* [PATCH 6.6 000/567] 6.6.130-rc1 review
@ 2026-03-23 13:38 Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 001/567] drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release Greg Kroah-Hartman
` (377 more replies)
0 siblings, 378 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 6.6.130 release.
There are 567 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 25 Mar 2026 13:44:33 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.130-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.6.130-rc1
Josh Law <objecting@objecting.org>
tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
Josh Law <objecting@objecting.org>
lib/bootconfig: check xbc_init_node() return in override path
Rahul Bukte <rahul.bukte@sony.com>
drm/i915/gt: Check set_default_submission() before deferencing
Hyunwoo Kim <imv4bel@gmail.com>
ksmbd: fix use-after-free in durable v2 replay of active file handles
Hyunwoo Kim <imv4bel@gmail.com>
ksmbd: fix use-after-free of share_conf in compound request
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amd/display: Fix DisplayID not-found handling in parse_edid_displayid_vrr()
Kamal Dasu <kamal.dasu@broadcom.com>
mtd: rawnand: brcmnand: skip DMA during panic write
Kamal Dasu <kamal.dasu@broadcom.com>
mtd: rawnand: serialize lock/unlock against other NAND operations
Johan Hovold <johan@kernel.org>
i2c: cp2615: fix serial string NULL-deref at probe
Justin Stitt <justinstitt@google.com>
i2c: cp2615: replace deprecated strncpy with strscpy
Florian Westphal <fw@strlen.de>
netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
Kyle Meyer <kyle.meyer@hpe.com>
x86/platform/uv: Handle deconfigured sockets
Gabor Juhos <j4g8y7@gmail.com>
i2c: pxa: defer reset on Armada 3700 when recovery is used
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
i2c: fsi: Fix a potential leak in fsi_i2c_probe()
Ji-Ze Hong (Peter Hong) <peter_hong@fintek.com.tw>
USB: serial: f81232: fix incomplete serial port generation
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
Maarten Lankhorst <dev@lankhorst.se>
drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug
Sanman Pradhan <psanman@juniper.net>
hwmon: (pmbus/isl68137) Fix unchecked return value and use sysfs_emit()
Sanman Pradhan <psanman@juniper.net>
hwmon: (pmbus/mp2975) Add error check for pmbus_read_word_data() return value
Weiming Shi <bestswngs@gmail.com>
icmp: fix NULL pointer dereference in icmp_tag_validation()
Anas Iqbal <mohd.abd.6602@gmail.com>
net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
Muhammad Hammad Ijaz <mhijaz@amazon.com>
net: mvpp2: guard flow control update with global_tx_fc in buffer switching
Weiming Shi <bestswngs@gmail.com>
nfnetlink_osf: validate individual option lengths in fingerprints
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: release flowtable after rcu grace period on error
Florian Westphal <fw@strlen.de>
netfilter: bpf: defer hook memory release until rcu readers are done
Xiang Mei <xmei5@asu.edu>
net: bonding: fix NULL deref in bond_debug_rlb_hash_show
Xiang Mei <xmei5@asu.edu>
udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
Jianbo Liu <jianbol@nvidia.com>
net/mlx5e: Fix race condition during IPSec ESN update
Jianbo Liu <jianbol@nvidia.com>
net/mlx5e: Prevent concurrent access to IPSec ASO context
Cosmin Ratiu <cratiu@nvidia.com>
net/mlx5: qos: Restrict RTNL area to avoid a lock cycle
Fedor Pchelkin <pchelkin@ispras.ru>
net: macb: fix uninitialized rx_fs_lock
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
Guenter Roeck <linux@roeck-us.net>
wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom
Xiang Mei <xmei5@asu.edu>
wifi: mac80211: fix NULL deref in mesh_matches_local()
Petr Oros <poros@redhat.com>
iavf: fix VLAN filter lost on add/delete race
Kohei Enju <kohei@enjuk.jp>
igc: fix missing update of skb->tail in igc_xmit_frame()
Nikola Z. Ivanov <zlatistiv@gmail.com>
net: usb: aqc111: Do not perform PM inside suspend callback
Daniel Borkmann <daniel@iogearbox.net>
clsact: Fix use-after-free in init/destroy rollback asymmetry
Tobi Gaertner <tob.gaertner@me.com>
net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
Tobi Gaertner <tob.gaertner@me.com>
net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
Jamal Hadi Salim <jhs@mojatatu.com>
net/sched: teql: Fix double-free in teql_master_xmit
Jiayuan Chen <jiayuan.chen@shopee.com>
net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
Bart Van Assche <bvanassche@acm.org>
PM: runtime: Fix a race condition related to device removal
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
sched: idle: Consolidate the handling of two special cases
Dipayaan Roy <dipayanroy@linux.microsoft.com>
net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown
Justin Chen <justin.chen@broadcom.com>
net: bcmgenet: increase WoL poll timeout
Jenny Guanni Qu <qguanni@gmail.com>
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
Jenny Guanni Qu <qguanni@gmail.com>
netfilter: xt_time: use unsigned int for monthday bit shift
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: xt_CT: drop pending enqueued packets on template removal
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_ct: drop pending enqueued packets on removal
Andrii Melnychenko <a.melnychenko@vyos.io>
netfilter: nft_ct: add seqadj extension for natted connections
Jenny Guanni Qu <qguanni@gmail.com>
netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
Lukas Johannes Möller <research@johannes-moeller.dev>
netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
Hyunwoo Kim <imv4bel@gmail.com>
netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
Florian Westphal <fw@strlen.de>
netfilter: ctnetlink: remove refcounting in expectation dumpers
Sabrina Dubroca <sd@queasysnail.net>
mpls: add missing unregister_netdevice_notifier to mpls_init
Jiayuan Chen <jiayuan.chen@shopee.com>
net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Bluetooth: qca: fix ROM version reading on WCN3998 chips
Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: HIDP: Fix possible UAF
Michael Grzeschik <m.grzeschik@pengutronix.de>
Bluetooth: hci_sync: Fix hci_le_create_conn_sync
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: ISO: Fix defer tests being unstable
Christian Eggers <ceggers@arri.de>
Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
Christian Eggers <ceggers@arri.de>
Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
Christian Eggers <ceggers@arri.de>
Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
Felix Gu <ustc.gu@gmail.com>
firmware: arm_scpi: Fix device_node reference leak in probe path
Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
Kuniyuki Iwashima <kuniyu@google.com>
wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
Richard Genoud <richard.genoud@bootlin.com>
soc: fsl: qbman: fix race condition in qman_destroy_fq
Felix Gu <ustc.gu@gmail.com>
cache: ax45mp: Fix device node reference leak in ax45mp_cache_init()
ZhengYuan Huang <gality369@gmail.com>
btrfs: tree-checker: fix misleading root drop_level error message
Filipe Manana <fdmanana@suse.com>
btrfs: log new dentries when logging parent dir of a conflicting inode
Xi Ruoyao <xry111@xry111.site>
drm/amd/display: Wrap dcn32_override_min_req_memclk() in DC_FP_{START, END}
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu: apply state adjust rules to some additional HAINAN vairants
Alex Deucher <alexander.deucher@amd.com>
drm/radeon: apply state adjust rules to some additional HAINAN vairants
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub3.0: add bounds checking for cid
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub3.0.2: add bounds checking for cid
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub3.0.1: add bounds checking for cid
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub2.3: add bounds checking for cid
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub2.0: add bounds checking for cid
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/gmc9.0: add bounds checking for cid
Maciej Andrzejewski ICEYE <maciej.andrzejewski@m-works.net>
serial: uartlite: fix PM runtime usage count underflow on probe
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART BUSY
Raul E Rangel <rrangel@chromium.org>
serial: 8250: Fix TX deadlock when using DMA
Martin Roukala (né Peres) <martin.roukala@mupuf.org>
serial: 8250_pci: add support for the AX99100
Guanghui Feng <guanghuifeng@linux.alibaba.com>
iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry
Finn Thain <fthain@linux-m68k.org>
mtd: Avoid boot crash in RedBoot partition table parser
Chen Ni <nichen@iscas.ac.cn>
mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init()
Olivier Sobrie <olivier@sobrie.be>
mtd: rawnand: pl353: make sure optimal timings are applied
Johan Hovold <johan@kernel.org>
spi: fix statistics allocation
Johan Hovold <johan@kernel.org>
spi: fix use-after-free on controller registration failure
Maíra Canal <mcanal@igalia.com>
pmdomain: bcm: bcm2835-power: Increase ASB control timeout
Luke Wang <ziniu.wang_1@nxp.com>
mmc: sdhci: fix timing selection for 1-bit bus width
Matthew Schwartz <matthew.schwartz@linux.dev>
mmc: sdhci-pci-gli: fix GL9750 DMA write corruption
Kevin Hao <haokexin@gmail.com>
net: macb: Reinitialize tx/rx queue pointer registers and rx ring during resume
Kevin Hao <haokexin@gmail.com>
net: macb: Introduce gem_init_rx_ring()
Vineeth Karumanchi <vineeth.karumanchi@amd.com>
net: macb: queue tie-off or disable during WOL suspend
Jeff Layton <jlayton@kernel.org>
nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
Yang Yang <n05ec@lzu.edu.cn>
batman-adv: avoid OGM aggregation when skb tailroom is insufficient
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: light: bh1780: fix PM runtime leak on error path
Filipe Manana <fdmanana@suse.com>
btrfs: fix transaction abort on file creation due to name hash collision
Filipe Manana <fdmanana@suse.com>
btrfs: fix transaction abort on set received ioctl due to item overflow
Filipe Manana <fdmanana@suse.com>
btrfs: fix transaction abort when snapshotting received subvolumes
Masami Hiramatsu (Google) <mhiramat@kernel.org>
kprobes: Remove unneeded warnings from __arm_kprobe_ftrace()
Masami Hiramatsu (Google) <mhiramat@kernel.org>
kprobes: Remove unneeded goto
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: unset conn->binding on failed binding request
Paulo Alcantara <pc@manguebit.org>
smb: client: fix krb5 mount with username option
Lukas Johannes Möller <research@johannes-moeller.dev>
Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
Lukas Johannes Möller <research@johannes-moeller.dev>
Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
Helge Deller <deller@gmx.de>
parisc: Flush correct cache in cacheflush() syscall
Fedor Pchelkin <pchelkin@ispras.ru>
net: macb: fix use-after-free access to PTP clock
Ian Ray <ian.ray@gehealthcare.com>
NFC: nxp-nci: allow GPIOs to sleep
Tiezhu Yang <yangtiezhu@loongson.cn>
LoongArch: Give more information if kmem access failed
Ira Weiny <ira.weiny@intel.com>
nvdimm/bus: Fix potential use after free in asynchronous initialization
Jeff Layton <jlayton@kernel.org>
sunrpc: fix cache_request leak in cache_release
Chuck Lever <chuck.lever@oracle.com>
NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
Jens Axboe <axboe@kernel.dk>
io_uring/kbuf: check if target buffer list is still legacy on recycle
David Hildenbrand (Arm) <david@kernel.org>
mm/mempolicy: fix wrong mmap_read_unlock() in migrate_to_node()
Harald Freudenberger <freude@linux.ibm.com>
s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute
Heiko Carstens <hca@linux.ibm.com>
s390/stackleak: Fix __stackleak_poison() inline assembly constraint
Heiko Carstens <hca@linux.ibm.com>
s390/xor: Fix xor_xc_2() inline assembly constraints
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: in-kernel: always set ID as avail when rm endp
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
net: stmmac: remove support for lpi_intr_o
Zilin Guan <zilin@seu.edu.cn>
binfmt_misc: restore write access before closing files opened by open_exec()
Vincent Guittot <vincent.guittot@linaro.org>
sched/fair: Fix pelt clock sync when entering idle
Chao Yu <chao@kernel.org>
f2fs: zone: fix to avoid inconsistence in between SIT and SSA
Zqiang <qiang.zhang1211@gmail.com>
rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access
Antheas Kapenekakis <lkml@antheas.dev>
platform/x86/amd/pmc: Add support for Van Gogh SoC
Oleg Nesterov <oleg@redhat.com>
x86/uprobes: Fix XOL allocation failure for 32-bit tasks
Eric Dumazet <edumazet@google.com>
net: use dst_dev_rcu() in sk_setup_caps()
Eric Dumazet <edumazet@google.com>
net: dst: introduce dst->dev_rcu
Eric Dumazet <edumazet@google.com>
net: dst: add four helpers to annotate data-races around dst->dev
Jeongjun Park <aha310510@gmail.com>
drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
Jeongjun Park <aha310510@gmail.com>
drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Jeongjun Park <aha310510@gmail.com>
drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
Lijo Lazar <lijo.lazar@amd.com>
drm/amdgpu: Add basic validation for RAS header
Eric Dumazet <edumazet@google.com>
l2tp: do not use sock_hold() in pppol2tp_session_get_sock()
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Add pixel_clock to amd_pp_display_configuration
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: properly keep track of conduit reference
Paul Chaignon <paul.chaignon@gmail.com>
bpf: Forget ranges when refining tnum after JSET
Jibin Zhang <jibin.zhang@mediatek.com>
net: fix segmentation of forwarding fraglist GRO
Felix Fietkau <nbd@nbd.name>
net: gso: fix tcp fraglist segmentation after pull from frag_list
Felix Fietkau <nbd@nbd.name>
net: add support for segmenting TCP fraglist GSO packets
Steven Rostedt <rostedt@goodmis.org>
tracing: Add recursion protection in kernel stack trace recording
Guodong Xu <guodong@riscstar.com>
dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
Lukas Gerlach <lukas.gerlach@cispa.de>
riscv: Sanitize syscall table indexing under speculation
Qu Wenruo <wqu@suse.com>
btrfs: do not strictly require dirty metadata threshold for metadata writepages
Christoph Hellwig <hch@lst.de>
iomap: allocate s_dio_done_wq for async reads as well
David Howells <dhowells@redhat.com>
rxrpc: Fix data-race warning and potential load/store tearing
Tom Lendacky <thomas.lendacky@amd.com>
x86/sev: Check for MWAITX and MONITORX opcodes in the #VC handler
Borislav Petkov (AMD) <bp@alien8.de>
x86/sev: Harden #VC instruction emulation somewhat
Eric Dumazet <edumazet@google.com>
ipv6: use RCU in ip6_xmit()
Mikulas Patocka <mpatocka@redhat.com>
dm-verity: disable recursive forward error correction
David Howells <dhowells@redhat.com>
rxrpc: Fix recvmsg() unconditional requeue
Jan Kara <jack@suse.cz>
ext4: always allocate blocks only from groups inode can use
Jakub Kicinski <kuba@kernel.org>
eth: bnxt: always recalculate features after XDP clearing, fix null-deref
Bjorn Andersson <quic_bjorande@quicinc.com>
usb: typec: ucsi: Move unregister out of atomic section
Trond Myklebust <trond.myklebust@hammerspace.com>
pNFS: Fix a deadlock when returning a delegation during open()
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Fix a deadlock involving nfs_release_folio()
Christoph Hellwig <hch@lst.de>
nfs: pass explicit offset/count to trace events
Eric Dumazet <edumazet@google.com>
dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
Miquel Sabaté Solà <mssola@mssola.com>
btrfs: fix NULL dereference on root when tracing inode eviction
Ryan Roberts <ryan.roberts@arm.com>
arm64: mm: Don't remap pgtables for allocate vs populate
Ryan Roberts <ryan.roberts@arm.com>
arm64: mm: Batch dsb and isb when populating pgtables
Ryan Roberts <ryan.roberts@arm.com>
arm64: mm: Don't remap pgtables per-cont(pte|pmd) block
Huacai Chen <chenhuacai@kernel.org>
net: stmmac: dwmac-loongson: Set clk_csr_i to 100-150MHz
Qu Wenruo <wqu@suse.com>
btrfs: always fallback to buffered write if the inode requires checksum
Brian Foster <bfoster@redhat.com>
ext4: fix dirtyclusters double decrement on fs shutdown
Chao Yu <chao@kernel.org>
f2fs: fix to avoid migrating empty section
Eric Biggers <ebiggers@kernel.org>
net/tcp-md5: Fix MAC comparison to be constant-time
Eric Biggers <ebiggers@kernel.org>
ksmbd: Compare MACs in constant time
Eric Biggers <ebiggers@kernel.org>
smb: client: Compare MACs in constant time
Long Li <leo.lilong@huawei.com>
xfs: ensure dquot item is deleted from AIL only after log shutdown
Long Li <leo.lilong@huawei.com>
xfs: fix integer overflow in bmap intent sort comparator
Thorsten Blum <thorsten.blum@linux.dev>
crypto: atmel-sha204a - Fix OOM ->tfm_count leak
Shyam Prasad N <sprasad@microsoft.com>
cifs: open files should not hold ref on superblock
Kevin Hao <haokexin@gmail.com>
net: macb: Shuffle the tx ring before enabling tx
Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output
Thomas Fourier <fourier.thomas@gmail.com>
drm/msm: Fix dma_free_attrs() buffer size
Thorsten Blum <thorsten.blum@linux.dev>
ksmbd: Don't log keys in SMB3 signing and encryption key generation
Darrick J. Wong <djwong@kernel.org>
iomap: reject delalloc mappings during writeback
Alexander Potapenko <glider@google.com>
mm/kfence: fix KASAN hardware tag faults during late enablement
Sean Christopherson <seanjc@google.com>
KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
Naveen N Rao <naveen@kernel.org>
KVM: SVM: Add a helper to look up the max physical ID for AVIC
Naveen N Rao <naveen@kernel.org>
KVM: SVM: Limit AVIC physical max index based on configured max_vcpu_ids
Jiasheng Jiang <jiashengjiangcool@gmail.com>
usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
Marc Kleine-Budde <mkl@pengutronix.de>
can: gs_usb: gs_can_open(): always configure bitrates before starting device
Paul Moses <p@1g4.org>
net/sched: act_gate: snapshot parameters with RCU on replace
Nathan Chancellor <nathan@kernel.org>
kbuild: Leave objtool binary around with 'make clean'
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: join: check RM_ADDR not sent over same subflow
Gang Yan <yangang@kylinos.cn>
selftests: mptcp: add a check for 'add_addr_accepted'
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: in-kernel: always mark signal+subflow endp as used
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: avoid sending RM_ADDR over same subflow
Natalie Vock <natalie.vock@gmx.de>
drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink
Andrew Lunn <andrew@lunn.ch>
net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
Ankit Garg <nktgrg@google.com>
gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL
Kim Phillips <kim.phillips@amd.com>
x86/sev: Allow IBPB-on-Entry feature for SNP guests
Mario Limonciello <mario.limonciello@amd.com>
platform/x86: hp-bioscfg: Support allocations of larger data
Daniel Hodges <git@danielhodges.dev>
wifi: libertas: fix use-after-free in lbs_free_adapter()
Fedor Pchelkin <pchelkin@ispras.ru>
ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths
Ankit Garg <nktgrg@google.com>
gve: defer interrupt enabling until NAPI registration
John Ripple <john.ripple@keysight.com>
drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors
Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
iio: imu: inv_icm42600: fix odr switch to the same value
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: gyro: mpu3050-i2c: fix pm_runtime error handling
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: gyro: mpu3050-core: fix pm_runtime error handling
Nuno Sá <nuno.sa@analog.com>
iio: buffer: Fix wait_queue not being removed
Chris Spencer <spencercw@gmail.com>
iio: chemical: bme680: Fix measurement wait duration calculation
Lukas Schmid <lukas.schmid@netcube.li>
iio: potentiometer: mcp4131: fix double application of wiper shift
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
SeungJu Cheon <suunj1331@gmail.com>
iio: frequency: adf4377: Fix duplicated soft reset mask
Oleksij Rempel <o.rempel@pengutronix.de>
iio: dac: ds4424: reject -128 RAW value
Filipe Manana <fdmanana@suse.com>
btrfs: abort transaction on failure to update root in the received subvol ioctl
Henrique Carvalho <henrique.carvalho@suse.com>
smb: client: fix iface port assignment in parse_server_interfaces
Bharath SM <bharathsm@microsoft.com>
smb: client: fix in-place encryption corruption in SMB2_write()
Paulo Alcantara <pc@manguebit.org>
smb: client: fix atomic open with O_DIRECT & O_SYNC
Josh Law <objecting@objecting.org>
lib/bootconfig: check bounds before writing in __xbc_open_brace()
Josh Law <objecting@objecting.org>
lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after()
Shashank Balaji <shashank.mahadasyam@sony.com>
x86/apic: Disable x2apic on resume if the kernel expects so
Junxiao Bi <junxiao.bi@oracle.com>
scsi: core: Fix error handling for scsi_alloc_sdev()
Josh Law <objecting@objecting.org>
lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
Stefan Haberland <sth@linux.ibm.com>
s390/dasd: Copy detected format information to secondary device
Stefan Haberland <sth@linux.ibm.com>
s390/dasd: Move quiesce state with pprc swap
Darrick J. Wong <djwong@kernel.org>
xfs: fix undersized l_iclog_roundoff values
Shyam Prasad N <sprasad@microsoft.com>
cifs: make default value of retrans as zero
Calvin Owens <calvin@wbinvd.org>
tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
drm/i915: Fix potential overflow of shmem scatterlist length
Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Set num IP blocks to 0 if discovery fails
Alysa Liu <Alysa.Liu@amd.com>
drm/amdgpu: Fix use-after-free race in VM acquire
Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
net: dsa: microchip: Fix error path in PTP IRQ setup
Fan Wu <fanwu01@zju.edu.cn>
net: ethernet: arc: emac: quiesce interrupts before requesting IRQ
Jian Zhang <zhangjian.3032@bytedance.com>
net: ncsi: fix skb leak in error paths
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix use-after-free by using call_rcu() for oplock_info
Marios Makassikis <mmakassikis@freebox.fr>
smb: server: fix use-after-free in smb2_open()
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()
Maíra Canal <mcanal@igalia.com>
pmdomain: bcm: bcm2835-power: Fix broken reset status read
Helge Deller <deller@gmx.de>
parisc: Check kernel mapping earlier at bootup
Helge Deller <deller@gmx.de>
parisc: Fix initial page table creation for boot
Sanman Pradhan <psanman@juniper.net>
hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
Catalin Marinas <catalin.marinas@arm.com>
arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation
Dave Airlie <airlied@redhat.com>
nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
Helge Deller <deller@gmx.de>
parisc: Increase initial mapping to 64 MB with KALLSYMS
Sven Eckelmann <sven@narfation.org>
batman-adv: Avoid double-rtnl_lock ELP metric worker
Huiwen He <hehuiwen@kylinos.cn>
tracing: Fix syscall events activation by ensuring refcount hits zero
Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
ice: fix retry for AQ command 0x06EE
Long Li <longli@microsoft.com>
net: mana: Ring doorbell at 4 CQ wraparounds
Ariel Silver <arielsilver77@gmail.com>
media: dvb-net: fix OOB access in ULE extension header tables
Luka Gejak <luka.gejak@linux.dev>
staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
Jedrzej Jagielski <jedrzej.jagielski@intel.com>
ixgbevf: fix link setup issue
Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
ice: reintroduce retry mechanism for indirect AQ
Marc Zyngier <maz@kernel.org>
irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
device property: Allow secondary lookup in fwnode_get_next_child_node()
Franz Schnyder <franz.schnyder@toradex.com>
drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used
Osama Abdelkader <osama.abdelkader@gmail.com>
drm/bridge: samsung-dsim: Fix memory leak in error path
Xu Yang <xu.yang_2@nxp.com>
Revert "tcpm: allow looking for role_sw device in the main node"
Xingui Yang <yangxingui@huawei.com>
scsi: hisi_sas: Fix NULL pointer exception during user_scan()
Yihang Li <liyihang9@huawei.com>
scsi: hisi_sas: Use macro instead of magic number
Xingui Yang <yangxingui@huawei.com>
scsi: hisi_sas: Add time interval between two H2D FIS following soft reset spec
Wang Shuaiwei <wangshuaiwei1@xiaomi.com>
scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend
Adrian Ng Ho Yin <adrianhoyin.ng@altera.com>
i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach
Steven Rostedt <rostedt@goodmis.org>
time/jiffies: Mark jiffies_64_to_clock_t() notrace
Max Kellermann <max.kellermann@ionos.com>
ceph: fix memory leaks in ceph_mdsc_build_path()
Max Kellermann <max.kellermann@ionos.com>
ceph: fix i_nlink underrun during async unlink
Ilya Dryomov <idryomov@gmail.com>
libceph: admit message frames only in CEPH_CON_S_OPEN state
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Use u32 for non-negative values in ceph_monmap_decode()
Ilya Dryomov <idryomov@gmail.com>
libceph: prevent potential out-of-bounds reads in process_message_header()
Ilya Dryomov <idryomov@gmail.com>
libceph: reject preamble if control segment is empty
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
Masami Hiramatsu (Google) <mhiramat@kernel.org>
kprobes: avoid crash when rmmod/insmod after ftrace killed
Mehul Rao <mehulrao@gmail.com>
tipc: fix divide-by-zero in tipc_sk_filter_connect()
Ravi Hothi <ravi.hothi@oss.qualcomm.com>
ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start
Penghe Geng <pgeng@nvidia.com>
mmc: core: Avoid bitfield RMW for claim/retune flags
Alexander Potapenko <glider@google.com>
mm/kfence: disable KFENCE upon KASAN HW tags enablement
Felix Gu <ustc.gu@gmail.com>
mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
Kalesh Singh <kaleshsingh@google.com>
mm/tracing: rss_stat: ensure curr is false from kthread context
Ziyi Guo <n7l8m4@u.northwestern.edu>
usb: image: mdc800: kill download URB on timeout
Oliver Neukum <oneukum@suse.com>
usb: mdc800: handle signal and read racing
Fan Wu <fanwu01@zju.edu.cn>
usb: renesas_usbhs: fix use-after-free in ISR during device removal
Oliver Neukum <oneukum@suse.com>
usb: class: cdc-wdm: fix reordering issue in read code path
Alan Stern <stern@rowland.harvard.edu>
USB: core: Limit the length of unkillable synchronous timeouts
Alan Stern <stern@rowland.harvard.edu>
USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
Alan Stern <stern@rowland.harvard.edu>
USB: usbcore: Introduce usb_bulk_msg_killable()
Xu Yang <xu.yang_2@nxp.com>
usb: roles: get usb role switch from parent only for usb-b-connector
Marc Zyngier <maz@kernel.org>
usb: cdc-acm: Restore CAP_BRK functionnality to CH343
Gabor Juhos <j4g8y7@gmail.com>
usb: core: don't power off roothub PHYs if phy_set_mode() fails
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: misc: uss720: properly clean up reference in uss720_probe()
Heikki Krogerus <heikki.krogerus@linux.intel.com>
usb: dwc3: pci: add support for the Intel Nova Lake -H
Oliver Neukum <oneukum@suse.com>
usb: yurex: fix race in probe
Dayu Jiang <jiangdayu@xiaomi.com>
usb: xhci: Prevent interrupt storm on host controller error (HCE)
Zilin Guan <zilin@seu.edu.cn>
usb: xhci: Fix memory leak in xhci_disable_slot()
Vyacheslav Vahnenko <vahnenko2003@gmail.com>
USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed
Christoffer Sandberg <cs@tuxedo.de>
usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
A1RM4X <dev@a1rm4x.com>
USB: add QUIRK_NO_BOS for video capture several devices
Sean Christopherson <seanjc@google.com>
KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC
Zhang Heng <zhangheng@kylinos.cn>
ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA
Oleksij Rempel <o.rempel@pengutronix.de>
net: usb: lan78xx: skip LTM configuration for LAN7850
Oleksij Rempel <o.rempel@pengutronix.de>
net: usb: lan78xx: fix TX byte statistics for small packets
Oleksij Rempel <o.rempel@pengutronix.de>
net: usb: lan78xx: fix silent drop of packets with checksum errors
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
Mehul Rao <mehulrao@gmail.com>
ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
Qingye Zhao <zhaoqingye@honor.com>
cgroup: fix race between task migration and iteration
Sasha Levin <sashal@kernel.org>
Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on"
Seungjin Bae <eeodqql09@gmail.com>
usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
Alok Tiwari <alok.a.tiwari@oracle.com>
octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status
Przemek Kitszel <przemyslaw.kitszel@intel.com>
octeontx2-af: devlink health: use retained error fmsg API
Alok Tiwari <alok.a.tiwari@oracle.com>
octeontx2-af: devlink: fix NIX RAS reporter recovery condition
Ricardo B. Marlière <rbm@suse.com>
net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
Casey Connolly <casey.connolly@linaro.org>
ASoC: detect empty DMI strings
Chen Ni <nichen@iscas.ac.cn>
ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
Ben Dooks <ben.dooks@codethink.co.uk>
ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address()
Matt Vollrath <tactii@gmail.com>
e1000/e1000e: Fix leak in DMA error cleanup
Alok Tiwari <alok.a.tiwari@oracle.com>
i40e: fix src IP mask checks and memcpy argument names in cloud filter
Sungwoo Kim <iam@sung-woo.kim>
nvme-pci: Fix race bug in nvme_poll_irqdisable()
Sungwoo Kim <iam@sung-woo.kim>
nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
sched: idle: Make skipping governor callbacks more consistent
Peng Fan <peng.fan@nxp.com>
regulator: pca9450: Correct interrupt type
Frieder Schrempf <frieder.schrempf@kontron.de>
regulator: pca9450: Make IRQ optional
Yuan Tan <tanyuan98@outlook.com>
netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
Hyunwoo Kim <imv4bel@gmail.com>
netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
Hyunwoo Kim <imv4bel@gmail.com>
netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
David Dull <monderasdor@gmail.com>
netfilter: x_tables: guard option walkers against 1-byte tail reads
Jenny Guanni Qu <qguanni@gmail.com>
netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
Raju Rangoju <Raju.Rangoju@amd.com>
amd-xgbe: prevent CRC errors during RX adaptation with AN disabled
Raju Rangoju <Raju.Rangoju@amd.com>
amd-xgbe: fix link status handling in xgbe_rx_adaptation
Chengfeng Ye <dg573847474@gmail.com>
mctp: route: hold key->lock in mctp_flow_prepare_output()
Wenyuan Li <2063309626@qq.com>
can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value
Haiyue Wang <haiyuewa@163.com>
mctp: i2c: fix skb memory leak in receive path
Shuangpeng Bai <shuangpeng.kernel@gmail.com>
serial: caif: hold tty->link reference in ldisc_open and ser_release
Álvaro Fernández Rojas <noltari@gmail.com>
net: sfp: improve Huawei MA5671a fixup
Chris Morgan <macromorgan@hotmail.com>
net: sfp: add quirk for Potron SFP+ XGSPON ONU Stick
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
net: sfp: improve Nokia GPON sfp fixup
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
net: sfp: re-implement ignoring the hardware TX_FAULT signal
Sen Wang <sen@ti.com>
ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ASoC: simple-card-utils: use __free(device_node) for device node
matteo.cotifava <cotifavamatteo@gmail.com>
ASoC: soc-core: flush delayed work before removing DAIs and widgets
matteo.cotifava <cotifavamatteo@gmail.com>
ASoC: soc-core: drop delayed_work_pending() check before flush
Weiming Shi <bestswngs@gmail.com>
net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
Gal Pressman <gal@nvidia.com>
net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
Cosmin Ratiu <cratiu@nvidia.com>
net/mlx5: Fix deadlock between devlink lock and esw->wq
Daniel Jurgens <danielj@nvidia.com>
net/mlx5: Query to see if host PF is disabled
Daniel Jurgens <danielj@nvidia.com>
net/mlx5: IFC updates for disabled host PF
Hangbin Liu <liuhangbin@gmail.com>
bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states
Pengyu Luo <mitltlatltl@gmail.com>
drm/msm/dsi: fix pclk rate calculation for bonded dsi
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/dsi: Document DSC related pclk_rate and hdisplay calculations
Mieczyslaw Nalewaj <namiltd@yahoo.com>
net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets
Eric Badger <ebadger@purestorage.com>
xprtrdma: Decrement re_receiving on the early exit paths
Guenter Roeck <linux@roeck-us.net>
smb/server: Fix another refcount leak in smb2_open()
J. Neuschäfer <j.ne@posteo.net>
powerpc: 83xx: km83xx: Fix keymile vendor prefix
Tzung-Bi Shih <tzungbi@kernel.org>
remoteproc: mediatek: Unprepare SCP clock during system suspend
Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
remoteproc: sysmon: Correct subsys_name_len type in QMI request
Christophe Leroy (CS GROUP) <chleroy@kernel.org>
powerpc/uaccess: Fix inline assembly for clang build on PPC32
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Check max frame size for implicit feedback mode, too
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0
wangshuaiwei <wangshuaiwei1@xiaomi.com>
scsi: ufs: core: Fix shift out of bounds when MAXQ=32
Peter Wang <peter.wang@mediatek.com>
scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
Charles Keepax <ckeepax@opensource.cirrus.com>
ASoC: cs42l43: Report insert for exotic peripherals
Azamat Almazbek uulu <almazbek1608@gmail.com>
ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table
Tomas Henzl <thenzl@redhat.com>
scsi: ses: Fix devices attaching to different hosts
Sofia Schneider <sofia@schn.dev>
ACPI: OSI: Add DMI quirk for Acer Aspire One D255
Ramanathan Choodamani <quic_rchoodam@quicinc.com>
wifi: mac80211: set default WMM parameters on all links
Al Viro <viro@zeniv.linux.org.uk>
unshare: fix unshare_fs() handling
Ranjan Kumar <ranjan.kumar@broadcom.com>
scsi: mpi3mr: Add NULL checks when resetting request and reply queues
Piotr Mazek <pmazek@outlook.com>
ACPI: PM: Save NVS memory on Lenovo G70-35
Jan Kiszka <jan.kiszka@siemens.com>
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
John Johansen <john.johansen@canonical.com>
apparmor: fix race between freeing data and fs accessing it
John Johansen <john.johansen@canonical.com>
apparmor: fix race on rawdata dereference
John Johansen <john.johansen@canonical.com>
apparmor: fix differential encoding verification
John Johansen <john.johansen@canonical.com>
apparmor: fix unprivileged local user can do privileged policy management
John Johansen <john.johansen@canonical.com>
apparmor: Fix double free of ns_name in aa_replace_profiles()
Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
apparmor: fix missing bounds check on DEFAULT table in verify_dfa()
Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
apparmor: fix side-effect bug in match_char() macro usage
John Johansen <john.johansen@canonical.com>
apparmor: fix: limit the number of levels of policy namespaces
Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
apparmor: replace recursive profile removal with iterative approach
Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
apparmor: fix memory leak in verify_header
Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
apparmor: validate DFA start states are in bounds in unpack_pdb
Menglong Dong <menglong8.dong@gmail.com>
net: tcp: accept old ack during closing
Victor Nogueira <victor@mojatatu.com>
net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
Guenter Roeck <linux@roeck-us.net>
tracing: Add NULL pointer check to trigger_data_free()
Yifan Wu <wuyifan50@huawei.com>
selftest/arm64: Fix sve2p1_sigill() to hwcap test
Larysa Zaremba <larysa.zaremba@intel.com>
xdp: produce a warning when calculated tailroom is negative
Larysa Zaremba <larysa.zaremba@intel.com>
i40e: use xdp.frame_sz as XDP RxQ info frag_size
Larysa Zaremba <larysa.zaremba@intel.com>
i40e: fix registering XDP RxQ info
Larysa Zaremba <larysa.zaremba@intel.com>
xsk: introduce helper to determine rxq->frag_size
Larysa Zaremba <larysa.zaremba@intel.com>
xdp: use modulo operation to calculate XDP frag tailroom
Jamal Hadi Salim <jhs@mojatatu.com>
net/sched: act_ife: Fix metalist update behavior
Jiayuan Chen <jiayuan.chen@shopee.com>
net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
Fernando Fernandez Mancera <fmancera@suse.de>
net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
Fernando Fernandez Mancera <fmancera@suse.de>
net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
Lorenzo Bianconi <lorenzo@kernel.org>
net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup()
Ovidiu Panait <ovidiu.panait.rb@renesas.com>
net: stmmac: Fix error handling in VLAN add and delete paths
Jakub Kicinski <kuba@kernel.org>
nfc: rawsock: cancel tx_work before socket teardown
Jakub Kicinski <kuba@kernel.org>
nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback
Jakub Kicinski <kuba@kernel.org>
nfc: nci: free skb on nci_transceive early error paths
Ian Ray <ian.ray@gehealthcare.com>
net: nfc: nci: Fix zero-length proprietary notifications
Koichiro Den <den@valinux.co.jp>
net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
Sungwoo Kim <iam@sung-woo.kim>
nvme: fix memory allocation in nvme_pr_read_keys()
Stefan Hajnoczi <stefanha@redhat.com>
nvme: reject invalid pr_read_keys() num_keys values
Yujie Liu <yujie.liu@intel.com>
drm/sched: Fix kernel-doc warning for drm_sched_job_done()
Raju Rangoju <Raju.Rangoju@amd.com>
amd-xgbe: fix sleep while atomic on suspend/resume
Jakub Kicinski <kuba@kernel.org>
ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
ZhangGuoDong <zhangguodong@kylinos.cn>
smb/client: fix buffer size for smb311_posix_qinfo in SMB311_posix_query_info()
ZhangGuoDong <zhangguodong@kylinos.cn>
smb/client: fix buffer size for smb311_posix_qinfo in smb2_compound_op()
Lang Xu <xulang@uniontech.com>
bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
Kui-Feng Lee <thinker.li@gmail.com>
bpf: export bpf_link_inc_not_zero.
David Thomson <dt@linux-mail.net>
xen/acpi-processor: fix _CST detection using undersized evaluation buffer
Allison Henderson <achender@kernel.org>
net/rds: Fix circular locking dependency in rds_tcp_tune
Eric Dumazet <edumazet@google.com>
indirect_call_wrapper: do not reevaluate function pointer
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()
Bart Van Assche <bvanassche@acm.org>
wifi: wlcore: Fix a locking bug
Bart Van Assche <bvanassche@acm.org>
wifi: cw1200: Fix locking in error paths
Vimlesh Kumar <vimleshk@marvell.com>
octeon_ep: avoid compiler and IQ/OQ reordering
Vimlesh Kumar <vimleshk@marvell.com>
octeon_ep: Relocate counter updates before NAPI
Jiayuan Chen <jiayuan.chen@shopee.com>
bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded
Mieczyslaw Nalewaj <namiltd@yahoo.com>
net: dsa: realtek: rtl8365mb: fix rtl8365mb_phy_ocp_write return value
Shuvam Pandey <shuvampandey1@gmail.com>
kunit: tool: copy caller args in run_kernel to prevent mutation
Alexandre Courbot <acourbot@nvidia.com>
rust: kunit: fix warning when !CONFIG_PRINTK
Alban Bedel <alban.bedel@lht.dlh.de>
can: mcp251x: fix deadlock in error path of mcp251x_open
Oliver Hartkopp <socketcan@hartkopp.net>
can: bcm: fix locking for bcm_op runtime updates
Raju Rangoju <Raju.Rangoju@amd.com>
amd-xgbe: fix MAC_TCR_SS register width for 2.5G and 10M speeds
Jiayuan Chen <jiayuan.chen@shopee.com>
atm: lec: fix null-ptr-deref in lec_arp_clear_vccs
Guenter Roeck <linux@roeck-us.net>
dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler
Ioana Ciornei <ioana.ciornei@nxp.com>
dpaa2-switch: do not clear any interrupts automatically
Nikhil P. Rao <nikhil.rao@amd.com>
xsk: Fix zero-copy AF_XDP fragment drop
Nikhil P. Rao <nikhil.rao@amd.com>
xsk: Fix fragment node deletion to prevent buffer leak
Maciej Fijalkowski <maciej.fijalkowski@intel.com>
xsk: s/free_list_node/list_node/
Maciej Fijalkowski <maciej.fijalkowski@intel.com>
xsk: Get rid of xdp_buff_xsk::xskb_list_node
Chintan Vankar <c-vankar@ti.com>
net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in ALE table
Francesco Lavra <flavra@baylibre.com>
drm/solomon: Fix page start when updating rectangle in page addressing mode
Javier Martinez Canillas <javierm@redhat.com>
drm/ssd130x: Replace .page_height field in device info with a constant
Javier Martinez Canillas <javierm@redhat.com>
drm/ssd130x: Store the HW buffer in the driver-private CRTC state
Geert Uytterhoeven <geert@linux-m68k.org>
drm/ssd130x: Use bool for ssd130x_deviceinfo flags
Vitaly Lifshits <vitaly.lifshits@intel.com>
e1000e: clear DPG_EN after reset to avoid autonomous power-gating
Bart Van Assche <bvanassche@acm.org>
hwmon: (it87) Check the it87_lock() return value
Felix Gu <ustc.gu@gmail.com>
pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe()
Jonathan Teh <jonathan.teh@outlook.com>
platform/x86: thinkpad_acpi: Fix errors reading battery thresholds
Florian Eckert <fe@dev.tdt.de>
pinctrl: equilibrium: fix warning trace on load
Florian Eckert <fe@dev.tdt.de>
pinctrl: equilibrium: rename irq_chip function callbacks
Hao Yu <haoyufine@gmail.com>
hwmon: (aht10) Fix initialization commands for AHT20
Akhilesh Patil <akhilesh@ee.iitb.ac.in>
hwmon: (aht10) Add support for dht20
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
ARM: clean up the memset64() C wrapper
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: join: check removing signal+subflow endp
Paolo Abeni <pabeni@redhat.com>
selftests: mptcp: more stable simult_flows tests
Junxiao Bi <junxiao.bi@oracle.com>
scsi: core: Fix refcount leak for tagset_refcnt
Thorsten Blum <thorsten.blum@linux.dev>
smb: client: Don't log plaintext credentials in cifs_set_cifscreds
Paulo Alcantara <pc@manguebit.org>
smb: client: fix broken multichannel with krb5+signing
Henrique Carvalho <henrique.carvalho@suse.com>
smb: client: fix cifs_pick_channel when channels are equally loaded
Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
drbd: fix null-pointer dereference on local read error
Lars Ellenberg <lars.ellenberg@linbit.com>
drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
Phillip Lougher <phillip@squashfs.org.uk>
Squashfs: check metadata block offset is within range
Prithvi Tambewagh <activprithvi@gmail.com>
scsi: target: Fix recursive locking in __configfs_open_file()
Davide Caratti <dcaratti@redhat.com>
net/sched: ets: fix divide by zero in the offload path
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
Jason Gunthorpe <jgg@ziepe.ca>
IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
Vahagn Vardanian <vahagn@redrays.io>
wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
Ariel Silver <arielsilver77@gmail.com>
wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration
Daniil Dulov <d.dulov@aladdin.ru>
wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
Johannes Berg <johannes.berg@intel.com>
wifi: radiotap: reject radiotap with unknown bits
Jun Seo <jun.seo.93@proton.me>
ALSA: usb-audio: Use correct version for UAC3 header validation
Kurt Borja <kuurtb@gmail.com>
platform/x86: dell-wmi: Add audio/mic mute key codes
Thorsten Blum <thorsten.blum@linux.dev>
platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
Mike Rapoport (Microsoft) <rppt@kernel.org>
x86/efi: defer freeing of boot services memory
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
can: usb: f81604: handle bulk write errors properly
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
can: usb: f81604: handle short interrupt urb messages properly
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
can: ucan: Fix infinite loop from zero-length messages
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
can: usb: f81604: correctly anchor the urb in the read bulk callback
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net: usb: pegasus: validate USB endpoints
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net: usb: kalmia: validate USB endpoints
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net: usb: kaweth: validate USB endpoints
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
nfc: pn533: properly drop the usb interface reference on disconnect
Jens Axboe <axboe@kernel.dk>
media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
Jann Horn <jannh@google.com>
eventpoll: Fix integer overflow in ep_loop_check_proc()
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu: keep vga memory on MacBooks with switchable graphics
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Drop special case for yellow carp without discovery
Ethan Nelson-Moore <enelsonmoore@gmail.com>
net: arcnet: com20020-pci: fix support for 2.5Mbit cards
Takashi Iwai <tiwai@suse.de>
ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314
Gui-Dong Han <hanguidong02@gmail.com>
hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race
Takashi Iwai <tiwai@suse.de>
ALSA: hda/conexant: Add quirk for HP ZBook Studio G4
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Fix hang on amdgpu unload by using pci_dev_is_disconnected()
Thomas Richard (TI) <thomas.richard@bootlin.com>
usb: cdns3: fix role switching during resume
Théo Lebrun <theo.lebrun@bootlin.com>
usb: cdns3: call cdns_power_is_lost() only once in cdns_resume()
Hongyu Xie <xiehongyu1@kylinos.cn>
usb: cdns3: remove redundant if branch
Johan Hovold <johan@kernel.org>
clk: tegra: tegra124-emc: fix device leak on set_rate()
Shawn Lin <shawn.lin@rock-chips.com>
arm64: dts: rockchip: Fix rk356x PCIe range mappings
Johan Hovold <johan@kernel.org>
mfd: omap-usb-host: Fix OF populate on driver rebind
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
mfd: omap-usb-host: Convert to platform remove callback returning void
Johan Hovold <johan@kernel.org>
mfd: qcom-pm8xxx: Fix OF populate on driver rebind
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
mfd: qcom-pm8xxx: Convert to platform remove callback returning void
Yongjian Sun <sunyongjian1@huawei.com>
ext4: fix e4b bitmap inconsistency reports
Matthew Wilcox (Oracle) <willy@infradead.org>
ext4: convert bd_buddy_page to bd_buddy_folio
Matthew Wilcox (Oracle) <willy@infradead.org>
ext4: convert bd_bitmap_page to bd_bitmap_folio
Gou Hao <gouhao@uniontech.com>
ext4: delete redundant calculations in ext4_mb_get_buddy_page_lock()
Joonwon Kang <joonwonkang@google.com>
mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()
Anup Patel <apatel@ventanamicro.com>
mailbox: Allow controller specific mapping using fwnode
Peng Fan <peng.fan@nxp.com>
mailbox: Use guard/scoped_guard for con_mutex
Peng Fan <peng.fan@nxp.com>
mailbox: Use dev_err when there is error
Tudor Ambarus <tudor.ambarus@linaro.org>
mailbox: remove unused header files
Tudor Ambarus <tudor.ambarus@linaro.org>
mailbox: sort headers alphabetically
Tudor Ambarus <tudor.ambarus@linaro.org>
mailbox: don't protect of_parse_phandle_with_args with con_mutex
Rob Herring (Arm) <robh@kernel.org>
mailbox: Use of_property_match_string() instead of open-coding
Zhang Yi <yi.zhang@huawei.com>
ext4: drop extent cache when splitting extent fails
Zhang Yi <yi.zhang@huawei.com>
ext4: drop extent cache after doing PARTIAL_VALID1 zeroout
Zhang Yi <yi.zhang@huawei.com>
ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O
Yang Erkun <yangerkun@huawei.com>
ext4: correct the comments place for EXT4_EXT_MAY_ZEROOUT
Baokun Li <libaokun1@huawei.com>
ext4: get rid of ppath in ext4_ext_handle_unwritten_extents()
Baokun Li <libaokun1@huawei.com>
ext4: get rid of ppath in ext4_ext_convert_to_initialized()
Baokun Li <libaokun1@huawei.com>
ext4: get rid of ppath in ext4_convert_unwritten_extents_endio()
Baokun Li <libaokun1@huawei.com>
ext4: get rid of ppath in ext4_split_convert_extents()
Baokun Li <libaokun1@huawei.com>
ext4: get rid of ppath in ext4_split_extent()
Zhang Yi <yi.zhang@huawei.com>
ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
Zhang Yi <yi.zhang@huawei.com>
ext4: subdivide EXT4_EXT_DATA_VALID1
Baokun Li <libaokun1@huawei.com>
ext4: get rid of ppath in ext4_split_extent_at()
Baokun Li <libaokun1@huawei.com>
ext4: get rid of ppath in ext4_ext_insert_extent()
Baokun Li <libaokun1@huawei.com>
ext4: get rid of ppath in ext4_ext_create_new_leaf()
Baokun Li <libaokun1@huawei.com>
ext4: get rid of ppath in ext4_find_extent()
Johan Hovold <johan@kernel.org>
bus: omap-ocp2scp: fix OF populate on driver rebind
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
bus: omap-ocp2scp: Convert to platform remove callback returning void
Johan Hovold <johan@kernel.org>
drm/tegra: dsi: fix device leak on probe
Sean Christopherson <seanjc@google.com>
KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()
Sean Christopherson <seanjc@google.com>
KVM: x86: WARN if a vCPU gets a valid wakeup that KVM can't yet inject
Zilin Guan <zilin@seu.edu.cn>
media: tegra-video: Fix memory leak in __tegra_channel_try_format()
Laurent Pinchart <laurent.pinchart@ideasonboard.com>
media: tegra-video: Use accessors for pad config 'try_*' fields
Sean Christopherson <seanjc@google.com>
KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR
Sean Christopherson <seanjc@google.com>
KVM: x86: Rename KVM_MSR_RET_INVALID to KVM_MSR_RET_UNSUPPORTED
Mathias Krause <minipli@grsecurity.net>
KVM: x86: Fix KVM_GET_MSRS stack info leak
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
PCI: Use resource_set_range() that correctly sets ->end
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
resource: Add resource set range and size helpers
Puranjay Mohan <puranjay12@gmail.com>
PCI: Use resource names in PCI log messages
Puranjay Mohan <puranjay12@gmail.com>
PCI: Update BAR # and window messages
Johan Hovold <johan@kernel.org>
memory: mtk-smi: fix device leak on larb probe
Johan Hovold <johan@kernel.org>
memory: mtk-smi: fix device leaks on common probe
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
memory: mtk-smi: Convert to platform remove callback returning void
Bjorn Helgaas <bhelgaas@google.com>
PCI: Correct PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 value
Kohei Enju <kohei@enjuk.jp>
bpf: Fix stack-out-of-bounds write in devmap
Mark Harmstone <mark@harmstone.com>
btrfs: fix compat mask in error messages in btrfs_check_features()
Mark Harmstone <mark@harmstone.com>
btrfs: fix warning in scrub_verify_one_metadata()
Mark Harmstone <mark@harmstone.com>
btrfs: fix objectid value in error message in check_extent_data_ref()
Mark Harmstone <mark@harmstone.com>
btrfs: fix incorrect key offset in error message in check_dev_extent_item()
Johannes Thumshirn <johannes.thumshirn@wdc.com>
btrfs: add support for inserting raid stripe extents
Johannes Thumshirn <johannes.thumshirn@wdc.com>
btrfs: read raid stripe tree from disk
Johannes Thumshirn <johannes.thumshirn@wdc.com>
btrfs: add raid stripe tree definitions
Josef Bacik <josef@toxicpanda.com>
btrfs: move btrfs_extref_hash into inode-item.h
Josef Bacik <josef@toxicpanda.com>
btrfs: remove btrfs_crc32c wrapper
Josef Bacik <josef@toxicpanda.com>
btrfs: move btrfs_crc32c_final into free-space-cache.c
Richard Fitzgerald <rf@opensource.cirrus.com>
ALSA: hda: cs35l56: Fix signedness error in cs35l56_hda_posture_put()
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ALSA: pci: hda: use snd_kcontrol_chip()
Peter Zijlstra <peterz@infradead.org>
perf: Fix __perf_event_overflow() vs perf_remove_from_context() race
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Use inclusive terms
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Cap the packet size pre-calculations
Peter Wang <peter.wang@mediatek.com>
scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
rseq: Clarify rseq registration rseq_size bound check comment
Geoffrey D. Bennett <g@b4.vu>
ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices
Salomon Dushimirimana <salomondush@google.com>
scsi: pm8001: Fix use-after-free in pm8001_queue_command()
Mathias Krause <minipli@grsecurity.net>
scsi: lpfc: Properly set WC for DPP mapping
Nam Cao <namcao@linutronix.de>
irqchip/sifive-plic: Fix frozen interrupt due to affinity setting
Felix Gu <ustc.gu@gmail.com>
drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()
Ian Forbes <ian.forbes@broadcom.com>
drm/vmwgfx: Return the correct value in vmw_translate_ptr functions
Brad Spengler <brad.spengler@opensrcsec.com>
drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release
-------------
Diffstat:
Documentation/hwmon/aht10.rst | 10 +-
Makefile | 12 +-
arch/arm/include/asm/string.h | 14 +-
.../arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi | 1 -
arch/arm64/boot/dts/rockchip/rk3568.dtsi | 4 +-
arch/arm64/boot/dts/rockchip/rk356x.dtsi | 2 +-
arch/arm64/include/asm/pgtable-prot.h | 10 +-
arch/arm64/include/asm/pgtable.h | 7 +-
arch/arm64/mm/mmu.c | 92 ++--
arch/loongarch/include/asm/uaccess.h | 14 +-
arch/parisc/include/asm/pgtable.h | 2 +-
arch/parisc/kernel/cache.c | 4 +-
arch/parisc/kernel/head.S | 7 +-
arch/parisc/kernel/setup.c | 20 +-
arch/powerpc/include/asm/uaccess.h | 2 +-
arch/powerpc/platforms/83xx/km83xx.c | 4 +-
arch/riscv/kernel/traps.c | 5 +-
arch/s390/include/asm/processor.h | 2 +-
arch/s390/lib/xor.c | 4 +-
arch/x86/boot/compressed/sev.c | 5 +
arch/x86/include/asm/efi.h | 2 +-
arch/x86/include/asm/msr-index.h | 5 +-
arch/x86/kernel/apic/apic.c | 6 +
arch/x86/kernel/apic/x2apic_uv_x.c | 18 +-
arch/x86/kernel/sev-shared.c | 104 +++-
arch/x86/kernel/sev.c | 5 +-
arch/x86/kernel/uprobes.c | 24 +
arch/x86/kvm/svm/avic.c | 30 +-
arch/x86/kvm/svm/svm.c | 11 +-
arch/x86/kvm/vmx/vmx.c | 2 +-
arch/x86/kvm/x86.c | 69 ++-
arch/x86/kvm/x86.h | 15 +-
arch/x86/platform/efi/efi.c | 2 +-
arch/x86/platform/efi/quirks.c | 55 ++-
drivers/acpi/acpi_processor.c | 15 +-
drivers/acpi/osi.c | 13 +
drivers/acpi/osl.c | 2 +-
drivers/acpi/sleep.c | 8 +
drivers/base/power/runtime.c | 1 +
drivers/base/property.c | 27 +-
drivers/block/drbd/drbd_actlog.c | 53 +-
drivers/block/drbd/drbd_interval.h | 5 +-
drivers/block/drbd/drbd_req.c | 3 +-
drivers/bluetooth/btqca.c | 2 +
drivers/bus/omap-ocp2scp.c | 19 +-
drivers/cache/ax45mp_cache.c | 4 +-
drivers/clk/tegra/clk-tegra124-emc.c | 2 +-
drivers/cpuidle/cpuidle.c | 10 -
drivers/crypto/atmel-sha204a.c | 5 +-
drivers/dma/mmp_pdma.c | 6 +
drivers/firmware/arm_scpi.c | 5 +-
drivers/firmware/efi/mokvar-table.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 14 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 20 +-
drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 21 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c | 9 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c | 3 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c | 3 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_1.c | 3 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_2.c | 3 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 +-
.../drm/amd/display/amdgpu_dm/amdgpu_dm_pp_smu.c | 1 +
.../amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 2 +-
drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 2 +-
.../gpu/drm/amd/display/dc/dcn32/dcn32_resource.c | 2 +
drivers/gpu/drm/amd/display/dc/dm_services_types.h | 2 +-
drivers/gpu/drm/amd/include/dm_pp_interface.h | 1 +
drivers/gpu/drm/amd/pm/amdgpu_dpm_internal.c | 67 +++
drivers/gpu/drm/amd/pm/inc/amdgpu_dpm_internal.h | 2 +
drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 4 +-
drivers/gpu/drm/amd/pm/legacy-dpm/legacy_dpm.c | 6 +-
drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 69 +--
drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 11 +-
drivers/gpu/drm/bridge/samsung-dsim.c | 25 +-
drivers/gpu/drm/bridge/ti-sn65dsi83.c | 13 +-
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 118 ++++-
drivers/gpu/drm/drm_file.c | 5 +-
drivers/gpu/drm/drm_mode_config.c | 9 +-
drivers/gpu/drm/exynos/exynos_drm_drv.h | 1 +
drivers/gpu/drm/exynos/exynos_drm_vidi.c | 72 ++-
drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 12 +-
drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 +-
drivers/gpu/drm/logicvc/logicvc_drm.c | 4 +-
drivers/gpu/drm/msm/dsi/dsi_host.c | 62 ++-
drivers/gpu/drm/msm/msm_gpummu.c | 2 +-
drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +
drivers/gpu/drm/radeon/si_dpm.c | 4 +-
drivers/gpu/drm/scheduler/sched_main.c | 1 +
drivers/gpu/drm/solomon/ssd130x.c | 186 +++++--
drivers/gpu/drm/solomon/ssd130x.h | 5 +-
drivers/gpu/drm/tegra/dsi.c | 6 +-
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 4 +-
drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 9 +-
drivers/hid/hid-cmedia.c | 2 +-
drivers/hid/hid-creative-sb0540.c | 2 +-
drivers/hid/hid-zydacron.c | 2 +-
drivers/hwmon/Kconfig | 6 +-
drivers/hwmon/aht10.c | 21 +-
drivers/hwmon/it87.c | 5 +-
drivers/hwmon/max16065.c | 26 +-
drivers/hwmon/pmbus/isl68137.c | 7 +-
drivers/hwmon/pmbus/mp2975.c | 2 +
drivers/hwmon/pmbus/q54sj108a2.c | 19 +-
drivers/i2c/busses/i2c-cp2615.c | 5 +-
drivers/i2c/busses/i2c-fsi.c | 1 +
drivers/i2c/busses/i2c-pxa.c | 17 +-
drivers/i3c/master/dw-i3c-master.c | 4 +-
drivers/i3c/master/mipi-i3c-hci/cmd.h | 1 +
drivers/i3c/master/mipi-i3c-hci/cmd_v1.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/cmd_v2.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/core.c | 6 +-
drivers/i3c/master/mipi-i3c-hci/dma.c | 4 +-
drivers/iio/chemical/bme680_core.c | 2 +-
drivers/iio/chemical/sps30_i2c.c | 2 +-
drivers/iio/chemical/sps30_serial.c | 2 +-
drivers/iio/dac/ds4424.c | 2 +-
drivers/iio/frequency/adf4377.c | 2 +-
drivers/iio/gyro/mpu3050-core.c | 18 +-
drivers/iio/gyro/mpu3050-i2c.c | 3 +-
drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 2 +
drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 2 +
drivers/iio/industrialio-buffer.c | 6 +-
drivers/iio/light/bh1780.c | 4 +-
drivers/iio/potentiometer/mcp4131.c | 2 +-
drivers/infiniband/hw/irdma/verbs.c | 2 +-
drivers/infiniband/hw/mthca/mthca_provider.c | 5 +-
drivers/iommu/intel/dmar.c | 3 +-
drivers/irqchip/irq-gic-v3-its.c | 4 +
drivers/irqchip/irq-sifive-plic.c | 7 +-
drivers/mailbox/mailbox.c | 150 +++---
drivers/md/dm-verity-fec.c | 4 +-
drivers/md/dm-verity-fec.h | 3 -
drivers/media/dvb-core/dmxdev.c | 4 +-
drivers/media/dvb-core/dvb_net.c | 3 +
drivers/memory/mtk-smi.c | 13 +-
drivers/mfd/omap-usb-host.c | 11 +-
drivers/mfd/qcom-pm8xxx.c | 14 +-
drivers/mmc/host/mmci_qcom_dml.c | 1 +
drivers/mmc/host/sdhci-pci-gli.c | 9 +
drivers/mmc/host/sdhci.c | 9 +-
drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 +-
drivers/mtd/nand/raw/cadence-nand-controller.c | 2 +-
drivers/mtd/nand/raw/nand_base.c | 14 +-
drivers/mtd/nand/raw/pl35x-nand-controller.c | 3 +
drivers/mtd/parsers/redboot.c | 6 +-
drivers/net/arcnet/com20020-pci.c | 16 +-
drivers/net/bonding/bond_debugfs.c | 16 +-
drivers/net/bonding/bond_main.c | 19 +-
drivers/net/bonding/bond_options.c | 2 +
drivers/net/caif/caif_serial.c | 3 +
drivers/net/can/spi/hi311x.c | 5 +-
drivers/net/can/spi/mcp251x.c | 15 +-
drivers/net/can/usb/ems_usb.c | 7 +-
drivers/net/can/usb/etas_es58x/es58x_core.c | 8 +-
drivers/net/can/usb/f81604.c | 45 +-
drivers/net/can/usb/gs_usb.c | 22 +-
drivers/net/can/usb/ucan.c | 2 +-
drivers/net/dsa/bcm_sf2.c | 8 +-
drivers/net/dsa/microchip/ksz_ptp.c | 11 +-
drivers/net/dsa/realtek/rtl8365mb.c | 5 +-
drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 +-
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 14 +-
drivers/net/ethernet/amd/xgbe/xgbe-main.c | 1 -
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 82 +++-
drivers/net/ethernet/amd/xgbe/xgbe.h | 7 +-
drivers/net/ethernet/arc/emac_main.c | 11 +
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 25 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 2 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 7 -
drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +-
drivers/net/ethernet/cadence/macb.h | 7 +
drivers/net/ethernet/cadence/macb_main.c | 184 ++++++-
drivers/net/ethernet/cadence/macb_ptp.c | 4 +-
.../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 7 +-
drivers/net/ethernet/google/gve/gve.h | 1 +
drivers/net/ethernet/google/gve/gve_main.c | 5 +-
drivers/net/ethernet/google/gve/gve_tx_dqo.c | 52 +-
drivers/net/ethernet/intel/e1000/e1000_main.c | 2 -
drivers/net/ethernet/intel/e1000e/defines.h | 1 +
drivers/net/ethernet/intel/e1000e/ich8lan.c | 9 +
drivers/net/ethernet/intel/e1000e/netdev.c | 2 -
drivers/net/ethernet/intel/i40e/i40e_main.c | 41 +-
drivers/net/ethernet/intel/i40e/i40e_txrx.c | 5 +-
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 +-
drivers/net/ethernet/intel/iavf/iavf_main.c | 9 +-
drivers/net/ethernet/intel/ice/ice_common.c | 13 +-
drivers/net/ethernet/intel/ice/ice_ethtool.c | 35 +-
drivers/net/ethernet/intel/igc/igc_main.c | 7 +-
drivers/net/ethernet/intel/ixgbevf/vf.c | 3 +-
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 +-
.../net/ethernet/marvell/octeon_ep/octep_main.c | 48 +-
drivers/net/ethernet/marvell/octeon_ep/octep_rx.c | 27 +-
.../ethernet/marvell/octeontx2/af/rvu_devlink.c | 468 ++++++------------
drivers/net/ethernet/mediatek/mtk_eth_soc.c | 15 +-
.../ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 -
.../ethernet/mellanox/mlx5/core/en_accel/ipsec.h | 1 +
.../mellanox/mlx5/core/en_accel/ipsec_offload.c | 52 +-
drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 23 +-
drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 30 +-
drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 3 +
.../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 18 +-
drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +-
drivers/net/ethernet/microsoft/mana/mana_en.c | 23 +-
drivers/net/ethernet/stmicro/stmmac/common.h | 1 -
drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 4 -
.../net/ethernet/stmicro/stmmac/dwmac-loongson.c | 9 +-
drivers/net/ethernet/stmicro/stmmac/stmmac.h | 2 -
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 54 +--
.../net/ethernet/stmicro/stmmac/stmmac_platform.c | 8 -
drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +-
drivers/net/ethernet/ti/cpsw_ale.c | 9 +-
drivers/net/mctp/mctp-i2c.c | 1 +
drivers/net/phy/phy_device.c | 25 +-
drivers/net/phy/sfp.c | 62 ++-
drivers/net/usb/aqc111.c | 12 +-
drivers/net/usb/cdc_ncm.c | 10 +-
drivers/net/usb/kalmia.c | 7 +
drivers/net/usb/kaweth.c | 13 +
drivers/net/usb/lan78xx.c | 10 +-
drivers/net/usb/lan78xx.h | 3 +
drivers/net/usb/pegasus.c | 13 +-
drivers/net/vxlan/vxlan_core.c | 5 +
drivers/net/wireless/marvell/libertas/main.c | 4 +-
.../net/wireless/mediatek/mt76/mt76_connac_mac.c | 1 +
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 1 +
drivers/net/wireless/st/cw1200/pm.c | 2 +
drivers/net/wireless/ti/wlcore/main.c | 4 +-
drivers/net/wireless/ti/wlcore/tx.c | 2 +-
drivers/nfc/nxp-nci/i2c.c | 4 +-
drivers/nfc/pn533/usb.c | 1 +
drivers/nvdimm/bus.c | 5 +-
drivers/nvme/host/pci.c | 8 +-
drivers/nvme/host/pr.c | 10 +-
drivers/pci/iov.c | 7 +-
drivers/pci/pci.c | 85 +++-
drivers/pci/pci.h | 2 +
drivers/pci/probe.c | 32 +-
drivers/pci/quirks.c | 15 +-
drivers/pci/setup-bus.c | 30 +-
drivers/pci/setup-res.c | 72 +--
drivers/pinctrl/cirrus/pinctrl-cs42l43.c | 5 +-
drivers/pinctrl/pinctrl-equilibrium.c | 31 +-
drivers/platform/x86/amd/pmc/pmc.c | 3 +
drivers/platform/x86/amd/pmc/pmc.h | 1 +
drivers/platform/x86/dell/dell-wmi-base.c | 6 +
.../dell/dell-wmi-sysman/passwordattr-interface.c | 1 -
.../platform/x86/hp/hp-bioscfg/enum-attributes.c | 9 +-
drivers/platform/x86/thinkpad_acpi.c | 6 +-
drivers/pmdomain/bcm/bcm2835-power.c | 18 +-
drivers/regulator/pca9450-regulator.c | 41 +-
drivers/remoteproc/mtk_scp.c | 39 ++
drivers/remoteproc/qcom_sysmon.c | 2 +-
drivers/s390/block/dasd_eckd.c | 16 +
drivers/s390/crypto/zcrypt_ccamisc.c | 12 +-
drivers/s390/crypto/zcrypt_cex4.c | 3 +-
drivers/scsi/hisi_sas/hisi_sas.h | 43 +-
drivers/scsi/hisi_sas/hisi_sas_main.c | 42 +-
drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 246 ++++++----
drivers/scsi/lpfc/lpfc_init.c | 2 +
drivers/scsi/lpfc/lpfc_sli.c | 36 +-
drivers/scsi/lpfc/lpfc_sli4.h | 3 +
drivers/scsi/mpi3mr/mpi3mr_fw.c | 32 +-
drivers/scsi/pm8001/pm8001_sas.c | 5 +-
drivers/scsi/scsi_scan.c | 7 +-
drivers/scsi/ses.c | 5 +-
drivers/scsi/storvsc_drv.c | 5 +-
drivers/soc/fsl/qbman/qman.c | 24 +-
drivers/soc/qcom/pmic_glink.c | 10 +-
drivers/spi/spi.c | 25 +-
drivers/staging/media/tegra-video/vi.c | 27 +-
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 +-
drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 +-
drivers/target/target_core_configfs.c | 15 +-
drivers/tty/serial/8250/8250_dma.c | 15 +
drivers/tty/serial/8250/8250_pci.c | 17 +
drivers/tty/serial/8250/8250_port.c | 6 +
drivers/tty/serial/uartlite.c | 1 +
drivers/ufs/core/ufshcd.c | 26 +-
drivers/usb/cdns3/core.c | 11 +-
drivers/usb/class/cdc-acm.c | 5 +
drivers/usb/class/cdc-acm.h | 1 +
drivers/usb/class/cdc-wdm.c | 4 +-
drivers/usb/class/usbtmc.c | 6 +-
drivers/usb/core/message.c | 100 +++-
drivers/usb/core/phy.c | 8 +-
drivers/usb/core/quirks.c | 16 +
drivers/usb/dwc3/dwc3-pci.c | 2 +
drivers/usb/gadget/function/f_mass_storage.c | 12 +-
drivers/usb/gadget/function/f_tcm.c | 14 +
drivers/usb/host/xhci-ring.c | 1 +
drivers/usb/host/xhci.c | 4 +-
drivers/usb/image/mdc800.c | 6 +-
drivers/usb/misc/uss720.c | 2 +-
drivers/usb/misc/yurex.c | 2 +-
drivers/usb/renesas_usbhs/common.c | 9 +
drivers/usb/roles/class.c | 7 +-
drivers/usb/serial/f81232.c | 77 +--
drivers/usb/typec/tcpm/tcpm.c | 2 +-
drivers/usb/typec/ucsi/ucsi_glink.c | 27 +-
drivers/xen/xen-acpi-processor.c | 7 +-
fs/binfmt_misc.c | 4 +-
fs/btrfs/Makefile | 2 +-
fs/btrfs/accessors.h | 8 +
fs/btrfs/bio.c | 21 +
fs/btrfs/block-rsv.c | 6 +
fs/btrfs/ctree.h | 19 -
fs/btrfs/disk-io.c | 46 +-
fs/btrfs/extent-tree.c | 7 +-
fs/btrfs/extent_io.c | 3 +-
fs/btrfs/extent_io.h | 3 +-
fs/btrfs/file.c | 16 +
fs/btrfs/free-space-cache.c | 9 +-
fs/btrfs/fs.h | 1 +
fs/btrfs/inode-item.h | 7 +
fs/btrfs/inode.c | 27 +-
fs/btrfs/ioctl.c | 24 +-
fs/btrfs/locking.c | 1 +
fs/btrfs/ordered-data.c | 1 +
fs/btrfs/ordered-data.h | 2 +
fs/btrfs/raid-stripe-tree.c | 87 ++++
fs/btrfs/raid-stripe-tree.h | 35 ++
fs/btrfs/scrub.c | 2 +-
fs/btrfs/send.c | 6 +-
fs/btrfs/transaction.c | 16 +
fs/btrfs/tree-checker.c | 6 +-
fs/btrfs/tree-log.c | 6 +
fs/btrfs/uuid-tree.c | 43 ++
fs/btrfs/uuid-tree.h | 2 +
fs/btrfs/volumes.c | 4 +-
fs/btrfs/volumes.h | 16 +-
fs/ceph/dir.c | 15 +-
fs/ceph/mds_client.c | 3 +
fs/eventpoll.c | 5 +-
fs/ext4/ext4.h | 9 +-
fs/ext4/extents.c | 536 ++++++++++++---------
fs/ext4/fast_commit.c | 8 +-
fs/ext4/mballoc.c | 242 +++++-----
fs/ext4/mballoc.h | 4 +-
fs/ext4/migrate.c | 5 +-
fs/ext4/move_extent.c | 7 +-
fs/f2fs/gc.c | 19 +-
fs/iomap/buffered-io.c | 15 +-
fs/iomap/direct-io.c | 10 +-
fs/nfs/file.c | 8 +-
fs/nfs/nfs4proc.c | 6 +-
fs/nfs/nfstrace.h | 39 +-
fs/nfs/pnfs.c | 58 ++-
fs/nfs/pnfs.h | 17 +-
fs/nfs/read.c | 8 +-
fs/nfs/write.c | 43 +-
fs/nfsd/nfs4xdr.c | 9 +-
fs/nfsd/nfsctl.c | 14 +-
fs/nfsd/state.h | 17 +-
fs/smb/client/cifsencrypt.c | 3 +-
fs/smb/client/cifsfs.c | 7 +-
fs/smb/client/cifsglob.h | 11 +
fs/smb/client/cifsproto.h | 1 +
fs/smb/client/connect.c | 5 +-
fs/smb/client/dir.c | 1 +
fs/smb/client/file.c | 29 +-
fs/smb/client/fs_context.c | 2 +-
fs/smb/client/misc.c | 43 ++
fs/smb/client/smb2inode.c | 4 +-
fs/smb/client/smb2ops.c | 14 +-
fs/smb/client/smb2pdu.c | 29 +-
fs/smb/client/smb2transport.c | 4 +-
fs/smb/client/trace.h | 2 +
fs/smb/client/transport.c | 21 +-
fs/smb/server/Kconfig | 1 +
fs/smb/server/auth.c | 26 +-
fs/smb/server/oplock.c | 35 +-
fs/smb/server/oplock.h | 5 +-
fs/smb/server/smb2pdu.c | 26 +-
fs/squashfs/cache.c | 3 +
fs/xfs/xfs_bmap_item.c | 3 +-
fs/xfs/xfs_dquot.c | 8 +-
fs/xfs/xfs_log.c | 2 +
include/linux/bpf.h | 6 +
include/linux/indirect_call_wrapper.h | 18 +-
include/linux/ioport.h | 32 ++
include/linux/irqchip/arm-gic-v3.h | 1 +
include/linux/mailbox_client.h | 2 +-
include/linux/mailbox_controller.h | 9 +-
include/linux/mlx5/mlx5_ifc.h | 4 +-
include/linux/mmc/host.h | 9 +-
include/linux/nfs_fs.h | 1 +
include/linux/stmmac.h | 1 -
include/linux/trace_recursion.h | 9 +
include/linux/uprobes.h | 1 +
include/linux/usb.h | 8 +-
include/net/act_api.h | 1 +
include/net/bonding.h | 1 +
include/net/dsa.h | 1 +
include/net/dst.h | 34 +-
include/net/ip.h | 7 +-
include/net/ip6_route.h | 2 +-
include/net/netfilter/nf_tables.h | 5 +
include/net/route.h | 2 +-
include/net/sch_generic.h | 43 ++
include/net/tc_act/tc_gate.h | 33 +-
include/net/tc_act/tc_ife.h | 4 +-
include/net/udp_tunnel.h | 2 +-
include/net/xdp_sock_drv.h | 24 +-
include/net/xsk_buff_pool.h | 3 +-
include/trace/events/btrfs.h | 4 +-
include/trace/events/kmem.h | 8 +-
include/trace/events/rxrpc.h | 4 +
include/uapi/linux/btrfs.h | 1 +
include/uapi/linux/btrfs_tree.h | 29 ++
include/uapi/linux/pci_regs.h | 2 +-
io_uring/kbuf.c | 8 +-
kernel/bpf/devmap.c | 22 +-
kernel/bpf/syscall.c | 3 +-
kernel/bpf/trampoline.c | 4 +-
kernel/bpf/verifier.c | 4 +
kernel/cgroup/cgroup.c | 1 +
kernel/events/core.c | 42 +-
kernel/events/uprobes.c | 10 +-
kernel/fork.c | 2 +-
kernel/kprobes.c | 51 +-
kernel/rcu/tree_nocb.h | 5 +-
kernel/rseq.c | 5 +-
kernel/sched/fair.c | 6 -
kernel/sched/idle.c | 45 +-
kernel/time/time.c | 2 +-
kernel/trace/trace.c | 12 +-
kernel/trace/trace_events.c | 52 +-
kernel/trace/trace_events_trigger.c | 3 +
lib/bootconfig.c | 9 +-
mm/kfence/core.c | 29 +-
mm/mempolicy.c | 4 +-
net/atm/lec.c | 26 +-
net/batman-adv/bat_iv_ogm.c | 3 +
net/batman-adv/bat_v_elp.c | 10 +-
net/batman-adv/hard-interface.c | 8 +-
net/batman-adv/hard-interface.h | 1 +
net/bluetooth/hci_conn.c | 4 +-
net/bluetooth/hci_sync.c | 2 +-
net/bluetooth/hidp/core.c | 16 +-
net/bluetooth/l2cap_core.c | 51 +-
net/bluetooth/smp.c | 2 +-
net/bridge/br_device.c | 2 +-
net/bridge/br_input.c | 2 +-
net/can/bcm.c | 1 +
net/ceph/auth.c | 6 +-
net/ceph/messenger_v2.c | 31 +-
net/ceph/mon_client.c | 6 +-
net/core/dst.c | 5 +-
net/core/filter.c | 8 +-
net/core/sock.c | 16 +-
net/dsa/dsa.c | 59 ++-
net/ipv4/icmp.c | 4 +-
net/ipv4/route.c | 8 +-
net/ipv4/tcp.c | 3 +-
net/ipv4/tcp_input.c | 18 +-
net/ipv4/tcp_ipv4.c | 3 +-
net/ipv4/tcp_offload.c | 74 +++
net/ipv4/udp_offload.c | 3 +-
net/ipv6/ip6_output.c | 35 +-
net/ipv6/route.c | 15 +-
net/ipv6/tcp_ipv6.c | 3 +-
net/ipv6/tcpv6_offload.c | 65 +++
net/l2tp/l2tp_ppp.c | 25 +-
net/mac80211/debugfs.c | 14 +-
net/mac80211/link.c | 2 +
net/mac80211/mesh.c | 6 +
net/mac80211/mlme.c | 3 +
net/mctp/route.c | 13 +-
net/mpls/af_mpls.c | 1 +
net/mptcp/pm.c | 2 +-
net/mptcp/pm_netlink.c | 72 ++-
net/mptcp/protocol.h | 2 +
net/ncsi/ncsi-aen.c | 3 +-
net/ncsi/ncsi-rsp.c | 16 +-
net/netfilter/nf_bpf_link.c | 2 +-
net/netfilter/nf_conntrack_h323_asn1.c | 4 +
net/netfilter/nf_conntrack_netlink.c | 67 ++-
net/netfilter/nf_conntrack_sip.c | 6 +-
net/netfilter/nf_tables_api.c | 6 +-
net/netfilter/nfnetlink_cthelper.c | 8 +-
net/netfilter/nfnetlink_osf.c | 13 +
net/netfilter/nfnetlink_queue.c | 4 +-
net/netfilter/nft_ct.c | 9 +
net/netfilter/nft_set_pipapo.c | 54 ++-
net/netfilter/nft_set_pipapo.h | 2 +
net/netfilter/xt_CT.c | 4 +
net/netfilter/xt_IDLETIMER.c | 6 +
net/netfilter/xt_dccp.c | 4 +-
net/netfilter/xt_tcpudp.c | 6 +-
net/netfilter/xt_time.c | 4 +-
net/nfc/nci/core.c | 21 +-
net/nfc/nci/data.c | 12 +-
net/nfc/rawsock.c | 11 +
net/rds/tcp.c | 14 +-
net/rose/af_rose.c | 5 +
net/rxrpc/ar-internal.h | 9 +-
net/rxrpc/conn_event.c | 2 +-
net/rxrpc/output.c | 11 +-
net/rxrpc/peer_event.c | 17 +-
net/rxrpc/proc.c | 4 +-
net/rxrpc/recvmsg.c | 19 +-
net/rxrpc/rxkad.c | 2 +-
net/sched/act_ct.c | 6 +
net/sched/act_gate.c | 264 +++++++---
net/sched/act_ife.c | 93 ++--
net/sched/cls_api.c | 7 +
net/sched/sch_ets.c | 12 +-
net/sched/sch_generic.c | 27 --
net/sched/sch_ingress.c | 14 +-
net/sched/sch_teql.c | 8 +-
net/smc/af_smc.c | 23 +-
net/smc/smc.h | 5 +
net/smc/smc_close.c | 2 +-
net/sunrpc/cache.c | 26 +-
net/sunrpc/xprtrdma/verbs.c | 7 +-
net/tipc/socket.c | 2 +
net/wireless/core.c | 1 +
net/wireless/pmsr.c | 1 +
net/wireless/radiotap.c | 4 +-
net/xdp/xsk.c | 30 +-
net/xdp/xsk_buff_pool.c | 15 +-
rust/kernel/kunit.rs | 8 +
security/apparmor/apparmorfs.c | 225 +++++----
security/apparmor/include/label.h | 16 +-
security/apparmor/include/lib.h | 12 +
security/apparmor/include/match.h | 1 +
security/apparmor/include/policy.h | 10 +-
security/apparmor/include/policy_ns.h | 2 +
security/apparmor/include/policy_unpack.h | 83 ++--
security/apparmor/label.c | 12 +-
security/apparmor/match.c | 58 ++-
security/apparmor/policy.c | 77 ++-
security/apparmor/policy_ns.c | 2 +
security/apparmor/policy_unpack.c | 65 ++-
sound/core/pcm_native.c | 19 +-
sound/pci/hda/cs35l56_hda.c | 14 +-
sound/pci/hda/patch_conexant.c | 11 +
sound/soc/amd/acp3x-rt5682-max9836.c | 9 +-
sound/soc/amd/yc/acp6x-mach.c | 14 +
sound/soc/codecs/cs42l43-jack.c | 1 +
sound/soc/generic/simple-card-utils.c | 48 +-
sound/soc/qcom/qdsp6/q6apm-dai.c | 1 +
sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 1 +
sound/soc/qcom/qdsp6/q6apm.c | 1 +
sound/soc/soc-core.c | 11 +-
sound/usb/endpoint.c | 10 +-
sound/usb/mixer_scarlett2.c | 2 +
sound/usb/quirks.c | 4 +-
sound/usb/validate.c | 2 +-
tools/bootconfig/main.c | 7 +-
tools/objtool/Makefile | 8 +-
tools/testing/kunit/kunit_kernel.py | 6 +-
tools/testing/kunit/kunit_tool_test.py | 26 +
tools/testing/selftests/arm64/abi/hwcap.c | 4 +-
tools/testing/selftests/net/mptcp/mptcp_join.sh | 56 +++
tools/testing/selftests/net/mptcp/simult_flows.sh | 11 +-
559 files changed, 6672 insertions(+), 3263 deletions(-)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 001/567] drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 002/567] drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Greg Kroah-Hartman
` (376 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brad Spengler, Zack Rusin,
Ian Forbes, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brad Spengler <brad.spengler@opensrcsec.com>
[ Upstream commit 211ecfaaef186ee5230a77d054cdec7fbfc6724a ]
The kref_put() call uses (void *)kvfree as the release callback, which
is incorrect. kref_put() expects a function with signature
void (*release)(struct kref *), but kvfree has signature
void (*)(const void *). Calling through an incompatible function pointer
is undefined behavior.
The code only worked by accident because ref_count is the first member
of vmw_bo_dirty, making the kref pointer equal to the struct pointer.
Fix this by adding a proper release callback that uses container_of()
to retrieve the containing structure before freeing.
Fixes: c1962742ffff ("drm/vmwgfx: Use kref in vmw_bo_dirty")
Signed-off-by: Brad Spengler <brad.spengler@opensrcsec.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Cc: Ian Forbes <ian.forbes@broadcom.com>
Link: https://patch.msgid.link/20260107171236.3573118-1-zack.rusin@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c b/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c
index de2498749e276..5bb710824d72f 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c
@@ -274,6 +274,13 @@ int vmw_bo_dirty_add(struct vmw_bo *vbo)
return ret;
}
+static void vmw_bo_dirty_free(struct kref *kref)
+{
+ struct vmw_bo_dirty *dirty = container_of(kref, struct vmw_bo_dirty, ref_count);
+
+ kvfree(dirty);
+}
+
/**
* vmw_bo_dirty_release - Release a dirty-tracking user from a buffer object
* @vbo: The buffer object
@@ -288,7 +295,7 @@ void vmw_bo_dirty_release(struct vmw_bo *vbo)
{
struct vmw_bo_dirty *dirty = vbo->dirty;
- if (dirty && kref_put(&dirty->ref_count, (void *)kvfree))
+ if (dirty && kref_put(&dirty->ref_count, vmw_bo_dirty_free))
vbo->dirty = NULL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 002/567] drm/vmwgfx: Return the correct value in vmw_translate_ptr functions
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 001/567] drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 003/567] drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse() Greg Kroah-Hartman
` (375 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuzey Arda Bulut, Ian Forbes,
Zack Rusin, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Forbes <ian.forbes@broadcom.com>
[ Upstream commit 5023ca80f9589295cb60735016e39fc5cc714243 ]
Before the referenced fixes these functions used a lookup function that
returned a pointer. This was changed to another lookup function that
returned an error code with the pointer becoming an out parameter.
The error path when the lookup failed was not changed to reflect this
change and the code continued to return the PTR_ERR of the now
uninitialized pointer. This could cause the vmw_translate_ptr functions
to return success when they actually failed causing further uninitialized
and OOB accesses.
Reported-by: Kuzey Arda Bulut <kuzeyardabulut@gmail.com>
Fixes: a309c7194e8a ("drm/vmwgfx: Remove rcu locks from user resources")
Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
Reviewed-by: Zack Rusin <zack.rusin@broadcom.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Link: https://patch.msgid.link/20260113175357.129285-1-ian.forbes@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index 92b3e44d022fe..073791d696295 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -1160,7 +1160,7 @@ static int vmw_translate_mob_ptr(struct vmw_private *dev_priv,
ret = vmw_user_bo_lookup(sw_context->filp, handle, &vmw_bo);
if (ret != 0) {
drm_dbg(&dev_priv->drm, "Could not find or use MOB buffer.\n");
- return PTR_ERR(vmw_bo);
+ return ret;
}
vmw_bo_placement_set(vmw_bo, VMW_BO_DOMAIN_MOB, VMW_BO_DOMAIN_MOB);
ret = vmw_validation_add_bo(sw_context->ctx, vmw_bo);
@@ -1216,7 +1216,7 @@ static int vmw_translate_guest_ptr(struct vmw_private *dev_priv,
ret = vmw_user_bo_lookup(sw_context->filp, handle, &vmw_bo);
if (ret != 0) {
drm_dbg(&dev_priv->drm, "Could not find or use GMR region.\n");
- return PTR_ERR(vmw_bo);
+ return ret;
}
vmw_bo_placement_set(vmw_bo, VMW_BO_DOMAIN_GMR | VMW_BO_DOMAIN_VRAM,
VMW_BO_DOMAIN_GMR | VMW_BO_DOMAIN_VRAM);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 003/567] drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 001/567] drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 002/567] drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 004/567] irqchip/sifive-plic: Fix frozen interrupt due to affinity setting Greg Kroah-Hartman
` (374 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Luca Ceresoli,
Kory Maincent, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit fef0e649f8b42bdffe4a916dd46e1b1e9ad2f207 ]
The logicvc_drm_config_parse() function calls of_get_child_by_name() to
find the "layers" node but fails to release the reference, leading to a
device node reference leak.
Fix this by using the __free(device_node) cleanup attribute to automatic
release the reference when the variable goes out of scope.
Fixes: efeeaefe9be5 ("drm: Add support for the LogiCVC display controller")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>
Link: https://patch.msgid.link/20260130-logicvc_drm-v1-1-04366463750c@gmail.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/logicvc/logicvc_drm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/logicvc/logicvc_drm.c b/drivers/gpu/drm/logicvc/logicvc_drm.c
index 749debd3d6a57..df74572e6d2ea 100644
--- a/drivers/gpu/drm/logicvc/logicvc_drm.c
+++ b/drivers/gpu/drm/logicvc/logicvc_drm.c
@@ -90,7 +90,6 @@ static int logicvc_drm_config_parse(struct logicvc_drm *logicvc)
struct device *dev = drm_dev->dev;
struct device_node *of_node = dev->of_node;
struct logicvc_drm_config *config = &logicvc->config;
- struct device_node *layers_node;
int ret;
logicvc_of_property_parse_bool(of_node, LOGICVC_OF_PROPERTY_DITHERING,
@@ -126,7 +125,8 @@ static int logicvc_drm_config_parse(struct logicvc_drm *logicvc)
if (ret)
return ret;
- layers_node = of_get_child_by_name(of_node, "layers");
+ struct device_node *layers_node __free(device_node) =
+ of_get_child_by_name(of_node, "layers");
if (!layers_node) {
drm_err(drm_dev, "Missing non-optional layers node\n");
return -EINVAL;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 004/567] irqchip/sifive-plic: Fix frozen interrupt due to affinity setting
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 003/567] drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse() Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 005/567] scsi: lpfc: Properly set WC for DPP mapping Greg Kroah-Hartman
` (373 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nam Cao, Thomas Gleixner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nam Cao <namcao@linutronix.de>
[ Upstream commit 1072020685f4b81f6efad3b412cdae0bd62bb043 ]
PLIC ignores interrupt completion message for disabled interrupt, explained
by the specification:
The PLIC signals it has completed executing an interrupt handler by
writing the interrupt ID it received from the claim to the
claim/complete register. The PLIC does not check whether the completion
ID is the same as the last claim ID for that target. If the completion
ID does not match an interrupt source that is currently enabled for
the target, the completion is silently ignored.
This caused problems in the past, because an interrupt can be disabled
while still being handled and plic_irq_eoi() had no effect. That was fixed
by checking if the interrupt is disabled, and if so enable it, before
sending the completion message. That check is done with irqd_irq_disabled().
However, that is not sufficient because the enable bit for the handling
hart can be zero despite irqd_irq_disabled(d) being false. This can happen
when affinity setting is changed while a hart is still handling the
interrupt.
This problem is easily reproducible by dumping a large file to uart (which
generates lots of interrupts) and at the same time keep changing the uart
interrupt's affinity setting. The uart port becomes frozen almost
instantaneously.
Fix this by checking PLIC's enable bit instead of irqd_irq_disabled().
Fixes: cc9f04f9a84f ("irqchip/sifive-plic: Implement irq_set_affinity() for SMP host")
Signed-off-by: Nam Cao <namcao@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260212114125.3148067-1-namcao@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-sifive-plic.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/irqchip/irq-sifive-plic.c b/drivers/irqchip/irq-sifive-plic.c
index a8f5cfad16f7d..794bdb6d4d1e3 100644
--- a/drivers/irqchip/irq-sifive-plic.c
+++ b/drivers/irqchip/irq-sifive-plic.c
@@ -148,8 +148,13 @@ static void plic_irq_disable(struct irq_data *d)
static void plic_irq_eoi(struct irq_data *d)
{
struct plic_handler *handler = this_cpu_ptr(&plic_handlers);
+ u32 __iomem *reg;
+ bool enabled;
+
+ reg = handler->enable_base + (d->hwirq / 32) * sizeof(u32);
+ enabled = readl(reg) & BIT(d->hwirq % 32);
- if (unlikely(irqd_irq_disabled(d))) {
+ if (unlikely(!enabled)) {
plic_toggle(handler, d->hwirq, 1);
writel(d->hwirq, handler->hart_base + CONTEXT_CLAIM);
plic_toggle(handler, d->hwirq, 0);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 005/567] scsi: lpfc: Properly set WC for DPP mapping
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 004/567] irqchip/sifive-plic: Fix frozen interrupt due to affinity setting Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 006/567] scsi: pm8001: Fix use-after-free in pm8001_queue_command() Greg Kroah-Hartman
` (372 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathias Krause, Justin Tee,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@grsecurity.net>
[ Upstream commit bffda93a51b40afd67c11bf558dc5aae83ca0943 ]
Using set_memory_wc() to enable write-combining for the DPP portion of
the MMIO mapping is wrong as set_memory_*() is meant to operate on RAM
only, not MMIO mappings. In fact, as used currently triggers a BUG_ON()
with enabled CONFIG_DEBUG_VIRTUAL.
Simply map the DPP region separately and in addition to the already
existing mappings, avoiding any possible negative side effects for
these.
Fixes: 1351e69fc6db ("scsi: lpfc: Add push-to-adapter support to sli4")
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Reviewed-by: Mathias Krause <minipli@grsecurity.net>
Link: https://patch.msgid.link/20260212192327.141104-1-justintee8345@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_init.c | 2 ++
drivers/scsi/lpfc/lpfc_sli.c | 36 +++++++++++++++++++++++++++++------
drivers/scsi/lpfc/lpfc_sli4.h | 3 +++
3 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index b0eac09de5ad5..dc18d84c54c3c 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -12049,6 +12049,8 @@ lpfc_sli4_pci_mem_unset(struct lpfc_hba *phba)
iounmap(phba->sli4_hba.conf_regs_memmap_p);
if (phba->sli4_hba.dpp_regs_memmap_p)
iounmap(phba->sli4_hba.dpp_regs_memmap_p);
+ if (phba->sli4_hba.dpp_regs_memmap_wc_p)
+ iounmap(phba->sli4_hba.dpp_regs_memmap_wc_p);
break;
case LPFC_SLI_INTF_IF_TYPE_1:
break;
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 4cf935b7223af..c88e224feed8a 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -15938,6 +15938,32 @@ lpfc_dual_chute_pci_bar_map(struct lpfc_hba *phba, uint16_t pci_barset)
return NULL;
}
+static __maybe_unused void __iomem *
+lpfc_dpp_wc_map(struct lpfc_hba *phba, uint8_t dpp_barset)
+{
+
+ /* DPP region is supposed to cover 64-bit BAR2 */
+ if (dpp_barset != WQ_PCI_BAR_4_AND_5) {
+ lpfc_log_msg(phba, KERN_WARNING, LOG_INIT,
+ "3273 dpp_barset x%x != WQ_PCI_BAR_4_AND_5\n",
+ dpp_barset);
+ return NULL;
+ }
+
+ if (!phba->sli4_hba.dpp_regs_memmap_wc_p) {
+ void __iomem *dpp_map;
+
+ dpp_map = ioremap_wc(phba->pci_bar2_map,
+ pci_resource_len(phba->pcidev,
+ PCI_64BIT_BAR4));
+
+ if (dpp_map)
+ phba->sli4_hba.dpp_regs_memmap_wc_p = dpp_map;
+ }
+
+ return phba->sli4_hba.dpp_regs_memmap_wc_p;
+}
+
/**
* lpfc_modify_hba_eq_delay - Modify Delay Multiplier on EQs
* @phba: HBA structure that EQs are on.
@@ -16901,9 +16927,6 @@ lpfc_wq_create(struct lpfc_hba *phba, struct lpfc_queue *wq,
uint8_t dpp_barset;
uint32_t dpp_offset;
uint8_t wq_create_version;
-#ifdef CONFIG_X86
- unsigned long pg_addr;
-#endif
/* sanity check on queue memory */
if (!wq || !cq)
@@ -17089,14 +17112,15 @@ lpfc_wq_create(struct lpfc_hba *phba, struct lpfc_queue *wq,
#ifdef CONFIG_X86
/* Enable combined writes for DPP aperture */
- pg_addr = (unsigned long)(wq->dpp_regaddr) & PAGE_MASK;
- rc = set_memory_wc(pg_addr, 1);
- if (rc) {
+ bar_memmap_p = lpfc_dpp_wc_map(phba, dpp_barset);
+ if (!bar_memmap_p) {
lpfc_printf_log(phba, KERN_ERR, LOG_INIT,
"3272 Cannot setup Combined "
"Write on WQ[%d] - disable DPP\n",
wq->queue_id);
phba->cfg_enable_dpp = 0;
+ } else {
+ wq->dpp_regaddr = bar_memmap_p + dpp_offset;
}
#else
phba->cfg_enable_dpp = 0;
diff --git a/drivers/scsi/lpfc/lpfc_sli4.h b/drivers/scsi/lpfc/lpfc_sli4.h
index 2541a8fba093f..323d3ed3272b5 100644
--- a/drivers/scsi/lpfc/lpfc_sli4.h
+++ b/drivers/scsi/lpfc/lpfc_sli4.h
@@ -783,6 +783,9 @@ struct lpfc_sli4_hba {
void __iomem *dpp_regs_memmap_p; /* Kernel memory mapped address for
* dpp registers
*/
+ void __iomem *dpp_regs_memmap_wc_p;/* Kernel memory mapped address for
+ * dpp registers with write combining
+ */
union {
struct {
/* IF Type 0, BAR 0 PCI cfg space reg mem map */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 006/567] scsi: pm8001: Fix use-after-free in pm8001_queue_command()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 005/567] scsi: lpfc: Properly set WC for DPP mapping Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 007/567] ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices Greg Kroah-Hartman
` (371 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Salomon Dushimirimana,
Damien Le Moal, Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Salomon Dushimirimana <salomondush@google.com>
[ Upstream commit 38353c26db28efd984f51d426eac2396d299cca7 ]
Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors
pm8001_queue_command(), however it introduces a potential cause of a double
free scenario when it changes the function to return -ENODEV in case of phy
down/device gone state.
In this path, pm8001_queue_command() updates task status and calls
task_done to indicate to upper layer that the task has been handled.
However, this also frees the underlying SAS task. A -ENODEV is then
returned to the caller. When libsas sas_ata_qc_issue() receives this error
value, it assumes the task wasn't handled/queued by LLDD and proceeds to
clean up and free the task again, resulting in a double free.
Since pm8001_queue_command() handles the SAS task in this case, it should
return 0 to the caller indicating that the task has been handled.
Fixes: e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()")
Signed-off-by: Salomon Dushimirimana <salomondush@google.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Link: https://patch.msgid.link/20260213192806.439432-1-salomondush@google.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/pm8001/pm8001_sas.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c
index 4daab8b6d6752..0f911228cb2f1 100644
--- a/drivers/scsi/pm8001/pm8001_sas.c
+++ b/drivers/scsi/pm8001/pm8001_sas.c
@@ -476,8 +476,9 @@ int pm8001_queue_command(struct sas_task *task, gfp_t gfp_flags)
} else {
task->task_done(task);
}
- rc = -ENODEV;
- goto err_out;
+ spin_unlock_irqrestore(&pm8001_ha->lock, flags);
+ pm8001_dbg(pm8001_ha, IO, "pm8001_task_exec device gone\n");
+ return 0;
}
ccb = pm8001_ccb_alloc(pm8001_ha, pm8001_dev, task);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 007/567] ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 006/567] scsi: pm8001: Fix use-after-free in pm8001_queue_command() Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 008/567] rseq: Clarify rseq registration rseq_size bound check comment Greg Kroah-Hartman
` (370 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geoffrey D. Bennett, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geoffrey D. Bennett <g@b4.vu>
[ Upstream commit a8cc55bf81a45772cad44c83ea7bb0e98431094a ]
Remove QUIRK_FLAG_VALIDATE_RATES for Focusrite. With the previous
commit, focusrite_valid_sample_rate() produces correct rate tables
without USB probing.
QUIRK_FLAG_VALIDATE_RATES sends SET_CUR requests for each rate (~25ms
each) and leaves the device at 192kHz. This is a problem because that
rate: 1) disables the internal mixer, so outputs are silent until an
application opens the PCM and sets a lower rate, and 2) the Air and
Safe modes get disabled.
Fixes: 5963e5262180 ("ALSA: usb-audio: Enable rate validation for Scarlett devices")
Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/09b9c012024c998c4ca14bd876ef0dce0d0b6101.1771594828.git.g@b4.vu
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index ff2bbe761ee3a..15e72c419dbc2 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2308,7 +2308,7 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
VENDOR_FLG(0x07fd, /* MOTU */
QUIRK_FLAG_VALIDATE_RATES),
VENDOR_FLG(0x1235, /* Focusrite Novation */
- QUIRK_FLAG_VALIDATE_RATES),
+ 0),
VENDOR_FLG(0x1511, /* AURALiC */
QUIRK_FLAG_DSD_RAW),
VENDOR_FLG(0x152a, /* Thesycon devices */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 008/567] rseq: Clarify rseq registration rseq_size bound check comment
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 007/567] ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 009/567] scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume Greg Kroah-Hartman
` (369 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers,
Peter Zijlstra (Intel), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
[ Upstream commit 26d43a90be81fc90e26688a51d3ec83188602731 ]
The rseq registration validates that the rseq_size argument is greater
or equal to 32 (the original rseq size), but the comment associated with
this check does not clearly state this.
Clarify the comment to that effect.
Fixes: ee3e3ac05c26 ("rseq: Introduce extensible rseq ABI")
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260220200642.1317826-2-mathieu.desnoyers@efficios.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rseq.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/kernel/rseq.c b/kernel/rseq.c
index 810005f927d7c..e6ee81dd1e457 100644
--- a/kernel/rseq.c
+++ b/kernel/rseq.c
@@ -432,8 +432,9 @@ SYSCALL_DEFINE4(rseq, struct rseq __user *, rseq, u32, rseq_len,
* auxiliary vector AT_RSEQ_ALIGN. If rseq_len is the original rseq
* size, the required alignment is the original struct rseq alignment.
*
- * In order to be valid, rseq_len is either the original rseq size, or
- * large enough to contain all supported fields, as communicated to
+ * The rseq_len is required to be greater or equal to the original rseq
+ * size. In order to be valid, rseq_len is either the original rseq size,
+ * or large enough to contain all supported fields, as communicated to
* user-space through the ELF auxiliary vector AT_RSEQ_FEATURE_SIZE.
*/
if (rseq_len < ORIG_RSEQ_SIZE ||
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 009/567] scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 008/567] rseq: Clarify rseq registration rseq_size bound check comment Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 010/567] ALSA: usb-audio: Cap the packet size pre-calculations Greg Kroah-Hartman
` (368 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Wang, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Wang <peter.wang@mediatek.com>
[ Upstream commit 62c015373e1cdb1cdca824bd2dbce2dac0819467 ]
Move the link recovery trigger from ufshcd_uic_pwr_ctrl() to
__ufshcd_wl_resume(). Ensure link recovery is only attempted when hibern8
exit fails during resume, not during hibern8 enter in suspend. Improve
error handling and prevent unnecessary link recovery attempts.
Fixes: 35dabf4503b9 ("scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume")
Signed-off-by: Peter Wang <peter.wang@mediatek.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260223103906.2533654-1-peter.wang@mediatek.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 808b648e1f388..0b74ef63e6721 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -4289,14 +4289,6 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd)
spin_unlock_irqrestore(hba->host->host_lock, flags);
mutex_unlock(&hba->uic_cmd_mutex);
- /*
- * If the h8 exit fails during the runtime resume process, it becomes
- * stuck and cannot be recovered through the error handler. To fix
- * this, use link recovery instead of the error handler.
- */
- if (ret && hba->pm_op_in_progress)
- ret = ufshcd_link_recovery(hba);
-
return ret;
}
@@ -10016,7 +10008,15 @@ static int __ufshcd_wl_resume(struct ufs_hba *hba, enum ufs_pm_op pm_op)
} else {
dev_err(hba->dev, "%s: hibern8 exit failed %d\n",
__func__, ret);
- goto vendor_suspend;
+ /*
+ * If the h8 exit fails during the runtime resume
+ * process, it becomes stuck and cannot be recovered
+ * through the error handler. To fix this, use link
+ * recovery instead of the error handler.
+ */
+ ret = ufshcd_link_recovery(hba);
+ if (ret)
+ goto vendor_suspend;
}
} else if (ufshcd_is_link_off(hba)) {
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 010/567] ALSA: usb-audio: Cap the packet size pre-calculations
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 009/567] scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 011/567] ALSA: usb-audio: Use inclusive terms Greg Kroah-Hartman
` (367 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 7fe8dec3f628e9779f1631576f8e693370050348 ]
We calculate the possible packet sizes beforehand for adaptive and
synchronous endpoints, but we didn't take care of the max frame size
for those pre-calculated values. When a device or a bus limits the
packet size, a high sample rate or a high number of channels may lead
to the packet sizes that are larger than the given limit, which
results in an error from the USB core at submitting URBs.
As a simple workaround, just add the sanity checks of pre-calculated
packet sizes to have the upper boundary of ep->maxframesize.
Fixes: f0bd62b64016 ("ALSA: usb-audio: Improve frames size computation")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221076
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260225085233.316306-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/endpoint.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
index 1092b964167e9..d035b25f67b64 100644
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -1396,6 +1396,9 @@ int snd_usb_endpoint_set_params(struct snd_usb_audio *chip,
goto unlock;
}
+ ep->packsize[0] = min(ep->packsize[0], ep->maxframesize);
+ ep->packsize[1] = min(ep->packsize[1], ep->maxframesize);
+
/* calculate the frequency in 16.16 format */
ep->freqm = ep->freqn;
ep->freqshift = INT_MIN;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 011/567] ALSA: usb-audio: Use inclusive terms
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 010/567] ALSA: usb-audio: Cap the packet size pre-calculations Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 012/567] perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Greg Kroah-Hartman
` (366 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 4e9113c533acee2ba1f72fd68ee6ecd36b64484e ]
Replace the remaining with inclusive terms; it's only this function
name we overlooked at the previous conversion.
Fixes: 53837b4ac2bd ("ALSA: usb-audio: Replace slave/master terms")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260225085233.316306-5-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/endpoint.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
index d035b25f67b64..806755a65fc05 100644
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -160,8 +160,8 @@ int snd_usb_endpoint_implicit_feedback_sink(struct snd_usb_endpoint *ep)
* This won't be used for implicit feedback which takes the packet size
* returned from the sync source
*/
-static int slave_next_packet_size(struct snd_usb_endpoint *ep,
- unsigned int avail)
+static int synced_next_packet_size(struct snd_usb_endpoint *ep,
+ unsigned int avail)
{
unsigned long flags;
unsigned int phase;
@@ -230,7 +230,7 @@ int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep,
}
if (ep->sync_source)
- return slave_next_packet_size(ep, avail);
+ return synced_next_packet_size(ep, avail);
else
return next_packet_size(ep, avail);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 012/567] perf: Fix __perf_event_overflow() vs perf_remove_from_context() race
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 011/567] ALSA: usb-audio: Use inclusive terms Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 013/567] ALSA: pci: hda: use snd_kcontrol_chip() Greg Kroah-Hartman
` (365 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simond Hu, Peter Zijlstra (Intel),
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit c9bc1753b3cc41d0e01fbca7f035258b5f4db0ae ]
Make sure that __perf_event_overflow() runs with IRQs disabled for all
possible callchains. Specifically the software events can end up running
it with only preemption disabled.
This opens up a race vs perf_event_exit_event() and friends that will go
and free various things the overflow path expects to be present, like
the BPF program.
Fixes: 592903cdcbf6 ("perf_counter: add an event_list")
Reported-by: Simond Hu <cmdhh1767@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Simond Hu <cmdhh1767@gmail.com>
Link: https://patch.msgid.link/20260224122909.GV1395416@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 42 +++++++++++++++++++++++++++++++++++++++++-
1 file changed, 41 insertions(+), 1 deletion(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 9a6be06176bb4..652baf91c629e 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -9729,6 +9729,13 @@ int perf_event_overflow(struct perf_event *event,
struct perf_sample_data *data,
struct pt_regs *regs)
{
+ /*
+ * Entry point from hardware PMI, interrupts should be disabled here.
+ * This serializes us against perf_event_remove_from_context() in
+ * things like perf_event_release_kernel().
+ */
+ lockdep_assert_irqs_disabled();
+
return __perf_event_overflow(event, 1, data, regs);
}
@@ -9809,6 +9816,19 @@ static void perf_swevent_event(struct perf_event *event, u64 nr,
{
struct hw_perf_event *hwc = &event->hw;
+ /*
+ * This is:
+ * - software preempt
+ * - tracepoint preempt
+ * - tp_target_task irq (ctx->lock)
+ * - uprobes preempt/irq
+ * - kprobes preempt/irq
+ * - hw_breakpoint irq
+ *
+ * Any of these are sufficient to hold off RCU and thus ensure @event
+ * exists.
+ */
+ lockdep_assert_preemption_disabled();
local64_add(nr, &event->count);
if (!regs)
@@ -9817,6 +9837,16 @@ static void perf_swevent_event(struct perf_event *event, u64 nr,
if (!is_sampling_event(event))
return;
+ /*
+ * Serialize against event_function_call() IPIs like normal overflow
+ * event handling. Specifically, must not allow
+ * perf_event_release_kernel() -> perf_remove_from_context() to make
+ * progress and 'release' the event from under us.
+ */
+ guard(irqsave)();
+ if (event->state != PERF_EVENT_STATE_ACTIVE)
+ return;
+
if ((event->attr.sample_type & PERF_SAMPLE_PERIOD) && !event->attr.freq) {
data->period = nr;
return perf_swevent_overflow(event, 1, data, regs);
@@ -10320,6 +10350,11 @@ void perf_tp_event(u16 event_type, u64 count, void *record, int entry_size,
struct perf_sample_data data;
struct perf_event *event;
+ /*
+ * Per being a tracepoint, this runs with preemption disabled.
+ */
+ lockdep_assert_preemption_disabled();
+
struct perf_raw_record raw = {
.frag = {
.size = entry_size,
@@ -10733,6 +10768,11 @@ void perf_bp_event(struct perf_event *bp, void *data)
struct perf_sample_data sample;
struct pt_regs *regs = data;
+ /*
+ * Exception context, will have interrupts disabled.
+ */
+ lockdep_assert_irqs_disabled();
+
perf_sample_data_init(&sample, bp->attr.bp_addr, 0);
if (!bp->hw.state && !perf_exclude_event(bp, regs))
@@ -11185,7 +11225,7 @@ static enum hrtimer_restart perf_swevent_hrtimer(struct hrtimer *hrtimer)
if (regs && !perf_exclude_event(event, regs)) {
if (!(event->attr.exclude_idle && is_idle_task(current)))
- if (__perf_event_overflow(event, 1, &data, regs))
+ if (perf_event_overflow(event, &data, regs))
ret = HRTIMER_NORESTART;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 013/567] ALSA: pci: hda: use snd_kcontrol_chip()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 012/567] perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 014/567] ALSA: hda: cs35l56: Fix signedness error in cs35l56_hda_posture_put() Greg Kroah-Hartman
` (364 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuninori Morimoto, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit 483dd12dbe34c6d4e71d4d543bcb1292bcb62d08 ]
We can use snd_kcontrol_chip(). Let's use it.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/87plglauda.wl-kuninori.morimoto.gx@renesas.com
Stable-dep-of: 003ce8c9b2ca ("ALSA: hda: cs35l56: Fix signedness error in cs35l56_hda_posture_put()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/cs35l56_hda.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/sound/pci/hda/cs35l56_hda.c b/sound/pci/hda/cs35l56_hda.c
index b84f3b3eb1409..03b2a6a919b4d 100644
--- a/sound/pci/hda/cs35l56_hda.c
+++ b/sound/pci/hda/cs35l56_hda.c
@@ -174,7 +174,7 @@ static int cs35l56_hda_mixer_info(struct snd_kcontrol *kcontrol,
static int cs35l56_hda_mixer_get(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
{
- struct cs35l56_hda *cs35l56 = (struct cs35l56_hda *)kcontrol->private_data;
+ struct cs35l56_hda *cs35l56 = snd_kcontrol_chip(kcontrol);
unsigned int reg_val;
int i;
@@ -194,7 +194,7 @@ static int cs35l56_hda_mixer_get(struct snd_kcontrol *kcontrol,
static int cs35l56_hda_mixer_put(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
{
- struct cs35l56_hda *cs35l56 = (struct cs35l56_hda *)kcontrol->private_data;
+ struct cs35l56_hda *cs35l56 = snd_kcontrol_chip(kcontrol);
unsigned int item = ucontrol->value.enumerated.item[0];
bool changed;
@@ -221,7 +221,7 @@ static int cs35l56_hda_posture_info(struct snd_kcontrol *kcontrol,
static int cs35l56_hda_posture_get(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
{
- struct cs35l56_hda *cs35l56 = (struct cs35l56_hda *)kcontrol->private_data;
+ struct cs35l56_hda *cs35l56 = snd_kcontrol_chip(kcontrol);
unsigned int pos;
int ret;
@@ -237,7 +237,7 @@ static int cs35l56_hda_posture_get(struct snd_kcontrol *kcontrol,
static int cs35l56_hda_posture_put(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
{
- struct cs35l56_hda *cs35l56 = (struct cs35l56_hda *)kcontrol->private_data;
+ struct cs35l56_hda *cs35l56 = snd_kcontrol_chip(kcontrol);
unsigned long pos = ucontrol->value.integer.value[0];
bool changed;
int ret;
@@ -284,7 +284,7 @@ static int cs35l56_hda_vol_info(struct snd_kcontrol *kcontrol,
static int cs35l56_hda_vol_get(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
{
- struct cs35l56_hda *cs35l56 = (struct cs35l56_hda *)kcontrol->private_data;
+ struct cs35l56_hda *cs35l56 = snd_kcontrol_chip(kcontrol);
unsigned int raw_vol;
int vol;
int ret;
@@ -308,7 +308,7 @@ static int cs35l56_hda_vol_get(struct snd_kcontrol *kcontrol,
static int cs35l56_hda_vol_put(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
{
- struct cs35l56_hda *cs35l56 = (struct cs35l56_hda *)kcontrol->private_data;
+ struct cs35l56_hda *cs35l56 = snd_kcontrol_chip(kcontrol);
long vol = ucontrol->value.integer.value[0];
unsigned int raw_vol;
bool changed;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 014/567] ALSA: hda: cs35l56: Fix signedness error in cs35l56_hda_posture_put()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 013/567] ALSA: pci: hda: use snd_kcontrol_chip() Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 015/567] btrfs: move btrfs_crc32c_final into free-space-cache.c Greg Kroah-Hartman
` (363 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Fitzgerald, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Fitzgerald <rf@opensource.cirrus.com>
[ Upstream commit 003ce8c9b2ca28fbb4860651e76fb1c9a91f2ea1 ]
In cs35l56_hda_posture_put() assign ucontrol->value.integer.value[0] to
a long instead of an unsigned long. ucontrol->value.integer.value[0] is
a long.
This fixes the sparse warning:
sound/hda/codecs/side-codecs/cs35l56_hda.c:256:20: warning: unsigned value
that used to be signed checked against zero?
sound/hda/codecs/side-codecs/cs35l56_hda.c:252:29: signed value source
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Fixes: 73cfbfa9caea8 ("ALSA: hda/cs35l56: Add driver for Cirrus Logic CS35L56 amplifier")
Link: https://patch.msgid.link/20260226111728.1700431-1-rf@opensource.cirrus.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/cs35l56_hda.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/pci/hda/cs35l56_hda.c b/sound/pci/hda/cs35l56_hda.c
index 03b2a6a919b4d..8d86a13b8a960 100644
--- a/sound/pci/hda/cs35l56_hda.c
+++ b/sound/pci/hda/cs35l56_hda.c
@@ -238,7 +238,7 @@ static int cs35l56_hda_posture_put(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
{
struct cs35l56_hda *cs35l56 = snd_kcontrol_chip(kcontrol);
- unsigned long pos = ucontrol->value.integer.value[0];
+ long pos = ucontrol->value.integer.value[0];
bool changed;
int ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 015/567] btrfs: move btrfs_crc32c_final into free-space-cache.c
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 014/567] ALSA: hda: cs35l56: Fix signedness error in cs35l56_hda_posture_put() Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 016/567] btrfs: remove btrfs_crc32c wrapper Greg Kroah-Hartman
` (362 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Anand Jain,
Josef Bacik, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <josef@toxicpanda.com>
[ Upstream commit 102f2640a346e84cb5c2d19805a9dd38a776013c ]
This is the only place this helper is used, take it out of ctree.h and
move it into free-space-cache.c.
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: 511dc8912ae3 ("btrfs: fix incorrect key offset in error message in check_dev_extent_item()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/ctree.h | 5 -----
fs/btrfs/free-space-cache.c | 5 +++++
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
index 834af67fac231..3108852ff47d7 100644
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -477,11 +477,6 @@ static inline u32 btrfs_crc32c(u32 crc, const void *address, unsigned length)
return crc32c(crc, address, length);
}
-static inline void btrfs_crc32c_final(u32 crc, u8 *result)
-{
- put_unaligned_le32(~crc, result);
-}
-
static inline u64 btrfs_name_hash(const char *name, int len)
{
return crc32c((u32)~1, name, len);
diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c
index 9a6ec9344c3e0..edf3612ba3108 100644
--- a/fs/btrfs/free-space-cache.c
+++ b/fs/btrfs/free-space-cache.c
@@ -57,6 +57,11 @@ static void bitmap_clear_bits(struct btrfs_free_space_ctl *ctl,
struct btrfs_free_space *info, u64 offset,
u64 bytes, bool update_stats);
+static void btrfs_crc32c_final(u32 crc, u8 *result)
+{
+ put_unaligned_le32(~crc, result);
+}
+
static void __btrfs_remove_free_space_cache(struct btrfs_free_space_ctl *ctl)
{
struct btrfs_free_space *info;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 016/567] btrfs: remove btrfs_crc32c wrapper
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 015/567] btrfs: move btrfs_crc32c_final into free-space-cache.c Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 017/567] btrfs: move btrfs_extref_hash into inode-item.h Greg Kroah-Hartman
` (361 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Anand Jain,
Josef Bacik, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <josef@toxicpanda.com>
[ Upstream commit 03e86348965a5fa13593db8682132033d663f7ee ]
This simply sends the same arguments into crc32c(), and is just used in
a few places. Remove this wrapper and directly call crc32c() in these
instances.
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: 511dc8912ae3 ("btrfs: fix incorrect key offset in error message in check_dev_extent_item()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/ctree.h | 5 -----
fs/btrfs/extent-tree.c | 6 +++---
fs/btrfs/free-space-cache.c | 4 ++--
fs/btrfs/send.c | 6 +++---
4 files changed, 8 insertions(+), 13 deletions(-)
diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
index 3108852ff47d7..11691c70ba791 100644
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -472,11 +472,6 @@ static inline u32 BTRFS_MAX_XATTR_SIZE(const struct btrfs_fs_info *info)
#define BTRFS_BYTES_TO_BLKS(fs_info, bytes) \
((bytes) >> (fs_info)->sectorsize_bits)
-static inline u32 btrfs_crc32c(u32 crc, const void *address, unsigned length)
-{
- return crc32c(crc, address, length);
-}
-
static inline u64 btrfs_name_hash(const char *name, int len)
{
return crc32c((u32)~1, name, len);
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 774bdafc822c1..1528a81b2c307 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -414,11 +414,11 @@ u64 hash_extent_data_ref(u64 root_objectid, u64 owner, u64 offset)
__le64 lenum;
lenum = cpu_to_le64(root_objectid);
- high_crc = btrfs_crc32c(high_crc, &lenum, sizeof(lenum));
+ high_crc = crc32c(high_crc, &lenum, sizeof(lenum));
lenum = cpu_to_le64(owner);
- low_crc = btrfs_crc32c(low_crc, &lenum, sizeof(lenum));
+ low_crc = crc32c(low_crc, &lenum, sizeof(lenum));
lenum = cpu_to_le64(offset);
- low_crc = btrfs_crc32c(low_crc, &lenum, sizeof(lenum));
+ low_crc = crc32c(low_crc, &lenum, sizeof(lenum));
return ((u64)high_crc << 31) ^ (u64)low_crc;
}
diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c
index edf3612ba3108..c6e3b9a2921ab 100644
--- a/fs/btrfs/free-space-cache.c
+++ b/fs/btrfs/free-space-cache.c
@@ -545,7 +545,7 @@ static void io_ctl_set_crc(struct btrfs_io_ctl *io_ctl, int index)
if (index == 0)
offset = sizeof(u32) * io_ctl->num_pages;
- crc = btrfs_crc32c(crc, io_ctl->orig + offset, PAGE_SIZE - offset);
+ crc = crc32c(crc, io_ctl->orig + offset, PAGE_SIZE - offset);
btrfs_crc32c_final(crc, (u8 *)&crc);
io_ctl_unmap_page(io_ctl);
tmp = page_address(io_ctl->pages[0]);
@@ -567,7 +567,7 @@ static int io_ctl_check_crc(struct btrfs_io_ctl *io_ctl, int index)
val = *tmp;
io_ctl_map_page(io_ctl, 0);
- crc = btrfs_crc32c(crc, io_ctl->orig + offset, PAGE_SIZE - offset);
+ crc = crc32c(crc, io_ctl->orig + offset, PAGE_SIZE - offset);
btrfs_crc32c_final(crc, (u8 *)&crc);
if (val != crc) {
btrfs_err_rl(io_ctl->fs_info,
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 6768e2231d610..4fa05ee81d434 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -814,7 +814,7 @@ static int send_cmd(struct send_ctx *sctx)
put_unaligned_le32(sctx->send_size - sizeof(*hdr), &hdr->len);
put_unaligned_le32(0, &hdr->crc);
- crc = btrfs_crc32c(0, (unsigned char *)sctx->send_buf, sctx->send_size);
+ crc = crc32c(0, (unsigned char *)sctx->send_buf, sctx->send_size);
put_unaligned_le32(crc, &hdr->crc);
ret = write_buf(sctx->send_filp, sctx->send_buf, sctx->send_size,
@@ -5740,8 +5740,8 @@ static int send_encoded_extent(struct send_ctx *sctx, struct btrfs_path *path,
hdr = (struct btrfs_cmd_header *)sctx->send_buf;
hdr->len = cpu_to_le32(sctx->send_size + disk_num_bytes - sizeof(*hdr));
hdr->crc = 0;
- crc = btrfs_crc32c(0, sctx->send_buf, sctx->send_size);
- crc = btrfs_crc32c(crc, sctx->send_buf + data_offset, disk_num_bytes);
+ crc = crc32c(0, sctx->send_buf, sctx->send_size);
+ crc = crc32c(crc, sctx->send_buf + data_offset, disk_num_bytes);
hdr->crc = cpu_to_le32(crc);
ret = write_buf(sctx->send_filp, sctx->send_buf, sctx->send_size,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 017/567] btrfs: move btrfs_extref_hash into inode-item.h
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 016/567] btrfs: remove btrfs_crc32c wrapper Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 018/567] btrfs: add raid stripe tree definitions Greg Kroah-Hartman
` (360 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Anand Jain,
Josef Bacik, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <josef@toxicpanda.com>
[ Upstream commit 98e4f060c4f565a3b62e8cdfe6b89f59167312b6 ]
Ideally this would be un-inlined, but that is a cleanup for later. For
now move this into inode-item.h, which is where the extref code lives.
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: 511dc8912ae3 ("btrfs: fix incorrect key offset in error message in check_dev_extent_item()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/ctree.h | 9 ---------
fs/btrfs/inode-item.h | 7 +++++++
2 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
index 11691c70ba791..1743aa21fa6e5 100644
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -477,15 +477,6 @@ static inline u64 btrfs_name_hash(const char *name, int len)
return crc32c((u32)~1, name, len);
}
-/*
- * Figure the key offset of an extended inode ref
- */
-static inline u64 btrfs_extref_hash(u64 parent_objectid, const char *name,
- int len)
-{
- return (u64) crc32c(parent_objectid, name, len);
-}
-
static inline gfp_t btrfs_alloc_write_mask(struct address_space *mapping)
{
return mapping_gfp_constraint(mapping, ~__GFP_FS);
diff --git a/fs/btrfs/inode-item.h b/fs/btrfs/inode-item.h
index d43633d5620f2..0f1730dabce6d 100644
--- a/fs/btrfs/inode-item.h
+++ b/fs/btrfs/inode-item.h
@@ -4,6 +4,7 @@
#define BTRFS_INODE_ITEM_H
#include <linux/types.h>
+#include <linux/crc32c.h>
struct btrfs_trans_handle;
struct btrfs_root;
@@ -76,6 +77,12 @@ static inline void btrfs_inode_split_flags(u64 inode_item_flags,
*ro_flags = (u32)(inode_item_flags >> 32);
}
+/* Figure the key offset of an extended inode ref. */
+static inline u64 btrfs_extref_hash(u64 parent_objectid, const char *name, int len)
+{
+ return (u64)crc32c(parent_objectid, name, len);
+}
+
int btrfs_truncate_inode_items(struct btrfs_trans_handle *trans,
struct btrfs_root *root,
struct btrfs_truncate_control *control);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 018/567] btrfs: add raid stripe tree definitions
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 017/567] btrfs: move btrfs_extref_hash into inode-item.h Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 019/567] btrfs: read raid stripe tree from disk Greg Kroah-Hartman
` (359 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, David Sterba,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
[ Upstream commit ee1293308e01d359688243d665138f35a6f1f9b8 ]
Add definitions for the raid stripe tree. This tree will hold information
about the on-disk layout of the stripes in a RAID set.
Each stripe extent has a 1:1 relationship with an on-disk extent item and
is doing the logical to per-drive physical address translation for the
extent item in question.
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: 511dc8912ae3 ("btrfs: fix incorrect key offset in error message in check_dev_extent_item()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/accessors.h | 8 ++++++++
fs/btrfs/locking.c | 1 +
include/uapi/linux/btrfs_tree.h | 29 +++++++++++++++++++++++++++++
3 files changed, 38 insertions(+)
diff --git a/fs/btrfs/accessors.h b/fs/btrfs/accessors.h
index 8cfc8214109ca..341c07b4c2272 100644
--- a/fs/btrfs/accessors.h
+++ b/fs/btrfs/accessors.h
@@ -305,6 +305,14 @@ BTRFS_SETGET_FUNCS(timespec_nsec, struct btrfs_timespec, nsec, 32);
BTRFS_SETGET_STACK_FUNCS(stack_timespec_sec, struct btrfs_timespec, sec, 64);
BTRFS_SETGET_STACK_FUNCS(stack_timespec_nsec, struct btrfs_timespec, nsec, 32);
+BTRFS_SETGET_FUNCS(stripe_extent_encoding, struct btrfs_stripe_extent, encoding, 8);
+BTRFS_SETGET_FUNCS(raid_stride_devid, struct btrfs_raid_stride, devid, 64);
+BTRFS_SETGET_FUNCS(raid_stride_physical, struct btrfs_raid_stride, physical, 64);
+BTRFS_SETGET_STACK_FUNCS(stack_stripe_extent_encoding,
+ struct btrfs_stripe_extent, encoding, 8);
+BTRFS_SETGET_STACK_FUNCS(stack_raid_stride_devid, struct btrfs_raid_stride, devid, 64);
+BTRFS_SETGET_STACK_FUNCS(stack_raid_stride_physical, struct btrfs_raid_stride, physical, 64);
+
/* struct btrfs_dev_extent */
BTRFS_SETGET_FUNCS(dev_extent_chunk_tree, struct btrfs_dev_extent, chunk_tree, 64);
BTRFS_SETGET_FUNCS(dev_extent_chunk_objectid, struct btrfs_dev_extent,
diff --git a/fs/btrfs/locking.c b/fs/btrfs/locking.c
index 7979449a58d6b..51737e7350669 100644
--- a/fs/btrfs/locking.c
+++ b/fs/btrfs/locking.c
@@ -73,6 +73,7 @@ static struct btrfs_lockdep_keyset {
{ .id = BTRFS_UUID_TREE_OBJECTID, DEFINE_NAME("uuid") },
{ .id = BTRFS_FREE_SPACE_TREE_OBJECTID, DEFINE_NAME("free-space") },
{ .id = BTRFS_BLOCK_GROUP_TREE_OBJECTID, DEFINE_NAME("block-group") },
+ { .id = BTRFS_RAID_STRIPE_TREE_OBJECTID, DEFINE_NAME("raid-stripe") },
{ .id = 0, DEFINE_NAME("tree") },
};
diff --git a/include/uapi/linux/btrfs_tree.h b/include/uapi/linux/btrfs_tree.h
index fc3c32186d7eb..ca65d7b7a6ca1 100644
--- a/include/uapi/linux/btrfs_tree.h
+++ b/include/uapi/linux/btrfs_tree.h
@@ -73,6 +73,9 @@
/* Holds the block group items for extent tree v2. */
#define BTRFS_BLOCK_GROUP_TREE_OBJECTID 11ULL
+/* Tracks RAID stripes in block groups. */
+#define BTRFS_RAID_STRIPE_TREE_OBJECTID 12ULL
+
/* device stats in the device tree */
#define BTRFS_DEV_STATS_OBJECTID 0ULL
@@ -261,6 +264,8 @@
#define BTRFS_DEV_ITEM_KEY 216
#define BTRFS_CHUNK_ITEM_KEY 228
+#define BTRFS_RAID_STRIPE_KEY 230
+
/*
* Records the overall state of the qgroups.
* There's only one instance of this key present,
@@ -719,6 +724,30 @@ struct btrfs_free_space_header {
__le64 num_bitmaps;
} __attribute__ ((__packed__));
+struct btrfs_raid_stride {
+ /* The id of device this raid extent lives on. */
+ __le64 devid;
+ /* The physical location on disk. */
+ __le64 physical;
+} __attribute__ ((__packed__));
+
+/* The stripe_extent::encoding, 1:1 mapping of enum btrfs_raid_types. */
+#define BTRFS_STRIPE_RAID0 1
+#define BTRFS_STRIPE_RAID1 2
+#define BTRFS_STRIPE_DUP 3
+#define BTRFS_STRIPE_RAID10 4
+#define BTRFS_STRIPE_RAID5 5
+#define BTRFS_STRIPE_RAID6 6
+#define BTRFS_STRIPE_RAID1C3 7
+#define BTRFS_STRIPE_RAID1C4 8
+
+struct btrfs_stripe_extent {
+ __u8 encoding;
+ __u8 reserved[7];
+ /* An array of raid strides this stripe is composed of. */
+ struct btrfs_raid_stride strides[];
+} __attribute__ ((__packed__));
+
#define BTRFS_HEADER_FLAG_WRITTEN (1ULL << 0)
#define BTRFS_HEADER_FLAG_RELOC (1ULL << 1)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 019/567] btrfs: read raid stripe tree from disk
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 018/567] btrfs: add raid stripe tree definitions Greg Kroah-Hartman
@ 2026-03-23 13:38 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 020/567] btrfs: add support for inserting raid stripe extents Greg Kroah-Hartman
` (358 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, David Sterba,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
[ Upstream commit 515020900d447796bc2f0f57064663617a11b65d ]
If we find the raid-stripe-tree on mount, read it from disk. This is
a backward incompatible feature. The rescue=ignorebadroots mount option
will skip this tree.
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: 511dc8912ae3 ("btrfs: fix incorrect key offset in error message in check_dev_extent_item()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/block-rsv.c | 6 ++++++
fs/btrfs/disk-io.c | 18 ++++++++++++++++++
fs/btrfs/fs.h | 1 +
include/uapi/linux/btrfs.h | 1 +
4 files changed, 26 insertions(+)
diff --git a/fs/btrfs/block-rsv.c b/fs/btrfs/block-rsv.c
index 97084ea3af0cc..07bf07431a7f4 100644
--- a/fs/btrfs/block-rsv.c
+++ b/fs/btrfs/block-rsv.c
@@ -354,6 +354,11 @@ void btrfs_update_global_block_rsv(struct btrfs_fs_info *fs_info)
min_items++;
}
+ if (btrfs_fs_incompat(fs_info, RAID_STRIPE_TREE)) {
+ num_bytes += btrfs_root_used(&fs_info->stripe_root->root_item);
+ min_items++;
+ }
+
/*
* But we also want to reserve enough space so we can do the fallback
* global reserve for an unlink, which is an additional
@@ -405,6 +410,7 @@ void btrfs_init_root_block_rsv(struct btrfs_root *root)
case BTRFS_EXTENT_TREE_OBJECTID:
case BTRFS_FREE_SPACE_TREE_OBJECTID:
case BTRFS_BLOCK_GROUP_TREE_OBJECTID:
+ case BTRFS_RAID_STRIPE_TREE_OBJECTID:
root->block_rsv = &fs_info->delayed_refs_rsv;
break;
case BTRFS_ROOT_TREE_OBJECTID:
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 3c26e91a8055f..89e98f9cc2026 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -1179,6 +1179,8 @@ static struct btrfs_root *btrfs_get_global_root(struct btrfs_fs_info *fs_info,
return btrfs_grab_root(fs_info->block_group_root);
case BTRFS_FREE_SPACE_TREE_OBJECTID:
return btrfs_grab_root(btrfs_global_root(fs_info, &key));
+ case BTRFS_RAID_STRIPE_TREE_OBJECTID:
+ return btrfs_grab_root(fs_info->stripe_root);
default:
return NULL;
}
@@ -1259,6 +1261,7 @@ void btrfs_free_fs_info(struct btrfs_fs_info *fs_info)
btrfs_put_root(fs_info->fs_root);
btrfs_put_root(fs_info->data_reloc_root);
btrfs_put_root(fs_info->block_group_root);
+ btrfs_put_root(fs_info->stripe_root);
btrfs_check_leaked_roots(fs_info);
btrfs_extent_buffer_leak_debug_check(fs_info);
kfree(fs_info->super_copy);
@@ -1812,6 +1815,7 @@ static void free_root_pointers(struct btrfs_fs_info *info, bool free_chunk_root)
free_root_extent_buffers(info->fs_root);
free_root_extent_buffers(info->data_reloc_root);
free_root_extent_buffers(info->block_group_root);
+ free_root_extent_buffers(info->stripe_root);
if (free_chunk_root)
free_root_extent_buffers(info->chunk_root);
}
@@ -2287,6 +2291,20 @@ static int btrfs_read_roots(struct btrfs_fs_info *fs_info)
fs_info->uuid_root = root;
}
+ if (btrfs_fs_incompat(fs_info, RAID_STRIPE_TREE)) {
+ location.objectid = BTRFS_RAID_STRIPE_TREE_OBJECTID;
+ root = btrfs_read_tree_root(tree_root, &location);
+ if (IS_ERR(root)) {
+ if (!btrfs_test_opt(fs_info, IGNOREBADROOTS)) {
+ ret = PTR_ERR(root);
+ goto out;
+ }
+ } else {
+ set_bit(BTRFS_ROOT_TRACK_DIRTY, &root->state);
+ fs_info->stripe_root = root;
+ }
+ }
+
return 0;
out:
btrfs_warn(fs_info, "failed to read root (objectid=%llu): %d",
diff --git a/fs/btrfs/fs.h b/fs/btrfs/fs.h
index d24d41f7811a6..b8b9ce8921baf 100644
--- a/fs/btrfs/fs.h
+++ b/fs/btrfs/fs.h
@@ -371,6 +371,7 @@ struct btrfs_fs_info {
struct btrfs_root *uuid_root;
struct btrfs_root *data_reloc_root;
struct btrfs_root *block_group_root;
+ struct btrfs_root *stripe_root;
/* The log root tree is a directory of all the other log roots */
struct btrfs_root *log_root_tree;
diff --git a/include/uapi/linux/btrfs.h b/include/uapi/linux/btrfs.h
index 6f776faaa791c..7b499b90bb779 100644
--- a/include/uapi/linux/btrfs.h
+++ b/include/uapi/linux/btrfs.h
@@ -333,6 +333,7 @@ struct btrfs_ioctl_fs_info_args {
#define BTRFS_FEATURE_INCOMPAT_RAID1C34 (1ULL << 11)
#define BTRFS_FEATURE_INCOMPAT_ZONED (1ULL << 12)
#define BTRFS_FEATURE_INCOMPAT_EXTENT_TREE_V2 (1ULL << 13)
+#define BTRFS_FEATURE_INCOMPAT_RAID_STRIPE_TREE (1ULL << 14)
struct btrfs_ioctl_feature_flags {
__u64 compat_flags;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 020/567] btrfs: add support for inserting raid stripe extents
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-03-23 13:38 ` [PATCH 6.6 019/567] btrfs: read raid stripe tree from disk Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 021/567] btrfs: fix incorrect key offset in error message in check_dev_extent_item() Greg Kroah-Hartman
` (357 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, David Sterba,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
[ Upstream commit 02c372e1f016e5113217597ab37b399c4e407477 ]
Add support for inserting stripe extents into the raid stripe tree on
completion of every write that needs an extra logical-to-physical
translation when using RAID.
Inserting the stripe extents happens after the data I/O has completed,
this is done to
a) support zone-append and
b) rule out the possibility of a RAID-write-hole.
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: 511dc8912ae3 ("btrfs: fix incorrect key offset in error message in check_dev_extent_item()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/Makefile | 2 +-
fs/btrfs/bio.c | 21 +++++++++
fs/btrfs/extent-tree.c | 1 +
fs/btrfs/inode.c | 8 +++-
fs/btrfs/ordered-data.c | 1 +
fs/btrfs/ordered-data.h | 2 +
fs/btrfs/raid-stripe-tree.c | 87 +++++++++++++++++++++++++++++++++++++
fs/btrfs/raid-stripe-tree.h | 35 +++++++++++++++
fs/btrfs/volumes.c | 4 +-
fs/btrfs/volumes.h | 16 ++++---
10 files changed, 168 insertions(+), 9 deletions(-)
create mode 100644 fs/btrfs/raid-stripe-tree.c
create mode 100644 fs/btrfs/raid-stripe-tree.h
diff --git a/fs/btrfs/Makefile b/fs/btrfs/Makefile
index 90d53209755bf..3bb869a84e541 100644
--- a/fs/btrfs/Makefile
+++ b/fs/btrfs/Makefile
@@ -33,7 +33,7 @@ btrfs-y += super.o ctree.o extent-tree.o print-tree.o root-tree.o dir-item.o \
uuid-tree.o props.o free-space-tree.o tree-checker.o space-info.o \
block-rsv.o delalloc-space.o block-group.o discard.o reflink.o \
subpage.o tree-mod-log.o extent-io-tree.o fs.o messages.o bio.o \
- lru_cache.o
+ lru_cache.o raid-stripe-tree.o
btrfs-$(CONFIG_BTRFS_FS_POSIX_ACL) += acl.o
btrfs-$(CONFIG_BTRFS_FS_CHECK_INTEGRITY) += check-integrity.o
diff --git a/fs/btrfs/bio.c b/fs/btrfs/bio.c
index 650972895652d..6fa13be15f301 100644
--- a/fs/btrfs/bio.c
+++ b/fs/btrfs/bio.c
@@ -15,6 +15,7 @@
#include "rcu-string.h"
#include "zoned.h"
#include "file-item.h"
+#include "raid-stripe-tree.h"
static struct bio_set btrfs_bioset;
static struct bio_set btrfs_clone_bioset;
@@ -416,6 +417,9 @@ static void btrfs_orig_write_end_io(struct bio *bio)
else
bio->bi_status = BLK_STS_OK;
+ if (bio_op(bio) == REQ_OP_ZONE_APPEND && !bio->bi_status)
+ stripe->physical = bio->bi_iter.bi_sector << SECTOR_SHIFT;
+
btrfs_orig_bbio_end_io(bbio);
btrfs_put_bioc(bioc);
}
@@ -427,6 +431,8 @@ static void btrfs_clone_write_end_io(struct bio *bio)
if (bio->bi_status) {
atomic_inc(&stripe->bioc->error);
btrfs_log_dev_io_error(bio, stripe->dev);
+ } else if (bio_op(bio) == REQ_OP_ZONE_APPEND) {
+ stripe->physical = bio->bi_iter.bi_sector << SECTOR_SHIFT;
}
/* Pass on control to the original bio this one was cloned from */
@@ -490,6 +496,7 @@ static void btrfs_submit_mirrored_bio(struct btrfs_io_context *bioc, int dev_nr)
bio->bi_private = &bioc->stripes[dev_nr];
bio->bi_iter.bi_sector = bioc->stripes[dev_nr].physical >> SECTOR_SHIFT;
bioc->stripes[dev_nr].bioc = bioc;
+ bioc->size = bio->bi_iter.bi_size;
btrfs_submit_dev_bio(bioc->stripes[dev_nr].dev, bio);
}
@@ -499,6 +506,8 @@ static void __btrfs_submit_bio(struct bio *bio, struct btrfs_io_context *bioc,
if (!bioc) {
/* Single mirror read/write fast path. */
btrfs_bio(bio)->mirror_num = mirror_num;
+ if (bio_op(bio) != REQ_OP_READ)
+ btrfs_bio(bio)->orig_physical = smap->physical;
bio->bi_iter.bi_sector = smap->physical >> SECTOR_SHIFT;
if (bio_op(bio) != REQ_OP_READ)
btrfs_bio(bio)->orig_physical = smap->physical;
@@ -690,6 +699,18 @@ static bool btrfs_submit_chunk(struct btrfs_bio *bbio, int mirror_num)
bio->bi_opf |= REQ_OP_ZONE_APPEND;
}
+ if (is_data_bbio(bbio) && bioc &&
+ btrfs_need_stripe_tree_update(bioc->fs_info, bioc->map_type)) {
+ /*
+ * No locking for the list update, as we only add to
+ * the list in the I/O submission path, and list
+ * iteration only happens in the completion path, which
+ * can't happen until after the last submission.
+ */
+ btrfs_get_bioc(bioc);
+ list_add_tail(&bioc->rst_ordered_entry, &bbio->ordered->bioc_list);
+ }
+
/*
* Csum items for reloc roots have already been cloned at this
* point, so they are handled as part of the no-checksum case.
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 1528a81b2c307..04ea2b2a9383e 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -42,6 +42,7 @@
#include "file-item.h"
#include "orphan.h"
#include "tree-checker.h"
+#include "raid-stripe-tree.h"
#undef SCRAMBLE_DELAYED_REFS
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 96edac307408c..91df180e61e9b 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -71,6 +71,7 @@
#include "super.h"
#include "orphan.h"
#include "backref.h"
+#include "raid-stripe-tree.h"
struct btrfs_iget_args {
u64 ino;
@@ -3104,6 +3105,10 @@ int btrfs_finish_one_ordered(struct btrfs_ordered_extent *ordered_extent)
trans->block_rsv = &inode->block_rsv;
+ ret = btrfs_insert_raid_extent(trans, ordered_extent);
+ if (ret)
+ goto out;
+
if (test_bit(BTRFS_ORDERED_COMPRESSED, &ordered_extent->flags))
compress_type = ordered_extent->compress_type;
if (test_bit(BTRFS_ORDERED_PREALLOC, &ordered_extent->flags)) {
@@ -3252,7 +3257,8 @@ int btrfs_finish_one_ordered(struct btrfs_ordered_extent *ordered_extent)
int btrfs_finish_ordered_io(struct btrfs_ordered_extent *ordered)
{
if (btrfs_is_zoned(btrfs_sb(ordered->inode->i_sb)) &&
- !test_bit(BTRFS_ORDERED_IOERR, &ordered->flags))
+ !test_bit(BTRFS_ORDERED_IOERR, &ordered->flags) &&
+ list_empty(&ordered->bioc_list))
btrfs_finish_ordered_zoned(ordered);
return btrfs_finish_one_ordered(ordered);
}
diff --git a/fs/btrfs/ordered-data.c b/fs/btrfs/ordered-data.c
index c68e9ecbc438c..e0a2d0cfd5ebe 100644
--- a/fs/btrfs/ordered-data.c
+++ b/fs/btrfs/ordered-data.c
@@ -198,6 +198,7 @@ static struct btrfs_ordered_extent *alloc_ordered_extent(
INIT_LIST_HEAD(&entry->log_list);
INIT_LIST_HEAD(&entry->root_extent_list);
INIT_LIST_HEAD(&entry->work_list);
+ INIT_LIST_HEAD(&entry->bioc_list);
init_completion(&entry->completion);
/*
diff --git a/fs/btrfs/ordered-data.h b/fs/btrfs/ordered-data.h
index 173bd5c5df262..1c51ac57e5dfd 100644
--- a/fs/btrfs/ordered-data.h
+++ b/fs/btrfs/ordered-data.h
@@ -151,6 +151,8 @@ struct btrfs_ordered_extent {
struct completion completion;
struct btrfs_work flush_work;
struct list_head work_list;
+
+ struct list_head bioc_list;
};
static inline void
diff --git a/fs/btrfs/raid-stripe-tree.c b/fs/btrfs/raid-stripe-tree.c
new file mode 100644
index 0000000000000..c093e0bbb7be3
--- /dev/null
+++ b/fs/btrfs/raid-stripe-tree.c
@@ -0,0 +1,87 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2023 Western Digital Corporation or its affiliates.
+ */
+
+#include <linux/btrfs_tree.h>
+#include "ctree.h"
+#include "fs.h"
+#include "accessors.h"
+#include "transaction.h"
+#include "disk-io.h"
+#include "raid-stripe-tree.h"
+#include "volumes.h"
+#include "misc.h"
+#include "print-tree.h"
+
+static int btrfs_insert_one_raid_extent(struct btrfs_trans_handle *trans,
+ struct btrfs_io_context *bioc)
+{
+ struct btrfs_fs_info *fs_info = trans->fs_info;
+ struct btrfs_key stripe_key;
+ struct btrfs_root *stripe_root = fs_info->stripe_root;
+ const int num_stripes = btrfs_bg_type_to_factor(bioc->map_type);
+ u8 encoding = btrfs_bg_flags_to_raid_index(bioc->map_type);
+ struct btrfs_stripe_extent *stripe_extent;
+ const size_t item_size = struct_size(stripe_extent, strides, num_stripes);
+ int ret;
+
+ stripe_extent = kzalloc(item_size, GFP_NOFS);
+ if (!stripe_extent) {
+ btrfs_abort_transaction(trans, -ENOMEM);
+ btrfs_end_transaction(trans);
+ return -ENOMEM;
+ }
+
+ btrfs_set_stack_stripe_extent_encoding(stripe_extent, encoding);
+ for (int i = 0; i < num_stripes; i++) {
+ u64 devid = bioc->stripes[i].dev->devid;
+ u64 physical = bioc->stripes[i].physical;
+ u64 length = bioc->stripes[i].length;
+ struct btrfs_raid_stride *raid_stride = &stripe_extent->strides[i];
+
+ if (length == 0)
+ length = bioc->size;
+
+ btrfs_set_stack_raid_stride_devid(raid_stride, devid);
+ btrfs_set_stack_raid_stride_physical(raid_stride, physical);
+ }
+
+ stripe_key.objectid = bioc->logical;
+ stripe_key.type = BTRFS_RAID_STRIPE_KEY;
+ stripe_key.offset = bioc->size;
+
+ ret = btrfs_insert_item(trans, stripe_root, &stripe_key, stripe_extent,
+ item_size);
+ if (ret)
+ btrfs_abort_transaction(trans, ret);
+
+ kfree(stripe_extent);
+
+ return ret;
+}
+
+int btrfs_insert_raid_extent(struct btrfs_trans_handle *trans,
+ struct btrfs_ordered_extent *ordered_extent)
+{
+ struct btrfs_io_context *bioc;
+ int ret;
+
+ if (!btrfs_fs_incompat(trans->fs_info, RAID_STRIPE_TREE))
+ return 0;
+
+ list_for_each_entry(bioc, &ordered_extent->bioc_list, rst_ordered_entry) {
+ ret = btrfs_insert_one_raid_extent(trans, bioc);
+ if (ret)
+ return ret;
+ }
+
+ while (!list_empty(&ordered_extent->bioc_list)) {
+ bioc = list_first_entry(&ordered_extent->bioc_list,
+ typeof(*bioc), rst_ordered_entry);
+ list_del(&bioc->rst_ordered_entry);
+ btrfs_put_bioc(bioc);
+ }
+
+ return ret;
+}
diff --git a/fs/btrfs/raid-stripe-tree.h b/fs/btrfs/raid-stripe-tree.h
new file mode 100644
index 0000000000000..7a169e75ad6df
--- /dev/null
+++ b/fs/btrfs/raid-stripe-tree.h
@@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) 2023 Western Digital Corporation or its affiliates.
+ */
+
+#ifndef BTRFS_RAID_STRIPE_TREE_H
+#define BTRFS_RAID_STRIPE_TREE_H
+
+struct btrfs_io_context;
+struct btrfs_io_stripe;
+struct btrfs_ordered_extent;
+struct btrfs_trans_handle;
+
+int btrfs_insert_raid_extent(struct btrfs_trans_handle *trans,
+ struct btrfs_ordered_extent *ordered_extent);
+
+static inline bool btrfs_need_stripe_tree_update(struct btrfs_fs_info *fs_info,
+ u64 map_type)
+{
+ u64 type = map_type & BTRFS_BLOCK_GROUP_TYPE_MASK;
+ u64 profile = map_type & BTRFS_BLOCK_GROUP_PROFILE_MASK;
+
+ if (!btrfs_fs_incompat(fs_info, RAID_STRIPE_TREE))
+ return false;
+
+ if (type != BTRFS_BLOCK_GROUP_DATA)
+ return false;
+
+ if (profile & BTRFS_BLOCK_GROUP_RAID1_MASK)
+ return true;
+
+ return false;
+}
+
+#endif
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index 6ce083a6ed61f..23756f1464013 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -5943,6 +5943,7 @@ static int find_live_mirror(struct btrfs_fs_info *fs_info,
}
static struct btrfs_io_context *alloc_btrfs_io_context(struct btrfs_fs_info *fs_info,
+ u64 logical,
u16 total_stripes)
{
struct btrfs_io_context *bioc;
@@ -5962,6 +5963,7 @@ static struct btrfs_io_context *alloc_btrfs_io_context(struct btrfs_fs_info *fs_
bioc->fs_info = fs_info;
bioc->replace_stripe_src = -1;
bioc->full_stripe_logical = (u64)-1;
+ bioc->logical = logical;
return bioc;
}
@@ -6498,7 +6500,7 @@ int btrfs_map_block(struct btrfs_fs_info *fs_info, enum btrfs_map_op op,
goto out;
}
- bioc = alloc_btrfs_io_context(fs_info, num_alloc_stripes);
+ bioc = alloc_btrfs_io_context(fs_info, logical, num_alloc_stripes);
if (!bioc) {
ret = -ENOMEM;
goto out;
diff --git a/fs/btrfs/volumes.h b/fs/btrfs/volumes.h
index 5203095318b02..c6c5253bf5064 100644
--- a/fs/btrfs/volumes.h
+++ b/fs/btrfs/volumes.h
@@ -387,12 +387,11 @@ struct btrfs_fs_devices {
struct btrfs_io_stripe {
struct btrfs_device *dev;
- union {
- /* Block mapping */
- u64 physical;
- /* For the endio handler */
- struct btrfs_io_context *bioc;
- };
+ /* Block mapping. */
+ u64 physical;
+ u64 length;
+ /* For the endio handler. */
+ struct btrfs_io_context *bioc;
};
struct btrfs_discard_stripe {
@@ -425,6 +424,11 @@ struct btrfs_io_context {
atomic_t error;
u16 max_errors;
+ u64 logical;
+ u64 size;
+ /* Raid stripe tree ordered entry. */
+ struct list_head rst_ordered_entry;
+
/*
* The total number of stripes, including the extra duplicated
* stripe for replace.
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 021/567] btrfs: fix incorrect key offset in error message in check_dev_extent_item()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 020/567] btrfs: add support for inserting raid stripe extents Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 022/567] btrfs: fix objectid value in error message in check_extent_data_ref() Greg Kroah-Hartman
` (356 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Mason, Qu Wenruo,
Mark Harmstone, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Harmstone <mark@harmstone.com>
[ Upstream commit 511dc8912ae3e929c1a182f5e6b2326516fd42a0 ]
Fix the error message in check_dev_extent_item(), when an overlapping
stripe is encountered. For dev extents, objectid is the disk number and
offset the physical address, so prev_key->objectid should actually be
prev_key->offset.
(I can't take any credit for this one - this was discovered by Chris and
his friend Claude.)
Reported-by: Chris Mason <clm@fb.com>
Fixes: 008e2512dc56 ("btrfs: tree-checker: add dev extent item checks")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Mark Harmstone <mark@harmstone.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/tree-checker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
index 0d93368c1691a..bca5ec4c26630 100644
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -1802,7 +1802,7 @@ static int check_dev_extent_item(const struct extent_buffer *leaf,
if (unlikely(prev_key->offset + prev_len > key->offset)) {
generic_err(leaf, slot,
"dev extent overlap, prev offset %llu len %llu current offset %llu",
- prev_key->objectid, prev_len, key->offset);
+ prev_key->offset, prev_len, key->offset);
return -EUCLEAN;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 022/567] btrfs: fix objectid value in error message in check_extent_data_ref()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 021/567] btrfs: fix incorrect key offset in error message in check_dev_extent_item() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 023/567] btrfs: fix warning in scrub_verify_one_metadata() Greg Kroah-Hartman
` (355 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Mark Harmstone,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Harmstone <mark@harmstone.com>
[ Upstream commit a10172780526c2002e062102ad4f2aabac495889 ]
Fix a copy-paste error in check_extent_data_ref(): we're printing root
as in the message above, we should be printing objectid.
Fixes: f333a3c7e832 ("btrfs: tree-checker: validate dref root and objectid")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Mark Harmstone <mark@harmstone.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/tree-checker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
index bca5ec4c26630..e38994ac14848 100644
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -1673,7 +1673,7 @@ static int check_extent_data_ref(struct extent_buffer *leaf,
objectid > BTRFS_LAST_FREE_OBJECTID)) {
extent_err(leaf, slot,
"invalid extent data backref objectid value %llu",
- root);
+ objectid);
return -EUCLEAN;
}
if (unlikely(!IS_ALIGNED(offset, leaf->fs_info->sectorsize))) {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 023/567] btrfs: fix warning in scrub_verify_one_metadata()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 022/567] btrfs: fix objectid value in error message in check_extent_data_ref() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 024/567] btrfs: fix compat mask in error messages in btrfs_check_features() Greg Kroah-Hartman
` (354 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Mark Harmstone,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Harmstone <mark@harmstone.com>
[ Upstream commit 44e2fda66427a0442d8d2c0e6443256fb458ab6b ]
Commit b471965fdb2d ("btrfs: fix replace/scrub failure with
metadata_uuid") fixed the comparison in scrub_verify_one_metadata() to
use metadata_uuid rather than fsid, but left the warning as it was. Fix
it so it matches what we're doing.
Fixes: b471965fdb2d ("btrfs: fix replace/scrub failure with metadata_uuid")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Mark Harmstone <mark@harmstone.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/scrub.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
index 3338e2e7a9a02..d2d2548eea05a 100644
--- a/fs/btrfs/scrub.c
+++ b/fs/btrfs/scrub.c
@@ -635,7 +635,7 @@ static void scrub_verify_one_metadata(struct scrub_stripe *stripe, int sector_nr
btrfs_warn_rl(fs_info,
"tree block %llu mirror %u has bad fsid, has %pU want %pU",
logical, stripe->mirror_num,
- header->fsid, fs_info->fs_devices->fsid);
+ header->fsid, fs_info->fs_devices->metadata_uuid);
return;
}
if (memcmp(header->chunk_tree_uuid, fs_info->chunk_tree_uuid,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 024/567] btrfs: fix compat mask in error messages in btrfs_check_features()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 023/567] btrfs: fix warning in scrub_verify_one_metadata() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 025/567] bpf: Fix stack-out-of-bounds write in devmap Greg Kroah-Hartman
` (353 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Mark Harmstone,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Harmstone <mark@harmstone.com>
[ Upstream commit 587bb33b10bda645a1028c1737ad3992b3d7cf61 ]
Commit d7f67ac9a928 ("btrfs: relax block-group-tree feature dependency
checks") introduced a regression when it comes to handling unsupported
incompat or compat_ro flags. Beforehand we only printed the flags that
we didn't recognize, afterwards we printed them all, which is less
useful. Fix the error handling so it behaves like it used to.
Fixes: d7f67ac9a928 ("btrfs: relax block-group-tree feature dependency checks")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Mark Harmstone <mark@harmstone.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/disk-io.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 89e98f9cc2026..23431bc81c64a 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -3094,7 +3094,7 @@ int btrfs_check_features(struct btrfs_fs_info *fs_info, bool is_rw_mount)
if (incompat & ~BTRFS_FEATURE_INCOMPAT_SUPP) {
btrfs_err(fs_info,
"cannot mount because of unknown incompat features (0x%llx)",
- incompat);
+ incompat & ~BTRFS_FEATURE_INCOMPAT_SUPP);
return -EINVAL;
}
@@ -3126,7 +3126,7 @@ int btrfs_check_features(struct btrfs_fs_info *fs_info, bool is_rw_mount)
if (compat_ro_unsupp && is_rw_mount) {
btrfs_err(fs_info,
"cannot mount read-write because of unknown compat_ro features (0x%llx)",
- compat_ro);
+ compat_ro_unsupp);
return -EINVAL;
}
@@ -3139,7 +3139,7 @@ int btrfs_check_features(struct btrfs_fs_info *fs_info, bool is_rw_mount)
!btrfs_test_opt(fs_info, NOLOGREPLAY)) {
btrfs_err(fs_info,
"cannot replay dirty log with unsupported compat_ro features (0x%llx), try rescue=nologreplay",
- compat_ro);
+ compat_ro_unsupp);
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 025/567] bpf: Fix stack-out-of-bounds write in devmap
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 024/567] btrfs: fix compat mask in error messages in btrfs_check_features() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 026/567] PCI: Correct PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 value Greg Kroah-Hartman
` (352 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+10cc7f13760b31bd2e61,
Toke Høiland-Jørgensen, Kohei Enju, Alexei Starovoitov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kohei Enju <kohei@enjuk.jp>
[ Upstream commit b7bf516c3ecd9a2aae2dc2635178ab87b734fef1 ]
get_upper_ifindexes() iterates over all upper devices and writes their
indices into an array without checking bounds.
Also the callers assume that the max number of upper devices is
MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,
but that assumption is not correct and the number of upper devices could
be larger than MAX_NEST_DEV (e.g., many macvlans), causing a
stack-out-of-bounds write.
Add a max parameter to get_upper_ifindexes() to avoid the issue.
When there are too many upper devices, return -EOVERFLOW and abort the
redirect.
To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with
an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.
Then send a packet to the device to trigger the XDP redirect path.
Reported-by: syzbot+10cc7f13760b31bd2e61@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/698c4ce3.050a0220.340abe.000b.GAE@google.com/T/
Fixes: aeea1b86f936 ("bpf, devmap: Exclude XDP broadcast to master device")
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
Link: https://lore.kernel.org/r/20260225053506.4738-1-kohei@enjuk.jp
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/devmap.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 5f2356b47b2dd..3bdec239be610 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -577,18 +577,22 @@ static inline bool is_ifindex_excluded(int *excluded, int num_excluded, int ifin
}
/* Get ifindex of each upper device. 'indexes' must be able to hold at
- * least MAX_NEST_DEV elements.
