the format of the device. CDL format contains specifically
sized blocks at the beginning of the disk.
For a PPRC secondary device no real IO operation is possible therefore
this IO request can not be started and this step is skipped for online
processing of secondary devices. This is generally fine since the
secondary is a copy of the primary device.
In case of an additional partition detection that is run after a swap
operation the format information is needed to properly drive partition
detection IO.
Currently the information is not passed leading to IO errors during
partition detection and a wrongly detected partition table which in turn
might lead to data corruption on the disk with the wrong partition table.
Fix by passing the format information from primary to secondary device.
Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability")
Cc: stable@vger.kernel.org #6.1
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Acked-by: Eduard Shishkin <edward6@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Link: https://patch.msgid.link/20260310142330.4080106-3-sth@linux.ibm.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd_eckd.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -6135,6 +6135,7 @@ static void copy_pair_set_active(struct
static int dasd_eckd_copy_pair_swap(struct dasd_device *device, char *prim_busid,
char *sec_busid)
{
+ struct dasd_eckd_private *prim_priv, *sec_priv;
struct dasd_device *primary, *secondary;
struct dasd_copy_relation *copy;
struct dasd_block *block;
@@ -6155,6 +6156,9 @@ static int dasd_eckd_copy_pair_swap(stru
if (!secondary)
return DASD_COPYPAIRSWAP_SECONDARY;
+ prim_priv = primary->private;
+ sec_priv = secondary->private;
+
/*
* usually the device should be quiesced for swap
* for paranoia stop device and requeue requests again
@@ -6187,6 +6191,13 @@ static int dasd_eckd_copy_pair_swap(stru
dasd_device_remove_stop_bits(primary, DASD_STOPPED_QUIESCE);
}
+ /*
+ * The secondary device never got through format detection, but since it
+ * is a copy of the primary device, the format is exactly the same;
+ * therefore, the detected layout can simply be copied.
+ */
+ sec_priv->uses_cdl = prim_priv->uses_cdl;
+
/* re-enable device */
dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC);
dasd_device_remove_stop_bits(secondary, DASD_STOPPED_PPRC);
* [PATCH 6.19 329/378] powerpc/pseries: Correct MSI allocation tracking
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nam Cao, Mahesh Salgaonkar,
Nilay Shroff, Madhavan Srinivasan
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nam Cao <namcao@linutronix.de>
commit 35e4f2a17eb40288f9bcdb09549fa04a63a96279 upstream.
The per-device MSI allocation calculation in pseries_irq_domain_alloc()
is clearly wrong. It can still happen to work when nr_irqs is 1.
Correct it.
Fixes: c0215e2d72de ("powerpc/pseries: Fix MSI-X allocation failure when quota is exceeded")
Cc: stable@vger.kernel.org
Signed-off-by: Nam Cao <namcao@linutronix.de>
Reviewed-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
Reviewed-by: Nilay Shroff <nilay@linux.ibm.com>
[maddy: Fixed Nilay's reviewed-by tag]
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260302003948.1452016-1-namcao@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/pseries/msi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/platforms/pseries/msi.c
+++ b/arch/powerpc/platforms/pseries/msi.c
@@ -605,7 +605,7 @@ static int pseries_irq_domain_alloc(stru
&pseries_msi_irq_chip, pseries_dev);
}
- pseries_dev->msi_used++;
+ pseries_dev->msi_used += nr_irqs;
return 0;
out:
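Review bot: with `pseries_dev->msi_used += nr_irqs;` the counter now moves in units of nr_irqs on allocation, so please confirm that the `out:` error path and the matching free path adjust it by the same amount; otherwise the count drifts for multi-vector allocations. It would also help backporters if the changelog said what the old `++` got wrong instead of "clearly wrong".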
* [PATCH 6.19 330/378] powerpc64/bpf: fix kfunc call support
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hari Bathini, Madhavan Srinivasan
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hari Bathini <hbathini@linux.ibm.com>
commit 01b6ac72729610ae732ca2a66e3a642e23f6cd60 upstream.
Commit 61688a82e047 ("powerpc/bpf: enable kfunc call") inadvertently
enabled kfunc call support for 32-bit powerpc but that support will
not be possible until ABI mismatch between 32-bit powerpc and eBPF is
handled in 32-bit powerpc JIT code. Till then, advertise support only
for 64-bit powerpc. Also, in powerpc ABI, caller needs to extend the
arguments properly based on signedness. The JIT code is responsible
for handling this explicitly for kfunc calls as verifier can't handle
this for each architecture-specific ABI needs. But this was not taken
care of while kfunc call support was enabled for powerpc. Fix it by
handling this with bpf_jit_find_kfunc_model() and using zero_extend()
& sign_extend() helper functions.
Fixes: 61688a82e047 ("powerpc/bpf: enable kfunc call")
Cc: stable@vger.kernel.org
Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260303181031.390073-7-hbathini@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/net/bpf_jit_comp.c | 2
arch/powerpc/net/bpf_jit_comp64.c | 101 ++++++++++++++++++++++++++++++++++----
2 files changed, 94 insertions(+), 9 deletions(-)
--- a/arch/powerpc/net/bpf_jit_comp.c
+++ b/arch/powerpc/net/bpf_jit_comp.c
@@ -437,7 +437,7 @@ void bpf_jit_free(struct bpf_prog *fp)
bool bpf_jit_supports_kfunc_call(void)
{
- return true;
+ return IS_ENABLED(CONFIG_PPC64);
}
bool bpf_jit_supports_arena(void)
--- a/arch/powerpc/net/bpf_jit_comp64.c
+++ b/arch/powerpc/net/bpf_jit_comp64.c
@@ -319,6 +319,83 @@ int bpf_jit_emit_func_call_rel(u32 *imag
return 0;
}
+static int zero_extend(u32 *image, struct codegen_context *ctx, u32 src_reg, u32 dst_reg, u32 size)
+{
+ switch (size) {
+ case 1:
+ /* zero-extend 8 bits into 64 bits */
+ EMIT(PPC_RAW_RLDICL(dst_reg, src_reg, 0, 56));
+ return 0;
+ case 2:
+ /* zero-extend 16 bits into 64 bits */
+ EMIT(PPC_RAW_RLDICL(dst_reg, src_reg, 0, 48));
+ return 0;
+ case 4:
+ /* zero-extend 32 bits into 64 bits */
+ EMIT(PPC_RAW_RLDICL(dst_reg, src_reg, 0, 32));
+ fallthrough;
+ case 8:
+ /* Nothing to do */
+ return 0;
+ default:
+ return -1;
+ }
+}
+
+static int sign_extend(u32 *image, struct codegen_context *ctx, u32 src_reg, u32 dst_reg, u32 size)
+{
+ switch (size) {
+ case 1:
+ /* sign-extend 8 bits into 64 bits */
+ EMIT(PPC_RAW_EXTSB(dst_reg, src_reg));
+ return 0;
+ case 2:
+ /* sign-extend 16 bits into 64 bits */
+ EMIT(PPC_RAW_EXTSH(dst_reg, src_reg));
+ return 0;
+ case 4:
+ /* sign-extend 32 bits into 64 bits */
+ EMIT(PPC_RAW_EXTSW(dst_reg, src_reg));
+ fallthrough;
+ case 8:
+ /* Nothing to do */
+ return 0;
+ default:
+ return -1;
+ }
+}
+
+/*
+ * Handle powerpc ABI expectations from caller:
+ * - Unsigned arguments are zero-extended.
+ * - Signed arguments are sign-extended.
+ */
+static int prepare_for_kfunc_call(const struct bpf_prog *fp, u32 *image,
+ struct codegen_context *ctx,
+ const struct bpf_insn *insn)
+{
+ const struct btf_func_model *m = bpf_jit_find_kfunc_model(fp, insn);
+ int i;
+
+ if (!m)
+ return -1;
+
+ for (i = 0; i < m->nr_args; i++) {
+ /* Note that BPF ABI only allows up to 5 args for kfuncs */
+ u32 reg = bpf_to_ppc(BPF_REG_1 + i), size = m->arg_size[i];
+
+ if (!(m->arg_flags[i] & BTF_FMODEL_SIGNED_ARG)) {
+ if (zero_extend(image, ctx, reg, reg, size))
+ return -1;
+ } else {
+ if (sign_extend(image, ctx, reg, reg, size))
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
{
/*
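Review bot: prepare_for_kfunc_call() loops up to m->nr_args and maps registers with bpf_to_ppc(BPF_REG_1 + i), relying on the comment's "only allows up to 5 args" instead of a check. A guard on nr_args before the loop would keep this from indexing past BPF_REG_5 if that assumption ever changes. Minor style point: case 4 in both zero_extend() and sign_extend() uses fallthrough into case 8 only to reach `return 0`, while cases 1 and 2 return directly; a plain `return 0` there reads more clearly.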
@@ -931,14 +1008,16 @@ int bpf_jit_build_body(struct bpf_prog *
/* special mov32 for zext */
EMIT(PPC_RAW_RLWINM(dst_reg, dst_reg, 0, 0, 31));
break;
- } else if (off == 8) {
- EMIT(PPC_RAW_EXTSB(dst_reg, src_reg));
- } else if (off == 16) {
- EMIT(PPC_RAW_EXTSH(dst_reg, src_reg));
- } else if (off == 32) {
- EMIT(PPC_RAW_EXTSW(dst_reg, src_reg));
- } else if (dst_reg != src_reg)
- EMIT(PPC_RAW_MR(dst_reg, src_reg));
+ }
+ if (off == 0) {
+ /* MOV */
+ if (dst_reg != src_reg)
+ EMIT(PPC_RAW_MR(dst_reg, src_reg));
+ } else {
+ /* MOVSX: dst = (s8,s16,s32)src (off = 8,16,32) */
+ if (sign_extend(image, ctx, src_reg, dst_reg, off / 8))
+ return -1;
+ }
goto bpf_alu32_trunc;
case BPF_ALU | BPF_MOV | BPF_K: /* (u32) dst = imm */
case BPF_ALU64 | BPF_MOV | BPF_K: /* dst = (s64) imm */
@@ -1395,6 +1474,12 @@ emit_clear:
if (ret < 0)
return ret;
+ /* Take care of powerpc ABI requirements before kfunc call */
+ if (insn[i].src_reg == BPF_PSEUDO_KFUNC_CALL) {
+ if (prepare_for_kfunc_call(fp, image, ctx, &insn[i]))
+ return -1;
+ }
+
ret = bpf_jit_emit_func_call_rel(image, fimage, ctx, func_addr);
if (ret)
return ret;
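Review bot: the new kfunc block returns a bare -1 when prepare_for_kfunc_call() fails, while the calls immediately before and after it propagate `ret`. Assigning the result to ret and returning that would keep the error handling in this case uniform, and would let prepare_for_kfunc_call() report a real errno later without touching this site again.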
* [PATCH 6.19 331/378] powerpc64/bpf: fix the address returned by bpf_get_func_ip
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abhishek Dubey, Venkat Rao Bagalkote,
Hari Bathini, Madhavan Srinivasan
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hari Bathini <hbathini@linux.ibm.com>
commit 157820264ac3dadfafffad63184b883eb28f9ae0 upstream.
bpf_get_func_ip() helper function returns the address of the traced
function. It relies on the IP address stored at ctx - 16 by the bpf
trampoline. On 64-bit powerpc, this address is recovered from LR
accounting for OOL trampoline. But the address stored here was off
by 4-bytes. Ensure the address is the actual start of the traced
function.
Reported-by: Abhishek Dubey <adubey@linux.ibm.com>
Fixes: d243b62b7bd3 ("powerpc64/bpf: Add support for bpf trampolines")
Cc: stable@vger.kernel.org
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260303181031.390073-3-hbathini@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/net/bpf_jit_comp.c | 28 +++++++++++++++++++---------
1 file changed, 19 insertions(+), 9 deletions(-)
--- a/arch/powerpc/net/bpf_jit_comp.c
+++ b/arch/powerpc/net/bpf_jit_comp.c
@@ -722,9 +722,9 @@ static int __arch_prepare_bpf_trampoline
* retval_off [ return value ]
* [ reg argN ]
* [ ... ]
- * regs_off [ reg_arg1 ] prog ctx context
- * nregs_off [ args count ]
- * ip_off [ traced function ]
+ * regs_off [ reg_arg1 ] prog_ctx
+ * nregs_off [ args count ] ((u64 *)prog_ctx)[-1]
+ * ip_off [ traced function ] ((u64 *)prog_ctx)[-2]
* [ ... ]
* run_ctx_off [ bpf_tramp_run_ctx ]
* [ reg argN ]
@@ -824,7 +824,7 @@ static int __arch_prepare_bpf_trampoline
bpf_trampoline_save_args(image, ctx, func_frame_offset, nr_regs, regs_off);
- /* Save our return address */
+ /* Save our LR/return address */
EMIT(PPC_RAW_MFLR(_R3));
if (IS_ENABLED(CONFIG_PPC_FTRACE_OUT_OF_LINE))
EMIT(PPC_RAW_STL(_R3, _R1, alt_lr_off));
@@ -832,24 +832,34 @@ static int __arch_prepare_bpf_trampoline
EMIT(PPC_RAW_STL(_R3, _R1, bpf_frame_size + PPC_LR_STKOFF));
/*
- * Save ip address of the traced function.
- * We could recover this from LR, but we will need to address for OOL trampoline,
- * and optional GEP area.
+ * Derive IP address of the traced function.
+ * In case of CONFIG_PPC_FTRACE_OUT_OF_LINE or BPF program, LR points to the instruction
+ * after the 'bl' instruction in the OOL stub. Refer to ftrace_init_ool_stub() and
+ * bpf_arch_text_poke() for OOL stub of kernel functions and bpf programs respectively.
+ * Relevant stub sequence:
+ *
+ * bl <tramp>
+ * LR (R3) => mtlr r0
+ * b <func_addr+4>
+ *
+ * Recover kernel function/bpf program address from the unconditional
+ * branch instruction at the end of OOL stub.
*/
if (IS_ENABLED(CONFIG_PPC_FTRACE_OUT_OF_LINE) || flags & BPF_TRAMP_F_IP_ARG) {
EMIT(PPC_RAW_LWZ(_R4, _R3, 4));
EMIT(PPC_RAW_SLWI(_R4, _R4, 6));
EMIT(PPC_RAW_SRAWI(_R4, _R4, 6));
EMIT(PPC_RAW_ADD(_R3, _R3, _R4));
- EMIT(PPC_RAW_ADDI(_R3, _R3, 4));
}
if (flags & BPF_TRAMP_F_IP_ARG)
EMIT(PPC_RAW_STL(_R3, _R1, ip_off));
- if (IS_ENABLED(CONFIG_PPC_FTRACE_OUT_OF_LINE))
+ if (IS_ENABLED(CONFIG_PPC_FTRACE_OUT_OF_LINE)) {
/* Fake our LR for unwind */
+ EMIT(PPC_RAW_ADDI(_R3, _R3, 4));
EMIT(PPC_RAW_STL(_R3, _R1, bpf_frame_size + PPC_LR_STKOFF));
+ }
/* Save function arg count -- see bpf_get_func_arg_cnt() */
EMIT(PPC_RAW_LI(_R3, nr_regs));
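Review bot: the new block comment documents the stub layout but not the arithmetic that makes dropping the ADDI correct. The LWZ / SLWI 6 / SRAWI 6 sequence sign-extends the displacement field of the 'b <func_addr+4>' word at LR + 4, and LR plus that displacement equals func_addr only because the branch sits 4 bytes past LR and targets func_addr + 4, so the two offsets cancel. A one-line comment at EMIT(PPC_RAW_ADD(_R3, _R3, _R4)) saying so would help, along with a note that the decode relies on the AA and LK bits of the loaded word being zero. The condition 'IS_ENABLED(CONFIG_PPC_FTRACE_OUT_OF_LINE) || flags & BPF_TRAMP_F_IP_ARG' would also read better with parentheses around the '&' term.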
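The off-by-four described in the commit message above can be replayed in user space; this is an added example, not code from the patch or the kernel. It models the stub sequence quoted in the hunk comment and runs the emitted load, sign-extend and add steps in C; the addresses, struct and function names are constructed for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an OOL stub tail: bl <tramp>; mtlr r0; b <func_addr+4> */
struct ool_stub {
	uint64_t addr;     /* address of the 'bl <tramp>' word */
	uint32_t insn[3];
};

/* Encode an I-form branch (primary opcode 18, AA = 0) located at 'at'. */
static uint32_t ppc_branch(uint64_t at, uint64_t target, int link)
{
	uint64_t disp = target - at;   /* wraps for backward branches */

	return (18u << 26) | ((uint32_t)disp & 0x03fffffcu) | (link ? 1u : 0u);
}

static struct ool_stub make_stub(uint64_t stub_addr, uint64_t func_addr)
{
	struct ool_stub s;
	uint64_t tramp = stub_addr + 0x100000;   /* hypothetical trampoline address */

	s.addr = stub_addr;
	s.insn[0] = ppc_branch(stub_addr, tramp, 1);              /* bl <tramp> */
	s.insn[1] = 0x7c0803a6u;                                  /* mtlr r0 */
	s.insn[2] = ppc_branch(stub_addr + 8, func_addr + 4, 0);  /* b <func_addr+4> */
	return s;
}

/* Read one instruction word from the stub, as 'lwz' would from kernel text. */
static uint32_t load_word(const struct ool_stub *s, uint64_t addr)
{
	return s->insn[(addr - s->addr) / 4];
}

/* What 'slwi 6' followed by 'srawi 6' computes: sign-extend the low 26 bits. */
static int64_t sext26(uint32_t word)
{
	int64_t v = (int64_t)(word & 0x03ffffffu);

	return (v & 0x02000000) ? v - 0x04000000 : v;
}

/*
 * Value that ends up in the ip_off slot. addi_before_store = 1 replays the
 * pre-fix order (ADDI before the store), 0 replays the patched order.
 */
uint64_t traced_ip(uint64_t stub_addr, uint64_t func_addr, int addi_before_store)
{
	struct ool_stub s = make_stub(stub_addr, func_addr);
	uint64_t r3 = s.addr + 4;                    /* LR: word after 'bl' */
	int64_t r4 = sext26(load_word(&s, r3 + 4));  /* lwz r4, 4(r3) + shifts */

	r3 += (uint64_t)r4;                          /* add r3, r3, r4 */
	if (addi_before_store)
		r3 += 4;                             /* addi r3, r3, 4 */
	return r3;
}

int main(void)
{
	uint64_t stub = 0xc000000000900000ull;   /* constructed addresses */
	uint64_t func = 0xc000000000123450ull;

	printf("before fix: 0x%" PRIx64 "\n", traced_ip(stub, func, 1));
	printf("after fix:  0x%" PRIx64 "\n", traced_ip(stub, func, 0));
	return 0;
}
```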
* [PATCH 6.19 332/378] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josh Law, Steven Rostedt (Google),
Masami Hiramatsu (Google)
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 39ebc8d7f561e1b64eca87353ef9b18e2825e591 upstream.
__xbc_open_brace() pushes entries with post-increment
(open_brace[brace_index++]), so brace_index always points one past
the last valid entry. xbc_verify_tree() reads open_brace[brace_index]
to report which brace is unclosed, but this is one past the last
pushed entry and contains stale/zero data, causing the error message
to reference the wrong node.
Use open_brace[brace_index - 1] to correctly identify the unclosed
brace. brace_index is known to be > 0 here since we are inside the
if (brace_index) guard.
Link: https://lore.kernel.org/all/20260312191143.28719-2-objecting@objecting.org/
Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/bootconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -791,7 +791,7 @@ static int __init xbc_verify_tree(void)
/* Brace closing */
if (brace_index) {
- n = &xbc_nodes[open_brace[brace_index]];
+ n = &xbc_nodes[open_brace[brace_index - 1]];
return xbc_parse_error("Brace is not closed",
xbc_node_get_data(n));
}
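Review bot: the 'brace_index - 1' read is only safe under the enclosing 'if (brace_index)', and nothing at this site says that brace_index is a one-past-the-top counter. A short comment here, or a small helper that returns the top entry, would keep the next reader from reintroducing the off-by-one.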
* [PATCH 6.19 333/378] scsi: core: Fix error handling for scsi_alloc_sdev()
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxiao Bi, John Garry,
Bart Van Assche, Martin K. Petersen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxiao Bi <junxiao.bi@oracle.com>
commit 4ce7ada40c008fa21b7e52ab9d04e8746e2e9325 upstream.
After scsi_sysfs_device_initialize() was called, error paths must call
__scsi_remove_device().
Fixes: 1ac22c8eae81 ("scsi: core: Fix refcount leak for tagset_refcnt")
Cc: stable@vger.kernel.org
Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260304164603.51528-1-junxiao.bi@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/scsi_scan.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -360,12 +360,8 @@ static struct scsi_device *scsi_alloc_sd
* default device queue depth to figure out sbitmap shift
* since we use this queue depth most of times.
*/
- if (scsi_realloc_sdev_budget_map(sdev, depth)) {
- kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
- put_device(&starget->dev);
- kfree(sdev);
- goto out;
- }
+ if (scsi_realloc_sdev_budget_map(sdev, depth))
+ goto out_device_destroy;
scsi_change_queue_depth(sdev, depth);
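Review bot: the out_device_destroy label is not part of this hunk, so the review question is whether that path performs everything the removed lines did: the kref_put() on sdev->host->tagset_refcnt, the put_device() on starget->dev and the release of sdev, each exactly once. The changelog only says error paths must call __scsi_remove_device(); it would be clearer if it stated whether the old inline cleanup leaked something or released it twice.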
* [PATCH 6.19 334/378] x86/apic: Disable x2apic on resume if the kernel expects so
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rahul Bukte, Shashank Balaji,
Borislav Petkov (AMD), Thomas Gleixner, Sohil Mehta
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shashank Balaji <shashank.mahadasyam@sony.com>
commit 8cc7dd77a1466f0ec58c03478b2e735a5b289b96 upstream.
When resuming from s2ram, firmware may re-enable x2apic mode, which may have
been disabled by the kernel during boot either because it doesn't support IRQ
remapping or for other reasons. This causes the kernel to continue using the
xapic interface, while the hardware is in x2apic mode, which causes hangs.
This happens on defconfig + bare metal + s2ram.
Fix this in lapic_resume() by disabling x2apic if the kernel expects it to be
disabled, i.e. when x2apic_mode = 0.
The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the
pre-sleep configuration or initial boot configuration for each CPU, including
MSR state:
When executing from the power-on reset vector as a result of waking from an
S2 or S3 sleep state, the platform firmware performs only the hardware
initialization required to restore the system to either the state the
platform was in prior to the initial operating system boot, or to the
pre-sleep configuration state. In multiprocessor systems, non-boot
processors should be placed in the same state as prior to the initial
operating system boot.
(further ahead)
If this is an S2 or S3 wake, then the platform runtime firmware restores
minimum context of the system before jumping to the waking vector. This
includes:
CPU configuration. Platform runtime firmware restores the pre-sleep
configuration or initial boot configuration of each CPU (MSR, MTRR,
firmware update, SMBase, and so on). Interrupts must be disabled (for
IA-32 processors, disabled by CLI instruction).
(and other things)
So at least as per the spec, re-enablement of x2apic by the firmware is
allowed if "x2apic on" is a part of the initial boot configuration.
[1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization
[ bp: Massage. ]
Fixes: 6e1cb38a2aef ("x64, x2apic/intr-remap: add x2apic support, including enabling interrupt-remapping")
Co-developed-by: Rahul Bukte <rahul.bukte@sony.com>
Signed-off-by: Rahul Bukte <rahul.bukte@sony.com>
Signed-off-by: Shashank Balaji <shashank.mahadasyam@sony.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Sohil Mehta <sohil.mehta@intel.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260306-x2apic-fix-v2-1-bee99c12efa3@sony.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/apic/apic.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1894,6 +1894,7 @@ void __init check_x2apic(void)
static inline void try_to_enable_x2apic(int remap_mode) { }
static inline void __x2apic_enable(void) { }
+static inline void __x2apic_disable(void) { }
#endif /* !CONFIG_X86_X2APIC */
void __init enable_IR_x2apic(void)
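Review bot: with the empty __x2apic_disable() stub for !CONFIG_X86_X2APIC, the new lapic_resume() branch would print "Disabling" and then do nothing if x2apic_enabled() can ever return true in that configuration. Please confirm x2apic_enabled() is constant false there, or note it in a comment next to the stub.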
@@ -2456,6 +2457,11 @@ static void lapic_resume(void *data)
if (x2apic_mode) {
__x2apic_enable();
} else {
+ if (x2apic_enabled()) {
+ pr_warn_once("x2apic: re-enabled by firmware during resume. Disabling\n");
+ __x2apic_disable();
+ }
+
/*
* Make sure the APICBASE points to the right address
*
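Review bot: nothing after the __x2apic_disable() call checks that the hardware actually left x2apic mode before the APICBASE handling below continues. Re-reading x2apic_enabled() and warning if it is still set would make a failed disable visible instead of ending in the hang the commit message describes. pr_warn_once() also means only the first resume is logged, which is worth stating in a comment if that is intended.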
* [PATCH 6.19 335/378] kprobes: Remove unneeded warnings from __arm_kprobe_ftrace()
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zw Tang, Masami Hiramatsu (Google)
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
commit 5ef268cb7a0aac55521fd9881f1939fa94a8988e upstream.
Remove unneeded warnings for handled errors from __arm_kprobe_ftrace()
because all callers handled the error correctly.
Link: https://lore.kernel.org/all/177261531182.1312989.8737778408503961141.stgit@mhiramat.tok.corp.google.com/
Reported-by: Zw Tang <shicenci@gmail.com>
Closes: https://lore.kernel.org/all/CAPHJ_V+J6YDb_wX2nhXU6kh466Dt_nyDSas-1i_Y8s7tqY-Mzw@mail.gmail.com/
Fixes: 9c89bb8e3272 ("kprobes: treewide: Cleanup the error messages for kprobes")
Cc: stable@vger.kernel.org
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/kprobes.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1070,12 +1070,12 @@ static int __arm_kprobe_ftrace(struct kp
lockdep_assert_held(&kprobe_mutex);
ret = ftrace_set_filter_ip(ops, (unsigned long)p->addr, 0, 0);
- if (WARN_ONCE(ret < 0, "Failed to arm kprobe-ftrace at %pS (error %d)\n", p->addr, ret))
+ if (ret < 0)
return ret;
if (*cnt == 0) {
ret = register_ftrace_function(ops);
- if (WARN(ret < 0, "Failed to register kprobe-ftrace (error %d)\n", ret)) {
+ if (ret < 0) {
/*
* At this point, sinec ops is not registered, we should be sefe from
* registering empty filter.
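Review bot: with both WARN calls removed, a failure of ftrace_set_filter_ip() or register_ftrace_function() no longer records p->addr or the error code anywhere in this function, so diagnosability now depends entirely on the callers. If a caller only passes the error code on, a pr_debug() here would keep the address available. While this block is being touched, the typos 'sinec' and 'sefe' in the comment under 'if (ret < 0) {' could be fixed.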
* [PATCH 6.19 336/378] lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after()
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Law, Masami Hiramatsu (Google)
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 1120a36bb1e9b9e22de75ecb4ef0b998f73a97f1 upstream.
snprintf() returns the number of characters that would have been
written excluding the NUL terminator. Output is truncated when the
return value is >= the buffer size, not just > the buffer size.
When ret == size, the current code takes the non-truncated path,
advancing buf by ret and reducing size to 0. This is wrong because
the output was actually truncated (the last character was replaced by
NUL). Fix by using >= so the truncation path is taken correctly.
Link: https://lore.kernel.org/all/20260312191143.28719-4-objecting@objecting.org/
Fixes: 76db5a27a827 ("bootconfig: Add Extra Boot Config support")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/bootconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -316,7 +316,7 @@ int __init xbc_node_compose_key_after(st
depth ? "." : "");
if (ret < 0)
return ret;
- if (ret > size) {
+ if (ret >= size) {
size = 0;
} else {
size -= ret;
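Review bot: the '>=' at 'if (ret >= size)' is the right truncation test, but the reason is not visible at the call site: snprintf() returns the length without the NUL, so ret == size means the last character was dropped. A one-line comment stating that would stop the check from being simplified back to '>'. If size is an unsigned type, the comparison is only well-behaved because of the 'ret < 0' return just above, so the two checks should stay adjacent.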
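The ret == size case from the commit message above, as an added example that is not part of the patch or of lib/bootconfig.c. It joins key components into a fixed buffer with the same buf/size bookkeeping shape as the hunk and lets the caller pick the '>' or '>=' test; compose_key(), the result struct and the sample words are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

struct compose_result {
	int total;       /* characters the full key needs, excluding the NUL */
	int truncated;   /* set when a component did not fit */
};

/* Join words with '.' into buf; use_ge_check selects '>=' (fixed) or '>' (old). */
static struct compose_result compose_key(char *buf, size_t size,
					 const char *const *words, int nwords,
					 int use_ge_check)
{
	struct compose_result r = { 0, 0 };

	for (int i = 0; i < nwords; i++) {
		int ret = snprintf(buf, size, "%s%s", words[i],
				   i + 1 < nwords ? "." : "");
		if (ret < 0) {
			r.total = ret;
			return r;
		}
		if (use_ge_check ? (size_t)ret >= size : (size_t)ret > size) {
			/* Truncated: stop writing, keep counting. */
			size = 0;
			r.truncated = 1;
		} else {
			size -= (size_t)ret;
			buf += ret;
		}
		r.total += ret;
	}
	return r;
}

/* Constructed sample input: "kernel.log" needs 10 characters plus the NUL. */
static const char *const demo_words[] = { "kernel", "log" };
static char demo_buf[32];

/* Returns the truncated flag for a buffer of the given size. */
int demo_truncated(size_t size, int use_ge_check)
{
	memset(demo_buf, 0, sizeof(demo_buf));
	return compose_key(demo_buf, size, demo_words, 2, use_ge_check).truncated;
}

/* Returns what actually landed in the buffer. */
const char *demo_output(size_t size, int use_ge_check)
{
	(void)demo_truncated(size, use_ge_check);
	return demo_buf;
}

int main(void)
{
	/* A 10-byte buffer holds only "kernel.lo"; the '>' test misses that. */
	printf("'>'  size 10: \"%s\" truncated=%d\n",
	       demo_output(10, 0), demo_truncated(10, 0));
	printf("'>=' size 10: \"%s\" truncated=%d\n",
	       demo_output(10, 1), demo_truncated(10, 1));
	printf("'>=' size 11: \"%s\" truncated=%d\n",
	       demo_output(11, 1), demo_truncated(11, 1));
	return 0;
}
```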
* [PATCH 6.19 337/378] lib/bootconfig: check bounds before writing in __xbc_open_brace()
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Law, Masami Hiramatsu (Google)
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 560f763baa0f2c9a44da4294c06af071405ac46f upstream.
The bounds check for brace_index happens after the array write.
While the current call pattern prevents an actual out-of-bounds
access (the previous call would have returned an error), the
write-before-check pattern is fragile and would become a real
out-of-bounds write if the error return were ever not propagated.
Move the bounds check before the array write so the function is
self-contained and safe regardless of caller behavior.
Link: https://lore.kernel.org/all/20260312191143.28719-3-objecting@objecting.org/
Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/bootconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -532,9 +532,9 @@ static char *skip_spaces_until_newline(c
static int __init __xbc_open_brace(char *p)
{
/* Push the last key as open brace */
- open_brace[brace_index++] = xbc_node_index(last_parent);
if (brace_index >= XBC_DEPTH_MAX)
return xbc_parse_error("Exceed max depth of braces", p);
+ open_brace[brace_index++] = xbc_node_index(last_parent);
return 0;
}
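Review bot: moving the check ahead of the write also changes the accepted nesting depth, which the commit message does not mention. Previously the push that made brace_index reach XBC_DEPTH_MAX returned the error, so at most XBC_DEPTH_MAX - 1 braces could be open; now XBC_DEPTH_MAX pushes succeed. Please confirm open_brace[] has XBC_DEPTH_MAX elements and that other depth-bounded code tolerates the extra level, and say so in the changelog.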
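The two brace-stack defects in this series (the stale read fixed in 332/378 and the write-before-check order fixed here) can be seen side by side in a small model; this is an added example, not code from lib/bootconfig.c. DEPTH_MAX, the canary slot and all function names are constructed; the extra slot exists only so the out-of-range write can be observed without undefined behaviour.

```c
#include <stdio.h>

#define DEPTH_MAX 4        /* constructed small limit, stands in for XBC_DEPTH_MAX */
#define CANARY    0x7fff

struct brace_stack {
	int slot[DEPTH_MAX + 1];   /* slot[DEPTH_MAX] is a canary, not a usable entry */
	int index;                 /* one past the last pushed entry */
};

static void stack_init(struct brace_stack *s)
{
	for (int i = 0; i < DEPTH_MAX; i++)
		s->slot[i] = 0;
	s->slot[DEPTH_MAX] = CANARY;
	s->index = 0;
}

/* Write-before-check: the order removed by the patch. */
static int push_write_first(struct brace_stack *s, int node)
{
	s->slot[s->index++] = node;
	if (s->index >= DEPTH_MAX)
		return -1;
	return 0;
}

/* Check-before-write: the order the patch introduces. */
static int push_check_first(struct brace_stack *s, int node)
{
	if (s->index >= DEPTH_MAX)
		return -1;
	s->slot[s->index++] = node;
	return 0;
}

static int push(struct brace_stack *s, int node, int check_first)
{
	return check_first ? push_check_first(s, node) : push_write_first(s, node);
}

/* A caller that drops the error return: is the slot past the limit overwritten? */
int canary_clobbered(int check_first)
{
	struct brace_stack s;

	stack_init(&s);
	for (int i = 0; i < DEPTH_MAX + 1; i++)   /* exactly one push too many */
		(void)push(&s, 100 + i, check_first);
	return s.slot[DEPTH_MAX] != CANARY;
}

/* Number of pushes accepted before the first error is returned. */
int accepted_depth(int check_first)
{
	struct brace_stack s;
	int n = 0;

	stack_init(&s);
	while (n <= DEPTH_MAX && push(&s, 100 + n, check_first) == 0)
		n++;
	return n;
}

/* Node reported for an unclosed brace after pushing nodes 11 and 22. */
int unclosed_node(int use_index_minus_one)
{
	struct brace_stack s;

	stack_init(&s);
	push_check_first(&s, 11);
	push_check_first(&s, 22);
	if (!s.index)
		return -1;
	return s.slot[use_index_minus_one ? s.index - 1 : s.index];
}

int main(void)
{
	printf("write-first: clobbered=%d depth=%d\n",
	       canary_clobbered(0), accepted_depth(0));
	printf("check-first: clobbered=%d depth=%d\n",
	       canary_clobbered(1), accepted_depth(1));
	printf("unclosed: [index]=%d [index-1]=%d\n",
	       unclosed_node(0), unclosed_node(1));
	return 0;
}
```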
* [PATCH 6.19 338/378] smb: client: fix atomic open with O_DIRECT & O_SYNC
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
David Howells, Henrique Carvalho, Tom Talpey, linux-cifs,
Steve French
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.org>
commit 4a7d2729dc99437dbb880a64c47828c0d191b308 upstream.
When a user application requests O_DIRECT|O_SYNC along with O_CREAT on
open(2), CREATE_NO_BUFFER and CREATE_WRITE_THROUGH bits were missed in
CREATE request when performing an atomic open, thus leading to
potential data integrity issues.
Fix this by setting those missing bits in CREATE request when
O_DIRECT|O_SYNC has been specified in cifs_do_create().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Henrique Carvalho <henrique.carvalho@suse.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifsglob.h | 11 +++++++++++
fs/smb/client/dir.c | 1 +
fs/smb/client/file.c | 18 +++---------------
3 files changed, 15 insertions(+), 15 deletions(-)
--- a/fs/smb/client/cifsglob.h
+++ b/fs/smb/client/cifsglob.h
@@ -20,6 +20,7 @@
#include <linux/utsname.h>
#include <linux/sched/mm.h>
#include <linux/netfs.h>
+#include <linux/fcntl.h>
#include "cifs_fs_sb.h"
#include "cifsacl.h"
#include <crypto/internal/hash.h>
@@ -2313,4 +2314,14 @@ static inline void cifs_requeue_server_r
queue_delayed_work(cifsiod_wq, &server->reconnect, delay * HZ);
}
+static inline int cifs_open_create_options(unsigned int oflags, int opts)
+{
+ /* O_SYNC also has bit for O_DSYNC so following check picks up either */
+ if (oflags & O_SYNC)
+ opts |= CREATE_WRITE_THROUGH;
+ if (oflags & O_DIRECT)
+ opts |= CREATE_NO_BUFFER;
+ return opts;
+}
+
#endif /* _CIFS_GLOB_H */
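Review bot: cifs_open_create_options() takes opts, ORs the new bits into it and returns the result, yet every caller in this patch writes 'create_options |= cifs_open_create_options(flags, create_options)', so the pass-through argument and the '|=' do the same job twice. Either have callers assign with '=' or drop the opts parameter and return only the bits derived from oflags. A one-line comment that this is the single place where O_SYNC and O_DIRECT map to CREATE_WRITE_THROUGH and CREATE_NO_BUFFER would help future callers find it.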
--- a/fs/smb/client/dir.c
+++ b/fs/smb/client/dir.c
@@ -307,6 +307,7 @@ static int cifs_do_create(struct inode *
goto out;
}
+ create_options |= cifs_open_create_options(oflags, create_options);
/*
* if we're not using unix extensions, see if we need to set
* ATTR_READONLY on the create call
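Review bot: this one added line in cifs_do_create() is the functional fix, but it is wedged between the closing brace of the error path and an unrelated block comment about ATTR_READONLY, with no blank line or comment of its own. Separate it and say that an atomic open must carry the O_SYNC and O_DIRECT bits in the CREATE request, so it is not taken for part of the read-only handling.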
--- a/fs/smb/client/file.c
+++ b/fs/smb/client/file.c
@@ -585,15 +585,8 @@ static int cifs_nt_open(const char *full
*********************************************************************/
disposition = cifs_get_disposition(f_flags);
-
/* BB pass O_SYNC flag through on file attributes .. BB */
-
- /* O_SYNC also has bit for O_DSYNC so following check picks up either */
- if (f_flags & O_SYNC)
- create_options |= CREATE_WRITE_THROUGH;
-
- if (f_flags & O_DIRECT)
- create_options |= CREATE_NO_BUFFER;
+ create_options |= cifs_open_create_options(f_flags, create_options);
retry_open:
oparms = (struct cifs_open_parms) {
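Review bot: after this hunk the old 'BB pass O_SYNC flag through on file attributes' comment sits directly above the helper call and reads as if it described it. Since the helper now handles O_SYNC, either drop the comment or reword it to say what is still outstanding.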
@@ -1319,13 +1312,8 @@ cifs_reopen_file(struct cifsFileInfo *cf
rdwr_for_fscache = 1;
desired_access = cifs_convert_flags(cfile->f_flags, rdwr_for_fscache);
-
- /* O_SYNC also has bit for O_DSYNC so following check picks up either */
- if (cfile->f_flags & O_SYNC)
- create_options |= CREATE_WRITE_THROUGH;
-
- if (cfile->f_flags & O_DIRECT)
- create_options |= CREATE_NO_BUFFER;
+ create_options |= cifs_open_create_options(cfile->f_flags,
+ create_options);
if (server->ops->get_lease_key)
server->ops->get_lease_key(inode, &cfile->fid);
* [PATCH 6.19 339/378] smb: client: fix in-place encryption corruption in SMB2_write()
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henrique Carvalho, Shyam Prasad N,
Paulo Alcantara (Red Hat), Bharath SM, Steve French
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bharath SM <bharathsm@microsoft.com>
commit d78840a6a38d312dc1a51a65317bb67e46f0b929 upstream.
SMB2_write() places write payload in iov[1..n] as part of rq_iov.
smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()
encrypts iov[1] in-place, replacing the original plaintext with
ciphertext. On a replayable error, the retry sends the same iov[1]
which now contains ciphertext instead of the original data,
resulting in corruption.
The corruption is most likely to be observed when connections are
unstable, as reconnects trigger write retries that re-send the
already-encrypted data.
This affects SFU mknod, MF symlinks, etc. On kernels before
6.10 (prior to the netfs conversion), sync writes also used
this path and were similarly affected. The async write path
wasn't unaffected as it uses rq_iter which gets deep-copied.
Fix by moving the write payload into rq_iter via iov_iter_kvec(),
so smb3_init_transform_rq() deep-copies it before encryption.
Cc: stable@vger.kernel.org #6.3+
Acked-by: Henrique Carvalho <henrique.carvalho@suse.com>
Acked-by: Shyam Prasad N <sprasad@microsoft.com>
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -5237,7 +5237,10 @@ replay_again:
memset(&rqst, 0, sizeof(struct smb_rqst));
rqst.rq_iov = iov;
- rqst.rq_nvec = n_vec + 1;
+ /* iov[0] is the SMB header; move payload to rq_iter for encryption safety */
+ rqst.rq_nvec = 1;
+ iov_iter_kvec(&rqst.rq_iter, ITER_SOURCE, &iov[1], n_vec,
+ io_parms->length);
if (retries)
smb2_set_replay(server, &rqst);
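Review bot: iov_iter_kvec() is given n_vec segments starting at iov[1] but a byte count of io_parms->length, and nothing in this hunk ties the two together. If the sum of the segment lengths ever differs from io_parms->length, the iterator count and the kvecs disagree. A WARN_ON_ONCE or a comment stating the invariant would document what callers must guarantee; the n_vec == 0 case deserves the same check.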
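The replay corruption described in the commit message above, reduced to a user-space model; this is an added example, not code from fs/smb/client. A toy byte transform stands in for the transport encryption (it is not a real cipher), and the two transform functions contrast encrypting the caller's buffer in place with encrypting a copy; all names and the payload are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 64

/* Toy byte transform standing in for the transport cipher (not real crypto). */
static void toy_encrypt(uint8_t *p, size_t n)
{
	for (size_t i = 0; i < n; i++)
		p[i] = (uint8_t)(p[i] + 0x5a + i);
}

static void toy_decrypt(uint8_t *p, size_t n)
{
	for (size_t i = 0; i < n; i++)
		p[i] = (uint8_t)(p[i] - 0x5a - i);
}

struct wire_msg {
	uint8_t data[MAX_PAYLOAD];
	size_t len;
};

/* Pointer-shared path: the caller's payload buffer is encrypted in place. */
static void transform_shared(uint8_t *payload, size_t len, struct wire_msg *out)
{
	toy_encrypt(payload, len);
	memcpy(out->data, payload, len);
	out->len = len;
}

/* Deep-copy path: the payload is copied first and only the copy is encrypted. */
static void transform_copy(const uint8_t *payload, size_t len, struct wire_msg *out)
{
	memcpy(out->data, payload, len);
	out->len = len;
	toy_encrypt(out->data, len);
}

/*
 * Send one write whose first 'failed_attempts' tries hit a replayable error
 * after the transform has run. Returns 1 if the receiver, after decrypting
 * the attempt that finally gets through, holds the original plaintext.
 */
int write_survives_replay(int deep_copy, int failed_attempts)
{
	static const char msg[] = "constructed payload";   /* sample data */
	uint8_t payload[MAX_PAYLOAD];
	size_t len = sizeof(msg) - 1;
	struct wire_msg w;

	memcpy(payload, msg, len);
	for (int attempt = 0; attempt <= failed_attempts; attempt++) {
		/* Every attempt, including each replay, reuses 'payload'. */
		if (deep_copy)
			transform_copy(payload, len, &w);
		else
			transform_shared(payload, len, &w);
	}
	toy_decrypt(w.data, w.len);   /* receiver side */
	return w.len == len && memcmp(w.data, msg, len) == 0;
}

int main(void)
{
	printf("in place, no replay:  intact=%d\n", write_survives_replay(0, 0));
	printf("in place, one replay: intact=%d\n", write_survives_replay(0, 1));
	printf("deep copy, one replay: intact=%d\n", write_survives_replay(1, 1));
	return 0;
}
```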
* [PATCH 6.19 340/378] smb: client: fix iface port assignment in parse_server_interfaces
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dr. Thomas Orgis, Enzo Matsumiya,
Henrique Carvalho, Steve French
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henrique Carvalho <henrique.carvalho@suse.com>
commit d4c7210d2f3ea481a6481f03040a64d9077a6172 upstream.
parse_server_interfaces() initializes interface socket addresses with
CIFS_PORT. When the mount uses a non-default port this overwrites the
configured destination port.
Later, cifs_chan_update_iface() copies this sockaddr into server->dstaddr,
causing reconnect attempts to use the wrong port after server interface
updates.
Use the existing port from server->dstaddr instead.
Cc: stable@vger.kernel.org
Fixes: fe856be475f7 ("CIFS: parse and store info on iface queries")
Tested-by: Dr. Thomas Orgis <thomas.orgis@uni-hamburg.de>
Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2ops.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -628,6 +628,7 @@ parse_server_interfaces(struct network_i
struct smb_sockaddr_in6 *p6;
struct cifs_server_iface *info = NULL, *iface = NULL, *niface = NULL;
struct cifs_server_iface tmp_iface;
+ __be16 port;
ssize_t bytes_left;
size_t next = 0;
int nb_iface = 0;
@@ -662,6 +663,15 @@ parse_server_interfaces(struct network_i
goto out;
}
+ spin_lock(&ses->server->srv_lock);
+ if (ses->server->dstaddr.ss_family == AF_INET)
+ port = ((struct sockaddr_in *)&ses->server->dstaddr)->sin_port;
+ else if (ses->server->dstaddr.ss_family == AF_INET6)
+ port = ((struct sockaddr_in6 *)&ses->server->dstaddr)->sin6_port;
+ else
+ port = cpu_to_be16(CIFS_PORT);
+ spin_unlock(&ses->server->srv_lock);
+
while (bytes_left >= (ssize_t)sizeof(*p)) {
memset(&tmp_iface, 0, sizeof(tmp_iface));
/* default to 1Gbps when link speed is unset */
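Review bot: the port is read once under srv_lock before the loop and then applied to every interface after the lock is dropped, so a change to server->dstaddr while the response is being parsed is not picked up. That is probably acceptable, but it should be a stated decision in a comment above the spin_lock(). The final else also silently falls back to CIFS_PORT for an unexpected ss_family; a cifs_dbg() there would make that case visible.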
@@ -682,7 +692,7 @@ parse_server_interfaces(struct network_i
memcpy(&addr4->sin_addr, &p4->IPv4Address, 4);
/* [MS-SMB2] 2.2.32.5.1.1 Clients MUST ignore these */
- addr4->sin_port = cpu_to_be16(CIFS_PORT);
+ addr4->sin_port = port;
cifs_dbg(FYI, "%s: ipv4 %pI4\n", __func__,
&addr4->sin_addr);
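Review bot: the context comment '[MS-SMB2] 2.2.32.5.1.1 Clients MUST ignore these' now sits directly above 'addr4->sin_port = port', where it can be read as saying the mount's port is ignored. Reword it so it is clear that 'these' refers to fields in the server's response and that the port is taken from the existing connection; the same applies to the IPv6 assignment in the next hunk.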
@@ -696,7 +706,7 @@ parse_server_interfaces(struct network_i
/* [MS-SMB2] 2.2.32.5.1.2 Clients MUST ignore these */
addr6->sin6_flowinfo = 0;
addr6->sin6_scope_id = 0;
- addr6->sin6_port = cpu_to_be16(CIFS_PORT);
+ addr6->sin6_port = port;
cifs_dbg(FYI, "%s: ipv6 %pI6\n", __func__,
&addr6->sin6_addr);
* [PATCH 6.19 341/378] btrfs: fix transaction abort when snapshotting received subvolumes
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Burkov, Qu Wenruo,
Filipe Manana, David Sterba
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit e1b18b959025e6b5dbad668f391f65d34b39595a upstream.
Currently a user can trigger a transaction abort by snapshotting a
previously received snapshot a bunch of times until we reach a
BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we
can store in a leaf). This is very likely not common in practice, but
if it happens, it turns the filesystem into RO mode. The snapshot, send
and set_received_subvol and subvol_setflags (used by receive) don't
require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user
could use this to turn a filesystem into RO mode and disrupt a system.
Reproducer script:
$ cat test.sh
#!/bin/bash
DEV=/dev/sdi
MNT=/mnt/sdi
# Use smallest node size to make the test faster.
mkfs.btrfs -f --nodesize 4K $DEV
mount $DEV $MNT
# Create a subvolume and set it to RO so that it can be used for send.
btrfs subvolume create $MNT/sv
touch $MNT/sv/foo
btrfs property set $MNT/sv ro true
# Send and receive the subvolume into snaps/sv.
mkdir $MNT/snaps
btrfs send $MNT/sv | btrfs receive $MNT/snaps
# Now snapshot the received subvolume, which has a received_uuid, a
# lot of times to trigger the leaf overflow.
total=500
for ((i = 1; i <= $total; i++)); do
echo -ne "\rCreating snapshot $i/$total"
btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null
done
echo
umount $MNT
When running the test:
$ ./test.sh
(...)
Create subvolume '/mnt/sdi/sv'
At subvol /mnt/sdi/sv
At subvol sv
Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type
Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system
Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system
Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system
Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system
And in dmesg/syslog:
$ dmesg
(...)
[251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!
[251067.629212] ------------[ cut here ]------------
[251067.630033] BTRFS: Transaction aborted (error -75)
[251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235
[251067.632851] Modules linked in: btrfs dm_zero (...)
[251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
[251067.646165] Tainted: [W]=WARN
[251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]
[251067.649984] Code: f0 48 0f (...)
[251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292
[251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3
[251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750
[251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820
[251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0
[251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5
[251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000
[251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0
[251067.661972] Call Trace:
[251067.662292] <TASK>
[251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs]
[251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs]
[251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]
[251067.665238] ? _raw_spin_unlock+0x15/0x30
[251067.665837] ? record_root_in_trans+0xa2/0xd0 [btrfs]
[251067.666531] btrfs_mksubvol+0x330/0x580 [btrfs]
[251067.667145] btrfs_mksnapshot+0x74/0xa0 [btrfs]
[251067.667827] __btrfs_ioctl_snap_create+0x194/0x1d0 [btrfs]
[251067.668595] btrfs_ioctl_snap_create_v2+0x107/0x130 [btrfs]
[251067.669479] btrfs_ioctl+0x1580/0x2690 [btrfs]
[251067.670093] ? count_memcg_events+0x6d/0x180
[251067.670849] ? handle_mm_fault+0x1a0/0x2a0
[251067.671652] __x64_sys_ioctl+0x92/0xe0
[251067.672406] do_syscall_64+0x50/0xf20
[251067.673129] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[251067.674096] RIP: 0033:0x7f2a495648db
[251067.674812] Code: 00 48 89 (...)
[251067.678227] RSP: 002b:00007ffc5aa57840 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[251067.679691] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2a495648db
[251067.681145] RDX: 00007ffc5aa588b0 RSI: 0000000050009417 RDI: 0000000000000004
[251067.682511] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
[251067.683842] R10: 000000000000000a R11: 0000000000000246 R12: 00007ffc5aa59910
[251067.685176] R13: 00007ffc5aa588b0 R14: 0000000000000004 R15: 0000000000000006
[251067.686524] </TASK>
[251067.686972] ---[ end trace 0000000000000000 ]---
[251067.687890] BTRFS: error (device sdi state A) in create_pending_snapshot:1907: errno=-75 unknown
[251067.689049] BTRFS info (device sdi state EA): forced readonly
[251067.689054] BTRFS warning (device sdi state EA): Skipping commit of aborted transaction.
[251067.690119] BTRFS: error (device sdi state EA) in cleanup_transaction:2043: errno=-75 unknown
[251067.702028] BTRFS info (device sdi state EA): last unmount of filesystem 46dc3975-30a2-4a69-a18f-418b859cccda
Fix this by ignoring -EOVERFLOW errors from btrfs_uuid_tree_add() in the
snapshot creation code when attempting to add the
BTRFS_UUID_KEY_RECEIVED_SUBVOL item. This is OK because it's not critical
and we are still able to delete the snapshot, as snapshot/subvolume
deletion ignores if a BTRFS_UUID_KEY_RECEIVED_SUBVOL is missing (see
inode.c:btrfs_delete_subvolume()). As for send/receive, we can still do
send/receive operations since it always peeks the first root ID in the
existing BTRFS_UUID_KEY_RECEIVED_SUBVOL (it could peek any since all
snapshots have the same content), and even if the key is missing, it
falls back to searching by BTRFS_UUID_KEY_SUBVOL key.
A test case for fstests will be sent soon.
Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
CC: stable@vger.kernel.org # 3.12+
Reviewed-by: Boris Burkov <boris@bur.io>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/transaction.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/fs/btrfs/transaction.c
+++ b/fs/btrfs/transaction.c
@@ -1904,6 +1904,22 @@ static noinline int create_pending_snaps
ret = btrfs_uuid_tree_add(trans, new_root_item->received_uuid,
BTRFS_UUID_KEY_RECEIVED_SUBVOL,
objectid);
+ /*
+ * We are creating of lot of snapshots of the same root that was
+ * received (has a received UUID) and reached a leaf's limit for
+ * an item. We can safely ignore this and avoid a transaction
+ * abort. A deletion of this snapshot will still work since we
+ * ignore if an item with a BTRFS_UUID_KEY_RECEIVED_SUBVOL key
+ * is missing (see btrfs_delete_subvolume()). Send/receive will
+ * work too since it peeks the first root id from the existing
+ * item (it could peek any), and in case it's missing it
+ * falls back to search by BTRFS_UUID_KEY_SUBVOL keys.
+ * Creation of a snapshot does not require CAP_SYS_ADMIN, so
+ * we don't want users triggering transaction aborts, either
+ * intentionally or not.
+ */
+ if (ret == -EOVERFLOW)
+ ret = 0;
if (unlikely(ret && ret != -EEXIST)) {
btrfs_abort_transaction(trans, ret);
goto fail;
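Review bot: The new `if (ret == -EOVERFLOW) ret = 0;` directly after the btrfs_uuid_tree_add() call drops the failure without leaving any trace, so a snapshot that ends up without its BTRFS_UUID_KEY_RECEIVED_SUBVOL entry cannot be told apart from one that has it. A rate-limited debug message naming the objectid would make the skipped insert diagnosable without reintroducing the abort; rate limiting matters because, as the comment says, unprivileged users can reach this path. Nit in the added comment: "creating of lot of" should read "creating a lot of".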
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 342/378] btrfs: fix transaction abort on file creation due to name hash collision
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 341/378] btrfs: fix transaction abort when snapshotting received subvolumes Greg Kroah-Hartman
@ 2026-03-17 16:34 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 343/378] btrfs: fix transaction abort on set received ioctl due to item overflow Greg Kroah-Hartman
` (42 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Burkov, Qu Wenruo,
Filipe Manana, David Sterba
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 2d1ababdedd4ba38867c2500eb7f95af5ddeeef7 upstream.
If we attempt to create several files with names that result in the same
hash, we have to pack them in the same dir item and that has a limit inherent
to the leaf size. However if we reach that limit, we trigger a transaction
abort and turn the filesystem into RO mode. This allows for a malicious
user to disrupt a system, without the need to have administration
privileges/capabilities.
Reproducer:
$ cat exploit-hash-collisions.sh
#!/bin/bash
DEV=/dev/sdi
MNT=/mnt/sdi
# Use smallest node size to make the test faster and require fewer file
# names that result in hash collision.
mkfs.btrfs -f --nodesize 4K $DEV
mount $DEV $MNT
# List of names that result in the same crc32c hash for btrfs.
declare -a names=(
'foobar'
'%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC'
'AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z'
'CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4'
'ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:'
'HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO'
'Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us'
'KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY'
'NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO'
'Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU'
'Ono7avN5GjC:_6dBJ_'
'WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am'
'WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k'
'XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2'
'd3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd'
'ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm'
'evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ'
'gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky'
'hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS'
'isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz'
'kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu'
'lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN'
'rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4='
'uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn'
'UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C'
'y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW'
'8-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc'
'YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mCaaKGxb990jzaagRktDTyp'
'9hD2ApKa_t_7x-a@GCG28kY:7$M@5udI1myQ$x5udtggvagmCQcq9QXWRC5hoB0o-_zHQUqZI5rMcz_kbMgvN5jr63LeYA4Cj-c6F5Ugmx6DgVf@2Jqm%MafecpgooqreJ53P-QTS'
)
# Now create files with all those names in the same parent directory.
# It should not fail since a 4K leaf has enough space for them.
for name in "${names[@]}"; do
touch $MNT/$name
done
# Now add one more file name that causes a crc32c hash collision.
# This should fail, but it should not turn the filesystem into RO mode
# (which could be exploited by malicious users) due to a transaction
# abort.
touch $MNT/'W6tIm-VK2@BGC@IBfcgg6j_p:pxp_QUqtWpGD5Ok_GmijKOJJt'
# Check that we are able to create another file, with a name that does not cause
# a crc32c hash collision.
echo -n "hello world" > $MNT/baz
# Unmount and mount again, verify file baz exists and with the right content.
umount $MNT
mount $DEV $MNT
echo "File baz content: $(cat $MNT/baz)"
umount $MNT
When running the reproducer:
$ ./exploit-hash-collisions.sh
(...)
touch: cannot touch '/mnt/sdi/W6tIm-VK2@BGC@IBfcgg6j_p:pxp_QUqtWpGD5Ok_GmijKOJJt': Value too large for defined data type
./exploit-hash-collisions.sh: line 57: /mnt/sdi/baz: Read-only file system
cat: /mnt/sdi/baz: No such file or directory
File baz content:
And the transaction abort stack trace in dmesg/syslog:
$ dmesg
(...)
[758240.509761] ------------[ cut here ]------------
[758240.510668] BTRFS: Transaction aborted (error -75)
[758240.511577] WARNING: fs/btrfs/inode.c:6854 at btrfs_create_new_inode+0x805/0xb50 [btrfs], CPU#6: touch/888644
[758240.513513] Modules linked in: btrfs dm_zero (...)
[758240.523221] CPU: 6 UID: 0 PID: 888644 Comm: touch Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
[758240.524621] Tainted: [W]=WARN
[758240.525037] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[758240.526331] RIP: 0010:btrfs_create_new_inode+0x80b/0xb50 [btrfs]
[758240.527093] Code: 0f 82 cf (...)
[758240.529211] RSP: 0018:ffffce64418fbb48 EFLAGS: 00010292
[758240.529935] RAX: 00000000ffffffd3 RBX: 0000000000000000 RCX: 00000000ffffffb5
[758240.531040] RDX: 0000000d04f33e06 RSI: 00000000ffffffb5 RDI: ffffffffc0919dd0
[758240.531920] RBP: ffffce64418fbc10 R08: 0000000000000000 R09: 00000000ffffffb5
[758240.532928] R10: 0000000000000000 R11: ffff8e52c0000000 R12: ffff8e53eee7d0f0
[758240.533818] R13: ffff8e57f70932a0 R14: ffff8e5417629568 R15: 0000000000000000
[758240.534664] FS: 00007f1959a2a740(0000) GS:ffff8e5b27cae000(0000) knlGS:0000000000000000
[758240.535821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[758240.536644] CR2: 00007f1959b10ce0 CR3: 000000012a2cc005 CR4: 0000000000370ef0
[758240.537517] Call Trace:
[758240.537828] <TASK>
[758240.538099] btrfs_create_common+0xbf/0x140 [btrfs]
[758240.538760] path_openat+0x111a/0x15b0
[758240.539252] do_filp_open+0xc2/0x170
[758240.539699] ? preempt_count_add+0x47/0xa0
[758240.540200] ? __virt_addr_valid+0xe4/0x1a0
[758240.540800] ? __check_object_size+0x1b3/0x230
[758240.541661] ? alloc_fd+0x118/0x180
[758240.542315] do_sys_openat2+0x70/0xd0
[758240.543012] __x64_sys_openat+0x50/0xa0
[758240.543723] do_syscall_64+0x50/0xf20
[758240.544462] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[758240.545397] RIP: 0033:0x7f1959abc687
[758240.546019] Code: 48 89 fa (...)
[758240.548522] RSP: 002b:00007ffe16ff8690 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[758240.566278] RAX: ffffffffffffffda RBX: 00007f1959a2a740 RCX: 00007f1959abc687
[758240.567068] RDX: 0000000000000941 RSI: 00007ffe16ffa333 RDI: ffffffffffffff9c
[758240.567860] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[758240.568707] R10: 00000000000001b6 R11: 0000000000000202 R12: 0000561eec7c4b90
[758240.569712] R13: 0000561eec7c311f R14: 00007ffe16ffa333 R15: 0000000000000000
[758240.570758] </TASK>
[758240.571040] ---[ end trace 0000000000000000 ]---
[758240.571681] BTRFS: error (device sdi state A) in btrfs_create_new_inode:6854: errno=-75 unknown
[758240.572899] BTRFS info (device sdi state EA): forced readonly
Fix this by checking for hash collision, and if adding a new name is
possible, early in btrfs_create_new_inode() before we do any tree updates,
so that we don't need to abort the transaction if we cannot add the new
name due to the leaf size limit.
A test case for fstests will be sent soon.
Fixes: caae78e03234 ("btrfs: move common inode creation code into btrfs_create_new_inode()")
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Boris Burkov <boris@bur.io>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -6542,6 +6542,25 @@ int btrfs_create_new_inode(struct btrfs_
int ret;
bool xa_reserved = false;
+ if (!args->orphan && !args->subvol) {
+ /*
+ * Before anything else, check if we can add the name to the
+ * parent directory. We want to avoid a dir item overflow in
+ * case we have an existing dir item due to existing name
+ * hash collisions. We do this check here before we call
+ * btrfs_add_link() down below so that we can avoid a
+ * transaction abort (which could be exploited by malicious
+ * users).
+ *
+ * For subvolumes we already do this in btrfs_mksubvol().
+ */
+ ret = btrfs_check_dir_item_collision(BTRFS_I(dir)->root,
+ btrfs_ino(BTRFS_I(dir)),
+ name);
+ if (ret < 0)
+ return ret;
+ }
+
path = btrfs_alloc_path();
if (!path)
return -ENOMEM;
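Review bot: The guard `if (!args->orphan && !args->subvol)` at the top of btrfs_create_new_inode() explains the subvolume exclusion in its comment but not why orphans are skipped, and it does not say what keeps another colliding name from being added to the parent directory between this check and the later btrfs_add_link(). One sentence on each, for example which lock the caller holds on the directory, would let a reader confirm that the early return removes the abort path rather than only narrowing it.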
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 343/378] btrfs: fix transaction abort on set received ioctl due to item overflow
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2026-03-17 16:34 ` [PATCH 6.19 342/378] btrfs: fix transaction abort on file creation due to name hash collision Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 344/378] btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer() Greg Kroah-Hartman
` (41 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Anand Jain, Filipe Manana,
David Sterba
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 87f2c46003fce4d739138aab4af1942b1afdadac upstream.
If the set received ioctl fails due to an item overflow when attempting to
add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction
since we did some metadata updates before.
This means that if a user calls this ioctl with the same received UUID
field for a lot of subvolumes, we will hit the overflow, trigger the
transaction abort and turn the filesystem into RO mode. A malicious user
could exploit this, and this ioctl does not even require that a user
has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.
Fix this by doing an early check for item overflow before starting a
transaction. This is also race safe because we are holding the subvol_sem
semaphore in exclusive (write) mode.
A test case for fstests will follow soon.
Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
CC: stable@vger.kernel.org # 3.12+
Reviewed-by: Anand Jain <asj@kernel.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 21 +++++++++++++++++++--
fs/btrfs/uuid-tree.c | 38 ++++++++++++++++++++++++++++++++++++++
fs/btrfs/uuid-tree.h | 2 ++
3 files changed, 59 insertions(+), 2 deletions(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3932,6 +3932,25 @@ static long _btrfs_ioctl_set_received_su
goto out;
}
+ received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
+ BTRFS_UUID_SIZE);
+
+ /*
+ * Before we attempt to add the new received uuid, check if we have room
+ * for it in case there's already an item. If the size of the existing
+ * item plus this root's ID (u64) exceeds the maximum item size, we can
+ * return here without the need to abort a transaction. If we don't do
+ * this check, the btrfs_uuid_tree_add() call below would fail with
+ * -EOVERFLOW and result in a transaction abort. Malicious users could
+ * exploit this to turn the fs into RO mode.
+ */
+ if (received_uuid_changed && !btrfs_is_empty_uuid(sa->uuid)) {
+ ret = btrfs_uuid_tree_check_overflow(fs_info, sa->uuid,
+ BTRFS_UUID_KEY_RECEIVED_SUBVOL);
+ if (ret < 0)
+ goto out;
+ }
+
/*
* 1 - root item
* 2 - uuid items (received uuid + subvol uuid)
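Review bot: The comment above the btrfs_uuid_tree_check_overflow() call does not say what makes the check-then-add sequence safe. The commit message relies on subvol_sem being held in exclusive (write) mode, and that belongs in the code comment, since a later locking change here would silently bring the transaction abort back. It would also help to note that received_uuid_changed is now computed before the transaction starts so that it can gate this check.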
@@ -3947,8 +3966,6 @@ static long _btrfs_ioctl_set_received_su
sa->rtime.sec = ct.tv_sec;
sa->rtime.nsec = ct.tv_nsec;
- received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
- BTRFS_UUID_SIZE);
if (received_uuid_changed &&
!btrfs_is_empty_uuid(root_item->received_uuid)) {
ret = btrfs_uuid_tree_remove(trans, root_item->received_uuid,
--- a/fs/btrfs/uuid-tree.c
+++ b/fs/btrfs/uuid-tree.c
@@ -199,6 +199,44 @@ int btrfs_uuid_tree_remove(struct btrfs_
return 0;
}
+/*
+ * Check if we can add one root ID to a UUID key.
+ * If the key does not yet exists, we can, otherwise only if extended item does
+ * not exceeds the maximum item size permitted by the leaf size.
+ *
+ * Returns 0 on success, negative value on error.
+ */
+int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
+ const u8 *uuid, u8 type)
+{
+ BTRFS_PATH_AUTO_FREE(path);
+ int ret;
+ u32 item_size;
+ struct btrfs_key key;
+
+ if (WARN_ON_ONCE(!fs_info->uuid_root))
+ return -EINVAL;
+
+ path = btrfs_alloc_path();
+ if (!path)
+ return -ENOMEM;
+
+ btrfs_uuid_to_key(uuid, type, &key);
+ ret = btrfs_search_slot(NULL, fs_info->uuid_root, &key, path, 0, 0);
+ if (ret < 0)
+ return ret;
+ if (ret > 0)
+ return 0;
+
+ item_size = btrfs_item_size(path->nodes[0], path->slots[0]);
+
+ if (sizeof(struct btrfs_item) + item_size + sizeof(u64) >
+ BTRFS_LEAF_DATA_SIZE(fs_info))
+ return -EOVERFLOW;
+
+ return 0;
+}
+
static int btrfs_uuid_iter_rem(struct btrfs_root *uuid_root, u8 *uuid, u8 type,
u64 subid)
{
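Review bot: btrfs_uuid_tree_check_overflow() searches with a NULL transaction and returns a verdict that only holds while nobody else can extend the same item, yet the function neither documents nor asserts the locking it depends on. Name the required lock in the header comment (or assert it), and list -EOVERFLOW explicitly among the return values, since that is the one result callers act on. The open-coded test `sizeof(struct btrfs_item) + item_size + sizeof(u64) > BTRFS_LEAF_DATA_SIZE(fs_info)` should also be checked against the limit applied where the item is actually extended, so the pre-check and the real insert cannot disagree. Comment nits: "does not yet exists" and "does not exceeds".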
--- a/fs/btrfs/uuid-tree.h
+++ b/fs/btrfs/uuid-tree.h
@@ -12,6 +12,8 @@ int btrfs_uuid_tree_add(struct btrfs_tra
u64 subid);
int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, const u8 *uuid, u8 type,
u64 subid);
+int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
+ const u8 *uuid, u8 type);
int btrfs_uuid_tree_iterate(struct btrfs_fs_info *fs_info);
int btrfs_create_uuid_tree(struct btrfs_fs_info *fs_info);
int btrfs_uuid_scan_kthread(void *data);
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 344/378] btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 343/378] btrfs: fix transaction abort on set received ioctl due to item overflow Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 345/378] btrfs: abort transaction on failure to update root in the received subvol ioctl Greg Kroah-Hartman
` (40 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Boris Burkov,
Bart Van Assche, David Sterba
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
commit b2840e33127ce0eea880504b7f133e780f567a9b upstream.
Call rcu_read_lock() before exiting the loop in
try_release_subpage_extent_buffer() because there is a rcu_read_unlock()
call past the loop.
This has been detected by the Clang thread-safety analyzer.
Fixes: ad580dfa388f ("btrfs: fix subpage deadlock in try_release_subpage_extent_buffer()")
CC: stable@vger.kernel.org # 6.18+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/extent_io.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -4475,6 +4475,7 @@ static int try_release_subpage_extent_bu
*/
if (!test_and_clear_bit(EXTENT_BUFFER_TREE_REF, &eb->bflags)) {
spin_unlock(&eb->refs_lock);
+ rcu_read_lock();
break;
}
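Review bot: The added `rcu_read_lock();` before `break` exists only to balance the rcu_read_unlock() that follows the loop, which is not visible from this spot and reads as the opposite of the subject line ("add missing RCU unlock"). A one-line comment on that statement saying the lock is re-taken so the unlock after the loop stays balanced would keep someone from later removing it as a stray lock.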
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 345/378] btrfs: abort transaction on failure to update root in the received subvol ioctl
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 344/378] btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer() Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 346/378] iio: dac: ds4424: reject -128 RAW value Greg Kroah-Hartman
` (39 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Anand Jain, Filipe Manana,
David Sterba
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 0f475ee0ebce5c9492b260027cd95270191675fa upstream.
If we failed to update the root we don't abort the transaction, which is
wrong since we already used the transaction to remove an item from the
uuid tree.
Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
CC: stable@vger.kernel.org # 3.12+
Reviewed-by: Anand Jain <asj@kernel.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3987,7 +3987,8 @@ static long _btrfs_ioctl_set_received_su
ret = btrfs_update_root(trans, fs_info->tree_root,
&root->root_key, &root->root_item);
- if (ret < 0) {
+ if (unlikely(ret < 0)) {
+ btrfs_abort_transaction(trans, ret);
btrfs_end_transaction(trans);
goto out;
}
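Review bot: The new btrfs_abort_transaction() in the `ret < 0` branch after btrfs_update_root() carries no comment saying why a failure at this point must abort; the reason (the transaction was already used to remove an item from the uuid tree) lives only in the commit message. A short comment above the abort stating that earlier uuid tree changes cannot be left committed without the matching root update would make the branch self-explanatory.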
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 346/378] iio: dac: ds4424: reject -128 RAW value
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 345/378] btrfs: abort transaction on failure to update root in the received subvol ioctl Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 347/378] iio: frequency: adf4377: Fix duplicated soft reset mask Greg Kroah-Hartman
` (38 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Andy Shevchenko,
Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit 5187e03b817c26c1c3bcb2645a612ea935c4be89 upstream.
The DS442x DAC uses sign-magnitude encoding, so -128 cannot be represented
in hardware (7-bit magnitude).
Previously, passing -128 resulted in a truncated value that programmed
0mA (magnitude 0) instead of the expected maximum negative current,
effectively failing silently.
Reject -128 to avoid producing the wrong current.
Fixes: d632a2bd8ffc ("iio: dac: ds4422/ds4424 dac driver")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/ds4424.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/dac/ds4424.c
+++ b/drivers/iio/dac/ds4424.c
@@ -141,7 +141,7 @@ static int ds4424_write_raw(struct iio_d
switch (mask) {
case IIO_CHAN_INFO_RAW:
- if (val < S8_MIN || val > S8_MAX)
+ if (val <= S8_MIN || val > S8_MAX)
return -EINVAL;
if (val > 0) {
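Review bot: `if (val <= S8_MIN || val > S8_MAX)` looks like an off-by-one typo to anyone who has not read the commit message, because the lower bound quietly excludes S8_MIN itself. Either write the range symmetrically as `val < -S8_MAX || val > S8_MAX`, or add a comment that the hardware is sign-magnitude with a 7-bit magnitude and so has no encoding for -128.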
^ permalink raw reply [flat|nested] 396+ messages in thread
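The truncation described in the ds4424 commit message above, as an added example that is not part of the original message or the driver. The register layout (bit 7 = direction, set for positive values; bits 6:0 = magnitude) and all function names are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define S8_MIN (-128)
#define S8_MAX 127

/*
 * Assumed layout for this sketch (not taken from the driver source):
 * bit 7 selects the current direction, bits 6:0 hold the magnitude.
 */
#define DIR_BIT  0x80u
#define MAG_MASK 0x7Fu

/* Pack a signed raw value into an 8-bit sign-magnitude register image. */
static uint8_t sm_encode(int val)
{
	unsigned int mag = (unsigned int)abs(val);
	uint8_t reg = (uint8_t)(mag & MAG_MASK);	/* 128 & 0x7F == 0 */

	if (val > 0)
		reg |= DIR_BIT;
	return reg;
}

/* Recover the signed value the hardware would act on. */
static int sm_decode(uint8_t reg)
{
	int mag = (int)(reg & MAG_MASK);

	return (reg & DIR_BIT) ? mag : -mag;
}

/* Range check before the patch: accepts the full s8 range. */
static int old_check_accepts(int val)
{
	return !(val < S8_MIN || val > S8_MAX);
}

/* Range check after the patch: S8_MIN itself is rejected. */
static int new_check_accepts(int val)
{
	return !(val <= S8_MIN || val > S8_MAX);
}

/*
 * Count inputs that pass validation but do not survive the
 * encode/decode round trip, i.e. values that would be programmed
 * wrongly without any error being returned.
 */
static int count_silent_errors(int (*accepts)(int), int *first_bad)
{
	int bad = 0;

	for (int val = -300; val <= 300; val++) {
		if (!accepts(val))
			continue;
		if (sm_decode(sm_encode(val)) != val) {
			if (bad == 0 && first_bad)
				*first_bad = val;
			bad++;
		}
	}
	return bad;
}

int main(void)
{
	int first = 0;
	int n_old = count_silent_errors(old_check_accepts, &first);
	int n_new = count_silent_errors(new_check_accepts, NULL);

	printf("old check: %d silent error(s), first at %d\n", n_old, first);
	printf("new check: %d silent error(s)\n", n_new);
	printf("-128 encodes to 0x%02x, decodes to %d\n",
	       sm_encode(-128), sm_decode(sm_encode(-128)));
	return 0;
}
```
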
* [PATCH 6.19 347/378] iio: frequency: adf4377: Fix duplicated soft reset mask
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 346/378] iio: dac: ds4424: reject -128 RAW value Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 348/378] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() Greg Kroah-Hartman
` (37 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, SeungJu Cheon, Stable,
Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeungJu Cheon <suunj1331@gmail.com>
commit 6c8bf4b604a8a6346ca71f1c027fa01c2c2e04cb upstream.
The regmap_read_poll_timeout() uses ADF4377_0000_SOFT_RESET_R_MSK
twice instead of checking both SOFT_RESET_MSK (bit 0) and
SOFT_RESET_R_MSK (bit 7). This causes an incomplete reset status check.
The code first sets both SOFT_RESET and SOFT_RESET_R bits to 1 via
regmap_update_bits(), then polls for them to be cleared. Since we set
both bits before polling, we should be waiting for both to clear.
Fix by using both masks as done in regmap_update_bits() above.
Fixes: eda549e2e524 ("iio: frequency: adf4377: add support for ADF4377")
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
Cc: Stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/frequency/adf4377.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/frequency/adf4377.c
+++ b/drivers/iio/frequency/adf4377.c
@@ -501,7 +501,7 @@ static int adf4377_soft_reset(struct adf
return ret;
return regmap_read_poll_timeout(st->regmap, 0x0, read_val,
- !(read_val & (ADF4377_0000_SOFT_RESET_R_MSK |
+ !(read_val & (ADF4377_0000_SOFT_RESET_MSK |
ADF4377_0000_SOFT_RESET_R_MSK)), 200, 200 * 100);
}
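Review bot: The poll condition in adf4377_soft_reset() has to repeat the same two-mask OR that, per the commit message, regmap_update_bits() uses just above, and that duplication is how the copy-paste slip got in. Holding `ADF4377_0000_SOFT_RESET_MSK | ADF4377_0000_SOFT_RESET_R_MSK` in one local variable or macro and using it for both the write and the poll would prevent a repeat.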
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 348/378] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 347/378] iio: frequency: adf4377: Fix duplicated soft reset mask Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 349/378] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() Greg Kroah-Hartman
` (36 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Tomasz Duszynski,
Andy Shevchenko, Stable, Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit c3914ce1963c4db25e186112c90fa5d2361e9e0a upstream.
sizeof(num) evaluates to sizeof(size_t) which is 8 bytes on 64-bit,
but the buffer elements are only 4 bytes. The same function already
uses sizeof(*meas) on line 312, making the mismatch evident. Use
sizeof(*meas) consistently.
Fixes: b2e171f5a5c6 ("iio: sps30: add support for serial interface")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Acked-by: Tomasz Duszynski <tduszyns@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/sps30_serial.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/chemical/sps30_serial.c
+++ b/drivers/iio/chemical/sps30_serial.c
@@ -303,7 +303,7 @@ static int sps30_serial_read_meas(struct
if (msleep_interruptible(1000))
return -EINTR;
- ret = sps30_serial_command(state, SPS30_SERIAL_READ_MEAS, NULL, 0, meas, num * sizeof(num));
+ ret = sps30_serial_command(state, SPS30_SERIAL_READ_MEAS, NULL, 0, meas, num * sizeof(*meas));
if (ret < 0)
return ret;
/* if measurements aren't ready sensor returns empty frame */
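Review bot: The corrected sps30_serial_command() call is well past the usual line length, which is part of why `sizeof(num)` versus `sizeof(*meas)` was easy to miss at the end of the argument list. Wrapping the arguments, or computing the response size into a named local first, would keep the element type visible at a glance.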
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 349/378] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 348/378] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 350/378] iio: magnetometer: tlv493d: remove erroneous shift in X-axis data Greg Kroah-Hartman
` (35 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Tomasz Duszynski,
Andy Shevchenko, Stable, Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit 216345f98cae7fcc84f49728c67478ac00321c87 upstream.
sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead
of the intended __be32 element size (4 bytes). Use sizeof(*meas) to
correctly match the buffer element type.
Fixes: 8f3f13085278 ("iio: sps30: separate core and interface specific code")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Acked-by: Tomasz Duszynski <tduszyns@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/sps30_i2c.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/chemical/sps30_i2c.c
+++ b/drivers/iio/chemical/sps30_i2c.c
@@ -171,7 +171,7 @@ static int sps30_i2c_read_meas(struct sp
if (!sps30_i2c_meas_ready(state))
return -ETIMEDOUT;
- return sps30_i2c_command(state, SPS30_I2C_READ_MEAS, NULL, 0, meas, sizeof(num) * num);
+ return sps30_i2c_command(state, SPS30_I2C_READ_MEAS, NULL, 0, meas, sizeof(*meas) * num);
}
static int sps30_i2c_clean_fan(struct sps30_state *state)
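Review bot: The size argument in sps30_i2c_read_meas() is written `sizeof(*meas) * num`, the reverse operand order of the same expression in the serial fix (`num * sizeof(*meas)`). Using one form in both transports makes the two read paths easier to compare and to grep when auditing for this class of sizeof mistake.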
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 350/378] iio: magnetometer: tlv493d: remove erroneous shift in X-axis data
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 349/378] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 351/378] iio: potentiometer: mcp4131: fix double application of wiper shift Greg Kroah-Hartman
` (34 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Stable,
Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit 82ee91d6b15f06b6094eea2c26afe0032fe8e177 upstream.
TLV493D_BX2_MAG_X_AXIS_LSB is defined as GENMASK(7, 4). FIELD_GET()
already right-shifts bits [7:4] to [3:0], so the additional >> 4
discards most of the X-axis low nibble. The Y and Z axes correctly
omit this extra shift. Remove it.
Fixes: 106511d280c7 ("iio: magnetometer: add support for Infineon TLV493D 3D Magentic sensor")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/magnetometer/tlv493d.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/magnetometer/tlv493d.c
+++ b/drivers/iio/magnetometer/tlv493d.c
@@ -171,7 +171,7 @@ static s16 tlv493d_get_channel_data(u8 *
switch (ch) {
case TLV493D_AXIS_X:
val = FIELD_GET(TLV493D_BX_MAG_X_AXIS_MSB, b[TLV493D_RD_REG_BX]) << 4 |
- FIELD_GET(TLV493D_BX2_MAG_X_AXIS_LSB, b[TLV493D_RD_REG_BX2]) >> 4;
+ FIELD_GET(TLV493D_BX2_MAG_X_AXIS_LSB, b[TLV493D_RD_REG_BX2]);
break;
case TLV493D_AXIS_Y:
val = FIELD_GET(TLV493D_BY_MAG_Y_AXIS_MSB, b[TLV493D_RD_REG_BY]) << 4 |
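Review bot: in the TLV493D_AXIS_X case the merge of the MSB and LSB fields relies on `<<` binding tighter than `|`, the same precedence that let the stray `>> 4` attach silently to the LSB term only. Parenthesising the shifted MSB term, or moving the MSB/LSB merge into one small helper used by all three axes, would keep the cases from drifting apart again and would make a per-axis difference like this one stand out in review.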
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 351/378] iio: potentiometer: mcp4131: fix double application of wiper shift
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 350/378] iio: magnetometer: tlv493d: remove erroneous shift in X-axis data Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 352/378] iio: chemical: bme680: Fix measurement wait duration calculation Greg Kroah-Hartman
` (33 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Jonathan Cameron,
Lukas Schmid
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Schmid <lukas.schmid@netcube.li>
commit 85e4614524dca6c0a43874f475a17de2b9725648 upstream.
The MCP4131 wiper address is shifted twice when preparing the SPI
command in mcp4131_write_raw().
The address is already shifted when assigned to the local variable
"address", but is then shifted again when written to data->buf[0].
This results in an incorrect command being sent to the device and
breaks wiper writes to the second channel.
Remove the second shift and use the pre-shifted address directly
when composing the SPI transfer.
Fixes: 22d199a53910 ("iio: potentiometer: add driver for Microchip MCP413X/414X/415X/416X/423X/424X/425X/426X")
Signed-off-by: Lukas Schmid <lukas.schmid@netcube.li>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/potentiometer/mcp4131.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/potentiometer/mcp4131.c
+++ b/drivers/iio/potentiometer/mcp4131.c
@@ -221,7 +221,7 @@ static int mcp4131_write_raw(struct iio_
mutex_lock(&data->lock);
- data->buf[0] = address << MCP4131_WIPER_SHIFT;
+ data->buf[0] = address;
data->buf[0] |= MCP4131_WRITE | (val >> 8);
data->buf[1] = val & 0xFF; /* 8 bits here */
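Review bot: the context line `data->buf[0] |= MCP4131_WRITE | (val >> 8);` ORs the upper bits of val into the same byte that now carries the pre-shifted address, and no range check on val is visible in this hunk. If val is not already limited earlier in mcp4131_write_raw(), mask that term to the bits the command byte reserves for data so that an oversized value cannot alter the address or command bits. Since the bug came from a variable named address holding an already shifted value, a short comment or a rename at its assignment would help the next reader.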
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 352/378] iio: chemical: bme680: Fix measurement wait duration calculation
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 351/378] iio: potentiometer: mcp4131: fix double application of wiper shift Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 353/378] iio: buffer: Fix wait_queue not being removed Greg Kroah-Hartman
` (32 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Spencer, Vasileios Amoiridis,
Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Spencer <spencercw@gmail.com>
commit f55b9510cd9437da3a0efa08b089caeb47595ff1 upstream.
This function refers to the Bosch BME680 API as the source of the
calculation, but one of the constants does not match the Bosch
implementation. This appears to be a simple transposition of two digits,
resulting in a wait time that is too short. This can cause the following
'device measurement cycle incomplete' check to occasionally fail, returning
EBUSY to user space.
Adjust the constant to match the Bosch implementation and resolve the EBUSY
errors.
Fixes: 4241665e6ea0 ("iio: chemical: bme680: Fix sensor data read operation")
Link: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x.c#L521
Signed-off-by: Chris Spencer <spencercw@gmail.com>
Acked-by: Vasileios Amoiridis <vassilisamir@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/bme680_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/chemical/bme680_core.c
+++ b/drivers/iio/chemical/bme680_core.c
@@ -613,7 +613,7 @@ static int bme680_wait_for_eoc(struct bm
* + heater duration
*/
int wait_eoc_us = ((data->oversampling_temp + data->oversampling_press +
- data->oversampling_humid) * 1936) + (477 * 4) +
+ data->oversampling_humid) * 1963) + (477 * 4) +
(477 * 5) + 1000 + (data->heater_dur * 1000);
fsleep(wait_eoc_us);
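Review bot: the corrected multiplier 1963 in the wait_eoc_us expression is still a bare literal next to 477 and 1000, which is how the transposed 1936 went unnoticed. Named constants with a comment pointing at the Bosch source linked in the commit message would let a reader check each term against the reference. wait_eoc_us is also an int computed from data->heater_dur * 1000, so it is worth stating the permitted range of heater_dur where it is set.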
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 353/378] iio: buffer: Fix wait_queue not being removed
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 352/378] iio: chemical: bme680: Fix measurement wait duration calculation Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 354/378] iio: gyro: mpu3050-core: fix pm_runtime error handling Greg Kroah-Hartman
` (31 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nuno Sá, David Lechner, Stable,
Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nuno Sá <nuno.sa@analog.com>
commit 064234044056c93a3719d6893e6e5a26a94a61b6 upstream.
In the edge case where the IIO device is unregistered while we're
buffering, we were directly returning an error without removing the wait
queue. Instead, set 'ret' and break out of the loop.
Fixes: 9eeee3b0bf19 ("iio: Add output buffer support")
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-buffer.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -228,8 +228,10 @@ static ssize_t iio_buffer_write(struct f
written = 0;
add_wait_queue(&rb->pollq, &wait);
do {
- if (!indio_dev->info)
- return -ENODEV;
+ if (!indio_dev->info) {
+ ret = -ENODEV;
+ break;
+ }
if (!iio_buffer_space_available(rb)) {
if (signal_pending(current)) {
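Review bot: breaking out of the loop with `ret = -ENODEV` only fixes the leak if the code after the loop, which this hunk does not show, calls remove_wait_queue() and then returns ret in preference to written. Please confirm the post-loop return handles a negative ret when written is still 0, and that ret is initialised on the paths that leave the loop without setting it.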
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 354/378] iio: gyro: mpu3050-core: fix pm_runtime error handling
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 353/378] iio: buffer: Fix wait_queue not being removed Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 355/378] iio: imu: adis: Fix NULL pointer dereference in adis_init Greg Kroah-Hartman
` (30 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, Antoniu Miclaus,
Stable, Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit acc3949aab3e8094641a9c7c2768de1958c88378 upstream.
The return value of pm_runtime_get_sync() is not checked, allowing
the driver to access hardware that may fail to resume. The device
usage count is also unconditionally incremented. Use
pm_runtime_resume_and_get() which propagates errors and avoids
incrementing the usage count on failure.
In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate()
failure since postdisable does not run when preenable fails.
Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope")
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/gyro/mpu3050-core.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
--- a/drivers/iio/gyro/mpu3050-core.c
+++ b/drivers/iio/gyro/mpu3050-core.c
@@ -322,7 +322,9 @@ static int mpu3050_read_raw(struct iio_d
}
case IIO_CHAN_INFO_RAW:
/* Resume device */
- pm_runtime_get_sync(mpu3050->dev);
+ ret = pm_runtime_resume_and_get(mpu3050->dev);
+ if (ret)
+ return ret;
mutex_lock(&mpu3050->lock);
ret = mpu3050_set_8khz_samplerate(mpu3050);
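Review bot: the early `return ret` in the IIO_CHAN_INFO_RAW case sits before mutex_lock(), so no unlock is needed there, but every later error exit in this case now has to drop the reference that pm_runtime_resume_and_get() took. Those exits are outside this hunk, and the commit message only mentions adding a put in preenable, so please confirm that a failure of mpu3050_set_8khz_samplerate() on this path reaches a pm_runtime_put_autosuspend().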
@@ -647,14 +649,20 @@ out_trigger_unlock:
static int mpu3050_buffer_preenable(struct iio_dev *indio_dev)
{
struct mpu3050 *mpu3050 = iio_priv(indio_dev);
+ int ret;
- pm_runtime_get_sync(mpu3050->dev);
+ ret = pm_runtime_resume_and_get(mpu3050->dev);
+ if (ret)
+ return ret;
/* Unless we have OUR trigger active, run at full speed */
- if (!mpu3050->hw_irq_trigger)
- return mpu3050_set_8khz_samplerate(mpu3050);
+ if (!mpu3050->hw_irq_trigger) {
+ ret = mpu3050_set_8khz_samplerate(mpu3050);
+ if (ret)
+ pm_runtime_put_autosuspend(mpu3050->dev);
+ }
- return 0;
+ return ret;
}
static int mpu3050_buffer_postdisable(struct iio_dev *indio_dev)
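Review bot: in mpu3050_buffer_preenable() the final `return ret` is correct when hw_irq_trigger is set only because ret is known to be 0 after the earlier `if (ret) return ret;`. That is easy to break in a later edit. Returning from inside the `if (ret)` branch after the put and ending the function with an explicit `return 0` would keep the success and failure exits distinct.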
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 355/378] iio: imu: adis: Fix NULL pointer dereference in adis_init
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 354/378] iio: gyro: mpu3050-core: fix pm_runtime error handling Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 356/378] iio: gyro: mpu3050-i2c: fix pm_runtime error handling Greg Kroah-Hartman
` (29 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Radu Sabau, Andy Shevchenko,
Antoniu Miclaus, Stable, Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Radu Sabau <radu.sabau@analog.com>
commit 9990cd4f8827bd1ae3fb6eb7407630d8d463c430 upstream.
The adis_init() function dereferences adis->ops to check if the
individual function pointers (write, read, reset) are NULL, but does
not first check if adis->ops itself is NULL.
Drivers like adis16480, adis16490, adis16545 and others do not set
custom ops and rely on adis_init() assigning the defaults. Since struct
adis is zero-initialized by devm_iio_device_alloc(), adis->ops is NULL
when adis_init() is called, causing a NULL pointer dereference:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
pc : adis_init+0xc0/0x118
Call trace:
adis_init+0xc0/0x118
adis16480_probe+0xe0/0x670
Fix this by checking if adis->ops is NULL before dereferencing it,
falling through to assign the default ops in that case.
Fixes: 3b29bcee8f6f ("iio: imu: adis: Add custom ops struct")
Signed-off-by: Radu Sabau <radu.sabau@analog.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/adis.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/imu/adis.c
+++ b/drivers/iio/imu/adis.c
@@ -526,7 +526,7 @@ int adis_init(struct adis *adis, struct
adis->spi = spi;
adis->data = data;
- if (!adis->ops->write && !adis->ops->read && !adis->ops->reset)
+ if (!adis->ops)
adis->ops = &adis_default_ops;
else if (!adis->ops->write || !adis->ops->read || !adis->ops->reset)
return -EINVAL;
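Review bot: the new `if (!adis->ops)` test changes behaviour for a caller that passes a non-NULL ops structure with write, read and reset all NULL: the old condition gave it adis_default_ops, while it now falls into the `else if` and gets -EINVAL. The commit message says the affected drivers leave ops NULL, so this is probably intended, but it should be stated in the changelog, or the first test written as `!adis->ops || (!adis->ops->write && !adis->ops->read && !adis->ops->reset)` to keep the old case working.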
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 356/378] iio: gyro: mpu3050-i2c: fix pm_runtime error handling
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 355/378] iio: imu: adis: Fix NULL pointer dereference in adis_init Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 357/378] iio: imu: inv_icm45600: fix regulator put warning when probe fails Greg Kroah-Hartman
` (28 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Stable,
Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit 91f950b4cbb1aa9ea4eb3999f1463e8044b717fb upstream.
The return value of pm_runtime_get_sync() is not checked, and the
function always returns success. This allows I2C mux operations to
proceed even when the device fails to resume.
Use pm_runtime_resume_and_get() and propagate its return value to
properly handle resume failures.
Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/gyro/mpu3050-i2c.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/iio/gyro/mpu3050-i2c.c
+++ b/drivers/iio/gyro/mpu3050-i2c.c
@@ -19,8 +19,7 @@ static int mpu3050_i2c_bypass_select(str
struct mpu3050 *mpu3050 = i2c_mux_priv(mux);
/* Just power up the device, that is all that is needed */
- pm_runtime_get_sync(mpu3050->dev);
- return 0;
+ return pm_runtime_resume_and_get(mpu3050->dev);
}
static int mpu3050_i2c_bypass_deselect(struct i2c_mux_core *mux, u32 chan_id)
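Review bot: now that mpu3050_i2c_bypass_select() can return an error, the usage count is raised only on success, so mpu3050_i2c_bypass_deselect() must not drop a reference after a failed select. The deselect body is not part of this hunk; please confirm the mux core skips deselect when select fails. The comment "Just power up the device" could also say that the resume result is returned to the caller.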
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 357/378] iio: imu: inv_icm45600: fix regulator put warning when probe fails
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 356/378] iio: gyro: mpu3050-i2c: fix pm_runtime error handling Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 358/378] iio: light: bh1780: fix PM runtime leak on error path Greg Kroah-Hartman
` (27 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean-Baptiste Maneyrol,
Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
commit 2617595538be8a2f270ad13fccb9f56007b292d7 upstream.
When the driver probe fails we encounter a regulator put warning
because the vddio regulator is not stopped before release. The issue
comes from pm_runtime not being set up yet when core probe fails and
the vddio regulator disable callback is called.
Fix the issue by setting pm_runtime active early before vddio
regulator resource cleanup. This requires splitting pm_runtime
set_active and enable into 2 function calls.
Fixes: 7ff021a3faca ("iio: imu: inv_icm45600: add new inv_icm45600 driver")
Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm45600/inv_icm45600_core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/iio/imu/inv_icm45600/inv_icm45600_core.c b/drivers/iio/imu/inv_icm45600/inv_icm45600_core.c
index e4638926a10c..d49053161a65 100644
--- a/drivers/iio/imu/inv_icm45600/inv_icm45600_core.c
+++ b/drivers/iio/imu/inv_icm45600/inv_icm45600_core.c
@@ -744,6 +744,11 @@ int inv_icm45600_core_probe(struct regmap *regmap, const struct inv_icm45600_chi
*/
fsleep(5 * USEC_PER_MSEC);
+ /* set pm_runtime active early for disable vddio resource cleanup */
+ ret = pm_runtime_set_active(dev);
+ if (ret)
+ return ret;
+
ret = inv_icm45600_enable_regulator_vddio(st);
if (ret)
return ret;
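Review bot: pm_runtime_set_active() is now called before inv_icm45600_enable_regulator_vddio(), so if the regulator enable fails the function returns with the runtime PM status left at active and nothing visible here that resets it. Consider calling pm_runtime_set_suspended() on that error path. The added comment "for disable vddio resource cleanup" is also hard to parse; wording that says the device is marked active so that the vddio disable callback run at cleanup sees the right runtime PM state would explain why the order matters.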
@@ -776,7 +781,7 @@ int inv_icm45600_core_probe(struct regmap *regmap, const struct inv_icm45600_chi
if (ret)
return ret;
- ret = devm_pm_runtime_set_active_enabled(dev);
+ ret = devm_pm_runtime_enable(dev);
if (ret)
return ret;
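Review bot: replacing devm_pm_runtime_set_active_enabled() with devm_pm_runtime_enable() drops the managed half of the set_active step. The combined helper also registers a devres action that sets the device back to suspended at teardown, and the plain pm_runtime_set_active() added in the first hunk does not. If that reset is still wanted on unbind or on a later probe failure, add an explicit devm action for it next to the early set_active call, and say in the changelog which behaviour is intended.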
--
2.53.0
^ permalink raw reply related [flat|nested] 396+ messages in thread
* [PATCH 6.19 358/378] iio: light: bh1780: fix PM runtime leak on error path
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 357/378] iio: imu: inv_icm45600: fix regulator put warning when probe fails Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 359/378] iio: imu: inv_icm45600: fix INT1 drive bit inverted Greg Kroah-Hartman
` (26 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Linus Walleij,
Stable, Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit dd72e6c3cdea05cad24e99710939086f7a113fb5 upstream.
Move pm_runtime_put_autosuspend() before the error check to ensure
the PM runtime reference count is always decremented after
pm_runtime_get_sync(), regardless of whether the read operation
succeeds or fails.
Fixes: 1f0477f18306 ("iio: light: new driver for the ROHM BH1780")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/bh1780.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/light/bh1780.c
+++ b/drivers/iio/light/bh1780.c
@@ -109,9 +109,9 @@ static int bh1780_read_raw(struct iio_de
case IIO_LIGHT:
pm_runtime_get_sync(&bh1780->client->dev);
value = bh1780_read_word(bh1780, BH1780_REG_DLOW);
+ pm_runtime_put_autosuspend(&bh1780->client->dev);
if (value < 0)
return value;
- pm_runtime_put_autosuspend(&bh1780->client->dev);
*val = value;
return IIO_VAL_INT;
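Review bot: the first line of the IIO_LIGHT case still ignores the return value of pm_runtime_get_sync(), so bh1780_read_word() can run against a device that failed to resume. Moving the put ahead of the `value < 0` check fixes the reference leak; switching the get to pm_runtime_resume_and_get() with an early return, as the mpu3050 patches in this series do, would close the other half of the problem.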
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 359/378] iio: imu: inv_icm45600: fix INT1 drive bit inverted
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 358/378] iio: light: bh1780: fix PM runtime leak on error path Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 360/378] iio: imu: inv_icm42600: fix odr switch to the same value Greg Kroah-Hartman
` (25 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean-Baptiste Maneyrol,
Andy Shevchenko, Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
commit 7ef74d961d1ad6ec72b50887ca119d7f98f07717 upstream.
Drive bit must be set for open-drain mode and be cleared for push-pull
mode.
Referring to datasheet DS-000576_ICM-45605.pdf section 17.23
INT1_CONFIG2.
Fixes: 06674a72cf7a ("iio: imu: inv_icm45600: add buffer support in iio devices")
Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm45600/inv_icm45600.h | 2 +-
drivers/iio/imu/inv_icm45600/inv_icm45600_core.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/iio/imu/inv_icm45600/inv_icm45600.h
+++ b/drivers/iio/imu/inv_icm45600/inv_icm45600.h
@@ -205,7 +205,7 @@ struct inv_icm45600_sensor_state {
#define INV_ICM45600_SPI_SLEW_RATE_38NS 0
#define INV_ICM45600_REG_INT1_CONFIG2 0x0018
-#define INV_ICM45600_INT1_CONFIG2_PUSH_PULL BIT(2)
+#define INV_ICM45600_INT1_CONFIG2_OPEN_DRAIN BIT(2)
#define INV_ICM45600_INT1_CONFIG2_LATCHED BIT(1)
#define INV_ICM45600_INT1_CONFIG2_ACTIVE_HIGH BIT(0)
#define INV_ICM45600_INT1_CONFIG2_ACTIVE_LOW 0x00
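Review bot: INV_ICM45600_INT1_CONFIG2_OPEN_DRAIN BIT(2) has no push-pull counterpart, while the polarity bit just below it has both ACTIVE_HIGH and ACTIVE_LOW 0x00. Adding a PUSH_PULL 0x00 define and a one-line comment citing the INT1_CONFIG2 section of the datasheet named in the commit message would document both settings and make a future inversion harder to introduce.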
--- a/drivers/iio/imu/inv_icm45600/inv_icm45600_core.c
+++ b/drivers/iio/imu/inv_icm45600/inv_icm45600_core.c
@@ -637,8 +637,8 @@ static int inv_icm45600_irq_init(struct
break;
}
- if (!open_drain)
- val |= INV_ICM45600_INT1_CONFIG2_PUSH_PULL;
+ if (open_drain)
+ val |= INV_ICM45600_INT1_CONFIG2_OPEN_DRAIN;
ret = regmap_write(st->map, INV_ICM45600_REG_INT1_CONFIG2, val);
if (ret)
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 360/378] iio: imu: inv_icm42600: fix odr switch to the same value
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 359/378] iio: imu: inv_icm45600: fix INT1 drive bit inverted Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 361/378] iio: imu: inv_icm42600: fix odr switch when turning buffer off Greg Kroah-Hartman
` (24 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean-Baptiste Maneyrol,
Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
commit c9f3a593137d862d424130343e77d4b5260a4f5a upstream.
ODR switch is done in 2 steps when FIFO is on: change the ODR register
value and acknowledge change when reading the FIFO ODR change flag.
When we are switching to the same ODR value, we end up waiting for a
FIFO ODR flag that never happens.
Fix the issue by doing nothing and exiting properly when we are
switching to the same ODR value.
Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 2 ++
drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 2 ++
2 files changed, 4 insertions(+)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
@@ -651,6 +651,8 @@ static int inv_icm42600_accel_write_odr(
return -EINVAL;
conf.odr = inv_icm42600_accel_odr_conv[idx / 2];
+ if (conf.odr == st->conf.accel.odr)
+ return 0;
pm_runtime_get_sync(dev);
mutex_lock(&st->lock);
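Review bot: the new comparison `conf.odr == st->conf.accel.odr` reads driver state before `mutex_lock(&st->lock)`, so a concurrent ODR write can change st->conf.accel.odr between the test and the point where the lock is taken. Doing the check after taking st->lock and before touching the hardware keeps the early exit and removes the race; the early-exit path then needs the unlock and the runtime PM put.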
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
@@ -358,6 +358,8 @@ static int inv_icm42600_gyro_write_odr(s
return -EINVAL;
conf.odr = inv_icm42600_gyro_odr_conv[idx / 2];
+ if (conf.odr == st->conf.gyro.odr)
+ return 0;
pm_runtime_get_sync(dev);
mutex_lock(&st->lock);
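Review bot: the gyro copy of the check has the same shape as the accel one, reading st->conf.gyro.odr ahead of mutex_lock(&st->lock). Whatever is decided about the locking, the two-line test is now duplicated across both files; a shared helper that takes the current and requested ODR would keep the two write_odr paths from diverging.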
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 361/378] iio: imu: inv_icm42600: fix odr switch when turning buffer off
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 360/378] iio: imu: inv_icm42600: fix odr switch to the same value Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 362/378] iio: proximity: hx9023s: fix assignment order for __counted_by Greg Kroah-Hartman
` (23 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean-Baptiste Maneyrol,
Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
commit ffd32db8263d2d785a2c419486a450dc80693235 upstream.
ODR switch is done in 2 steps when FIFO is on: change the ODR register
value and acknowledge change when reading the FIFO ODR change flag.
When we are switching ODR and turning buffer off just afterward, we are
losing the FIFO ODR change flag and ODR switch is blocked.
Fix the issue by force applying any waiting ODR change when turning
buffer off.
Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c
@@ -371,6 +371,8 @@ static int inv_icm42600_buffer_predisabl
static int inv_icm42600_buffer_postdisable(struct iio_dev *indio_dev)
{
struct inv_icm42600_state *st = iio_device_get_drvdata(indio_dev);
+ struct inv_icm42600_sensor_state *sensor_st = iio_priv(indio_dev);
+ struct inv_sensors_timestamp *ts = &sensor_st->ts;
struct device *dev = regmap_get_device(st->map);
unsigned int sensor;
unsigned int *watermark;
@@ -392,6 +394,8 @@ static int inv_icm42600_buffer_postdisab
mutex_lock(&st->lock);
+ inv_sensors_timestamp_apply_odr(ts, 0, 0, 0);
+
ret = inv_icm42600_buffer_set_fifo_en(st, st->fifo.en & ~sensor);
if (ret)
goto out_unlock;
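Review bot: `inv_sensors_timestamp_apply_odr(ts, 0, 0, 0);` passes three bare zeros with no comment, so a reader cannot tell from the call that its purpose is to force a pending ODR change through when the buffer is turned off. Add a comment stating that and what the zero arguments mean. The call also runs before inv_icm42600_buffer_set_fifo_en(), so the pending change is applied even when that call fails and the function leaves through out_unlock; please confirm that order is intended.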
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 362/378] iio: proximity: hx9023s: fix assignment order for __counted_by
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 361/378] iio: imu: inv_icm42600: fix odr switch when turning buffer off Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 363/378] iio: proximity: hx9023s: Protect against division by zero in set_samp_freq Greg Kroah-Hartman
` (22 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yasin Lee, Andy Shevchenko, Stable,
Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yasin Lee <yasin.lee.x@gmail.com>
commit 585b90c0161ab77416fe3acdbdc55b978e33e16c upstream.
Initialize fw_size before copying firmware data into the flexible
array member to match the __counted_by() annotation. This fixes the
incorrect assignment order that triggers runtime safety checks.
Fixes: e9ed97be4fcc ("iio: proximity: hx9023s: Added firmware file parsing functionality")
Signed-off-by: Yasin Lee <yasin.lee.x@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/proximity/hx9023s.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/iio/proximity/hx9023s.c
+++ b/drivers/iio/proximity/hx9023s.c
@@ -1034,9 +1034,8 @@ static int hx9023s_send_cfg(const struct
if (!bin)
return -ENOMEM;
- memcpy(bin->data, fw->data, fw->size);
-
bin->fw_size = fw->size;
+ memcpy(bin->data, fw->data, bin->fw_size);
bin->fw_ver = bin->data[FW_VER_OFFSET];
bin->reg_count = get_unaligned_le16(bin->data + FW_REG_CNT_OFFSET);
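Review bot: right after the copy, `bin->data[FW_VER_OFFSET]` and `get_unaligned_le16(bin->data + FW_REG_CNT_OFFSET)` read fixed offsets with no check in this hunk that fw->size is large enough to contain them. With fw_size now set before the memcpy(), the __counted_by() bound applies to those reads wherever the runtime checks are enabled, so a truncated firmware file would trip it here. An explicit minimum-size test on fw->size that returns an error before the allocation would reject such a file cleanly on every configuration.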
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 363/378] iio: proximity: hx9023s: Protect against division by zero in set_samp_freq
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 362/378] iio: proximity: hx9023s: fix assignment order for __counted_by Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 364/378] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors Greg Kroah-Hartman
` (21 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yasin Lee, Andy Shevchenko, Stable,
Jonathan Cameron
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yasin Lee <yasin.lee.x@gmail.com>
commit a318cfc0853706f1d6ce682dba660bc455d674ef upstream.
Avoid division by zero when sampling frequency is unspecified.
Fixes: 60df548277b7 ("iio: proximity: Add driver support for TYHX's HX9023S capacitive proximity sensor")
Signed-off-by: Yasin Lee <yasin.lee.x@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/proximity/hx9023s.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/iio/proximity/hx9023s.c
+++ b/drivers/iio/proximity/hx9023s.c
@@ -719,6 +719,9 @@ static int hx9023s_set_samp_freq(struct
struct device *dev = regmap_get_device(data->regmap);
unsigned int i, period_ms;
+ if (!val && !val2)
+ return -EINVAL;
+
period_ms = div_u64(NANO, (val * MEGA + val2));
for (i = 0; i < ARRAY_SIZE(hx9023s_samp_freq_table); i++) {
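Review bot: `if (!val && !val2)` tests the inputs rather than the divisor that is actually passed to div_u64(). div_u64() takes a 32-bit divisor, so `val * MEGA + val2` is truncated on the way in, and negative val or val2 (if the parameters are signed, which this hunk does not show) can also produce a zero or wrapped sum. Rejecting negative or out-of-range inputs, computing the sum into a local, and checking that local for zero before the division would cover the cases the current test misses.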
^ permalink raw reply [flat|nested] 396+ messages in thread
* [PATCH 6.19 364/378] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 363/378] iio: proximity: hx9023s: Protect against division by zero in set_samp_freq Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 365/378] i3c: mipi-i3c-hci: Factor out DMA mapping from queuing path Greg Kroah-Hartman
` (20 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit 4167b8914463132654e01e16259847d097f8a7f7 upstream.
The MIPI I3C HCI driver currently returns -ETIME for various timeout
conditions, while other I3C master drivers consistently use -ETIMEDOUT
for the same class of errors. Align the HCI driver with the rest of the
subsystem by replacing all uses of -ETIME with -ETIMEDOUT.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-2-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/cmd_v1.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/cmd_v2.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/core.c | 6 +++---
3 files changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/i3c/master/mipi-i3c-hci/cmd_v1.c
+++ b/drivers/i3c/master/mipi-i3c-hci/cmd_v1.c
@@ -336,7 +336,7 @@ static int hci_cmd_v1_daa(struct i3c_hci
hci->io->queue_xfer(hci, xfer, 1);
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, 1)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
break;
}
if ((RESP_STATUS(xfer->response) == RESP_ERR_ADDR_HEADER ||
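Review bot: in hci_cmd_v1_daa() the timeout is reported only when wait_for_completion_timeout() returns 0 and dequeue_xfer() returns true; when the wait expires but the dequeue returns false, execution falls through to the RESP_STATUS() check as if the transfer had completed. The same two-part condition appears in every hunk of this patch, so a one-line comment at these sites saying why a failed dequeue is not treated as a timeout would make the -ETIMEDOUT paths easier to audit.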
--- a/drivers/i3c/master/mipi-i3c-hci/cmd_v2.c
+++ b/drivers/i3c/master/mipi-i3c-hci/cmd_v2.c
@@ -277,7 +277,7 @@ static int hci_cmd_v2_daa(struct i3c_hci
hci->io->queue_xfer(hci, xfer, 2);
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, 2)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
break;
}
if (RESP_STATUS(xfer[0].response) != RESP_SUCCESS) {
--- a/drivers/i3c/master/mipi-i3c-hci/core.c
+++ b/drivers/i3c/master/mipi-i3c-hci/core.c
@@ -230,7 +230,7 @@ static int i3c_hci_send_ccc_cmd(struct i
goto out;
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, nxfers)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
goto out;
}
for (i = prefixed; i < nxfers; i++) {
@@ -309,7 +309,7 @@ static int i3c_hci_i3c_xfers(struct i3c_
goto out;
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, nxfers)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
goto out;
}
for (i = 0; i < nxfers; i++) {
@@ -357,7 +357,7 @@ static int i3c_hci_i2c_xfers(struct i2c_
goto out;
if (!wait_for_completion_timeout(&done, m->i2c.timeout) &&
hci->io->dequeue_xfer(hci, xfer, nxfers)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
goto out;
}
for (i = 0; i < nxfers; i++) {
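Review bot: the value returned from the timeout branch of i3c_hci_i2c_xfers() changes from -ETIME to -ETIMEDOUT in a stable backport, and the changelog does not say whether anything compares against the old value. A sentence in the commit message confirming that no caller of these transfer functions tests for -ETIME would settle that for reviewers of the stable tree.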
* [PATCH 6.19 365/378] i3c: mipi-i3c-hci: Factor out DMA mapping from queuing path
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 364/378] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 366/378] i3c: mipi-i3c-hci: Consolidate spinlocks Greg Kroah-Hartman
` (19 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit f3bcbfe1b8b0b836b772927f75f8cb6e759eb00a upstream.
Prepare for fixing a race in the DMA ring enqueue path when handling
parallel transfers. Move all DMA mapping out of hci_dma_queue_xfer()
and into a new helper that performs the mapping up front.
This refactoring allows the upcoming fix to extend the spinlock coverage
around the enqueue operation without performing DMA mapping under the
spinlock.
No functional change is intended in this patch.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-4-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/dma.c | 49 ++++++++++++++++++++++------------
1 file changed, 33 insertions(+), 16 deletions(-)
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -375,6 +375,33 @@ static void hci_dma_unmap_xfer(struct i3
}
}
+static struct i3c_dma *hci_dma_map_xfer(struct device *dev, struct hci_xfer *xfer)
+{
+ enum dma_data_direction dir = xfer->rnw ? DMA_FROM_DEVICE : DMA_TO_DEVICE;
+ bool need_bounce = device_iommu_mapped(dev) && xfer->rnw && (xfer->data_len & 3);
+
+ return i3c_master_dma_map_single(dev, xfer->data, xfer->data_len, need_bounce, dir);
+}
+
+static int hci_dma_map_xfer_list(struct i3c_hci *hci, struct device *dev,
+ struct hci_xfer *xfer_list, int n)
+{
+ for (int i = 0; i < n; i++) {
+ struct hci_xfer *xfer = xfer_list + i;
+
+ if (!xfer->data)
+ continue;
+
+ xfer->dma = hci_dma_map_xfer(dev, xfer);
+ if (!xfer->dma) {
+ hci_dma_unmap_xfer(hci, xfer_list, i);
+ return -ENOMEM;
+ }
+ }
+
+ return 0;
+}
+
static int hci_dma_queue_xfer(struct i3c_hci *hci,
struct hci_xfer *xfer_list, int n)
{
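Review bot: in hci_dma_map_xfer_list() the "if (!xfer->data) continue;" branch skips the entry without assigning xfer->dma, yet the failure path here and the ring-full path in hci_dma_queue_xfer() both pass those entries to hci_dma_unmap_xfer(). That relies on hci_dma_unmap_xfer() ignoring entries that were never mapped; setting xfer->dma to NULL in the skip branch, or a comment stating the invariant, would make the dependency explicit.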
@@ -382,6 +409,11 @@ static int hci_dma_queue_xfer(struct i3c
struct hci_rh_data *rh;
unsigned int i, ring, enqueue_ptr;
u32 op1_val, op2_val;
+ int ret;
+
+ ret = hci_dma_map_xfer_list(hci, rings->sysdev, xfer_list, n);
+ if (ret)
+ return ret;
/* For now we only use ring 0 */
ring = 0;
@@ -392,9 +424,6 @@ static int hci_dma_queue_xfer(struct i3c
for (i = 0; i < n; i++) {
struct hci_xfer *xfer = xfer_list + i;
u32 *ring_data = rh->xfer + rh->xfer_struct_sz * enqueue_ptr;
- enum dma_data_direction dir = xfer->rnw ? DMA_FROM_DEVICE :
- DMA_TO_DEVICE;
- bool need_bounce;
/* store cmd descriptor */
*ring_data++ = xfer->cmd_desc[0];
@@ -413,18 +442,6 @@ static int hci_dma_queue_xfer(struct i3c
/* 2nd and 3rd words of Data Buffer Descriptor Structure */
if (xfer->data) {
- need_bounce = device_iommu_mapped(rings->sysdev) &&
- xfer->rnw &&
- xfer->data_len != ALIGN(xfer->data_len, 4);
- xfer->dma = i3c_master_dma_map_single(rings->sysdev,
- xfer->data,
- xfer->data_len,
- need_bounce,
- dir);
- if (!xfer->dma) {
- hci_dma_unmap_xfer(hci, xfer_list, i);
- return -ENOMEM;
- }
*ring_data++ = lower_32_bits(xfer->dma->addr);
*ring_data++ = upper_32_bits(xfer->dma->addr);
} else {
@@ -447,7 +464,7 @@ static int hci_dma_queue_xfer(struct i3c
op2_val = rh_reg_read(RING_OPERATION2);
if (enqueue_ptr == FIELD_GET(RING_OP2_CR_DEQ_PTR, op2_val)) {
/* the ring is full */
- hci_dma_unmap_xfer(hci, xfer_list, i + 1);
+ hci_dma_unmap_xfer(hci, xfer_list, n);
return -EBUSY;
}
}
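Review bot: the ring-full path changes the unmap count from "i + 1" to "n", which follows from all n transfers now being mapped before the loop, but the changelog says no functional change is intended and does not mention this error path. A sentence in the commit message, or a comment at the call saying that every entry in xfer_list is mapped by this point, would help anyone reading this hunk on its own.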
* [PATCH 6.19 366/378] i3c: mipi-i3c-hci: Consolidate spinlocks
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 365/378] i3c: mipi-i3c-hci: Factor out DMA mapping from queuing path Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 367/378] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort Greg Kroah-Hartman
` (18 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit fa12bb903bc3ed1826e355d267fe134bde95e23c upstream.
The MIPI I3C HCI driver currently uses separate spinlocks for different
contexts (PIO vs. DMA rings). This split is unnecessary and complicates
upcoming fixes. The driver does not support concurrent PIO and DMA
operation, and it only supports a single DMA ring, so a single lock is
sufficient for all paths.
Introduce a unified spinlock in struct i3c_hci, switch both PIO and DMA
code to use it, and remove the per-context locks.
No functional change is intended in this patch.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-5-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/core.c | 2 ++
drivers/i3c/master/mipi-i3c-hci/dma.c | 14 ++++++--------
drivers/i3c/master/mipi-i3c-hci/hci.h | 1 +
drivers/i3c/master/mipi-i3c-hci/pio.c | 16 +++++++---------
4 files changed, 16 insertions(+), 17 deletions(-)
--- a/drivers/i3c/master/mipi-i3c-hci/core.c
+++ b/drivers/i3c/master/mipi-i3c-hci/core.c
@@ -631,6 +631,8 @@ static int i3c_hci_init(struct i3c_hci *
if (ret)
return ret;
+ spin_lock_init(&hci->lock);
+
/*
* Now let's reset the hardware.
* SOFT_RST must be clear before we write to it.
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -133,7 +133,6 @@ struct hci_rh_data {
unsigned int xfer_struct_sz, resp_struct_sz, ibi_status_sz, ibi_chunk_sz;
unsigned int done_ptr, ibi_chunk_ptr;
struct hci_xfer **src_xfers;
- spinlock_t lock;
struct completion op_done;
};
@@ -240,7 +239,6 @@ static int hci_dma_init(struct i3c_hci *
goto err_out;
rh = &rings->headers[i];
rh->regs = hci->base_regs + offset;
- spin_lock_init(&rh->lock);
init_completion(&rh->op_done);
rh->xfer_entries = XFER_RING_ENTRIES;
@@ -470,12 +468,12 @@ static int hci_dma_queue_xfer(struct i3c
}
/* take care to update the hardware enqueue pointer atomically */
- spin_lock_irq(&rh->lock);
+ spin_lock_irq(&hci->lock);
op1_val = rh_reg_read(RING_OPERATION1);
op1_val &= ~RING_OP1_CR_ENQ_PTR;
op1_val |= FIELD_PREP(RING_OP1_CR_ENQ_PTR, enqueue_ptr);
rh_reg_write(RING_OPERATION1, op1_val);
- spin_unlock_irq(&rh->lock);
+ spin_unlock_irq(&hci->lock);
return 0;
}
@@ -573,12 +571,12 @@ static void hci_dma_xfer_done(struct i3c
}
/* take care to update the software dequeue pointer atomically */
- spin_lock(&rh->lock);
+ spin_lock(&hci->lock);
op1_val = rh_reg_read(RING_OPERATION1);
op1_val &= ~RING_OP1_CR_SW_DEQ_PTR;
op1_val |= FIELD_PREP(RING_OP1_CR_SW_DEQ_PTR, done_ptr);
rh_reg_write(RING_OPERATION1, op1_val);
- spin_unlock(&rh->lock);
+ spin_unlock(&hci->lock);
}
static int hci_dma_request_ibi(struct i3c_hci *hci, struct i3c_dev_desc *dev,
@@ -759,12 +757,12 @@ static void hci_dma_process_ibi(struct i
done:
/* take care to update the ibi dequeue pointer atomically */
- spin_lock(&rh->lock);
+ spin_lock(&hci->lock);
op1_val = rh_reg_read(RING_OPERATION1);
op1_val &= ~RING_OP1_IBI_DEQ_PTR;
op1_val |= FIELD_PREP(RING_OP1_IBI_DEQ_PTR, deq_ptr);
rh_reg_write(RING_OPERATION1, op1_val);
- spin_unlock(&rh->lock);
+ spin_unlock(&hci->lock);
/* update the chunk pointer */
rh->ibi_chunk_ptr += ibi_chunks;
--- a/drivers/i3c/master/mipi-i3c-hci/hci.h
+++ b/drivers/i3c/master/mipi-i3c-hci/hci.h
@@ -45,6 +45,7 @@ struct i3c_hci {
const struct hci_io_ops *io;
void *io_data;
const struct hci_cmd_ops *cmd;
+ spinlock_t lock;
atomic_t next_cmd_tid;
u32 caps;
unsigned int quirks;
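Review bot: the new "spinlock_t lock;" in struct i3c_hci has no comment saying what it protects, although after this patch it covers both the RING_OPERATION1 read-modify-write sequences in dma.c and the PIO transfer queue in pio.c. A short comment on the field, noting that the queue and dequeue paths take it with spin_lock_irq() while hci_pio_irq_handler() and the DMA completion paths use plain spin_lock(), would document the rule the follow-up fixes depend on.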
--- a/drivers/i3c/master/mipi-i3c-hci/pio.c
+++ b/drivers/i3c/master/mipi-i3c-hci/pio.c
@@ -124,7 +124,6 @@ struct hci_pio_ibi_data {
};
struct hci_pio_data {
- spinlock_t lock;
struct hci_xfer *curr_xfer, *xfer_queue;
struct hci_xfer *curr_rx, *rx_queue;
struct hci_xfer *curr_tx, *tx_queue;
@@ -146,7 +145,6 @@ static int hci_pio_init(struct i3c_hci *
return -ENOMEM;
hci->io_data = pio;
- spin_lock_init(&pio->lock);
size_val = pio_reg_read(QUEUE_SIZE);
dev_info(&hci->master.dev, "CMD/RESP FIFO = %ld entries\n",
@@ -609,7 +607,7 @@ static int hci_pio_queue_xfer(struct i3c
xfer[i].data_left = xfer[i].data_len;
}
- spin_lock_irq(&pio->lock);
+ spin_lock_irq(&hci->lock);
prev_queue_tail = pio->xfer_queue;
pio->xfer_queue = &xfer[n - 1];
if (pio->curr_xfer) {
@@ -623,7 +621,7 @@ static int hci_pio_queue_xfer(struct i3c
pio_reg_read(INTR_STATUS),
pio_reg_read(INTR_SIGNAL_ENABLE));
}
- spin_unlock_irq(&pio->lock);
+ spin_unlock_irq(&hci->lock);
return 0;
}
@@ -694,14 +692,14 @@ static bool hci_pio_dequeue_xfer(struct
struct hci_pio_data *pio = hci->io_data;
int ret;
- spin_lock_irq(&pio->lock);
+ spin_lock_irq(&hci->lock);
dev_dbg(&hci->master.dev, "n=%d status=%#x/%#x", n,
pio_reg_read(INTR_STATUS), pio_reg_read(INTR_SIGNAL_ENABLE));
dev_dbg(&hci->master.dev, "main_status = %#x/%#x",
readl(hci->base_regs + 0x20), readl(hci->base_regs + 0x28));
ret = hci_pio_dequeue_xfer_common(hci, pio, xfer, n);
- spin_unlock_irq(&pio->lock);
+ spin_unlock_irq(&hci->lock);
return ret;
}
@@ -994,13 +992,13 @@ static bool hci_pio_irq_handler(struct i
struct hci_pio_data *pio = hci->io_data;
u32 status;
- spin_lock(&pio->lock);
+ spin_lock(&hci->lock);
status = pio_reg_read(INTR_STATUS);
dev_dbg(&hci->master.dev, "PIO_INTR_STATUS %#x/%#x",
status, pio->enabled_irqs);
status &= pio->enabled_irqs | STAT_LATENCY_WARNINGS;
if (!status) {
- spin_unlock(&pio->lock);
+ spin_unlock(&hci->lock);
return false;
}
@@ -1036,7 +1034,7 @@ static bool hci_pio_irq_handler(struct i
pio_reg_write(INTR_SIGNAL_ENABLE, pio->enabled_irqs);
dev_dbg(&hci->master.dev, "PIO_INTR_STATUS %#x/%#x",
pio_reg_read(INTR_STATUS), pio_reg_read(INTR_SIGNAL_ENABLE));
- spin_unlock(&pio->lock);
+ spin_unlock(&hci->lock);
return true;
}
* [PATCH 6.19 367/378] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 366/378] i3c: mipi-i3c-hci: Consolidate spinlocks Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 368/378] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor Greg Kroah-Hartman
` (17 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit b6d586431ae20d5157ee468d0ef62ad26798ef13 upstream.
The DMA dequeue path attempts to restart the ring after aborting an
in-flight transfer, but the current sequence is incomplete. The controller
must be brought out of the aborted state and the ring control registers
must be programmed in the correct order: first clearing ABORT, then
re-enabling the ring and asserting RUN_STOP to resume operation.
Add the missing controller resume step and update the ring control writes
so that the ring is restarted using the proper sequence.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-11-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/dma.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -528,7 +528,9 @@ static bool hci_dma_dequeue_xfer(struct
}
/* restart the ring */
+ mipi_i3c_hci_resume(hci);
rh_reg_write(RING_CONTROL, RING_CTRL_ENABLE);
+ rh_reg_write(RING_CONTROL, RING_CTRL_ENABLE | RING_CTRL_RUN_STOP);
return did_unqueue;
}
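Review bot: the two back-to-back rh_reg_write(RING_CONTROL, ...) calls look redundant to anyone who has not read the changelog, because the existing comment only says "restart the ring". Expanding that comment to state that the first write clears ABORT while keeping ENABLE set and the second asserts RUN_STOP, and that the order matters, would keep the pair from being collapsed into a single write later.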
* [PATCH 6.19 368/378] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 367/378] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 369/378] i3c: mipi-i3c-hci: Fix race in DMA ring dequeue Greg Kroah-Hartman
` (16 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit ec3cfd835f7c4bbd23bc9ad909d2fdc772a578bb upstream.
The internal control command descriptor used for no-op commands includes a
Transaction ID (TID) field, but the no-op command constructed in
hci_dma_dequeue_xfer() omitted it. As a result, the hardware receives a
no-op descriptor without the expected TID.
This bug has gone unnoticed because the TID is currently not validated in
the no-op completion path, but the descriptor format requires it to be
present.
Add the missing TID field when generating a no-op descriptor so that its
layout matches the defined command structure.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-10-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/cmd.h | 1 +
drivers/i3c/master/mipi-i3c-hci/dma.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/i3c/master/mipi-i3c-hci/cmd.h
+++ b/drivers/i3c/master/mipi-i3c-hci/cmd.h
@@ -17,6 +17,7 @@
#define CMD_0_TOC W0_BIT_(31)
#define CMD_0_ROC W0_BIT_(30)
#define CMD_0_ATTR W0_MASK(2, 0)
+#define CMD_0_TID W0_MASK(6, 3)
/*
* Response Descriptor Structure
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -510,7 +510,7 @@ static bool hci_dma_dequeue_xfer(struct
u32 *ring_data = rh->xfer + rh->xfer_struct_sz * idx;
/* store no-op cmd descriptor */
- *ring_data++ = FIELD_PREP(CMD_0_ATTR, 0x7);
+ *ring_data++ = FIELD_PREP(CMD_0_ATTR, 0x7) | FIELD_PREP(CMD_0_TID, xfer->cmd_tid);
*ring_data++ = 0;
if (hci->cmd == &mipi_i3c_hci_cmd_v2) {
*ring_data++ = 0;
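Review bot: CMD_0_TID is defined as W0_MASK(6, 3), a 4-bit field, and FIELD_PREP(CMD_0_TID, xfer->cmd_tid) is given a runtime value, so any bits of cmd_tid above the low four are masked off silently (FIELD_PREP() only range-checks compile-time constants). It would help to note where cmd_tid is bounded to that range, or to mask it where it is assigned, so the TID written into the no-op descriptor is guaranteed to match the one the transfer was issued with.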
* [PATCH 6.19 369/378] i3c: mipi-i3c-hci: Fix race in DMA ring dequeue
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 368/378] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 370/378] i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue Greg Kroah-Hartman
` (15 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit 1dca8aee80eea76d2aae21265de5dd64f6ba0f09 upstream.
The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for
multiple transfers that time out around the same time. However, the
function is not serialized and can race with itself.
When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes
incomplete transfers, and then restarts the ring. If another timeout
triggers a parallel call into the same function, the two instances may
interfere with each other - stopping or restarting the ring at unexpected
times.
Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to
itself.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-7-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/core.c | 1 +
drivers/i3c/master/mipi-i3c-hci/dma.c | 2 ++
drivers/i3c/master/mipi-i3c-hci/hci.h | 1 +
3 files changed, 4 insertions(+)
--- a/drivers/i3c/master/mipi-i3c-hci/core.c
+++ b/drivers/i3c/master/mipi-i3c-hci/core.c
@@ -632,6 +632,7 @@ static int i3c_hci_init(struct i3c_hci *
return ret;
spin_lock_init(&hci->lock);
+ mutex_init(&hci->control_mutex);
/*
* Now let's reset the hardware.
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -486,6 +486,8 @@ static bool hci_dma_dequeue_xfer(struct
unsigned int i;
bool did_unqueue = false;
+ guard(mutex)(&hci->control_mutex);
+
/* stop the ring */
rh_reg_write(RING_CONTROL, RING_CTRL_ABORT);
if (wait_for_completion_timeout(&rh->op_done, HZ) == 0) {
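Review bot: guard(mutex)(&hci->control_mutex) is taken at the top of hci_dma_dequeue_xfer() and is therefore held across wait_for_completion_timeout(&rh->op_done, HZ), so a caller queued behind it can wait up to a further second for each holder ahead of it. That is probably acceptable on a timeout path, but a comment saying that the function sleeps with the mutex held, and so must only be called from sleepable context, would be worth adding.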
--- a/drivers/i3c/master/mipi-i3c-hci/hci.h
+++ b/drivers/i3c/master/mipi-i3c-hci/hci.h
@@ -46,6 +46,7 @@ struct i3c_hci {
void *io_data;
const struct hci_cmd_ops *cmd;
spinlock_t lock;
+ struct mutex control_mutex;
atomic_t next_cmd_tid;
u32 caps;
unsigned int quirks;
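Review bot: "struct mutex control_mutex;" is added next to "spinlock_t lock;" with no comment on what each one protects or how they nest. Documenting that control_mutex serializes the ring stop and restart sequence in hci_dma_dequeue_xfer(), and that it must be taken before hci->lock when both are needed since a mutex cannot be acquired under a spinlock, would prevent an inverted ordering in later changes.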
* [PATCH 6.19 370/378] i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 369/378] i3c: mipi-i3c-hci: Fix race in DMA ring dequeue Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 371/378] mm/damon: rename DAMON_MIN_REGION to DAMON_MIN_REGION_SZ Greg Kroah-Hartman
` (14 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit b795e68bf3073d67bebbb5a44d93f49efc5b8cc7 upstream.
The logic used to abort the DMA ring contains several flaws:
1. The driver unconditionally issues a ring abort even when the ring has
already stopped.
2. The completion used to wait for abort completion is never
re-initialized, resulting in incorrect wait behavior.
3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which
resets hardware ring pointers and disrupts the controller state.
4. If the ring is already stopped, the abort operation should be
considered successful without attempting further action.
Fix the abort handling by checking whether the ring is running before
issuing an abort, re-initializing the completion when needed, ensuring that
RING_CTRL_ENABLE remains asserted during abort, and treating an already
stopped ring as a successful condition.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-9-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/dma.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -485,18 +485,25 @@ static bool hci_dma_dequeue_xfer(struct
struct hci_rh_data *rh = &rings->headers[xfer_list[0].ring_number];
unsigned int i;
bool did_unqueue = false;
+ u32 ring_status;
guard(mutex)(&hci->control_mutex);
- /* stop the ring */
- rh_reg_write(RING_CONTROL, RING_CTRL_ABORT);
- if (wait_for_completion_timeout(&rh->op_done, HZ) == 0) {
- /*
- * We're deep in it if ever this condition is ever met.
- * Hardware might still be writing to memory, etc.
- */
- dev_crit(&hci->master.dev, "unable to abort the ring\n");
- WARN_ON(1);
+ ring_status = rh_reg_read(RING_STATUS);
+ if (ring_status & RING_STATUS_RUNNING) {
+ /* stop the ring */
+ reinit_completion(&rh->op_done);
+ rh_reg_write(RING_CONTROL, RING_CTRL_ENABLE | RING_CTRL_ABORT);
+ wait_for_completion_timeout(&rh->op_done, HZ);
+ ring_status = rh_reg_read(RING_STATUS);
+ if (ring_status & RING_STATUS_RUNNING) {
+ /*
+ * We're deep in it if ever this condition is ever met.
+ * Hardware might still be writing to memory, etc.
+ */
+ dev_crit(&hci->master.dev, "unable to abort the ring\n");
+ WARN_ON(1);
+ }
}
for (i = 0; i < n; i++) {
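Review bot: when RING_STATUS_RUNNING is still set after the abort wait, the code logs with dev_crit() and WARN_ON(1) and then falls through to the "for (i = 0; i < n; i++)" loop, even though the comment above says the hardware might still be writing to memory. Consider returning before the loop on that path, or extending the comment to say why continuing is preferable. The return value of wait_for_completion_timeout() is also discarded now in favour of re-reading RING_STATUS, which deserves a one-line comment so it is not mistaken for an oversight.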
* [PATCH 6.19 371/378] mm/damon: rename DAMON_MIN_REGION to DAMON_MIN_REGION_SZ
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 370/378] i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 372/378] mm/damon: rename min_sz_region of damon_ctx to min_region_sz Greg Kroah-Hartman
` (13 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
[ Upstream commit dfb1b0c9dc0d61e422905640e1e7334b3cf6f384 ]
The macro is for the default minimum size of each DAMON region. There was
a case that a reader was confused if it is the minimum number of total
DAMON regions, which is set on damon_attrs->min_nr_regions. Make the name
more explicit.
Link: https://lkml.kernel.org/r/20260117175256.82826-8-sj@kernel.org
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: c80f46ac228b ("mm/damon/core: disallow non-power of two min_region_sz")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/damon.h | 2 +-
mm/damon/core.c | 2 +-
mm/damon/lru_sort.c | 2 +-
mm/damon/reclaim.c | 2 +-
mm/damon/sysfs.c | 2 +-
mm/damon/tests/vaddr-kunit.h | 2 +-
mm/damon/vaddr.c | 24 ++++++++++++------------
7 files changed, 18 insertions(+), 18 deletions(-)
--- a/include/linux/damon.h
+++ b/include/linux/damon.h
@@ -15,7 +15,7 @@
#include <linux/random.h>
/* Minimal region size. Every damon_region is aligned by this. */
-#define DAMON_MIN_REGION PAGE_SIZE
+#define DAMON_MIN_REGION_SZ PAGE_SIZE
/* Max priority score for DAMON-based operation schemes */
#define DAMOS_MAX_SCORE (99)
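Review bot: the comment above the renamed macro still reads "Minimal region size", while the changelog describes DAMON_MIN_REGION_SZ as the default minimum size of each region, and the lru_sort, reclaim and sysfs hunks derive a per-context value from it with "max(DAMON_MIN_REGION_SZ / addr_unit, 1)". Updating the comment to say "default" in the same patch would finish the clarification the rename is meant to deliver.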
--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -546,7 +546,7 @@ struct damon_ctx *damon_new_ctx(void)
ctx->attrs.max_nr_regions = 1000;
ctx->addr_unit = 1;
- ctx->min_sz_region = DAMON_MIN_REGION;
+ ctx->min_sz_region = DAMON_MIN_REGION_SZ;
INIT_LIST_HEAD(&ctx->adaptive_targets);
INIT_LIST_HEAD(&ctx->schemes);
--- a/mm/damon/lru_sort.c
+++ b/mm/damon/lru_sort.c
@@ -212,7 +212,7 @@ static int damon_lru_sort_apply_paramete
if (!monitor_region_start && !monitor_region_end)
addr_unit = 1;
param_ctx->addr_unit = addr_unit;
- param_ctx->min_sz_region = max(DAMON_MIN_REGION / addr_unit, 1);
+ param_ctx->min_sz_region = max(DAMON_MIN_REGION_SZ / addr_unit, 1);
if (!damon_lru_sort_mon_attrs.sample_interval) {
err = -EINVAL;
--- a/mm/damon/reclaim.c
+++ b/mm/damon/reclaim.c
@@ -208,7 +208,7 @@ static int damon_reclaim_apply_parameter
if (!monitor_region_start && !monitor_region_end)
addr_unit = 1;
param_ctx->addr_unit = addr_unit;
- param_ctx->min_sz_region = max(DAMON_MIN_REGION / addr_unit, 1);
+ param_ctx->min_sz_region = max(DAMON_MIN_REGION_SZ / addr_unit, 1);
if (!damon_reclaim_mon_attrs.aggr_interval) {
err = -EINVAL;
--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -1470,7 +1470,7 @@ static int damon_sysfs_apply_inputs(stru
/* addr_unit is respected by only DAMON_OPS_PADDR */
if (sys_ctx->ops_id == DAMON_OPS_PADDR)
ctx->min_sz_region = max(
- DAMON_MIN_REGION / sys_ctx->addr_unit, 1);
+ DAMON_MIN_REGION_SZ / sys_ctx->addr_unit, 1);
err = damon_sysfs_set_attrs(ctx, sys_ctx->attrs);
if (err)
return err;
--- a/mm/damon/tests/vaddr-kunit.h
+++ b/mm/damon/tests/vaddr-kunit.h
@@ -147,7 +147,7 @@ static void damon_do_test_apply_three_re
damon_add_region(r, t);
}
- damon_set_regions(t, three_regions, 3, DAMON_MIN_REGION);
+ damon_set_regions(t, three_regions, 3, DAMON_MIN_REGION_SZ);
for (i = 0; i < nr_expected / 2; i++) {
r = __nth_region_of(t, i);
--- a/mm/damon/vaddr.c
+++ b/mm/damon/vaddr.c
@@ -19,8 +19,8 @@
#include "ops-common.h"
#ifdef CONFIG_DAMON_VADDR_KUNIT_TEST
-#undef DAMON_MIN_REGION
-#define DAMON_MIN_REGION 1
+#undef DAMON_MIN_REGION_SZ
+#define DAMON_MIN_REGION_SZ 1
#endif
/*
@@ -78,7 +78,7 @@ static int damon_va_evenly_split_region(
orig_end = r->ar.end;
sz_orig = damon_sz_region(r);
- sz_piece = ALIGN_DOWN(sz_orig / nr_pieces, DAMON_MIN_REGION);
+ sz_piece = ALIGN_DOWN(sz_orig / nr_pieces, DAMON_MIN_REGION_SZ);
if (!sz_piece)
return -EINVAL;
@@ -161,12 +161,12 @@ next:
swap(first_gap, second_gap);
/* Store the result */
- regions[0].start = ALIGN(start, DAMON_MIN_REGION);
- regions[0].end = ALIGN(first_gap.start, DAMON_MIN_REGION);
- regions[1].start = ALIGN(first_gap.end, DAMON_MIN_REGION);
- regions[1].end = ALIGN(second_gap.start, DAMON_MIN_REGION);
- regions[2].start = ALIGN(second_gap.end, DAMON_MIN_REGION);
- regions[2].end = ALIGN(prev->vm_end, DAMON_MIN_REGION);
+ regions[0].start = ALIGN(start, DAMON_MIN_REGION_SZ);
+ regions[0].end = ALIGN(first_gap.start, DAMON_MIN_REGION_SZ);
+ regions[1].start = ALIGN(first_gap.end, DAMON_MIN_REGION_SZ);
+ regions[1].end = ALIGN(second_gap.start, DAMON_MIN_REGION_SZ);
+ regions[2].start = ALIGN(second_gap.end, DAMON_MIN_REGION_SZ);
+ regions[2].end = ALIGN(prev->vm_end, DAMON_MIN_REGION_SZ);
return 0;
}
@@ -259,8 +259,8 @@ static void __damon_va_init_regions(stru
sz += regions[i].end - regions[i].start;
if (ctx->attrs.min_nr_regions)
sz /= ctx->attrs.min_nr_regions;
- if (sz < DAMON_MIN_REGION)
- sz = DAMON_MIN_REGION;
+ if (sz < DAMON_MIN_REGION_SZ)
+ sz = DAMON_MIN_REGION_SZ;
/* Set the initial three regions of the target */
for (i = 0; i < 3; i++) {
@@ -299,7 +299,7 @@ static void damon_va_update(struct damon
damon_for_each_target(t, ctx) {
if (damon_va_three_regions(t, three_regions))
continue;
- damon_set_regions(t, three_regions, 3, DAMON_MIN_REGION);
+ damon_set_regions(t, three_regions, 3, DAMON_MIN_REGION_SZ);
}
}
* [PATCH 6.19 372/378] mm/damon: rename min_sz_region of damon_ctx to min_region_sz
2026-03-17 16:29 [PATCH 6.19 000/378] 6.19.9-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2026-03-17 16:35 ` [PATCH 6.19 371/378] mm/damon: rename DAMON_MIN_REGION to DAMON_MIN_REGION_SZ Greg Kroah-Hartman
@ 2026-03-17 16:35 ` Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 373/378] mm/damon/core: disallow non-power of two min_region_sz Greg Kroah-Hartman
` (12 subsequent siblings)
384 siblings, 0 replies; 396+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
[ Upstream commit cc1db8dff8e751ec3ab352483de366b7f23aefe2 ]
'min_sz_region' field of 'struct damon_ctx' represents the minimum size of
each DAMON region for the context. 'struct damos_access_pattern' has a
field of the same name. It confuses readers and makes 'grep' less optimal
for them. Rename it to 'min_region_sz'.
Link: https://lkml.kernel.org/r/20260117175256.82826-9-sj@kernel.org
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: c80f46ac228b ("mm/damon/core: disallow non-power of two min_region_sz")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/damon.h | 8 ++---
mm/damon/core.c | 69 +++++++++++++++++++++++++-------------------------
mm/damon/lru_sort.c | 4 +-
mm/damon/reclaim.c | 4 +-
mm/damon/stat.c | 2 -
mm/damon/sysfs.c | 9 +++---
6 files changed, 49 insertions(+), 47 deletions(-)
--- a/include/linux/damon.h
+++ b/include/linux/damon.h
@@ -769,7 +769,7 @@ struct damon_attrs {
*
* @ops: Set of monitoring operations for given use cases.
* @addr_unit: Scale factor for core to ops address conversion.
- * @min_sz_region: Minimum region size.
+ * @min_region_sz: Minimum region size.
* @adaptive_targets: Head of monitoring targets (&damon_target) list.
* @schemes: Head of schemes (&damos) list.
*/
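Review bot: the kernel-doc line `@min_region_sz: Minimum region size.` in this hunk gives neither the unit nor the valid values, yet the core.c hunks of the same patch pass the field straight to ALIGN() and ALIGN_DOWN(). Since the rename touches this line anyway, consider documenting that the value is used as an alignment and has to be a power of two, so API callers see the constraint where the field is defined.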
@@ -812,7 +812,7 @@ struct damon_ctx {
struct damon_operations ops;
unsigned long addr_unit;
- unsigned long min_sz_region;
+ unsigned long min_region_sz;
struct list_head adaptive_targets;
struct list_head schemes;
@@ -901,7 +901,7 @@ static inline void damon_insert_region(s
void damon_add_region(struct damon_region *r, struct damon_target *t);
void damon_destroy_region(struct damon_region *r, struct damon_target *t);
int damon_set_regions(struct damon_target *t, struct damon_addr_range *ranges,
- unsigned int nr_ranges, unsigned long min_sz_region);
+ unsigned int nr_ranges, unsigned long min_region_sz);
void damon_update_region_access_rate(struct damon_region *r, bool accessed,
struct damon_attrs *attrs);
@@ -968,7 +968,7 @@ int damos_walk(struct damon_ctx *ctx, st
int damon_set_region_biggest_system_ram_default(struct damon_target *t,
unsigned long *start, unsigned long *end,
- unsigned long min_sz_region);
+ unsigned long min_region_sz);
#endif /* CONFIG_DAMON */
--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -197,7 +197,7 @@ static int damon_fill_regions_holes(stru
* @t: the given target.
* @ranges: array of new monitoring target ranges.
* @nr_ranges: length of @ranges.
- * @min_sz_region: minimum region size.
+ * @min_region_sz: minimum region size.
*
* This function adds new regions to, or modify existing regions of a
* monitoring target to fit in specific ranges.
@@ -205,7 +205,7 @@ static int damon_fill_regions_holes(stru
* Return: 0 if success, or negative error code otherwise.
*/
int damon_set_regions(struct damon_target *t, struct damon_addr_range *ranges,
- unsigned int nr_ranges, unsigned long min_sz_region)
+ unsigned int nr_ranges, unsigned long min_region_sz)
{
struct damon_region *r, *next;
unsigned int i;
@@ -242,16 +242,16 @@ int damon_set_regions(struct damon_targe
/* no region intersects with this range */
newr = damon_new_region(
ALIGN_DOWN(range->start,
- min_sz_region),
- ALIGN(range->end, min_sz_region));
+ min_region_sz),
+ ALIGN(range->end, min_region_sz));
if (!newr)
return -ENOMEM;
damon_insert_region(newr, damon_prev_region(r), r, t);
} else {
/* resize intersecting regions to fit in this range */
first->ar.start = ALIGN_DOWN(range->start,
- min_sz_region);
- last->ar.end = ALIGN(range->end, min_sz_region);
+ min_region_sz);
+ last->ar.end = ALIGN(range->end, min_region_sz);
/* fill possible holes in the range */
err = damon_fill_regions_holes(first, last, t);
@@ -546,7 +546,7 @@ struct damon_ctx *damon_new_ctx(void)
ctx->attrs.max_nr_regions = 1000;
ctx->addr_unit = 1;
- ctx->min_sz_region = DAMON_MIN_REGION_SZ;
+ ctx->min_region_sz = DAMON_MIN_REGION_SZ;
INIT_LIST_HEAD(&ctx->adaptive_targets);
INIT_LIST_HEAD(&ctx->schemes);
@@ -1131,7 +1131,7 @@ static struct damon_target *damon_nth_ta
* If @src has no region, @dst keeps current regions.
*/
static int damon_commit_target_regions(struct damon_target *dst,
- struct damon_target *src, unsigned long src_min_sz_region)
+ struct damon_target *src, unsigned long src_min_region_sz)
{
struct damon_region *src_region;
struct damon_addr_range *ranges;
@@ -1148,7 +1148,7 @@ static int damon_commit_target_regions(s
i = 0;
damon_for_each_region(src_region, src)
ranges[i++] = src_region->ar;
- err = damon_set_regions(dst, ranges, i, src_min_sz_region);
+ err = damon_set_regions(dst, ranges, i, src_min_region_sz);
kfree(ranges);
return err;
}
@@ -1156,11 +1156,11 @@ static int damon_commit_target_regions(s
static int damon_commit_target(
struct damon_target *dst, bool dst_has_pid,
struct damon_target *src, bool src_has_pid,
- unsigned long src_min_sz_region)
+ unsigned long src_min_region_sz)
{
int err;
- err = damon_commit_target_regions(dst, src, src_min_sz_region);
+ err = damon_commit_target_regions(dst, src, src_min_region_sz);
if (err)
return err;
if (dst_has_pid)
@@ -1187,7 +1187,7 @@ static int damon_commit_targets(
err = damon_commit_target(
dst_target, damon_target_has_pid(dst),
src_target, damon_target_has_pid(src),
- src->min_sz_region);
+ src->min_region_sz);
if (err)
return err;
} else {
@@ -1214,7 +1214,7 @@ static int damon_commit_targets(
return -ENOMEM;
err = damon_commit_target(new_target, false,
src_target, damon_target_has_pid(src),
- src->min_sz_region);
+ src->min_region_sz);
if (err) {
damon_destroy_target(new_target, NULL);
return err;
@@ -1261,7 +1261,7 @@ int damon_commit_ctx(struct damon_ctx *d
}
dst->ops = src->ops;
dst->addr_unit = src->addr_unit;
- dst->min_sz_region = src->min_sz_region;
+ dst->min_region_sz = src->min_region_sz;
return 0;
}
@@ -1294,8 +1294,8 @@ static unsigned long damon_region_sz_lim
if (ctx->attrs.min_nr_regions)
sz /= ctx->attrs.min_nr_regions;
- if (sz < ctx->min_sz_region)
- sz = ctx->min_sz_region;
+ if (sz < ctx->min_region_sz)
+ sz = ctx->min_region_sz;
return sz;
}
@@ -1673,7 +1673,7 @@ static bool damos_valid_target(struct da
* @t: The target of the region.
* @rp: The pointer to the region.
* @s: The scheme to be applied.
- * @min_sz_region: minimum region size.
+ * @min_region_sz: minimum region size.
*
* If a quota of a scheme has exceeded in a quota charge window, the scheme's
* action would applied to only a part of the target access pattern fulfilling
@@ -1691,7 +1691,8 @@ static bool damos_valid_target(struct da
* Return: true if the region should be entirely skipped, false otherwise.
*/
static bool damos_skip_charged_region(struct damon_target *t,
- struct damon_region **rp, struct damos *s, unsigned long min_sz_region)
+ struct damon_region **rp, struct damos *s,
+ unsigned long min_region_sz)
{
struct damon_region *r = *rp;
struct damos_quota *quota = &s->quota;
@@ -1713,11 +1714,11 @@ static bool damos_skip_charged_region(st
if (quota->charge_addr_from && r->ar.start <
quota->charge_addr_from) {
sz_to_skip = ALIGN_DOWN(quota->charge_addr_from -
- r->ar.start, min_sz_region);
+ r->ar.start, min_region_sz);
if (!sz_to_skip) {
- if (damon_sz_region(r) <= min_sz_region)
+ if (damon_sz_region(r) <= min_region_sz)
return true;
- sz_to_skip = min_sz_region;
+ sz_to_skip = min_region_sz;
}
damon_split_region_at(t, r, sz_to_skip);
r = damon_next_region(r);
@@ -1743,7 +1744,7 @@ static void damos_update_stat(struct dam
static bool damos_filter_match(struct damon_ctx *ctx, struct damon_target *t,
struct damon_region *r, struct damos_filter *filter,
- unsigned long min_sz_region)
+ unsigned long min_region_sz)
{
bool matched = false;
struct damon_target *ti;
@@ -1760,8 +1761,8 @@ static bool damos_filter_match(struct da
matched = target_idx == filter->target_idx;
break;
case DAMOS_FILTER_TYPE_ADDR:
- start = ALIGN_DOWN(filter->addr_range.start, min_sz_region);
- end = ALIGN_DOWN(filter->addr_range.end, min_sz_region);
+ start = ALIGN_DOWN(filter->addr_range.start, min_region_sz);
+ end = ALIGN_DOWN(filter->addr_range.end, min_region_sz);
/* inside the range */
if (start <= r->ar.start && r->ar.end <= end) {
@@ -1797,7 +1798,7 @@ static bool damos_filter_out(struct damo
s->core_filters_allowed = false;
damos_for_each_core_filter(filter, s) {
- if (damos_filter_match(ctx, t, r, filter, ctx->min_sz_region)) {
+ if (damos_filter_match(ctx, t, r, filter, ctx->min_region_sz)) {
if (filter->allow)
s->core_filters_allowed = true;
return !filter->allow;
@@ -1932,7 +1933,7 @@ static void damos_apply_scheme(struct da
if (c->ops.apply_scheme) {
if (quota->esz && quota->charged_sz + sz > quota->esz) {
sz = ALIGN_DOWN(quota->esz - quota->charged_sz,
- c->min_sz_region);
+ c->min_region_sz);
if (!sz)
goto update_stat;
damon_split_region_at(t, r, sz);
@@ -1980,7 +1981,7 @@ static void damon_do_apply_schemes(struc
if (quota->esz && quota->charged_sz >= quota->esz)
continue;
- if (damos_skip_charged_region(t, &r, s, c->min_sz_region))
+ if (damos_skip_charged_region(t, &r, s, c->min_region_sz))
continue;
if (!damos_valid_target(c, t, r, s))
@@ -2429,7 +2430,7 @@ static void damon_split_region_at(struct
/* Split every region in the given target into 'nr_subs' regions */
static void damon_split_regions_of(struct damon_target *t, int nr_subs,
- unsigned long min_sz_region)
+ unsigned long min_region_sz)
{
struct damon_region *r, *next;
unsigned long sz_region, sz_sub = 0;
@@ -2439,13 +2440,13 @@ static void damon_split_regions_of(struc
sz_region = damon_sz_region(r);
for (i = 0; i < nr_subs - 1 &&
- sz_region > 2 * min_sz_region; i++) {
+ sz_region > 2 * min_region_sz; i++) {
/*
* Randomly select size of left sub-region to be at
* least 10 percent and at most 90% of original region
*/
sz_sub = ALIGN_DOWN(damon_rand(1, 10) *
- sz_region / 10, min_sz_region);
+ sz_region / 10, min_region_sz);
/* Do not allow blank region */
if (sz_sub == 0 || sz_sub >= sz_region)
continue;
@@ -2485,7 +2486,7 @@ static void kdamond_split_regions(struct
nr_subregions = 3;
damon_for_each_target(t, ctx)
- damon_split_regions_of(t, nr_subregions, ctx->min_sz_region);
+ damon_split_regions_of(t, nr_subregions, ctx->min_region_sz);
last_nr_regions = nr_regions;
}
@@ -2855,7 +2856,7 @@ static bool damon_find_biggest_system_ra
* @t: The monitoring target to set the region.
* @start: The pointer to the start address of the region.
* @end: The pointer to the end address of the region.
- * @min_sz_region: Minimum region size.
+ * @min_region_sz: Minimum region size.
*
* This function sets the region of @t as requested by @start and @end. If the
* values of @start and @end are zero, however, this function finds the biggest
@@ -2867,7 +2868,7 @@ static bool damon_find_biggest_system_ra
*/
int damon_set_region_biggest_system_ram_default(struct damon_target *t,
unsigned long *start, unsigned long *end,
- unsigned long min_sz_region)
+ unsigned long min_region_sz)
{
struct damon_addr_range addr_range;
@@ -2880,7 +2881,7 @@ int damon_set_region_biggest_system_ram_
addr_range.start = *start;
addr_range.end = *end;
- return damon_set_regions(t, &addr_range, 1, min_sz_region);
+ return damon_set_regions(t, &addr_range, 1, min_region_sz);
}
/*
--- a/mm/damon/lru_sort.c
+++ b/mm/damon/lru_sort.c
@@ -212,7 +212,7 @@ static int damon_lru_sort_apply_paramete
if (!monitor_region_start && !monitor_region_end)
addr_unit = 1;
param_ctx->addr_unit = addr_unit;
- param_ctx->min_sz_region = max(DAMON_MIN_REGION_SZ / addr_unit, 1);
+ param_ctx->min_region_sz = max(DAMON_MIN_REGION_SZ / addr_unit, 1);
if (!damon_lru_sort_mon_attrs.sample_interval) {
err = -EINVAL;
@@ -243,7 +243,7 @@ static int damon_lru_sort_apply_paramete
err = damon_set_region_biggest_system_ram_default(param_target,
&monitor_region_start,
&monitor_region_end,
- param_ctx->min_sz_region);
+ param_ctx->min_region_sz);
if (err)
goto out;
err = damon_commit_ctx(ctx, param_ctx);
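Review bot: in this hunk param_ctx->min_region_sz is handed to damon_set_region_biggest_system_ram_default() before damon_commit_ctx() runs, so any validation that lives in damon_commit_ctx() comes after the value has already been used for ALIGN()/ALIGN_DOWN() on param_target. The value comes from `max(DAMON_MIN_REGION_SZ / addr_unit, 1)` in the previous hunk, a quotient the user influences through addr_unit. Checking it right after that assignment would fail early instead of building regions on an alignment that is rejected later; the reclaim.c hunks have the same ordering.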
--- a/mm/damon/reclaim.c
+++ b/mm/damon/reclaim.c
@@ -208,7 +208,7 @@ static int damon_reclaim_apply_parameter
if (!monitor_region_start && !monitor_region_end)
addr_unit = 1;
param_ctx->addr_unit = addr_unit;
- param_ctx->min_sz_region = max(DAMON_MIN_REGION_SZ / addr_unit, 1);
+ param_ctx->min_region_sz = max(DAMON_MIN_REGION_SZ / addr_unit, 1);
if (!damon_reclaim_mon_attrs.aggr_interval) {
err = -EINVAL;
@@ -251,7 +251,7 @@ static int damon_reclaim_apply_parameter
err = damon_set_region_biggest_system_ram_default(param_target,
&monitor_region_start,
&monitor_region_end,
- param_ctx->min_sz_region);
+ param_ctx->min_region_sz);
if (err)
goto out;
err = damon_commit_ctx(ctx, param_ctx);
--- a/mm/damon/stat.c
+++ b/mm/damon/stat.c
@@ -189,7 +189,7 @@ static struct damon_ctx *damon_stat_buil
goto free_out;
damon_add_target(ctx, target);
if (damon_set_region_biggest_system_ram_default(target, &start, &end,
- ctx->min_sz_region))
+ ctx->min_region_sz))
goto free_out;
return ctx;
free_out:
--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -1365,7 +1365,7 @@ static int damon_sysfs_set_attrs(struct
static int damon_sysfs_set_regions(struct damon_target *t,
struct damon_sysfs_regions *sysfs_regions,
- unsigned long min_sz_region)
+ unsigned long min_region_sz)
{
struct damon_addr_range *ranges = kmalloc_array(sysfs_regions->nr,
sizeof(*ranges), GFP_KERNEL | __GFP_NOWARN);
@@ -1387,7 +1387,7 @@ static int damon_sysfs_set_regions(struc
if (ranges[i - 1].end > ranges[i].start)
goto out;
}
- err = damon_set_regions(t, ranges, sysfs_regions->nr, min_sz_region);
+ err = damon_set_regions(t, ranges, sysfs_regions->nr, min_region_sz);
out:
kfree(ranges);
return err;
@@ -1409,7 +1409,8 @@ static int damon_sysfs_add_target(struct
return -EINVAL;
}
t->obsolete = sys_target->obsolete;
- return damon_sysfs_set_regions(t, sys_target->regions, ctx->min_sz_region);
+ return damon_sysfs_set_regions(t, sys_target->regions,
+ ctx->min_region_sz);
}
static int damon_sysfs_add_targets(struct damon_ctx *ctx,
@@ -1469,7 +1470,7 @@ static int damon_sysfs_apply_inputs(stru
ctx->addr_unit = sys_ctx->addr_unit;
/* addr_unit is respected by only DAMON_OPS_PADDR */
if (sys_ctx->ops_id == DAMON_OPS_PADDR)
- ctx->min_sz_region = max(
+ ctx->min_region_sz = max(
DAMON_MIN_REGION_SZ / sys_ctx->addr_unit, 1);
err = damon_sysfs_set_attrs(ctx, sys_ctx->attrs);
if (err)
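Review bot: `DAMON_MIN_REGION_SZ / sys_ctx->addr_unit` in this hunk is an integer division on a value taken from sysfs input, so an addr_unit that is not a power of two can produce a truncated quotient that is not a power of two either, and the result is stored in ctx->min_region_sz without a check. Rejecting such an addr_unit here would report the problem at the point where the user supplied it. The hunk also shows no guard against addr_unit being zero; if that is validated elsewhere, a short comment saying so would help.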
* [PATCH 6.19 373/378] mm/damon/core: disallow non-power of two min_region_sz
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Quanmin Yan,
Andrew Morton, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
[ Upstream commit c80f46ac228b48403866d65391ad09bdf0e8562a ]
DAMON core uses min_region_sz parameter value as the DAMON region
alignment. The alignment is made using ALIGN() and ALIGN_DOWN(), which
support only the power of two alignments. But DAMON core API callers can
set min_region_sz to an arbitrary number. Users can also set it
indirectly, using addr_unit.
When the alignment is not properly set, DAMON behavior becomes difficult
to expect and understand, making it effectively broken. It doesn't cause a
kernel crash-like significant issue, though.
Fix the issue by disallowing min_region_sz input that is not a power of
two. Add the check to damon_commit_ctx(), as all DAMON API callers who
set min_region_sz use the function.
This can be a sort of behavioral change, but it does not break users, for
the following reasons. As the symptom is making DAMON effectively broken,
it is not reasonable to believe there are real use cases of non-power of
two min_region_sz. There is no known use case or issue reports from the
setup, either.
In future, if we find real use cases of non-power of two alignments and we
can support it with low enough overhead, we can consider moving the
restriction. But, for now, simply disallowing the corner case should be
good enough as a hot fix.
Link: https://lkml.kernel.org/r/20260214214124.87689-1-sj@kernel.org
Fixes: d8f867fa0825 ("mm/damon: add damon_ctx->min_sz_region")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Quanmin Yan <yanquanmin1@huawei.com>
Cc: <stable@vger.kernel.org> [6.18+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -1241,6 +1241,9 @@ int damon_commit_ctx(struct damon_ctx *d
{
int err;
+ if (!is_power_of_2(src->min_region_sz))
+ return -EINVAL;
+
err = damon_commit_schemes(dst, src);
if (err)
return err;
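Review bot: the `return -EINVAL` added at the top of damon_commit_ctx() gives the caller no way to tell that min_region_sz was the rejected parameter, and the commit message notes that users can reach this indirectly through addr_unit. Consider stating the new error case wherever the function's return values are documented, and note there that zero is rejected as well, since is_power_of_2(0) is false. Placement before damon_commit_schemes() looks right: dst is untouched when the check fails.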
* [PATCH 6.19 374/378] KVM: arm64: gic: Set vgic_model before initing private IRQs
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sascha Bischoff, Jonathan Cameron,
Marc Zyngier, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sascha Bischoff <Sascha.Bischoff@arm.com>
[ Upstream commit 9435c1e1431003e23aa34ef8e46c30d09c3dbcb5 ]
Different GIC types require the private IRQs to be initialised
differently. GICv5 is the culprit as it supports both a different
number of private IRQs, and all of these are PPIs (there are no
SGIs). Moreover, as GICv5 uses the top bits of the interrupt ID to
encode the type, the intid also needs to be computed differently.
Up until now, the GIC model has been set after initialising the
private IRQs for a VCPU. Move this earlier to ensure that the GIC
model is available when configuring the private IRQs. While we're at
it, also move the setting of the in_kernel flag and implementation
revision to keep them grouped together as before.
Signed-off-by: Sascha Bischoff <sascha.bischoff@arm.com>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Link: https://patch.msgid.link/20260128175919.3828384-7-sascha.bischoff@arm.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Stable-dep-of: ac6769c8f948 ("KVM: arm64: Eagerly init vgic dist/redist on vgic creation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/vgic/vgic-init.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/arm64/kvm/vgic/vgic-init.c
+++ b/arch/arm64/kvm/vgic/vgic-init.c
@@ -140,6 +140,10 @@ int kvm_vgic_create(struct kvm *kvm, u32
goto out_unlock;
}
+ kvm->arch.vgic.in_kernel = true;
+ kvm->arch.vgic.vgic_model = type;
+ kvm->arch.vgic.implementation_rev = KVM_VGIC_IMP_REV_LATEST;
+
kvm_for_each_vcpu(i, vcpu, kvm) {
ret = vgic_allocate_private_irqs_locked(vcpu, type);
if (ret)
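Review bot: with in_kernel, vgic_model and implementation_rev now assigned ahead of the kvm_for_each_vcpu() loop, a failure of vgic_allocate_private_irqs_locked() leaves all three set, and this patch adds no reset on that path. If the cleanup is left to a follow-up, say so in the commit message so the intermediate state is understood when bisecting. The call also still passes `type` explicitly even though the model is now available from kvm->arch.vgic at this point.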
@@ -156,10 +160,6 @@ int kvm_vgic_create(struct kvm *kvm, u32
goto out_unlock;
}
- kvm->arch.vgic.in_kernel = true;
- kvm->arch.vgic.vgic_model = type;
- kvm->arch.vgic.implementation_rev = KVM_VGIC_IMP_REV_LATEST;
-
kvm->arch.vgic.vgic_dist_base = VGIC_ADDR_UNDEF;
aa64pfr0 = kvm_read_vm_id_reg(kvm, SYS_ID_AA64PFR0_EL1) & ~ID_AA64PFR0_EL1_GIC;
* [PATCH 6.19 375/378] KVM: arm64: Eagerly init vgic dist/redist on vgic creation
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+f6a46b038fc243ac0175,
Marc Zyngier, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
[ Upstream commit ac6769c8f948dff33265c50e524aebf9aa6f1be0 ]
If vgic_allocate_private_irqs_locked() fails for any odd reason,
we exit kvm_vgic_create() early, leaving dist->rd_regions uninitialised.
kvm_vgic_dist_destroy() then comes along and walks into the weeds
trying to free the RDs. Got to love this stuff.
Solve it by moving all the static initialisation early, and make
sure that if we fail halfway, we're in a reasonable shape to
perform the rest of the teardown. While at it, reset the vgic model
on failure, just in case...
Reported-by: syzbot+f6a46b038fc243ac0175@syzkaller.appspotmail.com
Tested-by: syzbot+f6a46b038fc243ac0175@syzkaller.appspotmail.com
Fixes: b3aa9283c0c50 ("KVM: arm64: vgic: Hoist SGI/PPI alloc from vgic_init() to kvm_create_vgic()")
Link: https://lore.kernel.org/r/69a2d58c.050a0220.3a55be.003b.GAE@google.com
Link: https://patch.msgid.link/20260228164559.936268-1-maz@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/vgic/vgic-init.c | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
--- a/arch/arm64/kvm/vgic/vgic-init.c
+++ b/arch/arm64/kvm/vgic/vgic-init.c
@@ -143,6 +143,21 @@ int kvm_vgic_create(struct kvm *kvm, u32
kvm->arch.vgic.in_kernel = true;
kvm->arch.vgic.vgic_model = type;
kvm->arch.vgic.implementation_rev = KVM_VGIC_IMP_REV_LATEST;
+ kvm->arch.vgic.vgic_dist_base = VGIC_ADDR_UNDEF;
+
+ aa64pfr0 = kvm_read_vm_id_reg(kvm, SYS_ID_AA64PFR0_EL1) & ~ID_AA64PFR0_EL1_GIC;
+ pfr1 = kvm_read_vm_id_reg(kvm, SYS_ID_PFR1_EL1) & ~ID_PFR1_EL1_GIC;
+
+ if (type == KVM_DEV_TYPE_ARM_VGIC_V2) {
+ kvm->arch.vgic.vgic_cpu_base = VGIC_ADDR_UNDEF;
+ } else {
+ INIT_LIST_HEAD(&kvm->arch.vgic.rd_regions);
+ aa64pfr0 |= SYS_FIELD_PREP_ENUM(ID_AA64PFR0_EL1, GIC, IMP);
+ pfr1 |= SYS_FIELD_PREP_ENUM(ID_PFR1_EL1, GIC, GICv3);
+ }
+
+ kvm_set_vm_id_reg(kvm, SYS_ID_AA64PFR0_EL1, aa64pfr0);
+ kvm_set_vm_id_reg(kvm, SYS_ID_PFR1_EL1, pfr1);
kvm_for_each_vcpu(i, vcpu, kvm) {
ret = vgic_allocate_private_irqs_locked(vcpu, type);
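Review bot: the kvm_set_vm_id_reg() calls for SYS_ID_AA64PFR0_EL1 and SYS_ID_PFR1_EL1 now run before the private IRQ allocation loop, so when the allocation fails the GIC fields written here stay in the VM's ID registers. The failure path in the next hunk resets only vgic_model. Either restore the ID registers there or add a comment explaining why leaving them in place is harmless after a failed create.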
@@ -157,25 +172,10 @@ int kvm_vgic_create(struct kvm *kvm, u32
vgic_cpu->private_irqs = NULL;
}
+ kvm->arch.vgic.vgic_model = 0;
goto out_unlock;
}
- kvm->arch.vgic.vgic_dist_base = VGIC_ADDR_UNDEF;
-
- aa64pfr0 = kvm_read_vm_id_reg(kvm, SYS_ID_AA64PFR0_EL1) & ~ID_AA64PFR0_EL1_GIC;
- pfr1 = kvm_read_vm_id_reg(kvm, SYS_ID_PFR1_EL1) & ~ID_PFR1_EL1_GIC;
-
- if (type == KVM_DEV_TYPE_ARM_VGIC_V2) {
- kvm->arch.vgic.vgic_cpu_base = VGIC_ADDR_UNDEF;
- } else {
- INIT_LIST_HEAD(&kvm->arch.vgic.rd_regions);
- aa64pfr0 |= SYS_FIELD_PREP_ENUM(ID_AA64PFR0_EL1, GIC, IMP);
- pfr1 |= SYS_FIELD_PREP_ENUM(ID_PFR1_EL1, GIC, GICv3);
- }
-
- kvm_set_vm_id_reg(kvm, SYS_ID_AA64PFR0_EL1, aa64pfr0);
- kvm_set_vm_id_reg(kvm, SYS_ID_PFR1_EL1, pfr1);
-
if (type == KVM_DEV_TYPE_ARM_VGIC_V3)
kvm->arch.vgic.nassgicap = system_supports_direct_sgis();
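Review bot: the failure path gains `kvm->arch.vgic.vgic_model = 0;` but in_kernel, set to true just before the loop, is not cleared, so kvm_vgic_create() can return an error with in_kernel == true and no model. If any later code keys off in_kernel alone, that state looks like a vGIC exists; resetting both together would be safer. The bare 0 would also read better with a comment saying it means "no model".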
* [PATCH 6.19 376/378] io_uring: ensure ctx->rings is stable for task work flags manipulation
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hao-Yu Yang, Pavel Begunkov,
Jens Axboe
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
Commit 96189080265e6bb5dde3a4afbaf947af493e3f82 upstream.
If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while
the ring is being resized, it's possible for the OR'ing of
IORING_SQ_TASKRUN to happen in the small window of swapping into the
new rings and the old rings being freed.
Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is
protected by RCU. The task work flags manipulation is inside RCU
already, and if the resize ring freeing is done post an RCU synchronize,
then there's no need to add locking to the fast path of task work
additions.
Note: this is only done for DEFER_TASKRUN, as that's the only setup mode
that supports ring resizing. If this ever changes, then they too need to
use the io_ctx_mark_taskrun() helper.
Link: https://lore.kernel.org/io-uring/20260309062759.482210-1-naup96721@gmail.com/
Cc: stable@vger.kernel.org
Fixes: 79cfe9e59c2a ("io_uring/register: add IORING_REGISTER_RESIZE_RINGS")
Reported-by: Hao-Yu Yang <naup96721@gmail.com>
Suggested-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/io_uring_types.h | 1 +
io_uring/io_uring.c | 24 ++++++++++++++++++++++--
io_uring/register.c | 12 ++++++++++++
3 files changed, 35 insertions(+), 2 deletions(-)
--- a/include/linux/io_uring_types.h
+++ b/include/linux/io_uring_types.h
@@ -371,6 +371,7 @@ struct io_ring_ctx {
* regularly bounce b/w CPUs.
*/
struct {
+ struct io_rings __rcu *rings_rcu;
struct llist_head work_llist;
struct llist_head retry_llist;
unsigned long check_cq;
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1202,6 +1202,21 @@ void tctx_task_work(struct callback_head
WARN_ON_ONCE(ret);
}
+/*
+ * Sets IORING_SQ_TASKRUN in the sq_flags shared with userspace, using the
+ * RCU protected rings pointer to be safe against concurrent ring resizing.
+ */
+static void io_ctx_mark_taskrun(struct io_ring_ctx *ctx)
+{
+ lockdep_assert_in_rcu_read_lock();
+
+ if (ctx->flags & IORING_SETUP_TASKRUN_FLAG) {
+ struct io_rings *rings = rcu_dereference(ctx->rings_rcu);
+
+ atomic_or(IORING_SQ_TASKRUN, &rings->sq_flags);
+ }
+}
+
static void io_req_local_work_add(struct io_kiocb *req, unsigned flags)
{
struct io_ring_ctx *ctx = req->ctx;
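Review bot: io_ctx_mark_taskrun() dereferences `rings->sq_flags` without testing the result of rcu_dereference(ctx->rings_rcu), while io_rings_free() in this same patch sets rings_rcu to NULL. If task work can never be added once io_rings_free() has run, state that invariant in the comment above the helper; otherwise add an `if (rings)` test. The eventfd change later in this series does test the pointer for NULL, so the two readers are currently inconsistent.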
@@ -1256,8 +1271,7 @@ static void io_req_local_work_add(struct
*/
if (!head) {
- if (ctx->flags & IORING_SETUP_TASKRUN_FLAG)
- atomic_or(IORING_SQ_TASKRUN, &ctx->rings->sq_flags);
+ io_ctx_mark_taskrun(ctx);
if (ctx->has_evfd)
io_eventfd_signal(ctx, false);
}
@@ -1281,6 +1295,10 @@ static void io_req_normal_work_add(struc
if (!llist_add(&req->io_task_work.node, &tctx->task_list))
return;
+ /*
+ * Doesn't need to use ->rings_rcu, as resizing isn't supported for
+ * !DEFER_TASKRUN.
+ */
if (ctx->flags & IORING_SETUP_TASKRUN_FLAG)
atomic_or(IORING_SQ_TASKRUN, &ctx->rings->sq_flags);
@@ -2760,6 +2778,7 @@ static void io_rings_free(struct io_ring
io_free_region(ctx->user, &ctx->sq_region);
io_free_region(ctx->user, &ctx->ring_region);
ctx->rings = NULL;
+ RCU_INIT_POINTER(ctx->rings_rcu, NULL);
ctx->sq_sqes = NULL;
}
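Review bot: RCU_INIT_POINTER(ctx->rings_rcu, NULL) comes after both io_free_region() calls, so within this function the RCU-visible pointer still refers to the ring region while it is being freed, and no grace period is visible in the hunk. If io_rings_free() is only reached when no RCU reader can exist, a comment saying so is enough; otherwise clear the pointer and wait for a grace period before freeing, as the resize path in register.c does.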
@@ -3389,6 +3408,7 @@ static __cold int io_allocate_scq_urings
if (ret)
return ret;
ctx->rings = rings = io_region_get_ptr(&ctx->ring_region);
+ rcu_assign_pointer(ctx->rings_rcu, rings);
if (!(ctx->flags & IORING_SETUP_NO_SQARRAY))
ctx->sq_array = (u32 *)((char *)rings + rl->sq_array_offset);
--- a/io_uring/register.c
+++ b/io_uring/register.c
@@ -545,7 +545,15 @@ overflow:
ctx->sq_entries = p->sq_entries;
ctx->cq_entries = p->cq_entries;
+ /*
+ * Just mark any flag we may have missed and that the application
+ * should act on unconditionally. Worst case it'll be an extra
+ * syscall.
+ */
+ atomic_or(IORING_SQ_TASKRUN | IORING_SQ_NEED_WAKEUP, &n.rings->sq_flags);
ctx->rings = n.rings;
+ rcu_assign_pointer(ctx->rings_rcu, n.rings);
+
ctx->sq_sqes = n.sq_sqes;
swap_old(ctx, o, n, ring_region);
swap_old(ctx, o, n, sq_region);
@@ -554,6 +562,10 @@ overflow:
out:
spin_unlock(&ctx->completion_lock);
mutex_unlock(&ctx->mmap_lock);
+
+ /* Wait for concurrent io_ctx_mark_taskrun() */
+ if (to_free == &o)
+ synchronize_rcu_expedited();
io_register_free_rings(ctx, to_free);
if (ctx->sq_data)
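Review bot: the comment `/* Wait for concurrent io_ctx_mark_taskrun() */` names only one reader and does not say why the expedited variant is used instead of synchronize_rcu(). The next patch in this series makes io_eventfd_signal() a second rings_rcu reader, so the comment would be more accurate as "wait for all ->rings_rcu readers". Expedited grace periods are more disruptive to other CPUs than normal ones, and this path is triggered by a userspace resize request, so a sentence justifying the choice is worth adding.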
* [PATCH 6.19 377/378] io_uring/eventfd: use ctx->rings_rcu for flags checking
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
Commit 177c69432161f6e4bab07ccacf8a1748a6898a6b upstream.
Similarly to what commit e78f7b70e837 did for local task work additions,
use ->rings_rcu under RCU rather than dereference ->rings directly. See
that commit for more details.
Cc: stable@vger.kernel.org
Fixes: 79cfe9e59c2a ("io_uring/register: add IORING_REGISTER_RESIZE_RINGS")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/eventfd.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/io_uring/eventfd.c
+++ b/io_uring/eventfd.c
@@ -76,11 +76,15 @@ void io_eventfd_signal(struct io_ring_ct
{
bool skip = false;
struct io_ev_fd *ev_fd;
-
- if (READ_ONCE(ctx->rings->cq_flags) & IORING_CQ_EVENTFD_DISABLED)
- return;
+ struct io_rings *rings;
guard(rcu)();
+
+ rings = rcu_dereference(ctx->rings_rcu);
+ if (!rings)
+ return;
+ if (READ_ONCE(rings->cq_flags) & IORING_CQ_EVENTFD_DISABLED)
+ return;
ev_fd = rcu_dereference(ctx->io_ev_fd);
/*
* Check again if ev_fd exists in case an io_eventfd_unregister call
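Review bot: the new `if (!rings) return;` test carries no comment saying when rings_rcu can be NULL, and the commit message defers to "commit e78f7b70e837" for the rationale. That id does not match the upstream id quoted in the preceding patch of this series (96189080265e), so a reader of the stable tree cannot follow the reference. A one-line comment above the rcu_dereference() explaining that ->rings may be swapped by a concurrent resize would make the hunk self-explanatory.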
* [PATCH 6.19 378/378] cxl/acpi: Fix CXL_ACPI and CXL_PMEM Kconfig tristate mismatch
From: Greg Kroah-Hartman @ 2026-03-17 16:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Keith Busch, Jonathan Cameron,
Dan Williams, Dave Jiang
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
commit 93d0fcdddc9e7be9d4f42acbe57bc90dbb0fe75d upstream.
Commit e7e222ad73d9 ("cxl: Move devm_cxl_add_nvdimm_bridge() to
cxl_pmem.ko") moves devm_cxl_add_nvdimm_bridge() into the cxl_pmem file,
which has independent config compile options for built-in or module. The
call from cxl_acpi_probe() is guarded by IS_ENABLED(CONFIG_CXL_PMEM),
which evaluates to true for both =y and =m.
When CONFIG_CXL_PMEM=m, a built-in cxl_acpi attempts to reference a
symbol exported by a module, which fails to link. CXL_PMEM cannot simply
be promoted to =y in this configuration because it depends on LIBNVDIMM,
which may itself be =m.
Add a Kconfig dependency to prevent CXL_ACPI from being built-in when
CXL_PMEM is a module. This constrains CXL_ACPI to =m when CXL_PMEM=m,
while still allowing CXL_ACPI to be freely configured when CXL_PMEM is
either built-in or disabled.
[ dj: Fix up commit reference formatting. ]
Fixes: e7e222ad73d9 ("cxl: Move devm_cxl_add_nvdimm_bridge() to cxl_pmem.ko")
Signed-off-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Reviewed-by: Dan Williams <dan.j.williams@intel.com>
Link: https://patch.msgid.link/20260305204057.1516948-1-kbusch@meta.com
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cxl/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/cxl/Kconfig
+++ b/drivers/cxl/Kconfig
@@ -58,6 +58,7 @@ config CXL_ACPI
tristate "CXL ACPI: Platform Support"
depends on ACPI
depends on ACPI_NUMA
+ depends on CXL_PMEM || !CXL_PMEM
default CXL_BUS
select ACPI_TABLE_LIB
select ACPI_HMAT
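Review bot: `depends on CXL_PMEM || !CXL_PMEM` under config CXL_ACPI reads like a tautology to anyone who has not met the tristate idiom, and the Kconfig entry carries no comment explaining it. Suggest a short `#` comment above the line saying it keeps CXL_ACPI from being =y while CXL_PMEM=m, as the commit message describes, so the line is not dropped as redundant in a later cleanup.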
* Re: [PATCH 6.19 028/378] drm/msm/dsi: fix hdisplay calculation when programming dsi registers
From: Pengyu Luo @ 2026-03-17 16:44 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: stable, patches, Dmitry Baryshkov, Sasha Levin
On Wed, Mar 18, 2026 at 12:40 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> 6.19-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Pengyu Luo <mitltlatltl@gmail.com>
>
> [ Upstream commit ac47870fd795549f03d57e0879fc730c79119f4b ]
>
> Recently, the hdisplay calculation is working for 3:1 compressed ratio
> only. If we have a video panel with DSC BPP = 8, and BPC = 10, we still
> use the default bits_per_pclk = 24, then we get the wrong hdisplay. We
> can draw the conclusion by cross-comparing the calculation with the
> calculation in dsi_adjust_pclk_for_compression().
>
> Since CMD mode does not use this, we can remove
> !(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO) safely.
>
> Fixes: efcbd6f9cdeb ("drm/msm/dsi: Enable widebus for DSI")
> Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
> Patchwork: https://patchwork.freedesktop.org/patch/704822/
> Link: https://lore.kernel.org/r/20260214105145.105308-1-mitltlatltl@gmail.com
> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
Hi, Greg. You just told me you dropped it. Please drop this patch for
all stable trees.
Best wishes,
Pengyu
> drivers/gpu/drm/msm/dsi/dsi_host.c | 14 ++++++++------
> 1 file changed, 8 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
> index e0de545d40775..e8e83ee61eb09 100644
> --- a/drivers/gpu/drm/msm/dsi/dsi_host.c
> +++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
> @@ -993,7 +993,7 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
>
> if (msm_host->dsc) {
> struct drm_dsc_config *dsc = msm_host->dsc;
> - u32 bytes_per_pclk;
> + u32 bits_per_pclk;
>
> /* update dsc params with timing params */
> if (!dsc || !mode->hdisplay || !mode->vdisplay) {
> @@ -1015,7 +1015,9 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
>
> /*
> * DPU sends 3 bytes per pclk cycle to DSI. If widebus is
> - * enabled, bus width is extended to 6 bytes.
> + * enabled, MDP always sends out 48-bit compressed data per
> + * pclk and on average, DSI consumes an amount of compressed
> + * data equivalent to the uncompressed pixel depth per pclk.
> *
> * Calculate the number of pclks needed to transmit one line of
> * the compressed data.
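Review bot: The rewritten comment in dsi_timing_setup() mixes units and block names: the unchanged first sentence still says "DPU sends 3 bytes per pclk cycle" while the added lines speak of MDP and "48-bit compressed data". Suggest stating both cases in bits and using one name for the sender, so the comment matches the bits_per_pclk variable this patch introduces.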
> @@ -1027,12 +1029,12 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
> * unused anyway.
> */
> h_total -= hdisplay;
> - if (wide_bus_enabled && !(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO))
> - bytes_per_pclk = 6;
> + if (wide_bus_enabled)
> + bits_per_pclk = mipi_dsi_pixel_format_to_bpp(msm_host->format);
> else
> - bytes_per_pclk = 3;
> + bits_per_pclk = 24;
>
> - hdisplay = DIV_ROUND_UP(msm_dsc_get_bytes_per_line(msm_host->dsc), bytes_per_pclk);
> + hdisplay = DIV_ROUND_UP(msm_dsc_get_bytes_per_line(msm_host->dsc) * 8, bits_per_pclk);
>
> h_total += hdisplay;
> ha_end = ha_start + hdisplay;
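Review bot: In the wide_bus_enabled branch the result of mipi_dsi_pixel_format_to_bpp(msm_host->format) is stored in a u32 and used unchecked as the divisor in DIV_ROUND_UP(). Suggest validating the value before the division, or adding a comment stating why msm_host->format is always a valid format at this point in dsi_timing_setup().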
> --
> 2.51.0
>
>
>
* Re: [PATCH 6.19 000/378] 6.19.9-rc1 review
From: Ronald Warsow @ 2026-03-17 17:47 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
conor, hargar, broonie, achill, sr
Hi
compile runs into an error:
LD vmlinux.unstripped
BTFIDS vmlinux.unstripped
WARN: resolve_btfids: unresolved symbol kthread_exit
make[2]: *** [scripts/Makefile.vmlinux:72: vmlinux.unstripped] Error 255
make[2]: *** Deleting file 'vmlinux.unstripped'
make[1]: *** [/home/DATA/DEVEL/linux/Makefile:1277: vmlinux] Error 2
make: *** [Makefile:248: __sub-make] Error 2
if I do:
git revert f5ee297b23d843d4ae690595aa29e8f5baeaecf9 --no-edit
see:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-6.19.y&id=f5ee297b23d843d4ae690595aa29e8f5baeaecf9
all is fine here on x86_64 (Intel 11th Gen. CPU)
Thanks
Tested-by: Ronald Warsow <rwarsow@gmx.de>
* Re: [PATCH 6.19 000/378] 6.19.9-rc1 review
From: Peter Schneider @ 2026-03-17 20:12 UTC (permalink / raw)
To: Ronald Warsow, Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
conor, hargar, broonie, achill, sr
On 17.03.2026 at 18:47, Ronald Warsow wrote:
> Hi
>
> compile runs into an error:
>
> LD vmlinux.unstripped
> BTFIDS vmlinux.unstripped
> WARN: resolve_btfids: unresolved symbol kthread_exit
> make[2]: *** [scripts/Makefile.vmlinux:72: vmlinux.unstripped] Error 255
> make[2]: *** Deleting file 'vmlinux.unstripped'
> make[1]: *** [/home/DATA/DEVEL/linux/Makefile:1277: vmlinux] Error 2
> make: *** [Makefile:248: __sub-make] Error 2
>
>
> if I do:
>
> git revert f5ee297b23d843d4ae690595aa29e8f5baeaecf9 --no-edit
>
> see:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-6.19.y&id=f5ee297b23d843d4ae690595aa29e8f5baeaecf9
>
>
>
> all is fine here on x86_64 (Intel 11th Gen. CPU)
>
> Thanks
>
> Tested-by: Ronald Warsow <rwarsow@gmx.de>
I can confirm Ronald's finding. I see the same error on my 2-socket Ivy Bridge Xeon E5-2697 v2 server, and the same
revert helps.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Best regards,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
* Re: [PATCH 6.19 000/378] 6.19.9-rc1 review
From: Brett A C Sheffield @ 2026-03-17 20:18 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 6.19.9-rc1-g4f987e117969 #2 SMP PREEMPT_DYNAMIC Tue Mar 17 20:08:14 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
* Re: [PATCH 6.19 000/378] 6.19.9-rc1 review
From: Miguel Ojeda @ 2026-03-18 0:50 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Tue, 17 Mar 2026 17:29:17 +0100 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.19.9 release.
> There are 378 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 19 Mar 2026 16:28:59 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64, arm64 and riscv64; built-tested
for loongarch64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
* Re: [PATCH 6.19 000/378] 6.19.9-rc1 review
From: Shung-Hsi Yu @ 2026-03-18 7:16 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Tue, Mar 17, 2026 at 05:29:17PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.19.9 release.
> There are 378 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 19 Mar 2026 16:28:59 +0000.
> Anything received after that time might be too late.
test_progs, test_progs-no_alu32, test_progs-cpuv4, test_maps,
test_verifier in BPF selftests all pass [1] on x86_64.
Tested-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
1: https://github.com/shunghsiyu/libbpf/actions/runs/23211625016/job/67531397718
[...]
* Re: [PATCH 6.19 000/378] 6.19.9-rc1 review
From: Jon Hunter @ 2026-03-18 8:17 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
linux-tegra, stable
On Tue, 17 Mar 2026 17:29:17 +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.19.9 release.
> There are 378 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 19 Mar 2026 16:28:59 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.9-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.19:
11 builds: 11 pass, 0 fail
28 boots: 28 pass, 0 fail
133 tests: 133 pass, 0 fail
Linux version: 6.19.9-rc1-g4f987e117969
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
tegra194-p3509-0000+p3668-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra234-p3737-0000+p3701-0000,
tegra234-p3768-0000+p3767-0005, tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
* Re: [PATCH 6.19 000/378] 6.19.9-rc1 review
From: Ron Economos @ 2026-03-18 9:02 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On 3/17/26 09:29, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.19.9 release.
> There are 378 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 19 Mar 2026 16:28:59 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.9-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
* Re: [PATCH 6.19 000/378] 6.19.9-rc1 review
From: Luna Jernberg @ 2026-03-18 10:22 UTC (permalink / raw)
To: Ron Economos, Luna Jernberg
Cc: Greg Kroah-Hartman, stable, patches, linux-kernel, torvalds, akpm,
linux, shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
Tested-by: Luna Jernberg <droidbittin@gmail.com>
AMD Ryzen 5 5600 6-Core Processor:
https://www.inet.se/produkt/5304697/amd-ryzen-5-5600-3-5-ghz-35mb on a
https://www.gigabyte.com/Motherboard/B550-AORUS-ELITE-V2-rev-12
https://www.inet.se/produkt/1903406/gigabyte-b550-aorus-elite-v2
motherboard :)
running Arch Linux with the testing repos enabled:
https://archlinux.org/ https://archboot.com/
https://wiki.archlinux.org/title/Arch_Testing_Team
On Wed, 18 March 2026 at 10:04, Ron Economos <re@w6rz.net> wrote:
>
> On 3/17/26 09:29, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 6.19.9 release.
> > There are 378 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Thu, 19 Mar 2026 16:28:59 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.9-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
>
> Tested-by: Ron Economos <re@w6rz.net>
>
>
* Re: [PATCH 6.19 000/378] 6.19.9-rc1 review
From: Takeshi Ogasawara @ 2026-03-18 11:47 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
Hi Greg
On Wed, Mar 18, 2026 at 1:43 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.19.9 release.
> There are 378 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 19 Mar 2026 16:28:59 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.9-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
6.19.9-rc1 tested.
Build successfully completed.
Boot successfully completed.
No dmesg regressions.
Video output normal.
Sound output normal.
Lenovo ThinkPad X1 Carbon Gen10(Intel i7-1260P(x86_64) arch linux)
[ 0.000000] Linux version 6.19.9-rc1rv-g4f987e117969
(takeshi@ThinkPadX1Gen10J0764) (gcc (GCC) 15.2.1 20260209, GNU ld (GNU
Binutils) 2.46) #1 SMP PREEMPT_DYNAMIC Wed Mar 18 18:51:42 JST 2026
Thanks
Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com>
* Re: [PATCH 6.19 000/378] 6.19.9-rc1 review
From: Greg Kroah-Hartman @ 2026-03-18 11:54 UTC (permalink / raw)
To: Ronald Warsow
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, conor, hargar, broonie, achill, sr
On Tue, Mar 17, 2026 at 06:47:30PM +0100, Ronald Warsow wrote:
> Hi
>
> compile runs into an error:
>
> LD vmlinux.unstripped
> BTFIDS vmlinux.unstripped
> WARN: resolve_btfids: unresolved symbol kthread_exit
> make[2]: *** [scripts/Makefile.vmlinux:72: vmlinux.unstripped] Error 255
> make[2]: *** Deleting file 'vmlinux.unstripped'
> make[1]: *** [/home/DATA/DEVEL/linux/Makefile:1277: vmlinux] Error 2
> make: *** [Makefile:248: __sub-make] Error 2
>
>
> if I do:
>
> git revert f5ee297b23d843d4ae690595aa29e8f5baeaecf9 --no-edit
>
> see:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-6.19.y&id=f5ee297b23d843d4ae690595aa29e8f5baeaecf9
>
>
>
> all is fine here on x86_64 (Intel 11th Gen. CPU)
>
> Thanks
>
> Tested-by: Ronald Warsow <rwarsow@gmx.de>
>
I've fixed this now, thanks!
greg k-h
* Re: [PATCH 6.19 240/378] sched_ext: Fix starvation of scx_enable() under fair-class saturation
From: Jiri Slaby @ 2026-03-19 7:11 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable; +Cc: patches, Tejun Heo
On 17. 03. 26, 17:33, Greg Kroah-Hartman wrote:
> 6.19-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Tejun Heo <tj@kernel.org>
>
> commit b06ccbabe2506fd70b9167a644978b049150224a upstream.
This one likely needs also:
2fcfe5951eb2 sched_ext: Use WRITE_ONCE() for the write side of
scx_enable helper pointer
thanks,
--
js
suse labs
* Re: [PATCH 6.19 240/378] sched_ext: Fix starvation of scx_enable() under fair-class saturation
From: Greg Kroah-Hartman @ 2026-03-19 9:29 UTC (permalink / raw)
To: Jiri Slaby; +Cc: stable, patches, Tejun Heo
On Thu, Mar 19, 2026 at 08:11:39AM +0100, Jiri Slaby wrote:
> On 17. 03. 26, 17:33, Greg Kroah-Hartman wrote:
> > 6.19-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Tejun Heo <tj@kernel.org>
> >
> > commit b06ccbabe2506fd70b9167a644978b049150224a upstream.
>
> This one likely needs also:
> 2fcfe5951eb2 sched_ext: Use WRITE_ONCE() for the write side of scx_enable
> helper pointer
Ugh, I missed that, thanks for catching it!
greg k-h
* Re: [PATCH 6.19 378/378] cxl/acpi: Fix CXL_ACPI and CXL_PMEM Kconfig tristate mismatch
From: Keith Busch @ 2026-03-24 16:45 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Jonathan Cameron, Dan Williams, Dave Jiang
On Tue, Mar 17, 2026 at 05:35:35PM +0100, Greg Kroah-Hartman wrote:
> 6.19-stable review patch. If anyone has any objections, please let me know.
No objection, but a little confused how this got to stable before
landing in Linus' tree. Does stable pull directly from downstream
subsystems now?
Speaking of upstream, will the CXL maintainers be submitting a pull
request for the staged fixes soon? I'm just getting new bug reports from
people testing 7.0-rc, so wanted to check in on that.
* Re: [PATCH 6.19 378/378] cxl/acpi: Fix CXL_ACPI and CXL_PMEM Kconfig tristate mismatch
From: Dave Jiang @ 2026-03-24 16:49 UTC (permalink / raw)
To: Keith Busch, Greg Kroah-Hartman
Cc: stable, patches, Jonathan Cameron, Dan Williams
On 3/24/26 9:45 AM, Keith Busch wrote:
> On Tue, Mar 17, 2026 at 05:35:35PM +0100, Greg Kroah-Hartman wrote:
>> 6.19-stable review patch. If anyone has any objections, please let me know.
>
> No objection, but a little confused how this got to stable before
> landing in Linus' tree. Does stable pull directly from downstream
> subsystems now?
>
> Speaking of upstream, will the CXL maintainers be submitting a pull
> request for the staged fixes soon? I'm just getting new bug reports from
> people testing 7.0-rc, so wanted to check in on that.
I can send it today. Looks like I got enough days in linux-next soaking for the PR.
* Re: [PATCH 6.19 378/378] cxl/acpi: Fix CXL_ACPI and CXL_PMEM Kconfig tristate mismatch
From: Greg Kroah-Hartman @ 2026-03-25 8:56 UTC (permalink / raw)
To: Dave Jiang; +Cc: Keith Busch, stable, patches, Jonathan Cameron, Dan Williams
On Tue, Mar 24, 2026 at 09:49:43AM -0700, Dave Jiang wrote:
>
>
> On 3/24/26 9:45 AM, Keith Busch wrote:
> > On Tue, Mar 17, 2026 at 05:35:35PM +0100, Greg Kroah-Hartman wrote:
> >> 6.19-stable review patch. If anyone has any objections, please let me know.
> >
> > No objection, but a little confused how this got to stable before
> > landing in Linus' tree. Does stable pull directly from downstream
> > subsystems now?
> >
> > Speaking of upstream, will the CXL maintainers be submitting a pull
> > request for the staged fixes soon? I'm just getting new bug reports from
> > people testing 7.0-rc, so wanted to check in on that.
>
> I can send it today. Looks like I got enough days in linux-next soaking for the PR.
>
I took it as it was "obviously" correct, fixed reported regressions, and
it was in linux-next and going to Linus "soon".
thanks,
greg k-h
* Re: [PATCH 6.19 378/378] cxl/acpi: Fix CXL_ACPI and CXL_PMEM Kconfig tristate mismatch
From: Dave Jiang @ 2026-03-25 15:00 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Keith Busch, stable, patches, Jonathan Cameron, Dan Williams
On 3/25/26 1:56 AM, Greg Kroah-Hartman wrote:
> On Tue, Mar 24, 2026 at 09:49:43AM -0700, Dave Jiang wrote:
>>
>>
>> On 3/24/26 9:45 AM, Keith Busch wrote:
>>> On Tue, Mar 17, 2026 at 05:35:35PM +0100, Greg Kroah-Hartman wrote:
>>>> 6.19-stable review patch. If anyone has any objections, please let me know.
>>>
>>> No objection, but a little confused how this got to stable before
>>> landing in Linus' tree. Does stable pull directly from downstream
>>> subsystems now?
>>>
>>> Speaking of upstream, will the CXL maintainers be submitting a pull
>>> request for the staged fixes soon? I'm just getting new bug reports from
>>> people testing 7.0-rc, so wanted to check in on that.
>>
>> I can send it today. Looks like I got enough days in linux-next soaking for the PR.
>>
>
> I took it as it was "obviously" correct, fixed reported regressions, and
> it was in linux-next and going to Linus "soon".
It's now in Linus's tree as of yesterday. We are all good.
>
> thanks,
>
> greg k-h
2026-03-17 16:30 ` [PATCH 6.19 053/378] drm/sitronix/st7586: fix bad pixel data due to byte swap Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 054/378] firmware: cs_dsp: Fix fragmentation regression in firmware download Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 055/378] spi: amlogic: spifc-a4: Fix DMA mapping error handling Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 056/378] spi: rockchip-sfc: Fix double-free in remove() callback Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 057/378] ASoC: soc-core: drop delayed_work_pending() check before flush Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 058/378] ASoC: soc-core: flush delayed work before removing DAIs and widgets Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 059/378] ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 060/378] net: sfp: improve Huawei MA5671a fixup Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 061/378] serial: caif: hold tty->link reference in ldisc_open and ser_release Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 062/378] bnxt_en: Fix RSS table size check when changing ethtool channels Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 063/378] drm/i915/dp: Read ALPM caps after DPCD init Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 064/378] net: enetc: fix incorrect fallback PHY address handling Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 065/378] net: enetc: do not skip setting LaBCR[MDIO_PHYAD_PRTAD] for addr 0 Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 066/378] mctp: i2c: fix skb memory leak in receive path Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 067/378] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 068/378] bonding: fix type confusion in bond_setup_by_slave() Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 069/378] mctp: route: hold key->lock in mctp_flow_prepare_output() Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 070/378] amd-xgbe: fix link status handling in xgbe_rx_adaptation Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 071/378] amd-xgbe: prevent CRC errors during RX adaptation with AN disabled Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 072/378] amd-xgbe: reset PHY settings before starting PHY Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 073/378] net: add xmit recursion limit to tunnel xmit functions Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 074/378] netfilter: nf_tables: Fix for duplicate device in netdev hooks Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 075/378] netfilter: nf_tables: always walk all pending catchall elements Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 076/378] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 077/378] netfilter: x_tables: guard option walkers against 1-byte tail reads Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 078/378] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 079/378] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 080/378] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 081/378] perf annotate: Fix hashmap__new() error checking Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 082/378] regulator: pca9450: Correct interrupt type Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 083/378] regulator: pca9450: Correct probed name for PCA9452 Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 084/378] perf ftrace: Fix hashmap__new() error checking Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 085/378] sched: idle: Make skipping governor callbacks more consistent Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 086/378] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 087/378] nvme-pci: Fix race bug in nvme_poll_irqdisable() Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 088/378] drivers: net: ice: fix devlink parameters get without irdma Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 089/378] iavf: fix PTP use-after-free during reset Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 090/378] iavf: fix incorrect reset handling in callbacks Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 091/378] accel/amdxdna: Fix runtime suspend deadlock when there is pending job Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 092/378] ASoC: codecs: rt1011: Use component to get the dapm context in spk_mode_put Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 093/378] i40e: fix src IP mask checks and memcpy argument names in cloud filter Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 094/378] e1000/e1000e: Fix leak in DMA error cleanup Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 095/378] page_pool: store detach_time as ktime_t to avoid false-negatives Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 096/378] net: bcmgenet: fix broken EEE by converting to phylib-managed state Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 097/378] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address() Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 098/378] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 099/378] ASoC: detect empty DMI strings Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 100/378] drm/amdkfd: Unreserve bo if queue update failed Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 101/378] ASoC: amd: acp-mach-common: Add missing error check for clock acquisition Greg Kroah-Hartman
2026-03-17 16:30 ` [PATCH 6.19 102/378] io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 103/378] perf synthetic-events: Fix stale build ID in module MMAP2 records Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 104/378] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 105/378] net: dsa: realtek: Fix LED group port bit for non-zero LED group Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 106/378] neighbour: restore protocol != 0 check in pneigh update Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 107/378] net/mana: Null service_wq on setup error to prevent double destroy Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 108/378] net: ethernet: ti: am65-cpsw-nuss: Fix rx_filter value for PTP support Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 109/378] octeontx2-af: devlink: fix NIX RAS reporter recovery condition Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 110/378] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 111/378] net: prevent NULL deref in ip[6]tunnel_xmit() Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 112/378] iio: imu: inv-mpu9150: fix irq ack preventing irq storms Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 113/378] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 114/378] drm/amdgpu: ensure no_hw_access is visible before MMIO Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 115/378] cgroup: fix race between task migration and iteration Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 116/378] sched_ext: Remove redundant css_put() in scx_cgroup_init() Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 117/378] cgroup: Dont expose dead tasks in cgroup Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 118/378] ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 119/378] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 120/378] can: gs_usb: gs_can_open(): always configure bitrates before starting device Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 121/378] net: usb: lan78xx: fix silent drop of packets with checksum errors Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 122/378] net: usb: lan78xx: fix TX byte statistics for small packets Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 123/378] net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 124/378] net: usb: lan78xx: skip LTM configuration for LAN7850 Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 125/378] gpib: lpvo_usb: fix unintended binding of FTDI 8U232AM devices Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 126/378] rust_binder: fix oneway spam detection Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 127/378] rust_binder: check ownership before using vma Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 128/378] rust_binder: avoid reading the written value in offsets array Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 129/378] rust_binder: call set_notification_done() without proc lock Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 130/378] rust: kbuild: allow `unused_features` Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 131/378] rust: kbuild: emit dep-info into $(depfile) directly Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 132/378] rust: str: make NullTerminatedFormatter public Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 133/378] ata: libata-core: Add BRIDGE_OK quirk for QEMU drives Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 134/378] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 135/378] KVM: arm64: Fix protected mode handling of pages larger than 4kB Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 136/378] KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 137/378] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 138/378] KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 139/378] KVM: arm64: pkvm: Fallback to level-3 mapping on host stage-2 fault Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 140/378] KVM: arm64: vgic: Pick EOIcount deactivations from AP-list tail Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 141/378] KVM: arm64: pkvm: Dont reprobe for ICH_VTR_EL2.TDS on CPU hotplug Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 142/378] USB: add QUIRK_NO_BOS for video capture several devices Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 143/378] usb/core/quirks: Add Huawei ME906S-device to wakeup quirk Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 144/378] USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 145/378] usb: xhci: Fix memory leak in xhci_disable_slot() Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 146/378] usb: xhci: Prevent interrupt storm on host controller error (HCE) Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 147/378] xhci: Fix NULL pointer dereference when reading portli debugfs files Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 148/378] usb: yurex: fix race in probe Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 149/378] usb: dwc3: pci: add support for the Intel Nova Lake -H Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 150/378] usb: misc: uss720: properly clean up reference in uss720_probe() Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 151/378] usb: core: dont power off roothub PHYs if phy_set_mode() fails Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 152/378] usb: cdc-acm: Restore CAP_BRK functionnality to CH343 Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 153/378] usb: roles: get usb role switch from parent only for usb-b-connector Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 154/378] usb: typec: altmode/displayport: set displayport signaling rate in configure message Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 155/378] USB: usbcore: Introduce usb_bulk_msg_killable() Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 156/378] USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 157/378] USB: core: Limit the length of unkillable synchronous timeouts Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 158/378] usb: class: cdc-wdm: fix reordering issue in read code path Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 159/378] usb: renesas_usbhs: fix use-after-free in ISR during device removal Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 160/378] usb: gadget: f_hid: fix SuperSpeed descriptors Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 161/378] usb: mdc800: handle signal and read racing Greg Kroah-Hartman
2026-03-17 16:31 ` [PATCH 6.19 162/378] usb: gadget: uvc: fix interval_duration calculation Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 163/378] usb: image: mdc800: kill download URB on timeout Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 164/378] usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 165/378] usb: gadget: f_ncm: Fix atomic context locking issue Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 166/378] usb: legacy: ncm: Fix NPE in gncm_bind Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 167/378] Revert "usb: gadget: f_ncm: Fix atomic context locking issue" Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 168/378] Revert "usb: legacy: ncm: Fix NPE in gncm_bind" Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 169/378] Revert "usb: gadget: u_ether: Add auto-cleanup helper for freeing net_device" Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 170/378] Revert "usb: gadget: f_ncm: align net_device lifecycle with bind/unbind" Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 171/378] Revert "usb: gadget: u_ether: add gether_opts for config caching" Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 172/378] usb: gadget: f_ncm: Fix net_device lifecycle with device_move Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 173/378] mm/tracing: rss_stat: ensure curr is false from kthread context Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 174/378] ceph: fix i_nlink underrun during async unlink Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 175/378] ceph: do not skip the first folio of the next object in writeback Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 176/378] ceph: fix memory leaks in ceph_mdsc_build_path() Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 177/378] ALSA: usb-audio: Improve Focusrite sample rate filtering Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 178/378] objtool/klp: Fix detection of corrupt static branch/call entries Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 179/378] objtool: Fix data alignment in elf_add_data() Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 180/378] objtool: Fix another stack overflow in validate_branch() Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 181/378] irqchip/riscv-aplic: Preserve APLIC states across suspend/resume Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 182/378] irqchip/riscv-aplic: Do not clear ACPI dependencies on probe failure Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 183/378] irqchip/riscv-aplic: Register syscore operations only once Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 184/378] time/jiffies: Mark jiffies_64_to_clock_t() notrace Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 185/378] sched/mmcid: Prevent CID stalls due to concurrent forks Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 186/378] sched/mmcid: Handle vfork()/CLONE_VM correctly Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 187/378] sched/mmcid: Remove pointless preempt guard Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 188/378] sched/mmcid: Avoid full tasklist walks Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 189/378] i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 190/378] powerpc, perf: Check that current->mm is alive before getting user callchain Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 191/378] scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 192/378] scsi: qla2xxx: Completely fix fcport double free Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 193/378] scsi: hisi_sas: Fix NULL pointer exception during user_scan() Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 194/378] mm/kfence: fix KASAN hardware tag faults during late enablement Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 195/378] mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index() Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 196/378] mm/kfence: disable KFENCE upon KASAN HW tags enablement Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 197/378] mmc: sdhci-brcmstb: use correct register offset for V1 pin_sel restore Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 198/378] mmc: dw_mmc-rockchip: Fix runtime PM support for internal phase support Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 199/378] mmc: core: Avoid bitfield RMW for claim/retune flags Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 200/378] ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 201/378] tipc: fix divide-by-zero in tipc_sk_filter_connect() Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 202/378] firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 203/378] kprobes: avoid crash when rmmod/insmod after ftrace killed Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 204/378] ceph: add a bunch of missing ceph_path_info initializers Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 205/378] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 206/378] libceph: reject preamble if control segment is empty Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 207/378] libceph: prevent potential out-of-bounds reads in process_message_header() Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 208/378] libceph: Use u32 for non-negative values in ceph_monmap_decode() Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 209/378] libceph: admit message frames only in CEPH_CON_S_OPEN state Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 210/378] Revert "tcpm: allow looking for role_sw device in the main node" Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 211/378] Revert "ptdesc: remove references to folios from __pagetable_ctor() and pagetable_dtor()" Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 212/378] mm: Fix a hmm_range_fault() livelock / starvation problem Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 213/378] nsfs: tighten permission checks for ns iteration ioctls Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 214/378] liveupdate: luo_file: remember retrieve() status Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 215/378] kthread: consolidate kthread exit paths to prevent use-after-free Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 216/378] cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request() Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 217/378] drm/amdgpu: add upper bound check on user inputs in signal ioctl Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 218/378] drm/amdgpu/userq: Fix reference leak in amdgpu_userq_wait_ioctl Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 219/378] drm/amdgpu: add upper bound check on user inputs in wait ioctl Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 220/378] drm/amd: Disable MES LR compute W/A Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 221/378] ipmi:si: Dont block module unload if the BMC is messed up Greg Kroah-Hartman
2026-03-17 16:32 ` [PATCH 6.19 222/378] ipmi:si: Use a long timeout when the BMC is misbehaving Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 223/378] drm/bridge: samsung-dsim: Fix memory leak in error path Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 224/378] drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 225/378] ipmi:si: Handle waiting messages when BMC failure detected Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 226/378] nouveau/gsp: drop WARN_ON in ACPI probes Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 227/378] drm/i915/alpm: ALPM disable fixes Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 228/378] gpiolib: normalize the return value of gc->get() on behalf of buggy drivers Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 229/378] ipmi:si: Fix check for a misbehaving BMC Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 230/378] drm/xe/sync: Fix user fence leak on alloc failure Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 231/378] drm/xe/sync: Cleanup partially initialized sync on parse failure Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 232/378] s390/pfault: Fix virtual vs physical address confusion Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 233/378] bpf: Fix kprobe_multi cookies access in show_fdinfo callback Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 234/378] arm64: gcs: Honour mprotect(PROT_NONE) on shadow stack mappings Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 235/378] nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit() Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 236/378] device property: Allow secondary lookup in fwnode_get_next_child_node() Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 237/378] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 238/378] btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies() Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 239/378] sched_ext: Disable preemption between scx_claim_exit() and kicking helper work Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 240/378] sched_ext: Fix starvation of scx_enable() under fair-class saturation Greg Kroah-Hartman
2026-03-19 7:11 ` Jiri Slaby
2026-03-19 9:29 ` Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 241/378] iomap: dont mark folio uptodate if read IO has bytes pending Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 242/378] iomap: reject delalloc mappings during writeback Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 243/378] nsfs: tighten permission checks for handle opening Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 244/378] nstree: tighten permission checks for listing Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 245/378] ice: reintroduce retry mechanism for indirect AQ Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 246/378] kunit: irq: Ensure timer doesnt fire too frequently Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 247/378] ixgbevf: fix link setup issue Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 248/378] mm: memfd_luo: always make all folios uptodate Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 249/378] mm: memfd_luo: always dirty all folios Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 250/378] mm/huge_memory: fix a folio_split() race condition with folio_try_get() Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 251/378] mm/damon/core: clear walk_control on inactive context in damos_walk() Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 252/378] mm/slab: fix an incorrect check in obj_exts_alloc_size() Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 253/378] staging: sm750fb: add missing pci_release_region on error and removal Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 254/378] staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 255/378] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 256/378] pinctrl: cy8c95x0: Dont miss reading the last bank registers Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 257/378] selftests: fix mntns iteration selftests Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 258/378] media: dvb-net: fix OOB access in ULE extension header tables Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 259/378] net: mana: Ring doorbell at 4 CQ wraparounds Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 260/378] net: Fix rcu_tasks stall in threaded busypoll Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 261/378] ice: fix retry for AQ command 0x06EE Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 262/378] fgraph: Fix thresh_return clear per-task notrace Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 263/378] tracing: Fix syscall events activation by ensuring refcount hits zero Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 264/378] net/tcp-ao: Fix MAC comparison to be constant-time Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 265/378] fgraph: Fix thresh_return nosleeptime double-adjust Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 266/378] net/tcp-md5: Fix MAC comparison to be constant-time Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 267/378] batman-adv: Avoid double-rtnl_lock ELP metric worker Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 268/378] drm/xe/xe2_hpg: Correct implementation of Wa_16025250150 Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 269/378] pmdomain: rockchip: Fix PD_VCODEC for RK3588 Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 270/378] parisc: Increase initial mapping to 64 MB with KALLSYMS Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 271/378] nouveau/dpcd: return EBUSY for aux xfer if the device is asleep Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 272/378] arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 273/378] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 274/378] io_uring/zcrx: use READ_ONCE with user shared RQEs Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 275/378] parisc: Fix initial page table creation for boot Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 276/378] arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 277/378] parisc: Check kernel mapping earlier at bootup Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 278/378] io_uring/net: reject SEND_VECTORIZED when unsupported Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 279/378] regulator: pf9453: Respect IRQ trigger settings from firmware Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 280/378] pmdomain: bcm: bcm2835-power: Fix broken reset status read Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 281/378] drm/ttm: Fix ttm_pool_beneficial_order() return type Greg Kroah-Hartman
2026-03-17 16:33 ` [PATCH 6.19 282/378] crypto: ccp - allow callers to use HV-Fixed page API when SEV is disabled Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 283/378] s390/stackleak: Fix __stackleak_poison() inline assembly constraint Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 284/378] ata: libata-core: Disable LPM on ST1000DM010-2EP102 Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 285/378] s390/xor: Fix xor_xc_2() inline assembly constraints Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 286/378] drm/amd/display: Fallback to boot snapshot for dispclk Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 287/378] s390/xor: Fix xor_xc_5() inline assembly Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 288/378] slab: distinguish lock and trylock for sheaf_flush_main() Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 289/378] memcg: fix slab accounting in refill_obj_stock() trylock path Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 290/378] ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 291/378] smb: server: fix use-after-free in smb2_open() Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 292/378] ksmbd: Dont log keys in SMB3 signing and encryption key generation Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 293/378] ksmbd: fix use-after-free by using call_rcu() for oplock_info Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 294/378] net: mctp: fix device leak on probe failure Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 295/378] net: nexthop: fix percpu use-after-free in remove_nh_grp_entry Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 296/378] net: ncsi: fix skb leak in error paths Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 297/378] net: ethernet: arc: emac: quiesce interrupts before requesting IRQ Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 298/378] net: dsa: microchip: Fix error path in PTP IRQ setup Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 299/378] net: macb: Shuffle the tx ring before enabling tx Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 300/378] drm/amd/pm: remove invalid gpu_metrics.energy_accumulator on smu v13.0.x Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 301/378] drm/amdgpu: Fix use-after-free race in VM acquire Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 302/378] drm/amd: Set num IP blocks to 0 if discovery fails Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 303/378] drm/amd: Fix NULL pointer dereference in device cleanup Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 304/378] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 305/378] drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 306/378] drm/i915: Fix potential overflow of shmem scatterlist length Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 307/378] drm/i915/psr: Repeat Selective Update area alignment Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 308/378] drm/msm: Fix dma_free_attrs() buffer size Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 309/378] drm/amd: Fix a few more NULL pointer dereference in device cleanup Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 310/378] drm/msm/dpu: Correct the SA8775P intr_underrun/intr_underrun index Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 311/378] drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 312/378] tracing: Fix enabling multiple events on the kernel command line and bootconfig Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 313/378] tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 314/378] net-shapers: dont free reply skb after genlmsg_reply() Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 315/378] qmi_wwan: allow max_mtu above hard_mtu to control rx_urb_size Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 316/378] can: dev: keep the max bitrate error at 5% Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 317/378] io_uring/kbuf: check if target buffer list is still legacy on recycle Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 318/378] cifs: make default value of retrans as zero Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 319/378] xfs: fix integer overflow in bmap intent sort comparator Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 320/378] xfs: fix returned valued from xfs_defer_can_append Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 321/378] xfs: fix undersized l_iclog_roundoff values Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 322/378] xfs: ensure dquot item is deleted from AIL only after log shutdown Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 323/378] sched_ext: Fix enqueue_task_scx() truncation of upper enqueue flags Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 324/378] s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 325/378] dt-bindings: display: msm: Fix reg ranges and clocks on Glymur Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 326/378] ublk: fix NULL pointer dereference in ublk_ctrl_set_size() Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 327/378] s390/dasd: Move quiesce state with pprc swap Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 328/378] s390/dasd: Copy detected format information to secondary device Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 329/378] powerpc/pseries: Correct MSI allocation tracking Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 330/378] powerpc64/bpf: fix kfunc call support Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 331/378] powerpc64/bpf: fix the address returned by bpf_get_func_ip Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 332/378] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 333/378] scsi: core: Fix error handling for scsi_alloc_sdev() Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 334/378] x86/apic: Disable x2apic on resume if the kernel expects so Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 335/378] kprobes: Remove unneeded warnings from __arm_kprobe_ftrace() Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 336/378] lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after() Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 337/378] lib/bootconfig: check bounds before writing in __xbc_open_brace() Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 338/378] smb: client: fix atomic open with O_DIRECT & O_SYNC Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 339/378] smb: client: fix in-place encryption corruption in SMB2_write() Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 340/378] smb: client: fix iface port assignment in parse_server_interfaces Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 341/378] btrfs: fix transaction abort when snapshotting received subvolumes Greg Kroah-Hartman
2026-03-17 16:34 ` [PATCH 6.19 342/378] btrfs: fix transaction abort on file creation due to name hash collision Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 343/378] btrfs: fix transaction abort on set received ioctl due to item overflow Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 344/378] btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer() Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 345/378] btrfs: abort transaction on failure to update root in the received subvol ioctl Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 346/378] iio: dac: ds4424: reject -128 RAW value Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 347/378] iio: frequency: adf4377: Fix duplicated soft reset mask Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 348/378] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 349/378] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 350/378] iio: magnetometer: tlv493d: remove erroneous shift in X-axis data Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 351/378] iio: potentiometer: mcp4131: fix double application of wiper shift Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 352/378] iio: chemical: bme680: Fix measurement wait duration calculation Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 353/378] iio: buffer: Fix wait_queue not being removed Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 354/378] iio: gyro: mpu3050-core: fix pm_runtime error handling Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 355/378] iio: imu: adis: Fix NULL pointer dereference in adis_init Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 356/378] iio: gyro: mpu3050-i2c: fix pm_runtime error handling Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 357/378] iio: imu: inv_icm45600: fix regulator put warning when probe fails Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 358/378] iio: light: bh1780: fix PM runtime leak on error path Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 359/378] iio: imu: inv_icm45600: fix INT1 drive bit inverted Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 360/378] iio: imu: inv_icm42600: fix odr switch to the same value Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 361/378] iio: imu: inv_icm42600: fix odr switch when turning buffer off Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 362/378] iio: proximity: hx9023s: fix assignment order for __counted_by Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 363/378] iio: proximity: hx9023s: Protect against division by zero in set_samp_freq Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 364/378] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 365/378] i3c: mipi-i3c-hci: Factor out DMA mapping from queuing path Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 366/378] i3c: mipi-i3c-hci: Consolidate spinlocks Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 367/378] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 368/378] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 369/378] i3c: mipi-i3c-hci: Fix race in DMA ring dequeue Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 370/378] i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 371/378] mm/damon: rename DAMON_MIN_REGION to DAMON_MIN_REGION_SZ Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 372/378] mm/damon: rename min_sz_region of damon_ctx to min_region_sz Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 373/378] mm/damon/core: disallow non-power of two min_region_sz Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 374/378] KVM: arm64: gic: Set vgic_model before initing private IRQs Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 375/378] KVM: arm64: Eagerly init vgic dist/redist on vgic creation Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 376/378] io_uring: ensure ctx->rings is stable for task work flags manipulation Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 377/378] io_uring/eventfd: use ctx->rings_rcu for flags checking Greg Kroah-Hartman
2026-03-17 16:35 ` [PATCH 6.19 378/378] cxl/acpi: Fix CXL_ACPI and CXL_PMEM Kconfig tristate mismatch Greg Kroah-Hartman
2026-03-24 16:45 ` Keith Busch
2026-03-24 16:49 ` Dave Jiang
2026-03-25 8:56 ` Greg Kroah-Hartman
2026-03-25 15:00 ` Dave Jiang
2026-03-17 17:47 ` [PATCH 6.19 000/378] 6.19.9-rc1 review Ronald Warsow
2026-03-17 20:12 ` Peter Schneider
2026-03-18 11:54 ` Greg Kroah-Hartman
2026-03-17 20:18 ` Brett A C Sheffield
2026-03-18 0:50 ` Miguel Ojeda
2026-03-18 7:16 ` Shung-Hsi Yu
2026-03-18 8:17 ` Jon Hunter
2026-03-18 9:02 ` Ron Economos
2026-03-18 10:22 ` Luna Jernberg
2026-03-18 11:47 ` Takeshi Ogasawara