- * Returns the number of ifindexes added.
+ * least 'max' elements.
+ * Returns the number of ifindexes added, or -EOVERFLOW if there are too
+ * many upper devices.
*/
-static int get_upper_ifindexes(struct net_device *dev, int *indexes)
+static int get_upper_ifindexes(struct net_device *dev, int *indexes, int max)
{
struct net_device *upper;
struct list_head *iter;
int n = 0;
netdev_for_each_upper_dev_rcu(dev, upper, iter) {
+ if (n >= max)
+ return -EOVERFLOW;
indexes[n++] = upper->ifindex;
}
+
return n;
}
@@ -604,7 +608,11 @@ int dev_map_enqueue_multi(struct xdp_frame *xdpf, struct net_device *dev_rx,
int err;
if (exclude_ingress) {
- num_excluded = get_upper_ifindexes(dev_rx, excluded_devices);
+ num_excluded = get_upper_ifindexes(dev_rx, excluded_devices,
+ ARRAY_SIZE(excluded_devices) - 1);
+ if (num_excluded < 0)
+ return num_excluded;
+
excluded_devices[num_excluded++] = dev_rx->ifindex;
}
@@ -722,7 +730,11 @@ int dev_map_redirect_multi(struct net_device *dev, struct sk_buff *skb,
int err;
if (exclude_ingress) {
- num_excluded = get_upper_ifindexes(dev, excluded_devices);
+ num_excluded = get_upper_ifindexes(dev, excluded_devices,
+ ARRAY_SIZE(excluded_devices) - 1);
+ if (num_excluded < 0)
+ return num_excluded;
+
excluded_devices[num_excluded++] = dev->ifindex;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 026/567] PCI: Correct PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 value
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 025/567] bpf: Fix stack-out-of-bounds write in devmap Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 027/567] memory: mtk-smi: Convert to platform remove callback returning void Greg Kroah-Hartman
` (351 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Woodhouse, Bjorn Helgaas,
Krzysztof Wilczyński, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas <bhelgaas@google.com>
[ Upstream commit 39195990e4c093c9eecf88f29811c6de29265214 ]
fb82437fdd8c ("PCI: Change capability register offsets to hex") incorrectly
converted the PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 value from decimal 52 to hex
0x32:
-#define PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 52 /* v2 endpoints with link end here */
+#define PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 0x32 /* end of v2 EPs w/ link */
This broke PCI capabilities in a VMM because subsequent ones weren't
DWORD-aligned.
Change PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 to the correct value of 0x34.
fb82437fdd8c was from Baruch Siach <baruch@tkos.co.il>, but this was not
Baruch's fault; it's a mistake I made when applying the patch.
Fixes: fb82437fdd8c ("PCI: Change capability register offsets to hex")
Reported-by: David Woodhouse <dwmw2@infradead.org>
Closes: https://lore.kernel.org/all/3ae392a0158e9d9ab09a1d42150429dd8ca42791.camel@infradead.org
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/pci_regs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/pci_regs.h b/include/uapi/linux/pci_regs.h
index ade8dabf62108..036991bee1a74 100644
--- a/include/uapi/linux/pci_regs.h
+++ b/include/uapi/linux/pci_regs.h
@@ -694,7 +694,7 @@
#define PCI_EXP_LNKCTL2_HASD 0x0020 /* HW Autonomous Speed Disable */
#define PCI_EXP_LNKSTA2 0x32 /* Link Status 2 */
#define PCI_EXP_LNKSTA2_FLIT 0x0400 /* Flit Mode Status */
-#define PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 0x32 /* end of v2 EPs w/ link */
+#define PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 0x34 /* end of v2 EPs w/ link */
#define PCI_EXP_SLTCAP2 0x34 /* Slot Capabilities 2 */
#define PCI_EXP_SLTCAP2_IBPD 0x00000001 /* In-band PD Disable Supported */
#define PCI_EXP_SLTCTL2 0x38 /* Slot Control 2 */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 027/567] memory: mtk-smi: Convert to platform remove callback returning void
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 026/567] PCI: Correct PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 value Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 028/567] memory: mtk-smi: fix device leaks on common probe Greg Kroah-Hartman
` (350 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Krzysztof Kozlowski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 08c1aeaa45ce0fd18912e92c6705586c8aa5240f ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is ignored (apart
from emitting a warning) and this typically results in resource leaks.
To improve here there is a quest to make the remove callback return
void. In the first step of this quest all drivers are converted to
.remove_new(), which already returns void. Eventually after all drivers
are converted, .remove_new() will be renamed to .remove().
Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/5c35a33cfdc359842e034ddd2e9358f10e91fa1f.1702822744.git.u.kleine-koenig@pengutronix.de
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Stable-dep-of: 6cfa038bddd7 ("memory: mtk-smi: fix device leaks on common probe")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/memory/mtk-smi.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/drivers/memory/mtk-smi.c b/drivers/memory/mtk-smi.c
index 6523cb5105182..572c7fbdcfd3a 100644
--- a/drivers/memory/mtk-smi.c
+++ b/drivers/memory/mtk-smi.c
@@ -566,14 +566,13 @@ static int mtk_smi_larb_probe(struct platform_device *pdev)
return ret;
}
-static int mtk_smi_larb_remove(struct platform_device *pdev)
+static void mtk_smi_larb_remove(struct platform_device *pdev)
{
struct mtk_smi_larb *larb = platform_get_drvdata(pdev);
device_link_remove(&pdev->dev, larb->smi_common_dev);
pm_runtime_disable(&pdev->dev);
component_del(&pdev->dev, &mtk_smi_larb_component_ops);
- return 0;
}
static int __maybe_unused mtk_smi_larb_resume(struct device *dev)
@@ -616,7 +615,7 @@ static const struct dev_pm_ops smi_larb_pm_ops = {
static struct platform_driver mtk_smi_larb_driver = {
.probe = mtk_smi_larb_probe,
- .remove = mtk_smi_larb_remove,
+ .remove_new = mtk_smi_larb_remove,
.driver = {
.name = "mtk-smi-larb",
.of_match_table = mtk_smi_larb_of_ids,
@@ -795,14 +794,13 @@ static int mtk_smi_common_probe(struct platform_device *pdev)
return 0;
}
-static int mtk_smi_common_remove(struct platform_device *pdev)
+static void mtk_smi_common_remove(struct platform_device *pdev)
{
struct mtk_smi *common = dev_get_drvdata(&pdev->dev);
if (common->plat->type == MTK_SMI_GEN2_SUB_COMM)
device_link_remove(&pdev->dev, common->smi_common_dev);
pm_runtime_disable(&pdev->dev);
- return 0;
}
static int __maybe_unused mtk_smi_common_resume(struct device *dev)
@@ -842,7 +840,7 @@ static const struct dev_pm_ops smi_common_pm_ops = {
static struct platform_driver mtk_smi_common_driver = {
.probe = mtk_smi_common_probe,
- .remove = mtk_smi_common_remove,
+ .remove_new = mtk_smi_common_remove,
.driver = {
.name = "mtk-smi-common",
.of_match_table = mtk_smi_common_of_ids,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 028/567] memory: mtk-smi: fix device leaks on common probe
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 027/567] memory: mtk-smi: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 029/567] memory: mtk-smi: fix device leak on larb probe Greg Kroah-Hartman
` (349 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yong Wu, Miaoqian Lin, Johan Hovold,
Krzysztof Kozlowski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 6cfa038bddd710f544076ea2ef7792fc82fbedd6 ]
Make sure to drop the reference taken when looking up the SMI device
during common probe on late probe failure (e.g. probe deferral) and on
driver unbind.
Fixes: 47404757702e ("memory: mtk-smi: Add device link for smi-sub-common")
Fixes: 038ae37c510f ("memory: mtk-smi: add missing put_device() call in mtk_smi_device_link_common")
Cc: stable@vger.kernel.org # 5.16: 038ae37c510f
Cc: stable@vger.kernel.org # 5.16
Cc: Yong Wu <yong.wu@mediatek.com>
Cc: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251121164624.13685-2-johan@kernel.org
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/memory/mtk-smi.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/memory/mtk-smi.c b/drivers/memory/mtk-smi.c
index 572c7fbdcfd3a..668afd12e4c51 100644
--- a/drivers/memory/mtk-smi.c
+++ b/drivers/memory/mtk-smi.c
@@ -563,6 +563,7 @@ static int mtk_smi_larb_probe(struct platform_device *pdev)
err_pm_disable:
pm_runtime_disable(dev);
device_link_remove(dev, larb->smi_common_dev);
+ put_device(larb->smi_common_dev);
return ret;
}
@@ -801,6 +802,7 @@ static void mtk_smi_common_remove(struct platform_device *pdev)
if (common->plat->type == MTK_SMI_GEN2_SUB_COMM)
device_link_remove(&pdev->dev, common->smi_common_dev);
pm_runtime_disable(&pdev->dev);
+ put_device(common->smi_common_dev);
}
static int __maybe_unused mtk_smi_common_resume(struct device *dev)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 029/567] memory: mtk-smi: fix device leak on larb probe
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 028/567] memory: mtk-smi: fix device leaks on common probe Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 030/567] PCI: Update BAR # and window messages Greg Kroah-Hartman
` (348 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yong Wu, Miaoqian Lin, Johan Hovold,
Krzysztof Kozlowski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 9dae65913b32d05dbc8ff4b8a6bf04a0e49a8eb6 ]
Make sure to drop the reference taken when looking up the SMI device
during larb probe on late probe failure (e.g. probe deferral) and on
driver unbind.
Fixes: cc8bbe1a8312 ("memory: mediatek: Add SMI driver")
Fixes: 038ae37c510f ("memory: mtk-smi: add missing put_device() call in mtk_smi_device_link_common")
Cc: stable@vger.kernel.org # 4.6: 038ae37c510f
Cc: stable@vger.kernel.org # 4.6
Cc: Yong Wu <yong.wu@mediatek.com>
Cc: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251121164624.13685-3-johan@kernel.org
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/memory/mtk-smi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/memory/mtk-smi.c b/drivers/memory/mtk-smi.c
index 668afd12e4c51..5ca197e15eb28 100644
--- a/drivers/memory/mtk-smi.c
+++ b/drivers/memory/mtk-smi.c
@@ -574,6 +574,7 @@ static void mtk_smi_larb_remove(struct platform_device *pdev)
device_link_remove(&pdev->dev, larb->smi_common_dev);
pm_runtime_disable(&pdev->dev);
component_del(&pdev->dev, &mtk_smi_larb_component_ops);
+ put_device(larb->smi_common_dev);
}
static int __maybe_unused mtk_smi_larb_resume(struct device *dev)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 030/567] PCI: Update BAR # and window messages
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 029/567] memory: mtk-smi: fix device leak on larb probe Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 031/567] PCI: Use resource names in PCI log messages Greg Kroah-Hartman
` (347 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Puranjay Mohan, Bjorn Helgaas,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay12@gmail.com>
[ Upstream commit 65f8e0beac5a495b8f3b387add1f9f4470678cb5 ]
The PCI log messages print the register offsets at some places and BAR
numbers at other places. There is no uniformity in this logging mechanism.
It would be better to print names than register offsets.
Add a helper function that aids in printing more meaningful information
about the BAR numbers like "VF BAR", "ROM", "bridge window", etc. This
function can be called while printing PCI log messages.
[bhelgaas: fold in Lukas' static array suggestion from
https: //lore.kernel.org/all/20211106115831.GA7452@wunner.de/]
Link: https://lore.kernel.org/r/20211106112606.192563-2-puranjay12@gmail.com
Signed-off-by: Puranjay Mohan <puranjay12@gmail.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Stable-dep-of: 11721c45a826 ("PCI: Use resource_set_range() that correctly sets ->end")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++
drivers/pci/pci.h | 2 ++
2 files changed, 62 insertions(+)
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index d7d7913eb0ee9..e3612e0e35639 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -850,6 +850,66 @@ struct resource *pci_find_resource(struct pci_dev *dev, struct resource *res)
}
EXPORT_SYMBOL(pci_find_resource);
+/**
+ * pci_resource_name - Return the name of the PCI resource
+ * @dev: PCI device to query
+ * @i: index of the resource
+ *
+ * Return the standard PCI resource (BAR) name according to their index.
+ */
+const char *pci_resource_name(struct pci_dev *dev, unsigned int i)
+{
+ static const char * const bar_name[] = {
+ "BAR 0",
+ "BAR 1",
+ "BAR 2",
+ "BAR 3",
+ "BAR 4",
+ "BAR 5",
+ "ROM",
+#ifdef CONFIG_PCI_IOV
+ "VF BAR 0",
+ "VF BAR 1",
+ "VF BAR 2",
+ "VF BAR 3",
+ "VF BAR 4",
+ "VF BAR 5",
+#endif
+ "bridge window", /* "io" included in %pR */
+ "bridge window", /* "mem" included in %pR */
+ "bridge window", /* "mem pref" included in %pR */
+ };
+ static const char * const cardbus_name[] = {
+ "BAR 1",
+ "unknown",
+ "unknown",
+ "unknown",
+ "unknown",
+ "unknown",
+#ifdef CONFIG_PCI_IOV
+ "unknown",
+ "unknown",
+ "unknown",
+ "unknown",
+ "unknown",
+ "unknown",
+#endif
+ "CardBus bridge window 0", /* I/O */
+ "CardBus bridge window 1", /* I/O */
+ "CardBus bridge window 0", /* mem */
+ "CardBus bridge window 1", /* mem */
+ };
+
+ if (dev->hdr_type == PCI_HEADER_TYPE_CARDBUS &&
+ i < ARRAY_SIZE(cardbus_name))
+ return cardbus_name[i];
+
+ if (i < ARRAY_SIZE(bar_name))
+ return bar_name[i];
+
+ return "unknown";
+}
+
/**
* pci_wait_for_pending - wait for @mask bit(s) to clear in status word @pos
* @dev: the PCI device to operate on
diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
index 485f917641e11..dae7b98536f7a 100644
--- a/drivers/pci/pci.h
+++ b/drivers/pci/pci.h
@@ -281,6 +281,8 @@ void __pci_bus_assign_resources(const struct pci_bus *bus,
struct list_head *fail_head);
bool pci_bus_clip_resource(struct pci_dev *dev, int idx);
+const char *pci_resource_name(struct pci_dev *dev, unsigned int i);
+
void pci_reassigndev_resource_alignment(struct pci_dev *dev);
void pci_disable_bridge_window(struct pci_dev *dev);
struct pci_bus *pci_bus_get(struct pci_bus *bus);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 031/567] PCI: Use resource names in PCI log messages
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 030/567] PCI: Update BAR # and window messages Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 032/567] resource: Add resource set range and size helpers Greg Kroah-Hartman
` (346 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Puranjay Mohan, Bjorn Helgaas,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay12@gmail.com>
[ Upstream commit dc4e6f21c3f844ebc1c52b6920b8ec5dfc73f4e8 ]
Use the pci_resource_name() to get the name of the resource and use it
while printing log messages.
[bhelgaas: rename to match struct resource * names, also use names in other
BAR messages]
Link: https://lore.kernel.org/r/20211106112606.192563-3-puranjay12@gmail.com
Signed-off-by: Puranjay Mohan <puranjay12@gmail.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Stable-dep-of: 11721c45a826 ("PCI: Use resource_set_range() that correctly sets ->end")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/iov.c | 7 ++--
drivers/pci/pci.c | 25 +++++++-------
drivers/pci/probe.c | 26 +++++++--------
drivers/pci/quirks.c | 15 ++++++---
drivers/pci/setup-bus.c | 30 +++++++++++------
drivers/pci/setup-res.c | 72 +++++++++++++++++++++++------------------
6 files changed, 103 insertions(+), 72 deletions(-)
diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c
index b8bce45a59986..d595a345a7d47 100644
--- a/drivers/pci/iov.c
+++ b/drivers/pci/iov.c
@@ -749,6 +749,7 @@ static int sriov_init(struct pci_dev *dev, int pos)
u16 ctrl, total;
struct pci_sriov *iov;
struct resource *res;
+ const char *res_name;
struct pci_dev *pdev;
pci_read_config_word(dev, pos + PCI_SRIOV_CTRL, &ctrl);
@@ -789,6 +790,8 @@ static int sriov_init(struct pci_dev *dev, int pos)
nres = 0;
for (i = 0; i < PCI_SRIOV_NUM_BARS; i++) {
res = &dev->resource[i + PCI_IOV_RESOURCES];
+ res_name = pci_resource_name(dev, i + PCI_IOV_RESOURCES);
+
/*
* If it is already FIXED, don't change it, something
* (perhaps EA or header fixups) wants it this way.
@@ -806,8 +809,8 @@ static int sriov_init(struct pci_dev *dev, int pos)
}
iov->barsz[i] = resource_size(res);
res->end = res->start + resource_size(res) * total - 1;
- pci_info(dev, "VF(n) BAR%d space: %pR (contains BAR%d for %d VFs)\n",
- i, res, i, total);
+ pci_info(dev, "%s %pR: contains BAR %d for %d VFs\n",
+ res_name, res, i, total);
i += bar64;
nres++;
}
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index e3612e0e35639..d015df77ddff5 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -3419,6 +3419,7 @@ static struct resource *pci_ea_get_resource(struct pci_dev *dev, u8 bei,
static int pci_ea_read(struct pci_dev *dev, int offset)
{
struct resource *res;
+ const char *res_name;
int ent_size, ent_offset = offset;
resource_size_t start, end;
unsigned long flags;
@@ -3448,6 +3449,7 @@ static int pci_ea_read(struct pci_dev *dev, int offset)
goto out;
res = pci_ea_get_resource(dev, bei, prop);
+ res_name = pci_resource_name(dev, bei);
if (!res) {
pci_err(dev, "Unsupported EA entry BEI: %u\n", bei);
goto out;
@@ -3521,16 +3523,16 @@ static int pci_ea_read(struct pci_dev *dev, int offset)
res->flags = flags;
if (bei <= PCI_EA_BEI_BAR5)
- pci_info(dev, "BAR %d: %pR (from Enhanced Allocation, properties %#02x)\n",
- bei, res, prop);
+ pci_info(dev, "%s %pR: from Enhanced Allocation, properties %#02x\n",
+ res_name, res, prop);
else if (bei == PCI_EA_BEI_ROM)
- pci_info(dev, "ROM: %pR (from Enhanced Allocation, properties %#02x)\n",
- res, prop);
+ pci_info(dev, "%s %pR: from Enhanced Allocation, properties %#02x\n",
+ res_name, res, prop);
else if (bei >= PCI_EA_BEI_VF_BAR0 && bei <= PCI_EA_BEI_VF_BAR5)
- pci_info(dev, "VF BAR %d: %pR (from Enhanced Allocation, properties %#02x)\n",
- bei - PCI_EA_BEI_VF_BAR0, res, prop);
+ pci_info(dev, "%s %pR: from Enhanced Allocation, properties %#02x\n",
+ res_name, res, prop);
else
- pci_info(dev, "BEI %d res: %pR (from Enhanced Allocation, properties %#02x)\n",
+ pci_info(dev, "BEI %d %pR: from Enhanced Allocation, properties %#02x\n",
bei, res, prop);
out:
@@ -6840,14 +6842,15 @@ static void pci_request_resource_alignment(struct pci_dev *dev, int bar,
resource_size_t align, bool resize)
{
struct resource *r = &dev->resource[bar];
+ const char *r_name = pci_resource_name(dev, bar);
resource_size_t size;
if (!(r->flags & IORESOURCE_MEM))
return;
if (r->flags & IORESOURCE_PCI_FIXED) {
- pci_info(dev, "BAR%d %pR: ignoring requested alignment %#llx\n",
- bar, r, (unsigned long long)align);
+ pci_info(dev, "%s %pR: ignoring requested alignment %#llx\n",
+ r_name, r, (unsigned long long)align);
return;
}
@@ -6883,8 +6886,8 @@ static void pci_request_resource_alignment(struct pci_dev *dev, int bar,
* devices and we use the second.
*/
- pci_info(dev, "BAR%d %pR: requesting alignment to %#llx\n",
- bar, r, (unsigned long long)align);
+ pci_info(dev, "%s %pR: requesting alignment to %#llx\n",
+ r_name, r, (unsigned long long)align);
if (resize) {
r->start = 0;
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index cc56bf47c4a3f..92f1902afa3b7 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -180,6 +180,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
u64 l64, sz64, mask64;
u16 orig_cmd;
struct pci_bus_region region, inverted_region;
+ const char *res_name = pci_resource_name(dev, res - dev->resource);
mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
@@ -254,8 +255,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
sz64 = pci_size(l64, sz64, mask64);
if (!sz64) {
- pci_info(dev, FW_BUG "reg 0x%x: invalid BAR (can't size)\n",
- pos);
+ pci_info(dev, FW_BUG "%s: invalid; can't size\n", res_name);
goto fail;
}
@@ -265,8 +265,8 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
res->flags |= IORESOURCE_UNSET | IORESOURCE_DISABLED;
res->start = 0;
res->end = 0;
- pci_err(dev, "reg 0x%x: can't handle BAR larger than 4GB (size %#010llx)\n",
- pos, (unsigned long long)sz64);
+ pci_err(dev, "%s: can't handle BAR larger than 4GB (size %#010llx)\n",
+ res_name, (unsigned long long)sz64);
goto out;
}
@@ -275,8 +275,8 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
res->flags |= IORESOURCE_UNSET;
res->start = 0;
res->end = sz64 - 1;
- pci_info(dev, "reg 0x%x: can't handle BAR above 4GB (bus address %#010llx)\n",
- pos, (unsigned long long)l64);
+ pci_info(dev, "%s: can't handle BAR above 4GB (bus address %#010llx)\n",
+ res_name, (unsigned long long)l64);
goto out;
}
}
@@ -302,8 +302,8 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
res->flags |= IORESOURCE_UNSET;
res->start = 0;
res->end = region.end - region.start;
- pci_info(dev, "reg 0x%x: initial BAR value %#010llx invalid\n",
- pos, (unsigned long long)region.start);
+ pci_info(dev, "%s: initial BAR value %#010llx invalid\n",
+ res_name, (unsigned long long)region.start);
}
goto out;
@@ -313,7 +313,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
res->flags = 0;
out:
if (res->flags)
- pci_info(dev, "reg 0x%x: %pR\n", pos, res);
+ pci_info(dev, "%s %pR\n", res_name, res);
return (res->flags & IORESOURCE_MEM_64) ? 1 : 0;
}
@@ -1968,14 +1968,14 @@ int pci_setup_device(struct pci_dev *dev)
res = &dev->resource[0];
res->flags = LEGACY_IO_RESOURCE;
pcibios_bus_to_resource(dev->bus, res, ®ion);
- pci_info(dev, "legacy IDE quirk: reg 0x10: %pR\n",
+ pci_info(dev, "BAR 0 %pR: legacy IDE quirk\n",
res);
region.start = 0x3F6;
region.end = 0x3F6;
res = &dev->resource[1];
res->flags = LEGACY_IO_RESOURCE;
pcibios_bus_to_resource(dev->bus, res, ®ion);
- pci_info(dev, "legacy IDE quirk: reg 0x14: %pR\n",
+ pci_info(dev, "BAR 1 %pR: legacy IDE quirk\n",
res);
}
if ((progif & 4) == 0) {
@@ -1984,14 +1984,14 @@ int pci_setup_device(struct pci_dev *dev)
res = &dev->resource[2];
res->flags = LEGACY_IO_RESOURCE;
pcibios_bus_to_resource(dev->bus, res, ®ion);
- pci_info(dev, "legacy IDE quirk: reg 0x18: %pR\n",
+ pci_info(dev, "BAR 2 %pR: legacy IDE quirk\n",
res);
region.start = 0x376;
region.end = 0x376;
res = &dev->resource[3];
res->flags = LEGACY_IO_RESOURCE;
pcibios_bus_to_resource(dev->bus, res, ®ion);
- pci_info(dev, "legacy IDE quirk: reg 0x1c: %pR\n",
+ pci_info(dev, "BAR 3 %pR: legacy IDE quirk\n",
res);
}
}
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
index cab4cdbb31387..5df3a6ea66018 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -583,13 +583,14 @@ static void quirk_extend_bar_to_page(struct pci_dev *dev)
for (i = 0; i < PCI_STD_NUM_BARS; i++) {
struct resource *r = &dev->resource[i];
+ const char *r_name = pci_resource_name(dev, i);
if (r->flags & IORESOURCE_MEM && resource_size(r) < PAGE_SIZE) {
r->end = PAGE_SIZE - 1;
r->start = 0;
r->flags |= IORESOURCE_UNSET;
- pci_info(dev, "expanded BAR %d to page size: %pR\n",
- i, r);
+ pci_info(dev, "%s %pR: expanded to page size\n",
+ r_name, r);
}
}
}
@@ -618,6 +619,7 @@ static void quirk_io(struct pci_dev *dev, int pos, unsigned int size,
u32 region;
struct pci_bus_region bus_region;
struct resource *res = dev->resource + pos;
+ const char *res_name = pci_resource_name(dev, pos);
pci_read_config_dword(dev, PCI_BASE_ADDRESS_0 + (pos << 2), ®ion);
@@ -635,8 +637,7 @@ static void quirk_io(struct pci_dev *dev, int pos, unsigned int size,
bus_region.end = region + size - 1;
pcibios_bus_to_resource(dev->bus, res, &bus_region);
- pci_info(dev, FW_BUG "%s quirk: reg 0x%x: %pR\n",
- name, PCI_BASE_ADDRESS_0 + (pos << 2), res);
+ pci_info(dev, FW_BUG "%s %pR: %s quirk\n", res_name, res, name);
}
/*
@@ -683,6 +684,12 @@ static void quirk_io_region(struct pci_dev *dev, int port,
bus_region.end = region + size - 1;
pcibios_bus_to_resource(dev->bus, res, &bus_region);
+ /*
+ * "res" is typically a bridge window resource that's not being
+ * used for a bridge window, so it's just a place to stash this
+ * non-standard resource. Printing "nr" or pci_resource_name() of
+ * it doesn't really make sense.
+ */
if (!pci_claim_resource(dev, nr))
pci_info(dev, "quirk: %pR claimed by %s\n", res, name);
}
diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
index 3f40be417856e..d07c1d9ed0620 100644
--- a/drivers/pci/setup-bus.c
+++ b/drivers/pci/setup-bus.c
@@ -213,6 +213,7 @@ static void reassign_resources_sorted(struct list_head *realloc_head,
struct list_head *head)
{
struct resource *res;
+ const char *res_name;
struct pci_dev_resource *add_res, *tmp;
struct pci_dev_resource *dev_res;
resource_size_t add_size, align;
@@ -222,6 +223,7 @@ static void reassign_resources_sorted(struct list_head *realloc_head,
bool found_match = false;
res = add_res->res;
+
/* Skip resource that has been reset */
if (!res->flags)
goto out;
@@ -237,6 +239,7 @@ static void reassign_resources_sorted(struct list_head *realloc_head,
continue;
idx = res - &add_res->dev->resource[0];
+ res_name = pci_resource_name(add_res->dev, idx);
add_size = add_res->add_size;
align = add_res->min_align;
if (!resource_size(res)) {
@@ -249,9 +252,9 @@ static void reassign_resources_sorted(struct list_head *realloc_head,
(IORESOURCE_STARTALIGN|IORESOURCE_SIZEALIGN);
if (pci_reassign_resource(add_res->dev, idx,
add_size, align))
- pci_info(add_res->dev, "failed to add %llx res[%d]=%pR\n",
- (unsigned long long) add_size, idx,
- res);
+ pci_info(add_res->dev, "%s %pR: failed to add %llx\n",
+ res_name, res,
+ (unsigned long long) add_size);
}
out:
list_del(&add_res->list);
@@ -571,6 +574,7 @@ EXPORT_SYMBOL(pci_setup_cardbus);
static void pci_setup_bridge_io(struct pci_dev *bridge)
{
struct resource *res;
+ const char *res_name;
struct pci_bus_region region;
unsigned long io_mask;
u8 io_base_lo, io_limit_lo;
@@ -583,6 +587,7 @@ static void pci_setup_bridge_io(struct pci_dev *bridge)
/* Set up the top and bottom of the PCI I/O segment for this bus */
res = &bridge->resource[PCI_BRIDGE_IO_WINDOW];
+ res_name = pci_resource_name(bridge, PCI_BRIDGE_IO_WINDOW);
pcibios_resource_to_bus(bridge->bus, ®ion, res);
if (res->flags & IORESOURCE_IO) {
pci_read_config_word(bridge, PCI_IO_BASE, &l);
@@ -591,7 +596,7 @@ static void pci_setup_bridge_io(struct pci_dev *bridge)
l = ((u16) io_limit_lo << 8) | io_base_lo;
/* Set up upper 16 bits of I/O base/limit */
io_upper16 = (region.end & 0xffff0000) | (region.start >> 16);
- pci_info(bridge, " bridge window %pR\n", res);
+ pci_info(bridge, " %s %pR\n", res_name, res);
} else {
/* Clear upper 16 bits of I/O base/limit */
io_upper16 = 0;
@@ -608,16 +613,18 @@ static void pci_setup_bridge_io(struct pci_dev *bridge)
static void pci_setup_bridge_mmio(struct pci_dev *bridge)
{
struct resource *res;
+ const char *res_name;
struct pci_bus_region region;
u32 l;
/* Set up the top and bottom of the PCI Memory segment for this bus */
res = &bridge->resource[PCI_BRIDGE_MEM_WINDOW];
+ res_name = pci_resource_name(bridge, PCI_BRIDGE_MEM_WINDOW);
pcibios_resource_to_bus(bridge->bus, ®ion, res);
if (res->flags & IORESOURCE_MEM) {
l = (region.start >> 16) & 0xfff0;
l |= region.end & 0xfff00000;
- pci_info(bridge, " bridge window %pR\n", res);
+ pci_info(bridge, " %s %pR\n", res_name, res);
} else {
l = 0x0000fff0;
}
@@ -627,6 +634,7 @@ static void pci_setup_bridge_mmio(struct pci_dev *bridge)
static void pci_setup_bridge_mmio_pref(struct pci_dev *bridge)
{
struct resource *res;
+ const char *res_name;
struct pci_bus_region region;
u32 l, bu, lu;
@@ -640,6 +648,7 @@ static void pci_setup_bridge_mmio_pref(struct pci_dev *bridge)
/* Set up PREF base/limit */
bu = lu = 0;
res = &bridge->resource[PCI_BRIDGE_PREF_MEM_WINDOW];
+ res_name = pci_resource_name(bridge, PCI_BRIDGE_PREF_MEM_WINDOW);
pcibios_resource_to_bus(bridge->bus, ®ion, res);
if (res->flags & IORESOURCE_PREFETCH) {
l = (region.start >> 16) & 0xfff0;
@@ -648,7 +657,7 @@ static void pci_setup_bridge_mmio_pref(struct pci_dev *bridge)
bu = upper_32_bits(region.start);
lu = upper_32_bits(region.end);
}
- pci_info(bridge, " bridge window %pR\n", res);
+ pci_info(bridge, " %s %pR\n", res_name, res);
} else {
l = 0x0000fff0;
}
@@ -1009,6 +1018,7 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask,
int i;
pci_dev_for_each_resource(dev, r, i) {
+ const char *r_name = pci_resource_name(dev, i);
resource_size_t r_size;
if (r->parent || (r->flags & IORESOURCE_PCI_FIXED) ||
@@ -1039,8 +1049,8 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask,
if (order < 0)
order = 0;
if (order >= ARRAY_SIZE(aligns)) {
- pci_warn(dev, "disabling BAR %d: %pR (bad alignment %#llx)\n",
- i, r, (unsigned long long) align);
+ pci_warn(dev, "%s %pR: disabling; bad alignment %#llx\n",
+ r_name, r, (unsigned long long) align);
r->flags = 0;
continue;
}
@@ -2230,6 +2240,7 @@ int pci_reassign_bridge_resources(struct pci_dev *bridge, unsigned long type)
for (i = PCI_BRIDGE_RESOURCES; i < PCI_BRIDGE_RESOURCE_END;
i++) {
struct resource *res = &bridge->resource[i];
+ const char *res_name = pci_resource_name(bridge, i);
if ((res->flags ^ type) & PCI_RES_TYPE_MASK)
continue;
@@ -2242,8 +2253,7 @@ int pci_reassign_bridge_resources(struct pci_dev *bridge, unsigned long type)
if (ret)
goto cleanup;
- pci_info(bridge, "BAR %d: releasing %pR\n",
- i, res);
+ pci_info(bridge, "%s %pR: releasing\n", res_name, res);
if (res->parent)
release_resource(res);
diff --git a/drivers/pci/setup-res.c b/drivers/pci/setup-res.c
index ceaa69491f5ef..c6d933ddfd464 100644
--- a/drivers/pci/setup-res.c
+++ b/drivers/pci/setup-res.c
@@ -30,6 +30,7 @@ static void pci_std_update_resource(struct pci_dev *dev, int resno)
u32 new, check, mask;
int reg;
struct resource *res = dev->resource + resno;
+ const char *res_name = pci_resource_name(dev, resno);
/* Per SR-IOV spec 3.4.1.11, VF BARs are RO zero */
if (dev->is_virtfn)
@@ -104,8 +105,8 @@ static void pci_std_update_resource(struct pci_dev *dev, int resno)
pci_read_config_dword(dev, reg, &check);
if ((new ^ check) & mask) {
- pci_err(dev, "BAR %d: error updating (%#010x != %#010x)\n",
- resno, new, check);
+ pci_err(dev, "%s: error updating (%#010x != %#010x)\n",
+ res_name, new, check);
}
if (res->flags & IORESOURCE_MEM_64) {
@@ -113,8 +114,8 @@ static void pci_std_update_resource(struct pci_dev *dev, int resno)
pci_write_config_dword(dev, reg + 4, new);
pci_read_config_dword(dev, reg + 4, &check);
if (check != new) {
- pci_err(dev, "BAR %d: error updating (high %#010x != %#010x)\n",
- resno, new, check);
+ pci_err(dev, "%s: error updating (high %#010x != %#010x)\n",
+ res_name, new, check);
}
}
@@ -135,11 +136,12 @@ void pci_update_resource(struct pci_dev *dev, int resno)
int pci_claim_resource(struct pci_dev *dev, int resource)
{
struct resource *res = &dev->resource[resource];
+ const char *res_name = pci_resource_name(dev, resource);
struct resource *root, *conflict;
if (res->flags & IORESOURCE_UNSET) {
- pci_info(dev, "can't claim BAR %d %pR: no address assigned\n",
- resource, res);
+ pci_info(dev, "%s %pR: can't claim; no address assigned\n",
+ res_name, res);
return -EINVAL;
}
@@ -153,16 +155,16 @@ int pci_claim_resource(struct pci_dev *dev, int resource)
root = pci_find_parent_resource(dev, res);
if (!root) {
- pci_info(dev, "can't claim BAR %d %pR: no compatible bridge window\n",
- resource, res);
+ pci_info(dev, "%s %pR: can't claim; no compatible bridge window\n",
+ res_name, res);
res->flags |= IORESOURCE_UNSET;
return -EINVAL;
}
conflict = request_resource_conflict(root, res);
if (conflict) {
- pci_info(dev, "can't claim BAR %d %pR: address conflict with %s %pR\n",
- resource, res, conflict->name, conflict);
+ pci_info(dev, "%s %pR: can't claim; address conflict with %s %pR\n",
+ res_name, res, conflict->name, conflict);
res->flags |= IORESOURCE_UNSET;
return -EBUSY;
}
@@ -201,6 +203,7 @@ static int pci_revert_fw_address(struct resource *res, struct pci_dev *dev,
{
struct resource *root, *conflict;
resource_size_t fw_addr, start, end;
+ const char *res_name = pci_resource_name(dev, resno);
fw_addr = pcibios_retrieve_fw_addr(dev, resno);
if (!fw_addr)
@@ -231,12 +234,11 @@ static int pci_revert_fw_address(struct resource *res, struct pci_dev *dev,
root = &iomem_resource;
}
- pci_info(dev, "BAR %d: trying firmware assignment %pR\n",
- resno, res);
+ pci_info(dev, "%s: trying firmware assignment %pR\n", res_name, res);
conflict = request_resource_conflict(root, res);
if (conflict) {
- pci_info(dev, "BAR %d: %pR conflicts with %s %pR\n",
- resno, res, conflict->name, conflict);
+ pci_info(dev, "%s %pR: conflicts with %s %pR\n", res_name, res,
+ conflict->name, conflict);
res->start = start;
res->end = end;
res->flags |= IORESOURCE_UNSET;
@@ -325,6 +327,7 @@ static int _pci_assign_resource(struct pci_dev *dev, int resno,
int pci_assign_resource(struct pci_dev *dev, int resno)
{
struct resource *res = dev->resource + resno;
+ const char *res_name = pci_resource_name(dev, resno);
resource_size_t align, size;
int ret;
@@ -334,8 +337,8 @@ int pci_assign_resource(struct pci_dev *dev, int resno)
res->flags |= IORESOURCE_UNSET;
align = pci_resource_alignment(dev, res);
if (!align) {
- pci_info(dev, "BAR %d: can't assign %pR (bogus alignment)\n",
- resno, res);
+ pci_info(dev, "%s %pR: can't assign; bogus alignment\n",
+ res_name, res);
return -EINVAL;
}
@@ -348,18 +351,18 @@ int pci_assign_resource(struct pci_dev *dev, int resno)
* working, which is better than just leaving it disabled.
*/
if (ret < 0) {
- pci_info(dev, "BAR %d: no space for %pR\n", resno, res);
+ pci_info(dev, "%s %pR: can't assign; no space\n", res_name, res);
ret = pci_revert_fw_address(res, dev, resno, size);
}
if (ret < 0) {
- pci_info(dev, "BAR %d: failed to assign %pR\n", resno, res);
+ pci_info(dev, "%s %pR: failed to assign\n", res_name, res);
return ret;
}
res->flags &= ~IORESOURCE_UNSET;
res->flags &= ~IORESOURCE_STARTALIGN;
- pci_info(dev, "BAR %d: assigned %pR\n", resno, res);
+ pci_info(dev, "%s %pR: assigned\n", res_name, res);
if (resno < PCI_BRIDGE_RESOURCES)
pci_update_resource(dev, resno);
@@ -367,10 +370,11 @@ int pci_assign_resource(struct pci_dev *dev, int resno)
}
EXPORT_SYMBOL(pci_assign_resource);
-int pci_reassign_resource(struct pci_dev *dev, int resno, resource_size_t addsize,
- resource_size_t min_align)
+int pci_reassign_resource(struct pci_dev *dev, int resno,
+ resource_size_t addsize, resource_size_t min_align)
{
struct resource *res = dev->resource + resno;
+ const char *res_name = pci_resource_name(dev, resno);
unsigned long flags;
resource_size_t new_size;
int ret;
@@ -381,8 +385,8 @@ int pci_reassign_resource(struct pci_dev *dev, int resno, resource_size_t addsiz
flags = res->flags;
res->flags |= IORESOURCE_UNSET;
if (!res->parent) {
- pci_info(dev, "BAR %d: can't reassign an unassigned resource %pR\n",
- resno, res);
+ pci_info(dev, "%s %pR: can't reassign; unassigned resource\n",
+ res_name, res);
return -EINVAL;
}
@@ -391,15 +395,15 @@ int pci_reassign_resource(struct pci_dev *dev, int resno, resource_size_t addsiz
ret = _pci_assign_resource(dev, resno, new_size, min_align);
if (ret) {
res->flags = flags;
- pci_info(dev, "BAR %d: %pR (failed to expand by %#llx)\n",
- resno, res, (unsigned long long) addsize);
+ pci_info(dev, "%s %pR: failed to expand by %#llx\n",
+ res_name, res, (unsigned long long) addsize);
return ret;
}
res->flags &= ~IORESOURCE_UNSET;
res->flags &= ~IORESOURCE_STARTALIGN;
- pci_info(dev, "BAR %d: reassigned %pR (expanded by %#llx)\n",
- resno, res, (unsigned long long) addsize);
+ pci_info(dev, "%s %pR: reassigned; expanded by %#llx\n",
+ res_name, res, (unsigned long long) addsize);
if (resno < PCI_BRIDGE_RESOURCES)
pci_update_resource(dev, resno);
@@ -409,8 +413,9 @@ int pci_reassign_resource(struct pci_dev *dev, int resno, resource_size_t addsiz
void pci_release_resource(struct pci_dev *dev, int resno)
{
struct resource *res = dev->resource + resno;
+ const char *res_name = pci_resource_name(dev, resno);
- pci_info(dev, "BAR %d: releasing %pR\n", resno, res);
+ pci_info(dev, "%s %pR: releasing\n", res_name, res);
if (!res->parent)
return;
@@ -480,6 +485,7 @@ int pci_enable_resources(struct pci_dev *dev, int mask)
u16 cmd, old_cmd;
int i;
struct resource *r;
+ const char *r_name;
pci_read_config_word(dev, PCI_COMMAND, &cmd);
old_cmd = cmd;
@@ -488,6 +494,8 @@ int pci_enable_resources(struct pci_dev *dev, int mask)
if (!(mask & (1 << i)))
continue;
+ r_name = pci_resource_name(dev, i);
+
if (!(r->flags & (IORESOURCE_IO | IORESOURCE_MEM)))
continue;
if ((i == PCI_ROM_RESOURCE) &&
@@ -495,14 +503,14 @@ int pci_enable_resources(struct pci_dev *dev, int mask)
continue;
if (r->flags & IORESOURCE_UNSET) {
- pci_err(dev, "can't enable device: BAR %d %pR not assigned\n",
- i, r);
+ pci_err(dev, "%s %pR: not assigned; can't enable device\n",
+ r_name, r);
return -EINVAL;
}
if (!r->parent) {
- pci_err(dev, "can't enable device: BAR %d %pR not claimed\n",
- i, r);
+ pci_err(dev, "%s %pR: not claimed; can't enable device\n",
+ r_name, r);
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 032/567] resource: Add resource set range and size helpers
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 031/567] PCI: Use resource names in PCI log messages Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 033/567] PCI: Use resource_set_range() that correctly sets ->end Greg Kroah-Hartman
` (345 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Bjorn Helgaas,
Jonathan Cameron, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ Upstream commit 9fb6fef0fb49124291837af1da5028f79d53f98e ]
Setting the end address for a resource with a given size lacks a helper and
is therefore coded manually unlike the getter side which has a helper for
resource size calculation. Also, almost all callsites that calculate the
end address for a resource also set the start address right before it like
this:
res->start = start_addr;
res->end = res->start + size - 1;
Add resource_set_range(res, start_addr, size) that sets the start address
and calculates the end address to simplify this often repeated fragment.
Also add resource_set_size() for the cases where setting the start address
of the resource is not necessary but mention in its kerneldoc that
resource_set_range() is preferred when setting both addresses.
Link: https://lore.kernel.org/r/20240614100606.15830-2-ilpo.jarvinen@linux.intel.com
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 11721c45a826 ("PCI: Use resource_set_range() that correctly sets ->end")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/ioport.h | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/include/linux/ioport.h b/include/linux/ioport.h
index 25d768d489701..d10749797f18d 100644
--- a/include/linux/ioport.h
+++ b/include/linux/ioport.h
@@ -216,6 +216,38 @@ struct resource *lookup_resource(struct resource *root, resource_size_t start);
int adjust_resource(struct resource *res, resource_size_t start,
resource_size_t size);
resource_size_t resource_alignment(struct resource *res);
+
+/**
+ * resource_set_size - Calculate resource end address from size and start
+ * @res: Resource descriptor
+ * @size: Size of the resource
+ *
+ * Calculate the end address for @res based on @size.
+ *
+ * Note: The start address of @res must be set when calling this function.
+ * Prefer resource_set_range() if setting both the start address and @size.
+ */
+static inline void resource_set_size(struct resource *res, resource_size_t size)
+{
+ res->end = res->start + size - 1;
+}
+
+/**
+ * resource_set_range - Set resource start and end addresses
+ * @res: Resource descriptor
+ * @start: Start address for the resource
+ * @size: Size of the resource
+ *
+ * Set @res start address and calculate the end address based on @size.
+ */
+static inline void resource_set_range(struct resource *res,
+ resource_size_t start,
+ resource_size_t size)
+{
+ res->start = start;
+ resource_set_size(res, size);
+}
+
static inline resource_size_t resource_size(const struct resource *res)
{
return res->end - res->start + 1;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 033/567] PCI: Use resource_set_range() that correctly sets ->end
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 032/567] resource: Add resource set range and size helpers Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 034/567] KVM: x86: Fix KVM_GET_MSRS stack info leak Greg Kroah-Hartman
` (344 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Bjorn Helgaas,
Andy Shevchenko, Christian Marangi, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ Upstream commit 11721c45a8266a9d0c9684153d20e37159465f96 ]
__pci_read_base() sets resource start and end addresses when resource
is larger than 4G but pci_bus_addr_t or resource_size_t are not capable
of representing 64-bit PCI addresses. This creates a problematic
resource that has non-zero flags but the start and end addresses do not
yield to resource size of 0 but 1.
Replace custom resource addresses setup with resource_set_range()
that correctly sets end address as -1 which results in resource_size()
returning 0.
For consistency, also use resource_set_range() in the other branch that
does size based resource setup.
Fixes: 23b13bc76f35 ("PCI: Fail safely if we can't handle BARs larger than 4GB")
Link: https://lore.kernel.org/all/20251207215359.28895-1-ansuelsmth@gmail.com/T/#m990492684913c5a158ff0e5fc90697d8ad95351b
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: stable@vger.kernel.org
Cc: Christian Marangi <ansuelsmth@gmail.com>
Link: https://patch.msgid.link/20251208145654.5294-1-ilpo.jarvinen@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/probe.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 92f1902afa3b7..d90ffbb47f0e2 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -263,8 +263,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
if ((sizeof(pci_bus_addr_t) < 8 || sizeof(resource_size_t) < 8)
&& sz64 > 0x100000000ULL) {
res->flags |= IORESOURCE_UNSET | IORESOURCE_DISABLED;
- res->start = 0;
- res->end = 0;
+ resource_set_range(res, 0, 0);
pci_err(dev, "%s: can't handle BAR larger than 4GB (size %#010llx)\n",
res_name, (unsigned long long)sz64);
goto out;
@@ -273,8 +272,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
if ((sizeof(pci_bus_addr_t) < 8) && l) {
/* Above 32-bit boundary; try to reallocate */
res->flags |= IORESOURCE_UNSET;
- res->start = 0;
- res->end = sz64 - 1;
+ resource_set_range(res, 0, sz64);
pci_info(dev, "%s: can't handle BAR above 4GB (bus address %#010llx)\n",
res_name, (unsigned long long)l64);
goto out;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 034/567] KVM: x86: Fix KVM_GET_MSRS stack info leak
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 033/567] PCI: Use resource_set_range() that correctly sets ->end Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 035/567] KVM: x86: Rename KVM_MSR_RET_INVALID to KVM_MSR_RET_UNSUPPORTED Greg Kroah-Hartman
` (343 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathias Krause, Xiaoyao Li,
Sean Christopherson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@grsecurity.net>
[ Upstream commit 3376ca3f1a2075eaa23c5576c47d04d7e8a4adda ]
Commit 6abe9c1386e5 ("KVM: X86: Move ignore_msrs handling upper the
stack") changed the 'ignore_msrs' handling, including sanitizing return
values to the caller. This was fine until commit 12bc2132b15e ("KVM:
X86: Do the same ignore_msrs check for feature msrs") which allowed
non-existing feature MSRs to be ignored, i.e. to not generate an error
on the ioctl() level. It even tried to preserve the sanitization of the
return value. However, the logic is flawed, as '*data' will be
overwritten again with the uninitialized stack value of msr.data.
Fix this by simplifying the logic and always initializing msr.data,
vanishing the need for an additional error exit path.
Fixes: 12bc2132b15e ("KVM: X86: Do the same ignore_msrs check for feature msrs")
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20240203124522.592778-2-minipli@grsecurity.net
Signed-off-by: Sean Christopherson <seanjc@google.com>
Stable-dep-of: 5bb9ac186512 ("KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/x86.c | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 00bbee40dbec2..275dd7dc1d68b 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1719,22 +1719,17 @@ static int do_get_msr_feature(struct kvm_vcpu *vcpu, unsigned index, u64 *data)
struct kvm_msr_entry msr;
int r;
+ /* Unconditionally clear the output for simplicity */
+ msr.data = 0;
msr.index = index;
r = kvm_get_msr_feature(&msr);
- if (r == KVM_MSR_RET_INVALID) {
- /* Unconditionally clear the output for simplicity */
- *data = 0;
- if (kvm_msr_ignored_check(index, 0, false))
- r = 0;
- }
-
- if (r)
- return r;
+ if (r == KVM_MSR_RET_INVALID && kvm_msr_ignored_check(index, 0, false))
+ r = 0;
*data = msr.data;
- return 0;
+ return r;
}
static bool __kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 035/567] KVM: x86: Rename KVM_MSR_RET_INVALID to KVM_MSR_RET_UNSUPPORTED
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 034/567] KVM: x86: Fix KVM_GET_MSRS stack info leak Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 036/567] KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR Greg Kroah-Hartman
` (342 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit aaecae7b6a2b19a874a7df0d474f44f3a5b5a74e ]
Rename the "INVALID" internal MSR error return code to "UNSUPPORTED" to
try and make it more clear that access was denied because the MSR itself
is unsupported/unknown. "INVALID" is too ambiguous, as it could just as
easily mean the value for WRMSR as invalid.
Avoid UNKNOWN and UNIMPLEMENTED, as the error code is used for MSRs that
_are_ actually implemented by KVM, e.g. if the MSR is unsupported because
an associated feature flag is not present in guest CPUID.
Opportunistically beef up the comments for the internal MSR error codes.
Link: https://lore.kernel.org/r/20240802181935.292540-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Stable-dep-of: 5bb9ac186512 ("KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/svm/svm.c | 2 +-
arch/x86/kvm/vmx/vmx.c | 2 +-
arch/x86/kvm/x86.c | 12 ++++++------
arch/x86/kvm/x86.h | 15 +++++++++++----
4 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 9ddd1ee5f3123..a48616242affe 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -2848,7 +2848,7 @@ static int svm_get_msr_feature(struct kvm_msr_entry *msr)
msr->data |= MSR_AMD64_DE_CFG_LFENCE_SERIALIZE;
break;
default:
- return KVM_MSR_RET_INVALID;
+ return KVM_MSR_RET_UNSUPPORTED;
}
return 0;
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 4dd3f64a1a8c7..b68fb5329a13e 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -1981,7 +1981,7 @@ static int vmx_get_msr_feature(struct kvm_msr_entry *msr)
return 1;
return vmx_get_vmx_msr(&vmcs_config.nested, msr->index, &msr->data);
default:
- return KVM_MSR_RET_INVALID;
+ return KVM_MSR_RET_UNSUPPORTED;
}
}
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 275dd7dc1d68b..3e16513a4d9fd 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1724,7 +1724,7 @@ static int do_get_msr_feature(struct kvm_vcpu *vcpu, unsigned index, u64 *data)
msr.index = index;
r = kvm_get_msr_feature(&msr);
- if (r == KVM_MSR_RET_INVALID && kvm_msr_ignored_check(index, 0, false))
+ if (r == KVM_MSR_RET_UNSUPPORTED && kvm_msr_ignored_check(index, 0, false))
r = 0;
*data = msr.data;
@@ -1917,7 +1917,7 @@ static int kvm_set_msr_ignored_check(struct kvm_vcpu *vcpu,
{
int ret = __kvm_set_msr(vcpu, index, data, host_initiated);
- if (ret == KVM_MSR_RET_INVALID)
+ if (ret == KVM_MSR_RET_UNSUPPORTED)
if (kvm_msr_ignored_check(index, data, true))
ret = 0;
@@ -1962,7 +1962,7 @@ static int kvm_get_msr_ignored_check(struct kvm_vcpu *vcpu,
{
int ret = __kvm_get_msr(vcpu, index, data, host_initiated);
- if (ret == KVM_MSR_RET_INVALID) {
+ if (ret == KVM_MSR_RET_UNSUPPORTED) {
/* Unconditionally clear *data for simplicity */
*data = 0;
if (kvm_msr_ignored_check(index, 0, false))
@@ -2031,7 +2031,7 @@ static int complete_fast_rdmsr(struct kvm_vcpu *vcpu)
static u64 kvm_msr_reason(int r)
{
switch (r) {
- case KVM_MSR_RET_INVALID:
+ case KVM_MSR_RET_UNSUPPORTED:
return KVM_MSR_EXIT_REASON_UNKNOWN;
case KVM_MSR_RET_FILTERED:
return KVM_MSR_EXIT_REASON_FILTER;
@@ -3997,7 +3997,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
kvm_is_msr_to_save(msr))
break;
- return KVM_MSR_RET_INVALID;
+ return KVM_MSR_RET_UNSUPPORTED;
}
return 0;
}
@@ -4356,7 +4356,7 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
break;
}
- return KVM_MSR_RET_INVALID;
+ return KVM_MSR_RET_UNSUPPORTED;
}
return 0;
}
diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
index 1e7be1f6ab299..1222e5b3d5580 100644
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -501,11 +501,18 @@ bool kvm_msr_allowed(struct kvm_vcpu *vcpu, u32 index, u32 type);
/*
* Internal error codes that are used to indicate that MSR emulation encountered
- * an error that should result in #GP in the guest, unless userspace
- * handles it.
+ * an error that should result in #GP in the guest, unless userspace handles it.
+ * Note, '1', '0', and negative numbers are off limits, as they are used by KVM
+ * as part of KVM's lightly documented internal KVM_RUN return codes.
+ *
+ * UNSUPPORTED - The MSR isn't supported, either because it is completely
+ * unknown to KVM, or because the MSR should not exist according
+ * to the vCPU model.
+ *
+ * FILTERED - Access to the MSR is denied by a userspace MSR filter.
*/
-#define KVM_MSR_RET_INVALID 2 /* in-kernel MSR emulation #GP condition */
-#define KVM_MSR_RET_FILTERED 3 /* #GP due to userspace MSR filter */
+#define KVM_MSR_RET_UNSUPPORTED 2
+#define KVM_MSR_RET_FILTERED 3
#define __cr4_reserved_bits(__cpu_has, __c) \
({ \
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 036/567] KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 035/567] KVM: x86: Rename KVM_MSR_RET_INVALID to KVM_MSR_RET_UNSUPPORTED Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 037/567] media: tegra-video: Use accessors for pad config try_* fields Greg Kroah-Hartman
` (341 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Mattson, Sean Christopherson,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 5bb9ac1865123356337a389af935d3913ee917ed ]
Return KVM_MSR_RET_UNSUPPORTED instead of '1' (which for all intents and
purposes means "invalid") when rejecting accesses to KVM PV MSRs to adhere
to KVM's ABI of allowing host reads and writes of '0' to MSRs that are
advertised to userspace via KVM_GET_MSR_INDEX_LIST, even if the vCPU model
doesn't support the MSR.
E.g. running a QEMU VM with
-cpu host,-kvmclock,kvm-pv-enforce-cpuid
yields:
qemu: error: failed to set MSR 0x12 to 0x0
qemu: target/i386/kvm/kvm.c:3301: kvm_buf_set_msrs:
Assertion `ret == cpu->kvm_msr_buf->nmsrs' failed.
Fixes: 66570e966dd9 ("kvm: x86: only provide PV features if enabled in guest's CPUID")
Cc: stable@vger.kernel.org
Reviewed-by: Jim Mattson <jmattson@google.com>
Link: https://patch.msgid.link/20251230205948.4094097-1-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/x86.c | 40 ++++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 3e16513a4d9fd..19cae03e423b1 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3812,47 +3812,47 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
break;
case MSR_KVM_WALL_CLOCK_NEW:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE2))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
vcpu->kvm->arch.wall_clock = data;
kvm_write_wall_clock(vcpu->kvm, data, 0);
break;
case MSR_KVM_WALL_CLOCK:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
vcpu->kvm->arch.wall_clock = data;
kvm_write_wall_clock(vcpu->kvm, data, 0);
break;
case MSR_KVM_SYSTEM_TIME_NEW:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE2))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
kvm_write_system_time(vcpu, data, false, msr_info->host_initiated);
break;
case MSR_KVM_SYSTEM_TIME:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
kvm_write_system_time(vcpu, data, true, msr_info->host_initiated);
break;
case MSR_KVM_ASYNC_PF_EN:
if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
if (kvm_pv_enable_async_pf(vcpu, data))
return 1;
break;
case MSR_KVM_ASYNC_PF_INT:
if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF_INT))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
if (kvm_pv_enable_async_pf_int(vcpu, data))
return 1;
break;
case MSR_KVM_ASYNC_PF_ACK:
if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF_INT))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
if (data & 0x1) {
vcpu->arch.apf.pageready_pending = false;
kvm_check_async_pf_completion(vcpu);
@@ -3860,7 +3860,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
break;
case MSR_KVM_STEAL_TIME:
if (!guest_pv_has(vcpu, KVM_FEATURE_STEAL_TIME))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
if (unlikely(!sched_info_on()))
return 1;
@@ -3878,7 +3878,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
break;
case MSR_KVM_PV_EOI_EN:
if (!guest_pv_has(vcpu, KVM_FEATURE_PV_EOI))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
if (kvm_lapic_set_pv_eoi(vcpu, data, sizeof(u8)))
return 1;
@@ -3886,7 +3886,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
case MSR_KVM_POLL_CONTROL:
if (!guest_pv_has(vcpu, KVM_FEATURE_POLL_CONTROL))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
/* only enable bit supported */
if (data & (-1ULL << 1))
@@ -4193,61 +4193,61 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
break;
case MSR_KVM_WALL_CLOCK:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->kvm->arch.wall_clock;
break;
case MSR_KVM_WALL_CLOCK_NEW:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE2))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->kvm->arch.wall_clock;
break;
case MSR_KVM_SYSTEM_TIME:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->arch.time;
break;
case MSR_KVM_SYSTEM_TIME_NEW:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE2))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->arch.time;
break;
case MSR_KVM_ASYNC_PF_EN:
if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->arch.apf.msr_en_val;
break;
case MSR_KVM_ASYNC_PF_INT:
if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF_INT))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->arch.apf.msr_int_val;
break;
case MSR_KVM_ASYNC_PF_ACK:
if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF_INT))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = 0;
break;
case MSR_KVM_STEAL_TIME:
if (!guest_pv_has(vcpu, KVM_FEATURE_STEAL_TIME))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->arch.st.msr_val;
break;
case MSR_KVM_PV_EOI_EN:
if (!guest_pv_has(vcpu, KVM_FEATURE_PV_EOI))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->arch.pv_eoi.msr_val;
break;
case MSR_KVM_POLL_CONTROL:
if (!guest_pv_has(vcpu, KVM_FEATURE_POLL_CONTROL))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->arch.msr_kvm_poll_control;
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 037/567] media: tegra-video: Use accessors for pad config try_* fields
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 036/567] KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 038/567] media: tegra-video: Fix memory leak in __tegra_channel_try_format() Greg Kroah-Hartman
` (340 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Luca Ceresoli,
Sakari Ailus, Mauro Carvalho Chehab, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
[ Upstream commit 0623979d8352efe18f83c4fad95a2e61df17b3e7 ]
The 'try_*' fields of the v4l2_subdev_pad_config structure are meant to
be accessed through helper functions. Replace direct access with usage
of the v4l2_subdev_get_pad_format(), v4l2_subdev_get_pad_crop() and
v4l2_subdev_get_pad_compose() helpers.
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Stable-dep-of: 43e5302d2233 ("media: tegra-video: Fix memory leak in __tegra_channel_try_format()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/media/tegra-video/vi.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/media/tegra-video/vi.c b/drivers/staging/media/tegra-video/vi.c
index 94171e62dee9e..a2f21c70a5bc8 100644
--- a/drivers/staging/media/tegra-video/vi.c
+++ b/drivers/staging/media/tegra-video/vi.c
@@ -439,6 +439,7 @@ static int __tegra_channel_try_format(struct tegra_vi_channel *chan,
.which = V4L2_SUBDEV_FORMAT_ACTIVE,
.target = V4L2_SEL_TGT_CROP_BOUNDS,
};
+ struct v4l2_rect *try_crop;
int ret;
subdev = tegra_channel_get_remote_source_subdev(chan);
@@ -473,24 +474,25 @@ static int __tegra_channel_try_format(struct tegra_vi_channel *chan,
* Attempt to obtain the format size from subdev.
* If not available, try to get crop boundary from subdev.
*/
+ try_crop = v4l2_subdev_get_pad_crop(subdev, sd_state, 0);
fse.code = fmtinfo->code;
ret = v4l2_subdev_call(subdev, pad, enum_frame_size, sd_state, &fse);
if (ret) {
if (!v4l2_subdev_has_op(subdev, pad, get_selection)) {
- sd_state->pads->try_crop.width = 0;
- sd_state->pads->try_crop.height = 0;
+ try_crop->width = 0;
+ try_crop->height = 0;
} else {
ret = v4l2_subdev_call(subdev, pad, get_selection,
NULL, &sdsel);
if (ret)
return -EINVAL;
- sd_state->pads->try_crop.width = sdsel.r.width;
- sd_state->pads->try_crop.height = sdsel.r.height;
+ try_crop->width = sdsel.r.width;
+ try_crop->height = sdsel.r.height;
}
} else {
- sd_state->pads->try_crop.width = fse.max_width;
- sd_state->pads->try_crop.height = fse.max_height;
+ try_crop->width = fse.max_width;
+ try_crop->height = fse.max_height;
}
ret = v4l2_subdev_call(subdev, pad, set_fmt, sd_state, &fmt);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 038/567] media: tegra-video: Fix memory leak in __tegra_channel_try_format()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 037/567] media: tegra-video: Use accessors for pad config try_* fields Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 039/567] KVM: x86: WARN if a vCPU gets a valid wakeup that KVM cant yet inject Greg Kroah-Hartman
` (339 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zilin Guan, Hans Verkuil,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 43e5302d22334f1183dec3e0d5d8007eefe2817c ]
The state object allocated by __v4l2_subdev_state_alloc() must be freed
with __v4l2_subdev_state_free() when it is no longer needed.
In __tegra_channel_try_format(), two error paths return directly after
v4l2_subdev_call() fails, without freeing the allocated 'sd_state'
object. This violates the requirement and causes a memory leak.
Fix this by introducing a cleanup label and using goto statements in the
error paths to ensure that __v4l2_subdev_state_free() is always called
before the function returns.
Fixes: 56f64b82356b7 ("media: tegra-video: Use zero crop settings if subdev has no get_selection")
Fixes: 1ebaeb09830f3 ("media: tegra-video: Add support for external sensor capture")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/media/tegra-video/vi.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/media/tegra-video/vi.c b/drivers/staging/media/tegra-video/vi.c
index a2f21c70a5bc8..e8ba23e5bcde0 100644
--- a/drivers/staging/media/tegra-video/vi.c
+++ b/drivers/staging/media/tegra-video/vi.c
@@ -440,7 +440,7 @@ static int __tegra_channel_try_format(struct tegra_vi_channel *chan,
.target = V4L2_SEL_TGT_CROP_BOUNDS,
};
struct v4l2_rect *try_crop;
- int ret;
+ int ret = 0;
subdev = tegra_channel_get_remote_source_subdev(chan);
if (!subdev)
@@ -484,8 +484,10 @@ static int __tegra_channel_try_format(struct tegra_vi_channel *chan,
} else {
ret = v4l2_subdev_call(subdev, pad, get_selection,
NULL, &sdsel);
- if (ret)
- return -EINVAL;
+ if (ret) {
+ ret = -EINVAL;
+ goto out_free;
+ }
try_crop->width = sdsel.r.width;
try_crop->height = sdsel.r.height;
@@ -497,14 +499,15 @@ static int __tegra_channel_try_format(struct tegra_vi_channel *chan,
ret = v4l2_subdev_call(subdev, pad, set_fmt, sd_state, &fmt);
if (ret < 0)
- return ret;
+ goto out_free;
v4l2_fill_pix_format(pix, &fmt.format);
chan->vi->ops->vi_fmt_align(pix, fmtinfo->bpp);
+out_free:
__v4l2_subdev_state_free(sd_state);
- return 0;
+ return ret;
}
static int tegra_channel_try_format(struct file *file, void *fh,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 039/567] KVM: x86: WARN if a vCPU gets a valid wakeup that KVM cant yet inject
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 038/567] media: tegra-video: Fix memory leak in __tegra_channel_try_format() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 040/567] KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block() Greg Kroah-Hartman
` (338 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 45405155d876c326da89162b8173b8cc9ab7ed75 ]
WARN if a blocking vCPU is awakened by a valid wake event that KVM can't
inject, e.g. because KVM needs to complete a nested VM-enter, or needs to
re-inject an exception. For the nested VM-Enter case, KVM is supposed to
clear "nested_run_pending" if L1 puts L2 into HLT, i.e. entering HLT
"completes" the nested VM-Enter. And for already-injected exceptions, it
should be impossible for the vCPU to be in a blocking state if a VM-Exit
occurred while an exception was being vectored.
Link: https://lore.kernel.org/r/20240607172609.3205077-7-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Stable-dep-of: ead63640d4e7 ("KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/x86.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 19cae03e423b1..3edfcb4090b18 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -11003,7 +11003,10 @@ static inline int vcpu_block(struct kvm_vcpu *vcpu)
* causes a spurious wakeup from HLT).
*/
if (is_guest_mode(vcpu)) {
- if (kvm_check_nested_events(vcpu) < 0)
+ int r = kvm_check_nested_events(vcpu);
+
+ WARN_ON_ONCE(r == -EBUSY);
+ if (r < 0)
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 040/567] KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 039/567] KVM: x86: WARN if a vCPU gets a valid wakeup that KVM cant yet inject Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 041/567] drm/tegra: dsi: fix device leak on probe Greg Kroah-Hartman
` (337 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alessandro Ratti,
syzbot+1522459a74d26b0ac33a, Sean Christopherson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit ead63640d4e72e6f6d464f4e31f7fecb79af8869 ]
Ignore -EBUSY when checking nested events after exiting a blocking state
while L2 is active, as exiting to userspace will generate a spurious
userspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's
demise. Continuing with the wakeup isn't perfect either, as *something*
has gone sideways if a vCPU is awakened in L2 with an injected event (or
worse, a nested run pending), but continuing on gives the VM a decent
chance of surviving without any major side effects.
As explained in the Fixes commits, it _should_ be impossible for a vCPU to
be put into a blocking state with an already-injected event (exception,
IRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected
events, and thus put the vCPU into what should be an impossible state.
Don't bother trying to preserve the WARN, e.g. with an anti-syzkaller
Kconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be
violating x86 architecture, e.g. by WARNing if KVM attempts to inject an
exception or interrupt while the vCPU isn't running.
Cc: Alessandro Ratti <alessandro@0x65c.net>
Cc: stable@vger.kernel.org
Fixes: 26844fee6ade ("KVM: x86: never write to memory from kvm_vcpu_check_block()")
Fixes: 45405155d876 ("KVM: x86: WARN if a vCPU gets a valid wakeup that KVM can't yet inject")
Link: https://syzkaller.appspot.com/text?tag=ReproC&x=10d4261a580000
Reported-by: syzbot+1522459a74d26b0ac33a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/671bc7a7.050a0220.455e8.022a.GAE@google.com
Link: https://patch.msgid.link/20260109030657.994759-1-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/x86.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 3edfcb4090b18..ac0b458582c38 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -11005,8 +11005,7 @@ static inline int vcpu_block(struct kvm_vcpu *vcpu)
if (is_guest_mode(vcpu)) {
int r = kvm_check_nested_events(vcpu);
- WARN_ON_ONCE(r == -EBUSY);
- if (r < 0)
+ if (r < 0 && r != -EBUSY)
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 041/567] drm/tegra: dsi: fix device leak on probe
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 040/567] KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 042/567] bus: omap-ocp2scp: Convert to platform remove callback returning void Greg Kroah-Hartman
` (336 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thierry Reding, Johan Hovold,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit bfef062695570842cf96358f2f46f4c6642c6689 ]
Make sure to drop the reference taken when looking up the companion
(ganged) device and its driver data during probe().
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Fixes: e94236cde4d5 ("drm/tegra: dsi: Add ganged mode support")
Fixes: 221e3638feb8 ("drm/tegra: Fix reference leak in tegra_dsi_ganged_probe")
Cc: stable@vger.kernel.org # 3.19: 221e3638feb8
Cc: Thierry Reding <treding@nvidia.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Link: https://patch.msgid.link/20251121164201.13188-1-johan@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/tegra/dsi.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c
index 49fc4690c63af..e98eb8d0c4d77 100644
--- a/drivers/gpu/drm/tegra/dsi.c
+++ b/drivers/gpu/drm/tegra/dsi.c
@@ -1539,11 +1539,9 @@ static int tegra_dsi_ganged_probe(struct tegra_dsi *dsi)
return -EPROBE_DEFER;
dsi->slave = platform_get_drvdata(gangster);
-
- if (!dsi->slave) {
- put_device(&gangster->dev);
+ put_device(&gangster->dev);
+ if (!dsi->slave)
return -EPROBE_DEFER;
- }
dsi->slave->master = dsi;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 042/567] bus: omap-ocp2scp: Convert to platform remove callback returning void
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 041/567] drm/tegra: dsi: fix device leak on probe Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 043/567] bus: omap-ocp2scp: fix OF populate on driver rebind Greg Kroah-Hartman
` (335 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 854f89a5b56354ba4135e0e1f0e57ab2caee59ee ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is ignored (apart
from emitting a warning) and this typically results in resource leaks.
To improve here there is a quest to make the remove callback return
void. In the first step of this quest all drivers are converted to
.remove_new(), which already returns void. Eventually after all drivers
are converted, .remove_new() will be renamed to .remove().
Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.
Link: https://lore.kernel.org/r/20231109202830.4124591-3-u.kleine-koenig@pengutronix.de
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Stable-dep-of: 5eb63e9bb65d ("bus: omap-ocp2scp: fix OF populate on driver rebind")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/omap-ocp2scp.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/bus/omap-ocp2scp.c b/drivers/bus/omap-ocp2scp.c
index e02d0656242b8..7d7479ba0a759 100644
--- a/drivers/bus/omap-ocp2scp.c
+++ b/drivers/bus/omap-ocp2scp.c
@@ -84,12 +84,10 @@ static int omap_ocp2scp_probe(struct platform_device *pdev)
return ret;
}
-static int omap_ocp2scp_remove(struct platform_device *pdev)
+static void omap_ocp2scp_remove(struct platform_device *pdev)
{
pm_runtime_disable(&pdev->dev);
device_for_each_child(&pdev->dev, NULL, ocp2scp_remove_devices);
-
- return 0;
}
#ifdef CONFIG_OF
@@ -103,7 +101,7 @@ MODULE_DEVICE_TABLE(of, omap_ocp2scp_id_table);
static struct platform_driver omap_ocp2scp_driver = {
.probe = omap_ocp2scp_probe,
- .remove = omap_ocp2scp_remove,
+ .remove_new = omap_ocp2scp_remove,
.driver = {
.name = "omap-ocp2scp",
.of_match_table = of_match_ptr(omap_ocp2scp_id_table),
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 043/567] bus: omap-ocp2scp: fix OF populate on driver rebind
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 042/567] bus: omap-ocp2scp: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 044/567] ext4: get rid of ppath in ext4_find_extent() Greg Kroah-Hartman
` (334 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Kevin Hilman,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 5eb63e9bb65d88abde647ced50fe6ad40c11de1a ]
Since commit c6e126de43e7 ("of: Keep track of populated platform
devices") child devices will not be created by of_platform_populate()
if the devices had previously been deregistered individually so that the
OF_POPULATED flag is still set in the corresponding OF nodes.
Switch to using of_platform_depopulate() instead of open coding so that
the child devices are created if the driver is rebound.
Fixes: c6e126de43e7 ("of: Keep track of populated platform devices")
Cc: stable@vger.kernel.org # 3.16
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251219110119.23507-1-johan@kernel.org
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/omap-ocp2scp.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/drivers/bus/omap-ocp2scp.c b/drivers/bus/omap-ocp2scp.c
index 7d7479ba0a759..87e290a3dc817 100644
--- a/drivers/bus/omap-ocp2scp.c
+++ b/drivers/bus/omap-ocp2scp.c
@@ -17,15 +17,6 @@
#define OCP2SCP_TIMING 0x18
#define SYNC2_MASK 0xf
-static int ocp2scp_remove_devices(struct device *dev, void *c)
-{
- struct platform_device *pdev = to_platform_device(dev);
-
- platform_device_unregister(pdev);
-
- return 0;
-}
-
static int omap_ocp2scp_probe(struct platform_device *pdev)
{
int ret;
@@ -79,7 +70,7 @@ static int omap_ocp2scp_probe(struct platform_device *pdev)
pm_runtime_disable(&pdev->dev);
err0:
- device_for_each_child(&pdev->dev, NULL, ocp2scp_remove_devices);
+ of_platform_depopulate(&pdev->dev);
return ret;
}
@@ -87,7 +78,7 @@ static int omap_ocp2scp_probe(struct platform_device *pdev)
static void omap_ocp2scp_remove(struct platform_device *pdev)
{
pm_runtime_disable(&pdev->dev);
- device_for_each_child(&pdev->dev, NULL, ocp2scp_remove_devices);
+ of_platform_depopulate(&pdev->dev);
}
#ifdef CONFIG_OF
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 044/567] ext4: get rid of ppath in ext4_find_extent()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 043/567] bus: omap-ocp2scp: fix OF populate on driver rebind Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 045/567] ext4: get rid of ppath in ext4_ext_create_new_leaf() Greg Kroah-Hartman
` (333 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 0be4c0c2f17bd10ae16c852f02d51a6a7b318aca ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
Getting rid of ppath in ext4_find_extent() requires its caller to update
ppath. These ppaths will also be dropped later. No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-12-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 22784ca541c0 ("ext4: subdivide EXT4_EXT_DATA_VALID1")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/ext4.h | 2 +-
fs/ext4/extents.c | 55 +++++++++++++++++++++++--------------------
fs/ext4/move_extent.c | 7 +++---
3 files changed, 34 insertions(+), 30 deletions(-)
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 85ba12a48f26a..dd0317d66c1db 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -3712,7 +3712,7 @@ extern int ext4_ext_insert_extent(handle_t *, struct inode *,
struct ext4_ext_path **,
struct ext4_extent *, int);
extern struct ext4_ext_path *ext4_find_extent(struct inode *, ext4_lblk_t,
- struct ext4_ext_path **,
+ struct ext4_ext_path *,
int flags);
extern void ext4_free_ext_path(struct ext4_ext_path *);
extern int ext4_ext_check_inode(struct inode *inode);
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 8d9cd6574d326..cd5f679648cea 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -881,11 +881,10 @@ void ext4_ext_tree_init(handle_t *handle, struct inode *inode)
struct ext4_ext_path *
ext4_find_extent(struct inode *inode, ext4_lblk_t block,
- struct ext4_ext_path **orig_path, int flags)
+ struct ext4_ext_path *path, int flags)
{
struct ext4_extent_header *eh;
struct buffer_head *bh;
- struct ext4_ext_path *path = orig_path ? *orig_path : NULL;
short int depth, i, ppos = 0;
int ret;
gfp_t gfp_flags = GFP_NOFS;
@@ -906,7 +905,7 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
ext4_ext_drop_refs(path);
if (depth > path[0].p_maxdepth) {
kfree(path);
- *orig_path = path = NULL;
+ path = NULL;
}
}
if (!path) {
@@ -957,14 +956,10 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
ext4_ext_show_path(inode, path);
- if (orig_path)
- *orig_path = path;
return path;
err:
ext4_free_ext_path(path);
- if (orig_path)
- *orig_path = NULL;
return ERR_PTR(ret);
}
@@ -1429,7 +1424,7 @@ static int ext4_ext_create_new_leaf(handle_t *handle, struct inode *inode,
/* refill path */
path = ext4_find_extent(inode,
(ext4_lblk_t)le32_to_cpu(newext->ee_block),
- ppath, gb_flags);
+ path, gb_flags);
if (IS_ERR(path))
err = PTR_ERR(path);
} else {
@@ -1441,7 +1436,7 @@ static int ext4_ext_create_new_leaf(handle_t *handle, struct inode *inode,
/* refill path */
path = ext4_find_extent(inode,
(ext4_lblk_t)le32_to_cpu(newext->ee_block),
- ppath, gb_flags);
+ path, gb_flags);
if (IS_ERR(path)) {
err = PTR_ERR(path);
goto out;
@@ -1457,8 +1452,8 @@ static int ext4_ext_create_new_leaf(handle_t *handle, struct inode *inode,
goto repeat;
}
}
-
out:
+ *ppath = IS_ERR(path) ? NULL : path;
return err;
}
@@ -3246,15 +3241,17 @@ static int ext4_split_extent_at(handle_t *handle,
* WARN_ON may be triggered in ext4_da_update_reserve_space() due to
* an incorrect ee_len causing the i_reserved_data_blocks exception.
*/
- path = ext4_find_extent(inode, ee_block, ppath,
+ path = ext4_find_extent(inode, ee_block, *ppath,
flags | EXT4_EX_NOFAIL);
if (IS_ERR(path)) {
EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld",
split, PTR_ERR(path));
+ *ppath = NULL;
return PTR_ERR(path);
}
depth = ext_depth(inode);
ex = path[depth].p_ext;
+ *ppath = path;
if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
@@ -3367,9 +3364,12 @@ static int ext4_split_extent(handle_t *handle,
* Update path is required because previous ext4_split_extent_at() may
* result in split of original leaf or extent zeroout.
*/
- path = ext4_find_extent(inode, map->m_lblk, ppath, flags);
- if (IS_ERR(path))
+ path = ext4_find_extent(inode, map->m_lblk, *ppath, flags);
+ if (IS_ERR(path)) {
+ *ppath = NULL;
return PTR_ERR(path);
+ }
+ *ppath = path;
depth = ext_depth(inode);
ex = path[depth].p_ext;
if (!ex) {
@@ -3755,9 +3755,12 @@ static int ext4_convert_unwritten_extents_endio(handle_t *handle,
EXT4_GET_BLOCKS_CONVERT);
if (err < 0)
return err;
- path = ext4_find_extent(inode, map->m_lblk, ppath, 0);
- if (IS_ERR(path))
+ path = ext4_find_extent(inode, map->m_lblk, *ppath, 0);
+ if (IS_ERR(path)) {
+ *ppath = NULL;
return PTR_ERR(path);
+ }
+ *ppath = path;
depth = ext_depth(inode);
ex = path[depth].p_ext;
}
@@ -3813,9 +3816,12 @@ convert_initialized_extent(handle_t *handle, struct inode *inode,
EXT4_GET_BLOCKS_CONVERT_UNWRITTEN);
if (err < 0)
return err;
- path = ext4_find_extent(inode, map->m_lblk, ppath, 0);
- if (IS_ERR(path))
+ path = ext4_find_extent(inode, map->m_lblk, *ppath, 0);
+ if (IS_ERR(path)) {
+ *ppath = NULL;
return PTR_ERR(path);
+ }
+ *ppath = path;
depth = ext_depth(inode);
ex = path[depth].p_ext;
if (!ex) {
@@ -5200,7 +5206,7 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle,
* won't be shifted beyond EXT_MAX_BLOCKS.
*/
if (SHIFT == SHIFT_LEFT) {
- path = ext4_find_extent(inode, start - 1, &path,
+ path = ext4_find_extent(inode, start - 1, path,
EXT4_EX_NOCACHE);
if (IS_ERR(path))
return PTR_ERR(path);
@@ -5249,7 +5255,7 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle,
* becomes NULL to indicate the end of the loop.
*/
while (iterator && start <= stop) {
- path = ext4_find_extent(inode, *iterator, &path,
+ path = ext4_find_extent(inode, *iterator, path,
EXT4_EX_NOCACHE);
if (IS_ERR(path))
return PTR_ERR(path);
@@ -5832,11 +5838,8 @@ int ext4_clu_mapped(struct inode *inode, ext4_lblk_t lclu)
/* search for the extent closest to the first block in the cluster */
path = ext4_find_extent(inode, EXT4_C2B(sbi, lclu), NULL, 0);
- if (IS_ERR(path)) {
- err = PTR_ERR(path);
- path = NULL;
- goto out;
- }
+ if (IS_ERR(path))
+ return PTR_ERR(path);
depth = ext_depth(inode);
@@ -5920,7 +5923,7 @@ int ext4_ext_replay_update_ex(struct inode *inode, ext4_lblk_t start,
if (ret)
goto out;
- path = ext4_find_extent(inode, start, &path, 0);
+ path = ext4_find_extent(inode, start, path, 0);
if (IS_ERR(path))
return PTR_ERR(path);
ex = path[path->p_depth].p_ext;
@@ -5934,7 +5937,7 @@ int ext4_ext_replay_update_ex(struct inode *inode, ext4_lblk_t start,
if (ret)
goto out;
- path = ext4_find_extent(inode, start, &path, 0);
+ path = ext4_find_extent(inode, start, path, 0);
if (IS_ERR(path))
return PTR_ERR(path);
ex = path[path->p_depth].p_ext;
diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c
index a3b0acca02ca5..d5636a2a718a8 100644
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -26,16 +26,17 @@ static inline int
get_ext_path(struct inode *inode, ext4_lblk_t lblock,
struct ext4_ext_path **ppath)
{
- struct ext4_ext_path *path;
+ struct ext4_ext_path *path = *ppath;
- path = ext4_find_extent(inode, lblock, ppath, EXT4_EX_NOCACHE);
+ *ppath = NULL;
+ path = ext4_find_extent(inode, lblock, path, EXT4_EX_NOCACHE);
if (IS_ERR(path))
return PTR_ERR(path);
if (path[ext_depth(inode)].p_ext == NULL) {
ext4_free_ext_path(path);
- *ppath = NULL;
return -ENODATA;
}
+ *ppath = path;
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 045/567] ext4: get rid of ppath in ext4_ext_create_new_leaf()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 044/567] ext4: get rid of ppath in ext4_find_extent() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 046/567] ext4: get rid of ppath in ext4_ext_insert_extent() Greg Kroah-Hartman
` (332 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit a000bc8678cc2bb10a5b80b4e991e77c7b4612fd ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
To get rid of the ppath in ext4_ext_create_new_leaf(), the following is
done here:
* Free the extents path when an error is encountered.
* Its caller needs to update ppath if it uses ppath.
No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-14-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 22784ca541c0 ("ext4: subdivide EXT4_EXT_DATA_VALID1")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 43 ++++++++++++++++++++++---------------------
1 file changed, 22 insertions(+), 21 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index cd5f679648cea..7c2bc5c2c7664 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -1392,13 +1392,12 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode,
* finds empty index and adds new leaf.
* if no free index is found, then it requests in-depth growing.
*/
-static int ext4_ext_create_new_leaf(handle_t *handle, struct inode *inode,
- unsigned int mb_flags,
- unsigned int gb_flags,
- struct ext4_ext_path **ppath,
- struct ext4_extent *newext)
+static struct ext4_ext_path *
+ext4_ext_create_new_leaf(handle_t *handle, struct inode *inode,
+ unsigned int mb_flags, unsigned int gb_flags,
+ struct ext4_ext_path *path,
+ struct ext4_extent *newext)
{
- struct ext4_ext_path *path = *ppath;
struct ext4_ext_path *curp;
int depth, i, err = 0;
@@ -1419,28 +1418,25 @@ static int ext4_ext_create_new_leaf(handle_t *handle, struct inode *inode,
* entry: create all needed subtree and add new leaf */
err = ext4_ext_split(handle, inode, mb_flags, path, newext, i);
if (err)
- goto out;
+ goto errout;
/* refill path */
path = ext4_find_extent(inode,
(ext4_lblk_t)le32_to_cpu(newext->ee_block),
path, gb_flags);
- if (IS_ERR(path))
- err = PTR_ERR(path);
+ return path;
} else {
/* tree is full, time to grow in depth */
err = ext4_ext_grow_indepth(handle, inode, mb_flags);
if (err)
- goto out;
+ goto errout;
/* refill path */
path = ext4_find_extent(inode,
(ext4_lblk_t)le32_to_cpu(newext->ee_block),
path, gb_flags);
- if (IS_ERR(path)) {
- err = PTR_ERR(path);
- goto out;
- }
+ if (IS_ERR(path))
+ return path;
/*
* only first (depth 0 -> 1) produces free space;
@@ -1452,9 +1448,11 @@ static int ext4_ext_create_new_leaf(handle_t *handle, struct inode *inode,
goto repeat;
}
}
-out:
- *ppath = IS_ERR(path) ? NULL : path;
- return err;
+ return path;
+
+errout:
+ ext4_free_ext_path(path);
+ return ERR_PTR(err);
}
/*
@@ -2097,11 +2095,14 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
*/
if (gb_flags & EXT4_GET_BLOCKS_METADATA_NOFAIL)
mb_flags |= EXT4_MB_USE_RESERVED;
- err = ext4_ext_create_new_leaf(handle, inode, mb_flags, gb_flags,
- ppath, newext);
- if (err)
+ path = ext4_ext_create_new_leaf(handle, inode, mb_flags, gb_flags,
+ path, newext);
+ if (IS_ERR(path)) {
+ *ppath = NULL;
+ err = PTR_ERR(path);
goto cleanup;
- path = *ppath;
+ }
+ *ppath = path;
depth = ext_depth(inode);
eh = path[depth].p_hdr;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 046/567] ext4: get rid of ppath in ext4_ext_insert_extent()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 045/567] ext4: get rid of ppath in ext4_ext_create_new_leaf() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 047/567] ext4: get rid of ppath in ext4_split_extent_at() Greg Kroah-Hartman
` (331 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit f7d1331f16a869c76a5102caebb58e840e1d509c ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
To get rid of the ppath in ext4_ext_insert_extent(), the following is done
here:
* Free the extents path when an error is encountered.
* Its caller needs to update ppath if it uses ppath.
* Free path when npath is used, free npath when it is not used.
* The got_allocated_blocks label in ext4_ext_map_blocks() does not
update err now, so err is updated to 0 if the err returned by
ext4_ext_search_right() is greater than 0 and is about to enter
got_allocated_blocks.
No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-15-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 22784ca541c0 ("ext4: subdivide EXT4_EXT_DATA_VALID1")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/ext4.h | 7 ++--
fs/ext4/extents.c | 88 ++++++++++++++++++++++++-------------------
fs/ext4/fast_commit.c | 8 ++--
fs/ext4/migrate.c | 5 ++-
4 files changed, 61 insertions(+), 47 deletions(-)
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index dd0317d66c1db..ce8bd312c1b84 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -3708,9 +3708,10 @@ extern int ext4_map_blocks(handle_t *handle, struct inode *inode,
extern int ext4_ext_calc_credits_for_single_extent(struct inode *inode,
int num,
struct ext4_ext_path *path);
-extern int ext4_ext_insert_extent(handle_t *, struct inode *,
- struct ext4_ext_path **,
- struct ext4_extent *, int);
+extern struct ext4_ext_path *ext4_ext_insert_extent(
+ handle_t *handle, struct inode *inode,
+ struct ext4_ext_path *path,
+ struct ext4_extent *newext, int gb_flags);
extern struct ext4_ext_path *ext4_find_extent(struct inode *, ext4_lblk_t,
struct ext4_ext_path *,
int flags);
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 7c2bc5c2c7664..4f15c26bafe53 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -1960,16 +1960,15 @@ static unsigned int ext4_ext_check_overlap(struct ext4_sb_info *sbi,
* inserts requested extent as new one into the tree,
* creating new leaf in the no-space case.
*/
-int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
- struct ext4_ext_path **ppath,
- struct ext4_extent *newext, int gb_flags)
+struct ext4_ext_path *
+ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
+ struct ext4_ext_path *path,
+ struct ext4_extent *newext, int gb_flags)
{
- struct ext4_ext_path *path = *ppath;
struct ext4_extent_header *eh;
struct ext4_extent *ex, *fex;
struct ext4_extent *nearex; /* nearest extent */
- struct ext4_ext_path *npath = NULL;
- int depth, len, err;
+ int depth, len, err = 0;
ext4_lblk_t next;
int mb_flags = 0, unwritten;
@@ -1977,14 +1976,16 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
mb_flags |= EXT4_MB_DELALLOC_RESERVED;
if (unlikely(ext4_ext_get_actual_len(newext) == 0)) {
EXT4_ERROR_INODE(inode, "ext4_ext_get_actual_len(newext) == 0");
- return -EFSCORRUPTED;
+ err = -EFSCORRUPTED;
+ goto errout;
}
depth = ext_depth(inode);
ex = path[depth].p_ext;
eh = path[depth].p_hdr;
if (unlikely(path[depth].p_hdr == NULL)) {
EXT4_ERROR_INODE(inode, "path[%d].p_hdr == NULL", depth);
- return -EFSCORRUPTED;
+ err = -EFSCORRUPTED;
+ goto errout;
}
/* try to insert block into found extent and return */
@@ -2022,7 +2023,7 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
err = ext4_ext_get_access(handle, inode,
path + depth);
if (err)
- return err;
+ goto errout;
unwritten = ext4_ext_is_unwritten(ex);
ex->ee_len = cpu_to_le16(ext4_ext_get_actual_len(ex)
+ ext4_ext_get_actual_len(newext));
@@ -2047,7 +2048,7 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
err = ext4_ext_get_access(handle, inode,
path + depth);
if (err)
- return err;
+ goto errout;
unwritten = ext4_ext_is_unwritten(ex);
ex->ee_block = newext->ee_block;
@@ -2072,21 +2073,26 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
if (le32_to_cpu(newext->ee_block) > le32_to_cpu(fex->ee_block))
next = ext4_ext_next_leaf_block(path);
if (next != EXT_MAX_BLOCKS) {
+ struct ext4_ext_path *npath;
+
ext_debug(inode, "next leaf block - %u\n", next);
- BUG_ON(npath != NULL);
npath = ext4_find_extent(inode, next, NULL, gb_flags);
- if (IS_ERR(npath))
- return PTR_ERR(npath);
+ if (IS_ERR(npath)) {
+ err = PTR_ERR(npath);
+ goto errout;
+ }
BUG_ON(npath->p_depth != path->p_depth);
eh = npath[depth].p_hdr;
if (le16_to_cpu(eh->eh_entries) < le16_to_cpu(eh->eh_max)) {
ext_debug(inode, "next leaf isn't full(%d)\n",
le16_to_cpu(eh->eh_entries));
+ ext4_free_ext_path(path);
path = npath;
goto has_space;
}
ext_debug(inode, "next leaf has no free space(%d,%d)\n",
le16_to_cpu(eh->eh_entries), le16_to_cpu(eh->eh_max));
+ ext4_free_ext_path(npath);
}
/*
@@ -2097,12 +2103,8 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
mb_flags |= EXT4_MB_USE_RESERVED;
path = ext4_ext_create_new_leaf(handle, inode, mb_flags, gb_flags,
path, newext);
- if (IS_ERR(path)) {
- *ppath = NULL;
- err = PTR_ERR(path);
- goto cleanup;
- }
- *ppath = path;
+ if (IS_ERR(path))
+ return path;
depth = ext_depth(inode);
eh = path[depth].p_hdr;
@@ -2111,7 +2113,7 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
err = ext4_ext_get_access(handle, inode, path + depth);
if (err)
- goto cleanup;
+ goto errout;
if (!nearex) {
/* there is no extent in this leaf, create first one */
@@ -2169,17 +2171,20 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
if (!(gb_flags & EXT4_GET_BLOCKS_PRE_IO))
ext4_ext_try_to_merge(handle, inode, path, nearex);
-
/* time to correct all indexes above */
err = ext4_ext_correct_indexes(handle, inode, path);
if (err)
- goto cleanup;
+ goto errout;
err = ext4_ext_dirty(handle, inode, path + path->p_depth);
+ if (err)
+ goto errout;
-cleanup:
- ext4_free_ext_path(npath);
- return err;
+ return path;
+
+errout:
+ ext4_free_ext_path(path);
+ return ERR_PTR(err);
}
static int ext4_fill_es_cache_info(struct inode *inode,
@@ -3230,24 +3235,29 @@ static int ext4_split_extent_at(handle_t *handle,
if (split_flag & EXT4_EXT_MARK_UNWRIT2)
ext4_ext_mark_unwritten(ex2);
- err = ext4_ext_insert_extent(handle, inode, ppath, &newex, flags);
- if (err != -ENOSPC && err != -EDQUOT && err != -ENOMEM)
+ path = ext4_ext_insert_extent(handle, inode, path, &newex, flags);
+ if (!IS_ERR(path)) {
+ *ppath = path;
goto out;
+ }
+ *ppath = NULL;
+ err = PTR_ERR(path);
+ if (err != -ENOSPC && err != -EDQUOT && err != -ENOMEM)
+ return err;
/*
- * Update path is required because previous ext4_ext_insert_extent()
- * may have freed or reallocated the path. Using EXT4_EX_NOFAIL
- * guarantees that ext4_find_extent() will not return -ENOMEM,
- * otherwise -ENOMEM will cause a retry in do_writepages(), and a
- * WARN_ON may be triggered in ext4_da_update_reserve_space() due to
- * an incorrect ee_len causing the i_reserved_data_blocks exception.
+ * Get a new path to try to zeroout or fix the extent length.
+ * Using EXT4_EX_NOFAIL guarantees that ext4_find_extent()
+ * will not return -ENOMEM, otherwise -ENOMEM will cause a
+ * retry in do_writepages(), and a WARN_ON may be triggered
+ * in ext4_da_update_reserve_space() due to an incorrect
+ * ee_len causing the i_reserved_data_blocks exception.
*/
- path = ext4_find_extent(inode, ee_block, *ppath,
+ path = ext4_find_extent(inode, ee_block, NULL,
flags | EXT4_EX_NOFAIL);
if (IS_ERR(path)) {
EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld",
split, PTR_ERR(path));
- *ppath = NULL;
return PTR_ERR(path);
}
depth = ext_depth(inode);
@@ -3306,7 +3316,7 @@ static int ext4_split_extent_at(handle_t *handle,
ext4_ext_dirty(handle, inode, path + path->p_depth);
return err;
out:
- ext4_ext_show_leaf(inode, *ppath);
+ ext4_ext_show_leaf(inode, path);
return err;
}
@@ -4296,6 +4306,7 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode,
get_implied_cluster_alloc(inode->i_sb, map, &ex2, path)) {
ar.len = allocated = map->m_len;
newblock = map->m_pblk;
+ err = 0;
goto got_allocated_blocks;
}
@@ -4368,8 +4379,9 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode,
map->m_flags |= EXT4_MAP_UNWRITTEN;
}
- err = ext4_ext_insert_extent(handle, inode, &path, &newex, flags);
- if (err) {
+ path = ext4_ext_insert_extent(handle, inode, path, &newex, flags);
+ if (IS_ERR(path)) {
+ err = PTR_ERR(path);
if (allocated_clusters) {
int fb_flags = 0;
diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c
index 62a6960242c5a..be65b5f51d9e2 100644
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -1806,12 +1806,12 @@ static int ext4_fc_replay_add_range(struct super_block *sb,
if (ext4_ext_is_unwritten(ex))
ext4_ext_mark_unwritten(&newex);
down_write(&EXT4_I(inode)->i_data_sem);
- ret = ext4_ext_insert_extent(
- NULL, inode, &path, &newex, 0);
+ path = ext4_ext_insert_extent(NULL, inode,
+ path, &newex, 0);
up_write((&EXT4_I(inode)->i_data_sem));
- ext4_free_ext_path(path);
- if (ret)
+ if (IS_ERR(path))
goto out;
+ ext4_free_ext_path(path);
goto next;
}
diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c
index a5e1492bbaaa5..1b0dfd963d3f0 100644
--- a/fs/ext4/migrate.c
+++ b/fs/ext4/migrate.c
@@ -37,7 +37,6 @@ static int finish_range(handle_t *handle, struct inode *inode,
path = ext4_find_extent(inode, lb->first_block, NULL, 0);
if (IS_ERR(path)) {
retval = PTR_ERR(path);
- path = NULL;
goto err_out;
}
@@ -53,7 +52,9 @@ static int finish_range(handle_t *handle, struct inode *inode,
retval = ext4_datasem_ensure_credits(handle, inode, needed, needed, 0);
if (retval < 0)
goto err_out;
- retval = ext4_ext_insert_extent(handle, inode, &path, &newext, 0);
+ path = ext4_ext_insert_extent(handle, inode, path, &newext, 0);
+ if (IS_ERR(path))
+ retval = PTR_ERR(path);
err_out:
up_write((&EXT4_I(inode)->i_data_sem));
ext4_free_ext_path(path);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 047/567] ext4: get rid of ppath in ext4_split_extent_at()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 046/567] ext4: get rid of ppath in ext4_ext_insert_extent() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 048/567] ext4: subdivide EXT4_EXT_DATA_VALID1 Greg Kroah-Hartman
` (330 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 1de82b1b60d4613753254bf3cbf622a4c02c945c ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
To get rid of the ppath in ext4_split_extent_at(), the following is done
here:
* Free the extents path when an error is encountered.
* Its caller needs to update ppath if it uses ppath.
* Teach ext4_ext_show_leaf() to skip error pointer.
No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-16-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 22784ca541c0 ("ext4: subdivide EXT4_EXT_DATA_VALID1")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 85 ++++++++++++++++++++++++++---------------------
1 file changed, 47 insertions(+), 38 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 4f15c26bafe53..33ed753ea82e9 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -84,12 +84,11 @@ static void ext4_extent_block_csum_set(struct inode *inode,
et->et_checksum = ext4_extent_block_csum(inode, eh);
}
-static int ext4_split_extent_at(handle_t *handle,
- struct inode *inode,
- struct ext4_ext_path **ppath,
- ext4_lblk_t split,
- int split_flag,
- int flags);
+static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
+ struct inode *inode,
+ struct ext4_ext_path *path,
+ ext4_lblk_t split,
+ int split_flag, int flags);
static int ext4_ext_trunc_restart_fn(struct inode *inode, int *dropped)
{
@@ -335,9 +334,15 @@ ext4_force_split_extent_at(handle_t *handle, struct inode *inode,
if (nofail)
flags |= EXT4_GET_BLOCKS_METADATA_NOFAIL | EXT4_EX_NOFAIL;
- return ext4_split_extent_at(handle, inode, ppath, lblk, unwritten ?
+ path = ext4_split_extent_at(handle, inode, path, lblk, unwritten ?
EXT4_EXT_MARK_UNWRIT1|EXT4_EXT_MARK_UNWRIT2 : 0,
flags);
+ if (IS_ERR(path)) {
+ *ppath = NULL;
+ return PTR_ERR(path);
+ }
+ *ppath = path;
+ return 0;
}
static int
@@ -689,7 +694,7 @@ static void ext4_ext_show_leaf(struct inode *inode, struct ext4_ext_path *path)
struct ext4_extent *ex;
int i;
- if (!path)
+ if (IS_ERR_OR_NULL(path))
return;
eh = path[depth].p_hdr;
@@ -3153,16 +3158,14 @@ static int ext4_ext_zeroout(struct inode *inode, struct ext4_extent *ex)
* a> the extent are splitted into two extent.
* b> split is not needed, and just mark the extent.
*
- * return 0 on success.
+ * Return an extent path pointer on success, or an error pointer on failure.
*/
-static int ext4_split_extent_at(handle_t *handle,
- struct inode *inode,
- struct ext4_ext_path **ppath,
- ext4_lblk_t split,
- int split_flag,
- int flags)
+static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
+ struct inode *inode,
+ struct ext4_ext_path *path,
+ ext4_lblk_t split,
+ int split_flag, int flags)
{
- struct ext4_ext_path *path = *ppath;
ext4_fsblk_t newblock;
ext4_lblk_t ee_block;
struct ext4_extent *ex, newex, orig_ex, zero_ex;
@@ -3236,14 +3239,12 @@ static int ext4_split_extent_at(handle_t *handle,
ext4_ext_mark_unwritten(ex2);
path = ext4_ext_insert_extent(handle, inode, path, &newex, flags);
- if (!IS_ERR(path)) {
- *ppath = path;
+ if (!IS_ERR(path))
goto out;
- }
- *ppath = NULL;
+
err = PTR_ERR(path);
if (err != -ENOSPC && err != -EDQUOT && err != -ENOMEM)
- return err;
+ return path;
/*
* Get a new path to try to zeroout or fix the extent length.
@@ -3253,16 +3254,14 @@ static int ext4_split_extent_at(handle_t *handle,
* in ext4_da_update_reserve_space() due to an incorrect
* ee_len causing the i_reserved_data_blocks exception.
*/
- path = ext4_find_extent(inode, ee_block, NULL,
- flags | EXT4_EX_NOFAIL);
+ path = ext4_find_extent(inode, ee_block, NULL, flags | EXT4_EX_NOFAIL);
if (IS_ERR(path)) {
EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld",
split, PTR_ERR(path));
- return PTR_ERR(path);
+ return path;
}
depth = ext_depth(inode);
ex = path[depth].p_ext;
- *ppath = path;
if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
@@ -3314,10 +3313,13 @@ static int ext4_split_extent_at(handle_t *handle,
* and err is a non-zero error code.
*/
ext4_ext_dirty(handle, inode, path + path->p_depth);
- return err;
out:
+ if (err) {
+ ext4_free_ext_path(path);
+ path = ERR_PTR(err);
+ }
ext4_ext_show_leaf(inode, path);
- return err;
+ return path;
}
/*
@@ -3364,10 +3366,14 @@ static int ext4_split_extent(handle_t *handle,
EXT4_EXT_MARK_UNWRIT2;
if (split_flag & EXT4_EXT_DATA_VALID2)
split_flag1 |= EXT4_EXT_DATA_VALID1;
- err = ext4_split_extent_at(handle, inode, ppath,
+ path = ext4_split_extent_at(handle, inode, path,
map->m_lblk + map->m_len, split_flag1, flags1);
- if (err)
+ if (IS_ERR(path)) {
+ err = PTR_ERR(path);
+ *ppath = NULL;
goto out;
+ }
+ *ppath = path;
} else {
allocated = ee_len - (map->m_lblk - ee_block);
}
@@ -3375,7 +3381,7 @@ static int ext4_split_extent(handle_t *handle,
* Update path is required because previous ext4_split_extent_at() may
* result in split of original leaf or extent zeroout.
*/
- path = ext4_find_extent(inode, map->m_lblk, *ppath, flags);
+ path = ext4_find_extent(inode, map->m_lblk, path, flags);
if (IS_ERR(path)) {
*ppath = NULL;
return PTR_ERR(path);
@@ -3397,13 +3403,17 @@ static int ext4_split_extent(handle_t *handle,
split_flag1 |= split_flag & (EXT4_EXT_MAY_ZEROOUT |
EXT4_EXT_MARK_UNWRIT2);
}
- err = ext4_split_extent_at(handle, inode, ppath,
+ path = ext4_split_extent_at(handle, inode, path,
map->m_lblk, split_flag1, flags);
- if (err)
+ if (IS_ERR(path)) {
+ err = PTR_ERR(path);
+ *ppath = NULL;
goto out;
+ }
+ *ppath = path;
}
- ext4_ext_show_leaf(inode, *ppath);
+ ext4_ext_show_leaf(inode, path);
out:
return err ? err : allocated;
}
@@ -5590,22 +5600,21 @@ static int ext4_insert_range(struct file *file, loff_t offset, loff_t len)
if (ext4_ext_is_unwritten(extent))
split_flag = EXT4_EXT_MARK_UNWRIT1 |
EXT4_EXT_MARK_UNWRIT2;
- ret = ext4_split_extent_at(handle, inode, &path,
+ path = ext4_split_extent_at(handle, inode, path,
offset_lblk, split_flag,
EXT4_EX_NOCACHE |
EXT4_GET_BLOCKS_PRE_IO |
EXT4_GET_BLOCKS_METADATA_NOFAIL);
}
- ext4_free_ext_path(path);
- if (ret < 0) {
+ if (IS_ERR(path)) {
up_write(&EXT4_I(inode)->i_data_sem);
+ ret = PTR_ERR(path);
goto out_stop;
}
- } else {
- ext4_free_ext_path(path);
}
+ ext4_free_ext_path(path);
ext4_es_remove_extent(inode, offset_lblk, EXT_MAX_BLOCKS - offset_lblk);
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 048/567] ext4: subdivide EXT4_EXT_DATA_VALID1
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 047/567] ext4: get rid of ppath in ext4_split_extent_at() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 049/567] ext4: dont zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1 Greg Kroah-Hartman
` (329 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yi, Ojaswin Mujoo, Baokun Li,
stable, Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
[ Upstream commit 22784ca541c0f01c5ebad14e8228298dc0a390ed ]
When splitting an extent, if the EXT4_GET_BLOCKS_CONVERT flag is set and
it is necessary to split the target extent in the middle,
ext4_split_extent() first handles splitting the latter half of the
extent and passes the EXT4_EXT_DATA_VALID1 flag. This flag implies that
all blocks before the split point contain valid data; however, this
assumption is incorrect.
Therefore, subdivid EXT4_EXT_DATA_VALID1 into
EXT4_EXT_DATA_ENTIRE_VALID1 and EXT4_EXT_DATA_PARTIAL_VALID1, which
indicate that the first half of the extent is either entirely valid or
only partially valid, respectively. These two flags cannot be set
simultaneously.
This patch does not use EXT4_EXT_DATA_PARTIAL_VALID1, it only replaces
EXT4_EXT_DATA_VALID1 with EXT4_EXT_DATA_ENTIRE_VALID1 at the location
where it is set, no logical changes.
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Cc: stable@kernel.org
Message-ID: <20251129103247.686136-2-yi.zhang@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 33ed753ea82e9..18520281e1b5f 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -43,8 +43,13 @@
#define EXT4_EXT_MARK_UNWRIT1 0x2 /* mark first half unwritten */
#define EXT4_EXT_MARK_UNWRIT2 0x4 /* mark second half unwritten */
-#define EXT4_EXT_DATA_VALID1 0x8 /* first half contains valid data */
-#define EXT4_EXT_DATA_VALID2 0x10 /* second half contains valid data */
+/* first half contains valid data */
+#define EXT4_EXT_DATA_ENTIRE_VALID1 0x8 /* has entirely valid data */
+#define EXT4_EXT_DATA_PARTIAL_VALID1 0x10 /* has partially valid data */
+#define EXT4_EXT_DATA_VALID1 (EXT4_EXT_DATA_ENTIRE_VALID1 | \
+ EXT4_EXT_DATA_PARTIAL_VALID1)
+
+#define EXT4_EXT_DATA_VALID2 0x20 /* second half contains valid data */
static __le32 ext4_extent_block_csum(struct inode *inode,
struct ext4_extent_header *eh)
@@ -3173,8 +3178,9 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
unsigned int ee_len, depth;
int err = 0;
- BUG_ON((split_flag & (EXT4_EXT_DATA_VALID1 | EXT4_EXT_DATA_VALID2)) ==
- (EXT4_EXT_DATA_VALID1 | EXT4_EXT_DATA_VALID2));
+ BUG_ON((split_flag & EXT4_EXT_DATA_VALID1) == EXT4_EXT_DATA_VALID1);
+ BUG_ON((split_flag & EXT4_EXT_DATA_VALID1) &&
+ (split_flag & EXT4_EXT_DATA_VALID2));
/* Do not cache extents that are in the process of being modified. */
flags |= EXT4_EX_NOCACHE;
@@ -3365,7 +3371,7 @@ static int ext4_split_extent(handle_t *handle,
split_flag1 |= EXT4_EXT_MARK_UNWRIT1 |
EXT4_EXT_MARK_UNWRIT2;
if (split_flag & EXT4_EXT_DATA_VALID2)
- split_flag1 |= EXT4_EXT_DATA_VALID1;
+ split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1;
path = ext4_split_extent_at(handle, inode, path,
map->m_lblk + map->m_len, split_flag1, flags1);
if (IS_ERR(path)) {
@@ -3728,7 +3734,7 @@ static int ext4_split_convert_extents(handle_t *handle,
/* Convert to unwritten */
if (flags & EXT4_GET_BLOCKS_CONVERT_UNWRITTEN) {
- split_flag |= EXT4_EXT_DATA_VALID1;
+ split_flag |= EXT4_EXT_DATA_ENTIRE_VALID1;
/* Convert to initialized */
} else if (flags & EXT4_GET_BLOCKS_CONVERT) {
split_flag |= ee_block + ee_len <= eof_block ?
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 049/567] ext4: dont zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 048/567] ext4: subdivide EXT4_EXT_DATA_VALID1 Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 050/567] ext4: get rid of ppath in ext4_split_extent() Greg Kroah-Hartman
` (328 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yi, Ojaswin Mujoo, Baokun Li,
stable, Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
[ Upstream commit 1bf6974822d1dba86cf11b5f05498581cf3488a2 ]
When allocating initialized blocks from a large unwritten extent, or
when splitting an unwritten extent during end I/O and converting it to
initialized, there is currently a potential issue of stale data if the
extent needs to be split in the middle.
0 A B N
[UUUUUUUUUUUU] U: unwritten extent
[--DDDDDDDD--] D: valid data
|<- ->| ----> this range needs to be initialized
ext4_split_extent() first try to split this extent at B with
EXT4_EXT_DATA_ENTIRE_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but
ext4_split_extent_at() failed to split this extent due to temporary lack
of space. It zeroout B to N and mark the entire extent from 0 to N
as written.
0 A B N
[WWWWWWWWWWWW] W: written extent
[SSDDDDDDDDZZ] Z: zeroed, S: stale data
ext4_split_extent() then try to split this extent at A with
EXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and left
a stale written extent from 0 to A.
0 A B N
[WW|WWWWWWWWWW]
[SS|DDDDDDDDZZ]
Fix this by pass EXT4_EXT_DATA_PARTIAL_VALID1 to ext4_split_extent_at()
when splitting at B, don't convert the entire extent to written and left
it as unwritten after zeroing out B to N. The remaining work is just
like the standard two-part split. ext4_split_extent() will pass the
EXT4_EXT_DATA_VALID2 flag when it calls ext4_split_extent_at() for the
second time, allowing it to properly handle the split. If the split is
successful, it will keep extent from 0 to A as unwritten.
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Cc: stable@kernel.org
Message-ID: <20251129103247.686136-3-yi.zhang@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 18520281e1b5f..fd9517dbf633e 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3296,6 +3296,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
}
if (!err) {
+ /*
+ * The first half contains partially valid data, the
+ * splitting of this extent has not been completed, fix
+ * extent length and ext4_split_extent() split will the
+ * first half again.
+ */
+ if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1)
+ goto fix_extent_len;
+
/* update the extent length and mark as initialized */
ex->ee_len = cpu_to_le16(ee_len);
ext4_ext_try_to_merge(handle, inode, path, ex);
@@ -3371,7 +3380,9 @@ static int ext4_split_extent(handle_t *handle,
split_flag1 |= EXT4_EXT_MARK_UNWRIT1 |
EXT4_EXT_MARK_UNWRIT2;
if (split_flag & EXT4_EXT_DATA_VALID2)
- split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1;
+ split_flag1 |= map->m_lblk > ee_block ?
+ EXT4_EXT_DATA_PARTIAL_VALID1 :
+ EXT4_EXT_DATA_ENTIRE_VALID1;
path = ext4_split_extent_at(handle, inode, path,
map->m_lblk + map->m_len, split_flag1, flags1);
if (IS_ERR(path)) {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 050/567] ext4: get rid of ppath in ext4_split_extent()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 049/567] ext4: dont zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1 Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 051/567] ext4: get rid of ppath in ext4_split_convert_extents() Greg Kroah-Hartman
` (327 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit f74cde045617cc275c848c9692feac249ff7a3e7 ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
To get rid of the ppath in ext4_split_extent(), the following is done here:
* The 'allocated' is changed from passing a value to passing an address.
* Its caller needs to update ppath if it uses ppath.
No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-18-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: feaf2a80e78f ("ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 97 ++++++++++++++++++++++++-----------------------
1 file changed, 50 insertions(+), 47 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index fd9517dbf633e..89d3baac7a79c 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3348,21 +3348,18 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
* c> Splits in three extents: Somone is splitting in middle of the extent
*
*/
-static int ext4_split_extent(handle_t *handle,
- struct inode *inode,
- struct ext4_ext_path **ppath,
- struct ext4_map_blocks *map,
- int split_flag,
- int flags)
+static struct ext4_ext_path *ext4_split_extent(handle_t *handle,
+ struct inode *inode,
+ struct ext4_ext_path *path,
+ struct ext4_map_blocks *map,
+ int split_flag, int flags,
+ unsigned int *allocated)
{
- struct ext4_ext_path *path = *ppath;
ext4_lblk_t ee_block;
struct ext4_extent *ex;
unsigned int ee_len, depth;
- int err = 0;
int unwritten;
int split_flag1, flags1;
- int allocated = map->m_len;
depth = ext_depth(inode);
ex = path[depth].p_ext;
@@ -3385,33 +3382,25 @@ static int ext4_split_extent(handle_t *handle,
EXT4_EXT_DATA_ENTIRE_VALID1;
path = ext4_split_extent_at(handle, inode, path,
map->m_lblk + map->m_len, split_flag1, flags1);
- if (IS_ERR(path)) {
- err = PTR_ERR(path);
- *ppath = NULL;
- goto out;
+ if (IS_ERR(path))
+ return path;
+ /*
+ * Update path is required because previous ext4_split_extent_at
+ * may result in split of original leaf or extent zeroout.
+ */
+ path = ext4_find_extent(inode, map->m_lblk, path, flags);
+ if (IS_ERR(path))
+ return path;
+ depth = ext_depth(inode);
+ ex = path[depth].p_ext;
+ if (!ex) {
+ EXT4_ERROR_INODE(inode, "unexpected hole at %lu",
+ (unsigned long) map->m_lblk);
+ ext4_free_ext_path(path);
+ return ERR_PTR(-EFSCORRUPTED);
}
- *ppath = path;
- } else {
- allocated = ee_len - (map->m_lblk - ee_block);
- }
- /*
- * Update path is required because previous ext4_split_extent_at() may
- * result in split of original leaf or extent zeroout.
- */
- path = ext4_find_extent(inode, map->m_lblk, path, flags);
- if (IS_ERR(path)) {
- *ppath = NULL;
- return PTR_ERR(path);
- }
- *ppath = path;
- depth = ext_depth(inode);
- ex = path[depth].p_ext;
- if (!ex) {
- EXT4_ERROR_INODE(inode, "unexpected hole at %lu",
- (unsigned long) map->m_lblk);
- return -EFSCORRUPTED;
+ unwritten = ext4_ext_is_unwritten(ex);
}
- unwritten = ext4_ext_is_unwritten(ex);
if (map->m_lblk >= ee_block) {
split_flag1 = split_flag & EXT4_EXT_DATA_VALID2;
@@ -3422,17 +3411,18 @@ static int ext4_split_extent(handle_t *handle,
}
path = ext4_split_extent_at(handle, inode, path,
map->m_lblk, split_flag1, flags);
- if (IS_ERR(path)) {
- err = PTR_ERR(path);
- *ppath = NULL;
- goto out;
- }
- *ppath = path;
+ if (IS_ERR(path))
+ return path;
}
+ if (allocated) {
+ if (map->m_lblk + map->m_len > ee_block + ee_len)
+ *allocated = ee_len - (map->m_lblk - ee_block);
+ else
+ *allocated = map->m_len;
+ }
ext4_ext_show_leaf(inode, path);
-out:
- return err ? err : allocated;
+ return path;
}
/*
@@ -3677,10 +3667,15 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
}
fallback:
- err = ext4_split_extent(handle, inode, ppath, &split_map, split_flag,
- flags);
- if (err > 0)
- err = 0;
+ path = ext4_split_extent(handle, inode, path, &split_map, split_flag,
+ flags, NULL);
+ if (IS_ERR(path)) {
+ err = PTR_ERR(path);
+ *ppath = NULL;
+ goto out;
+ }
+ err = 0;
+ *ppath = path;
out:
/* If we have gotten a failure, don't zero out status tree */
if (!err) {
@@ -3726,6 +3721,7 @@ static int ext4_split_convert_extents(handle_t *handle,
struct ext4_extent *ex;
unsigned int ee_len;
int split_flag = 0, depth;
+ unsigned int allocated = 0;
ext_debug(inode, "logical block %llu, max_blocks %u\n",
(unsigned long long)map->m_lblk, map->m_len);
@@ -3753,7 +3749,14 @@ static int ext4_split_convert_extents(handle_t *handle,
split_flag |= (EXT4_EXT_MARK_UNWRIT2 | EXT4_EXT_DATA_VALID2);
}
flags |= EXT4_GET_BLOCKS_PRE_IO;
- return ext4_split_extent(handle, inode, ppath, map, split_flag, flags);
+ path = ext4_split_extent(handle, inode, path, map, split_flag, flags,
+ &allocated);
+ if (IS_ERR(path)) {
+ *ppath = NULL;
+ return PTR_ERR(path);
+ }
+ *ppath = path;
+ return allocated;
}
static int ext4_convert_unwritten_extents_endio(handle_t *handle,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 051/567] ext4: get rid of ppath in ext4_split_convert_extents()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 050/567] ext4: get rid of ppath in ext4_split_extent() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 052/567] ext4: get rid of ppath in ext4_convert_unwritten_extents_endio() Greg Kroah-Hartman
` (326 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 225057b1af381567ffa4eb813f4a28a5c38a25cf ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
To get rid of the ppath in ext4_split_convert_extents(), the following is
done here:
* Its caller needs to update ppath if it uses ppath.
No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-19-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: feaf2a80e78f ("ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 65 ++++++++++++++++++++++++-----------------------
1 file changed, 33 insertions(+), 32 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 89d3baac7a79c..27bacfa7d492c 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3707,21 +3707,21 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
* being filled will be convert to initialized by the end_io callback function
* via ext4_convert_unwritten_extents().
*
- * Returns the size of unwritten extent to be written on success.
+ * The size of unwritten extent to be written is passed to the caller via the
+ * allocated pointer. Return an extent path pointer on success, or an error
+ * pointer on failure.
*/
-static int ext4_split_convert_extents(handle_t *handle,
+static struct ext4_ext_path *ext4_split_convert_extents(handle_t *handle,
struct inode *inode,
struct ext4_map_blocks *map,
- struct ext4_ext_path **ppath,
- int flags)
+ struct ext4_ext_path *path,
+ int flags, unsigned int *allocated)
{
- struct ext4_ext_path *path = *ppath;
ext4_lblk_t eof_block;
ext4_lblk_t ee_block;
struct ext4_extent *ex;
unsigned int ee_len;
int split_flag = 0, depth;
- unsigned int allocated = 0;
ext_debug(inode, "logical block %llu, max_blocks %u\n",
(unsigned long long)map->m_lblk, map->m_len);
@@ -3749,14 +3749,8 @@ static int ext4_split_convert_extents(handle_t *handle,
split_flag |= (EXT4_EXT_MARK_UNWRIT2 | EXT4_EXT_DATA_VALID2);
}
flags |= EXT4_GET_BLOCKS_PRE_IO;
- path = ext4_split_extent(handle, inode, path, map, split_flag, flags,
- &allocated);
- if (IS_ERR(path)) {
- *ppath = NULL;
- return PTR_ERR(path);
- }
- *ppath = path;
- return allocated;
+ return ext4_split_extent(handle, inode, path, map, split_flag, flags,
+ allocated);
}
static int ext4_convert_unwritten_extents_endio(handle_t *handle,
@@ -3792,11 +3786,14 @@ static int ext4_convert_unwritten_extents_endio(handle_t *handle,
inode->i_ino, (unsigned long long)ee_block, ee_len,
(unsigned long long)map->m_lblk, map->m_len);
#endif
- err = ext4_split_convert_extents(handle, inode, map, ppath,
- EXT4_GET_BLOCKS_CONVERT);
- if (err < 0)
- return err;
- path = ext4_find_extent(inode, map->m_lblk, *ppath, 0);
+ path = ext4_split_convert_extents(handle, inode, map, path,
+ EXT4_GET_BLOCKS_CONVERT, NULL);
+ if (IS_ERR(path)) {
+ *ppath = NULL;
+ return PTR_ERR(path);
+ }
+
+ path = ext4_find_extent(inode, map->m_lblk, path, 0);
if (IS_ERR(path)) {
*ppath = NULL;
return PTR_ERR(path);
@@ -3853,11 +3850,14 @@ convert_initialized_extent(handle_t *handle, struct inode *inode,
(unsigned long long)ee_block, ee_len);
if (ee_block != map->m_lblk || ee_len > map->m_len) {
- err = ext4_split_convert_extents(handle, inode, map, ppath,
- EXT4_GET_BLOCKS_CONVERT_UNWRITTEN);
- if (err < 0)
- return err;
- path = ext4_find_extent(inode, map->m_lblk, *ppath, 0);
+ path = ext4_split_convert_extents(handle, inode, map, path,
+ EXT4_GET_BLOCKS_CONVERT_UNWRITTEN, NULL);
+ if (IS_ERR(path)) {
+ *ppath = NULL;
+ return PTR_ERR(path);
+ }
+
+ path = ext4_find_extent(inode, map->m_lblk, path, 0);
if (IS_ERR(path)) {
*ppath = NULL;
return PTR_ERR(path);
@@ -3923,19 +3923,20 @@ ext4_ext_handle_unwritten_extents(handle_t *handle, struct inode *inode,
/* get_block() before submitting IO, split the extent */
if (flags & EXT4_GET_BLOCKS_PRE_IO) {
- ret = ext4_split_convert_extents(handle, inode, map, ppath,
- flags | EXT4_GET_BLOCKS_CONVERT);
- if (ret < 0) {
- err = ret;
+ *ppath = ext4_split_convert_extents(handle, inode, map, *ppath,
+ flags | EXT4_GET_BLOCKS_CONVERT, &allocated);
+ if (IS_ERR(*ppath)) {
+ err = PTR_ERR(*ppath);
+ *ppath = NULL;
goto out2;
}
/*
- * shouldn't get a 0 return when splitting an extent unless
+ * shouldn't get a 0 allocated when splitting an extent unless
* m_len is 0 (bug) or extent has been corrupted
*/
- if (unlikely(ret == 0)) {
+ if (unlikely(allocated == 0)) {
EXT4_ERROR_INODE(inode,
- "unexpected ret == 0, m_len = %u",
+ "unexpected allocated == 0, m_len = %u",
map->m_len);
err = -EFSCORRUPTED;
goto out2;
@@ -3996,9 +3997,9 @@ ext4_ext_handle_unwritten_extents(handle_t *handle, struct inode *inode,
err = -EFSCORRUPTED;
goto out2;
}
+ allocated = ret;
out:
- allocated = ret;
map->m_flags |= EXT4_MAP_NEW;
map_out:
map->m_flags |= EXT4_MAP_MAPPED;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 052/567] ext4: get rid of ppath in ext4_convert_unwritten_extents_endio()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 051/567] ext4: get rid of ppath in ext4_split_convert_extents() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 053/567] ext4: get rid of ppath in ext4_ext_convert_to_initialized() Greg Kroah-Hartman
` (325 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 8d5ad7b08f9234bc92b9567cfe52e521df5f6626 ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
To get rid of the ppath in ext4_convert_unwritten_extents_endio(), the
following is done here:
* Free the extents path when an error is encountered.
* Its caller needs to update ppath if it uses ppath.
No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-20-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: feaf2a80e78f ("ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 43 +++++++++++++++++++++++--------------------
1 file changed, 23 insertions(+), 20 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 27bacfa7d492c..8eb004700437e 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3753,12 +3753,11 @@ static struct ext4_ext_path *ext4_split_convert_extents(handle_t *handle,
allocated);
}
-static int ext4_convert_unwritten_extents_endio(handle_t *handle,
- struct inode *inode,
- struct ext4_map_blocks *map,
- struct ext4_ext_path **ppath)
+static struct ext4_ext_path *
+ext4_convert_unwritten_extents_endio(handle_t *handle, struct inode *inode,
+ struct ext4_map_blocks *map,
+ struct ext4_ext_path *path)
{
- struct ext4_ext_path *path = *ppath;
struct ext4_extent *ex;
ext4_lblk_t ee_block;
unsigned int ee_len;
@@ -3788,24 +3787,19 @@ static int ext4_convert_unwritten_extents_endio(handle_t *handle,
#endif
path = ext4_split_convert_extents(handle, inode, map, path,
EXT4_GET_BLOCKS_CONVERT, NULL);
- if (IS_ERR(path)) {
- *ppath = NULL;
- return PTR_ERR(path);
- }
+ if (IS_ERR(path))
+ return path;
path = ext4_find_extent(inode, map->m_lblk, path, 0);
- if (IS_ERR(path)) {
- *ppath = NULL;
- return PTR_ERR(path);
- }
- *ppath = path;
+ if (IS_ERR(path))
+ return path;
depth = ext_depth(inode);
ex = path[depth].p_ext;
}
err = ext4_ext_get_access(handle, inode, path + depth);
if (err)
- goto out;
+ goto errout;
/* first mark the extent as initialized */
ext4_ext_mark_initialized(ex);
@@ -3816,9 +3810,15 @@ static int ext4_convert_unwritten_extents_endio(handle_t *handle,
/* Mark modified extent as dirty */
err = ext4_ext_dirty(handle, inode, path + path->p_depth);
-out:
+ if (err)
+ goto errout;
+
ext4_ext_show_leaf(inode, path);
- return err;
+ return path;
+
+errout:
+ ext4_free_ext_path(path);
+ return ERR_PTR(err);
}
static int
@@ -3946,10 +3946,13 @@ ext4_ext_handle_unwritten_extents(handle_t *handle, struct inode *inode,
}
/* IO end_io complete, convert the filled extent to written */
if (flags & EXT4_GET_BLOCKS_CONVERT) {
- err = ext4_convert_unwritten_extents_endio(handle, inode, map,
- ppath);
- if (err < 0)
+ *ppath = ext4_convert_unwritten_extents_endio(handle, inode,
+ map, *ppath);
+ if (IS_ERR(*ppath)) {
+ err = PTR_ERR(*ppath);
+ *ppath = NULL;
goto out2;
+ }
ext4_update_inode_fsync_trans(handle, inode, 1);
goto map_out;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 053/567] ext4: get rid of ppath in ext4_ext_convert_to_initialized()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 052/567] ext4: get rid of ppath in ext4_convert_unwritten_extents_endio() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 054/567] ext4: get rid of ppath in ext4_ext_handle_unwritten_extents() Greg Kroah-Hartman
` (324 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 33c14b8bd8a9ef8b3dfde136b0ca779e68c2f576 ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
To get rid of the ppath in ext4_ext_convert_to_initialized(), the following
is done here:
* Free the extents path when an error is encountered.
* Its caller needs to update ppath if it uses ppath.
* The 'allocated' is changed from passing a value to passing an address.
No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-21-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: feaf2a80e78f ("ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 73 +++++++++++++++++++++++------------------------
1 file changed, 35 insertions(+), 38 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 8eb004700437e..fe39d86d3a7e6 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3445,13 +3445,11 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle,
* that are allocated and initialized.
* It is guaranteed to be >= map->m_len.
*/
-static int ext4_ext_convert_to_initialized(handle_t *handle,
- struct inode *inode,
- struct ext4_map_blocks *map,
- struct ext4_ext_path **ppath,
- int flags)
+static struct ext4_ext_path *
+ext4_ext_convert_to_initialized(handle_t *handle, struct inode *inode,
+ struct ext4_map_blocks *map, struct ext4_ext_path *path,
+ int flags, unsigned int *allocated)
{
- struct ext4_ext_path *path = *ppath;
struct ext4_sb_info *sbi;
struct ext4_extent_header *eh;
struct ext4_map_blocks split_map;
@@ -3461,7 +3459,6 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
unsigned int ee_len, depth, map_len = map->m_len;
int err = 0;
int split_flag = EXT4_EXT_DATA_VALID2;
- int allocated = 0;
unsigned int max_zeroout = 0;
ext_debug(inode, "logical block %llu, max_blocks %u\n",
@@ -3502,6 +3499,7 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
* - L2: we only attempt to merge with an extent stored in the
* same extent tree node.
*/
+ *allocated = 0;
if ((map->m_lblk == ee_block) &&
/* See if we can merge left */
(map_len < ee_len) && /*L1*/
@@ -3531,7 +3529,7 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
(prev_len < (EXT_INIT_MAX_LEN - map_len))) { /*C4*/
err = ext4_ext_get_access(handle, inode, path + depth);
if (err)
- goto out;
+ goto errout;
trace_ext4_ext_convert_to_initialized_fastpath(inode,
map, ex, abut_ex);
@@ -3546,7 +3544,7 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
abut_ex->ee_len = cpu_to_le16(prev_len + map_len);
/* Result: number of initialized blocks past m_lblk */
- allocated = map_len;
+ *allocated = map_len;
}
} else if (((map->m_lblk + map_len) == (ee_block + ee_len)) &&
(map_len < ee_len) && /*L1*/
@@ -3577,7 +3575,7 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
(next_len < (EXT_INIT_MAX_LEN - map_len))) { /*C4*/
err = ext4_ext_get_access(handle, inode, path + depth);
if (err)
- goto out;
+ goto errout;
trace_ext4_ext_convert_to_initialized_fastpath(inode,
map, ex, abut_ex);
@@ -3592,18 +3590,20 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
abut_ex->ee_len = cpu_to_le16(next_len + map_len);
/* Result: number of initialized blocks past m_lblk */
- allocated = map_len;
+ *allocated = map_len;
}
}
- if (allocated) {
+ if (*allocated) {
/* Mark the block containing both extents as dirty */
err = ext4_ext_dirty(handle, inode, path + depth);
/* Update path to point to the right extent */
path[depth].p_ext = abut_ex;
+ if (err)
+ goto errout;
goto out;
} else
- allocated = ee_len - (map->m_lblk - ee_block);
+ *allocated = ee_len - (map->m_lblk - ee_block);
WARN_ON(map->m_lblk < ee_block);
/*
@@ -3630,21 +3630,21 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
split_map.m_lblk = map->m_lblk;
split_map.m_len = map->m_len;
- if (max_zeroout && (allocated > split_map.m_len)) {
- if (allocated <= max_zeroout) {
+ if (max_zeroout && (*allocated > split_map.m_len)) {
+ if (*allocated <= max_zeroout) {
/* case 3 or 5 */
zero_ex1.ee_block =
cpu_to_le32(split_map.m_lblk +
split_map.m_len);
zero_ex1.ee_len =
- cpu_to_le16(allocated - split_map.m_len);
+ cpu_to_le16(*allocated - split_map.m_len);
ext4_ext_store_pblock(&zero_ex1,
ext4_ext_pblock(ex) + split_map.m_lblk +
split_map.m_len - ee_block);
err = ext4_ext_zeroout(inode, &zero_ex1);
if (err)
goto fallback;
- split_map.m_len = allocated;
+ split_map.m_len = *allocated;
}
if (split_map.m_lblk - ee_block + split_map.m_len <
max_zeroout) {
@@ -3662,27 +3662,24 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
split_map.m_len += split_map.m_lblk - ee_block;
split_map.m_lblk = ee_block;
- allocated = map->m_len;
+ *allocated = map->m_len;
}
}
fallback:
path = ext4_split_extent(handle, inode, path, &split_map, split_flag,
flags, NULL);
- if (IS_ERR(path)) {
- err = PTR_ERR(path);
- *ppath = NULL;
- goto out;
- }
- err = 0;
- *ppath = path;
+ if (IS_ERR(path))
+ return path;
out:
/* If we have gotten a failure, don't zero out status tree */
- if (!err) {
- ext4_zeroout_es(inode, &zero_ex1);
- ext4_zeroout_es(inode, &zero_ex2);
- }
- return err ? err : allocated;
+ ext4_zeroout_es(inode, &zero_ex1);
+ ext4_zeroout_es(inode, &zero_ex2);
+ return path;
+
+errout:
+ ext4_free_ext_path(path);
+ return ERR_PTR(err);
}
/*
@@ -3904,7 +3901,6 @@ ext4_ext_handle_unwritten_extents(handle_t *handle, struct inode *inode,
struct ext4_ext_path **ppath, int flags,
unsigned int allocated, ext4_fsblk_t newblock)
{
- int ret = 0;
int err = 0;
ext_debug(inode, "logical block %llu, max_blocks %u, flags 0x%x, allocated %u\n",
@@ -3984,23 +3980,24 @@ ext4_ext_handle_unwritten_extents(handle_t *handle, struct inode *inode,
* For buffered writes, at writepage time, etc. Convert a
* discovered unwritten extent to written.
*/
- ret = ext4_ext_convert_to_initialized(handle, inode, map, ppath, flags);
- if (ret < 0) {
- err = ret;
+ *ppath = ext4_ext_convert_to_initialized(handle, inode, map, *ppath,
+ flags, &allocated);
+ if (IS_ERR(*ppath)) {
+ err = PTR_ERR(*ppath);
+ *ppath = NULL;
goto out2;
}
ext4_update_inode_fsync_trans(handle, inode, 1);
/*
- * shouldn't get a 0 return when converting an unwritten extent
+ * shouldn't get a 0 allocated when converting an unwritten extent
* unless m_len is 0 (bug) or extent has been corrupted
*/
- if (unlikely(ret == 0)) {
- EXT4_ERROR_INODE(inode, "unexpected ret == 0, m_len = %u",
+ if (unlikely(allocated == 0)) {
+ EXT4_ERROR_INODE(inode, "unexpected allocated == 0, m_len = %u",
map->m_len);
err = -EFSCORRUPTED;
goto out2;
}
- allocated = ret;
out:
map->m_flags |= EXT4_MAP_NEW;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 054/567] ext4: get rid of ppath in ext4_ext_handle_unwritten_extents()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 053/567] ext4: get rid of ppath in ext4_ext_convert_to_initialized() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 055/567] ext4: correct the comments place for EXT4_EXT_MAY_ZEROOUT Greg Kroah-Hartman
` (323 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 2ec2e1043473b3d4a3afbe6ad7c5a5b7a6fdf480 ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
To get rid of the ppath in ext4_ext_handle_unwritten_extents(), the
following is done here:
* Free the extents path when an error is encountered.
* The 'allocated' is changed from passing a value to passing an address.
No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-22-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: feaf2a80e78f ("ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 82 +++++++++++++++++++++--------------------------
1 file changed, 37 insertions(+), 45 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index fe39d86d3a7e6..86c814bede1c5 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3895,18 +3895,18 @@ convert_initialized_extent(handle_t *handle, struct inode *inode,
return 0;
}
-static int
+static struct ext4_ext_path *
ext4_ext_handle_unwritten_extents(handle_t *handle, struct inode *inode,
struct ext4_map_blocks *map,
- struct ext4_ext_path **ppath, int flags,
- unsigned int allocated, ext4_fsblk_t newblock)
+ struct ext4_ext_path *path, int flags,
+ unsigned int *allocated, ext4_fsblk_t newblock)
{
int err = 0;
ext_debug(inode, "logical block %llu, max_blocks %u, flags 0x%x, allocated %u\n",
(unsigned long long)map->m_lblk, map->m_len, flags,
- allocated);
- ext4_ext_show_leaf(inode, *ppath);
+ *allocated);
+ ext4_ext_show_leaf(inode, path);
/*
* When writing into unwritten space, we should not fail to
@@ -3915,40 +3915,34 @@ ext4_ext_handle_unwritten_extents(handle_t *handle, struct inode *inode,
flags |= EXT4_GET_BLOCKS_METADATA_NOFAIL;
trace_ext4_ext_handle_unwritten_extents(inode, map, flags,
- allocated, newblock);
+ *allocated, newblock);
/* get_block() before submitting IO, split the extent */
if (flags & EXT4_GET_BLOCKS_PRE_IO) {
- *ppath = ext4_split_convert_extents(handle, inode, map, *ppath,
- flags | EXT4_GET_BLOCKS_CONVERT, &allocated);
- if (IS_ERR(*ppath)) {
- err = PTR_ERR(*ppath);
- *ppath = NULL;
- goto out2;
- }
+ path = ext4_split_convert_extents(handle, inode, map, path,
+ flags | EXT4_GET_BLOCKS_CONVERT, allocated);
+ if (IS_ERR(path))
+ return path;
/*
* shouldn't get a 0 allocated when splitting an extent unless
* m_len is 0 (bug) or extent has been corrupted
*/
- if (unlikely(allocated == 0)) {
+ if (unlikely(*allocated == 0)) {
EXT4_ERROR_INODE(inode,
"unexpected allocated == 0, m_len = %u",
map->m_len);
err = -EFSCORRUPTED;
- goto out2;
+ goto errout;
}
map->m_flags |= EXT4_MAP_UNWRITTEN;
goto out;
}
/* IO end_io complete, convert the filled extent to written */
if (flags & EXT4_GET_BLOCKS_CONVERT) {
- *ppath = ext4_convert_unwritten_extents_endio(handle, inode,
- map, *ppath);
- if (IS_ERR(*ppath)) {
- err = PTR_ERR(*ppath);
- *ppath = NULL;
- goto out2;
- }
+ path = ext4_convert_unwritten_extents_endio(handle, inode,
+ map, path);
+ if (IS_ERR(path))
+ return path;
ext4_update_inode_fsync_trans(handle, inode, 1);
goto map_out;
}
@@ -3980,23 +3974,20 @@ ext4_ext_handle_unwritten_extents(handle_t *handle, struct inode *inode,
* For buffered writes, at writepage time, etc. Convert a
* discovered unwritten extent to written.
*/
- *ppath = ext4_ext_convert_to_initialized(handle, inode, map, *ppath,
- flags, &allocated);
- if (IS_ERR(*ppath)) {
- err = PTR_ERR(*ppath);
- *ppath = NULL;
- goto out2;
- }
+ path = ext4_ext_convert_to_initialized(handle, inode, map, path,
+ flags, allocated);
+ if (IS_ERR(path))
+ return path;
ext4_update_inode_fsync_trans(handle, inode, 1);
/*
* shouldn't get a 0 allocated when converting an unwritten extent
* unless m_len is 0 (bug) or extent has been corrupted
*/
- if (unlikely(allocated == 0)) {
+ if (unlikely(*allocated == 0)) {
EXT4_ERROR_INODE(inode, "unexpected allocated == 0, m_len = %u",
map->m_len);
err = -EFSCORRUPTED;
- goto out2;
+ goto errout;
}
out:
@@ -4005,12 +3996,15 @@ ext4_ext_handle_unwritten_extents(handle_t *handle, struct inode *inode,
map->m_flags |= EXT4_MAP_MAPPED;
out1:
map->m_pblk = newblock;
- if (allocated > map->m_len)
- allocated = map->m_len;
- map->m_len = allocated;
- ext4_ext_show_leaf(inode, *ppath);
-out2:
- return err ? err : allocated;
+ if (*allocated > map->m_len)
+ *allocated = map->m_len;
+ map->m_len = *allocated;
+ ext4_ext_show_leaf(inode, path);
+ return path;
+
+errout:
+ ext4_free_ext_path(path);
+ return ERR_PTR(err);
}
/*
@@ -4204,7 +4198,7 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode,
struct ext4_extent newex, *ex, ex2;
struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
ext4_fsblk_t newblock = 0, pblk;
- int err = 0, depth, ret;
+ int err = 0, depth;
unsigned int allocated = 0, offset = 0;
unsigned int allocated_clusters = 0;
struct ext4_allocation_request ar;
@@ -4279,13 +4273,11 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode,
goto out;
}
- ret = ext4_ext_handle_unwritten_extents(
- handle, inode, map, &path, flags,
- allocated, newblock);
- if (ret < 0)
- err = ret;
- else
- allocated = ret;
+ path = ext4_ext_handle_unwritten_extents(
+ handle, inode, map, path, flags,
+ &allocated, newblock);
+ if (IS_ERR(path))
+ err = PTR_ERR(path);
goto out;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 055/567] ext4: correct the comments place for EXT4_EXT_MAY_ZEROOUT
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 054/567] ext4: get rid of ppath in ext4_ext_handle_unwritten_extents() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 056/567] ext4: dont set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O Greg Kroah-Hartman
` (322 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Erkun, Theodore Tso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Erkun <yangerkun@huawei.com>
[ Upstream commit cc742fd1d184bb2a11bacf50587d2c85290622e4 ]
Move the comments just before we set EXT4_EXT_MAY_ZEROOUT in
ext4_split_convert_extents.
Signed-off-by: Yang Erkun <yangerkun@huawei.com>
Message-ID: <20251112084538.1658232-4-yangerkun@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: feaf2a80e78f ("ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 86c814bede1c5..4507e42869854 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3727,10 +3727,6 @@ static struct ext4_ext_path *ext4_split_convert_extents(handle_t *handle,
>> inode->i_sb->s_blocksize_bits;
if (eof_block < map->m_lblk + map->m_len)
eof_block = map->m_lblk + map->m_len;
- /*
- * It is safe to convert extent to initialized via explicit
- * zeroout only if extent is fully inside i_size or new_size.
- */
depth = ext_depth(inode);
ex = path[depth].p_ext;
ee_block = le32_to_cpu(ex->ee_block);
@@ -3741,6 +3737,10 @@ static struct ext4_ext_path *ext4_split_convert_extents(handle_t *handle,
split_flag |= EXT4_EXT_DATA_ENTIRE_VALID1;
/* Convert to initialized */
} else if (flags & EXT4_GET_BLOCKS_CONVERT) {
+ /*
+ * It is safe to convert extent to initialized via explicit
+ * zeroout only if extent is fully inside i_size or new_size.
+ */
split_flag |= ee_block + ee_len <= eof_block ?
EXT4_EXT_MAY_ZEROOUT : 0;
split_flag |= (EXT4_EXT_MARK_UNWRIT2 | EXT4_EXT_DATA_VALID2);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 056/567] ext4: dont set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 055/567] ext4: correct the comments place for EXT4_EXT_MAY_ZEROOUT Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 057/567] ext4: drop extent cache after doing PARTIAL_VALID1 zeroout Greg Kroah-Hartman
` (321 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yi, Ojaswin Mujoo, Baokun Li,
stable, Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
[ Upstream commit feaf2a80e78f89ee8a3464126077ba8683b62791 ]
When allocating blocks during within-EOF DIO and writeback with
dioread_nolock enabled, EXT4_GET_BLOCKS_PRE_IO was set to split an
existing large unwritten extent. However, EXT4_GET_BLOCKS_CONVERT was
set when calling ext4_split_convert_extents(), which may potentially
result in stale data issues.
Assume we have an unwritten extent, and then DIO writes the second half.
[UUUUUUUUUUUUUUUU] on-disk extent U: unwritten extent
[UUUUUUUUUUUUUUUU] extent status tree
|<- ->| ----> dio write this range
First, ext4_iomap_alloc() call ext4_map_blocks() with
EXT4_GET_BLOCKS_PRE_IO, EXT4_GET_BLOCKS_UNWRIT_EXT and
EXT4_GET_BLOCKS_CREATE flags set. ext4_map_blocks() find this extent and
call ext4_split_convert_extents() with EXT4_GET_BLOCKS_CONVERT and the
above flags set.
Then, ext4_split_convert_extents() calls ext4_split_extent() with
EXT4_EXT_MAY_ZEROOUT, EXT4_EXT_MARK_UNWRIT2 and EXT4_EXT_DATA_VALID2
flags set, and it calls ext4_split_extent_at() to split the second half
with EXT4_EXT_DATA_VALID2, EXT4_EXT_MARK_UNWRIT1, EXT4_EXT_MAY_ZEROOUT
and EXT4_EXT_MARK_UNWRIT2 flags set. However, ext4_split_extent_at()
failed to insert extent since a temporary lack -ENOSPC. It zeroes out
the first half but convert the entire on-disk extent to written since
the EXT4_EXT_DATA_VALID2 flag set, but left the second half as unwritten
in the extent status tree.
[0000000000SSSSSS] data S: stale data, 0: zeroed
[WWWWWWWWWWWWWWWW] on-disk extent W: written extent
[WWWWWWWWWWUUUUUU] extent status tree
Finally, if the DIO failed to write data to the disk, the stale data in
the second half will be exposed once the cached extent entry is gone.
Fix this issue by not passing EXT4_GET_BLOCKS_CONVERT when splitting
an unwritten extent before submitting I/O, and make
ext4_split_convert_extents() to zero out the entire extent range
to zero for this case, and also mark the extent in the extent status
tree for consistency.
Fixes: b8a8684502a0 ("ext4: Introduce FALLOC_FL_ZERO_RANGE flag for fallocate")
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Cc: stable@kernel.org
Message-ID: <20251129103247.686136-4-yi.zhang@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 4507e42869854..ed63260d792b1 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3735,15 +3735,19 @@ static struct ext4_ext_path *ext4_split_convert_extents(handle_t *handle,
/* Convert to unwritten */
if (flags & EXT4_GET_BLOCKS_CONVERT_UNWRITTEN) {
split_flag |= EXT4_EXT_DATA_ENTIRE_VALID1;
- /* Convert to initialized */
- } else if (flags & EXT4_GET_BLOCKS_CONVERT) {
+ /* Split the existing unwritten extent */
+ } else if (flags & (EXT4_GET_BLOCKS_UNWRIT_EXT |
+ EXT4_GET_BLOCKS_CONVERT)) {
/*
* It is safe to convert extent to initialized via explicit
* zeroout only if extent is fully inside i_size or new_size.
*/
split_flag |= ee_block + ee_len <= eof_block ?
EXT4_EXT_MAY_ZEROOUT : 0;
- split_flag |= (EXT4_EXT_MARK_UNWRIT2 | EXT4_EXT_DATA_VALID2);
+ split_flag |= EXT4_EXT_MARK_UNWRIT2;
+ /* Convert to initialized */
+ if (flags & EXT4_GET_BLOCKS_CONVERT)
+ split_flag |= EXT4_EXT_DATA_VALID2;
}
flags |= EXT4_GET_BLOCKS_PRE_IO;
return ext4_split_extent(handle, inode, path, map, split_flag, flags,
@@ -3920,7 +3924,7 @@ ext4_ext_handle_unwritten_extents(handle_t *handle, struct inode *inode,
/* get_block() before submitting IO, split the extent */
if (flags & EXT4_GET_BLOCKS_PRE_IO) {
path = ext4_split_convert_extents(handle, inode, map, path,
- flags | EXT4_GET_BLOCKS_CONVERT, allocated);
+ flags, allocated);
if (IS_ERR(path))
return path;
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 057/567] ext4: drop extent cache after doing PARTIAL_VALID1 zeroout
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 056/567] ext4: dont set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 058/567] ext4: drop extent cache when splitting extent fails Greg Kroah-Hartman
` (320 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yi, Baokun Li, stable,
Ojaswin Mujoo, Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
[ Upstream commit 6d882ea3b0931b43530d44149b79fcd4ffc13030 ]
When splitting an unwritten extent in the middle and converting it to
initialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and
EXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent.
Assume we have an unwritten file and buffered write in the middle of it
without dioread_nolock enabled, it will allocate blocks as written
extent.
0 A B N
[UUUUUUUUUUUU] on-disk extent U: unwritten extent
[UUUUUUUUUUUU] extent status tree
[--DDDDDDDD--] D: valid data
|<- ->| ----> this range needs to be initialized
ext4_split_extent() first try to split this extent at B with
EXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but
ext4_split_extent_at() failed to split this extent due to temporary lack
of space. It zeroout B to N and leave the entire extent as unwritten.
0 A B N
[UUUUUUUUUUUU] on-disk extent
[UUUUUUUUUUUU] extent status tree
[--DDDDDDDDZZ] Z: zeroed data
ext4_split_extent() then try to split this extent at A with
EXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and
leave an written extent from A to N.
0 A B N
[UUWWWWWWWWWW] on-disk extent W: written extent
[UUUUUUUUUUUU] extent status tree
[--DDDDDDDDZZ]
Finally ext4_map_create_blocks() only insert extent A to B to the extent
status tree, and leave an stale unwritten extent in the status tree.
0 A B N
[UUWWWWWWWWWW] on-disk extent W: written extent
[UUWWWWWWWWUU] extent status tree
[--DDDDDDDDZZ]
Fix this issue by always cached extent status entry after zeroing out
the second part.
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Cc: stable@kernel.org
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Message-ID: <20251129103247.686136-7-yi.zhang@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index ed63260d792b1..2818d297ce464 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3302,8 +3302,16 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
* extent length and ext4_split_extent() split will the
* first half again.
*/
- if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1)
+ if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) {
+ /*
+ * Drop extent cache to prevent stale unwritten
+ * extents remaining after zeroing out.
+ */
+ ext4_es_remove_extent(inode,
+ le32_to_cpu(zero_ex.ee_block),
+ ext4_ext_get_actual_len(&zero_ex));
goto fix_extent_len;
+ }
/* update the extent length and mark as initialized */
ex->ee_len = cpu_to_le16(ee_len);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 058/567] ext4: drop extent cache when splitting extent fails
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 057/567] ext4: drop extent cache after doing PARTIAL_VALID1 zeroout Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 059/567] mailbox: Use of_property_match_string() instead of open-coding Greg Kroah-Hartman
` (319 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yi, Baokun Li, stable,
Ojaswin Mujoo, Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
[ Upstream commit 79b592e8f1b435796cbc2722190368e3e8ffd7a1 ]
When the split extent fails, we might leave some extents still being
processed and return an error directly, which will result in stale
extent entries remaining in the extent status tree. So drop all of the
remaining potentially stale extents if the splitting fails.
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Cc: stable@kernel.org
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Message-ID: <20251129103247.686136-8-yi.zhang@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 2818d297ce464..b7e9cbe832121 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3250,7 +3250,7 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
err = PTR_ERR(path);
if (err != -ENOSPC && err != -EDQUOT && err != -ENOMEM)
- return path;
+ goto out_path;
/*
* Get a new path to try to zeroout or fix the extent length.
@@ -3264,7 +3264,7 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
if (IS_ERR(path)) {
EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld",
split, PTR_ERR(path));
- return path;
+ goto out_path;
}
depth = ext_depth(inode);
ex = path[depth].p_ext;
@@ -3341,6 +3341,10 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
ext4_free_ext_path(path);
path = ERR_PTR(err);
}
+out_path:
+ if (IS_ERR(path))
+ /* Remove all remaining potentially stale extents. */
+ ext4_es_remove_extent(inode, ee_block, ee_len);
ext4_ext_show_leaf(inode, path);
return path;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 059/567] mailbox: Use of_property_match_string() instead of open-coding
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 058/567] ext4: drop extent cache when splitting extent fails Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 060/567] mailbox: dont protect of_parse_phandle_with_args with con_mutex Greg Kroah-Hartman
` (318 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rob Herring (Arm), Jassi Brar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Herring (Arm) <robh@kernel.org>
[ Upstream commit 263dbd3cc88da7ea7413494eea66418b4f1b2e6d ]
Use of_property_match_string() instead of open-coding the search. With
this, of_get_property() can be removed as there is no need to check for
"mbox-names" presence first.
This is part of a larger effort to remove callers of of_get_property()
and similar functions. of_get_property() leaks the DT property data
pointer which is a problem for dynamically allocated nodes which may
be freed.
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Stable-dep-of: fcd7f96c7836 ("mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox.c | 22 ++++++----------------
1 file changed, 6 insertions(+), 16 deletions(-)
diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
index cb59b4dbad626..92c2fb618c8e1 100644
--- a/drivers/mailbox/mailbox.c
+++ b/drivers/mailbox/mailbox.c
@@ -451,30 +451,20 @@ struct mbox_chan *mbox_request_channel_byname(struct mbox_client *cl,
const char *name)
{
struct device_node *np = cl->dev->of_node;
- struct property *prop;
- const char *mbox_name;
- int index = 0;
+ int index;
if (!np) {
dev_err(cl->dev, "%s() currently only supports DT\n", __func__);
return ERR_PTR(-EINVAL);
}
- if (!of_get_property(np, "mbox-names", NULL)) {
- dev_err(cl->dev,
- "%s() requires an \"mbox-names\" property\n", __func__);
+ index = of_property_match_string(np, "mbox-names", name);
+ if (index < 0) {
+ dev_err(cl->dev, "%s() could not locate channel named \"%s\"\n",
+ __func__, name);
return ERR_PTR(-EINVAL);
}
-
- of_property_for_each_string(np, "mbox-names", prop, mbox_name) {
- if (!strncmp(name, mbox_name, strlen(name)))
- return mbox_request_channel(cl, index);
- index++;
- }
-
- dev_err(cl->dev, "%s() could not locate channel named \"%s\"\n",
- __func__, name);
- return ERR_PTR(-EINVAL);
+ return mbox_request_channel(cl, index);
}
EXPORT_SYMBOL_GPL(mbox_request_channel_byname);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 060/567] mailbox: dont protect of_parse_phandle_with_args with con_mutex
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 059/567] mailbox: Use of_property_match_string() instead of open-coding Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 061/567] mailbox: sort headers alphabetically Greg Kroah-Hartman
` (317 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Jassi Brar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tudor Ambarus <tudor.ambarus@linaro.org>
[ Upstream commit 8c71c61fc613657d785a3377b4b34484bd978374 ]
There are no concurrency problems if multiple consumers parse the
phandle, don't gratuiously protect the parsing with the mutex used
for the controllers list.
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Stable-dep-of: fcd7f96c7836 ("mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
index 92c2fb618c8e1..87de408fb068c 100644
--- a/drivers/mailbox/mailbox.c
+++ b/drivers/mailbox/mailbox.c
@@ -413,16 +413,15 @@ struct mbox_chan *mbox_request_channel(struct mbox_client *cl, int index)
return ERR_PTR(-ENODEV);
}
- mutex_lock(&con_mutex);
-
ret = of_parse_phandle_with_args(dev->of_node, "mboxes", "#mbox-cells",
index, &spec);
if (ret) {
dev_dbg(dev, "%s: can't parse \"mboxes\" property\n", __func__);
- mutex_unlock(&con_mutex);
return ERR_PTR(ret);
}
+ mutex_lock(&con_mutex);
+
chan = ERR_PTR(-EPROBE_DEFER);
list_for_each_entry(mbox, &mbox_cons, node)
if (mbox->dev->of_node == spec.np) {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 061/567] mailbox: sort headers alphabetically
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 060/567] mailbox: dont protect of_parse_phandle_with_args with con_mutex Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 062/567] mailbox: remove unused header files Greg Kroah-Hartman
` (316 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Jassi Brar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tudor Ambarus <tudor.ambarus@linaro.org>
[ Upstream commit db824c1119fc16556a84cb7a771ca6553b3c3a45 ]
Sorting headers alphabetically helps locating duplicates,
and makes it easier to figure out where to insert new headers.
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Stable-dep-of: fcd7f96c7836 ("mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox.c | 14 +++++++-------
include/linux/mailbox_client.h | 2 +-
include/linux/mailbox_controller.h | 6 +++---
3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
index 87de408fb068c..c7134ece6d5dd 100644
--- a/drivers/mailbox/mailbox.c
+++ b/drivers/mailbox/mailbox.c
@@ -6,18 +6,18 @@
* Author: Jassi Brar <jassisinghbrar@gmail.com>
*/
-#include <linux/interrupt.h>
-#include <linux/spinlock.h>
-#include <linux/mutex.h>
+#include <linux/bitops.h>
#include <linux/delay.h>
-#include <linux/slab.h>
-#include <linux/err.h>
-#include <linux/module.h>
#include <linux/device.h>
-#include <linux/bitops.h>
+#include <linux/err.h>
+#include <linux/interrupt.h>
#include <linux/mailbox_client.h>
#include <linux/mailbox_controller.h>
+#include <linux/module.h>
+#include <linux/mutex.h>
#include <linux/of.h>
+#include <linux/slab.h>
+#include <linux/spinlock.h>
#include "mailbox.h"
diff --git a/include/linux/mailbox_client.h b/include/linux/mailbox_client.h
index 734694912ef74..c6eea9afb943d 100644
--- a/include/linux/mailbox_client.h
+++ b/include/linux/mailbox_client.h
@@ -7,8 +7,8 @@
#ifndef __MAILBOX_CLIENT_H
#define __MAILBOX_CLIENT_H
-#include <linux/of.h>
#include <linux/device.h>
+#include <linux/of.h>
struct mbox_chan;
diff --git a/include/linux/mailbox_controller.h b/include/linux/mailbox_controller.h
index 6fee33cb52f58..5fb0b65f45a2c 100644
--- a/include/linux/mailbox_controller.h
+++ b/include/linux/mailbox_controller.h
@@ -3,11 +3,11 @@
#ifndef __MAILBOX_CONTROLLER_H
#define __MAILBOX_CONTROLLER_H
+#include <linux/completion.h>
+#include <linux/device.h>
+#include <linux/hrtimer.h>
#include <linux/of.h>
#include <linux/types.h>
-#include <linux/hrtimer.h>
-#include <linux/device.h>
-#include <linux/completion.h>
struct mbox_chan;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 000/481] 6.1.167-rc1 review
@ 2026-03-23 13:39 Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 001/481] drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release Greg Kroah-Hartman
` (315 more replies)
0 siblings, 316 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 6.1.167 release.
There are 481 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 25 Mar 2026 13:44:33 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.167-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.1.167-rc1
Nathan Gao <zcgao@amazon.com>
Revert "selftests: net: amt: wait longer for connection before sending packets"
Jaskaran Singh <jsingh@cloudlinux.com>
nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()
Jaskaran Singh <jsingh@cloudlinux.com>
Revert "nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()"
Johan Hovold <johan@kernel.org>
i2c: cp2615: fix serial string NULL-deref at probe
Justin Stitt <justinstitt@google.com>
i2c: cp2615: replace deprecated strncpy with strscpy
Chunyan Zhang <zhangchunyan@iscas.ac.cn>
riscv: stacktrace: Disable KASAN checks for non-current tasks
Duoming Zhou <duoming@zju.edu.cn>
wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_set_pipapo: prevent overflow in lookup table allocation
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: missing objects with no memcg accounting
Alexander Aring <aahringo@redhat.com>
dlm: fix possible lkb_resource null dereference
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: in-kernel: always set ID as avail when rm endp
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
net: stmmac: fix TSO DMA API usage causing oops
Chao Yu <chao@kernel.org>
f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode
Keith Busch <kbusch@kernel.org>
nvme: fix admin request_queue lifetime
Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
ntfs: set dummy blocksize to read boot_block when mounting
Zqiang <qiang.zhang1211@gmail.com>
rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access
Jibin Zhang <jibin.zhang@mediatek.com>
net: fix segmentation of forwarding fraglist GRO
Felix Fietkau <nbd@nbd.name>
net: gso: fix tcp fraglist segmentation after pull from frag_list
Felix Fietkau <nbd@nbd.name>
net: add support for segmenting TCP fraglist GSO packets
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Add pixel_clock to amd_pp_display_configuration
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu: clarify DC checks
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu: use proper DC check in amdgpu_display_supported_domains()
Jakub Kicinski <kuba@kernel.org>
net: clear the dst when changing skb protocol
Heiko Carstens <hca@linux.ibm.com>
s390/xor: Fix xor_xc_2() inline assembly constraints
Guodong Xu <guodong@riscstar.com>
dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
Florian Westphal <fw@strlen.de>
netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
Florian Westphal <fw@strlen.de>
netfilter: nf_tables: de-constify set commit ops function argument
Josh Law <objecting@objecting.org>
tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
Josh Law <objecting@objecting.org>
lib/bootconfig: check xbc_init_node() return in override path
Rahul Bukte <rahul.bukte@sony.com>
drm/i915/gt: Check set_default_submission() before deferencing
Hyunwoo Kim <imv4bel@gmail.com>
ksmbd: fix use-after-free of share_conf in compound request
Kamal Dasu <kamal.dasu@broadcom.com>
mtd: rawnand: brcmnand: skip DMA during panic write
Kamal Dasu <kamal.dasu@broadcom.com>
mtd: rawnand: serialize lock/unlock against other NAND operations
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
i2c: fsi: Fix a potential leak in fsi_i2c_probe()
Ji-Ze Hong (Peter Hong) <peter_hong@fintek.com.tw>
USB: serial: f81232: fix incomplete serial port generation
Vincent Guittot <vincent.guittot@linaro.org>
sched/fair: Fix pelt clock sync when entering idle
Joonwon Kang <joonwonkang@google.com>
mailbox: Prevent out-of-bounds access in of_mbox_index_xlate()
Kuniyuki Iwashima <kuniyu@google.com>
Bluetooth: hci_core: Fix use-after-free in vhci_flush()
Maarten Lankhorst <dev@lankhorst.se>
drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
Sanman Pradhan <psanman@juniper.net>
hwmon: (pmbus/isl68137) Fix unchecked return value and use sysfs_emit()
Weiming Shi <bestswngs@gmail.com>
icmp: fix NULL pointer dereference in icmp_tag_validation()
Anas Iqbal <mohd.abd.6602@gmail.com>
net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
Muhammad Hammad Ijaz <mhijaz@amazon.com>
net: mvpp2: guard flow control update with global_tx_fc in buffer switching
Weiming Shi <bestswngs@gmail.com>
nfnetlink_osf: validate individual option lengths in fingerprints
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: release flowtable after rcu grace period on error
Xiang Mei <xmei5@asu.edu>
net: bonding: fix NULL deref in bond_debug_rlb_hash_show
Xiang Mei <xmei5@asu.edu>
udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
Fedor Pchelkin <pchelkin@ispras.ru>
net: macb: fix uninitialized rx_fs_lock
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
Guenter Roeck <linux@roeck-us.net>
wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom
Xiang Mei <xmei5@asu.edu>
wifi: mac80211: fix NULL deref in mesh_matches_local()
Petr Oros <poros@redhat.com>
iavf: fix VLAN filter lost on add/delete race
Kohei Enju <kohei@enjuk.jp>
igc: fix missing update of skb->tail in igc_xmit_frame()
Nikola Z. Ivanov <zlatistiv@gmail.com>
net: usb: aqc111: Do not perform PM inside suspend callback
Jamal Hadi Salim <jhs@mojatatu.com>
net/sched: teql: Fix double-free in teql_master_xmit
Jiayuan Chen <jiayuan.chen@shopee.com>
net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
Bart Van Assche <bvanassche@acm.org>
PM: runtime: Fix a race condition related to device removal
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
sched: idle: Consolidate the handling of two special cases
Dipayaan Roy <dipayanroy@linux.microsoft.com>
net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown
Justin Chen <justin.chen@broadcom.com>
net: bcmgenet: increase WoL poll timeout
Jenny Guanni Qu <qguanni@gmail.com>
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
Jenny Guanni Qu <qguanni@gmail.com>
netfilter: xt_time: use unsigned int for monthday bit shift
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: xt_CT: drop pending enqueued packets on template removal
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_ct: drop pending enqueued packets on removal
Andrii Melnychenko <a.melnychenko@vyos.io>
netfilter: nft_ct: add seqadj extension for natted connections
Jenny Guanni Qu <qguanni@gmail.com>
netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
Lukas Johannes Möller <research@johannes-moeller.dev>
netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
Hyunwoo Kim <imv4bel@gmail.com>
netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
Florian Westphal <fw@strlen.de>
netfilter: ctnetlink: remove refcounting in expectation dumpers
Jiayuan Chen <jiayuan.chen@shopee.com>
net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Bluetooth: qca: fix ROM version reading on WCN3998 chips
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: HIDP: Fix possible UAF
Michael Grzeschik <m.grzeschik@pengutronix.de>
Bluetooth: hci_sync: Fix hci_le_create_conn_sync
Christian Eggers <ceggers@arri.de>
Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
Christian Eggers <ceggers@arri.de>
Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
Christian Eggers <ceggers@arri.de>
Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
Felix Gu <ustc.gu@gmail.com>
firmware: arm_scpi: Fix device_node reference leak in probe path
Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
Kuniyuki Iwashima <kuniyu@google.com>
wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
Richard Genoud <richard.genoud@bootlin.com>
soc: fsl: qbman: fix race condition in qman_destroy_fq
ZhengYuan Huang <gality369@gmail.com>
btrfs: tree-checker: fix misleading root drop_level error message
Zilin Guan <zilin@seu.edu.cn>
binfmt_misc: restore write access before closing files opened by open_exec()
Håkon Bugge <haakon.bugge@oracle.com>
PCI/ACPI: Restrict program_hpx_type2() to AER bits
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
net: stmmac: remove support for lpi_intr_o
Guchun Chen <guchun.chen@amd.com>
drm/amdgpu: drop redundant sched job cleanup when cs is aborted
Khairul Anuar Romli <khairul.anuar.romli@altera.com>
spi: cadence-quadspi: Implement refcount to handle unbind during busy
Jakub Kicinski <kuba@kernel.org>
eth: bnxt: always recalculate features after XDP clearing, fix null-deref
Qu Wenruo <wqu@suse.com>
btrfs: do not strictly require dirty metadata threshold for metadata writepages
Qu Wenruo <wqu@suse.com>
btrfs: send: check for inline extents in range_is_hole_in_parent()
Oleg Nesterov <oleg@redhat.com>
x86/uprobes: Fix XOL allocation failure for 32-bit tasks
Jeongjun Park <aha310510@gmail.com>
drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
Jeongjun Park <aha310510@gmail.com>
drm/exynos: vidi: fix to avoid directly dereferencing user pointer
Jeongjun Park <aha310510@gmail.com>
drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
Ankit Garg <nktgrg@google.com>
gve: defer interrupt enabling until NAPI registration
Frederic Weisbecker <frederic@kernel.org>
net: Handle napi_schedule() calls from non-interrupt
Huacai Chen <chenhuacai@kernel.org>
net: stmmac: dwmac-loongson: Set clk_csr_i to 100-150MHz
Bart Van Assche <bvanassche@acm.org>
scsi: ufs: core: Fix handling of lrbp->cmd
Eric Dumazet <edumazet@google.com>
net/sched: cls_u32: use skb_header_pointer_careful()
Eric Dumazet <edumazet@google.com>
net: add skb_header_pointer_careful() helper
Mikulas Patocka <mpatocka@redhat.com>
dm-verity: disable recursive forward error correction
Wei Fang <wei.fang@nxp.com>
net: enetc: allocate vf_state during PF probes
Vladimir Oltean <vladimir.oltean@nxp.com>
net: enetc: reimplement RFS/RSS memory clearing as PCI quirk
Daniel Golle <daniel@makrotopia.org>
mtd: spinand: macronix: use scratch buffer for DMA operation
Eric Biggers <ebiggers@kernel.org>
net/tcp-md5: Fix MAC comparison to be constant-time
Eric Biggers <ebiggers@kernel.org>
ksmbd: Compare MACs in constant time
Eric Biggers <ebiggers@kernel.org>
smb: client: Compare MACs in constant time
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: No more self recovery
Kevin Groeneveld <kgroeneveld@lenbrook.com>
net: fec: handle page_pool_dev_alloc_pages error
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: improve shutdown sequence
Lang Yu <Lang.Yu@amd.com>
drm/amdgpu: unmap and remove csa_va properly
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Kill timer properly at removal
Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
iio: imu: inv_icm42600: fix odr switch when turning buffer off
Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
ice: reintroduce retry mechanism for indirect AQ
Michal Schmidt <mschmidt@redhat.com>
ice: sleep, don't busy-wait, in the SQ send retry loop
Michal Schmidt <mschmidt@redhat.com>
ice: remove unused buffer copy code in ice_sq_send_cmd_retry()
Maíra Canal <mcanal@igalia.com>
pmdomain: bcm: bcm2835-power: Increase ASB control timeout
Kevin Hao <haokexin@gmail.com>
net: macb: Reinitialize tx/rx queue pointer registers and rx ring during resume
Kevin Hao <haokexin@gmail.com>
net: macb: Introduce gem_init_rx_ring()
Vineeth Karumanchi <vineeth.karumanchi@amd.com>
net: macb: queue tie-off or disable during WOL suspend
Jeff Layton <jlayton@kernel.org>
nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
Chuck Lever <chuck.lever@oracle.com>
NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
Tom Rix <trix@redhat.com>
nfsd: define exports_proc_ops with CONFIG_PROC_FS
Yang Yang <n05ec@lzu.edu.cn>
batman-adv: avoid OGM aggregation when skb tailroom is insufficient
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: light: bh1780: fix PM runtime leak on error path
Filipe Manana <fdmanana@suse.com>
btrfs: fix transaction abort on set received ioctl due to item overflow
Filipe Manana <fdmanana@suse.com>
btrfs: fix transaction abort when snapshotting received subvolumes
Nuno Sá <nuno.sa@analog.com>
iio: buffer: Fix wait_queue not being removed
Nuno Sá <nuno.sa@analog.com>
iio: buffer: fix coding style warnings
Masami Hiramatsu (Google) <mhiramat@kernel.org>
kprobes: Remove unneeded warnings from __arm_kprobe_ftrace()
Masami Hiramatsu (Google) <mhiramat@kernel.org>
kprobes: Remove unneeded goto
Shyam Prasad N <sprasad@microsoft.com>
cifs: open files should not hold ref on superblock
Thorsten Blum <thorsten.blum@linux.dev>
crypto: atmel-sha204a - Fix OOM ->tfm_count leak
Long Li <leo.lilong@huawei.com>
xfs: ensure dquot item is deleted from AIL only after log shutdown
Long Li <leo.lilong@huawei.com>
xfs: fix integer overflow in bmap intent sort comparator
Harald Freudenberger <freude@linux.ibm.com>
s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute
Kevin Hao <haokexin@gmail.com>
net: macb: Shuffle the tx ring before enabling tx
Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output
Thomas Fourier <fourier.thomas@gmail.com>
drm/msm: Fix dma_free_attrs() buffer size
Thorsten Blum <thorsten.blum@linux.dev>
ksmbd: Don't log keys in SMB3 signing and encryption key generation
Catalin Marinas <catalin.marinas@arm.com>
arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation
Joey Gouly <joey.gouly@arm.com>
arm64: reorganise PAGE_/PROT_ macros
Maíra Canal <mcanal@igalia.com>
pmdomain: bcm: bcm2835-power: Fix broken reset status read
Huiwen He <hehuiwen@kylinos.cn>
tracing: Fix syscall events activation by ensuring refcount hits zero
Darrick J. Wong <djwong@kernel.org>
iomap: reject delalloc mappings during writeback
Alexander Potapenko <glider@google.com>
mm/kfence: disable KFENCE upon KASAN HW tags enablement
Alexander Potapenko <glider@google.com>
mm/kfence: fix KASAN hardware tag faults during late enablement
Ravi Hothi <ravi.hothi@oss.qualcomm.com>
ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start
Xu Yang <xu.yang_2@nxp.com>
usb: roles: get usb role switch from parent only for usb-b-connector
Jiasheng Jiang <jiashengjiangcool@gmail.com>
usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
Sean Christopherson <seanjc@google.com>
KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
Marc Kleine-Budde <mkl@pengutronix.de>
can: gs_usb: gs_can_open(): always configure bitrates before starting device
Mehul Rao <mehulrao@gmail.com>
ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
ALSA: pcm: fix wait_time calculations
Paul Moses <p@1g4.org>
net/sched: act_gate: snapshot parameters with RCU on replace
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: join: check RM_ADDR not sent over same subflow
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: in-kernel: always mark signal+subflow endp as used
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: avoid sending RM_ADDR over same subflow
Natalie Vock <natalie.vock@gmx.de>
drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink
Andrew Lunn <andrew@lunn.ch>
net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
Kim Phillips <kim.phillips@amd.com>
x86/sev: Allow IBPB-on-Entry feature for SNP guests
Daniil Dulov <d.dulov@aladdin.ru>
wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
Johannes Berg <johannes.berg@intel.com>
wifi: cfg80211: move scan done work to wiphy work
Daniel Hodges <git@danielhodges.dev>
wifi: libertas: fix use-after-free in lbs_free_adapter()
Jan Kara <jack@suse.cz>
ext4: always allocate blocks only from groups inode can use
Brian Foster <bfoster@redhat.com>
ext4: fix dirtyclusters double decrement on fs shutdown
Fedor Pchelkin <pchelkin@ispras.ru>
ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths
David Hildenbrand (Red Hat) <david@kernel.org>
mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather
David Hildenbrand (Red Hat) <david@kernel.org>
mm/hugetlb: fix two comments related to huge_pmd_unshare()
David Hildenbrand (Red Hat) <david@kernel.org>
mm/hugetlb: fix hugetlb_pmd_shared()
Jane Chu <jane.chu@oracle.com>
mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu: apply state adjust rules to some additional HAINAN vairants
Alex Deucher <alexander.deucher@amd.com>
drm/radeon: apply state adjust rules to some additional HAINAN vairants
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub3.0: add bounds checking for cid
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub3.0.2: add bounds checking for cid
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub3.0.1: add bounds checking for cid
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub2.3: add bounds checking for cid
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub2.0: add bounds checking for cid
Maciej Andrzejewski ICEYE <maciej.andrzejewski@m-works.net>
serial: uartlite: fix PM runtime usage count underflow on probe
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART BUSY
Raul E Rangel <rrangel@chromium.org>
serial: 8250: Fix TX deadlock when using DMA
Martin Roukala (né Peres) <martin.roukala@mupuf.org>
serial: 8250_pci: add support for the AX99100
Guanghui Feng <guanghuifeng@linux.alibaba.com>
iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry
Finn Thain <fthain@linux-m68k.org>
mtd: Avoid boot crash in RedBoot partition table parser
Chen Ni <nichen@iscas.ac.cn>
mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init()
Olivier Sobrie <olivier@sobrie.be>
mtd: rawnand: pl353: make sure optimal timings are applied
Johan Hovold <johan@kernel.org>
spi: fix statistics allocation
Johan Hovold <johan@kernel.org>
spi: fix use-after-free on controller registration failure
Luke Wang <ziniu.wang_1@nxp.com>
mmc: sdhci: fix timing selection for 1-bit bus width
Matthew Schwartz <matthew.schwartz@linux.dev>
mmc: sdhci-pci-gli: fix GL9750 DMA write corruption
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: unset conn->binding on failed binding request
Paulo Alcantara <pc@manguebit.org>
smb: client: fix krb5 mount with username option
Lukas Johannes Möller <research@johannes-moeller.dev>
Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
Lukas Johannes Möller <research@johannes-moeller.dev>
Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
Fedor Pchelkin <pchelkin@ispras.ru>
net: macb: fix use-after-free access to PTP clock
Ian Ray <ian.ray@gehealthcare.com>
NFC: nxp-nci: allow GPIOs to sleep
Tiezhu Yang <yangtiezhu@loongson.cn>
LoongArch: Give more information if kmem access failed
Ira Weiny <ira.weiny@intel.com>
nvdimm/bus: Fix potential use after free in asynchronous initialization
Jeff Layton <jlayton@kernel.org>
sunrpc: fix cache_request leak in cache_release
Jens Axboe <axboe@kernel.dk>
io_uring/kbuf: check if target buffer list is still legacy on recycle
Jens Axboe <axboe@kernel.dk>
io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
Eric Dumazet <edumazet@google.com>
l2tp: do not use sock_hold() in pppol2tp_session_get_sock()
Paul Chaignon <paul.chaignon@gmail.com>
bpf: Forget ranges when refining tnum after JSET
Eric Dumazet <edumazet@google.com>
ipv6: use RCU in ip6_xmit()
John Ripple <john.ripple@keysight.com>
drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors
Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
iio: imu: inv_icm42600: fix odr switch to the same value
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: gyro: mpu3050-i2c: fix pm_runtime error handling
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: gyro: mpu3050-core: fix pm_runtime error handling
Chris Spencer <spencercw@gmail.com>
iio: chemical: bme680: Fix measurement wait duration calculation
Lukas Schmid <lukas.schmid@netcube.li>
iio: potentiometer: mcp4131: fix double application of wiper shift
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
Oleksij Rempel <linux@rempel-privat.de>
iio: dac: ds4424: reject -128 RAW value
Filipe Manana <fdmanana@suse.com>
btrfs: abort transaction on failure to update root in the received subvol ioctl
Filipe Manana <fdmanana@suse.com>
btrfs: fix transaction abort on file creation due to name hash collision
Henrique Carvalho <henrique.carvalho@suse.com>
smb: client: fix iface port assignment in parse_server_interfaces
Paulo Alcantara <pc@manguebit.org>
smb: client: fix atomic open with O_DIRECT & O_SYNC
Josh Law <objecting@objecting.org>
lib/bootconfig: check bounds before writing in __xbc_open_brace()
Josh Law <objecting@objecting.org>
lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after()
Shashank Balaji <shashank.mahadasyam@sony.com>
x86/apic: Disable x2apic on resume if the kernel expects so
Junxiao Bi <junxiao.bi@oracle.com>
scsi: core: Fix error handling for scsi_alloc_sdev()
Josh Law <objecting@objecting.org>
lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
Stefan Haberland <sth@linux.ibm.com>
s390/dasd: Copy detected format information to secondary device
Stefan Haberland <sth@linux.ibm.com>
s390/dasd: Move quiesce state with pprc swap
Darrick J. Wong <djwong@kernel.org>
xfs: fix undersized l_iclog_roundoff values
Calvin Owens <calvin@wbinvd.org>
tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Set num IP blocks to 0 if discovery fails
Alysa Liu <Alysa.Liu@amd.com>
drm/amdgpu: Fix use-after-free race in VM acquire
Fan Wu <fanwu01@zju.edu.cn>
net: ethernet: arc: emac: quiesce interrupts before requesting IRQ
Jian Zhang <zhangjian.3032@bytedance.com>
net: ncsi: fix skb leak in error paths
Marios Makassikis <mmakassikis@freebox.fr>
smb: server: fix use-after-free in smb2_open()
Helge Deller <deller@gmx.de>
parisc: Check kernel mapping earlier at bootup
Helge Deller <deller@gmx.de>
parisc: Fix initial page table creation for boot
Sanman Pradhan <psanman@juniper.net>
hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
Dave Airlie <airlied@redhat.com>
nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
Helge Deller <deller@gmx.de>
parisc: Increase initial mapping to 64 MB with KALLSYMS
Sven Eckelmann <sven@narfation.org>
batman-adv: Avoid double-rtnl_lock ELP metric worker
Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
ice: fix retry for AQ command 0x06EE
Long Li <longli@microsoft.com>
net: mana: Ring doorbell at 4 CQ wraparounds
Ariel Silver <arielsilver77@gmail.com>
media: dvb-net: fix OOB access in ULE extension header tables
Luka Gejak <luka.gejak@linux.dev>
staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
Jedrzej Jagielski <jedrzej.jagielski@intel.com>
ixgbevf: fix link setup issue
Marc Zyngier <maz@kernel.org>
irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
device property: Allow secondary lookup in fwnode_get_next_child_node()
Franz Schnyder <franz.schnyder@toradex.com>
drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used
Steven Rostedt <rostedt@goodmis.org>
time/jiffies: Mark jiffies_64_to_clock_t() notrace
Randy Dunlap <rdunlap@infradead.org>
time: add kernel-doc in time.c
Max Kellermann <max.kellermann@ionos.com>
ceph: fix i_nlink underrun during async unlink
Ilya Dryomov <idryomov@gmail.com>
libceph: admit message frames only in CEPH_CON_S_OPEN state
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Use u32 for non-negative values in ceph_monmap_decode()
Ilya Dryomov <idryomov@gmail.com>
libceph: prevent potential out-of-bounds reads in process_message_header()
Ilya Dryomov <idryomov@gmail.com>
libceph: reject preamble if control segment is empty
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
Mehul Rao <mehulrao@gmail.com>
tipc: fix divide-by-zero in tipc_sk_filter_connect()
Penghe Geng <pgeng@nvidia.com>
mmc: core: Avoid bitfield RMW for claim/retune flags
Felix Gu <ustc.gu@gmail.com>
mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
Kalesh Singh <kaleshsingh@google.com>
mm/tracing: rss_stat: ensure curr is false from kthread context
Ziyi Guo <n7l8m4@u.northwestern.edu>
usb: image: mdc800: kill download URB on timeout
Oliver Neukum <oneukum@suse.com>
usb: mdc800: handle signal and read racing
Fan Wu <fanwu01@zju.edu.cn>
usb: renesas_usbhs: fix use-after-free in ISR during device removal
Oliver Neukum <oneukum@suse.com>
usb: class: cdc-wdm: fix reordering issue in read code path
Alan Stern <stern@rowland.harvard.edu>
USB: core: Limit the length of unkillable synchronous timeouts
Alan Stern <stern@rowland.harvard.edu>
USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
Alan Stern <stern@rowland.harvard.edu>
USB: usbcore: Introduce usb_bulk_msg_killable()
Marc Zyngier <maz@kernel.org>
usb: cdc-acm: Restore CAP_BRK functionnality to CH343
Gabor Juhos <j4g8y7@gmail.com>
usb: core: don't power off roothub PHYs if phy_set_mode() fails
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: misc: uss720: properly clean up reference in uss720_probe()
Oliver Neukum <oneukum@suse.com>
usb: yurex: fix race in probe
Zilin Guan <zilin@seu.edu.cn>
usb: xhci: Fix memory leak in xhci_disable_slot()
Vyacheslav Vahnenko <vahnenko2003@gmail.com>
USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed
Christoffer Sandberg <cs@tuxedo.de>
usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
A1RM4X <dev@a1rm4x.com>
USB: add QUIRK_NO_BOS for video capture several devices
Sean Christopherson <seanjc@google.com>
KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC
Zhang Heng <zhangheng@kylinos.cn>
ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA
Oleksij Rempel <linux@rempel-privat.de>
net: usb: lan78xx: skip LTM configuration for LAN7850
Oleksij Rempel <linux@rempel-privat.de>
net: usb: lan78xx: fix TX byte statistics for small packets
Oleksij Rempel <linux@rempel-privat.de>
net: usb: lan78xx: fix silent drop of packets with checksum errors
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
Qingye Zhao <zhaoqingye@honor.com>
cgroup: fix race between task migration and iteration
Sasha Levin <sashal@kernel.org>
Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on"
Seungjin Bae <eeodqql09@gmail.com>
usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
Alok Tiwari <alok.a.tiwari@oracle.com>
octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status
Przemek Kitszel <przemyslaw.kitszel@intel.com>
octeontx2-af: devlink health: use retained error fmsg API
Alok Tiwari <alok.a.tiwari@oracle.com>
octeontx2-af: devlink: fix NIX RAS reporter recovery condition
Ricardo B. Marlière <rbm@suse.com>
net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
Casey Connolly <casey.connolly@linaro.org>
ASoC: detect empty DMI strings
Chen Ni <nichen@iscas.ac.cn>
ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
Ben Dooks <ben.dooks@codethink.co.uk>
ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address()
Matt Vollrath <tactii@gmail.com>
e1000/e1000e: Fix leak in DMA error cleanup
Alok Tiwari <alok.a.tiwari@oracle.com>
i40e: fix src IP mask checks and memcpy argument names in cloud filter
Sungwoo Kim <iam@sung-woo.kim>
nvme-pci: Fix race bug in nvme_poll_irqdisable()
Sungwoo Kim <iam@sung-woo.kim>
nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
sched: idle: Make skipping governor callbacks more consistent
Peng Fan <peng.fan@nxp.com>
regulator: pca9450: Correct interrupt type
Frieder Schrempf <frieder.schrempf@kontron.de>
regulator: pca9450: Make IRQ optional
Yuan Tan <tanyuan98@outlook.com>
netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
Hyunwoo Kim <imv4bel@gmail.com>
netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
Hyunwoo Kim <imv4bel@gmail.com>
netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
David Dull <monderasdor@gmail.com>
netfilter: x_tables: guard option walkers against 1-byte tail reads
Jenny Guanni Qu <qguanni@gmail.com>
netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
Chengfeng Ye <dg573847474@gmail.com>
mctp: route: hold key->lock in mctp_flow_prepare_output()
Wenyuan Li <2063309626@qq.com>
can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value
Haiyue Wang <haiyuewa@163.com>
mctp: i2c: fix skb memory leak in receive path
Shuangpeng Bai <shuangpeng.kernel@gmail.com>
serial: caif: hold tty->link reference in ldisc_open and ser_release
matteo.cotifava <cotifavamatteo@gmail.com>
ASoC: soc-core: flush delayed work before removing DAIs and widgets
Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
ASoC: core: Do not call link_exit() on uninitialized rtd objects
Cezary Rojewski <cezary.rojewski@intel.com>
ASoC: core: Exit all links before removing their components
matteo.cotifava <cotifavamatteo@gmail.com>
ASoC: soc-core: drop delayed_work_pending() check before flush
Weiming Shi <bestswngs@gmail.com>
net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
Gal Pressman <gal@nvidia.com>
net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
Cosmin Ratiu <cratiu@nvidia.com>
net/mlx5: Fix deadlock between devlink lock and esw->wq
Daniel Jurgens <danielj@nvidia.com>
net/mlx5: Query to see if host PF is disabled
Daniel Jurgens <danielj@nvidia.com>
net/mlx5: IFC updates for disabled host PF
Hangbin Liu <liuhangbin@gmail.com>
bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states
Mieczyslaw Nalewaj <namiltd@yahoo.com>
net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets
Eric Badger <ebadger@purestorage.com>
xprtrdma: Decrement re_receiving on the early exit paths
J. Neuschäfer <j.ne@posteo.net>
powerpc: 83xx: km83xx: Fix keymile vendor prefix
Tzung-Bi Shih <tzungbi@kernel.org>
remoteproc: mediatek: Unprepare SCP clock during system suspend
Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
remoteproc: sysmon: Correct subsys_name_len type in QMI request
Christophe Leroy (CS GROUP) <chleroy@kernel.org>
powerpc/uaccess: Fix inline assembly for clang build on PPC32
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Check max frame size for implicit feedback mode, too
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0
Azamat Almazbek uulu <almazbek1608@gmail.com>
ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table
Tomas Henzl <thenzl@redhat.com>
scsi: ses: Fix devices attaching to different hosts
Sofia Schneider <sofia@schn.dev>
ACPI: OSI: Add DMI quirk for Acer Aspire One D255
Ramanathan Choodamani <quic_rchoodam@quicinc.com>
wifi: mac80211: set default WMM parameters on all links
Al Viro <viro@zeniv.linux.org.uk>
unshare: fix unshare_fs() handling
Ranjan Kumar <ranjan.kumar@broadcom.com>
scsi: mpi3mr: Add NULL checks when resetting request and reply queues
Piotr Mazek <pmazek@outlook.com>
ACPI: PM: Save NVS memory on Lenovo G70-35
Jan Kiszka <jan.kiszka@siemens.com>
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
Menglong Dong <menglong8.dong@gmail.com>
net: tcp: accept old ack during closing
Victor Nogueira <victor@mojatatu.com>
net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
Guenter Roeck <linux@roeck-us.net>
tracing: Add NULL pointer check to trigger_data_free()
Larysa Zaremba <larysa.zaremba@intel.com>
xdp: produce a warning when calculated tailroom is negative
Larysa Zaremba <larysa.zaremba@intel.com>
xdp: use modulo operation to calculate XDP frag tailroom
Jamal Hadi Salim <jhs@mojatatu.com>
net/sched: act_ife: Fix metalist update behavior
Jiayuan Chen <jiayuan.chen@shopee.com>
net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
Fernando Fernandez Mancera <fmancera@suse.de>
net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
Fernando Fernandez Mancera <fmancera@suse.de>
net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
Lorenzo Bianconi <lorenzo@kernel.org>
net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup()
Ovidiu Panait <ovidiu.panait.rb@renesas.com>
net: stmmac: Fix error handling in VLAN add and delete paths
Jakub Kicinski <kuba@kernel.org>
nfc: rawsock: cancel tx_work before socket teardown
Jakub Kicinski <kuba@kernel.org>
nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback
Jakub Kicinski <kuba@kernel.org>
nfc: nci: free skb on nci_transceive early error paths
Ian Ray <ian.ray@gehealthcare.com>
net: nfc: nci: Fix zero-length proprietary notifications
Koichiro Den <den@valinux.co.jp>
net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
Raju Rangoju <Raju.Rangoju@amd.com>
amd-xgbe: fix sleep while atomic on suspend/resume
Jakub Kicinski <kuba@kernel.org>
ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
Lang Xu <xulang@uniontech.com>
bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
Kui-Feng Lee <thinker.li@gmail.com>
bpf: export bpf_link_inc_not_zero.
David Thomson <dt@linux-mail.net>
xen/acpi-processor: fix _CST detection using undersized evaluation buffer
Eric Dumazet <edumazet@google.com>
indirect_call_wrapper: do not reevaluate function pointer
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()
Bart Van Assche <bvanassche@acm.org>
wifi: wlcore: Fix a locking bug
Bart Van Assche <bvanassche@acm.org>
wifi: cw1200: Fix locking in error paths
Vimlesh Kumar <vimleshk@marvell.com>
octeon_ep: avoid compiler and IQ/OQ reordering
Vimlesh Kumar <vimleshk@marvell.com>
octeon_ep: Relocate counter updates before NAPI
Mieczyslaw Nalewaj <namiltd@yahoo.com>
net: dsa: realtek: rtl8365mb: fix rtl8365mb_phy_ocp_write return value
Shuvam Pandey <shuvampandey1@gmail.com>
kunit: tool: copy caller args in run_kernel to prevent mutation
Rae Moar <rmoar@google.com>
kunit: tool: Add command line interface to filter and report attributes
Daniel Latypov <dlatypov@google.com>
kunit: tool: fix pre-existing `mypy --strict` errors and update run_checks.py
Daniel Latypov <dlatypov@google.com>
kunit: tool: remove unused imports and variables
Alexander Pantyukhin <apantykhin@gmail.com>
kunit: kunit.py extract handlers
Daniel Latypov <dlatypov@google.com>
kunit: tool: make parser preserve whitespace when printing test log
Daniel Latypov <dlatypov@google.com>
kunit: tool: don't include KTAP headers and the like in the test log
Rae Moar <rmoar@google.com>
kunit: tool: parse KTAP compliant test output
Daniel Latypov <dlatypov@google.com>
kunit: tool: make --json do nothing if --raw_ouput is set
Daniel Latypov <dlatypov@google.com>
kunit: tool: print summary of failed tests if a few failed out of a lot
Alban Bedel <alban.bedel@lht.dlh.de>
can: mcp251x: fix deadlock in error path of mcp251x_open
Oliver Hartkopp <socketcan@hartkopp.net>
can: bcm: fix locking for bcm_op runtime updates
Jiayuan Chen <jiayuan.chen@shopee.com>
atm: lec: fix null-ptr-deref in lec_arp_clear_vccs
Guenter Roeck <linux@roeck-us.net>
dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler
Ioana Ciornei <ioana.ciornei@nxp.com>
dpaa2-switch: do not clear any interrupts automatically
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dpaa2-switch: serialize changes to priv->mac with a mutex
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dpaa2-switch replace direct MAC access with dpaa2_switch_port_has_mac()
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dpaa2-switch: assign port_priv->mac after dpaa2_mac_connect() call
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dpaa2: replace dpaa2_mac_is_type_fixed() with dpaa2_mac_is_type_phy()
Chintan Vankar <c-vankar@ti.com>
net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in ALE table
Jonathan Teh <jonathan.teh@outlook.com>
platform/x86: thinkpad_acpi: Fix errors reading battery thresholds
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
ARM: clean up the memset64() C wrapper
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: join: check removing signal+subflow endp
Paolo Abeni <pabeni@redhat.com>
selftests: mptcp: more stable simult_flows tests
Junxiao Bi <junxiao.bi@oracle.com>
scsi: core: Fix refcount leak for tagset_refcnt
Thorsten Blum <thorsten.blum@linux.dev>
smb: client: Don't log plaintext credentials in cifs_set_cifscreds
Paulo Alcantara <pc@manguebit.org>
smb: client: fix broken multichannel with krb5+signing
Lars Ellenberg <lars.ellenberg@linbit.com>
drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
Phillip Lougher <phillip@squashfs.org.uk>
Squashfs: check metadata block offset is within range
Prithvi Tambewagh <activprithvi@gmail.com>
scsi: target: Fix recursive locking in __configfs_open_file()
Davide Caratti <dcaratti@redhat.com>
net/sched: ets: fix divide by zero in the offload path
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
Jason Gunthorpe <jgg@ziepe.ca>
IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
Vahagn Vardanian <vahagn@redrays.io>
wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
Johannes Berg <johannes.berg@intel.com>
wifi: radiotap: reject radiotap with unknown bits
Jun Seo <jun.seo.93@proton.me>
ALSA: usb-audio: Use correct version for UAC3 header validation
Kurt Borja <kuurtb@gmail.com>
platform/x86: dell-wmi: Add audio/mic mute key codes
Thorsten Blum <thorsten.blum@linux.dev>
platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
Mike Rapoport (Microsoft) <rppt@kernel.org>
x86/efi: defer freeing of boot services memory
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
can: ucan: Fix infinite loop from zero-length messages
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net: usb: pegasus: validate USB endpoints
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net: usb: kalmia: validate USB endpoints
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net: usb: kaweth: validate USB endpoints
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
nfc: pn533: properly drop the usb interface reference on disconnect
Jens Axboe <axboe@kernel.dk>
media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
Jann Horn <jannh@google.com>
eventpoll: Fix integer overflow in ep_loop_check_proc()
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu: keep vga memory on MacBooks with switchable graphics
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Drop special case for yellow carp without discovery
Ethan Nelson-Moore <enelsonmoore@gmail.com>
net: arcnet: com20020-pci: fix support for 2.5Mbit cards
Takashi Iwai <tiwai@suse.de>
ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314
Gui-Dong Han <hanguidong02@gmail.com>
hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race
Takashi Iwai <tiwai@suse.de>
ALSA: hda/conexant: Add quirk for HP ZBook Studio G4
Thomas Richard (TI) <thomas.richard@bootlin.com>
usb: cdns3: fix role switching during resume
Théo Lebrun <theo.lebrun@bootlin.com>
usb: cdns3: call cdns_power_is_lost() only once in cdns_resume()
Hongyu Xie <xiehongyu1@kylinos.cn>
usb: cdns3: remove redundant if branch
Johan Hovold <johan@kernel.org>
clk: tegra: tegra124-emc: fix device leak on set_rate()
Shawn Lin <shawn.lin@rock-chips.com>
arm64: dts: rockchip: Fix rk356x PCIe range mappings
Johan Hovold <johan@kernel.org>
mfd: omap-usb-host: Fix OF populate on driver rebind
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
mfd: omap-usb-host: Convert to platform remove callback returning void
Johan Hovold <johan@kernel.org>
mfd: qcom-pm8xxx: Fix OF populate on driver rebind
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
mfd: qcom-pm8xxx: Convert to platform remove callback returning void
Yongjian Sun <sunyongjian1@huawei.com>
ext4: fix e4b bitmap inconsistency reports
Matthew Wilcox (Oracle) <willy@infradead.org>
ext4: convert bd_buddy_page to bd_buddy_folio
Matthew Wilcox (Oracle) <willy@infradead.org>
ext4: convert bd_bitmap_page to bd_bitmap_folio
Gou Hao <gouhao@uniontech.com>
ext4: delete redundant calculations in ext4_mb_get_buddy_page_lock()
Theodore Ts'o <tytso@mit.edu>
ext4: convert some BUG_ON's in mballoc to use WARN_RATELIMITED instead
Kemeng Shi <shikemeng@huaweicloud.com>
ext4: remove unnecessary e4b->bd_buddy_page check in ext4_mb_load_buddy_gfp
Zhang Yi <yi.zhang@huawei.com>
ext4: drop extent cache when splitting extent fails
Zhang Yi <yi.zhang@huawei.com>
ext4: drop extent cache after doing PARTIAL_VALID1 zeroout
Zhang Yi <yi.zhang@huawei.com>
ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
Zhang Yi <yi.zhang@huawei.com>
ext4: subdivide EXT4_EXT_DATA_VALID1
Baokun Li <libaokun1@huawei.com>
ext4: get rid of ppath in ext4_split_extent_at()
Baokun Li <libaokun1@huawei.com>
ext4: get rid of ppath in ext4_ext_insert_extent()
Baokun Li <libaokun1@huawei.com>
ext4: get rid of ppath in ext4_ext_create_new_leaf()
Baokun Li <libaokun1@huawei.com>
ext4: get rid of ppath in ext4_find_extent()
Baokun Li <libaokun1@huawei.com>
ext4: make ext4_es_remove_extent() return void
Johan Hovold <johan@kernel.org>
bus: omap-ocp2scp: fix OF populate on driver rebind
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
bus: omap-ocp2scp: Convert to platform remove callback returning void
Johan Hovold <johan@kernel.org>
drm/tegra: dsi: fix device leak on probe
Sean Christopherson <seanjc@google.com>
KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()
Sean Christopherson <seanjc@google.com>
KVM: x86: WARN if a vCPU gets a valid wakeup that KVM can't yet inject
Alper Ak <alperyasinak1@gmail.com>
media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update()
Milen Mitkov <quic_mmitkov@quicinc.com>
media: camss: vfe-480: Multiple outputs support for SM8250
Zilin Guan <zilin@seu.edu.cn>
media: tegra-video: Fix memory leak in __tegra_channel_try_format()
Laurent Pinchart <laurent.pinchart@ideasonboard.com>
media: tegra-video: Use accessors for pad config 'try_*' fields
Sean Christopherson <seanjc@google.com>
KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR
Sean Christopherson <seanjc@google.com>
KVM: x86: Rename KVM_MSR_RET_INVALID to KVM_MSR_RET_UNSUPPORTED
Mathias Krause <minipli@grsecurity.net>
KVM: x86: Fix KVM_GET_MSRS stack info leak
Sean Christopherson <seanjc@google.com>
KVM: x86/pmu: Provide "error" semantics for unsupported-but-known PMU MSRs
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
PCI: Use resource_set_range() that correctly sets ->end
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
resource: Add resource set range and size helpers
Puranjay Mohan <puranjay12@gmail.com>
PCI: Use resource names in PCI log messages
Puranjay Mohan <puranjay12@gmail.com>
PCI: Update BAR # and window messages
Bjorn Helgaas <bhelgaas@google.com>
PCI: Fix printk field formatting
Mika Westerberg <mika.westerberg@linux.intel.com>
PCI: Introduce pci_dev_for_each_resource()
Johan Hovold <johan@kernel.org>
memory: mtk-smi: fix device leak on larb probe
Johan Hovold <johan@kernel.org>
memory: mtk-smi: fix device leaks on common probe
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
memory: mtk-smi: Convert to platform remove callback returning void
Kohei Enju <kohei@enjuk.jp>
bpf: Fix stack-out-of-bounds write in devmap
Mark Harmstone <mark@harmstone.com>
btrfs: fix compat mask in error messages in btrfs_check_features()
Mark Harmstone <mark@harmstone.com>
btrfs: fix incorrect key offset in error message in check_dev_extent_item()
Josef Bacik <josef@toxicpanda.com>
btrfs: move btrfs_crc32c_final into free-space-cache.c
Peter Zijlstra <peterz@infradead.org>
perf: Fix __perf_event_overflow() vs perf_remove_from_context() race
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Use inclusive terms
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Cap the packet size pre-calculations
Peter Wang <peter.wang@mediatek.com>
scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume
Bart Van Assche <bvanassche@acm.org>
scsi: ufs: core: Always initialize the UIC done completion
Geoffrey D. Bennett <g@b4.vu>
ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices
Salomon Dushimirimana <salomondush@google.com>
scsi: pm8001: Fix use-after-free in pm8001_queue_command()
Mathias Krause <minipli@grsecurity.net>
scsi: lpfc: Properly set WC for DPP mapping
Nam Cao <namcao@linutronix.de>
irqchip/sifive-plic: Fix frozen interrupt due to affinity setting
Felix Gu <ustc.gu@gmail.com>
drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()
Ian Forbes <ian.forbes@broadcom.com>
drm/vmwgfx: Return the correct value in vmw_translate_ptr functions
Brad Spengler <brad.spengler@opensrcsec.com>
drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release
-------------
Diffstat:
.clang-format | 1 +
.../ethernet/freescale/dpaa2/mac-phy-support.rst | 9 +-
Makefile | 4 +-
arch/alpha/kernel/pci.c | 5 +-
arch/arm/include/asm/string.h | 14 +-
arch/arm/kernel/bios32.c | 16 +-
arch/arm/mach-dove/pcie.c | 10 +-
arch/arm/mach-mv78xx0/pcie.c | 10 +-
arch/arm/mach-orion5x/pci.c | 10 +-
.../arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi | 1 -
arch/arm64/boot/dts/rockchip/rk3568.dtsi | 4 +-
arch/arm64/boot/dts/rockchip/rk356x.dtsi | 2 +-
arch/arm64/include/asm/pgtable-prot.h | 76 ++--
arch/loongarch/include/asm/uaccess.h | 14 +-
arch/mips/pci/ops-bcm63xx.c | 8 +-
arch/mips/pci/pci-legacy.c | 3 +-
arch/parisc/include/asm/pgtable.h | 2 +-
arch/parisc/kernel/head.S | 7 +-
arch/parisc/kernel/setup.c | 20 +-
arch/powerpc/include/asm/uaccess.h | 2 +-
arch/powerpc/kernel/pci-common.c | 21 +-
arch/powerpc/platforms/4xx/pci.c | 8 +-
arch/powerpc/platforms/52xx/mpc52xx_pci.c | 5 +-
arch/powerpc/platforms/83xx/km83xx.c | 4 +-
arch/powerpc/platforms/pseries/pci.c | 16 +-
arch/riscv/kernel/stacktrace.c | 21 +-
arch/s390/lib/xor.c | 4 +-
arch/sh/drivers/pci/pcie-sh7786.c | 10 +-
arch/sparc/kernel/leon_pci.c | 5 +-
arch/sparc/kernel/pci.c | 10 +-
arch/sparc/kernel/pcic.c | 5 +-
arch/x86/boot/compressed/sev.c | 1 +
arch/x86/include/asm/efi.h | 2 +-
arch/x86/include/asm/msr-index.h | 5 +-
arch/x86/kernel/apic/apic.c | 6 +
arch/x86/kernel/uprobes.c | 24 ++
arch/x86/kvm/svm/avic.c | 8 +-
arch/x86/kvm/svm/svm.c | 11 +-
arch/x86/kvm/vmx/vmx.c | 2 +-
arch/x86/kvm/x86.c | 120 +++---
arch/x86/kvm/x86.h | 15 +-
arch/x86/platform/efi/efi.c | 2 +-
arch/x86/platform/efi/quirks.c | 55 ++-
drivers/acpi/acpi_processor.c | 15 +-
drivers/acpi/osi.c | 13 +
drivers/acpi/osl.c | 2 +-
drivers/acpi/sleep.c | 8 +
drivers/base/power/runtime.c | 1 +
drivers/base/property.c | 27 +-
drivers/block/drbd/drbd_actlog.c | 53 +--
drivers/block/drbd/drbd_interval.h | 5 +-
drivers/bluetooth/btqca.c | 2 +
drivers/bus/omap-ocp2scp.c | 19 +-
drivers/clk/tegra/clk-tegra124-emc.c | 2 +-
drivers/cpuidle/cpuidle.c | 10 -
drivers/crypto/atmel-sha204a.c | 5 +-
drivers/dma/mmp_pdma.c | 6 +
drivers/firmware/arm_scpi.c | 5 +-
drivers/firmware/efi/mokvar-table.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 13 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 38 ++
drivers/gpu/drm/amd/amdgpu/amdgpu_csa.h | 3 +
drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 36 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 4 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 14 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 12 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c | 9 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c | 3 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c | 3 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_1.c | 3 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_2.c | 3 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 1 +
.../drm/amd/display/amdgpu_dm/amdgpu_dm_pp_smu.c | 1 +
.../amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 2 +-
drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 2 +-
drivers/gpu/drm/amd/display/dc/dm_services_types.h | 2 +-
drivers/gpu/drm/amd/include/dm_pp_interface.h | 1 +
drivers/gpu/drm/amd/pm/amdgpu_dpm_internal.c | 67 +++
drivers/gpu/drm/amd/pm/inc/amdgpu_dpm_internal.h | 2 +
drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 4 +-
drivers/gpu/drm/amd/pm/legacy-dpm/legacy_dpm.c | 6 +-
drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 69 ++-
drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 13 +-
drivers/gpu/drm/bridge/ti-sn65dsi83.c | 13 +-
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 118 +++++-
drivers/gpu/drm/drm_file.c | 5 +-
drivers/gpu/drm/drm_mode_config.c | 9 +-
drivers/gpu/drm/exynos/exynos_drm_drv.h | 1 +
drivers/gpu/drm/exynos/exynos_drm_vidi.c | 72 +++-
drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 +-
drivers/gpu/drm/logicvc/logicvc_drm.c | 4 +-
drivers/gpu/drm/msm/msm_gpummu.c | 2 +-
drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +
drivers/gpu/drm/radeon/si_dpm.c | 4 +-
drivers/gpu/drm/tegra/dsi.c | 6 +-
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 4 +-
drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 9 +-
drivers/hid/hid-cmedia.c | 2 +-
drivers/hid/hid-creative-sb0540.c | 2 +-
drivers/hid/hid-zydacron.c | 2 +-
drivers/hwmon/max16065.c | 26 +-
drivers/hwmon/pmbus/isl68137.c | 7 +-
drivers/hwmon/pmbus/q54sj108a2.c | 19 +-
drivers/i2c/busses/i2c-cp2615.c | 5 +-
drivers/i2c/busses/i2c-fsi.c | 1 +
drivers/i3c/master/mipi-i3c-hci/cmd.h | 1 +
drivers/i3c/master/mipi-i3c-hci/cmd_v1.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/cmd_v2.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/core.c | 6 +-
drivers/i3c/master/mipi-i3c-hci/dma.c | 4 +-
drivers/iio/chemical/bme680_core.c | 2 +-
drivers/iio/chemical/sps30_i2c.c | 2 +-
drivers/iio/chemical/sps30_serial.c | 2 +-
drivers/iio/dac/ds4424.c | 2 +-
drivers/iio/gyro/mpu3050-core.c | 18 +-
drivers/iio/gyro/mpu3050-i2c.c | 3 +-
drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 2 +
drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c | 3 +
drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 2 +
drivers/iio/industrialio-buffer.c | 102 ++---
drivers/iio/light/bh1780.c | 4 +-
drivers/iio/potentiometer/mcp4131.c | 2 +-
drivers/infiniband/hw/irdma/verbs.c | 2 +-
drivers/infiniband/hw/mthca/mthca_provider.c | 5 +-
drivers/iommu/intel/dmar.c | 3 +-
drivers/irqchip/irq-gic-v3-its.c | 4 +
drivers/irqchip/irq-sifive-plic.c | 7 +-
drivers/mailbox/mailbox.c | 6 +-
drivers/md/dm-verity-fec.c | 4 +-
drivers/md/dm-verity-fec.h | 3 -
drivers/media/dvb-core/dmxdev.c | 4 +-
drivers/media/dvb-core/dvb_net.c | 3 +
drivers/media/platform/qcom/camss/camss-vfe-480.c | 59 ++-
drivers/memory/mtk-smi.c | 13 +-
drivers/mfd/omap-usb-host.c | 11 +-
drivers/mfd/qcom-pm8xxx.c | 14 +-
drivers/mmc/host/mmci_qcom_dml.c | 1 +
drivers/mmc/host/sdhci-pci-gli.c | 9 +
drivers/mmc/host/sdhci.c | 9 +-
drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 +-
drivers/mtd/nand/raw/cadence-nand-controller.c | 2 +-
drivers/mtd/nand/raw/nand_base.c | 14 +-
drivers/mtd/nand/raw/pl35x-nand-controller.c | 3 +
drivers/mtd/nand/spi/macronix.c | 3 +-
drivers/mtd/parsers/redboot.c | 6 +-
drivers/net/arcnet/com20020-pci.c | 16 +-
drivers/net/bonding/bond_debugfs.c | 16 +-
drivers/net/bonding/bond_main.c | 10 +-
drivers/net/caif/caif_serial.c | 3 +
drivers/net/can/spi/hi311x.c | 5 +-
drivers/net/can/spi/mcp251x.c | 15 +-
drivers/net/can/usb/ems_usb.c | 7 +-
drivers/net/can/usb/etas_es58x/es58x_core.c | 8 +-
drivers/net/can/usb/gs_usb.c | 22 +-
drivers/net/can/usb/ucan.c | 2 +-
drivers/net/dsa/bcm_sf2.c | 8 +-
drivers/net/dsa/realtek/rtl8365mb.c | 5 +-
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 10 -
drivers/net/ethernet/amd/xgbe/xgbe-main.c | 1 -
drivers/net/ethernet/amd/xgbe/xgbe.h | 3 -
drivers/net/ethernet/arc/emac_main.c | 11 +
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 25 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 2 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 7 -
drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +-
drivers/net/ethernet/cadence/macb.h | 7 +
drivers/net/ethernet/cadence/macb_main.c | 184 +++++++-
drivers/net/ethernet/cadence/macb_ptp.c | 4 +-
drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h | 7 +-
drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.h | 10 +-
.../freescale/dpaa2/dpaa2-switch-ethtool.c | 34 +-
.../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 57 ++-
.../net/ethernet/freescale/dpaa2/dpaa2-switch.h | 9 +-
drivers/net/ethernet/freescale/enetc/enetc_pf.c | 131 ++++--
drivers/net/ethernet/freescale/fec_main.c | 19 +-
drivers/net/ethernet/google/gve/gve.h | 1 +
drivers/net/ethernet/google/gve/gve_main.c | 5 +-
drivers/net/ethernet/intel/e1000/e1000_main.c | 2 -
drivers/net/ethernet/intel/e1000e/netdev.c | 2 -
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 +-
drivers/net/ethernet/intel/iavf/iavf_main.c | 9 +-
drivers/net/ethernet/intel/ice/ice_common.c | 8 +-
drivers/net/ethernet/intel/ice/ice_ethtool.c | 35 +-
drivers/net/ethernet/intel/igc/igc_main.c | 7 +-
drivers/net/ethernet/intel/ixgbevf/vf.c | 3 +-
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 +-
.../net/ethernet/marvell/octeon_ep/octep_main.c | 48 ++-
drivers/net/ethernet/marvell/octeon_ep/octep_rx.c | 27 +-
.../ethernet/marvell/octeontx2/af/rvu_devlink.c | 468 ++++++---------------
drivers/net/ethernet/mediatek/mtk_eth_soc.c | 15 +-
.../ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 -
drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 30 +-
drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 3 +
.../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 18 +-
drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +-
drivers/net/ethernet/microsoft/mana/mana_en.c | 23 +-
drivers/net/ethernet/stmicro/stmmac/common.h | 1 -
drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 4 -
.../net/ethernet/stmicro/stmmac/dwmac-loongson.c | 9 +-
drivers/net/ethernet/stmicro/stmmac/stmmac.h | 2 -
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 61 +--
.../net/ethernet/stmicro/stmmac/stmmac_platform.c | 8 -
drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +-
drivers/net/ethernet/ti/cpsw_ale.c | 9 +-
drivers/net/mctp/mctp-i2c.c | 1 +
drivers/net/phy/phy_device.c | 13 +-
drivers/net/usb/aqc111.c | 12 +-
drivers/net/usb/kalmia.c | 7 +
drivers/net/usb/kaweth.c | 13 +
drivers/net/usb/lan78xx.c | 10 +-
drivers/net/usb/lan78xx.h | 3 +
drivers/net/usb/pegasus.c | 13 +-
drivers/net/vxlan/vxlan_core.c | 5 +
.../wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 +-
drivers/net/wireless/marvell/libertas/main.c | 4 +-
.../net/wireless/mediatek/mt76/mt76_connac_mac.c | 1 +
drivers/net/wireless/st/cw1200/pm.c | 2 +
drivers/net/wireless/ti/wlcore/main.c | 4 +-
drivers/net/wireless/ti/wlcore/tx.c | 2 +-
drivers/nfc/nxp-nci/i2c.c | 4 +-
drivers/nfc/pn533/usb.c | 1 +
drivers/nvdimm/bus.c | 5 +-
drivers/nvme/host/core.c | 2 +
drivers/nvme/host/fc.c | 2 +-
drivers/nvme/host/pci.c | 8 +-
drivers/pci/iov.c | 7 +-
drivers/pci/pci-acpi.c | 59 ++-
drivers/pci/pci.c | 85 +++-
drivers/pci/pci.h | 5 +
drivers/pci/pcie/aer.c | 3 -
drivers/pci/probe.c | 32 +-
drivers/pci/quirks.c | 15 +-
drivers/pci/remove.c | 5 +-
drivers/pci/setup-bus.c | 57 +--
drivers/pci/setup-res.c | 74 ++--
drivers/pci/vgaarb.c | 17 +-
drivers/pci/xen-pcifront.c | 4 +-
drivers/platform/x86/dell/dell-wmi-base.c | 6 +
.../dell/dell-wmi-sysman/passwordattr-interface.c | 1 -
drivers/platform/x86/thinkpad_acpi.c | 6 +-
drivers/pnp/quirks.c | 29 +-
drivers/regulator/pca9450-regulator.c | 41 +-
drivers/remoteproc/mtk_scp.c | 39 ++
drivers/remoteproc/qcom_sysmon.c | 2 +-
drivers/s390/block/dasd_eckd.c | 16 +
drivers/s390/crypto/zcrypt_ccamisc.c | 12 +-
drivers/s390/crypto/zcrypt_cex4.c | 3 +-
drivers/scsi/lpfc/lpfc_init.c | 2 +
drivers/scsi/lpfc/lpfc_sli.c | 36 +-
drivers/scsi/lpfc/lpfc_sli4.h | 3 +
drivers/scsi/mpi3mr/mpi3mr_fw.c | 32 +-
drivers/scsi/pm8001/pm8001_sas.c | 5 +-
drivers/scsi/scsi_scan.c | 7 +-
drivers/scsi/ses.c | 5 +-
drivers/scsi/storvsc_drv.c | 5 +-
drivers/soc/bcm/bcm2835-power.c | 18 +-
drivers/soc/fsl/qbman/qman.c | 24 +-
drivers/spi/spi-cadence-quadspi.c | 34 ++
drivers/spi/spi.c | 25 +-
drivers/staging/media/tegra-video/vi.c | 27 +-
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 +-
drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 +-
drivers/target/target_core_configfs.c | 15 +-
drivers/tty/serial/8250/8250_dma.c | 15 +
drivers/tty/serial/8250/8250_pci.c | 17 +
drivers/tty/serial/8250/8250_port.c | 6 +
drivers/tty/serial/uartlite.c | 1 +
drivers/ufs/core/ufshcd.c | 35 +-
drivers/usb/cdns3/core.c | 11 +-
drivers/usb/class/cdc-acm.c | 5 +
drivers/usb/class/cdc-acm.h | 1 +
drivers/usb/class/cdc-wdm.c | 4 +-
drivers/usb/class/usbtmc.c | 6 +-
drivers/usb/core/message.c | 100 ++++-
drivers/usb/core/phy.c | 8 +-
drivers/usb/core/quirks.c | 16 +
drivers/usb/gadget/function/f_mass_storage.c | 12 +-
drivers/usb/gadget/function/f_tcm.c | 14 +
drivers/usb/host/xhci.c | 4 +-
drivers/usb/image/mdc800.c | 6 +-
drivers/usb/misc/uss720.c | 2 +-
drivers/usb/misc/yurex.c | 2 +-
drivers/usb/renesas_usbhs/common.c | 9 +
drivers/usb/roles/class.c | 7 +-
drivers/usb/serial/f81232.c | 77 ++--
drivers/xen/xen-acpi-processor.c | 7 +-
fs/binfmt_misc.c | 4 +-
fs/btrfs/ctree.h | 7 +-
fs/btrfs/disk-io.c | 28 +-
fs/btrfs/extent_io.c | 3 +-
fs/btrfs/extent_io.h | 3 +-
fs/btrfs/free-space-cache.c | 5 +
fs/btrfs/inode.c | 19 +
fs/btrfs/ioctl.c | 24 +-
fs/btrfs/send.c | 4 +
fs/btrfs/transaction.c | 16 +
fs/btrfs/tree-checker.c | 4 +-
fs/btrfs/uuid-tree.c | 46 ++
fs/ceph/dir.c | 15 +-
fs/dlm/lock.c | 10 +-
fs/eventpoll.c | 5 +-
fs/ext4/ext4.h | 9 +-
fs/ext4/extents.c | 312 ++++++++------
fs/ext4/extents_status.c | 12 +-
fs/ext4/extents_status.h | 4 +-
fs/ext4/fast_commit.c | 8 +-
fs/ext4/inline.c | 12 +-
fs/ext4/inode.c | 8 +-
fs/ext4/mballoc.c | 258 ++++++------
fs/ext4/mballoc.h | 4 +-
fs/ext4/migrate.c | 5 +-
fs/ext4/move_extent.c | 7 +-
fs/f2fs/data.c | 5 +-
fs/gfs2/util.c | 31 +-
fs/iomap/buffered-io.c | 7 +-
fs/nfsd/nfs4xdr.c | 9 +-
fs/nfsd/nfsctl.c | 31 +-
fs/nfsd/state.h | 17 +-
fs/ntfs3/super.c | 5 +
fs/smb/client/cifsencrypt.c | 3 +-
fs/smb/client/cifsfs.c | 9 +-
fs/smb/client/cifsglob.h | 11 +
fs/smb/client/cifsproto.h | 1 +
fs/smb/client/connect.c | 5 +-
fs/smb/client/dir.c | 1 +
fs/smb/client/file.c | 29 +-
fs/smb/client/misc.c | 41 ++
fs/smb/client/smb2ops.c | 14 +-
fs/smb/client/smb2pdu.c | 22 +-
fs/smb/client/smb2transport.c | 4 +-
fs/smb/server/auth.c | 26 +-
fs/smb/server/smb2pdu.c | 17 +-
fs/squashfs/cache.c | 3 +
fs/xfs/xfs_bmap_item.c | 3 +-
fs/xfs/xfs_dquot.c | 8 +-
fs/xfs/xfs_log.c | 2 +
include/asm-generic/tlb.h | 77 +++-
include/linux/bpf.h | 6 +
include/linux/hugetlb.h | 17 +-
include/linux/indirect_call_wrapper.h | 18 +-
include/linux/ioport.h | 32 ++
include/linux/irqchip/arm-gic-v3.h | 1 +
include/linux/mlx5/mlx5_ifc.h | 4 +-
include/linux/mm_types.h | 1 +
include/linux/mmc/host.h | 9 +-
include/linux/pci.h | 14 +
include/linux/skbuff.h | 12 +
include/linux/stmmac.h | 1 -
include/linux/uprobes.h | 1 +
include/linux/usb.h | 8 +-
include/net/act_api.h | 1 +
include/net/bluetooth/hci_core.h | 3 +
include/net/netfilter/nf_tables.h | 7 +-
include/net/sch_generic.h | 38 ++
include/net/tc_act/tc_gate.h | 33 +-
include/net/tc_act/tc_ife.h | 4 +-
include/net/udp_tunnel.h | 2 +-
include/sound/soc.h | 2 +
include/trace/events/kmem.h | 8 +-
io_uring/io-wq.c | 2 +-
io_uring/kbuf.c | 8 +-
kernel/bpf/devmap.c | 22 +-
kernel/bpf/syscall.c | 3 +-
kernel/bpf/trampoline.c | 4 +-
kernel/bpf/verifier.c | 4 +
kernel/cgroup/cgroup.c | 1 +
kernel/events/core.c | 42 +-
kernel/events/uprobes.c | 10 +-
kernel/fork.c | 2 +-
kernel/kprobes.c | 47 +--
kernel/rcu/tree_nocb.h | 5 +-
kernel/sched/fair.c | 6 -
kernel/sched/idle.c | 45 +-
kernel/time/time.c | 171 +++++++-
kernel/trace/trace.c | 6 +-
kernel/trace/trace_events.c | 51 ++-
kernel/trace/trace_events_trigger.c | 3 +
lib/bootconfig.c | 9 +-
mm/hugetlb.c | 143 ++++---
mm/kfence/core.c | 22 +-
mm/mmu_gather.c | 33 ++
mm/rmap.c | 25 +-
net/atm/lec.c | 26 +-
net/batman-adv/bat_iv_ogm.c | 3 +
net/batman-adv/bat_v_elp.c | 10 +-
net/batman-adv/hard-interface.c | 8 +-
net/batman-adv/hard-interface.h | 1 +
net/bluetooth/hci_core.c | 34 +-
net/bluetooth/hci_sync.c | 2 +-
net/bluetooth/hidp/core.c | 16 +-
net/bluetooth/l2cap_core.c | 31 +-
net/bluetooth/smp.c | 2 +-
net/bridge/br_device.c | 2 +-
net/bridge/br_input.c | 2 +-
net/can/bcm.c | 1 +
net/ceph/auth.c | 6 +-
net/ceph/messenger_v2.c | 31 +-
net/ceph/mon_client.c | 6 +-
net/core/dev.c | 2 +-
net/core/filter.c | 23 +-
net/dsa/dsa2.c | 7 +
net/ipv4/icmp.c | 4 +-
net/ipv4/tcp.c | 3 +-
net/ipv4/tcp_input.c | 18 +-
net/ipv4/tcp_ipv4.c | 3 +-
net/ipv4/tcp_offload.c | 74 ++++
net/ipv4/udp_offload.c | 3 +-
net/ipv6/ip6_output.c | 35 +-
net/ipv6/route.c | 11 +-
net/ipv6/tcp_ipv6.c | 3 +-
net/ipv6/tcpv6_offload.c | 65 +++
net/l2tp/l2tp_ppp.c | 25 +-
net/mac80211/debugfs.c | 14 +-
net/mac80211/link.c | 2 +
net/mac80211/mesh.c | 6 +
net/mctp/route.c | 13 +-
net/mptcp/pm.c | 2 +-
net/mptcp/pm_netlink.c | 72 +++-
net/mptcp/protocol.h | 2 +
net/ncsi/ncsi-aen.c | 3 +-
net/ncsi/ncsi-rsp.c | 16 +-
net/netfilter/nf_conntrack_h323_asn1.c | 4 +
net/netfilter/nf_conntrack_netlink.c | 67 +--
net/netfilter/nf_conntrack_sip.c | 6 +-
net/netfilter/nf_tables_api.c | 8 +-
net/netfilter/nfnetlink_cthelper.c | 8 +-
net/netfilter/nfnetlink_osf.c | 13 +
net/netfilter/nfnetlink_queue.c | 4 +-
net/netfilter/nft_compat.c | 6 +-
net/netfilter/nft_ct.c | 9 +
net/netfilter/nft_log.c | 2 +-
net/netfilter/nft_meta.c | 2 +-
net/netfilter/nft_numgen.c | 2 +-
net/netfilter/nft_set_pipapo.c | 123 ++++--
net/netfilter/nft_set_pipapo.h | 2 +
net/netfilter/nft_tunnel.c | 5 +-
net/netfilter/xt_CT.c | 4 +
net/netfilter/xt_IDLETIMER.c | 6 +
net/netfilter/xt_dccp.c | 4 +-
net/netfilter/xt_tcpudp.c | 6 +-
net/netfilter/xt_time.c | 4 +-
net/nfc/nci/core.c | 21 +-
net/nfc/nci/data.c | 12 +-
net/nfc/rawsock.c | 11 +
net/rose/af_rose.c | 5 +
net/sched/act_ct.c | 6 +
net/sched/act_gate.c | 264 ++++++++----
net/sched/act_ife.c | 93 ++--
net/sched/cls_api.c | 7 +
net/sched/cls_u32.c | 13 +-
net/sched/sch_ets.c | 12 +-
net/sched/sch_generic.c | 27 --
net/sched/sch_teql.c | 8 +-
net/smc/af_smc.c | 23 +-
net/smc/smc.h | 5 +
net/smc/smc_close.c | 2 +-
net/sunrpc/cache.c | 26 +-
net/sunrpc/xprtrdma/verbs.c | 7 +-
net/tipc/socket.c | 2 +
net/wireless/core.c | 4 +-
net/wireless/core.h | 4 +-
net/wireless/pmsr.c | 1 +
net/wireless/radiotap.c | 4 +-
net/wireless/scan.c | 14 +-
sound/core/pcm_lib.c | 11 +-
sound/core/pcm_native.c | 25 +-
sound/pci/hda/patch_conexant.c | 11 +
sound/soc/amd/acp3x-rt5682-max9836.c | 9 +-
sound/soc/amd/yc/acp6x-mach.c | 14 +
sound/soc/qcom/qdsp6/q6apm-dai.c | 1 +
sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 1 +
sound/soc/qcom/qdsp6/q6apm.c | 1 +
sound/soc/soc-core.c | 35 +-
sound/usb/endpoint.c | 10 +-
sound/usb/midi.c | 3 +-
sound/usb/mixer_scarlett2.c | 2 +
sound/usb/quirks.c | 4 +-
sound/usb/validate.c | 2 +-
tools/bootconfig/main.c | 7 +-
tools/testing/kunit/kunit.py | 279 +++++++-----
tools/testing/kunit/kunit_config.py | 4 +-
tools/testing/kunit/kunit_kernel.py | 42 +-
tools/testing/kunit/kunit_parser.py | 171 +++++---
tools/testing/kunit/kunit_tool_test.py | 120 +++++-
tools/testing/kunit/run_checks.py | 4 +-
.../kunit/test_data/test_parse_ktap_output.log | 8 +
.../kunit/test_data/test_parse_subtest_header.log | 7 +
tools/testing/selftests/net/amt.sh | 7 +-
tools/testing/selftests/net/mptcp/mptcp_join.sh | 49 +++
tools/testing/selftests/net/mptcp/simult_flows.sh | 11 +-
495 files changed, 5835 insertions(+), 3013 deletions(-)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 062/567] mailbox: remove unused header files
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 061/567] mailbox: sort headers alphabetically Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 063/567] mailbox: Use dev_err when there is error Greg Kroah-Hartman
` (315 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Jassi Brar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tudor Ambarus <tudor.ambarus@linaro.org>
[ Upstream commit 4de14ec76b5e67d824896f774b3a23d86a2ebc87 ]
There's nothing used from these header files, remove their inclusion.
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Stable-dep-of: fcd7f96c7836 ("mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
index c7134ece6d5dd..693975a87e19e 100644
--- a/drivers/mailbox/mailbox.c
+++ b/drivers/mailbox/mailbox.c
@@ -6,17 +6,14 @@
* Author: Jassi Brar <jassisinghbrar@gmail.com>
*/
-#include <linux/bitops.h>
#include <linux/delay.h>
#include <linux/device.h>
#include <linux/err.h>
-#include <linux/interrupt.h>
#include <linux/mailbox_client.h>
#include <linux/mailbox_controller.h>
#include <linux/module.h>
#include <linux/mutex.h>
#include <linux/of.h>
-#include <linux/slab.h>
#include <linux/spinlock.h>
#include "mailbox.h"
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 001/481] drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 002/481] drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Greg Kroah-Hartman
` (314 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brad Spengler, Zack Rusin,
Ian Forbes, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brad Spengler <brad.spengler@opensrcsec.com>
[ Upstream commit 211ecfaaef186ee5230a77d054cdec7fbfc6724a ]
The kref_put() call uses (void *)kvfree as the release callback, which
is incorrect. kref_put() expects a function with signature
void (*release)(struct kref *), but kvfree has signature
void (*)(const void *). Calling through an incompatible function pointer
is undefined behavior.
The code only worked by accident because ref_count is the first member
of vmw_bo_dirty, making the kref pointer equal to the struct pointer.
Fix this by adding a proper release callback that uses container_of()
to retrieve the containing structure before freeing.
Fixes: c1962742ffff ("drm/vmwgfx: Use kref in vmw_bo_dirty")
Signed-off-by: Brad Spengler <brad.spengler@opensrcsec.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Cc: Ian Forbes <ian.forbes@broadcom.com>
Link: https://patch.msgid.link/20260107171236.3573118-1-zack.rusin@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c b/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c
index 09e938498442c..84d1d05346185 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c
@@ -274,6 +274,13 @@ int vmw_bo_dirty_add(struct vmw_buffer_object *vbo)
return ret;
}
+static void vmw_bo_dirty_free(struct kref *kref)
+{
+ struct vmw_bo_dirty *dirty = container_of(kref, struct vmw_bo_dirty, ref_count);
+
+ kvfree(dirty);
+}
+
/**
* vmw_bo_dirty_release - Release a dirty-tracking user from a buffer object
* @vbo: The buffer object
@@ -288,7 +295,7 @@ void vmw_bo_dirty_release(struct vmw_buffer_object *vbo)
{
struct vmw_bo_dirty *dirty = vbo->dirty;
- if (dirty && kref_put(&dirty->ref_count, (void *)kvfree))
+ if (dirty && kref_put(&dirty->ref_count, vmw_bo_dirty_free))
vbo->dirty = NULL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 063/567] mailbox: Use dev_err when there is error
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 062/567] mailbox: remove unused header files Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 064/567] mailbox: Use guard/scoped_guard for con_mutex Greg Kroah-Hartman
` (314 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Jassi Brar, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 8da4988b6e645f3eaa590ea16f433583364fd09c ]
Use dev_err to show the error log instead of using dev_dbg.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Stable-dep-of: fcd7f96c7836 ("mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
index 693975a87e19e..4c27de9514e55 100644
--- a/drivers/mailbox/mailbox.c
+++ b/drivers/mailbox/mailbox.c
@@ -322,7 +322,7 @@ static int __mbox_bind_client(struct mbox_chan *chan, struct mbox_client *cl)
int ret;
if (chan->cl || !try_module_get(chan->mbox->dev->driver->owner)) {
- dev_dbg(dev, "%s: mailbox not free\n", __func__);
+ dev_err(dev, "%s: mailbox not free\n", __func__);
return -EBUSY;
}
@@ -413,7 +413,7 @@ struct mbox_chan *mbox_request_channel(struct mbox_client *cl, int index)
ret = of_parse_phandle_with_args(dev->of_node, "mboxes", "#mbox-cells",
index, &spec);
if (ret) {
- dev_dbg(dev, "%s: can't parse \"mboxes\" property\n", __func__);
+ dev_err(dev, "%s: can't parse \"mboxes\" property\n", __func__);
return ERR_PTR(ret);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 002/481] drm/vmwgfx: Return the correct value in vmw_translate_ptr functions
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 001/481] drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 003/481] drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse() Greg Kroah-Hartman
` (313 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuzey Arda Bulut, Ian Forbes,
Zack Rusin, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Forbes <ian.forbes@broadcom.com>
[ Upstream commit 5023ca80f9589295cb60735016e39fc5cc714243 ]
Before the referenced fixes these functions used a lookup function that
returned a pointer. This was changed to another lookup function that
returned an error code with the pointer becoming an out parameter.
The error path when the lookup failed was not changed to reflect this
change and the code continued to return the PTR_ERR of the now
uninitialized pointer. This could cause the vmw_translate_ptr functions
to return success when they actually failed causing further uninitialized
and OOB accesses.
Reported-by: Kuzey Arda Bulut <kuzeyardabulut@gmail.com>
Fixes: a309c7194e8a ("drm/vmwgfx: Remove rcu locks from user resources")
Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
Reviewed-by: Zack Rusin <zack.rusin@broadcom.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Link: https://patch.msgid.link/20260113175357.129285-1-ian.forbes@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index d8cc99ef7e2a0..34b9161ec7e81 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -1156,7 +1156,7 @@ static int vmw_translate_mob_ptr(struct vmw_private *dev_priv,
ret = vmw_user_bo_lookup(sw_context->filp, handle, &vmw_bo);
if (ret != 0) {
drm_dbg(&dev_priv->drm, "Could not find or use MOB buffer.\n");
- return PTR_ERR(vmw_bo);
+ return ret;
}
ret = vmw_validation_add_bo(sw_context->ctx, vmw_bo, true, false);
tmp_bo = vmw_bo;
@@ -1211,7 +1211,7 @@ static int vmw_translate_guest_ptr(struct vmw_private *dev_priv,
ret = vmw_user_bo_lookup(sw_context->filp, handle, &vmw_bo);
if (ret != 0) {
drm_dbg(&dev_priv->drm, "Could not find or use GMR region.\n");
- return PTR_ERR(vmw_bo);
+ return ret;
}
ret = vmw_validation_add_bo(sw_context->ctx, vmw_bo, false, false);
tmp_bo = vmw_bo;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 064/567] mailbox: Use guard/scoped_guard for con_mutex
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 063/567] mailbox: Use dev_err when there is error Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 065/567] mailbox: Allow controller specific mapping using fwnode Greg Kroah-Hartman
` (313 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Jassi Brar, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 16da9a653c5bf5d97fb296420899fe9735aa9c3c ]
Use guard and scoped_guard for con_mutex to simplify code.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Stable-dep-of: fcd7f96c7836 ("mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox.c | 61 +++++++++++++++++----------------------
1 file changed, 26 insertions(+), 35 deletions(-)
diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
index 4c27de9514e55..7dcbca48d1a0f 100644
--- a/drivers/mailbox/mailbox.c
+++ b/drivers/mailbox/mailbox.c
@@ -6,6 +6,7 @@
* Author: Jassi Brar <jassisinghbrar@gmail.com>
*/
+#include <linux/cleanup.h>
#include <linux/delay.h>
#include <linux/device.h>
#include <linux/err.h>
@@ -370,13 +371,9 @@ static int __mbox_bind_client(struct mbox_chan *chan, struct mbox_client *cl)
*/
int mbox_bind_client(struct mbox_chan *chan, struct mbox_client *cl)
{
- int ret;
-
- mutex_lock(&con_mutex);
- ret = __mbox_bind_client(chan, cl);
- mutex_unlock(&con_mutex);
+ guard(mutex)(&con_mutex);
- return ret;
+ return __mbox_bind_client(chan, cl);
}
EXPORT_SYMBOL_GPL(mbox_bind_client);
@@ -417,28 +414,25 @@ struct mbox_chan *mbox_request_channel(struct mbox_client *cl, int index)
return ERR_PTR(ret);
}
- mutex_lock(&con_mutex);
+ scoped_guard(mutex, &con_mutex) {
+ chan = ERR_PTR(-EPROBE_DEFER);
+ list_for_each_entry(mbox, &mbox_cons, node)
+ if (mbox->dev->of_node == spec.np) {
+ chan = mbox->of_xlate(mbox, &spec);
+ if (!IS_ERR(chan))
+ break;
+ }
- chan = ERR_PTR(-EPROBE_DEFER);
- list_for_each_entry(mbox, &mbox_cons, node)
- if (mbox->dev->of_node == spec.np) {
- chan = mbox->of_xlate(mbox, &spec);
- if (!IS_ERR(chan))
- break;
- }
+ of_node_put(spec.np);
- of_node_put(spec.np);
+ if (IS_ERR(chan))
+ return chan;
- if (IS_ERR(chan)) {
- mutex_unlock(&con_mutex);
- return chan;
+ ret = __mbox_bind_client(chan, cl);
+ if (ret)
+ chan = ERR_PTR(ret);
}
- ret = __mbox_bind_client(chan, cl);
- if (ret)
- chan = ERR_PTR(ret);
-
- mutex_unlock(&con_mutex);
return chan;
}
EXPORT_SYMBOL_GPL(mbox_request_channel);
@@ -549,9 +543,8 @@ int mbox_controller_register(struct mbox_controller *mbox)
if (!mbox->of_xlate)
mbox->of_xlate = of_mbox_index_xlate;
- mutex_lock(&con_mutex);
- list_add_tail(&mbox->node, &mbox_cons);
- mutex_unlock(&con_mutex);
+ scoped_guard(mutex, &con_mutex)
+ list_add_tail(&mbox->node, &mbox_cons);
return 0;
}
@@ -568,17 +561,15 @@ void mbox_controller_unregister(struct mbox_controller *mbox)
if (!mbox)
return;
- mutex_lock(&con_mutex);
-
- list_del(&mbox->node);
+ scoped_guard(mutex, &con_mutex) {
+ list_del(&mbox->node);
- for (i = 0; i < mbox->num_chans; i++)
- mbox_free_channel(&mbox->chans[i]);
+ for (i = 0; i < mbox->num_chans; i++)
+ mbox_free_channel(&mbox->chans[i]);
- if (mbox->txdone_poll)
- hrtimer_cancel(&mbox->poll_hrt);
-
- mutex_unlock(&con_mutex);
+ if (mbox->txdone_poll)
+ hrtimer_cancel(&mbox->poll_hrt);
+ }
}
EXPORT_SYMBOL_GPL(mbox_controller_unregister);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 003/481] drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 001/481] drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 002/481] drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 004/481] irqchip/sifive-plic: Fix frozen interrupt due to affinity setting Greg Kroah-Hartman
` (312 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Luca Ceresoli,
Kory Maincent, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit fef0e649f8b42bdffe4a916dd46e1b1e9ad2f207 ]
The logicvc_drm_config_parse() function calls of_get_child_by_name() to
find the "layers" node but fails to release the reference, leading to a
device node reference leak.
Fix this by using the __free(device_node) cleanup attribute to automatic
release the reference when the variable goes out of scope.
Fixes: efeeaefe9be5 ("drm: Add support for the LogiCVC display controller")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>
Link: https://patch.msgid.link/20260130-logicvc_drm-v1-1-04366463750c@gmail.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/logicvc/logicvc_drm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/logicvc/logicvc_drm.c b/drivers/gpu/drm/logicvc/logicvc_drm.c
index cc9a4e965f779..8cbf4f2debf7d 100644
--- a/drivers/gpu/drm/logicvc/logicvc_drm.c
+++ b/drivers/gpu/drm/logicvc/logicvc_drm.c
@@ -90,7 +90,6 @@ static int logicvc_drm_config_parse(struct logicvc_drm *logicvc)
struct device *dev = drm_dev->dev;
struct device_node *of_node = dev->of_node;
struct logicvc_drm_config *config = &logicvc->config;
- struct device_node *layers_node;
int ret;
logicvc_of_property_parse_bool(of_node, LOGICVC_OF_PROPERTY_DITHERING,
@@ -126,7 +125,8 @@ static int logicvc_drm_config_parse(struct logicvc_drm *logicvc)
if (ret)
return ret;
- layers_node = of_get_child_by_name(of_node, "layers");
+ struct device_node *layers_node __free(device_node) =
+ of_get_child_by_name(of_node, "layers");
if (!layers_node) {
drm_err(drm_dev, "Missing non-optional layers node\n");
return -EINVAL;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 065/567] mailbox: Allow controller specific mapping using fwnode
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 064/567] mailbox: Use guard/scoped_guard for con_mutex Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 066/567] mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate() Greg Kroah-Hartman
` (312 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jassi Brar, Andy Shevchenko,
Anup Patel, Paul Walmsley, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anup Patel <apatel@ventanamicro.com>
[ Upstream commit ba879dfc0574878f3e08f217b2b4fdf845c426c0 ]
Introduce optional fw_node() callback which allows a mailbox controller
driver to provide controller specific mapping using fwnode.
The Linux OF framework already implements fwnode operations for the
Linux DD framework so the fw_xlate() callback works fine with device
tree as well.
Acked-by: Jassi Brar <jassisinghbrar@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Anup Patel <apatel@ventanamicro.com>
Link: https://lore.kernel.org/r/20250818040920.272664-6-apatel@ventanamicro.com
Signed-off-by: Paul Walmsley <pjw@kernel.org>
Stable-dep-of: fcd7f96c7836 ("mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox.c | 65 ++++++++++++++++++------------
include/linux/mailbox_controller.h | 3 ++
2 files changed, 43 insertions(+), 25 deletions(-)
diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
index 7dcbca48d1a0f..892aa0a048e0f 100644
--- a/drivers/mailbox/mailbox.c
+++ b/drivers/mailbox/mailbox.c
@@ -15,6 +15,7 @@
#include <linux/module.h>
#include <linux/mutex.h>
#include <linux/of.h>
+#include <linux/property.h>
#include <linux/spinlock.h>
#include "mailbox.h"
@@ -396,34 +397,56 @@ EXPORT_SYMBOL_GPL(mbox_bind_client);
*/
struct mbox_chan *mbox_request_channel(struct mbox_client *cl, int index)
{
- struct device *dev = cl->dev;
+ struct fwnode_reference_args fwspec;
+ struct fwnode_handle *fwnode;
struct mbox_controller *mbox;
struct of_phandle_args spec;
struct mbox_chan *chan;
+ struct device *dev;
+ unsigned int i;
int ret;
- if (!dev || !dev->of_node) {
- pr_debug("%s: No owner device node\n", __func__);
+ dev = cl->dev;
+ if (!dev) {
+ pr_debug("No owner device\n");
return ERR_PTR(-ENODEV);
}
- ret = of_parse_phandle_with_args(dev->of_node, "mboxes", "#mbox-cells",
- index, &spec);
+ fwnode = dev_fwnode(dev);
+ if (!fwnode) {
+ dev_dbg(dev, "No owner fwnode\n");
+ return ERR_PTR(-ENODEV);
+ }
+
+ ret = fwnode_property_get_reference_args(fwnode, "mboxes", "#mbox-cells",
+ 0, index, &fwspec);
if (ret) {
- dev_err(dev, "%s: can't parse \"mboxes\" property\n", __func__);
+ dev_err(dev, "%s: can't parse \"%s\" property\n", __func__, "mboxes");
return ERR_PTR(ret);
}
+ spec.np = to_of_node(fwspec.fwnode);
+ spec.args_count = fwspec.nargs;
+ for (i = 0; i < spec.args_count; i++)
+ spec.args[i] = fwspec.args[i];
+
scoped_guard(mutex, &con_mutex) {
chan = ERR_PTR(-EPROBE_DEFER);
- list_for_each_entry(mbox, &mbox_cons, node)
- if (mbox->dev->of_node == spec.np) {
- chan = mbox->of_xlate(mbox, &spec);
- if (!IS_ERR(chan))
- break;
+ list_for_each_entry(mbox, &mbox_cons, node) {
+ if (device_match_fwnode(mbox->dev, fwspec.fwnode)) {
+ if (mbox->fw_xlate) {
+ chan = mbox->fw_xlate(mbox, &fwspec);
+ if (!IS_ERR(chan))
+ break;
+ } else if (mbox->of_xlate) {
+ chan = mbox->of_xlate(mbox, &spec);
+ if (!IS_ERR(chan))
+ break;
+ }
}
+ }
- of_node_put(spec.np);
+ fwnode_handle_put(fwspec.fwnode);
if (IS_ERR(chan))
return chan;
@@ -440,15 +463,8 @@ EXPORT_SYMBOL_GPL(mbox_request_channel);
struct mbox_chan *mbox_request_channel_byname(struct mbox_client *cl,
const char *name)
{
- struct device_node *np = cl->dev->of_node;
- int index;
-
- if (!np) {
- dev_err(cl->dev, "%s() currently only supports DT\n", __func__);
- return ERR_PTR(-EINVAL);
- }
+ int index = device_property_match_string(cl->dev, "mbox-names", name);
- index = of_property_match_string(np, "mbox-names", name);
if (index < 0) {
dev_err(cl->dev, "%s() could not locate channel named \"%s\"\n",
__func__, name);
@@ -485,9 +501,8 @@ void mbox_free_channel(struct mbox_chan *chan)
}
EXPORT_SYMBOL_GPL(mbox_free_channel);
-static struct mbox_chan *
-of_mbox_index_xlate(struct mbox_controller *mbox,
- const struct of_phandle_args *sp)
+static struct mbox_chan *fw_mbox_index_xlate(struct mbox_controller *mbox,
+ const struct fwnode_reference_args *sp)
{
int ind = sp->args[0];
@@ -540,8 +555,8 @@ int mbox_controller_register(struct mbox_controller *mbox)
spin_lock_init(&chan->lock);
}
- if (!mbox->of_xlate)
- mbox->of_xlate = of_mbox_index_xlate;
+ if (!mbox->fw_xlate && !mbox->of_xlate)
+ mbox->fw_xlate = fw_mbox_index_xlate;
scoped_guard(mutex, &con_mutex)
list_add_tail(&mbox->node, &mbox_cons);
diff --git a/include/linux/mailbox_controller.h b/include/linux/mailbox_controller.h
index 5fb0b65f45a2c..b91379922cb33 100644
--- a/include/linux/mailbox_controller.h
+++ b/include/linux/mailbox_controller.h
@@ -66,6 +66,7 @@ struct mbox_chan_ops {
* no interrupt rises. Ignored if 'txdone_irq' is set.
* @txpoll_period: If 'txdone_poll' is in effect, the API polls for
* last TX's status after these many millisecs
+ * @fw_xlate: Controller driver specific mapping of channel via fwnode
* @of_xlate: Controller driver specific mapping of channel via DT
* @poll_hrt: API private. hrtimer used to poll for TXDONE on all
* channels.
@@ -79,6 +80,8 @@ struct mbox_controller {
bool txdone_irq;
bool txdone_poll;
unsigned txpoll_period;
+ struct mbox_chan *(*fw_xlate)(struct mbox_controller *mbox,
+ const struct fwnode_reference_args *sp);
struct mbox_chan *(*of_xlate)(struct mbox_controller *mbox,
const struct of_phandle_args *sp);
/* Internal to API */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 004/481] irqchip/sifive-plic: Fix frozen interrupt due to affinity setting
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.1 003/481] drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 005/481] scsi: lpfc: Properly set WC for DPP mapping Greg Kroah-Hartman
` (311 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nam Cao, Thomas Gleixner,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nam Cao <namcao@linutronix.de>
[ Upstream commit 1072020685f4b81f6efad3b412cdae0bd62bb043 ]
PLIC ignores interrupt completion message for disabled interrupt, explained
by the specification:
The PLIC signals it has completed executing an interrupt handler by
writing the interrupt ID it received from the claim to the
claim/complete register. The PLIC does not check whether the completion
ID is the same as the last claim ID for that target. If the completion
ID does not match an interrupt source that is currently enabled for
the target, the completion is silently ignored.
This caused problems in the past, because an interrupt can be disabled
while still being handled and plic_irq_eoi() had no effect. That was fixed
by checking if the interrupt is disabled, and if so enable it, before
sending the completion message. That check is done with irqd_irq_disabled().
However, that is not sufficient because the enable bit for the handling
hart can be zero despite irqd_irq_disabled(d) being false. This can happen
when affinity setting is changed while a hart is still handling the
interrupt.
This problem is easily reproducible by dumping a large file to uart (which
generates lots of interrupts) and at the same time keep changing the uart
interrupt's affinity setting. The uart port becomes frozen almost
instantaneously.
Fix this by checking PLIC's enable bit instead of irqd_irq_disabled().
Fixes: cc9f04f9a84f ("irqchip/sifive-plic: Implement irq_set_affinity() for SMP host")
Signed-off-by: Nam Cao <namcao@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260212114125.3148067-1-namcao@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-sifive-plic.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/irqchip/irq-sifive-plic.c b/drivers/irqchip/irq-sifive-plic.c
index 36de764ee2b61..fb1dae22ab17f 100644
--- a/drivers/irqchip/irq-sifive-plic.c
+++ b/drivers/irqchip/irq-sifive-plic.c
@@ -144,8 +144,13 @@ static void plic_irq_disable(struct irq_data *d)
static void plic_irq_eoi(struct irq_data *d)
{
struct plic_handler *handler = this_cpu_ptr(&plic_handlers);
+ u32 __iomem *reg;
+ bool enabled;
- if (unlikely(irqd_irq_disabled(d))) {
+ reg = handler->enable_base + (d->hwirq / 32) * sizeof(u32);
+ enabled = readl(reg) & BIT(d->hwirq % 32);
+
+ if (unlikely(!enabled)) {
plic_toggle(handler, d->hwirq, 1);
writel(d->hwirq, handler->hart_base + CONTEXT_CLAIM);
plic_toggle(handler, d->hwirq, 0);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 066/567] mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 065/567] mailbox: Allow controller specific mapping using fwnode Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 067/567] ext4: delete redundant calculations in ext4_mb_get_buddy_page_lock() Greg Kroah-Hartman
` (311 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joonwon Kang, Jassi Brar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joonwon Kang <joonwonkang@google.com>
[ Upstream commit fcd7f96c783626c07ee3ed75fa3739a8a2052310 ]
Although it is guided that `#mbox-cells` must be at least 1, there are
many instances of `#mbox-cells = <0>;` in the device tree. If that is
the case and the corresponding mailbox controller does not provide
`fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` will
be used by default and out-of-bounds accesses could occur due to lack of
bounds check in that function.
Cc: stable@vger.kernel.org
Signed-off-by: Joonwon Kang <joonwonkang@google.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
index 892aa0a048e0f..b4d52b814055b 100644
--- a/drivers/mailbox/mailbox.c
+++ b/drivers/mailbox/mailbox.c
@@ -504,12 +504,10 @@ EXPORT_SYMBOL_GPL(mbox_free_channel);
static struct mbox_chan *fw_mbox_index_xlate(struct mbox_controller *mbox,
const struct fwnode_reference_args *sp)
{
- int ind = sp->args[0];
-
- if (ind >= mbox->num_chans)
+ if (sp->nargs < 1 || sp->args[0] >= mbox->num_chans)
return ERR_PTR(-EINVAL);
- return &mbox->chans[ind];
+ return &mbox->chans[sp->args[0]];
}
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 005/481] scsi: lpfc: Properly set WC for DPP mapping
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.1 004/481] irqchip/sifive-plic: Fix frozen interrupt due to affinity setting Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 006/481] scsi: pm8001: Fix use-after-free in pm8001_queue_command() Greg Kroah-Hartman
` (310 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathias Krause, Justin Tee,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@grsecurity.net>
[ Upstream commit bffda93a51b40afd67c11bf558dc5aae83ca0943 ]
Using set_memory_wc() to enable write-combining for the DPP portion of
the MMIO mapping is wrong as set_memory_*() is meant to operate on RAM
only, not MMIO mappings. In fact, as used currently triggers a BUG_ON()
with enabled CONFIG_DEBUG_VIRTUAL.
Simply map the DPP region separately and in addition to the already
existing mappings, avoiding any possible negative side effects for
these.
Fixes: 1351e69fc6db ("scsi: lpfc: Add push-to-adapter support to sli4")
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Reviewed-by: Mathias Krause <minipli@grsecurity.net>
Link: https://patch.msgid.link/20260212192327.141104-1-justintee8345@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_init.c | 2 ++
drivers/scsi/lpfc/lpfc_sli.c | 36 +++++++++++++++++++++++++++++------
drivers/scsi/lpfc/lpfc_sli4.h | 3 +++
3 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index 6535474fe8a7f..12a362eab1cb2 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -12059,6 +12059,8 @@ lpfc_sli4_pci_mem_unset(struct lpfc_hba *phba)
iounmap(phba->sli4_hba.conf_regs_memmap_p);
if (phba->sli4_hba.dpp_regs_memmap_p)
iounmap(phba->sli4_hba.dpp_regs_memmap_p);
+ if (phba->sli4_hba.dpp_regs_memmap_wc_p)
+ iounmap(phba->sli4_hba.dpp_regs_memmap_wc_p);
break;
case LPFC_SLI_INTF_IF_TYPE_1:
default:
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index d5e21e74888a7..90213058b8356 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -15910,6 +15910,32 @@ lpfc_dual_chute_pci_bar_map(struct lpfc_hba *phba, uint16_t pci_barset)
return NULL;
}
+static __maybe_unused void __iomem *
+lpfc_dpp_wc_map(struct lpfc_hba *phba, uint8_t dpp_barset)
+{
+
+ /* DPP region is supposed to cover 64-bit BAR2 */
+ if (dpp_barset != WQ_PCI_BAR_4_AND_5) {
+ lpfc_log_msg(phba, KERN_WARNING, LOG_INIT,
+ "3273 dpp_barset x%x != WQ_PCI_BAR_4_AND_5\n",
+ dpp_barset);
+ return NULL;
+ }
+
+ if (!phba->sli4_hba.dpp_regs_memmap_wc_p) {
+ void __iomem *dpp_map;
+
+ dpp_map = ioremap_wc(phba->pci_bar2_map,
+ pci_resource_len(phba->pcidev,
+ PCI_64BIT_BAR4));
+
+ if (dpp_map)
+ phba->sli4_hba.dpp_regs_memmap_wc_p = dpp_map;
+ }
+
+ return phba->sli4_hba.dpp_regs_memmap_wc_p;
+}
+
/**
* lpfc_modify_hba_eq_delay - Modify Delay Multiplier on EQs
* @phba: HBA structure that EQs are on.
@@ -16819,9 +16845,6 @@ lpfc_wq_create(struct lpfc_hba *phba, struct lpfc_queue *wq,
uint8_t dpp_barset;
uint32_t dpp_offset;
uint8_t wq_create_version;
-#ifdef CONFIG_X86
- unsigned long pg_addr;
-#endif
/* sanity check on queue memory */
if (!wq || !cq)
@@ -17007,14 +17030,15 @@ lpfc_wq_create(struct lpfc_hba *phba, struct lpfc_queue *wq,
#ifdef CONFIG_X86
/* Enable combined writes for DPP aperture */
- pg_addr = (unsigned long)(wq->dpp_regaddr) & PAGE_MASK;
- rc = set_memory_wc(pg_addr, 1);
- if (rc) {
+ bar_memmap_p = lpfc_dpp_wc_map(phba, dpp_barset);
+ if (!bar_memmap_p) {
lpfc_printf_log(phba, KERN_ERR, LOG_INIT,
"3272 Cannot setup Combined "
"Write on WQ[%d] - disable DPP\n",
wq->queue_id);
phba->cfg_enable_dpp = 0;
+ } else {
+ wq->dpp_regaddr = bar_memmap_p + dpp_offset;
}
#else
phba->cfg_enable_dpp = 0;
diff --git a/drivers/scsi/lpfc/lpfc_sli4.h b/drivers/scsi/lpfc/lpfc_sli4.h
index cbb1aa1cf025b..db6a42147c895 100644
--- a/drivers/scsi/lpfc/lpfc_sli4.h
+++ b/drivers/scsi/lpfc/lpfc_sli4.h
@@ -783,6 +783,9 @@ struct lpfc_sli4_hba {
void __iomem *dpp_regs_memmap_p; /* Kernel memory mapped address for
* dpp registers
*/
+ void __iomem *dpp_regs_memmap_wc_p;/* Kernel memory mapped address for
+ * dpp registers with write combining
+ */
union {
struct {
/* IF Type 0, BAR 0 PCI cfg space reg mem map */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 067/567] ext4: delete redundant calculations in ext4_mb_get_buddy_page_lock()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 066/567] mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 068/567] ext4: convert bd_bitmap_page to bd_bitmap_folio Greg Kroah-Hartman
` (310 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gou Hao, Jan Kara, Theodore Tso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gou Hao <gouhao@uniontech.com>
[ Upstream commit f2fec3e99a32d7c14dbf63c824f8286ebc94b18d ]
'blocks_per_page' is always 1 after 'if (blocks_per_page >= 2)',
'pnum' and 'block' are equal in this case.
Signed-off-by: Gou Hao <gouhao@uniontech.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20231024035215.29474-1-gouhao@uniontech.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: bdc56a9c46b2 ("ext4: fix e4b bitmap inconsistency reports")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index d095c4a218a3a..ade2090155c1c 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1486,9 +1486,8 @@ static int ext4_mb_get_buddy_page_lock(struct super_block *sb,
return 0;
}
- block++;
- pnum = block / blocks_per_page;
- page = find_or_create_page(inode->i_mapping, pnum, gfp);
+ /* blocks_per_page == 1, hence we need another page for the buddy */
+ page = find_or_create_page(inode->i_mapping, block + 1, gfp);
if (!page)
return -ENOMEM;
BUG_ON(page->mapping != inode->i_mapping);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 006/481] scsi: pm8001: Fix use-after-free in pm8001_queue_command()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.1 005/481] scsi: lpfc: Properly set WC for DPP mapping Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 007/481] ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices Greg Kroah-Hartman
` (309 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Salomon Dushimirimana,
Damien Le Moal, Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Salomon Dushimirimana <salomondush@google.com>
[ Upstream commit 38353c26db28efd984f51d426eac2396d299cca7 ]
Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors
pm8001_queue_command(), however it introduces a potential cause of a double
free scenario when it changes the function to return -ENODEV in case of phy
down/device gone state.
In this path, pm8001_queue_command() updates task status and calls
task_done to indicate to upper layer that the task has been handled.
However, this also frees the underlying SAS task. A -ENODEV is then
returned to the caller. When libsas sas_ata_qc_issue() receives this error
value, it assumes the task wasn't handled/queued by LLDD and proceeds to
clean up and free the task again, resulting in a double free.
Since pm8001_queue_command() handles the SAS task in this case, it should
return 0 to the caller indicating that the task has been handled.
Fixes: e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()")
Signed-off-by: Salomon Dushimirimana <salomondush@google.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Link: https://patch.msgid.link/20260213192806.439432-1-salomondush@google.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/pm8001/pm8001_sas.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c
index 4cd648be68dde..e416cabbea4a2 100644
--- a/drivers/scsi/pm8001/pm8001_sas.c
+++ b/drivers/scsi/pm8001/pm8001_sas.c
@@ -467,8 +467,9 @@ int pm8001_queue_command(struct sas_task *task, gfp_t gfp_flags)
} else {
task->task_done(task);
}
- rc = -ENODEV;
- goto err_out;
+ spin_unlock_irqrestore(&pm8001_ha->lock, flags);
+ pm8001_dbg(pm8001_ha, IO, "pm8001_task_exec device gone\n");
+ return 0;
}
ccb = pm8001_ccb_alloc(pm8001_ha, pm8001_dev, task);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 068/567] ext4: convert bd_bitmap_page to bd_bitmap_folio
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 067/567] ext4: delete redundant calculations in ext4_mb_get_buddy_page_lock() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 069/567] ext4: convert bd_buddy_page to bd_buddy_folio Greg Kroah-Hartman
` (309 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit 99b150d84e4939735cfce245e32e3d29312c68ec ]
There is no need to make this a multi-page folio, so leave all the
infrastructure around it in pages. But since we're locking it, playing
with its refcount and checking whether it's uptodate, it needs to move
to the folio API.
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Link: https://lore.kernel.org/r/20240416172900.244637-2-willy@infradead.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: bdc56a9c46b2 ("ext4: fix e4b bitmap inconsistency reports")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 98 ++++++++++++++++++++++++-----------------------
fs/ext4/mballoc.h | 2 +-
2 files changed, 52 insertions(+), 48 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index ade2090155c1c..b5a5b89dfc98f 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1461,9 +1461,10 @@ static int ext4_mb_get_buddy_page_lock(struct super_block *sb,
int block, pnum, poff;
int blocks_per_page;
struct page *page;
+ struct folio *folio;
e4b->bd_buddy_page = NULL;
- e4b->bd_bitmap_page = NULL;
+ e4b->bd_bitmap_folio = NULL;
blocks_per_page = PAGE_SIZE / sb->s_blocksize;
/*
@@ -1474,12 +1475,13 @@ static int ext4_mb_get_buddy_page_lock(struct super_block *sb,
block = group * 2;
pnum = block / blocks_per_page;
poff = block % blocks_per_page;
- page = find_or_create_page(inode->i_mapping, pnum, gfp);
- if (!page)
- return -ENOMEM;
- BUG_ON(page->mapping != inode->i_mapping);
- e4b->bd_bitmap_page = page;
- e4b->bd_bitmap = page_address(page) + (poff * sb->s_blocksize);
+ folio = __filemap_get_folio(inode->i_mapping, pnum,
+ FGP_LOCK | FGP_ACCESSED | FGP_CREAT, gfp);
+ if (IS_ERR(folio))
+ return PTR_ERR(folio);
+ BUG_ON(folio->mapping != inode->i_mapping);
+ e4b->bd_bitmap_folio = folio;
+ e4b->bd_bitmap = folio_address(folio) + (poff * sb->s_blocksize);
if (blocks_per_page >= 2) {
/* buddy and bitmap are on the same page */
@@ -1497,9 +1499,9 @@ static int ext4_mb_get_buddy_page_lock(struct super_block *sb,
static void ext4_mb_put_buddy_page_lock(struct ext4_buddy *e4b)
{
- if (e4b->bd_bitmap_page) {
- unlock_page(e4b->bd_bitmap_page);
- put_page(e4b->bd_bitmap_page);
+ if (e4b->bd_bitmap_folio) {
+ folio_unlock(e4b->bd_bitmap_folio);
+ folio_put(e4b->bd_bitmap_folio);
}
if (e4b->bd_buddy_page) {
unlock_page(e4b->bd_buddy_page);
@@ -1519,6 +1521,7 @@ int ext4_mb_init_group(struct super_block *sb, ext4_group_t group, gfp_t gfp)
struct ext4_group_info *this_grp;
struct ext4_buddy e4b;
struct page *page;
+ struct folio *folio;
int ret = 0;
might_sleep();
@@ -1545,11 +1548,11 @@ int ext4_mb_init_group(struct super_block *sb, ext4_group_t group, gfp_t gfp)
goto err;
}
- page = e4b.bd_bitmap_page;
- ret = ext4_mb_init_cache(page, NULL, gfp);
+ folio = e4b.bd_bitmap_folio;
+ ret = ext4_mb_init_cache(&folio->page, NULL, gfp);
if (ret)
goto err;
- if (!PageUptodate(page)) {
+ if (!folio_test_uptodate(folio)) {
ret = -EIO;
goto err;
}
@@ -1591,6 +1594,7 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
int pnum;
int poff;
struct page *page;
+ struct folio *folio;
int ret;
struct ext4_group_info *grp;
struct ext4_sb_info *sbi = EXT4_SB(sb);
@@ -1609,7 +1613,7 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
e4b->bd_sb = sb;
e4b->bd_group = group;
e4b->bd_buddy_page = NULL;
- e4b->bd_bitmap_page = NULL;
+ e4b->bd_bitmap_folio = NULL;
if (unlikely(EXT4_MB_GRP_NEED_INIT(grp))) {
/*
@@ -1630,53 +1634,53 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
pnum = block / blocks_per_page;
poff = block % blocks_per_page;
- /* we could use find_or_create_page(), but it locks page
- * what we'd like to avoid in fast path ... */
- page = find_get_page_flags(inode->i_mapping, pnum, FGP_ACCESSED);
- if (page == NULL || !PageUptodate(page)) {
- if (page)
+ /* Avoid locking the folio in the fast path ... */
+ folio = __filemap_get_folio(inode->i_mapping, pnum, FGP_ACCESSED, 0);
+ if (IS_ERR(folio) || !folio_test_uptodate(folio)) {
+ if (!IS_ERR(folio))
/*
- * drop the page reference and try
- * to get the page with lock. If we
+ * drop the folio reference and try
+ * to get the folio with lock. If we
* are not uptodate that implies
- * somebody just created the page but
- * is yet to initialize the same. So
+ * somebody just created the folio but
+ * is yet to initialize it. So
* wait for it to initialize.
*/
- put_page(page);
- page = find_or_create_page(inode->i_mapping, pnum, gfp);
- if (page) {
- if (WARN_RATELIMIT(page->mapping != inode->i_mapping,
- "ext4: bitmap's paging->mapping != inode->i_mapping\n")) {
+ folio_put(folio);
+ folio = __filemap_get_folio(inode->i_mapping, pnum,
+ FGP_LOCK | FGP_ACCESSED | FGP_CREAT, gfp);
+ if (!IS_ERR(folio)) {
+ if (WARN_RATELIMIT(folio->mapping != inode->i_mapping,
+ "ext4: bitmap's mapping != inode->i_mapping\n")) {
/* should never happen */
- unlock_page(page);
+ folio_unlock(folio);
ret = -EINVAL;
goto err;
}
- if (!PageUptodate(page)) {
- ret = ext4_mb_init_cache(page, NULL, gfp);
+ if (!folio_test_uptodate(folio)) {
+ ret = ext4_mb_init_cache(&folio->page, NULL, gfp);
if (ret) {
- unlock_page(page);
+ folio_unlock(folio);
goto err;
}
- mb_cmp_bitmaps(e4b, page_address(page) +
+ mb_cmp_bitmaps(e4b, folio_address(folio) +
(poff * sb->s_blocksize));
}
- unlock_page(page);
+ folio_unlock(folio);
}
}
- if (page == NULL) {
- ret = -ENOMEM;
+ if (IS_ERR(folio)) {
+ ret = PTR_ERR(folio);
goto err;
}
- if (!PageUptodate(page)) {
+ if (!folio_test_uptodate(folio)) {
ret = -EIO;
goto err;
}
/* Pages marked accessed already */
- e4b->bd_bitmap_page = page;
- e4b->bd_bitmap = page_address(page) + (poff * sb->s_blocksize);
+ e4b->bd_bitmap_folio = folio;
+ e4b->bd_bitmap = folio_address(folio) + (poff * sb->s_blocksize);
block++;
pnum = block / blocks_per_page;
@@ -1724,8 +1728,8 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
err:
if (page)
put_page(page);
- if (e4b->bd_bitmap_page)
- put_page(e4b->bd_bitmap_page);
+ if (e4b->bd_bitmap_folio)
+ folio_put(e4b->bd_bitmap_folio);
e4b->bd_buddy = NULL;
e4b->bd_bitmap = NULL;
@@ -1740,8 +1744,8 @@ static int ext4_mb_load_buddy(struct super_block *sb, ext4_group_t group,
static void ext4_mb_unload_buddy(struct ext4_buddy *e4b)
{
- if (e4b->bd_bitmap_page)
- put_page(e4b->bd_bitmap_page);
+ if (e4b->bd_bitmap_folio)
+ folio_put(e4b->bd_bitmap_folio);
if (e4b->bd_buddy_page)
put_page(e4b->bd_buddy_page);
}
@@ -2167,7 +2171,7 @@ static void ext4_mb_use_best_found(struct ext4_allocation_context *ac,
* double allocate blocks. The reference is dropped
* in ext4_mb_release_context
*/
- ac->ac_bitmap_page = e4b->bd_bitmap_page;
+ ac->ac_bitmap_page = &e4b->bd_bitmap_folio->page;
get_page(ac->ac_bitmap_page);
ac->ac_buddy_page = e4b->bd_buddy_page;
get_page(ac->ac_buddy_page);
@@ -3902,7 +3906,7 @@ static void ext4_free_data_in_buddy(struct super_block *sb,
* balance refcounts from ext4_mb_free_metadata()
*/
put_page(e4b.bd_buddy_page);
- put_page(e4b.bd_bitmap_page);
+ folio_put(e4b.bd_bitmap_folio);
}
ext4_unlock_group(sb, entry->efd_group);
ext4_mb_unload_buddy(&e4b);
@@ -6348,7 +6352,7 @@ ext4_mb_free_metadata(handle_t *handle, struct ext4_buddy *e4b,
struct rb_node *parent = NULL, *new_node;
BUG_ON(!ext4_handle_valid(handle));
- BUG_ON(e4b->bd_bitmap_page == NULL);
+ BUG_ON(e4b->bd_bitmap_folio == NULL);
BUG_ON(e4b->bd_buddy_page == NULL);
new_node = &new_entry->efd_node;
@@ -6361,7 +6365,7 @@ ext4_mb_free_metadata(handle_t *handle, struct ext4_buddy *e4b,
* on-disk bitmap and lose not-yet-available
* blocks */
get_page(e4b->bd_buddy_page);
- get_page(e4b->bd_bitmap_page);
+ folio_get(e4b->bd_bitmap_folio);
}
while (*n) {
parent = *n;
diff --git a/fs/ext4/mballoc.h b/fs/ext4/mballoc.h
index dd16050022f52..2d0aca8dc02e8 100644
--- a/fs/ext4/mballoc.h
+++ b/fs/ext4/mballoc.h
@@ -218,7 +218,7 @@ struct ext4_allocation_context {
struct ext4_buddy {
struct page *bd_buddy_page;
void *bd_buddy;
- struct page *bd_bitmap_page;
+ struct folio *bd_bitmap_folio;
void *bd_bitmap;
struct ext4_group_info *bd_info;
struct super_block *bd_sb;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 007/481] ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.1 006/481] scsi: pm8001: Fix use-after-free in pm8001_queue_command() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 008/481] scsi: ufs: core: Always initialize the UIC done completion Greg Kroah-Hartman
` (308 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geoffrey D. Bennett, Takashi Iwai,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geoffrey D. Bennett <g@b4.vu>
[ Upstream commit a8cc55bf81a45772cad44c83ea7bb0e98431094a ]
Remove QUIRK_FLAG_VALIDATE_RATES for Focusrite. With the previous
commit, focusrite_valid_sample_rate() produces correct rate tables
without USB probing.
QUIRK_FLAG_VALIDATE_RATES sends SET_CUR requests for each rate (~25ms
each) and leaves the device at 192kHz. This is a problem because that
rate: 1) disables the internal mixer, so outputs are silent until an
application opens the PCM and sets a lower rate, and 2) the Air and
Safe modes get disabled.
Fixes: 5963e5262180 ("ALSA: usb-audio: Enable rate validation for Scarlett devices")
Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/09b9c012024c998c4ca14bd876ef0dce0d0b6101.1771594828.git.g@b4.vu
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 755ba2fe05b5a..f9e998fad773c 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2298,7 +2298,7 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
VENDOR_FLG(0x07fd, /* MOTU */
QUIRK_FLAG_VALIDATE_RATES),
VENDOR_FLG(0x1235, /* Focusrite Novation */
- QUIRK_FLAG_VALIDATE_RATES),
+ 0),
VENDOR_FLG(0x1511, /* AURALiC */
QUIRK_FLAG_DSD_RAW),
VENDOR_FLG(0x152a, /* Thesycon devices */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 069/567] ext4: convert bd_buddy_page to bd_buddy_folio
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 068/567] ext4: convert bd_bitmap_page to bd_bitmap_folio Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 070/567] ext4: fix e4b bitmap inconsistency reports Greg Kroah-Hartman
` (308 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit 5eea586b47f05b5f5518cf8f9dd9283a01a8066d ]
There is no need to make this a multi-page folio, so leave all the
infrastructure around it in pages. But since we're locking it, playing
with its refcount and checking whether it's uptodate, it needs to move
to the folio API.
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Link: https://lore.kernel.org/r/20240416172900.244637-3-willy@infradead.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: bdc56a9c46b2 ("ext4: fix e4b bitmap inconsistency reports")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 91 +++++++++++++++++++++++------------------------
fs/ext4/mballoc.h | 2 +-
2 files changed, 46 insertions(+), 47 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index b5a5b89dfc98f..877b336c651f7 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1452,7 +1452,7 @@ static int ext4_mb_init_cache(struct page *page, char *incore, gfp_t gfp)
* Lock the buddy and bitmap pages. This make sure other parallel init_group
* on the same buddy page doesn't happen whild holding the buddy page lock.
* Return locked buddy and bitmap pages on e4b struct. If buddy and bitmap
- * are on the same page e4b->bd_buddy_page is NULL and return value is 0.
+ * are on the same page e4b->bd_buddy_folio is NULL and return value is 0.
*/
static int ext4_mb_get_buddy_page_lock(struct super_block *sb,
ext4_group_t group, struct ext4_buddy *e4b, gfp_t gfp)
@@ -1460,10 +1460,9 @@ static int ext4_mb_get_buddy_page_lock(struct super_block *sb,
struct inode *inode = EXT4_SB(sb)->s_buddy_cache;
int block, pnum, poff;
int blocks_per_page;
- struct page *page;
struct folio *folio;
- e4b->bd_buddy_page = NULL;
+ e4b->bd_buddy_folio = NULL;
e4b->bd_bitmap_folio = NULL;
blocks_per_page = PAGE_SIZE / sb->s_blocksize;
@@ -1489,11 +1488,12 @@ static int ext4_mb_get_buddy_page_lock(struct super_block *sb,
}
/* blocks_per_page == 1, hence we need another page for the buddy */
- page = find_or_create_page(inode->i_mapping, block + 1, gfp);
- if (!page)
- return -ENOMEM;
- BUG_ON(page->mapping != inode->i_mapping);
- e4b->bd_buddy_page = page;
+ folio = __filemap_get_folio(inode->i_mapping, block + 1,
+ FGP_LOCK | FGP_ACCESSED | FGP_CREAT, gfp);
+ if (IS_ERR(folio))
+ return PTR_ERR(folio);
+ BUG_ON(folio->mapping != inode->i_mapping);
+ e4b->bd_buddy_folio = folio;
return 0;
}
@@ -1503,9 +1503,9 @@ static void ext4_mb_put_buddy_page_lock(struct ext4_buddy *e4b)
folio_unlock(e4b->bd_bitmap_folio);
folio_put(e4b->bd_bitmap_folio);
}
- if (e4b->bd_buddy_page) {
- unlock_page(e4b->bd_buddy_page);
- put_page(e4b->bd_buddy_page);
+ if (e4b->bd_buddy_folio) {
+ folio_unlock(e4b->bd_buddy_folio);
+ folio_put(e4b->bd_buddy_folio);
}
}
@@ -1520,7 +1520,6 @@ int ext4_mb_init_group(struct super_block *sb, ext4_group_t group, gfp_t gfp)
struct ext4_group_info *this_grp;
struct ext4_buddy e4b;
- struct page *page;
struct folio *folio;
int ret = 0;
@@ -1557,7 +1556,7 @@ int ext4_mb_init_group(struct super_block *sb, ext4_group_t group, gfp_t gfp)
goto err;
}
- if (e4b.bd_buddy_page == NULL) {
+ if (e4b.bd_buddy_folio == NULL) {
/*
* If both the bitmap and buddy are in
* the same page we don't need to force
@@ -1567,11 +1566,11 @@ int ext4_mb_init_group(struct super_block *sb, ext4_group_t group, gfp_t gfp)
goto err;
}
/* init buddy cache */
- page = e4b.bd_buddy_page;
- ret = ext4_mb_init_cache(page, e4b.bd_bitmap, gfp);
+ folio = e4b.bd_buddy_folio;
+ ret = ext4_mb_init_cache(&folio->page, e4b.bd_bitmap, gfp);
if (ret)
goto err;
- if (!PageUptodate(page)) {
+ if (!folio_test_uptodate(folio)) {
ret = -EIO;
goto err;
}
@@ -1593,7 +1592,6 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
int block;
int pnum;
int poff;
- struct page *page;
struct folio *folio;
int ret;
struct ext4_group_info *grp;
@@ -1612,7 +1610,7 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
e4b->bd_info = grp;
e4b->bd_sb = sb;
e4b->bd_group = group;
- e4b->bd_buddy_page = NULL;
+ e4b->bd_buddy_folio = NULL;
e4b->bd_bitmap_folio = NULL;
if (unlikely(EXT4_MB_GRP_NEED_INIT(grp))) {
@@ -1678,7 +1676,7 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
goto err;
}
- /* Pages marked accessed already */
+ /* Folios marked accessed already */
e4b->bd_bitmap_folio = folio;
e4b->bd_bitmap = folio_address(folio) + (poff * sb->s_blocksize);
@@ -1686,48 +1684,49 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
pnum = block / blocks_per_page;
poff = block % blocks_per_page;
- page = find_get_page_flags(inode->i_mapping, pnum, FGP_ACCESSED);
- if (page == NULL || !PageUptodate(page)) {
- if (page)
- put_page(page);
- page = find_or_create_page(inode->i_mapping, pnum, gfp);
- if (page) {
- if (WARN_RATELIMIT(page->mapping != inode->i_mapping,
- "ext4: buddy bitmap's page->mapping != inode->i_mapping\n")) {
+ folio = __filemap_get_folio(inode->i_mapping, pnum, FGP_ACCESSED, 0);
+ if (IS_ERR(folio) || !folio_test_uptodate(folio)) {
+ if (!IS_ERR(folio))
+ folio_put(folio);
+ folio = __filemap_get_folio(inode->i_mapping, pnum,
+ FGP_LOCK | FGP_ACCESSED | FGP_CREAT, gfp);
+ if (!IS_ERR(folio)) {
+ if (WARN_RATELIMIT(folio->mapping != inode->i_mapping,
+ "ext4: buddy bitmap's mapping != inode->i_mapping\n")) {
/* should never happen */
- unlock_page(page);
+ folio_unlock(folio);
ret = -EINVAL;
goto err;
}
- if (!PageUptodate(page)) {
- ret = ext4_mb_init_cache(page, e4b->bd_bitmap,
+ if (!folio_test_uptodate(folio)) {
+ ret = ext4_mb_init_cache(&folio->page, e4b->bd_bitmap,
gfp);
if (ret) {
- unlock_page(page);
+ folio_unlock(folio);
goto err;
}
}
- unlock_page(page);
+ folio_unlock(folio);
}
}
- if (page == NULL) {
- ret = -ENOMEM;
+ if (IS_ERR(folio)) {
+ ret = PTR_ERR(folio);
goto err;
}
- if (!PageUptodate(page)) {
+ if (!folio_test_uptodate(folio)) {
ret = -EIO;
goto err;
}
- /* Pages marked accessed already */
- e4b->bd_buddy_page = page;
- e4b->bd_buddy = page_address(page) + (poff * sb->s_blocksize);
+ /* Folios marked accessed already */
+ e4b->bd_buddy_folio = folio;
+ e4b->bd_buddy = folio_address(folio) + (poff * sb->s_blocksize);
return 0;
err:
- if (page)
- put_page(page);
+ if (folio)
+ folio_put(folio);
if (e4b->bd_bitmap_folio)
folio_put(e4b->bd_bitmap_folio);
@@ -1746,8 +1745,8 @@ static void ext4_mb_unload_buddy(struct ext4_buddy *e4b)
{
if (e4b->bd_bitmap_folio)
folio_put(e4b->bd_bitmap_folio);
- if (e4b->bd_buddy_page)
- put_page(e4b->bd_buddy_page);
+ if (e4b->bd_buddy_folio)
+ folio_put(e4b->bd_buddy_folio);
}
@@ -2173,7 +2172,7 @@ static void ext4_mb_use_best_found(struct ext4_allocation_context *ac,
*/
ac->ac_bitmap_page = &e4b->bd_bitmap_folio->page;
get_page(ac->ac_bitmap_page);
- ac->ac_buddy_page = e4b->bd_buddy_page;
+ ac->ac_buddy_page = &e4b->bd_buddy_folio->page;
get_page(ac->ac_buddy_page);
/* store last allocated for subsequent stream allocation */
if (ac->ac_flags & EXT4_MB_STREAM_ALLOC) {
@@ -3905,7 +3904,7 @@ static void ext4_free_data_in_buddy(struct super_block *sb,
/* No more items in the per group rb tree
* balance refcounts from ext4_mb_free_metadata()
*/
- put_page(e4b.bd_buddy_page);
+ folio_put(e4b.bd_buddy_folio);
folio_put(e4b.bd_bitmap_folio);
}
ext4_unlock_group(sb, entry->efd_group);
@@ -6353,7 +6352,7 @@ ext4_mb_free_metadata(handle_t *handle, struct ext4_buddy *e4b,
BUG_ON(!ext4_handle_valid(handle));
BUG_ON(e4b->bd_bitmap_folio == NULL);
- BUG_ON(e4b->bd_buddy_page == NULL);
+ BUG_ON(e4b->bd_buddy_folio == NULL);
new_node = &new_entry->efd_node;
cluster = new_entry->efd_start_cluster;
@@ -6364,7 +6363,7 @@ ext4_mb_free_metadata(handle_t *handle, struct ext4_buddy *e4b,
* otherwise we'll refresh it from
* on-disk bitmap and lose not-yet-available
* blocks */
- get_page(e4b->bd_buddy_page);
+ folio_get(e4b->bd_buddy_folio);
folio_get(e4b->bd_bitmap_folio);
}
while (*n) {
diff --git a/fs/ext4/mballoc.h b/fs/ext4/mballoc.h
index 2d0aca8dc02e8..0dd6bc69ab611 100644
--- a/fs/ext4/mballoc.h
+++ b/fs/ext4/mballoc.h
@@ -216,7 +216,7 @@ struct ext4_allocation_context {
#define AC_STATUS_BREAK 3
struct ext4_buddy {
- struct page *bd_buddy_page;
+ struct folio *bd_buddy_folio;
void *bd_buddy;
struct folio *bd_bitmap_folio;
void *bd_bitmap;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 008/481] scsi: ufs: core: Always initialize the UIC done completion
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.1 007/481] ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 009/481] scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume Greg Kroah-Hartman
` (307 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Wang, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit b1e8c53749adb795bfb0bf4e2f7836e26684bb90 ]
Simplify __ufshcd_send_uic_cmd() by always initializing the
uic_cmd::done completion. This is fine since the time required to
initialize a completion is small compared to the time required to
process an UIC command.
Reviewed-by: Peter Wang <peter.wang@mediatek.com>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lore.kernel.org/r/20240912223019.3510966-5-bvanassche@acm.org
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Stable-dep-of: 62c015373e1c ("scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 01927facaa203..6d44c2adb251a 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -2340,13 +2340,11 @@ ufshcd_wait_for_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd)
* __ufshcd_send_uic_cmd - Send UIC commands and retrieve the result
* @hba: per adapter instance
* @uic_cmd: UIC command
- * @completion: initialize the completion only if this is set to true
*
* Returns 0 only if success.
*/
static int
-__ufshcd_send_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd,
- bool completion)
+__ufshcd_send_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd)
{
lockdep_assert_held(&hba->uic_cmd_mutex);
@@ -2356,8 +2354,7 @@ __ufshcd_send_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd,
return -EIO;
}
- if (completion)
- init_completion(&uic_cmd->done);
+ init_completion(&uic_cmd->done);
uic_cmd->cmd_active = 1;
ufshcd_dispatch_uic_cmd(hba, uic_cmd);
@@ -2383,7 +2380,7 @@ int ufshcd_send_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd)
mutex_lock(&hba->uic_cmd_mutex);
ufshcd_add_delay_before_dme_cmd(hba);
- ret = __ufshcd_send_uic_cmd(hba, uic_cmd, true);
+ ret = __ufshcd_send_uic_cmd(hba, uic_cmd);
if (!ret)
ret = ufshcd_wait_for_uic_cmd(hba, uic_cmd);
@@ -4081,7 +4078,7 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd)
reenable_intr = true;
}
spin_unlock_irqrestore(hba->host->host_lock, flags);
- ret = __ufshcd_send_uic_cmd(hba, cmd, false);
+ ret = __ufshcd_send_uic_cmd(hba, cmd);
if (ret) {
dev_err(hba->dev,
"pwr ctrl cmd 0x%x with mode 0x%x uic error %d\n",
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 070/567] ext4: fix e4b bitmap inconsistency reports
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 069/567] ext4: convert bd_buddy_page to bd_buddy_folio Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 071/567] mfd: qcom-pm8xxx: Convert to platform remove callback returning void Greg Kroah-Hartman
` (307 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yongjian Sun, Zhang Yi, Baokun Li,
Jan Kara, Theodore Tso, stable, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongjian Sun <sunyongjian1@huawei.com>
[ Upstream commit bdc56a9c46b2a99c12313122b9352b619a2e719e ]
A bitmap inconsistency issue was observed during stress tests under
mixed huge-page workloads. Ext4 reported multiple e4b bitmap check
failures like:
ext4_mb_complex_scan_group:2508: group 350, 8179 free clusters as
per group info. But got 8192 blocks
Analysis and experimentation confirmed that the issue is caused by a
race condition between page migration and bitmap modification. Although
this timing window is extremely narrow, it is still hit in practice:
folio_lock ext4_mb_load_buddy
__migrate_folio
check ref count
folio_mc_copy __filemap_get_folio
folio_try_get(folio)
......
mb_mark_used
ext4_mb_unload_buddy
__folio_migrate_mapping
folio_ref_freeze
folio_unlock
The root cause of this issue is that the fast path of load_buddy only
increments the folio's reference count, which is insufficient to prevent
concurrent folio migration. We observed that the folio migration process
acquires the folio lock. Therefore, we can determine whether to take the
fast path in load_buddy by checking the lock status. If the folio is
locked, we opt for the slow path (which acquires the lock) to close this
concurrency window.
Additionally, this change addresses the following issues:
When the DOUBLE_CHECK macro is enabled to inspect bitmap-related
issues, the following error may be triggered:
corruption in group 324 at byte 784(6272): f in copy != ff on
disk/prealloc
Analysis reveals that this is a false positive. There is a specific race
window where the bitmap and the group descriptor become momentarily
inconsistent, leading to this error report:
ext4_mb_load_buddy ext4_mb_load_buddy
__filemap_get_folio(create|lock)
folio_lock
ext4_mb_init_cache
folio_mark_uptodate
__filemap_get_folio(no lock)
......
mb_mark_used
mb_mark_used_double
mb_cmp_bitmaps
mb_set_bits(e4b->bd_bitmap)
folio_unlock
The original logic assumed that since mb_cmp_bitmaps is called when the
bitmap is newly loaded from disk, the folio lock would be sufficient to
prevent concurrent access. However, this overlooks a specific race
condition: if another process attempts to load buddy and finds the folio
is already in an uptodate state, it will immediately begin using it without
holding folio lock.
Signed-off-by: Yongjian Sun <sunyongjian1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20260106090820.836242-1-sunyongjian@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 877b336c651f7..d0f4e5905bf12 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1634,16 +1634,17 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
/* Avoid locking the folio in the fast path ... */
folio = __filemap_get_folio(inode->i_mapping, pnum, FGP_ACCESSED, 0);
- if (IS_ERR(folio) || !folio_test_uptodate(folio)) {
+ if (IS_ERR(folio) || !folio_test_uptodate(folio) || folio_test_locked(folio)) {
+ /*
+ * folio_test_locked is employed to detect ongoing folio
+ * migrations, since concurrent migrations can lead to
+ * bitmap inconsistency. And if we are not uptodate that
+ * implies somebody just created the folio but is yet to
+ * initialize it. We can drop the folio reference and
+ * try to get the folio with lock in both cases to avoid
+ * concurrency.
+ */
if (!IS_ERR(folio))
- /*
- * drop the folio reference and try
- * to get the folio with lock. If we
- * are not uptodate that implies
- * somebody just created the folio but
- * is yet to initialize it. So
- * wait for it to initialize.
- */
folio_put(folio);
folio = __filemap_get_folio(inode->i_mapping, pnum,
FGP_LOCK | FGP_ACCESSED | FGP_CREAT, gfp);
@@ -1685,7 +1686,7 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
poff = block % blocks_per_page;
folio = __filemap_get_folio(inode->i_mapping, pnum, FGP_ACCESSED, 0);
- if (IS_ERR(folio) || !folio_test_uptodate(folio)) {
+ if (IS_ERR(folio) || !folio_test_uptodate(folio) || folio_test_locked(folio)) {
if (!IS_ERR(folio))
folio_put(folio);
folio = __filemap_get_folio(inode->i_mapping, pnum,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 009/481] scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.1 008/481] scsi: ufs: core: Always initialize the UIC done completion Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 010/481] ALSA: usb-audio: Cap the packet size pre-calculations Greg Kroah-Hartman
` (306 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Wang, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Wang <peter.wang@mediatek.com>
[ Upstream commit 62c015373e1cdb1cdca824bd2dbce2dac0819467 ]
Move the link recovery trigger from ufshcd_uic_pwr_ctrl() to
__ufshcd_wl_resume(). Ensure link recovery is only attempted when hibern8
exit fails during resume, not during hibern8 enter in suspend. Improve
error handling and prevent unnecessary link recovery attempts.
Fixes: 35dabf4503b9 ("scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume")
Signed-off-by: Peter Wang <peter.wang@mediatek.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260223103906.2533654-1-peter.wang@mediatek.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 6d44c2adb251a..29f232894372c 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -4130,14 +4130,6 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd)
spin_unlock_irqrestore(hba->host->host_lock, flags);
mutex_unlock(&hba->uic_cmd_mutex);
- /*
- * If the h8 exit fails during the runtime resume process, it becomes
- * stuck and cannot be recovered through the error handler. To fix
- * this, use link recovery instead of the error handler.
- */
- if (ret && hba->pm_op_in_progress)
- ret = ufshcd_link_recovery(hba);
-
return ret;
}
@@ -9250,7 +9242,15 @@ static int __ufshcd_wl_resume(struct ufs_hba *hba, enum ufs_pm_op pm_op)
} else {
dev_err(hba->dev, "%s: hibern8 exit failed %d\n",
__func__, ret);
- goto vendor_suspend;
+ /*
+ * If the h8 exit fails during the runtime resume
+ * process, it becomes stuck and cannot be recovered
+ * through the error handler. To fix this, use link
+ * recovery instead of the error handler.
+ */
+ ret = ufshcd_link_recovery(hba);
+ if (ret)
+ goto vendor_suspend;
}
} else if (ufshcd_is_link_off(hba)) {
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 071/567] mfd: qcom-pm8xxx: Convert to platform remove callback returning void
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 070/567] ext4: fix e4b bitmap inconsistency reports Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 072/567] mfd: qcom-pm8xxx: Fix OF populate on driver rebind Greg Kroah-Hartman
` (306 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Uwe Kleine-König,
Lee Jones, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 19ea1d3953017518d85db35b69b5aea9bc64d630 ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is ignored (apart
from emitting a warning) and this typically results in resource leaks.
To improve here there is a quest to make the remove callback return
void. In the first step of this quest all drivers are converted to
.remove_new(), which already returns void. Eventually after all drivers
are converted, .remove_new() will be renamed to .remove().
Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20231123165627.492259-14-u.kleine-koenig@pengutronix.de
Signed-off-by: Lee Jones <lee@kernel.org>
Stable-dep-of: 27a8acea47a9 ("mfd: qcom-pm8xxx: Fix OF populate on driver rebind")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/qcom-pm8xxx.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/mfd/qcom-pm8xxx.c b/drivers/mfd/qcom-pm8xxx.c
index 07c531bd1236e..8b6285f687da5 100644
--- a/drivers/mfd/qcom-pm8xxx.c
+++ b/drivers/mfd/qcom-pm8xxx.c
@@ -585,19 +585,17 @@ static int pm8xxx_remove_child(struct device *dev, void *unused)
return 0;
}
-static int pm8xxx_remove(struct platform_device *pdev)
+static void pm8xxx_remove(struct platform_device *pdev)
{
struct pm_irq_chip *chip = platform_get_drvdata(pdev);
device_for_each_child(&pdev->dev, NULL, pm8xxx_remove_child);
irq_domain_remove(chip->irqdomain);
-
- return 0;
}
static struct platform_driver pm8xxx_driver = {
.probe = pm8xxx_probe,
- .remove = pm8xxx_remove,
+ .remove_new = pm8xxx_remove,
.driver = {
.name = "pm8xxx-core",
.of_match_table = pm8xxx_id_table,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 010/481] ALSA: usb-audio: Cap the packet size pre-calculations
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.1 009/481] scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 011/481] ALSA: usb-audio: Use inclusive terms Greg Kroah-Hartman
` (305 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 7fe8dec3f628e9779f1631576f8e693370050348 ]
We calculate the possible packet sizes beforehand for adaptive and
synchronous endpoints, but we didn't take care of the max frame size
for those pre-calculated values. When a device or a bus limits the
packet size, a high sample rate or a high number of channels may lead
to the packet sizes that are larger than the given limit, which
results in an error from the USB core at submitting URBs.
As a simple workaround, just add the sanity checks of pre-calculated
packet sizes to have the upper boundary of ep->maxframesize.
Fixes: f0bd62b64016 ("ALSA: usb-audio: Improve frames size computation")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221076
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260225085233.316306-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/endpoint.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
index 86a8624e8781e..8f486c5c938f2 100644
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -1392,6 +1392,9 @@ int snd_usb_endpoint_set_params(struct snd_usb_audio *chip,
goto unlock;
}
+ ep->packsize[0] = min(ep->packsize[0], ep->maxframesize);
+ ep->packsize[1] = min(ep->packsize[1], ep->maxframesize);
+
/* calculate the frequency in 16.16 format */
ep->freqm = ep->freqn;
ep->freqshift = INT_MIN;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 072/567] mfd: qcom-pm8xxx: Fix OF populate on driver rebind
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 071/567] mfd: qcom-pm8xxx: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 073/567] mfd: omap-usb-host: Convert to platform remove callback returning void Greg Kroah-Hartman
` (305 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Dmitry Baryshkov,
Konrad Dybcio, Lee Jones, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 27a8acea47a93fea6ad0e2df4c20a9b51490e4d9 ]
Since commit c6e126de43e7 ("of: Keep track of populated platform
devices") child devices will not be created by of_platform_populate()
if the devices had previously been deregistered individually so that the
OF_POPULATED flag is still set in the corresponding OF nodes.
Switch to using of_platform_depopulate() instead of open coding so that
the child devices are created if the driver is rebound.
Fixes: c6e126de43e7 ("of: Keep track of populated platform devices")
Cc: stable@vger.kernel.org # 3.16
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://patch.msgid.link/20251219110947.24101-1-johan@kernel.org
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/qcom-pm8xxx.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/drivers/mfd/qcom-pm8xxx.c b/drivers/mfd/qcom-pm8xxx.c
index 8b6285f687da5..0e490591177a2 100644
--- a/drivers/mfd/qcom-pm8xxx.c
+++ b/drivers/mfd/qcom-pm8xxx.c
@@ -579,17 +579,11 @@ static int pm8xxx_probe(struct platform_device *pdev)
return rc;
}
-static int pm8xxx_remove_child(struct device *dev, void *unused)
-{
- platform_device_unregister(to_platform_device(dev));
- return 0;
-}
-
static void pm8xxx_remove(struct platform_device *pdev)
{
struct pm_irq_chip *chip = platform_get_drvdata(pdev);
- device_for_each_child(&pdev->dev, NULL, pm8xxx_remove_child);
+ of_platform_depopulate(&pdev->dev);
irq_domain_remove(chip->irqdomain);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 011/481] ALSA: usb-audio: Use inclusive terms
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.1 010/481] ALSA: usb-audio: Cap the packet size pre-calculations Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 012/481] perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Greg Kroah-Hartman
` (304 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 4e9113c533acee2ba1f72fd68ee6ecd36b64484e ]
Replace the remaining with inclusive terms; it's only this function
name we overlooked at the previous conversion.
Fixes: 53837b4ac2bd ("ALSA: usb-audio: Replace slave/master terms")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260225085233.316306-5-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/endpoint.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
index 8f486c5c938f2..b5af8dc1e48de 100644
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -160,8 +160,8 @@ int snd_usb_endpoint_implicit_feedback_sink(struct snd_usb_endpoint *ep)
* This won't be used for implicit feedback which takes the packet size
* returned from the sync source
*/
-static int slave_next_packet_size(struct snd_usb_endpoint *ep,
- unsigned int avail)
+static int synced_next_packet_size(struct snd_usb_endpoint *ep,
+ unsigned int avail)
{
unsigned long flags;
unsigned int phase;
@@ -230,7 +230,7 @@ int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep,
}
if (ep->sync_source)
- return slave_next_packet_size(ep, avail);
+ return synced_next_packet_size(ep, avail);
else
return next_packet_size(ep, avail);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 073/567] mfd: omap-usb-host: Convert to platform remove callback returning void
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 072/567] mfd: qcom-pm8xxx: Fix OF populate on driver rebind Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 074/567] mfd: omap-usb-host: Fix OF populate on driver rebind Greg Kroah-Hartman
` (304 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Lee Jones,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 418d1e74f8597e0b2d5d0d6e1be8f1f47e68f0a4 ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is ignored (apart
from emitting a warning) and this typically results in resource leaks.
To improve here there is a quest to make the remove callback return
void. In the first step of this quest all drivers are converted to
.remove_new(), which already returns void. Eventually after all drivers
are converted, .remove_new() will be renamed to .remove().
Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20231123165627.492259-11-u.kleine-koenig@pengutronix.de
Signed-off-by: Lee Jones <lee@kernel.org>
Stable-dep-of: 24804ba508a3 ("mfd: omap-usb-host: Fix OF populate on driver rebind")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/omap-usb-host.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/mfd/omap-usb-host.c b/drivers/mfd/omap-usb-host.c
index 78f1bb55dbc0f..ebc62033db169 100644
--- a/drivers/mfd/omap-usb-host.c
+++ b/drivers/mfd/omap-usb-host.c
@@ -816,13 +816,12 @@ static int usbhs_omap_remove_child(struct device *dev, void *data)
*
* Reverses the effect of usbhs_omap_probe().
*/
-static int usbhs_omap_remove(struct platform_device *pdev)
+static void usbhs_omap_remove(struct platform_device *pdev)
{
pm_runtime_disable(&pdev->dev);
/* remove children */
device_for_each_child(&pdev->dev, NULL, usbhs_omap_remove_child);
- return 0;
}
static const struct dev_pm_ops usbhsomap_dev_pm_ops = {
@@ -845,7 +844,7 @@ static struct platform_driver usbhs_omap_driver = {
.of_match_table = usbhs_omap_dt_ids,
},
.probe = usbhs_omap_probe,
- .remove = usbhs_omap_remove,
+ .remove_new = usbhs_omap_remove,
};
MODULE_AUTHOR("Keshava Munegowda <keshava_mgowda@ti.com>");
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 012/481] perf: Fix __perf_event_overflow() vs perf_remove_from_context() race
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.1 011/481] ALSA: usb-audio: Use inclusive terms Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 013/481] btrfs: move btrfs_crc32c_final into free-space-cache.c Greg Kroah-Hartman
` (303 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simond Hu, Peter Zijlstra (Intel),
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit c9bc1753b3cc41d0e01fbca7f035258b5f4db0ae ]
Make sure that __perf_event_overflow() runs with IRQs disabled for all
possible callchains. Specifically the software events can end up running
it with only preemption disabled.
This opens up a race vs perf_event_exit_event() and friends that will go
and free various things the overflow path expects to be present, like
the BPF program.
Fixes: 592903cdcbf6 ("perf_counter: add an event_list")
Reported-by: Simond Hu <cmdhh1767@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Simond Hu <cmdhh1767@gmail.com>
Link: https://patch.msgid.link/20260224122909.GV1395416@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 42 +++++++++++++++++++++++++++++++++++++++++-
1 file changed, 41 insertions(+), 1 deletion(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 4d7bf0536348f..146b37e97832a 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -9507,6 +9507,13 @@ int perf_event_overflow(struct perf_event *event,
struct perf_sample_data *data,
struct pt_regs *regs)
{
+ /*
+ * Entry point from hardware PMI, interrupts should be disabled here.
+ * This serializes us against perf_event_remove_from_context() in
+ * things like perf_event_release_kernel().
+ */
+ lockdep_assert_irqs_disabled();
+
return __perf_event_overflow(event, 1, data, regs);
}
@@ -9587,6 +9594,19 @@ static void perf_swevent_event(struct perf_event *event, u64 nr,
{
struct hw_perf_event *hwc = &event->hw;
+ /*
+ * This is:
+ * - software preempt
+ * - tracepoint preempt
+ * - tp_target_task irq (ctx->lock)
+ * - uprobes preempt/irq
+ * - kprobes preempt/irq
+ * - hw_breakpoint irq
+ *
+ * Any of these are sufficient to hold off RCU and thus ensure @event
+ * exists.
+ */
+ lockdep_assert_preemption_disabled();
local64_add(nr, &event->count);
if (!regs)
@@ -9595,6 +9615,16 @@ static void perf_swevent_event(struct perf_event *event, u64 nr,
if (!is_sampling_event(event))
return;
+ /*
+ * Serialize against event_function_call() IPIs like normal overflow
+ * event handling. Specifically, must not allow
+ * perf_event_release_kernel() -> perf_remove_from_context() to make
+ * progress and 'release' the event from under us.
+ */
+ guard(irqsave)();
+ if (event->state != PERF_EVENT_STATE_ACTIVE)
+ return;
+
if ((event->attr.sample_type & PERF_SAMPLE_PERIOD) && !event->attr.freq) {
data->period = nr;
return perf_swevent_overflow(event, 1, data, regs);
@@ -10011,6 +10041,11 @@ void perf_tp_event(u16 event_type, u64 count, void *record, int entry_size,
struct perf_sample_data data;
struct perf_event *event;
+ /*
+ * Per being a tracepoint, this runs with preemption disabled.
+ */
+ lockdep_assert_preemption_disabled();
+
struct perf_raw_record raw = {
.frag = {
.size = entry_size,
@@ -10472,6 +10507,11 @@ void perf_bp_event(struct perf_event *bp, void *data)
struct perf_sample_data sample;
struct pt_regs *regs = data;
+ /*
+ * Exception context, will have interrupts disabled.
+ */
+ lockdep_assert_irqs_disabled();
+
perf_sample_data_init(&sample, bp->attr.bp_addr, 0);
if (!bp->hw.state && !perf_exclude_event(bp, regs))
@@ -10924,7 +10964,7 @@ static enum hrtimer_restart perf_swevent_hrtimer(struct hrtimer *hrtimer)
if (regs && !perf_exclude_event(event, regs)) {
if (!(event->attr.exclude_idle && is_idle_task(current)))
- if (__perf_event_overflow(event, 1, &data, regs))
+ if (perf_event_overflow(event, &data, regs))
ret = HRTIMER_NORESTART;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 074/567] mfd: omap-usb-host: Fix OF populate on driver rebind
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 073/567] mfd: omap-usb-host: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 075/567] arm64: dts: rockchip: Fix rk356x PCIe range mappings Greg Kroah-Hartman
` (303 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Andreas Kemnade,
Lee Jones, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 24804ba508a3e240501c521685a1c4eb9f574f8e ]
Since commit c6e126de43e7 ("of: Keep track of populated platform
devices") child devices will not be created by of_platform_populate()
if the devices had previously been deregistered individually so that the
OF_POPULATED flag is still set in the corresponding OF nodes.
Switch to using of_platform_depopulate() instead of open coding so that
the child devices are created if the driver is rebound.
Fixes: c6e126de43e7 ("of: Keep track of populated platform devices")
Cc: stable@vger.kernel.org # 3.16
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Andreas Kemnade <andreas@kemnade.info>
Link: https://patch.msgid.link/20251219110714.23919-1-johan@kernel.org
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/omap-usb-host.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/mfd/omap-usb-host.c b/drivers/mfd/omap-usb-host.c
index ebc62033db169..e3aae10295a15 100644
--- a/drivers/mfd/omap-usb-host.c
+++ b/drivers/mfd/omap-usb-host.c
@@ -820,8 +820,10 @@ static void usbhs_omap_remove(struct platform_device *pdev)
{
pm_runtime_disable(&pdev->dev);
- /* remove children */
- device_for_each_child(&pdev->dev, NULL, usbhs_omap_remove_child);
+ if (pdev->dev.of_node)
+ of_platform_depopulate(&pdev->dev);
+ else
+ device_for_each_child(&pdev->dev, NULL, usbhs_omap_remove_child);
}
static const struct dev_pm_ops usbhsomap_dev_pm_ops = {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 013/481] btrfs: move btrfs_crc32c_final into free-space-cache.c
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.1 012/481] perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 014/481] btrfs: fix incorrect key offset in error message in check_dev_extent_item() Greg Kroah-Hartman
` (302 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Anand Jain,
Josef Bacik, David Sterba, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <josef@toxicpanda.com>
[ Upstream commit 102f2640a346e84cb5c2d19805a9dd38a776013c ]
This is the only place this helper is used, take it out of ctree.h and
move it into free-space-cache.c.
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: 511dc8912ae3 ("btrfs: fix incorrect key offset in error message in check_dev_extent_item()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/ctree.h | 5 -----
fs/btrfs/free-space-cache.c | 5 +++++
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
index bd84a8b774a68..96146b920bdd3 100644
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -2827,11 +2827,6 @@ static inline u32 btrfs_crc32c(u32 crc, const void *address, unsigned length)
return crc32c(crc, address, length);
}
-static inline void btrfs_crc32c_final(u32 crc, u8 *result)
-{
- put_unaligned_le32(~crc, result);
-}
-
static inline u64 btrfs_name_hash(const char *name, int len)
{
return crc32c((u32)~1, name, len);
diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c
index 75ad735322c4a..9f4dae426037b 100644
--- a/fs/btrfs/free-space-cache.c
+++ b/fs/btrfs/free-space-cache.c
@@ -48,6 +48,11 @@ static void bitmap_clear_bits(struct btrfs_free_space_ctl *ctl,
struct btrfs_free_space *info, u64 offset,
u64 bytes, bool update_stats);
+static void btrfs_crc32c_final(u32 crc, u8 *result)
+{
+ put_unaligned_le32(~crc, result);
+}
+
static void __btrfs_remove_free_space_cache(struct btrfs_free_space_ctl *ctl)
{
struct btrfs_free_space *info;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 075/567] arm64: dts: rockchip: Fix rk356x PCIe range mappings
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 074/567] mfd: omap-usb-host: Fix OF populate on driver rebind Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 076/567] clk: tegra: tegra124-emc: fix device leak on set_rate() Greg Kroah-Hartman
` (302 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Powers-Holmes, Shawn Lin,
Heiko Stuebner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shawn Lin <shawn.lin@rock-chips.com>
[ Upstream commit f63ea193a404481f080ca2958f73e9f364682db9 ]
The pcie bus address should be mapped 1:1 to the cpu side MMIO address, so
that there is no same address allocated from normal system memory. Otherwise
it's broken if the same address assigned to the EP for DMA purpose.Fix it to
sync with the vendor BSP.
Fixes: 568a67e742df ("arm64: dts: rockchip: Fix rk356x PCIe register and range mappings")
Fixes: 66b51ea7d70f ("arm64: dts: rockchip: Add rk3568 PCIe2x1 controller")
Cc: stable@vger.kernel.org
Cc: Andrew Powers-Holmes <aholmes@omnom.net>
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Link: https://patch.msgid.link/1767600929-195341-1-git-send-email-shawn.lin@rock-chips.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3568.dtsi | 4 ++--
arch/arm64/boot/dts/rockchip/rk356x.dtsi | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3568.dtsi b/arch/arm64/boot/dts/rockchip/rk3568.dtsi
index f1be76a54ceb0..4305fd20b5c32 100644
--- a/arch/arm64/boot/dts/rockchip/rk3568.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk3568.dtsi
@@ -97,7 +97,7 @@ pcie3x1: pcie@fe270000 {
<0x0 0xf2000000 0x0 0x00100000>;
ranges = <0x01000000 0x0 0xf2100000 0x0 0xf2100000 0x0 0x00100000>,
<0x02000000 0x0 0xf2200000 0x0 0xf2200000 0x0 0x01e00000>,
- <0x03000000 0x0 0x40000000 0x3 0x40000000 0x0 0x40000000>;
+ <0x03000000 0x3 0x40000000 0x3 0x40000000 0x0 0x40000000>;
reg-names = "dbi", "apb", "config";
resets = <&cru SRST_PCIE30X1_POWERUP>;
reset-names = "pipe";
@@ -150,7 +150,7 @@ pcie3x2: pcie@fe280000 {
<0x0 0xf0000000 0x0 0x00100000>;
ranges = <0x01000000 0x0 0xf0100000 0x0 0xf0100000 0x0 0x00100000>,
<0x02000000 0x0 0xf0200000 0x0 0xf0200000 0x0 0x01e00000>,
- <0x03000000 0x0 0x40000000 0x3 0x80000000 0x0 0x40000000>;
+ <0x03000000 0x3 0x80000000 0x3 0x80000000 0x0 0x40000000>;
reg-names = "dbi", "apb", "config";
resets = <&cru SRST_PCIE30X2_POWERUP>;
reset-names = "pipe";
diff --git a/arch/arm64/boot/dts/rockchip/rk356x.dtsi b/arch/arm64/boot/dts/rockchip/rk356x.dtsi
index 2f885bc3665b5..6377f2a0b4017 100644
--- a/arch/arm64/boot/dts/rockchip/rk356x.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk356x.dtsi
@@ -997,7 +997,7 @@ pcie2x1: pcie@fe260000 {
power-domains = <&power RK3568_PD_PIPE>;
ranges = <0x01000000 0x0 0xf4100000 0x0 0xf4100000 0x0 0x00100000>,
<0x02000000 0x0 0xf4200000 0x0 0xf4200000 0x0 0x01e00000>,
- <0x03000000 0x0 0x40000000 0x3 0x00000000 0x0 0x40000000>;
+ <0x03000000 0x3 0x00000000 0x3 0x00000000 0x0 0x40000000>;
resets = <&cru SRST_PCIE20_POWERUP>;
reset-names = "pipe";
#address-cells = <3>;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 000/460] 6.12.78-rc1 review
@ 2026-03-23 13:39 Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.12 001/460] scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT Greg Kroah-Hartman
` (302 more replies)
0 siblings, 303 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 6.12.78 release.
There are 460 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 25 Mar 2026 13:44:33 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.78-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.12.78-rc1
Dapeng Mi <dapeng1.mi@linux.intel.com>
perf/x86/intel: Add missing branch counters constraint apply
Guenter Roeck <linux@roeck-us.net>
hwmon: (max6639) Fix pulses-per-revolution implementation
Josh Law <objecting@objecting.org>
tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
Josh Law <objecting@objecting.org>
lib/bootconfig: check xbc_init_node() return in override path
Kees Cook <kees@kernel.org>
fs/tests: exec: Remove bad test vector
Rahul Bukte <rahul.bukte@sony.com>
drm/i915/gt: Check set_default_submission() before deferencing
Hyunwoo Kim <imv4bel@gmail.com>
ksmbd: fix use-after-free in durable v2 replay of active file handles
Hyunwoo Kim <imv4bel@gmail.com>
ksmbd: fix use-after-free of share_conf in compound request
Andy Nguyen <theofficialflow1996@gmail.com>
drm/amd: fix dcn 2.01 check
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amd/display: Fix DisplayID not-found handling in parse_edid_displayid_vrr()
Kamal Dasu <kamal.dasu@broadcom.com>
mtd: rawnand: brcmnand: skip DMA during panic write
Kamal Dasu <kamal.dasu@broadcom.com>
mtd: rawnand: serialize lock/unlock against other NAND operations
Kairui Song <kasong@tencent.com>
mm/shmem, swap: avoid redundant Xarray lookup during swapin
Kairui Song <kasong@tencent.com>
mm/shmem, swap: improve cached mTHP handling and fix potential hang
Kemeng Shi <shikemeng@huaweicloud.com>
mm: shmem: avoid unpaired folio_unlock() in shmem_swapin_folio()
Baolin Wang <baolin.wang@linux.alibaba.com>
mm: shmem: fix potential data corruption during shmem swapin
Pratyush Yadav <p.yadav@ti.com>
mtd: spi-nor: core: avoid odd length/address writes in 8D-8D-8D mode
Pratyush Yadav <p.yadav@ti.com>
mtd: spi-nor: core: avoid odd length/address reads on 8D-8D-8D mode
Kyle Meyer <kyle.meyer@hpe.com>
x86/platform/uv: Handle deconfigured sockets
Masami Hiramatsu (Google) <mhiramat@kernel.org>
ring-buffer: Fix to update per-subbuf entries of persistent ring buffer
Gabor Juhos <j4g8y7@gmail.com>
i2c: pxa: defer reset on Armada 3700 when recovery is used
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
i2c: fsi: Fix a potential leak in fsi_i2c_probe()
Johan Hovold <johan@kernel.org>
i2c: cp2615: fix serial string NULL-deref at probe
Ji-Ze Hong (Peter Hong) <peter_hong@fintek.com.tw>
USB: serial: f81232: fix incomplete serial port generation
Jouni Högander <jouni.hogander@intel.com>
drm/i915/psr: Compute PSR entry_setup_frames into intel_crtc_state
Sanman Pradhan <psanman@juniper.net>
hwmon: (pmbus/isl68137) Fix unchecked return value and use sysfs_emit()
Sanman Pradhan <psanman@juniper.net>
hwmon: (pmbus/mp2975) Add error check for pmbus_read_word_data() return value
Weiming Shi <bestswngs@gmail.com>
icmp: fix NULL pointer dereference in icmp_tag_validation()
Anas Iqbal <mohd.abd.6602@gmail.com>
net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
Muhammad Hammad Ijaz <mhijaz@amazon.com>
net: mvpp2: guard flow control update with global_tx_fc in buffer switching
Weiming Shi <bestswngs@gmail.com>
nfnetlink_osf: validate individual option lengths in fingerprints
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: release flowtable after rcu grace period on error
Florian Westphal <fw@strlen.de>
netfilter: bpf: defer hook memory release until rcu readers are done
Xiang Mei <xmei5@asu.edu>
net: bonding: fix NULL deref in bond_debug_rlb_hash_show
Xiang Mei <xmei5@asu.edu>
udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
Jianbo Liu <jianbol@nvidia.com>
net/mlx5e: Fix race condition during IPSec ESN update
Jianbo Liu <jianbol@nvidia.com>
net/mlx5e: Prevent concurrent access to IPSec ASO context
Cosmin Ratiu <cratiu@nvidia.com>
net/mlx5: qos: Restrict RTNL area to avoid a lock cycle
Fedor Pchelkin <pchelkin@ispras.ru>
net: macb: fix uninitialized rx_fs_lock
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
Guenter Roeck <linux@roeck-us.net>
wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom
Xiang Mei <xmei5@asu.edu>
wifi: mac80211: fix NULL deref in mesh_matches_local()
Petr Oros <poros@redhat.com>
iavf: fix VLAN filter lost on add/delete race
Zdenek Bouska <zdenek.bouska@siemens.com>
igc: fix page fault in XDP TX timestamps handling
Kohei Enju <kohei@enjuk.jp>
igc: fix missing update of skb->tail in igc_xmit_frame()
Nikola Z. Ivanov <zlatistiv@gmail.com>
net: usb: aqc111: Do not perform PM inside suspend callback
Daniel Borkmann <daniel@iogearbox.net>
clsact: Fix use-after-free in init/destroy rollback asymmetry
Tobi Gaertner <tob.gaertner@me.com>
net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
Tobi Gaertner <tob.gaertner@me.com>
net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Remove airoha_dev_stop() in airoha_remove()
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Read completion queue data in airoha_qdma_tx_napi_poll()
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: fix PSE memory configuration in airoha_fe_pse_ports_init()
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: read default PSE reserved pages value before updating
Jamal Hadi Salim <jhs@mojatatu.com>
net/sched: teql: Fix double-free in teql_master_xmit
Jiayuan Chen <jiayuan.chen@shopee.com>
net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
Eric Dumazet <edumazet@google.com>
bonding: prevent potential infinite loop in bond_header_parse()
Bart Van Assche <bvanassche@acm.org>
PM: runtime: Fix a race condition related to device removal
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
sched: idle: Consolidate the handling of two special cases
Dipayaan Roy <dipayanroy@linux.microsoft.com>
net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown
Justin Chen <justin.chen@broadcom.com>
net: bcmgenet: increase WoL poll timeout
Jenny Guanni Qu <qguanni@gmail.com>
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
Jenny Guanni Qu <qguanni@gmail.com>
netfilter: xt_time: use unsigned int for monthday bit shift
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: xt_CT: drop pending enqueued packets on template removal
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_ct: drop pending enqueued packets on removal
Pablo Neira Ayuso <pablo@netfilter.org>
nf_tables: nft_dynset: fix possible stateful expression memleak in error path
Jenny Guanni Qu <qguanni@gmail.com>
netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
Lukas Johannes Möller <research@johannes-moeller.dev>
netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
Hyunwoo Kim <imv4bel@gmail.com>
netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
Florian Westphal <fw@strlen.de>
netfilter: ctnetlink: remove refcounting in expectation dumpers
Sabrina Dubroca <sd@queasysnail.net>
mpls: add missing unregister_netdevice_notifier to mpls_init
Jiayuan Chen <jiayuan.chen@shopee.com>
net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
Hyunwoo Kim <imv4bel@gmail.com>
bridge: cfm: Fix race condition in peer_mep deletion
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Bluetooth: qca: fix ROM version reading on WCN3998 chips
Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: HIDP: Fix possible UAF
Wang Tao <wangtao554@huawei.com>
Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers
Michael Grzeschik <m.grzeschik@pengutronix.de>
Bluetooth: hci_sync: Fix hci_le_create_conn_sync
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: ISO: Fix defer tests being unstable
Christian Eggers <ceggers@arri.de>
Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
Christian Eggers <ceggers@arri.de>
Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
Christian Eggers <ceggers@arri.de>
Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
Felix Gu <ustc.gu@gmail.com>
firmware: arm_scpi: Fix device_node reference leak in probe path
Yeoreum Yun <yeoreum.yun@arm.com>
firmware: arm_ffa: Remove vm_id argument in ffa_rxtx_unmap()
Fabrizio Castro <fabrizio.castro.jz@renesas.com>
arm64: dts: renesas: r9a09g057: Remove wdt{0,2,3} nodes
Ovidiu Panait <ovidiu.panait.rb@renesas.com>
arm64: dts: renesas: r9a09g057: Add RTC node
Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
Kuniyuki Iwashima <kuniyu@google.com>
wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
Chen Ni <nichen@iscas.ac.cn>
soc: fsl: cpm1: qmc: Fix error check for devm_ioremap_resource() in qmc_qe_init_resources()
Richard Genoud <richard.genoud@bootlin.com>
soc: fsl: qbman: fix race condition in qman_destroy_fq
Shawn Lin <shawn.lin@rock-chips.com>
soc: rockchip: grf: Add missing of_node_put() when returning
Felix Gu <ustc.gu@gmail.com>
cache: ax45mp: Fix device node reference leak in ax45mp_cache_init()
Felix Gu <ustc.gu@gmail.com>
cache: starfive: fix device node leak in starlink_cache_init()
Zilin Guan <zilin@seu.edu.cn>
soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe()
ZhengYuan Huang <gality369@gmail.com>
btrfs: tree-checker: fix misleading root drop_level error message
Filipe Manana <fdmanana@suse.com>
btrfs: log new dentries when logging parent dir of a conflicting inode
Damien Le Moal <dlemoal@kernel.org>
ata: libata-scsi: report correct sense field pointer in ata_scsiop_maint_in()
Damien Le Moal <dlemoal@kernel.org>
ata: libata-scsi: Return residual for emulated SCSI commands
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
Matthew Brost <matthew.brost@intel.com>
drm/xe: Open-code GGTT MMIO access protection
Ashutosh Dixit <ashutosh.dixit@intel.com>
drm/xe/oa: Allow reading after disabling OA stream
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu: apply state adjust rules to some additional HAINAN vairants
Alex Deucher <alexander.deucher@amd.com>
drm/radeon: apply state adjust rules to some additional HAINAN vairants
Alessio Belle <alessio.belle@imgtec.com>
drm/imagination: Fix deadlock in soft reset sequence
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub4.1.0: add bounds checking for cid
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub3.0: add bounds checking for cid
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub3.0.2: add bounds checking for cid
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub3.0.1: add bounds checking for cid
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub2.3: add bounds checking for cid
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/mmhub2.0: add bounds checking for cid
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/gmc9.0: add bounds checking for cid
Xi Ruoyao <xry111@xry111.site>
drm/amd/display: Wrap dcn32_override_min_req_memclk() in DC_FP_{START, END}
Maarten Lankhorst <dev@lankhorst.se>
drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug
Jens Axboe <axboe@kernel.dk>
io_uring/kbuf: propagate BUF_MORE through early buffer commit path
Maciej Andrzejewski ICEYE <maciej.andrzejewski@m-works.net>
serial: uartlite: fix PM runtime usage count underflow on probe
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART BUSY
Raul E Rangel <rrangel@chromium.org>
serial: 8250: Fix TX deadlock when using DMA
Martin Roukala (né Peres) <martin.roukala@mupuf.org>
serial: 8250_pci: add support for the AX99100
Guanghui Feng <guanghuifeng@linux.alibaba.com>
iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry
Finn Thain <fthain@linux-m68k.org>
mtd: Avoid boot crash in RedBoot partition table parser
Chen Ni <nichen@iscas.ac.cn>
mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init()
Olivier Sobrie <olivier@sobrie.be>
mtd: rawnand: pl353: make sure optimal timings are applied
Johan Hovold <johan@kernel.org>
spi: fix statistics allocation
Johan Hovold <johan@kernel.org>
spi: fix use-after-free on controller registration failure
Maíra Canal <mcanal@igalia.com>
pmdomain: bcm: bcm2835-power: Increase ASB control timeout
Luke Wang <ziniu.wang_1@nxp.com>
mmc: sdhci: fix timing selection for 1-bit bus width
Matthew Schwartz <matthew.schwartz@linux.dev>
mmc: sdhci-pci-gli: fix GL9750 DMA write corruption
Damien Le Moal <dlemoal@kernel.org>
ata: libata-core: disable LPM on ADATA SU680 SSD
Kevin Hao <haokexin@gmail.com>
net: macb: Reinitialize tx/rx queue pointer registers and rx ring during resume
Kevin Hao <haokexin@gmail.com>
net: macb: Introduce gem_init_rx_ring()
Yang Yang <n05ec@lzu.edu.cn>
batman-adv: avoid OGM aggregation when skb tailroom is insufficient
Filipe Manana <fdmanana@suse.com>
btrfs: fix transaction abort when snapshotting received subvolumes
Masami Hiramatsu (Google) <mhiramat@kernel.org>
kprobes: Remove unneeded warnings from __arm_kprobe_ftrace()
Masami Hiramatsu (Google) <mhiramat@kernel.org>
kprobes: Remove unneeded goto
Hari Bathini <hbathini@linux.ibm.com>
powerpc64/bpf: fix kfunc call support
Naveen N Rao <naveen@kernel.org>
powerpc64/bpf: Fold bpf_jit_emit_func_call_hlp() into bpf_jit_emit_func_call_rel()
Harald Freudenberger <freude@linux.ibm.com>
s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute
Jouni Högander <jouni.hogander@intel.com>
drm/i915/psr: Write DSC parameters on Selective Update in ET mode
Jouni Högander <jouni.hogander@intel.com>
drm/i915/dsc: Add helper for writing DSC Selective Update ET parameters
Jouni Högander <jouni.hogander@intel.com>
drm/i915/dsc: Add Selective Update register definitions
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: unset conn->binding on failed binding request
Paulo Alcantara <pc@manguebit.org>
smb: client: fix krb5 mount with username option
Lukas Johannes Möller <research@johannes-moeller.dev>
Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
Lukas Johannes Möller <research@johannes-moeller.dev>
Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
Felix Fietkau <nbd@nbd.name>
mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations
Helge Deller <deller@gmx.de>
parisc: Flush correct cache in cacheflush() syscall
Fedor Pchelkin <pchelkin@ispras.ru>
net: macb: fix use-after-free access to PTP clock
Ian Ray <ian.ray@gehealthcare.com>
NFC: nxp-nci: allow GPIOs to sleep
Tiezhu Yang <yangtiezhu@loongson.cn>
LoongArch: Give more information if kmem access failed
Ira Weiny <ira.weiny@intel.com>
nvdimm/bus: Fix potential use after free in asynchronous initialization
Jeff Layton <jlayton@kernel.org>
sunrpc: fix cache_request leak in cache_release
Benjamin Tissoires <bentiss@kernel.org>
HID: bpf: prevent buffer overflow in hid_hw_request
Benjamin Tissoires <bentiss@kernel.org>
selftests/hid: fix compilation when bpf_wq and hid_device are not exported
Jeff Layton <jlayton@kernel.org>
nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
Chuck Lever <chuck.lever@oracle.com>
NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
Lijo Lazar <lijo.lazar@amd.com>
drm/amdgpu: Add basic validation for RAS header
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Add pixel_clock to amd_pp_display_configuration
Jouni Högander <jouni.hogander@intel.com>
drm/i915/psr: Repeat Selective Update area alignment
Jouni Högander <jouni.hogander@intel.com>
drm/i915/alpm: ALPM disable fixes
Heiko Carstens <hca@linux.ibm.com>
s390/xor: Fix xor_xc_2() inline assembly constraints
Heiko Carstens <hca@linux.ibm.com>
s390/stackleak: Fix __stackleak_poison() inline assembly constraint
Peter Zijlstra <peterz@infradead.org>
sched/fair: Fix zero_vruntime tracking
Jens Axboe <axboe@kernel.dk>
io_uring/kbuf: check if target buffer list is still legacy on recycle
Cheng-Yang Chou <yphbchou0911@gmail.com>
sched_ext: Remove redundant css_put() in scx_cgroup_init()
Deepanshu Kartikey <kartikey406@gmail.com>
mm: thp: deny THP for files on anonymous inodes
Gao Xiang <xiang@kernel.org>
erofs: fix inline data read failure for ztailpacking pclusters
Darrick J. Wong <djwong@kernel.org>
xfs: get rid of the xchk_xfile_*_descr calls
Zilin Guan <zilin@seu.edu.cn>
binfmt_misc: restore write access before closing files opened by open_exec()
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: properly keep track of conduit reference
Guodong Xu <guodong@riscstar.com>
dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
Han Guangjiang <hanguangjiang@lixiang.com>
blk-throttle: fix access race during throttle policy activation
Chao Yu <chao@kernel.org>
f2fs: fix to avoid migrating empty section
Zhiguo Niu <zhiguo.niu@unisoc.com>
f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
Zhiguo Niu <zhiguo.niu@unisoc.com>
f2fs: compress: change the first parameter of page_array_{alloc,free} to sbi
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
net: stmmac: remove support for lpi_intr_o
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: in-kernel: always set ID as avail when rm endp
Antheas Kapenekakis <lkml@antheas.dev>
platform/x86/amd/pmc: Add support for Van Gogh SoC
Oleg Nesterov <oleg@redhat.com>
x86/uprobes: Fix XOL allocation failure for 32-bit tasks
Asbjørn Sloth Tønnesen <ast@fiberby.net>
io_uring/uring_cmd: fix too strict requirement on ioctl
Hariprasad Kelam <hkelam@marvell.com>
Octeontx2-af: Add proper checks for fwdata
Steven Rostedt <rostedt@goodmis.org>
tracing: Add recursion protection in kernel stack trace recording
Paul Greenwalt <paul.greenwalt@intel.com>
ice: fix devlink reload call trace
Qu Wenruo <wqu@suse.com>
btrfs: do not strictly require dirty metadata threshold for metadata writepages
David Howells <dhowells@redhat.com>
rxrpc: Fix recvmsg() unconditional requeue
Mikulas Patocka <mpatocka@redhat.com>
dm-verity: disable recursive forward error correction
Eric Dumazet <edumazet@google.com>
ipv6: use RCU in ip6_xmit()
Shuicheng Lin <shuicheng.lin@intel.com>
drm/xe/sync: Cleanup partially initialized sync on parse failure
Long Li <leo.lilong@huawei.com>
xfs: fix integer overflow in bmap intent sort comparator
Thorsten Blum <thorsten.blum@linux.dev>
crypto: atmel-sha204a - Fix OOM ->tfm_count leak
Shyam Prasad N <sprasad@microsoft.com>
cifs: open files should not hold ref on superblock
Kevin Hao <haokexin@gmail.com>
net: macb: Shuffle the tx ring before enabling tx
Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output
Thorsten Blum <thorsten.blum@linux.dev>
ksmbd: Don't log keys in SMB3 signing and encryption key generation
Jim Mattson <jmattson@google.com>
KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM
Chao Gao <chao.gao@intel.com>
KVM: nVMX: Add consistency checks for CR0.WP and CR4.CET
Yan Zhao <yan.y.zhao@intel.com>
KVM: x86: Introduce Intel specific quirk KVM_X86_QUIRK_IGNORE_GUEST_PAT
Yan Zhao <yan.y.zhao@intel.com>
KVM: x86: Introduce supported_quirks to block disabling quirks
Paolo Bonzini <pbonzini@redhat.com>
KVM: x86: Allow vendor code to disable quirks
Paolo Bonzini <pbonzini@redhat.com>
KVM: x86: do not allow re-enabling quirks
Sean Christopherson <seanjc@google.com>
KVM: x86: Quirk initialization of feature MSRs to KVM's max configuration
Sean Christopherson <seanjc@google.com>
KVM: x86: Co-locate initialization of feature MSRs in kvm_arch_vcpu_create()
Shengming Hu <hu.shengming@zte.com.cn>
fgraph: Fix thresh_return clear per-task notrace
Darrick J. Wong <djwong@kernel.org>
iomap: reject delalloc mappings during writeback
Tejun Heo <tj@kernel.org>
sched_ext: Fix starvation of scx_enable() under fair-class saturation
Tejun Heo <tj@kernel.org>
sched_ext: Disable preemption between scx_claim_exit() and kicking helper work
Christian Brauner <brauner@kernel.org>
nsfs: tighten permission checks for ns iteration ioctls
Alexander Potapenko <glider@google.com>
mm/kfence: fix KASAN hardware tag faults during late enablement
David Hildenbrand <david@redhat.com>
mm/page_alloc: forward the gfp flags from alloc_contig_range() to post_alloc_hook()
David Hildenbrand <david@redhat.com>
mm/page_alloc: sort out the alloc_contig_range() gfp flags mess
Matthew Wilcox (Oracle) <willy@infradead.org>
mm/page_alloc: move set_page_refcounted() to callers of post_alloc_hook()
Shawn Lin <shawn.lin@rock-chips.com>
mmc: dw_mmc-rockchip: Fix runtime PM support for internal phase support
Shawn Lin <shawn.lin@rock-chips.com>
mmc: dw_mmc-rockchip: Add memory clock auto-gating support
Jisheng Zhang <jszhang@kernel.org>
mmc: dw_mmc-rockchip: use modern PM macros
Sean Christopherson <seanjc@google.com>
KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
Naveen N Rao <naveen@kernel.org>
KVM: SVM: Add a helper to look up the max physical ID for AVIC
Naveen N Rao <naveen@kernel.org>
KVM: SVM: Limit AVIC physical max index based on configured max_vcpu_ids
Jiasheng Jiang <jiashengjiangcool@gmail.com>
usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
Kuen-Han Tsai <khtsai@google.com>
usb: gadget: f_ncm: Fix net_device lifecycle with device_move
Thomas Gleixner <tglx@linutronix.de>
cleanup: Provide retain_and_null_ptr()
Marc Kleine-Budde <mkl@pengutronix.de>
can: gs_usb: gs_can_open(): always configure bitrates before starting device
Ethan Tidmore <ethantidmore06@gmail.com>
xfs: Fix error pointer dereference
Paul Moses <p@1g4.org>
net/sched: act_gate: snapshot parameters with RCU on replace
Nathan Chancellor <nathan@kernel.org>
kbuild: Leave objtool binary around with 'make clean'
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: join: check RM_ADDR not sent over same subflow
Gang Yan <yangang@kylinos.cn>
selftests: mptcp: add a check for 'add_addr_accepted'
Natalie Vock <natalie.vock@gmx.de>
drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: avoid sending RM_ADDR over same subflow
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: in-kernel: always mark signal+subflow endp as used
Zide Chen <zide.chen@intel.com>
perf/x86/intel/uncore: Add per-scheduler IMC CAS count events
Kan Liang <kan.liang@linux.intel.com>
perf/x86/intel/uncore: Support more units on Granite Rapids
Daniel Hodges <git@danielhodges.dev>
wifi: libertas: fix use-after-free in lbs_free_adapter()
Mario Limonciello <mario.limonciello@amd.com>
platform/x86: hp-bioscfg: Support allocations of larger data
Kim Phillips <kim.phillips@amd.com>
x86/sev: Allow IBPB-on-Entry feature for SNP guests
Andrew Lunn <andrew@lunn.ch>
net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
Ankit Garg <nktgrg@google.com>
gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL
Khairul Anuar Romli <khairul.anuar.romli@altera.com>
spi: cadence-quadspi: Implement refcount to handle unbind during busy
Fedor Pchelkin <pchelkin@ispras.ru>
ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths
Eric Dumazet <edumazet@google.com>
dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
Eric Biggers <ebiggers@kernel.org>
smb: client: Compare MACs in constant time
Eric Biggers <ebiggers@kernel.org>
ksmbd: Compare MACs in constant time
Eric Biggers <ebiggers@kernel.org>
net/tcp-md5: Fix MAC comparison to be constant-time
John Ripple <john.ripple@keysight.com>
drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort
Adrian Hunter <adrian.hunter@intel.com>
i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors
Yasin Lee <yasin.lee.x@gmail.com>
iio: proximity: hx9023s: Protect against division by zero in set_samp_freq
Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
iio: imu: inv_icm42600: fix odr switch when turning buffer off
Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
iio: imu: inv_icm42600: fix odr switch to the same value
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: gyro: mpu3050-i2c: fix pm_runtime error handling
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: gyro: mpu3050-core: fix pm_runtime error handling
Nuno Sá <nuno.sa@analog.com>
iio: buffer: Fix wait_queue not being removed
Chris Spencer <spencercw@gmail.com>
iio: chemical: bme680: Fix measurement wait duration calculation
Lukas Schmid <lukas.schmid@netcube.li>
iio: potentiometer: mcp4131: fix double application of wiper shift
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
SeungJu Cheon <suunj1331@gmail.com>
iio: frequency: adf4377: Fix duplicated soft reset mask
Oleksij Rempel <o.rempel@pengutronix.de>
iio: dac: ds4424: reject -128 RAW value
Filipe Manana <fdmanana@suse.com>
btrfs: abort transaction on failure to update root in the received subvol ioctl
Filipe Manana <fdmanana@suse.com>
btrfs: fix transaction abort on set received ioctl due to item overflow
Filipe Manana <fdmanana@suse.com>
btrfs: fix transaction abort on file creation due to name hash collision
Henrique Carvalho <henrique.carvalho@suse.com>
smb: client: fix iface port assignment in parse_server_interfaces
Bharath SM <bharathsm@microsoft.com>
smb: client: fix in-place encryption corruption in SMB2_write()
Paulo Alcantara <pc@manguebit.org>
smb: client: fix atomic open with O_DIRECT & O_SYNC
Josh Law <objecting@objecting.org>
lib/bootconfig: check bounds before writing in __xbc_open_brace()
Josh Law <objecting@objecting.org>
lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after()
Shashank Balaji <shashank.mahadasyam@sony.com>
x86/apic: Disable x2apic on resume if the kernel expects so
Junxiao Bi <junxiao.bi@oracle.com>
scsi: core: Fix error handling for scsi_alloc_sdev()
Josh Law <objecting@objecting.org>
lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
Stefan Haberland <sth@linux.ibm.com>
s390/dasd: Copy detected format information to secondary device
Stefan Haberland <sth@linux.ibm.com>
s390/dasd: Move quiesce state with pprc swap
Long Li <leo.lilong@huawei.com>
xfs: ensure dquot item is deleted from AIL only after log shutdown
Darrick J. Wong <djwong@kernel.org>
xfs: fix undersized l_iclog_roundoff values
Carlos Maiolino <cem@kernel.org>
xfs: fix returned valued from xfs_defer_can_append
Shyam Prasad N <sprasad@microsoft.com>
cifs: make default value of retrans as zero
Laurent Vivier <lvivier@redhat.com>
qmi_wwan: allow max_mtu above hard_mtu to control rx_urb_size
Calvin Owens <calvin@wbinvd.org>
tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
Andrei-Alexandru Tachici <andrei-alexandru.tachici@oss.qualcomm.com>
tracing: Fix enabling multiple events on the kernel command line and bootconfig
Thomas Fourier <fourier.thomas@gmail.com>
drm/msm: Fix dma_free_attrs() buffer size
Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
drm/i915: Fix potential overflow of shmem scatterlist length
Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Set num IP blocks to 0 if discovery fails
Alysa Liu <Alysa.Liu@amd.com>
drm/amdgpu: Fix use-after-free race in VM acquire
Yang Wang <kevinyang.wang@amd.com>
drm/amd/pm: remove invalid gpu_metrics.energy_accumulator on smu v13.0.x
Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
net: dsa: microchip: Fix error path in PTP IRQ setup
Fan Wu <fanwu01@zju.edu.cn>
net: ethernet: arc: emac: quiesce interrupts before requesting IRQ
Jian Zhang <zhangjian.3032@bytedance.com>
net: ncsi: fix skb leak in error paths
Mehul Rao <mehulrao@gmail.com>
net: nexthop: fix percpu use-after-free in remove_nh_grp_entry
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix use-after-free by using call_rcu() for oplock_info
Marios Makassikis <mmakassikis@freebox.fr>
smb: server: fix use-after-free in smb2_open()
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()
Dillon Varone <Dillon.Varone@amd.com>
drm/amd/display: Fallback to boot snapshot for dispclk
Maximilian Pezzullo <maximilianpezzullo@gmail.com>
ata: libata-core: Disable LPM on ST1000DM010-2EP102
Maíra Canal <mcanal@igalia.com>
pmdomain: bcm: bcm2835-power: Fix broken reset status read
Helge Deller <deller@gmx.de>
parisc: Check kernel mapping earlier at bootup
Piotr Jaroszynski <pjaroszynski@nvidia.com>
arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults
Helge Deller <deller@gmx.de>
parisc: Fix initial page table creation for boot
Sanman Pradhan <psanman@juniper.net>
hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
Catalin Marinas <catalin.marinas@arm.com>
arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation
Dave Airlie <airlied@redhat.com>
nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
Helge Deller <deller@gmx.de>
parisc: Increase initial mapping to 64 MB with KALLSYMS
Sven Eckelmann <sven@narfation.org>
batman-adv: Avoid double-rtnl_lock ELP metric worker
Eric Biggers <ebiggers@kernel.org>
net/tcp-ao: Fix MAC comparison to be constant-time
Huiwen He <hehuiwen@kylinos.cn>
tracing: Fix syscall events activation by ensuring refcount hits zero
Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
ice: fix retry for AQ command 0x06EE
Long Li <longli@microsoft.com>
net: mana: Ring doorbell at 4 CQ wraparounds
Ariel Silver <arielsilver77@gmail.com>
media: dvb-net: fix OOB access in ULE extension header tables
Luka Gejak <luka.gejak@linux.dev>
staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
Jedrzej Jagielski <jedrzej.jagielski@intel.com>
ixgbevf: fix link setup issue
Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
ice: reintroduce retry mechanism for indirect AQ
Mark Harmstone <mark@harmstone.com>
btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies()
Marc Zyngier <maz@kernel.org>
irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
device property: Allow secondary lookup in fwnode_get_next_child_node()
Kuniyuki Iwashima <kuniyu@google.com>
nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit().
Alexander Gordeev <agordeev@linux.ibm.com>
s390/pfault: Fix virtual vs physical address confusion
Franz Schnyder <franz.schnyder@toradex.com>
drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used
Osama Abdelkader <osama.abdelkader@gmail.com>
drm/bridge: samsung-dsim: Fix memory leak in error path
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Disable MES LR compute W/A
Xu Yang <xu.yang_2@nxp.com>
Revert "tcpm: allow looking for role_sw device in the main node"
Linus Torvalds <torvalds@linux-foundation.org>
Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures
Thomas Gleixner <tglx@linutronix.de>
kbuild: Disable CC_HAS_ASM_GOTO_OUTPUT on clang < 17
Xingui Yang <yangxingui@huawei.com>
scsi: hisi_sas: Fix NULL pointer exception during user_scan()
Yihang Li <liyihang9@huawei.com>
scsi: hisi_sas: Use macro instead of magic number
Xingui Yang <yangxingui@huawei.com>
scsi: hisi_sas: Add time interval between two H2D FIS following soft reset spec
Wang Shuaiwei <wangshuaiwei1@xiaomi.com>
scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend
Adrian Ng Ho Yin <adrianhoyin.ng@altera.com>
i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach
Steven Rostedt <rostedt@goodmis.org>
time/jiffies: Mark jiffies_64_to_clock_t() notrace
Max Kellermann <max.kellermann@ionos.com>
ceph: fix memory leaks in ceph_mdsc_build_path()
Max Kellermann <max.kellermann@ionos.com>
ceph: fix i_nlink underrun during async unlink
Ilya Dryomov <idryomov@gmail.com>
libceph: admit message frames only in CEPH_CON_S_OPEN state
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Use u32 for non-negative values in ceph_monmap_decode()
Ilya Dryomov <idryomov@gmail.com>
libceph: prevent potential out-of-bounds reads in process_message_header()
Ilya Dryomov <idryomov@gmail.com>
libceph: reject preamble if control segment is empty
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
Max Kellermann <max.kellermann@ionos.com>
ceph: add a bunch of missing ceph_path_info initializers
Masami Hiramatsu (Google) <mhiramat@kernel.org>
kprobes: avoid crash when rmmod/insmod after ftrace killed
Mehul Rao <mehulrao@gmail.com>
tipc: fix divide-by-zero in tipc_sk_filter_connect()
Ravi Hothi <ravi.hothi@oss.qualcomm.com>
ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start
Penghe Geng <pgeng@nvidia.com>
mmc: core: Avoid bitfield RMW for claim/retune flags
Alexander Potapenko <glider@google.com>
mm/kfence: disable KFENCE upon KASAN HW tags enablement
Felix Gu <ustc.gu@gmail.com>
mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
Kalesh Singh <kaleshsingh@google.com>
mm/tracing: rss_stat: ensure curr is false from kthread context
Miguel Ojeda <ojeda@kernel.org>
rust: kbuild: allow `unused_features`
Ziyi Guo <n7l8m4@u.northwestern.edu>
usb: image: mdc800: kill download URB on timeout
Oliver Neukum <oneukum@suse.com>
usb: mdc800: handle signal and read racing
Fan Wu <fanwu01@zju.edu.cn>
usb: renesas_usbhs: fix use-after-free in ISR during device removal
Oliver Neukum <oneukum@suse.com>
usb: class: cdc-wdm: fix reordering issue in read code path
Alan Stern <stern@rowland.harvard.edu>
USB: core: Limit the length of unkillable synchronous timeouts
Alan Stern <stern@rowland.harvard.edu>
USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
Alan Stern <stern@rowland.harvard.edu>
USB: usbcore: Introduce usb_bulk_msg_killable()
RD Babiera <rdbabiera@google.com>
usb: typec: altmode/displayport: set displayport signaling rate in configure message
Xu Yang <xu.yang_2@nxp.com>
usb: roles: get usb role switch from parent only for usb-b-connector
Marc Zyngier <maz@kernel.org>
usb: cdc-acm: Restore CAP_BRK functionnality to CH343
Gabor Juhos <j4g8y7@gmail.com>
usb: core: don't power off roothub PHYs if phy_set_mode() fails
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: misc: uss720: properly clean up reference in uss720_probe()
Heikki Krogerus <heikki.krogerus@linux.intel.com>
usb: dwc3: pci: add support for the Intel Nova Lake -H
Oliver Neukum <oneukum@suse.com>
usb: yurex: fix race in probe
Dayu Jiang <jiangdayu@xiaomi.com>
usb: xhci: Prevent interrupt storm on host controller error (HCE)
Zilin Guan <zilin@seu.edu.cn>
usb: xhci: Fix memory leak in xhci_disable_slot()
Vyacheslav Vahnenko <vahnenko2003@gmail.com>
USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed
Christoffer Sandberg <cs@tuxedo.de>
usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
A1RM4X <dev@a1rm4x.com>
USB: add QUIRK_NO_BOS for video capture several devices
Sean Christopherson <seanjc@google.com>
KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC
Zhang Heng <zhangheng@kylinos.cn>
ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA
Pedro Falcato <pfalcato@suse.de>
ata: libata-core: Add BRIDGE_OK quirk for QEMU drives
Oleksij Rempel <o.rempel@pengutronix.de>
net: usb: lan78xx: skip LTM configuration for LAN7850
Oleksij Rempel <o.rempel@pengutronix.de>
net: usb: lan78xx: fix TX byte statistics for small packets
Oleksij Rempel <o.rempel@pengutronix.de>
net: usb: lan78xx: fix silent drop of packets with checksum errors
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
Mehul Rao <mehulrao@gmail.com>
ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
Qingye Zhao <zhaoqingye@honor.com>
cgroup: fix race between task migration and iteration
Sasha Levin <sashal@kernel.org>
Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on"
Seungjin Bae <eeodqql09@gmail.com>
usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
Andreas Kemnade <andreas@kemnade.info>
iio: imu: inv-mpu9150: fix irq ack preventing irq storms
Eric Dumazet <edumazet@google.com>
net: prevent NULL deref in ip[6]tunnel_xmit()
Alok Tiwari <alok.a.tiwari@oracle.com>
octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status
Alok Tiwari <alok.a.tiwari@oracle.com>
octeontx2-af: devlink: fix NIX RAS reporter recovery condition
Marek Behún <kabel@kernel.org>
net: dsa: realtek: Fix LED group port bit for non-zero LED group
Ricardo B. Marlière <rbm@suse.com>
net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
Philip Yang <Philip.Yang@amd.com>
drm/amdkfd: Unreserve bo if queue update failed
Casey Connolly <casey.connolly@linaro.org>
ASoC: detect empty DMI strings
Chen Ni <nichen@iscas.ac.cn>
ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
Ben Dooks <ben.dooks@codethink.co.uk>
ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address()
Nicolai Buchwitz <nb@tipi-net.de>
net: bcmgenet: fix broken EEE by converting to phylib-managed state
Matt Vollrath <tactii@gmail.com>
e1000/e1000e: Fix leak in DMA error cleanup
Alok Tiwari <alok.a.tiwari@oracle.com>
i40e: fix src IP mask checks and memcpy argument names in cloud filter
Sungwoo Kim <iam@sung-woo.kim>
nvme-pci: Fix race bug in nvme_poll_irqdisable()
Sungwoo Kim <iam@sung-woo.kim>
nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
sched: idle: Make skipping governor callbacks more consistent
Chen Ni <nichen@iscas.ac.cn>
perf ftrace: Fix hashmap__new() error checking
Peng Fan <peng.fan@nxp.com>
regulator: pca9450: Correct interrupt type
Chen Ni <nichen@iscas.ac.cn>
perf annotate: Fix hashmap__new() error checking
Yuan Tan <tanyuan98@outlook.com>
netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
Hyunwoo Kim <imv4bel@gmail.com>
netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
Hyunwoo Kim <imv4bel@gmail.com>
netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
David Dull <monderasdor@gmail.com>
netfilter: x_tables: guard option walkers against 1-byte tail reads
Jenny Guanni Qu <qguanni@gmail.com>
netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
Florian Westphal <fw@strlen.de>
netfilter: nf_tables: always walk all pending catchall elements
Weiming Shi <bestswngs@gmail.com>
net: add xmit recursion limit to tunnel xmit functions
Toke Høiland-Jørgensen <toke@redhat.com>
xdp: register system page pool as an XDP memory model
Alexander Lobakin <aleksander.lobakin@intel.com>
xdp: allow attaching already registered memory model to xdp_rxq_info
Raju Rangoju <Raju.Rangoju@amd.com>
amd-xgbe: prevent CRC errors during RX adaptation with AN disabled
Raju Rangoju <Raju.Rangoju@amd.com>
amd-xgbe: fix link status handling in xgbe_rx_adaptation
Chengfeng Ye <dg573847474@gmail.com>
mctp: route: hold key->lock in mctp_flow_prepare_output()
Jiayuan Chen <jiayuan.chen@shopee.com>
bonding: fix type confusion in bond_setup_by_slave()
Hangbin Liu <liuhangbin@gmail.com>
bonding: use common function to compute the features
Hangbin Liu <liuhangbin@gmail.com>
net: add a common function to compute features for upper devices
Cosmin Ratiu <cratiu@nvidia.com>
bonding: Correctly support GSO ESP offload
Jianbo Liu <jianbol@nvidia.com>
bonding: add ESP offload features when slaves support
Wenyuan Li <2063309626@qq.com>
can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value
Haiyue Wang <haiyuewa@163.com>
mctp: i2c: fix skb memory leak in receive path
Pavan Chebbi <pavan.chebbi@broadcom.com>
bnxt_en: Fix RSS table size check when changing ethtool channels
Shuangpeng Bai <shuangpeng.kernel@gmail.com>
serial: caif: hold tty->link reference in ldisc_open and ser_release
Álvaro Fernández Rojas <noltari@gmail.com>
net: sfp: improve Huawei MA5671a fixup
Sen Wang <sen@ti.com>
ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ASoC: simple-card-utils: use __free(device_node) for device node
matteo.cotifava <cotifavamatteo@gmail.com>
ASoC: soc-core: flush delayed work before removing DAIs and widgets
matteo.cotifava <cotifavamatteo@gmail.com>
ASoC: soc-core: drop delayed_work_pending() check before flush
David Lechner <dlechner@baylibre.com>
drm/sitronix/st7586: fix bad pixel data due to byte swap
Weiming Shi <bestswngs@gmail.com>
net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
Gal Pressman <gal@nvidia.com>
net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
Patrisious Haddad <phaddad@nvidia.com>
net/mlx5: Fix crash when moving to switchdev mode
Cosmin Ratiu <cratiu@nvidia.com>
net/mlx5: Fix deadlock between devlink lock and esw->wq
Daniel Jurgens <danielj@nvidia.com>
net/mlx5: Query to see if host PF is disabled
Daniel Jurgens <danielj@nvidia.com>
net/mlx5: IFC updates for disabled host PF
Hangbin Liu <liuhangbin@gmail.com>
bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states
Yang Wang <kevinyang.wang@amd.com>
drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v14
Pengyu Luo <mitltlatltl@gmail.com>
drm/msm/dsi: fix pclk rate calculation for bonded dsi
Mieczyslaw Nalewaj <namiltd@yahoo.com>
net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets
Peter Collingbourne <pcc@google.com>
perf disasm: Fix off-by-one bug in outside check
Breno Leitao <leitao@debian.org>
workqueue: Use POOL_BH instead of WQ_BH when checking pool flags
Sun YangKai <sunk67188@gmail.com>
btrfs: hold space_info->lock when clearing periodic reclaim ready
Eric Badger <ebadger@purestorage.com>
xprtrdma: Decrement re_receiving on the early exit paths
Pengyu Luo <mitltlatltl@gmail.com>
drm/msm/dsi: fix hdisplay calculation when programming dsi registers
Roberto Bergantinos Corpas <rbergant@redhat.com>
nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
Guenter Roeck <linux@roeck-us.net>
smb/server: Fix another refcount leak in smb2_open()
J. Neuschäfer <j.ne@posteo.net>
powerpc: 83xx: km83xx: Fix keymile vendor prefix
Tzung-Bi Shih <tzungbi@kernel.org>
remoteproc: mediatek: Unprepare SCP clock during system suspend
Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
remoteproc: sysmon: Correct subsys_name_len type in QMI request
Sourabh Jain <sourabhjain@linux.ibm.com>
powerpc/crash: adjust the elfcorehdr size
Sourabh Jain <sourabhjain@linux.ibm.com>
powerpc/kexec/core: use big-endian types for crash variables
Ben Collins <bcollins@kernel.org>
kexec: Include kernel-end even without crashkernel
Eliav Farber <farbere@amazon.com>
kexec: Consolidate machine_kexec_mask_interrupts() implementation
Christophe Leroy (CS GROUP) <chleroy@kernel.org>
powerpc/uaccess: Fix inline assembly for clang build on PPC32
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Check max frame size for implicit feedback mode, too
sguttula <suresh.guttula@amd.com>
drm/amdgpu/vcn5: Add SMU dpm interface type
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0
wangshuaiwei <wangshuaiwei1@xiaomi.com>
scsi: ufs: core: Fix shift out of bounds when MAXQ=32
Peter Wang <peter.wang@mediatek.com>
scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
Charles Keepax <ckeepax@opensource.cirrus.com>
ASoC: cs42l43: Report insert for exotic peripherals
Azamat Almazbek uulu <almazbek1608@gmail.com>
ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table
Tomas Henzl <thenzl@redhat.com>
scsi: ses: Fix devices attaching to different hosts
Sofia Schneider <sofia@schn.dev>
ACPI: OSI: Add DMI quirk for Acer Aspire One D255
Ramanathan Choodamani <quic_rchoodam@quicinc.com>
wifi: mac80211: set default WMM parameters on all links
Al Viro <viro@zeniv.linux.org.uk>
unshare: fix unshare_fs() handling
Sean Rhodes <sean@starlabs.systems>
ALSA: hda/realtek: Fix speaker pop on Star Labs StarFighter
Ranjan Kumar <ranjan.kumar@broadcom.com>
scsi: mpi3mr: Add NULL checks when resetting request and reply queues
Piotr Mazek <pmazek@outlook.com>
ACPI: PM: Save NVS memory on Lenovo G70-35
Jan Kiszka <jan.kiszka@siemens.com>
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
-------------
Diffstat:
Documentation/virt/kvm/api.rst | 52 ++++
Makefile | 13 +-
arch/arm/kernel/machine_kexec.c | 23 --
arch/arm64/Kconfig | 1 +
.../arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi | 1 -
arch/arm64/boot/dts/renesas/r9a09g057.dtsi | 37 +--
arch/arm64/include/asm/pgtable-prot.h | 10 +-
arch/arm64/kernel/machine_kexec.c | 31 ---
arch/arm64/mm/contpte.c | 53 ++++-
arch/loongarch/include/asm/uaccess.h | 14 +-
arch/parisc/include/asm/pgtable.h | 2 +-
arch/parisc/kernel/cache.c | 4 +-
arch/parisc/kernel/head.S | 7 +-
arch/parisc/kernel/setup.c | 20 +-
arch/powerpc/include/asm/kexec.h | 1 -
arch/powerpc/include/asm/uaccess.h | 2 +-
arch/powerpc/kexec/core.c | 60 ++---
arch/powerpc/kexec/core_32.c | 1 +
arch/powerpc/kexec/file_load_64.c | 14 +-
arch/powerpc/net/bpf_jit_comp.c | 2 +-
arch/powerpc/net/bpf_jit_comp64.c | 140 +++++++----
arch/powerpc/platforms/83xx/km83xx.c | 4 +-
arch/riscv/kernel/machine_kexec.c | 23 --
arch/s390/include/asm/processor.h | 2 +-
arch/s390/lib/xor.c | 4 +-
arch/s390/mm/pfault.c | 4 +-
arch/x86/boot/compressed/sev.c | 1 +
arch/x86/coco/sev/core.c | 1 +
arch/x86/events/intel/core.c | 25 +-
arch/x86/events/intel/uncore_snbep.c | 78 ++++--
arch/x86/include/asm/kvm_host.h | 9 +-
arch/x86/include/asm/msr-index.h | 5 +-
arch/x86/include/uapi/asm/kvm.h | 3 +
arch/x86/kernel/apic/apic.c | 6 +
arch/x86/kernel/apic/x2apic_uv_x.c | 18 +-
arch/x86/kernel/uprobes.c | 24 ++
arch/x86/kvm/mmu.h | 2 +-
arch/x86/kvm/mmu/mmu.c | 10 +-
arch/x86/kvm/svm/avic.c | 30 ++-
arch/x86/kvm/svm/svm.c | 14 +-
arch/x86/kvm/vmx/nested.c | 26 +-
arch/x86/kvm/vmx/vmx.c | 50 +++-
arch/x86/kvm/x86.c | 23 +-
arch/x86/kvm/x86.h | 3 +
block/blk-cgroup.c | 6 -
block/blk-cgroup.h | 6 +
block/blk-throttle.c | 6 +-
block/blk-throttle.h | 18 +-
drivers/acpi/acpi_processor.c | 15 +-
drivers/acpi/osi.c | 13 +
drivers/acpi/osl.c | 2 +-
drivers/acpi/sleep.c | 8 +
drivers/ata/libata-core.c | 5 +
drivers/ata/libata-scsi.c | 83 ++++---
drivers/base/power/runtime.c | 1 +
drivers/base/property.c | 27 +--
drivers/bluetooth/btqca.c | 2 +
drivers/cache/ax45mp_cache.c | 4 +-
drivers/cache/starfive_starlink_cache.c | 4 +-
drivers/cpuidle/cpuidle.c | 10 -
drivers/crypto/atmel-sha204a.c | 5 +-
drivers/dma/mmp_pdma.c | 6 +
drivers/firewire/net.c | 5 +-
drivers/firmware/arm_ffa/driver.c | 8 +-
drivers/firmware/arm_scpi.c | 5 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 20 +-
drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 21 +-
drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 5 -
drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 5 -
drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c | 9 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c | 3 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c | 3 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_1.c | 3 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_2.c | 3 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v4_1_0.c | 3 +-
drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 4 +
.../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 1 +
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 +-
.../drm/amd/display/amdgpu_dm/amdgpu_dm_pp_smu.c | 1 +
drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c | 8 +-
.../amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 2 +-
drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 2 +-
drivers/gpu/drm/amd/display/dc/dm_services_types.h | 2 +-
.../drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 6 +-
.../amd/display/dc/resource/dcn32/dcn32_resource.c | 3 +
drivers/gpu/drm/amd/include/dm_pp_interface.h | 1 +
drivers/gpu/drm/amd/pm/amdgpu_dpm_internal.c | 67 ++++++
drivers/gpu/drm/amd/pm/inc/amdgpu_dpm_internal.h | 2 +
drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 4 +-
drivers/gpu/drm/amd/pm/legacy-dpm/legacy_dpm.c | 6 +-
drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 69 ++----
drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 11 +-
.../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 8 +-
.../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 3 +-
.../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 3 +-
drivers/gpu/drm/bridge/samsung-dsim.c | 25 +-
drivers/gpu/drm/bridge/ti-sn65dsi83.c | 13 +-
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 118 ++++++++-
drivers/gpu/drm/drm_file.c | 5 +-
drivers/gpu/drm/drm_mode_config.c | 9 +-
drivers/gpu/drm/i915/display/intel_display_types.h | 1 +
drivers/gpu/drm/i915/display/intel_psr.c | 71 ++++--
drivers/gpu/drm/i915/display/intel_vdsc.c | 23 ++
drivers/gpu/drm/i915/display/intel_vdsc.h | 3 +
drivers/gpu/drm/i915/display/intel_vdsc_regs.h | 12 +
drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 12 +-
drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 +-
drivers/gpu/drm/imagination/pvr_power.c | 11 +-
drivers/gpu/drm/msm/adreno/a2xx_gpummu.c | 2 +-
drivers/gpu/drm/msm/dsi/dsi_host.c | 43 +++-
drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +
drivers/gpu/drm/radeon/si_dpm.c | 4 +-
drivers/gpu/drm/tiny/st7586.c | 15 +-
drivers/gpu/drm/xe/xe_ggtt.c | 10 +-
drivers/gpu/drm/xe/xe_ggtt_types.h | 5 +-
drivers/gpu/drm/xe/xe_oa.c | 7 +-
drivers/gpu/drm/xe/xe_sync.c | 24 +-
drivers/hid/bpf/hid_bpf_dispatch.c | 2 +
drivers/hwmon/max6639.c | 10 +-
drivers/hwmon/pmbus/isl68137.c | 7 +-
drivers/hwmon/pmbus/mp2975.c | 2 +
drivers/hwmon/pmbus/q54sj108a2.c | 19 +-
drivers/i2c/busses/i2c-cp2615.c | 3 +
drivers/i2c/busses/i2c-fsi.c | 1 +
drivers/i2c/busses/i2c-pxa.c | 17 +-
drivers/i3c/master/dw-i3c-master.c | 4 +-
drivers/i3c/master/mipi-i3c-hci/cmd.h | 1 +
drivers/i3c/master/mipi-i3c-hci/cmd_v1.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/cmd_v2.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/core.c | 6 +-
drivers/i3c/master/mipi-i3c-hci/dma.c | 4 +-
drivers/iio/chemical/bme680_core.c | 2 +-
drivers/iio/chemical/sps30_i2c.c | 2 +-
drivers/iio/chemical/sps30_serial.c | 2 +-
drivers/iio/dac/ds4424.c | 2 +-
drivers/iio/frequency/adf4377.c | 2 +-
drivers/iio/gyro/mpu3050-core.c | 18 +-
drivers/iio/gyro/mpu3050-i2c.c | 3 +-
drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 2 +
drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c | 4 +
drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 2 +
drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 8 +
drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 2 +
drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c | 5 +-
drivers/iio/industrialio-buffer.c | 6 +-
drivers/iio/potentiometer/mcp4131.c | 2 +-
drivers/iio/proximity/hx9023s.c | 3 +
drivers/iommu/intel/dmar.c | 3 +-
drivers/irqchip/irq-gic-v3-its.c | 4 +
drivers/md/dm-verity-fec.c | 4 +-
drivers/md/dm-verity-fec.h | 3 -
drivers/media/dvb-core/dvb_net.c | 3 +
drivers/mmc/host/dw_mmc-rockchip.c | 51 +++-
drivers/mmc/host/mmci_qcom_dml.c | 1 +
drivers/mmc/host/sdhci-pci-gli.c | 9 +
drivers/mmc/host/sdhci.c | 9 +-
drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 +-
drivers/mtd/nand/raw/cadence-nand-controller.c | 2 +-
drivers/mtd/nand/raw/nand_base.c | 14 +-
drivers/mtd/nand/raw/pl35x-nand-controller.c | 3 +
drivers/mtd/parsers/redboot.c | 6 +-
drivers/mtd/spi-nor/core.c | 145 ++++++++++-
drivers/net/bonding/bond_debugfs.c | 16 +-
drivers/net/bonding/bond_main.c | 138 +++++------
drivers/net/caif/caif_serial.c | 3 +
drivers/net/can/spi/hi311x.c | 5 +-
drivers/net/can/usb/gs_usb.c | 22 +-
drivers/net/dsa/bcm_sf2.c | 8 +-
drivers/net/dsa/microchip/ksz_ptp.c | 11 +-
drivers/net/dsa/realtek/rtl8365mb.c | 3 +-
drivers/net/dsa/realtek/rtl8366rb-leds.c | 6 +-
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 4 +
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 82 ++++++-
drivers/net/ethernet/amd/xgbe/xgbe.h | 4 +
drivers/net/ethernet/arc/emac_main.c | 11 +
drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 4 +-
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 31 +--
drivers/net/ethernet/broadcom/genet/bcmgenet.h | 5 +-
drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +-
drivers/net/ethernet/broadcom/genet/bcmmii.c | 10 +-
drivers/net/ethernet/cadence/macb_main.c | 124 +++++++++-
drivers/net/ethernet/cadence/macb_ptp.c | 4 +-
drivers/net/ethernet/google/gve/gve_tx_dqo.c | 52 ++--
drivers/net/ethernet/intel/e1000/e1000_main.c | 2 -
drivers/net/ethernet/intel/e1000e/netdev.c | 2 -
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 +-
drivers/net/ethernet/intel/iavf/iavf_main.c | 9 +-
drivers/net/ethernet/intel/ice/ice_common.c | 13 +-
drivers/net/ethernet/intel/ice/ice_ethtool.c | 35 ++-
drivers/net/ethernet/intel/ice/ice_main.c | 3 +-
drivers/net/ethernet/intel/igc/igc.h | 2 +
drivers/net/ethernet/intel/igc/igc_main.c | 14 +-
drivers/net/ethernet/intel/igc/igc_ptp.c | 33 +++
drivers/net/ethernet/intel/ixgbevf/vf.c | 3 +-
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 +-
.../net/ethernet/marvell/octeontx2/af/rvu_cgx.c | 3 +
.../ethernet/marvell/octeontx2/af/rvu_devlink.c | 6 +-
.../net/ethernet/marvell/octeontx2/af/rvu_sdp.c | 2 +-
drivers/net/ethernet/mediatek/airoha_eth.c | 52 ++--
.../ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 -
.../ethernet/mellanox/mlx5/core/en_accel/ipsec.h | 1 +
.../mellanox/mlx5/core/en_accel/ipsec_fs.c | 2 +-
.../mellanox/mlx5/core/en_accel/ipsec_offload.c | 52 ++--
drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 23 +-
drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 30 ++-
drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 3 +
.../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 18 +-
drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +-
drivers/net/ethernet/microsoft/mana/mana_en.c | 23 +-
drivers/net/ethernet/stmicro/stmmac/common.h | 1 -
drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 4 -
.../net/ethernet/stmicro/stmmac/dwmac-loongson.c | 7 -
drivers/net/ethernet/stmicro/stmmac/stmmac.h | 2 -
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 36 ---
.../net/ethernet/stmicro/stmmac/stmmac_platform.c | 8 -
drivers/net/mctp/mctp-i2c.c | 1 +
drivers/net/phy/phy_device.c | 25 +-
drivers/net/phy/sfp.c | 8 +-
drivers/net/usb/aqc111.c | 12 +-
drivers/net/usb/cdc_ncm.c | 10 +-
drivers/net/usb/lan78xx.c | 10 +-
drivers/net/usb/lan78xx.h | 3 +
drivers/net/usb/qmi_wwan.c | 4 +-
drivers/net/usb/usbnet.c | 7 +-
drivers/net/wireless/marvell/libertas/main.c | 4 +-
drivers/net/wireless/ti/wlcore/tx.c | 2 +-
drivers/nfc/nxp-nci/i2c.c | 4 +-
drivers/nvdimm/bus.c | 5 +-
drivers/nvme/host/pci.c | 8 +-
drivers/platform/x86/amd/pmc/pmc.c | 3 +
drivers/platform/x86/amd/pmc/pmc.h | 1 +
.../platform/x86/hp/hp-bioscfg/enum-attributes.c | 9 +-
drivers/pmdomain/bcm/bcm2835-power.c | 18 +-
drivers/regulator/pca9450-regulator.c | 2 +-
drivers/remoteproc/mtk_scp.c | 39 +++
drivers/remoteproc/qcom_sysmon.c | 2 +-
drivers/s390/block/dasd_eckd.c | 16 ++
drivers/s390/crypto/zcrypt_ccamisc.c | 12 +-
drivers/s390/crypto/zcrypt_cex4.c | 3 +-
drivers/scsi/hisi_sas/hisi_sas.h | 43 +++-
drivers/scsi/hisi_sas/hisi_sas_main.c | 42 +++-
drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 246 ++++++++++++-------
drivers/scsi/mpi3mr/mpi3mr_fw.c | 32 +--
drivers/scsi/scsi_scan.c | 8 +-
drivers/scsi/ses.c | 5 +-
drivers/scsi/storvsc_drv.c | 5 +-
drivers/soc/fsl/qbman/qman.c | 24 +-
drivers/soc/fsl/qe/qmc.c | 4 +-
drivers/soc/microchip/mpfs-sys-controller.c | 13 +-
drivers/soc/rockchip/grf.c | 1 +
drivers/spi/spi-cadence-quadspi.c | 33 +++
drivers/spi/spi.c | 25 +-
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 +-
drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 +-
drivers/tty/serial/8250/8250_dma.c | 15 ++
drivers/tty/serial/8250/8250_pci.c | 17 ++
drivers/tty/serial/8250/8250_port.c | 6 +
drivers/tty/serial/uartlite.c | 1 +
drivers/ufs/core/ufshcd.c | 8 +-
drivers/usb/class/cdc-acm.c | 5 +
drivers/usb/class/cdc-acm.h | 1 +
drivers/usb/class/cdc-wdm.c | 4 +-
drivers/usb/class/usbtmc.c | 6 +-
drivers/usb/core/message.c | 100 ++++++--
drivers/usb/core/phy.c | 8 +-
drivers/usb/core/quirks.c | 16 ++
drivers/usb/dwc3/dwc3-pci.c | 2 +
drivers/usb/gadget/function/f_mass_storage.c | 12 +-
drivers/usb/gadget/function/f_ncm.c | 36 ++-
drivers/usb/gadget/function/f_tcm.c | 14 ++
drivers/usb/gadget/function/u_ether.c | 22 ++
drivers/usb/gadget/function/u_ether.h | 26 ++
drivers/usb/gadget/function/u_ncm.h | 2 +-
drivers/usb/host/xhci-ring.c | 1 +
drivers/usb/host/xhci.c | 4 +-
drivers/usb/image/mdc800.c | 6 +-
drivers/usb/misc/uss720.c | 2 +-
drivers/usb/misc/yurex.c | 2 +-
drivers/usb/renesas_usbhs/common.c | 9 +
drivers/usb/roles/class.c | 7 +-
drivers/usb/serial/f81232.c | 77 +++---
drivers/usb/typec/altmodes/displayport.c | 7 +-
drivers/usb/typec/tcpm/tcpm.c | 2 +-
fs/binfmt_misc.c | 4 +-
fs/btrfs/disk-io.c | 22 --
fs/btrfs/extent_io.c | 3 +-
fs/btrfs/extent_io.h | 3 +-
fs/btrfs/inode.c | 19 ++
fs/btrfs/ioctl.c | 24 +-
fs/btrfs/space-info.c | 5 +-
fs/btrfs/transaction.c | 16 ++
fs/btrfs/tree-checker.c | 2 +-
fs/btrfs/tree-log.c | 6 +
fs/btrfs/uuid-tree.c | 38 +++
fs/btrfs/uuid-tree.h | 2 +
fs/btrfs/volumes.c | 6 +-
fs/ceph/debugfs.c | 4 +-
fs/ceph/dir.c | 17 +-
fs/ceph/file.c | 4 +-
fs/ceph/inode.c | 2 +-
fs/ceph/mds_client.c | 3 +
fs/erofs/zdata.c | 21 +-
fs/f2fs/compress.c | 74 +++---
fs/f2fs/f2fs.h | 2 +
fs/f2fs/gc.c | 16 +-
fs/iomap/buffered-io.c | 15 +-
fs/nfs/nfs3proc.c | 7 +-
fs/nfsd/nfs4xdr.c | 9 +-
fs/nfsd/nfsctl.c | 16 +-
fs/nfsd/state.h | 17 +-
fs/nsfs.c | 21 ++
fs/smb/client/cifsencrypt.c | 3 +-
fs/smb/client/cifsfs.c | 7 +-
fs/smb/client/cifsglob.h | 11 +
fs/smb/client/cifsproto.h | 1 +
fs/smb/client/connect.c | 4 +
fs/smb/client/dir.c | 1 +
fs/smb/client/file.c | 29 +--
fs/smb/client/fs_context.c | 2 +-
fs/smb/client/misc.c | 42 ++++
fs/smb/client/smb2ops.c | 14 +-
fs/smb/client/smb2pdu.c | 5 +-
fs/smb/client/smb2transport.c | 4 +-
fs/smb/client/trace.h | 2 +
fs/smb/server/Kconfig | 1 +
fs/smb/server/auth.c | 26 +-
fs/smb/server/oplock.c | 35 ++-
fs/smb/server/oplock.h | 5 +-
fs/smb/server/smb2pdu.c | 34 ++-
fs/tests/exec_kunit.c | 3 -
fs/xfs/libxfs/xfs_defer.c | 2 +-
fs/xfs/scrub/agheader_repair.c | 13 +-
fs/xfs/scrub/alloc_repair.c | 5 +-
fs/xfs/scrub/attr_repair.c | 20 +-
fs/xfs/scrub/bmap_repair.c | 6 +-
fs/xfs/scrub/common.h | 18 --
fs/xfs/scrub/dir.c | 13 +-
fs/xfs/scrub/dir_repair.c | 11 +-
fs/xfs/scrub/dirtree.c | 11 +-
fs/xfs/scrub/ialloc_repair.c | 5 +-
fs/xfs/scrub/nlinks.c | 6 +-
fs/xfs/scrub/orphanage.c | 7 +-
fs/xfs/scrub/parent.c | 11 +-
fs/xfs/scrub/parent_repair.c | 23 +-
fs/xfs/scrub/quotacheck.c | 13 +-
fs/xfs/scrub/refcount_repair.c | 13 +-
fs/xfs/scrub/rmap_repair.c | 5 +-
fs/xfs/scrub/rtsummary.c | 7 +-
fs/xfs/xfs_bmap_item.c | 3 +-
fs/xfs/xfs_dquot.c | 8 +-
fs/xfs/xfs_log.c | 2 +
include/linux/cleanup.h | 19 ++
include/linux/etherdevice.h | 3 +-
include/linux/huge_mm.h | 4 +
include/linux/if_ether.h | 3 +-
include/linux/io_uring_types.h | 3 +
include/linux/irq.h | 3 +
include/linux/irqchip/arm-gic-v3.h | 1 +
include/linux/mlx5/mlx5_ifc.h | 4 +-
include/linux/mmc/host.h | 9 +-
include/linux/netdev_features.h | 18 ++
include/linux/netdevice.h | 40 +++-
include/linux/stmmac.h | 1 -
include/linux/trace_recursion.h | 9 +
include/linux/uprobes.h | 1 +
include/linux/usb.h | 8 +-
include/linux/usb/usbnet.h | 1 +
include/net/dsa.h | 1 +
include/net/ip6_tunnel.h | 14 ++
include/net/ip_tunnels.h | 7 +
include/net/netfilter/nf_tables.h | 2 +
include/net/sch_generic.h | 33 +++
include/net/tc_act/tc_gate.h | 33 ++-
include/net/udp_tunnel.h | 2 +-
include/net/xdp.h | 32 +++
include/trace/events/kmem.h | 8 +-
include/trace/events/rxrpc.h | 4 +
init/Kconfig | 3 +
io_uring/kbuf.c | 18 +-
io_uring/kbuf.h | 4 +-
io_uring/uring_cmd.c | 9 +-
kernel/cgroup/cgroup.c | 1 +
kernel/events/uprobes.c | 10 +-
kernel/fork.c | 2 +-
kernel/irq/Kconfig | 6 +
kernel/irq/Makefile | 2 +-
kernel/irq/kexec.c | 40 ++++
kernel/kprobes.c | 51 ++--
kernel/sched/ext.c | 89 +++++--
kernel/sched/fair.c | 84 ++++---
kernel/sched/idle.c | 39 ++-
kernel/time/time.c | 2 +-
kernel/trace/ring_buffer.c | 2 +-
kernel/trace/trace.c | 12 +-
kernel/trace/trace_events.c | 58 +++--
kernel/trace/trace_functions_graph.c | 6 +-
kernel/workqueue.c | 2 +-
lib/bootconfig.c | 9 +-
mm/compaction.c | 2 +
mm/internal.h | 3 +-
mm/kfence/core.c | 29 ++-
mm/page_alloc.c | 59 ++++-
mm/shmem.c | 97 ++++++--
net/batman-adv/bat_iv_ogm.c | 3 +
net/batman-adv/bat_v_elp.c | 10 +-
net/batman-adv/hard-interface.c | 8 +-
net/batman-adv/hard-interface.h | 1 +
net/bluetooth/hci_conn.c | 4 +-
net/bluetooth/hci_sync.c | 2 +-
net/bluetooth/hidp/core.c | 16 +-
net/bluetooth/l2cap_core.c | 51 ++--
net/bluetooth/mgmt.c | 7 +-
net/bluetooth/smp.c | 2 +-
net/bridge/br_cfm.c | 4 +-
net/ceph/auth.c | 6 +-
net/ceph/messenger_v2.c | 31 ++-
net/ceph/mon_client.c | 6 +-
net/core/dev.c | 98 +++++++-
net/core/dev.h | 35 ---
net/core/dst.c | 1 +
net/core/xdp.c | 56 +++++
net/dsa/dsa.c | 59 +++--
net/ethernet/eth.c | 9 +-
net/ipv4/Kconfig | 1 +
net/ipv4/icmp.c | 4 +-
net/ipv4/ip_gre.c | 3 +-
net/ipv4/ip_tunnel_core.c | 15 ++
net/ipv4/nexthop.c | 14 +-
net/ipv4/route.c | 4 +-
net/ipv4/tcp.c | 3 +-
net/ipv4/tcp_ao.c | 3 +-
net/ipv4/tcp_ipv4.c | 3 +-
net/ipv6/ip6_output.c | 35 +--
net/ipv6/route.c | 4 +-
net/ipv6/tcp_ipv6.c | 3 +-
net/mac80211/chan.c | 6 +-
net/mac80211/debugfs.c | 14 +-
net/mac80211/link.c | 2 +
net/mac80211/mesh.c | 3 +
net/mac802154/iface.c | 4 +-
net/mctp/route.c | 13 +-
net/mpls/af_mpls.c | 1 +
net/mptcp/pm.c | 2 +-
net/mptcp/pm_netlink.c | 72 ++++--
net/mptcp/protocol.h | 2 +
net/ncsi/ncsi-aen.c | 3 +-
net/ncsi/ncsi-rsp.c | 16 +-
net/netfilter/nf_bpf_link.c | 2 +-
net/netfilter/nf_conntrack_h323_asn1.c | 4 +
net/netfilter/nf_conntrack_netlink.c | 67 ++++--
net/netfilter/nf_conntrack_sip.c | 6 +-
net/netfilter/nf_tables_api.c | 7 +-
net/netfilter/nfnetlink_cthelper.c | 8 +-
net/netfilter/nfnetlink_osf.c | 13 +
net/netfilter/nfnetlink_queue.c | 4 +-
net/netfilter/nft_ct.c | 4 +
net/netfilter/nft_dynset.c | 10 +-
net/netfilter/nft_set_pipapo.c | 3 +-
net/netfilter/xt_CT.c | 4 +
net/netfilter/xt_IDLETIMER.c | 6 +
net/netfilter/xt_dccp.c | 4 +-
net/netfilter/xt_tcpudp.c | 6 +-
net/netfilter/xt_time.c | 4 +-
net/phonet/af_phonet.c | 5 +-
net/rose/af_rose.c | 5 +
net/rxrpc/recvmsg.c | 19 +-
net/sched/act_gate.c | 264 +++++++++++++++------
net/sched/sch_generic.c | 27 ---
net/sched/sch_ingress.c | 14 +-
net/sched/sch_teql.c | 8 +-
net/smc/af_smc.c | 23 +-
net/smc/smc.h | 5 +
net/smc/smc_close.c | 2 +-
net/sunrpc/cache.c | 26 +-
net/sunrpc/xprtrdma/verbs.c | 7 +-
net/tipc/socket.c | 2 +
net/wireless/pmsr.c | 1 +
sound/core/pcm_native.c | 19 +-
sound/pci/hda/patch_realtek.c | 25 ++
sound/soc/amd/acp3x-rt5682-max9836.c | 9 +-
sound/soc/amd/yc/acp6x-mach.c | 14 ++
sound/soc/codecs/cs42l43-jack.c | 1 +
sound/soc/generic/simple-card-utils.c | 48 ++--
sound/soc/qcom/qdsp6/q6apm-dai.c | 1 +
sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 1 +
sound/soc/qcom/qdsp6/q6apm.c | 1 +
sound/soc/soc-core.c | 11 +-
sound/usb/endpoint.c | 1 +
sound/usb/mixer_scarlett2.c | 2 +
sound/usb/quirks.c | 2 +
tools/bootconfig/main.c | 7 +-
tools/objtool/Makefile | 8 +-
tools/perf/builtin-ftrace.c | 9 +-
tools/perf/util/annotate.c | 5 +-
tools/perf/util/disasm.c | 2 +-
.../testing/selftests/hid/progs/hid_bpf_helpers.h | 12 +
tools/testing/selftests/net/mptcp/mptcp_join.sh | 43 ++++
500 files changed, 5178 insertions(+), 2252 deletions(-)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 014/481] btrfs: fix incorrect key offset in error message in check_dev_extent_item()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.1 013/481] btrfs: move btrfs_crc32c_final into free-space-cache.c Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 015/481] btrfs: fix compat mask in error messages in btrfs_check_features() Greg Kroah-Hartman
` (301 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Mason, Qu Wenruo,
Mark Harmstone, David Sterba, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Harmstone <mark@harmstone.com>
[ Upstream commit 511dc8912ae3e929c1a182f5e6b2326516fd42a0 ]
Fix the error message in check_dev_extent_item(), when an overlapping
stripe is encountered. For dev extents, objectid is the disk number and
offset the physical address, so prev_key->objectid should actually be
prev_key->offset.
(I can't take any credit for this one - this was discovered by Chris and
his friend Claude.)
Reported-by: Chris Mason <clm@fb.com>
Fixes: 008e2512dc56 ("btrfs: tree-checker: add dev extent item checks")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Mark Harmstone <mark@harmstone.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/tree-checker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
index 6108cfab1ba59..d1b6bb8f08dd1 100644
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -1697,7 +1697,7 @@ static int check_dev_extent_item(const struct extent_buffer *leaf,
if (unlikely(prev_key->offset + prev_len > key->offset)) {
generic_err(leaf, slot,
"dev extent overlap, prev offset %llu len %llu current offset %llu",
- prev_key->objectid, prev_len, key->offset);
+ prev_key->offset, prev_len, key->offset);
return -EUCLEAN;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 076/567] clk: tegra: tegra124-emc: fix device leak on set_rate()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 075/567] arm64: dts: rockchip: Fix rk356x PCIe range mappings Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 077/567] usb: cdns3: remove redundant if branch Greg Kroah-Hartman
` (301 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikko Perttunen, Miaoqian Lin,
Johan Hovold, Stephen Boyd, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit da61439c63d34ae6503d080a847f144d587e3a48 ]
Make sure to drop the reference taken when looking up the EMC device and
its driver data on first set_rate().
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Fixes: 2db04f16b589 ("clk: tegra: Add EMC clock driver")
Fixes: 6d6ef58c2470 ("clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver")
Cc: stable@vger.kernel.org # 4.2: 6d6ef58c2470
Cc: Mikko Perttunen <mperttunen@nvidia.com>
Cc: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/tegra/clk-tegra124-emc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/tegra/clk-tegra124-emc.c b/drivers/clk/tegra/clk-tegra124-emc.c
index 0f6fb776b2298..5f1af6dfe7154 100644
--- a/drivers/clk/tegra/clk-tegra124-emc.c
+++ b/drivers/clk/tegra/clk-tegra124-emc.c
@@ -197,8 +197,8 @@ static struct tegra_emc *emc_ensure_emc_driver(struct tegra_clk_emc *tegra)
tegra->emc_node = NULL;
tegra->emc = platform_get_drvdata(pdev);
+ put_device(&pdev->dev);
if (!tegra->emc) {
- put_device(&pdev->dev);
pr_err("%s: cannot find EMC driver\n", __func__);
return NULL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 001/460] scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.12 002/460] ACPI: PM: Save NVS memory on Lenovo G70-35 Greg Kroah-Hartman
` (301 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kiszka, Florian Bezdeka,
Michael Kelley, Martin K. Petersen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kiszka <jan.kiszka@siemens.com>
[ Upstream commit 57297736c08233987e5d29ce6584c6ca2a831b12 ]
This resolves the follow splat and lock-up when running with PREEMPT_RT
enabled on Hyper-V:
[ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002
[ 415.140822] INFO: lockdep is turned off.
[ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec ghash_clmulni_intel aesni_intel rapl binfmt_misc nls_ascii nls_cp437 vfat fat snd_pcm hyperv_drm snd_timer drm_client_lib drm_shmem_helper snd sg soundcore drm_kms_helper pcspkr hv_balloon hv_utils evdev joydev drm configfs efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common hv_sock vmw_vsock_vmci_transport vsock vmw_vmci efivarfs autofs4 ext4 crc16 mbcache jbd2 sr_mod sd_mod cdrom hv_storvsc serio_raw hid_generic scsi_transport_fc hid_hyperv scsi_mod hid hv_netvsc hyperv_keyboard scsi_common
[ 415.140846] Preemption disabled at:
[ 415.140847] [<ffffffffc0656171>] storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]
[ 415.140854] CPU: 8 UID: 0 PID: 1048 Comm: stress-ng-iomix Not tainted 6.19.0-rc7 #30 PREEMPT_{RT,(full)}
[ 415.140856] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/04/2024
[ 415.140857] Call Trace:
[ 415.140861] <TASK>
[ 415.140861] ? storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]
[ 415.140863] dump_stack_lvl+0x91/0xb0
[ 415.140870] __schedule_bug+0x9c/0xc0
[ 415.140875] __schedule+0xdf6/0x1300
[ 415.140877] ? rtlock_slowlock_locked+0x56c/0x1980
[ 415.140879] ? rcu_is_watching+0x12/0x60
[ 415.140883] schedule_rtlock+0x21/0x40
[ 415.140885] rtlock_slowlock_locked+0x502/0x1980
[ 415.140891] rt_spin_lock+0x89/0x1e0
[ 415.140893] hv_ringbuffer_write+0x87/0x2a0
[ 415.140899] vmbus_sendpacket_mpb_desc+0xb6/0xe0
[ 415.140900] ? rcu_is_watching+0x12/0x60
[ 415.140902] storvsc_queuecommand+0x669/0xbe0 [hv_storvsc]
[ 415.140904] ? HARDIRQ_verbose+0x10/0x10
[ 415.140908] ? __rq_qos_issue+0x28/0x40
[ 415.140911] scsi_queue_rq+0x760/0xd80 [scsi_mod]
[ 415.140926] __blk_mq_issue_directly+0x4a/0xc0
[ 415.140928] blk_mq_issue_direct+0x87/0x2b0
[ 415.140931] blk_mq_dispatch_queue_requests+0x120/0x440
[ 415.140933] blk_mq_flush_plug_list+0x7a/0x1a0
[ 415.140935] __blk_flush_plug+0xf4/0x150
[ 415.140940] __submit_bio+0x2b2/0x5c0
[ 415.140944] ? submit_bio_noacct_nocheck+0x272/0x360
[ 415.140946] submit_bio_noacct_nocheck+0x272/0x360
[ 415.140951] ext4_read_bh_lock+0x3e/0x60 [ext4]
[ 415.140995] ext4_block_write_begin+0x396/0x650 [ext4]
[ 415.141018] ? __pfx_ext4_da_get_block_prep+0x10/0x10 [ext4]
[ 415.141038] ext4_da_write_begin+0x1c4/0x350 [ext4]
[ 415.141060] generic_perform_write+0x14e/0x2c0
[ 415.141065] ext4_buffered_write_iter+0x6b/0x120 [ext4]
[ 415.141083] vfs_write+0x2ca/0x570
[ 415.141087] ksys_write+0x76/0xf0
[ 415.141089] do_syscall_64+0x99/0x1490
[ 415.141093] ? rcu_is_watching+0x12/0x60
[ 415.141095] ? finish_task_switch.isra.0+0xdf/0x3d0
[ 415.141097] ? rcu_is_watching+0x12/0x60
[ 415.141098] ? lock_release+0x1f0/0x2a0
[ 415.141100] ? rcu_is_watching+0x12/0x60
[ 415.141101] ? finish_task_switch.isra.0+0xe4/0x3d0
[ 415.141103] ? rcu_is_watching+0x12/0x60
[ 415.141104] ? __schedule+0xb34/0x1300
[ 415.141106] ? hrtimer_try_to_cancel+0x1d/0x170
[ 415.141109] ? do_nanosleep+0x8b/0x160
[ 415.141111] ? hrtimer_nanosleep+0x89/0x100
[ 415.141114] ? __pfx_hrtimer_wakeup+0x10/0x10
[ 415.141116] ? xfd_validate_state+0x26/0x90
[ 415.141118] ? rcu_is_watching+0x12/0x60
[ 415.141120] ? do_syscall_64+0x1e0/0x1490
[ 415.141121] ? do_syscall_64+0x1e0/0x1490
[ 415.141123] ? rcu_is_watching+0x12/0x60
[ 415.141124] ? do_syscall_64+0x1e0/0x1490
[ 415.141125] ? do_syscall_64+0x1e0/0x1490
[ 415.141127] ? irqentry_exit+0x140/0x7e0
[ 415.141129] entry_SYSCALL_64_after_hwframe+0x76/0x7e
get_cpu() disables preemption while the spinlock hv_ringbuffer_write is
using is converted to an rt-mutex under PREEMPT_RT.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Tested-by: Florian Bezdeka <florian.bezdeka@siemens.com>
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Michael Kelley <mhklinux@outlook.com>
Link: https://patch.msgid.link/0c7fb5cd-fb21-4760-8593-e04bade84744@siemens.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/storvsc_drv.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index 9dcad02ce4895..106bccaac4276 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1861,8 +1861,9 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
cmd_request->payload_sz = payload_sz;
/* Invokes the vsc to start an IO */
- ret = storvsc_do_io(dev, cmd_request, get_cpu());
- put_cpu();
+ migrate_disable();
+ ret = storvsc_do_io(dev, cmd_request, smp_processor_id());
+ migrate_enable();
if (ret)
scsi_dma_unmap(scmnd);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 015/481] btrfs: fix compat mask in error messages in btrfs_check_features()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.1 014/481] btrfs: fix incorrect key offset in error message in check_dev_extent_item() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 016/481] bpf: Fix stack-out-of-bounds write in devmap Greg Kroah-Hartman
` (300 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Mark Harmstone,
David Sterba, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Harmstone <mark@harmstone.com>
[ Upstream commit 587bb33b10bda645a1028c1737ad3992b3d7cf61 ]
Commit d7f67ac9a928 ("btrfs: relax block-group-tree feature dependency
checks") introduced a regression when it comes to handling unsupported
incompat or compat_ro flags. Beforehand we only printed the flags that
we didn't recognize, afterwards we printed them all, which is less
useful. Fix the error handling so it behaves like it used to.
Fixes: d7f67ac9a928 ("btrfs: relax block-group-tree feature dependency checks")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Mark Harmstone <mark@harmstone.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/disk-io.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 52e083b63070d..0ff373022c11f 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -3356,7 +3356,7 @@ int btrfs_check_features(struct btrfs_fs_info *fs_info, bool is_rw_mount)
if (incompat & ~BTRFS_FEATURE_INCOMPAT_SUPP) {
btrfs_err(fs_info,
"cannot mount because of unknown incompat features (0x%llx)",
- incompat);
+ incompat & ~BTRFS_FEATURE_INCOMPAT_SUPP);
return -EINVAL;
}
@@ -3388,7 +3388,7 @@ int btrfs_check_features(struct btrfs_fs_info *fs_info, bool is_rw_mount)
if (compat_ro_unsupp && is_rw_mount) {
btrfs_err(fs_info,
"cannot mount read-write because of unknown compat_ro features (0x%llx)",
- compat_ro);
+ compat_ro_unsupp);
return -EINVAL;
}
@@ -3401,7 +3401,7 @@ int btrfs_check_features(struct btrfs_fs_info *fs_info, bool is_rw_mount)
!btrfs_test_opt(fs_info, NOLOGREPLAY)) {
btrfs_err(fs_info,
"cannot replay dirty log with unsupported compat_ro features (0x%llx), try rescue=nologreplay",
- compat_ro);
+ compat_ro_unsupp);
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 077/567] usb: cdns3: remove redundant if branch
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 076/567] clk: tegra: tegra124-emc: fix device leak on set_rate() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 078/567] usb: cdns3: call cdns_power_is_lost() only once in cdns_resume() Greg Kroah-Hartman
` (300 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hongyu Xie, Peter Chen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hongyu Xie <xiehongyu1@kylinos.cn>
[ Upstream commit dedab674428f8a99468a4864c067128ba9ea83a6 ]
cdns->role_sw->dev->driver_data gets set in routines showing below,
cdns_init
sw_desc.driver_data = cdns;
cdns->role_sw = usb_role_switch_register(dev, &sw_desc);
dev_set_drvdata(&sw->dev, desc->driver_data);
In cdns_resume,
cdns->role = cdns_role_get(cdns->role_sw); //line redundant
struct cdns *cdns = usb_role_switch_get_drvdata(sw);
dev_get_drvdata(&sw->dev)
return dev->driver_data
return cdns->role;
"line redundant" equals to,
cdns->role = cdns->role;
So fix this if branch.
Signed-off-by: Hongyu Xie <xiehongyu1@kylinos.cn>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/20241231013641.23908-1-xiehongyu1@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 87e4b043b98a ("usb: cdns3: fix role switching during resume")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/cdns3/core.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/usb/cdns3/core.c b/drivers/usb/cdns3/core.c
index 465e9267b49c1..98980a23e1c22 100644
--- a/drivers/usb/cdns3/core.c
+++ b/drivers/usb/cdns3/core.c
@@ -529,9 +529,7 @@ int cdns_resume(struct cdns *cdns)
int ret = 0;
if (cdns_power_is_lost(cdns)) {
- if (cdns->role_sw) {
- cdns->role = cdns_role_get(cdns->role_sw);
- } else {
+ if (!cdns->role_sw) {
real_role = cdns_hw_role_state_machine(cdns);
if (real_role != cdns->role) {
ret = cdns_hw_role_switch(cdns);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 002/460] ACPI: PM: Save NVS memory on Lenovo G70-35
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.12 001/460] scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.12 003/460] scsi: mpi3mr: Add NULL checks when resetting request and reply queues Greg Kroah-Hartman
` (300 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Piotr Mazek, Rafael J. Wysocki,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Piotr Mazek <pmazek@outlook.com>
[ Upstream commit 023cd6d90f8aa2ef7b72d84be84a18e61ecebd64 ]
[821d6f0359b0614792ab8e2fb93b503e25a65079] prevented machines
produced later than 2012 from saving NVS region to accelerate S3.
Despite being made after 2012, Lenovo G70-35 still needs NVS memory
saving during S3. A quirk is introduced for this platform.
Signed-off-by: Piotr Mazek <pmazek@outlook.com>
[ rjw: Subject adjustment ]
Link: https://patch.msgid.link/GV2PPF3CD5B63CC2442EE3F76F8443EAD90D499A@GV2PPF3CD5B63CC.EURP251.PROD.OUTLOOK.COM
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/sleep.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
index c8ee8e42b0f64..0b7fa4a8c379c 100644
--- a/drivers/acpi/sleep.c
+++ b/drivers/acpi/sleep.c
@@ -386,6 +386,14 @@ static const struct dmi_system_id acpisleep_dmi_table[] __initconst = {
DMI_MATCH(DMI_PRODUCT_NAME, "80E1"),
},
},
+ {
+ .callback = init_nvs_save_s3,
+ .ident = "Lenovo G70-35",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "80Q5"),
+ },
+ },
/*
* ThinkPad X1 Tablet(2016) cannot do suspend-to-idle using
* the Low Power S0 Idle firmware interface (see
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 016/481] bpf: Fix stack-out-of-bounds write in devmap
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.1 015/481] btrfs: fix compat mask in error messages in btrfs_check_features() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 017/481] memory: mtk-smi: Convert to platform remove callback returning void Greg Kroah-Hartman
` (299 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+10cc7f13760b31bd2e61,
Toke Høiland-Jørgensen, Kohei Enju, Alexei Starovoitov,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kohei Enju <kohei@enjuk.jp>
[ Upstream commit b7bf516c3ecd9a2aae2dc2635178ab87b734fef1 ]
get_upper_ifindexes() iterates over all upper devices and writes their
indices into an array without checking bounds.
Also the callers assume that the max number of upper devices is
MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,
but that assumption is not correct and the number of upper devices could
be larger than MAX_NEST_DEV (e.g., many macvlans), causing a
stack-out-of-bounds write.
Add a max parameter to get_upper_ifindexes() to avoid the issue.
When there are too many upper devices, return -EOVERFLOW and abort the
redirect.
To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with
an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.
Then send a packet to the device to trigger the XDP redirect path.
Reported-by: syzbot+10cc7f13760b31bd2e61@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/698c4ce3.050a0220.340abe.000b.GAE@google.com/T/
Fixes: aeea1b86f936 ("bpf, devmap: Exclude XDP broadcast to master device")
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
Link: https://lore.kernel.org/r/20260225053506.4738-1-kohei@enjuk.jp
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/devmap.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index ac1d5dbc89185..5e05732db2368 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -571,18 +571,22 @@ static inline bool is_ifindex_excluded(int *excluded, int num_excluded, int ifin
}
/* Get ifindex of each upper device. 'indexes' must be able to hold at
- * least MAX_NEST_DEV elements.
- * Returns the number of ifindexes added.
+ * least 'max' elements.
+ * Returns the number of ifindexes added, or -EOVERFLOW if there are too
+ * many upper devices.
*/
-static int get_upper_ifindexes(struct net_device *dev, int *indexes)
+static int get_upper_ifindexes(struct net_device *dev, int *indexes, int max)
{
struct net_device *upper;
struct list_head *iter;
int n = 0;
netdev_for_each_upper_dev_rcu(dev, upper, iter) {
+ if (n >= max)
+ return -EOVERFLOW;
indexes[n++] = upper->ifindex;
}
+
return n;
}
@@ -598,7 +602,11 @@ int dev_map_enqueue_multi(struct xdp_frame *xdpf, struct net_device *dev_rx,
int err;
if (exclude_ingress) {
- num_excluded = get_upper_ifindexes(dev_rx, excluded_devices);
+ num_excluded = get_upper_ifindexes(dev_rx, excluded_devices,
+ ARRAY_SIZE(excluded_devices) - 1);
+ if (num_excluded < 0)
+ return num_excluded;
+
excluded_devices[num_excluded++] = dev_rx->ifindex;
}
@@ -716,7 +724,11 @@ int dev_map_redirect_multi(struct net_device *dev, struct sk_buff *skb,
int err;
if (exclude_ingress) {
- num_excluded = get_upper_ifindexes(dev, excluded_devices);
+ num_excluded = get_upper_ifindexes(dev, excluded_devices,
+ ARRAY_SIZE(excluded_devices) - 1);
+ if (num_excluded < 0)
+ return num_excluded;
+
excluded_devices[num_excluded++] = dev->ifindex;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 078/567] usb: cdns3: call cdns_power_is_lost() only once in cdns_resume()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 077/567] usb: cdns3: remove redundant if branch Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 079/567] usb: cdns3: fix role switching during resume Greg Kroah-Hartman
` (299 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Théo Lebrun, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Théo Lebrun <theo.lebrun@bootlin.com>
[ Upstream commit 17c6526b333cfd89a4c888a6f7c876c8c326e5ae ]
cdns_power_is_lost() does a register read.
Call it only once rather than twice.
Signed-off-by: Théo Lebrun <theo.lebrun@bootlin.com>
Link: https://lore.kernel.org/r/20250205-s2r-cdns-v7-4-13658a271c3c@bootlin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 87e4b043b98a ("usb: cdns3: fix role switching during resume")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/cdns3/core.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/cdns3/core.c b/drivers/usb/cdns3/core.c
index 98980a23e1c22..1243a5cea91b5 100644
--- a/drivers/usb/cdns3/core.c
+++ b/drivers/usb/cdns3/core.c
@@ -524,11 +524,12 @@ EXPORT_SYMBOL_GPL(cdns_suspend);
int cdns_resume(struct cdns *cdns)
{
+ bool power_lost = cdns_power_is_lost(cdns);
enum usb_role real_role;
bool role_changed = false;
int ret = 0;
- if (cdns_power_is_lost(cdns)) {
+ if (power_lost) {
if (!cdns->role_sw) {
real_role = cdns_hw_role_state_machine(cdns);
if (real_role != cdns->role) {
@@ -551,7 +552,7 @@ int cdns_resume(struct cdns *cdns)
}
if (cdns->roles[cdns->role]->resume)
- cdns->roles[cdns->role]->resume(cdns, cdns_power_is_lost(cdns));
+ cdns->roles[cdns->role]->resume(cdns, power_lost);
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 003/460] scsi: mpi3mr: Add NULL checks when resetting request and reply queues
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.12 001/460] scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.12 002/460] ACPI: PM: Save NVS memory on Lenovo G70-35 Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 004/460] ALSA: hda/realtek: Fix speaker pop on Star Labs StarFighter Greg Kroah-Hartman
` (299 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ranjan Kumar, Martin K. Petersen,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
[ Upstream commit fa96392ebebc8fade2b878acb14cce0f71016503 ]
The driver encountered a crash during resource cleanup when the reply and
request queues were NULL due to freed memory. This issue occurred when the
creation of reply or request queues failed, and the driver freed the memory
first, but attempted to mem set the content of the freed memory, leading to
a system crash.
Add NULL pointer checks for reply and request queues before accessing the
reply/request memory during cleanup
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://patch.msgid.link/20260212070026.30263-1-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mpi3mr/mpi3mr_fw.c | 34 ++++++++++++++++++---------------
1 file changed, 19 insertions(+), 15 deletions(-)
diff --git a/drivers/scsi/mpi3mr/mpi3mr_fw.c b/drivers/scsi/mpi3mr/mpi3mr_fw.c
index 4198830bf10b7..3a057a0f0d809 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
@@ -4677,21 +4677,25 @@ void mpi3mr_memset_buffers(struct mpi3mr_ioc *mrioc)
}
for (i = 0; i < mrioc->num_queues; i++) {
- mrioc->op_reply_qinfo[i].qid = 0;
- mrioc->op_reply_qinfo[i].ci = 0;
- mrioc->op_reply_qinfo[i].num_replies = 0;
- mrioc->op_reply_qinfo[i].ephase = 0;
- atomic_set(&mrioc->op_reply_qinfo[i].pend_ios, 0);
- atomic_set(&mrioc->op_reply_qinfo[i].in_use, 0);
- mpi3mr_memset_op_reply_q_buffers(mrioc, i);
-
- mrioc->req_qinfo[i].ci = 0;
- mrioc->req_qinfo[i].pi = 0;
- mrioc->req_qinfo[i].num_requests = 0;
- mrioc->req_qinfo[i].qid = 0;
- mrioc->req_qinfo[i].reply_qid = 0;
- spin_lock_init(&mrioc->req_qinfo[i].q_lock);
- mpi3mr_memset_op_req_q_buffers(mrioc, i);
+ if (mrioc->op_reply_qinfo) {
+ mrioc->op_reply_qinfo[i].qid = 0;
+ mrioc->op_reply_qinfo[i].ci = 0;
+ mrioc->op_reply_qinfo[i].num_replies = 0;
+ mrioc->op_reply_qinfo[i].ephase = 0;
+ atomic_set(&mrioc->op_reply_qinfo[i].pend_ios, 0);
+ atomic_set(&mrioc->op_reply_qinfo[i].in_use, 0);
+ mpi3mr_memset_op_reply_q_buffers(mrioc, i);
+ }
+
+ if (mrioc->req_qinfo) {
+ mrioc->req_qinfo[i].ci = 0;
+ mrioc->req_qinfo[i].pi = 0;
+ mrioc->req_qinfo[i].num_requests = 0;
+ mrioc->req_qinfo[i].qid = 0;
+ mrioc->req_qinfo[i].reply_qid = 0;
+ spin_lock_init(&mrioc->req_qinfo[i].q_lock);
+ mpi3mr_memset_op_req_q_buffers(mrioc, i);
+ }
}
atomic_set(&mrioc->pend_large_data_sz, 0);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 017/481] memory: mtk-smi: Convert to platform remove callback returning void
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.1 016/481] bpf: Fix stack-out-of-bounds write in devmap Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 018/481] memory: mtk-smi: fix device leaks on common probe Greg Kroah-Hartman
` (298 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Krzysztof Kozlowski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 08c1aeaa45ce0fd18912e92c6705586c8aa5240f ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is ignored (apart
from emitting a warning) and this typically results in resource leaks.
To improve here there is a quest to make the remove callback return
void. In the first step of this quest all drivers are converted to
.remove_new(), which already returns void. Eventually after all drivers
are converted, .remove_new() will be renamed to .remove().
Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/5c35a33cfdc359842e034ddd2e9358f10e91fa1f.1702822744.git.u.kleine-koenig@pengutronix.de
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Stable-dep-of: 6cfa038bddd7 ("memory: mtk-smi: fix device leaks on common probe")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/memory/mtk-smi.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/drivers/memory/mtk-smi.c b/drivers/memory/mtk-smi.c
index 5a9754442bc75..c9c444d4a64ab 100644
--- a/drivers/memory/mtk-smi.c
+++ b/drivers/memory/mtk-smi.c
@@ -566,14 +566,13 @@ static int mtk_smi_larb_probe(struct platform_device *pdev)
return ret;
}
-static int mtk_smi_larb_remove(struct platform_device *pdev)
+static void mtk_smi_larb_remove(struct platform_device *pdev)
{
struct mtk_smi_larb *larb = platform_get_drvdata(pdev);
device_link_remove(&pdev->dev, larb->smi_common_dev);
pm_runtime_disable(&pdev->dev);
component_del(&pdev->dev, &mtk_smi_larb_component_ops);
- return 0;
}
static int __maybe_unused mtk_smi_larb_resume(struct device *dev)
@@ -616,7 +615,7 @@ static const struct dev_pm_ops smi_larb_pm_ops = {
static struct platform_driver mtk_smi_larb_driver = {
.probe = mtk_smi_larb_probe,
- .remove = mtk_smi_larb_remove,
+ .remove_new = mtk_smi_larb_remove,
.driver = {
.name = "mtk-smi-larb",
.of_match_table = mtk_smi_larb_of_ids,
@@ -789,14 +788,13 @@ static int mtk_smi_common_probe(struct platform_device *pdev)
return 0;
}
-static int mtk_smi_common_remove(struct platform_device *pdev)
+static void mtk_smi_common_remove(struct platform_device *pdev)
{
struct mtk_smi *common = dev_get_drvdata(&pdev->dev);
if (common->plat->type == MTK_SMI_GEN2_SUB_COMM)
device_link_remove(&pdev->dev, common->smi_common_dev);
pm_runtime_disable(&pdev->dev);
- return 0;
}
static int __maybe_unused mtk_smi_common_resume(struct device *dev)
@@ -836,7 +834,7 @@ static const struct dev_pm_ops smi_common_pm_ops = {
static struct platform_driver mtk_smi_common_driver = {
.probe = mtk_smi_common_probe,
- .remove = mtk_smi_common_remove,
+ .remove_new = mtk_smi_common_remove,
.driver = {
.name = "mtk-smi-common",
.of_match_table = mtk_smi_common_of_ids,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 079/567] usb: cdns3: fix role switching during resume
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 078/567] usb: cdns3: call cdns_power_is_lost() only once in cdns_resume() Greg Kroah-Hartman
@ 2026-03-23 13:39 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 080/567] drm/amd: Fix hang on amdgpu unload by using pci_dev_is_disconnected() Greg Kroah-Hartman
` (298 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Thomas Richard (TI),
Peter Chen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Richard (TI) <thomas.richard@bootlin.com>
[ Upstream commit 87e4b043b98a1d269be0b812f383881abee0ca45 ]
If the role change while we are suspended, the cdns3 driver switches to the
new mode during resume. However, switching to host mode in this context
causes a NULL pointer dereference.
The host role's start() operation registers a xhci-hcd device, but its
probe is deferred while we are in the resume path. The host role's resume()
operation assumes the xhci-hcd device is already probed, which is not the
case, leading to the dereference. Since the start() operation of the new
role is already called, the resume operation can be skipped.
So skip the resume operation for the new role if a role switch occurs
during resume. Once the resume sequence is complete, the xhci-hcd device
can be probed in case of host mode.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000208
Mem abort info:
...
Data abort info:
...
[0000000000000208] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] SMP
Modules linked in:
CPU: 0 UID: 0 PID: 146 Comm: sh Not tainted
6.19.0-rc7-00013-g6e64f4aabfae-dirty #135 PREEMPT
Hardware name: Texas Instruments J7200 EVM (DT)
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usb_hcd_is_primary_hcd+0x0/0x1c
lr : cdns_host_resume+0x24/0x5c
...
Call trace:
usb_hcd_is_primary_hcd+0x0/0x1c (P)
cdns_resume+0x6c/0xbc
cdns3_controller_resume.isra.0+0xe8/0x17c
cdns3_plat_resume+0x18/0x24
platform_pm_resume+0x2c/0x68
dpm_run_callback+0x90/0x248
device_resume+0x100/0x24c
dpm_resume+0x190/0x2ec
dpm_resume_end+0x18/0x34
suspend_devices_and_enter+0x2b0/0xa44
pm_suspend+0x16c/0x5fc
state_store+0x80/0xec
kobj_attr_store+0x18/0x2c
sysfs_kf_write+0x7c/0x94
kernfs_fop_write_iter+0x130/0x1dc
vfs_write+0x240/0x370
ksys_write+0x70/0x108
__arm64_sys_write+0x1c/0x28
invoke_syscall+0x48/0x10c
el0_svc_common.constprop.0+0x40/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x34/0x108
el0t_64_sync_handler+0xa0/0xe4
el0t_64_sync+0x198/0x19c
Code: 52800003 f9407ca5 d63f00a0 17ffffe4 (f9410401)
---[ end trace 0000000000000000 ]---
Cc: stable <stable@kernel.org>
Fixes: 2cf2581cd229 ("usb: cdns3: add power lost support for system resume")
Signed-off-by: Thomas Richard (TI) <thomas.richard@bootlin.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://patch.msgid.link/20260130-usb-cdns3-fix-role-switching-during-resume-v1-1-44c456852b52@bootlin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/cdns3/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/cdns3/core.c b/drivers/usb/cdns3/core.c
index 1243a5cea91b5..f0e32227c0b79 100644
--- a/drivers/usb/cdns3/core.c
+++ b/drivers/usb/cdns3/core.c
@@ -551,7 +551,7 @@ int cdns_resume(struct cdns *cdns)
}
}
- if (cdns->roles[cdns->role]->resume)
+ if (!role_changed && cdns->roles[cdns->role]->resume)
cdns->roles[cdns->role]->resume(cdns, power_lost);
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 004/460] ALSA: hda/realtek: Fix speaker pop on Star Labs StarFighter
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.12 003/460] scsi: mpi3mr: Add NULL checks when resetting request and reply queues Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 005/460] unshare: fix unshare_fs() handling Greg Kroah-Hartman
` (298 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sean Rhodes,
Takashi Iwai, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Rhodes <sean@starlabs.systems>
[ Upstream commit 1cb3c20688fc8380c9b365d03aea7e84faf6a9fd ]
On Star Labs StarFighter (Realtek ALC233/235), the internal speakers can
emit an audible pop when entering or leaving runtime suspend.
Mute the speaker output paths via snd_hda_gen_shutup_speakers() in the
Realtek shutup callback before the codec is powered down.
This is enough to avoid the pop without special EAPD handling.
Test results:
- runtime PM pop fixed
- still reaches D3 (PCI 0000:00:1f.3 power_state=D3hot)
- does not address pops on cold boot (G3 exit) or around display manager
start/shutdown
journalctl -k (boot):
- snd_hda_codec_alc269 hdaudioC0D0: ALC233: picked fixup for PCI SSID
7017:2014
- snd_hda_codec_alc269 hdaudioC0D0: autoconfig for ALC233: line_outs=1
(0x1b/0x0/0x0/0x0/0x0) type:speaker
Suggested-by: Takashi Iwai <tiwai@suse.com>
Tested-by: Sean Rhodes <sean@starlabs.systems>
Signed-off-by: Sean Rhodes <sean@starlabs.systems>
Link: https://patch.msgid.link/4d5fb71b132bb283fd41c622b8413770b2065242.1771532060.git.sean@starlabs.systems
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index c13def0f1e1a4..cb6ff3c36c5f0 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -4164,6 +4164,24 @@ static int alc269_resume(struct hda_codec *codec)
return 0;
}
+#define STARLABS_STARFIGHTER_SHUTUP_DELAY_MS 30
+
+static void starlabs_starfighter_shutup(struct hda_codec *codec)
+{
+ if (snd_hda_gen_shutup_speakers(codec))
+ msleep(STARLABS_STARFIGHTER_SHUTUP_DELAY_MS);
+}
+
+static void alc233_fixup_starlabs_starfighter(struct hda_codec *codec,
+ const struct hda_fixup *fix,
+ int action)
+{
+ struct alc_spec *spec = codec->spec;
+
+ if (action == HDA_FIXUP_ACT_PRE_PROBE)
+ spec->shutup = starlabs_starfighter_shutup;
+}
+
static void alc269_fixup_pincfg_no_hp_to_lineout(struct hda_codec *codec,
const struct hda_fixup *fix, int action)
{
@@ -8203,6 +8221,7 @@ enum {
ALC245_FIXUP_CLEVO_NOISY_MIC,
ALC269_FIXUP_VAIO_VJFH52_MIC_NO_PRESENCE,
ALC233_FIXUP_MEDION_MTL_SPK,
+ ALC233_FIXUP_STARLABS_STARFIGHTER,
ALC294_FIXUP_BASS_SPEAKER_15,
ALC283_FIXUP_DELL_HP_RESUME,
ALC294_FIXUP_ASUS_CS35L41_SPI_2,
@@ -10591,6 +10610,10 @@ static const struct hda_fixup alc269_fixups[] = {
{ }
},
},
+ [ALC233_FIXUP_STARLABS_STARFIGHTER] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc233_fixup_starlabs_starfighter,
+ },
[ALC294_FIXUP_BASS_SPEAKER_15] = {
.type = HDA_FIXUP_FUNC,
.v.func = alc294_fixup_bass_speaker_15,
@@ -11606,6 +11629,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x2782, 0x1705, "MEDION E15433", ALC269VC_FIXUP_INFINIX_Y4_MAX),
SND_PCI_QUIRK(0x2782, 0x1707, "Vaio VJFE-ADL", ALC298_FIXUP_SPK_VOLUME),
SND_PCI_QUIRK(0x2782, 0x4900, "MEDION E15443", ALC233_FIXUP_MEDION_MTL_SPK),
+ SND_PCI_QUIRK(0x7017, 0x2014, "Star Labs StarFighter", ALC233_FIXUP_STARLABS_STARFIGHTER),
SND_PCI_QUIRK(0x8086, 0x2074, "Intel NUC 8", ALC233_FIXUP_INTEL_NUC8_DMIC),
SND_PCI_QUIRK(0x8086, 0x2080, "Intel NUC 8 Rugged", ALC256_FIXUP_INTEL_NUC8_RUGGED),
SND_PCI_QUIRK(0x8086, 0x2081, "Intel NUC 10", ALC256_FIXUP_INTEL_NUC10),
@@ -11702,6 +11726,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = {
{.id = ALC298_FIXUP_TPT470_DOCK_FIX, .name = "tpt470-dock-fix"},
{.id = ALC298_FIXUP_TPT470_DOCK, .name = "tpt470-dock"},
{.id = ALC233_FIXUP_LENOVO_MULTI_CODECS, .name = "dual-codecs"},
+ {.id = ALC233_FIXUP_STARLABS_STARFIGHTER, .name = "starlabs-starfighter"},
{.id = ALC700_FIXUP_INTEL_REFERENCE, .name = "alc700-ref"},
{.id = ALC269_FIXUP_SONY_VAIO, .name = "vaio"},
{.id = ALC269_FIXUP_DELL_M101Z, .name = "dell-m101z"},
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 018/481] memory: mtk-smi: fix device leaks on common probe
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.1 017/481] memory: mtk-smi: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 019/481] memory: mtk-smi: fix device leak on larb probe Greg Kroah-Hartman
` (297 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yong Wu, Miaoqian Lin, Johan Hovold,
Krzysztof Kozlowski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 6cfa038bddd710f544076ea2ef7792fc82fbedd6 ]
Make sure to drop the reference taken when looking up the SMI device
during common probe on late probe failure (e.g. probe deferral) and on
driver unbind.
Fixes: 47404757702e ("memory: mtk-smi: Add device link for smi-sub-common")
Fixes: 038ae37c510f ("memory: mtk-smi: add missing put_device() call in mtk_smi_device_link_common")
Cc: stable@vger.kernel.org # 5.16: 038ae37c510f
Cc: stable@vger.kernel.org # 5.16
Cc: Yong Wu <yong.wu@mediatek.com>
Cc: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251121164624.13685-2-johan@kernel.org
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/memory/mtk-smi.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/memory/mtk-smi.c b/drivers/memory/mtk-smi.c
index c9c444d4a64ab..1326119288c98 100644
--- a/drivers/memory/mtk-smi.c
+++ b/drivers/memory/mtk-smi.c
@@ -563,6 +563,7 @@ static int mtk_smi_larb_probe(struct platform_device *pdev)
err_pm_disable:
pm_runtime_disable(dev);
device_link_remove(dev, larb->smi_common_dev);
+ put_device(larb->smi_common_dev);
return ret;
}
@@ -795,6 +796,7 @@ static void mtk_smi_common_remove(struct platform_device *pdev)
if (common->plat->type == MTK_SMI_GEN2_SUB_COMM)
device_link_remove(&pdev->dev, common->smi_common_dev);
pm_runtime_disable(&pdev->dev);
+ put_device(common->smi_common_dev);
}
static int __maybe_unused mtk_smi_common_resume(struct device *dev)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 080/567] drm/amd: Fix hang on amdgpu unload by using pci_dev_is_disconnected()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-03-23 13:39 ` [PATCH 6.6 079/567] usb: cdns3: fix role switching during resume Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 081/567] ALSA: hda/conexant: Add quirk for HP ZBook Studio G4 Greg Kroah-Hartman
` (297 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cal Peake, Alex Deucher,
Mario Limonciello, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit f7afda7fcd169a9168695247d07ad94cf7b9798f ]
The commit 6a23e7b4332c ("drm/amd: Clean up kfd node on surprise
disconnect") introduced early KFD cleanup when drm_dev_is_unplugged()
returns true. However, this causes hangs during normal module unload
(rmmod amdgpu).
The issue occurs because drm_dev_unplug() is called in amdgpu_pci_remove()
for all removal scenarios, not just surprise disconnects. This was done
intentionally in commit 39934d3ed572 ("Revert "drm/amdgpu: TA unload
messages are not actually sent to psp when amdgpu is uninstalled"") to
fix IGT PCI software unplug test failures. As a result,
drm_dev_is_unplugged() returns true even during normal module unload,
triggering the early KFD cleanup inappropriately.
The correct check should distinguish between:
- Actual surprise disconnect (eGPU unplugged): pci_dev_is_disconnected()
returns true
- Normal module unload (rmmod): pci_dev_is_disconnected() returns false
Replace drm_dev_is_unplugged() with pci_dev_is_disconnected() to ensure
the early cleanup only happens during true hardware disconnect events.
Cc: stable@vger.kernel.org
Reported-by: Cal Peake <cp@absolutedigital.net>
Closes: https://lore.kernel.org/all/b0c22deb-c0fa-3343-33cf-fd9a77d7db99@absolutedigital.net/
Fixes: 6a23e7b4332c ("drm/amd: Clean up kfd node on surprise disconnect")
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
index 9481d450809b5..1251303b52d21 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -4034,7 +4034,7 @@ void amdgpu_device_fini_hw(struct amdgpu_device *adev)
* before ip_fini_early to prevent kfd locking refcount issues by calling
* amdgpu_amdkfd_suspend()
*/
- if (drm_dev_is_unplugged(adev_to_drm(adev)))
+ if (pci_dev_is_disconnected(adev->pdev))
amdgpu_amdkfd_device_fini_sw(adev);
amdgpu_device_ip_fini_early(adev);
@@ -4046,7 +4046,7 @@ void amdgpu_device_fini_hw(struct amdgpu_device *adev)
amdgpu_gart_dummy_page_fini(adev);
- if (drm_dev_is_unplugged(adev_to_drm(adev)))
+ if (pci_dev_is_disconnected(adev->pdev))
amdgpu_device_unmap_mmio(adev);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 005/460] unshare: fix unshare_fs() handling
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 004/460] ALSA: hda/realtek: Fix speaker pop on Star Labs StarFighter Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 006/460] wifi: mac80211: set default WMM parameters on all links Greg Kroah-Hartman
` (297 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Al Viro, Waiman Long,
Christian Brauner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 6c4b2243cb6c0755159bd567130d5e12e7b10d9f ]
There's an unpleasant corner case in unshare(2), when we have a
CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that
case copy_mnt_ns() gets passed current->fs instead of a private copy,
which causes interesting warts in proof of correctness]
> I guess if private means fs->users == 1, the condition could still be true.
Unfortunately, it's worse than just a convoluted proof of correctness.
Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS
(and current->fs->users == 1).
We pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and
flips current->fs->{pwd,root} to corresponding locations in the new namespace.
Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM).
We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's
destroyed and its mount tree is dissolved, but... current->fs->root and
current->fs->pwd are both left pointing to now detached mounts.
They are pinning those, so it's not a UAF, but it leaves the calling
process with unshare(2) failing with -ENOMEM _and_ leaving it with
pwd and root on detached isolated mounts. The last part is clearly a bug.
There is other fun related to that mess (races with pivot_root(), including
the one between pivot_root() and fork(), of all things), but this one
is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new
fs_struct even if it hadn't been shared in the first place". Sure, we could
go for something like "if both CLONE_NEWNS *and* one of the things that might
end up failing after copy_mnt_ns() call in create_new_namespaces() are set,
force allocation of new fs_struct", but let's keep it simple - the cost
of copy_fs_struct() is trivial.
Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets
a freshly allocated fs_struct, yet to be attached to anything. That
seriously simplifies the analysis...
FWIW, that bug had been there since the introduction of unshare(2) ;-/
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Link: https://patch.msgid.link/20260207082524.GE3183987@ZenIV
Tested-by: Waiman Long <longman@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/fork.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/fork.c b/kernel/fork.c
index e5ec098a6f61e..55086df4d24cb 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -3248,7 +3248,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
return 0;
/* don't need lock here; in the worst case we'll do useless copy */
- if (fs->users == 1)
+ if (!(unshare_flags & CLONE_NEWNS) && fs->users == 1)
return 0;
*new_fsp = copy_fs_struct(fs);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 019/481] memory: mtk-smi: fix device leak on larb probe
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 018/481] memory: mtk-smi: fix device leaks on common probe Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 020/481] PCI: Introduce pci_dev_for_each_resource() Greg Kroah-Hartman
` (296 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yong Wu, Miaoqian Lin, Johan Hovold,
Krzysztof Kozlowski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 9dae65913b32d05dbc8ff4b8a6bf04a0e49a8eb6 ]
Make sure to drop the reference taken when looking up the SMI device
during larb probe on late probe failure (e.g. probe deferral) and on
driver unbind.
Fixes: cc8bbe1a8312 ("memory: mediatek: Add SMI driver")
Fixes: 038ae37c510f ("memory: mtk-smi: add missing put_device() call in mtk_smi_device_link_common")
Cc: stable@vger.kernel.org # 4.6: 038ae37c510f
Cc: stable@vger.kernel.org # 4.6
Cc: Yong Wu <yong.wu@mediatek.com>
Cc: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251121164624.13685-3-johan@kernel.org
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/memory/mtk-smi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/memory/mtk-smi.c b/drivers/memory/mtk-smi.c
index 1326119288c98..95f1bf2c37785 100644
--- a/drivers/memory/mtk-smi.c
+++ b/drivers/memory/mtk-smi.c
@@ -574,6 +574,7 @@ static void mtk_smi_larb_remove(struct platform_device *pdev)
device_link_remove(&pdev->dev, larb->smi_common_dev);
pm_runtime_disable(&pdev->dev);
component_del(&pdev->dev, &mtk_smi_larb_component_ops);
+ put_device(larb->smi_common_dev);
}
static int __maybe_unused mtk_smi_larb_resume(struct device *dev)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 081/567] ALSA: hda/conexant: Add quirk for HP ZBook Studio G4
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 080/567] drm/amd: Fix hang on amdgpu unload by using pci_dev_is_disconnected() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 082/567] hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race Greg Kroah-Hartman
` (296 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 1585cf83e98db32463e5d54161b06a5f01fe9976 ]
It was reported that we need the same quirk for HP ZBook Studio G4
(SSID 103c:826b) as other HP models to make the mute-LED working.
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/64d78753-b9ff-4c64-8920-64d8d31cd20c@gmail.com
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221002
Link: https://patch.msgid.link/20260207131324.2428030-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_conexant.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
index fd141185ce2b9..192d13f829e19 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -1085,6 +1085,7 @@ static const struct hda_quirk cxt5066_fixups[] = {
SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO),
SND_PCI_QUIRK(0x103c, 0x8231, "HP ProBook 450 G4", CXT_FIXUP_MUTE_LED_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x826b, "HP ZBook Studio G4", CXT_FIXUP_MUTE_LED_GPIO),
SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 006/460] wifi: mac80211: set default WMM parameters on all links
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 005/460] unshare: fix unshare_fs() handling Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 007/460] ACPI: OSI: Add DMI quirk for Acer Aspire One D255 Greg Kroah-Hartman
` (296 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ramanathan Choodamani, Aishwarya R,
Johannes Berg, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ramanathan Choodamani <quic_rchoodam@quicinc.com>
[ Upstream commit 2259d14499d16b115ef8d5d2ddc867e2be7cb5b5 ]
Currently, mac80211 only initializes default WMM parameters
on the deflink during do_open(). For MLO cases, this
leaves the additional links without proper WMM defaults
if hostapd does not supply per-link WMM parameters, leading
to inconsistent QoS behavior across links.
Set default WMM parameters for each link during
ieee80211_vif_update_links(), because this ensures all
individual links in an MLD have valid WMM settings during
bring-up and behave consistently across different BSS.
Signed-off-by: Ramanathan Choodamani <quic_rchoodam@quicinc.com>
Signed-off-by: Aishwarya R <aishwarya.r@oss.qualcomm.com>
Link: https://patch.msgid.link/20260205094216.3093542-1-aishwarya.r@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/link.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/mac80211/link.c b/net/mac80211/link.c
index 28ce41356341f..df303496914ca 100644
--- a/net/mac80211/link.c
+++ b/net/mac80211/link.c
@@ -283,6 +283,7 @@ static int ieee80211_vif_update_links(struct ieee80211_sub_if_data *sdata,
struct ieee80211_bss_conf *old[IEEE80211_MLD_MAX_NUM_LINKS];
struct ieee80211_link_data *old_data[IEEE80211_MLD_MAX_NUM_LINKS];
bool use_deflink = old_links == 0; /* set for error case */
+ bool non_sta = sdata->vif.type != NL80211_IFTYPE_STATION;
lockdep_assert_wiphy(sdata->local->hw.wiphy);
@@ -339,6 +340,7 @@ static int ieee80211_vif_update_links(struct ieee80211_sub_if_data *sdata,
link = links[link_id];
ieee80211_link_init(sdata, link_id, &link->data, &link->conf);
ieee80211_link_setup(&link->data);
+ ieee80211_set_wmm_default(&link->data, true, non_sta);
}
if (new_links == 0)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 020/481] PCI: Introduce pci_dev_for_each_resource()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 019/481] memory: mtk-smi: fix device leak on larb probe Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 021/481] PCI: Fix printk field formatting Greg Kroah-Hartman
` (295 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Mika Westerberg,
Bjorn Helgaas, Krzysztof Wilczyński, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mika Westerberg <mika.westerberg@linux.intel.com>
[ Upstream commit 09cc900632400079619e9154604fd299c2cc9a5a ]
Instead of open-coding it everywhere introduce a tiny helper that can be
used to iterate over each resource of a PCI device, and convert the most
obvious users into it.
While at it drop doubled empty line before pdev_sort_resources().
No functional changes intended.
Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20230330162434.35055-4-andriy.shevchenko@linux.intel.com
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Krzysztof Wilczyński <kw@linux.com>
Stable-dep-of: 11721c45a826 ("PCI: Use resource_set_range() that correctly sets ->end")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.clang-format | 1 +
arch/alpha/kernel/pci.c | 5 ++--
arch/arm/kernel/bios32.c | 16 ++++++-------
arch/arm/mach-dove/pcie.c | 10 ++++----
arch/arm/mach-mv78xx0/pcie.c | 10 ++++----
arch/arm/mach-orion5x/pci.c | 10 ++++----
arch/mips/pci/ops-bcm63xx.c | 8 +++----
arch/mips/pci/pci-legacy.c | 3 +--
arch/powerpc/kernel/pci-common.c | 21 ++++++++--------
arch/powerpc/platforms/4xx/pci.c | 8 +++----
arch/powerpc/platforms/52xx/mpc52xx_pci.c | 5 ++--
arch/powerpc/platforms/pseries/pci.c | 16 ++++++-------
arch/sh/drivers/pci/pcie-sh7786.c | 10 ++++----
arch/sparc/kernel/leon_pci.c | 5 ++--
arch/sparc/kernel/pci.c | 10 ++++----
arch/sparc/kernel/pcic.c | 5 ++--
drivers/pci/remove.c | 5 ++--
drivers/pci/setup-bus.c | 27 ++++++++-------------
drivers/pci/setup-res.c | 4 +---
drivers/pci/vgaarb.c | 17 ++++---------
drivers/pci/xen-pcifront.c | 4 +---
drivers/pnp/quirks.c | 29 ++++++++---------------
include/linux/pci.h | 14 +++++++++++
23 files changed, 111 insertions(+), 132 deletions(-)
diff --git a/.clang-format b/.clang-format
index 8d01225bfcb7d..d4e2dcb76609a 100644
--- a/.clang-format
+++ b/.clang-format
@@ -516,6 +516,7 @@ ForEachMacros:
- 'of_property_for_each_string'
- 'of_property_for_each_u32'
- 'pci_bus_for_each_resource'
+ - 'pci_dev_for_each_resource'
- 'pci_doe_for_each_off'
- 'pcl_for_each_chunk'
- 'pcl_for_each_segment'
diff --git a/arch/alpha/kernel/pci.c b/arch/alpha/kernel/pci.c
index 64fbfb0763b29..4458eb7f44f0c 100644
--- a/arch/alpha/kernel/pci.c
+++ b/arch/alpha/kernel/pci.c
@@ -288,11 +288,10 @@ pcibios_claim_one_bus(struct pci_bus *b)
struct pci_bus *child_bus;
list_for_each_entry(dev, &b->devices, bus_list) {
+ struct resource *r;
int i;
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
- struct resource *r = &dev->resource[i];
-
+ pci_dev_for_each_resource(dev, r, i) {
if (r->parent || !r->start || !r->flags)
continue;
if (pci_has_flag(PCI_PROBE_ONLY) ||
diff --git a/arch/arm/kernel/bios32.c b/arch/arm/kernel/bios32.c
index e7ef2b5bea9c2..d334c7fb672b7 100644
--- a/arch/arm/kernel/bios32.c
+++ b/arch/arm/kernel/bios32.c
@@ -142,15 +142,15 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_WINBOND2, PCI_DEVICE_ID_WINBOND2_89C940F,
*/
static void pci_fixup_dec21285(struct pci_dev *dev)
{
- int i;
-
if (dev->devfn == 0) {
+ struct resource *r;
+
dev->class &= 0xff;
dev->class |= PCI_CLASS_BRIDGE_HOST << 8;
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
- dev->resource[i].start = 0;
- dev->resource[i].end = 0;
- dev->resource[i].flags = 0;
+ pci_dev_for_each_resource(dev, r) {
+ r->start = 0;
+ r->end = 0;
+ r->flags = 0;
}
}
}
@@ -162,13 +162,11 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_DEC, PCI_DEVICE_ID_DEC_21285, pci_fixup_d
static void pci_fixup_ide_bases(struct pci_dev *dev)
{
struct resource *r;
- int i;
if ((dev->class >> 8) != PCI_CLASS_STORAGE_IDE)
return;
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
- r = dev->resource + i;
+ pci_dev_for_each_resource(dev, r) {
if ((r->start & ~0x80) == 0x374) {
r->start |= 2;
r->end = r->start;
diff --git a/arch/arm/mach-dove/pcie.c b/arch/arm/mach-dove/pcie.c
index 754ca381f600a..3044b7e038901 100644
--- a/arch/arm/mach-dove/pcie.c
+++ b/arch/arm/mach-dove/pcie.c
@@ -142,14 +142,14 @@ static struct pci_ops pcie_ops = {
static void rc_pci_fixup(struct pci_dev *dev)
{
if (dev->bus->parent == NULL && dev->devfn == 0) {
- int i;
+ struct resource *r;
dev->class &= 0xff;
dev->class |= PCI_CLASS_BRIDGE_HOST << 8;
- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) {
- dev->resource[i].start = 0;
- dev->resource[i].end = 0;
- dev->resource[i].flags = 0;
+ pci_dev_for_each_resource(dev, r) {
+ r->start = 0;
+ r->end = 0;
+ r->flags = 0;
}
}
}
diff --git a/arch/arm/mach-mv78xx0/pcie.c b/arch/arm/mach-mv78xx0/pcie.c
index 6190f538a124f..0ebc909ea273f 100644
--- a/arch/arm/mach-mv78xx0/pcie.c
+++ b/arch/arm/mach-mv78xx0/pcie.c
@@ -186,14 +186,14 @@ static struct pci_ops pcie_ops = {
static void rc_pci_fixup(struct pci_dev *dev)
{
if (dev->bus->parent == NULL && dev->devfn == 0) {
- int i;
+ struct resource *r;
dev->class &= 0xff;
dev->class |= PCI_CLASS_BRIDGE_HOST << 8;
- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) {
- dev->resource[i].start = 0;
- dev->resource[i].end = 0;
- dev->resource[i].flags = 0;
+ pci_dev_for_each_resource(dev, r) {
+ r->start = 0;
+ r->end = 0;
+ r->flags = 0;
}
}
}
diff --git a/arch/arm/mach-orion5x/pci.c b/arch/arm/mach-orion5x/pci.c
index 888fdc9099c52..3313bc5a63ea6 100644
--- a/arch/arm/mach-orion5x/pci.c
+++ b/arch/arm/mach-orion5x/pci.c
@@ -522,14 +522,14 @@ static int __init pci_setup(struct pci_sys_data *sys)
static void rc_pci_fixup(struct pci_dev *dev)
{
if (dev->bus->parent == NULL && dev->devfn == 0) {
- int i;
+ struct resource *r;
dev->class &= 0xff;
dev->class |= PCI_CLASS_BRIDGE_HOST << 8;
- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) {
- dev->resource[i].start = 0;
- dev->resource[i].end = 0;
- dev->resource[i].flags = 0;
+ pci_dev_for_each_resource(dev, r) {
+ r->start = 0;
+ r->end = 0;
+ r->flags = 0;
}
}
}
diff --git a/arch/mips/pci/ops-bcm63xx.c b/arch/mips/pci/ops-bcm63xx.c
index dc6dc2741272e..b0ea023c47c02 100644
--- a/arch/mips/pci/ops-bcm63xx.c
+++ b/arch/mips/pci/ops-bcm63xx.c
@@ -413,18 +413,18 @@ struct pci_ops bcm63xx_cb_ops = {
static void bcm63xx_fixup(struct pci_dev *dev)
{
static int io_window = -1;
- int i, found, new_io_window;
+ int found, new_io_window;
+ struct resource *r;
u32 val;
/* look for any io resource */
found = 0;
- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) {
- if (pci_resource_flags(dev, i) & IORESOURCE_IO) {
+ pci_dev_for_each_resource(dev, r) {
+ if (resource_type(r) == IORESOURCE_IO) {
found = 1;
break;
}
}
-
if (!found)
return;
diff --git a/arch/mips/pci/pci-legacy.c b/arch/mips/pci/pci-legacy.c
index 468722c8a5c61..ec2567f8efd83 100644
--- a/arch/mips/pci/pci-legacy.c
+++ b/arch/mips/pci/pci-legacy.c
@@ -249,12 +249,11 @@ static int pcibios_enable_resources(struct pci_dev *dev, int mask)
pci_read_config_word(dev, PCI_COMMAND, &cmd);
old_cmd = cmd;
- for (idx = 0; idx < PCI_NUM_RESOURCES; idx++) {
+ pci_dev_for_each_resource(dev, r, idx) {
/* Only set up the requested stuff */
if (!(mask & (1<<idx)))
continue;
- r = &dev->resource[idx];
if (!(r->flags & (IORESOURCE_IO | IORESOURCE_MEM)))
continue;
if ((idx == PCI_ROM_RESOURCE) &&
diff --git a/arch/powerpc/kernel/pci-common.c b/arch/powerpc/kernel/pci-common.c
index d67cf79bf5d03..e88d7c9feeec3 100644
--- a/arch/powerpc/kernel/pci-common.c
+++ b/arch/powerpc/kernel/pci-common.c
@@ -880,6 +880,7 @@ int pcibios_root_bridge_prepare(struct pci_host_bridge *bridge)
static void pcibios_fixup_resources(struct pci_dev *dev)
{
struct pci_controller *hose = pci_bus_to_host(dev->bus);
+ struct resource *res;
int i;
if (!hose) {
@@ -891,9 +892,9 @@ static void pcibios_fixup_resources(struct pci_dev *dev)
if (dev->is_virtfn)
return;
- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) {
- struct resource *res = dev->resource + i;
+ pci_dev_for_each_resource(dev, res, i) {
struct pci_bus_region reg;
+
if (!res->flags)
continue;
@@ -1452,11 +1453,10 @@ void pcibios_claim_one_bus(struct pci_bus *bus)
struct pci_bus *child_bus;
list_for_each_entry(dev, &bus->devices, bus_list) {
+ struct resource *r;
int i;
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
- struct resource *r = &dev->resource[i];
-
+ pci_dev_for_each_resource(dev, r, i) {
if (r->parent || !r->start || !r->flags)
continue;
@@ -1705,19 +1705,20 @@ EXPORT_SYMBOL_GPL(pcibios_scan_phb);
static void fixup_hide_host_resource_fsl(struct pci_dev *dev)
{
- int i, class = dev->class >> 8;
+ int class = dev->class >> 8;
/* When configured as agent, programming interface = 1 */
int prog_if = dev->class & 0xf;
+ struct resource *r;
if ((class == PCI_CLASS_PROCESSOR_POWERPC ||
class == PCI_CLASS_BRIDGE_OTHER) &&
(dev->hdr_type == PCI_HEADER_TYPE_NORMAL) &&
(prog_if == 0) &&
(dev->bus->parent == NULL)) {
- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) {
- dev->resource[i].start = 0;
- dev->resource[i].end = 0;
- dev->resource[i].flags = 0;
+ pci_dev_for_each_resource(dev, r) {
+ r->start = 0;
+ r->end = 0;
+ r->flags = 0;
}
}
}
diff --git a/arch/powerpc/platforms/4xx/pci.c b/arch/powerpc/platforms/4xx/pci.c
index ca5dd7a5842ac..07dcc2b8007f9 100644
--- a/arch/powerpc/platforms/4xx/pci.c
+++ b/arch/powerpc/platforms/4xx/pci.c
@@ -57,7 +57,7 @@ static inline int ppc440spe_revA(void)
static void fixup_ppc4xx_pci_bridge(struct pci_dev *dev)
{
struct pci_controller *hose;
- int i;
+ struct resource *r;
if (dev->devfn != 0 || dev->bus->self != NULL)
return;
@@ -79,9 +79,9 @@ static void fixup_ppc4xx_pci_bridge(struct pci_dev *dev)
/* Hide the PCI host BARs from the kernel as their content doesn't
* fit well in the resource management
*/
- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) {
- dev->resource[i].start = dev->resource[i].end = 0;
- dev->resource[i].flags = 0;
+ pci_dev_for_each_resource(dev, r) {
+ r->start = r->end = 0;
+ r->flags = 0;
}
printk(KERN_INFO "PCI: Hiding 4xx host bridge resources %s\n",
diff --git a/arch/powerpc/platforms/52xx/mpc52xx_pci.c b/arch/powerpc/platforms/52xx/mpc52xx_pci.c
index 859e2818c43d5..0ca4401ba7819 100644
--- a/arch/powerpc/platforms/52xx/mpc52xx_pci.c
+++ b/arch/powerpc/platforms/52xx/mpc52xx_pci.c
@@ -327,14 +327,13 @@ mpc52xx_pci_setup(struct pci_controller *hose,
static void
mpc52xx_pci_fixup_resources(struct pci_dev *dev)
{
- int i;
+ struct resource *res;
pr_debug("%s() %.4x:%.4x\n", __func__, dev->vendor, dev->device);
/* We don't rely on boot loader for PCI and resets all
devices */
- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) {
- struct resource *res = &dev->resource[i];
+ pci_dev_for_each_resource(dev, res) {
if (res->end > res->start) { /* Only valid resources */
res->end -= res->start;
res->start = 0;
diff --git a/arch/powerpc/platforms/pseries/pci.c b/arch/powerpc/platforms/pseries/pci.c
index 6e671c3809ecf..f6cd534797864 100644
--- a/arch/powerpc/platforms/pseries/pci.c
+++ b/arch/powerpc/platforms/pseries/pci.c
@@ -240,7 +240,7 @@ void __init pSeries_final_fixup(void)
*/
static void fixup_winbond_82c105(struct pci_dev* dev)
{
- int i;
+ struct resource *r;
unsigned int reg;
if (!machine_is(pseries))
@@ -251,14 +251,14 @@ static void fixup_winbond_82c105(struct pci_dev* dev)
/* Enable LEGIRQ to use INTC instead of ISA interrupts */
pci_write_config_dword(dev, 0x40, reg | (1<<11));
- for (i = 0; i < DEVICE_COUNT_RESOURCE; ++i) {
+ pci_dev_for_each_resource(dev, r) {
/* zap the 2nd function of the winbond chip */
- if (dev->resource[i].flags & IORESOURCE_IO
- && dev->bus->number == 0 && dev->devfn == 0x81)
- dev->resource[i].flags &= ~IORESOURCE_IO;
- if (dev->resource[i].start == 0 && dev->resource[i].end) {
- dev->resource[i].flags = 0;
- dev->resource[i].end = 0;
+ if (dev->bus->number == 0 && dev->devfn == 0x81 &&
+ r->flags & IORESOURCE_IO)
+ r->flags &= ~IORESOURCE_IO;
+ if (r->start == 0 && r->end) {
+ r->flags = 0;
+ r->end = 0;
}
}
}
diff --git a/arch/sh/drivers/pci/pcie-sh7786.c b/arch/sh/drivers/pci/pcie-sh7786.c
index b0c2a5238d049..4f5e49f10805e 100644
--- a/arch/sh/drivers/pci/pcie-sh7786.c
+++ b/arch/sh/drivers/pci/pcie-sh7786.c
@@ -140,12 +140,12 @@ static void sh7786_pci_fixup(struct pci_dev *dev)
* Prevent enumeration of root complex resources.
*/
if (pci_is_root_bus(dev->bus) && dev->devfn == 0) {
- int i;
+ struct resource *r;
- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) {
- dev->resource[i].start = 0;
- dev->resource[i].end = 0;
- dev->resource[i].flags = 0;
+ pci_dev_for_each_resource(dev, r) {
+ r->start = 0;
+ r->end = 0;
+ r->flags = 0;
}
}
}
diff --git a/arch/sparc/kernel/leon_pci.c b/arch/sparc/kernel/leon_pci.c
index 3a73bc466f95d..8de6646e9ce85 100644
--- a/arch/sparc/kernel/leon_pci.c
+++ b/arch/sparc/kernel/leon_pci.c
@@ -63,15 +63,14 @@ void leon_pci_init(struct platform_device *ofdev, struct leon_pci_info *info)
int pcibios_enable_device(struct pci_dev *dev, int mask)
{
+ struct resource *res;
u16 cmd, oldcmd;
int i;
pci_read_config_word(dev, PCI_COMMAND, &cmd);
oldcmd = cmd;
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
- struct resource *res = &dev->resource[i];
-
+ pci_dev_for_each_resource(dev, res, i) {
/* Only set up the requested stuff */
if (!(mask & (1<<i)))
continue;
diff --git a/arch/sparc/kernel/pci.c b/arch/sparc/kernel/pci.c
index 5637b37ba9114..f66005ce4cb56 100644
--- a/arch/sparc/kernel/pci.c
+++ b/arch/sparc/kernel/pci.c
@@ -664,11 +664,10 @@ static void pci_claim_bus_resources(struct pci_bus *bus)
struct pci_dev *dev;
list_for_each_entry(dev, &bus->devices, bus_list) {
+ struct resource *r;
int i;
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
- struct resource *r = &dev->resource[i];
-
+ pci_dev_for_each_resource(dev, r, i) {
if (r->parent || !r->start || !r->flags)
continue;
@@ -725,15 +724,14 @@ struct pci_bus *pci_scan_one_pbm(struct pci_pbm_info *pbm,
int pcibios_enable_device(struct pci_dev *dev, int mask)
{
+ struct resource *res;
u16 cmd, oldcmd;
int i;
pci_read_config_word(dev, PCI_COMMAND, &cmd);
oldcmd = cmd;
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
- struct resource *res = &dev->resource[i];
-
+ pci_dev_for_each_resource(dev, res, i) {
/* Only set up the requested stuff */
if (!(mask & (1<<i)))
continue;
diff --git a/arch/sparc/kernel/pcic.c b/arch/sparc/kernel/pcic.c
index ee4c9a9a171cc..25fe0a0617325 100644
--- a/arch/sparc/kernel/pcic.c
+++ b/arch/sparc/kernel/pcic.c
@@ -643,15 +643,14 @@ void pcibios_fixup_bus(struct pci_bus *bus)
int pcibios_enable_device(struct pci_dev *dev, int mask)
{
+ struct resource *res;
u16 cmd, oldcmd;
int i;
pci_read_config_word(dev, PCI_COMMAND, &cmd);
oldcmd = cmd;
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
- struct resource *res = &dev->resource[i];
-
+ pci_dev_for_each_resource(dev, res, i) {
/* Only set up the requested stuff */
if (!(mask & (1<<i)))
continue;
diff --git a/drivers/pci/remove.c b/drivers/pci/remove.c
index 22d39e12b236a..30a787d45d2e5 100644
--- a/drivers/pci/remove.c
+++ b/drivers/pci/remove.c
@@ -5,10 +5,9 @@
static void pci_free_resources(struct pci_dev *dev)
{
- int i;
+ struct resource *res;
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
- struct resource *res = dev->resource + i;
+ pci_dev_for_each_resource(dev, res) {
if (res->parent)
release_resource(res);
}
diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
index 3ce68adda9b7c..05cebc39f7642 100644
--- a/drivers/pci/setup-bus.c
+++ b/drivers/pci/setup-bus.c
@@ -124,20 +124,17 @@ static resource_size_t get_res_add_align(struct list_head *head,
return dev_res ? dev_res->min_align : 0;
}
-
/* Sort resources by alignment */
static void pdev_sort_resources(struct pci_dev *dev, struct list_head *head)
{
+ struct resource *r;
int i;
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
- struct resource *r;
+ pci_dev_for_each_resource(dev, r, i) {
struct pci_dev_resource *dev_res, *tmp;
resource_size_t r_align;
struct list_head *n;
- r = &dev->resource[i];
-
if (r->flags & IORESOURCE_PCI_FIXED)
continue;
@@ -891,10 +888,9 @@ static void pbus_size_io(struct pci_bus *bus, resource_size_t min_size,
min_align = window_alignment(bus, IORESOURCE_IO);
list_for_each_entry(dev, &bus->devices, bus_list) {
- int i;
+ struct resource *r;
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
- struct resource *r = &dev->resource[i];
+ pci_dev_for_each_resource(dev, r) {
unsigned long r_size;
if (r->parent || !(r->flags & IORESOURCE_IO))
@@ -1010,10 +1006,10 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask,
size = 0;
list_for_each_entry(dev, &bus->devices, bus_list) {
+ struct resource *r;
int i;
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
- struct resource *r = &dev->resource[i];
+ pci_dev_for_each_resource(dev, r, i) {
resource_size_t r_size;
if (r->parent || (r->flags & IORESOURCE_PCI_FIXED) ||
@@ -1354,11 +1350,10 @@ static void assign_fixed_resource_on_bus(struct pci_bus *b, struct resource *r)
*/
static void pdev_assign_fixed_resources(struct pci_dev *dev)
{
- int i;
+ struct resource *r;
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
+ pci_dev_for_each_resource(dev, r) {
struct pci_bus *b;
- struct resource *r = &dev->resource[i];
if (r->parent || !(r->flags & IORESOURCE_PCI_FIXED) ||
!(r->flags & (IORESOURCE_IO | IORESOURCE_MEM)))
@@ -1791,11 +1786,9 @@ static void remove_dev_resources(struct pci_dev *dev, struct resource *io,
struct resource *mmio,
struct resource *mmio_pref)
{
- int i;
-
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
- struct resource *res = &dev->resource[i];
+ struct resource *res;
+ pci_dev_for_each_resource(dev, res) {
if (resource_type(res) == IORESOURCE_IO) {
remove_dev_resource(io, dev, res);
} else if (resource_type(res) == IORESOURCE_MEM) {
diff --git a/drivers/pci/setup-res.c b/drivers/pci/setup-res.c
index b492e67c3d871..967f9a7589239 100644
--- a/drivers/pci/setup-res.c
+++ b/drivers/pci/setup-res.c
@@ -484,12 +484,10 @@ int pci_enable_resources(struct pci_dev *dev, int mask)
pci_read_config_word(dev, PCI_COMMAND, &cmd);
old_cmd = cmd;
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
+ pci_dev_for_each_resource(dev, r, i) {
if (!(mask & (1 << i)))
continue;
- r = &dev->resource[i];
-
if (!(r->flags & (IORESOURCE_IO | IORESOURCE_MEM)))
continue;
if ((i == PCI_ROM_RESOURCE) &&
diff --git a/drivers/pci/vgaarb.c b/drivers/pci/vgaarb.c
index f80b6ec88dc30..5a696078b382b 100644
--- a/drivers/pci/vgaarb.c
+++ b/drivers/pci/vgaarb.c
@@ -548,10 +548,8 @@ static bool vga_is_firmware_default(struct pci_dev *pdev)
#if defined(CONFIG_X86) || defined(CONFIG_IA64)
u64 base = screen_info.lfb_base;
u64 size = screen_info.lfb_size;
+ struct resource *r;
u64 limit;
- resource_size_t start, end;
- unsigned long flags;
- int i;
/* Select the device owning the boot framebuffer if there is one */
@@ -561,19 +559,14 @@ static bool vga_is_firmware_default(struct pci_dev *pdev)
limit = base + size;
/* Does firmware framebuffer belong to us? */
- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) {
- flags = pci_resource_flags(pdev, i);
-
- if ((flags & IORESOURCE_MEM) == 0)
+ pci_dev_for_each_resource(pdev, r) {
+ if (resource_type(r) != IORESOURCE_MEM)
continue;
- start = pci_resource_start(pdev, i);
- end = pci_resource_end(pdev, i);
-
- if (!start || !end)
+ if (!r->start || !r->end)
continue;
- if (base < start || limit >= end)
+ if (base < r->start || limit >= r->end)
continue;
return true;
diff --git a/drivers/pci/xen-pcifront.c b/drivers/pci/xen-pcifront.c
index fcd029ca2eb18..83c0ab50676df 100644
--- a/drivers/pci/xen-pcifront.c
+++ b/drivers/pci/xen-pcifront.c
@@ -390,9 +390,7 @@ static int pcifront_claim_resource(struct pci_dev *dev, void *data)
int i;
struct resource *r;
- for (i = 0; i < PCI_NUM_RESOURCES; i++) {
- r = &dev->resource[i];
-
+ pci_dev_for_each_resource(dev, r, i) {
if (!r->parent && r->start && r->flags) {
dev_info(&pdev->xdev->dev, "claiming resource %s/%d\n",
pci_name(dev), i);
diff --git a/drivers/pnp/quirks.c b/drivers/pnp/quirks.c
index ac98b9919029c..6085a1471de21 100644
--- a/drivers/pnp/quirks.c
+++ b/drivers/pnp/quirks.c
@@ -229,8 +229,7 @@ static void quirk_ad1815_mpu_resources(struct pnp_dev *dev)
static void quirk_system_pci_resources(struct pnp_dev *dev)
{
struct pci_dev *pdev = NULL;
- struct resource *res;
- resource_size_t pnp_start, pnp_end, pci_start, pci_end;
+ struct resource *res, *r;
int i, j;
/*
@@ -243,32 +242,26 @@ static void quirk_system_pci_resources(struct pnp_dev *dev)
* so they won't be claimed by the PNP system driver.
*/
for_each_pci_dev(pdev) {
- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) {
- unsigned long flags, type;
+ pci_dev_for_each_resource(pdev, r, i) {
+ unsigned long type = resource_type(r);
- flags = pci_resource_flags(pdev, i);
- type = flags & (IORESOURCE_IO | IORESOURCE_MEM);
- if (!type || pci_resource_len(pdev, i) == 0)
+ if (!(type == IORESOURCE_IO || type == IORESOURCE_MEM) ||
+ resource_size(r) == 0)
continue;
- if (flags & IORESOURCE_UNSET)
+ if (r->flags & IORESOURCE_UNSET)
continue;
- pci_start = pci_resource_start(pdev, i);
- pci_end = pci_resource_end(pdev, i);
for (j = 0;
(res = pnp_get_resource(dev, type, j)); j++) {
if (res->start == 0 && res->end == 0)
continue;
- pnp_start = res->start;
- pnp_end = res->end;
-
/*
* If the PNP region doesn't overlap the PCI
* region at all, there's no problem.
*/
- if (pnp_end < pci_start || pnp_start > pci_end)
+ if (!resource_overlaps(res, r))
continue;
/*
@@ -278,8 +271,7 @@ static void quirk_system_pci_resources(struct pnp_dev *dev)
* PNP device describes a bridge with PCI
* behind it.
*/
- if (pnp_start <= pci_start &&
- pnp_end >= pci_end)
+ if (res->start <= r->start && res->end >= r->end)
continue;
/*
@@ -288,9 +280,8 @@ static void quirk_system_pci_resources(struct pnp_dev *dev)
* driver from requesting its resources.
*/
dev_warn(&dev->dev,
- "disabling %pR because it overlaps "
- "%s BAR %d %pR\n", res,
- pci_name(pdev), i, &pdev->resource[i]);
+ "disabling %pR because it overlaps %s BAR %d %pR\n",
+ res, pci_name(pdev), i, r);
res->flags |= IORESOURCE_DISABLED;
}
}
diff --git a/include/linux/pci.h b/include/linux/pci.h
index e10b54642b7f2..8b13be1633db1 100644
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -2029,6 +2029,20 @@ int pci_iobar_pfn(struct pci_dev *pdev, int bar, struct vm_area_struct *vma);
(pci_resource_end((dev), (bar)) ? \
resource_size(pci_resource_n((dev), (bar))) : 0)
+#define __pci_dev_for_each_res0(dev, res, ...) \
+ for (unsigned int __b = 0; \
+ res = pci_resource_n(dev, __b), __b < PCI_NUM_RESOURCES; \
+ __b++)
+
+#define __pci_dev_for_each_res1(dev, res, __b) \
+ for (__b = 0; \
+ res = pci_resource_n(dev, __b), __b < PCI_NUM_RESOURCES; \
+ __b++)
+
+#define pci_dev_for_each_resource(dev, res, ...) \
+ CONCATENATE(__pci_dev_for_each_res, COUNT_ARGS(__VA_ARGS__)) \
+ (dev, res, __VA_ARGS__)
+
/*
* Similar to the helpers above, these manipulate per-pci_dev
* driver-specific data. They are really just a wrapper around
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 082/567] hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 081/567] ALSA: hda/conexant: Add quirk for HP ZBook Studio G4 Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 083/567] ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314 Greg Kroah-Hartman
` (295 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Hutchings, Gui-Dong Han,
Guenter Roeck, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
[ Upstream commit 007be4327e443d79c9dd9e56dc16c36f6395d208 ]
Simply copying shared data to a local variable cannot prevent data
races. The compiler is allowed to optimize away the local copy and
re-read the shared memory, causing a Time-of-Check Time-of-Use (TOCTOU)
issue if the data changes between the check and the usage.
To enforce the use of the local variable, use READ_ONCE() when reading
the shared data and WRITE_ONCE() when updating it. Apply these macros to
the three identified locations (curr_sense, adc, and fault) where local
variables are used for error validation, ensuring the value remains
consistent.
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Closes: https://lore.kernel.org/all/6fe17868327207e8b850cf9f88b7dc58b2021f73.camel@decadent.org.uk/
Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles")
Fixes: b8d5acdcf525 ("hwmon: (max16065) Use local variable to avoid TOCTOU")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20260203121443.5482-1-hanguidong02@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/max16065.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/drivers/hwmon/max16065.c b/drivers/hwmon/max16065.c
index 4c9e7892a73c1..43fbb9b26b102 100644
--- a/drivers/hwmon/max16065.c
+++ b/drivers/hwmon/max16065.c
@@ -151,27 +151,27 @@ static struct max16065_data *max16065_update_device(struct device *dev)
int i;
for (i = 0; i < data->num_adc; i++)
- data->adc[i]
- = max16065_read_adc(client, MAX16065_ADC(i));
+ WRITE_ONCE(data->adc[i],
+ max16065_read_adc(client, MAX16065_ADC(i)));
if (data->have_current) {
- data->adc[MAX16065_NUM_ADC]
- = max16065_read_adc(client, MAX16065_CSP_ADC);
- data->curr_sense
- = i2c_smbus_read_byte_data(client,
- MAX16065_CURR_SENSE);
+ WRITE_ONCE(data->adc[MAX16065_NUM_ADC],
+ max16065_read_adc(client, MAX16065_CSP_ADC));
+ WRITE_ONCE(data->curr_sense,
+ i2c_smbus_read_byte_data(client, MAX16065_CURR_SENSE));
}
for (i = 0; i < 2; i++)
- data->fault[i]
- = i2c_smbus_read_byte_data(client, MAX16065_FAULT(i));
+ WRITE_ONCE(data->fault[i],
+ i2c_smbus_read_byte_data(client, MAX16065_FAULT(i)));
/*
* MAX16067 and MAX16068 have separate undervoltage and
* overvoltage alarm bits. Squash them together.
*/
if (data->chip == max16067 || data->chip == max16068)
- data->fault[0] |= data->fault[1];
+ WRITE_ONCE(data->fault[0],
+ data->fault[0] | data->fault[1]);
data->last_updated = jiffies;
data->valid = true;
@@ -185,7 +185,7 @@ static ssize_t max16065_alarm_show(struct device *dev,
{
struct sensor_device_attribute_2 *attr2 = to_sensor_dev_attr_2(da);
struct max16065_data *data = max16065_update_device(dev);
- int val = data->fault[attr2->nr];
+ int val = READ_ONCE(data->fault[attr2->nr]);
if (val < 0)
return val;
@@ -203,7 +203,7 @@ static ssize_t max16065_input_show(struct device *dev,
{
struct sensor_device_attribute *attr = to_sensor_dev_attr(da);
struct max16065_data *data = max16065_update_device(dev);
- int adc = data->adc[attr->index];
+ int adc = READ_ONCE(data->adc[attr->index]);
if (unlikely(adc < 0))
return adc;
@@ -216,7 +216,7 @@ static ssize_t max16065_current_show(struct device *dev,
struct device_attribute *da, char *buf)
{
struct max16065_data *data = max16065_update_device(dev);
- int curr_sense = data->curr_sense;
+ int curr_sense = READ_ONCE(data->curr_sense);
if (unlikely(curr_sense < 0))
return curr_sense;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 007/460] ACPI: OSI: Add DMI quirk for Acer Aspire One D255
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 006/460] wifi: mac80211: set default WMM parameters on all links Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 008/460] scsi: ses: Fix devices attaching to different hosts Greg Kroah-Hartman
` (295 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sofia Schneider, Rafael J. Wysocki,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sofia Schneider <sofia@schn.dev>
[ Upstream commit 5ede90206273ff156a778254f0f972a55e973c89 ]
The screen backlight turns off during boot (specifically during udev device
initialization) when returning true for _OSI("Windows 2009").
Analyzing the device's DSDT reveals that the firmware takes a different
code path when Windows 7 is reported, which leads to the backlight shutoff.
Add a DMI quirk to invoke dmi_disable_osi_win7 for this model.
Signed-off-by: Sofia Schneider <sofia@schn.dev>
Link: https://patch.msgid.link/20260223025240.518509-1-sofia@schn.dev
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/osi.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/acpi/osi.c b/drivers/acpi/osi.c
index f2c943b934be0..9470f1830ff50 100644
--- a/drivers/acpi/osi.c
+++ b/drivers/acpi/osi.c
@@ -389,6 +389,19 @@ static const struct dmi_system_id acpi_osi_dmi_table[] __initconst = {
},
},
+ /*
+ * The screen backlight turns off during udev device creation
+ * when returning true for _OSI("Windows 2009")
+ */
+ {
+ .callback = dmi_disable_osi_win7,
+ .ident = "Acer Aspire One D255",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "AOD255"),
+ },
+ },
+
/*
* The wireless hotkey does not work on those machines when
* returning true for _OSI("Windows 2012")
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 083/567] ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 082/567] hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 084/567] net: arcnet: com20020-pci: fix support for 2.5Mbit cards Greg Kroah-Hartman
` (294 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 7bc0df86c2384bc1e2012a2c946f82305054da64 ]
Acer Swift SF314 (SSID 1025:136d) needs a bit of tweaks of the pin
configurations for NID 0x16 and 0x19 to make the headphone / headset
jack working. NID 0x17 can remain as is for the working speaker, and
the built-in mic is supported via SOF.
Cc: <stable@vger.kernel.org>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221086
Link: https://patch.msgid.link/20260217104414.62911-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_conexant.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
index 192d13f829e19..355b26583eb4e 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -312,6 +312,7 @@ enum {
CXT_PINCFG_SWS_JS201D,
CXT_PINCFG_TOP_SPEAKER,
CXT_FIXUP_HP_A_U,
+ CXT_FIXUP_ACER_SWIFT_HP,
};
/* for hda_fixup_thinkpad_acpi() */
@@ -1028,6 +1029,14 @@ static const struct hda_fixup cxt_fixups[] = {
.type = HDA_FIXUP_FUNC,
.v.func = cxt_fixup_hp_a_u,
},
+ [CXT_FIXUP_ACER_SWIFT_HP] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+ { 0x16, 0x0321403f }, /* Headphone */
+ { 0x19, 0x40f001f0 }, /* Mic */
+ { }
+ },
+ },
};
static const struct hda_quirk cxt5045_fixups[] = {
@@ -1077,6 +1086,7 @@ static const struct hda_quirk cxt5066_fixups[] = {
SND_PCI_QUIRK(0x1025, 0x0543, "Acer Aspire One 522", CXT_FIXUP_STEREO_DMIC),
SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", CXT_FIXUP_ASPIRE_DMIC),
SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC),
+ SND_PCI_QUIRK(0x1025, 0x136d, "Acer Swift SF314", CXT_FIXUP_ACER_SWIFT_HP),
SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 021/481] PCI: Fix printk field formatting
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 020/481] PCI: Introduce pci_dev_for_each_resource() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 022/481] PCI: Update BAR # and window messages Greg Kroah-Hartman
` (294 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Helgaas, Ilpo Järvinen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas <bhelgaas@google.com>
[ Upstream commit 62008578b73f16e274070a232b939ba5933bb8ba ]
Previously we used "%#08x" to print a 32-bit value. This fills an
8-character field with "0x...", but of course many 32-bit values require a
10-character field "0x12345678" for this format. Fix the formats to avoid
confusion.
Link: https://lore.kernel.org/r/20230824193712.542167-5-helgaas@kernel.org
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Stable-dep-of: 11721c45a826 ("PCI: Use resource_set_range() that correctly sets ->end")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/setup-res.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/setup-res.c b/drivers/pci/setup-res.c
index 967f9a7589239..ceaa69491f5ef 100644
--- a/drivers/pci/setup-res.c
+++ b/drivers/pci/setup-res.c
@@ -104,7 +104,7 @@ static void pci_std_update_resource(struct pci_dev *dev, int resno)
pci_read_config_dword(dev, reg, &check);
if ((new ^ check) & mask) {
- pci_err(dev, "BAR %d: error updating (%#08x != %#08x)\n",
+ pci_err(dev, "BAR %d: error updating (%#010x != %#010x)\n",
resno, new, check);
}
@@ -113,7 +113,7 @@ static void pci_std_update_resource(struct pci_dev *dev, int resno)
pci_write_config_dword(dev, reg + 4, new);
pci_read_config_dword(dev, reg + 4, &check);
if (check != new) {
- pci_err(dev, "BAR %d: error updating (high %#08x != %#08x)\n",
+ pci_err(dev, "BAR %d: error updating (high %#010x != %#010x)\n",
resno, new, check);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 008/460] scsi: ses: Fix devices attaching to different hosts
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 007/460] ACPI: OSI: Add DMI quirk for Acer Aspire One D255 Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 009/460] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table Greg Kroah-Hartman
` (294 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Jeffery, Tomas Henzl,
Martin K. Petersen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomas Henzl <thenzl@redhat.com>
[ Upstream commit 70ca8caa96ce473647054f5c7b9dab5423902402 ]
On a multipath SAS system some devices don't end up with correct symlinks
from the SCSI device to its enclosure. Some devices even have enclosure
links pointing to enclosures attached to different SCSI hosts.
ses_match_to_enclosure() calls enclosure_for_each_device() which iterates
over all enclosures on the system, not just enclosures attached to the
current SCSI host.
Replace the iteration with a direct call to ses_enclosure_find_by_addr().
Reviewed-by: David Jeffery <djeffery@redhat.com>
Signed-off-by: Tomas Henzl <thenzl@redhat.com>
Link: https://patch.msgid.link/20260210191850.36784-1-thenzl@redhat.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/ses.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 2c61624cb4b03..50e744e891295 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -529,9 +529,8 @@ struct efd {
};
static int ses_enclosure_find_by_addr(struct enclosure_device *edev,
- void *data)
+ struct efd *efd)
{
- struct efd *efd = data;
int i;
struct ses_component *scomp;
@@ -684,7 +683,7 @@ static void ses_match_to_enclosure(struct enclosure_device *edev,
if (efd.addr) {
efd.dev = &sdev->sdev_gendev;
- enclosure_for_each_device(ses_enclosure_find_by_addr, &efd);
+ ses_enclosure_find_by_addr(edev, &efd);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 084/567] net: arcnet: com20020-pci: fix support for 2.5Mbit cards
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 083/567] ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314 Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 085/567] drm/amd: Drop special case for yellow carp without discovery Greg Kroah-Hartman
` (293 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Ethan Nelson-Moore,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Nelson-Moore <enelsonmoore@gmail.com>
[ Upstream commit c7d9be66b71af490446127c6ffcb66d6bb71b8b9 ]
Commit 8c14f9c70327 ("ARCNET: add com20020 PCI IDs with metadata")
converted the com20020-pci driver to use a card info structure instead
of a single flag mask in driver_data. However, it failed to take into
account that in the original code, driver_data of 0 indicates a card
with no special flags, not a card that should not have any card info
structure. This introduced a null pointer dereference when cards with
no flags were probed.
Commit bd6f1fd5d33d ("net: arcnet: com20020: Fix null-ptr-deref in
com20020pci_probe()") then papered over this issue by rejecting cards
with no driver_data instead of resolving the problem at its source.
Fix the original issue by introducing a new card info structure for
2.5Mbit cards that does not set any flags and using it if no
driver_data is present.
Fixes: 8c14f9c70327 ("ARCNET: add com20020 PCI IDs with metadata")
Fixes: bd6f1fd5d33d ("net: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe()")
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Link: https://patch.msgid.link/20260213045510.32368-1-enelsonmoore@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/arcnet/com20020-pci.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/drivers/net/arcnet/com20020-pci.c b/drivers/net/arcnet/com20020-pci.c
index e7db6a4e4dc9d..e9ee32b091a41 100644
--- a/drivers/net/arcnet/com20020-pci.c
+++ b/drivers/net/arcnet/com20020-pci.c
@@ -114,6 +114,8 @@ static const struct attribute_group com20020_state_group = {
.attrs = com20020_state_attrs,
};
+static struct com20020_pci_card_info card_info_2p5mbit;
+
static void com20020pci_remove(struct pci_dev *pdev);
static int com20020pci_probe(struct pci_dev *pdev,
@@ -139,7 +141,7 @@ static int com20020pci_probe(struct pci_dev *pdev,
ci = (struct com20020_pci_card_info *)id->driver_data;
if (!ci)
- return -EINVAL;
+ ci = &card_info_2p5mbit;
priv->ci = ci;
mm = &ci->misc_map;
@@ -346,6 +348,18 @@ static struct com20020_pci_card_info card_info_5mbit = {
.flags = ARC_IS_5MBIT,
};
+static struct com20020_pci_card_info card_info_2p5mbit = {
+ .name = "ARC-PCI",
+ .devcount = 1,
+ .chan_map_tbl = {
+ {
+ .bar = 2,
+ .offset = 0x00,
+ .size = 0x08,
+ },
+ },
+};
+
static struct com20020_pci_card_info card_info_sohard = {
.name = "SOHARD SH ARC-PCI",
.devcount = 1,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 022/481] PCI: Update BAR # and window messages
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 021/481] PCI: Fix printk field formatting Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 023/481] PCI: Use resource names in PCI log messages Greg Kroah-Hartman
` (293 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Puranjay Mohan, Bjorn Helgaas,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay12@gmail.com>
[ Upstream commit 65f8e0beac5a495b8f3b387add1f9f4470678cb5 ]
The PCI log messages print the register offsets at some places and BAR
numbers at other places. There is no uniformity in this logging mechanism.
It would be better to print names than register offsets.
Add a helper function that aids in printing more meaningful information
about the BAR numbers like "VF BAR", "ROM", "bridge window", etc. This
function can be called while printing PCI log messages.
[bhelgaas: fold in Lukas' static array suggestion from
https: //lore.kernel.org/all/20211106115831.GA7452@wunner.de/]
Link: https://lore.kernel.org/r/20211106112606.192563-2-puranjay12@gmail.com
Signed-off-by: Puranjay Mohan <puranjay12@gmail.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Stable-dep-of: 11721c45a826 ("PCI: Use resource_set_range() that correctly sets ->end")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++
drivers/pci/pci.h | 2 ++
2 files changed, 62 insertions(+)
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 516eaec6488de..2975a5c781df4 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -844,6 +844,66 @@ struct resource *pci_find_resource(struct pci_dev *dev, struct resource *res)
}
EXPORT_SYMBOL(pci_find_resource);
+/**
+ * pci_resource_name - Return the name of the PCI resource
+ * @dev: PCI device to query
+ * @i: index of the resource
+ *
+ * Return the standard PCI resource (BAR) name according to their index.
+ */
+const char *pci_resource_name(struct pci_dev *dev, unsigned int i)
+{
+ static const char * const bar_name[] = {
+ "BAR 0",
+ "BAR 1",
+ "BAR 2",
+ "BAR 3",
+ "BAR 4",
+ "BAR 5",
+ "ROM",
+#ifdef CONFIG_PCI_IOV
+ "VF BAR 0",
+ "VF BAR 1",
+ "VF BAR 2",
+ "VF BAR 3",
+ "VF BAR 4",
+ "VF BAR 5",
+#endif
+ "bridge window", /* "io" included in %pR */
+ "bridge window", /* "mem" included in %pR */
+ "bridge window", /* "mem pref" included in %pR */
+ };
+ static const char * const cardbus_name[] = {
+ "BAR 1",
+ "unknown",
+ "unknown",
+ "unknown",
+ "unknown",
+ "unknown",
+#ifdef CONFIG_PCI_IOV
+ "unknown",
+ "unknown",
+ "unknown",
+ "unknown",
+ "unknown",
+ "unknown",
+#endif
+ "CardBus bridge window 0", /* I/O */
+ "CardBus bridge window 1", /* I/O */
+ "CardBus bridge window 0", /* mem */
+ "CardBus bridge window 1", /* mem */
+ };
+
+ if (dev->hdr_type == PCI_HEADER_TYPE_CARDBUS &&
+ i < ARRAY_SIZE(cardbus_name))
+ return cardbus_name[i];
+
+ if (i < ARRAY_SIZE(bar_name))
+ return bar_name[i];
+
+ return "unknown";
+}
+
/**
* pci_wait_for_pending - wait for @mask bit(s) to clear in status word @pos
* @dev: the PCI device to operate on
diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
index fc760fd3ad948..4fb02de24271b 100644
--- a/drivers/pci/pci.h
+++ b/drivers/pci/pci.h
@@ -251,6 +251,8 @@ void __pci_bus_assign_resources(const struct pci_bus *bus,
struct list_head *fail_head);
bool pci_bus_clip_resource(struct pci_dev *dev, int idx);
+const char *pci_resource_name(struct pci_dev *dev, unsigned int i);
+
void pci_reassigndev_resource_alignment(struct pci_dev *dev);
void pci_disable_bridge_window(struct pci_dev *dev);
struct pci_bus *pci_bus_get(struct pci_bus *bus);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 009/460] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 008/460] scsi: ses: Fix devices attaching to different hosts Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 010/460] ASoC: cs42l43: Report insert for exotic peripherals Greg Kroah-Hartman
` (293 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Azamat Almazbek uulu,
Vijendar Mukunda, Mark Brown, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Azamat Almazbek uulu <almazbek1608@gmail.com>
[ Upstream commit 32fc4168fa56f6301d858c778a3d712774e9657e ]
The ASUS ExpertBook BM1503CDA (Ryzen 5 7535U, Barcelo-R) has an
internal DMIC connected through the AMD ACP (Audio CoProcessor)
but is missing from the DMI quirk table, so the acp6x machine
driver probe returns -ENODEV and no DMIC capture device is created.
Add the DMI entry so the internal microphone works out of the box.
Signed-off-by: Azamat Almazbek uulu <almazbek1608@gmail.com>
Reviewed-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
Link: https://patch.msgid.link/20260221114813.5610-1-almazbek1608@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
index f33946fb895da..b4f38d2245ec7 100644
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -696,6 +696,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "Vivobook_ASUSLaptop M6501RR_M6501RR"),
}
},
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "ASUS EXPERTBOOK BM1503CDA"),
+ }
+ },
{}
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 085/567] drm/amd: Drop special case for yellow carp without discovery
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 084/567] net: arcnet: com20020-pci: fix support for 2.5Mbit cards Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 086/567] drm/amdgpu: keep vga memory on MacBooks with switchable graphics Greg Kroah-Hartman
` (292 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 3ef07651a5756e7de65615e18eacbf8822c23016 ]
`amdgpu_gmc_get_vbios_allocations` has a special case for how to
bring up yellow carp when amdgpu discovery is turned off. As this ASIC
ships with discovery turned on, it's generally dead code and worse it
causes `adev->mman.keep_stolen_vga_memory` to not be initialized for
yellow carp.
Remove it.
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Stable-dep-of: 096bb75e13cc ("drm/amdgpu: keep vga memory on MacBooks with switchable graphics")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
index 3c24637f3d6e9..7d120d4175499 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
@@ -728,12 +728,6 @@ void amdgpu_gmc_get_vbios_allocations(struct amdgpu_device *adev)
case CHIP_RENOIR:
adev->mman.keep_stolen_vga_memory = true;
break;
- case CHIP_YELLOW_CARP:
- if (amdgpu_discovery == 0) {
- adev->mman.stolen_reserved_offset = 0x1ffb0000;
- adev->mman.stolen_reserved_size = 64 * PAGE_SIZE;
- }
- break;
default:
adev->mman.keep_stolen_vga_memory = false;
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 023/481] PCI: Use resource names in PCI log messages
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 022/481] PCI: Update BAR # and window messages Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 024/481] resource: Add resource set range and size helpers Greg Kroah-Hartman
` (292 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Puranjay Mohan, Bjorn Helgaas,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay12@gmail.com>
[ Upstream commit dc4e6f21c3f844ebc1c52b6920b8ec5dfc73f4e8 ]
Use the pci_resource_name() to get the name of the resource and use it
while printing log messages.
[bhelgaas: rename to match struct resource * names, also use names in other
BAR messages]
Link: https://lore.kernel.org/r/20211106112606.192563-3-puranjay12@gmail.com
Signed-off-by: Puranjay Mohan <puranjay12@gmail.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Stable-dep-of: 11721c45a826 ("PCI: Use resource_set_range() that correctly sets ->end")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/iov.c | 7 ++--
drivers/pci/pci.c | 25 +++++++-------
drivers/pci/probe.c | 26 +++++++--------
drivers/pci/quirks.c | 15 ++++++---
drivers/pci/setup-bus.c | 30 +++++++++++------
drivers/pci/setup-res.c | 72 +++++++++++++++++++++++------------------
6 files changed, 103 insertions(+), 72 deletions(-)
diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c
index 132bd4447534c..3965e003d7b57 100644
--- a/drivers/pci/iov.c
+++ b/drivers/pci/iov.c
@@ -750,6 +750,7 @@ static int sriov_init(struct pci_dev *dev, int pos)
u16 ctrl, total;
struct pci_sriov *iov;
struct resource *res;
+ const char *res_name;
struct pci_dev *pdev;
pci_read_config_word(dev, pos + PCI_SRIOV_CTRL, &ctrl);
@@ -790,6 +791,8 @@ static int sriov_init(struct pci_dev *dev, int pos)
nres = 0;
for (i = 0; i < PCI_SRIOV_NUM_BARS; i++) {
res = &dev->resource[i + PCI_IOV_RESOURCES];
+ res_name = pci_resource_name(dev, i + PCI_IOV_RESOURCES);
+
/*
* If it is already FIXED, don't change it, something
* (perhaps EA or header fixups) wants it this way.
@@ -807,8 +810,8 @@ static int sriov_init(struct pci_dev *dev, int pos)
}
iov->barsz[i] = resource_size(res);
res->end = res->start + resource_size(res) * total - 1;
- pci_info(dev, "VF(n) BAR%d space: %pR (contains BAR%d for %d VFs)\n",
- i, res, i, total);
+ pci_info(dev, "%s %pR: contains BAR %d for %d VFs\n",
+ res_name, res, i, total);
i += bar64;
nres++;
}
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 2975a5c781df4..d2d6b7da8c66c 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -3373,6 +3373,7 @@ static struct resource *pci_ea_get_resource(struct pci_dev *dev, u8 bei,
static int pci_ea_read(struct pci_dev *dev, int offset)
{
struct resource *res;
+ const char *res_name;
int ent_size, ent_offset = offset;
resource_size_t start, end;
unsigned long flags;
@@ -3402,6 +3403,7 @@ static int pci_ea_read(struct pci_dev *dev, int offset)
goto out;
res = pci_ea_get_resource(dev, bei, prop);
+ res_name = pci_resource_name(dev, bei);
if (!res) {
pci_err(dev, "Unsupported EA entry BEI: %u\n", bei);
goto out;
@@ -3475,16 +3477,16 @@ static int pci_ea_read(struct pci_dev *dev, int offset)
res->flags = flags;
if (bei <= PCI_EA_BEI_BAR5)
- pci_info(dev, "BAR %d: %pR (from Enhanced Allocation, properties %#02x)\n",
- bei, res, prop);
+ pci_info(dev, "%s %pR: from Enhanced Allocation, properties %#02x\n",
+ res_name, res, prop);
else if (bei == PCI_EA_BEI_ROM)
- pci_info(dev, "ROM: %pR (from Enhanced Allocation, properties %#02x)\n",
- res, prop);
+ pci_info(dev, "%s %pR: from Enhanced Allocation, properties %#02x\n",
+ res_name, res, prop);
else if (bei >= PCI_EA_BEI_VF_BAR0 && bei <= PCI_EA_BEI_VF_BAR5)
- pci_info(dev, "VF BAR %d: %pR (from Enhanced Allocation, properties %#02x)\n",
- bei - PCI_EA_BEI_VF_BAR0, res, prop);
+ pci_info(dev, "%s %pR: from Enhanced Allocation, properties %#02x\n",
+ res_name, res, prop);
else
- pci_info(dev, "BEI %d res: %pR (from Enhanced Allocation, properties %#02x)\n",
+ pci_info(dev, "BEI %d %pR: from Enhanced Allocation, properties %#02x\n",
bei, res, prop);
out:
@@ -6704,14 +6706,15 @@ static void pci_request_resource_alignment(struct pci_dev *dev, int bar,
resource_size_t align, bool resize)
{
struct resource *r = &dev->resource[bar];
+ const char *r_name = pci_resource_name(dev, bar);
resource_size_t size;
if (!(r->flags & IORESOURCE_MEM))
return;
if (r->flags & IORESOURCE_PCI_FIXED) {
- pci_info(dev, "BAR%d %pR: ignoring requested alignment %#llx\n",
- bar, r, (unsigned long long)align);
+ pci_info(dev, "%s %pR: ignoring requested alignment %#llx\n",
+ r_name, r, (unsigned long long)align);
return;
}
@@ -6747,8 +6750,8 @@ static void pci_request_resource_alignment(struct pci_dev *dev, int bar,
* devices and we use the second.
*/
- pci_info(dev, "BAR%d %pR: requesting alignment to %#llx\n",
- bar, r, (unsigned long long)align);
+ pci_info(dev, "%s %pR: requesting alignment to %#llx\n",
+ r_name, r, (unsigned long long)align);
if (resize) {
r->start = 0;
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index ea7db1bd21143..8f99607e0a526 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -181,6 +181,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
u64 l64, sz64, mask64;
u16 orig_cmd;
struct pci_bus_region region, inverted_region;
+ const char *res_name = pci_resource_name(dev, res - dev->resource);
mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
@@ -255,8 +256,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
sz64 = pci_size(l64, sz64, mask64);
if (!sz64) {
- pci_info(dev, FW_BUG "reg 0x%x: invalid BAR (can't size)\n",
- pos);
+ pci_info(dev, FW_BUG "%s: invalid; can't size\n", res_name);
goto fail;
}
@@ -266,8 +266,8 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
res->flags |= IORESOURCE_UNSET | IORESOURCE_DISABLED;
res->start = 0;
res->end = 0;
- pci_err(dev, "reg 0x%x: can't handle BAR larger than 4GB (size %#010llx)\n",
- pos, (unsigned long long)sz64);
+ pci_err(dev, "%s: can't handle BAR larger than 4GB (size %#010llx)\n",
+ res_name, (unsigned long long)sz64);
goto out;
}
@@ -276,8 +276,8 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
res->flags |= IORESOURCE_UNSET;
res->start = 0;
res->end = sz64 - 1;
- pci_info(dev, "reg 0x%x: can't handle BAR above 4GB (bus address %#010llx)\n",
- pos, (unsigned long long)l64);
+ pci_info(dev, "%s: can't handle BAR above 4GB (bus address %#010llx)\n",
+ res_name, (unsigned long long)l64);
goto out;
}
}
@@ -303,8 +303,8 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
res->flags |= IORESOURCE_UNSET;
res->start = 0;
res->end = region.end - region.start;
- pci_info(dev, "reg 0x%x: initial BAR value %#010llx invalid\n",
- pos, (unsigned long long)region.start);
+ pci_info(dev, "%s: initial BAR value %#010llx invalid\n",
+ res_name, (unsigned long long)region.start);
}
goto out;
@@ -314,7 +314,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
res->flags = 0;
out:
if (res->flags)
- pci_info(dev, "reg 0x%x: %pR\n", pos, res);
+ pci_info(dev, "%s %pR\n", res_name, res);
return (res->flags & IORESOURCE_MEM_64) ? 1 : 0;
}
@@ -1948,14 +1948,14 @@ int pci_setup_device(struct pci_dev *dev)
res = &dev->resource[0];
res->flags = LEGACY_IO_RESOURCE;
pcibios_bus_to_resource(dev->bus, res, ®ion);
- pci_info(dev, "legacy IDE quirk: reg 0x10: %pR\n",
+ pci_info(dev, "BAR 0 %pR: legacy IDE quirk\n",
res);
region.start = 0x3F6;
region.end = 0x3F6;
res = &dev->resource[1];
res->flags = LEGACY_IO_RESOURCE;
pcibios_bus_to_resource(dev->bus, res, ®ion);
- pci_info(dev, "legacy IDE quirk: reg 0x14: %pR\n",
+ pci_info(dev, "BAR 1 %pR: legacy IDE quirk\n",
res);
}
if ((progif & 4) == 0) {
@@ -1964,14 +1964,14 @@ int pci_setup_device(struct pci_dev *dev)
res = &dev->resource[2];
res->flags = LEGACY_IO_RESOURCE;
pcibios_bus_to_resource(dev->bus, res, ®ion);
- pci_info(dev, "legacy IDE quirk: reg 0x18: %pR\n",
+ pci_info(dev, "BAR 2 %pR: legacy IDE quirk\n",
res);
region.start = 0x376;
region.end = 0x376;
res = &dev->resource[3];
res->flags = LEGACY_IO_RESOURCE;
pcibios_bus_to_resource(dev->bus, res, ®ion);
- pci_info(dev, "legacy IDE quirk: reg 0x1c: %pR\n",
+ pci_info(dev, "BAR 3 %pR: legacy IDE quirk\n",
res);
}
}
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
index ce57d59a047e4..9a325e1128ed6 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -475,13 +475,14 @@ static void quirk_extend_bar_to_page(struct pci_dev *dev)
for (i = 0; i < PCI_STD_NUM_BARS; i++) {
struct resource *r = &dev->resource[i];
+ const char *r_name = pci_resource_name(dev, i);
if (r->flags & IORESOURCE_MEM && resource_size(r) < PAGE_SIZE) {
r->end = PAGE_SIZE - 1;
r->start = 0;
r->flags |= IORESOURCE_UNSET;
- pci_info(dev, "expanded BAR %d to page size: %pR\n",
- i, r);
+ pci_info(dev, "%s %pR: expanded to page size\n",
+ r_name, r);
}
}
}
@@ -510,6 +511,7 @@ static void quirk_io(struct pci_dev *dev, int pos, unsigned int size,
u32 region;
struct pci_bus_region bus_region;
struct resource *res = dev->resource + pos;
+ const char *res_name = pci_resource_name(dev, pos);
pci_read_config_dword(dev, PCI_BASE_ADDRESS_0 + (pos << 2), ®ion);
@@ -527,8 +529,7 @@ static void quirk_io(struct pci_dev *dev, int pos, unsigned int size,
bus_region.end = region + size - 1;
pcibios_bus_to_resource(dev->bus, res, &bus_region);
- pci_info(dev, FW_BUG "%s quirk: reg 0x%x: %pR\n",
- name, PCI_BASE_ADDRESS_0 + (pos << 2), res);
+ pci_info(dev, FW_BUG "%s %pR: %s quirk\n", res_name, res, name);
}
/*
@@ -575,6 +576,12 @@ static void quirk_io_region(struct pci_dev *dev, int port,
bus_region.end = region + size - 1;
pcibios_bus_to_resource(dev->bus, res, &bus_region);
+ /*
+ * "res" is typically a bridge window resource that's not being
+ * used for a bridge window, so it's just a place to stash this
+ * non-standard resource. Printing "nr" or pci_resource_name() of
+ * it doesn't really make sense.
+ */
if (!pci_claim_resource(dev, nr))
pci_info(dev, "quirk: %pR claimed by %s\n", res, name);
}
diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
index 05cebc39f7642..9c078af9e166b 100644
--- a/drivers/pci/setup-bus.c
+++ b/drivers/pci/setup-bus.c
@@ -213,6 +213,7 @@ static void reassign_resources_sorted(struct list_head *realloc_head,
struct list_head *head)
{
struct resource *res;
+ const char *res_name;
struct pci_dev_resource *add_res, *tmp;
struct pci_dev_resource *dev_res;
resource_size_t add_size, align;
@@ -222,6 +223,7 @@ static void reassign_resources_sorted(struct list_head *realloc_head,
bool found_match = false;
res = add_res->res;
+
/* Skip resource that has been reset */
if (!res->flags)
goto out;
@@ -237,6 +239,7 @@ static void reassign_resources_sorted(struct list_head *realloc_head,
continue;
idx = res - &add_res->dev->resource[0];
+ res_name = pci_resource_name(add_res->dev, idx);
add_size = add_res->add_size;
align = add_res->min_align;
if (!resource_size(res)) {
@@ -249,9 +252,9 @@ static void reassign_resources_sorted(struct list_head *realloc_head,
(IORESOURCE_STARTALIGN|IORESOURCE_SIZEALIGN);
if (pci_reassign_resource(add_res->dev, idx,
add_size, align))
- pci_info(add_res->dev, "failed to add %llx res[%d]=%pR\n",
- (unsigned long long) add_size, idx,
- res);
+ pci_info(add_res->dev, "%s %pR: failed to add %llx\n",
+ res_name, res,
+ (unsigned long long) add_size);
}
out:
list_del(&add_res->list);
@@ -571,6 +574,7 @@ EXPORT_SYMBOL(pci_setup_cardbus);
static void pci_setup_bridge_io(struct pci_dev *bridge)
{
struct resource *res;
+ const char *res_name;
struct pci_bus_region region;
unsigned long io_mask;
u8 io_base_lo, io_limit_lo;
@@ -583,6 +587,7 @@ static void pci_setup_bridge_io(struct pci_dev *bridge)
/* Set up the top and bottom of the PCI I/O segment for this bus */
res = &bridge->resource[PCI_BRIDGE_IO_WINDOW];
+ res_name = pci_resource_name(bridge, PCI_BRIDGE_IO_WINDOW);
pcibios_resource_to_bus(bridge->bus, ®ion, res);
if (res->flags & IORESOURCE_IO) {
pci_read_config_word(bridge, PCI_IO_BASE, &l);
@@ -591,7 +596,7 @@ static void pci_setup_bridge_io(struct pci_dev *bridge)
l = ((u16) io_limit_lo << 8) | io_base_lo;
/* Set up upper 16 bits of I/O base/limit */
io_upper16 = (region.end & 0xffff0000) | (region.start >> 16);
- pci_info(bridge, " bridge window %pR\n", res);
+ pci_info(bridge, " %s %pR\n", res_name, res);
} else {
/* Clear upper 16 bits of I/O base/limit */
io_upper16 = 0;
@@ -608,16 +613,18 @@ static void pci_setup_bridge_io(struct pci_dev *bridge)
static void pci_setup_bridge_mmio(struct pci_dev *bridge)
{
struct resource *res;
+ const char *res_name;
struct pci_bus_region region;
u32 l;
/* Set up the top and bottom of the PCI Memory segment for this bus */
res = &bridge->resource[PCI_BRIDGE_MEM_WINDOW];
+ res_name = pci_resource_name(bridge, PCI_BRIDGE_MEM_WINDOW);
pcibios_resource_to_bus(bridge->bus, ®ion, res);
if (res->flags & IORESOURCE_MEM) {
l = (region.start >> 16) & 0xfff0;
l |= region.end & 0xfff00000;
- pci_info(bridge, " bridge window %pR\n", res);
+ pci_info(bridge, " %s %pR\n", res_name, res);
} else {
l = 0x0000fff0;
}
@@ -627,6 +634,7 @@ static void pci_setup_bridge_mmio(struct pci_dev *bridge)
static void pci_setup_bridge_mmio_pref(struct pci_dev *bridge)
{
struct resource *res;
+ const char *res_name;
struct pci_bus_region region;
u32 l, bu, lu;
@@ -640,6 +648,7 @@ static void pci_setup_bridge_mmio_pref(struct pci_dev *bridge)
/* Set up PREF base/limit */
bu = lu = 0;
res = &bridge->resource[PCI_BRIDGE_PREF_MEM_WINDOW];
+ res_name = pci_resource_name(bridge, PCI_BRIDGE_PREF_MEM_WINDOW);
pcibios_resource_to_bus(bridge->bus, ®ion, res);
if (res->flags & IORESOURCE_PREFETCH) {
l = (region.start >> 16) & 0xfff0;
@@ -648,7 +657,7 @@ static void pci_setup_bridge_mmio_pref(struct pci_dev *bridge)
bu = upper_32_bits(region.start);
lu = upper_32_bits(region.end);
}
- pci_info(bridge, " bridge window %pR\n", res);
+ pci_info(bridge, " %s %pR\n", res_name, res);
} else {
l = 0x0000fff0;
}
@@ -1010,6 +1019,7 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask,
int i;
pci_dev_for_each_resource(dev, r, i) {
+ const char *r_name = pci_resource_name(dev, i);
resource_size_t r_size;
if (r->parent || (r->flags & IORESOURCE_PCI_FIXED) ||
@@ -1040,8 +1050,8 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask,
if (order < 0)
order = 0;
if (order >= ARRAY_SIZE(aligns)) {
- pci_warn(dev, "disabling BAR %d: %pR (bad alignment %#llx)\n",
- i, r, (unsigned long long) align);
+ pci_warn(dev, "%s %pR: disabling; bad alignment %#llx\n",
+ r_name, r, (unsigned long long) align);
r->flags = 0;
continue;
}
@@ -2232,6 +2242,7 @@ int pci_reassign_bridge_resources(struct pci_dev *bridge, unsigned long type)
for (i = PCI_BRIDGE_RESOURCES; i < PCI_BRIDGE_RESOURCE_END;
i++) {
struct resource *res = &bridge->resource[i];
+ const char *res_name = pci_resource_name(bridge, i);
if ((res->flags ^ type) & PCI_RES_TYPE_MASK)
continue;
@@ -2244,8 +2255,7 @@ int pci_reassign_bridge_resources(struct pci_dev *bridge, unsigned long type)
if (ret)
goto cleanup;
- pci_info(bridge, "BAR %d: releasing %pR\n",
- i, res);
+ pci_info(bridge, "%s %pR: releasing\n", res_name, res);
if (res->parent)
release_resource(res);
diff --git a/drivers/pci/setup-res.c b/drivers/pci/setup-res.c
index ceaa69491f5ef..c6d933ddfd464 100644
--- a/drivers/pci/setup-res.c
+++ b/drivers/pci/setup-res.c
@@ -30,6 +30,7 @@ static void pci_std_update_resource(struct pci_dev *dev, int resno)
u32 new, check, mask;
int reg;
struct resource *res = dev->resource + resno;
+ const char *res_name = pci_resource_name(dev, resno);
/* Per SR-IOV spec 3.4.1.11, VF BARs are RO zero */
if (dev->is_virtfn)
@@ -104,8 +105,8 @@ static void pci_std_update_resource(struct pci_dev *dev, int resno)
pci_read_config_dword(dev, reg, &check);
if ((new ^ check) & mask) {
- pci_err(dev, "BAR %d: error updating (%#010x != %#010x)\n",
- resno, new, check);
+ pci_err(dev, "%s: error updating (%#010x != %#010x)\n",
+ res_name, new, check);
}
if (res->flags & IORESOURCE_MEM_64) {
@@ -113,8 +114,8 @@ static void pci_std_update_resource(struct pci_dev *dev, int resno)
pci_write_config_dword(dev, reg + 4, new);
pci_read_config_dword(dev, reg + 4, &check);
if (check != new) {
- pci_err(dev, "BAR %d: error updating (high %#010x != %#010x)\n",
- resno, new, check);
+ pci_err(dev, "%s: error updating (high %#010x != %#010x)\n",
+ res_name, new, check);
}
}
@@ -135,11 +136,12 @@ void pci_update_resource(struct pci_dev *dev, int resno)
int pci_claim_resource(struct pci_dev *dev, int resource)
{
struct resource *res = &dev->resource[resource];
+ const char *res_name = pci_resource_name(dev, resource);
struct resource *root, *conflict;
if (res->flags & IORESOURCE_UNSET) {
- pci_info(dev, "can't claim BAR %d %pR: no address assigned\n",
- resource, res);
+ pci_info(dev, "%s %pR: can't claim; no address assigned\n",
+ res_name, res);
return -EINVAL;
}
@@ -153,16 +155,16 @@ int pci_claim_resource(struct pci_dev *dev, int resource)
root = pci_find_parent_resource(dev, res);
if (!root) {
- pci_info(dev, "can't claim BAR %d %pR: no compatible bridge window\n",
- resource, res);
+ pci_info(dev, "%s %pR: can't claim; no compatible bridge window\n",
+ res_name, res);
res->flags |= IORESOURCE_UNSET;
return -EINVAL;
}
conflict = request_resource_conflict(root, res);
if (conflict) {
- pci_info(dev, "can't claim BAR %d %pR: address conflict with %s %pR\n",
- resource, res, conflict->name, conflict);
+ pci_info(dev, "%s %pR: can't claim; address conflict with %s %pR\n",
+ res_name, res, conflict->name, conflict);
res->flags |= IORESOURCE_UNSET;
return -EBUSY;
}
@@ -201,6 +203,7 @@ static int pci_revert_fw_address(struct resource *res, struct pci_dev *dev,
{
struct resource *root, *conflict;
resource_size_t fw_addr, start, end;
+ const char *res_name = pci_resource_name(dev, resno);
fw_addr = pcibios_retrieve_fw_addr(dev, resno);
if (!fw_addr)
@@ -231,12 +234,11 @@ static int pci_revert_fw_address(struct resource *res, struct pci_dev *dev,
root = &iomem_resource;
}
- pci_info(dev, "BAR %d: trying firmware assignment %pR\n",
- resno, res);
+ pci_info(dev, "%s: trying firmware assignment %pR\n", res_name, res);
conflict = request_resource_conflict(root, res);
if (conflict) {
- pci_info(dev, "BAR %d: %pR conflicts with %s %pR\n",
- resno, res, conflict->name, conflict);
+ pci_info(dev, "%s %pR: conflicts with %s %pR\n", res_name, res,
+ conflict->name, conflict);
res->start = start;
res->end = end;
res->flags |= IORESOURCE_UNSET;
@@ -325,6 +327,7 @@ static int _pci_assign_resource(struct pci_dev *dev, int resno,
int pci_assign_resource(struct pci_dev *dev, int resno)
{
struct resource *res = dev->resource + resno;
+ const char *res_name = pci_resource_name(dev, resno);
resource_size_t align, size;
int ret;
@@ -334,8 +337,8 @@ int pci_assign_resource(struct pci_dev *dev, int resno)
res->flags |= IORESOURCE_UNSET;
align = pci_resource_alignment(dev, res);
if (!align) {
- pci_info(dev, "BAR %d: can't assign %pR (bogus alignment)\n",
- resno, res);
+ pci_info(dev, "%s %pR: can't assign; bogus alignment\n",
+ res_name, res);
return -EINVAL;
}
@@ -348,18 +351,18 @@ int pci_assign_resource(struct pci_dev *dev, int resno)
* working, which is better than just leaving it disabled.
*/
if (ret < 0) {
- pci_info(dev, "BAR %d: no space for %pR\n", resno, res);
+ pci_info(dev, "%s %pR: can't assign; no space\n", res_name, res);
ret = pci_revert_fw_address(res, dev, resno, size);
}
if (ret < 0) {
- pci_info(dev, "BAR %d: failed to assign %pR\n", resno, res);
+ pci_info(dev, "%s %pR: failed to assign\n", res_name, res);
return ret;
}
res->flags &= ~IORESOURCE_UNSET;
res->flags &= ~IORESOURCE_STARTALIGN;
- pci_info(dev, "BAR %d: assigned %pR\n", resno, res);
+ pci_info(dev, "%s %pR: assigned\n", res_name, res);
if (resno < PCI_BRIDGE_RESOURCES)
pci_update_resource(dev, resno);
@@ -367,10 +370,11 @@ int pci_assign_resource(struct pci_dev *dev, int resno)
}
EXPORT_SYMBOL(pci_assign_resource);
-int pci_reassign_resource(struct pci_dev *dev, int resno, resource_size_t addsize,
- resource_size_t min_align)
+int pci_reassign_resource(struct pci_dev *dev, int resno,
+ resource_size_t addsize, resource_size_t min_align)
{
struct resource *res = dev->resource + resno;
+ const char *res_name = pci_resource_name(dev, resno);
unsigned long flags;
resource_size_t new_size;
int ret;
@@ -381,8 +385,8 @@ int pci_reassign_resource(struct pci_dev *dev, int resno, resource_size_t addsiz
flags = res->flags;
res->flags |= IORESOURCE_UNSET;
if (!res->parent) {
- pci_info(dev, "BAR %d: can't reassign an unassigned resource %pR\n",
- resno, res);
+ pci_info(dev, "%s %pR: can't reassign; unassigned resource\n",
+ res_name, res);
return -EINVAL;
}
@@ -391,15 +395,15 @@ int pci_reassign_resource(struct pci_dev *dev, int resno, resource_size_t addsiz
ret = _pci_assign_resource(dev, resno, new_size, min_align);
if (ret) {
res->flags = flags;
- pci_info(dev, "BAR %d: %pR (failed to expand by %#llx)\n",
- resno, res, (unsigned long long) addsize);
+ pci_info(dev, "%s %pR: failed to expand by %#llx\n",
+ res_name, res, (unsigned long long) addsize);
return ret;
}
res->flags &= ~IORESOURCE_UNSET;
res->flags &= ~IORESOURCE_STARTALIGN;
- pci_info(dev, "BAR %d: reassigned %pR (expanded by %#llx)\n",
- resno, res, (unsigned long long) addsize);
+ pci_info(dev, "%s %pR: reassigned; expanded by %#llx\n",
+ res_name, res, (unsigned long long) addsize);
if (resno < PCI_BRIDGE_RESOURCES)
pci_update_resource(dev, resno);
@@ -409,8 +413,9 @@ int pci_reassign_resource(struct pci_dev *dev, int resno, resource_size_t addsiz
void pci_release_resource(struct pci_dev *dev, int resno)
{
struct resource *res = dev->resource + resno;
+ const char *res_name = pci_resource_name(dev, resno);
- pci_info(dev, "BAR %d: releasing %pR\n", resno, res);
+ pci_info(dev, "%s %pR: releasing\n", res_name, res);
if (!res->parent)
return;
@@ -480,6 +485,7 @@ int pci_enable_resources(struct pci_dev *dev, int mask)
u16 cmd, old_cmd;
int i;
struct resource *r;
+ const char *r_name;
pci_read_config_word(dev, PCI_COMMAND, &cmd);
old_cmd = cmd;
@@ -488,6 +494,8 @@ int pci_enable_resources(struct pci_dev *dev, int mask)
if (!(mask & (1 << i)))
continue;
+ r_name = pci_resource_name(dev, i);
+
if (!(r->flags & (IORESOURCE_IO | IORESOURCE_MEM)))
continue;
if ((i == PCI_ROM_RESOURCE) &&
@@ -495,14 +503,14 @@ int pci_enable_resources(struct pci_dev *dev, int mask)
continue;
if (r->flags & IORESOURCE_UNSET) {
- pci_err(dev, "can't enable device: BAR %d %pR not assigned\n",
- i, r);
+ pci_err(dev, "%s %pR: not assigned; can't enable device\n",
+ r_name, r);
return -EINVAL;
}
if (!r->parent) {
- pci_err(dev, "can't enable device: BAR %d %pR not claimed\n",
- i, r);
+ pci_err(dev, "%s %pR: not claimed; can't enable device\n",
+ r_name, r);
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 010/460] ASoC: cs42l43: Report insert for exotic peripherals
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 009/460] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 011/460] scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() Greg Kroah-Hartman
` (292 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Charles Keepax, Mark Brown,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Keepax <ckeepax@opensource.cirrus.com>
[ Upstream commit 6510e1324bcdc8caf21f6d17efe27604c48f0d64 ]
For some exotic peripherals the type detect can return a reserved value
of 0x4. This will currently return an error and not report anything to
user-space, update this to report the insert normally.
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20260223093616.3800350-1-ckeepax@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/cs42l43-jack.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/soc/codecs/cs42l43-jack.c b/sound/soc/codecs/cs42l43-jack.c
index aa0062f3aa918..3a61f222d85fe 100644
--- a/sound/soc/codecs/cs42l43-jack.c
+++ b/sound/soc/codecs/cs42l43-jack.c
@@ -711,6 +711,7 @@ static int cs42l43_run_type_detect(struct cs42l43_codec *priv)
switch (type & CS42L43_HSDET_TYPE_STS_MASK) {
case 0x0: // CTIA
case 0x1: // OMTP
+ case 0x4:
return cs42l43_run_load_detect(priv, true);
case 0x2: // 3-pole
return cs42l43_run_load_detect(priv, false);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 086/567] drm/amdgpu: keep vga memory on MacBooks with switchable graphics
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 085/567] drm/amd: Drop special case for yellow carp without discovery Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 087/567] eventpoll: Fix integer overflow in ep_loop_check_proc() Greg Kroah-Hartman
` (291 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Kleiner, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit 096bb75e13cc508d3915b7604e356bcb12b17766 ]
On Intel MacBookPros with switchable graphics, when the iGPU
is enabled, the address of VRAM gets put at 0 in the dGPU's
virtual address space. This is non-standard and seems to cause
issues with the cursor if it ends up at 0. We have the framework
to reserve memory at 0 in the address space, so enable it here if
the vram start address is 0.
Reviewed-and-tested-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4302
Cc: stable@vger.kernel.org
Cc: Mario Kleiner <mario.kleiner.de@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
index 7d120d4175499..8cb192636368f 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
@@ -728,6 +728,16 @@ void amdgpu_gmc_get_vbios_allocations(struct amdgpu_device *adev)
case CHIP_RENOIR:
adev->mman.keep_stolen_vga_memory = true;
break;
+ case CHIP_POLARIS10:
+ case CHIP_POLARIS11:
+ case CHIP_POLARIS12:
+ /* MacBookPros with switchable graphics put VRAM at 0 when
+ * the iGPU is enabled which results in cursor issues if
+ * the cursor ends up at 0. Reserve vram at 0 in that case.
+ */
+ if (adev->gmc.vram_start == 0)
+ adev->mman.keep_stolen_vga_memory = true;
+ break;
default:
adev->mman.keep_stolen_vga_memory = false;
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 024/481] resource: Add resource set range and size helpers
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 023/481] PCI: Use resource names in PCI log messages Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 025/481] PCI: Use resource_set_range() that correctly sets ->end Greg Kroah-Hartman
` (291 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Bjorn Helgaas,
Jonathan Cameron, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ Upstream commit 9fb6fef0fb49124291837af1da5028f79d53f98e ]
Setting the end address for a resource with a given size lacks a helper and
is therefore coded manually unlike the getter side which has a helper for
resource size calculation. Also, almost all callsites that calculate the
end address for a resource also set the start address right before it like
this:
res->start = start_addr;
res->end = res->start + size - 1;
Add resource_set_range(res, start_addr, size) that sets the start address
and calculates the end address to simplify this often repeated fragment.
Also add resource_set_size() for the cases where setting the start address
of the resource is not necessary but mention in its kerneldoc that
resource_set_range() is preferred when setting both addresses.
Link: https://lore.kernel.org/r/20240614100606.15830-2-ilpo.jarvinen@linux.intel.com
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 11721c45a826 ("PCI: Use resource_set_range() that correctly sets ->end")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/ioport.h | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/include/linux/ioport.h b/include/linux/ioport.h
index 4ae3c541ea6f4..a81579821b673 100644
--- a/include/linux/ioport.h
+++ b/include/linux/ioport.h
@@ -216,6 +216,38 @@ struct resource *lookup_resource(struct resource *root, resource_size_t start);
int adjust_resource(struct resource *res, resource_size_t start,
resource_size_t size);
resource_size_t resource_alignment(struct resource *res);
+
+/**
+ * resource_set_size - Calculate resource end address from size and start
+ * @res: Resource descriptor
+ * @size: Size of the resource
+ *
+ * Calculate the end address for @res based on @size.
+ *
+ * Note: The start address of @res must be set when calling this function.
+ * Prefer resource_set_range() if setting both the start address and @size.
+ */
+static inline void resource_set_size(struct resource *res, resource_size_t size)
+{
+ res->end = res->start + size - 1;
+}
+
+/**
+ * resource_set_range - Set resource start and end addresses
+ * @res: Resource descriptor
+ * @start: Start address for the resource
+ * @size: Size of the resource
+ *
+ * Set @res start address and calculate the end address based on @size.
+ */
+static inline void resource_set_range(struct resource *res,
+ resource_size_t start,
+ resource_size_t size)
+{
+ res->start = start;
+ resource_set_size(res, size);
+}
+
static inline resource_size_t resource_size(const struct resource *res)
{
return res->end - res->start + 1;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 011/460] scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 010/460] ASoC: cs42l43: Report insert for exotic peripherals Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 012/460] scsi: ufs: core: Fix shift out of bounds when MAXQ=32 Greg Kroah-Hartman
` (291 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Wang, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Wang <peter.wang@mediatek.com>
[ Upstream commit 30df81f2228d65bddf492db3929d9fcaffd38fc5 ]
The kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL
pointer dereference when accessing hwq->id. This can happen if
ufshcd_mcq_req_to_hwq() returns NULL.
This patch adds a NULL check for hwq before accessing its id field to
prevent a kernel crash.
Kernel log excerpt:
[<ffffffd5d192dc4c>] notify_die+0x4c/0x8c
[<ffffffd5d1814e58>] __die+0x60/0xb0
[<ffffffd5d1814d64>] die+0x4c/0xe0
[<ffffffd5d181575c>] die_kernel_fault+0x74/0x88
[<ffffffd5d1864db4>] __do_kernel_fault+0x314/0x318
[<ffffffd5d2a3cdf8>] do_page_fault+0xa4/0x5f8
[<ffffffd5d2a3cd34>] do_translation_fault+0x34/0x54
[<ffffffd5d1864524>] do_mem_abort+0x50/0xa8
[<ffffffd5d2a297dc>] el1_abort+0x3c/0x64
[<ffffffd5d2a29718>] el1h_64_sync_handler+0x44/0xcc
[<ffffffd5d181133c>] el1h_64_sync+0x80/0x88
[<ffffffd5d255c1dc>] ufshcd_add_command_trace+0x23c/0x320
[<ffffffd5d255bad8>] ufshcd_compl_one_cqe+0xa4/0x404
[<ffffffd5d2572968>] ufshcd_mcq_poll_cqe_lock+0xac/0x104
[<ffffffd5d11c7460>] ufs_mtk_mcq_intr+0x54/0x74 [ufs_mediatek_mod]
[<ffffffd5d19ab92c>] __handle_irq_event_percpu+0xc8/0x348
[<ffffffd5d19abca8>] handle_irq_event+0x3c/0xa8
[<ffffffd5d19b1f0c>] handle_fasteoi_irq+0xf8/0x294
[<ffffffd5d19aa778>] generic_handle_domain_irq+0x54/0x80
[<ffffffd5d18102bc>] gic_handle_irq+0x1d4/0x330
[<ffffffd5d1838210>] call_on_irq_stack+0x44/0x68
[<ffffffd5d183af30>] do_interrupt_handler+0x78/0xd8
[<ffffffd5d2a29c00>] el1_interrupt+0x48/0xa8
[<ffffffd5d2a29ba8>] el1h_64_irq_handler+0x14/0x24
[<ffffffd5d18113c4>] el1h_64_irq+0x80/0x88
[<ffffffd5d2527fb4>] arch_local_irq_enable+0x4/0x1c
[<ffffffd5d25282e4>] cpuidle_enter+0x34/0x54
[<ffffffd5d195a678>] do_idle+0x1dc/0x2f8
[<ffffffd5d195a7c4>] cpu_startup_entry+0x30/0x3c
[<ffffffd5d18155c4>] secondary_start_kernel+0x134/0x1ac
[<ffffffd5d18640bc>] __secondary_switched+0xc4/0xcc
Signed-off-by: Peter Wang <peter.wang@mediatek.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260223065657.2432447-1-peter.wang@mediatek.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index ad5866149e240..726bf4247f1fe 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -483,8 +483,8 @@ static void ufshcd_add_command_trace(struct ufs_hba *hba, unsigned int tag,
if (hba->mcq_enabled) {
struct ufs_hw_queue *hwq = ufshcd_mcq_req_to_hwq(hba, rq);
-
- hwq_id = hwq->id;
+ if (hwq)
+ hwq_id = hwq->id;
} else {
doorbell = ufshcd_readl(hba, REG_UTP_TRANSFER_REQ_DOOR_BELL);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 087/567] eventpoll: Fix integer overflow in ep_loop_check_proc()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 086/567] drm/amdgpu: keep vga memory on MacBooks with switchable graphics Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 088/567] media: dvb-core: fix wrong reinitialization of ringbuffer on reopen Greg Kroah-Hartman
` (290 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Jann Horn,
Christian Brauner
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit fdcfce93073d990ed4b71752e31ad1c1d6e9d58b upstream.
If a recursive call to ep_loop_check_proc() hits the `result = INT_MAX`,
an integer overflow will occur in the calling ep_loop_check_proc() at
`result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1)`,
breaking the recursion depth check.
Fix it by using a different placeholder value that can't lead to an
overflow.
Reported-by: Guenter Roeck <linux@roeck-us.net>
Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://patch.msgid.link/20260223-epoll-int-overflow-v1-1-452f35132224@google.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/eventpoll.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1907,7 +1907,8 @@ static int ep_poll(struct eventpoll *ep,
* @ep: the &struct eventpoll to be currently checked.
* @depth: Current depth of the path being checked.
*
- * Return: depth of the subtree, or INT_MAX if we found a loop or went too deep.
+ * Return: depth of the subtree, or a value bigger than EP_MAX_NESTS if we found
+ * a loop or went too deep.
*/
static int ep_loop_check_proc(struct eventpoll *ep, int depth)
{
@@ -1926,7 +1927,7 @@ static int ep_loop_check_proc(struct eve
struct eventpoll *ep_tovisit;
ep_tovisit = epi->ffd.file->private_data;
if (ep_tovisit == inserting_into || depth > EP_MAX_NESTS)
- result = INT_MAX;
+ result = EP_MAX_NESTS+1;
else
result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1);
if (result > EP_MAX_NESTS)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 025/481] PCI: Use resource_set_range() that correctly sets ->end
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 024/481] resource: Add resource set range and size helpers Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 026/481] KVM: x86/pmu: Provide "error" semantics for unsupported-but-known PMU MSRs Greg Kroah-Hartman
` (290 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Bjorn Helgaas,
Andy Shevchenko, Christian Marangi, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ Upstream commit 11721c45a8266a9d0c9684153d20e37159465f96 ]
__pci_read_base() sets resource start and end addresses when resource
is larger than 4G but pci_bus_addr_t or resource_size_t are not capable
of representing 64-bit PCI addresses. This creates a problematic
resource that has non-zero flags but the start and end addresses do not
yield to resource size of 0 but 1.
Replace custom resource addresses setup with resource_set_range()
that correctly sets end address as -1 which results in resource_size()
returning 0.
For consistency, also use resource_set_range() in the other branch that
does size based resource setup.
Fixes: 23b13bc76f35 ("PCI: Fail safely if we can't handle BARs larger than 4GB")
Link: https://lore.kernel.org/all/20251207215359.28895-1-ansuelsmth@gmail.com/T/#m990492684913c5a158ff0e5fc90697d8ad95351b
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: stable@vger.kernel.org
Cc: Christian Marangi <ansuelsmth@gmail.com>
Link: https://patch.msgid.link/20251208145654.5294-1-ilpo.jarvinen@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/probe.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 8f99607e0a526..02f3fbe78c46f 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -264,8 +264,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
if ((sizeof(pci_bus_addr_t) < 8 || sizeof(resource_size_t) < 8)
&& sz64 > 0x100000000ULL) {
res->flags |= IORESOURCE_UNSET | IORESOURCE_DISABLED;
- res->start = 0;
- res->end = 0;
+ resource_set_range(res, 0, 0);
pci_err(dev, "%s: can't handle BAR larger than 4GB (size %#010llx)\n",
res_name, (unsigned long long)sz64);
goto out;
@@ -274,8 +273,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
if ((sizeof(pci_bus_addr_t) < 8) && l) {
/* Above 32-bit boundary; try to reallocate */
res->flags |= IORESOURCE_UNSET;
- res->start = 0;
- res->end = sz64 - 1;
+ resource_set_range(res, 0, sz64);
pci_info(dev, "%s: can't handle BAR above 4GB (bus address %#010llx)\n",
res_name, (unsigned long long)l64);
goto out;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 012/460] scsi: ufs: core: Fix shift out of bounds when MAXQ=32
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 011/460] scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 013/460] ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0 Greg Kroah-Hartman
` (290 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, wangshuaiwei, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: wangshuaiwei <wangshuaiwei1@xiaomi.com>
[ Upstream commit 2f38fd99c0004676d835ae96ac4f3b54edc02c82 ]
According to JESD223F, the maximum number of queues (MAXQ) is 32. When MCQ
is enabled and ESI is disabled, nr_hw_queues=32 causes a shift overflow
problem.
Fix this by using 64-bit intermediate values to handle the nr_hw_queues=32
case safely.
Signed-off-by: wangshuaiwei <wangshuaiwei1@xiaomi.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260224063228.50112-1-wangshuaiwei1@xiaomi.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 726bf4247f1fe..ea6e7c18e35cd 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -6974,7 +6974,7 @@ static irqreturn_t ufshcd_handle_mcq_cq_events(struct ufs_hba *hba)
ret = ufshcd_vops_get_outstanding_cqs(hba, &outstanding_cqs);
if (ret)
- outstanding_cqs = (1U << hba->nr_hw_queues) - 1;
+ outstanding_cqs = (1ULL << hba->nr_hw_queues) - 1;
/* Exclude the poll queues */
nr_queues = hba->nr_hw_queues - hba->nr_queues[HCTX_TYPE_POLL];
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 088/567] media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 087/567] eventpoll: Fix integer overflow in ep_loop_check_proc() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 089/567] nfc: pn533: properly drop the usb interface reference on disconnect Greg Kroah-Hartman
` (289 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ab12f0c08dd7ab8d057c,
Jens Axboe, Linus Torvalds
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
commit bfbc0b5b32a8f28ce284add619bf226716a59bc0 upstream.
dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the
DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which
reinitializes the waitqueue list head to empty.
Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the
same DVR device share it), this orphans any existing waitqueue entries
from io_uring poll or epoll, leaving them with stale prev/next pointers
while the list head is reset to {self, self}.
The waitqueue and spinlock in dvr_buffer are already properly
initialized once in dvb_dmxdev_init(). The open path only needs to
reset the buffer data pointer, size, and read/write positions.
Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct
assignment of data/size and a call to dvb_ringbuffer_reset(), which
properly resets pread, pwrite, and error with correct memory ordering
without touching the waitqueue or spinlock.
Cc: stable@vger.kernel.org
Fixes: 34731df288a5f ("V4L/DVB (3501): Dmxdev: use dvb_ringbuffer")
Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
Tested-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/698a26d3.050a0220.3b3015.007d.GAE@google.com/
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/dvb-core/dmxdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -168,7 +168,9 @@ static int dvb_dvr_open(struct inode *in
mutex_unlock(&dmxdev->mutex);
return -ENOMEM;
}
- dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);
+ dmxdev->dvr_buffer.data = mem;
+ dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE;
+ dvb_ringbuffer_reset(&dmxdev->dvr_buffer);
if (dmxdev->may_do_mmap)
dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr",
file->f_flags & O_NONBLOCK);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 026/481] KVM: x86/pmu: Provide "error" semantics for unsupported-but-known PMU MSRs
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 025/481] PCI: Use resource_set_range() that correctly sets ->end Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 027/481] KVM: x86: Fix KVM_GET_MSRS stack info leak Greg Kroah-Hartman
` (289 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 2de154f541fc5b9f2aed3fe06e218130718ce320 ]
Provide "error" semantics (read zeros, drop writes) for userspace accesses
to MSRs that are ultimately unsupported for whatever reason, but for which
KVM told userspace to save and restore the MSR, i.e. for MSRs that KVM
included in KVM_GET_MSR_INDEX_LIST.
Previously, KVM special cased a few PMU MSRs that were problematic at one
point or another. Extend the treatment to all PMU MSRs, e.g. to avoid
spurious unsupported accesses.
Note, the logic can also be used for non-PMU MSRs, but as of today only
PMU MSRs can end up being unsupported after KVM told userspace to save and
restore them.
Link: https://lore.kernel.org/r/20230124234905.3774678-7-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Stable-dep-of: 5bb9ac186512 ("KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/x86.c | 51 ++++++++++++++++++++++++++--------------------
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 2253c51e33e36..0b8ec5886d44f 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3576,6 +3576,18 @@ static void record_steal_time(struct kvm_vcpu *vcpu)
mark_page_dirty_in_slot(vcpu->kvm, ghc->memslot, gpa_to_gfn(ghc->gpa));
}
+static bool kvm_is_msr_to_save(u32 msr_index)
+{
+ unsigned int i;
+
+ for (i = 0; i < num_msrs_to_save; i++) {
+ if (msrs_to_save[i] == msr_index)
+ return true;
+ }
+
+ return false;
+}
+
int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
{
u32 msr = msr_info->index;
@@ -3896,20 +3908,18 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
vcpu->arch.guest_fpu.xfd_err = data;
break;
#endif
- case MSR_IA32_PEBS_ENABLE:
- case MSR_IA32_DS_AREA:
- case MSR_PEBS_DATA_CFG:
- case MSR_F15H_PERF_CTL0 ... MSR_F15H_PERF_CTR5:
+ default:
if (kvm_pmu_is_valid_msr(vcpu, msr))
return kvm_pmu_set_msr(vcpu, msr_info);
+
/*
* Userspace is allowed to write '0' to MSRs that KVM reports
* as to-be-saved, even if an MSRs isn't fully supported.
*/
- return !msr_info->host_initiated || data;
- default:
- if (kvm_pmu_is_valid_msr(vcpu, msr))
- return kvm_pmu_set_msr(vcpu, msr_info);
+ if (msr_info->host_initiated && !data &&
+ kvm_is_msr_to_save(msr))
+ break;
+
return KVM_MSR_RET_INVALID;
}
return 0;
@@ -4000,20 +4010,6 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
case MSR_DRAM_ENERGY_STATUS: /* DRAM controller */
msr_info->data = 0;
break;
- case MSR_IA32_PEBS_ENABLE:
- case MSR_IA32_DS_AREA:
- case MSR_PEBS_DATA_CFG:
- case MSR_F15H_PERF_CTL0 ... MSR_F15H_PERF_CTR5:
- if (kvm_pmu_is_valid_msr(vcpu, msr_info->index))
- return kvm_pmu_get_msr(vcpu, msr_info);
- /*
- * Userspace is allowed to read MSRs that KVM reports as
- * to-be-saved, even if an MSR isn't fully supported.
- */
- if (!msr_info->host_initiated)
- return 1;
- msr_info->data = 0;
- break;
case MSR_K7_EVNTSEL0 ... MSR_K7_EVNTSEL3:
case MSR_K7_PERFCTR0 ... MSR_K7_PERFCTR3:
case MSR_P6_PERFCTR0 ... MSR_P6_PERFCTR1:
@@ -4268,6 +4264,17 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
default:
if (kvm_pmu_is_valid_msr(vcpu, msr_info->index))
return kvm_pmu_get_msr(vcpu, msr_info);
+
+ /*
+ * Userspace is allowed to read MSRs that KVM reports as
+ * to-be-saved, even if an MSR isn't fully supported.
+ */
+ if (msr_info->host_initiated &&
+ kvm_is_msr_to_save(msr_info->index)) {
+ msr_info->data = 0;
+ break;
+ }
+
return KVM_MSR_RET_INVALID;
}
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 013/460] ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 012/460] scsi: ufs: core: Fix shift out of bounds when MAXQ=32 Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 014/460] drm/amdgpu/vcn5: Add SMU dpm interface type Greg Kroah-Hartman
` (289 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit c5bf24c8aba1ff711226ee0f039ff01a5754692b ]
Although DIYINHK USB Audio 2.0 (ID 20b1:2009) shows the implicit
feedback source for the capture stream, this would cause several
problems for the playback. Namely, the device can get wMaxPackSize
1024 for 24/32 bit format with 6 channels, and when a high sample rate
like 352.8kHz or 384kHz is played, the packet size overflows the max
limit. Also, the device has another two playback altsets, and those
aren't properly handled with the implicit feedback.
Since the device has been working well even before introducing the
implicit feedback, we can assume that it works fine in the async mode.
This patch adds the explicit skip of the implicit fb detection to make
the playback running in the async mode.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221076
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260225085233.316306-4-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 41752b8197463..5c3a97ea46e04 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2351,6 +2351,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER),
DEVICE_FLG(0x2040, 0x7281, /* Hauppauge HVR-950Q-MXL */
QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER),
+ DEVICE_FLG(0x20b1, 0x2009, /* XMOS Ltd DIYINHK USB Audio 2.0 */
+ QUIRK_FLAG_SKIP_IMPLICIT_FB | QUIRK_FLAG_DSD_RAW),
DEVICE_FLG(0x2040, 0x8200, /* Hauppauge Woodbury */
QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER),
DEVICE_FLG(0x21b4, 0x0081, /* AudioQuest DragonFly */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 089/567] nfc: pn533: properly drop the usb interface reference on disconnect
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 088/567] media: dvb-core: fix wrong reinitialization of ringbuffer on reopen Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 090/567] net: usb: kaweth: validate USB endpoints Greg Kroah-Hartman
` (288 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Simon Horman, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 12133a483dfa832241fbbf09321109a0ea8a520e upstream.
When the device is disconnected from the driver, there is a "dangling"
reference count on the usb interface that was grabbed in the probe
callback. Fix this up by properly dropping the reference after we are
done with it.
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Fixes: c46ee38620a2 ("NFC: pn533: add NXP pn533 nfc device driver")
Link: https://patch.msgid.link/2026022329-flashing-ought-7573@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nfc/pn533/usb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/nfc/pn533/usb.c
+++ b/drivers/nfc/pn533/usb.c
@@ -629,6 +629,7 @@ static void pn533_usb_disconnect(struct
usb_free_urb(phy->out_urb);
usb_free_urb(phy->ack_urb);
kfree(phy->ack_buffer);
+ usb_put_dev(phy->udev);
nfc_info(&interface->dev, "NXP PN533 NFC device disconnected\n");
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 027/481] KVM: x86: Fix KVM_GET_MSRS stack info leak
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 026/481] KVM: x86/pmu: Provide "error" semantics for unsupported-but-known PMU MSRs Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 028/481] KVM: x86: Rename KVM_MSR_RET_INVALID to KVM_MSR_RET_UNSUPPORTED Greg Kroah-Hartman
` (288 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathias Krause, Xiaoyao Li,
Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@grsecurity.net>
[ Upstream commit 3376ca3f1a2075eaa23c5576c47d04d7e8a4adda ]
Commit 6abe9c1386e5 ("KVM: X86: Move ignore_msrs handling upper the
stack") changed the 'ignore_msrs' handling, including sanitizing return
values to the caller. This was fine until commit 12bc2132b15e ("KVM:
X86: Do the same ignore_msrs check for feature msrs") which allowed
non-existing feature MSRs to be ignored, i.e. to not generate an error
on the ioctl() level. It even tried to preserve the sanitization of the
return value. However, the logic is flawed, as '*data' will be
overwritten again with the uninitialized stack value of msr.data.
Fix this by simplifying the logic and always initializing msr.data,
vanishing the need for an additional error exit path.
Fixes: 12bc2132b15e ("KVM: X86: Do the same ignore_msrs check for feature msrs")
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20240203124522.592778-2-minipli@grsecurity.net
Signed-off-by: Sean Christopherson <seanjc@google.com>
Stable-dep-of: 5bb9ac186512 ("KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/x86.c | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 0b8ec5886d44f..80daa1ef956fa 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1713,22 +1713,17 @@ static int do_get_msr_feature(struct kvm_vcpu *vcpu, unsigned index, u64 *data)
struct kvm_msr_entry msr;
int r;
+ /* Unconditionally clear the output for simplicity */
+ msr.data = 0;
msr.index = index;
r = kvm_get_msr_feature(&msr);
- if (r == KVM_MSR_RET_INVALID) {
- /* Unconditionally clear the output for simplicity */
- *data = 0;
- if (kvm_msr_ignored_check(index, 0, false))
- r = 0;
- }
-
- if (r)
- return r;
+ if (r == KVM_MSR_RET_INVALID && kvm_msr_ignored_check(index, 0, false))
+ r = 0;
*data = msr.data;
- return 0;
+ return r;
}
static bool __kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 014/460] drm/amdgpu/vcn5: Add SMU dpm interface type
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 013/460] ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0 Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 015/460] ALSA: usb-audio: Check max frame size for implicit feedback mode, too Greg Kroah-Hartman
` (288 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, sguttula, Pratik Vishwakarma,
Alex Deucher, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: sguttula <suresh.guttula@amd.com>
[ Upstream commit a5fe1a54513196e4bc8f9170006057dc31e7155e ]
This will set AMDGPU_VCN_SMU_DPM_INTERFACE_* smu_type
based on soc type and fixing ring timeout issue seen
for DPM enabled case.
Signed-off-by: sguttula <suresh.guttula@amd.com>
Reviewed-by: Pratik Vishwakarma <Pratik.Vishwakarma@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit f0f23c315b38c55e8ce9484cf59b65811f350630)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c
index a359d612182dd..3aa715830fbe8 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c
@@ -166,6 +166,10 @@ static int vcn_v5_0_0_sw_init(void *handle)
fw_shared->present_flag_0 = cpu_to_le32(AMDGPU_FW_SHARED_FLAG_0_UNIFIED_QUEUE);
fw_shared->sq.is_enabled = 1;
+ fw_shared->present_flag_0 |= cpu_to_le32(AMDGPU_VCN_SMU_DPM_INTERFACE_FLAG);
+ fw_shared->smu_dpm_interface.smu_interface_type = (adev->flags & AMD_IS_APU) ?
+ AMDGPU_VCN_SMU_DPM_INTERFACE_APU : AMDGPU_VCN_SMU_DPM_INTERFACE_DGPU;
+
if (amdgpu_vcnfw_log)
amdgpu_vcn_fwlog_init(&adev->vcn.inst[i]);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 090/567] net: usb: kaweth: validate USB endpoints
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 089/567] nfc: pn533: properly drop the usb interface reference on disconnect Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 091/567] net: usb: kalmia: " Greg Kroah-Hartman
` (287 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Simon Horman, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4b063c002ca759d1b299988ee23f564c9609c875 upstream.
The kaweth driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it. If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Link: https://patch.msgid.link/2026022305-substance-virtual-c728@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/kaweth.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/drivers/net/usb/kaweth.c
+++ b/drivers/net/usb/kaweth.c
@@ -883,6 +883,13 @@ static int kaweth_probe(
const eth_addr_t bcast_addr = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
int result = 0;
int rv = -EIO;
+ static const u8 bulk_ep_addr[] = {
+ 1 | USB_DIR_IN,
+ 2 | USB_DIR_OUT,
+ 0};
+ static const u8 int_ep_addr[] = {
+ 3 | USB_DIR_IN,
+ 0};
dev_dbg(dev,
"Kawasaki Device Probe (Device number:%d): 0x%4.4x:0x%4.4x:0x%4.4x\n",
@@ -896,6 +903,12 @@ static int kaweth_probe(
(int)udev->descriptor.bLength,
(int)udev->descriptor.bDescriptorType);
+ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) ||
+ !usb_check_int_endpoints(intf, int_ep_addr)) {
+ dev_err(dev, "couldn't find required endpoints\n");
+ return -ENODEV;
+ }
+
netdev = alloc_etherdev(sizeof(*kaweth));
if (!netdev)
return -ENOMEM;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 028/481] KVM: x86: Rename KVM_MSR_RET_INVALID to KVM_MSR_RET_UNSUPPORTED
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 027/481] KVM: x86: Fix KVM_GET_MSRS stack info leak Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 029/481] KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR Greg Kroah-Hartman
` (287 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit aaecae7b6a2b19a874a7df0d474f44f3a5b5a74e ]
Rename the "INVALID" internal MSR error return code to "UNSUPPORTED" to
try and make it more clear that access was denied because the MSR itself
is unsupported/unknown. "INVALID" is too ambiguous, as it could just as
easily mean the value for WRMSR as invalid.
Avoid UNKNOWN and UNIMPLEMENTED, as the error code is used for MSRs that
_are_ actually implemented by KVM, e.g. if the MSR is unsupported because
an associated feature flag is not present in guest CPUID.
Opportunistically beef up the comments for the internal MSR error codes.
Link: https://lore.kernel.org/r/20240802181935.292540-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Stable-dep-of: 5bb9ac186512 ("KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/svm/svm.c | 2 +-
arch/x86/kvm/vmx/vmx.c | 2 +-
arch/x86/kvm/x86.c | 12 ++++++------
arch/x86/kvm/x86.h | 15 +++++++++++----
4 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index a885fb39a6559..5d7775b869732 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -2735,7 +2735,7 @@ static int svm_get_msr_feature(struct kvm_msr_entry *msr)
msr->data = kvm_caps.supported_perf_cap;
return 0;
default:
- return KVM_MSR_RET_INVALID;
+ return KVM_MSR_RET_UNSUPPORTED;
}
return 0;
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index ebdc86030a7a4..e5d162e97f503 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -1889,7 +1889,7 @@ static int vmx_get_msr_feature(struct kvm_msr_entry *msr)
msr->data = kvm_caps.supported_perf_cap;
return 0;
default:
- return KVM_MSR_RET_INVALID;
+ return KVM_MSR_RET_UNSUPPORTED;
}
}
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 80daa1ef956fa..84e54547ec7d0 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1718,7 +1718,7 @@ static int do_get_msr_feature(struct kvm_vcpu *vcpu, unsigned index, u64 *data)
msr.index = index;
r = kvm_get_msr_feature(&msr);
- if (r == KVM_MSR_RET_INVALID && kvm_msr_ignored_check(index, 0, false))
+ if (r == KVM_MSR_RET_UNSUPPORTED && kvm_msr_ignored_check(index, 0, false))
r = 0;
*data = msr.data;
@@ -1908,7 +1908,7 @@ static int kvm_set_msr_ignored_check(struct kvm_vcpu *vcpu,
{
int ret = __kvm_set_msr(vcpu, index, data, host_initiated);
- if (ret == KVM_MSR_RET_INVALID)
+ if (ret == KVM_MSR_RET_UNSUPPORTED)
if (kvm_msr_ignored_check(index, data, true))
ret = 0;
@@ -1953,7 +1953,7 @@ static int kvm_get_msr_ignored_check(struct kvm_vcpu *vcpu,
{
int ret = __kvm_get_msr(vcpu, index, data, host_initiated);
- if (ret == KVM_MSR_RET_INVALID) {
+ if (ret == KVM_MSR_RET_UNSUPPORTED) {
/* Unconditionally clear *data for simplicity */
*data = 0;
if (kvm_msr_ignored_check(index, 0, false))
@@ -2022,7 +2022,7 @@ static int complete_fast_rdmsr(struct kvm_vcpu *vcpu)
static u64 kvm_msr_reason(int r)
{
switch (r) {
- case KVM_MSR_RET_INVALID:
+ case KVM_MSR_RET_UNSUPPORTED:
return KVM_MSR_EXIT_REASON_UNKNOWN;
case KVM_MSR_RET_FILTERED:
return KVM_MSR_EXIT_REASON_FILTER;
@@ -3915,7 +3915,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
kvm_is_msr_to_save(msr))
break;
- return KVM_MSR_RET_INVALID;
+ return KVM_MSR_RET_UNSUPPORTED;
}
return 0;
}
@@ -4270,7 +4270,7 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
break;
}
- return KVM_MSR_RET_INVALID;
+ return KVM_MSR_RET_UNSUPPORTED;
}
return 0;
}
diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
index f3554bf052016..9bb2f237b0fc0 100644
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -459,11 +459,18 @@ bool kvm_msr_allowed(struct kvm_vcpu *vcpu, u32 index, u32 type);
/*
* Internal error codes that are used to indicate that MSR emulation encountered
- * an error that should result in #GP in the guest, unless userspace
- * handles it.
+ * an error that should result in #GP in the guest, unless userspace handles it.
+ * Note, '1', '0', and negative numbers are off limits, as they are used by KVM
+ * as part of KVM's lightly documented internal KVM_RUN return codes.
+ *
+ * UNSUPPORTED - The MSR isn't supported, either because it is completely
+ * unknown to KVM, or because the MSR should not exist according
+ * to the vCPU model.
+ *
+ * FILTERED - Access to the MSR is denied by a userspace MSR filter.
*/
-#define KVM_MSR_RET_INVALID 2 /* in-kernel MSR emulation #GP condition */
-#define KVM_MSR_RET_FILTERED 3 /* #GP due to userspace MSR filter */
+#define KVM_MSR_RET_UNSUPPORTED 2
+#define KVM_MSR_RET_FILTERED 3
#define __cr4_reserved_bits(__cpu_has, __c) \
({ \
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 015/460] ALSA: usb-audio: Check max frame size for implicit feedback mode, too
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 014/460] drm/amdgpu/vcn5: Add SMU dpm interface type Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 016/460] powerpc/uaccess: Fix inline assembly for clang build on PPC32 Greg Kroah-Hartman
` (287 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 7cb2a5422f5bbdf1cf32eae0eda41000485b9346 ]
When the packet sizes are taken from the capture stream in the
implicit feedback mode, the sizes might be larger than the upper
boundary defined by the descriptor. As already done for other
transfer modes, we have to cap the sizes accordingly at sending,
otherwise this would lead to an error in USB core at submission of
URBs.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221076
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260225085233.316306-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/endpoint.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
index 9d22613f71e24..2616a7efcc212 100644
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -224,6 +224,7 @@ int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep,
packet = ctx->packet_size[idx];
if (packet) {
+ packet = min(packet, ep->maxframesize);
if (avail && packet >= avail)
return -EAGAIN;
return packet;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 091/567] net: usb: kalmia: validate USB endpoints
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 090/567] net: usb: kaweth: validate USB endpoints Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 092/567] net: usb: pegasus: " Greg Kroah-Hartman
` (286 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Simon Horman, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c58b6c29a4c9b8125e8ad3bca0637e00b71e2693 upstream.
The kalmia driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it. If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730")
Link: https://patch.msgid.link/2026022326-shack-headstone-ef6f@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/kalmia.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/net/usb/kalmia.c
+++ b/drivers/net/usb/kalmia.c
@@ -132,11 +132,18 @@ kalmia_bind(struct usbnet *dev, struct u
{
int status;
u8 ethernet_addr[ETH_ALEN];
+ static const u8 ep_addr[] = {
+ 1 | USB_DIR_IN,
+ 2 | USB_DIR_OUT,
+ 0};
/* Don't bind to AT command interface */
if (intf->cur_altsetting->desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC)
return -EINVAL;
+ if (!usb_check_bulk_endpoints(intf, ep_addr))
+ return -ENODEV;
+
dev->in = usb_rcvbulkpipe(dev->udev, 0x81 & USB_ENDPOINT_NUMBER_MASK);
dev->out = usb_sndbulkpipe(dev->udev, 0x02 & USB_ENDPOINT_NUMBER_MASK);
dev->status = NULL;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 029/481] KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 028/481] KVM: x86: Rename KVM_MSR_RET_INVALID to KVM_MSR_RET_UNSUPPORTED Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 030/481] media: tegra-video: Use accessors for pad config try_* fields Greg Kroah-Hartman
` (286 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Mattson, Sean Christopherson,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 5bb9ac1865123356337a389af935d3913ee917ed ]
Return KVM_MSR_RET_UNSUPPORTED instead of '1' (which for all intents and
purposes means "invalid") when rejecting accesses to KVM PV MSRs to adhere
to KVM's ABI of allowing host reads and writes of '0' to MSRs that are
advertised to userspace via KVM_GET_MSR_INDEX_LIST, even if the vCPU model
doesn't support the MSR.
E.g. running a QEMU VM with
-cpu host,-kvmclock,kvm-pv-enforce-cpuid
yields:
qemu: error: failed to set MSR 0x12 to 0x0
qemu: target/i386/kvm/kvm.c:3301: kvm_buf_set_msrs:
Assertion `ret == cpu->kvm_msr_buf->nmsrs' failed.
Fixes: 66570e966dd9 ("kvm: x86: only provide PV features if enabled in guest's CPUID")
Cc: stable@vger.kernel.org
Reviewed-by: Jim Mattson <jmattson@google.com>
Link: https://patch.msgid.link/20251230205948.4094097-1-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/x86.c | 40 ++++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 84e54547ec7d0..b6fdf084fc92a 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3731,47 +3731,47 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
break;
case MSR_KVM_WALL_CLOCK_NEW:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE2))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
vcpu->kvm->arch.wall_clock = data;
kvm_write_wall_clock(vcpu->kvm, data, 0);
break;
case MSR_KVM_WALL_CLOCK:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
vcpu->kvm->arch.wall_clock = data;
kvm_write_wall_clock(vcpu->kvm, data, 0);
break;
case MSR_KVM_SYSTEM_TIME_NEW:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE2))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
kvm_write_system_time(vcpu, data, false, msr_info->host_initiated);
break;
case MSR_KVM_SYSTEM_TIME:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
kvm_write_system_time(vcpu, data, true, msr_info->host_initiated);
break;
case MSR_KVM_ASYNC_PF_EN:
if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
if (kvm_pv_enable_async_pf(vcpu, data))
return 1;
break;
case MSR_KVM_ASYNC_PF_INT:
if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF_INT))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
if (kvm_pv_enable_async_pf_int(vcpu, data))
return 1;
break;
case MSR_KVM_ASYNC_PF_ACK:
if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF_INT))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
if (data & 0x1) {
vcpu->arch.apf.pageready_pending = false;
kvm_check_async_pf_completion(vcpu);
@@ -3779,7 +3779,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
break;
case MSR_KVM_STEAL_TIME:
if (!guest_pv_has(vcpu, KVM_FEATURE_STEAL_TIME))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
if (unlikely(!sched_info_on()))
return 1;
@@ -3797,7 +3797,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
break;
case MSR_KVM_PV_EOI_EN:
if (!guest_pv_has(vcpu, KVM_FEATURE_PV_EOI))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
if (kvm_lapic_set_pv_eoi(vcpu, data, sizeof(u8)))
return 1;
@@ -3805,7 +3805,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
case MSR_KVM_POLL_CONTROL:
if (!guest_pv_has(vcpu, KVM_FEATURE_POLL_CONTROL))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
/* only enable bit supported */
if (data & (-1ULL << 1))
@@ -4108,61 +4108,61 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
break;
case MSR_KVM_WALL_CLOCK:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->kvm->arch.wall_clock;
break;
case MSR_KVM_WALL_CLOCK_NEW:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE2))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->kvm->arch.wall_clock;
break;
case MSR_KVM_SYSTEM_TIME:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->arch.time;
break;
case MSR_KVM_SYSTEM_TIME_NEW:
if (!guest_pv_has(vcpu, KVM_FEATURE_CLOCKSOURCE2))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->arch.time;
break;
case MSR_KVM_ASYNC_PF_EN:
if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->arch.apf.msr_en_val;
break;
case MSR_KVM_ASYNC_PF_INT:
if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF_INT))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->arch.apf.msr_int_val;
break;
case MSR_KVM_ASYNC_PF_ACK:
if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF_INT))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = 0;
break;
case MSR_KVM_STEAL_TIME:
if (!guest_pv_has(vcpu, KVM_FEATURE_STEAL_TIME))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->arch.st.msr_val;
break;
case MSR_KVM_PV_EOI_EN:
if (!guest_pv_has(vcpu, KVM_FEATURE_PV_EOI))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->arch.pv_eoi.msr_val;
break;
case MSR_KVM_POLL_CONTROL:
if (!guest_pv_has(vcpu, KVM_FEATURE_POLL_CONTROL))
- return 1;
+ return KVM_MSR_RET_UNSUPPORTED;
msr_info->data = vcpu->arch.msr_kvm_poll_control;
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 016/460] powerpc/uaccess: Fix inline assembly for clang build on PPC32
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 015/460] ALSA: usb-audio: Check max frame size for implicit feedback mode, too Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 017/460] kexec: Consolidate machine_kexec_mask_interrupts() implementation Greg Kroah-Hartman
` (286 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot,
Christophe Leroy (CS GROUP), Nathan Chancellor,
Madhavan Srinivasan, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
[ Upstream commit 0ee95a1d458630272d0415d0ffa9424fcb606c90 ]
Test robot reports the following error with clang-16.0.6:
In file included from kernel/rseq.c:75:
include/linux/rseq_entry.h:141:3: error: invalid operand for instruction
unsafe_get_user(offset, &ucs->post_commit_offset, efault);
^
include/linux/uaccess.h:608:2: note: expanded from macro 'unsafe_get_user'
arch_unsafe_get_user(x, ptr, local_label); \
^
arch/powerpc/include/asm/uaccess.h:518:2: note: expanded from macro 'arch_unsafe_get_user'
__get_user_size_goto(__gu_val, __gu_addr, sizeof(*(p)), e); \
^
arch/powerpc/include/asm/uaccess.h:284:2: note: expanded from macro '__get_user_size_goto'
__get_user_size_allowed(x, ptr, size, __gus_retval); \
^
arch/powerpc/include/asm/uaccess.h:275:10: note: expanded from macro '__get_user_size_allowed'
case 8: __get_user_asm2(x, (u64 __user *)ptr, retval); break; \
^
arch/powerpc/include/asm/uaccess.h:258:4: note: expanded from macro '__get_user_asm2'
" li %1+1,0\n" \
^
<inline asm>:7:5: note: instantiated into assembly here
li 31+1,0
^
1 error generated.
On PPC32, for 64 bits vars a pair of registers is used. Usually the
lower register in the pair is the high part and the higher register is
the low part. GCC uses r3/r4 ... r11/r12 ... r14/r15 ... r30/r31
In older kernel code inline assembly was using %1 and %1+1 to represent
64 bits values. However here it looks like clang uses r31 as high part,
allthough r32 doesn't exist hence the error.
Allthoug %1+1 should work, most places now use %L1 instead of %1+1, so
let's do the same here.
With that change, the build doesn't fail anymore and a disassembly shows
clang uses r17/r18 and r31/r14 pair when GCC would have used r16/r17 and
r30/r31:
Disassembly of section .fixup:
00000000 <.fixup>:
0: 38 a0 ff f2 li r5,-14
4: 3a 20 00 00 li r17,0
8: 3a 40 00 00 li r18,0
c: 48 00 00 00 b c <.fixup+0xc>
c: R_PPC_REL24 .text+0xbc
10: 38 a0 ff f2 li r5,-14
14: 3b e0 00 00 li r31,0
18: 39 c0 00 00 li r14,0
1c: 48 00 00 00 b 1c <.fixup+0x1c>
1c: R_PPC_REL24 .text+0x144
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202602021825.otcItxGi-lkp@intel.com/
Fixes: c20beffeec3c ("powerpc/uaccess: Use flexible addressing with __put_user()/__get_user()")
Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
Acked-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/8ca3a657a650e497a96bfe7acde2f637dadab344.1770103646.git.chleroy@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/include/asm/uaccess.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
index 3987a5c33558b..929f7050c73a6 100644
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -253,7 +253,7 @@ __gus_failed: \
".section .fixup,\"ax\"\n" \
"4: li %0,%3\n" \
" li %1,0\n" \
- " li %1+1,0\n" \
+ " li %L1,0\n" \
" b 3b\n" \
".previous\n" \
EX_TABLE(1b, 4b) \
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 092/567] net: usb: pegasus: validate USB endpoints
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 091/567] net: usb: kalmia: " Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 093/567] can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message Greg Kroah-Hartman
` (285 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Petko Manolov, stable,
Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 11de1d3ae5565ed22ef1f89d73d8f2d00322c699 upstream.
The pegasus driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it. If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.
Cc: Petko Manolov <petkan@nucleusys.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026022347-legibly-attest-cc5c@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/pegasus.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
--- a/drivers/net/usb/pegasus.c
+++ b/drivers/net/usb/pegasus.c
@@ -815,8 +815,19 @@ static void unlink_all_urbs(pegasus_t *p
static int alloc_urbs(pegasus_t *pegasus)
{
+ static const u8 bulk_ep_addr[] = {
+ 1 | USB_DIR_IN,
+ 2 | USB_DIR_OUT,
+ 0};
+ static const u8 int_ep_addr[] = {
+ 3 | USB_DIR_IN,
+ 0};
int res = -ENOMEM;
+ if (!usb_check_bulk_endpoints(pegasus->intf, bulk_ep_addr) ||
+ !usb_check_int_endpoints(pegasus->intf, int_ep_addr))
+ return -ENODEV;
+
pegasus->rx_urb = usb_alloc_urb(0, GFP_KERNEL);
if (!pegasus->rx_urb) {
return res;
@@ -1171,6 +1182,7 @@ static int pegasus_probe(struct usb_inte
pegasus = netdev_priv(net);
pegasus->dev_index = dev_index;
+ pegasus->intf = intf;
res = alloc_urbs(pegasus);
if (res < 0) {
@@ -1182,7 +1194,6 @@ static int pegasus_probe(struct usb_inte
INIT_DELAYED_WORK(&pegasus->carrier_check, check_carrier);
- pegasus->intf = intf;
pegasus->usb = dev;
pegasus->net = net;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 030/481] media: tegra-video: Use accessors for pad config try_* fields
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 029/481] KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 031/481] media: tegra-video: Fix memory leak in __tegra_channel_try_format() Greg Kroah-Hartman
` (285 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Luca Ceresoli,
Sakari Ailus, Mauro Carvalho Chehab, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
[ Upstream commit 0623979d8352efe18f83c4fad95a2e61df17b3e7 ]
The 'try_*' fields of the v4l2_subdev_pad_config structure are meant to
be accessed through helper functions. Replace direct access with usage
of the v4l2_subdev_get_pad_format(), v4l2_subdev_get_pad_crop() and
v4l2_subdev_get_pad_compose() helpers.
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Stable-dep-of: 43e5302d2233 ("media: tegra-video: Fix memory leak in __tegra_channel_try_format()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/media/tegra-video/vi.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/media/tegra-video/vi.c b/drivers/staging/media/tegra-video/vi.c
index 9d46a36cc0140..e82ab9044ef3b 100644
--- a/drivers/staging/media/tegra-video/vi.c
+++ b/drivers/staging/media/tegra-video/vi.c
@@ -502,6 +502,7 @@ static int __tegra_channel_try_format(struct tegra_vi_channel *chan,
.which = V4L2_SUBDEV_FORMAT_ACTIVE,
.target = V4L2_SEL_TGT_CROP_BOUNDS,
};
+ struct v4l2_rect *try_crop;
int ret;
subdev = tegra_channel_get_remote_source_subdev(chan);
@@ -537,24 +538,25 @@ static int __tegra_channel_try_format(struct tegra_vi_channel *chan,
* Attempt to obtain the format size from subdev.
* If not available, try to get crop boundary from subdev.
*/
+ try_crop = v4l2_subdev_get_pad_crop(subdev, sd_state, 0);
fse.code = fmtinfo->code;
ret = v4l2_subdev_call(subdev, pad, enum_frame_size, sd_state, &fse);
if (ret) {
if (!v4l2_subdev_has_op(subdev, pad, get_selection)) {
- sd_state->pads->try_crop.width = 0;
- sd_state->pads->try_crop.height = 0;
+ try_crop->width = 0;
+ try_crop->height = 0;
} else {
ret = v4l2_subdev_call(subdev, pad, get_selection,
NULL, &sdsel);
if (ret)
return -EINVAL;
- sd_state->pads->try_crop.width = sdsel.r.width;
- sd_state->pads->try_crop.height = sdsel.r.height;
+ try_crop->width = sdsel.r.width;
+ try_crop->height = sdsel.r.height;
}
} else {
- sd_state->pads->try_crop.width = fse.max_width;
- sd_state->pads->try_crop.height = fse.max_height;
+ try_crop->width = fse.max_width;
+ try_crop->height = fse.max_height;
}
ret = v4l2_subdev_call(subdev, pad, set_fmt, sd_state, &fmt);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 017/460] kexec: Consolidate machine_kexec_mask_interrupts() implementation
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 016/460] powerpc/uaccess: Fix inline assembly for clang build on PPC32 Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 018/460] kexec: Include kernel-end even without crashkernel Greg Kroah-Hartman
` (285 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eliav Farber, Thomas Gleixner,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eliav Farber <farbere@amazon.com>
[ Upstream commit bad6722e478f5b17a5ceb039dfb4c680cf2c0b48 ]
Consolidate the machine_kexec_mask_interrupts implementation into a common
function located in a new file: kernel/irq/kexec.c. This removes duplicate
implementations from architecture-specific files in arch/arm, arch/arm64,
arch/powerpc, and arch/riscv, reducing code duplication and improving
maintainability.
The new implementation retains architecture-specific behavior for
CONFIG_GENERIC_IRQ_KEXEC_CLEAR_VM_FORWARD, which was previously implemented
for ARM64. When enabled (currently for ARM64), it clears the active state
of interrupts forwarded to virtual machines (VMs) before handling other
interrupt masking operations.
Signed-off-by: Eliav Farber <farbere@amazon.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/20241204142003.32859-2-farbere@amazon.com
Stable-dep-of: 20197b967a6a ("powerpc/kexec/core: use big-endian types for crash variables")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/kernel/machine_kexec.c | 23 ------------------
arch/arm64/Kconfig | 1 +
arch/arm64/kernel/machine_kexec.c | 31 ------------------------
arch/powerpc/include/asm/kexec.h | 1 -
arch/powerpc/kexec/core.c | 22 -----------------
arch/powerpc/kexec/core_32.c | 1 +
arch/riscv/kernel/machine_kexec.c | 23 ------------------
include/linux/irq.h | 3 +++
kernel/irq/Kconfig | 6 +++++
kernel/irq/Makefile | 2 +-
kernel/irq/kexec.c | 40 +++++++++++++++++++++++++++++++
11 files changed, 52 insertions(+), 101 deletions(-)
create mode 100644 kernel/irq/kexec.c
diff --git a/arch/arm/kernel/machine_kexec.c b/arch/arm/kernel/machine_kexec.c
index 80ceb5bd2680b..dd430477e7c13 100644
--- a/arch/arm/kernel/machine_kexec.c
+++ b/arch/arm/kernel/machine_kexec.c
@@ -127,29 +127,6 @@ void crash_smp_send_stop(void)
cpus_stopped = 1;
}
-static void machine_kexec_mask_interrupts(void)
-{
- unsigned int i;
- struct irq_desc *desc;
-
- for_each_irq_desc(i, desc) {
- struct irq_chip *chip;
-
- chip = irq_desc_get_chip(desc);
- if (!chip)
- continue;
-
- if (chip->irq_eoi && irqd_irq_inprogress(&desc->irq_data))
- chip->irq_eoi(&desc->irq_data);
-
- if (chip->irq_mask)
- chip->irq_mask(&desc->irq_data);
-
- if (chip->irq_disable && !irqd_irq_disabled(&desc->irq_data))
- chip->irq_disable(&desc->irq_data);
- }
-}
-
void machine_crash_shutdown(struct pt_regs *regs)
{
local_irq_disable();
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 0e2902f38e70e..f487c5e21e2f1 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -146,6 +146,7 @@ config ARM64
select GENERIC_IDLE_POLL_SETUP
select GENERIC_IOREMAP
select GENERIC_IRQ_IPI
+ select GENERIC_IRQ_KEXEC_CLEAR_VM_FORWARD
select GENERIC_IRQ_PROBE
select GENERIC_IRQ_SHOW
select GENERIC_IRQ_SHOW_LEVEL
diff --git a/arch/arm64/kernel/machine_kexec.c b/arch/arm64/kernel/machine_kexec.c
index 82e2203d86a31..6f121a0164a48 100644
--- a/arch/arm64/kernel/machine_kexec.c
+++ b/arch/arm64/kernel/machine_kexec.c
@@ -207,37 +207,6 @@ void machine_kexec(struct kimage *kimage)
BUG(); /* Should never get here. */
}
-static void machine_kexec_mask_interrupts(void)
-{
- unsigned int i;
- struct irq_desc *desc;
-
- for_each_irq_desc(i, desc) {
- struct irq_chip *chip;
- int ret;
-
- chip = irq_desc_get_chip(desc);
- if (!chip)
- continue;
-
- /*
- * First try to remove the active state. If this
- * fails, try to EOI the interrupt.
- */
- ret = irq_set_irqchip_state(i, IRQCHIP_STATE_ACTIVE, false);
-
- if (ret && irqd_irq_inprogress(&desc->irq_data) &&
- chip->irq_eoi)
- chip->irq_eoi(&desc->irq_data);
-
- if (chip->irq_mask)
- chip->irq_mask(&desc->irq_data);
-
- if (chip->irq_disable && !irqd_irq_disabled(&desc->irq_data))
- chip->irq_disable(&desc->irq_data);
- }
-}
-
/**
* machine_crash_shutdown - shutdown non-crashing cpus and save registers
*/
diff --git a/arch/powerpc/include/asm/kexec.h b/arch/powerpc/include/asm/kexec.h
index 270ee93a0f7d8..601e569303e1b 100644
--- a/arch/powerpc/include/asm/kexec.h
+++ b/arch/powerpc/include/asm/kexec.h
@@ -61,7 +61,6 @@ struct pt_regs;
extern void kexec_smp_wait(void); /* get and clear naca physid, wait for
master to copy new code to 0 */
extern void default_machine_kexec(struct kimage *image);
-extern void machine_kexec_mask_interrupts(void);
void relocate_new_kernel(unsigned long indirection_page, unsigned long reboot_code_buffer,
unsigned long start_address) __noreturn;
diff --git a/arch/powerpc/kexec/core.c b/arch/powerpc/kexec/core.c
index b8333a49ea5da..58a930a47422b 100644
--- a/arch/powerpc/kexec/core.c
+++ b/arch/powerpc/kexec/core.c
@@ -22,28 +22,6 @@
#include <asm/setup.h>
#include <asm/firmware.h>
-void machine_kexec_mask_interrupts(void) {
- unsigned int i;
- struct irq_desc *desc;
-
- for_each_irq_desc(i, desc) {
- struct irq_chip *chip;
-
- chip = irq_desc_get_chip(desc);
- if (!chip)
- continue;
-
- if (chip->irq_eoi && irqd_irq_inprogress(&desc->irq_data))
- chip->irq_eoi(&desc->irq_data);
-
- if (chip->irq_mask)
- chip->irq_mask(&desc->irq_data);
-
- if (chip->irq_disable && !irqd_irq_disabled(&desc->irq_data))
- chip->irq_disable(&desc->irq_data);
- }
-}
-
#ifdef CONFIG_CRASH_DUMP
void machine_crash_shutdown(struct pt_regs *regs)
{
diff --git a/arch/powerpc/kexec/core_32.c b/arch/powerpc/kexec/core_32.c
index c95f96850c9e1..deb28eb44f30f 100644
--- a/arch/powerpc/kexec/core_32.c
+++ b/arch/powerpc/kexec/core_32.c
@@ -7,6 +7,7 @@
* Copyright (C) 2005 IBM Corporation.
*/
+#include <linux/irq.h>
#include <linux/kexec.h>
#include <linux/mm.h>
#include <linux/string.h>
diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c
index 3c830a6f7ef46..2306ce3e5f229 100644
--- a/arch/riscv/kernel/machine_kexec.c
+++ b/arch/riscv/kernel/machine_kexec.c
@@ -114,29 +114,6 @@ void machine_shutdown(void)
#endif
}
-static void machine_kexec_mask_interrupts(void)
-{
- unsigned int i;
- struct irq_desc *desc;
-
- for_each_irq_desc(i, desc) {
- struct irq_chip *chip;
-
- chip = irq_desc_get_chip(desc);
- if (!chip)
- continue;
-
- if (chip->irq_eoi && irqd_irq_inprogress(&desc->irq_data))
- chip->irq_eoi(&desc->irq_data);
-
- if (chip->irq_mask)
- chip->irq_mask(&desc->irq_data);
-
- if (chip->irq_disable && !irqd_irq_disabled(&desc->irq_data))
- chip->irq_disable(&desc->irq_data);
- }
-}
-
/*
* machine_crash_shutdown - Prepare to kexec after a kernel crash
*
diff --git a/include/linux/irq.h b/include/linux/irq.h
index fa711f80957b6..25f51bf3c351f 100644
--- a/include/linux/irq.h
+++ b/include/linux/irq.h
@@ -694,6 +694,9 @@ extern int irq_chip_request_resources_parent(struct irq_data *data);
extern void irq_chip_release_resources_parent(struct irq_data *data);
#endif
+/* Disable or mask interrupts during a kernel kexec */
+extern void machine_kexec_mask_interrupts(void);
+
/* Handling of unhandled and spurious interrupts: */
extern void note_interrupt(struct irq_desc *desc, irqreturn_t action_ret);
diff --git a/kernel/irq/Kconfig b/kernel/irq/Kconfig
index 529adb1f58593..875f25ed6f710 100644
--- a/kernel/irq/Kconfig
+++ b/kernel/irq/Kconfig
@@ -141,6 +141,12 @@ config GENERIC_IRQ_DEBUGFS
If you don't know what to do here, say N.
+# Clear forwarded VM interrupts during kexec.
+# This option ensures the kernel clears active states for interrupts
+# forwarded to virtual machines (VMs) during a machine kexec.
+config GENERIC_IRQ_KEXEC_CLEAR_VM_FORWARD
+ bool
+
endmenu
config GENERIC_IRQ_MULTI_HANDLER
diff --git a/kernel/irq/Makefile b/kernel/irq/Makefile
index f19d3080bf11a..c0f44c06d69df 100644
--- a/kernel/irq/Makefile
+++ b/kernel/irq/Makefile
@@ -1,6 +1,6 @@
# SPDX-License-Identifier: GPL-2.0
-obj-y := irqdesc.o handle.o manage.o spurious.o resend.o chip.o dummychip.o devres.o
+obj-y := irqdesc.o handle.o manage.o spurious.o resend.o chip.o dummychip.o devres.o kexec.o
obj-$(CONFIG_IRQ_TIMINGS) += timings.o
ifeq ($(CONFIG_TEST_IRQ_TIMINGS),y)
CFLAGS_timings.o += -DDEBUG
diff --git a/kernel/irq/kexec.c b/kernel/irq/kexec.c
new file mode 100644
index 0000000000000..0f9548c1708dd
--- /dev/null
+++ b/kernel/irq/kexec.c
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <linux/interrupt.h>
+#include <linux/irq.h>
+#include <linux/irqdesc.h>
+#include <linux/irqnr.h>
+
+#include "internals.h"
+
+void machine_kexec_mask_interrupts(void)
+{
+ struct irq_desc *desc;
+ unsigned int i;
+
+ for_each_irq_desc(i, desc) {
+ struct irq_chip *chip;
+ int check_eoi = 1;
+
+ chip = irq_desc_get_chip(desc);
+ if (!chip)
+ continue;
+
+ if (IS_ENABLED(CONFIG_GENERIC_IRQ_KEXEC_CLEAR_VM_FORWARD)) {
+ /*
+ * First try to remove the active state from an interrupt which is forwarded
+ * to a VM. If the interrupt is not forwarded, try to EOI the interrupt.
+ */
+ check_eoi = irq_set_irqchip_state(i, IRQCHIP_STATE_ACTIVE, false);
+ }
+
+ if (check_eoi && chip->irq_eoi && irqd_irq_inprogress(&desc->irq_data))
+ chip->irq_eoi(&desc->irq_data);
+
+ if (chip->irq_mask)
+ chip->irq_mask(&desc->irq_data);
+
+ if (chip->irq_disable && !irqd_irq_disabled(&desc->irq_data))
+ chip->irq_disable(&desc->irq_data);
+ }
+}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 093/567] can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 092/567] net: usb: pegasus: " Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 094/567] can: usb: f81604: correctly anchor the urb in the read bulk callback Greg Kroah-Hartman
` (284 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vincent Mailhol, Marc Kleine-Budde,
stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 38a01c9700b0dcafe97dfa9dc7531bf4a245deff upstream.
When looking at the data in a USB urb, the actual_length is the size of
the buffer passed to the driver, not the transfer_buffer_length which is
set by the driver as the max size of the buffer.
When parsing the messages in ems_usb_read_bulk_callback() properly check
the size both at the beginning of parsing the message to make sure it is
big enough for the expected structure, and at the end of the message to
make sure we don't overflow past the end of the buffer for the next
message.
Cc: Vincent Mailhol <mailhol@kernel.org>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026022316-answering-strainer-a5db@gregkh
Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/ems_usb.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -445,6 +445,11 @@ static void ems_usb_read_bulk_callback(s
start = CPC_HEADER_SIZE;
while (msg_count) {
+ if (start + CPC_MSG_HEADER_LEN > urb->actual_length) {
+ netdev_err(netdev, "format error\n");
+ break;
+ }
+
msg = (struct ems_cpc_msg *)&ibuf[start];
switch (msg->type) {
@@ -474,7 +479,7 @@ static void ems_usb_read_bulk_callback(s
start += CPC_MSG_HEADER_LEN + msg->length;
msg_count--;
- if (start > urb->transfer_buffer_length) {
+ if (start > urb->actual_length) {
netdev_err(netdev, "format error\n");
break;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 031/481] media: tegra-video: Fix memory leak in __tegra_channel_try_format()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 030/481] media: tegra-video: Use accessors for pad config try_* fields Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 032/481] media: camss: vfe-480: Multiple outputs support for SM8250 Greg Kroah-Hartman
` (284 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zilin Guan, Hans Verkuil,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 43e5302d22334f1183dec3e0d5d8007eefe2817c ]
The state object allocated by __v4l2_subdev_state_alloc() must be freed
with __v4l2_subdev_state_free() when it is no longer needed.
In __tegra_channel_try_format(), two error paths return directly after
v4l2_subdev_call() fails, without freeing the allocated 'sd_state'
object. This violates the requirement and causes a memory leak.
Fix this by introducing a cleanup label and using goto statements in the
error paths to ensure that __v4l2_subdev_state_free() is always called
before the function returns.
Fixes: 56f64b82356b7 ("media: tegra-video: Use zero crop settings if subdev has no get_selection")
Fixes: 1ebaeb09830f3 ("media: tegra-video: Add support for external sensor capture")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/media/tegra-video/vi.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/media/tegra-video/vi.c b/drivers/staging/media/tegra-video/vi.c
index e82ab9044ef3b..ea96fd67035c7 100644
--- a/drivers/staging/media/tegra-video/vi.c
+++ b/drivers/staging/media/tegra-video/vi.c
@@ -503,7 +503,7 @@ static int __tegra_channel_try_format(struct tegra_vi_channel *chan,
.target = V4L2_SEL_TGT_CROP_BOUNDS,
};
struct v4l2_rect *try_crop;
- int ret;
+ int ret = 0;
subdev = tegra_channel_get_remote_source_subdev(chan);
if (!subdev)
@@ -548,8 +548,10 @@ static int __tegra_channel_try_format(struct tegra_vi_channel *chan,
} else {
ret = v4l2_subdev_call(subdev, pad, get_selection,
NULL, &sdsel);
- if (ret)
- return -EINVAL;
+ if (ret) {
+ ret = -EINVAL;
+ goto out_free;
+ }
try_crop->width = sdsel.r.width;
try_crop->height = sdsel.r.height;
@@ -561,14 +563,15 @@ static int __tegra_channel_try_format(struct tegra_vi_channel *chan,
ret = v4l2_subdev_call(subdev, pad, set_fmt, sd_state, &fmt);
if (ret < 0)
- return ret;
+ goto out_free;
v4l2_fill_pix_format(pix, &fmt.format);
tegra_channel_fmt_align(chan, pix, fmtinfo->bpp);
+out_free:
__v4l2_subdev_state_free(sd_state);
- return 0;
+ return ret;
}
static int tegra_channel_try_format(struct file *file, void *fh,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 018/460] kexec: Include kernel-end even without crashkernel
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 017/460] kexec: Consolidate machine_kexec_mask_interrupts() implementation Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 019/460] powerpc/kexec/core: use big-endian types for crash variables Greg Kroah-Hartman
` (284 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Collins, Sourabh Jain,
Madhavan Srinivasan, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Collins <bcollins@kernel.org>
[ Upstream commit 38c64dfe0af12778953846df5f259e913275cfe5 ]
Certain versions of kexec don't even work without kernel-end being
added to the device-tree. Add it even if crash-kernel is disabled.
Signed-off-by: Ben Collins <bcollins@kernel.org>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/2025042122-inescapable-mandrill-8a5ff2@boujee-and-buff
Stable-dep-of: 20197b967a6a ("powerpc/kexec/core: use big-endian types for crash variables")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kexec/core.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/arch/powerpc/kexec/core.c b/arch/powerpc/kexec/core.c
index 58a930a47422b..50e7cf4b992b1 100644
--- a/arch/powerpc/kexec/core.c
+++ b/arch/powerpc/kexec/core.c
@@ -22,6 +22,8 @@
#include <asm/setup.h>
#include <asm/firmware.h>
+#define cpu_to_be_ulong __PASTE(cpu_to_be, BITS_PER_LONG)
+
#ifdef CONFIG_CRASH_DUMP
void machine_crash_shutdown(struct pt_regs *regs)
{
@@ -156,17 +158,10 @@ int __init overlaps_crashkernel(unsigned long start, unsigned long size)
}
/* Values we need to export to the second kernel via the device tree. */
-static phys_addr_t kernel_end;
static phys_addr_t crashk_base;
static phys_addr_t crashk_size;
static unsigned long long mem_limit;
-static struct property kernel_end_prop = {
- .name = "linux,kernel-end",
- .length = sizeof(phys_addr_t),
- .value = &kernel_end,
-};
-
static struct property crashk_base_prop = {
.name = "linux,crashkernel-base",
.length = sizeof(phys_addr_t),
@@ -185,8 +180,6 @@ static struct property memory_limit_prop = {
.value = &mem_limit,
};
-#define cpu_to_be_ulong __PASTE(cpu_to_be, BITS_PER_LONG)
-
static void __init export_crashk_values(struct device_node *node)
{
/* There might be existing crash kernel properties, but we can't
@@ -210,6 +203,15 @@ static void __init export_crashk_values(struct device_node *node)
mem_limit = cpu_to_be_ulong(memory_limit);
of_update_property(node, &memory_limit_prop);
}
+#endif /* CONFIG_CRASH_RESERVE */
+
+static phys_addr_t kernel_end;
+
+static struct property kernel_end_prop = {
+ .name = "linux,kernel-end",
+ .length = sizeof(phys_addr_t),
+ .value = &kernel_end,
+};
static int __init kexec_setup(void)
{
@@ -220,16 +222,17 @@ static int __init kexec_setup(void)
return -ENOENT;
/* remove any stale properties so ours can be found */
- of_remove_property(node, of_find_property(node, kernel_end_prop.name, NULL));
+ of_remove_property(node, of_find_property(node, kernel_end_prop.name,
+ NULL));
/* information needed by userspace when using default_machine_kexec */
kernel_end = cpu_to_be_ulong(__pa(_end));
of_add_property(node, &kernel_end_prop);
+#ifdef CONFIG_CRASH_RESERVE
export_crashk_values(node);
-
+#endif
of_node_put(node);
return 0;
}
late_initcall(kexec_setup);
-#endif /* CONFIG_CRASH_RESERVE */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 094/567] can: usb: f81604: correctly anchor the urb in the read bulk callback
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 093/567] can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 095/567] can: ucan: Fix infinite loop from zero-length messages Greg Kroah-Hartman
` (283 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ji-Ze Hong (Peter Hong),
Marc Kleine-Budde, Vincent Mailhol, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 952caa5da10bed22be09612433964f6877ba0dde upstream.
When submitting an urb, that is using the anchor pattern, it needs to be
anchored before submitting it otherwise it could be leaked if
usb_kill_anchored_urbs() is called. This logic is correctly done
elsewhere in the driver, except in the read bulk callback so do that
here also.
Cc: Ji-Ze Hong (Peter Hong) <peter_hong@fintek.com.tw>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Vincent Mailhol <mailhol@kernel.org>
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026022334-starlight-scaling-2cea@gregkh
Fixes: 88da17436973 ("can: usb: f81604: add Fintek F81604 support")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/f81604.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/drivers/net/can/usb/f81604.c
+++ b/drivers/net/can/usb/f81604.c
@@ -413,6 +413,7 @@ static void f81604_read_bulk_callback(st
{
struct f81604_can_frame *frame = urb->transfer_buffer;
struct net_device *netdev = urb->context;
+ struct f81604_port_priv *priv = netdev_priv(netdev);
int ret;
if (!netif_device_present(netdev))
@@ -445,10 +446,15 @@ static void f81604_read_bulk_callback(st
f81604_process_rx_packet(netdev, frame);
resubmit_urb:
+ usb_anchor_urb(urb, &priv->urbs_anchor);
ret = usb_submit_urb(urb, GFP_ATOMIC);
+ if (!ret)
+ return;
+ usb_unanchor_urb(urb);
+
if (ret == -ENODEV)
netif_device_detach(netdev);
- else if (ret)
+ else
netdev_err(netdev,
"%s: failed to resubmit read bulk urb: %pe\n",
__func__, ERR_PTR(ret));
@@ -646,10 +652,15 @@ static void f81604_read_int_callback(str
f81604_handle_tx(priv, data);
resubmit_urb:
+ usb_anchor_urb(urb, &priv->urbs_anchor);
ret = usb_submit_urb(urb, GFP_ATOMIC);
+ if (!ret)
+ return;
+ usb_unanchor_urb(urb);
+
if (ret == -ENODEV)
netif_device_detach(netdev);
- else if (ret)
+ else
netdev_err(netdev, "%s: failed to resubmit int urb: %pe\n",
__func__, ERR_PTR(ret));
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 032/481] media: camss: vfe-480: Multiple outputs support for SM8250
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 031/481] media: tegra-video: Fix memory leak in __tegra_channel_try_format() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 033/481] media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update() Greg Kroah-Hartman
` (283 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Milen Mitkov, Robert Foss,
Bryan ODonoghue, Hans Verkuil, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Milen Mitkov <quic_mmitkov@quicinc.com>
[ Upstream commit 1c4abf0246d2ad5fabc830f1d9cc3944d5a4ae95 ]
On SM8250 each VFE supports at least 3 RDI channels, or 4
in case of VFE-Lite, so add appropriate IRQ setup and handling.
Signed-off-by: Milen Mitkov <quic_mmitkov@quicinc.com>
Reviewed-by: Robert Foss <robert.foss@linaro.org>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Acked-by: Robert Foss <robert.foss@linaro.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Stable-dep-of: d965919af524 ("media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../media/platform/qcom/camss/camss-vfe-480.c | 57 ++++++++++++-------
1 file changed, 38 insertions(+), 19 deletions(-)
diff --git a/drivers/media/platform/qcom/camss/camss-vfe-480.c b/drivers/media/platform/qcom/camss/camss-vfe-480.c
index 72f5cfeeb49bf..0063e36a30e05 100644
--- a/drivers/media/platform/qcom/camss/camss-vfe-480.c
+++ b/drivers/media/platform/qcom/camss/camss-vfe-480.c
@@ -93,6 +93,8 @@ static inline int bus_irq_mask_0_comp_done(struct vfe_device *vfe, int n)
#define RDI_WM(n) ((IS_LITE ? 0 : 23) + (n))
#define RDI_COMP_GROUP(n) ((IS_LITE ? 0 : 11) + (n))
+#define MAX_VFE_OUTPUT_LINES 4
+
static u32 vfe_hw_version(struct vfe_device *vfe)
{
u32 hw_version = readl_relaxed(vfe->base + VFE_HW_VERSION);
@@ -170,12 +172,26 @@ static inline void vfe_reg_update_clear(struct vfe_device *vfe,
static void vfe_enable_irq_common(struct vfe_device *vfe)
{
- /* enable only the IRQs used: rup and comp_done irqs for RDI0 */
+ /* enable reset ack IRQ and top BUS status IRQ */
writel_relaxed(IRQ_MASK_0_RESET_ACK | IRQ_MASK_0_BUS_TOP_IRQ,
vfe->base + VFE_IRQ_MASK(0));
- writel_relaxed(BUS_IRQ_MASK_0_RDI_RUP(vfe, 0) |
- BUS_IRQ_MASK_0_COMP_DONE(vfe, RDI_COMP_GROUP(0)),
- vfe->base + VFE_BUS_IRQ_MASK(0));
+}
+
+static void vfe_enable_lines_irq(struct vfe_device *vfe)
+{
+ int i;
+ u32 bus_irq_mask = 0;
+
+ for (i = 0; i < MAX_VFE_OUTPUT_LINES; i++) {
+ /* Enable IRQ for newly added lines, but also keep already running lines's IRQ */
+ if (vfe->line[i].output.state == VFE_OUTPUT_RESERVED ||
+ vfe->line[i].output.state == VFE_OUTPUT_ON) {
+ bus_irq_mask |= BUS_IRQ_MASK_0_RDI_RUP(vfe, i)
+ | BUS_IRQ_MASK_0_COMP_DONE(vfe, RDI_COMP_GROUP(i));
+ }
+ }
+
+ writel_relaxed(bus_irq_mask, vfe->base + VFE_BUS_IRQ_MASK(0));
}
static void vfe_isr_reg_update(struct vfe_device *vfe, enum vfe_line_id line_id);
@@ -192,6 +208,7 @@ static irqreturn_t vfe_isr(int irq, void *dev)
{
struct vfe_device *vfe = dev;
u32 status;
+ int i;
status = readl_relaxed(vfe->base + VFE_IRQ_STATUS(0));
writel_relaxed(status, vfe->base + VFE_IRQ_CLEAR(0));
@@ -206,11 +223,14 @@ static irqreturn_t vfe_isr(int irq, void *dev)
writel_relaxed(status, vfe->base + VFE_BUS_IRQ_CLEAR(0));
writel_relaxed(1, vfe->base + VFE_BUS_IRQ_CLEAR_GLOBAL);
- if (status & BUS_IRQ_MASK_0_RDI_RUP(vfe, 0))
- vfe_isr_reg_update(vfe, 0);
+ /* Loop through all WMs IRQs */
+ for (i = 0; i < MSM_VFE_IMAGE_MASTERS_NUM; i++) {
+ if (status & BUS_IRQ_MASK_0_RDI_RUP(vfe, i))
+ vfe_isr_reg_update(vfe, i);
- if (status & BUS_IRQ_MASK_0_COMP_DONE(vfe, RDI_COMP_GROUP(0)))
- vfe_isr_wm_done(vfe, 0);
+ if (status & BUS_IRQ_MASK_0_COMP_DONE(vfe, RDI_COMP_GROUP(i)))
+ vfe_isr_wm_done(vfe, i);
+ }
}
return IRQ_HANDLED;
@@ -233,7 +253,6 @@ static int vfe_get_output(struct vfe_line *line)
struct vfe_device *vfe = to_vfe(line);
struct vfe_output *output;
unsigned long flags;
- int wm_idx;
spin_lock_irqsave(&vfe->output_lock, flags);
@@ -245,12 +264,12 @@ static int vfe_get_output(struct vfe_line *line)
output->wm_num = 1;
- wm_idx = vfe_reserve_wm(vfe, line->id);
- if (wm_idx < 0) {
- dev_err(vfe->camss->dev, "Can not reserve wm\n");
- goto error_get_wm;
- }
- output->wm_idx[0] = wm_idx;
+ /* Correspondence between VFE line number and WM number.
+ * line 0 -> RDI 0, line 1 -> RDI1, line 2 -> RDI2, line 3 -> PIX/RDI3
+ * Note this 1:1 mapping will not work for PIX streams.
+ */
+ output->wm_idx[0] = line->id;
+ vfe->wm_output_map[line->id] = line->id;
output->drop_update_idx = 0;
@@ -258,11 +277,9 @@ static int vfe_get_output(struct vfe_line *line)
return 0;
-error_get_wm:
- vfe_release_wm(vfe, output->wm_idx[0]);
- output->state = VFE_OUTPUT_OFF;
error:
spin_unlock_irqrestore(&vfe->output_lock, flags);
+ output->state = VFE_OUTPUT_OFF;
return -EINVAL;
}
@@ -344,6 +361,8 @@ static int vfe_enable(struct vfe_line *line)
vfe->stream_count++;
+ vfe_enable_lines_irq(vfe);
+
mutex_unlock(&vfe->stream_lock);
ret = vfe_get_output(line);
@@ -550,7 +569,7 @@ static const struct camss_video_ops vfe_video_ops_480 = {
static void vfe_subdev_init(struct device *dev, struct vfe_device *vfe)
{
vfe->video_ops = vfe_video_ops_480;
- vfe->line_num = 1;
+ vfe->line_num = MAX_VFE_OUTPUT_LINES;
}
const struct vfe_hw_ops vfe_ops_480 = {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 019/460] powerpc/kexec/core: use big-endian types for crash variables
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 018/460] kexec: Include kernel-end even without crashkernel Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 020/460] powerpc/crash: adjust the elfcorehdr size Greg Kroah-Hartman
` (283 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Sourabh Jain,
Venkat Rao Bagalkote, Madhavan Srinivasan, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sourabh Jain <sourabhjain@linux.ibm.com>
[ Upstream commit 20197b967a6a29dab81495f25a988515bda84cfe ]
Use explicit word-sized big-endian types for kexec and crash related
variables. This makes the endianness unambiguous and avoids type
mismatches that trigger sparse warnings.
The change addresses sparse warnings like below (seen on both 32-bit
and 64-bit builds):
CHECK ../arch/powerpc/kexec/core.c
sparse: expected unsigned int static [addressable] [toplevel] [usertype] crashk_base
sparse: got restricted __be32 [usertype]
sparse: warning: incorrect type in assignment (different base types)
sparse: expected unsigned int static [addressable] [toplevel] [usertype] crashk_size
sparse: got restricted __be32 [usertype]
sparse: warning: incorrect type in assignment (different base types)
sparse: expected unsigned long long static [addressable] [toplevel] mem_limit
sparse: got restricted __be32 [usertype]
sparse: warning: incorrect type in assignment (different base types)
sparse: expected unsigned int static [addressable] [toplevel] [usertype] kernel_end
sparse: got restricted __be32 [usertype]
No functional change intended.
Fixes: ea961a828fe7 ("powerpc: Fix endian issues in kexec and crash dump code")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202512221405.VHPKPjnp-lkp@intel.com/
Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20251224151257.28672-1-sourabhjain@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kexec/core.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/arch/powerpc/kexec/core.c b/arch/powerpc/kexec/core.c
index 50e7cf4b992b1..31797f2145ec5 100644
--- a/arch/powerpc/kexec/core.c
+++ b/arch/powerpc/kexec/core.c
@@ -23,6 +23,7 @@
#include <asm/firmware.h>
#define cpu_to_be_ulong __PASTE(cpu_to_be, BITS_PER_LONG)
+#define __be_word __PASTE(__be, BITS_PER_LONG)
#ifdef CONFIG_CRASH_DUMP
void machine_crash_shutdown(struct pt_regs *regs)
@@ -158,25 +159,25 @@ int __init overlaps_crashkernel(unsigned long start, unsigned long size)
}
/* Values we need to export to the second kernel via the device tree. */
-static phys_addr_t crashk_base;
-static phys_addr_t crashk_size;
-static unsigned long long mem_limit;
+static __be_word crashk_base;
+static __be_word crashk_size;
+static __be_word mem_limit;
static struct property crashk_base_prop = {
.name = "linux,crashkernel-base",
- .length = sizeof(phys_addr_t),
+ .length = sizeof(__be_word),
.value = &crashk_base
};
static struct property crashk_size_prop = {
.name = "linux,crashkernel-size",
- .length = sizeof(phys_addr_t),
+ .length = sizeof(__be_word),
.value = &crashk_size,
};
static struct property memory_limit_prop = {
.name = "linux,memory-limit",
- .length = sizeof(unsigned long long),
+ .length = sizeof(__be_word),
.value = &mem_limit,
};
@@ -205,11 +206,11 @@ static void __init export_crashk_values(struct device_node *node)
}
#endif /* CONFIG_CRASH_RESERVE */
-static phys_addr_t kernel_end;
+static __be_word kernel_end;
static struct property kernel_end_prop = {
.name = "linux,kernel-end",
- .length = sizeof(phys_addr_t),
+ .length = sizeof(__be_word),
.value = &kernel_end,
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 095/567] can: ucan: Fix infinite loop from zero-length messages
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 094/567] can: usb: f81604: correctly anchor the urb in the read bulk callback Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 096/567] can: usb: etas_es58x: correctly anchor the urb in the read bulk callback Greg Kroah-Hartman
` (282 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde, Vincent Mailhol,
stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1e446fd0582ad8be9f6dafb115fc2e7245f9bea7 upstream.
If a broken ucan device gets a message with the message length field set
to 0, then the driver will loop for forever in
ucan_read_bulk_callback(), hanging the system. If the length is 0, just
skip the message and go on to the next one.
This has been fixed in the kvaser_usb driver in the past in commit
0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in
command parsers"), so there must be some broken devices out there like
this somewhere.
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Vincent Mailhol <mailhol@kernel.org>
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026022319-huff-absurd-6a18@gregkh
Fixes: 9f2d3eae88d2 ("can: ucan: add driver for Theobroma Systems UCAN devices")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/ucan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/can/usb/ucan.c
+++ b/drivers/net/can/usb/ucan.c
@@ -749,7 +749,7 @@ static void ucan_read_bulk_callback(stru
len = le16_to_cpu(m->len);
/* check sanity (length of content) */
- if (urb->actual_length - pos < len) {
+ if ((len == 0) || (urb->actual_length - pos < len)) {
netdev_warn(up->netdev,
"invalid message (short; no data; l:%d)\n",
urb->actual_length);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 033/481] media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 032/481] media: camss: vfe-480: Multiple outputs support for SM8250 Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 034/481] KVM: x86: WARN if a vCPU gets a valid wakeup that KVM cant yet inject Greg Kroah-Hartman
` (282 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alper Ak, Bryan ODonoghue,
Bryan ODonoghue, Hans Verkuil, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alper Ak <alperyasinak1@gmail.com>
[ Upstream commit d965919af524e68cb2ab1a685872050ad2ee933d ]
vfe_isr() iterates using MSM_VFE_IMAGE_MASTERS_NUM(7) as the loop
bound and passes the index to vfe_isr_reg_update(). However,
vfe->line[] array is defined with VFE_LINE_NUM_MAX(4):
struct vfe_line line[VFE_LINE_NUM_MAX];
When index is 4, 5, 6, the access to vfe->line[line_id] exceeds
the array bounds and resulting in out-of-bounds memory access.
Fix this by using separate loops for output lines and write masters.
Fixes: 4edc8eae715c ("media: camss: Add initial support for VFE hardware version Titan 480")
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/qcom/camss/camss-vfe-480.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/qcom/camss/camss-vfe-480.c b/drivers/media/platform/qcom/camss/camss-vfe-480.c
index 0063e36a30e05..fa818517ab0da 100644
--- a/drivers/media/platform/qcom/camss/camss-vfe-480.c
+++ b/drivers/media/platform/qcom/camss/camss-vfe-480.c
@@ -223,11 +223,13 @@ static irqreturn_t vfe_isr(int irq, void *dev)
writel_relaxed(status, vfe->base + VFE_BUS_IRQ_CLEAR(0));
writel_relaxed(1, vfe->base + VFE_BUS_IRQ_CLEAR_GLOBAL);
- /* Loop through all WMs IRQs */
- for (i = 0; i < MSM_VFE_IMAGE_MASTERS_NUM; i++) {
+ for (i = 0; i < MAX_VFE_OUTPUT_LINES; i++) {
if (status & BUS_IRQ_MASK_0_RDI_RUP(vfe, i))
vfe_isr_reg_update(vfe, i);
+ }
+ /* Loop through all WMs IRQs */
+ for (i = 0; i < MSM_VFE_IMAGE_MASTERS_NUM; i++) {
if (status & BUS_IRQ_MASK_0_COMP_DONE(vfe, RDI_COMP_GROUP(i)))
vfe_isr_wm_done(vfe, i);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 020/460] powerpc/crash: adjust the elfcorehdr size
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 019/460] powerpc/kexec/core: use big-endian types for crash variables Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 021/460] remoteproc: sysmon: Correct subsys_name_len type in QMI request Greg Kroah-Hartman
` (282 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hari Bathini, Sourabh Jain,
Madhavan Srinivasan, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sourabh Jain <sourabhjain@linux.ibm.com>
[ Upstream commit 04e707cb77c272cb0bb2e2e3c5c7f844d804a089 ]
With crash hotplug support enabled, additional memory is allocated to
the elfcorehdr kexec segment to accommodate resources added during
memory hotplug events. However, the kdump FDT is not updated with the
same size, which can result in elfcorehdr corruption in the kdump
kernel.
Update elf_headers_sz (the kimage member representing the size of the
elfcorehdr kexec segment) to reflect the total memory allocated for the
elfcorehdr segment instead of the elfcorehdr buffer size at the time of
kdump load. This allows of_kexec_alloc_and_setup_fdt() to reserve the
full elfcorehdr memory in the kdump FDT and prevents elfcorehdr
corruption.
Fixes: 849599b702ef8 ("powerpc/crash: add crash memory hotplug support")
Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260227171801.2238847-1-sourabhjain@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kexec/file_load_64.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kexec/file_load_64.c b/arch/powerpc/kexec/file_load_64.c
index dc65c13911577..248a0f00a291f 100644
--- a/arch/powerpc/kexec/file_load_64.c
+++ b/arch/powerpc/kexec/file_load_64.c
@@ -633,6 +633,11 @@ static int load_elfcorehdr_segment(struct kimage *image, struct kexec_buf *kbuf)
kbuf->buffer = headers;
kbuf->mem = KEXEC_BUF_MEM_UNKNOWN;
kbuf->bufsz = headers_sz;
+
+ /*
+ * Account for extra space required to accommodate additional memory
+ * ranges in elfcorehdr due to memory hotplug events.
+ */
kbuf->memsz = headers_sz + kdump_extra_elfcorehdr_size(cmem);
kbuf->top_down = false;
@@ -643,7 +648,14 @@ static int load_elfcorehdr_segment(struct kimage *image, struct kexec_buf *kbuf)
}
image->elf_load_addr = kbuf->mem;
- image->elf_headers_sz = headers_sz;
+
+ /*
+ * If CONFIG_CRASH_HOTPLUG is enabled, the elfcorehdr kexec segment
+ * memsz can be larger than bufsz. Always initialize elf_headers_sz
+ * with memsz. This ensures the correct size is reserved for elfcorehdr
+ * memory in the FDT prepared for kdump.
+ */
+ image->elf_headers_sz = kbuf->memsz;
image->elf_headers = headers;
out:
kfree(cmem);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 096/567] can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 095/567] can: ucan: Fix infinite loop from zero-length messages Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 097/567] can: usb: f81604: handle short interrupt urb messages properly Greg Kroah-Hartman
` (281 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vincent Mailhol, Marc Kleine-Budde,
stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5eaad4f768266f1f17e01232ffe2ef009f8129b7 upstream.
When submitting an urb, that is using the anchor pattern, it needs to be
anchored before submitting it otherwise it could be leaked if
usb_kill_anchored_urbs() is called. This logic is correctly done
elsewhere in the driver, except in the read bulk callback so do that
here also.
Cc: Vincent Mailhol <mailhol@kernel.org>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Vincent Mailhol <mailhol@kernel.org>
Tested-by: Vincent Mailhol <mailhol@kernel.org>
Link: https://patch.msgid.link/2026022320-poser-stiffly-9d84@gregkh
Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/etas_es58x/es58x_core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/net/can/usb/etas_es58x/es58x_core.c
+++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
@@ -1461,12 +1461,18 @@ static void es58x_read_bulk_callback(str
}
resubmit_urb:
+ usb_anchor_urb(urb, &es58x_dev->rx_urbs);
ret = usb_submit_urb(urb, GFP_ATOMIC);
+ if (!ret)
+ return;
+
+ usb_unanchor_urb(urb);
+
if (ret == -ENODEV) {
for (i = 0; i < es58x_dev->num_can_ch; i++)
if (es58x_dev->netdev[i])
netif_device_detach(es58x_dev->netdev[i]);
- } else if (ret)
+ } else
dev_err_ratelimited(dev,
"Failed resubmitting read bulk urb: %pe\n",
ERR_PTR(ret));
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 034/481] KVM: x86: WARN if a vCPU gets a valid wakeup that KVM cant yet inject
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 033/481] media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 035/481] KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block() Greg Kroah-Hartman
` (281 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 45405155d876c326da89162b8173b8cc9ab7ed75 ]
WARN if a blocking vCPU is awakened by a valid wake event that KVM can't
inject, e.g. because KVM needs to complete a nested VM-enter, or needs to
re-inject an exception. For the nested VM-Enter case, KVM is supposed to
clear "nested_run_pending" if L1 puts L2 into HLT, i.e. entering HLT
"completes" the nested VM-Enter. And for already-injected exceptions, it
should be impossible for the vCPU to be in a blocking state if a VM-Exit
occurred while an exception was being vectored.
Link: https://lore.kernel.org/r/20240607172609.3205077-7-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Stable-dep-of: ead63640d4e7 ("KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/x86.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index b6fdf084fc92a..824844a7c6e88 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -11064,7 +11064,10 @@ static inline int vcpu_block(struct kvm_vcpu *vcpu)
* causes a spurious wakeup from HLT).
*/
if (is_guest_mode(vcpu)) {
- if (kvm_check_nested_events(vcpu) < 0)
+ int r = kvm_check_nested_events(vcpu);
+
+ WARN_ON_ONCE(r == -EBUSY);
+ if (r < 0)
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 021/460] remoteproc: sysmon: Correct subsys_name_len type in QMI request
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 020/460] powerpc/crash: adjust the elfcorehdr size Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 022/460] remoteproc: mediatek: Unprepare SCP clock during system suspend Greg Kroah-Hartman
` (281 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Andersson, Chris Lew,
Bjorn Andersson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
[ Upstream commit da994db94e60f9a9411108ddf4d1836147ad4c9c ]
The QMI message encoder has up until recently read a single byte (as
elem_size == 1), but with the introduction of big endian support it's
become apparent that this field is expected to be a full u32 -
regardless of the size of the length in the encoded message (which is
what elem_size specifies).
The result is that the encoder now reads past the length byte and
rejects the unreasonably large length formed when including the
following 3 bytes from the subsys_name array.
Fix this by changing to the expected type.
Fixes: 1fb82ee806d1 ("remoteproc: qcom: Introduce sysmon")
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Reviewed-by: Chris Lew <christopher.lew@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260220-qmi-encode-invalid-length-v2-1-5674be35ab29@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/qcom_sysmon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/remoteproc/qcom_sysmon.c b/drivers/remoteproc/qcom_sysmon.c
index c24e4a8828738..db33a41051a3e 100644
--- a/drivers/remoteproc/qcom_sysmon.c
+++ b/drivers/remoteproc/qcom_sysmon.c
@@ -203,7 +203,7 @@ static const struct qmi_elem_info ssctl_shutdown_resp_ei[] = {
};
struct ssctl_subsys_event_req {
- u8 subsys_name_len;
+ u32 subsys_name_len;
char subsys_name[SSCTL_SUBSYS_NAME_LENGTH];
u32 event;
u8 evt_driven_valid;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 097/567] can: usb: f81604: handle short interrupt urb messages properly
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 096/567] can: usb: etas_es58x: correctly anchor the urb in the read bulk callback Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 098/567] can: usb: f81604: handle bulk write errors properly Greg Kroah-Hartman
` (280 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ji-Ze Hong (Peter Hong),
Marc Kleine-Budde, Vincent Mailhol, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7299b1b39a255f6092ce4ec0b65f66e9d6a357af upstream.
If an interrupt urb is received that is not the correct length, properly
detect it and don't attempt to treat the data as valid.
Cc: Ji-Ze Hong (Peter Hong) <peter_hong@fintek.com.tw>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Vincent Mailhol <mailhol@kernel.org>
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026022331-opal-evaluator-a928@gregkh
Fixes: 88da17436973 ("can: usb: f81604: add Fintek F81604 support")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/f81604.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/net/can/usb/f81604.c
+++ b/drivers/net/can/usb/f81604.c
@@ -626,6 +626,12 @@ static void f81604_read_int_callback(str
netdev_info(netdev, "%s: Int URB aborted: %pe\n", __func__,
ERR_PTR(urb->status));
+ if (urb->actual_length < sizeof(*data)) {
+ netdev_warn(netdev, "%s: short int URB: %u < %zu\n",
+ __func__, urb->actual_length, sizeof(*data));
+ goto resubmit_urb;
+ }
+
switch (urb->status) {
case 0: /* success */
break;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 035/481] KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 034/481] KVM: x86: WARN if a vCPU gets a valid wakeup that KVM cant yet inject Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 036/481] drm/tegra: dsi: fix device leak on probe Greg Kroah-Hartman
` (280 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alessandro Ratti,
syzbot+1522459a74d26b0ac33a, Sean Christopherson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit ead63640d4e72e6f6d464f4e31f7fecb79af8869 ]
Ignore -EBUSY when checking nested events after exiting a blocking state
while L2 is active, as exiting to userspace will generate a spurious
userspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's
demise. Continuing with the wakeup isn't perfect either, as *something*
has gone sideways if a vCPU is awakened in L2 with an injected event (or
worse, a nested run pending), but continuing on gives the VM a decent
chance of surviving without any major side effects.
As explained in the Fixes commits, it _should_ be impossible for a vCPU to
be put into a blocking state with an already-injected event (exception,
IRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected
events, and thus put the vCPU into what should be an impossible state.
Don't bother trying to preserve the WARN, e.g. with an anti-syzkaller
Kconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be
violating x86 architecture, e.g. by WARNing if KVM attempts to inject an
exception or interrupt while the vCPU isn't running.
Cc: Alessandro Ratti <alessandro@0x65c.net>
Cc: stable@vger.kernel.org
Fixes: 26844fee6ade ("KVM: x86: never write to memory from kvm_vcpu_check_block()")
Fixes: 45405155d876 ("KVM: x86: WARN if a vCPU gets a valid wakeup that KVM can't yet inject")
Link: https://syzkaller.appspot.com/text?tag=ReproC&x=10d4261a580000
Reported-by: syzbot+1522459a74d26b0ac33a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/671bc7a7.050a0220.455e8.022a.GAE@google.com
Link: https://patch.msgid.link/20260109030657.994759-1-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/x86.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 824844a7c6e88..8617f7fec9643 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -11066,8 +11066,7 @@ static inline int vcpu_block(struct kvm_vcpu *vcpu)
if (is_guest_mode(vcpu)) {
int r = kvm_check_nested_events(vcpu);
- WARN_ON_ONCE(r == -EBUSY);
- if (r < 0)
+ if (r < 0 && r != -EBUSY)
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 022/460] remoteproc: mediatek: Unprepare SCP clock during system suspend
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 021/460] remoteproc: sysmon: Correct subsys_name_len type in QMI request Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 023/460] powerpc: 83xx: km83xx: Fix keymile vendor prefix Greg Kroah-Hartman
` (280 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AngeloGioacchino Del Regno,
Tzung-Bi Shih, Mathieu Poirier, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tzung-Bi Shih <tzungbi@kernel.org>
[ Upstream commit 35c3f72a2d55dbf52f28f4ecae51c76be1acf545 ]
Prior to commit d935187cfb27 ("remoteproc: mediatek: Break lock
dependency to prepare_lock"), `scp->clk` was prepared and enabled only
when it needs to communicate with the SCP. The commit d935187cfb27
moved the prepare operation to remoteproc's prepare(), keeping the clock
prepared as long as the SCP is running.
The power consumption due to the prolonged clock preparation can be
negligible when the system is running, as SCP is designed to be a very
power efficient processor.
However, the clock remains prepared even when the system enters system
suspend. This prevents the underlying clock controller (and potentially
the parent PLLs) from shutting down, which increases power consumption
and may block the system from entering deep sleep states.
Add suspend and resume callbacks. Unprepare the clock in suspend() if
it was active and re-prepare it in resume() to ensure the clock is
properly disabled during system suspend, while maintaining the "always
prepared" semantics while the system is active. The driver doesn't
implement .attach() callback, hence it only checks for RPROC_RUNNING.
Fixes: d935187cfb27 ("remoteproc: mediatek: Break lock dependency to prepare_lock")
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Link: https://lore.kernel.org/r/20260206033034.3031781-1-tzungbi@kernel.org
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/mtk_scp.c | 39 ++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/drivers/remoteproc/mtk_scp.c b/drivers/remoteproc/mtk_scp.c
index ae20d2221c8e0..fcd2665f7abbc 100644
--- a/drivers/remoteproc/mtk_scp.c
+++ b/drivers/remoteproc/mtk_scp.c
@@ -1544,12 +1544,51 @@ static const struct of_device_id mtk_scp_of_match[] = {
};
MODULE_DEVICE_TABLE(of, mtk_scp_of_match);
+static int __maybe_unused scp_suspend(struct device *dev)
+{
+ struct mtk_scp *scp = dev_get_drvdata(dev);
+ struct rproc *rproc = scp->rproc;
+
+ /*
+ * Only unprepare if the SCP is running and holding the clock.
+ *
+ * Note: `scp_ops` doesn't implement .attach() callback, hence
+ * `rproc->state` can never be RPROC_ATTACHED. Otherwise, it
+ * should also be checked here.
+ */
+ if (rproc->state == RPROC_RUNNING)
+ clk_unprepare(scp->clk);
+ return 0;
+}
+
+static int __maybe_unused scp_resume(struct device *dev)
+{
+ struct mtk_scp *scp = dev_get_drvdata(dev);
+ struct rproc *rproc = scp->rproc;
+
+ /*
+ * Only prepare if the SCP was running and holding the clock.
+ *
+ * Note: `scp_ops` doesn't implement .attach() callback, hence
+ * `rproc->state` can never be RPROC_ATTACHED. Otherwise, it
+ * should also be checked here.
+ */
+ if (rproc->state == RPROC_RUNNING)
+ return clk_prepare(scp->clk);
+ return 0;
+}
+
+static const struct dev_pm_ops scp_pm_ops = {
+ SET_SYSTEM_SLEEP_PM_OPS(scp_suspend, scp_resume)
+};
+
static struct platform_driver mtk_scp_driver = {
.probe = scp_probe,
.remove_new = scp_remove,
.driver = {
.name = "mtk-scp",
.of_match_table = mtk_scp_of_match,
+ .pm = &scp_pm_ops,
},
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 098/567] can: usb: f81604: handle bulk write errors properly
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 097/567] can: usb: f81604: handle short interrupt urb messages properly Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 099/567] HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them Greg Kroah-Hartman
` (279 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ji-Ze Hong (Peter Hong),
Marc Kleine-Budde, Vincent Mailhol, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 51f94780720fa90c424f67e3e9784cb8ef8190e5 upstream.
If a write urb fails then more needs to be done other than just logging
the message, otherwise the transmission could be stalled. Properly
increment the error counters and wake up the queues so that data will
continue to flow.
Cc: Ji-Ze Hong (Peter Hong) <peter_hong@fintek.com.tw>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Vincent Mailhol <mailhol@kernel.org>
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026022334-slackness-dynamic-9195@gregkh
Fixes: 88da17436973 ("can: usb: f81604: add Fintek F81604 support")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/f81604.c | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
--- a/drivers/net/can/usb/f81604.c
+++ b/drivers/net/can/usb/f81604.c
@@ -891,9 +891,27 @@ static void f81604_write_bulk_callback(s
if (!netif_device_present(netdev))
return;
- if (urb->status)
- netdev_info(netdev, "%s: Tx URB error: %pe\n", __func__,
- ERR_PTR(urb->status));
+ if (!urb->status)
+ return;
+
+ switch (urb->status) {
+ case -ENOENT:
+ case -ECONNRESET:
+ case -ESHUTDOWN:
+ return;
+ default:
+ break;
+ }
+
+ if (net_ratelimit())
+ netdev_err(netdev, "%s: Tx URB error: %pe\n", __func__,
+ ERR_PTR(urb->status));
+
+ can_free_echo_skb(netdev, 0, NULL);
+ netdev->stats.tx_dropped++;
+ netdev->stats.tx_errors++;
+
+ netif_wake_queue(netdev);
}
static void f81604_clear_reg_work(struct work_struct *work)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 036/481] drm/tegra: dsi: fix device leak on probe
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 035/481] KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 037/481] bus: omap-ocp2scp: Convert to platform remove callback returning void Greg Kroah-Hartman
` (279 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thierry Reding, Johan Hovold,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit bfef062695570842cf96358f2f46f4c6642c6689 ]
Make sure to drop the reference taken when looking up the companion
(ganged) device and its driver data during probe().
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Fixes: e94236cde4d5 ("drm/tegra: dsi: Add ganged mode support")
Fixes: 221e3638feb8 ("drm/tegra: Fix reference leak in tegra_dsi_ganged_probe")
Cc: stable@vger.kernel.org # 3.19: 221e3638feb8
Cc: Thierry Reding <treding@nvidia.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Link: https://patch.msgid.link/20251121164201.13188-1-johan@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/tegra/dsi.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c
index 7bb26655cb3cc..74d27b564d564 100644
--- a/drivers/gpu/drm/tegra/dsi.c
+++ b/drivers/gpu/drm/tegra/dsi.c
@@ -1539,11 +1539,9 @@ static int tegra_dsi_ganged_probe(struct tegra_dsi *dsi)
return -EPROBE_DEFER;
dsi->slave = platform_get_drvdata(gangster);
-
- if (!dsi->slave) {
- put_device(&gangster->dev);
+ put_device(&gangster->dev);
+ if (!dsi->slave)
return -EPROBE_DEFER;
- }
dsi->slave->master = dsi;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 023/460] powerpc: 83xx: km83xx: Fix keymile vendor prefix
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 022/460] remoteproc: mediatek: Unprepare SCP clock during system suspend Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 024/460] smb/server: Fix another refcount leak in smb2_open() Greg Kroah-Hartman
` (279 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, J . Neuschäfer, Heiko Schocher,
Madhavan Srinivasan, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: J. Neuschäfer <j.ne@posteo.net>
[ Upstream commit 691417ffe7821721e0a28bd25ad8c0dc0d4ae4ad ]
When kmeter.c was refactored into km83xx.c in 2011, the "keymile" vendor
prefix was changed to upper-case "Keymile". The devicetree at
arch/powerpc/boot/dts/kmeter1.dts never underwent the same change,
suggesting that this was simply a mistake.
Fixes: 93e2b95c81042d ("powerpc/83xx: rename and update kmeter1")
Signed-off-by: J. Neuschäfer <j.ne@posteo.net>
Reviewed-by: Heiko Schocher <hs@nabladev.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260303-keymile-v1-1-463a11e71702@posteo.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/83xx/km83xx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/platforms/83xx/km83xx.c b/arch/powerpc/platforms/83xx/km83xx.c
index 2b5d187d9b62d..9ef8fb39dd1b1 100644
--- a/arch/powerpc/platforms/83xx/km83xx.c
+++ b/arch/powerpc/platforms/83xx/km83xx.c
@@ -155,8 +155,8 @@ machine_device_initcall(mpc83xx_km, mpc83xx_declare_of_platform_devices);
/* list of the supported boards */
static char *board[] __initdata = {
- "Keymile,KMETER1",
- "Keymile,kmpbec8321",
+ "keymile,KMETER1",
+ "keymile,kmpbec8321",
NULL
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 099/567] HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 098/567] can: usb: f81604: handle bulk write errors properly Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 100/567] x86/efi: defer freeing of boot services memory Greg Kroah-Hartman
` (278 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Kosina, Benjamin Tissoires,
Bastien Nocera, linux-input, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ecfa6f34492c493a9a1dc2900f3edeb01c79946b upstream.
In commit 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at
raw event handle"), we handle the fact that raw event callbacks
can happen even for a HID device that has not been "claimed" causing a
crash if a broken device were attempted to be connected to the system.
Fix up the remaining in-tree HID drivers that forgot to add this same
check to resolve the same issue.
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <bentiss@kernel.org>
Cc: Bastien Nocera <hadess@hadess.net>
Cc: linux-input@vger.kernel.org
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-cmedia.c | 2 +-
drivers/hid/hid-creative-sb0540.c | 2 +-
drivers/hid/hid-zydacron.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/hid/hid-cmedia.c
+++ b/drivers/hid/hid-cmedia.c
@@ -99,7 +99,7 @@ static int cmhid_raw_event(struct hid_de
{
struct cmhid *cm = hid_get_drvdata(hid);
- if (len != CM6533_JD_RAWEV_LEN)
+ if (len != CM6533_JD_RAWEV_LEN || !(hid->claimed & HID_CLAIMED_INPUT))
goto out;
if (memcmp(data+CM6533_JD_SFX_OFFSET, ji_sfx, sizeof(ji_sfx)))
goto out;
--- a/drivers/hid/hid-creative-sb0540.c
+++ b/drivers/hid/hid-creative-sb0540.c
@@ -153,7 +153,7 @@ static int creative_sb0540_raw_event(str
u64 code, main_code;
int key;
- if (len != 6)
+ if (len != 6 || !(hid->claimed & HID_CLAIMED_INPUT))
return 0;
/* From daemons/hw_hiddev.c sb0540_rec() in lirc */
--- a/drivers/hid/hid-zydacron.c
+++ b/drivers/hid/hid-zydacron.c
@@ -114,7 +114,7 @@ static int zc_raw_event(struct hid_devic
unsigned key;
unsigned short index;
- if (report->id == data[0]) {
+ if (report->id == data[0] && (hdev->claimed & HID_CLAIMED_INPUT)) {
/* break keys */
for (index = 0; index < 4; index++) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 037/481] bus: omap-ocp2scp: Convert to platform remove callback returning void
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 036/481] drm/tegra: dsi: fix device leak on probe Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 038/481] bus: omap-ocp2scp: fix OF populate on driver rebind Greg Kroah-Hartman
` (278 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 854f89a5b56354ba4135e0e1f0e57ab2caee59ee ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is ignored (apart
from emitting a warning) and this typically results in resource leaks.
To improve here there is a quest to make the remove callback return
void. In the first step of this quest all drivers are converted to
.remove_new(), which already returns void. Eventually after all drivers
are converted, .remove_new() will be renamed to .remove().
Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.
Link: https://lore.kernel.org/r/20231109202830.4124591-3-u.kleine-koenig@pengutronix.de
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Stable-dep-of: 5eb63e9bb65d ("bus: omap-ocp2scp: fix OF populate on driver rebind")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/omap-ocp2scp.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/bus/omap-ocp2scp.c b/drivers/bus/omap-ocp2scp.c
index e02d0656242b8..7d7479ba0a759 100644
--- a/drivers/bus/omap-ocp2scp.c
+++ b/drivers/bus/omap-ocp2scp.c
@@ -84,12 +84,10 @@ static int omap_ocp2scp_probe(struct platform_device *pdev)
return ret;
}
-static int omap_ocp2scp_remove(struct platform_device *pdev)
+static void omap_ocp2scp_remove(struct platform_device *pdev)
{
pm_runtime_disable(&pdev->dev);
device_for_each_child(&pdev->dev, NULL, ocp2scp_remove_devices);
-
- return 0;
}
#ifdef CONFIG_OF
@@ -103,7 +101,7 @@ MODULE_DEVICE_TABLE(of, omap_ocp2scp_id_table);
static struct platform_driver omap_ocp2scp_driver = {
.probe = omap_ocp2scp_probe,
- .remove = omap_ocp2scp_remove,
+ .remove_new = omap_ocp2scp_remove,
.driver = {
.name = "omap-ocp2scp",
.of_match_table = of_match_ptr(omap_ocp2scp_id_table),
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 024/460] smb/server: Fix another refcount leak in smb2_open()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 023/460] powerpc: 83xx: km83xx: Fix keymile vendor prefix Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 025/460] nfs: return EISDIR on nfs3_proc_create if d_alias is a dir Greg Kroah-Hartman
` (278 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, ChenXiaoSong,
Namjae Jeon, Steve French, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit c15e7c62feb3751cbdd458555819df1d70374890 ]
If ksmbd_override_fsids() fails, we jump to err_out2. At that point, fp is
NULL because it hasn't been assigned dh_info.fp yet, so ksmbd_fd_put(work,
fp) will not be called. However, dh_info.fp was already inserted into the
session file table by ksmbd_reopen_durable_fd(), so it will leak in the
session file table until the session is closed.
Move fp = dh_info.fp; ahead of the ksmbd_override_fsids() check to fix the
problem.
Found by an experimental AI code review agent at Google.
Fixes: c8efcc786146a ("ksmbd: add support for durable handles v1/v2")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 0d7ba57c1ca64..d1c2e8779ee18 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -3012,13 +3012,14 @@ int smb2_open(struct ksmbd_work *work)
goto err_out2;
}
+ fp = dh_info.fp;
+
if (ksmbd_override_fsids(work)) {
rc = -ENOMEM;
ksmbd_put_durable_fd(dh_info.fp);
goto err_out2;
}
- fp = dh_info.fp;
file_info = FILE_OPENED;
rc = ksmbd_vfs_getattr(&fp->filp->f_path, &stat);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 100/567] x86/efi: defer freeing of boot services memory
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 099/567] HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 101/567] platform/x86: dell-wmi-sysman: Dont hex dump plaintext password data Greg Kroah-Hartman
` (277 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Rapoport (Microsoft),
Benjamin Herrenschmidt, Ard Biesheuvel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Rapoport (Microsoft) <rppt@kernel.org>
commit a4b0bf6a40f3c107c67a24fbc614510ef5719980 upstream.
efi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODE
and EFI_BOOT_SERVICES_DATA using memblock_free_late().
There are two issue with that: memblock_free_late() should be used for
memory allocated with memblock_alloc() while the memory reserved with
memblock_reserve() should be freed with free_reserved_area().
More acutely, with CONFIG_DEFERRED_STRUCT_PAGE_INIT=y
efi_free_boot_services() is called before deferred initialization of the
memory map is complete.
Benjamin Herrenschmidt reports that this causes a leak of ~140MB of
RAM on EC2 t3a.nano instances which only have 512MB or RAM.
If the freed memory resides in the areas that memory map for them is
still uninitialized, they won't be actually freed because
memblock_free_late() calls memblock_free_pages() and the latter skips
uninitialized pages.
Using free_reserved_area() at this point is also problematic because
__free_page() accesses the buddy of the freed page and that again might
end up in uninitialized part of the memory map.
Delaying the entire efi_free_boot_services() could be problematic
because in addition to freeing boot services memory it updates
efi.memmap without any synchronization and that's undesirable late in
boot when there is concurrency.
More robust approach is to only defer freeing of the EFI boot services
memory.
Split efi_free_boot_services() in two. First efi_unmap_boot_services()
collects ranges that should be freed into an array then
efi_free_boot_services() later frees them after deferred init is complete.
Link: https://lore.kernel.org/all/ec2aaef14783869b3be6e3c253b2dcbf67dbc12a.camel@kernel.crashing.org
Fixes: 916f676f8dc0 ("x86, efi: Retain boot service code until after switching to virtual mode")
Cc: <stable@vger.kernel.org>
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Reviewed-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/efi.h | 2 -
arch/x86/platform/efi/efi.c | 2 -
arch/x86/platform/efi/quirks.c | 55 ++++++++++++++++++++++++++++++++++--
drivers/firmware/efi/mokvar-table.c | 2 -
4 files changed, 55 insertions(+), 6 deletions(-)
--- a/arch/x86/include/asm/efi.h
+++ b/arch/x86/include/asm/efi.h
@@ -138,7 +138,7 @@ extern void __init efi_apply_memmap_quir
extern int __init efi_reuse_config(u64 tables, int nr_tables);
extern void efi_delete_dummy_variable(void);
extern void efi_crash_gracefully_on_page_fault(unsigned long phys_addr);
-extern void efi_free_boot_services(void);
+extern void efi_unmap_boot_services(void);
void arch_efi_call_virt_setup(void);
void arch_efi_call_virt_teardown(void);
--- a/arch/x86/platform/efi/efi.c
+++ b/arch/x86/platform/efi/efi.c
@@ -860,7 +860,7 @@ static void __init __efi_enter_virtual_m
}
efi_check_for_embedded_firmwares();
- efi_free_boot_services();
+ efi_unmap_boot_services();
if (!efi_is_mixed())
efi_native_runtime_setup();
--- a/arch/x86/platform/efi/quirks.c
+++ b/arch/x86/platform/efi/quirks.c
@@ -341,7 +341,7 @@ void __init efi_reserve_boot_services(vo
/*
* Because the following memblock_reserve() is paired
- * with memblock_free_late() for this region in
+ * with free_reserved_area() for this region in
* efi_free_boot_services(), we must be extremely
* careful not to reserve, and subsequently free,
* critical regions of memory (like the kernel image) or
@@ -404,17 +404,33 @@ static void __init efi_unmap_pages(efi_m
pr_err("Failed to unmap VA mapping for 0x%llx\n", va);
}
-void __init efi_free_boot_services(void)
+struct efi_freeable_range {
+ u64 start;
+ u64 end;
+};
+
+static struct efi_freeable_range *ranges_to_free;
+
+void __init efi_unmap_boot_services(void)
{
struct efi_memory_map_data data = { 0 };
efi_memory_desc_t *md;
int num_entries = 0;
+ int idx = 0;
+ size_t sz;
void *new, *new_md;
/* Keep all regions for /sys/kernel/debug/efi */
if (efi_enabled(EFI_DBG))
return;
+ sz = sizeof(*ranges_to_free) * efi.memmap.nr_map + 1;
+ ranges_to_free = kzalloc(sz, GFP_KERNEL);
+ if (!ranges_to_free) {
+ pr_err("Failed to allocate storage for freeable EFI regions\n");
+ return;
+ }
+
for_each_efi_memory_desc(md) {
unsigned long long start = md->phys_addr;
unsigned long long size = md->num_pages << EFI_PAGE_SHIFT;
@@ -471,7 +487,15 @@ void __init efi_free_boot_services(void)
start = SZ_1M;
}
- memblock_free_late(start, size);
+ /*
+ * With CONFIG_DEFERRED_STRUCT_PAGE_INIT parts of the memory
+ * map are still not initialized and we can't reliably free
+ * memory here.
+ * Queue the ranges to free at a later point.
+ */
+ ranges_to_free[idx].start = start;
+ ranges_to_free[idx].end = start + size;
+ idx++;
}
if (!num_entries)
@@ -512,6 +536,31 @@ void __init efi_free_boot_services(void)
}
}
+static int __init efi_free_boot_services(void)
+{
+ struct efi_freeable_range *range = ranges_to_free;
+ unsigned long freed = 0;
+
+ if (!ranges_to_free)
+ return 0;
+
+ while (range->start) {
+ void *start = phys_to_virt(range->start);
+ void *end = phys_to_virt(range->end);
+
+ free_reserved_area(start, end, -1, NULL);
+ freed += (end - start);
+ range++;
+ }
+ kfree(ranges_to_free);
+
+ if (freed)
+ pr_info("Freeing EFI boot services memory: %ldK\n", freed / SZ_1K);
+
+ return 0;
+}
+arch_initcall(efi_free_boot_services);
+
/*
* A number of config table entries get remapped to virtual addresses
* after entering EFI virtual mode. However, the kexec kernel requires
--- a/drivers/firmware/efi/mokvar-table.c
+++ b/drivers/firmware/efi/mokvar-table.c
@@ -85,7 +85,7 @@ static struct kobject *mokvar_kobj;
* as an alternative to ordinary EFI variables, due to platform-dependent
* limitations. The memory occupied by this table is marked as reserved.
*
- * This routine must be called before efi_free_boot_services() in order
+ * This routine must be called before efi_unmap_boot_services() in order
* to guarantee that it can mark the table as reserved.
*
* Implicit inputs:
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 038/481] bus: omap-ocp2scp: fix OF populate on driver rebind
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 037/481] bus: omap-ocp2scp: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 039/481] ext4: make ext4_es_remove_extent() return void Greg Kroah-Hartman
` (277 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Kevin Hilman,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 5eb63e9bb65d88abde647ced50fe6ad40c11de1a ]
Since commit c6e126de43e7 ("of: Keep track of populated platform
devices") child devices will not be created by of_platform_populate()
if the devices had previously been deregistered individually so that the
OF_POPULATED flag is still set in the corresponding OF nodes.
Switch to using of_platform_depopulate() instead of open coding so that
the child devices are created if the driver is rebound.
Fixes: c6e126de43e7 ("of: Keep track of populated platform devices")
Cc: stable@vger.kernel.org # 3.16
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251219110119.23507-1-johan@kernel.org
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/omap-ocp2scp.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/drivers/bus/omap-ocp2scp.c b/drivers/bus/omap-ocp2scp.c
index 7d7479ba0a759..87e290a3dc817 100644
--- a/drivers/bus/omap-ocp2scp.c
+++ b/drivers/bus/omap-ocp2scp.c
@@ -17,15 +17,6 @@
#define OCP2SCP_TIMING 0x18
#define SYNC2_MASK 0xf
-static int ocp2scp_remove_devices(struct device *dev, void *c)
-{
- struct platform_device *pdev = to_platform_device(dev);
-
- platform_device_unregister(pdev);
-
- return 0;
-}
-
static int omap_ocp2scp_probe(struct platform_device *pdev)
{
int ret;
@@ -79,7 +70,7 @@ static int omap_ocp2scp_probe(struct platform_device *pdev)
pm_runtime_disable(&pdev->dev);
err0:
- device_for_each_child(&pdev->dev, NULL, ocp2scp_remove_devices);
+ of_platform_depopulate(&pdev->dev);
return ret;
}
@@ -87,7 +78,7 @@ static int omap_ocp2scp_probe(struct platform_device *pdev)
static void omap_ocp2scp_remove(struct platform_device *pdev)
{
pm_runtime_disable(&pdev->dev);
- device_for_each_child(&pdev->dev, NULL, ocp2scp_remove_devices);
+ of_platform_depopulate(&pdev->dev);
}
#ifdef CONFIG_OF
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 025/460] nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 024/460] smb/server: Fix another refcount leak in smb2_open() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 026/460] drm/msm/dsi: fix hdisplay calculation when programming dsi registers Greg Kroah-Hartman
` (277 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olga Kornievskaia, Scott Mayhew,
Roberto Bergantinos Corpas, Anna Schumaker, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roberto Bergantinos Corpas <rbergant@redhat.com>
[ Upstream commit 410666a298c34ebd57256fde6b24c96bd23059a2 ]
If we found an alias through nfs3_do_create/nfs_add_or_obtain
/d_splice_alias which happens to be a dir dentry, we don't return
any error, and simply forget about this alias, but the original
dentry we were adding and passed as parameter remains negative.
This later causes an oops on nfs_atomic_open_v23/finish_open since we
supply a negative dentry to do_dentry_open.
This has been observed running lustre-racer, where dirs and files are
created/removed concurrently with the same name and O_EXCL is not
used to open files (frequent file redirection).
While d_splice_alias typically returns a directory alias or NULL, we
explicitly check d_is_dir() to ensure that we don't attempt to perform
file operations (like finish_open) on a directory inode, which triggers
the observed oops.
Fixes: 7c6c5249f061 ("NFS: add atomic_open for NFSv3 to handle O_TRUNC correctly.")
Reviewed-by: Olga Kornievskaia <okorniev@redhat.com>
Reviewed-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/nfs3proc.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/nfs/nfs3proc.c b/fs/nfs/nfs3proc.c
index 88b0fb343ae04..b02ea9fc812da 100644
--- a/fs/nfs/nfs3proc.c
+++ b/fs/nfs/nfs3proc.c
@@ -393,8 +393,13 @@ nfs3_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
if (status != 0)
goto out_release_acls;
- if (d_alias)
+ if (d_alias) {
+ if (d_is_dir(d_alias)) {
+ status = -EISDIR;
+ goto out_dput;
+ }
dentry = d_alias;
+ }
/* When we created the file with exclusive semantics, make
* sure we set the attributes afterwards. */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 101/567] platform/x86: dell-wmi-sysman: Dont hex dump plaintext password data
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 100/567] x86/efi: defer freeing of boot services memory Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 102/567] platform/x86: dell-wmi: Add audio/mic mute key codes Greg Kroah-Hartman
` (276 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Ilpo Järvinen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit d1a196e0a6dcddd03748468a0e9e3100790fc85c upstream.
set_new_password() hex dumps the entire buffer, which contains plaintext
password data, including current and new passwords. Remove the hex dump
to avoid leaking credentials.
Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Link: https://patch.msgid.link/20260303113050.58127-2-thorsten.blum@linux.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c
+++ b/drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c
@@ -93,7 +93,6 @@ int set_new_password(const char *passwor
if (ret < 0)
goto out;
- print_hex_dump_bytes("set new password data: ", DUMP_PREFIX_NONE, buffer, buffer_size);
ret = call_password_interface(wmi_priv.password_attr_wdev, buffer, buffer_size);
/* on success copy the new password to current password */
if (!ret)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 039/481] ext4: make ext4_es_remove_extent() return void
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 038/481] bus: omap-ocp2scp: fix OF populate on driver rebind Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 040/481] ext4: get rid of ppath in ext4_find_extent() Greg Kroah-Hartman
` (276 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Theodore Tso,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit ed5d285b3f2a9a37ff778c5e440daf49351fcc4d ]
Now ext4_es_remove_extent() never fails, so make it return void.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20230424033846.4732-10-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 22784ca541c0 ("ext4: subdivide EXT4_EXT_DATA_VALID1")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 34 ++++++----------------------------
fs/ext4/extents_status.c | 12 ++++++------
fs/ext4/extents_status.h | 4 ++--
fs/ext4/inline.c | 12 ++----------
fs/ext4/inode.c | 8 ++------
5 files changed, 18 insertions(+), 52 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 1df7174774694..af4cae13685d7 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -4463,15 +4463,8 @@ int ext4_ext_truncate(handle_t *handle, struct inode *inode)
last_block = (inode->i_size + sb->s_blocksize - 1)
>> EXT4_BLOCK_SIZE_BITS(sb);
-retry:
- err = ext4_es_remove_extent(inode, last_block,
- EXT_MAX_BLOCKS - last_block);
- if (err == -ENOMEM) {
- memalloc_retry_wait(GFP_ATOMIC);
- goto retry;
- }
- if (err)
- return err;
+ ext4_es_remove_extent(inode, last_block, EXT_MAX_BLOCKS - last_block);
+
retry_remove_space:
err = ext4_ext_remove_space(inode, last_block, EXT_MAX_BLOCKS - 1);
if (err == -ENOMEM) {
@@ -5419,13 +5412,7 @@ static int ext4_collapse_range(struct file *file, loff_t offset, loff_t len)
down_write(&EXT4_I(inode)->i_data_sem);
ext4_discard_preallocations(inode, 0);
-
- ret = ext4_es_remove_extent(inode, punch_start,
- EXT_MAX_BLOCKS - punch_start);
- if (ret) {
- up_write(&EXT4_I(inode)->i_data_sem);
- goto out_stop;
- }
+ ext4_es_remove_extent(inode, punch_start, EXT_MAX_BLOCKS - punch_start);
ret = ext4_ext_remove_space(inode, punch_start, punch_stop - 1);
if (ret) {
@@ -5611,12 +5598,7 @@ static int ext4_insert_range(struct file *file, loff_t offset, loff_t len)
ext4_free_ext_path(path);
}
- ret = ext4_es_remove_extent(inode, offset_lblk,
- EXT_MAX_BLOCKS - offset_lblk);
- if (ret) {
- up_write(&EXT4_I(inode)->i_data_sem);
- goto out_stop;
- }
+ ext4_es_remove_extent(inode, offset_lblk, EXT_MAX_BLOCKS - offset_lblk);
/*
* if offset_lblk lies in a hole which is at start of file, use
@@ -5675,12 +5657,8 @@ ext4_swap_extents(handle_t *handle, struct inode *inode1,
BUG_ON(!inode_is_locked(inode1));
BUG_ON(!inode_is_locked(inode2));
- *erp = ext4_es_remove_extent(inode1, lblk1, count);
- if (unlikely(*erp))
- return 0;
- *erp = ext4_es_remove_extent(inode2, lblk2, count);
- if (unlikely(*erp))
- return 0;
+ ext4_es_remove_extent(inode1, lblk1, count);
+ ext4_es_remove_extent(inode2, lblk2, count);
while (count) {
struct ext4_extent *ex1, *ex2, tmp_ex;
diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c
index 592229027af72..862a8308cd9b0 100644
--- a/fs/ext4/extents_status.c
+++ b/fs/ext4/extents_status.c
@@ -1494,10 +1494,10 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
* @len - number of blocks to remove
*
* Reduces block/cluster reservation count and for bigalloc cancels pending
- * reservations as needed. Returns 0 on success, error code on failure.
+ * reservations as needed.
*/
-int ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
- ext4_lblk_t len)
+void ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
+ ext4_lblk_t len)
{
ext4_lblk_t end;
int err = 0;
@@ -1505,14 +1505,14 @@ int ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
struct extent_status *es = NULL;
if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY)
- return 0;
+ return;
trace_ext4_es_remove_extent(inode, lblk, len);
es_debug("remove [%u/%u) from extent status tree of inode %lu\n",
lblk, len, inode->i_ino);
if (!len)
- return err;
+ return;
end = lblk + len - 1;
BUG_ON(end < lblk);
@@ -1539,7 +1539,7 @@ int ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
ext4_es_print_tree(inode);
ext4_da_release_space(inode, reserved);
- return 0;
+ return;
}
static int __es_shrink(struct ext4_sb_info *sbi, int nr_to_scan,
diff --git a/fs/ext4/extents_status.h b/fs/ext4/extents_status.h
index 481ec4381bee6..1d1247bbfd477 100644
--- a/fs/ext4/extents_status.h
+++ b/fs/ext4/extents_status.h
@@ -133,8 +133,8 @@ extern void ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk,
extern void ext4_es_cache_extent(struct inode *inode, ext4_lblk_t lblk,
ext4_lblk_t len, ext4_fsblk_t pblk,
unsigned int status);
-extern int ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
- ext4_lblk_t len);
+extern void ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
+ ext4_lblk_t len);
extern void ext4_es_find_extent_range(struct inode *inode,
int (*match_fn)(struct extent_status *es),
ext4_lblk_t lblk, ext4_lblk_t end,
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index a1fb99d2b472b..c15ea7589945f 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -2004,16 +2004,8 @@ int ext4_inline_data_truncate(struct inode *inode, int *has_inline)
* the extent status cache must be cleared to avoid leaving
* behind stale delayed allocated extent entries
*/
- if (!ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)) {
-retry:
- err = ext4_es_remove_extent(inode, 0, EXT_MAX_BLOCKS);
- if (err == -ENOMEM) {
- memalloc_retry_wait(GFP_ATOMIC);
- goto retry;
- }
- if (err)
- goto out_error;
- }
+ if (!ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))
+ ext4_es_remove_extent(inode, 0, EXT_MAX_BLOCKS);
/* Clear the content in the xattr space. */
if (inline_size > EXT4_MIN_INLINE_DATA_SIZE) {
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index bf1f8319e2d74..79619f3db984f 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4134,12 +4134,8 @@ int ext4_punch_hole(struct file *file, loff_t offset, loff_t length)
down_write(&EXT4_I(inode)->i_data_sem);
ext4_discard_preallocations(inode, 0);
- ret = ext4_es_remove_extent(inode, first_block,
- stop_block - first_block);
- if (ret) {
- up_write(&EXT4_I(inode)->i_data_sem);
- goto out_stop;
- }
+ ext4_es_remove_extent(inode, first_block,
+ stop_block - first_block);
if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
ret = ext4_ext_remove_space(inode, first_block,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 026/460] drm/msm/dsi: fix hdisplay calculation when programming dsi registers
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 025/460] nfs: return EISDIR on nfs3_proc_create if d_alias is a dir Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 027/460] xprtrdma: Decrement re_receiving on the early exit paths Greg Kroah-Hartman
` (276 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengyu Luo, Dmitry Baryshkov,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengyu Luo <mitltlatltl@gmail.com>
[ Upstream commit ac47870fd795549f03d57e0879fc730c79119f4b ]
Recently, the hdisplay calculation is working for 3:1 compressed ratio
only. If we have a video panel with DSC BPP = 8, and BPC = 10, we still
use the default bits_per_pclk = 24, then we get the wrong hdisplay. We
can draw the conclusion by cross-comparing the calculation with the
calculation in dsi_adjust_pclk_for_compression().
Since CMD mode does not use this, we can remove
!(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO) safely.
Fixes: efcbd6f9cdeb ("drm/msm/dsi: Enable widebus for DSI")
Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/704822/
Link: https://lore.kernel.org/r/20260214105145.105308-1-mitltlatltl@gmail.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/dsi_host.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
index d22e01751f5ee..c85d0d5fc5800 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
@@ -944,7 +944,7 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
if (msm_host->dsc) {
struct drm_dsc_config *dsc = msm_host->dsc;
- u32 bytes_per_pclk;
+ u32 bits_per_pclk;
/* update dsc params with timing params */
if (!dsc || !mode->hdisplay || !mode->vdisplay) {
@@ -966,7 +966,9 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
/*
* DPU sends 3 bytes per pclk cycle to DSI. If widebus is
- * enabled, bus width is extended to 6 bytes.
+ * enabled, MDP always sends out 48-bit compressed data per
+ * pclk and on average, DSI consumes an amount of compressed
+ * data equivalent to the uncompressed pixel depth per pclk.
*
* Calculate the number of pclks needed to transmit one line of
* the compressed data.
@@ -978,12 +980,12 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
* unused anyway.
*/
h_total -= hdisplay;
- if (wide_bus_enabled && !(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO))
- bytes_per_pclk = 6;
+ if (wide_bus_enabled)
+ bits_per_pclk = mipi_dsi_pixel_format_to_bpp(msm_host->format);
else
- bytes_per_pclk = 3;
+ bits_per_pclk = 24;
- hdisplay = DIV_ROUND_UP(msm_dsc_get_bytes_per_line(msm_host->dsc), bytes_per_pclk);
+ hdisplay = DIV_ROUND_UP(msm_dsc_get_bytes_per_line(msm_host->dsc) * 8, bits_per_pclk);
h_total += hdisplay;
ha_end = ha_start + hdisplay;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 102/567] platform/x86: dell-wmi: Add audio/mic mute key codes
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 101/567] platform/x86: dell-wmi-sysman: Dont hex dump plaintext password data Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 103/567] ALSA: usb-audio: Use correct version for UAC3 header validation Greg Kroah-Hartman
` (275 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olexa Bilaniuk, Kurt Borja,
Pali Rohár, Ilpo Järvinen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kurt Borja <kuurtb@gmail.com>
commit 26a7601471f62b95d56a81c3a8ccb551b5a6630f upstream.
Add audio/mic mute key codes found in Alienware m18 r1 AMD.
Cc: stable@vger.kernel.org
Tested-by: Olexa Bilaniuk <obilaniu@gmail.com>
Suggested-by: Olexa Bilaniuk <obilaniu@gmail.com>
Signed-off-by: Kurt Borja <kuurtb@gmail.com>
Acked-by: Pali Rohár <pali@kernel.org>
Link: https://patch.msgid.link/20260207-mute-keys-v2-1-c55e5471c9c1@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/dell/dell-wmi-base.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/platform/x86/dell/dell-wmi-base.c
+++ b/drivers/platform/x86/dell/dell-wmi-base.c
@@ -80,6 +80,12 @@ static const struct dmi_system_id dell_w
static const struct key_entry dell_wmi_keymap_type_0000[] = {
{ KE_IGNORE, 0x003a, { KEY_CAPSLOCK } },
+ /* Audio mute toggle */
+ { KE_KEY, 0x0109, { KEY_MUTE } },
+
+ /* Mic mute toggle */
+ { KE_KEY, 0x0150, { KEY_MICMUTE } },
+
/* Meta key lock */
{ KE_IGNORE, 0xe000, { KEY_RIGHTMETA } },
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 040/481] ext4: get rid of ppath in ext4_find_extent()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 039/481] ext4: make ext4_es_remove_extent() return void Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 041/481] ext4: get rid of ppath in ext4_ext_create_new_leaf() Greg Kroah-Hartman
` (275 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 0be4c0c2f17bd10ae16c852f02d51a6a7b318aca ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
Getting rid of ppath in ext4_find_extent() requires its caller to update
ppath. These ppaths will also be dropped later. No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-12-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 22784ca541c0 ("ext4: subdivide EXT4_EXT_DATA_VALID1")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/ext4.h | 2 +-
fs/ext4/extents.c | 55 +++++++++++++++++++++++--------------------
fs/ext4/move_extent.c | 7 +++---
3 files changed, 34 insertions(+), 30 deletions(-)
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 27753291fb7ec..490496adf17cc 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -3723,7 +3723,7 @@ extern int ext4_ext_insert_extent(handle_t *, struct inode *,
struct ext4_ext_path **,
struct ext4_extent *, int);
extern struct ext4_ext_path *ext4_find_extent(struct inode *, ext4_lblk_t,
- struct ext4_ext_path **,
+ struct ext4_ext_path *,
int flags);
extern void ext4_free_ext_path(struct ext4_ext_path *);
extern int ext4_ext_check_inode(struct inode *inode);
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index af4cae13685d7..a58f415f882b2 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -881,11 +881,10 @@ void ext4_ext_tree_init(handle_t *handle, struct inode *inode)
struct ext4_ext_path *
ext4_find_extent(struct inode *inode, ext4_lblk_t block,
- struct ext4_ext_path **orig_path, int flags)
+ struct ext4_ext_path *path, int flags)
{
struct ext4_extent_header *eh;
struct buffer_head *bh;
- struct ext4_ext_path *path = orig_path ? *orig_path : NULL;
short int depth, i, ppos = 0;
int ret;
gfp_t gfp_flags = GFP_NOFS;
@@ -906,7 +905,7 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
ext4_ext_drop_refs(path);
if (depth > path[0].p_maxdepth) {
kfree(path);
- *orig_path = path = NULL;
+ path = NULL;
}
}
if (!path) {
@@ -957,14 +956,10 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
ext4_ext_show_path(inode, path);
- if (orig_path)
- *orig_path = path;
return path;
err:
ext4_free_ext_path(path);
- if (orig_path)
- *orig_path = NULL;
return ERR_PTR(ret);
}
@@ -1429,7 +1424,7 @@ static int ext4_ext_create_new_leaf(handle_t *handle, struct inode *inode,
/* refill path */
path = ext4_find_extent(inode,
(ext4_lblk_t)le32_to_cpu(newext->ee_block),
- ppath, gb_flags);
+ path, gb_flags);
if (IS_ERR(path))
err = PTR_ERR(path);
} else {
@@ -1441,7 +1436,7 @@ static int ext4_ext_create_new_leaf(handle_t *handle, struct inode *inode,
/* refill path */
path = ext4_find_extent(inode,
(ext4_lblk_t)le32_to_cpu(newext->ee_block),
- ppath, gb_flags);
+ path, gb_flags);
if (IS_ERR(path)) {
err = PTR_ERR(path);
goto out;
@@ -1457,8 +1452,8 @@ static int ext4_ext_create_new_leaf(handle_t *handle, struct inode *inode,
goto repeat;
}
}
-
out:
+ *ppath = IS_ERR(path) ? NULL : path;
return err;
}
@@ -3248,15 +3243,17 @@ static int ext4_split_extent_at(handle_t *handle,
* WARN_ON may be triggered in ext4_da_update_reserve_space() due to
* an incorrect ee_len causing the i_reserved_data_blocks exception.
*/
- path = ext4_find_extent(inode, ee_block, ppath,
+ path = ext4_find_extent(inode, ee_block, *ppath,
flags | EXT4_EX_NOFAIL);
if (IS_ERR(path)) {
EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld",
split, PTR_ERR(path));
+ *ppath = NULL;
return PTR_ERR(path);
}
depth = ext_depth(inode);
ex = path[depth].p_ext;
+ *ppath = path;
if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
@@ -3369,9 +3366,12 @@ static int ext4_split_extent(handle_t *handle,
* Update path is required because previous ext4_split_extent_at() may
* result in split of original leaf or extent zeroout.
*/
- path = ext4_find_extent(inode, map->m_lblk, ppath, flags);
- if (IS_ERR(path))
+ path = ext4_find_extent(inode, map->m_lblk, *ppath, flags);
+ if (IS_ERR(path)) {
+ *ppath = NULL;
return PTR_ERR(path);
+ }
+ *ppath = path;
depth = ext_depth(inode);
ex = path[depth].p_ext;
if (!ex) {
@@ -3758,9 +3758,12 @@ static int ext4_convert_unwritten_extents_endio(handle_t *handle,
EXT4_GET_BLOCKS_CONVERT);
if (err < 0)
return err;
- path = ext4_find_extent(inode, map->m_lblk, ppath, 0);
- if (IS_ERR(path))
+ path = ext4_find_extent(inode, map->m_lblk, *ppath, 0);
+ if (IS_ERR(path)) {
+ *ppath = NULL;
return PTR_ERR(path);
+ }
+ *ppath = path;
depth = ext_depth(inode);
ex = path[depth].p_ext;
}
@@ -3816,9 +3819,12 @@ convert_initialized_extent(handle_t *handle, struct inode *inode,
EXT4_GET_BLOCKS_CONVERT_UNWRITTEN);
if (err < 0)
return err;
- path = ext4_find_extent(inode, map->m_lblk, ppath, 0);
- if (IS_ERR(path))
+ path = ext4_find_extent(inode, map->m_lblk, *ppath, 0);
+ if (IS_ERR(path)) {
+ *ppath = NULL;
return PTR_ERR(path);
+ }
+ *ppath = path;
depth = ext_depth(inode);
ex = path[depth].p_ext;
if (!ex) {
@@ -5197,7 +5203,7 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle,
* won't be shifted beyond EXT_MAX_BLOCKS.
*/
if (SHIFT == SHIFT_LEFT) {
- path = ext4_find_extent(inode, start - 1, &path,
+ path = ext4_find_extent(inode, start - 1, path,
EXT4_EX_NOCACHE);
if (IS_ERR(path))
return PTR_ERR(path);
@@ -5246,7 +5252,7 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle,
* becomes NULL to indicate the end of the loop.
*/
while (iterator && start <= stop) {
- path = ext4_find_extent(inode, *iterator, &path,
+ path = ext4_find_extent(inode, *iterator, path,
EXT4_EX_NOCACHE);
if (IS_ERR(path))
return PTR_ERR(path);
@@ -5844,11 +5850,8 @@ int ext4_clu_mapped(struct inode *inode, ext4_lblk_t lclu)
/* search for the extent closest to the first block in the cluster */
path = ext4_find_extent(inode, EXT4_C2B(sbi, lclu), NULL, 0);
- if (IS_ERR(path)) {
- err = PTR_ERR(path);
- path = NULL;
- goto out;
- }
+ if (IS_ERR(path))
+ return PTR_ERR(path);
depth = ext_depth(inode);
@@ -5932,7 +5935,7 @@ int ext4_ext_replay_update_ex(struct inode *inode, ext4_lblk_t start,
if (ret)
goto out;
- path = ext4_find_extent(inode, start, &path, 0);
+ path = ext4_find_extent(inode, start, path, 0);
if (IS_ERR(path))
return PTR_ERR(path);
ex = path[path->p_depth].p_ext;
@@ -5946,7 +5949,7 @@ int ext4_ext_replay_update_ex(struct inode *inode, ext4_lblk_t start,
if (ret)
goto out;
- path = ext4_find_extent(inode, start, &path, 0);
+ path = ext4_find_extent(inode, start, path, 0);
if (IS_ERR(path))
return PTR_ERR(path);
ex = path[path->p_depth].p_ext;
diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c
index e01632462db9f..0aff07c570a46 100644
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -26,16 +26,17 @@ static inline int
get_ext_path(struct inode *inode, ext4_lblk_t lblock,
struct ext4_ext_path **ppath)
{
- struct ext4_ext_path *path;
+ struct ext4_ext_path *path = *ppath;
- path = ext4_find_extent(inode, lblock, ppath, EXT4_EX_NOCACHE);
+ *ppath = NULL;
+ path = ext4_find_extent(inode, lblock, path, EXT4_EX_NOCACHE);
if (IS_ERR(path))
return PTR_ERR(path);
if (path[ext_depth(inode)].p_ext == NULL) {
ext4_free_ext_path(path);
- *ppath = NULL;
return -ENODATA;
}
+ *ppath = path;
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 027/460] xprtrdma: Decrement re_receiving on the early exit paths
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 026/460] drm/msm/dsi: fix hdisplay calculation when programming dsi registers Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 028/460] btrfs: hold space_info->lock when clearing periodic reclaim ready Greg Kroah-Hartman
` (275 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Badger, Chuck Lever,
Anna Schumaker, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Badger <ebadger@purestorage.com>
[ Upstream commit 7b6275c80a0c81c5f8943272292dfe67730ce849 ]
In the event that rpcrdma_post_recvs() fails to create a work request
(due to memory allocation failure, say) or otherwise exits early, we
should decrement ep->re_receiving before returning. Otherwise we will
hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and
the completion will never be triggered.
On a system with high memory pressure, this can appear as the following
hung task:
INFO: task kworker/u385:17:8393 blocked for more than 122 seconds.
Tainted: G S E 6.19.0 #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000
Workqueue: xprtiod xprt_autoclose [sunrpc]
Call Trace:
<TASK>
__schedule+0x48b/0x18b0
? ib_post_send_mad+0x247/0xae0 [ib_core]
schedule+0x27/0xf0
schedule_timeout+0x104/0x110
__wait_for_common+0x98/0x180
? __pfx_schedule_timeout+0x10/0x10
wait_for_completion+0x24/0x40
rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma]
xprt_rdma_close+0x12/0x40 [rpcrdma]
xprt_autoclose+0x5f/0x120 [sunrpc]
process_one_work+0x191/0x3e0
worker_thread+0x2e3/0x420
? __pfx_worker_thread+0x10/0x10
kthread+0x10d/0x230
? __pfx_kthread+0x10/0x10
ret_from_fork+0x273/0x2b0
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
Fixes: 15788d1d1077 ("xprtrdma: Do not refresh Receive Queue while it is draining")
Signed-off-by: Eric Badger <ebadger@purestorage.com>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/xprtrdma/verbs.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index 63262ef0c2e3a..8abbd9c4045a4 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -1362,7 +1362,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed)
needed += RPCRDMA_MAX_RECV_BATCH;
if (atomic_inc_return(&ep->re_receiving) > 1)
- goto out;
+ goto out_dec;
/* fast path: all needed reps can be found on the free list */
wr = NULL;
@@ -1385,7 +1385,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed)
++count;
}
if (!wr)
- goto out;
+ goto out_dec;
rc = ib_post_recv(ep->re_id->qp, wr,
(const struct ib_recv_wr **)&bad_wr);
@@ -1400,9 +1400,10 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed)
--count;
}
}
+
+out_dec:
if (atomic_dec_return(&ep->re_receiving) > 0)
complete(&ep->re_done);
-
out:
trace_xprtrdma_post_recvs(r_xprt, count);
ep->re_receive_count += count;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 103/567] ALSA: usb-audio: Use correct version for UAC3 header validation
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 102/567] platform/x86: dell-wmi: Add audio/mic mute key codes Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 104/567] wifi: radiotap: reject radiotap with unknown bits Greg Kroah-Hartman
` (274 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jun Seo, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jun Seo <jun.seo.93@proton.me>
commit 54f9d645a5453d0bfece0c465d34aaf072ea99fa upstream.
The entry of the validators table for UAC3 AC header descriptor is
defined with the wrong protocol version UAC_VERSION_2, while it should
have been UAC_VERSION_3. This results in the validator never matching
for actual UAC3 devices (protocol == UAC_VERSION_3), causing their
header descriptors to bypass validation entirely. A malicious USB
device presenting a truncated UAC3 header could exploit this to cause
out-of-bounds reads when the driver later accesses unvalidated
descriptor fields.
The bug was introduced in the same commit as the recently fixed UAC3
feature unit sub-type typo, and appears to be from the same copy-paste
error when the UAC3 section was created from the UAC2 section.
Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units")
Cc: <stable@vger.kernel.org>
Signed-off-by: Jun Seo <jun.seo.93@proton.me>
Link: https://patch.msgid.link/20260226010820.36529-1-jun.seo.93@proton.me
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/validate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/usb/validate.c
+++ b/sound/usb/validate.c
@@ -281,7 +281,7 @@ static const struct usb_desc_validator a
/* UAC_VERSION_2, UAC2_SAMPLE_RATE_CONVERTER: not implemented yet */
/* UAC3 */
- FIXED(UAC_VERSION_2, UAC_HEADER, struct uac3_ac_header_descriptor),
+ FIXED(UAC_VERSION_3, UAC_HEADER, struct uac3_ac_header_descriptor),
FIXED(UAC_VERSION_3, UAC_INPUT_TERMINAL,
struct uac3_input_terminal_descriptor),
FIXED(UAC_VERSION_3, UAC_OUTPUT_TERMINAL,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 041/481] ext4: get rid of ppath in ext4_ext_create_new_leaf()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 040/481] ext4: get rid of ppath in ext4_find_extent() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 042/481] ext4: get rid of ppath in ext4_ext_insert_extent() Greg Kroah-Hartman
` (274 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit a000bc8678cc2bb10a5b80b4e991e77c7b4612fd ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
To get rid of the ppath in ext4_ext_create_new_leaf(), the following is
done here:
* Free the extents path when an error is encountered.
* Its caller needs to update ppath if it uses ppath.
No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-14-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 22784ca541c0 ("ext4: subdivide EXT4_EXT_DATA_VALID1")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 43 ++++++++++++++++++++++---------------------
1 file changed, 22 insertions(+), 21 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index a58f415f882b2..eda6f92a42330 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -1392,13 +1392,12 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode,
* finds empty index and adds new leaf.
* if no free index is found, then it requests in-depth growing.
*/
-static int ext4_ext_create_new_leaf(handle_t *handle, struct inode *inode,
- unsigned int mb_flags,
- unsigned int gb_flags,
- struct ext4_ext_path **ppath,
- struct ext4_extent *newext)
+static struct ext4_ext_path *
+ext4_ext_create_new_leaf(handle_t *handle, struct inode *inode,
+ unsigned int mb_flags, unsigned int gb_flags,
+ struct ext4_ext_path *path,
+ struct ext4_extent *newext)
{
- struct ext4_ext_path *path = *ppath;
struct ext4_ext_path *curp;
int depth, i, err = 0;
@@ -1419,28 +1418,25 @@ static int ext4_ext_create_new_leaf(handle_t *handle, struct inode *inode,
* entry: create all needed subtree and add new leaf */
err = ext4_ext_split(handle, inode, mb_flags, path, newext, i);
if (err)
- goto out;
+ goto errout;
/* refill path */
path = ext4_find_extent(inode,
(ext4_lblk_t)le32_to_cpu(newext->ee_block),
path, gb_flags);
- if (IS_ERR(path))
- err = PTR_ERR(path);
+ return path;
} else {
/* tree is full, time to grow in depth */
err = ext4_ext_grow_indepth(handle, inode, mb_flags);
if (err)
- goto out;
+ goto errout;
/* refill path */
path = ext4_find_extent(inode,
(ext4_lblk_t)le32_to_cpu(newext->ee_block),
path, gb_flags);
- if (IS_ERR(path)) {
- err = PTR_ERR(path);
- goto out;
- }
+ if (IS_ERR(path))
+ return path;
/*
* only first (depth 0 -> 1) produces free space;
@@ -1452,9 +1448,11 @@ static int ext4_ext_create_new_leaf(handle_t *handle, struct inode *inode,
goto repeat;
}
}
-out:
- *ppath = IS_ERR(path) ? NULL : path;
- return err;
+ return path;
+
+errout:
+ ext4_free_ext_path(path);
+ return ERR_PTR(err);
}
/*
@@ -2097,11 +2095,14 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
*/
if (gb_flags & EXT4_GET_BLOCKS_METADATA_NOFAIL)
mb_flags |= EXT4_MB_USE_RESERVED;
- err = ext4_ext_create_new_leaf(handle, inode, mb_flags, gb_flags,
- ppath, newext);
- if (err)
+ path = ext4_ext_create_new_leaf(handle, inode, mb_flags, gb_flags,
+ path, newext);
+ if (IS_ERR(path)) {
+ *ppath = NULL;
+ err = PTR_ERR(path);
goto cleanup;
- path = *ppath;
+ }
+ *ppath = path;
depth = ext_depth(inode);
eh = path[depth].p_hdr;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 028/460] btrfs: hold space_info->lock when clearing periodic reclaim ready
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 027/460] xprtrdma: Decrement re_receiving on the early exit paths Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 029/460] workqueue: Use POOL_BH instead of WQ_BH when checking pool flags Greg Kroah-Hartman
` (274 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Mason, Boris Burkov,
Sun YangKai, David Sterba, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sun YangKai <sunk67188@gmail.com>
[ Upstream commit b8883b61f2fc50dcf22938cbed40fec05020552f ]
btrfs_set_periodic_reclaim_ready() requires space_info->lock to be held,
as enforced by lockdep_assert_held(). However, btrfs_reclaim_sweep() was
calling it after do_reclaim_sweep() returns, at which point
space_info->lock is no longer held.
Fix this by explicitly acquiring space_info->lock before clearing the
periodic reclaim ready flag in btrfs_reclaim_sweep().
Reported-by: Chris Mason <clm@meta.com>
Link: https://lore.kernel.org/linux-btrfs/20260208182556.891815-1-clm@meta.com/
Fixes: 19eff93dc738 ("btrfs: fix periodic reclaim condition")
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Sun YangKai <sunk67188@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/space-info.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
index af19f7a3e74a4..ada19b3288611 100644
--- a/fs/btrfs/space-info.c
+++ b/fs/btrfs/space-info.c
@@ -2128,8 +2128,11 @@ void btrfs_reclaim_sweep(const struct btrfs_fs_info *fs_info)
if (!btrfs_should_periodic_reclaim(space_info))
continue;
for (raid = 0; raid < BTRFS_NR_RAID_TYPES; raid++) {
- if (do_reclaim_sweep(space_info, raid))
+ if (do_reclaim_sweep(space_info, raid)) {
+ spin_lock(&space_info->lock);
btrfs_set_periodic_reclaim_ready(space_info, false);
+ spin_unlock(&space_info->lock);
+ }
}
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 104/567] wifi: radiotap: reject radiotap with unknown bits
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 103/567] ALSA: usb-audio: Use correct version for UAC3 header validation Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 105/567] wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() Greg Kroah-Hartman
` (273 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b09c1af8764c0097bb19,
Johannes Berg
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
commit c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 upstream.
The radiotap parser is currently only used with the radiotap
namespace (not with vendor namespaces), but if the undefined
field 18 is used, the alignment/size is unknown as well. In
this case, iterator->_next_ns_data isn't initialized (it's
only set for skipping vendor namespaces), and syzbot points
out that we later compare against this uninitialized value.
Fix this by moving the rejection of unknown radiotap fields
down to after the in-namespace lookup, so it will really use
iterator->_next_ns_data only for vendor namespaces, even in
case undefined fields are present.
Cc: stable@vger.kernel.org
Fixes: 33e5a2f776e3 ("wireless: update radiotap parser")
Reported-by: syzbot+b09c1af8764c0097bb19@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/69944a91.a70a0220.2c38d7.00fc.GAE@google.com
Link: https://patch.msgid.link/20260217120526.162647-2-johannes@sipsolutions.net
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/radiotap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/wireless/radiotap.c
+++ b/net/wireless/radiotap.c
@@ -239,14 +239,14 @@ int ieee80211_radiotap_iterator_next(
default:
if (!iterator->current_namespace ||
iterator->_arg_index >= iterator->current_namespace->n_bits) {
- if (iterator->current_namespace == &radiotap_ns)
- return -ENOENT;
align = 0;
} else {
align = iterator->current_namespace->align_size[iterator->_arg_index].align;
size = iterator->current_namespace->align_size[iterator->_arg_index].size;
}
if (!align) {
+ if (iterator->current_namespace == &radiotap_ns)
+ return -ENOENT;
/* skip all subsequent data */
iterator->_arg = iterator->_next_ns_data;
/* give up on this namespace */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 042/481] ext4: get rid of ppath in ext4_ext_insert_extent()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 041/481] ext4: get rid of ppath in ext4_ext_create_new_leaf() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 043/481] ext4: get rid of ppath in ext4_split_extent_at() Greg Kroah-Hartman
` (273 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit f7d1331f16a869c76a5102caebb58e840e1d509c ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
To get rid of the ppath in ext4_ext_insert_extent(), the following is done
here:
* Free the extents path when an error is encountered.
* Its caller needs to update ppath if it uses ppath.
* Free path when npath is used, free npath when it is not used.
* The got_allocated_blocks label in ext4_ext_map_blocks() does not
update err now, so err is updated to 0 if the err returned by
ext4_ext_search_right() is greater than 0 and is about to enter
got_allocated_blocks.
No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-15-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 22784ca541c0 ("ext4: subdivide EXT4_EXT_DATA_VALID1")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/ext4.h | 7 ++--
fs/ext4/extents.c | 88 ++++++++++++++++++++++++-------------------
fs/ext4/fast_commit.c | 8 ++--
fs/ext4/migrate.c | 5 ++-
4 files changed, 61 insertions(+), 47 deletions(-)
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 490496adf17cc..7449777fabc36 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -3719,9 +3719,10 @@ extern int ext4_map_blocks(handle_t *handle, struct inode *inode,
extern int ext4_ext_calc_credits_for_single_extent(struct inode *inode,
int num,
struct ext4_ext_path *path);
-extern int ext4_ext_insert_extent(handle_t *, struct inode *,
- struct ext4_ext_path **,
- struct ext4_extent *, int);
+extern struct ext4_ext_path *ext4_ext_insert_extent(
+ handle_t *handle, struct inode *inode,
+ struct ext4_ext_path *path,
+ struct ext4_extent *newext, int gb_flags);
extern struct ext4_ext_path *ext4_find_extent(struct inode *, ext4_lblk_t,
struct ext4_ext_path *,
int flags);
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index eda6f92a42330..59c0bffc691d1 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -1960,16 +1960,15 @@ static unsigned int ext4_ext_check_overlap(struct ext4_sb_info *sbi,
* inserts requested extent as new one into the tree,
* creating new leaf in the no-space case.
*/
-int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
- struct ext4_ext_path **ppath,
- struct ext4_extent *newext, int gb_flags)
+struct ext4_ext_path *
+ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
+ struct ext4_ext_path *path,
+ struct ext4_extent *newext, int gb_flags)
{
- struct ext4_ext_path *path = *ppath;
struct ext4_extent_header *eh;
struct ext4_extent *ex, *fex;
struct ext4_extent *nearex; /* nearest extent */
- struct ext4_ext_path *npath = NULL;
- int depth, len, err;
+ int depth, len, err = 0;
ext4_lblk_t next;
int mb_flags = 0, unwritten;
@@ -1977,14 +1976,16 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
mb_flags |= EXT4_MB_DELALLOC_RESERVED;
if (unlikely(ext4_ext_get_actual_len(newext) == 0)) {
EXT4_ERROR_INODE(inode, "ext4_ext_get_actual_len(newext) == 0");
- return -EFSCORRUPTED;
+ err = -EFSCORRUPTED;
+ goto errout;
}
depth = ext_depth(inode);
ex = path[depth].p_ext;
eh = path[depth].p_hdr;
if (unlikely(path[depth].p_hdr == NULL)) {
EXT4_ERROR_INODE(inode, "path[%d].p_hdr == NULL", depth);
- return -EFSCORRUPTED;
+ err = -EFSCORRUPTED;
+ goto errout;
}
/* try to insert block into found extent and return */
@@ -2022,7 +2023,7 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
err = ext4_ext_get_access(handle, inode,
path + depth);
if (err)
- return err;
+ goto errout;
unwritten = ext4_ext_is_unwritten(ex);
ex->ee_len = cpu_to_le16(ext4_ext_get_actual_len(ex)
+ ext4_ext_get_actual_len(newext));
@@ -2047,7 +2048,7 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
err = ext4_ext_get_access(handle, inode,
path + depth);
if (err)
- return err;
+ goto errout;
unwritten = ext4_ext_is_unwritten(ex);
ex->ee_block = newext->ee_block;
@@ -2072,21 +2073,26 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
if (le32_to_cpu(newext->ee_block) > le32_to_cpu(fex->ee_block))
next = ext4_ext_next_leaf_block(path);
if (next != EXT_MAX_BLOCKS) {
+ struct ext4_ext_path *npath;
+
ext_debug(inode, "next leaf block - %u\n", next);
- BUG_ON(npath != NULL);
npath = ext4_find_extent(inode, next, NULL, gb_flags);
- if (IS_ERR(npath))
- return PTR_ERR(npath);
+ if (IS_ERR(npath)) {
+ err = PTR_ERR(npath);
+ goto errout;
+ }
BUG_ON(npath->p_depth != path->p_depth);
eh = npath[depth].p_hdr;
if (le16_to_cpu(eh->eh_entries) < le16_to_cpu(eh->eh_max)) {
ext_debug(inode, "next leaf isn't full(%d)\n",
le16_to_cpu(eh->eh_entries));
+ ext4_free_ext_path(path);
path = npath;
goto has_space;
}
ext_debug(inode, "next leaf has no free space(%d,%d)\n",
le16_to_cpu(eh->eh_entries), le16_to_cpu(eh->eh_max));
+ ext4_free_ext_path(npath);
}
/*
@@ -2097,12 +2103,8 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
mb_flags |= EXT4_MB_USE_RESERVED;
path = ext4_ext_create_new_leaf(handle, inode, mb_flags, gb_flags,
path, newext);
- if (IS_ERR(path)) {
- *ppath = NULL;
- err = PTR_ERR(path);
- goto cleanup;
- }
- *ppath = path;
+ if (IS_ERR(path))
+ return path;
depth = ext_depth(inode);
eh = path[depth].p_hdr;
@@ -2111,7 +2113,7 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
err = ext4_ext_get_access(handle, inode, path + depth);
if (err)
- goto cleanup;
+ goto errout;
if (!nearex) {
/* there is no extent in this leaf, create first one */
@@ -2169,17 +2171,20 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
if (!(gb_flags & EXT4_GET_BLOCKS_PRE_IO))
ext4_ext_try_to_merge(handle, inode, path, nearex);
-
/* time to correct all indexes above */
err = ext4_ext_correct_indexes(handle, inode, path);
if (err)
- goto cleanup;
+ goto errout;
err = ext4_ext_dirty(handle, inode, path + path->p_depth);
+ if (err)
+ goto errout;
-cleanup:
- ext4_free_ext_path(npath);
- return err;
+ return path;
+
+errout:
+ ext4_free_ext_path(path);
+ return ERR_PTR(err);
}
static int ext4_fill_es_cache_info(struct inode *inode,
@@ -3232,24 +3237,29 @@ static int ext4_split_extent_at(handle_t *handle,
if (split_flag & EXT4_EXT_MARK_UNWRIT2)
ext4_ext_mark_unwritten(ex2);
- err = ext4_ext_insert_extent(handle, inode, ppath, &newex, flags);
- if (err != -ENOSPC && err != -EDQUOT && err != -ENOMEM)
+ path = ext4_ext_insert_extent(handle, inode, path, &newex, flags);
+ if (!IS_ERR(path)) {
+ *ppath = path;
goto out;
+ }
+ *ppath = NULL;
+ err = PTR_ERR(path);
+ if (err != -ENOSPC && err != -EDQUOT && err != -ENOMEM)
+ return err;
/*
- * Update path is required because previous ext4_ext_insert_extent()
- * may have freed or reallocated the path. Using EXT4_EX_NOFAIL
- * guarantees that ext4_find_extent() will not return -ENOMEM,
- * otherwise -ENOMEM will cause a retry in do_writepages(), and a
- * WARN_ON may be triggered in ext4_da_update_reserve_space() due to
- * an incorrect ee_len causing the i_reserved_data_blocks exception.
+ * Get a new path to try to zeroout or fix the extent length.
+ * Using EXT4_EX_NOFAIL guarantees that ext4_find_extent()
+ * will not return -ENOMEM, otherwise -ENOMEM will cause a
+ * retry in do_writepages(), and a WARN_ON may be triggered
+ * in ext4_da_update_reserve_space() due to an incorrect
+ * ee_len causing the i_reserved_data_blocks exception.
*/
- path = ext4_find_extent(inode, ee_block, *ppath,
+ path = ext4_find_extent(inode, ee_block, NULL,
flags | EXT4_EX_NOFAIL);
if (IS_ERR(path)) {
EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld",
split, PTR_ERR(path));
- *ppath = NULL;
return PTR_ERR(path);
}
depth = ext_depth(inode);
@@ -3308,7 +3318,7 @@ static int ext4_split_extent_at(handle_t *handle,
ext4_ext_dirty(handle, inode, path + path->p_depth);
return err;
out:
- ext4_ext_show_leaf(inode, *ppath);
+ ext4_ext_show_leaf(inode, path);
return err;
}
@@ -4299,6 +4309,7 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode,
get_implied_cluster_alloc(inode->i_sb, map, &ex2, path)) {
ar.len = allocated = map->m_len;
newblock = map->m_pblk;
+ err = 0;
goto got_allocated_blocks;
}
@@ -4371,8 +4382,9 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode,
map->m_flags |= EXT4_MAP_UNWRITTEN;
}
- err = ext4_ext_insert_extent(handle, inode, &path, &newex, flags);
- if (err) {
+ path = ext4_ext_insert_extent(handle, inode, path, &newex, flags);
+ if (IS_ERR(path)) {
+ err = PTR_ERR(path);
if (allocated_clusters) {
int fb_flags = 0;
diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c
index 94f90032ca561..83a0a78a124a1 100644
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -1828,12 +1828,12 @@ static int ext4_fc_replay_add_range(struct super_block *sb,
if (ext4_ext_is_unwritten(ex))
ext4_ext_mark_unwritten(&newex);
down_write(&EXT4_I(inode)->i_data_sem);
- ret = ext4_ext_insert_extent(
- NULL, inode, &path, &newex, 0);
+ path = ext4_ext_insert_extent(NULL, inode,
+ path, &newex, 0);
up_write((&EXT4_I(inode)->i_data_sem));
- ext4_free_ext_path(path);
- if (ret)
+ if (IS_ERR(path))
goto out;
+ ext4_free_ext_path(path);
goto next;
}
diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c
index 0be0467ae6dd2..7a0e429507cf3 100644
--- a/fs/ext4/migrate.c
+++ b/fs/ext4/migrate.c
@@ -37,7 +37,6 @@ static int finish_range(handle_t *handle, struct inode *inode,
path = ext4_find_extent(inode, lb->first_block, NULL, 0);
if (IS_ERR(path)) {
retval = PTR_ERR(path);
- path = NULL;
goto err_out;
}
@@ -53,7 +52,9 @@ static int finish_range(handle_t *handle, struct inode *inode,
retval = ext4_datasem_ensure_credits(handle, inode, needed, needed, 0);
if (retval < 0)
goto err_out;
- retval = ext4_ext_insert_extent(handle, inode, &path, &newext, 0);
+ path = ext4_ext_insert_extent(handle, inode, path, &newext, 0);
+ if (IS_ERR(path))
+ retval = PTR_ERR(path);
err_out:
up_write((&EXT4_I(inode)->i_data_sem));
ext4_free_ext_path(path);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 029/460] workqueue: Use POOL_BH instead of WQ_BH when checking pool flags
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 028/460] btrfs: hold space_info->lock when clearing periodic reclaim ready Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 030/460] perf disasm: Fix off-by-one bug in outside check Greg Kroah-Hartman
` (273 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Song Liu, Tejun Heo,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit f42f9091be9e5ff57567a3945cfcdd498f475348 ]
pr_cont_worker_id() checks pool->flags against WQ_BH, which is a
workqueue-level flag (defined in workqueue.h). Pool flags use a
separate namespace with POOL_* constants (defined in workqueue.c).
The correct constant is POOL_BH. Both WQ_BH and POOL_BH are defined
as (1 << 0) so this has no behavioral impact, but it is semantically
wrong and inconsistent with every other pool-level BH check in the
file.
Fixes: 4cb1ef64609f ("workqueue: Implement BH workqueues to eventually replace tasklets")
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/workqueue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 3840d7ce9cda0..b2fdb8719a744 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -6209,7 +6209,7 @@ static void pr_cont_worker_id(struct worker *worker)
{
struct worker_pool *pool = worker->pool;
- if (pool->flags & WQ_BH)
+ if (pool->flags & POOL_BH)
pr_cont("bh%s",
pool->attrs->nice == HIGHPRI_NICE_LEVEL ? "-hi" : "");
else
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 105/567] wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 104/567] wifi: radiotap: reject radiotap with unknown bits Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 106/567] wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration Greg Kroah-Hartman
` (272 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Daniil Dulov, Johannes Berg
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniil Dulov <d.dulov@aladdin.ru>
commit 767d23ade706d5fa51c36168e92a9c5533c351a1 upstream.
There is a use-after-free error in cfg80211_shutdown_all_interfaces found
by syzkaller:
BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220
Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326
CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events cfg80211_rfkill_block_work
Call Trace:
<TASK>
dump_stack_lvl+0x116/0x1f0
print_report+0xcd/0x630
kasan_report+0xe0/0x110
cfg80211_shutdown_all_interfaces+0x213/0x220
cfg80211_rfkill_block_work+0x1e/0x30
process_one_work+0x9cf/0x1b70
worker_thread+0x6c8/0xf10
kthread+0x3c5/0x780
ret_from_fork+0x56d/0x700
ret_from_fork_asm+0x1a/0x30
</TASK>
The problem arises due to the rfkill_block work is not cancelled when wiphy
is being unregistered. In order to fix the issue cancel the corresponding
work in wiphy_unregister().
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 1f87f7d3a3b4 ("cfg80211: add rfkill support")
Cc: stable@vger.kernel.org
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
Link: https://patch.msgid.link/20260211082024.1967588-1-d.dulov@aladdin.ru
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/core.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -1132,6 +1132,7 @@ void wiphy_unregister(struct wiphy *wiph
/* this has nothing to do now but make sure it's gone */
cancel_work_sync(&rdev->wiphy_work);
+ cancel_work_sync(&rdev->rfkill_block);
cancel_work_sync(&rdev->conn_work);
flush_work(&rdev->event_work);
cancel_delayed_work_sync(&rdev->dfs_update_channels_wk);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 043/481] ext4: get rid of ppath in ext4_split_extent_at()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 042/481] ext4: get rid of ppath in ext4_ext_insert_extent() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 044/481] ext4: subdivide EXT4_EXT_DATA_VALID1 Greg Kroah-Hartman
` (272 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 1de82b1b60d4613753254bf3cbf622a4c02c945c ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
To get rid of the ppath in ext4_split_extent_at(), the following is done
here:
* Free the extents path when an error is encountered.
* Its caller needs to update ppath if it uses ppath.
* Teach ext4_ext_show_leaf() to skip error pointer.
No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-16-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 22784ca541c0 ("ext4: subdivide EXT4_EXT_DATA_VALID1")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 85 ++++++++++++++++++++++++++---------------------
1 file changed, 47 insertions(+), 38 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 59c0bffc691d1..6da0bf3cf406d 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -84,12 +84,11 @@ static void ext4_extent_block_csum_set(struct inode *inode,
et->et_checksum = ext4_extent_block_csum(inode, eh);
}
-static int ext4_split_extent_at(handle_t *handle,
- struct inode *inode,
- struct ext4_ext_path **ppath,
- ext4_lblk_t split,
- int split_flag,
- int flags);
+static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
+ struct inode *inode,
+ struct ext4_ext_path *path,
+ ext4_lblk_t split,
+ int split_flag, int flags);
static int ext4_ext_trunc_restart_fn(struct inode *inode, int *dropped)
{
@@ -335,9 +334,15 @@ ext4_force_split_extent_at(handle_t *handle, struct inode *inode,
if (nofail)
flags |= EXT4_GET_BLOCKS_METADATA_NOFAIL | EXT4_EX_NOFAIL;
- return ext4_split_extent_at(handle, inode, ppath, lblk, unwritten ?
+ path = ext4_split_extent_at(handle, inode, path, lblk, unwritten ?
EXT4_EXT_MARK_UNWRIT1|EXT4_EXT_MARK_UNWRIT2 : 0,
flags);
+ if (IS_ERR(path)) {
+ *ppath = NULL;
+ return PTR_ERR(path);
+ }
+ *ppath = path;
+ return 0;
}
static int
@@ -689,7 +694,7 @@ static void ext4_ext_show_leaf(struct inode *inode, struct ext4_ext_path *path)
struct ext4_extent *ex;
int i;
- if (!path)
+ if (IS_ERR_OR_NULL(path))
return;
eh = path[depth].p_hdr;
@@ -3155,16 +3160,14 @@ static int ext4_ext_zeroout(struct inode *inode, struct ext4_extent *ex)
* a> the extent are splitted into two extent.
* b> split is not needed, and just mark the extent.
*
- * return 0 on success.
+ * Return an extent path pointer on success, or an error pointer on failure.
*/
-static int ext4_split_extent_at(handle_t *handle,
- struct inode *inode,
- struct ext4_ext_path **ppath,
- ext4_lblk_t split,
- int split_flag,
- int flags)
+static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
+ struct inode *inode,
+ struct ext4_ext_path *path,
+ ext4_lblk_t split,
+ int split_flag, int flags)
{
- struct ext4_ext_path *path = *ppath;
ext4_fsblk_t newblock;
ext4_lblk_t ee_block;
struct ext4_extent *ex, newex, orig_ex, zero_ex;
@@ -3238,14 +3241,12 @@ static int ext4_split_extent_at(handle_t *handle,
ext4_ext_mark_unwritten(ex2);
path = ext4_ext_insert_extent(handle, inode, path, &newex, flags);
- if (!IS_ERR(path)) {
- *ppath = path;
+ if (!IS_ERR(path))
goto out;
- }
- *ppath = NULL;
+
err = PTR_ERR(path);
if (err != -ENOSPC && err != -EDQUOT && err != -ENOMEM)
- return err;
+ return path;
/*
* Get a new path to try to zeroout or fix the extent length.
@@ -3255,16 +3256,14 @@ static int ext4_split_extent_at(handle_t *handle,
* in ext4_da_update_reserve_space() due to an incorrect
* ee_len causing the i_reserved_data_blocks exception.
*/
- path = ext4_find_extent(inode, ee_block, NULL,
- flags | EXT4_EX_NOFAIL);
+ path = ext4_find_extent(inode, ee_block, NULL, flags | EXT4_EX_NOFAIL);
if (IS_ERR(path)) {
EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld",
split, PTR_ERR(path));
- return PTR_ERR(path);
+ return path;
}
depth = ext_depth(inode);
ex = path[depth].p_ext;
- *ppath = path;
if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
@@ -3316,10 +3315,13 @@ static int ext4_split_extent_at(handle_t *handle,
* and err is a non-zero error code.
*/
ext4_ext_dirty(handle, inode, path + path->p_depth);
- return err;
out:
+ if (err) {
+ ext4_free_ext_path(path);
+ path = ERR_PTR(err);
+ }
ext4_ext_show_leaf(inode, path);
- return err;
+ return path;
}
/*
@@ -3366,10 +3368,14 @@ static int ext4_split_extent(handle_t *handle,
EXT4_EXT_MARK_UNWRIT2;
if (split_flag & EXT4_EXT_DATA_VALID2)
split_flag1 |= EXT4_EXT_DATA_VALID1;
- err = ext4_split_extent_at(handle, inode, ppath,
+ path = ext4_split_extent_at(handle, inode, path,
map->m_lblk + map->m_len, split_flag1, flags1);
- if (err)
+ if (IS_ERR(path)) {
+ err = PTR_ERR(path);
+ *ppath = NULL;
goto out;
+ }
+ *ppath = path;
} else {
allocated = ee_len - (map->m_lblk - ee_block);
}
@@ -3377,7 +3383,7 @@ static int ext4_split_extent(handle_t *handle,
* Update path is required because previous ext4_split_extent_at() may
* result in split of original leaf or extent zeroout.
*/
- path = ext4_find_extent(inode, map->m_lblk, *ppath, flags);
+ path = ext4_find_extent(inode, map->m_lblk, path, flags);
if (IS_ERR(path)) {
*ppath = NULL;
return PTR_ERR(path);
@@ -3399,13 +3405,17 @@ static int ext4_split_extent(handle_t *handle,
split_flag1 |= split_flag & (EXT4_EXT_MAY_ZEROOUT |
EXT4_EXT_MARK_UNWRIT2);
}
- err = ext4_split_extent_at(handle, inode, ppath,
+ path = ext4_split_extent_at(handle, inode, path,
map->m_lblk, split_flag1, flags);
- if (err)
+ if (IS_ERR(path)) {
+ err = PTR_ERR(path);
+ *ppath = NULL;
goto out;
+ }
+ *ppath = path;
}
- ext4_ext_show_leaf(inode, *ppath);
+ ext4_ext_show_leaf(inode, path);
out:
return err ? err : allocated;
}
@@ -5601,22 +5611,21 @@ static int ext4_insert_range(struct file *file, loff_t offset, loff_t len)
if (ext4_ext_is_unwritten(extent))
split_flag = EXT4_EXT_MARK_UNWRIT1 |
EXT4_EXT_MARK_UNWRIT2;
- ret = ext4_split_extent_at(handle, inode, &path,
+ path = ext4_split_extent_at(handle, inode, path,
offset_lblk, split_flag,
EXT4_EX_NOCACHE |
EXT4_GET_BLOCKS_PRE_IO |
EXT4_GET_BLOCKS_METADATA_NOFAIL);
}
- ext4_free_ext_path(path);
- if (ret < 0) {
+ if (IS_ERR(path)) {
up_write(&EXT4_I(inode)->i_data_sem);
+ ret = PTR_ERR(path);
goto out_stop;
}
- } else {
- ext4_free_ext_path(path);
}
+ ext4_free_ext_path(path);
ext4_es_remove_extent(inode, offset_lblk, EXT_MAX_BLOCKS - offset_lblk);
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 030/460] perf disasm: Fix off-by-one bug in outside check
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 029/460] workqueue: Use POOL_BH instead of WQ_BH when checking pool flags Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 031/460] net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets Greg Kroah-Hartman
` (272 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Peter Collingbourne,
Adrian Hunter, Alexander Shishkin, Bill Wendling, Ingo Molnar,
James Clark, Jiri Olsa, Justin Stitt, Mark Rutland, Namhyung Kim,
Nathan Chancellor, Nick Desaulniers, Peter Zijlstra,
Arnaldo Carvalho de Melo, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Collingbourne <pcc@google.com>
[ Upstream commit b3ce769203a99d6f3c6d6269ec09232a8c5da422 ]
If a branch target points to one past the end of a function, the branch
should be treated as a branch to another function.
This can happen e.g. with a tail call to a function that is laid out
immediately after the caller.
Fixes: 751b1783da784299 ("perf annotate: Mark jumps to outher functions with the call arrow")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Peter Collingbourne <pcc@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Bill Wendling <morbo@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://linux-review.googlesource.com/id/Ide471112e82d68177e0faf08ca411d9fcf0a7bdf
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/disasm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/util/disasm.c b/tools/perf/util/disasm.c
index 2dc93199ac258..8a6f450c6f8e7 100644
--- a/tools/perf/util/disasm.c
+++ b/tools/perf/util/disasm.c
@@ -408,7 +408,7 @@ static int jump__parse(struct arch *arch, struct ins_operands *ops, struct map_s
start = map__unmap_ip(map, sym->start);
end = map__unmap_ip(map, sym->end);
- ops->target.outside = target.addr < start || target.addr > end;
+ ops->target.outside = target.addr < start || target.addr >= end;
/*
* FIXME: things like this in _cpp_lex_token (gcc's cc1 program):
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 106/567] wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 105/567] wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 107/567] wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() Greg Kroah-Hartman
` (271 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ariel Silver, Johannes Berg
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ariel Silver <arielsilver77@gmail.com>
commit 162d331d833dc73a3e905a24c44dd33732af1fc5 upstream.
link_id is taken from the ML Reconfiguration element (control & 0x000f),
so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS
(15) elements, so index 15 is out-of-bounds. Skip subelements with
link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds
write.
Fixes: 8eb8dd2ffbbb ("wifi: mac80211: Support link removal using Reconfiguration ML element")
Reported-by: Ariel Silver <arielsilver77@gmail.com>
Signed-off-by: Ariel Silver <arielsilver77@gmail.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260220101129.1202657-1-Ariel.Silver@cybereason.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/mlme.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -5854,6 +5854,9 @@ static void ieee80211_ml_reconfiguration
control = le16_to_cpu(prof->control);
link_id = control & IEEE80211_MLE_STA_RECONF_CONTROL_LINK_ID;
+ if (link_id >= IEEE80211_MLD_MAX_NUM_LINKS)
+ continue;
+
removed_links |= BIT(link_id);
/* the MAC address should not be included, but handle it */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 044/481] ext4: subdivide EXT4_EXT_DATA_VALID1
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 043/481] ext4: get rid of ppath in ext4_split_extent_at() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 045/481] ext4: dont zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1 Greg Kroah-Hartman
` (271 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yi, Ojaswin Mujoo, Baokun Li,
stable, Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
[ Upstream commit 22784ca541c0f01c5ebad14e8228298dc0a390ed ]
When splitting an extent, if the EXT4_GET_BLOCKS_CONVERT flag is set and
it is necessary to split the target extent in the middle,
ext4_split_extent() first handles splitting the latter half of the
extent and passes the EXT4_EXT_DATA_VALID1 flag. This flag implies that
all blocks before the split point contain valid data; however, this
assumption is incorrect.
Therefore, subdivid EXT4_EXT_DATA_VALID1 into
EXT4_EXT_DATA_ENTIRE_VALID1 and EXT4_EXT_DATA_PARTIAL_VALID1, which
indicate that the first half of the extent is either entirely valid or
only partially valid, respectively. These two flags cannot be set
simultaneously.
This patch does not use EXT4_EXT_DATA_PARTIAL_VALID1, it only replaces
EXT4_EXT_DATA_VALID1 with EXT4_EXT_DATA_ENTIRE_VALID1 at the location
where it is set, no logical changes.
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Cc: stable@kernel.org
Message-ID: <20251129103247.686136-2-yi.zhang@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 6da0bf3cf406d..e2f9c27c7e161 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -43,8 +43,13 @@
#define EXT4_EXT_MARK_UNWRIT1 0x2 /* mark first half unwritten */
#define EXT4_EXT_MARK_UNWRIT2 0x4 /* mark second half unwritten */
-#define EXT4_EXT_DATA_VALID1 0x8 /* first half contains valid data */
-#define EXT4_EXT_DATA_VALID2 0x10 /* second half contains valid data */
+/* first half contains valid data */
+#define EXT4_EXT_DATA_ENTIRE_VALID1 0x8 /* has entirely valid data */
+#define EXT4_EXT_DATA_PARTIAL_VALID1 0x10 /* has partially valid data */
+#define EXT4_EXT_DATA_VALID1 (EXT4_EXT_DATA_ENTIRE_VALID1 | \
+ EXT4_EXT_DATA_PARTIAL_VALID1)
+
+#define EXT4_EXT_DATA_VALID2 0x20 /* second half contains valid data */
static __le32 ext4_extent_block_csum(struct inode *inode,
struct ext4_extent_header *eh)
@@ -3175,8 +3180,9 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
unsigned int ee_len, depth;
int err = 0;
- BUG_ON((split_flag & (EXT4_EXT_DATA_VALID1 | EXT4_EXT_DATA_VALID2)) ==
- (EXT4_EXT_DATA_VALID1 | EXT4_EXT_DATA_VALID2));
+ BUG_ON((split_flag & EXT4_EXT_DATA_VALID1) == EXT4_EXT_DATA_VALID1);
+ BUG_ON((split_flag & EXT4_EXT_DATA_VALID1) &&
+ (split_flag & EXT4_EXT_DATA_VALID2));
/* Do not cache extents that are in the process of being modified. */
flags |= EXT4_EX_NOCACHE;
@@ -3367,7 +3373,7 @@ static int ext4_split_extent(handle_t *handle,
split_flag1 |= EXT4_EXT_MARK_UNWRIT1 |
EXT4_EXT_MARK_UNWRIT2;
if (split_flag & EXT4_EXT_DATA_VALID2)
- split_flag1 |= EXT4_EXT_DATA_VALID1;
+ split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1;
path = ext4_split_extent_at(handle, inode, path,
map->m_lblk + map->m_len, split_flag1, flags1);
if (IS_ERR(path)) {
@@ -3731,7 +3737,7 @@ static int ext4_split_convert_extents(handle_t *handle,
/* Convert to unwritten */
if (flags & EXT4_GET_BLOCKS_CONVERT_UNWRITTEN) {
- split_flag |= EXT4_EXT_DATA_VALID1;
+ split_flag |= EXT4_EXT_DATA_ENTIRE_VALID1;
/* Convert to initialized */
} else if (flags & EXT4_GET_BLOCKS_CONVERT) {
split_flag |= ee_block + ee_len <= eof_block ?
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 031/460] net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 030/460] perf disasm: Fix off-by-one bug in outside check Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 032/460] drm/msm/dsi: fix pclk rate calculation for bonded dsi Greg Kroah-Hartman
` (271 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mieczyslaw Nalewaj,
Luiz Angelo Daros de Luca, Simon Horman, Linus Walleij,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mieczyslaw Nalewaj <namiltd@yahoo.com>
[ Upstream commit f76a93241d71fbba8425e3967097b498c29264ed ]
rx_packets should report the number of frames successfully received:
unicast + multicast + broadcast. Subtracting ifOutDiscards (a TX
counter) is incorrect and can undercount RX packets. RX drops are
already reported via rx_dropped (e.g. etherStatsDropEvents), so
there is no need to adjust rx_packets.
This patch removes the subtraction of ifOutDiscards from rx_packets
in rtl8365mb_stats_update().
Link: https://lore.kernel.org/netdev/878777925.105015.1763423928520@mail.yahoo.com/
Fixes: 4af2950c50c8 ("net: dsa: realtek-smi: add rtl8365mb subdriver for RTL8365MB-VC")
Signed-off-by: Mieczyslaw Nalewaj <namiltd@yahoo.com>
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20260303-realtek_namiltd_fix2-v1-1-bfa433d3401e@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/realtek/rtl8365mb.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/dsa/realtek/rtl8365mb.c b/drivers/net/dsa/realtek/rtl8365mb.c
index 74a8336174e50..4cb986988f1ad 100644
--- a/drivers/net/dsa/realtek/rtl8365mb.c
+++ b/drivers/net/dsa/realtek/rtl8365mb.c
@@ -1480,8 +1480,7 @@ static void rtl8365mb_stats_update(struct realtek_priv *priv, int port)
stats->rx_packets = cnt[RTL8365MB_MIB_ifInUcastPkts] +
cnt[RTL8365MB_MIB_ifInMulticastPkts] +
- cnt[RTL8365MB_MIB_ifInBroadcastPkts] -
- cnt[RTL8365MB_MIB_ifOutDiscards];
+ cnt[RTL8365MB_MIB_ifInBroadcastPkts];
stats->tx_packets = cnt[RTL8365MB_MIB_ifOutUcastPkts] +
cnt[RTL8365MB_MIB_ifOutMulticastPkts] +
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 107/567] wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 106/567] wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 108/567] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Greg Kroah-Hartman
` (270 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vahagn Vardanian, Johannes Berg
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vahagn Vardanian <vahagn@redrays.io>
commit 017c1792525064a723971f0216e6ef86a8c7af11 upstream.
In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced
at lines 1638 and 1642 without a prior NULL check:
ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
...
pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);
The mesh_matches_local() check above only validates the Mesh ID,
Mesh Configuration, and Supported Rates IEs. It does not verify the
presence of the Mesh Channel Switch Parameters IE (element ID 118).
When a received CSA action frame omits that IE, ieee802_11_parse_elems()
leaves elems->mesh_chansw_params_ie as NULL, and the unconditional
dereference causes a kernel NULL pointer dereference.
A remote mesh peer with an established peer link (PLINK_ESTAB) can
trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame
that includes a matching Mesh ID and Mesh Configuration IE but omits the
Mesh Channel Switch Parameters IE. No authentication beyond the default
open mesh peering is required.
Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:
BUG: kernel NULL pointer dereference, address: 0000000000000000
Oops: Oops: 0000 [#1] SMP NOPTI
RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]
CR2: 0000000000000000
Fix by adding a NULL check for mesh_chansw_params_ie after
mesh_matches_local() returns, consistent with how other optional IEs
are guarded throughout the mesh code.
The bug has been present since v3.13 (released 2014-01-19).
Fixes: 8f2535b92d68 ("mac80211: process the CSA frame for mesh accordingly")
Cc: stable@vger.kernel.org
Signed-off-by: Vahagn Vardanian <vahagn@redrays.io>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/mesh.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -1640,6 +1640,9 @@ static void mesh_rx_csa_frame(struct iee
if (!mesh_matches_local(sdata, elems))
goto free;
+ if (!elems->mesh_chansw_params_ie)
+ goto free;
+
ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
if (!--ifmsh->chsw_ttl)
fwd_csa = false;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 045/481] ext4: dont zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 044/481] ext4: subdivide EXT4_EXT_DATA_VALID1 Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 046/481] ext4: drop extent cache after doing PARTIAL_VALID1 zeroout Greg Kroah-Hartman
` (270 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yi, Ojaswin Mujoo, Baokun Li,
stable, Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
[ Upstream commit 1bf6974822d1dba86cf11b5f05498581cf3488a2 ]
When allocating initialized blocks from a large unwritten extent, or
when splitting an unwritten extent during end I/O and converting it to
initialized, there is currently a potential issue of stale data if the
extent needs to be split in the middle.
0 A B N
[UUUUUUUUUUUU] U: unwritten extent
[--DDDDDDDD--] D: valid data
|<- ->| ----> this range needs to be initialized
ext4_split_extent() first try to split this extent at B with
EXT4_EXT_DATA_ENTIRE_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but
ext4_split_extent_at() failed to split this extent due to temporary lack
of space. It zeroout B to N and mark the entire extent from 0 to N
as written.
0 A B N
[WWWWWWWWWWWW] W: written extent
[SSDDDDDDDDZZ] Z: zeroed, S: stale data
ext4_split_extent() then try to split this extent at A with
EXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and left
a stale written extent from 0 to A.
0 A B N
[WW|WWWWWWWWWW]
[SS|DDDDDDDDZZ]
Fix this by pass EXT4_EXT_DATA_PARTIAL_VALID1 to ext4_split_extent_at()
when splitting at B, don't convert the entire extent to written and left
it as unwritten after zeroing out B to N. The remaining work is just
like the standard two-part split. ext4_split_extent() will pass the
EXT4_EXT_DATA_VALID2 flag when it calls ext4_split_extent_at() for the
second time, allowing it to properly handle the split. If the split is
successful, it will keep extent from 0 to A as unwritten.
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Cc: stable@kernel.org
Message-ID: <20251129103247.686136-3-yi.zhang@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index e2f9c27c7e161..da7414e84ead8 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3298,6 +3298,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
}
if (!err) {
+ /*
+ * The first half contains partially valid data, the
+ * splitting of this extent has not been completed, fix
+ * extent length and ext4_split_extent() split will the
+ * first half again.
+ */
+ if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1)
+ goto fix_extent_len;
+
/* update the extent length and mark as initialized */
ex->ee_len = cpu_to_le16(ee_len);
ext4_ext_try_to_merge(handle, inode, path, ex);
@@ -3373,7 +3382,9 @@ static int ext4_split_extent(handle_t *handle,
split_flag1 |= EXT4_EXT_MARK_UNWRIT1 |
EXT4_EXT_MARK_UNWRIT2;
if (split_flag & EXT4_EXT_DATA_VALID2)
- split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1;
+ split_flag1 |= map->m_lblk > ee_block ?
+ EXT4_EXT_DATA_PARTIAL_VALID1 :
+ EXT4_EXT_DATA_ENTIRE_VALID1;
path = ext4_split_extent_at(handle, inode, path,
map->m_lblk + map->m_len, split_flag1, flags1);
if (IS_ERR(path)) {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 032/460] drm/msm/dsi: fix pclk rate calculation for bonded dsi
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 031/460] net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 033/460] drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v14 Greg Kroah-Hartman
` (270 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengyu Luo, Dmitry Baryshkov,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengyu Luo <mitltlatltl@gmail.com>
[ Upstream commit e4eb11b34d6c84f398d8f08d7cb4d6c38e739dd2 ]
Recently, we round up new_hdisplay once at most, for bonded dsi, we
may need twice, since they are independent links, we should round up
each half separately. This also aligns with the hdisplay we program
later in dsi_timing_setup()
Example:
full_hdisplay = 1904, dsc_bpp = 8, bpc = 8
new_full_hdisplay = DIV_ROUND_UP(1904 * 8, 8 * 3) = 635
if we use half display
new_half_hdisplay = DIV_ROUND_UP(952 * 8, 8 * 3) = 318
new_full_display = 636
Fixes: 7c9e4a554d4a ("drm/msm/dsi: Reduce pclk rate for compression")
Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/709716/
Link: https://lore.kernel.org/r/20260306163255.215456-1-mitltlatltl@gmail.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/dsi_host.c | 29 +++++++++++++++++++++++------
1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
index c85d0d5fc5800..0c360e7903295 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
@@ -534,13 +534,30 @@ void dsi_link_clk_disable_v2(struct msm_dsi_host *msm_host)
* FIXME: Reconsider this if/when CMD mode handling is rewritten to use
* transfer time and data overhead as a starting point of the calculations.
*/
-static unsigned long dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode,
- const struct drm_dsc_config *dsc)
+static unsigned long
+dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode,
+ const struct drm_dsc_config *dsc,
+ bool is_bonded_dsi)
{
- int new_hdisplay = DIV_ROUND_UP(mode->hdisplay * drm_dsc_get_bpp_int(dsc),
- dsc->bits_per_component * 3);
+ int hdisplay, new_hdisplay, new_htotal;
- int new_htotal = mode->htotal - mode->hdisplay + new_hdisplay;
+ /*
+ * For bonded DSI, split hdisplay across two links and round up each
+ * half separately, passing the full hdisplay would only round up once.
+ * This also aligns with the hdisplay we program later in
+ * dsi_timing_setup()
+ */
+ hdisplay = mode->hdisplay;
+ if (is_bonded_dsi)
+ hdisplay /= 2;
+
+ new_hdisplay = DIV_ROUND_UP(hdisplay * drm_dsc_get_bpp_int(dsc),
+ dsc->bits_per_component * 3);
+
+ if (is_bonded_dsi)
+ new_hdisplay *= 2;
+
+ new_htotal = mode->htotal - mode->hdisplay + new_hdisplay;
return mult_frac(mode->clock * 1000u, new_htotal, mode->htotal);
}
@@ -553,7 +570,7 @@ static unsigned long dsi_get_pclk_rate(const struct drm_display_mode *mode,
pclk_rate = mode->clock * 1000u;
if (dsc)
- pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc);
+ pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc, is_bonded_dsi);
/*
* For bonded DSI mode, the current DRM mode has the complete width of the
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 108/567] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 107/567] wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 109/567] RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() Greg Kroah-Hartman
` (269 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Leon Romanovsky
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
commit 117942ca43e2e3c3d121faae530989931b7f67e1 upstream.
Fix a user triggerable leak on the system call failure path.
Cc: stable@vger.kernel.org
Fixes: ec34a922d243 ("[PATCH] IB/mthca: Add SRQ implementation")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Link: https://patch.msgid.link/2-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/mthca/mthca_provider.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/infiniband/hw/mthca/mthca_provider.c
+++ b/drivers/infiniband/hw/mthca/mthca_provider.c
@@ -428,6 +428,8 @@ static int mthca_create_srq(struct ib_sr
if (context && ib_copy_to_udata(udata, &srq->srqn, sizeof(__u32))) {
mthca_free_srq(to_mdev(ibsrq->device), srq);
+ mthca_unmap_user_db(to_mdev(ibsrq->device), &context->uar,
+ context->db_tab, ucmd.db_index);
return -EFAULT;
}
@@ -436,6 +438,7 @@ static int mthca_create_srq(struct ib_sr
static int mthca_destroy_srq(struct ib_srq *srq, struct ib_udata *udata)
{
+ mthca_free_srq(to_mdev(srq->device), to_msrq(srq));
if (udata) {
struct mthca_ucontext *context =
rdma_udata_to_drv_context(
@@ -446,8 +449,6 @@ static int mthca_destroy_srq(struct ib_s
mthca_unmap_user_db(to_mdev(srq->device), &context->uar,
context->db_tab, to_msrq(srq)->db_index);
}
-
- mthca_free_srq(to_mdev(srq->device), to_msrq(srq));
return 0;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 046/481] ext4: drop extent cache after doing PARTIAL_VALID1 zeroout
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 045/481] ext4: dont zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1 Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 047/481] ext4: drop extent cache when splitting extent fails Greg Kroah-Hartman
` (269 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yi, Baokun Li, stable,
Ojaswin Mujoo, Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
[ Upstream commit 6d882ea3b0931b43530d44149b79fcd4ffc13030 ]
When splitting an unwritten extent in the middle and converting it to
initialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and
EXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent.
Assume we have an unwritten file and buffered write in the middle of it
without dioread_nolock enabled, it will allocate blocks as written
extent.
0 A B N
[UUUUUUUUUUUU] on-disk extent U: unwritten extent
[UUUUUUUUUUUU] extent status tree
[--DDDDDDDD--] D: valid data
|<- ->| ----> this range needs to be initialized
ext4_split_extent() first try to split this extent at B with
EXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but
ext4_split_extent_at() failed to split this extent due to temporary lack
of space. It zeroout B to N and leave the entire extent as unwritten.
0 A B N
[UUUUUUUUUUUU] on-disk extent
[UUUUUUUUUUUU] extent status tree
[--DDDDDDDDZZ] Z: zeroed data
ext4_split_extent() then try to split this extent at A with
EXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and
leave an written extent from A to N.
0 A B N
[UUWWWWWWWWWW] on-disk extent W: written extent
[UUUUUUUUUUUU] extent status tree
[--DDDDDDDDZZ]
Finally ext4_map_create_blocks() only insert extent A to B to the extent
status tree, and leave an stale unwritten extent in the status tree.
0 A B N
[UUWWWWWWWWWW] on-disk extent W: written extent
[UUWWWWWWWWUU] extent status tree
[--DDDDDDDDZZ]
Fix this issue by always cached extent status entry after zeroing out
the second part.
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Cc: stable@kernel.org
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Message-ID: <20251129103247.686136-7-yi.zhang@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index da7414e84ead8..30b0b25aac9ff 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3304,8 +3304,16 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
* extent length and ext4_split_extent() split will the
* first half again.
*/
- if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1)
+ if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) {
+ /*
+ * Drop extent cache to prevent stale unwritten
+ * extents remaining after zeroing out.
+ */
+ ext4_es_remove_extent(inode,
+ le32_to_cpu(zero_ex.ee_block),
+ ext4_ext_get_actual_len(&zero_ex));
goto fix_extent_len;
+ }
/* update the extent length and mark as initialized */
ex->ee_len = cpu_to_le16(ee_len);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 033/460] drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v14
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 032/460] drm/msm/dsi: fix pclk rate calculation for bonded dsi Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 034/460] bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states Greg Kroah-Hartman
` (269 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Wang, Alex Deucher, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Wang <kevinyang.wang@amd.com>
[ Upstream commit 9d4837a26149355ffe3a1f80de80531eafdd3353 ]
add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v14.0.2/14.0.3
Fixes: 9710b84e2a6a ("drm/amd/pm: add overdrive support on smu v14.0.2/3")
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/5018
Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 1b5cf07d80bb16d1593579ccdb23f08ea4262c14)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
index 3bab8269a46aa..d061467eba2ea 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
@@ -2394,7 +2394,8 @@ static int smu_v14_0_2_restore_user_od_settings(struct smu_context *smu)
user_od_table->OverDriveTable.FeatureCtrlMask = BIT(PP_OD_FEATURE_GFXCLK_BIT) |
BIT(PP_OD_FEATURE_UCLK_BIT) |
BIT(PP_OD_FEATURE_GFX_VF_CURVE_BIT) |
- BIT(PP_OD_FEATURE_FAN_CURVE_BIT);
+ BIT(PP_OD_FEATURE_FAN_CURVE_BIT) |
+ BIT(PP_OD_FEATURE_ZERO_FAN_BIT);
res = smu_v14_0_2_upload_overdrive_table(smu, user_od_table);
user_od_table->OverDriveTable.FeatureCtrlMask = 0;
if (res == 0)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 109/567] RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 108/567] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 110/567] net/sched: ets: fix divide by zero in the offload path Greg Kroah-Hartman
` (268 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Leon Romanovsky
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
commit 74586c6da9ea222a61c98394f2fc0a604748438c upstream.
struct irdma_create_ah_resp { // 8 bytes, no padding
__u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx)
__u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK
};
rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().
The reserved members of the structure were not zeroed.
Cc: stable@vger.kernel.org
Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Link: https://patch.msgid.link/3-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/irdma/verbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -4588,7 +4588,7 @@ static int irdma_create_user_ah(struct i
#define IRDMA_CREATE_AH_MIN_RESP_LEN offsetofend(struct irdma_create_ah_resp, rsvd)
struct irdma_ah *ah = container_of(ibah, struct irdma_ah, ibah);
struct irdma_device *iwdev = to_iwdev(ibah->pd->device);
- struct irdma_create_ah_resp uresp;
+ struct irdma_create_ah_resp uresp = {};
struct irdma_ah *parent_ah;
int err;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 047/481] ext4: drop extent cache when splitting extent fails
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 046/481] ext4: drop extent cache after doing PARTIAL_VALID1 zeroout Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 048/481] ext4: remove unnecessary e4b->bd_buddy_page check in ext4_mb_load_buddy_gfp Greg Kroah-Hartman
` (268 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yi, Baokun Li, stable,
Ojaswin Mujoo, Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
[ Upstream commit 79b592e8f1b435796cbc2722190368e3e8ffd7a1 ]
When the split extent fails, we might leave some extents still being
processed and return an error directly, which will result in stale
extent entries remaining in the extent status tree. So drop all of the
remaining potentially stale extents if the splitting fails.
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Cc: stable@kernel.org
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Message-ID: <20251129103247.686136-8-yi.zhang@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 30b0b25aac9ff..bb27c04798d2b 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3252,7 +3252,7 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
err = PTR_ERR(path);
if (err != -ENOSPC && err != -EDQUOT && err != -ENOMEM)
- return path;
+ goto out_path;
/*
* Get a new path to try to zeroout or fix the extent length.
@@ -3266,7 +3266,7 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
if (IS_ERR(path)) {
EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld",
split, PTR_ERR(path));
- return path;
+ goto out_path;
}
depth = ext_depth(inode);
ex = path[depth].p_ext;
@@ -3343,6 +3343,10 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle,
ext4_free_ext_path(path);
path = ERR_PTR(err);
}
+out_path:
+ if (IS_ERR(path))
+ /* Remove all remaining potentially stale extents. */
+ ext4_es_remove_extent(inode, ee_block, ee_len);
ext4_ext_show_leaf(inode, path);
return path;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 034/460] bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 033/460] drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v14 Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 035/460] net/mlx5: IFC updates for disabled host PF Greg Kroah-Hartman
` (268 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 3348be7978f450ede0c308a4e8416ac716cf1015 ]
Before the fixed commit, we check slave->new_link during commit
state, which values are only BOND_LINK_{NOCHANGE, UP, DOWN}. After
the commit, we start using slave->link_new_state, which state also could
be BOND_LINK_{FAIL, BACK}.
For example, when we set updelay/downdelay, after a failover,
the slave->link_new_state could be set to BOND_LINK_{FAIL, BACK} in
bond_miimon_inspect(). And later in bond_miimon_commit(), it will treat
it as invalid and print an error, which would cause confusion for users.
[ 106.440254] bond0: (slave veth2): link status down for interface, disabling it in 200 ms
[ 106.440265] bond0: (slave veth2): invalid new link 1 on slave
[ 106.648276] bond0: (slave veth2): link status definitely down, disabling slave
[ 107.480271] bond0: (slave veth2): link status up, enabling it in 200 ms
[ 107.480288] bond0: (slave veth2): invalid new link 3 on slave
[ 107.688302] bond0: (slave veth2): link status definitely up, 10000 Mbps full duplex
Let's handle BOND_LINK_{FAIL, BACK} as valid link states.
Fixes: 1899bb325149 ("bonding: fix state transition issue in link monitoring")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20260304-b4-bond_updelay-v1-2-f72eb2e454d0@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 2ac455a9d1bb1..c71b52e2966fc 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2936,8 +2936,14 @@ static void bond_miimon_commit(struct bonding *bond)
continue;
+ case BOND_LINK_FAIL:
+ case BOND_LINK_BACK:
+ slave_dbg(bond->dev, slave->dev, "link_new_state %d on slave\n",
+ slave->link_new_state);
+ continue;
+
default:
- slave_err(bond->dev, slave->dev, "invalid new link %d on slave\n",
+ slave_err(bond->dev, slave->dev, "invalid link_new_state %d on slave\n",
slave->link_new_state);
bond_propose_link_state(slave, BOND_LINK_NOCHANGE);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 110/567] net/sched: ets: fix divide by zero in the offload path
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 109/567] RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 111/567] scsi: target: Fix recursive locking in __configfs_open_file() Greg Kroah-Hartman
` (267 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Davide Caratti, Jamal Hadi Salim,
Petr Machata, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Davide Caratti <dcaratti@redhat.com>
commit e35626f610f3d2b7953ccddf6a77453da22b3a9e upstream.
Offloading ETS requires computing each class' WRR weight: this is done by
averaging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned
int, the same integer size as the individual DRR quanta, can overflow and
even cause division by zero, like it happened in the following splat:
Oops: divide error: 0000 [#1] SMP PTI
CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full)
Tainted: [E]=UNSIGNED_MODULE
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]
Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44
RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246
RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660
RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe
R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000
FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0
Call Trace:
<TASK>
ets_qdisc_change+0x870/0xf40 [sch_ets]
qdisc_create+0x12b/0x540
tc_modify_qdisc+0x6d7/0xbd0
rtnetlink_rcv_msg+0x168/0x6b0
netlink_rcv_skb+0x5c/0x110
netlink_unicast+0x1d6/0x2b0
netlink_sendmsg+0x22e/0x470
____sys_sendmsg+0x38a/0x3c0
___sys_sendmsg+0x99/0xe0
__sys_sendmsg+0x8a/0xf0
do_syscall_64+0x111/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f440b81c77e
Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e
RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003
RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8
R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980
</TASK>
Modules linked in: sch_ets(E) netdevsim(E)
---[ end trace 0000000000000000 ]---
RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]
Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44
RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246
RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660
RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe
R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000
FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception ]---
Fix this using 64-bit integers for 'q_sum' and 'q_psum'.
Cc: stable@vger.kernel.org
Fixes: d35eb52bd2ac ("net: sch_ets: Make the ETS qdisc offloadable")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/28504887df314588c7255e9911769c36f751edee.1771964872.git.dcaratti@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_ets.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -115,12 +115,12 @@ static void ets_offload_change(struct Qd
struct ets_sched *q = qdisc_priv(sch);
struct tc_ets_qopt_offload qopt;
unsigned int w_psum_prev = 0;
- unsigned int q_psum = 0;
- unsigned int q_sum = 0;
unsigned int quantum;
unsigned int w_psum;
unsigned int weight;
unsigned int i;
+ u64 q_psum = 0;
+ u64 q_sum = 0;
if (!tc_can_offload(dev) || !dev->netdev_ops->ndo_setup_tc)
return;
@@ -138,8 +138,12 @@ static void ets_offload_change(struct Qd
for (i = 0; i < q->nbands; i++) {
quantum = q->classes[i].quantum;
- q_psum += quantum;
- w_psum = quantum ? q_psum * 100 / q_sum : 0;
+ if (quantum) {
+ q_psum += quantum;
+ w_psum = div64_u64(q_psum * 100, q_sum);
+ } else {
+ w_psum = 0;
+ }
weight = w_psum - w_psum_prev;
w_psum_prev = w_psum;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 048/481] ext4: remove unnecessary e4b->bd_buddy_page check in ext4_mb_load_buddy_gfp
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 047/481] ext4: drop extent cache when splitting extent fails Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 049/481] ext4: convert some BUG_ONs in mballoc to use WARN_RATELIMITED instead Greg Kroah-Hartman
` (267 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kemeng Shi, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kemeng Shi <shikemeng@huaweicloud.com>
[ Upstream commit 285164b80175157c18a06425cf25591c9f942b1a ]
e4b->bd_buddy_page is only set if we initialize ext4_buddy successfully. So
e4b->bd_buddy_page is always NULL in error handle branch. Just remove the
dead check.
Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://lore.kernel.org/r/20230303172120.3800725-11-shikemeng@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: bdc56a9c46b2 ("ext4: fix e4b bitmap inconsistency reports")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 71e15007ffdf4..7431ff97a68c8 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1599,8 +1599,7 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
put_page(page);
if (e4b->bd_bitmap_page)
put_page(e4b->bd_bitmap_page);
- if (e4b->bd_buddy_page)
- put_page(e4b->bd_buddy_page);
+
e4b->bd_buddy = NULL;
e4b->bd_bitmap = NULL;
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 035/460] net/mlx5: IFC updates for disabled host PF
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 034/460] bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 036/460] net/mlx5: Query to see if host PF is disabled Greg Kroah-Hartman
` (267 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Jurgens, William Tu,
Tariq Toukan, Leon Romanovsky, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Jurgens <danielj@nvidia.com>
[ Upstream commit cd1746cb6555a2238c4aae9f9d60b637a61bf177 ]
The port 2 host PF can be disabled, this bit reflects that setting.
Signed-off-by: Daniel Jurgens <danielj@nvidia.com>
Reviewed-by: William Tu <witu@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1752064867-16874-3-git-send-email-tariqt@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Stable-dep-of: aed763abf0e9 ("net/mlx5: Fix deadlock between devlink lock and esw->wq")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/mlx5/mlx5_ifc.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
index 2b1a816e4d59c..6ea35c8ce00fb 100644
--- a/include/linux/mlx5/mlx5_ifc.h
+++ b/include/linux/mlx5/mlx5_ifc.h
@@ -12282,7 +12282,9 @@ struct mlx5_ifc_mtrc_ctrl_bits {
struct mlx5_ifc_host_params_context_bits {
u8 host_number[0x8];
- u8 reserved_at_8[0x7];
+ u8 reserved_at_8[0x5];
+ u8 host_pf_not_exist[0x1];
+ u8 reserved_at_14[0x1];
u8 host_pf_disabled[0x1];
u8 host_num_of_vfs[0x10];
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 111/567] scsi: target: Fix recursive locking in __configfs_open_file()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 110/567] net/sched: ets: fix divide by zero in the offload path Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 112/567] Squashfs: check metadata block offset is within range Greg Kroah-Hartman
` (266 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+f6e8174215573a84b797,
Prithvi Tambewagh, Dmitry Bogdanov, Martin K. Petersen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prithvi Tambewagh <activprithvi@gmail.com>
commit 14d4ac19d1895397532eec407433c5d74d9da53b upstream.
In flush_write_buffer, &p->frag_sem is acquired and then the loaded store
function is called, which, here, is target_core_item_dbroot_store(). This
function called filp_open(), following which these functions were called
(in reverse order), according to the call trace:
down_read
__configfs_open_file
do_dentry_open
vfs_open
do_open
path_openat
do_filp_open
file_open_name
filp_open
target_core_item_dbroot_store
flush_write_buffer
configfs_write_iter
target_core_item_dbroot_store() tries to validate the new file path by
trying to open the file path provided to it; however, in this case, the bug
report shows:
db_root: not a directory: /sys/kernel/config/target/dbroot
indicating that the same configfs file was tried to be opened, on which it
is currently working on. Thus, it is trying to acquire frag_sem semaphore
of the same file of which it already holds the semaphore obtained in
flush_write_buffer(), leading to acquiring the semaphore in a nested manner
and a possibility of recursive locking.
Fix this by modifying target_core_item_dbroot_store() to use kern_path()
instead of filp_open() to avoid opening the file using filesystem-specific
function __configfs_open_file(), and further modifying it to make this fix
compatible.
Reported-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f6e8174215573a84b797
Tested-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Prithvi Tambewagh <activprithvi@gmail.com>
Reviewed-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Link: https://patch.msgid.link/20260216062002.61937-1-activprithvi@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/target_core_configfs.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -108,8 +108,8 @@ static ssize_t target_core_item_dbroot_s
const char *page, size_t count)
{
ssize_t read_bytes;
- struct file *fp;
ssize_t r = -EINVAL;
+ struct path path = {};
mutex_lock(&target_devices_lock);
if (target_devices) {
@@ -131,17 +131,14 @@ static ssize_t target_core_item_dbroot_s
db_root_stage[read_bytes - 1] = '\0';
/* validate new db root before accepting it */
- fp = filp_open(db_root_stage, O_RDONLY, 0);
- if (IS_ERR(fp)) {
+ r = kern_path(db_root_stage, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path);
+ if (r) {
pr_err("db_root: cannot open: %s\n", db_root_stage);
+ if (r == -ENOTDIR)
+ pr_err("db_root: not a directory: %s\n", db_root_stage);
goto unlock;
}
- if (!S_ISDIR(file_inode(fp)->i_mode)) {
- filp_close(fp, NULL);
- pr_err("db_root: not a directory: %s\n", db_root_stage);
- goto unlock;
- }
- filp_close(fp, NULL);
+ path_put(&path);
strncpy(db_root, db_root_stage, read_bytes);
pr_debug("Target_Core_ConfigFS: db_root set to %s\n", db_root);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 049/481] ext4: convert some BUG_ONs in mballoc to use WARN_RATELIMITED instead
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 048/481] ext4: remove unnecessary e4b->bd_buddy_page check in ext4_mb_load_buddy_gfp Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 050/481] ext4: delete redundant calculations in ext4_mb_get_buddy_page_lock() Greg Kroah-Hartman
` (266 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
[ Upstream commit 19b8b035a776939ceb3de0f45aded4751d7849ef ]
In cases where we have an obvious way of continuing, let's use
WARN_RATELIMITED() instead of BUG_ON().
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: bdc56a9c46b2 ("ext4: fix e4b bitmap inconsistency reports")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 7431ff97a68c8..2a385dc610704 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1531,7 +1531,13 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
put_page(page);
page = find_or_create_page(inode->i_mapping, pnum, gfp);
if (page) {
- BUG_ON(page->mapping != inode->i_mapping);
+ if (WARN_RATELIMIT(page->mapping != inode->i_mapping,
+ "ext4: bitmap's paging->mapping != inode->i_mapping\n")) {
+ /* should never happen */
+ unlock_page(page);
+ ret = -EINVAL;
+ goto err;
+ }
if (!PageUptodate(page)) {
ret = ext4_mb_init_cache(page, NULL, gfp);
if (ret) {
@@ -1567,7 +1573,13 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
put_page(page);
page = find_or_create_page(inode->i_mapping, pnum, gfp);
if (page) {
- BUG_ON(page->mapping != inode->i_mapping);
+ if (WARN_RATELIMIT(page->mapping != inode->i_mapping,
+ "ext4: buddy bitmap's page->mapping != inode->i_mapping\n")) {
+ /* should never happen */
+ unlock_page(page);
+ ret = -EINVAL;
+ goto err;
+ }
if (!PageUptodate(page)) {
ret = ext4_mb_init_cache(page, e4b->bd_bitmap,
gfp);
@@ -2286,7 +2298,9 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac,
continue;
buddy = mb_find_buddy(e4b, i, &max);
- BUG_ON(buddy == NULL);
+ if (WARN_RATELIMIT(buddy == NULL,
+ "ext4: mb_simple_scan_group: mb_find_buddy failed, (%d)\n", i))
+ continue;
k = mb_find_next_zero_bit(buddy, max, 0);
if (k >= max) {
@@ -4312,15 +4326,14 @@ static void ext4_discard_allocated_blocks(struct ext4_allocation_context *ac)
if (ac->ac_f_ex.fe_len == 0)
return;
err = ext4_mb_load_buddy(ac->ac_sb, ac->ac_f_ex.fe_group, &e4b);
- if (err) {
+ if (WARN_RATELIMIT(err,
+ "ext4: mb_load_buddy failed (%d)", err))
/*
* This should never happen since we pin the
* pages in the ext4_allocation_context so
* ext4_mb_load_buddy() should never fail.
*/
- WARN(1, "mb_load_buddy failed (%d)", err);
return;
- }
ext4_lock_group(ac->ac_sb, ac->ac_f_ex.fe_group);
mb_free_blocks(ac->ac_inode, &e4b, ac->ac_f_ex.fe_start,
ac->ac_f_ex.fe_len);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 036/460] net/mlx5: Query to see if host PF is disabled
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 035/460] net/mlx5: IFC updates for disabled host PF Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 037/460] net/mlx5: Fix deadlock between devlink lock and esw->wq Greg Kroah-Hartman
` (266 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Jurgens, William Tu,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Jurgens <danielj@nvidia.com>
[ Upstream commit 9e84de72aef9bcf0e751a0bff3ac91b0cf52366f ]
The host PF can be disabled, query firmware to check if the host PF of
this function exists.
Signed-off-by: Daniel Jurgens <danielj@nvidia.com>
Reviewed-by: William Tu <witu@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1755112796-467444-2-git-send-email-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: aed763abf0e9 ("net/mlx5: Fix deadlock between devlink lock and esw->wq")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/eswitch.c | 23 +++++++++++++++++++
.../net/ethernet/mellanox/mlx5/core/eswitch.h | 1 +
2 files changed, 24 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
index 6544546a1153f..b26ab78006ea0 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -1038,6 +1038,25 @@ const u32 *mlx5_esw_query_functions(struct mlx5_core_dev *dev)
return ERR_PTR(err);
}
+static int mlx5_esw_host_functions_enabled_query(struct mlx5_eswitch *esw)
+{
+ const u32 *query_host_out;
+
+ if (!mlx5_core_is_ecpf_esw_manager(esw->dev))
+ return 0;
+
+ query_host_out = mlx5_esw_query_functions(esw->dev);
+ if (IS_ERR(query_host_out))
+ return PTR_ERR(query_host_out);
+
+ esw->esw_funcs.host_funcs_disabled =
+ MLX5_GET(query_esw_functions_out, query_host_out,
+ host_params_context.host_pf_not_exist);
+
+ kvfree(query_host_out);
+ return 0;
+}
+
static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw)
{
if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev)) {
@@ -1871,6 +1890,10 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev)
goto abort;
}
+ err = mlx5_esw_host_functions_enabled_query(esw);
+ if (err)
+ goto abort;
+
err = mlx5_esw_vports_init(esw);
if (err)
goto abort;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
index 48fd0400ffd4e..be6e60d961689 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
@@ -316,6 +316,7 @@ struct mlx5_host_work {
struct mlx5_esw_functions {
struct mlx5_nb nb;
+ bool host_funcs_disabled;
u16 num_vfs;
u16 num_ec_vfs;
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 112/567] Squashfs: check metadata block offset is within range
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 111/567] scsi: target: Fix recursive locking in __configfs_open_file() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 113/567] drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() Greg Kroah-Hartman
` (265 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+a9747fe1c35a5b115d3f,
Phillip Lougher, Christian Brauner, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phillip Lougher <phillip@squashfs.org.uk>
commit fdb24a820a5832ec4532273282cbd4f22c291a0d upstream.
Syzkaller reports a "general protection fault in squashfs_copy_data"
This is ultimately caused by a corrupted index look-up table, which
produces a negative metadata block offset.
This is subsequently passed to squashfs_copy_data (via
squashfs_read_metadata) where the negative offset causes an out of bounds
access.
The fix is to check that the offset is within range in
squashfs_read_metadata. This will trap this and other cases.
Link: https://lkml.kernel.org/r/20260217050955.138351-1-phillip@squashfs.org.uk
Fixes: f400e12656ab ("Squashfs: cache operations")
Reported-by: syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/699234e2.a70a0220.2c38d7.00e2.GAE@google.com/
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/squashfs/cache.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/squashfs/cache.c
+++ b/fs/squashfs/cache.c
@@ -340,6 +340,9 @@ int squashfs_read_metadata(struct super_
if (unlikely(length < 0))
return -EIO;
+ if (unlikely(*offset < 0 || *offset >= SQUASHFS_METADATA_SIZE))
+ return -EIO;
+
while (length) {
entry = squashfs_cache_get(sb, msblk->block_cache, *block, 0);
if (entry->error) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 050/481] ext4: delete redundant calculations in ext4_mb_get_buddy_page_lock()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 049/481] ext4: convert some BUG_ONs in mballoc to use WARN_RATELIMITED instead Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 051/481] ext4: convert bd_bitmap_page to bd_bitmap_folio Greg Kroah-Hartman
` (265 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gou Hao, Jan Kara, Theodore Tso,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gou Hao <gouhao@uniontech.com>
[ Upstream commit f2fec3e99a32d7c14dbf63c824f8286ebc94b18d ]
'blocks_per_page' is always 1 after 'if (blocks_per_page >= 2)',
'pnum' and 'block' are equal in this case.
Signed-off-by: Gou Hao <gouhao@uniontech.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20231024035215.29474-1-gouhao@uniontech.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: bdc56a9c46b2 ("ext4: fix e4b bitmap inconsistency reports")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 2a385dc610704..899d7eb6df3dc 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1370,9 +1370,8 @@ static int ext4_mb_get_buddy_page_lock(struct super_block *sb,
return 0;
}
- block++;
- pnum = block / blocks_per_page;
- page = find_or_create_page(inode->i_mapping, pnum, gfp);
+ /* blocks_per_page == 1, hence we need another page for the buddy */
+ page = find_or_create_page(inode->i_mapping, block + 1, gfp);
if (!page)
return -ENOMEM;
BUG_ON(page->mapping != inode->i_mapping);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 037/460] net/mlx5: Fix deadlock between devlink lock and esw->wq
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 036/460] net/mlx5: Query to see if host PF is disabled Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 038/460] net/mlx5: Fix crash when moving to switchdev mode Greg Kroah-Hartman
` (265 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Ratiu, Moshe Shemesh,
Dragos Tatulea, Simon Horman, Tariq Toukan, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Ratiu <cratiu@nvidia.com>
[ Upstream commit aed763abf0e905b4b8d747d1ba9e172961572f57 ]
esw->work_queue executes esw_functions_changed_event_handler ->
esw_vfs_changed_event_handler and acquires the devlink lock.
.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) ->
mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked ->
mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks
when esw_vfs_changed_event_handler executes.
Fix that by no longer flushing the work to avoid the deadlock, and using
a generation counter to keep track of work relevance. This avoids an old
handler manipulating an esw that has undergone one or more mode changes:
- the counter is incremented in mlx5_eswitch_event_handler_unregister.
- the counter is read and passed to the ephemeral mlx5_host_work struct.
- the work handler takes the devlink lock and bails out if the current
generation is different than the one it was scheduled to operate on.
- mlx5_eswitch_cleanup does the final draining before destroying the wq.
No longer flushing the workqueue has the side effect of maybe no longer
cancelling pending vport_change_handler work items, but that's ok since
those are disabled elsewhere:
- mlx5_eswitch_disable_locked disables the vport eq notifier.
- mlx5_esw_vport_disable disarms the HW EQ notification and marks
vport->enabled under state_lock to false to prevent pending vport
handler from doing anything.
- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events
are disabled/finished.
Fixes: f1bc646c9a06 ("net/mlx5: Use devl_ API in mlx5_esw_offloads_devlink_port_register")
Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260305081019.1811100-1-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/eswitch.c | 7 ++++---
.../net/ethernet/mellanox/mlx5/core/eswitch.h | 2 ++
.../mellanox/mlx5/core/eswitch_offloads.c | 18 +++++++++++++-----
3 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
index b26ab78006ea0..864e88f057714 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -1068,10 +1068,11 @@ static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw)
static void mlx5_eswitch_event_handler_unregister(struct mlx5_eswitch *esw)
{
- if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev))
+ if (esw->mode == MLX5_ESWITCH_OFFLOADS &&
+ mlx5_eswitch_is_funcs_handler(esw->dev)) {
mlx5_eq_notifier_unregister(esw->dev, &esw->esw_funcs.nb);
-
- flush_workqueue(esw->work_queue);
+ atomic_inc(&esw->esw_funcs.generation);
+ }
}
static void mlx5_eswitch_clear_vf_vports_info(struct mlx5_eswitch *esw)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
index be6e60d961689..63c2b36ce967b 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
@@ -312,10 +312,12 @@ struct esw_mc_addr { /* SRIOV only */
struct mlx5_host_work {
struct work_struct work;
struct mlx5_eswitch *esw;
+ int work_gen;
};
struct mlx5_esw_functions {
struct mlx5_nb nb;
+ atomic_t generation;
bool host_funcs_disabled;
u16 num_vfs;
u16 num_ec_vfs;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
index 7cead1ba0bfa1..b122003d8bcde 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
@@ -3402,22 +3402,28 @@ static void esw_offloads_steering_cleanup(struct mlx5_eswitch *esw)
}
static void
-esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out)
+esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, int work_gen,
+ const u32 *out)
{
struct devlink *devlink;
bool host_pf_disabled;
u16 new_num_vfs;
+ devlink = priv_to_devlink(esw->dev);
+ devl_lock(devlink);
+
+ /* Stale work from one or more mode changes ago. Bail out. */
+ if (work_gen != atomic_read(&esw->esw_funcs.generation))
+ goto unlock;
+
new_num_vfs = MLX5_GET(query_esw_functions_out, out,
host_params_context.host_num_of_vfs);
host_pf_disabled = MLX5_GET(query_esw_functions_out, out,
host_params_context.host_pf_disabled);
if (new_num_vfs == esw->esw_funcs.num_vfs || host_pf_disabled)
- return;
+ goto unlock;
- devlink = priv_to_devlink(esw->dev);
- devl_lock(devlink);
/* Number of VFs can only change from "0 to x" or "x to 0". */
if (esw->esw_funcs.num_vfs > 0) {
mlx5_eswitch_unload_vf_vports(esw, esw->esw_funcs.num_vfs);
@@ -3432,6 +3438,7 @@ esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out)
}
}
esw->esw_funcs.num_vfs = new_num_vfs;
+unlock:
devl_unlock(devlink);
}
@@ -3448,7 +3455,7 @@ static void esw_functions_changed_event_handler(struct work_struct *work)
if (IS_ERR(out))
goto out;
- esw_vfs_changed_event_handler(esw, out);
+ esw_vfs_changed_event_handler(esw, host_work->work_gen, out);
kvfree(out);
out:
kfree(host_work);
@@ -3468,6 +3475,7 @@ int mlx5_esw_funcs_changed_handler(struct notifier_block *nb, unsigned long type
esw = container_of(esw_funcs, struct mlx5_eswitch, esw_funcs);
host_work->esw = esw;
+ host_work->work_gen = atomic_read(&esw_funcs->generation);
INIT_WORK(&host_work->work, esw_functions_changed_event_handler);
queue_work(esw->work_queue, &host_work->work);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 113/567] drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 112/567] Squashfs: check metadata block offset is within range Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 114/567] drbd: fix null-pointer dereference on local read error Greg Kroah-Hartman
` (264 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lars Ellenberg,
Christoph Böhmwalder, Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lars Ellenberg <lars.ellenberg@linbit.com>
commit ab140365fb62c0bdab22b2f516aff563b2559e3b upstream.
Even though we check that we "should" be able to do lc_get_cumulative()
while holding the device->al_lock spinlock, it may still fail,
if some other code path decided to do lc_try_lock() with bad timing.
If that happened, we logged "LOGIC BUG for enr=...",
but still did not return an error.
The rest of the code now assumed that this request has references
for the relevant activity log extents.
The implcations are that during an active resync, mutual exclusivity of
resync versus application IO is not guaranteed. And a potential crash
at this point may not realizs that these extents could have been target
of in-flight IO and would need to be resynced just in case.
Also, once the request completes, it will give up activity log references it
does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().
Fix:
Do not crash the kernel for a condition that is harmless during normal
operation: also catch "e->refcnt == 0", not only "e == NULL"
when being noisy about "al_complete_io() called on inactive extent %u\n".
And do not try to be smart and "guess" whether something will work, then
be surprised when it does not.
Deal with the fact that it may or may not work. If it does not, remember a
possible "partially in activity log" state (only possible for requests that
cross extent boundaries), and return an error code from
drbd_al_begin_io_nonblock().
A latter call for the same request will then resume from where we left off.
Cc: stable@vger.kernel.org
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/drbd/drbd_actlog.c | 53 ++++++++++++++++---------------------
drivers/block/drbd/drbd_interval.h | 5 ++-
2 files changed, 27 insertions(+), 31 deletions(-)
--- a/drivers/block/drbd/drbd_actlog.c
+++ b/drivers/block/drbd/drbd_actlog.c
@@ -483,38 +483,20 @@ void drbd_al_begin_io(struct drbd_device
int drbd_al_begin_io_nonblock(struct drbd_device *device, struct drbd_interval *i)
{
- struct lru_cache *al = device->act_log;
/* for bios crossing activity log extent boundaries,
* we may need to activate two extents in one go */
unsigned first = i->sector >> (AL_EXTENT_SHIFT-9);
unsigned last = i->size == 0 ? first : (i->sector + (i->size >> 9) - 1) >> (AL_EXTENT_SHIFT-9);
- unsigned nr_al_extents;
- unsigned available_update_slots;
unsigned enr;
- D_ASSERT(device, first <= last);
-
- nr_al_extents = 1 + last - first; /* worst case: all touched extends are cold. */
- available_update_slots = min(al->nr_elements - al->used,
- al->max_pending_changes - al->pending_changes);
-
- /* We want all necessary updates for a given request within the same transaction
- * We could first check how many updates are *actually* needed,
- * and use that instead of the worst-case nr_al_extents */
- if (available_update_slots < nr_al_extents) {
- /* Too many activity log extents are currently "hot".
- *
- * If we have accumulated pending changes already,
- * we made progress.
- *
- * If we cannot get even a single pending change through,
- * stop the fast path until we made some progress,
- * or requests to "cold" extents could be starved. */
- if (!al->pending_changes)
- __set_bit(__LC_STARVING, &device->act_log->flags);
- return -ENOBUFS;
+ if (i->partially_in_al_next_enr) {
+ D_ASSERT(device, first < i->partially_in_al_next_enr);
+ D_ASSERT(device, last >= i->partially_in_al_next_enr);
+ first = i->partially_in_al_next_enr;
}
+ D_ASSERT(device, first <= last);
+
/* Is resync active in this area? */
for (enr = first; enr <= last; enr++) {
struct lc_element *tmp;
@@ -529,14 +511,21 @@ int drbd_al_begin_io_nonblock(struct drb
}
}
- /* Checkout the refcounts.
- * Given that we checked for available elements and update slots above,
- * this has to be successful. */
+ /* Try to checkout the refcounts. */
for (enr = first; enr <= last; enr++) {
struct lc_element *al_ext;
al_ext = lc_get_cumulative(device->act_log, enr);
- if (!al_ext)
- drbd_info(device, "LOGIC BUG for enr=%u\n", enr);
+
+ if (!al_ext) {
+ /* Did not work. We may have exhausted the possible
+ * changes per transaction. Or raced with someone
+ * "locking" it against changes.
+ * Remember where to continue from.
+ */
+ if (enr > first)
+ i->partially_in_al_next_enr = enr;
+ return -ENOBUFS;
+ }
}
return 0;
}
@@ -556,7 +545,11 @@ void drbd_al_complete_io(struct drbd_dev
for (enr = first; enr <= last; enr++) {
extent = lc_find(device->act_log, enr);
- if (!extent) {
+ /* Yes, this masks a bug elsewhere. However, during normal
+ * operation this is harmless, so no need to crash the kernel
+ * by the BUG_ON(refcount == 0) in lc_put().
+ */
+ if (!extent || extent->refcnt == 0) {
drbd_err(device, "al_complete_io() called on inactive extent %u\n", enr);
continue;
}
--- a/drivers/block/drbd/drbd_interval.h
+++ b/drivers/block/drbd/drbd_interval.h
@@ -8,12 +8,15 @@
struct drbd_interval {
struct rb_node rb;
sector_t sector; /* start sector of the interval */
- unsigned int size; /* size in bytes */
sector_t end; /* highest interval end in subtree */
+ unsigned int size; /* size in bytes */
unsigned int local:1 /* local or remote request? */;
unsigned int waiting:1; /* someone is waiting for completion */
unsigned int completed:1; /* this has been completed already;
* ignore for conflict detection */
+
+ /* to resume a partially successful drbd_al_begin_io_nonblock(); */
+ unsigned int partially_in_al_next_enr;
};
static inline void drbd_clear_interval(struct drbd_interval *i)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 051/481] ext4: convert bd_bitmap_page to bd_bitmap_folio
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 050/481] ext4: delete redundant calculations in ext4_mb_get_buddy_page_lock() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 052/481] ext4: convert bd_buddy_page to bd_buddy_folio Greg Kroah-Hartman
` (264 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit 99b150d84e4939735cfce245e32e3d29312c68ec ]
There is no need to make this a multi-page folio, so leave all the
infrastructure around it in pages. But since we're locking it, playing
with its refcount and checking whether it's uptodate, it needs to move
to the folio API.
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Link: https://lore.kernel.org/r/20240416172900.244637-2-willy@infradead.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: bdc56a9c46b2 ("ext4: fix e4b bitmap inconsistency reports")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 98 ++++++++++++++++++++++++-----------------------
fs/ext4/mballoc.h | 2 +-
2 files changed, 52 insertions(+), 48 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 899d7eb6df3dc..083e4904ed679 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1345,9 +1345,10 @@ static int ext4_mb_get_buddy_page_lock(struct super_block *sb,
int block, pnum, poff;
int blocks_per_page;
struct page *page;
+ struct folio *folio;
e4b->bd_buddy_page = NULL;
- e4b->bd_bitmap_page = NULL;
+ e4b->bd_bitmap_folio = NULL;
blocks_per_page = PAGE_SIZE / sb->s_blocksize;
/*
@@ -1358,12 +1359,13 @@ static int ext4_mb_get_buddy_page_lock(struct super_block *sb,
block = group * 2;
pnum = block / blocks_per_page;
poff = block % blocks_per_page;
- page = find_or_create_page(inode->i_mapping, pnum, gfp);
- if (!page)
- return -ENOMEM;
- BUG_ON(page->mapping != inode->i_mapping);
- e4b->bd_bitmap_page = page;
- e4b->bd_bitmap = page_address(page) + (poff * sb->s_blocksize);
+ folio = __filemap_get_folio(inode->i_mapping, pnum,
+ FGP_LOCK | FGP_ACCESSED | FGP_CREAT, gfp);
+ if (IS_ERR(folio))
+ return PTR_ERR(folio);
+ BUG_ON(folio->mapping != inode->i_mapping);
+ e4b->bd_bitmap_folio = folio;
+ e4b->bd_bitmap = folio_address(folio) + (poff * sb->s_blocksize);
if (blocks_per_page >= 2) {
/* buddy and bitmap are on the same page */
@@ -1381,9 +1383,9 @@ static int ext4_mb_get_buddy_page_lock(struct super_block *sb,
static void ext4_mb_put_buddy_page_lock(struct ext4_buddy *e4b)
{
- if (e4b->bd_bitmap_page) {
- unlock_page(e4b->bd_bitmap_page);
- put_page(e4b->bd_bitmap_page);
+ if (e4b->bd_bitmap_folio) {
+ folio_unlock(e4b->bd_bitmap_folio);
+ folio_put(e4b->bd_bitmap_folio);
}
if (e4b->bd_buddy_page) {
unlock_page(e4b->bd_buddy_page);
@@ -1403,6 +1405,7 @@ int ext4_mb_init_group(struct super_block *sb, ext4_group_t group, gfp_t gfp)
struct ext4_group_info *this_grp;
struct ext4_buddy e4b;
struct page *page;
+ struct folio *folio;
int ret = 0;
might_sleep();
@@ -1429,11 +1432,11 @@ int ext4_mb_init_group(struct super_block *sb, ext4_group_t group, gfp_t gfp)
goto err;
}
- page = e4b.bd_bitmap_page;
- ret = ext4_mb_init_cache(page, NULL, gfp);
+ folio = e4b.bd_bitmap_folio;
+ ret = ext4_mb_init_cache(&folio->page, NULL, gfp);
if (ret)
goto err;
- if (!PageUptodate(page)) {
+ if (!folio_test_uptodate(folio)) {
ret = -EIO;
goto err;
}
@@ -1475,6 +1478,7 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
int pnum;
int poff;
struct page *page;
+ struct folio *folio;
int ret;
struct ext4_group_info *grp;
struct ext4_sb_info *sbi = EXT4_SB(sb);
@@ -1493,7 +1497,7 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
e4b->bd_sb = sb;
e4b->bd_group = group;
e4b->bd_buddy_page = NULL;
- e4b->bd_bitmap_page = NULL;
+ e4b->bd_bitmap_folio = NULL;
if (unlikely(EXT4_MB_GRP_NEED_INIT(grp))) {
/*
@@ -1514,53 +1518,53 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
pnum = block / blocks_per_page;
poff = block % blocks_per_page;
- /* we could use find_or_create_page(), but it locks page
- * what we'd like to avoid in fast path ... */
- page = find_get_page_flags(inode->i_mapping, pnum, FGP_ACCESSED);
- if (page == NULL || !PageUptodate(page)) {
- if (page)
+ /* Avoid locking the folio in the fast path ... */
+ folio = __filemap_get_folio(inode->i_mapping, pnum, FGP_ACCESSED, 0);
+ if (IS_ERR(folio) || !folio_test_uptodate(folio)) {
+ if (!IS_ERR(folio))
/*
- * drop the page reference and try
- * to get the page with lock. If we
+ * drop the folio reference and try
+ * to get the folio with lock. If we
* are not uptodate that implies
- * somebody just created the page but
- * is yet to initialize the same. So
+ * somebody just created the folio but
+ * is yet to initialize it. So
* wait for it to initialize.
*/
- put_page(page);
- page = find_or_create_page(inode->i_mapping, pnum, gfp);
- if (page) {
- if (WARN_RATELIMIT(page->mapping != inode->i_mapping,
- "ext4: bitmap's paging->mapping != inode->i_mapping\n")) {
+ folio_put(folio);
+ folio = __filemap_get_folio(inode->i_mapping, pnum,
+ FGP_LOCK | FGP_ACCESSED | FGP_CREAT, gfp);
+ if (!IS_ERR(folio)) {
+ if (WARN_RATELIMIT(folio->mapping != inode->i_mapping,
+ "ext4: bitmap's mapping != inode->i_mapping\n")) {
/* should never happen */
- unlock_page(page);
+ folio_unlock(folio);
ret = -EINVAL;
goto err;
}
- if (!PageUptodate(page)) {
- ret = ext4_mb_init_cache(page, NULL, gfp);
+ if (!folio_test_uptodate(folio)) {
+ ret = ext4_mb_init_cache(&folio->page, NULL, gfp);
if (ret) {
- unlock_page(page);
+ folio_unlock(folio);
goto err;
}
- mb_cmp_bitmaps(e4b, page_address(page) +
+ mb_cmp_bitmaps(e4b, folio_address(folio) +
(poff * sb->s_blocksize));
}
- unlock_page(page);
+ folio_unlock(folio);
}
}
- if (page == NULL) {
- ret = -ENOMEM;
+ if (IS_ERR(folio)) {
+ ret = PTR_ERR(folio);
goto err;
}
- if (!PageUptodate(page)) {
+ if (!folio_test_uptodate(folio)) {
ret = -EIO;
goto err;
}
/* Pages marked accessed already */
- e4b->bd_bitmap_page = page;
- e4b->bd_bitmap = page_address(page) + (poff * sb->s_blocksize);
+ e4b->bd_bitmap_folio = folio;
+ e4b->bd_bitmap = folio_address(folio) + (poff * sb->s_blocksize);
block++;
pnum = block / blocks_per_page;
@@ -1608,8 +1612,8 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
err:
if (page)
put_page(page);
- if (e4b->bd_bitmap_page)
- put_page(e4b->bd_bitmap_page);
+ if (e4b->bd_bitmap_folio)
+ folio_put(e4b->bd_bitmap_folio);
e4b->bd_buddy = NULL;
e4b->bd_bitmap = NULL;
@@ -1624,8 +1628,8 @@ static int ext4_mb_load_buddy(struct super_block *sb, ext4_group_t group,
static void ext4_mb_unload_buddy(struct ext4_buddy *e4b)
{
- if (e4b->bd_bitmap_page)
- put_page(e4b->bd_bitmap_page);
+ if (e4b->bd_bitmap_folio)
+ folio_put(e4b->bd_bitmap_folio);
if (e4b->bd_buddy_page)
put_page(e4b->bd_buddy_page);
}
@@ -2050,7 +2054,7 @@ static void ext4_mb_use_best_found(struct ext4_allocation_context *ac,
* double allocate blocks. The reference is dropped
* in ext4_mb_release_context
*/
- ac->ac_bitmap_page = e4b->bd_bitmap_page;
+ ac->ac_bitmap_page = &e4b->bd_bitmap_folio->page;
get_page(ac->ac_bitmap_page);
ac->ac_buddy_page = e4b->bd_buddy_page;
get_page(ac->ac_buddy_page);
@@ -3715,7 +3719,7 @@ static void ext4_free_data_in_buddy(struct super_block *sb,
* balance refcounts from ext4_mb_free_metadata()
*/
put_page(e4b.bd_buddy_page);
- put_page(e4b.bd_bitmap_page);
+ folio_put(e4b.bd_bitmap_folio);
}
ext4_unlock_group(sb, entry->efd_group);
ext4_mb_unload_buddy(&e4b);
@@ -5888,7 +5892,7 @@ ext4_mb_free_metadata(handle_t *handle, struct ext4_buddy *e4b,
struct rb_node *parent = NULL, *new_node;
BUG_ON(!ext4_handle_valid(handle));
- BUG_ON(e4b->bd_bitmap_page == NULL);
+ BUG_ON(e4b->bd_bitmap_folio == NULL);
BUG_ON(e4b->bd_buddy_page == NULL);
new_node = &new_entry->efd_node;
@@ -5901,7 +5905,7 @@ ext4_mb_free_metadata(handle_t *handle, struct ext4_buddy *e4b,
* on-disk bitmap and lose not-yet-available
* blocks */
get_page(e4b->bd_buddy_page);
- get_page(e4b->bd_bitmap_page);
+ folio_get(e4b->bd_bitmap_folio);
}
while (*n) {
parent = *n;
diff --git a/fs/ext4/mballoc.h b/fs/ext4/mballoc.h
index 2d95fcab941f6..24e7c7a04f674 100644
--- a/fs/ext4/mballoc.h
+++ b/fs/ext4/mballoc.h
@@ -203,7 +203,7 @@ struct ext4_allocation_context {
struct ext4_buddy {
struct page *bd_buddy_page;
void *bd_buddy;
- struct page *bd_bitmap_page;
+ struct folio *bd_bitmap_folio;
void *bd_bitmap;
struct ext4_group_info *bd_info;
struct super_block *bd_sb;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 038/460] net/mlx5: Fix crash when moving to switchdev mode
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 037/460] net/mlx5: Fix deadlock between devlink lock and esw->wq Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 039/460] net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery Greg Kroah-Hartman
` (264 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Patrisious Haddad, Leon Romanovsky,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Patrisious Haddad <phaddad@nvidia.com>
[ Upstream commit 24b2795f9683e092dc22a68f487e7aaaf2ddafea ]
When moving to switchdev mode when the device doesn't support IPsec,
we try to clean up the IPsec resources anyway which causes the crash
below, fix that by correctly checking for IPsec support before trying
to clean up its resources.
[27642.515799] WARNING: arch/x86/mm/fault.c:1276 at
do_user_addr_fault+0x18a/0x680, CPU#4: devlink/6490
[27642.517159] Modules linked in: xt_conntrack xt_MASQUERADE
ip6table_nat ip6table_filter ip6_tables iptable_nat nf_nat xt_addrtype
rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_fwctl nfnetlink
zram zsmalloc mlx5_ib fuse rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi
scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_core
ib_core
[27642.521358] CPU: 4 UID: 0 PID: 6490 Comm: devlink Not tainted
6.19.0-rc5_for_upstream_min_debug_2026_01_14_16_47 #1 NONE
[27642.522923] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[27642.524528] RIP: 0010:do_user_addr_fault+0x18a/0x680
[27642.525362] Code: ff 0f 84 75 03 00 00 48 89 ee 4c 89 e7 e8 5e b9 22
00 49 89 c0 48 85 c0 0f 84 a8 02 00 00 f7 c3 60 80 00 00 74 22 31 c9 eb
ae <0f> 0b 48 83 c4 10 48 89 ea 48 89 de 4c 89 f7 5b 5d 41 5c 41 5d
41
[27642.528166] RSP: 0018:ffff88810770f6b8 EFLAGS: 00010046
[27642.529038] RAX: 0000000000000000 RBX: 0000000000000002 RCX:
ffff88810b980f00
[27642.530158] RDX: 00000000000000a0 RSI: 0000000000000002 RDI:
ffff88810770f728
[27642.531270] RBP: 00000000000000a0 R08: 0000000000000000 R09:
0000000000000000
[27642.532383] R10: 0000000000000000 R11: 0000000000000000 R12:
ffff888103f3c4c0
[27642.533499] R13: 0000000000000000 R14: ffff88810770f728 R15:
0000000000000000
[27642.534614] FS: 00007f197c741740(0000) GS:ffff88856a94c000(0000)
knlGS:0000000000000000
[27642.535915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[27642.536858] CR2: 00000000000000a0 CR3: 000000011334c003 CR4:
0000000000172eb0
[27642.537982] Call Trace:
[27642.538466] <TASK>
[27642.538907] exc_page_fault+0x76/0x140
[27642.539583] asm_exc_page_fault+0x22/0x30
[27642.540282] RIP: 0010:_raw_spin_lock_irqsave+0x10/0x30
[27642.541134] Code: 07 85 c0 75 11 ba ff 00 00 00 f0 0f b1 17 75 06 b8
01 00 00 00 c3 31 c0 c3 90 0f 1f 44 00 00 53 9c 5b fa 31 c0 ba 01 00 00
00 <f0> 0f b1 17 75 05 48 89 d8 5b c3 89 c6 e8 7e 02 00 00 48 89 d8
5b
[27642.543936] RSP: 0018:ffff88810770f7d8 EFLAGS: 00010046
[27642.544803] RAX: 0000000000000000 RBX: 0000000000000202 RCX:
ffff888113ad96d8
[27642.545916] RDX: 0000000000000001 RSI: ffff88810770f818 RDI:
00000000000000a0
[27642.547027] RBP: 0000000000000098 R08: 0000000000000400 R09:
ffff88810b980f00
[27642.548140] R10: 0000000000000001 R11: ffff888101845a80 R12:
00000000000000a8
[27642.549263] R13: ffffffffa02a9060 R14: 00000000000000a0 R15:
ffff8881130d8a40
[27642.550379] complete_all+0x20/0x90
[27642.551010] mlx5e_ipsec_disable_events+0xb6/0xf0 [mlx5_core]
[27642.552022] mlx5e_nic_disable+0x12d/0x220 [mlx5_core]
[27642.552929] mlx5e_detach_netdev+0x66/0xf0 [mlx5_core]
[27642.553822] mlx5e_netdev_change_profile+0x5b/0x120 [mlx5_core]
[27642.554821] mlx5e_vport_rep_load+0x419/0x590 [mlx5_core]
[27642.555757] ? xa_load+0x53/0x90
[27642.556361] __esw_offloads_load_rep+0x54/0x70 [mlx5_core]
[27642.557328] mlx5_esw_offloads_rep_load+0x45/0xd0 [mlx5_core]
[27642.558320] esw_offloads_enable+0xb4b/0xc90 [mlx5_core]
[27642.559247] mlx5_eswitch_enable_locked+0x34e/0x4f0 [mlx5_core]
[27642.560257] ? mlx5_rescan_drivers_locked+0x222/0x2d0 [mlx5_core]
[27642.561284] mlx5_devlink_eswitch_mode_set+0x5ac/0x9c0 [mlx5_core]
[27642.562334] ? devlink_rate_set_ops_supported+0x21/0x3a0
[27642.563220] devlink_nl_eswitch_set_doit+0x67/0xe0
[27642.564026] genl_family_rcv_msg_doit+0xe0/0x130
[27642.564816] genl_rcv_msg+0x183/0x290
[27642.565466] ? __devlink_nl_pre_doit.isra.0+0x160/0x160
[27642.566329] ? devlink_nl_eswitch_get_doit+0x290/0x290
[27642.567181] ? devlink_nl_pre_doit_parent_dev_optional+0x20/0x20
[27642.568147] ? genl_family_rcv_msg_dumpit+0xf0/0xf0
[27642.568966] netlink_rcv_skb+0x4b/0xf0
[27642.569629] genl_rcv+0x24/0x40
[27642.570215] netlink_unicast+0x255/0x380
[27642.570901] ? __alloc_skb+0xfa/0x1e0
[27642.571560] netlink_sendmsg+0x1f3/0x420
[27642.572249] __sock_sendmsg+0x38/0x60
[27642.572911] __sys_sendto+0x119/0x180
[27642.573561] ? __sys_recvmsg+0x5c/0xb0
[27642.574227] __x64_sys_sendto+0x20/0x30
[27642.574904] do_syscall_64+0x55/0xc10
[27642.575554] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[27642.576391] RIP: 0033:0x7f197c85e807
[27642.577050] Code: c7 c0 ff ff ff ff eb be 66 2e 0f 1f 84 00 00 00 00
00 90 f3 0f 1e fa 80 3d 45 08 0d 00 00 41 89 ca 74 10 b8 2c 00 00 00 0f
05 <48> 3d 00 f0 ff ff 77 69 c3 55 48 89 e5 53 48 83 ec 38 44 89 4d
d0
[27642.579846] RSP: 002b:00007ffebd4e2248 EFLAGS: 00000202 ORIG_RAX:
000000000000002c
[27642.581082] RAX: ffffffffffffffda RBX: 000055cfcd9cd2a0 RCX:
00007f197c85e807
[27642.582200] RDX: 0000000000000038 RSI: 000055cfcd9cd490 RDI:
0000000000000003
[27642.583320] RBP: 00007ffebd4e2290 R08: 00007f197c942200 R09:
000000000000000c
[27642.584437] R10: 0000000000000000 R11: 0000000000000202 R12:
0000000000000000
[27642.585555] R13: 000055cfcd9cd490 R14: 00007ffebd4e45d1 R15:
000055cfcd9cd2a0
[27642.586671] </TASK>
[27642.587121] ---[ end trace 0000000000000000 ]---
[27642.587910] BUG: kernel NULL pointer dereference, address:
00000000000000a0
Fixes: 664f76be38a1 ("net/mlx5: Fix IPsec cleanup over MPV device")
Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260305142634.1813208-2-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index 831d4b17ad07a..c48eeb399a422 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -2449,7 +2449,7 @@ void mlx5e_ipsec_disable_events(struct mlx5e_priv *priv)
goto out;
peer_priv = mlx5_devcom_get_next_peer_data(priv->devcom, &tmp);
- if (peer_priv)
+ if (peer_priv && peer_priv->ipsec)
complete_all(&peer_priv->ipsec->comp);
mlx5_devcom_for_each_peer_end(priv->devcom);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 114/567] drbd: fix null-pointer dereference on local read error
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 113/567] drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 115/567] smb: client: fix cifs_pick_channel when channels are equally loaded Greg Kroah-Hartman
` (263 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tuo Li, Christoph Böhmwalder,
Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
commit 0d195d3b205ca90db30d70d09d7bb6909aac178f upstream.
In drbd_request_endio(), READ_COMPLETED_WITH_ERROR is passed to
__req_mod() with a NULL peer_device:
__req_mod(req, what, NULL, &m);
The READ_COMPLETED_WITH_ERROR handler then unconditionally passes this
NULL peer_device to drbd_set_out_of_sync(), which dereferences it,
causing a null-pointer dereference.
Fix this by obtaining the peer_device via first_peer_device(device),
matching how drbd_req_destroy() handles the same situation.
Cc: stable@vger.kernel.org
Reported-by: Tuo Li <islituo@gmail.com>
Link: https://lore.kernel.org/linux-block/20260104165355.151864-1-islituo@gmail.com
Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/drbd/drbd_req.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/block/drbd/drbd_req.c
+++ b/drivers/block/drbd/drbd_req.c
@@ -621,7 +621,8 @@ int __req_mod(struct drbd_request *req,
break;
case READ_COMPLETED_WITH_ERROR:
- drbd_set_out_of_sync(peer_device, req->i.sector, req->i.size);
+ drbd_set_out_of_sync(first_peer_device(device),
+ req->i.sector, req->i.size);
drbd_report_io_error(device, req);
__drbd_chk_io_error(device, DRBD_READ_ERROR);
fallthrough;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 052/481] ext4: convert bd_buddy_page to bd_buddy_folio
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 051/481] ext4: convert bd_bitmap_page to bd_bitmap_folio Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 053/481] ext4: fix e4b bitmap inconsistency reports Greg Kroah-Hartman
` (263 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit 5eea586b47f05b5f5518cf8f9dd9283a01a8066d ]
There is no need to make this a multi-page folio, so leave all the
infrastructure around it in pages. But since we're locking it, playing
with its refcount and checking whether it's uptodate, it needs to move
to the folio API.
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Link: https://lore.kernel.org/r/20240416172900.244637-3-willy@infradead.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: bdc56a9c46b2 ("ext4: fix e4b bitmap inconsistency reports")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 91 +++++++++++++++++++++++------------------------
fs/ext4/mballoc.h | 2 +-
2 files changed, 46 insertions(+), 47 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 083e4904ed679..19e5b57387d60 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1336,7 +1336,7 @@ static int ext4_mb_init_cache(struct page *page, char *incore, gfp_t gfp)
* Lock the buddy and bitmap pages. This make sure other parallel init_group
* on the same buddy page doesn't happen whild holding the buddy page lock.
* Return locked buddy and bitmap pages on e4b struct. If buddy and bitmap
- * are on the same page e4b->bd_buddy_page is NULL and return value is 0.
+ * are on the same page e4b->bd_buddy_folio is NULL and return value is 0.
*/
static int ext4_mb_get_buddy_page_lock(struct super_block *sb,
ext4_group_t group, struct ext4_buddy *e4b, gfp_t gfp)
@@ -1344,10 +1344,9 @@ static int ext4_mb_get_buddy_page_lock(struct super_block *sb,
struct inode *inode = EXT4_SB(sb)->s_buddy_cache;
int block, pnum, poff;
int blocks_per_page;
- struct page *page;
struct folio *folio;
- e4b->bd_buddy_page = NULL;
+ e4b->bd_buddy_folio = NULL;
e4b->bd_bitmap_folio = NULL;
blocks_per_page = PAGE_SIZE / sb->s_blocksize;
@@ -1373,11 +1372,12 @@ static int ext4_mb_get_buddy_page_lock(struct super_block *sb,
}
/* blocks_per_page == 1, hence we need another page for the buddy */
- page = find_or_create_page(inode->i_mapping, block + 1, gfp);
- if (!page)
- return -ENOMEM;
- BUG_ON(page->mapping != inode->i_mapping);
- e4b->bd_buddy_page = page;
+ folio = __filemap_get_folio(inode->i_mapping, block + 1,
+ FGP_LOCK | FGP_ACCESSED | FGP_CREAT, gfp);
+ if (IS_ERR(folio))
+ return PTR_ERR(folio);
+ BUG_ON(folio->mapping != inode->i_mapping);
+ e4b->bd_buddy_folio = folio;
return 0;
}
@@ -1387,9 +1387,9 @@ static void ext4_mb_put_buddy_page_lock(struct ext4_buddy *e4b)
folio_unlock(e4b->bd_bitmap_folio);
folio_put(e4b->bd_bitmap_folio);
}
- if (e4b->bd_buddy_page) {
- unlock_page(e4b->bd_buddy_page);
- put_page(e4b->bd_buddy_page);
+ if (e4b->bd_buddy_folio) {
+ folio_unlock(e4b->bd_buddy_folio);
+ folio_put(e4b->bd_buddy_folio);
}
}
@@ -1404,7 +1404,6 @@ int ext4_mb_init_group(struct super_block *sb, ext4_group_t group, gfp_t gfp)
struct ext4_group_info *this_grp;
struct ext4_buddy e4b;
- struct page *page;
struct folio *folio;
int ret = 0;
@@ -1441,7 +1440,7 @@ int ext4_mb_init_group(struct super_block *sb, ext4_group_t group, gfp_t gfp)
goto err;
}
- if (e4b.bd_buddy_page == NULL) {
+ if (e4b.bd_buddy_folio == NULL) {
/*
* If both the bitmap and buddy are in
* the same page we don't need to force
@@ -1451,11 +1450,11 @@ int ext4_mb_init_group(struct super_block *sb, ext4_group_t group, gfp_t gfp)
goto err;
}
/* init buddy cache */
- page = e4b.bd_buddy_page;
- ret = ext4_mb_init_cache(page, e4b.bd_bitmap, gfp);
+ folio = e4b.bd_buddy_folio;
+ ret = ext4_mb_init_cache(&folio->page, e4b.bd_bitmap, gfp);
if (ret)
goto err;
- if (!PageUptodate(page)) {
+ if (!folio_test_uptodate(folio)) {
ret = -EIO;
goto err;
}
@@ -1477,7 +1476,6 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
int block;
int pnum;
int poff;
- struct page *page;
struct folio *folio;
int ret;
struct ext4_group_info *grp;
@@ -1496,7 +1494,7 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
e4b->bd_info = grp;
e4b->bd_sb = sb;
e4b->bd_group = group;
- e4b->bd_buddy_page = NULL;
+ e4b->bd_buddy_folio = NULL;
e4b->bd_bitmap_folio = NULL;
if (unlikely(EXT4_MB_GRP_NEED_INIT(grp))) {
@@ -1562,7 +1560,7 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
goto err;
}
- /* Pages marked accessed already */
+ /* Folios marked accessed already */
e4b->bd_bitmap_folio = folio;
e4b->bd_bitmap = folio_address(folio) + (poff * sb->s_blocksize);
@@ -1570,48 +1568,49 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
pnum = block / blocks_per_page;
poff = block % blocks_per_page;
- page = find_get_page_flags(inode->i_mapping, pnum, FGP_ACCESSED);
- if (page == NULL || !PageUptodate(page)) {
- if (page)
- put_page(page);
- page = find_or_create_page(inode->i_mapping, pnum, gfp);
- if (page) {
- if (WARN_RATELIMIT(page->mapping != inode->i_mapping,
- "ext4: buddy bitmap's page->mapping != inode->i_mapping\n")) {
+ folio = __filemap_get_folio(inode->i_mapping, pnum, FGP_ACCESSED, 0);
+ if (IS_ERR(folio) || !folio_test_uptodate(folio)) {
+ if (!IS_ERR(folio))
+ folio_put(folio);
+ folio = __filemap_get_folio(inode->i_mapping, pnum,
+ FGP_LOCK | FGP_ACCESSED | FGP_CREAT, gfp);
+ if (!IS_ERR(folio)) {
+ if (WARN_RATELIMIT(folio->mapping != inode->i_mapping,
+ "ext4: buddy bitmap's mapping != inode->i_mapping\n")) {
/* should never happen */
- unlock_page(page);
+ folio_unlock(folio);
ret = -EINVAL;
goto err;
}
- if (!PageUptodate(page)) {
- ret = ext4_mb_init_cache(page, e4b->bd_bitmap,
+ if (!folio_test_uptodate(folio)) {
+ ret = ext4_mb_init_cache(&folio->page, e4b->bd_bitmap,
gfp);
if (ret) {
- unlock_page(page);
+ folio_unlock(folio);
goto err;
}
}
- unlock_page(page);
+ folio_unlock(folio);
}
}
- if (page == NULL) {
- ret = -ENOMEM;
+ if (IS_ERR(folio)) {
+ ret = PTR_ERR(folio);
goto err;
}
- if (!PageUptodate(page)) {
+ if (!folio_test_uptodate(folio)) {
ret = -EIO;
goto err;
}
- /* Pages marked accessed already */
- e4b->bd_buddy_page = page;
- e4b->bd_buddy = page_address(page) + (poff * sb->s_blocksize);
+ /* Folios marked accessed already */
+ e4b->bd_buddy_folio = folio;
+ e4b->bd_buddy = folio_address(folio) + (poff * sb->s_blocksize);
return 0;
err:
- if (page)
- put_page(page);
+ if (folio)
+ folio_put(folio);
if (e4b->bd_bitmap_folio)
folio_put(e4b->bd_bitmap_folio);
@@ -1630,8 +1629,8 @@ static void ext4_mb_unload_buddy(struct ext4_buddy *e4b)
{
if (e4b->bd_bitmap_folio)
folio_put(e4b->bd_bitmap_folio);
- if (e4b->bd_buddy_page)
- put_page(e4b->bd_buddy_page);
+ if (e4b->bd_buddy_folio)
+ folio_put(e4b->bd_buddy_folio);
}
@@ -2056,7 +2055,7 @@ static void ext4_mb_use_best_found(struct ext4_allocation_context *ac,
*/
ac->ac_bitmap_page = &e4b->bd_bitmap_folio->page;
get_page(ac->ac_bitmap_page);
- ac->ac_buddy_page = e4b->bd_buddy_page;
+ ac->ac_buddy_page = &e4b->bd_buddy_folio->page;
get_page(ac->ac_buddy_page);
/* store last allocated for subsequent stream allocation */
if (ac->ac_flags & EXT4_MB_STREAM_ALLOC) {
@@ -3718,7 +3717,7 @@ static void ext4_free_data_in_buddy(struct super_block *sb,
/* No more items in the per group rb tree
* balance refcounts from ext4_mb_free_metadata()
*/
- put_page(e4b.bd_buddy_page);
+ folio_put(e4b.bd_buddy_folio);
folio_put(e4b.bd_bitmap_folio);
}
ext4_unlock_group(sb, entry->efd_group);
@@ -5893,7 +5892,7 @@ ext4_mb_free_metadata(handle_t *handle, struct ext4_buddy *e4b,
BUG_ON(!ext4_handle_valid(handle));
BUG_ON(e4b->bd_bitmap_folio == NULL);
- BUG_ON(e4b->bd_buddy_page == NULL);
+ BUG_ON(e4b->bd_buddy_folio == NULL);
new_node = &new_entry->efd_node;
cluster = new_entry->efd_start_cluster;
@@ -5904,7 +5903,7 @@ ext4_mb_free_metadata(handle_t *handle, struct ext4_buddy *e4b,
* otherwise we'll refresh it from
* on-disk bitmap and lose not-yet-available
* blocks */
- get_page(e4b->bd_buddy_page);
+ folio_get(e4b->bd_buddy_folio);
folio_get(e4b->bd_bitmap_folio);
}
while (*n) {
diff --git a/fs/ext4/mballoc.h b/fs/ext4/mballoc.h
index 24e7c7a04f674..fe4dbbbbe8725 100644
--- a/fs/ext4/mballoc.h
+++ b/fs/ext4/mballoc.h
@@ -201,7 +201,7 @@ struct ext4_allocation_context {
#define AC_STATUS_BREAK 3
struct ext4_buddy {
- struct page *bd_buddy_page;
+ struct folio *bd_buddy_folio;
void *bd_buddy;
struct folio *bd_bitmap_folio;
void *bd_bitmap;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 039/460] net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 038/460] net/mlx5: Fix crash when moving to switchdev mode Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 040/460] net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit Greg Kroah-Hartman
` (263 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gal Pressman, Dragos Tatulea,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit 1633111d69053512d099658d4a05fc736fab36b0 ]
In case of a TX error CQE, a recovery flow is triggered,
mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc,
desyncing the DMA FIFO producer and consumer.
After recovery, the producer pushes new DMA entries at the old
dma_fifo_pc, while the consumer reads from position 0.
This causes us to unmap stale DMA addresses from before the recovery.
The DMA FIFO is a purely software construct with no HW counterpart.
At the point of reset, all WQEs have been flushed so dma_fifo_cc is
already equal to dma_fifo_pc. There is no need to reset either counter,
similar to how skb_fifo pc/cc are untouched.
Remove the 'dma_fifo_cc = 0' reset.
This fixes the following WARNING:
WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90
Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables]
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:iommu_dma_unmap_page+0x79/0x90
Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00
Call Trace:
<IRQ>
? __warn+0x7d/0x110
? iommu_dma_unmap_page+0x79/0x90
? report_bug+0x16d/0x180
? handle_bug+0x4f/0x90
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? iommu_dma_unmap_page+0x79/0x90
? iommu_dma_unmap_page+0x2e/0x90
dma_unmap_page_attrs+0x10d/0x1b0
mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core]
mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core]
mlx5e_napi_poll+0x8b/0xac0 [mlx5_core]
__napi_poll+0x24/0x190
net_rx_action+0x32a/0x3b0
? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core]
? notifier_call_chain+0x35/0xa0
handle_softirqs+0xc9/0x270
irq_exit_rcu+0x71/0xd0
common_interrupt+0x7f/0xa0
</IRQ>
<TASK>
asm_common_interrupt+0x22/0x40
Fixes: db75373c91b0 ("net/mlx5e: Recover Send Queue (SQ) from error state")
Signed-off-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260305142634.1813208-4-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
index dbd9482359e1e..74f9703013b43 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
@@ -45,7 +45,6 @@ static void mlx5e_reset_txqsq_cc_pc(struct mlx5e_txqsq *sq)
"SQ 0x%x: cc (0x%x) != pc (0x%x)\n",
sq->sqn, sq->cc, sq->pc);
sq->cc = 0;
- sq->dma_fifo_cc = 0;
sq->pc = 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 115/567] smb: client: fix cifs_pick_channel when channels are equally loaded
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 114/567] drbd: fix null-pointer dereference on local read error Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 116/567] smb: client: fix broken multichannel with krb5+signing Greg Kroah-Hartman
` (262 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henrique Carvalho,
Paulo Alcantara (Red Hat), Meetakshi Setiya, Shyam Prasad N,
Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henrique Carvalho <henrique.carvalho@suse.com>
commit 663c28469d3274d6456f206a6671c91493d85ff1 upstream.
cifs_pick_channel uses (start % chan_count) when channels are equally
loaded, but that can return a channel that failed the eligibility
checks.
Drop the fallback and return the scan-selected channel instead. If none
is eligible, keep the existing behavior of using the primary channel.
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Acked-by: Meetakshi Setiya <msetiya@microsoft.com>
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/transport.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
--- a/fs/smb/client/transport.c
+++ b/fs/smb/client/transport.c
@@ -1022,16 +1022,21 @@ cifs_cancelled_callback(struct mid_q_ent
}
/*
- * Return a channel (master if none) of @ses that can be used to send
- * regular requests.
+ * cifs_pick_channel - pick an eligible channel for network operations
*
- * If we are currently binding a new channel (negprot/sess.setup),
- * return the new incomplete channel.
+ * @ses: session reference
+ *
+ * Select an eligible channel (not terminating and not marked as needing
+ * reconnect), preferring the least loaded one. If no eligible channel is
+ * found, fall back to the primary channel (index 0).
+ *
+ * Return: TCP_Server_Info pointer for the chosen channel, or NULL if @ses is
+ * NULL.
*/
struct TCP_Server_Info *cifs_pick_channel(struct cifs_ses *ses)
{
uint index = 0;
- unsigned int min_in_flight = UINT_MAX, max_in_flight = 0;
+ unsigned int min_in_flight = UINT_MAX;
struct TCP_Server_Info *server = NULL;
int i, start, cur;
@@ -1061,14 +1066,8 @@ struct TCP_Server_Info *cifs_pick_channe
min_in_flight = server->in_flight;
index = cur;
}
- if (server->in_flight > max_in_flight)
- max_in_flight = server->in_flight;
}
- /* if all channels are equally loaded, fall back to round-robin */
- if (min_in_flight == max_in_flight)
- index = (uint)start % ses->chan_count;
-
server = ses->chans[index].server;
spin_unlock(&ses->chan_lock);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 053/481] ext4: fix e4b bitmap inconsistency reports
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 052/481] ext4: convert bd_buddy_page to bd_buddy_folio Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 054/481] mfd: qcom-pm8xxx: Convert to platform remove callback returning void Greg Kroah-Hartman
` (262 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yongjian Sun, Zhang Yi, Baokun Li,
Jan Kara, Theodore Tso, stable, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongjian Sun <sunyongjian1@huawei.com>
[ Upstream commit bdc56a9c46b2a99c12313122b9352b619a2e719e ]
A bitmap inconsistency issue was observed during stress tests under
mixed huge-page workloads. Ext4 reported multiple e4b bitmap check
failures like:
ext4_mb_complex_scan_group:2508: group 350, 8179 free clusters as
per group info. But got 8192 blocks
Analysis and experimentation confirmed that the issue is caused by a
race condition between page migration and bitmap modification. Although
this timing window is extremely narrow, it is still hit in practice:
folio_lock ext4_mb_load_buddy
__migrate_folio
check ref count
folio_mc_copy __filemap_get_folio
folio_try_get(folio)
......
mb_mark_used
ext4_mb_unload_buddy
__folio_migrate_mapping
folio_ref_freeze
folio_unlock
The root cause of this issue is that the fast path of load_buddy only
increments the folio's reference count, which is insufficient to prevent
concurrent folio migration. We observed that the folio migration process
acquires the folio lock. Therefore, we can determine whether to take the
fast path in load_buddy by checking the lock status. If the folio is
locked, we opt for the slow path (which acquires the lock) to close this
concurrency window.
Additionally, this change addresses the following issues:
When the DOUBLE_CHECK macro is enabled to inspect bitmap-related
issues, the following error may be triggered:
corruption in group 324 at byte 784(6272): f in copy != ff on
disk/prealloc
Analysis reveals that this is a false positive. There is a specific race
window where the bitmap and the group descriptor become momentarily
inconsistent, leading to this error report:
ext4_mb_load_buddy ext4_mb_load_buddy
__filemap_get_folio(create|lock)
folio_lock
ext4_mb_init_cache
folio_mark_uptodate
__filemap_get_folio(no lock)
......
mb_mark_used
mb_mark_used_double
mb_cmp_bitmaps
mb_set_bits(e4b->bd_bitmap)
folio_unlock
The original logic assumed that since mb_cmp_bitmaps is called when the
bitmap is newly loaded from disk, the folio lock would be sufficient to
prevent concurrent access. However, this overlooks a specific race
condition: if another process attempts to load buddy and finds the folio
is already in an uptodate state, it will immediately begin using it without
holding folio lock.
Signed-off-by: Yongjian Sun <sunyongjian1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20260106090820.836242-1-sunyongjian@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 19e5b57387d60..93e05e6159fb8 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1518,16 +1518,17 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
/* Avoid locking the folio in the fast path ... */
folio = __filemap_get_folio(inode->i_mapping, pnum, FGP_ACCESSED, 0);
- if (IS_ERR(folio) || !folio_test_uptodate(folio)) {
+ if (IS_ERR(folio) || !folio_test_uptodate(folio) || folio_test_locked(folio)) {
+ /*
+ * folio_test_locked is employed to detect ongoing folio
+ * migrations, since concurrent migrations can lead to
+ * bitmap inconsistency. And if we are not uptodate that
+ * implies somebody just created the folio but is yet to
+ * initialize it. We can drop the folio reference and
+ * try to get the folio with lock in both cases to avoid
+ * concurrency.
+ */
if (!IS_ERR(folio))
- /*
- * drop the folio reference and try
- * to get the folio with lock. If we
- * are not uptodate that implies
- * somebody just created the folio but
- * is yet to initialize it. So
- * wait for it to initialize.
- */
folio_put(folio);
folio = __filemap_get_folio(inode->i_mapping, pnum,
FGP_LOCK | FGP_ACCESSED | FGP_CREAT, gfp);
@@ -1569,7 +1570,7 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
poff = block % blocks_per_page;
folio = __filemap_get_folio(inode->i_mapping, pnum, FGP_ACCESSED, 0);
- if (IS_ERR(folio) || !folio_test_uptodate(folio)) {
+ if (IS_ERR(folio) || !folio_test_uptodate(folio) || folio_test_locked(folio)) {
if (!IS_ERR(folio))
folio_put(folio);
folio = __filemap_get_folio(inode->i_mapping, pnum,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 040/460] net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 039/460] net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 041/460] drm/sitronix/st7586: fix bad pixel data due to byte swap Greg Kroah-Hartman
` (262 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 0cc0c2e661af418bbf7074179ea5cfffc0a5c466 ]
teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit
through slave devices, but does not update skb->dev to the slave device
beforehand.
When a gretap tunnel is a TEQL slave, the transmit path reaches
iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0
master) and later calls iptunnel_xmit_stats(dev, pkt_len). This
function does:
get_cpu_ptr(dev->tstats)
Since teql_master_setup() does not set dev->pcpu_stat_type to
NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats
for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes
NULL + __per_cpu_offset[cpu], resulting in a page fault.
BUG: unable to handle page fault for address: ffff8880e6659018
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 68bc067 P4D 68bc067 PUD 0
Oops: Oops: 0002 [#1] SMP KASAN PTI
RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)
Call Trace:
<TASK>
ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
__gre_xmit (net/ipv4/ip_gre.c:478)
gre_tap_xmit (net/ipv4/ip_gre.c:779)
teql_master_xmit (net/sched/sch_teql.c:319)
dev_hard_start_xmit (net/core/dev.c:3887)
sch_direct_xmit (net/sched/sch_generic.c:347)
__dev_queue_xmit (net/core/dev.c:4802)
neigh_direct_output (net/core/neighbour.c:1660)
ip_finish_output2 (net/ipv4/ip_output.c:237)
__ip_finish_output.part.0 (net/ipv4/ip_output.c:315)
ip_mc_output (net/ipv4/ip_output.c:369)
ip_send_skb (net/ipv4/ip_output.c:1508)
udp_send_skb (net/ipv4/udp.c:1195)
udp_sendmsg (net/ipv4/udp.c:1485)
inet_sendmsg (net/ipv4/af_inet.c:859)
__sys_sendto (net/socket.c:2206)
Fix this by setting skb->dev = slave before calling
netdev_start_xmit(), so that tunnel xmit functions see the correct
slave device with properly allocated tstats.
Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Link: https://patch.msgid.link/20260304044216.3517851-3-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_teql.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
index 6e4bdaa876ed6..783300d8b0197 100644
--- a/net/sched/sch_teql.c
+++ b/net/sched/sch_teql.c
@@ -315,6 +315,7 @@ static netdev_tx_t teql_master_xmit(struct sk_buff *skb, struct net_device *dev)
if (__netif_tx_trylock(slave_txq)) {
unsigned int length = qdisc_pkt_len(skb);
+ skb->dev = slave;
if (!netif_xmit_frozen_or_stopped(slave_txq) &&
netdev_start_xmit(skb, slave, slave_txq, false) ==
NETDEV_TX_OK) {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 116/567] smb: client: fix broken multichannel with krb5+signing
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 115/567] smb: client: fix cifs_pick_channel when channels are equally loaded Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 117/567] smb: client: Dont log plaintext credentials in cifs_set_cifscreds Greg Kroah-Hartman
` (261 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaoli Feng, Enzo Matsumiya,
Paulo Alcantara (Red Hat), David Howells, linux-cifs,
Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.org>
commit d9d1e319b39ea685ede59319002d567c159d23c3 upstream.
When mounting a share with 'multichannel,max_channels=n,sec=krb5i',
the client was duplicating signing key for all secondary channels,
thus making the server fail all commands sent from secondary channels
due to bad signatures.
Every channel has its own signing key, so when establishing a new
channel with krb5 auth, make sure to use the new session key as the
derived key to generate channel's signing key in SMB2_auth_kerberos().
Repro:
$ mount.cifs //srv/share /mnt -o multichannel,max_channels=4,sec=krb5i
$ sleep 5
$ umount /mnt
$ dmesg
...
CIFS: VFS: sign fail cmd 0x5 message id 0x2
CIFS: VFS: \\srv SMB signature verification returned error = -13
CIFS: VFS: sign fail cmd 0x5 message id 0x2
CIFS: VFS: \\srv SMB signature verification returned error = -13
CIFS: VFS: sign fail cmd 0x4 message id 0x2
CIFS: VFS: \\srv SMB signature verification returned error = -13
Reported-by: Xiaoli Feng <xifeng@redhat.com>
Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Cc: David Howells <dhowells@redhat.com>
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -1660,19 +1660,17 @@ SMB2_auth_kerberos(struct SMB2_sess_data
is_binding = (ses->ses_status == SES_GOOD);
spin_unlock(&ses->ses_lock);
- /* keep session key if binding */
- if (!is_binding) {
- kfree_sensitive(ses->auth_key.response);
- ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len,
- GFP_KERNEL);
- if (!ses->auth_key.response) {
- cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n",
- msg->sesskey_len);
- rc = -ENOMEM;
- goto out_put_spnego_key;
- }
- ses->auth_key.len = msg->sesskey_len;
+ kfree_sensitive(ses->auth_key.response);
+ ses->auth_key.response = kmemdup(msg->data,
+ msg->sesskey_len,
+ GFP_KERNEL);
+ if (!ses->auth_key.response) {
+ cifs_dbg(VFS, "%s: can't allocate (%u bytes) memory\n",
+ __func__, msg->sesskey_len);
+ rc = -ENOMEM;
+ goto out_put_spnego_key;
}
+ ses->auth_key.len = msg->sesskey_len;
sess_data->iov[1].iov_base = msg->data + msg->sesskey_len;
sess_data->iov[1].iov_len = msg->secblob_len;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 054/481] mfd: qcom-pm8xxx: Convert to platform remove callback returning void
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 053/481] ext4: fix e4b bitmap inconsistency reports Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 055/481] mfd: qcom-pm8xxx: Fix OF populate on driver rebind Greg Kroah-Hartman
` (261 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Uwe Kleine-König,
Lee Jones, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 19ea1d3953017518d85db35b69b5aea9bc64d630 ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is ignored (apart
from emitting a warning) and this typically results in resource leaks.
To improve here there is a quest to make the remove callback return
void. In the first step of this quest all drivers are converted to
.remove_new(), which already returns void. Eventually after all drivers
are converted, .remove_new() will be renamed to .remove().
Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20231123165627.492259-14-u.kleine-koenig@pengutronix.de
Signed-off-by: Lee Jones <lee@kernel.org>
Stable-dep-of: 27a8acea47a9 ("mfd: qcom-pm8xxx: Fix OF populate on driver rebind")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/qcom-pm8xxx.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/mfd/qcom-pm8xxx.c b/drivers/mfd/qcom-pm8xxx.c
index 2f2734ba5273e..8831448371290 100644
--- a/drivers/mfd/qcom-pm8xxx.c
+++ b/drivers/mfd/qcom-pm8xxx.c
@@ -587,19 +587,17 @@ static int pm8xxx_remove_child(struct device *dev, void *unused)
return 0;
}
-static int pm8xxx_remove(struct platform_device *pdev)
+static void pm8xxx_remove(struct platform_device *pdev)
{
struct pm_irq_chip *chip = platform_get_drvdata(pdev);
device_for_each_child(&pdev->dev, NULL, pm8xxx_remove_child);
irq_domain_remove(chip->irqdomain);
-
- return 0;
}
static struct platform_driver pm8xxx_driver = {
.probe = pm8xxx_probe,
- .remove = pm8xxx_remove,
+ .remove_new = pm8xxx_remove,
.driver = {
.name = "pm8xxx-core",
.of_match_table = pm8xxx_id_table,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 041/460] drm/sitronix/st7586: fix bad pixel data due to byte swap
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 040/460] net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 042/460] ASoC: soc-core: drop delayed_work_pending() check before flush Greg Kroah-Hartman
` (261 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann,
Javier Martinez Canillas, David Lechner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
[ Upstream commit 46d8a07b4ae262e2fec6ce2aa454e06243661265 ]
Correctly set dbi->write_memory_bpw for the ST7586 driver. This driver
is for a monochrome display that has an unusual data format, so the
default value set in mipi_dbi_spi_init() is not correct simply because
this controller is non-standard.
Previously, we were using dbi->swap_bytes to make the same sort of
workaround, but it was removed in the same commit that added
dbi->write_memory_bpw, so we need to use the latter now to have the
correct behavior.
This fixes every 3 columns of pixels being swapped on the display. There
are 3 pixels per byte, so the byte swap caused this effect.
Fixes: df3fb27a74a4 ("drm/mipi-dbi: Make bits per word configurable for pixel transfers")
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: David Lechner <dlechner@baylibre.com>
Link: https://patch.msgid.link/20260228-drm-mipi-dbi-fix-st7586-byte-swap-v1-1-e78f6c24cd28@baylibre.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/tiny/st7586.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/drivers/gpu/drm/tiny/st7586.c b/drivers/gpu/drm/tiny/st7586.c
index b9c6ed352182f..f8b1eaffb5e87 100644
--- a/drivers/gpu/drm/tiny/st7586.c
+++ b/drivers/gpu/drm/tiny/st7586.c
@@ -345,6 +345,12 @@ static int st7586_probe(struct spi_device *spi)
if (ret)
return ret;
+ /*
+ * Override value set by mipi_dbi_spi_init(). This driver is a bit
+ * non-standard, so best to set it explicitly here.
+ */
+ dbi->write_memory_bpw = 8;
+
/* Cannot read from this controller via SPI */
dbi->read_commands = NULL;
@@ -354,15 +360,6 @@ static int st7586_probe(struct spi_device *spi)
if (ret)
return ret;
- /*
- * we are using 8-bit data, so we are not actually swapping anything,
- * but setting mipi->swap_bytes makes mipi_dbi_typec3_command() do the
- * right thing and not use 16-bit transfers (which results in swapped
- * bytes on little-endian systems and causes out of order data to be
- * sent to the display).
- */
- dbi->swap_bytes = true;
-
drm_mode_config_reset(drm);
ret = drm_dev_register(drm, 0);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 117/567] smb: client: Dont log plaintext credentials in cifs_set_cifscreds
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 116/567] smb: client: fix broken multichannel with krb5+signing Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 118/567] scsi: core: Fix refcount leak for tagset_refcnt Greg Kroah-Hartman
` (260 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
Thorsten Blum, Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d upstream.
When debug logging is enabled, cifs_set_cifscreds() logs the key
payload and exposes the plaintext username and password. Remove the
debug log to avoid exposing credentials.
Fixes: 8a8798a5ff90 ("cifs: fetch credentials out of keyring for non-krb5 auth multiuser mounts")
Cc: stable@vger.kernel.org
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/connect.c | 1 -
1 file changed, 1 deletion(-)
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -2214,7 +2214,6 @@ cifs_set_cifscreds(struct smb3_fs_contex
/* find first : in payload */
payload = upayload->data;
delim = strnchr(payload, upayload->datalen, ':');
- cifs_dbg(FYI, "payload=%s\n", payload);
if (!delim) {
cifs_dbg(FYI, "Unable to find ':' in payload (datalen=%d)\n",
upayload->datalen);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 055/481] mfd: qcom-pm8xxx: Fix OF populate on driver rebind
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 054/481] mfd: qcom-pm8xxx: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 056/481] mfd: omap-usb-host: Convert to platform remove callback returning void Greg Kroah-Hartman
` (260 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Dmitry Baryshkov,
Konrad Dybcio, Lee Jones, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 27a8acea47a93fea6ad0e2df4c20a9b51490e4d9 ]
Since commit c6e126de43e7 ("of: Keep track of populated platform
devices") child devices will not be created by of_platform_populate()
if the devices had previously been deregistered individually so that the
OF_POPULATED flag is still set in the corresponding OF nodes.
Switch to using of_platform_depopulate() instead of open coding so that
the child devices are created if the driver is rebound.
Fixes: c6e126de43e7 ("of: Keep track of populated platform devices")
Cc: stable@vger.kernel.org # 3.16
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://patch.msgid.link/20251219110947.24101-1-johan@kernel.org
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/qcom-pm8xxx.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/drivers/mfd/qcom-pm8xxx.c b/drivers/mfd/qcom-pm8xxx.c
index 8831448371290..cbcbff3c95ecb 100644
--- a/drivers/mfd/qcom-pm8xxx.c
+++ b/drivers/mfd/qcom-pm8xxx.c
@@ -581,17 +581,11 @@ static int pm8xxx_probe(struct platform_device *pdev)
return rc;
}
-static int pm8xxx_remove_child(struct device *dev, void *unused)
-{
- platform_device_unregister(to_platform_device(dev));
- return 0;
-}
-
static void pm8xxx_remove(struct platform_device *pdev)
{
struct pm_irq_chip *chip = platform_get_drvdata(pdev);
- device_for_each_child(&pdev->dev, NULL, pm8xxx_remove_child);
+ of_platform_depopulate(&pdev->dev);
irq_domain_remove(chip->irqdomain);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 042/460] ASoC: soc-core: drop delayed_work_pending() check before flush
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 041/460] drm/sitronix/st7586: fix bad pixel data due to byte swap Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 043/460] ASoC: soc-core: flush delayed work before removing DAIs and widgets Greg Kroah-Hartman
` (260 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matteo Cotifava, Mark Brown,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: matteo.cotifava <cotifavamatteo@gmail.com>
[ Upstream commit 3c99c9f0ed60582c1c9852b685d78d5d3a50de63 ]
The delayed_work_pending() check before flush_delayed_work() in
soc_free_pcm_runtime() is unnecessary and racy. flush_delayed_work()
is safe to call unconditionally - it is a no-op when no work is
pending. Remove the check.
The original check was added by commit 9c9b65203492 ("ASoC: core:
only flush inited work during free") but delayed_work_pending()
followed by flush_delayed_work() has a time-of-check/time-of-use
window where work can become pending between the two calls.
Fixes: 9c9b65203492 ("ASoC: core: only flush inited work during free")
Signed-off-by: Matteo Cotifava <cotifavamatteo@gmail.com>
Link: https://patch.msgid.link/20260309215412.545628-2-cotifavamatteo@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 4ac870c2dafa2..791197c1e05b9 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -456,8 +456,7 @@ static void soc_free_pcm_runtime(struct snd_soc_pcm_runtime *rtd)
list_del(&rtd->list);
- if (delayed_work_pending(&rtd->delayed_work))
- flush_delayed_work(&rtd->delayed_work);
+ flush_delayed_work(&rtd->delayed_work);
snd_soc_pcm_component_free(rtd);
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 118/567] scsi: core: Fix refcount leak for tagset_refcnt
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 117/567] smb: client: Dont log plaintext credentials in cifs_set_cifscreds Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 119/567] selftests: mptcp: more stable simult_flows tests Greg Kroah-Hartman
` (259 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxiao Bi, Mike Christie,
Bart Van Assche, Martin K. Petersen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxiao Bi <junxiao.bi@oracle.com>
commit 1ac22c8eae81366101597d48360718dff9b9d980 upstream.
This leak will cause a hang when tearing down the SCSI host. For example,
iscsid hangs with the following call trace:
[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured
PID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: "iscsid"
#0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4
#1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f
#2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0
#3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f
#4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b
#5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]
#6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]
#7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]
#8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6
#9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef
Fixes: 8fe4ce5836e9 ("scsi: core: Fix a use-after-free")
Cc: stable@vger.kernel.org
Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260223232728.93350-1-junxiao.bi@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/scsi_scan.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -354,6 +354,7 @@ static struct scsi_device *scsi_alloc_sd
* since we use this queue depth most of times.
*/
if (scsi_realloc_sdev_budget_map(sdev, depth)) {
+ kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
put_device(&starget->dev);
kfree(sdev);
goto out;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 056/481] mfd: omap-usb-host: Convert to platform remove callback returning void
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 055/481] mfd: qcom-pm8xxx: Fix OF populate on driver rebind Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 057/481] mfd: omap-usb-host: Fix OF populate on driver rebind Greg Kroah-Hartman
` (259 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Lee Jones,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 418d1e74f8597e0b2d5d0d6e1be8f1f47e68f0a4 ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is ignored (apart
from emitting a warning) and this typically results in resource leaks.
To improve here there is a quest to make the remove callback return
void. In the first step of this quest all drivers are converted to
.remove_new(), which already returns void. Eventually after all drivers
are converted, .remove_new() will be renamed to .remove().
Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20231123165627.492259-11-u.kleine-koenig@pengutronix.de
Signed-off-by: Lee Jones <lee@kernel.org>
Stable-dep-of: 24804ba508a3 ("mfd: omap-usb-host: Fix OF populate on driver rebind")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/omap-usb-host.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/mfd/omap-usb-host.c b/drivers/mfd/omap-usb-host.c
index 787d2ae863752..b61fb9933aa85 100644
--- a/drivers/mfd/omap-usb-host.c
+++ b/drivers/mfd/omap-usb-host.c
@@ -818,13 +818,12 @@ static int usbhs_omap_remove_child(struct device *dev, void *data)
*
* Reverses the effect of usbhs_omap_probe().
*/
-static int usbhs_omap_remove(struct platform_device *pdev)
+static void usbhs_omap_remove(struct platform_device *pdev)
{
pm_runtime_disable(&pdev->dev);
/* remove children */
device_for_each_child(&pdev->dev, NULL, usbhs_omap_remove_child);
- return 0;
}
static const struct dev_pm_ops usbhsomap_dev_pm_ops = {
@@ -847,7 +846,7 @@ static struct platform_driver usbhs_omap_driver = {
.of_match_table = usbhs_omap_dt_ids,
},
.probe = usbhs_omap_probe,
- .remove = usbhs_omap_remove,
+ .remove_new = usbhs_omap_remove,
};
MODULE_AUTHOR("Keshava Munegowda <keshava_mgowda@ti.com>");
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 043/460] ASoC: soc-core: flush delayed work before removing DAIs and widgets
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 042/460] ASoC: soc-core: drop delayed_work_pending() check before flush Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 044/460] ASoC: simple-card-utils: use __free(device_node) for device node Greg Kroah-Hartman
` (259 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matteo Cotifava, Mark Brown,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: matteo.cotifava <cotifavamatteo@gmail.com>
[ Upstream commit 95bc5c225513fc3c4ce169563fb5e3929fbb938b ]
When a sound card is unbound while a PCM stream is open, a
use-after-free can occur in snd_soc_dapm_stream_event(), called from
the close_delayed_work workqueue handler.
During unbind, snd_soc_unbind_card() flushes delayed work and then
calls soc_cleanup_card_resources(). Inside cleanup,
snd_card_disconnect_sync() releases all PCM file descriptors, and
the resulting PCM close path can call snd_soc_dapm_stream_stop()
which schedules new delayed work with a pmdown_time timer delay.
Since this happens after the flush in snd_soc_unbind_card(), the
new work is not caught. soc_remove_link_components() then frees
DAPM widgets before this work fires, leading to the use-after-free.
The existing flush in soc_free_pcm_runtime() also cannot help as it
runs after soc_remove_link_components() has already freed the widgets.
Add a flush in soc_cleanup_card_resources() after
snd_card_disconnect_sync() (after which no new PCM closes can
schedule further delayed work) and before soc_remove_link_dais()
and soc_remove_link_components() (which tear down the structures the
delayed work accesses).
Fixes: e894efef9ac7 ("ASoC: core: add support to card rebind")
Signed-off-by: Matteo Cotifava <cotifavamatteo@gmail.com>
Link: https://patch.msgid.link/20260309215412.545628-3-cotifavamatteo@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 791197c1e05b9..ea6b39003461f 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -2114,6 +2114,9 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card)
for_each_card_rtds(card, rtd)
if (rtd->initialized)
snd_soc_link_exit(rtd);
+ /* flush delayed work before removing DAIs and DAPM widgets */
+ snd_soc_flush_all_delayed_work(card);
+
/* remove and free each DAI */
soc_remove_link_dais(card);
soc_remove_link_components(card);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 119/567] selftests: mptcp: more stable simult_flows tests
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 118/567] scsi: core: Fix refcount leak for tagset_refcnt Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 120/567] selftests: mptcp: join: check removing signal+subflow endp Greg Kroah-Hartman
` (258 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 upstream.
By default, the netem qdisc can keep up to 1000 packets under its belly
to deal with the configured rate and delay. The simult flows test-case
simulates very low speed links, to avoid problems due to slow CPUs and
the TCP stack tend to transmit at a slightly higher rate than the
(virtual) link constraints.
All the above causes a relatively large amount of packets being enqueued
in the netem qdiscs - the longer the transfer, the longer the queue -
producing increasingly high TCP RTT samples and consequently increasingly
larger receive buffer size due to DRS.
When the receive buffer size becomes considerably larger than the needed
size, the tests results can flake, i.e. because minimal inaccuracy in the
pacing rate can lead to a single subflow usage towards the end of the
connection for a considerable amount of data.
Address the issue explicitly setting netem limits suitable for the
configured link speeds and unflake all the affected tests.
Fixes: 1a418cb8e888 ("mptcp: simult flow self-tests")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-1-4b5462b6f016@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/simult_flows.sh | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/tools/testing/selftests/net/mptcp/simult_flows.sh
+++ b/tools/testing/selftests/net/mptcp/simult_flows.sh
@@ -227,10 +227,13 @@ run_test()
for dev in ns2eth1 ns2eth2; do
tc -n $ns2 qdisc del dev $dev root >/dev/null 2>&1
done
- tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1
- tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2
- tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1
- tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2
+
+ # keep the queued pkts number low, or the RTT estimator will see
+ # increasing latency over time.
+ tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1 limit 50
+ tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2 limit 50
+ tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1 limit 50
+ tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2 limit 50
# time is measured in ms, account for transfer size, aggregated link speed
# and header overhead (10%)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 057/481] mfd: omap-usb-host: Fix OF populate on driver rebind
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 056/481] mfd: omap-usb-host: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 058/481] arm64: dts: rockchip: Fix rk356x PCIe range mappings Greg Kroah-Hartman
` (258 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Andreas Kemnade,
Lee Jones, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 24804ba508a3e240501c521685a1c4eb9f574f8e ]
Since commit c6e126de43e7 ("of: Keep track of populated platform
devices") child devices will not be created by of_platform_populate()
if the devices had previously been deregistered individually so that the
OF_POPULATED flag is still set in the corresponding OF nodes.
Switch to using of_platform_depopulate() instead of open coding so that
the child devices are created if the driver is rebound.
Fixes: c6e126de43e7 ("of: Keep track of populated platform devices")
Cc: stable@vger.kernel.org # 3.16
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Andreas Kemnade <andreas@kemnade.info>
Link: https://patch.msgid.link/20251219110714.23919-1-johan@kernel.org
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/omap-usb-host.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/mfd/omap-usb-host.c b/drivers/mfd/omap-usb-host.c
index b61fb9933aa85..936faa0c26e09 100644
--- a/drivers/mfd/omap-usb-host.c
+++ b/drivers/mfd/omap-usb-host.c
@@ -822,8 +822,10 @@ static void usbhs_omap_remove(struct platform_device *pdev)
{
pm_runtime_disable(&pdev->dev);
- /* remove children */
- device_for_each_child(&pdev->dev, NULL, usbhs_omap_remove_child);
+ if (pdev->dev.of_node)
+ of_platform_depopulate(&pdev->dev);
+ else
+ device_for_each_child(&pdev->dev, NULL, usbhs_omap_remove_child);
}
static const struct dev_pm_ops usbhsomap_dev_pm_ops = {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 044/460] ASoC: simple-card-utils: use __free(device_node) for device node
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 043/460] ASoC: soc-core: flush delayed work before removing DAIs and widgets Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 045/460] ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays Greg Kroah-Hartman
` (258 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuninori Morimoto, Mark Brown,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit 419d1918105e5d9926ab02f1f834bb416dc76f65 ]
simple-card-utils handles many type of device_node, thus need to
use of_node_put() in many place. Let's use __free(device_node)
and avoid it.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87r06pfre8.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 4185b95f8a42 ("ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/generic/simple-card-utils.c | 44 +++++++++------------------
1 file changed, 14 insertions(+), 30 deletions(-)
diff --git a/sound/soc/generic/simple-card-utils.c b/sound/soc/generic/simple-card-utils.c
index 47933afdb7261..4857ceecbdc4a 100644
--- a/sound/soc/generic/simple-card-utils.c
+++ b/sound/soc/generic/simple-card-utils.c
@@ -999,35 +999,27 @@ EXPORT_SYMBOL_GPL(graph_util_card_probe);
int graph_util_is_ports0(struct device_node *np)
{
- struct device_node *port, *ports, *ports0, *top;
- int ret;
+ struct device_node *parent __free(device_node) = of_get_parent(np);
+ struct device_node *port;
/* np is "endpoint" or "port" */
- if (of_node_name_eq(np, "endpoint")) {
- port = of_get_parent(np);
- } else {
+ if (of_node_name_eq(np, "endpoint"))
+ port = parent;
+ else
port = np;
- of_node_get(port);
- }
-
- ports = of_get_parent(port);
- top = of_get_parent(ports);
- ports0 = of_get_child_by_name(top, "ports");
-
- ret = ports0 == ports;
- of_node_put(port);
- of_node_put(ports);
- of_node_put(ports0);
- of_node_put(top);
+ struct device_node *ports __free(device_node) = of_get_parent(port);
+ struct device_node *top __free(device_node) = of_get_parent(ports);
+ struct device_node *ports0 __free(device_node) = of_get_child_by_name(top, "ports");
- return ret;
+ return ports0 == ports;
}
EXPORT_SYMBOL_GPL(graph_util_is_ports0);
static int graph_get_dai_id(struct device_node *ep)
{
- struct device_node *node;
+ struct device_node *node __free(device_node) = of_graph_get_port_parent(ep);
+ struct device_node *port __free(device_node) = of_get_parent(ep);
struct device_node *endpoint;
struct of_endpoint info;
int i, id;
@@ -1050,13 +1042,10 @@ static int graph_get_dai_id(struct device_node *ep)
if (of_property_present(ep, "reg"))
return info.id;
- node = of_get_parent(ep);
- ret = of_property_present(node, "reg");
- of_node_put(node);
+ ret = of_property_present(port, "reg");
if (ret)
return info.port;
}
- node = of_graph_get_port_parent(ep);
/*
* Non HDMI sound case, counting port/endpoint on its DT
@@ -1070,8 +1059,6 @@ static int graph_get_dai_id(struct device_node *ep)
i++;
}
- of_node_put(node);
-
if (id < 0)
return -ENODEV;
@@ -1081,7 +1068,6 @@ static int graph_get_dai_id(struct device_node *ep)
int graph_util_parse_dai(struct device *dev, struct device_node *ep,
struct snd_soc_dai_link_component *dlc, int *is_single_link)
{
- struct device_node *node;
struct of_phandle_args args = {};
struct snd_soc_dai *dai;
int ret;
@@ -1089,7 +1075,7 @@ int graph_util_parse_dai(struct device *dev, struct device_node *ep,
if (!ep)
return 0;
- node = of_graph_get_port_parent(ep);
+ struct device_node *node __free(device_node) = of_graph_get_port_parent(ep);
/*
* Try to find from DAI node
@@ -1131,10 +1117,8 @@ int graph_util_parse_dai(struct device *dev, struct device_node *ep,
* if he unbinded CPU or Codec.
*/
ret = snd_soc_get_dlc(&args, dlc);
- if (ret < 0) {
- of_node_put(node);
+ if (ret < 0)
return ret;
- }
parse_dai_end:
if (is_single_link)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 120/567] selftests: mptcp: join: check removing signal+subflow endp
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 119/567] selftests: mptcp: more stable simult_flows tests Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 121/567] ARM: clean up the memset64() C wrapper Greg Kroah-Hartman
` (257 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 1777f349ff41b62dfe27454b69c27b0bc99ffca5 upstream.
This validates the previous commit: endpoints with both the signal and
subflow flags should always be marked as used even if it was not
possible to create new subflows due to the MPTCP PM limits.
For this test, an extra endpoint is created with both the signal and the
subflow flags, and limits are set not to create extra subflows. In this
case, an ADD_ADDR is sent, but no subflows are created. Still, the local
endpoint is marked as used, and no warning is fired when removing the
endpoint, after having sent a RM_ADDR.
The 'Fixes' tag here below is the same as the one from the previous
commit: this patch here is not fixing anything wrong in the selftests,
but it validates the previous fix for an issue introduced by this commit
ID.
Fixes: 85df533a787b ("mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-5-4b5462b6f016@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -2424,6 +2424,19 @@ remove_tests()
chk_rst_nr 0 0
fi
+ # signal+subflow with limits, remove
+ if reset "remove signal+subflow with limits"; then
+ pm_nl_set_limits $ns1 0 0
+ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,subflow
+ pm_nl_set_limits $ns2 0 0
+ addr_nr_ns1=-1 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 0 0 0
+ chk_add_nr 1 1
+ chk_rm_nr 1 0 invert
+ chk_rst_nr 0 0
+ fi
+
# addresses remove
if reset "remove addresses"; then
pm_nl_set_limits $ns1 3 3
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 058/481] arm64: dts: rockchip: Fix rk356x PCIe range mappings
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 057/481] mfd: omap-usb-host: Fix OF populate on driver rebind Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 059/481] clk: tegra: tegra124-emc: fix device leak on set_rate() Greg Kroah-Hartman
` (257 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Powers-Holmes, Shawn Lin,
Heiko Stuebner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shawn Lin <shawn.lin@rock-chips.com>
[ Upstream commit f63ea193a404481f080ca2958f73e9f364682db9 ]
The pcie bus address should be mapped 1:1 to the cpu side MMIO address, so
that there is no same address allocated from normal system memory. Otherwise
it's broken if the same address assigned to the EP for DMA purpose.Fix it to
sync with the vendor BSP.
Fixes: 568a67e742df ("arm64: dts: rockchip: Fix rk356x PCIe register and range mappings")
Fixes: 66b51ea7d70f ("arm64: dts: rockchip: Add rk3568 PCIe2x1 controller")
Cc: stable@vger.kernel.org
Cc: Andrew Powers-Holmes <aholmes@omnom.net>
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Link: https://patch.msgid.link/1767600929-195341-1-git-send-email-shawn.lin@rock-chips.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3568.dtsi | 4 ++--
arch/arm64/boot/dts/rockchip/rk356x.dtsi | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3568.dtsi b/arch/arm64/boot/dts/rockchip/rk3568.dtsi
index f1be76a54ceb0..4305fd20b5c32 100644
--- a/arch/arm64/boot/dts/rockchip/rk3568.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk3568.dtsi
@@ -97,7 +97,7 @@ pcie3x1: pcie@fe270000 {
<0x0 0xf2000000 0x0 0x00100000>;
ranges = <0x01000000 0x0 0xf2100000 0x0 0xf2100000 0x0 0x00100000>,
<0x02000000 0x0 0xf2200000 0x0 0xf2200000 0x0 0x01e00000>,
- <0x03000000 0x0 0x40000000 0x3 0x40000000 0x0 0x40000000>;
+ <0x03000000 0x3 0x40000000 0x3 0x40000000 0x0 0x40000000>;
reg-names = "dbi", "apb", "config";
resets = <&cru SRST_PCIE30X1_POWERUP>;
reset-names = "pipe";
@@ -150,7 +150,7 @@ pcie3x2: pcie@fe280000 {
<0x0 0xf0000000 0x0 0x00100000>;
ranges = <0x01000000 0x0 0xf0100000 0x0 0xf0100000 0x0 0x00100000>,
<0x02000000 0x0 0xf0200000 0x0 0xf0200000 0x0 0x01e00000>,
- <0x03000000 0x0 0x40000000 0x3 0x80000000 0x0 0x40000000>;
+ <0x03000000 0x3 0x80000000 0x3 0x80000000 0x0 0x40000000>;
reg-names = "dbi", "apb", "config";
resets = <&cru SRST_PCIE30X2_POWERUP>;
reset-names = "pipe";
diff --git a/arch/arm64/boot/dts/rockchip/rk356x.dtsi b/arch/arm64/boot/dts/rockchip/rk356x.dtsi
index e5c88f0007253..05cc28f8f7669 100644
--- a/arch/arm64/boot/dts/rockchip/rk356x.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk356x.dtsi
@@ -985,7 +985,7 @@ pcie2x1: pcie@fe260000 {
power-domains = <&power RK3568_PD_PIPE>;
ranges = <0x01000000 0x0 0xf4100000 0x0 0xf4100000 0x0 0x00100000>,
<0x02000000 0x0 0xf4200000 0x0 0xf4200000 0x0 0x01e00000>,
- <0x03000000 0x0 0x40000000 0x3 0x00000000 0x0 0x40000000>;
+ <0x03000000 0x3 0x00000000 0x3 0x00000000 0x0 0x40000000>;
resets = <&cru SRST_PCIE20_POWERUP>;
reset-names = "pipe";
#address-cells = <3>;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 045/460] ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 044/460] ASoC: simple-card-utils: use __free(device_node) for device node Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 046/460] net: sfp: improve Huawei MA5671a fixup Greg Kroah-Hartman
` (257 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sen Wang, Kuninori Morimoto,
Mark Brown, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sen Wang <sen@ti.com>
[ Upstream commit 4185b95f8a42d92d68c49289b4644546b51e252b ]
graph_util_is_ports0() identifies DPCM front-end (ports@0) vs back-end
(ports@1) by calling of_get_child_by_name() to find the first "ports"
child and comparing pointers. This relies on child iteration order
matching DTS source order.
When the DPCM topology comes from a DT overlay, __of_attach_node()
inserts new children at the head of the sibling list, reversing the
order. of_get_child_by_name() then returns ports@1 instead of ports@0,
causing all front-end links to be classified as back-ends. The card
registers with no PCM devices.
Fix this by matching the unit address directly from the node name
instead of relying on sibling order.
Fixes: 92939252458f ("ASoC: simple-card-utils: add asoc_graph_is_ports0()")
Signed-off-by: Sen Wang <sen@ti.com>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/20260309042109.2576612-1-sen@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/generic/simple-card-utils.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/sound/soc/generic/simple-card-utils.c b/sound/soc/generic/simple-card-utils.c
index 4857ceecbdc4a..c9f92d445f4c9 100644
--- a/sound/soc/generic/simple-card-utils.c
+++ b/sound/soc/generic/simple-card-utils.c
@@ -1008,11 +1008,15 @@ int graph_util_is_ports0(struct device_node *np)
else
port = np;
- struct device_node *ports __free(device_node) = of_get_parent(port);
- struct device_node *top __free(device_node) = of_get_parent(ports);
- struct device_node *ports0 __free(device_node) = of_get_child_by_name(top, "ports");
+ struct device_node *ports __free(device_node) = of_get_parent(port);
+ const char *at = strchr(kbasename(ports->full_name), '@');
- return ports0 == ports;
+ /*
+ * Since child iteration order may differ
+ * between a base DT and DT overlays,
+ * string match "ports" or "ports@0" in the node name instead.
+ */
+ return !at || !strcmp(at, "@0");
}
EXPORT_SYMBOL_GPL(graph_util_is_ports0);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 059/481] clk: tegra: tegra124-emc: fix device leak on set_rate()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 058/481] arm64: dts: rockchip: Fix rk356x PCIe range mappings Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 060/481] usb: cdns3: remove redundant if branch Greg Kroah-Hartman
` (256 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikko Perttunen, Miaoqian Lin,
Johan Hovold, Stephen Boyd, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit da61439c63d34ae6503d080a847f144d587e3a48 ]
Make sure to drop the reference taken when looking up the EMC device and
its driver data on first set_rate().
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Fixes: 2db04f16b589 ("clk: tegra: Add EMC clock driver")
Fixes: 6d6ef58c2470 ("clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver")
Cc: stable@vger.kernel.org # 4.2: 6d6ef58c2470
Cc: Mikko Perttunen <mperttunen@nvidia.com>
Cc: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/tegra/clk-tegra124-emc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/tegra/clk-tegra124-emc.c b/drivers/clk/tegra/clk-tegra124-emc.c
index 0f6fb776b2298..5f1af6dfe7154 100644
--- a/drivers/clk/tegra/clk-tegra124-emc.c
+++ b/drivers/clk/tegra/clk-tegra124-emc.c
@@ -197,8 +197,8 @@ static struct tegra_emc *emc_ensure_emc_driver(struct tegra_clk_emc *tegra)
tegra->emc_node = NULL;
tegra->emc = platform_get_drvdata(pdev);
+ put_device(&pdev->dev);
if (!tegra->emc) {
- put_device(&pdev->dev);
pr_err("%s: cannot find EMC driver\n", __func__);
return NULL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 121/567] ARM: clean up the memset64() C wrapper
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 120/567] selftests: mptcp: join: check removing signal+subflow endp Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 122/567] hwmon: (aht10) Add support for dht20 Greg Kroah-Hartman
` (256 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Linus Torvalds, Ben Hutchings
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
commit b52343d1cb47bb27ca32a3f4952cc2fd3cd165bf upstream.
The current logic to split the 64-bit argument into its 32-bit halves is
byte-order specific and a bit clunky. Use a union instead which is
easier to read and works in all cases.
GCC still generates the same machine code.
While at it, rename the arguments of the __memset64() prototype to
actually reflect their semantics.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Reported-by: Ben Hutchings <ben@decadent.org.uk> # for -stable
Link: https://lore.kernel.org/all/1a11526ae3d8664f705b541b8d6ea57b847b49a8.camel@decadent.org.uk/
Suggested-by: https://lore.kernel.org/all/aZonkWMwpbFhzDJq@casper.infradead.org/ # for -stable
Link: https://lore.kernel.org/all/aZonkWMwpbFhzDJq@casper.infradead.org/
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/include/asm/string.h | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/arch/arm/include/asm/string.h
+++ b/arch/arm/include/asm/string.h
@@ -39,13 +39,17 @@ static inline void *memset32(uint32_t *p
}
#define __HAVE_ARCH_MEMSET64
-extern void *__memset64(uint64_t *, uint32_t low, __kernel_size_t, uint32_t hi);
+extern void *__memset64(uint64_t *, uint32_t first, __kernel_size_t, uint32_t second);
static inline void *memset64(uint64_t *p, uint64_t v, __kernel_size_t n)
{
- if (IS_ENABLED(CONFIG_CPU_LITTLE_ENDIAN))
- return __memset64(p, v, n * 8, v >> 32);
- else
- return __memset64(p, v >> 32, n * 8, v);
+ union {
+ uint64_t val;
+ struct {
+ uint32_t first, second;
+ };
+ } word = { .val = v };
+
+ return __memset64(p, word.first, n * 8, word.second);
}
/*
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 046/460] net: sfp: improve Huawei MA5671a fixup
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 045/460] ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 047/460] serial: caif: hold tty->link reference in ldisc_open and ser_release Greg Kroah-Hartman
` (256 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Álvaro Fernández Rojas,
Andrew Lunn, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit 87d126852158467ab87d5cbc36ccfd3f15464a6c ]
With the current sfp_fixup_ignore_tx_fault() fixup we ignore the TX_FAULT
signal, but we also need to apply sfp_fixup_ignore_los() in order to be
able to communicate with the module even if the fiber isn't connected for
configuration purposes.
This is needed for all the MA5671a firmwares, excluding the FS modded
firmware.
Fixes: 2069624dac19 ("net: sfp: Add tx-fault workaround for Huawei MA5671A SFP ONT")
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20260306125139.213637-1-noltari@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/sfp.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
index cae748b762236..dd8d37b44aac8 100644
--- a/drivers/net/phy/sfp.c
+++ b/drivers/net/phy/sfp.c
@@ -360,6 +360,12 @@ static void sfp_fixup_ignore_tx_fault(struct sfp *sfp)
sfp->state_ignore_mask |= SFP_F_TX_FAULT;
}
+static void sfp_fixup_ignore_tx_fault_and_los(struct sfp *sfp)
+{
+ sfp_fixup_ignore_tx_fault(sfp);
+ sfp_fixup_ignore_los(sfp);
+}
+
static void sfp_fixup_ignore_hw(struct sfp *sfp, unsigned int mask)
{
sfp->state_hw_mask &= ~mask;
@@ -523,7 +529,7 @@ static const struct sfp_quirk sfp_quirks[] = {
// Huawei MA5671A can operate at 2500base-X, but report 1.2GBd NRZ in
// their EEPROM
SFP_QUIRK("HUAWEI", "MA5671A", sfp_quirk_2500basex,
- sfp_fixup_ignore_tx_fault),
+ sfp_fixup_ignore_tx_fault_and_los),
// Lantech 8330-262D-E and 8330-265D can operate at 2500base-X, but
// incorrectly report 2500MBd NRZ in their EEPROM.
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 122/567] hwmon: (aht10) Add support for dht20
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 121/567] ARM: clean up the memset64() C wrapper Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 123/567] hwmon: (aht10) Fix initialization commands for AHT20 Greg Kroah-Hartman
` (255 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akhilesh Patil, Guenter Roeck,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhilesh Patil <akhilesh@ee.iitb.ac.in>
[ Upstream commit 3eaf1b631506e8de2cb37c278d5bc042521e82c1 ]
Add support for dht20 temperature and humidity sensor from Aosong.
Modify aht10 driver to handle different init command for dht20 sensor by
adding init_cmd entry in the driver data. dht20 sensor is compatible with
aht10 hwmon driver with this change.
Tested on TI am62x SK board with dht20 sensor connected at i2c-2 port.
Signed-off-by: Akhilesh Patil <akhilesh@ee.iitb.ac.in>
Link: https://lore.kernel.org/r/2025112-94320-906858@bhairav-test.ee.iitb.ac.in
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Stable-dep-of: b7497b5a99f5 ("hwmon: (aht10) Fix initialization commands for AHT20")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/hwmon/aht10.rst | 10 +++++++++-
drivers/hwmon/Kconfig | 6 +++---
drivers/hwmon/aht10.c | 19 ++++++++++++++++---
3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/Documentation/hwmon/aht10.rst b/Documentation/hwmon/aht10.rst
index 213644b4ecba6..7903b6434326d 100644
--- a/Documentation/hwmon/aht10.rst
+++ b/Documentation/hwmon/aht10.rst
@@ -20,6 +20,14 @@ Supported chips:
English: http://www.aosong.com/userfiles/files/media/Data%20Sheet%20AHT20.pdf
+ * Aosong DHT20
+
+ Prefix: 'dht20'
+
+ Addresses scanned: None
+
+ Datasheet: https://www.digikey.co.nz/en/htmldatasheets/production/9184855/0/0/1/101020932
+
Author: Johannes Cornelis Draaijer <jcdra1@gmail.com>
@@ -33,7 +41,7 @@ The address of this i2c device may only be 0x38
Special Features
----------------
-AHT20 has additional CRC8 support which is sent as the last byte of the sensor
+AHT20, DHT20 has additional CRC8 support which is sent as the last byte of the sensor
values.
Usage Notes
diff --git a/drivers/hwmon/Kconfig b/drivers/hwmon/Kconfig
index a4c361b6619c1..2b090dbd836c5 100644
--- a/drivers/hwmon/Kconfig
+++ b/drivers/hwmon/Kconfig
@@ -257,12 +257,12 @@ config SENSORS_ADT7475
will be called adt7475.
config SENSORS_AHT10
- tristate "Aosong AHT10, AHT20"
+ tristate "Aosong AHT10, AHT20, DHT20"
depends on I2C
select CRC8
help
- If you say yes here, you get support for the Aosong AHT10 and AHT20
- temperature and humidity sensors
+ If you say yes here, you get support for the Aosong AHT10, AHT20 and
+ DHT20 temperature and humidity sensors
This driver can also be built as a module. If so, the module
will be called aht10.
diff --git a/drivers/hwmon/aht10.c b/drivers/hwmon/aht10.c
index f136bf3ff40ad..4f235dfb260f8 100644
--- a/drivers/hwmon/aht10.c
+++ b/drivers/hwmon/aht10.c
@@ -37,6 +37,8 @@
#define AHT10_CMD_MEAS 0b10101100
#define AHT10_CMD_RST 0b10111010
+#define DHT20_CMD_INIT 0x71
+
/*
* Flags in the answer byte/command
*/
@@ -48,11 +50,12 @@
#define AHT10_MAX_POLL_INTERVAL_LEN 30
-enum aht10_variant { aht10, aht20 };
+enum aht10_variant { aht10, aht20, dht20};
static const struct i2c_device_id aht10_id[] = {
{ "aht10", aht10 },
{ "aht20", aht20 },
+ { "dht20", dht20 },
{ },
};
MODULE_DEVICE_TABLE(i2c, aht10_id);
@@ -77,6 +80,7 @@ MODULE_DEVICE_TABLE(i2c, aht10_id);
* AHT10/AHT20
* @crc8: crc8 support flag
* @meas_size: measurements data size
+ * @init_cmd: Initialization command
*/
struct aht10_data {
@@ -92,6 +96,7 @@ struct aht10_data {
int humidity;
bool crc8;
unsigned int meas_size;
+ u8 init_cmd;
};
/**
@@ -101,13 +106,13 @@ struct aht10_data {
*/
static int aht10_init(struct aht10_data *data)
{
- const u8 cmd_init[] = {AHT10_CMD_INIT, AHT10_CAL_ENABLED | AHT10_MODE_CYC,
+ const u8 cmd_init[] = {data->init_cmd, AHT10_CAL_ENABLED | AHT10_MODE_CYC,
0x00};
int res;
u8 status;
struct i2c_client *client = data->client;
- res = i2c_master_send(client, cmd_init, 3);
+ res = i2c_master_send(client, cmd_init, sizeof(cmd_init));
if (res < 0)
return res;
@@ -353,9 +358,17 @@ static int aht10_probe(struct i2c_client *client)
data->meas_size = AHT20_MEAS_SIZE;
data->crc8 = true;
crc8_populate_msb(crc8_table, AHT20_CRC8_POLY);
+ data->init_cmd = AHT10_CMD_INIT;
+ break;
+ case dht20:
+ data->meas_size = AHT20_MEAS_SIZE;
+ data->crc8 = true;
+ crc8_populate_msb(crc8_table, AHT20_CRC8_POLY);
+ data->init_cmd = DHT20_CMD_INIT;
break;
default:
data->meas_size = AHT10_MEAS_SIZE;
+ data->init_cmd = AHT10_CMD_INIT;
break;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 060/481] usb: cdns3: remove redundant if branch
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 059/481] clk: tegra: tegra124-emc: fix device leak on set_rate() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 061/481] usb: cdns3: call cdns_power_is_lost() only once in cdns_resume() Greg Kroah-Hartman
` (255 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hongyu Xie, Peter Chen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hongyu Xie <xiehongyu1@kylinos.cn>
[ Upstream commit dedab674428f8a99468a4864c067128ba9ea83a6 ]
cdns->role_sw->dev->driver_data gets set in routines showing below,
cdns_init
sw_desc.driver_data = cdns;
cdns->role_sw = usb_role_switch_register(dev, &sw_desc);
dev_set_drvdata(&sw->dev, desc->driver_data);
In cdns_resume,
cdns->role = cdns_role_get(cdns->role_sw); //line redundant
struct cdns *cdns = usb_role_switch_get_drvdata(sw);
dev_get_drvdata(&sw->dev)
return dev->driver_data
return cdns->role;
"line redundant" equals to,
cdns->role = cdns->role;
So fix this if branch.
Signed-off-by: Hongyu Xie <xiehongyu1@kylinos.cn>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/20241231013641.23908-1-xiehongyu1@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 87e4b043b98a ("usb: cdns3: fix role switching during resume")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/cdns3/core.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/usb/cdns3/core.c b/drivers/usb/cdns3/core.c
index 7242591b346bc..d272d7b82bec1 100644
--- a/drivers/usb/cdns3/core.c
+++ b/drivers/usb/cdns3/core.c
@@ -528,9 +528,7 @@ int cdns_resume(struct cdns *cdns)
int ret = 0;
if (cdns_power_is_lost(cdns)) {
- if (cdns->role_sw) {
- cdns->role = cdns_role_get(cdns->role_sw);
- } else {
+ if (!cdns->role_sw) {
real_role = cdns_hw_role_state_machine(cdns);
if (real_role != cdns->role) {
ret = cdns_hw_role_switch(cdns);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 047/460] serial: caif: hold tty->link reference in ldisc_open and ser_release
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 046/460] net: sfp: improve Huawei MA5671a fixup Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 048/460] bnxt_en: Fix RSS table size check when changing ethtool channels Greg Kroah-Hartman
` (255 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuangpeng Bai, Jiayuan Chen,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
[ Upstream commit 288598d80a068a0e9281de35bcb4ce495f189e2a ]
A reproducer triggers a KASAN slab-use-after-free in pty_write_room()
when caif_serial's TX path calls tty_write_room(). The faulting access
is on tty->link->port.
Hold an extra kref on tty->link for the lifetime of the caif_serial line
discipline: get it in ldisc_open() and drop it in ser_release(), and
also drop it on the ldisc_open() error path.
With this change applied, the reproducer no longer triggers the UAF in
my testing.
Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f
Link: https://lore.kernel.org/netdev/20260301220525.1546355-1-shuangpeng.kernel@gmail.com
Fixes: e31d5a05948e ("caif: tty's are kref objects so take a reference")
Signed-off-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260306034006.3395740-1-shuangpeng.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/caif/caif_serial.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
index 699ed0ff461e8..6799dbf80f484 100644
--- a/drivers/net/caif/caif_serial.c
+++ b/drivers/net/caif/caif_serial.c
@@ -311,6 +311,7 @@ static void ser_release(struct work_struct *work)
dev_close(ser->dev);
unregister_netdevice(ser->dev);
debugfs_deinit(ser);
+ tty_kref_put(tty->link);
tty_kref_put(tty);
}
rtnl_unlock();
@@ -345,6 +346,7 @@ static int ldisc_open(struct tty_struct *tty)
ser = netdev_priv(dev);
ser->tty = tty_kref_get(tty);
+ tty_kref_get(tty->link);
ser->dev = dev;
debugfs_init(ser, tty);
tty->receive_room = N_TTY_BUF_SIZE;
@@ -353,6 +355,7 @@ static int ldisc_open(struct tty_struct *tty)
rtnl_lock();
result = register_netdevice(dev);
if (result) {
+ tty_kref_put(tty->link);
tty_kref_put(tty);
rtnl_unlock();
free_netdev(dev);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 123/567] hwmon: (aht10) Fix initialization commands for AHT20
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 122/567] hwmon: (aht10) Add support for dht20 Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 124/567] pinctrl: equilibrium: rename irq_chip function callbacks Greg Kroah-Hartman
` (254 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hao Yu, Guenter Roeck, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hao Yu <haoyufine@gmail.com>
[ Upstream commit b7497b5a99f54ab8dcda5b14a308385b2fb03d8d ]
According to the AHT20 datasheet (updated to V1.0 after the 2023.09
version), the initialization command for AHT20 is 0b10111110 (0xBE).
The previous sequence (0xE1) used in earlier versions is no longer
compatible with newer AHT20 sensors. Update the initialization
command to ensure the sensor is properly initialized.
While at it, use binary notation for DHT20_CMD_INIT to match the notation
used in the datasheet.
Fixes: d2abcb5cc885 ("hwmon: (aht10) Add support for compatible aht20")
Signed-off-by: Hao Yu <haoyufine@gmail.com>
Link: https://lore.kernel.org/r/20260222170332.1616-3-haoyufine@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/aht10.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/hwmon/aht10.c b/drivers/hwmon/aht10.c
index 4f235dfb260f8..aa116957d9c96 100644
--- a/drivers/hwmon/aht10.c
+++ b/drivers/hwmon/aht10.c
@@ -37,7 +37,9 @@
#define AHT10_CMD_MEAS 0b10101100
#define AHT10_CMD_RST 0b10111010
-#define DHT20_CMD_INIT 0x71
+#define AHT20_CMD_INIT 0b10111110
+
+#define DHT20_CMD_INIT 0b01110001
/*
* Flags in the answer byte/command
@@ -358,7 +360,7 @@ static int aht10_probe(struct i2c_client *client)
data->meas_size = AHT20_MEAS_SIZE;
data->crc8 = true;
crc8_populate_msb(crc8_table, AHT20_CRC8_POLY);
- data->init_cmd = AHT10_CMD_INIT;
+ data->init_cmd = AHT20_CMD_INIT;
break;
case dht20:
data->meas_size = AHT20_MEAS_SIZE;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 061/481] usb: cdns3: call cdns_power_is_lost() only once in cdns_resume()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 060/481] usb: cdns3: remove redundant if branch Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 062/481] usb: cdns3: fix role switching during resume Greg Kroah-Hartman
` (254 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Théo Lebrun, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Théo Lebrun <theo.lebrun@bootlin.com>
[ Upstream commit 17c6526b333cfd89a4c888a6f7c876c8c326e5ae ]
cdns_power_is_lost() does a register read.
Call it only once rather than twice.
Signed-off-by: Théo Lebrun <theo.lebrun@bootlin.com>
Link: https://lore.kernel.org/r/20250205-s2r-cdns-v7-4-13658a271c3c@bootlin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 87e4b043b98a ("usb: cdns3: fix role switching during resume")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/cdns3/core.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/cdns3/core.c b/drivers/usb/cdns3/core.c
index d272d7b82bec1..8e46fd36b0e56 100644
--- a/drivers/usb/cdns3/core.c
+++ b/drivers/usb/cdns3/core.c
@@ -523,11 +523,12 @@ EXPORT_SYMBOL_GPL(cdns_suspend);
int cdns_resume(struct cdns *cdns)
{
+ bool power_lost = cdns_power_is_lost(cdns);
enum usb_role real_role;
bool role_changed = false;
int ret = 0;
- if (cdns_power_is_lost(cdns)) {
+ if (power_lost) {
if (!cdns->role_sw) {
real_role = cdns_hw_role_state_machine(cdns);
if (real_role != cdns->role) {
@@ -550,7 +551,7 @@ int cdns_resume(struct cdns *cdns)
}
if (cdns->roles[cdns->role]->resume)
- cdns->roles[cdns->role]->resume(cdns, cdns_power_is_lost(cdns));
+ cdns->roles[cdns->role]->resume(cdns, power_lost);
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 048/460] bnxt_en: Fix RSS table size check when changing ethtool channels
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 047/460] serial: caif: hold tty->link reference in ldisc_open and ser_release Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 049/460] mctp: i2c: fix skb memory leak in receive path Greg Kroah-Hartman
` (254 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Björn Töpel,
Andy Gospodarek, Pavan Chebbi, Michael Chan, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavan Chebbi <pavan.chebbi@broadcom.com>
[ Upstream commit 0d9a60a0618d255530ca56072c5f39eb58e1ed4a ]
When changing channels, the current check in bnxt_set_channels()
is not checking for non-default RSS contexts when the RSS table size
changes. The current check for IFF_RXFH_CONFIGURED is only sufficient
for the default RSS context. Expand the check to include the presence
of any non-default RSS contexts.
Allowing such change will result in incorrect configuration of the
context's RSS table when the table size changes.
Fixes: b3d0083caf9a ("bnxt_en: Support RSS contexts in ethtool .{get|set}_rxfh()")
Reported-by: Björn Töpel <bjorn@kernel.org>
Link: https://lore.kernel.org/netdev/20260303181535.2671734-1-bjorn@kernel.org/
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Signed-off-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Link: https://patch.msgid.link/20260306225854.3575672-1-michael.chan@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
index 0a8f3dc3c2f01..0be9c64ae2fad 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
@@ -958,8 +958,8 @@ static int bnxt_set_channels(struct net_device *dev,
if (bnxt_get_nr_rss_ctxs(bp, req_rx_rings) !=
bnxt_get_nr_rss_ctxs(bp, bp->rx_nr_rings) &&
- netif_is_rxfh_configured(dev)) {
- netdev_warn(dev, "RSS table size change required, RSS table entries must be default to proceed\n");
+ (netif_is_rxfh_configured(dev) || bp->num_rss_ctx)) {
+ netdev_warn(dev, "RSS table size change required, RSS table entries must be default (with no additional RSS contexts present) to proceed\n");
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 124/567] pinctrl: equilibrium: rename irq_chip function callbacks
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 123/567] hwmon: (aht10) Fix initialization commands for AHT20 Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 125/567] pinctrl: equilibrium: fix warning trace on load Greg Kroah-Hartman
` (253 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Eckert, Linus Walleij,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Eckert <fe@dev.tdt.de>
[ Upstream commit 1f96b84835eafb3e6f366dc3a66c0e69504cec9d ]
Renaming of the irq_chip callback functions to improve clarity.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Stable-dep-of: 3e00b1b332e5 ("pinctrl: equilibrium: fix warning trace on load")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-equilibrium.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-equilibrium.c b/drivers/pinctrl/pinctrl-equilibrium.c
index d7c89c310b373..a5f7e34146c7c 100644
--- a/drivers/pinctrl/pinctrl-equilibrium.c
+++ b/drivers/pinctrl/pinctrl-equilibrium.c
@@ -22,7 +22,7 @@
#define PIN_NAME_LEN 10
#define PAD_REG_OFF 0x100
-static void eqbr_gpio_disable_irq(struct irq_data *d)
+static void eqbr_irq_mask(struct irq_data *d)
{
struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
struct eqbr_gpio_ctrl *gctrl = gpiochip_get_data(gc);
@@ -35,7 +35,7 @@ static void eqbr_gpio_disable_irq(struct irq_data *d)
gpiochip_disable_irq(gc, offset);
}
-static void eqbr_gpio_enable_irq(struct irq_data *d)
+static void eqbr_irq_unmask(struct irq_data *d)
{
struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
struct eqbr_gpio_ctrl *gctrl = gpiochip_get_data(gc);
@@ -49,7 +49,7 @@ static void eqbr_gpio_enable_irq(struct irq_data *d)
raw_spin_unlock_irqrestore(&gctrl->lock, flags);
}
-static void eqbr_gpio_ack_irq(struct irq_data *d)
+static void eqbr_irq_ack(struct irq_data *d)
{
struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
struct eqbr_gpio_ctrl *gctrl = gpiochip_get_data(gc);
@@ -61,10 +61,10 @@ static void eqbr_gpio_ack_irq(struct irq_data *d)
raw_spin_unlock_irqrestore(&gctrl->lock, flags);
}
-static void eqbr_gpio_mask_ack_irq(struct irq_data *d)
+static void eqbr_irq_mask_ack(struct irq_data *d)
{
- eqbr_gpio_disable_irq(d);
- eqbr_gpio_ack_irq(d);
+ eqbr_irq_mask(d);
+ eqbr_irq_ack(d);
}
static inline void eqbr_cfg_bit(void __iomem *addr,
@@ -91,7 +91,7 @@ static int eqbr_irq_type_cfg(struct gpio_irq_type *type,
return 0;
}
-static int eqbr_gpio_set_irq_type(struct irq_data *d, unsigned int type)
+static int eqbr_irq_set_type(struct irq_data *d, unsigned int type)
{
struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
struct eqbr_gpio_ctrl *gctrl = gpiochip_get_data(gc);
@@ -165,11 +165,11 @@ static void eqbr_irq_handler(struct irq_desc *desc)
static const struct irq_chip eqbr_irq_chip = {
.name = "gpio_irq",
- .irq_mask = eqbr_gpio_disable_irq,
- .irq_unmask = eqbr_gpio_enable_irq,
- .irq_ack = eqbr_gpio_ack_irq,
- .irq_mask_ack = eqbr_gpio_mask_ack_irq,
- .irq_set_type = eqbr_gpio_set_irq_type,
+ .irq_ack = eqbr_irq_ack,
+ .irq_mask = eqbr_irq_mask,
+ .irq_mask_ack = eqbr_irq_mask_ack,
+ .irq_unmask = eqbr_irq_unmask,
+ .irq_set_type = eqbr_irq_set_type,
.flags = IRQCHIP_IMMUTABLE,
GPIOCHIP_IRQ_RESOURCE_HELPERS,
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 062/481] usb: cdns3: fix role switching during resume
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 061/481] usb: cdns3: call cdns_power_is_lost() only once in cdns_resume() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 063/481] ALSA: hda/conexant: Add quirk for HP ZBook Studio G4 Greg Kroah-Hartman
` (253 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Thomas Richard (TI),
Peter Chen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Richard (TI) <thomas.richard@bootlin.com>
[ Upstream commit 87e4b043b98a1d269be0b812f383881abee0ca45 ]
If the role change while we are suspended, the cdns3 driver switches to the
new mode during resume. However, switching to host mode in this context
causes a NULL pointer dereference.
The host role's start() operation registers a xhci-hcd device, but its
probe is deferred while we are in the resume path. The host role's resume()
operation assumes the xhci-hcd device is already probed, which is not the
case, leading to the dereference. Since the start() operation of the new
role is already called, the resume operation can be skipped.
So skip the resume operation for the new role if a role switch occurs
during resume. Once the resume sequence is complete, the xhci-hcd device
can be probed in case of host mode.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000208
Mem abort info:
...
Data abort info:
...
[0000000000000208] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] SMP
Modules linked in:
CPU: 0 UID: 0 PID: 146 Comm: sh Not tainted
6.19.0-rc7-00013-g6e64f4aabfae-dirty #135 PREEMPT
Hardware name: Texas Instruments J7200 EVM (DT)
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usb_hcd_is_primary_hcd+0x0/0x1c
lr : cdns_host_resume+0x24/0x5c
...
Call trace:
usb_hcd_is_primary_hcd+0x0/0x1c (P)
cdns_resume+0x6c/0xbc
cdns3_controller_resume.isra.0+0xe8/0x17c
cdns3_plat_resume+0x18/0x24
platform_pm_resume+0x2c/0x68
dpm_run_callback+0x90/0x248
device_resume+0x100/0x24c
dpm_resume+0x190/0x2ec
dpm_resume_end+0x18/0x34
suspend_devices_and_enter+0x2b0/0xa44
pm_suspend+0x16c/0x5fc
state_store+0x80/0xec
kobj_attr_store+0x18/0x2c
sysfs_kf_write+0x7c/0x94
kernfs_fop_write_iter+0x130/0x1dc
vfs_write+0x240/0x370
ksys_write+0x70/0x108
__arm64_sys_write+0x1c/0x28
invoke_syscall+0x48/0x10c
el0_svc_common.constprop.0+0x40/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x34/0x108
el0t_64_sync_handler+0xa0/0xe4
el0t_64_sync+0x198/0x19c
Code: 52800003 f9407ca5 d63f00a0 17ffffe4 (f9410401)
---[ end trace 0000000000000000 ]---
Cc: stable <stable@kernel.org>
Fixes: 2cf2581cd229 ("usb: cdns3: add power lost support for system resume")
Signed-off-by: Thomas Richard (TI) <thomas.richard@bootlin.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://patch.msgid.link/20260130-usb-cdns3-fix-role-switching-during-resume-v1-1-44c456852b52@bootlin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/cdns3/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/cdns3/core.c b/drivers/usb/cdns3/core.c
index 8e46fd36b0e56..93e93bb9a314f 100644
--- a/drivers/usb/cdns3/core.c
+++ b/drivers/usb/cdns3/core.c
@@ -550,7 +550,7 @@ int cdns_resume(struct cdns *cdns)
}
}
- if (cdns->roles[cdns->role]->resume)
+ if (!role_changed && cdns->roles[cdns->role]->resume)
cdns->roles[cdns->role]->resume(cdns, power_lost);
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 049/460] mctp: i2c: fix skb memory leak in receive path
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 048/460] bnxt_en: Fix RSS table size check when changing ethtool channels Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 050/460] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value Greg Kroah-Hartman
` (253 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haiyue Wang, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haiyue Wang <haiyuewa@163.com>
[ Upstream commit e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69 ]
When 'midev->allow_rx' is false, the newly allocated skb isn't consumed
by netif_rx(), it needs to free the skb directly.
Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver")
Signed-off-by: Haiyue Wang <haiyuewa@163.com>
Link: https://patch.msgid.link/20260305143240.97592-1-haiyuewa@163.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/mctp/mctp-i2c.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c
index 617333343ca00..f8f83fe424e51 100644
--- a/drivers/net/mctp/mctp-i2c.c
+++ b/drivers/net/mctp/mctp-i2c.c
@@ -344,6 +344,7 @@ static int mctp_i2c_recv(struct mctp_i2c_dev *midev)
} else {
status = NET_RX_DROP;
spin_unlock_irqrestore(&midev->lock, flags);
+ kfree_skb(skb);
}
if (status == NET_RX_SUCCESS) {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 125/567] pinctrl: equilibrium: fix warning trace on load
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 124/567] pinctrl: equilibrium: rename irq_chip function callbacks Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 126/567] platform/x86: thinkpad_acpi: Fix errors reading battery thresholds Greg Kroah-Hartman
` (252 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Eckert, Linus Walleij,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Eckert <fe@dev.tdt.de>
[ Upstream commit 3e00b1b332e54ba50cca6691f628b9c06574024f ]
The callback functions 'eqbr_irq_mask()' and 'eqbr_irq_ack()' are also
called in the callback function 'eqbr_irq_mask_ack()'. This is done to
avoid source code duplication. The problem, is that in the function
'eqbr_irq_mask()' also calles the gpiolib function 'gpiochip_disable_irq()'
This generates the following warning trace in the log for every gpio on
load.
[ 6.088111] ------------[ cut here ]------------
[ 6.092440] WARNING: CPU: 3 PID: 1 at drivers/gpio/gpiolib.c:3810 gpiochip_disable_irq+0x39/0x50
[ 6.097847] Modules linked in:
[ 6.097847] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.12.59+ #0
[ 6.097847] Tainted: [W]=WARN
[ 6.097847] RIP: 0010:gpiochip_disable_irq+0x39/0x50
[ 6.097847] Code: 39 c6 48 19 c0 21 c6 48 c1 e6 05 48 03 b2 38 03 00 00 48 81 fe 00 f0 ff ff 77 11 48 8b 46 08 f6 c4 02 74 06 f0 80 66 09 fb c3 <0f> 0b 90 0f 1f 40 00 c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40
[ 6.097847] RSP: 0000:ffffc9000000b830 EFLAGS: 00010046
[ 6.097847] RAX: 0000000000000045 RBX: ffff888001be02a0 RCX: 0000000000000008
[ 6.097847] RDX: ffff888001be9000 RSI: ffff888001b2dd00 RDI: ffff888001be02a0
[ 6.097847] RBP: ffffc9000000b860 R08: 0000000000000000 R09: 0000000000000000
[ 6.097847] R10: 0000000000000001 R11: ffff888001b2a154 R12: ffff888001be0514
[ 6.097847] R13: ffff888001be02a0 R14: 0000000000000008 R15: 0000000000000000
[ 6.097847] FS: 0000000000000000(0000) GS:ffff888041d80000(0000) knlGS:0000000000000000
[ 6.097847] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6.097847] CR2: 0000000000000000 CR3: 0000000003030000 CR4: 00000000001026b0
[ 6.097847] Call Trace:
[ 6.097847] <TASK>
[ 6.097847] ? eqbr_irq_mask+0x63/0x70
[ 6.097847] ? no_action+0x10/0x10
[ 6.097847] eqbr_irq_mask_ack+0x11/0x60
In an other driver (drivers/pinctrl/starfive/pinctrl-starfive-jh7100.c) the
interrupt is not disabled here.
To fix this, do not call the 'eqbr_irq_mask()' and 'eqbr_irq_ack()'
function. Implement instead this directly without disabling the interrupts.
Fixes: 52066a53bd11 ("pinctrl: equilibrium: Convert to immutable irq_chip")
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-equilibrium.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-equilibrium.c b/drivers/pinctrl/pinctrl-equilibrium.c
index a5f7e34146c7c..e1d8c656576a8 100644
--- a/drivers/pinctrl/pinctrl-equilibrium.c
+++ b/drivers/pinctrl/pinctrl-equilibrium.c
@@ -63,8 +63,15 @@ static void eqbr_irq_ack(struct irq_data *d)
static void eqbr_irq_mask_ack(struct irq_data *d)
{
- eqbr_irq_mask(d);
- eqbr_irq_ack(d);
+ struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
+ struct eqbr_gpio_ctrl *gctrl = gpiochip_get_data(gc);
+ unsigned int offset = irqd_to_hwirq(d);
+ unsigned long flags;
+
+ raw_spin_lock_irqsave(&gctrl->lock, flags);
+ writel(BIT(offset), gctrl->membase + GPIO_IRNENCLR);
+ writel(BIT(offset), gctrl->membase + GPIO_IRNCR);
+ raw_spin_unlock_irqrestore(&gctrl->lock, flags);
}
static inline void eqbr_cfg_bit(void __iomem *addr,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 063/481] ALSA: hda/conexant: Add quirk for HP ZBook Studio G4
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 062/481] usb: cdns3: fix role switching during resume Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 064/481] hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race Greg Kroah-Hartman
` (252 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 1585cf83e98db32463e5d54161b06a5f01fe9976 ]
It was reported that we need the same quirk for HP ZBook Studio G4
(SSID 103c:826b) as other HP models to make the mute-LED working.
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/64d78753-b9ff-4c64-8920-64d8d31cd20c@gmail.com
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221002
Link: https://patch.msgid.link/20260207131324.2428030-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_conexant.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
index a3d68b83ebd5f..643d1f7ba5ad3 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -1099,6 +1099,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO),
SND_PCI_QUIRK(0x103c, 0x8231, "HP ProBook 450 G4", CXT_FIXUP_MUTE_LED_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x826b, "HP ZBook Studio G4", CXT_FIXUP_MUTE_LED_GPIO),
SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 050/460] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 049/460] mctp: i2c: fix skb memory leak in receive path Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 051/460] bonding: add ESP offload features when slaves support Greg Kroah-Hartman
` (252 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenyuan Li, Marc Kleine-Budde,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenyuan Li <2063309626@qq.com>
[ Upstream commit 47bba09b14fa21712398febf36cb14fd4fc3bded ]
In hi3110_open(), the return value of hi3110_power_enable() is not checked.
If power enable fails, the device may not function correctly, while the
driver still returns success.
Add a check for the return value and propagate the error accordingly.
Signed-off-by: Wenyuan Li <2063309626@qq.com>
Link: https://patch.msgid.link/tencent_B5E2E7528BB28AA8A2A56E16C49BD58B8B07@qq.com
Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver")
[mkl: adjust subject, commit message and jump label]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/spi/hi311x.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c
index c9eba1d37b0eb..10470e7436158 100644
--- a/drivers/net/can/spi/hi311x.c
+++ b/drivers/net/can/spi/hi311x.c
@@ -756,7 +756,9 @@ static int hi3110_open(struct net_device *net)
return ret;
mutex_lock(&priv->hi3110_lock);
- hi3110_power_enable(priv->transceiver, 1);
+ ret = hi3110_power_enable(priv->transceiver, 1);
+ if (ret)
+ goto out_close_candev;
priv->force_quit = 0;
priv->tx_skb = NULL;
@@ -791,6 +793,7 @@ static int hi3110_open(struct net_device *net)
hi3110_hw_sleep(spi);
out_close:
hi3110_power_enable(priv->transceiver, 0);
+ out_close_candev:
close_candev(net);
mutex_unlock(&priv->hi3110_lock);
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 126/567] platform/x86: thinkpad_acpi: Fix errors reading battery thresholds
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 125/567] pinctrl: equilibrium: fix warning trace on load Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 127/567] pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe() Greg Kroah-Hartman
` (251 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Teh, Mark Pearson,
Ilpo Järvinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Teh <jonathan.teh@outlook.com>
[ Upstream commit 53e977b1d50c46f2c4ec3865cd13a822f58ad3cd ]
Check whether the battery supports the relevant charge threshold before
reading the value to silence these errors:
thinkpad_acpi: acpi_evalf(BCTG, dd, ...) failed: AE_NOT_FOUND
ACPI: \_SB_.PCI0.LPC_.EC__.HKEY: BCTG: evaluate failed
thinkpad_acpi: acpi_evalf(BCSG, dd, ...) failed: AE_NOT_FOUND
ACPI: \_SB_.PCI0.LPC_.EC__.HKEY: BCSG: evaluate failed
when reading the charge thresholds via sysfs on platforms that do not
support them such as the ThinkPad T400.
Fixes: 2801b9683f74 ("thinkpad_acpi: Add support for battery thresholds")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=202619
Signed-off-by: Jonathan Teh <jonathan.teh@outlook.com>
Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Link: https://patch.msgid.link/MI0P293MB01967B206E1CA6F337EBFB12926CA@MI0P293MB0196.ITAP293.PROD.OUTLOOK.COM
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/thinkpad_acpi.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
index 88364a5502e69..be46479d54afe 100644
--- a/drivers/platform/x86/thinkpad_acpi.c
+++ b/drivers/platform/x86/thinkpad_acpi.c
@@ -9441,14 +9441,16 @@ static int tpacpi_battery_get(int what, int battery, int *ret)
{
switch (what) {
case THRESHOLD_START:
- if ACPI_FAILURE(tpacpi_battery_acpi_eval(GET_START, ret, battery))
+ if (!battery_info.batteries[battery].start_support ||
+ ACPI_FAILURE(tpacpi_battery_acpi_eval(GET_START, ret, battery)))
return -ENODEV;
/* The value is in the low 8 bits of the response */
*ret = *ret & 0xFF;
return 0;
case THRESHOLD_STOP:
- if ACPI_FAILURE(tpacpi_battery_acpi_eval(GET_STOP, ret, battery))
+ if (!battery_info.batteries[battery].stop_support ||
+ ACPI_FAILURE(tpacpi_battery_acpi_eval(GET_STOP, ret, battery)))
return -ENODEV;
/* Value is in lower 8 bits */
*ret = *ret & 0xFF;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 064/481] hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 063/481] ALSA: hda/conexant: Add quirk for HP ZBook Studio G4 Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 065/481] ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314 Greg Kroah-Hartman
` (251 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Hutchings, Gui-Dong Han,
Guenter Roeck, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
[ Upstream commit 007be4327e443d79c9dd9e56dc16c36f6395d208 ]
Simply copying shared data to a local variable cannot prevent data
races. The compiler is allowed to optimize away the local copy and
re-read the shared memory, causing a Time-of-Check Time-of-Use (TOCTOU)
issue if the data changes between the check and the usage.
To enforce the use of the local variable, use READ_ONCE() when reading
the shared data and WRITE_ONCE() when updating it. Apply these macros to
the three identified locations (curr_sense, adc, and fault) where local
variables are used for error validation, ensuring the value remains
consistent.
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Closes: https://lore.kernel.org/all/6fe17868327207e8b850cf9f88b7dc58b2021f73.camel@decadent.org.uk/
Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles")
Fixes: b8d5acdcf525 ("hwmon: (max16065) Use local variable to avoid TOCTOU")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20260203121443.5482-1-hanguidong02@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/max16065.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/drivers/hwmon/max16065.c b/drivers/hwmon/max16065.c
index 648eb7e867d10..b61bba4166f78 100644
--- a/drivers/hwmon/max16065.c
+++ b/drivers/hwmon/max16065.c
@@ -151,27 +151,27 @@ static struct max16065_data *max16065_update_device(struct device *dev)
int i;
for (i = 0; i < data->num_adc; i++)
- data->adc[i]
- = max16065_read_adc(client, MAX16065_ADC(i));
+ WRITE_ONCE(data->adc[i],
+ max16065_read_adc(client, MAX16065_ADC(i)));
if (data->have_current) {
- data->adc[MAX16065_NUM_ADC]
- = max16065_read_adc(client, MAX16065_CSP_ADC);
- data->curr_sense
- = i2c_smbus_read_byte_data(client,
- MAX16065_CURR_SENSE);
+ WRITE_ONCE(data->adc[MAX16065_NUM_ADC],
+ max16065_read_adc(client, MAX16065_CSP_ADC));
+ WRITE_ONCE(data->curr_sense,
+ i2c_smbus_read_byte_data(client, MAX16065_CURR_SENSE));
}
for (i = 0; i < 2; i++)
- data->fault[i]
- = i2c_smbus_read_byte_data(client, MAX16065_FAULT(i));
+ WRITE_ONCE(data->fault[i],
+ i2c_smbus_read_byte_data(client, MAX16065_FAULT(i)));
/*
* MAX16067 and MAX16068 have separate undervoltage and
* overvoltage alarm bits. Squash them together.
*/
if (data->chip == max16067 || data->chip == max16068)
- data->fault[0] |= data->fault[1];
+ WRITE_ONCE(data->fault[0],
+ data->fault[0] | data->fault[1]);
data->last_updated = jiffies;
data->valid = true;
@@ -185,7 +185,7 @@ static ssize_t max16065_alarm_show(struct device *dev,
{
struct sensor_device_attribute_2 *attr2 = to_sensor_dev_attr_2(da);
struct max16065_data *data = max16065_update_device(dev);
- int val = data->fault[attr2->nr];
+ int val = READ_ONCE(data->fault[attr2->nr]);
if (val < 0)
return val;
@@ -203,7 +203,7 @@ static ssize_t max16065_input_show(struct device *dev,
{
struct sensor_device_attribute *attr = to_sensor_dev_attr(da);
struct max16065_data *data = max16065_update_device(dev);
- int adc = data->adc[attr->index];
+ int adc = READ_ONCE(data->adc[attr->index]);
if (unlikely(adc < 0))
return adc;
@@ -216,7 +216,7 @@ static ssize_t max16065_current_show(struct device *dev,
struct device_attribute *da, char *buf)
{
struct max16065_data *data = max16065_update_device(dev);
- int curr_sense = data->curr_sense;
+ int curr_sense = READ_ONCE(data->curr_sense);
if (unlikely(curr_sense < 0))
return curr_sense;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 051/460] bonding: add ESP offload features when slaves support
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 050/460] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 052/460] bonding: Correctly support GSO ESP offload Greg Kroah-Hartman
` (251 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianbo Liu, Boris Pismenny,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianbo Liu <jianbol@nvidia.com>
[ Upstream commit 4861333b42178fa3d8fd1bb4e2cfb2fedc968dba ]
Add NETIF_F_GSO_ESP bit to bond's gso_partial_features if all slaves
support it, such that ESP segmentation is handled by hardware if possible.
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Boris Pismenny <borisp@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20241105192721.584822-1-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index c71b52e2966fc..aac385607ac42 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1558,6 +1558,7 @@ static void bond_compute_features(struct bonding *bond)
{
unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE |
IFF_XMIT_DST_RELEASE_PERM;
+ netdev_features_t gso_partial_features = NETIF_F_GSO_ESP;
netdev_features_t vlan_features = BOND_VLAN_FEATURES;
netdev_features_t enc_features = BOND_ENC_FEATURES;
#ifdef CONFIG_XFRM_OFFLOAD
@@ -1591,6 +1592,9 @@ static void bond_compute_features(struct bonding *bond)
BOND_XFRM_FEATURES);
#endif /* CONFIG_XFRM_OFFLOAD */
+ if (slave->dev->hw_enc_features & NETIF_F_GSO_PARTIAL)
+ gso_partial_features &= slave->dev->gso_partial_features;
+
mpls_features = netdev_increment_features(mpls_features,
slave->dev->mpls_features,
BOND_MPLS_FEATURES);
@@ -1604,6 +1608,11 @@ static void bond_compute_features(struct bonding *bond)
}
bond_dev->hard_header_len = max_hard_header_len;
+ if (gso_partial_features & NETIF_F_GSO_ESP)
+ bond_dev->gso_partial_features |= NETIF_F_GSO_ESP;
+ else
+ bond_dev->gso_partial_features &= ~NETIF_F_GSO_ESP;
+
done:
bond_dev->vlan_features = vlan_features;
bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL |
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 127/567] pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 126/567] platform/x86: thinkpad_acpi: Fix errors reading battery thresholds Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 128/567] hwmon: (it87) Check the it87_lock() return value Greg Kroah-Hartman
` (250 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Charles Keepax,
Linus Walleij, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit fd5bed798f45eb3a178ad527b43ab92705faaf8a ]
devm_add_action_or_reset() already invokes the action on failure,
so the explicit put causes a double-put.
Fixes: 9b07cdf86a0b ("pinctrl: cirrus: Fix fwnode leak in cs42l43_pin_probe()")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/cirrus/pinctrl-cs42l43.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/pinctrl/cirrus/pinctrl-cs42l43.c b/drivers/pinctrl/cirrus/pinctrl-cs42l43.c
index e1ac89be7c847..1640c5522f0e8 100644
--- a/drivers/pinctrl/cirrus/pinctrl-cs42l43.c
+++ b/drivers/pinctrl/cirrus/pinctrl-cs42l43.c
@@ -574,10 +574,9 @@ static int cs42l43_pin_probe(struct platform_device *pdev)
if (child) {
ret = devm_add_action_or_reset(&pdev->dev,
cs42l43_fwnode_put, child);
- if (ret) {
- fwnode_handle_put(child);
+ if (ret)
return ret;
- }
+
if (!child->dev)
child->dev = priv->dev;
fwnode = child;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 065/481] ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 064/481] hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 066/481] net: arcnet: com20020-pci: fix support for 2.5Mbit cards Greg Kroah-Hartman
` (250 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 7bc0df86c2384bc1e2012a2c946f82305054da64 ]
Acer Swift SF314 (SSID 1025:136d) needs a bit of tweaks of the pin
configurations for NID 0x16 and 0x19 to make the headphone / headset
jack working. NID 0x17 can remain as is for the working speaker, and
the built-in mic is supported via SOF.
Cc: <stable@vger.kernel.org>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221086
Link: https://patch.msgid.link/20260217104414.62911-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_conexant.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
index 643d1f7ba5ad3..e5837e47aa227 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -312,6 +312,7 @@ enum {
CXT_PINCFG_SWS_JS201D,
CXT_PINCFG_TOP_SPEAKER,
CXT_FIXUP_HP_A_U,
+ CXT_FIXUP_ACER_SWIFT_HP,
};
/* for hda_fixup_thinkpad_acpi() */
@@ -1042,6 +1043,14 @@ static const struct hda_fixup cxt_fixups[] = {
.type = HDA_FIXUP_FUNC,
.v.func = cxt_fixup_hp_a_u,
},
+ [CXT_FIXUP_ACER_SWIFT_HP] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+ { 0x16, 0x0321403f }, /* Headphone */
+ { 0x19, 0x40f001f0 }, /* Mic */
+ { }
+ },
+ },
};
static const struct snd_pci_quirk cxt5045_fixups[] = {
@@ -1091,6 +1100,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
SND_PCI_QUIRK(0x1025, 0x0543, "Acer Aspire One 522", CXT_FIXUP_STEREO_DMIC),
SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", CXT_FIXUP_ASPIRE_DMIC),
SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC),
+ SND_PCI_QUIRK(0x1025, 0x136d, "Acer Swift SF314", CXT_FIXUP_ACER_SWIFT_HP),
SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 052/460] bonding: Correctly support GSO ESP offload
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 051/460] bonding: add ESP offload features when slaves support Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 053/460] net: add a common function to compute features for upper devices Greg Kroah-Hartman
` (250 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Cosmin Ratiu,
Jay Vosburgh, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Ratiu <cratiu@nvidia.com>
[ Upstream commit 9e6c4e6b605c1fa3e24f74ee0b641e95f090188a ]
The referenced fix is incomplete. It correctly computes
bond_dev->gso_partial_features across slaves, but unfortunately
netdev_fix_features discards gso_partial_features from the feature set
if NETIF_F_GSO_PARTIAL isn't set in bond_dev->features.
This is visible with ethtool -k bond0 | grep esp:
tx-esp-segmentation: off [requested on]
esp-hw-offload: on
esp-tx-csum-hw-offload: on
This patch reworks the bonding GSO offload support by:
- making aggregating gso_partial_features across slaves similar to the
other feature sets (this part is a no-op).
- advertising the default partial gso features on empty bond devs, same
as with other feature sets (also a no-op).
- adding NETIF_F_GSO_PARTIAL to hw_enc_features filtered across slaves.
- adding NETIF_F_GSO_PARTIAL to features in bond_setup()
With all of these, 'ethtool -k bond0 | grep esp' now reports:
tx-esp-segmentation: on
esp-hw-offload: on
esp-tx-csum-hw-offload: on
Fixes: 4861333b4217 ("bonding: add ESP offload features when slaves support")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
Acked-by: Jay Vosburgh <jv@jvosburgh.net>
Link: https://patch.msgid.link/20250127104147.759658-1-cratiu@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index aac385607ac42..fe29a0911308d 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1548,17 +1548,20 @@ static netdev_features_t bond_fix_features(struct net_device *dev,
NETIF_F_HIGHDMA | NETIF_F_LRO)
#define BOND_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
- NETIF_F_RXCSUM | NETIF_F_GSO_SOFTWARE)
+ NETIF_F_RXCSUM | NETIF_F_GSO_SOFTWARE | \
+ NETIF_F_GSO_PARTIAL)
#define BOND_MPLS_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
NETIF_F_GSO_SOFTWARE)
+#define BOND_GSO_PARTIAL_FEATURES (NETIF_F_GSO_ESP)
+
static void bond_compute_features(struct bonding *bond)
{
+ netdev_features_t gso_partial_features = BOND_GSO_PARTIAL_FEATURES;
unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE |
IFF_XMIT_DST_RELEASE_PERM;
- netdev_features_t gso_partial_features = NETIF_F_GSO_ESP;
netdev_features_t vlan_features = BOND_VLAN_FEATURES;
netdev_features_t enc_features = BOND_ENC_FEATURES;
#ifdef CONFIG_XFRM_OFFLOAD
@@ -1592,8 +1595,9 @@ static void bond_compute_features(struct bonding *bond)
BOND_XFRM_FEATURES);
#endif /* CONFIG_XFRM_OFFLOAD */
- if (slave->dev->hw_enc_features & NETIF_F_GSO_PARTIAL)
- gso_partial_features &= slave->dev->gso_partial_features;
+ gso_partial_features = netdev_increment_features(gso_partial_features,
+ slave->dev->gso_partial_features,
+ BOND_GSO_PARTIAL_FEATURES);
mpls_features = netdev_increment_features(mpls_features,
slave->dev->mpls_features,
@@ -1608,12 +1612,8 @@ static void bond_compute_features(struct bonding *bond)
}
bond_dev->hard_header_len = max_hard_header_len;
- if (gso_partial_features & NETIF_F_GSO_ESP)
- bond_dev->gso_partial_features |= NETIF_F_GSO_ESP;
- else
- bond_dev->gso_partial_features &= ~NETIF_F_GSO_ESP;
-
done:
+ bond_dev->gso_partial_features = gso_partial_features;
bond_dev->vlan_features = vlan_features;
bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL |
NETIF_F_HW_VLAN_CTAG_TX |
@@ -6082,6 +6082,7 @@ void bond_setup(struct net_device *bond_dev)
bond_dev->hw_features |= NETIF_F_GSO_ENCAP_ALL;
bond_dev->features |= bond_dev->hw_features;
bond_dev->features |= NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_STAG_TX;
+ bond_dev->features |= NETIF_F_GSO_PARTIAL;
#ifdef CONFIG_XFRM_OFFLOAD
bond_dev->hw_features |= BOND_XFRM_FEATURES;
/* Only enable XFRM features if this is an active-backup config */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 128/567] hwmon: (it87) Check the it87_lock() return value
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 127/567] pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 129/567] e1000e: clear DPG_EN after reset to avoid autonomous power-gating Greg Kroah-Hartman
` (249 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Crawford, Guenter Roeck,
Jean Delvare, linux-hwmon, Bart Van Assche, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit 07ed4f05bbfd2bc014974dcc4297fd3aa1cb88c0 ]
Return early in it87_resume() if it87_lock() fails instead of ignoring the
return value of that function. This patch suppresses a Clang thread-safety
warning.
Cc: Frank Crawford <frank@crawford.emu.id.au>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: Jean Delvare <jdelvare@suse.com>
Cc: linux-hwmon@vger.kernel.org
Fixes: 376e1a937b30 ("hwmon: (it87) Add calls to smbus_enable/smbus_disable as required")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lore.kernel.org/r/20260223220102.2158611-15-bart.vanassche@linux.dev
[groeck: Declare 'ret' at the beginning of it87_resume()]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/it87.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/hwmon/it87.c b/drivers/hwmon/it87.c
index fbe86cec60553..51882f7386cc8 100644
--- a/drivers/hwmon/it87.c
+++ b/drivers/hwmon/it87.c
@@ -3547,10 +3547,13 @@ static int it87_resume(struct device *dev)
{
struct platform_device *pdev = to_platform_device(dev);
struct it87_data *data = dev_get_drvdata(dev);
+ int err;
it87_resume_sio(pdev);
- it87_lock(data);
+ err = it87_lock(data);
+ if (err)
+ return err;
it87_check_pwm(dev);
it87_check_limit_regs(data);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 066/481] net: arcnet: com20020-pci: fix support for 2.5Mbit cards
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 065/481] ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314 Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 067/481] drm/amd: Drop special case for yellow carp without discovery Greg Kroah-Hartman
` (249 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Ethan Nelson-Moore,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Nelson-Moore <enelsonmoore@gmail.com>
[ Upstream commit c7d9be66b71af490446127c6ffcb66d6bb71b8b9 ]
Commit 8c14f9c70327 ("ARCNET: add com20020 PCI IDs with metadata")
converted the com20020-pci driver to use a card info structure instead
of a single flag mask in driver_data. However, it failed to take into
account that in the original code, driver_data of 0 indicates a card
with no special flags, not a card that should not have any card info
structure. This introduced a null pointer dereference when cards with
no flags were probed.
Commit bd6f1fd5d33d ("net: arcnet: com20020: Fix null-ptr-deref in
com20020pci_probe()") then papered over this issue by rejecting cards
with no driver_data instead of resolving the problem at its source.
Fix the original issue by introducing a new card info structure for
2.5Mbit cards that does not set any flags and using it if no
driver_data is present.
Fixes: 8c14f9c70327 ("ARCNET: add com20020 PCI IDs with metadata")
Fixes: bd6f1fd5d33d ("net: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe()")
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Link: https://patch.msgid.link/20260213045510.32368-1-enelsonmoore@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/arcnet/com20020-pci.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/drivers/net/arcnet/com20020-pci.c b/drivers/net/arcnet/com20020-pci.c
index e7db6a4e4dc9d..e9ee32b091a41 100644
--- a/drivers/net/arcnet/com20020-pci.c
+++ b/drivers/net/arcnet/com20020-pci.c
@@ -114,6 +114,8 @@ static const struct attribute_group com20020_state_group = {
.attrs = com20020_state_attrs,
};
+static struct com20020_pci_card_info card_info_2p5mbit;
+
static void com20020pci_remove(struct pci_dev *pdev);
static int com20020pci_probe(struct pci_dev *pdev,
@@ -139,7 +141,7 @@ static int com20020pci_probe(struct pci_dev *pdev,
ci = (struct com20020_pci_card_info *)id->driver_data;
if (!ci)
- return -EINVAL;
+ ci = &card_info_2p5mbit;
priv->ci = ci;
mm = &ci->misc_map;
@@ -346,6 +348,18 @@ static struct com20020_pci_card_info card_info_5mbit = {
.flags = ARC_IS_5MBIT,
};
+static struct com20020_pci_card_info card_info_2p5mbit = {
+ .name = "ARC-PCI",
+ .devcount = 1,
+ .chan_map_tbl = {
+ {
+ .bar = 2,
+ .offset = 0x00,
+ .size = 0x08,
+ },
+ },
+};
+
static struct com20020_pci_card_info card_info_sohard = {
.name = "SOHARD SH ARC-PCI",
.devcount = 1,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 053/460] net: add a common function to compute features for upper devices
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 052/460] bonding: Correctly support GSO ESP offload Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 054/460] bonding: use common function to compute the features Greg Kroah-Hartman
` (249 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Hangbin Liu,
Sabrina Dubroca, Jiri Pirko, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 28098defc79fe7d29e6bfe4eb6312991f6bdc3d3 ]
Some high level software drivers need to compute features from lower
devices. But each has their own implementations and may lost some
feature compute. Let's use one common function to compute features
for kinds of these devices.
The new helper uses the current bond implementation as the reference
one, as the latter already handles all the relevant aspects: netdev
features, TSO limits and dst retention.
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://patch.msgid.link/20251017034155.61990-2-liuhangbin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/netdev_features.h | 18 +++++++
include/linux/netdevice.h | 1 +
net/core/dev.c | 88 +++++++++++++++++++++++++++++++++
3 files changed, 107 insertions(+)
diff --git a/include/linux/netdev_features.h b/include/linux/netdev_features.h
index 11be70a7929f2..2f4243b61a525 100644
--- a/include/linux/netdev_features.h
+++ b/include/linux/netdev_features.h
@@ -253,6 +253,24 @@ static inline int find_next_netdev_feature(u64 feature, unsigned long start)
NETIF_F_GSO_UDP_TUNNEL | \
NETIF_F_GSO_UDP_TUNNEL_CSUM)
+/* virtual device features */
+#define MASTER_UPPER_DEV_VLAN_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
+ NETIF_F_FRAGLIST | NETIF_F_GSO_SOFTWARE | \
+ NETIF_F_GSO_ENCAP_ALL | \
+ NETIF_F_HIGHDMA | NETIF_F_LRO)
+
+#define MASTER_UPPER_DEV_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
+ NETIF_F_RXCSUM | NETIF_F_GSO_SOFTWARE | \
+ NETIF_F_GSO_PARTIAL)
+
+#define MASTER_UPPER_DEV_MPLS_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
+ NETIF_F_GSO_SOFTWARE)
+
+#define MASTER_UPPER_DEV_XFRM_FEATURES (NETIF_F_HW_ESP | NETIF_F_HW_ESP_TX_CSUM | \
+ NETIF_F_GSO_ESP)
+
+#define MASTER_UPPER_DEV_GSO_PARTIAL_FEATURES (NETIF_F_GSO_ESP)
+
static inline netdev_features_t netdev_base_features(netdev_features_t features)
{
features &= ~NETIF_F_ONE_FOR_ALL;
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 77a99c8ab01c7..3699c43731ccf 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -4993,6 +4993,7 @@ static inline netdev_features_t netdev_add_tso_features(netdev_features_t featur
int __netdev_update_features(struct net_device *dev);
void netdev_update_features(struct net_device *dev);
void netdev_change_features(struct net_device *dev);
+void netdev_compute_master_upper_features(struct net_device *dev, bool update_header);
void netif_stacked_transfer_operstate(const struct net_device *rootdev,
struct net_device *dev);
diff --git a/net/core/dev.c b/net/core/dev.c
index e7127eca1afc5..a855cee5e5aeb 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -11851,6 +11851,94 @@ netdev_features_t netdev_increment_features(netdev_features_t all,
}
EXPORT_SYMBOL(netdev_increment_features);
+/**
+ * netdev_compute_master_upper_features - compute feature from lowers
+ * @dev: the upper device
+ * @update_header: whether to update upper device's header_len/headroom/tailroom
+ *
+ * Recompute the upper device's feature based on all lower devices.
+ */
+void netdev_compute_master_upper_features(struct net_device *dev, bool update_header)
+{
+ unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE | IFF_XMIT_DST_RELEASE_PERM;
+ netdev_features_t gso_partial_features = MASTER_UPPER_DEV_GSO_PARTIAL_FEATURES;
+ netdev_features_t xfrm_features = MASTER_UPPER_DEV_XFRM_FEATURES;
+ netdev_features_t mpls_features = MASTER_UPPER_DEV_MPLS_FEATURES;
+ netdev_features_t vlan_features = MASTER_UPPER_DEV_VLAN_FEATURES;
+ netdev_features_t enc_features = MASTER_UPPER_DEV_ENC_FEATURES;
+ unsigned short max_header_len = ETH_HLEN;
+ unsigned int tso_max_size = TSO_MAX_SIZE;
+ unsigned short max_headroom = 0;
+ unsigned short max_tailroom = 0;
+ u16 tso_max_segs = TSO_MAX_SEGS;
+ struct net_device *lower_dev;
+ struct list_head *iter;
+
+ mpls_features = netdev_base_features(mpls_features);
+ vlan_features = netdev_base_features(vlan_features);
+ enc_features = netdev_base_features(enc_features);
+
+ netdev_for_each_lower_dev(dev, lower_dev, iter) {
+ gso_partial_features = netdev_increment_features(gso_partial_features,
+ lower_dev->gso_partial_features,
+ MASTER_UPPER_DEV_GSO_PARTIAL_FEATURES);
+
+ vlan_features = netdev_increment_features(vlan_features,
+ lower_dev->vlan_features,
+ MASTER_UPPER_DEV_VLAN_FEATURES);
+
+ enc_features = netdev_increment_features(enc_features,
+ lower_dev->hw_enc_features,
+ MASTER_UPPER_DEV_ENC_FEATURES);
+
+ if (IS_ENABLED(CONFIG_XFRM_OFFLOAD))
+ xfrm_features = netdev_increment_features(xfrm_features,
+ lower_dev->hw_enc_features,
+ MASTER_UPPER_DEV_XFRM_FEATURES);
+
+ mpls_features = netdev_increment_features(mpls_features,
+ lower_dev->mpls_features,
+ MASTER_UPPER_DEV_MPLS_FEATURES);
+
+ dst_release_flag &= lower_dev->priv_flags;
+
+ if (update_header) {
+ max_header_len = max(max_header_len, lower_dev->hard_header_len);
+ max_headroom = max(max_headroom, lower_dev->needed_headroom);
+ max_tailroom = max(max_tailroom, lower_dev->needed_tailroom);
+ }
+
+ tso_max_size = min(tso_max_size, lower_dev->tso_max_size);
+ tso_max_segs = min(tso_max_segs, lower_dev->tso_max_segs);
+ }
+
+ dev->gso_partial_features = gso_partial_features;
+ dev->vlan_features = vlan_features;
+ dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL |
+ NETIF_F_HW_VLAN_CTAG_TX |
+ NETIF_F_HW_VLAN_STAG_TX;
+ if (IS_ENABLED(CONFIG_XFRM_OFFLOAD))
+ dev->hw_enc_features |= xfrm_features;
+ dev->mpls_features = mpls_features;
+
+ dev->priv_flags &= ~IFF_XMIT_DST_RELEASE;
+ if ((dev->priv_flags & IFF_XMIT_DST_RELEASE_PERM) &&
+ dst_release_flag == (IFF_XMIT_DST_RELEASE | IFF_XMIT_DST_RELEASE_PERM))
+ dev->priv_flags |= IFF_XMIT_DST_RELEASE;
+
+ if (update_header) {
+ dev->hard_header_len = max_header_len;
+ dev->needed_headroom = max_headroom;
+ dev->needed_tailroom = max_tailroom;
+ }
+
+ netif_set_tso_max_segs(dev, tso_max_segs);
+ netif_set_tso_max_size(dev, tso_max_size);
+
+ netdev_change_features(dev);
+}
+EXPORT_SYMBOL(netdev_compute_master_upper_features);
+
static struct hlist_head * __net_init netdev_create_hash(void)
{
int i;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 129/567] e1000e: clear DPG_EN after reset to avoid autonomous power-gating
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 128/567] hwmon: (it87) Check the it87_lock() return value Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 130/567] drm/ssd130x: Use bool for ssd130x_deviceinfo flags Greg Kroah-Hartman
` (248 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vitaly Lifshits, Aleksandr Loktionov,
Avigail Dahan, Paul Menzel, Tony Nguyen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vitaly Lifshits <vitaly.lifshits@intel.com>
[ Upstream commit 0942fc6d324eb9c6b16187b2aa994c0823557f06 ]
Panther Lake systems introduced an autonomous power gating feature for
the integrated Gigabit Ethernet in shutdown state (S5) state. As part of
it, the reset value of DPG_EN bit was changed to 1. Clear this bit after
performing hardware reset to avoid errors such as Tx/Rx hangs, or packet
loss/corruption.
Fixes: 0c9183ce61bc ("e1000e: Add support for the next LOM generation")
Signed-off-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/e1000e/defines.h | 1 +
drivers/net/ethernet/intel/e1000e/ich8lan.c | 9 +++++++++
2 files changed, 10 insertions(+)
diff --git a/drivers/net/ethernet/intel/e1000e/defines.h b/drivers/net/ethernet/intel/e1000e/defines.h
index 955bb11618572..c4db2927c6c42 100644
--- a/drivers/net/ethernet/intel/e1000e/defines.h
+++ b/drivers/net/ethernet/intel/e1000e/defines.h
@@ -33,6 +33,7 @@
/* Extended Device Control */
#define E1000_CTRL_EXT_LPCD 0x00000004 /* LCD Power Cycle Done */
+#define E1000_CTRL_EXT_DPG_EN 0x00000008 /* Dynamic Power Gating Enable */
#define E1000_CTRL_EXT_SDP3_DATA 0x00000080 /* Value of SW Definable Pin 3 */
#define E1000_CTRL_EXT_FORCE_SMBUS 0x00000800 /* Force SMBus mode */
#define E1000_CTRL_EXT_EE_RST 0x00002000 /* Reinitialize from EEPROM */
diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c
index df4e7d781cb1c..f9328caefe44b 100644
--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
+++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
@@ -4925,6 +4925,15 @@ static s32 e1000_reset_hw_ich8lan(struct e1000_hw *hw)
reg |= E1000_KABGTXD_BGSQLBIAS;
ew32(KABGTXD, reg);
+ /* The hardware reset value of the DPG_EN bit is 1.
+ * Clear DPG_EN to prevent unexpected autonomous power gating.
+ */
+ if (hw->mac.type >= e1000_pch_ptp) {
+ reg = er32(CTRL_EXT);
+ reg &= ~E1000_CTRL_EXT_DPG_EN;
+ ew32(CTRL_EXT, reg);
+ }
+
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 067/481] drm/amd: Drop special case for yellow carp without discovery
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 066/481] net: arcnet: com20020-pci: fix support for 2.5Mbit cards Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 068/481] drm/amdgpu: keep vga memory on MacBooks with switchable graphics Greg Kroah-Hartman
` (248 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 3ef07651a5756e7de65615e18eacbf8822c23016 ]
`amdgpu_gmc_get_vbios_allocations` has a special case for how to
bring up yellow carp when amdgpu discovery is turned off. As this ASIC
ships with discovery turned on, it's generally dead code and worse it
causes `adev->mman.keep_stolen_vga_memory` to not be initialized for
yellow carp.
Remove it.
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Stable-dep-of: 096bb75e13cc ("drm/amdgpu: keep vga memory on MacBooks with switchable graphics")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
index fd98d2508a22a..4bc05178504dc 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
@@ -652,12 +652,6 @@ void amdgpu_gmc_get_vbios_allocations(struct amdgpu_device *adev)
case CHIP_RENOIR:
adev->mman.keep_stolen_vga_memory = true;
break;
- case CHIP_YELLOW_CARP:
- if (amdgpu_discovery == 0) {
- adev->mman.stolen_reserved_offset = 0x1ffb0000;
- adev->mman.stolen_reserved_size = 64 * PAGE_SIZE;
- }
- break;
default:
adev->mman.keep_stolen_vga_memory = false;
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 054/460] bonding: use common function to compute the features
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 053/460] net: add a common function to compute features for upper devices Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 055/460] bonding: fix type confusion in bond_setup_by_slave() Greg Kroah-Hartman
` (248 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Sabrina Dubroca,
Jiri Pirko, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit d4fde269a970666a30dd3abd0413273a06dd972d ]
Use the new functon netdev_compute_master_upper_features() to compute the bonding
features.
Note that bond_compute_features() currently uses bond_for_each_slave()
to traverse the lower devices list, and that is just a macro wrapper of
netdev_for_each_lower_private(). We use similar helper
netdev_for_each_lower_dev() in netdev_compute_master_upper_features() to
iterate the slave device, as there is not need to get the private data.
No functional change intended.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://patch.msgid.link/20251017034155.61990-3-liuhangbin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 99 ++-------------------------------
1 file changed, 4 insertions(+), 95 deletions(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index fe29a0911308d..6f2b4734c9c06 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1542,97 +1542,6 @@ static netdev_features_t bond_fix_features(struct net_device *dev,
return features;
}
-#define BOND_VLAN_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
- NETIF_F_FRAGLIST | NETIF_F_GSO_SOFTWARE | \
- NETIF_F_GSO_ENCAP_ALL | \
- NETIF_F_HIGHDMA | NETIF_F_LRO)
-
-#define BOND_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
- NETIF_F_RXCSUM | NETIF_F_GSO_SOFTWARE | \
- NETIF_F_GSO_PARTIAL)
-
-#define BOND_MPLS_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
- NETIF_F_GSO_SOFTWARE)
-
-#define BOND_GSO_PARTIAL_FEATURES (NETIF_F_GSO_ESP)
-
-
-static void bond_compute_features(struct bonding *bond)
-{
- netdev_features_t gso_partial_features = BOND_GSO_PARTIAL_FEATURES;
- unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE |
- IFF_XMIT_DST_RELEASE_PERM;
- netdev_features_t vlan_features = BOND_VLAN_FEATURES;
- netdev_features_t enc_features = BOND_ENC_FEATURES;
-#ifdef CONFIG_XFRM_OFFLOAD
- netdev_features_t xfrm_features = BOND_XFRM_FEATURES;
-#endif /* CONFIG_XFRM_OFFLOAD */
- netdev_features_t mpls_features = BOND_MPLS_FEATURES;
- struct net_device *bond_dev = bond->dev;
- struct list_head *iter;
- struct slave *slave;
- unsigned short max_hard_header_len = ETH_HLEN;
- unsigned int tso_max_size = TSO_MAX_SIZE;
- u16 tso_max_segs = TSO_MAX_SEGS;
-
- if (!bond_has_slaves(bond))
- goto done;
-
- vlan_features = netdev_base_features(vlan_features);
- mpls_features = netdev_base_features(mpls_features);
-
- bond_for_each_slave(bond, slave, iter) {
- vlan_features = netdev_increment_features(vlan_features,
- slave->dev->vlan_features, BOND_VLAN_FEATURES);
-
- enc_features = netdev_increment_features(enc_features,
- slave->dev->hw_enc_features,
- BOND_ENC_FEATURES);
-
-#ifdef CONFIG_XFRM_OFFLOAD
- xfrm_features = netdev_increment_features(xfrm_features,
- slave->dev->hw_enc_features,
- BOND_XFRM_FEATURES);
-#endif /* CONFIG_XFRM_OFFLOAD */
-
- gso_partial_features = netdev_increment_features(gso_partial_features,
- slave->dev->gso_partial_features,
- BOND_GSO_PARTIAL_FEATURES);
-
- mpls_features = netdev_increment_features(mpls_features,
- slave->dev->mpls_features,
- BOND_MPLS_FEATURES);
-
- dst_release_flag &= slave->dev->priv_flags;
- if (slave->dev->hard_header_len > max_hard_header_len)
- max_hard_header_len = slave->dev->hard_header_len;
-
- tso_max_size = min(tso_max_size, slave->dev->tso_max_size);
- tso_max_segs = min(tso_max_segs, slave->dev->tso_max_segs);
- }
- bond_dev->hard_header_len = max_hard_header_len;
-
-done:
- bond_dev->gso_partial_features = gso_partial_features;
- bond_dev->vlan_features = vlan_features;
- bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL |
- NETIF_F_HW_VLAN_CTAG_TX |
- NETIF_F_HW_VLAN_STAG_TX;
-#ifdef CONFIG_XFRM_OFFLOAD
- bond_dev->hw_enc_features |= xfrm_features;
-#endif /* CONFIG_XFRM_OFFLOAD */
- bond_dev->mpls_features = mpls_features;
- netif_set_tso_max_segs(bond_dev, tso_max_segs);
- netif_set_tso_max_size(bond_dev, tso_max_size);
-
- bond_dev->priv_flags &= ~IFF_XMIT_DST_RELEASE;
- if ((bond_dev->priv_flags & IFF_XMIT_DST_RELEASE_PERM) &&
- dst_release_flag == (IFF_XMIT_DST_RELEASE | IFF_XMIT_DST_RELEASE_PERM))
- bond_dev->priv_flags |= IFF_XMIT_DST_RELEASE;
-
- netdev_change_features(bond_dev);
-}
-
static void bond_setup_by_slave(struct net_device *bond_dev,
struct net_device *slave_dev)
{
@@ -2379,7 +2288,7 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
}
bond->slave_cnt++;
- bond_compute_features(bond);
+ netdev_compute_master_upper_features(bond->dev, true);
bond_set_carrier(bond);
/* Needs to be called before bond_select_active_slave(), which will
@@ -2631,7 +2540,7 @@ static int __bond_release_one(struct net_device *bond_dev,
call_netdevice_notifiers(NETDEV_RELEASE, bond->dev);
}
- bond_compute_features(bond);
+ netdev_compute_master_upper_features(bond->dev, true);
if (!(bond_dev->features & NETIF_F_VLAN_CHALLENGED) &&
(old_features & NETIF_F_VLAN_CHALLENGED))
slave_info(bond_dev, slave_dev, "last VLAN challenged slave left bond - VLAN blocking is removed\n");
@@ -4135,7 +4044,7 @@ static int bond_slave_netdev_event(unsigned long event,
case NETDEV_FEAT_CHANGE:
if (!bond->notifier_ctx) {
bond->notifier_ctx = true;
- bond_compute_features(bond);
+ netdev_compute_master_upper_features(bond->dev, true);
bond->notifier_ctx = false;
}
break;
@@ -6073,7 +5982,7 @@ void bond_setup(struct net_device *bond_dev)
* capable
*/
- bond_dev->hw_features = BOND_VLAN_FEATURES |
+ bond_dev->hw_features = MASTER_UPPER_DEV_VLAN_FEATURES |
NETIF_F_HW_VLAN_CTAG_RX |
NETIF_F_HW_VLAN_CTAG_FILTER |
NETIF_F_HW_VLAN_STAG_RX |
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 130/567] drm/ssd130x: Use bool for ssd130x_deviceinfo flags
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 129/567] e1000e: clear DPG_EN after reset to avoid autonomous power-gating Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 131/567] drm/ssd130x: Store the HW buffer in the driver-private CRTC state Greg Kroah-Hartman
` (247 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven,
Javier Martinez Canillas, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert@linux-m68k.org>
[ Upstream commit 15d30b46573d75f5cb58cfacded8ebab9c76a2b0 ]
The .need_pwm and .need_chargepump fields in struct ssd130x_deviceinfo
are flags that can have only two possible values: 0 and 1.
Reduce kernel size by changing their types from int to bool.
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Tested-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/285005ff361969eff001386c5f97990f0e703838.1692888745.git.geert@linux-m68k.org
Stable-dep-of: 36d9579fed6c ("drm/solomon: Fix page start when updating rectangle in page addressing mode")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/solomon/ssd130x.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/solomon/ssd130x.h b/drivers/gpu/drm/solomon/ssd130x.h
index 87968b3e7fb82..aa39b13615ebe 100644
--- a/drivers/gpu/drm/solomon/ssd130x.h
+++ b/drivers/gpu/drm/solomon/ssd130x.h
@@ -40,8 +40,8 @@ struct ssd130x_deviceinfo {
u32 default_width;
u32 default_height;
u32 page_height;
- int need_pwm;
- int need_chargepump;
+ bool need_pwm;
+ bool need_chargepump;
bool page_mode_only;
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 068/481] drm/amdgpu: keep vga memory on MacBooks with switchable graphics
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 067/481] drm/amd: Drop special case for yellow carp without discovery Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 069/481] eventpoll: Fix integer overflow in ep_loop_check_proc() Greg Kroah-Hartman
` (247 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Kleiner, Alex Deucher,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit 096bb75e13cc508d3915b7604e356bcb12b17766 ]
On Intel MacBookPros with switchable graphics, when the iGPU
is enabled, the address of VRAM gets put at 0 in the dGPU's
virtual address space. This is non-standard and seems to cause
issues with the cursor if it ends up at 0. We have the framework
to reserve memory at 0 in the address space, so enable it here if
the vram start address is 0.
Reviewed-and-tested-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4302
Cc: stable@vger.kernel.org
Cc: Mario Kleiner <mario.kleiner.de@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
index 4bc05178504dc..3a1576e2f8e3b 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
@@ -652,6 +652,16 @@ void amdgpu_gmc_get_vbios_allocations(struct amdgpu_device *adev)
case CHIP_RENOIR:
adev->mman.keep_stolen_vga_memory = true;
break;
+ case CHIP_POLARIS10:
+ case CHIP_POLARIS11:
+ case CHIP_POLARIS12:
+ /* MacBookPros with switchable graphics put VRAM at 0 when
+ * the iGPU is enabled which results in cursor issues if
+ * the cursor ends up at 0. Reserve vram at 0 in that case.
+ */
+ if (adev->gmc.vram_start == 0)
+ adev->mman.keep_stolen_vga_memory = true;
+ break;
default:
adev->mman.keep_stolen_vga_memory = false;
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 055/460] bonding: fix type confusion in bond_setup_by_slave()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 054/460] bonding: use common function to compute the features Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 056/460] mctp: route: hold key->lock in mctp_flow_prepare_output() Greg Kroah-Hartman
` (247 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jay Vosburgh, Eric Dumazet,
Jiayuan Chen, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@shopee.com>
[ Upstream commit 950803f7254721c1c15858fbbfae3deaaeeecb11 ]
kernel BUG at net/core/skbuff.c:2306!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306
RSP: 0018:ffffc90004aff760 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e
RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900
RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000
R10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780
R13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0
Call Trace:
<TASK>
ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900
dev_hard_header include/linux/netdevice.h:3439 [inline]
packet_snd net/packet/af_packet.c:3028 [inline]
packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0xa54/0xc30 net/socket.c:2592
___sys_sendmsg+0x190/0x1e0 net/socket.c:2646
__sys_sendmsg+0x170/0x220 net/socket.c:2678
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe1a0e6c1a9
When a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond,
bond_setup_by_slave() directly copies the slave's header_ops to the
bond device:
bond_dev->header_ops = slave_dev->header_ops;
This causes a type confusion when dev_hard_header() is later called
on the bond device. Functions like ipgre_header(), ip6gre_header(),all use
netdev_priv(dev) to access their device-specific private data. When
called with the bond device, netdev_priv() returns the bond's private
data (struct bonding) instead of the expected type (e.g. struct
ip_tunnel), leading to garbage values being read and kernel crashes.
Fix this by introducing bond_header_ops with wrapper functions that
delegate to the active slave's header_ops using the slave's own
device. This ensures netdev_priv() in the slave's header functions
always receives the correct device.
The fix is placed in the bonding driver rather than individual device
drivers, as the root cause is bond blindly inheriting header_ops from
the slave without considering that these callbacks expect a specific
netdev_priv() layout.
The type confusion can be observed by adding a printk in
ipgre_header() and running the following commands:
ip link add dummy0 type dummy
ip addr add 10.0.0.1/24 dev dummy0
ip link set dummy0 up
ip link add gre1 type gre local 10.0.0.1
ip link add bond1 type bond mode active-backup
ip link set gre1 master bond1
ip link set gre1 up
ip link set bond1 up
ip addr add fe80::1/64 dev bond1
Fixes: 1284cd3a2b74 ("bonding: two small fixes for IPoIB support")
Suggested-by: Jay Vosburgh <jv@jvosburgh.net>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Link: https://patch.msgid.link/20260306021508.222062-1-jiayuan.chen@linux.dev
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 47 ++++++++++++++++++++++++++++++++-
1 file changed, 46 insertions(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 6f2b4734c9c06..546c9004c9e30 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1542,6 +1542,50 @@ static netdev_features_t bond_fix_features(struct net_device *dev,
return features;
}
+static int bond_header_create(struct sk_buff *skb, struct net_device *bond_dev,
+ unsigned short type, const void *daddr,
+ const void *saddr, unsigned int len)
+{
+ struct bonding *bond = netdev_priv(bond_dev);
+ const struct header_ops *slave_ops;
+ struct slave *slave;
+ int ret = 0;
+
+ rcu_read_lock();
+ slave = rcu_dereference(bond->curr_active_slave);
+ if (slave) {
+ slave_ops = READ_ONCE(slave->dev->header_ops);
+ if (slave_ops && slave_ops->create)
+ ret = slave_ops->create(skb, slave->dev,
+ type, daddr, saddr, len);
+ }
+ rcu_read_unlock();
+ return ret;
+}
+
+static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr)
+{
+ struct bonding *bond = netdev_priv(skb->dev);
+ const struct header_ops *slave_ops;
+ struct slave *slave;
+ int ret = 0;
+
+ rcu_read_lock();
+ slave = rcu_dereference(bond->curr_active_slave);
+ if (slave) {
+ slave_ops = READ_ONCE(slave->dev->header_ops);
+ if (slave_ops && slave_ops->parse)
+ ret = slave_ops->parse(skb, haddr);
+ }
+ rcu_read_unlock();
+ return ret;
+}
+
+static const struct header_ops bond_header_ops = {
+ .create = bond_header_create,
+ .parse = bond_header_parse,
+};
+
static void bond_setup_by_slave(struct net_device *bond_dev,
struct net_device *slave_dev)
{
@@ -1549,7 +1593,8 @@ static void bond_setup_by_slave(struct net_device *bond_dev,
dev_close(bond_dev);
- bond_dev->header_ops = slave_dev->header_ops;
+ bond_dev->header_ops = slave_dev->header_ops ?
+ &bond_header_ops : NULL;
bond_dev->type = slave_dev->type;
bond_dev->hard_header_len = slave_dev->hard_header_len;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 131/567] drm/ssd130x: Store the HW buffer in the driver-private CRTC state
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 130/567] drm/ssd130x: Use bool for ssd130x_deviceinfo flags Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 132/567] drm/ssd130x: Replace .page_height field in device info with a constant Greg Kroah-Hartman
` (246 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven,
Javier Martinez Canillas, Maxime Ripard, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Javier Martinez Canillas <javierm@redhat.com>
[ Upstream commit d51f9fbd98b6d88aef4f6431bbb575378a6c7a24 ]
The commit 45b58669e532 ("drm/ssd130x: Allocate buffer in the plane's
.atomic_check() callback") moved the allocation of the intermediate and
HW buffers from the encoder's .atomic_enable callback, to the plane's
.atomic_check callback.
This was suggested by Maxime Ripard, because drivers aren't allowed to
fail after the drm_atomic_helper_swap_state() function has been called.
And the encoder's .atomic_enable happens after the new atomic state has
been swapped, so allocations (that can fail) shouldn't be done there.
But the HW buffer isn't really tied to the plane's state. It has a fixed
size that only depends on the (also fixed) display resolution defined in
the Device Tree Blob.
That buffer can be considered part of the CRTC state, and for this reason
makes more sense to do its allocation in the CRTC .atomic_check callback.
The other allocated buffer (used to store a conversion from the emulated
XR24 format to the native R1 format) is part of the plane's state, since
it will be optional once the driver supports R1 and allows user-space to
set that pixel format.
So let's keep the allocation for it in the plane's .atomic_check callback,
this can't be moved to the CRTC's .atomic_check because changing a format
does not trigger a CRTC mode set.
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Closes: https://lore.kernel.org/dri-devel/CAMuHMdWv_QSatDgihr8=2SXHhvp=icNxumZcZOPwT9Q_QiogNQ@mail.gmail.com/
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Acked-by: Maxime Ripard <mripard@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20230913052938.1114651-1-javierm@redhat.com
Stable-dep-of: 36d9579fed6c ("drm/solomon: Fix page start when updating rectangle in page addressing mode")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/solomon/ssd130x.c | 153 +++++++++++++++++++++++-------
1 file changed, 118 insertions(+), 35 deletions(-)
diff --git a/drivers/gpu/drm/solomon/ssd130x.c b/drivers/gpu/drm/solomon/ssd130x.c
index deec6acdcf646..ef3e3832add90 100644
--- a/drivers/gpu/drm/solomon/ssd130x.c
+++ b/drivers/gpu/drm/solomon/ssd130x.c
@@ -141,14 +141,23 @@ const struct ssd130x_deviceinfo ssd130x_variants[] = {
};
EXPORT_SYMBOL_NS_GPL(ssd130x_variants, DRM_SSD130X);
+struct ssd130x_crtc_state {
+ struct drm_crtc_state base;
+ /* Buffer to store pixels in HW format and written to the panel */
+ u8 *data_array;
+};
+
struct ssd130x_plane_state {
struct drm_shadow_plane_state base;
/* Intermediate buffer to convert pixels from XRGB8888 to HW format */
u8 *buffer;
- /* Buffer to store pixels in HW format and written to the panel */
- u8 *data_array;
};
+static inline struct ssd130x_crtc_state *to_ssd130x_crtc_state(struct drm_crtc_state *state)
+{
+ return container_of(state, struct ssd130x_crtc_state, base);
+}
+
static inline struct ssd130x_plane_state *to_ssd130x_plane_state(struct drm_plane_state *state)
{
return container_of(state, struct ssd130x_plane_state, base.base);
@@ -448,13 +457,11 @@ static int ssd130x_init(struct ssd130x_device *ssd130x)
}
static int ssd130x_update_rect(struct ssd130x_device *ssd130x,
- struct ssd130x_plane_state *ssd130x_state,
- struct drm_rect *rect)
+ struct drm_rect *rect, u8 *buf,
+ u8 *data_array)
{
unsigned int x = rect->x1;
unsigned int y = rect->y1;
- u8 *buf = ssd130x_state->buffer;
- u8 *data_array = ssd130x_state->data_array;
unsigned int width = drm_rect_width(rect);
unsigned int height = drm_rect_height(rect);
unsigned int line_length = DIV_ROUND_UP(width, 8);
@@ -550,12 +557,10 @@ static int ssd130x_update_rect(struct ssd130x_device *ssd130x,
return ret;
}
-static void ssd130x_clear_screen(struct ssd130x_device *ssd130x,
- struct ssd130x_plane_state *ssd130x_state)
+static void ssd130x_clear_screen(struct ssd130x_device *ssd130x, u8 *data_array)
{
unsigned int page_height = ssd130x->device_info->page_height;
unsigned int pages = DIV_ROUND_UP(ssd130x->height, page_height);
- u8 *data_array = ssd130x_state->data_array;
unsigned int width = ssd130x->width;
int ret, i;
@@ -594,15 +599,13 @@ static void ssd130x_clear_screen(struct ssd130x_device *ssd130x,
}
}
-static int ssd130x_fb_blit_rect(struct drm_plane_state *state,
+static int ssd130x_fb_blit_rect(struct drm_framebuffer *fb,
const struct iosys_map *vmap,
- struct drm_rect *rect)
+ struct drm_rect *rect,
+ u8 *buf, u8 *data_array)
{
- struct drm_framebuffer *fb = state->fb;
struct ssd130x_device *ssd130x = drm_to_ssd130x(fb->dev);
unsigned int page_height = ssd130x->device_info->page_height;
- struct ssd130x_plane_state *ssd130x_state = to_ssd130x_plane_state(state);
- u8 *buf = ssd130x_state->buffer;
struct iosys_map dst;
unsigned int dst_pitch;
int ret = 0;
@@ -622,7 +625,7 @@ static int ssd130x_fb_blit_rect(struct drm_plane_state *state,
drm_gem_fb_end_cpu_access(fb, DMA_FROM_DEVICE);
- ssd130x_update_rect(ssd130x, ssd130x_state, rect);
+ ssd130x_update_rect(ssd130x, rect, buf, data_array);
return ret;
}
@@ -634,12 +637,19 @@ static int ssd130x_primary_plane_helper_atomic_check(struct drm_plane *plane,
struct ssd130x_device *ssd130x = drm_to_ssd130x(drm);
struct drm_plane_state *plane_state = drm_atomic_get_new_plane_state(state, plane);
struct ssd130x_plane_state *ssd130x_state = to_ssd130x_plane_state(plane_state);
- unsigned int page_height = ssd130x->device_info->page_height;
- unsigned int pages = DIV_ROUND_UP(ssd130x->height, page_height);
+ struct drm_crtc *crtc = plane_state->crtc;
+ struct drm_crtc_state *crtc_state;
const struct drm_format_info *fi;
unsigned int pitch;
int ret;
+ if (!crtc)
+ return -EINVAL;
+
+ crtc_state = drm_atomic_get_crtc_state(state, crtc);
+ if (IS_ERR(crtc_state))
+ return PTR_ERR(crtc_state);
+
ret = drm_plane_helper_atomic_check(plane, state);
if (ret)
return ret;
@@ -654,14 +664,6 @@ static int ssd130x_primary_plane_helper_atomic_check(struct drm_plane *plane,
if (!ssd130x_state->buffer)
return -ENOMEM;
- ssd130x_state->data_array = kcalloc(ssd130x->width, pages, GFP_KERNEL);
- if (!ssd130x_state->data_array) {
- kfree(ssd130x_state->buffer);
- /* Set to prevent a double free in .atomic_destroy_state() */
- ssd130x_state->buffer = NULL;
- return -ENOMEM;
- }
-
return 0;
}
@@ -671,6 +673,10 @@ static void ssd130x_primary_plane_helper_atomic_update(struct drm_plane *plane,
struct drm_plane_state *plane_state = drm_atomic_get_new_plane_state(state, plane);
struct drm_plane_state *old_plane_state = drm_atomic_get_old_plane_state(state, plane);
struct drm_shadow_plane_state *shadow_plane_state = to_drm_shadow_plane_state(plane_state);
+ struct drm_crtc_state *crtc_state = drm_atomic_get_new_crtc_state(state, plane_state->crtc);
+ struct ssd130x_crtc_state *ssd130x_crtc_state = to_ssd130x_crtc_state(crtc_state);
+ struct ssd130x_plane_state *ssd130x_plane_state = to_ssd130x_plane_state(plane_state);
+ struct drm_framebuffer *fb = plane_state->fb;
struct drm_atomic_helper_damage_iter iter;
struct drm_device *drm = plane->dev;
struct drm_rect dst_clip;
@@ -687,7 +693,9 @@ static void ssd130x_primary_plane_helper_atomic_update(struct drm_plane *plane,
if (!drm_rect_intersect(&dst_clip, &damage))
continue;
- ssd130x_fb_blit_rect(plane_state, &shadow_plane_state->data[0], &dst_clip);
+ ssd130x_fb_blit_rect(fb, &shadow_plane_state->data[0], &dst_clip,
+ ssd130x_plane_state->buffer,
+ ssd130x_crtc_state->data_array);
}
drm_dev_exit(idx);
@@ -698,13 +706,21 @@ static void ssd130x_primary_plane_helper_atomic_disable(struct drm_plane *plane,
{
struct drm_device *drm = plane->dev;
struct ssd130x_device *ssd130x = drm_to_ssd130x(drm);
- struct ssd130x_plane_state *ssd130x_state = to_ssd130x_plane_state(plane->state);
+ struct drm_plane_state *plane_state = drm_atomic_get_new_plane_state(state, plane);
+ struct drm_crtc_state *crtc_state;
+ struct ssd130x_crtc_state *ssd130x_crtc_state;
int idx;
+ if (!plane_state->crtc)
+ return;
+
+ crtc_state = drm_atomic_get_new_crtc_state(state, plane_state->crtc);
+ ssd130x_crtc_state = to_ssd130x_crtc_state(crtc_state);
+
if (!drm_dev_enter(drm, &idx))
return;
- ssd130x_clear_screen(ssd130x, ssd130x_state);
+ ssd130x_clear_screen(ssd130x, ssd130x_crtc_state->data_array);
drm_dev_exit(idx);
}
@@ -737,9 +753,8 @@ static struct drm_plane_state *ssd130x_primary_plane_duplicate_state(struct drm_
if (!ssd130x_state)
return NULL;
- /* The buffers are not duplicated and are allocated in .atomic_check */
+ /* The buffer is not duplicated and is allocated in .atomic_check */
ssd130x_state->buffer = NULL;
- ssd130x_state->data_array = NULL;
new_shadow_plane_state = &ssd130x_state->base;
@@ -753,7 +768,6 @@ static void ssd130x_primary_plane_destroy_state(struct drm_plane *plane,
{
struct ssd130x_plane_state *ssd130x_state = to_ssd130x_plane_state(state);
- kfree(ssd130x_state->data_array);
kfree(ssd130x_state->buffer);
__drm_gem_destroy_shadow_plane_state(&ssd130x_state->base);
@@ -793,6 +807,75 @@ static enum drm_mode_status ssd130x_crtc_helper_mode_valid(struct drm_crtc *crtc
return MODE_OK;
}
+static int ssd130x_crtc_helper_atomic_check(struct drm_crtc *crtc,
+ struct drm_atomic_state *state)
+{
+ struct drm_device *drm = crtc->dev;
+ struct ssd130x_device *ssd130x = drm_to_ssd130x(drm);
+ struct drm_crtc_state *crtc_state = drm_atomic_get_new_crtc_state(state, crtc);
+ struct ssd130x_crtc_state *ssd130x_state = to_ssd130x_crtc_state(crtc_state);
+ unsigned int page_height = ssd130x->device_info->page_height;
+ unsigned int pages = DIV_ROUND_UP(ssd130x->height, page_height);
+ int ret;
+
+ ret = drm_crtc_helper_atomic_check(crtc, state);
+ if (ret)
+ return ret;
+
+ ssd130x_state->data_array = kmalloc(ssd130x->width * pages, GFP_KERNEL);
+ if (!ssd130x_state->data_array)
+ return -ENOMEM;
+
+ return 0;
+}
+
+/* Called during init to allocate the CRTC's atomic state. */
+static void ssd130x_crtc_reset(struct drm_crtc *crtc)
+{
+ struct ssd130x_crtc_state *ssd130x_state;
+
+ WARN_ON(crtc->state);
+
+ ssd130x_state = kzalloc(sizeof(*ssd130x_state), GFP_KERNEL);
+ if (!ssd130x_state)
+ return;
+
+ __drm_atomic_helper_crtc_reset(crtc, &ssd130x_state->base);
+}
+
+static struct drm_crtc_state *ssd130x_crtc_duplicate_state(struct drm_crtc *crtc)
+{
+ struct ssd130x_crtc_state *old_ssd130x_state;
+ struct ssd130x_crtc_state *ssd130x_state;
+
+ if (WARN_ON(!crtc->state))
+ return NULL;
+
+ old_ssd130x_state = to_ssd130x_crtc_state(crtc->state);
+ ssd130x_state = kmemdup(old_ssd130x_state, sizeof(*ssd130x_state), GFP_KERNEL);
+ if (!ssd130x_state)
+ return NULL;
+
+ /* The buffer is not duplicated and is allocated in .atomic_check */
+ ssd130x_state->data_array = NULL;
+
+ __drm_atomic_helper_crtc_duplicate_state(crtc, &ssd130x_state->base);
+
+ return &ssd130x_state->base;
+}
+
+static void ssd130x_crtc_destroy_state(struct drm_crtc *crtc,
+ struct drm_crtc_state *state)
+{
+ struct ssd130x_crtc_state *ssd130x_state = to_ssd130x_crtc_state(state);
+
+ kfree(ssd130x_state->data_array);
+
+ __drm_atomic_helper_crtc_destroy_state(state);
+
+ kfree(ssd130x_state);
+}
+
/*
* The CRTC is always enabled. Screen updates are performed by
* the primary plane's atomic_update function. Disabling clears
@@ -800,16 +883,16 @@ static enum drm_mode_status ssd130x_crtc_helper_mode_valid(struct drm_crtc *crtc
*/
static const struct drm_crtc_helper_funcs ssd130x_crtc_helper_funcs = {
.mode_valid = ssd130x_crtc_helper_mode_valid,
- .atomic_check = drm_crtc_helper_atomic_check,
+ .atomic_check = ssd130x_crtc_helper_atomic_check,
};
static const struct drm_crtc_funcs ssd130x_crtc_funcs = {
- .reset = drm_atomic_helper_crtc_reset,
+ .reset = ssd130x_crtc_reset,
.destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
- .atomic_duplicate_state = drm_atomic_helper_crtc_duplicate_state,
- .atomic_destroy_state = drm_atomic_helper_crtc_destroy_state,
+ .atomic_duplicate_state = ssd130x_crtc_duplicate_state,
+ .atomic_destroy_state = ssd130x_crtc_destroy_state,
};
static void ssd130x_encoder_helper_atomic_enable(struct drm_encoder *encoder,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 069/481] eventpoll: Fix integer overflow in ep_loop_check_proc()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 068/481] drm/amdgpu: keep vga memory on MacBooks with switchable graphics Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 070/481] media: dvb-core: fix wrong reinitialization of ringbuffer on reopen Greg Kroah-Hartman
` (246 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Jann Horn,
Christian Brauner
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit fdcfce93073d990ed4b71752e31ad1c1d6e9d58b upstream.
If a recursive call to ep_loop_check_proc() hits the `result = INT_MAX`,
an integer overflow will occur in the calling ep_loop_check_proc() at
`result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1)`,
breaking the recursion depth check.
Fix it by using a different placeholder value that can't lead to an
overflow.
Reported-by: Guenter Roeck <linux@roeck-us.net>
Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://patch.msgid.link/20260223-epoll-int-overflow-v1-1-452f35132224@google.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/eventpoll.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1872,7 +1872,8 @@ static int ep_poll(struct eventpoll *ep,
* @ep: the &struct eventpoll to be currently checked.
* @depth: Current depth of the path being checked.
*
- * Return: depth of the subtree, or INT_MAX if we found a loop or went too deep.
+ * Return: depth of the subtree, or a value bigger than EP_MAX_NESTS if we found
+ * a loop or went too deep.
*/
static int ep_loop_check_proc(struct eventpoll *ep, int depth)
{
@@ -1891,7 +1892,7 @@ static int ep_loop_check_proc(struct eve
struct eventpoll *ep_tovisit;
ep_tovisit = epi->ffd.file->private_data;
if (ep_tovisit == inserting_into || depth > EP_MAX_NESTS)
- result = INT_MAX;
+ result = EP_MAX_NESTS+1;
else
result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1);
if (result > EP_MAX_NESTS)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 056/460] mctp: route: hold key->lock in mctp_flow_prepare_output()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 055/460] bonding: fix type confusion in bond_setup_by_slave() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 057/460] amd-xgbe: fix link status handling in xgbe_rx_adaptation Greg Kroah-Hartman
` (246 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chengfeng Ye, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chengfeng Ye <dg573847474@gmail.com>
[ Upstream commit 7d86aa41c073c4e7eb75fd2e674f1fd8f289728a ]
mctp_flow_prepare_output() checks key->dev and may call
mctp_dev_set_key(), but it does not hold key->lock while doing so.
mctp_dev_set_key() and mctp_dev_release_key() are annotated with
__must_hold(&key->lock), so key->dev access is intended to be
serialized by key->lock. The mctp_sendmsg() transmit path reaches
mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output()
without holding key->lock, so the check-and-set sequence is racy.
Example interleaving:
CPU0 CPU1
---- ----
mctp_flow_prepare_output(key, devA)
if (!key->dev) // sees NULL
mctp_flow_prepare_output(
key, devB)
if (!key->dev) // still NULL
mctp_dev_set_key(devB, key)
mctp_dev_hold(devB)
key->dev = devB
mctp_dev_set_key(devA, key)
mctp_dev_hold(devA)
key->dev = devA // overwrites devB
Now both devA and devB references were acquired, but only the final
key->dev value is tracked for release. One reference can be lost,
causing a resource leak as mctp_dev_release_key() would only decrease
the reference on one dev.
Fix by taking key->lock around the key->dev check and
mctp_dev_set_key() call.
Fixes: 67737c457281 ("mctp: Pass flow data & flow release events to drivers")
Signed-off-by: Chengfeng Ye <dg573847474@gmail.com>
Link: https://patch.msgid.link/20260306031402.857224-1-dg573847474@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mctp/route.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/mctp/route.c b/net/mctp/route.c
index 19ff259d7bc43..08bbd861dc42e 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -306,6 +306,7 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev)
{
struct mctp_sk_key *key;
struct mctp_flow *flow;
+ unsigned long flags;
flow = skb_ext_find(skb, SKB_EXT_MCTP);
if (!flow)
@@ -313,12 +314,14 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev)
key = flow->key;
- if (key->dev) {
+ spin_lock_irqsave(&key->lock, flags);
+
+ if (!key->dev)
+ mctp_dev_set_key(dev, key);
+ else
WARN_ON(key->dev != dev);
- return;
- }
- mctp_dev_set_key(dev, key);
+ spin_unlock_irqrestore(&key->lock, flags);
}
#else
static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key) {}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 132/567] drm/ssd130x: Replace .page_height field in device info with a constant
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 131/567] drm/ssd130x: Store the HW buffer in the driver-private CRTC state Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 133/567] drm/solomon: Fix page start when updating rectangle in page addressing mode Greg Kroah-Hartman
` (245 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Javier Martinez Canillas,
Geert Uytterhoeven, Thomas Zimmermann, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Javier Martinez Canillas <javierm@redhat.com>
[ Upstream commit ec5dceb8180f0cb110dc7029d55d6a83d0583015 ]
This deemed useful to avoid hardcoding a page height and allow to support
other Solomon controller families, but dividing the screen in pages seems
to be something that is specific to the SSD130x chip family.
For example, SSD132x chip family divides the screen in segments (columns)
and common outputs (rows), so the concept of screen pages does not exist
for the SSD132x family.
Let's drop this field from the device info struct and just use a constant
SSD130X_PAGE_HEIGHT macro to define the page height. While being there,
replace hardcoded 8 values in places where it is used as the page height.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20231014071520.1342189-2-javierm@redhat.com
Stable-dep-of: 36d9579fed6c ("drm/solomon: Fix page start when updating rectangle in page addressing mode")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/solomon/ssd130x.c | 37 +++++++++++++++----------------
drivers/gpu/drm/solomon/ssd130x.h | 1 -
2 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/drivers/gpu/drm/solomon/ssd130x.c b/drivers/gpu/drm/solomon/ssd130x.c
index ef3e3832add90..81c85e67fa070 100644
--- a/drivers/gpu/drm/solomon/ssd130x.c
+++ b/drivers/gpu/drm/solomon/ssd130x.c
@@ -42,6 +42,8 @@
#define DRIVER_MAJOR 1
#define DRIVER_MINOR 0
+#define SSD130X_PAGE_HEIGHT 8
+
#define SSD130X_PAGE_COL_START_LOW 0x00
#define SSD130X_PAGE_COL_START_HIGH 0x10
#define SSD130X_SET_ADDRESS_MODE 0x20
@@ -102,7 +104,6 @@ const struct ssd130x_deviceinfo ssd130x_variants[] = {
.default_width = 132,
.default_height = 64,
.page_mode_only = 1,
- .page_height = 8,
},
[SSD1305_ID] = {
.default_vcomh = 0x34,
@@ -110,7 +111,6 @@ const struct ssd130x_deviceinfo ssd130x_variants[] = {
.default_dclk_frq = 7,
.default_width = 132,
.default_height = 64,
- .page_height = 8,
},
[SSD1306_ID] = {
.default_vcomh = 0x20,
@@ -119,7 +119,6 @@ const struct ssd130x_deviceinfo ssd130x_variants[] = {
.need_chargepump = 1,
.default_width = 128,
.default_height = 64,
- .page_height = 8,
},
[SSD1307_ID] = {
.default_vcomh = 0x20,
@@ -128,7 +127,6 @@ const struct ssd130x_deviceinfo ssd130x_variants[] = {
.need_pwm = 1,
.default_width = 128,
.default_height = 39,
- .page_height = 8,
},
[SSD1309_ID] = {
.default_vcomh = 0x34,
@@ -136,7 +134,6 @@ const struct ssd130x_deviceinfo ssd130x_variants[] = {
.default_dclk_frq = 10,
.default_width = 128,
.default_height = 64,
- .page_height = 8,
}
};
EXPORT_SYMBOL_NS_GPL(ssd130x_variants, DRM_SSD130X);
@@ -465,13 +462,13 @@ static int ssd130x_update_rect(struct ssd130x_device *ssd130x,
unsigned int width = drm_rect_width(rect);
unsigned int height = drm_rect_height(rect);
unsigned int line_length = DIV_ROUND_UP(width, 8);
- unsigned int page_height = ssd130x->device_info->page_height;
+ unsigned int page_height = SSD130X_PAGE_HEIGHT;
unsigned int pages = DIV_ROUND_UP(height, page_height);
struct drm_device *drm = &ssd130x->drm;
u32 array_idx = 0;
int ret, i, j, k;
- drm_WARN_ONCE(drm, y % 8 != 0, "y must be aligned to screen page\n");
+ drm_WARN_ONCE(drm, y % page_height != 0, "y must be aligned to screen page\n");
/*
* The screen is divided in pages, each having a height of 8
@@ -503,27 +500,32 @@ static int ssd130x_update_rect(struct ssd130x_device *ssd130x,
*/
if (!ssd130x->page_address_mode) {
+ u8 page_start;
+
/* Set address range for horizontal addressing mode */
ret = ssd130x_set_col_range(ssd130x, ssd130x->col_offset + x, width);
if (ret < 0)
return ret;
- ret = ssd130x_set_page_range(ssd130x, ssd130x->page_offset + y / 8, pages);
+ page_start = ssd130x->page_offset + y / page_height;
+ ret = ssd130x_set_page_range(ssd130x, page_start, pages);
if (ret < 0)
return ret;
}
for (i = 0; i < pages; i++) {
- int m = 8;
+ int m = page_height;
/* Last page may be partial */
- if (8 * (y / 8 + i + 1) > ssd130x->height)
- m = ssd130x->height % 8;
+ if (page_height * (y / page_height + i + 1) > ssd130x->height)
+ m = ssd130x->height % page_height;
+
for (j = 0; j < width; j++) {
u8 data = 0;
for (k = 0; k < m; k++) {
- u8 byte = buf[(8 * i + k) * line_length + j / 8];
+ u32 idx = (page_height * i + k) * line_length + j / 8;
+ u8 byte = buf[idx];
u8 bit = (byte >> (j % 8)) & 1;
data |= bit << k;
@@ -559,8 +561,7 @@ static int ssd130x_update_rect(struct ssd130x_device *ssd130x,
static void ssd130x_clear_screen(struct ssd130x_device *ssd130x, u8 *data_array)
{
- unsigned int page_height = ssd130x->device_info->page_height;
- unsigned int pages = DIV_ROUND_UP(ssd130x->height, page_height);
+ unsigned int pages = DIV_ROUND_UP(ssd130x->height, SSD130X_PAGE_HEIGHT);
unsigned int width = ssd130x->width;
int ret, i;
@@ -605,14 +606,13 @@ static int ssd130x_fb_blit_rect(struct drm_framebuffer *fb,
u8 *buf, u8 *data_array)
{
struct ssd130x_device *ssd130x = drm_to_ssd130x(fb->dev);
- unsigned int page_height = ssd130x->device_info->page_height;
struct iosys_map dst;
unsigned int dst_pitch;
int ret = 0;
/* Align y to display page boundaries */
- rect->y1 = round_down(rect->y1, page_height);
- rect->y2 = min_t(unsigned int, round_up(rect->y2, page_height), ssd130x->height);
+ rect->y1 = round_down(rect->y1, SSD130X_PAGE_HEIGHT);
+ rect->y2 = min_t(unsigned int, round_up(rect->y2, SSD130X_PAGE_HEIGHT), ssd130x->height);
dst_pitch = DIV_ROUND_UP(drm_rect_width(rect), 8);
@@ -814,8 +814,7 @@ static int ssd130x_crtc_helper_atomic_check(struct drm_crtc *crtc,
struct ssd130x_device *ssd130x = drm_to_ssd130x(drm);
struct drm_crtc_state *crtc_state = drm_atomic_get_new_crtc_state(state, crtc);
struct ssd130x_crtc_state *ssd130x_state = to_ssd130x_crtc_state(crtc_state);
- unsigned int page_height = ssd130x->device_info->page_height;
- unsigned int pages = DIV_ROUND_UP(ssd130x->height, page_height);
+ unsigned int pages = DIV_ROUND_UP(ssd130x->height, SSD130X_PAGE_HEIGHT);
int ret;
ret = drm_crtc_helper_atomic_check(crtc, state);
diff --git a/drivers/gpu/drm/solomon/ssd130x.h b/drivers/gpu/drm/solomon/ssd130x.h
index aa39b13615ebe..bbe374453605b 100644
--- a/drivers/gpu/drm/solomon/ssd130x.h
+++ b/drivers/gpu/drm/solomon/ssd130x.h
@@ -39,7 +39,6 @@ struct ssd130x_deviceinfo {
u32 default_dclk_frq;
u32 default_width;
u32 default_height;
- u32 page_height;
bool need_pwm;
bool need_chargepump;
bool page_mode_only;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 070/481] media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 069/481] eventpoll: Fix integer overflow in ep_loop_check_proc() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 071/481] nfc: pn533: properly drop the usb interface reference on disconnect Greg Kroah-Hartman
` (245 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ab12f0c08dd7ab8d057c,
Jens Axboe, Linus Torvalds
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
commit bfbc0b5b32a8f28ce284add619bf226716a59bc0 upstream.
dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the
DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which
reinitializes the waitqueue list head to empty.
Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the
same DVR device share it), this orphans any existing waitqueue entries
from io_uring poll or epoll, leaving them with stale prev/next pointers
while the list head is reset to {self, self}.
The waitqueue and spinlock in dvr_buffer are already properly
initialized once in dvb_dmxdev_init(). The open path only needs to
reset the buffer data pointer, size, and read/write positions.
Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct
assignment of data/size and a call to dvb_ringbuffer_reset(), which
properly resets pread, pwrite, and error with correct memory ordering
without touching the waitqueue or spinlock.
Cc: stable@vger.kernel.org
Fixes: 34731df288a5f ("V4L/DVB (3501): Dmxdev: use dvb_ringbuffer")
Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
Tested-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/698a26d3.050a0220.3b3015.007d.GAE@google.com/
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/dvb-core/dmxdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -168,7 +168,9 @@ static int dvb_dvr_open(struct inode *in
mutex_unlock(&dmxdev->mutex);
return -ENOMEM;
}
- dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);
+ dmxdev->dvr_buffer.data = mem;
+ dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE;
+ dvb_ringbuffer_reset(&dmxdev->dvr_buffer);
if (dmxdev->may_do_mmap)
dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr",
file->f_flags & O_NONBLOCK);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 057/460] amd-xgbe: fix link status handling in xgbe_rx_adaptation
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 056/460] mctp: route: hold key->lock in mctp_flow_prepare_output() Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 058/460] amd-xgbe: prevent CRC errors during RX adaptation with AN disabled Greg Kroah-Hartman
` (245 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raju Rangoju, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raju Rangoju <Raju.Rangoju@amd.com>
[ Upstream commit 6485cb96be5cd0f4bf39554737ba11322cc9b053 ]
The link status bit is latched low to allow detection of momentary
link drops. If the status indicates that the link is already down,
read it again to obtain the current state.
Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation")
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Link: https://patch.msgid.link/20260306111629.1515676-2-Raju.Rangoju@amd.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
index 6d2c401bb246e..469b28c159e7d 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
@@ -2050,7 +2050,7 @@ static void xgbe_set_rx_adap_mode(struct xgbe_prv_data *pdata,
static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata)
{
struct xgbe_phy_data *phy_data = pdata->phy_data;
- unsigned int reg;
+ int reg;
/* step 2: force PCS to send RX_ADAPT Req to PHY */
XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_RX_EQ_CTRL4,
@@ -2072,11 +2072,20 @@ static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata)
/* Step 4: Check for Block lock */
- /* Link status is latched low, so read once to clear
- * and then read again to get current state
- */
- reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
+ if (reg < 0)
+ goto set_mode;
+
+ /* Link status is latched low so that momentary link drops
+ * can be detected. If link was already down read again
+ * to get the latest state.
+ */
+ if (!pdata->phy.link && !(reg & MDIO_STAT1_LSTATUS)) {
+ reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
+ if (reg < 0)
+ goto set_mode;
+ }
+
if (reg & MDIO_STAT1_LSTATUS) {
/* If the block lock is found, update the helpers
* and declare the link up
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 133/567] drm/solomon: Fix page start when updating rectangle in page addressing mode
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 132/567] drm/ssd130x: Replace .page_height field in device info with a constant Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 134/567] net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in ALE table Greg Kroah-Hartman
` (244 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francesco Lavra,
Javier Martinez Canillas, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Francesco Lavra <flavra@baylibre.com>
[ Upstream commit 36d9579fed6c9429aa172f77bd28c58696ce8e2b ]
In page addressing mode, the pixel values of a dirty rectangle must be sent
to the display controller one page at a time. The range of pages
corresponding to a given rectangle is being incorrectly calculated as if
the Y value of the top left coordinate of the rectangle was 0. This can
result in rectangle updates being displayed on wrong parts of the screen.
Fix the above issue by consolidating the start page calculation in a single
place at the beginning of the update_rect function, and using the
calculated value for all addressing modes.
Fixes: b0daaa5cfaa5 ("drm/ssd130x: Support page addressing mode")
Signed-off-by: Francesco Lavra <flavra@baylibre.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Link: https://patch.msgid.link/20260210180932.736502-1-flavra@baylibre.com
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/solomon/ssd130x.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/solomon/ssd130x.c b/drivers/gpu/drm/solomon/ssd130x.c
index 81c85e67fa070..0d6a2664cfbeb 100644
--- a/drivers/gpu/drm/solomon/ssd130x.c
+++ b/drivers/gpu/drm/solomon/ssd130x.c
@@ -463,6 +463,7 @@ static int ssd130x_update_rect(struct ssd130x_device *ssd130x,
unsigned int height = drm_rect_height(rect);
unsigned int line_length = DIV_ROUND_UP(width, 8);
unsigned int page_height = SSD130X_PAGE_HEIGHT;
+ u8 page_start = ssd130x->page_offset + y / page_height;
unsigned int pages = DIV_ROUND_UP(height, page_height);
struct drm_device *drm = &ssd130x->drm;
u32 array_idx = 0;
@@ -500,14 +501,11 @@ static int ssd130x_update_rect(struct ssd130x_device *ssd130x,
*/
if (!ssd130x->page_address_mode) {
- u8 page_start;
-
/* Set address range for horizontal addressing mode */
ret = ssd130x_set_col_range(ssd130x, ssd130x->col_offset + x, width);
if (ret < 0)
return ret;
- page_start = ssd130x->page_offset + y / page_height;
ret = ssd130x_set_page_range(ssd130x, page_start, pages);
if (ret < 0)
return ret;
@@ -539,7 +537,7 @@ static int ssd130x_update_rect(struct ssd130x_device *ssd130x,
*/
if (ssd130x->page_address_mode) {
ret = ssd130x_set_page_pos(ssd130x,
- ssd130x->page_offset + i,
+ page_start + i,
ssd130x->col_offset + x);
if (ret < 0)
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 071/481] nfc: pn533: properly drop the usb interface reference on disconnect
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 070/481] media: dvb-core: fix wrong reinitialization of ringbuffer on reopen Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 072/481] net: usb: kaweth: validate USB endpoints Greg Kroah-Hartman
` (244 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Simon Horman, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 12133a483dfa832241fbbf09321109a0ea8a520e upstream.
When the device is disconnected from the driver, there is a "dangling"
reference count on the usb interface that was grabbed in the probe
callback. Fix this up by properly dropping the reference after we are
done with it.
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Fixes: c46ee38620a2 ("NFC: pn533: add NXP pn533 nfc device driver")
Link: https://patch.msgid.link/2026022329-flashing-ought-7573@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nfc/pn533/usb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/nfc/pn533/usb.c
+++ b/drivers/nfc/pn533/usb.c
@@ -629,6 +629,7 @@ static void pn533_usb_disconnect(struct
usb_free_urb(phy->out_urb);
usb_free_urb(phy->ack_urb);
kfree(phy->ack_buffer);
+ usb_put_dev(phy->udev);
nfc_info(&interface->dev, "NXP PN533 NFC device disconnected\n");
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 058/460] amd-xgbe: prevent CRC errors during RX adaptation with AN disabled
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 057/460] amd-xgbe: fix link status handling in xgbe_rx_adaptation Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 059/460] xdp: allow attaching already registered memory model to xdp_rxq_info Greg Kroah-Hartman
` (244 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raju Rangoju, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raju Rangoju <Raju.Rangoju@amd.com>
[ Upstream commit 27a4dd0c702b3b2b9cf2c045d100cc2fe8720b81 ]
When operating in 10GBASE-KR mode with auto-negotiation disabled and RX
adaptation enabled, CRC errors can occur during the RX adaptation
process. This happens because the driver continues transmitting and
receiving packets while adaptation is in progress.
Fix this by stopping TX/RX immediately when the link goes down and RX
adaptation needs to be re-triggered, and only re-enabling TX/RX after
adaptation completes and the link is confirmed up. Introduce a flag to
track whether TX/RX was disabled for adaptation so it can be restored
correctly.
This prevents packets from being transmitted or received during the RX
adaptation window and avoids CRC errors from corrupted frames.
The flag tracking the data path state is synchronized with hardware
state in xgbe_start() to prevent stale state after device restarts.
This ensures that after a restart cycle (where xgbe_stop disables
TX/RX and xgbe_start re-enables them), the flag correctly reflects
that the data path is active.
Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation")
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Link: https://patch.msgid.link/20260306111629.1515676-3-Raju.Rangoju@amd.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 4 ++
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 63 ++++++++++++++++++++-
drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++
3 files changed, 69 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
index c6fcddbff3f56..418f4513a0b95 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
@@ -1338,6 +1338,10 @@ static int xgbe_start(struct xgbe_prv_data *pdata)
hw_if->enable_tx(pdata);
hw_if->enable_rx(pdata);
+ /* Synchronize flag with hardware state after enabling TX/RX.
+ * This prevents stale state after device restart cycles.
+ */
+ pdata->data_path_stopped = false;
udp_tunnel_nic_reset_ntf(netdev);
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
index 469b28c159e7d..0a99a21af5815 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
@@ -2125,6 +2125,48 @@ static void xgbe_phy_rx_adaptation(struct xgbe_prv_data *pdata)
xgbe_rx_adaptation(pdata);
}
+/*
+ * xgbe_phy_stop_data_path - Stop TX/RX to prevent packet corruption
+ * @pdata: driver private data
+ *
+ * This function stops the data path (TX and RX) to prevent packet
+ * corruption during critical PHY operations like RX adaptation.
+ * Must be called before initiating RX adaptation when link goes down.
+ */
+static void xgbe_phy_stop_data_path(struct xgbe_prv_data *pdata)
+{
+ if (pdata->data_path_stopped)
+ return;
+
+ /* Stop TX/RX to prevent packet corruption during RX adaptation */
+ pdata->hw_if.disable_tx(pdata);
+ pdata->hw_if.disable_rx(pdata);
+ pdata->data_path_stopped = true;
+
+ netif_dbg(pdata, link, pdata->netdev,
+ "stopping data path for RX adaptation\n");
+}
+
+/*
+ * xgbe_phy_start_data_path - Re-enable TX/RX after RX adaptation
+ * @pdata: driver private data
+ *
+ * This function re-enables the data path (TX and RX) after RX adaptation
+ * has completed successfully. Only called when link is confirmed up.
+ */
+static void xgbe_phy_start_data_path(struct xgbe_prv_data *pdata)
+{
+ if (!pdata->data_path_stopped)
+ return;
+
+ pdata->hw_if.enable_rx(pdata);
+ pdata->hw_if.enable_tx(pdata);
+ pdata->data_path_stopped = false;
+
+ netif_dbg(pdata, link, pdata->netdev,
+ "restarting data path after RX adaptation\n");
+}
+
static void xgbe_phy_rx_reset(struct xgbe_prv_data *pdata)
{
int reg;
@@ -2918,13 +2960,27 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart)
if (pdata->en_rx_adap) {
/* if the link is available and adaptation is done,
* declare link up
+ *
+ * Note: When link is up and adaptation is done, we can
+ * safely re-enable the data path if it was stopped
+ * for adaptation.
*/
- if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done)
+ if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done) {
+ xgbe_phy_start_data_path(pdata);
return 1;
+ }
/* If either link is not available or adaptation is not done,
* retrigger the adaptation logic. (if the mode is not set,
* then issue mailbox command first)
*/
+
+ /* CRITICAL: Stop data path BEFORE triggering RX adaptation
+ * to prevent CRC errors from packets corrupted during
+ * the adaptation process. This is especially important
+ * when AN is OFF in 10G KR mode.
+ */
+ xgbe_phy_stop_data_path(pdata);
+
if (pdata->mode_set) {
xgbe_phy_rx_adaptation(pdata);
} else {
@@ -2932,8 +2988,11 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart)
xgbe_phy_set_mode(pdata, phy_data->cur_mode);
}
- if (pdata->rx_adapt_done)
+ if (pdata->rx_adapt_done) {
+ /* Adaptation complete, safe to re-enable data path */
+ xgbe_phy_start_data_path(pdata);
return 1;
+ }
} else if (reg & MDIO_STAT1_LSTATUS)
return 1;
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h
index c98461252053f..ebe504cb9a117 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
+++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
@@ -1321,6 +1321,10 @@ struct xgbe_prv_data {
bool en_rx_adap;
int rx_adapt_retries;
bool rx_adapt_done;
+ /* Flag to track if data path (TX/RX) was stopped for RX adaptation.
+ * This prevents packet corruption during the adaptation window.
+ */
+ bool data_path_stopped;
bool mode_set;
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 134/567] net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in ALE table
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 133/567] drm/solomon: Fix page start when updating rectangle in page addressing mode Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 135/567] xsk: Get rid of xdp_buff_xsk::xskb_list_node Greg Kroah-Hartman
` (243 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chintan Vankar, Simon Horman,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chintan Vankar <c-vankar@ti.com>
[ Upstream commit be11a537224d72b906db6b98510619770298c8a4 ]
In the current implementation, flushing multicast entries in MAC mode
incorrectly deletes entries for all ports instead of only the target port,
disrupting multicast traffic on other ports. The cause is adding multicast
entries by setting only host port bit, and not setting the MAC port bits.
Fix this by setting the MAC port's bit in the port mask while adding the
multicast entry. Also fix the flush logic to preserve the host port bit
during removal of MAC port and free ALE entries when mask contains only
host port.
Fixes: 5c50a856d550 ("drivers: net: ethernet: cpsw: add multicast address to ALE table")
Signed-off-by: Chintan Vankar <c-vankar@ti.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260224181359.2055322-1-c-vankar@ti.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +-
drivers/net/ethernet/ti/cpsw_ale.c | 9 ++++-----
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
index 28cc23736a69b..93cb4193cf0ac 100644
--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
@@ -261,7 +261,7 @@ static void am65_cpsw_nuss_ndo_slave_set_rx_mode(struct net_device *ndev)
cpsw_ale_set_allmulti(common->ale,
ndev->flags & IFF_ALLMULTI, port->port_id);
- port_mask = ALE_PORT_HOST;
+ port_mask = BIT(port->port_id) | ALE_PORT_HOST;
/* Clear all mcast from ALE */
cpsw_ale_flush_multicast(common->ale, port_mask, -1);
diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c
index 9eccc7064c2b0..bf0b2950272cf 100644
--- a/drivers/net/ethernet/ti/cpsw_ale.c
+++ b/drivers/net/ethernet/ti/cpsw_ale.c
@@ -422,14 +422,13 @@ static void cpsw_ale_flush_mcast(struct cpsw_ale *ale, u32 *ale_entry,
ale->port_mask_bits);
if ((mask & port_mask) == 0)
return; /* ports dont intersect, not interested */
- mask &= ~port_mask;
+ mask &= (~port_mask | ALE_PORT_HOST);
- /* free if only remaining port is host port */
- if (mask)
+ if (mask == 0x0 || mask == ALE_PORT_HOST)
+ cpsw_ale_set_entry_type(ale_entry, ALE_TYPE_FREE);
+ else
cpsw_ale_set_port_mask(ale_entry, mask,
ale->port_mask_bits);
- else
- cpsw_ale_set_entry_type(ale_entry, ALE_TYPE_FREE);
}
int cpsw_ale_flush_multicast(struct cpsw_ale *ale, int port_mask, int vid)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 072/481] net: usb: kaweth: validate USB endpoints
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 071/481] nfc: pn533: properly drop the usb interface reference on disconnect Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 073/481] net: usb: kalmia: " Greg Kroah-Hartman
` (243 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Simon Horman, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4b063c002ca759d1b299988ee23f564c9609c875 upstream.
The kaweth driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it. If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Link: https://patch.msgid.link/2026022305-substance-virtual-c728@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/kaweth.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/drivers/net/usb/kaweth.c
+++ b/drivers/net/usb/kaweth.c
@@ -883,6 +883,13 @@ static int kaweth_probe(
const eth_addr_t bcast_addr = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
int result = 0;
int rv = -EIO;
+ static const u8 bulk_ep_addr[] = {
+ 1 | USB_DIR_IN,
+ 2 | USB_DIR_OUT,
+ 0};
+ static const u8 int_ep_addr[] = {
+ 3 | USB_DIR_IN,
+ 0};
dev_dbg(dev,
"Kawasaki Device Probe (Device number:%d): 0x%4.4x:0x%4.4x:0x%4.4x\n",
@@ -896,6 +903,12 @@ static int kaweth_probe(
(int)udev->descriptor.bLength,
(int)udev->descriptor.bDescriptorType);
+ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) ||
+ !usb_check_int_endpoints(intf, int_ep_addr)) {
+ dev_err(dev, "couldn't find required endpoints\n");
+ return -ENODEV;
+ }
+
netdev = alloc_etherdev(sizeof(*kaweth));
if (!netdev)
return -ENOMEM;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 059/460] xdp: allow attaching already registered memory model to xdp_rxq_info
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 058/460] amd-xgbe: prevent CRC errors during RX adaptation with AN disabled Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 060/460] xdp: register system page pool as an XDP memory model Greg Kroah-Hartman
` (243 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Toke Høiland-Jørgensen,
Alexander Lobakin, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Lobakin <aleksander.lobakin@intel.com>
[ Upstream commit f65966fe0178c06065d354c22fb456fc4370b527 ]
One may need to register memory model separately from xdp_rxq_info. One
simple example may be XDP test run code, but in general, it might be
useful when memory model registering is managed by one layer and then
XDP RxQ info by a different one.
Allow such scenarios by adding a simple helper which "attaches"
already registered memory model to the desired xdp_rxq_info. As this
is mostly needed for Page Pool, add a special function to do that for
a &page_pool pointer.
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Link: https://patch.msgid.link/20241203173733.3181246-5-aleksander.lobakin@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/xdp.h | 32 +++++++++++++++++++++++++++
net/core/xdp.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 88 insertions(+)
diff --git a/include/net/xdp.h b/include/net/xdp.h
index b80953f0affb0..05be2de2fd472 100644
--- a/include/net/xdp.h
+++ b/include/net/xdp.h
@@ -356,6 +356,38 @@ void xdp_rxq_info_unreg_mem_model(struct xdp_rxq_info *xdp_rxq);
int xdp_reg_mem_model(struct xdp_mem_info *mem,
enum xdp_mem_type type, void *allocator);
void xdp_unreg_mem_model(struct xdp_mem_info *mem);
+int xdp_reg_page_pool(struct page_pool *pool);
+void xdp_unreg_page_pool(const struct page_pool *pool);
+void xdp_rxq_info_attach_page_pool(struct xdp_rxq_info *xdp_rxq,
+ const struct page_pool *pool);
+
+/**
+ * xdp_rxq_info_attach_mem_model - attach registered mem info to RxQ info
+ * @xdp_rxq: XDP RxQ info to attach the memory info to
+ * @mem: already registered memory info
+ *
+ * If the driver registers its memory providers manually, it must use this
+ * function instead of xdp_rxq_info_reg_mem_model().
+ */
+static inline void
+xdp_rxq_info_attach_mem_model(struct xdp_rxq_info *xdp_rxq,
+ const struct xdp_mem_info *mem)
+{
+ xdp_rxq->mem = *mem;
+}
+
+/**
+ * xdp_rxq_info_detach_mem_model - detach registered mem info from RxQ info
+ * @xdp_rxq: XDP RxQ info to detach the memory info from
+ *
+ * If the driver registers its memory providers manually and then attaches it
+ * via xdp_rxq_info_attach_mem_model(), it must call this function before
+ * xdp_rxq_info_unreg().
+ */
+static inline void xdp_rxq_info_detach_mem_model(struct xdp_rxq_info *xdp_rxq)
+{
+ xdp_rxq->mem = (struct xdp_mem_info){ };
+}
/* Drivers not supporting XDP metadata can use this helper, which
* rejects any room expansion for metadata as a result.
diff --git a/net/core/xdp.c b/net/core/xdp.c
index 23e7d736718b0..8a3ea90e8cf97 100644
--- a/net/core/xdp.c
+++ b/net/core/xdp.c
@@ -365,6 +365,62 @@ int xdp_rxq_info_reg_mem_model(struct xdp_rxq_info *xdp_rxq,
EXPORT_SYMBOL_GPL(xdp_rxq_info_reg_mem_model);
+/**
+ * xdp_reg_page_pool - register &page_pool as a memory provider for XDP
+ * @pool: &page_pool to register
+ *
+ * Can be used to register pools manually without connecting to any XDP RxQ
+ * info, so that the XDP layer will be aware of them. Then, they can be
+ * attached to an RxQ info manually via xdp_rxq_info_attach_page_pool().
+ *
+ * Return: %0 on success, -errno on error.
+ */
+int xdp_reg_page_pool(struct page_pool *pool)
+{
+ struct xdp_mem_info mem;
+
+ return xdp_reg_mem_model(&mem, MEM_TYPE_PAGE_POOL, pool);
+}
+EXPORT_SYMBOL_GPL(xdp_reg_page_pool);
+
+/**
+ * xdp_unreg_page_pool - unregister &page_pool from the memory providers list
+ * @pool: &page_pool to unregister
+ *
+ * A shorthand for manual unregistering page pools. If the pool was previously
+ * attached to an RxQ info, it must be detached first.
+ */
+void xdp_unreg_page_pool(const struct page_pool *pool)
+{
+ struct xdp_mem_info mem = {
+ .type = MEM_TYPE_PAGE_POOL,
+ .id = pool->xdp_mem_id,
+ };
+
+ xdp_unreg_mem_model(&mem);
+}
+EXPORT_SYMBOL_GPL(xdp_unreg_page_pool);
+
+/**
+ * xdp_rxq_info_attach_page_pool - attach registered pool to RxQ info
+ * @xdp_rxq: XDP RxQ info to attach the pool to
+ * @pool: pool to attach
+ *
+ * If the pool was registered manually, this function must be called instead
+ * of xdp_rxq_info_reg_mem_model() to connect it to the RxQ info.
+ */
+void xdp_rxq_info_attach_page_pool(struct xdp_rxq_info *xdp_rxq,
+ const struct page_pool *pool)
+{
+ struct xdp_mem_info mem = {
+ .type = MEM_TYPE_PAGE_POOL,
+ .id = pool->xdp_mem_id,
+ };
+
+ xdp_rxq_info_attach_mem_model(xdp_rxq, &mem);
+}
+EXPORT_SYMBOL_GPL(xdp_rxq_info_attach_page_pool);
+
/* XDP RX runs under NAPI protection, and in different delivery error
* scenarios (e.g. queue full), it is possible to return the xdp_frame
* while still leveraging this protection. The @napi_direct boolean
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 135/567] xsk: Get rid of xdp_buff_xsk::xskb_list_node
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 134/567] net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in ALE table Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 136/567] xsk: s/free_list_node/list_node/ Greg Kroah-Hartman
` (242 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej Fijalkowski, Daniel Borkmann,
Magnus Karlsson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
[ Upstream commit b692bf9a7543af7ad11a59d182a3757578f0ba53 ]
Let's bring xdp_buff_xsk back to occupying 2 cachelines by removing
xskb_list_node - for the purpose of gathering the xskb frags
free_list_node can be used, head of the list (xsk_buff_pool::xskb_list)
stays as-is, just reuse the node ptr.
It is safe to do as a single xdp_buff_xsk can never reside in two
pool's lists simultaneously.
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
Link: https://lore.kernel.org/bpf/20241007122458.282590-2-maciej.fijalkowski@intel.com
Stable-dep-of: f7387d6579d6 ("xsk: Fix zero-copy AF_XDP fragment drop")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/xdp_sock_drv.h | 14 +++++++-------
include/net/xsk_buff_pool.h | 1 -
net/xdp/xsk.c | 4 ++--
net/xdp/xsk_buff_pool.c | 1 -
4 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/include/net/xdp_sock_drv.h b/include/net/xdp_sock_drv.h
index 5425f7ad5ebde..39b43eb2b799d 100644
--- a/include/net/xdp_sock_drv.h
+++ b/include/net/xdp_sock_drv.h
@@ -114,8 +114,8 @@ static inline void xsk_buff_free(struct xdp_buff *xdp)
if (likely(!xdp_buff_has_frags(xdp)))
goto out;
- list_for_each_entry_safe(pos, tmp, xskb_list, xskb_list_node) {
- list_del(&pos->xskb_list_node);
+ list_for_each_entry_safe(pos, tmp, xskb_list, free_list_node) {
+ list_del(&pos->free_list_node);
xp_free(pos);
}
@@ -128,7 +128,7 @@ static inline void xsk_buff_add_frag(struct xdp_buff *xdp)
{
struct xdp_buff_xsk *frag = container_of(xdp, struct xdp_buff_xsk, xdp);
- list_add_tail(&frag->xskb_list_node, &frag->pool->xskb_list);
+ list_add_tail(&frag->free_list_node, &frag->pool->xskb_list);
}
static inline struct xdp_buff *xsk_buff_get_frag(struct xdp_buff *first)
@@ -138,9 +138,9 @@ static inline struct xdp_buff *xsk_buff_get_frag(struct xdp_buff *first)
struct xdp_buff_xsk *frag;
frag = list_first_entry_or_null(&xskb->pool->xskb_list,
- struct xdp_buff_xsk, xskb_list_node);
+ struct xdp_buff_xsk, free_list_node);
if (frag) {
- list_del(&frag->xskb_list_node);
+ list_del(&frag->free_list_node);
ret = &frag->xdp;
}
@@ -151,7 +151,7 @@ static inline void xsk_buff_del_tail(struct xdp_buff *tail)
{
struct xdp_buff_xsk *xskb = container_of(tail, struct xdp_buff_xsk, xdp);
- list_del(&xskb->xskb_list_node);
+ list_del(&xskb->free_list_node);
}
static inline struct xdp_buff *xsk_buff_get_tail(struct xdp_buff *first)
@@ -160,7 +160,7 @@ static inline struct xdp_buff *xsk_buff_get_tail(struct xdp_buff *first)
struct xdp_buff_xsk *frag;
frag = list_last_entry(&xskb->pool->xskb_list, struct xdp_buff_xsk,
- xskb_list_node);
+ free_list_node);
return &frag->xdp;
}
diff --git a/include/net/xsk_buff_pool.h b/include/net/xsk_buff_pool.h
index f0d6ce4bda7a2..d6cba1d4076ea 100644
--- a/include/net/xsk_buff_pool.h
+++ b/include/net/xsk_buff_pool.h
@@ -29,7 +29,6 @@ struct xdp_buff_xsk {
struct xsk_buff_pool *pool;
u64 orig_addr;
struct list_head free_list_node;
- struct list_head xskb_list_node;
};
#define XSK_CHECK_PRIV_TYPE(t) BUILD_BUG_ON(sizeof(t) > offsetofend(struct xdp_buff_xsk, cb))
diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index 569d39f19c569..bb8f52c345868 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -172,14 +172,14 @@ static int xsk_rcv_zc(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len)
return 0;
xskb_list = &xskb->pool->xskb_list;
- list_for_each_entry_safe(pos, tmp, xskb_list, xskb_list_node) {
+ list_for_each_entry_safe(pos, tmp, xskb_list, free_list_node) {
if (list_is_singular(xskb_list))
contd = 0;
len = pos->xdp.data_end - pos->xdp.data;
err = __xsk_rcv_zc(xs, pos, len, contd);
if (err)
goto err;
- list_del(&pos->xskb_list_node);
+ list_del(&pos->free_list_node);
}
return 0;
diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
index 380b0b3f3d8d0..8bc7cdf4719c8 100644
--- a/net/xdp/xsk_buff_pool.c
+++ b/net/xdp/xsk_buff_pool.c
@@ -101,7 +101,6 @@ struct xsk_buff_pool *xp_create_and_assign_umem(struct xdp_sock *xs,
xskb->pool = pool;
xskb->xdp.frame_sz = umem->chunk_size - umem->headroom;
INIT_LIST_HEAD(&xskb->free_list_node);
- INIT_LIST_HEAD(&xskb->xskb_list_node);
if (pool->unaligned)
pool->free_heads[i] = xskb;
else
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 073/481] net: usb: kalmia: validate USB endpoints
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 072/481] net: usb: kaweth: validate USB endpoints Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 074/481] net: usb: pegasus: " Greg Kroah-Hartman
` (242 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Simon Horman, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c58b6c29a4c9b8125e8ad3bca0637e00b71e2693 upstream.
The kalmia driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it. If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730")
Link: https://patch.msgid.link/2026022326-shack-headstone-ef6f@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/kalmia.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/net/usb/kalmia.c
+++ b/drivers/net/usb/kalmia.c
@@ -132,11 +132,18 @@ kalmia_bind(struct usbnet *dev, struct u
{
int status;
u8 ethernet_addr[ETH_ALEN];
+ static const u8 ep_addr[] = {
+ 1 | USB_DIR_IN,
+ 2 | USB_DIR_OUT,
+ 0};
/* Don't bind to AT command interface */
if (intf->cur_altsetting->desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC)
return -EINVAL;
+ if (!usb_check_bulk_endpoints(intf, ep_addr))
+ return -ENODEV;
+
dev->in = usb_rcvbulkpipe(dev->udev, 0x81 & USB_ENDPOINT_NUMBER_MASK);
dev->out = usb_sndbulkpipe(dev->udev, 0x02 & USB_ENDPOINT_NUMBER_MASK);
dev->status = NULL;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 060/460] xdp: register system page pool as an XDP memory model
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 059/460] xdp: allow attaching already registered memory model to xdp_rxq_info Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 061/460] net: add xmit recursion limit to tunnel xmit functions Greg Kroah-Hartman
` (242 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Toke Høiland-Jørgensen,
Alexander Lobakin, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Toke Høiland-Jørgensen <toke@redhat.com>
[ Upstream commit e77d9aee951341119be16a991fcfc76d1154d22a ]
To make the system page pool usable as a source for allocating XDP
frames, we need to register it with xdp_reg_mem_model(), so that page
return works correctly. This is done in preparation for using the system
page_pool to convert XDP_PASS XSk frames to skbs; for the same reason,
make the per-cpu variable non-static so we can access it from other
source files as well (but w/o exporting).
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Link: https://patch.msgid.link/20241203173733.3181246-7-aleksander.lobakin@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/netdevice.h | 1 +
net/core/dev.c | 10 +++++++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 3699c43731ccf..d5215f23f2b99 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -3256,6 +3256,7 @@ struct softnet_data {
};
DECLARE_PER_CPU_ALIGNED(struct softnet_data, softnet_data);
+DECLARE_PER_CPU(struct page_pool *, system_page_pool);
#ifndef CONFIG_PREEMPT_RT
static inline int dev_recursion_level(void)
diff --git a/net/core/dev.c b/net/core/dev.c
index a855cee5e5aeb..336257b515f04 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -460,7 +460,7 @@ EXPORT_PER_CPU_SYMBOL(softnet_data);
* PP consumers must pay attention to run APIs in the appropriate context
* (e.g. NAPI context).
*/
-static DEFINE_PER_CPU(struct page_pool *, system_page_pool);
+DEFINE_PER_CPU(struct page_pool *, system_page_pool);
#ifdef CONFIG_LOCKDEP
/*
@@ -12225,11 +12225,18 @@ static int net_page_pool_create(int cpuid)
.nid = cpu_to_mem(cpuid),
};
struct page_pool *pp_ptr;
+ int err;
pp_ptr = page_pool_create_percpu(&page_pool_params, cpuid);
if (IS_ERR(pp_ptr))
return -ENOMEM;
+ err = xdp_reg_page_pool(pp_ptr);
+ if (err) {
+ page_pool_destroy(pp_ptr);
+ return err;
+ }
+
per_cpu(system_page_pool, cpuid) = pp_ptr;
#endif
return 0;
@@ -12363,6 +12370,7 @@ static int __init net_dev_init(void)
if (!pp_ptr)
continue;
+ xdp_unreg_page_pool(pp_ptr);
page_pool_destroy(pp_ptr);
per_cpu(system_page_pool, i) = NULL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 136/567] xsk: s/free_list_node/list_node/
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 135/567] xsk: Get rid of xdp_buff_xsk::xskb_list_node Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 137/567] xsk: Fix fragment node deletion to prevent buffer leak Greg Kroah-Hartman
` (241 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej Fijalkowski, Daniel Borkmann,
Magnus Karlsson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
[ Upstream commit 30ec2c1baaead43903ad63ff8e3083949059083c ]
Now that free_list_node's purpose is two-folded, make it just a
'list_node'.
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
Link: https://lore.kernel.org/bpf/20241007122458.282590-3-maciej.fijalkowski@intel.com
Stable-dep-of: f7387d6579d6 ("xsk: Fix zero-copy AF_XDP fragment drop")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/xdp_sock_drv.h | 14 +++++++-------
include/net/xsk_buff_pool.h | 2 +-
net/xdp/xsk.c | 4 ++--
net/xdp/xsk_buff_pool.c | 14 +++++++-------
4 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/include/net/xdp_sock_drv.h b/include/net/xdp_sock_drv.h
index 39b43eb2b799d..7be51bdd9c63a 100644
--- a/include/net/xdp_sock_drv.h
+++ b/include/net/xdp_sock_drv.h
@@ -114,8 +114,8 @@ static inline void xsk_buff_free(struct xdp_buff *xdp)
if (likely(!xdp_buff_has_frags(xdp)))
goto out;
- list_for_each_entry_safe(pos, tmp, xskb_list, free_list_node) {
- list_del(&pos->free_list_node);
+ list_for_each_entry_safe(pos, tmp, xskb_list, list_node) {
+ list_del(&pos->list_node);
xp_free(pos);
}
@@ -128,7 +128,7 @@ static inline void xsk_buff_add_frag(struct xdp_buff *xdp)
{
struct xdp_buff_xsk *frag = container_of(xdp, struct xdp_buff_xsk, xdp);
- list_add_tail(&frag->free_list_node, &frag->pool->xskb_list);
+ list_add_tail(&frag->list_node, &frag->pool->xskb_list);
}
static inline struct xdp_buff *xsk_buff_get_frag(struct xdp_buff *first)
@@ -138,9 +138,9 @@ static inline struct xdp_buff *xsk_buff_get_frag(struct xdp_buff *first)
struct xdp_buff_xsk *frag;
frag = list_first_entry_or_null(&xskb->pool->xskb_list,
- struct xdp_buff_xsk, free_list_node);
+ struct xdp_buff_xsk, list_node);
if (frag) {
- list_del(&frag->free_list_node);
+ list_del(&frag->list_node);
ret = &frag->xdp;
}
@@ -151,7 +151,7 @@ static inline void xsk_buff_del_tail(struct xdp_buff *tail)
{
struct xdp_buff_xsk *xskb = container_of(tail, struct xdp_buff_xsk, xdp);
- list_del(&xskb->free_list_node);
+ list_del(&xskb->list_node);
}
static inline struct xdp_buff *xsk_buff_get_tail(struct xdp_buff *first)
@@ -160,7 +160,7 @@ static inline struct xdp_buff *xsk_buff_get_tail(struct xdp_buff *first)
struct xdp_buff_xsk *frag;
frag = list_last_entry(&xskb->pool->xskb_list, struct xdp_buff_xsk,
- free_list_node);
+ list_node);
return &frag->xdp;
}
diff --git a/include/net/xsk_buff_pool.h b/include/net/xsk_buff_pool.h
index d6cba1d4076ea..97392fd7712c6 100644
--- a/include/net/xsk_buff_pool.h
+++ b/include/net/xsk_buff_pool.h
@@ -28,7 +28,7 @@ struct xdp_buff_xsk {
dma_addr_t frame_dma;
struct xsk_buff_pool *pool;
u64 orig_addr;
- struct list_head free_list_node;
+ struct list_head list_node;
};
#define XSK_CHECK_PRIV_TYPE(t) BUILD_BUG_ON(sizeof(t) > offsetofend(struct xdp_buff_xsk, cb))
diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index bb8f52c345868..8ccc2f2a99d97 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -172,14 +172,14 @@ static int xsk_rcv_zc(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len)
return 0;
xskb_list = &xskb->pool->xskb_list;
- list_for_each_entry_safe(pos, tmp, xskb_list, free_list_node) {
+ list_for_each_entry_safe(pos, tmp, xskb_list, list_node) {
if (list_is_singular(xskb_list))
contd = 0;
len = pos->xdp.data_end - pos->xdp.data;
err = __xsk_rcv_zc(xs, pos, len, contd);
if (err)
goto err;
- list_del(&pos->free_list_node);
+ list_del(&pos->list_node);
}
return 0;
diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
index 8bc7cdf4719c8..6789d99fd99e0 100644
--- a/net/xdp/xsk_buff_pool.c
+++ b/net/xdp/xsk_buff_pool.c
@@ -100,7 +100,7 @@ struct xsk_buff_pool *xp_create_and_assign_umem(struct xdp_sock *xs,
xskb = &pool->heads[i];
xskb->pool = pool;
xskb->xdp.frame_sz = umem->chunk_size - umem->headroom;
- INIT_LIST_HEAD(&xskb->free_list_node);
+ INIT_LIST_HEAD(&xskb->list_node);
if (pool->unaligned)
pool->free_heads[i] = xskb;
else
@@ -534,8 +534,8 @@ struct xdp_buff *xp_alloc(struct xsk_buff_pool *pool)
} else {
pool->free_list_cnt--;
xskb = list_first_entry(&pool->free_list, struct xdp_buff_xsk,
- free_list_node);
- list_del_init(&xskb->free_list_node);
+ list_node);
+ list_del_init(&xskb->list_node);
}
xskb->xdp.data = xskb->xdp.data_hard_start + XDP_PACKET_HEADROOM;
@@ -603,8 +603,8 @@ static u32 xp_alloc_reused(struct xsk_buff_pool *pool, struct xdp_buff **xdp, u3
i = nb_entries;
while (i--) {
- xskb = list_first_entry(&pool->free_list, struct xdp_buff_xsk, free_list_node);
- list_del_init(&xskb->free_list_node);
+ xskb = list_first_entry(&pool->free_list, struct xdp_buff_xsk, list_node);
+ list_del_init(&xskb->list_node);
*xdp = &xskb->xdp;
xdp++;
@@ -655,11 +655,11 @@ EXPORT_SYMBOL(xp_can_alloc);
void xp_free(struct xdp_buff_xsk *xskb)
{
- if (!list_empty(&xskb->free_list_node))
+ if (!list_empty(&xskb->list_node))
return;
xskb->pool->free_list_cnt++;
- list_add(&xskb->free_list_node, &xskb->pool->free_list);
+ list_add(&xskb->list_node, &xskb->pool->free_list);
}
EXPORT_SYMBOL(xp_free);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 074/481] net: usb: pegasus: validate USB endpoints
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 073/481] net: usb: kalmia: " Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 075/481] can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message Greg Kroah-Hartman
` (241 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Petko Manolov, stable,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 11de1d3ae5565ed22ef1f89d73d8f2d00322c699 upstream.
The pegasus driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it. If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.
Cc: Petko Manolov <petkan@nucleusys.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026022347-legibly-attest-cc5c@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/pegasus.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
--- a/drivers/net/usb/pegasus.c
+++ b/drivers/net/usb/pegasus.c
@@ -815,8 +815,19 @@ static void unlink_all_urbs(pegasus_t *p
static int alloc_urbs(pegasus_t *pegasus)
{
+ static const u8 bulk_ep_addr[] = {
+ 1 | USB_DIR_IN,
+ 2 | USB_DIR_OUT,
+ 0};
+ static const u8 int_ep_addr[] = {
+ 3 | USB_DIR_IN,
+ 0};
int res = -ENOMEM;
+ if (!usb_check_bulk_endpoints(pegasus->intf, bulk_ep_addr) ||
+ !usb_check_int_endpoints(pegasus->intf, int_ep_addr))
+ return -ENODEV;
+
pegasus->rx_urb = usb_alloc_urb(0, GFP_KERNEL);
if (!pegasus->rx_urb) {
return res;
@@ -1171,6 +1182,7 @@ static int pegasus_probe(struct usb_inte
pegasus = netdev_priv(net);
pegasus->dev_index = dev_index;
+ pegasus->intf = intf;
res = alloc_urbs(pegasus);
if (res < 0) {
@@ -1182,7 +1194,6 @@ static int pegasus_probe(struct usb_inte
INIT_DELAYED_WORK(&pegasus->carrier_check, check_carrier);
- pegasus->intf = intf;
pegasus->usb = dev;
pegasus->net = net;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 061/460] net: add xmit recursion limit to tunnel xmit functions
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 060/460] xdp: register system page pool as an XDP memory model Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 062/460] netfilter: nf_tables: always walk all pending catchall elements Greg Kroah-Hartman
` (241 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 6f1a9140ecda3baba3d945b9a6155af4268aafc4 ]
Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own
recursion limit. When a bond device in broadcast mode has GRE tap
interfaces as slaves, and those GRE tunnels route back through the
bond, multicast/broadcast traffic triggers infinite recursion between
bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing
kernel stack overflow.
The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not
sufficient because tunnel recursion involves route lookups and full IP
output, consuming much more stack per level. Use a lower limit of 4
(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.
Add recursion detection using dev_xmit_recursion helpers directly in
iptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel
paths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).
Move dev_xmit_recursion helpers from net/core/dev.h to public header
include/linux/netdevice.h so they can be used by tunnel code.
BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160
Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11
Workqueue: mld mld_ifc_work
Call Trace:
<TASK>
__build_flow_key.constprop.0 (net/ipv4/route.c:515)
ip_rt_update_pmtu (net/ipv4/route.c:1073)
iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)
ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
gre_tap_xmit (net/ipv4/ip_gre.c:779)
dev_hard_start_xmit (net/core/dev.c:3887)
sch_direct_xmit (net/sched/sch_generic.c:347)
__dev_queue_xmit (net/core/dev.c:4802)
bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)
bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)
bond_start_xmit (drivers/net/bonding/bond_main.c:5530)
dev_hard_start_xmit (net/core/dev.c:3887)
__dev_queue_xmit (net/core/dev.c:4841)
ip_finish_output2 (net/ipv4/ip_output.c:237)
ip_output (net/ipv4/ip_output.c:438)
iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)
gre_tap_xmit (net/ipv4/ip_gre.c:779)
dev_hard_start_xmit (net/core/dev.c:3887)
sch_direct_xmit (net/sched/sch_generic.c:347)
__dev_queue_xmit (net/core/dev.c:4802)
bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)
bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)
bond_start_xmit (drivers/net/bonding/bond_main.c:5530)
dev_hard_start_xmit (net/core/dev.c:3887)
__dev_queue_xmit (net/core/dev.c:4841)
ip_finish_output2 (net/ipv4/ip_output.c:237)
ip_output (net/ipv4/ip_output.c:438)
iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)
ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
gre_tap_xmit (net/ipv4/ip_gre.c:779)
dev_hard_start_xmit (net/core/dev.c:3887)
sch_direct_xmit (net/sched/sch_generic.c:347)
__dev_queue_xmit (net/core/dev.c:4802)
bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)
bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)
bond_start_xmit (drivers/net/bonding/bond_main.c:5530)
dev_hard_start_xmit (net/core/dev.c:3887)
__dev_queue_xmit (net/core/dev.c:4841)
mld_sendpack
mld_ifc_work
process_one_work
worker_thread
</TASK>
Fixes: 745e20f1b626 ("net: add a recursion limit in xmit path")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Link: https://patch.msgid.link/20260306160133.3852900-2-bestswngs@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/netdevice.h | 32 ++++++++++++++++++++++++++++++++
include/net/ip6_tunnel.h | 12 ++++++++++++
include/net/ip_tunnels.h | 7 +++++++
net/core/dev.h | 35 -----------------------------------
net/ipv4/ip_tunnel_core.c | 13 +++++++++++++
5 files changed, 64 insertions(+), 35 deletions(-)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index d5215f23f2b99..12edeeb172c4e 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -3258,17 +3258,49 @@ struct softnet_data {
DECLARE_PER_CPU_ALIGNED(struct softnet_data, softnet_data);
DECLARE_PER_CPU(struct page_pool *, system_page_pool);
+#define XMIT_RECURSION_LIMIT 8
+
#ifndef CONFIG_PREEMPT_RT
static inline int dev_recursion_level(void)
{
return this_cpu_read(softnet_data.xmit.recursion);
}
+
+static inline bool dev_xmit_recursion(void)
+{
+ return unlikely(__this_cpu_read(softnet_data.xmit.recursion) >
+ XMIT_RECURSION_LIMIT);
+}
+
+static inline void dev_xmit_recursion_inc(void)
+{
+ __this_cpu_inc(softnet_data.xmit.recursion);
+}
+
+static inline void dev_xmit_recursion_dec(void)
+{
+ __this_cpu_dec(softnet_data.xmit.recursion);
+}
#else
static inline int dev_recursion_level(void)
{
return current->net_xmit.recursion;
}
+static inline bool dev_xmit_recursion(void)
+{
+ return unlikely(current->net_xmit.recursion > XMIT_RECURSION_LIMIT);
+}
+
+static inline void dev_xmit_recursion_inc(void)
+{
+ current->net_xmit.recursion++;
+}
+
+static inline void dev_xmit_recursion_dec(void)
+{
+ current->net_xmit.recursion--;
+}
#endif
void __netif_schedule(struct Qdisc *q);
diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h
index 399592405c72a..dfdb4dba5be8f 100644
--- a/include/net/ip6_tunnel.h
+++ b/include/net/ip6_tunnel.h
@@ -156,6 +156,16 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb,
{
int pkt_len, err;
+ if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
+ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
+ dev->name);
+ DEV_STATS_INC(dev, tx_errors);
+ kfree_skb(skb);
+ return;
+ }
+
+ dev_xmit_recursion_inc();
+
memset(skb->cb, 0, sizeof(struct inet6_skb_parm));
pkt_len = skb->len - skb_inner_network_offset(skb);
err = ip6_local_out(dev_net(skb_dst(skb)->dev), sk, skb);
@@ -165,6 +175,8 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb,
pkt_len = -1;
iptunnel_xmit_stats(dev, pkt_len);
}
+
+ dev_xmit_recursion_dec();
}
#endif
#endif
diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
index 1f92cc7fdbd21..0a5556ef16729 100644
--- a/include/net/ip_tunnels.h
+++ b/include/net/ip_tunnels.h
@@ -24,6 +24,13 @@
#include <net/ip6_route.h>
#endif
+/* Recursion limit for tunnel xmit to detect routing loops.
+ * Unlike XMIT_RECURSION_LIMIT (8) used in the no-qdisc path, tunnel
+ * recursion involves route lookups and full IP output, consuming much
+ * more stack per level, so a lower limit is needed.
+ */
+#define IP_TUNNEL_RECURSION_LIMIT 4
+
/* Keep error state on tunnel for 30 sec */
#define IPTUNNEL_ERR_TIMEO (30*HZ)
diff --git a/net/core/dev.h b/net/core/dev.h
index 764e0097ccf22..e0603dcb6aa12 100644
--- a/net/core/dev.h
+++ b/net/core/dev.h
@@ -162,41 +162,6 @@ static inline void napi_assert_will_not_race(const struct napi_struct *napi)
void kick_defer_list_purge(struct softnet_data *sd, unsigned int cpu);
-#define XMIT_RECURSION_LIMIT 8
-
-#ifndef CONFIG_PREEMPT_RT
-static inline bool dev_xmit_recursion(void)
-{
- return unlikely(__this_cpu_read(softnet_data.xmit.recursion) >
- XMIT_RECURSION_LIMIT);
-}
-
-static inline void dev_xmit_recursion_inc(void)
-{
- __this_cpu_inc(softnet_data.xmit.recursion);
-}
-
-static inline void dev_xmit_recursion_dec(void)
-{
- __this_cpu_dec(softnet_data.xmit.recursion);
-}
-#else
-static inline bool dev_xmit_recursion(void)
-{
- return unlikely(current->net_xmit.recursion > XMIT_RECURSION_LIMIT);
-}
-
-static inline void dev_xmit_recursion_inc(void)
-{
- current->net_xmit.recursion++;
-}
-
-static inline void dev_xmit_recursion_dec(void)
-{
- current->net_xmit.recursion--;
-}
-#endif
-
int dev_set_hwtstamp_phylib(struct net_device *dev,
struct kernel_hwtstamp_config *cfg,
struct netlink_ext_ack *extack);
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index 8392d304a72eb..53d02602c17a3 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -57,6 +57,17 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
struct iphdr *iph;
int err;
+ if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
+ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
+ dev->name);
+ DEV_STATS_INC(dev, tx_errors);
+ ip_rt_put(rt);
+ kfree_skb(skb);
+ return;
+ }
+
+ dev_xmit_recursion_inc();
+
skb_scrub_packet(skb, xnet);
skb_clear_hash_if_not_l4(skb);
@@ -86,6 +97,8 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
pkt_len = 0;
iptunnel_xmit_stats(dev, pkt_len);
}
+
+ dev_xmit_recursion_dec();
}
EXPORT_SYMBOL_GPL(iptunnel_xmit);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 137/567] xsk: Fix fragment node deletion to prevent buffer leak
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 136/567] xsk: s/free_list_node/list_node/ Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 138/567] xsk: Fix zero-copy AF_XDP fragment drop Greg Kroah-Hartman
` (240 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej Fijalkowski, Nikhil P. Rao,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikhil P. Rao <nikhil.rao@amd.com>
[ Upstream commit 60abb0ac11dccd6b98fd9182bc5f85b621688861 ]
After commit b692bf9a7543 ("xsk: Get rid of xdp_buff_xsk::xskb_list_node"),
the list_node field is reused for both the xskb pool list and the buffer
free list, this causes a buffer leak as described below.
xp_free() checks if a buffer is already on the free list using
list_empty(&xskb->list_node). When list_del() is used to remove a node
from the xskb pool list, it doesn't reinitialize the node pointers.
This means list_empty() will return false even after the node has been
removed, causing xp_free() to incorrectly skip adding the buffer to the
free list.
Fix this by using list_del_init() instead of list_del() in all fragment
handling paths, this ensures the list node is reinitialized after removal,
allowing the list_empty() to work correctly.
Fixes: b692bf9a7543 ("xsk: Get rid of xdp_buff_xsk::xskb_list_node")
Acked-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Signed-off-by: Nikhil P. Rao <nikhil.rao@amd.com>
Link: https://patch.msgid.link/20260225000456.107806-2-nikhil.rao@amd.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: f7387d6579d6 ("xsk: Fix zero-copy AF_XDP fragment drop")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/xdp_sock_drv.h | 6 +++---
net/xdp/xsk.c | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/net/xdp_sock_drv.h b/include/net/xdp_sock_drv.h
index 7be51bdd9c63a..91339ffd2f2a8 100644
--- a/include/net/xdp_sock_drv.h
+++ b/include/net/xdp_sock_drv.h
@@ -115,7 +115,7 @@ static inline void xsk_buff_free(struct xdp_buff *xdp)
goto out;
list_for_each_entry_safe(pos, tmp, xskb_list, list_node) {
- list_del(&pos->list_node);
+ list_del_init(&pos->list_node);
xp_free(pos);
}
@@ -140,7 +140,7 @@ static inline struct xdp_buff *xsk_buff_get_frag(struct xdp_buff *first)
frag = list_first_entry_or_null(&xskb->pool->xskb_list,
struct xdp_buff_xsk, list_node);
if (frag) {
- list_del(&frag->list_node);
+ list_del_init(&frag->list_node);
ret = &frag->xdp;
}
@@ -151,7 +151,7 @@ static inline void xsk_buff_del_tail(struct xdp_buff *tail)
{
struct xdp_buff_xsk *xskb = container_of(tail, struct xdp_buff_xsk, xdp);
- list_del(&xskb->list_node);
+ list_del_init(&xskb->list_node);
}
static inline struct xdp_buff *xsk_buff_get_tail(struct xdp_buff *first)
diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index 8ccc2f2a99d97..8f3971a94d967 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -179,7 +179,7 @@ static int xsk_rcv_zc(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len)
err = __xsk_rcv_zc(xs, pos, len, contd);
if (err)
goto err;
- list_del(&pos->list_node);
+ list_del_init(&pos->list_node);
}
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 075/481] can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 074/481] net: usb: pegasus: " Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 076/481] can: ucan: Fix infinite loop from zero-length messages Greg Kroah-Hartman
` (240 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vincent Mailhol, Marc Kleine-Budde,
stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 38a01c9700b0dcafe97dfa9dc7531bf4a245deff upstream.
When looking at the data in a USB urb, the actual_length is the size of
the buffer passed to the driver, not the transfer_buffer_length which is
set by the driver as the max size of the buffer.
When parsing the messages in ems_usb_read_bulk_callback() properly check
the size both at the beginning of parsing the message to make sure it is
big enough for the expected structure, and at the end of the message to
make sure we don't overflow past the end of the buffer for the next
message.
Cc: Vincent Mailhol <mailhol@kernel.org>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026022316-answering-strainer-a5db@gregkh
Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/ems_usb.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -445,6 +445,11 @@ static void ems_usb_read_bulk_callback(s
start = CPC_HEADER_SIZE;
while (msg_count) {
+ if (start + CPC_MSG_HEADER_LEN > urb->actual_length) {
+ netdev_err(netdev, "format error\n");
+ break;
+ }
+
msg = (struct ems_cpc_msg *)&ibuf[start];
switch (msg->type) {
@@ -474,7 +479,7 @@ static void ems_usb_read_bulk_callback(s
start += CPC_MSG_HEADER_LEN + msg->length;
msg_count--;
- if (start > urb->transfer_buffer_length) {
+ if (start > urb->actual_length) {
netdev_err(netdev, "format error\n");
break;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 062/460] netfilter: nf_tables: always walk all pending catchall elements
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 061/460] net: add xmit recursion limit to tunnel xmit functions Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 063/460] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() Greg Kroah-Hartman
` (240 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yiming Qian, Florian Westphal,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9 ]
During transaction processing we might have more than one catchall element:
1 live catchall element and 1 pending element that is coming as part of the
new batch.
If the map holding the catchall elements is also going away, its
required to toggle all catchall elements and not just the first viable
candidate.
Otherwise, we get:
WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404
RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]
[..]
__nft_set_elem_destroy+0x106/0x380 [nf_tables]
nf_tables_abort_release+0x348/0x8d0 [nf_tables]
nf_tables_abort+0xcf2/0x3ac0 [nf_tables]
nfnetlink_rcv_batch+0x9c9/0x20e0 [..]
Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index c1b9b00907bbb..268d00ffee0cb 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -700,7 +700,6 @@ static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
nft_set_elem_change_active(ctx->net, set, ext);
nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
- break;
}
}
@@ -5706,7 +5705,6 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx,
nft_clear(ctx->net, ext);
nft_setelem_data_activate(ctx->net, set, catchall->elem);
- break;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 138/567] xsk: Fix zero-copy AF_XDP fragment drop
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 137/567] xsk: Fix fragment node deletion to prevent buffer leak Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 139/567] dpaa2-switch: do not clear any interrupts automatically Greg Kroah-Hartman
` (239 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikhil P. Rao, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikhil P. Rao <nikhil.rao@amd.com>
[ Upstream commit f7387d6579d65efd490a864254101cb665f2e7a7 ]
AF_XDP should ensure that only a complete packet is sent to application.
In the zero-copy case, if the Rx queue gets full as fragments are being
enqueued, the remaining fragments are dropped.
For the multi-buffer case, add a check to ensure that the Rx queue has
enough space for all fragments of a packet before starting to enqueue
them.
Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX")
Signed-off-by: Nikhil P. Rao <nikhil.rao@amd.com>
Link: https://patch.msgid.link/20260225000456.107806-3-nikhil.rao@amd.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xdp/xsk.c | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index 8f3971a94d967..9e1ac917f9708 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -160,25 +160,31 @@ static int xsk_rcv_zc(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len)
struct xdp_buff_xsk *pos, *tmp;
struct list_head *xskb_list;
u32 contd = 0;
+ u32 num_desc;
int err;
- if (frags)
- contd = XDP_PKT_CONTD;
+ if (likely(!frags)) {
+ err = __xsk_rcv_zc(xs, xskb, len, contd);
+ if (err)
+ goto err;
+ return 0;
+ }
- err = __xsk_rcv_zc(xs, xskb, len, contd);
- if (err)
+ contd = XDP_PKT_CONTD;
+ num_desc = xdp_get_shared_info_from_buff(xdp)->nr_frags + 1;
+ if (xskq_prod_nb_free(xs->rx, num_desc) < num_desc) {
+ xs->rx_queue_full++;
+ err = -ENOBUFS;
goto err;
- if (likely(!frags))
- return 0;
+ }
+ __xsk_rcv_zc(xs, xskb, len, contd);
xskb_list = &xskb->pool->xskb_list;
list_for_each_entry_safe(pos, tmp, xskb_list, list_node) {
if (list_is_singular(xskb_list))
contd = 0;
len = pos->xdp.data_end - pos->xdp.data;
- err = __xsk_rcv_zc(xs, pos, len, contd);
- if (err)
- goto err;
+ __xsk_rcv_zc(xs, pos, len, contd);
list_del_init(&pos->list_node);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 076/481] can: ucan: Fix infinite loop from zero-length messages
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 075/481] can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 077/481] can: usb: etas_es58x: correctly anchor the urb in the read bulk callback Greg Kroah-Hartman
` (239 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde, Vincent Mailhol,
stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1e446fd0582ad8be9f6dafb115fc2e7245f9bea7 upstream.
If a broken ucan device gets a message with the message length field set
to 0, then the driver will loop for forever in
ucan_read_bulk_callback(), hanging the system. If the length is 0, just
skip the message and go on to the next one.
This has been fixed in the kvaser_usb driver in the past in commit
0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in
command parsers"), so there must be some broken devices out there like
this somewhere.
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Vincent Mailhol <mailhol@kernel.org>
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026022319-huff-absurd-6a18@gregkh
Fixes: 9f2d3eae88d2 ("can: ucan: add driver for Theobroma Systems UCAN devices")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/ucan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/can/usb/ucan.c
+++ b/drivers/net/can/usb/ucan.c
@@ -747,7 +747,7 @@ static void ucan_read_bulk_callback(stru
len = le16_to_cpu(m->len);
/* check sanity (length of content) */
- if (urb->actual_length - pos < len) {
+ if ((len == 0) || (urb->actual_length - pos < len)) {
netdev_warn(up->netdev,
"invalid message (short; no data; l:%d)\n",
urb->actual_length);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 063/460] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 062/460] netfilter: nf_tables: always walk all pending catchall elements Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 064/460] netfilter: x_tables: guard option walkers against 1-byte tail reads Greg Kroah-Hartman
` (239 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jenny Guanni Qu, Florian Westphal,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jenny Guanni Qu <qguanni@gmail.com>
[ Upstream commit d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 ]
pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the
to_offset argument on every iteration, including the last one where
i == m->field_count - 1. This reads one element past the end of the
stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS]
with NFT_PIPAPO_MAX_FIELDS == 16).
Although pipapo_unmap() returns early when is_last is true without
using the to_offset value, the argument is evaluated at the call site
before the function body executes, making this a genuine out-of-bounds
stack read confirmed by KASAN:
BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]
Read of size 4 at addr ffff8000810e71a4
This frame has 1 object:
[32, 160) 'rulemap'
The buggy address is at offset 164 -- exactly 4 bytes past the end
of the rulemap array.
Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid
the out-of-bounds read.
Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_pipapo.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index ab5045bf3e599..a2dd1212e0f0d 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1627,6 +1627,7 @@ static void pipapo_drop(struct nft_pipapo_match *m,
int i;
nft_pipapo_for_each_field(f, i, m) {
+ bool last = i == m->field_count - 1;
int g;
for (g = 0; g < f->groups; g++) {
@@ -1646,7 +1647,7 @@ static void pipapo_drop(struct nft_pipapo_match *m,
}
pipapo_unmap(f->mt, f->rules, rulemap[i].to, rulemap[i].n,
- rulemap[i + 1].n, i == m->field_count - 1);
+ last ? 0 : rulemap[i + 1].n, last);
if (pipapo_resize(f, f->rules, f->rules - rulemap[i].n)) {
/* We can ignore this, a failure to shrink tables down
* doesn't make tables invalid.
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 139/567] dpaa2-switch: do not clear any interrupts automatically
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 138/567] xsk: Fix zero-copy AF_XDP fragment drop Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 140/567] dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler Greg Kroah-Hartman
` (238 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ioana Ciornei, Simon Horman,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ioana Ciornei <ioana.ciornei@nxp.com>
[ Upstream commit f6da276479c63ca29774bc331a537b92f0550c45 ]
The DPSW object has multiple event sources multiplexed over the same
IRQ. The driver has the capability to configure only some of these
events to trigger the IRQ.
The dpsw_get_irq_status() can clear events automatically based on the
value stored in the 'status' variable passed to it. We don't want that
to happen because we could get into a situation when we are clearing
more events than we actually handled.
Just resort to manually clearing the events that we handled. Also, since
status is not used on the out path we remove its initialization to zero.
This change does not have a user-visible effect because the dpaa2-switch
driver enables and handles all the DPSW events which exist at the
moment.
Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 74badb9c20b1 ("dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
index 2631732ab2164..e44ab53448500 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
@@ -1518,9 +1518,9 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg)
struct device *dev = (struct device *)arg;
struct ethsw_core *ethsw = dev_get_drvdata(dev);
struct ethsw_port_priv *port_priv;
- u32 status = ~0;
int err, if_id;
bool had_mac;
+ u32 status;
err = dpsw_get_irq_status(ethsw->mc_io, 0, ethsw->dpsw_handle,
DPSW_IRQ_INDEX_IF, &status);
@@ -1553,12 +1553,12 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg)
dpaa2_switch_port_connect_mac(port_priv);
}
-out:
err = dpsw_clear_irq_status(ethsw->mc_io, 0, ethsw->dpsw_handle,
DPSW_IRQ_INDEX_IF, status);
if (err)
dev_err(dev, "Can't clear irq status (err %d)\n", err);
+out:
return IRQ_HANDLED;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 077/481] can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 076/481] can: ucan: Fix infinite loop from zero-length messages Greg Kroah-Hartman
@ 2026-03-23 13:40 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 078/481] HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them Greg Kroah-Hartman
` (238 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vincent Mailhol, Marc Kleine-Budde,
stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5eaad4f768266f1f17e01232ffe2ef009f8129b7 upstream.
When submitting an urb, that is using the anchor pattern, it needs to be
anchored before submitting it otherwise it could be leaked if
usb_kill_anchored_urbs() is called. This logic is correctly done
elsewhere in the driver, except in the read bulk callback so do that
here also.
Cc: Vincent Mailhol <mailhol@kernel.org>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Vincent Mailhol <mailhol@kernel.org>
Tested-by: Vincent Mailhol <mailhol@kernel.org>
Link: https://patch.msgid.link/2026022320-poser-stiffly-9d84@gregkh
Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/etas_es58x/es58x_core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/net/can/usb/etas_es58x/es58x_core.c
+++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
@@ -1460,12 +1460,18 @@ static void es58x_read_bulk_callback(str
}
resubmit_urb:
+ usb_anchor_urb(urb, &es58x_dev->rx_urbs);
ret = usb_submit_urb(urb, GFP_ATOMIC);
+ if (!ret)
+ return;
+
+ usb_unanchor_urb(urb);
+
if (ret == -ENODEV) {
for (i = 0; i < es58x_dev->num_can_ch; i++)
if (es58x_dev->netdev[i])
netif_device_detach(es58x_dev->netdev[i]);
- } else if (ret)
+ } else
dev_err_ratelimited(dev,
"Failed resubmitting read bulk urb: %pe\n",
ERR_PTR(ret));
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 064/460] netfilter: x_tables: guard option walkers against 1-byte tail reads
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.12 063/460] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 065/460] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path Greg Kroah-Hartman
` (238 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Dull, Florian Westphal,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Dull <monderasdor@gmail.com>
[ Upstream commit cfe770220ac2dbd3e104c6b45094037455da81d4 ]
When the last byte of options is a non-single-byte option kind, walkers
that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end
of the option area.
Add an explicit i == optlen - 1 check before dereferencing op[i + 1]
in xt_tcpudp and xt_dccp option walkers.
Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables")
Signed-off-by: David Dull <monderasdor@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_dccp.c | 4 ++--
net/netfilter/xt_tcpudp.c | 6 ++++--
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index e5a13ecbe67a0..037ab93e25d0a 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -62,10 +62,10 @@ dccp_find_option(u_int8_t option,
return true;
}
- if (op[i] < 2)
+ if (op[i] < 2 || i == optlen - 1)
i++;
else
- i += op[i+1]?:1;
+ i += op[i + 1] ? : 1;
}
spin_unlock_bh(&dccp_buflock);
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index e8991130a3de0..f76cf18f1a244 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -59,8 +59,10 @@ tcp_find_option(u_int8_t option,
for (i = 0; i < optlen; ) {
if (op[i] == option) return !invert;
- if (op[i] < 2) i++;
- else i += op[i+1]?:1;
+ if (op[i] < 2 || i == optlen - 1)
+ i++;
+ else
+ i += op[i + 1] ? : 1;
}
return invert;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 140/567] dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.6 139/567] dpaa2-switch: do not clear any interrupts automatically Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 141/567] atm: lec: fix null-ptr-deref in lec_arp_clear_vccs Greg Kroah-Hartman
` (237 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junrui Luo, Guenter Roeck,
Ioana Ciornei, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit 74badb9c20b1a9c02a95c735c6d3cd6121679c93 ]
Commit 31a7a0bbeb00 ("dpaa2-switch: add bounds check for if_id in IRQ
handler") introduces a range check for if_id to avoid an out-of-bounds
access. If an out-of-bounds if_id is detected, the interrupt status is
not cleared. This may result in an interrupt storm.
Clear the interrupt status after detecting an out-of-bounds if_id to avoid
the problem.
Found by an experimental AI code review agent at Google.
Fixes: 31a7a0bbeb00 ("dpaa2-switch: add bounds check for if_id in IRQ handler")
Cc: Junrui Luo <moonafterrain@outlook.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Link: https://patch.msgid.link/20260227055812.1777915-1-linux@roeck-us.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
index e44ab53448500..176f7072338b2 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
@@ -1532,7 +1532,7 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg)
if_id = (status & 0xFFFF0000) >> 16;
if (if_id >= ethsw->sw_attr.num_ifs) {
dev_err(dev, "Invalid if_id %d in IRQ status\n", if_id);
- goto out;
+ goto out_clear;
}
port_priv = ethsw->ports[if_id];
@@ -1553,6 +1553,7 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg)
dpaa2_switch_port_connect_mac(port_priv);
}
+out_clear:
err = dpsw_clear_irq_status(ethsw->mc_io, 0, ethsw->dpsw_handle,
DPSW_IRQ_INDEX_IF, status);
if (err)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 078/481] HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-03-23 13:40 ` [PATCH 6.1 077/481] can: usb: etas_es58x: correctly anchor the urb in the read bulk callback Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 079/481] x86/efi: defer freeing of boot services memory Greg Kroah-Hartman
` (237 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Kosina, Benjamin Tissoires,
Bastien Nocera, linux-input, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ecfa6f34492c493a9a1dc2900f3edeb01c79946b upstream.
In commit 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at
raw event handle"), we handle the fact that raw event callbacks
can happen even for a HID device that has not been "claimed" causing a
crash if a broken device were attempted to be connected to the system.
Fix up the remaining in-tree HID drivers that forgot to add this same
check to resolve the same issue.
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <bentiss@kernel.org>
Cc: Bastien Nocera <hadess@hadess.net>
Cc: linux-input@vger.kernel.org
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-cmedia.c | 2 +-
drivers/hid/hid-creative-sb0540.c | 2 +-
drivers/hid/hid-zydacron.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/hid/hid-cmedia.c
+++ b/drivers/hid/hid-cmedia.c
@@ -99,7 +99,7 @@ static int cmhid_raw_event(struct hid_de
{
struct cmhid *cm = hid_get_drvdata(hid);
- if (len != CM6533_JD_RAWEV_LEN)
+ if (len != CM6533_JD_RAWEV_LEN || !(hid->claimed & HID_CLAIMED_INPUT))
goto out;
if (memcmp(data+CM6533_JD_SFX_OFFSET, ji_sfx, sizeof(ji_sfx)))
goto out;
--- a/drivers/hid/hid-creative-sb0540.c
+++ b/drivers/hid/hid-creative-sb0540.c
@@ -153,7 +153,7 @@ static int creative_sb0540_raw_event(str
u64 code, main_code;
int key;
- if (len != 6)
+ if (len != 6 || !(hid->claimed & HID_CLAIMED_INPUT))
return 0;
/* From daemons/hw_hiddev.c sb0540_rec() in lirc */
--- a/drivers/hid/hid-zydacron.c
+++ b/drivers/hid/hid-zydacron.c
@@ -114,7 +114,7 @@ static int zc_raw_event(struct hid_devic
unsigned key;
unsigned short index;
- if (report->id == data[0]) {
+ if (report->id == data[0] && (hdev->claimed & HID_CLAIMED_INPUT)) {
/* break keys */
for (index = 0; index < 4; index++) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 065/460] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 064/460] netfilter: x_tables: guard option walkers against 1-byte tail reads Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 066/460] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() Greg Kroah-Hartman
` (237 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Dull, Hyunwoo Kim,
Florian Westphal, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit f1ba83755d81c6fc66ac7acd723d238f974091e9 ]
nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue
entry from the queue data structures, taking ownership of the entry.
For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN
attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN
present but NFQA_VLAN_TCI missing), the function returns immediately
without freeing the dequeued entry or its sk_buff.
This leaks the nf_queue_entry, its associated sk_buff, and all held
references (net_device refcounts, struct net refcount). Repeated
triggering exhausts kernel memory.
Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict
on the error path, consistent with other error handling in this file.
Fixes: 8d45ff22f1b4 ("netfilter: bridge: nf queue verdict to use NFQA_VLAN and NFQA_L2HDR")
Reviewed-by: David Dull <monderasdor@gmail.com>
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_queue.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index af35dbc19864a..df0232cf24ce2 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -1547,8 +1547,10 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info,
if (entry->state.pf == PF_BRIDGE) {
err = nfqa_parse_bridge(entry, nfqa);
- if (err < 0)
+ if (err < 0) {
+ nfqnl_reinject(entry, NF_DROP);
return err;
+ }
}
if (nfqa[NFQA_PAYLOAD]) {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 141/567] atm: lec: fix null-ptr-deref in lec_arp_clear_vccs
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 140/567] dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 142/567] amd-xgbe: fix MAC_TCR_SS register width for 2.5G and 10M speeds Greg Kroah-Hartman
` (236 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+72e3ea390c305de0e259,
Dan Carpenter, Simon Horman, Jiayuan Chen, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@shopee.com>
[ Upstream commit 101bacb303e89dc2e0640ae6a5e0fb97c4eb45bb ]
syzkaller reported a null-ptr-deref in lec_arp_clear_vccs().
This issue can be easily reproduced using the syzkaller reproducer.
In the ATM LANE (LAN Emulation) module, the same atm_vcc can be shared by
multiple lec_arp_table entries (e.g., via entry->vcc or entry->recv_vcc).
When the underlying VCC is closed, lec_vcc_close() iterates over all
ARP entries and calls lec_arp_clear_vccs() for each matched entry.
For example, when lec_vcc_close() iterates through the hlists in
priv->lec_arp_empty_ones or other ARP tables:
1. In the first iteration, for the first matched ARP entry sharing the VCC,
lec_arp_clear_vccs() frees the associated vpriv (which is vcc->user_back)
and sets vcc->user_back to NULL.
2. In the second iteration, for the next matched ARP entry sharing the same
VCC, lec_arp_clear_vccs() is called again. It obtains a NULL vpriv from
vcc->user_back (via LEC_VCC_PRIV(vcc)) and then attempts to dereference it
via `vcc->pop = vpriv->old_pop`, leading to a null-ptr-deref crash.
Fix this by adding a null check for vpriv before dereferencing
it. If vpriv is already NULL, it means the VCC has been cleared
by a previous call, so we can safely skip the cleanup and just
clear the entry's vcc/recv_vcc pointers.
The entire cleanup block (including vcc_release_async()) is placed inside
the vpriv guard because a NULL vpriv indicates the VCC has already been
fully released by a prior iteration — repeating the teardown would
redundantly set flags and trigger callbacks on an already-closing socket.
The Fixes tag points to the initial commit because the entry->vcc path has
been vulnerable since the original code. The entry->recv_vcc path was later
added by commit 8d9f73c0ad2f ("atm: fix a memory leak of vcc->user_back")
with the same pattern, and both paths are fixed here.
Reported-by: syzbot+72e3ea390c305de0e259@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68c95a83.050a0220.3c6139.0e5c.GAE@google.com/T/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Link: https://patch.msgid.link/20260225123250.189289-1-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/atm/lec.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/net/atm/lec.c b/net/atm/lec.c
index b7fa48a9b7205..0d4b8e5936dcf 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -1260,24 +1260,28 @@ static void lec_arp_clear_vccs(struct lec_arp_table *entry)
struct lec_vcc_priv *vpriv = LEC_VCC_PRIV(vcc);
struct net_device *dev = (struct net_device *)vcc->proto_data;
- vcc->pop = vpriv->old_pop;
- if (vpriv->xoff)
- netif_wake_queue(dev);
- kfree(vpriv);
- vcc->user_back = NULL;
- vcc->push = entry->old_push;
- vcc_release_async(vcc, -EPIPE);
+ if (vpriv) {
+ vcc->pop = vpriv->old_pop;
+ if (vpriv->xoff)
+ netif_wake_queue(dev);
+ kfree(vpriv);
+ vcc->user_back = NULL;
+ vcc->push = entry->old_push;
+ vcc_release_async(vcc, -EPIPE);
+ }
entry->vcc = NULL;
}
if (entry->recv_vcc) {
struct atm_vcc *vcc = entry->recv_vcc;
struct lec_vcc_priv *vpriv = LEC_VCC_PRIV(vcc);
- kfree(vpriv);
- vcc->user_back = NULL;
+ if (vpriv) {
+ kfree(vpriv);
+ vcc->user_back = NULL;
- entry->recv_vcc->push = entry->old_recv_push;
- vcc_release_async(entry->recv_vcc, -EPIPE);
+ entry->recv_vcc->push = entry->old_recv_push;
+ vcc_release_async(entry->recv_vcc, -EPIPE);
+ }
entry->recv_vcc = NULL;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 079/481] x86/efi: defer freeing of boot services memory
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 078/481] HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 080/481] platform/x86: dell-wmi-sysman: Dont hex dump plaintext password data Greg Kroah-Hartman
` (236 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Rapoport (Microsoft),
Benjamin Herrenschmidt, Ard Biesheuvel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Rapoport (Microsoft) <rppt@kernel.org>
commit a4b0bf6a40f3c107c67a24fbc614510ef5719980 upstream.
efi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODE
and EFI_BOOT_SERVICES_DATA using memblock_free_late().
There are two issue with that: memblock_free_late() should be used for
memory allocated with memblock_alloc() while the memory reserved with
memblock_reserve() should be freed with free_reserved_area().
More acutely, with CONFIG_DEFERRED_STRUCT_PAGE_INIT=y
efi_free_boot_services() is called before deferred initialization of the
memory map is complete.
Benjamin Herrenschmidt reports that this causes a leak of ~140MB of
RAM on EC2 t3a.nano instances which only have 512MB or RAM.
If the freed memory resides in the areas that memory map for them is
still uninitialized, they won't be actually freed because
memblock_free_late() calls memblock_free_pages() and the latter skips
uninitialized pages.
Using free_reserved_area() at this point is also problematic because
__free_page() accesses the buddy of the freed page and that again might
end up in uninitialized part of the memory map.
Delaying the entire efi_free_boot_services() could be problematic
because in addition to freeing boot services memory it updates
efi.memmap without any synchronization and that's undesirable late in
boot when there is concurrency.
More robust approach is to only defer freeing of the EFI boot services
memory.
Split efi_free_boot_services() in two. First efi_unmap_boot_services()
collects ranges that should be freed into an array then
efi_free_boot_services() later frees them after deferred init is complete.
Link: https://lore.kernel.org/all/ec2aaef14783869b3be6e3c253b2dcbf67dbc12a.camel@kernel.crashing.org
Fixes: 916f676f8dc0 ("x86, efi: Retain boot service code until after switching to virtual mode")
Cc: <stable@vger.kernel.org>
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Reviewed-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/efi.h | 2 -
arch/x86/platform/efi/efi.c | 2 -
arch/x86/platform/efi/quirks.c | 55 ++++++++++++++++++++++++++++++++++--
drivers/firmware/efi/mokvar-table.c | 2 -
4 files changed, 55 insertions(+), 6 deletions(-)
--- a/arch/x86/include/asm/efi.h
+++ b/arch/x86/include/asm/efi.h
@@ -162,7 +162,7 @@ extern void __init efi_apply_memmap_quir
extern int __init efi_reuse_config(u64 tables, int nr_tables);
extern void efi_delete_dummy_variable(void);
extern void efi_crash_gracefully_on_page_fault(unsigned long phys_addr);
-extern void efi_free_boot_services(void);
+extern void efi_unmap_boot_services(void);
void efi_enter_mm(void);
void efi_leave_mm(void);
--- a/arch/x86/platform/efi/efi.c
+++ b/arch/x86/platform/efi/efi.c
@@ -811,7 +811,7 @@ static void __init __efi_enter_virtual_m
}
efi_check_for_embedded_firmwares();
- efi_free_boot_services();
+ efi_unmap_boot_services();
if (!efi_is_mixed())
efi_native_runtime_setup();
--- a/arch/x86/platform/efi/quirks.c
+++ b/arch/x86/platform/efi/quirks.c
@@ -333,7 +333,7 @@ void __init efi_reserve_boot_services(vo
/*
* Because the following memblock_reserve() is paired
- * with memblock_free_late() for this region in
+ * with free_reserved_area() for this region in
* efi_free_boot_services(), we must be extremely
* careful not to reserve, and subsequently free,
* critical regions of memory (like the kernel image) or
@@ -396,17 +396,33 @@ static void __init efi_unmap_pages(efi_m
pr_err("Failed to unmap VA mapping for 0x%llx\n", va);
}
-void __init efi_free_boot_services(void)
+struct efi_freeable_range {
+ u64 start;
+ u64 end;
+};
+
+static struct efi_freeable_range *ranges_to_free;
+
+void __init efi_unmap_boot_services(void)
{
struct efi_memory_map_data data = { 0 };
efi_memory_desc_t *md;
int num_entries = 0;
+ int idx = 0;
+ size_t sz;
void *new, *new_md;
/* Keep all regions for /sys/kernel/debug/efi */
if (efi_enabled(EFI_DBG))
return;
+ sz = sizeof(*ranges_to_free) * efi.memmap.nr_map + 1;
+ ranges_to_free = kzalloc(sz, GFP_KERNEL);
+ if (!ranges_to_free) {
+ pr_err("Failed to allocate storage for freeable EFI regions\n");
+ return;
+ }
+
for_each_efi_memory_desc(md) {
unsigned long long start = md->phys_addr;
unsigned long long size = md->num_pages << EFI_PAGE_SHIFT;
@@ -463,7 +479,15 @@ void __init efi_free_boot_services(void)
start = SZ_1M;
}
- memblock_free_late(start, size);
+ /*
+ * With CONFIG_DEFERRED_STRUCT_PAGE_INIT parts of the memory
+ * map are still not initialized and we can't reliably free
+ * memory here.
+ * Queue the ranges to free at a later point.
+ */
+ ranges_to_free[idx].start = start;
+ ranges_to_free[idx].end = start + size;
+ idx++;
}
if (!num_entries)
@@ -504,6 +528,31 @@ void __init efi_free_boot_services(void)
}
}
+static int __init efi_free_boot_services(void)
+{
+ struct efi_freeable_range *range = ranges_to_free;
+ unsigned long freed = 0;
+
+ if (!ranges_to_free)
+ return 0;
+
+ while (range->start) {
+ void *start = phys_to_virt(range->start);
+ void *end = phys_to_virt(range->end);
+
+ free_reserved_area(start, end, -1, NULL);
+ freed += (end - start);
+ range++;
+ }
+ kfree(ranges_to_free);
+
+ if (freed)
+ pr_info("Freeing EFI boot services memory: %ldK\n", freed / SZ_1K);
+
+ return 0;
+}
+arch_initcall(efi_free_boot_services);
+
/*
* A number of config table entries get remapped to virtual addresses
* after entering EFI virtual mode. However, the kexec kernel requires
--- a/drivers/firmware/efi/mokvar-table.c
+++ b/drivers/firmware/efi/mokvar-table.c
@@ -85,7 +85,7 @@ static struct kobject *mokvar_kobj;
* as an alternative to ordinary EFI variables, due to platform-dependent
* limitations. The memory occupied by this table is marked as reserved.
*
- * This routine must be called before efi_free_boot_services() in order
+ * This routine must be called before efi_unmap_boot_services() in order
* to guarantee that it can mark the table as reserved.
*
* Implicit inputs:
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 066/460] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 065/460] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 067/460] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels Greg Kroah-Hartman
` (236 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Florian Westphal,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit 6dcee8496d53165b2d8a5909b3050b62ae71fe89 ]
nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label
inside the for loop body. When the "last" helper saved in cb->args[1]
is deleted between dump rounds, every entry fails the (cur != last)
check, so cb->args[1] is never cleared. The for loop finishes with
cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back
into the loop body bypassing the bounds check, causing an 8-byte
out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].
The 'goto restart' block was meant to re-traverse the current bucket
when "last" is no longer found, but it was placed after the for loop
instead of inside it. Move the block into the for loop body so that
the restart only occurs while cb->args[0] is still within bounds.
BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0
Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131
Call Trace:
nfnl_cthelper_dump_table+0x9f/0x1b0
netlink_dump+0x333/0x880
netlink_recvmsg+0x3e2/0x4b0
sock_recvmsg+0xde/0xf0
__sys_recvfrom+0x150/0x200
__x64_sys_recvfrom+0x76/0x90
do_syscall_64+0xc3/0x6e0
Allocated by task 1:
__kvmalloc_node_noprof+0x21b/0x700
nf_ct_alloc_hashtable+0x65/0xd0
nf_conntrack_helper_init+0x21/0x60
nf_conntrack_init_start+0x18d/0x300
nf_conntrack_standalone_init+0x12/0xc0
Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_cthelper.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index 97248963a7d3b..71a248cca746a 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -603,10 +603,10 @@ nfnl_cthelper_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
goto out;
}
}
- }
- if (cb->args[1]) {
- cb->args[1] = 0;
- goto restart;
+ if (cb->args[1]) {
+ cb->args[1] = 0;
+ goto restart;
+ }
}
out:
rcu_read_unlock();
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 142/567] amd-xgbe: fix MAC_TCR_SS register width for 2.5G and 10M speeds
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 141/567] atm: lec: fix null-ptr-deref in lec_arp_clear_vccs Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 143/567] can: bcm: fix locking for bcm_op runtime updates Greg Kroah-Hartman
` (235 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guruvendra Punugupati, Raju Rangoju,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raju Rangoju <Raju.Rangoju@amd.com>
[ Upstream commit 9439a661c2e80485406ce2c90b107ca17858382d ]
Extend the MAC_TCR_SS (Speed Select) register field width from 2 bits
to 3 bits to properly support all speed settings.
The MAC_TCR register's SS field encoding requires 3 bits to represent
all supported speeds:
- 0x00: 10Gbps (XGMII)
- 0x02: 2.5Gbps (GMII) / 100Mbps
- 0x03: 1Gbps / 10Mbps
- 0x06: 2.5Gbps (XGMII) - P100a only
With only 2 bits, values 0x04-0x07 cannot be represented, which breaks
2.5G XGMII mode on newer platforms and causes incorrect speed select
values to be programmed.
Fixes: 07445f3c7ca1 ("amd-xgbe: Add support for 10 Mbps speed")
Co-developed-by: Guruvendra Punugupati <Guruvendra.Punugupati@amd.com>
Signed-off-by: Guruvendra Punugupati <Guruvendra.Punugupati@amd.com>
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Link: https://patch.msgid.link/20260226170753.250312-1-Raju.Rangoju@amd.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
index aa25a8a0a106f..d99d2295eab0f 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
@@ -514,7 +514,7 @@
#define MAC_SSIR_SSINC_INDEX 16
#define MAC_SSIR_SSINC_WIDTH 8
#define MAC_TCR_SS_INDEX 29
-#define MAC_TCR_SS_WIDTH 2
+#define MAC_TCR_SS_WIDTH 3
#define MAC_TCR_TE_INDEX 0
#define MAC_TCR_TE_WIDTH 1
#define MAC_TCR_VNE_INDEX 24
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 080/481] platform/x86: dell-wmi-sysman: Dont hex dump plaintext password data
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 079/481] x86/efi: defer freeing of boot services memory Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 081/481] platform/x86: dell-wmi: Add audio/mic mute key codes Greg Kroah-Hartman
` (235 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Ilpo Järvinen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit d1a196e0a6dcddd03748468a0e9e3100790fc85c upstream.
set_new_password() hex dumps the entire buffer, which contains plaintext
password data, including current and new passwords. Remove the hex dump
to avoid leaking credentials.
Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Link: https://patch.msgid.link/20260303113050.58127-2-thorsten.blum@linux.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c
+++ b/drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c
@@ -93,7 +93,6 @@ int set_new_password(const char *passwor
if (ret < 0)
goto out;
- print_hex_dump_bytes("set new password data: ", DUMP_PREFIX_NONE, buffer, buffer_size);
ret = call_password_interface(wmi_priv.password_attr_wdev, buffer, buffer_size);
/* on success copy the new password to current password */
if (!ret)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 067/460] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 066/460] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 068/460] perf annotate: Fix hashmap__new() error checking Greg Kroah-Hartman
` (235 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
Xin Liu, Florian Westphal, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuan Tan <tanyuan98@outlook.com>
[ Upstream commit 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf ]
IDLETIMER revision 0 rules reuse existing timers by label and always call
mod_timer() on timer->timer.
If the label was created first by revision 1 with XT_IDLETIMER_ALARM,
the object uses alarm timer semantics and timer->timer is never initialized.
Reusing that object from revision 0 causes mod_timer() on an uninitialized
timer_list, triggering debugobjects warnings and possible panic when
panic_on_warn=1.
Fix this by rejecting revision 0 rule insertion when an existing timer with
the same label is of ALARM type.
Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target")
Co-developed-by: Yifan Wu <yifanwucs@gmail.com>
Signed-off-by: Yifan Wu <yifanwucs@gmail.com>
Co-developed-by: Juefei Pu <tomapufckgml@gmail.com>
Signed-off-by: Juefei Pu <tomapufckgml@gmail.com>
Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
Signed-off-by: Xin Liu <dstsmallbird@foxmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_IDLETIMER.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index 9869ef3c2ab37..92a8289b1cb35 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -320,6 +320,12 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par)
info->timer = __idletimer_tg_find_by_label(info->label);
if (info->timer) {
+ if (info->timer->timer_type & XT_IDLETIMER_ALARM) {
+ pr_debug("Adding/Replacing rule with same label and different timer type is not allowed\n");
+ mutex_unlock(&list_mutex);
+ return -EINVAL;
+ }
+
info->timer->refcnt++;
mod_timer(&info->timer->timer,
msecs_to_jiffies(info->timeout * 1000) + jiffies);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 143/567] can: bcm: fix locking for bcm_op runtime updates
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 142/567] amd-xgbe: fix MAC_TCR_SS register width for 2.5G and 10M speeds Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 144/567] can: mcp251x: fix deadlock in error path of mcp251x_open Greg Kroah-Hartman
` (234 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+5b11eccc403dd1cea9f8,
Oliver Hartkopp, Marc Kleine-Budde, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Hartkopp <socketcan@hartkopp.net>
[ Upstream commit c35636e91e392e1540949bbc67932167cb48bc3a ]
Commit c2aba69d0c36 ("can: bcm: add locking for bcm_op runtime updates")
added a locking for some variables that can be modified at runtime when
updating the sending bcm_op with a new TX_SETUP command in bcm_tx_setup().
Usually the RX_SETUP only handles and filters incoming traffic with one
exception: When the RX_RTR_FRAME flag is set a predefined CAN frame is
sent when a specific RTR frame is received. Therefore the rx bcm_op uses
bcm_can_tx() which uses the bcm_tx_lock that was only initialized in
bcm_tx_setup(). Add the missing spin_lock_init() when allocating the
bcm_op in bcm_rx_setup() to handle the RTR case properly.
Fixes: c2aba69d0c36 ("can: bcm: add locking for bcm_op runtime updates")
Reported-by: syzbot+5b11eccc403dd1cea9f8@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-can/699466e4.a70a0220.2c38d7.00ff.GAE@google.com/
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Link: https://patch.msgid.link/20260218-bcm_spin_lock_init-v1-1-592634c8a5b5@hartkopp.net
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/can/bcm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 75653584f31b9..35039645c4629 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1128,6 +1128,7 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
if (!op)
return -ENOMEM;
+ spin_lock_init(&op->bcm_tx_lock);
op->can_id = msg_head->can_id;
op->nframes = msg_head->nframes;
op->cfsiz = CFSIZ(msg_head->flags);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 081/481] platform/x86: dell-wmi: Add audio/mic mute key codes
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 080/481] platform/x86: dell-wmi-sysman: Dont hex dump plaintext password data Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 082/481] ALSA: usb-audio: Use correct version for UAC3 header validation Greg Kroah-Hartman
` (234 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olexa Bilaniuk, Kurt Borja,
Pali Rohár, Ilpo Järvinen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kurt Borja <kuurtb@gmail.com>
commit 26a7601471f62b95d56a81c3a8ccb551b5a6630f upstream.
Add audio/mic mute key codes found in Alienware m18 r1 AMD.
Cc: stable@vger.kernel.org
Tested-by: Olexa Bilaniuk <obilaniu@gmail.com>
Suggested-by: Olexa Bilaniuk <obilaniu@gmail.com>
Signed-off-by: Kurt Borja <kuurtb@gmail.com>
Acked-by: Pali Rohár <pali@kernel.org>
Link: https://patch.msgid.link/20260207-mute-keys-v2-1-c55e5471c9c1@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/dell/dell-wmi-base.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/platform/x86/dell/dell-wmi-base.c
+++ b/drivers/platform/x86/dell/dell-wmi-base.c
@@ -80,6 +80,12 @@ static const struct dmi_system_id dell_w
static const struct key_entry dell_wmi_keymap_type_0000[] = {
{ KE_IGNORE, 0x003a, { KEY_CAPSLOCK } },
+ /* Audio mute toggle */
+ { KE_KEY, 0x0109, { KEY_MUTE } },
+
+ /* Mic mute toggle */
+ { KE_KEY, 0x0150, { KEY_MICMUTE } },
+
/* Meta key lock */
{ KE_IGNORE, 0xe000, { KEY_RIGHTMETA } },
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 068/460] perf annotate: Fix hashmap__new() error checking
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 067/460] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 069/460] regulator: pca9450: Correct interrupt type Greg Kroah-Hartman
` (234 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Chen Ni, Adrian Hunter,
Alexander Shishkin, Ingo Molnar, James Clark, Jiri Olsa,
Mark Rutland, Namhyung Kim, Peter Zijlstra, Tianyou Li,
Arnaldo Carvalho de Melo, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit bf29cb3641b80bac759c3332b02e0b270e16bf94 ]
The hashmap__new() function never returns NULL, it returns error
pointers. Fix the error checking to match.
Additionally, set src->samples to NULL to prevent any later code from
accidentally using the error pointer.
Fixes: d3e7cad6f36d9e80 ("perf annotate: Add a hashmap for symbol histogram")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Tianyou Li <tianyou.li@intel.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/annotate.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
index cb8f191e19fd9..890cc0a69fa5e 100644
--- a/tools/perf/util/annotate.c
+++ b/tools/perf/util/annotate.c
@@ -44,6 +44,7 @@
#include "strbuf.h"
#include <regex.h>
#include <linux/bitops.h>
+#include <linux/err.h>
#include <linux/kernel.h>
#include <linux/string.h>
#include <linux/zalloc.h>
@@ -135,8 +136,10 @@ static int annotated_source__alloc_histograms(struct annotated_source *src,
return -1;
src->samples = hashmap__new(sym_hist_hash, sym_hist_equal, NULL);
- if (src->samples == NULL)
+ if (IS_ERR(src->samples)) {
zfree(&src->histograms);
+ src->samples = NULL;
+ }
return src->histograms ? 0 : -1;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 144/567] can: mcp251x: fix deadlock in error path of mcp251x_open
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 143/567] can: bcm: fix locking for bcm_op runtime updates Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 145/567] rust: kunit: fix warning when !CONFIG_PRINTK Greg Kroah-Hartman
` (233 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alban Bedel, Marc Kleine-Budde,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alban Bedel <alban.bedel@lht.dlh.de>
[ Upstream commit ab3f894de216f4a62adc3b57e9191888cbf26885 ]
The mcp251x_open() function call free_irq() in its error path with the
mpc_lock mutex held. But if an interrupt already occurred the
interrupt handler will be waiting for the mpc_lock and free_irq() will
deadlock waiting for the handler to finish.
This issue is similar to the one fixed in commit 7dd9c26bd6cf ("can:
mcp251x: fix deadlock if an interrupt occurs during mcp251x_open") but
for the error path.
To solve this issue move the call to free_irq() after the lock is
released. Setting `priv->force_quit = 1` beforehand ensure that the IRQ
handler will exit right away once it acquired the lock.
Signed-off-by: Alban Bedel <alban.bedel@lht.dlh.de>
Link: https://patch.msgid.link/20260209144706.2261954-1-alban.bedel@lht.dlh.de
Fixes: bf66f3736a94 ("can: mcp251x: Move to threaded interrupts instead of workqueues.")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/spi/mcp251x.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
index 8c56f85e87c1a..72ae17b2313ec 100644
--- a/drivers/net/can/spi/mcp251x.c
+++ b/drivers/net/can/spi/mcp251x.c
@@ -1202,6 +1202,7 @@ static int mcp251x_open(struct net_device *net)
{
struct mcp251x_priv *priv = netdev_priv(net);
struct spi_device *spi = priv->spi;
+ bool release_irq = false;
unsigned long flags = 0;
int ret;
@@ -1245,12 +1246,24 @@ static int mcp251x_open(struct net_device *net)
return 0;
out_free_irq:
- free_irq(spi->irq, priv);
+ /* The IRQ handler might be running, and if so it will be waiting
+ * for the lock. But free_irq() must wait for the handler to finish
+ * so calling it here would deadlock.
+ *
+ * Setting priv->force_quit will let the handler exit right away
+ * without any access to the hardware. This make it safe to call
+ * free_irq() after the lock is released.
+ */
+ priv->force_quit = 1;
+ release_irq = true;
+
mcp251x_hw_sleep(spi);
out_close:
mcp251x_power_enable(priv->transceiver, 0);
close_candev(net);
mutex_unlock(&priv->mcp_lock);
+ if (release_irq)
+ free_irq(spi->irq, priv);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 082/481] ALSA: usb-audio: Use correct version for UAC3 header validation
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 081/481] platform/x86: dell-wmi: Add audio/mic mute key codes Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 083/481] wifi: radiotap: reject radiotap with unknown bits Greg Kroah-Hartman
` (233 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jun Seo, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jun Seo <jun.seo.93@proton.me>
commit 54f9d645a5453d0bfece0c465d34aaf072ea99fa upstream.
The entry of the validators table for UAC3 AC header descriptor is
defined with the wrong protocol version UAC_VERSION_2, while it should
have been UAC_VERSION_3. This results in the validator never matching
for actual UAC3 devices (protocol == UAC_VERSION_3), causing their
header descriptors to bypass validation entirely. A malicious USB
device presenting a truncated UAC3 header could exploit this to cause
out-of-bounds reads when the driver later accesses unvalidated
descriptor fields.
The bug was introduced in the same commit as the recently fixed UAC3
feature unit sub-type typo, and appears to be from the same copy-paste
error when the UAC3 section was created from the UAC2 section.
Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units")
Cc: <stable@vger.kernel.org>
Signed-off-by: Jun Seo <jun.seo.93@proton.me>
Link: https://patch.msgid.link/20260226010820.36529-1-jun.seo.93@proton.me
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/validate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/usb/validate.c
+++ b/sound/usb/validate.c
@@ -281,7 +281,7 @@ static const struct usb_desc_validator a
/* UAC_VERSION_2, UAC2_SAMPLE_RATE_CONVERTER: not implemented yet */
/* UAC3 */
- FIXED(UAC_VERSION_2, UAC_HEADER, struct uac3_ac_header_descriptor),
+ FIXED(UAC_VERSION_3, UAC_HEADER, struct uac3_ac_header_descriptor),
FIXED(UAC_VERSION_3, UAC_INPUT_TERMINAL,
struct uac3_input_terminal_descriptor),
FIXED(UAC_VERSION_3, UAC_OUTPUT_TERMINAL,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 069/460] regulator: pca9450: Correct interrupt type
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 068/460] perf annotate: Fix hashmap__new() error checking Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 070/460] perf ftrace: Fix hashmap__new() error checking Greg Kroah-Hartman
` (233 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Mark Brown, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 5d0efaf47ee90ac60efae790acee3a3ed99ebf80 ]
Kernel warning on i.MX8MP-EVK when doing module test:
irq: type mismatch, failed to map hwirq-3 for gpio@30200000!
Per PCA945[X] specification: The IRQ_B pin is pulled low when any unmasked
interrupt bit status is changed and it is released high once application
processor read INT1 register.
So the interrupt should be configured as IRQF_TRIGGER_LOW, not
IRQF_TRIGGER_FALLING.
Fixes: 0935ff5f1f0a4 ("regulator: pca9450: add pca9450 pmic driver")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260310-pca9450-irq-v1-1-36adf52c2c55@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/pca9450-regulator.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c
index 1ffa145319f23..2a0fac873f9c1 100644
--- a/drivers/regulator/pca9450-regulator.c
+++ b/drivers/regulator/pca9450-regulator.c
@@ -965,7 +965,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c)
if (pca9450->irq) {
ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL,
pca9450_irq_handler,
- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT),
+ (IRQF_TRIGGER_LOW | IRQF_ONESHOT),
"pca9450-irq", pca9450);
if (ret != 0) {
dev_err(pca9450->dev, "Failed to request IRQ: %d\n",
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 145/567] rust: kunit: fix warning when !CONFIG_PRINTK
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 144/567] can: mcp251x: fix deadlock in error path of mcp251x_open Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 146/567] kunit: tool: copy caller args in run_kernel to prevent mutation Greg Kroah-Hartman
` (232 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Courbot, Alice Ryhl,
David Gow, Shuah Khan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Courbot <acourbot@nvidia.com>
[ Upstream commit 7dd34dfc8dfa92a7244242098110388367996ac3 ]
If `CONFIG_PRINTK` is not set, then the following warnings are issued
during build:
warning: unused variable: `args`
--> ../rust/kernel/kunit.rs:16:12
|
16 | pub fn err(args: fmt::Arguments<'_>) {
| ^^^^ help: if this is intentional, prefix it with an underscore: `_args`
|
= note: `#[warn(unused_variables)]` (part of `#[warn(unused)]`) on by default
warning: unused variable: `args`
--> ../rust/kernel/kunit.rs:32:13
|
32 | pub fn info(args: fmt::Arguments<'_>) {
| ^^^^ help: if this is intentional, prefix it with an underscore: `_args`
Fix this by adding a no-op assignment using `args` when `CONFIG_PRINTK`
is not set.
Fixes: a66d733da801 ("rust: support running Rust documentation tests as KUnit ones")
Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: David Gow <david@davidgow.net>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
rust/kernel/kunit.rs | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/rust/kernel/kunit.rs b/rust/kernel/kunit.rs
index 722655b2d62df..f33d8f5f1851a 100644
--- a/rust/kernel/kunit.rs
+++ b/rust/kernel/kunit.rs
@@ -13,6 +13,10 @@
/// Public but hidden since it should only be used from KUnit generated code.
#[doc(hidden)]
pub fn err(args: fmt::Arguments<'_>) {
+ // `args` is unused if `CONFIG_PRINTK` is not set - this avoids a build-time warning.
+ #[cfg(not(CONFIG_PRINTK))]
+ let _ = args;
+
// SAFETY: The format string is null-terminated and the `%pA` specifier matches the argument we
// are passing.
#[cfg(CONFIG_PRINTK)]
@@ -29,6 +33,10 @@ pub fn err(args: fmt::Arguments<'_>) {
/// Public but hidden since it should only be used from KUnit generated code.
#[doc(hidden)]
pub fn info(args: fmt::Arguments<'_>) {
+ // `args` is unused if `CONFIG_PRINTK` is not set - this avoids a build-time warning.
+ #[cfg(not(CONFIG_PRINTK))]
+ let _ = args;
+
// SAFETY: The format string is null-terminated and the `%pA` specifier matches the argument we
// are passing.
#[cfg(CONFIG_PRINTK)]
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 083/481] wifi: radiotap: reject radiotap with unknown bits
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 082/481] ALSA: usb-audio: Use correct version for UAC3 header validation Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 084/481] wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() Greg Kroah-Hartman
` (232 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b09c1af8764c0097bb19,
Johannes Berg
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
commit c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 upstream.
The radiotap parser is currently only used with the radiotap
namespace (not with vendor namespaces), but if the undefined
field 18 is used, the alignment/size is unknown as well. In
this case, iterator->_next_ns_data isn't initialized (it's
only set for skipping vendor namespaces), and syzbot points
out that we later compare against this uninitialized value.
Fix this by moving the rejection of unknown radiotap fields
down to after the in-namespace lookup, so it will really use
iterator->_next_ns_data only for vendor namespaces, even in
case undefined fields are present.
Cc: stable@vger.kernel.org
Fixes: 33e5a2f776e3 ("wireless: update radiotap parser")
Reported-by: syzbot+b09c1af8764c0097bb19@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/69944a91.a70a0220.2c38d7.00fc.GAE@google.com
Link: https://patch.msgid.link/20260217120526.162647-2-johannes@sipsolutions.net
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/radiotap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/wireless/radiotap.c
+++ b/net/wireless/radiotap.c
@@ -239,14 +239,14 @@ int ieee80211_radiotap_iterator_next(
default:
if (!iterator->current_namespace ||
iterator->_arg_index >= iterator->current_namespace->n_bits) {
- if (iterator->current_namespace == &radiotap_ns)
- return -ENOENT;
align = 0;
} else {
align = iterator->current_namespace->align_size[iterator->_arg_index].align;
size = iterator->current_namespace->align_size[iterator->_arg_index].size;
}
if (!align) {
+ if (iterator->current_namespace == &radiotap_ns)
+ return -ENOENT;
/* skip all subsequent data */
iterator->_arg = iterator->_next_ns_data;
/* give up on this namespace */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 070/460] perf ftrace: Fix hashmap__new() error checking
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 069/460] regulator: pca9450: Correct interrupt type Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 071/460] sched: idle: Make skipping governor callbacks more consistent Greg Kroah-Hartman
` (232 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Chen Ni, Adrian Hunter,
Alexander Shishkin, Ingo Molnar, James Clark, Jiri Olsa,
Mark Rutland, Namhyung Kim, Peter Zijlstra,
Arnaldo Carvalho de Melo, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit be34705aa527872e5ce83927b7bc9307ba8095ca ]
The hashmap__new() function never returns NULL, it returns error
pointers. Fix the error checking to match.
Additionally, set ftrace->profile_hash to NULL on error, and return the
exact error code from hashmap__new().
Fixes: 0f223813edd051a5 ("perf ftrace: Add 'profile' command")
Suggested-by: Ian Rogers <irogers@google.com>
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-ftrace.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c
index a56cf8b0a7d40..09c484182d5bc 100644
--- a/tools/perf/builtin-ftrace.c
+++ b/tools/perf/builtin-ftrace.c
@@ -18,6 +18,7 @@
#include <poll.h>
#include <ctype.h>
#include <linux/capability.h>
+#include <linux/err.h>
#include <linux/string.h>
#include "debug.h"
@@ -998,8 +999,12 @@ static int prepare_func_profile(struct perf_ftrace *ftrace)
ftrace->graph_tail = 1;
ftrace->profile_hash = hashmap__new(profile_hash, profile_equal, NULL);
- if (ftrace->profile_hash == NULL)
- return -ENOMEM;
+ if (IS_ERR(ftrace->profile_hash)) {
+ int err = PTR_ERR(ftrace->profile_hash);
+
+ ftrace->profile_hash = NULL;
+ return err;
+ }
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 146/567] kunit: tool: copy caller args in run_kernel to prevent mutation
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 145/567] rust: kunit: fix warning when !CONFIG_PRINTK Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 147/567] net: dsa: realtek: rtl8365mb: fix rtl8365mb_phy_ocp_write return value Greg Kroah-Hartman
` (231 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuvam Pandey, David Gow, Shuah Khan,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuvam Pandey <shuvampandey1@gmail.com>
[ Upstream commit 40804c4974b8df2adab72f6475d343eaff72b7f6 ]
run_kernel() appended KUnit flags directly to the caller-provided args
list. When exec_tests() calls run_kernel() repeatedly (e.g. with
--run_isolated), each call mutated the same list, causing later runs
to inherit stale filter_glob values and duplicate kunit.enable flags.
Fix this by copying args at the start of run_kernel(). Add a regression
test that calls run_kernel() twice with the same list and verifies the
original remains unchanged.
Fixes: ff9e09a3762f ("kunit: tool: support running each suite/test separately")
Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com>
Reviewed-by: David Gow <david@davidgow.net>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/kunit/kunit_kernel.py | 6 ++++--
tools/testing/kunit/kunit_tool_test.py | 26 ++++++++++++++++++++++++++
2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/tools/testing/kunit/kunit_kernel.py b/tools/testing/kunit/kunit_kernel.py
index 0b6488efed47a..df7622dac0ff1 100644
--- a/tools/testing/kunit/kunit_kernel.py
+++ b/tools/testing/kunit/kunit_kernel.py
@@ -331,8 +331,10 @@ class LinuxSourceTree:
return self.validate_config(build_dir)
def run_kernel(self, args: Optional[List[str]]=None, build_dir: str='', filter_glob: str='', filter: str='', filter_action: Optional[str]=None, timeout: Optional[int]=None) -> Iterator[str]:
- if not args:
- args = []
+ # Copy to avoid mutating the caller-supplied list. exec_tests() reuses
+ # the same args across repeated run_kernel() calls (e.g. --run_isolated),
+ # so appending to the original would accumulate stale flags on each call.
+ args = list(args) if args else []
if filter_glob:
args.append('kunit.filter_glob=' + filter_glob)
if filter:
diff --git a/tools/testing/kunit/kunit_tool_test.py b/tools/testing/kunit/kunit_tool_test.py
index b28c1510be2eb..5254a25ad2d9d 100755
--- a/tools/testing/kunit/kunit_tool_test.py
+++ b/tools/testing/kunit/kunit_tool_test.py
@@ -461,6 +461,32 @@ class LinuxSourceTreeTest(unittest.TestCase):
with open(kunit_kernel.get_outfile_path(build_dir), 'rt') as outfile:
self.assertEqual(outfile.read(), 'hi\nbye\n', msg='Missing some output')
+ def test_run_kernel_args_not_mutated(self):
+ """Verify run_kernel() copies args so callers can reuse them."""
+ start_calls = []
+
+ def fake_start(start_args, unused_build_dir):
+ start_calls.append(list(start_args))
+ return subprocess.Popen(['printf', 'KTAP version 1\n'],
+ text=True, stdout=subprocess.PIPE)
+
+ with tempfile.TemporaryDirectory('') as build_dir:
+ tree = kunit_kernel.LinuxSourceTree(build_dir,
+ kunitconfig_paths=[os.devnull])
+ with mock.patch.object(tree._ops, 'start', side_effect=fake_start), \
+ mock.patch.object(kunit_kernel.subprocess, 'call'):
+ kernel_args = ['mem=1G']
+ for _ in tree.run_kernel(args=kernel_args, build_dir=build_dir,
+ filter_glob='suite.test1'):
+ pass
+ for _ in tree.run_kernel(args=kernel_args, build_dir=build_dir,
+ filter_glob='suite.test2'):
+ pass
+ self.assertEqual(kernel_args, ['mem=1G'],
+ 'run_kernel() should not modify caller args')
+ self.assertIn('kunit.filter_glob=suite.test1', start_calls[0])
+ self.assertIn('kunit.filter_glob=suite.test2', start_calls[1])
+
def test_build_reconfig_no_config(self):
with tempfile.TemporaryDirectory('') as build_dir:
with open(kunit_kernel.get_kunitconfig_path(build_dir), 'w') as f:
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 084/481] wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 083/481] wifi: radiotap: reject radiotap with unknown bits Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 085/481] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Greg Kroah-Hartman
` (231 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vahagn Vardanian, Johannes Berg
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vahagn Vardanian <vahagn@redrays.io>
commit 017c1792525064a723971f0216e6ef86a8c7af11 upstream.
In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced
at lines 1638 and 1642 without a prior NULL check:
ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
...
pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);
The mesh_matches_local() check above only validates the Mesh ID,
Mesh Configuration, and Supported Rates IEs. It does not verify the
presence of the Mesh Channel Switch Parameters IE (element ID 118).
When a received CSA action frame omits that IE, ieee802_11_parse_elems()
leaves elems->mesh_chansw_params_ie as NULL, and the unconditional
dereference causes a kernel NULL pointer dereference.
A remote mesh peer with an established peer link (PLINK_ESTAB) can
trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame
that includes a matching Mesh ID and Mesh Configuration IE but omits the
Mesh Channel Switch Parameters IE. No authentication beyond the default
open mesh peering is required.
Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:
BUG: kernel NULL pointer dereference, address: 0000000000000000
Oops: Oops: 0000 [#1] SMP NOPTI
RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]
CR2: 0000000000000000
Fix by adding a NULL check for mesh_chansw_params_ie after
mesh_matches_local() returns, consistent with how other optional IEs
are guarded throughout the mesh code.
The bug has been present since v3.13 (released 2014-01-19).
Fixes: 8f2535b92d68 ("mac80211: process the CSA frame for mesh accordingly")
Cc: stable@vger.kernel.org
Signed-off-by: Vahagn Vardanian <vahagn@redrays.io>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/mesh.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -1474,6 +1474,9 @@ static void mesh_rx_csa_frame(struct iee
if (!mesh_matches_local(sdata, elems))
goto free;
+ if (!elems->mesh_chansw_params_ie)
+ goto free;
+
ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
if (!--ifmsh->chsw_ttl)
fwd_csa = false;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 071/460] sched: idle: Make skipping governor callbacks more consistent
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 070/460] perf ftrace: Fix hashmap__new() error checking Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 072/460] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set Greg Kroah-Hartman
` (231 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Christian Loehle,
Aboorva Devarajan, Frederic Weisbecker, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit d557640e4ce589a24dca5ca7ce3b9680f471325f ]
If the cpuidle governor .select() callback is skipped because there
is only one idle state in the cpuidle driver, the .reflect() callback
should be skipped as well, at least for consistency (if not for
correctness), so do it.
Fixes: e5c9ffc6ae1b ("cpuidle: Skip governor when only one idle state is available")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Christian Loehle <christian.loehle@arm.com>
Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Link: https://patch.msgid.link/12857700.O9o76ZdvQC@rafael.j.wysocki
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpuidle/cpuidle.c | 10 ----------
kernel/sched/idle.c | 11 ++++++++++-
2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c
index 2cb11e5a11251..0e1bbc966135d 100644
--- a/drivers/cpuidle/cpuidle.c
+++ b/drivers/cpuidle/cpuidle.c
@@ -353,16 +353,6 @@ noinstr int cpuidle_enter_state(struct cpuidle_device *dev,
int cpuidle_select(struct cpuidle_driver *drv, struct cpuidle_device *dev,
bool *stop_tick)
{
- /*
- * If there is only a single idle state (or none), there is nothing
- * meaningful for the governor to choose. Skip the governor and
- * always use state 0 with the tick running.
- */
- if (drv->state_count <= 1) {
- *stop_tick = false;
- return 0;
- }
-
return cpuidle_curr_governor->select(drv, dev, stop_tick);
}
diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c
index 624ef809f6715..b6a072a323a44 100644
--- a/kernel/sched/idle.c
+++ b/kernel/sched/idle.c
@@ -214,7 +214,7 @@ static void cpuidle_idle_call(void)
next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns);
call_cpuidle(drv, dev, next_state);
- } else {
+ } else if (drv->state_count > 1) {
bool stop_tick = true;
/*
@@ -232,6 +232,15 @@ static void cpuidle_idle_call(void)
* Give the governor an opportunity to reflect on the outcome
*/
cpuidle_reflect(dev, entered_state);
+ } else {
+ tick_nohz_idle_retain_tick();
+
+ /*
+ * If there is only a single idle state (or none), there is
+ * nothing meaningful for the governor to choose. Skip the
+ * governor and always use state 0.
+ */
+ call_cpuidle(drv, dev, 0);
}
exit_idle:
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 147/567] net: dsa: realtek: rtl8365mb: fix rtl8365mb_phy_ocp_write return value
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 146/567] kunit: tool: copy caller args in run_kernel to prevent mutation Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 148/567] bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded Greg Kroah-Hartman
` (230 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mieczyslaw Nalewaj, Andrew Lunn,
Luiz Angelo Daros de Luca, Linus Walleij, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mieczyslaw Nalewaj <namiltd@yahoo.com>
[ Upstream commit 7cbe98f7bef965241a5908d50d557008cf998aee ]
Function rtl8365mb_phy_ocp_write() always returns 0, even when an error
occurs during register access. This patch fixes the return value to
propagate the actual error code from regmap operations.
Link: https://lore.kernel.org/netdev/a2dfde3c-d46f-434b-9d16-1e251e449068@yahoo.com/
Fixes: 2796728460b8 ("net: dsa: realtek: rtl8365mb: serialize indirect PHY register access")
Signed-off-by: Mieczyslaw Nalewaj <namiltd@yahoo.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20260301-realtek_namiltd_fix1-v1-1-43a6bb707f9c@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/realtek/rtl8365mb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/dsa/realtek/rtl8365mb.c b/drivers/net/dsa/realtek/rtl8365mb.c
index 41ea3b5a42b14..318eced8f0d34 100644
--- a/drivers/net/dsa/realtek/rtl8365mb.c
+++ b/drivers/net/dsa/realtek/rtl8365mb.c
@@ -766,7 +766,7 @@ static int rtl8365mb_phy_ocp_write(struct realtek_priv *priv, int phy,
out:
mutex_unlock(&priv->map_lock);
- return 0;
+ return ret;
}
static int rtl8365mb_phy_read(struct realtek_priv *priv, int phy, int regnum)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 085/481] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 084/481] wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 086/481] RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() Greg Kroah-Hartman
` (230 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Leon Romanovsky
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
commit 117942ca43e2e3c3d121faae530989931b7f67e1 upstream.
Fix a user triggerable leak on the system call failure path.
Cc: stable@vger.kernel.org
Fixes: ec34a922d243 ("[PATCH] IB/mthca: Add SRQ implementation")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Link: https://patch.msgid.link/2-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/mthca/mthca_provider.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/infiniband/hw/mthca/mthca_provider.c
+++ b/drivers/infiniband/hw/mthca/mthca_provider.c
@@ -428,6 +428,8 @@ static int mthca_create_srq(struct ib_sr
if (context && ib_copy_to_udata(udata, &srq->srqn, sizeof(__u32))) {
mthca_free_srq(to_mdev(ibsrq->device), srq);
+ mthca_unmap_user_db(to_mdev(ibsrq->device), &context->uar,
+ context->db_tab, ucmd.db_index);
return -EFAULT;
}
@@ -436,6 +438,7 @@ static int mthca_create_srq(struct ib_sr
static int mthca_destroy_srq(struct ib_srq *srq, struct ib_udata *udata)
{
+ mthca_free_srq(to_mdev(srq->device), to_msrq(srq));
if (udata) {
struct mthca_ucontext *context =
rdma_udata_to_drv_context(
@@ -446,8 +449,6 @@ static int mthca_destroy_srq(struct ib_s
mthca_unmap_user_db(to_mdev(srq->device), &context->uar,
context->db_tab, to_msrq(srq)->db_index);
}
-
- mthca_free_srq(to_mdev(srq->device), to_msrq(srq));
return 0;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 072/460] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 071/460] sched: idle: Make skipping governor callbacks more consistent Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 073/460] nvme-pci: Fix race bug in nvme_poll_irqdisable() Greg Kroah-Hartman
` (230 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Shi, Weidong Zhu, Dave Tian,
Sungwoo Kim, Keith Busch, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sungwoo Kim <iam@sung-woo.kim>
[ Upstream commit b4e78f1427c7d6859229ae9616df54e1fc05a516 ]
dev->online_queues is a count incremented in nvme_init_queue. Thus,
valid indices are 0 through dev->online_queues − 1.
This patch fixes the loop condition to ensure the index stays within the
valid range. Index 0 is excluded because it is the admin queue.
KASAN splat:
==================================================================
BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]
BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404
Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74
CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: nvme-reset-wq nvme_reset_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xce/0x5d0 mm/kasan/report.c:482
kasan_report+0xdc/0x110 mm/kasan/report.c:595
__asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379
nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]
nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404
nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Allocated by task 34 on cpu 1 at 4.241550s:
kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57
kasan_save_track+0x1c/0x70 mm/kasan/common.c:78
kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__do_kmalloc_node mm/slub.c:5657 [inline]
__kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663
kmalloc_array_node_noprof include/linux/slab.h:1075 [inline]
nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline]
nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534
local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324
pci_call_probe drivers/pci/pci-driver.c:392 [inline]
__pci_device_probe drivers/pci/pci-driver.c:417 [inline]
pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451
call_driver_probe drivers/base/dd.c:583 [inline]
really_probe+0x29b/0xb70 drivers/base/dd.c:661
__driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803
driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833
__driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159
async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
The buggy address belongs to the object at ffff88800592a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 244 bytes to the right of
allocated 1152-byte region [ffff88800592a000, ffff88800592a480)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff)
page_type: f5(slab)
raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001
head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 000fffffc0000003 ffffea0000164a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88800592a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88800592a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88800592a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88800592a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88800592a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Fixes: 0f0d2c876c96 (nvme: free sq/cq dbbuf pointers when dbbuf set fails)
Acked-by: Chao Shi <cshi008@fiu.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Acked-by: Dave Tian <daveti@purdue.edu>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index b31a2dad361d6..c7d1e9c2b1571 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -343,7 +343,7 @@ static void nvme_dbbuf_set(struct nvme_dev *dev)
/* Free memory and continue on */
nvme_dbbuf_dma_free(dev);
- for (i = 1; i <= dev->online_queues; i++)
+ for (i = 1; i < dev->online_queues; i++)
nvme_dbbuf_free(&dev->queues[i]);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 148/567] bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 147/567] net: dsa: realtek: rtl8365mb: fix rtl8365mb_phy_ocp_write return value Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 149/567] octeon_ep: Relocate counter updates before NAPI Greg Kroah-Hartman
` (229 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+5a287bcdc08104bc3132,
Jiayuan Chen, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@shopee.com>
[ Upstream commit 479d589b40b836442bbdadc3fdb37f001bb67f26 ]
bond_option_mode_set() already rejects mode changes that would make a
loaded XDP program incompatible via bond_xdp_check(). However,
bond_option_xmit_hash_policy_set() has no such guard.
For 802.3ad and balance-xor modes, bond_xdp_check() returns false when
xmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually
absent due to hardware offload. This means a user can:
1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode
with a compatible xmit_hash_policy (e.g. layer2+3).
2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded.
This leaves bond->xdp_prog set but bond_xdp_check() now returning false
for the same device. When the bond is later destroyed, dev_xdp_uninstall()
calls bond_xdp_set(dev, NULL, NULL) to remove the program, which hits
the bond_xdp_check() guard and returns -EOPNOTSUPP, triggering:
WARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))
Fix this by rejecting xmit_hash_policy changes to vlan+srcmac when an
XDP program is loaded on a bond in 802.3ad or balance-xor mode.
commit 39a0876d595b ("net, bonding: Disallow vlan+srcmac with XDP")
introduced bond_xdp_check() which returns false for 802.3ad/balance-xor
modes when xmit_hash_policy is vlan+srcmac. The check was wired into
bond_xdp_set() to reject XDP attachment with an incompatible policy, but
the symmetric path -- preventing xmit_hash_policy from being changed to an
incompatible value after XDP is already loaded -- was left unguarded in
bond_option_xmit_hash_policy_set().
Note:
commit 094ee6017ea0 ("bonding: check xdp prog when set bond mode")
later added a similar guard to bond_option_mode_set(), but
bond_option_xmit_hash_policy_set() remained unprotected.
Reported-by: syzbot+5a287bcdc08104bc3132@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6995aff6.050a0220.2eeac1.014e.GAE@google.com/T/
Fixes: 39a0876d595b ("net, bonding: Disallow vlan+srcmac with XDP")
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Link: https://patch.msgid.link/20260226080306.98766-2-jiayuan.chen@linux.dev
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 9 +++++++--
drivers/net/bonding/bond_options.c | 2 ++
include/net/bonding.h | 1 +
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 836d7fcac71a1..a2bf7bb12ff7c 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -322,7 +322,7 @@ static bool bond_sk_check(struct bonding *bond)
}
}
-bool bond_xdp_check(struct bonding *bond, int mode)
+bool __bond_xdp_check(int mode, int xmit_policy)
{
switch (mode) {
case BOND_MODE_ROUNDROBIN:
@@ -333,7 +333,7 @@ bool bond_xdp_check(struct bonding *bond, int mode)
/* vlan+srcmac is not supported with XDP as in most cases the 802.1q
* payload is not in the packet due to hardware offload.
*/
- if (bond->params.xmit_policy != BOND_XMIT_POLICY_VLAN_SRCMAC)
+ if (xmit_policy != BOND_XMIT_POLICY_VLAN_SRCMAC)
return true;
fallthrough;
default:
@@ -341,6 +341,11 @@ bool bond_xdp_check(struct bonding *bond, int mode)
}
}
+bool bond_xdp_check(struct bonding *bond, int mode)
+{
+ return __bond_xdp_check(mode, bond->params.xmit_policy);
+}
+
/*---------------------------------- VLAN -----------------------------------*/
/* In the following 2 functions, bond_vlan_rx_add_vid and bond_vlan_rx_kill_vid,
diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
index 5a2a935945c4c..b823425ad7f69 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -1546,6 +1546,8 @@ static int bond_option_fail_over_mac_set(struct bonding *bond,
static int bond_option_xmit_hash_policy_set(struct bonding *bond,
const struct bond_opt_value *newval)
{
+ if (bond->xdp_prog && !__bond_xdp_check(BOND_MODE(bond), newval->value))
+ return -EOPNOTSUPP;
netdev_dbg(bond->dev, "Setting xmit hash policy to %s (%llu)\n",
newval->string, newval->value);
bond->params.xmit_policy = newval->value;
diff --git a/include/net/bonding.h b/include/net/bonding.h
index 9fb40a5920209..66940d41d4854 100644
--- a/include/net/bonding.h
+++ b/include/net/bonding.h
@@ -696,6 +696,7 @@ void bond_debug_register(struct bonding *bond);
void bond_debug_unregister(struct bonding *bond);
void bond_debug_reregister(struct bonding *bond);
const char *bond_mode_name(int mode);
+bool __bond_xdp_check(int mode, int xmit_policy);
bool bond_xdp_check(struct bonding *bond, int mode);
void bond_setup(struct net_device *bond_dev);
unsigned int bond_get_num_tx_queues(void);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 086/481] RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 085/481] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 087/481] net/sched: ets: fix divide by zero in the offload path Greg Kroah-Hartman
` (229 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Leon Romanovsky
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
commit 74586c6da9ea222a61c98394f2fc0a604748438c upstream.
struct irdma_create_ah_resp { // 8 bytes, no padding
__u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx)
__u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK
};
rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().
The reserved members of the structure were not zeroed.
Cc: stable@vger.kernel.org
Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Link: https://patch.msgid.link/3-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/irdma/verbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -4338,7 +4338,7 @@ static int irdma_create_user_ah(struct i
#define IRDMA_CREATE_AH_MIN_RESP_LEN offsetofend(struct irdma_create_ah_resp, rsvd)
struct irdma_ah *ah = container_of(ibah, struct irdma_ah, ibah);
struct irdma_device *iwdev = to_iwdev(ibah->pd->device);
- struct irdma_create_ah_resp uresp;
+ struct irdma_create_ah_resp uresp = {};
struct irdma_ah *parent_ah;
int err;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 073/460] nvme-pci: Fix race bug in nvme_poll_irqdisable()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 072/460] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 074/460] i40e: fix src IP mask checks and memcpy argument names in cloud filter Greg Kroah-Hartman
` (229 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Shi, Weidong Zhu, Dave Tian,
Christoph Hellwig, Sungwoo Kim, Keith Busch, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sungwoo Kim <iam@sung-woo.kim>
[ Upstream commit fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e ]
In the following scenario, pdev can be disabled between (1) and (3) by
(2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will
return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2).
This causes IRQ warning because it tries to enable INTx IRQ that has
never been disabled before.
To fix this, save IRQ number into a local variable and ensure
disable_irq() and enable_irq() operate on the same IRQ number. Even if
pci_free_irq_vectors() frees the IRQ concurrently, disable_irq() and
enable_irq() on a stale IRQ number is still valid and safe, and the
depth accounting reamins balanced.
task 1:
nvme_poll_irqdisable()
disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1)
enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(3)
task 2:
nvme_reset_work()
nvme_dev_disable()
pdev->msix_enable = 0; ...(2)
crash log:
------------[ cut here ]------------
Unbalanced enable for IRQ 10
WARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26
Modules linked in:
CPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_timeout_work
RIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753
Code: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c <67> 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9
RSP: 0018:ffffc900001bf550 EFLAGS: 00010046
RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90
RDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0
RBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 0000000000000001
R10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000
R13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293
FS: 0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0
Call Trace:
<TASK>
enable_irq+0x121/0x1e0 kernel/irq/manage.c:797
nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494
nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744
blk_mq_rq_timed_out block/blk-mq.c:1653 [inline]
blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721
bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292
__sbitmap_for_each_set include/linux/sbitmap.h:269 [inline]
sbitmap_for_each_set include/linux/sbitmap.h:290 [inline]
bt_for_each block/blk-mq-tag.c:324 [inline]
blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536
blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
irq event stamp: 74478
hardirqs last enabled at (74477): [<ffffffffb5720a9c>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
hardirqs last enabled at (74477): [<ffffffffb5720a9c>] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202
hardirqs last disabled at (74478): [<ffffffffb57207b5>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (74478): [<ffffffffb57207b5>] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162
softirqs last enabled at (74304): [<ffffffffb1e9466c>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (74304): [<ffffffffb1e9466c>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (74304): [<ffffffffb1e9466c>] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723
softirqs last disabled at (74287): [<ffffffffb1e9466c>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (74287): [<ffffffffb1e9466c>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (74287): [<ffffffffb1e9466c>] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723
---[ end trace 0000000000000000 ]---
Fixes: fa059b856a59 (nvme-pci: Simplify nvme_poll_irqdisable)
Acked-by: Chao Shi <cshi008@fiu.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Acked-by: Dave Tian <daveti@purdue.edu>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index c7d1e9c2b1571..6bd02c9116501 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1201,14 +1201,16 @@ static irqreturn_t nvme_irq_check(int irq, void *data)
static void nvme_poll_irqdisable(struct nvme_queue *nvmeq)
{
struct pci_dev *pdev = to_pci_dev(nvmeq->dev->dev);
+ int irq;
WARN_ON_ONCE(test_bit(NVMEQ_POLLED, &nvmeq->flags));
- disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));
+ irq = pci_irq_vector(pdev, nvmeq->cq_vector);
+ disable_irq(irq);
spin_lock(&nvmeq->cq_poll_lock);
nvme_poll_cq(nvmeq, NULL);
spin_unlock(&nvmeq->cq_poll_lock);
- enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));
+ enable_irq(irq);
}
static int nvme_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 149/567] octeon_ep: Relocate counter updates before NAPI
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 148/567] bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 150/567] octeon_ep: avoid compiler and IQ/OQ reordering Greg Kroah-Hartman
` (228 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sathesh Edara, Shinas Rasheed,
Vimlesh Kumar, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vimlesh Kumar <vimleshk@marvell.com>
[ Upstream commit 18c04a808c436d629d5812ce883e3822a5f5a47f ]
Relocate IQ/OQ IN/OUT_CNTS updates to occur before NAPI completion,
and replace napi_complete with napi_complete_done.
Moving the IQ/OQ counter updates before napi_complete_done ensures
1. Counter registers are updated before re-enabling interrupts.
2. Prevents a race where new packets arrive but counters aren't properly
synchronized.
napi_complete_done (vs napi_complete) allows for better
interrupt coalescing.
Fixes: 37d79d0596062 ("octeon_ep: add Tx/Rx processing and interrupt support")
Signed-off-by: Sathesh Edara <sedara@marvell.com>
Signed-off-by: Shinas Rasheed <srasheed@marvell.com>
Signed-off-by: Vimlesh Kumar <vimleshk@marvell.com>
Link: https://patch.msgid.link/20260227091402.1773833-2-vimleshk@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/marvell/octeon_ep/octep_main.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
index db24c290a9079..111caa5ce12fa 100644
--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
@@ -534,12 +534,12 @@ static void octep_clean_irqs(struct octep_device *oct)
}
/**
- * octep_enable_ioq_irq() - Enable MSI-x interrupt of a Tx/Rx queue.
+ * octep_update_pkt() - Update IQ/OQ IN/OUT_CNT registers.
*
* @iq: Octeon Tx queue data structure.
* @oq: Octeon Rx queue data structure.
*/
-static void octep_enable_ioq_irq(struct octep_iq *iq, struct octep_oq *oq)
+static void octep_update_pkt(struct octep_iq *iq, struct octep_oq *oq)
{
u32 pkts_pend = oq->pkts_pending;
@@ -555,7 +555,17 @@ static void octep_enable_ioq_irq(struct octep_iq *iq, struct octep_oq *oq)
}
/* Flush the previous wrties before writing to RESEND bit */
- wmb();
+ smp_wmb();
+}
+
+/**
+ * octep_enable_ioq_irq() - Enable MSI-x interrupt of a Tx/Rx queue.
+ *
+ * @iq: Octeon Tx queue data structure.
+ * @oq: Octeon Rx queue data structure.
+ */
+static void octep_enable_ioq_irq(struct octep_iq *iq, struct octep_oq *oq)
+{
writeq(1UL << OCTEP_OQ_INTR_RESEND_BIT, oq->pkts_sent_reg);
writeq(1UL << OCTEP_IQ_INTR_RESEND_BIT, iq->inst_cnt_reg);
}
@@ -581,7 +591,8 @@ static int octep_napi_poll(struct napi_struct *napi, int budget)
if (tx_pending || rx_done >= budget)
return budget;
- napi_complete(napi);
+ octep_update_pkt(ioq_vector->iq, ioq_vector->oq);
+ napi_complete_done(napi, rx_done);
octep_enable_ioq_irq(ioq_vector->iq, ioq_vector->oq);
return rx_done;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 087/481] net/sched: ets: fix divide by zero in the offload path
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 086/481] RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 088/481] scsi: target: Fix recursive locking in __configfs_open_file() Greg Kroah-Hartman
` (228 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Davide Caratti, Jamal Hadi Salim,
Petr Machata, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Davide Caratti <dcaratti@redhat.com>
commit e35626f610f3d2b7953ccddf6a77453da22b3a9e upstream.
Offloading ETS requires computing each class' WRR weight: this is done by
averaging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned
int, the same integer size as the individual DRR quanta, can overflow and
even cause division by zero, like it happened in the following splat:
Oops: divide error: 0000 [#1] SMP PTI
CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full)
Tainted: [E]=UNSIGNED_MODULE
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]
Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44
RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246
RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660
RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe
R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000
FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0
Call Trace:
<TASK>
ets_qdisc_change+0x870/0xf40 [sch_ets]
qdisc_create+0x12b/0x540
tc_modify_qdisc+0x6d7/0xbd0
rtnetlink_rcv_msg+0x168/0x6b0
netlink_rcv_skb+0x5c/0x110
netlink_unicast+0x1d6/0x2b0
netlink_sendmsg+0x22e/0x470
____sys_sendmsg+0x38a/0x3c0
___sys_sendmsg+0x99/0xe0
__sys_sendmsg+0x8a/0xf0
do_syscall_64+0x111/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f440b81c77e
Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e
RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003
RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8
R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980
</TASK>
Modules linked in: sch_ets(E) netdevsim(E)
---[ end trace 0000000000000000 ]---
RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]
Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44
RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246
RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660
RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe
R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000
FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception ]---
Fix this using 64-bit integers for 'q_sum' and 'q_psum'.
Cc: stable@vger.kernel.org
Fixes: d35eb52bd2ac ("net: sch_ets: Make the ETS qdisc offloadable")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/28504887df314588c7255e9911769c36f751edee.1771964872.git.dcaratti@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_ets.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -115,12 +115,12 @@ static void ets_offload_change(struct Qd
struct ets_sched *q = qdisc_priv(sch);
struct tc_ets_qopt_offload qopt;
unsigned int w_psum_prev = 0;
- unsigned int q_psum = 0;
- unsigned int q_sum = 0;
unsigned int quantum;
unsigned int w_psum;
unsigned int weight;
unsigned int i;
+ u64 q_psum = 0;
+ u64 q_sum = 0;
if (!tc_can_offload(dev) || !dev->netdev_ops->ndo_setup_tc)
return;
@@ -138,8 +138,12 @@ static void ets_offload_change(struct Qd
for (i = 0; i < q->nbands; i++) {
quantum = q->classes[i].quantum;
- q_psum += quantum;
- w_psum = quantum ? q_psum * 100 / q_sum : 0;
+ if (quantum) {
+ q_psum += quantum;
+ w_psum = div64_u64(q_psum * 100, q_sum);
+ } else {
+ w_psum = 0;
+ }
weight = w_psum - w_psum_prev;
w_psum_prev = w_psum;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 074/460] i40e: fix src IP mask checks and memcpy argument names in cloud filter
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 073/460] nvme-pci: Fix race bug in nvme_poll_irqdisable() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 075/460] e1000/e1000e: Fix leak in DMA error cleanup Greg Kroah-Hartman
` (228 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Aleksandr Loktionov,
Paul Menzel, Tony Nguyen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit e809085f492842ce7a519c9ef72d40f4bca89c13 ]
Fix following issues in the IPv4 and IPv6 cloud filter handling logic in
both the add and delete paths:
- The source-IP mask check incorrectly compares mask.src_ip[0] against
tcf.dst_ip[0]. Update it to compare against tcf.src_ip[0]. This likely
goes unnoticed because the check is in an "else if" path that only
executes when dst_ip is not set, most cloud filter use cases focus on
destination-IP matching, and the buggy condition can accidentally
evaluate true in some cases.
- memcpy() for the IPv4 source address incorrectly uses
ARRAY_SIZE(tcf.dst_ip) instead of ARRAY_SIZE(tcf.src_ip), although
both arrays are the same size.
- The IPv4 memcpy operations used ARRAY_SIZE(tcf.dst_ip) and ARRAY_SIZE
(tcf.src_ip), Update these to use sizeof(cfilter->ip.v4.dst_ip) and
sizeof(cfilter->ip.v4.src_ip) to ensure correct and explicit copy size.
- In the IPv6 delete path, memcmp() uses sizeof(src_ip6) when comparing
dst_ip6 fields. Replace this with sizeof(dst_ip6) to make the intent
explicit, even though both fields are struct in6_addr.
Fixes: e284fc280473 ("i40e: Add and delete cloud filter")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index 3251ffa7d994b..9cf5b6349b0d7 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -3821,10 +3821,10 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg)
cfilter.n_proto = ETH_P_IP;
if (mask.dst_ip[0] & tcf.dst_ip[0])
memcpy(&cfilter.ip.v4.dst_ip, tcf.dst_ip,
- ARRAY_SIZE(tcf.dst_ip));
- else if (mask.src_ip[0] & tcf.dst_ip[0])
+ sizeof(cfilter.ip.v4.dst_ip));
+ else if (mask.src_ip[0] & tcf.src_ip[0])
memcpy(&cfilter.ip.v4.src_ip, tcf.src_ip,
- ARRAY_SIZE(tcf.dst_ip));
+ sizeof(cfilter.ip.v4.src_ip));
break;
case VIRTCHNL_TCP_V6_FLOW:
cfilter.n_proto = ETH_P_IPV6;
@@ -3879,7 +3879,7 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg)
/* for ipv6, mask is set for all sixteen bytes (4 words) */
if (cfilter.n_proto == ETH_P_IPV6 && mask.dst_ip[3])
if (memcmp(&cfilter.ip.v6.dst_ip6, &cf->ip.v6.dst_ip6,
- sizeof(cfilter.ip.v6.src_ip6)))
+ sizeof(cfilter.ip.v6.dst_ip6)))
continue;
if (mask.vlan_id)
if (cfilter.vlan_id != cf->vlan_id)
@@ -3967,10 +3967,10 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg)
cfilter->n_proto = ETH_P_IP;
if (mask.dst_ip[0] & tcf.dst_ip[0])
memcpy(&cfilter->ip.v4.dst_ip, tcf.dst_ip,
- ARRAY_SIZE(tcf.dst_ip));
- else if (mask.src_ip[0] & tcf.dst_ip[0])
+ sizeof(cfilter->ip.v4.dst_ip));
+ else if (mask.src_ip[0] & tcf.src_ip[0])
memcpy(&cfilter->ip.v4.src_ip, tcf.src_ip,
- ARRAY_SIZE(tcf.dst_ip));
+ sizeof(cfilter->ip.v4.src_ip));
break;
case VIRTCHNL_TCP_V6_FLOW:
cfilter->n_proto = ETH_P_IPV6;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 150/567] octeon_ep: avoid compiler and IQ/OQ reordering
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 149/567] octeon_ep: Relocate counter updates before NAPI Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 151/567] wifi: cw1200: Fix locking in error paths Greg Kroah-Hartman
` (227 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sathesh Edara, Shinas Rasheed,
Vimlesh Kumar, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vimlesh Kumar <vimleshk@marvell.com>
[ Upstream commit 43b3160cb639079a15daeb5f080120afbfbfc918 ]
Utilize READ_ONCE and WRITE_ONCE APIs for IO queue Tx/Rx
variable access to prevent compiler optimization and reordering.
Additionally, ensure IO queue OUT/IN_CNT registers are flushed
by performing a read-back after writing.
The compiler could reorder reads/writes to pkts_pending, last_pkt_count,
etc., causing stale values to be used when calculating packets to process
or register updates to send to hardware. The Octeon hardware requires a
read-back after writing to OUT_CNT/IN_CNT registers to ensure the write
has been flushed through any posted write buffers before the interrupt
resend bit is set. Without this, we have observed cases where the hardware
didn't properly update its internal state.
wmb/rmb only provides ordering guarantees but doesn't prevent the compiler
from performing optimizations like caching in registers, load tearing etc.
Fixes: 37d79d0596062 ("octeon_ep: add Tx/Rx processing and interrupt support")
Signed-off-by: Sathesh Edara <sedara@marvell.com>
Signed-off-by: Shinas Rasheed <srasheed@marvell.com>
Signed-off-by: Vimlesh Kumar <vimleshk@marvell.com>
Link: https://patch.msgid.link/20260227091402.1773833-3-vimleshk@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/marvell/octeon_ep/octep_main.c | 21 +++++++++------
.../net/ethernet/marvell/octeon_ep/octep_rx.c | 27 +++++++++++++------
2 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
index 111caa5ce12fa..e4a78d5e73495 100644
--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
@@ -541,17 +541,22 @@ static void octep_clean_irqs(struct octep_device *oct)
*/
static void octep_update_pkt(struct octep_iq *iq, struct octep_oq *oq)
{
- u32 pkts_pend = oq->pkts_pending;
+ u32 pkts_pend = READ_ONCE(oq->pkts_pending);
+ u32 last_pkt_count = READ_ONCE(oq->last_pkt_count);
+ u32 pkts_processed = READ_ONCE(iq->pkts_processed);
+ u32 pkt_in_done = READ_ONCE(iq->pkt_in_done);
netdev_dbg(iq->netdev, "enabling intr for Q-%u\n", iq->q_no);
- if (iq->pkts_processed) {
- writel(iq->pkts_processed, iq->inst_cnt_reg);
- iq->pkt_in_done -= iq->pkts_processed;
- iq->pkts_processed = 0;
+ if (pkts_processed) {
+ writel(pkts_processed, iq->inst_cnt_reg);
+ readl(iq->inst_cnt_reg);
+ WRITE_ONCE(iq->pkt_in_done, (pkt_in_done - pkts_processed));
+ WRITE_ONCE(iq->pkts_processed, 0);
}
- if (oq->last_pkt_count - pkts_pend) {
- writel(oq->last_pkt_count - pkts_pend, oq->pkts_sent_reg);
- oq->last_pkt_count = pkts_pend;
+ if (last_pkt_count - pkts_pend) {
+ writel(last_pkt_count - pkts_pend, oq->pkts_sent_reg);
+ readl(oq->pkts_sent_reg);
+ WRITE_ONCE(oq->last_pkt_count, pkts_pend);
}
/* Flush the previous wrties before writing to RESEND bit */
diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c b/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c
index 60afb6bf2f679..e0c1e13e48c02 100644
--- a/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c
+++ b/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c
@@ -323,10 +323,16 @@ static int octep_oq_check_hw_for_pkts(struct octep_device *oct,
struct octep_oq *oq)
{
u32 pkt_count, new_pkts;
+ u32 last_pkt_count, pkts_pending;
pkt_count = readl(oq->pkts_sent_reg);
- new_pkts = pkt_count - oq->last_pkt_count;
+ last_pkt_count = READ_ONCE(oq->last_pkt_count);
+ new_pkts = pkt_count - last_pkt_count;
+ if (pkt_count < last_pkt_count) {
+ dev_err(oq->dev, "OQ-%u pkt_count(%u) < oq->last_pkt_count(%u)\n",
+ oq->q_no, pkt_count, last_pkt_count);
+ }
/* Clear the hardware packets counter register if the rx queue is
* being processed continuously with-in a single interrupt and
* reached half its max value.
@@ -337,8 +343,9 @@ static int octep_oq_check_hw_for_pkts(struct octep_device *oct,
pkt_count = readl(oq->pkts_sent_reg);
new_pkts += pkt_count;
}
- oq->last_pkt_count = pkt_count;
- oq->pkts_pending += new_pkts;
+ WRITE_ONCE(oq->last_pkt_count, pkt_count);
+ pkts_pending = READ_ONCE(oq->pkts_pending);
+ WRITE_ONCE(oq->pkts_pending, (pkts_pending + new_pkts));
return new_pkts;
}
@@ -411,7 +418,7 @@ static int __octep_oq_process_rx(struct octep_device *oct,
u16 data_offset;
u32 read_idx;
- read_idx = oq->host_read_idx;
+ read_idx = READ_ONCE(oq->host_read_idx);
rx_bytes = 0;
desc_used = 0;
for (pkt = 0; pkt < pkts_to_process; pkt++) {
@@ -494,7 +501,7 @@ static int __octep_oq_process_rx(struct octep_device *oct,
napi_gro_receive(oq->napi, skb);
}
- oq->host_read_idx = read_idx;
+ WRITE_ONCE(oq->host_read_idx, read_idx);
oq->refill_count += desc_used;
oq->stats.packets += pkt;
oq->stats.bytes += rx_bytes;
@@ -517,22 +524,26 @@ int octep_oq_process_rx(struct octep_oq *oq, int budget)
{
u32 pkts_available, pkts_processed, total_pkts_processed;
struct octep_device *oct = oq->octep_dev;
+ u32 pkts_pending;
pkts_available = 0;
pkts_processed = 0;
total_pkts_processed = 0;
while (total_pkts_processed < budget) {
/* update pending count only when current one exhausted */
- if (oq->pkts_pending == 0)
+ pkts_pending = READ_ONCE(oq->pkts_pending);
+ if (pkts_pending == 0)
octep_oq_check_hw_for_pkts(oct, oq);
+ pkts_pending = READ_ONCE(oq->pkts_pending);
pkts_available = min(budget - total_pkts_processed,
- oq->pkts_pending);
+ pkts_pending);
if (!pkts_available)
break;
pkts_processed = __octep_oq_process_rx(oct, oq,
pkts_available);
- oq->pkts_pending -= pkts_processed;
+ pkts_pending = READ_ONCE(oq->pkts_pending);
+ WRITE_ONCE(oq->pkts_pending, (pkts_pending - pkts_processed));
total_pkts_processed += pkts_processed;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 088/481] scsi: target: Fix recursive locking in __configfs_open_file()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 087/481] net/sched: ets: fix divide by zero in the offload path Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 089/481] Squashfs: check metadata block offset is within range Greg Kroah-Hartman
` (227 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+f6e8174215573a84b797,
Prithvi Tambewagh, Dmitry Bogdanov, Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prithvi Tambewagh <activprithvi@gmail.com>
commit 14d4ac19d1895397532eec407433c5d74d9da53b upstream.
In flush_write_buffer, &p->frag_sem is acquired and then the loaded store
function is called, which, here, is target_core_item_dbroot_store(). This
function called filp_open(), following which these functions were called
(in reverse order), according to the call trace:
down_read
__configfs_open_file
do_dentry_open
vfs_open
do_open
path_openat
do_filp_open
file_open_name
filp_open
target_core_item_dbroot_store
flush_write_buffer
configfs_write_iter
target_core_item_dbroot_store() tries to validate the new file path by
trying to open the file path provided to it; however, in this case, the bug
report shows:
db_root: not a directory: /sys/kernel/config/target/dbroot
indicating that the same configfs file was tried to be opened, on which it
is currently working on. Thus, it is trying to acquire frag_sem semaphore
of the same file of which it already holds the semaphore obtained in
flush_write_buffer(), leading to acquiring the semaphore in a nested manner
and a possibility of recursive locking.
Fix this by modifying target_core_item_dbroot_store() to use kern_path()
instead of filp_open() to avoid opening the file using filesystem-specific
function __configfs_open_file(), and further modifying it to make this fix
compatible.
Reported-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f6e8174215573a84b797
Tested-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Prithvi Tambewagh <activprithvi@gmail.com>
Reviewed-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Link: https://patch.msgid.link/20260216062002.61937-1-activprithvi@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/target_core_configfs.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -107,8 +107,8 @@ static ssize_t target_core_item_dbroot_s
const char *page, size_t count)
{
ssize_t read_bytes;
- struct file *fp;
ssize_t r = -EINVAL;
+ struct path path = {};
mutex_lock(&target_devices_lock);
if (target_devices) {
@@ -130,17 +130,14 @@ static ssize_t target_core_item_dbroot_s
db_root_stage[read_bytes - 1] = '\0';
/* validate new db root before accepting it */
- fp = filp_open(db_root_stage, O_RDONLY, 0);
- if (IS_ERR(fp)) {
+ r = kern_path(db_root_stage, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path);
+ if (r) {
pr_err("db_root: cannot open: %s\n", db_root_stage);
+ if (r == -ENOTDIR)
+ pr_err("db_root: not a directory: %s\n", db_root_stage);
goto unlock;
}
- if (!S_ISDIR(file_inode(fp)->i_mode)) {
- filp_close(fp, NULL);
- pr_err("db_root: not a directory: %s\n", db_root_stage);
- goto unlock;
- }
- filp_close(fp, NULL);
+ path_put(&path);
strncpy(db_root, db_root_stage, read_bytes);
pr_debug("Target_Core_ConfigFS: db_root set to %s\n", db_root);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 075/460] e1000/e1000e: Fix leak in DMA error cleanup
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 074/460] i40e: fix src IP mask checks and memcpy argument names in cloud filter Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 076/460] net: bcmgenet: fix broken EEE by converting to phylib-managed state Greg Kroah-Hartman
` (227 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matt Vollrath, Tony Nguyen,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Vollrath <tactii@gmail.com>
[ Upstream commit e94eaef11142b01f77bf8ba4d0b59720b7858109 ]
If an error is encountered while mapping TX buffers, the driver should
unmap any buffers already mapped for that skb.
Because count is incremented after a successful mapping, it will always
match the correct number of unmappings needed when dma_error is reached.
Decrementing count before the while loop in dma_error causes an
off-by-one error. If any mapping was successful before an unsuccessful
mapping, exactly one DMA mapping would leak.
In these commits, a faulty while condition caused an infinite loop in
dma_error:
Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e
driver")
Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver")
Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of
unsigned in *_tx_map()") fixed the infinite loop, but introduced the
off-by-one error.
This issue may still exist in the igbvf driver, but I did not address it
in this patch.
Fixes: c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()")
Assisted-by: Claude:claude-4.6-opus
Signed-off-by: Matt Vollrath <tactii@gmail.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/e1000/e1000_main.c | 2 --
drivers/net/ethernet/intel/e1000e/netdev.c | 2 --
2 files changed, 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
index 67d7651b6411d..8072aa8f05e38 100644
--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
@@ -2948,8 +2948,6 @@ static int e1000_tx_map(struct e1000_adapter *adapter,
dma_error:
dev_err(&pdev->dev, "TX DMA map failed\n");
buffer_info->dma = 0;
- if (count)
- count--;
while (count--) {
if (i == 0)
diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
index 5fe54e9b71e25..4d9dcb0001d21 100644
--- a/drivers/net/ethernet/intel/e1000e/netdev.c
+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
@@ -5633,8 +5633,6 @@ static int e1000_tx_map(struct e1000_ring *tx_ring, struct sk_buff *skb,
dma_error:
dev_err(&pdev->dev, "Tx DMA map failed\n");
buffer_info->dma = 0;
- if (count)
- count--;
while (count--) {
if (i == 0)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 151/567] wifi: cw1200: Fix locking in error paths
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 150/567] octeon_ep: avoid compiler and IQ/OQ reordering Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 152/567] wifi: wlcore: Fix a locking bug Greg Kroah-Hartman
` (226 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bart Van Assche, Johannes Berg,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit d98c24617a831e92e7224a07dcaed2dd0b02af96 ]
cw1200_wow_suspend() must only return with priv->conf_mutex locked if it
returns zero. This mutex must be unlocked if an error is returned. Add
mutex_unlock() calls to the error paths from which that call is missing.
This has been detected by the Clang thread-safety analyzer.
Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260223220102.2158611-25-bart.vanassche@linux.dev
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/st/cw1200/pm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/st/cw1200/pm.c b/drivers/net/wireless/st/cw1200/pm.c
index a20ab577a3644..212b6f2af8de4 100644
--- a/drivers/net/wireless/st/cw1200/pm.c
+++ b/drivers/net/wireless/st/cw1200/pm.c
@@ -264,12 +264,14 @@ int cw1200_wow_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
wiphy_err(priv->hw->wiphy,
"PM request failed: %d. WoW is disabled.\n", ret);
cw1200_wow_resume(hw);
+ mutex_unlock(&priv->conf_mutex);
return -EBUSY;
}
/* Force resume if event is coming from the device. */
if (atomic_read(&priv->bh_rx)) {
cw1200_wow_resume(hw);
+ mutex_unlock(&priv->conf_mutex);
return -EAGAIN;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 089/481] Squashfs: check metadata block offset is within range
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 088/481] scsi: target: Fix recursive locking in __configfs_open_file() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 090/481] drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() Greg Kroah-Hartman
` (226 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+a9747fe1c35a5b115d3f,
Phillip Lougher, Christian Brauner, Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phillip Lougher <phillip@squashfs.org.uk>
commit fdb24a820a5832ec4532273282cbd4f22c291a0d upstream.
Syzkaller reports a "general protection fault in squashfs_copy_data"
This is ultimately caused by a corrupted index look-up table, which
produces a negative metadata block offset.
This is subsequently passed to squashfs_copy_data (via
squashfs_read_metadata) where the negative offset causes an out of bounds
access.
The fix is to check that the offset is within range in
squashfs_read_metadata. This will trap this and other cases.
Link: https://lkml.kernel.org/r/20260217050955.138351-1-phillip@squashfs.org.uk
Fixes: f400e12656ab ("Squashfs: cache operations")
Reported-by: syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/699234e2.a70a0220.2c38d7.00e2.GAE@google.com/
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/squashfs/cache.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/squashfs/cache.c
+++ b/fs/squashfs/cache.c
@@ -340,6 +340,9 @@ int squashfs_read_metadata(struct super_
if (unlikely(length < 0))
return -EIO;
+ if (unlikely(*offset < 0 || *offset >= SQUASHFS_METADATA_SIZE))
+ return -EIO;
+
while (length) {
entry = squashfs_cache_get(sb, msblk->block_cache, *block, 0);
if (entry->error) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 076/460] net: bcmgenet: fix broken EEE by converting to phylib-managed state
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 075/460] e1000/e1000e: Fix leak in DMA error cleanup Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 077/460] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address() Greg Kroah-Hartman
` (226 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Nicolai Buchwitz,
Florian Fainelli, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolai Buchwitz <nb@tipi-net.de>
[ Upstream commit 908c344d5cfac4160f49715da9efacdf5b6a28bd ]
The bcmgenet EEE implementation is broken in several ways.
phy_support_eee() is never called, so the PHY never advertises EEE
and phylib never sets phydev->enable_tx_lpi. bcmgenet_mac_config()
checks priv->eee.eee_enabled to decide whether to enable the MAC
LPI logic, but that field is never initialised to true, so the MAC
never enters Low Power Idle even when EEE is negotiated - wasting
the power savings EEE is designed to provide. The only way to get
EEE working at all is a manual 'ethtool --set-eee eth0 eee on' after
every link-up, and even then bcmgenet_get_eee() immediately clobbers
the reported state because phy_ethtool_get_eee() overwrites
eee_enabled and tx_lpi_enabled with the uninitialised PHY eee_cfg
values. Finally, bcmgenet_mac_config() is only called on link-up,
so EEE is never disabled in hardware on link-down.
Fix all of this by removing the MAC-side EEE state tracking
(priv->eee) and aligning with the pattern used by other non-phylink
MAC drivers such as FEC.
Call phy_support_eee() in bcmgenet_mii_probe() so the PHY advertises
EEE link modes and phylib tracks negotiation state. Move the EEE
hardware control to bcmgenet_mii_setup(), which is called on every
link event, and drive it directly from phydev->enable_tx_lpi - the
flag phylib sets when EEE is negotiated and the user has not disabled
it. This enables EEE automatically once the link partner agrees and
disables it cleanly on link-down.
Make bcmgenet_get_eee() and bcmgenet_set_eee() pure passthroughs to
phy_ethtool_get_eee() and phy_ethtool_set_eee(), with the MAC
hardware register read/written for tx_lpi_timer. Drop struct
ethtool_keee eee from struct bcmgenet_priv.
Fixes: fe0d4fd9285e ("net: phy: Keep track of EEE configuration")
Link: https://lore.kernel.org/netdev/d352039f-4cbb-41e6-9aeb-0b4f3941b54c@lunn.ch/
Suggested-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Nicolai Buchwitz <nb@tipi-net.de>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20260310054935.1238594-1-nb@tipi-net.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/genet/bcmgenet.c | 31 +++++++------------
.../net/ethernet/broadcom/genet/bcmgenet.h | 5 +--
drivers/net/ethernet/broadcom/genet/bcmmii.c | 10 +++---
3 files changed, 18 insertions(+), 28 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index f7be886570d88..49f6e83d60139 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1272,8 +1272,7 @@ static void bcmgenet_get_ethtool_stats(struct net_device *dev,
}
}
-void bcmgenet_eee_enable_set(struct net_device *dev, bool enable,
- bool tx_lpi_enabled)
+void bcmgenet_eee_enable_set(struct net_device *dev, bool enable)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
u32 off = priv->hw_params->tbuf_offset + TBUF_ENERGY_CTRL;
@@ -1293,7 +1292,7 @@ void bcmgenet_eee_enable_set(struct net_device *dev, bool enable,
/* Enable EEE and switch to a 27Mhz clock automatically */
reg = bcmgenet_readl(priv->base + off);
- if (tx_lpi_enabled)
+ if (enable)
reg |= TBUF_EEE_EN | TBUF_PM_EN;
else
reg &= ~(TBUF_EEE_EN | TBUF_PM_EN);
@@ -1312,14 +1311,12 @@ void bcmgenet_eee_enable_set(struct net_device *dev, bool enable,
priv->clk_eee_enabled = false;
}
- priv->eee.eee_enabled = enable;
- priv->eee.tx_lpi_enabled = tx_lpi_enabled;
}
static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_keee *e)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- struct ethtool_keee *p = &priv->eee;
+ int ret;
if (GENET_IS_V1(priv))
return -EOPNOTSUPP;
@@ -1327,17 +1324,21 @@ static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_keee *e)
if (!dev->phydev)
return -ENODEV;
- e->tx_lpi_enabled = p->tx_lpi_enabled;
+ ret = phy_ethtool_get_eee(dev->phydev, e);
+ if (ret)
+ return ret;
+
+ /* tx_lpi_timer is maintained by the MAC hardware register; the
+ * PHY-level eee_cfg timer is not set for GENET.
+ */
e->tx_lpi_timer = bcmgenet_umac_readl(priv, UMAC_EEE_LPI_TIMER);
- return phy_ethtool_get_eee(dev->phydev, e);
+ return 0;
}
static int bcmgenet_set_eee(struct net_device *dev, struct ethtool_keee *e)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- struct ethtool_keee *p = &priv->eee;
- bool active;
if (GENET_IS_V1(priv))
return -EOPNOTSUPP;
@@ -1345,15 +1346,7 @@ static int bcmgenet_set_eee(struct net_device *dev, struct ethtool_keee *e)
if (!dev->phydev)
return -ENODEV;
- p->eee_enabled = e->eee_enabled;
-
- if (!p->eee_enabled) {
- bcmgenet_eee_enable_set(dev, false, false);
- } else {
- active = phy_init_eee(dev->phydev, false) >= 0;
- bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER);
- bcmgenet_eee_enable_set(dev, active, e->tx_lpi_enabled);
- }
+ bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER);
return phy_ethtool_set_eee(dev->phydev, e);
}
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.h b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
index 43b923c48b14f..c0005a0fff567 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
@@ -646,8 +646,6 @@ struct bcmgenet_priv {
bool wol_active;
struct bcmgenet_mib_counters mib;
-
- struct ethtool_keee eee;
};
#define GENET_IO_MACRO(name, offset) \
@@ -705,7 +703,6 @@ int bcmgenet_wol_power_down_cfg(struct bcmgenet_priv *priv,
void bcmgenet_wol_power_up_cfg(struct bcmgenet_priv *priv,
enum bcmgenet_power_mode mode);
-void bcmgenet_eee_enable_set(struct net_device *dev, bool enable,
- bool tx_lpi_enabled);
+void bcmgenet_eee_enable_set(struct net_device *dev, bool enable);
#endif /* __BCMGENET_H__ */
diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c
index c4a3698cef66f..9beb65e6d0a96 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
@@ -30,7 +30,6 @@ static void bcmgenet_mac_config(struct net_device *dev)
struct bcmgenet_priv *priv = netdev_priv(dev);
struct phy_device *phydev = dev->phydev;
u32 reg, cmd_bits = 0;
- bool active;
/* speed */
if (phydev->speed == SPEED_1000)
@@ -91,10 +90,6 @@ static void bcmgenet_mac_config(struct net_device *dev)
bcmgenet_umac_writel(priv, reg, UMAC_CMD);
spin_unlock_bh(&priv->reg_lock);
- active = phy_init_eee(phydev, 0) >= 0;
- bcmgenet_eee_enable_set(dev,
- priv->eee.eee_enabled && active,
- priv->eee.tx_lpi_enabled);
}
/* setup netdev link state when PHY link status change and
@@ -114,6 +109,8 @@ void bcmgenet_mii_setup(struct net_device *dev)
bcmgenet_ext_writel(priv, reg, EXT_RGMII_OOB_CTRL);
}
+ bcmgenet_eee_enable_set(dev, phydev->enable_tx_lpi);
+
phy_print_status(phydev);
}
@@ -408,6 +405,9 @@ int bcmgenet_mii_probe(struct net_device *dev)
/* Indicate that the MAC is responsible for PHY PM */
dev->phydev->mac_managed_pm = true;
+ if (!GENET_IS_V1(priv))
+ phy_support_eee(dev->phydev);
+
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 152/567] wifi: wlcore: Fix a locking bug
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 151/567] wifi: cw1200: Fix locking in error paths Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 153/567] wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211() Greg Kroah-Hartman
` (225 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bart Van Assche, Johannes Berg,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit 72c6df8f284b3a49812ce2ac136727ace70acc7c ]
Make sure that wl->mutex is locked before it is unlocked. This has been
detected by the Clang thread-safety analyzer.
Fixes: 45aa7f071b06 ("wlcore: Use generic runtime pm calls for wowlan elp configuration")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260223220102.2158611-26-bart.vanassche@linux.dev
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ti/wlcore/main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c
index 9706240ddd416..d818485d7e6af 100644
--- a/drivers/net/wireless/ti/wlcore/main.c
+++ b/drivers/net/wireless/ti/wlcore/main.c
@@ -1800,6 +1800,8 @@ static int __maybe_unused wl1271_op_resume(struct ieee80211_hw *hw)
wl->wow_enabled);
WARN_ON(!wl->wow_enabled);
+ mutex_lock(&wl->mutex);
+
ret = pm_runtime_force_resume(wl->dev);
if (ret < 0) {
wl1271_error("ELP wakeup failure!");
@@ -1816,8 +1818,6 @@ static int __maybe_unused wl1271_op_resume(struct ieee80211_hw *hw)
run_irq_work = true;
spin_unlock_irqrestore(&wl->wl_lock, flags);
- mutex_lock(&wl->mutex);
-
/* test the recovery flag before calling any SDIO functions */
pending_recovery = test_bit(WL1271_FLAG_RECOVERY_IN_PROGRESS,
&wl->flags);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 090/481] drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 089/481] Squashfs: check metadata block offset is within range Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 091/481] smb: client: fix broken multichannel with krb5+signing Greg Kroah-Hartman
` (225 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lars Ellenberg,
Christoph Böhmwalder, Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lars Ellenberg <lars.ellenberg@linbit.com>
commit ab140365fb62c0bdab22b2f516aff563b2559e3b upstream.
Even though we check that we "should" be able to do lc_get_cumulative()
while holding the device->al_lock spinlock, it may still fail,
if some other code path decided to do lc_try_lock() with bad timing.
If that happened, we logged "LOGIC BUG for enr=...",
but still did not return an error.
The rest of the code now assumed that this request has references
for the relevant activity log extents.
The implcations are that during an active resync, mutual exclusivity of
resync versus application IO is not guaranteed. And a potential crash
at this point may not realizs that these extents could have been target
of in-flight IO and would need to be resynced just in case.
Also, once the request completes, it will give up activity log references it
does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().
Fix:
Do not crash the kernel for a condition that is harmless during normal
operation: also catch "e->refcnt == 0", not only "e == NULL"
when being noisy about "al_complete_io() called on inactive extent %u\n".
And do not try to be smart and "guess" whether something will work, then
be surprised when it does not.
Deal with the fact that it may or may not work. If it does not, remember a
possible "partially in activity log" state (only possible for requests that
cross extent boundaries), and return an error code from
drbd_al_begin_io_nonblock().
A latter call for the same request will then resume from where we left off.
Cc: stable@vger.kernel.org
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/drbd/drbd_actlog.c | 53 ++++++++++++++++---------------------
drivers/block/drbd/drbd_interval.h | 5 ++-
2 files changed, 27 insertions(+), 31 deletions(-)
--- a/drivers/block/drbd/drbd_actlog.c
+++ b/drivers/block/drbd/drbd_actlog.c
@@ -483,38 +483,20 @@ void drbd_al_begin_io(struct drbd_device
int drbd_al_begin_io_nonblock(struct drbd_device *device, struct drbd_interval *i)
{
- struct lru_cache *al = device->act_log;
/* for bios crossing activity log extent boundaries,
* we may need to activate two extents in one go */
unsigned first = i->sector >> (AL_EXTENT_SHIFT-9);
unsigned last = i->size == 0 ? first : (i->sector + (i->size >> 9) - 1) >> (AL_EXTENT_SHIFT-9);
- unsigned nr_al_extents;
- unsigned available_update_slots;
unsigned enr;
- D_ASSERT(device, first <= last);
-
- nr_al_extents = 1 + last - first; /* worst case: all touched extends are cold. */
- available_update_slots = min(al->nr_elements - al->used,
- al->max_pending_changes - al->pending_changes);
-
- /* We want all necessary updates for a given request within the same transaction
- * We could first check how many updates are *actually* needed,
- * and use that instead of the worst-case nr_al_extents */
- if (available_update_slots < nr_al_extents) {
- /* Too many activity log extents are currently "hot".
- *
- * If we have accumulated pending changes already,
- * we made progress.
- *
- * If we cannot get even a single pending change through,
- * stop the fast path until we made some progress,
- * or requests to "cold" extents could be starved. */
- if (!al->pending_changes)
- __set_bit(__LC_STARVING, &device->act_log->flags);
- return -ENOBUFS;
+ if (i->partially_in_al_next_enr) {
+ D_ASSERT(device, first < i->partially_in_al_next_enr);
+ D_ASSERT(device, last >= i->partially_in_al_next_enr);
+ first = i->partially_in_al_next_enr;
}
+ D_ASSERT(device, first <= last);
+
/* Is resync active in this area? */
for (enr = first; enr <= last; enr++) {
struct lc_element *tmp;
@@ -529,14 +511,21 @@ int drbd_al_begin_io_nonblock(struct drb
}
}
- /* Checkout the refcounts.
- * Given that we checked for available elements and update slots above,
- * this has to be successful. */
+ /* Try to checkout the refcounts. */
for (enr = first; enr <= last; enr++) {
struct lc_element *al_ext;
al_ext = lc_get_cumulative(device->act_log, enr);
- if (!al_ext)
- drbd_info(device, "LOGIC BUG for enr=%u\n", enr);
+
+ if (!al_ext) {
+ /* Did not work. We may have exhausted the possible
+ * changes per transaction. Or raced with someone
+ * "locking" it against changes.
+ * Remember where to continue from.
+ */
+ if (enr > first)
+ i->partially_in_al_next_enr = enr;
+ return -ENOBUFS;
+ }
}
return 0;
}
@@ -556,7 +545,11 @@ void drbd_al_complete_io(struct drbd_dev
for (enr = first; enr <= last; enr++) {
extent = lc_find(device->act_log, enr);
- if (!extent) {
+ /* Yes, this masks a bug elsewhere. However, during normal
+ * operation this is harmless, so no need to crash the kernel
+ * by the BUG_ON(refcount == 0) in lc_put().
+ */
+ if (!extent || extent->refcnt == 0) {
drbd_err(device, "al_complete_io() called on inactive extent %u\n", enr);
continue;
}
--- a/drivers/block/drbd/drbd_interval.h
+++ b/drivers/block/drbd/drbd_interval.h
@@ -8,12 +8,15 @@
struct drbd_interval {
struct rb_node rb;
sector_t sector; /* start sector of the interval */
- unsigned int size; /* size in bytes */
sector_t end; /* highest interval end in subtree */
+ unsigned int size; /* size in bytes */
unsigned int local:1 /* local or remote request? */;
unsigned int waiting:1; /* someone is waiting for completion */
unsigned int completed:1; /* this has been completed already;
* ignore for conflict detection */
+
+ /* to resume a partially successful drbd_al_begin_io_nonblock(); */
+ unsigned int partially_in_al_next_enr;
};
static inline void drbd_clear_interval(struct drbd_interval *i)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 077/460] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 076/460] net: bcmgenet: fix broken EEE by converting to phylib-managed state Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 078/460] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition Greg Kroah-Hartman
` (225 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Dooks, Rafael J. Wysocki,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Dooks <ben.dooks@codethink.co.uk>
[ Upstream commit 393815f57651101f1590632092986d1d5a3a41bd ]
The pointer returned from acpi_os_map_generic_address() is
tagged with __iomem, so make the rv it is returned to also
of void __iomem * type.
Fixes the following sparse warning:
drivers/acpi/osl.c:1686:20: warning: incorrect type in assignment (different address spaces)
drivers/acpi/osl.c:1686:20: expected void *rv
drivers/acpi/osl.c:1686:20: got void [noderef] __iomem *
Fixes: 6915564dc5a8 ("ACPI: OSL: Change the type of acpi_os_map_generic_address() return value")
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
[ rjw: Subject tweak, added Fixes tag ]
Link: https://patch.msgid.link/20260311105835.463030-1-ben.dooks@codethink.co.uk
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/osl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index 70af3fbbebe54..6537644faf381 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -1649,7 +1649,7 @@ acpi_status __init acpi_os_initialize(void)
* Use acpi_os_map_generic_address to pre-map the reset
* register if it's in system memory.
*/
- void *rv;
+ void __iomem *rv;
rv = acpi_os_map_generic_address(&acpi_gbl_FADT.reset_register);
pr_debug("%s: Reset register mapping %s\n", __func__,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 153/567] wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 152/567] wifi: wlcore: Fix a locking bug Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 154/567] wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Greg Kroah-Hartman
` (224 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Johannes Berg,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 60862846308627e9e15546bb647a00de44deb27b ]
Check frame length before accessing the mgmt fields in
mt7996_mac_write_txwi_80211 in order to avoid a possible oob access.
Fixes: 98686cd21624c ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260226-mt76-addba-req-oob-access-v1-1-b0f6d1ad4850@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index 8fa16f95e6a7b..3dd503b363ce0 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -784,6 +784,7 @@ mt7996_mac_write_txwi_80211(struct mt7996_dev *dev, __le32 *txwi,
u32 val;
if (ieee80211_is_action(fc) &&
+ skb->len >= IEEE80211_MIN_ACTION_SIZE + 1 &&
mgmt->u.action.category == WLAN_CATEGORY_BACK &&
mgmt->u.action.u.addba_req.action_code == WLAN_ACTION_ADDBA_REQ)
tid = MT_TX_ADDBA;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 091/481] smb: client: fix broken multichannel with krb5+signing
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 090/481] drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 092/481] smb: client: Dont log plaintext credentials in cifs_set_cifscreds Greg Kroah-Hartman
` (224 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaoli Feng, Enzo Matsumiya,
Paulo Alcantara (Red Hat), David Howells, linux-cifs,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.org>
commit d9d1e319b39ea685ede59319002d567c159d23c3 upstream.
When mounting a share with 'multichannel,max_channels=n,sec=krb5i',
the client was duplicating signing key for all secondary channels,
thus making the server fail all commands sent from secondary channels
due to bad signatures.
Every channel has its own signing key, so when establishing a new
channel with krb5 auth, make sure to use the new session key as the
derived key to generate channel's signing key in SMB2_auth_kerberos().
Repro:
$ mount.cifs //srv/share /mnt -o multichannel,max_channels=4,sec=krb5i
$ sleep 5
$ umount /mnt
$ dmesg
...
CIFS: VFS: sign fail cmd 0x5 message id 0x2
CIFS: VFS: \\srv SMB signature verification returned error = -13
CIFS: VFS: sign fail cmd 0x5 message id 0x2
CIFS: VFS: \\srv SMB signature verification returned error = -13
CIFS: VFS: sign fail cmd 0x4 message id 0x2
CIFS: VFS: \\srv SMB signature verification returned error = -13
Reported-by: Xiaoli Feng <xifeng@redhat.com>
Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Cc: David Howells <dhowells@redhat.com>
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -1484,19 +1484,17 @@ SMB2_auth_kerberos(struct SMB2_sess_data
is_binding = (ses->ses_status == SES_GOOD);
spin_unlock(&ses->ses_lock);
- /* keep session key if binding */
- if (!is_binding) {
- kfree_sensitive(ses->auth_key.response);
- ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len,
- GFP_KERNEL);
- if (!ses->auth_key.response) {
- cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n",
- msg->sesskey_len);
- rc = -ENOMEM;
- goto out_put_spnego_key;
- }
- ses->auth_key.len = msg->sesskey_len;
+ kfree_sensitive(ses->auth_key.response);
+ ses->auth_key.response = kmemdup(msg->data,
+ msg->sesskey_len,
+ GFP_KERNEL);
+ if (!ses->auth_key.response) {
+ cifs_dbg(VFS, "%s: can't allocate (%u bytes) memory\n",
+ __func__, msg->sesskey_len);
+ rc = -ENOMEM;
+ goto out_put_spnego_key;
}
+ ses->auth_key.len = msg->sesskey_len;
sess_data->iov[1].iov_base = msg->data + msg->sesskey_len;
sess_data->iov[1].iov_len = msg->secblob_len;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 078/460] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 077/460] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 079/460] ASoC: detect empty DMI strings Greg Kroah-Hartman
` (224 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Ni, Mark Brown, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit 53f3a900e9a383d47af7253076e19f510c5708d0 ]
The acp3x_5682_init() function did not check the return value of
clk_get(), which could lead to dereferencing error pointers in
rt5682_clk_enable().
Fix this by:
1. Changing clk_get() to the device-managed devm_clk_get().
2. Adding proper IS_ERR() checks for both clock acquisitions.
Fixes: 6b8e4e7db3cd ("ASoC: amd: Add machine driver for Raven based platform")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Link: https://patch.msgid.link/20260310024246.2153827-1-nichen@iscas.ac.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/acp3x-rt5682-max9836.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/sound/soc/amd/acp3x-rt5682-max9836.c b/sound/soc/amd/acp3x-rt5682-max9836.c
index 357dfd016bafd..6c4716565ded0 100644
--- a/sound/soc/amd/acp3x-rt5682-max9836.c
+++ b/sound/soc/amd/acp3x-rt5682-max9836.c
@@ -94,8 +94,13 @@ static int acp3x_5682_init(struct snd_soc_pcm_runtime *rtd)
return ret;
}
- rt5682_dai_wclk = clk_get(component->dev, "rt5682-dai-wclk");
- rt5682_dai_bclk = clk_get(component->dev, "rt5682-dai-bclk");
+ rt5682_dai_wclk = devm_clk_get(component->dev, "rt5682-dai-wclk");
+ if (IS_ERR(rt5682_dai_wclk))
+ return PTR_ERR(rt5682_dai_wclk);
+
+ rt5682_dai_bclk = devm_clk_get(component->dev, "rt5682-dai-bclk");
+ if (IS_ERR(rt5682_dai_bclk))
+ return PTR_ERR(rt5682_dai_bclk);
ret = snd_soc_card_jack_new_pins(card, "Headset Jack",
SND_JACK_HEADSET |
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 154/567] wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 153/567] wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 155/567] indirect_call_wrapper: do not reevaluate function pointer Greg Kroah-Hartman
` (223 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Johannes Berg,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 4e10a730d1b511ff49723371ed6d694dd1b2c785 ]
Check frame length before accessing the mgmt fields in
mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob
access.
Fixes: 577dbc6c656d ("mt76: mt7915: enable offloading of sequence number assignment")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260226-mt76-addba-req-oob-access-v1-3-b0f6d1ad4850@kernel.org
[fix check to also cover mgmt->u.action.u.addba_req.capab,
correct Fixes tag]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
index 87479c6c2b505..570c9dcbc505e 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
@@ -394,6 +394,7 @@ mt76_connac2_mac_write_txwi_80211(struct mt76_dev *dev, __le32 *txwi,
u32 val;
if (ieee80211_is_action(fc) &&
+ skb->len >= IEEE80211_MIN_ACTION_SIZE + 1 + 1 + 2 &&
mgmt->u.action.category == WLAN_CATEGORY_BACK &&
mgmt->u.action.u.addba_req.action_code == WLAN_ACTION_ADDBA_REQ) {
u16 capab = le16_to_cpu(mgmt->u.action.u.addba_req.capab);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 092/481] smb: client: Dont log plaintext credentials in cifs_set_cifscreds
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 091/481] smb: client: fix broken multichannel with krb5+signing Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 093/481] scsi: core: Fix refcount leak for tagset_refcnt Greg Kroah-Hartman
` (223 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
Thorsten Blum, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d upstream.
When debug logging is enabled, cifs_set_cifscreds() logs the key
payload and exposes the plaintext username and password. Remove the
debug log to avoid exposing credentials.
Fixes: 8a8798a5ff90 ("cifs: fetch credentials out of keyring for non-krb5 auth multiuser mounts")
Cc: stable@vger.kernel.org
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/connect.c | 1 -
1 file changed, 1 deletion(-)
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -2178,7 +2178,6 @@ cifs_set_cifscreds(struct smb3_fs_contex
/* find first : in payload */
payload = upayload->data;
delim = strnchr(payload, upayload->datalen, ':');
- cifs_dbg(FYI, "payload=%s\n", payload);
if (!delim) {
cifs_dbg(FYI, "Unable to find ':' in payload (datalen=%d)\n",
upayload->datalen);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 079/460] ASoC: detect empty DMI strings
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 078/460] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 080/460] drm/amdkfd: Unreserve bo if queue update failed Greg Kroah-Hartman
` (223 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Casey Connolly, Mark Brown,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Casey Connolly <casey.connolly@linaro.org>
[ Upstream commit a9683730e8b1d632674f81844ed03ddfbe4821c0 ]
Some bootloaders like recent versions of U-Boot may install some DMI
properties with empty values rather than not populate them. This manages
to make its way through the validator and cleanup resulting in a rogue
hyphen being appended to the card longname.
Fixes: 4e01e5dbba96 ("ASoC: improve the DMI long card code in asoc-core")
Signed-off-by: Casey Connolly <casey.connolly@linaro.org>
Link: https://patch.msgid.link/20260306174707.283071-2-casey.connolly@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index ea6b39003461f..a1e3829914268 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -1837,12 +1837,15 @@ static void cleanup_dmi_name(char *name)
/*
* Check if a DMI field is valid, i.e. not containing any string
- * in the black list.
+ * in the black list and not the empty string.
*/
static int is_dmi_valid(const char *field)
{
int i = 0;
+ if (!field[0])
+ return 0;
+
while (dmi_blacklist[i]) {
if (strstr(field, dmi_blacklist[i]))
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 155/567] indirect_call_wrapper: do not reevaluate function pointer
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 154/567] wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 156/567] net/rds: Fix circular locking dependency in rds_tcp_tune Greg Kroah-Hartman
` (222 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 710f5c76580306cdb9ec51fac8fcf6a8faff7821 ]
We have an increasing number of READ_ONCE(xxx->function)
combined with INDIRECT_CALL_[1234]() helpers.
Unfortunately this forces INDIRECT_CALL_[1234]() to read
xxx->function many times, which is not what we wanted.
Fix these macros so that xxx->function value is not reloaded.
$ scripts/bloat-o-meter -t vmlinux.0 vmlinux
add/remove: 0/0 grow/shrink: 1/65 up/down: 122/-1084 (-962)
Function old new delta
ip_push_pending_frames 59 181 +122
ip6_finish_output 687 681 -6
__udp_enqueue_schedule_skb 1078 1072 -6
ioam6_output 2319 2312 -7
xfrm4_rcv_encap_finish2 64 56 -8
xfrm4_output 297 289 -8
vrf_ip_local_out 278 270 -8
vrf_ip6_local_out 278 270 -8
seg6_input_finish 64 56 -8
rpl_output 700 692 -8
ipmr_forward_finish 124 116 -8
ip_forward_finish 143 135 -8
ip6mr_forward2_finish 100 92 -8
ip6_forward_finish 73 65 -8
input_action_end_bpf 1091 1083 -8
dst_input 52 44 -8
__xfrm6_output 801 793 -8
__xfrm4_output 83 75 -8
bpf_input 500 491 -9
__tcp_check_space 530 521 -9
input_action_end_dt6 291 280 -11
vti6_tnl_xmit 1634 1622 -12
bpf_xmit 1203 1191 -12
rpl_input 497 483 -14
rawv6_send_hdrinc 1355 1341 -14
ndisc_send_skb 1030 1016 -14
ipv6_srh_rcv 1377 1363 -14
ip_send_unicast_reply 1253 1239 -14
ip_rcv_finish 226 212 -14
ip6_rcv_finish 300 286 -14
input_action_end_x_core 205 191 -14
input_action_end_x 355 341 -14
input_action_end_t 205 191 -14
input_action_end_dx6_finish 127 113 -14
input_action_end_dx4_finish 373 359 -14
input_action_end_dt4 426 412 -14
input_action_end_core 186 172 -14
input_action_end_b6_encap 292 278 -14
input_action_end_b6 198 184 -14
igmp6_send 1332 1318 -14
ip_sublist_rcv 864 848 -16
ip6_sublist_rcv 1091 1075 -16
ipv6_rpl_srh_rcv 1937 1920 -17
xfrm_policy_queue_process 1246 1228 -18
seg6_output_core 903 885 -18
mld_sendpack 856 836 -20
NF_HOOK 756 736 -20
vti_tunnel_xmit 1447 1426 -21
input_action_end_dx6 664 642 -22
input_action_end 1502 1480 -22
sock_sendmsg_nosec 134 111 -23
ip6mr_forward2 388 364 -24
sock_recvmsg_nosec 134 109 -25
seg6_input_core 836 810 -26
ip_send_skb 172 146 -26
ip_local_out 140 114 -26
ip6_local_out 140 114 -26
__sock_sendmsg 162 136 -26
__ip_queue_xmit 1196 1170 -26
__ip_finish_output 405 379 -26
ipmr_queue_fwd_xmit 373 346 -27
sock_recvmsg 173 145 -28
ip6_xmit 1635 1607 -28
xfrm_output_resume 1418 1389 -29
ip_build_and_send_pkt 625 591 -34
dst_output 504 432 -72
Total: Before=25217686, After=25216724, chg -0.00%
Fixes: 283c16a2dfd3 ("indirect call wrappers: helpers to speed-up indirect calls of builtin")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260227172603.1700433-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/indirect_call_wrapper.h | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/include/linux/indirect_call_wrapper.h b/include/linux/indirect_call_wrapper.h
index c1c76a70a6ce9..227cee5e2a98b 100644
--- a/include/linux/indirect_call_wrapper.h
+++ b/include/linux/indirect_call_wrapper.h
@@ -16,22 +16,26 @@
*/
#define INDIRECT_CALL_1(f, f1, ...) \
({ \
- likely(f == f1) ? f1(__VA_ARGS__) : f(__VA_ARGS__); \
+ typeof(f) __f1 = (f); \
+ likely(__f1 == f1) ? f1(__VA_ARGS__) : __f1(__VA_ARGS__); \
})
#define INDIRECT_CALL_2(f, f2, f1, ...) \
({ \
- likely(f == f2) ? f2(__VA_ARGS__) : \
- INDIRECT_CALL_1(f, f1, __VA_ARGS__); \
+ typeof(f) __f2 = (f); \
+ likely(__f2 == f2) ? f2(__VA_ARGS__) : \
+ INDIRECT_CALL_1(__f2, f1, __VA_ARGS__); \
})
#define INDIRECT_CALL_3(f, f3, f2, f1, ...) \
({ \
- likely(f == f3) ? f3(__VA_ARGS__) : \
- INDIRECT_CALL_2(f, f2, f1, __VA_ARGS__); \
+ typeof(f) __f3 = (f); \
+ likely(__f3 == f3) ? f3(__VA_ARGS__) : \
+ INDIRECT_CALL_2(__f3, f2, f1, __VA_ARGS__); \
})
#define INDIRECT_CALL_4(f, f4, f3, f2, f1, ...) \
({ \
- likely(f == f4) ? f4(__VA_ARGS__) : \
- INDIRECT_CALL_3(f, f3, f2, f1, __VA_ARGS__); \
+ typeof(f) __f4 = (f); \
+ likely(__f4 == f4) ? f4(__VA_ARGS__) : \
+ INDIRECT_CALL_3(__f4, f3, f2, f1, __VA_ARGS__); \
})
#define INDIRECT_CALLABLE_DECLARE(f) f
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 093/481] scsi: core: Fix refcount leak for tagset_refcnt
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 092/481] smb: client: Dont log plaintext credentials in cifs_set_cifscreds Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 094/481] selftests: mptcp: more stable simult_flows tests Greg Kroah-Hartman
` (222 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxiao Bi, Mike Christie,
Bart Van Assche, Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxiao Bi <junxiao.bi@oracle.com>
commit 1ac22c8eae81366101597d48360718dff9b9d980 upstream.
This leak will cause a hang when tearing down the SCSI host. For example,
iscsid hangs with the following call trace:
[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured
PID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: "iscsid"
#0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4
#1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f
#2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0
#3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f
#4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b
#5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]
#6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]
#7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]
#8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6
#9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef
Fixes: 8fe4ce5836e9 ("scsi: core: Fix a use-after-free")
Cc: stable@vger.kernel.org
Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260223232728.93350-1-junxiao.bi@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/scsi_scan.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -355,6 +355,7 @@ static struct scsi_device *scsi_alloc_sd
* since we use this queue depth most of times.
*/
if (scsi_realloc_sdev_budget_map(sdev, depth)) {
+ kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
put_device(&starget->dev);
kfree(sdev);
goto out;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 080/460] drm/amdkfd: Unreserve bo if queue update failed
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 079/460] ASoC: detect empty DMI strings Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 081/460] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
` (222 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Yang, Alex Sierra,
Alex Deucher, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
[ Upstream commit 2ce75a0b7e1bfddbcb9bc8aeb2e5e7fa99971acf ]
Error handling path should unreserve bo then return failed.
Fixes: 305cd109b761 ("drm/amdkfd: Validate user queue update")
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Alex Sierra <alex.sierra@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit c24afed7de9ecce341825d8ab55a43a254348b33)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
index 4078a81761871..e3749dae5e599 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
@@ -600,6 +600,7 @@ int pqm_update_queue_properties(struct process_queue_manager *pqm,
p->queue_size)) {
pr_debug("ring buf 0x%llx size 0x%llx not mapped on GPU\n",
p->queue_address, p->queue_size);
+ amdgpu_bo_unreserve(vm->root.bo);
return -EFAULT;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 156/567] net/rds: Fix circular locking dependency in rds_tcp_tune
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 155/567] indirect_call_wrapper: do not reevaluate function pointer Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 157/567] xen/acpi-processor: fix _CST detection using undersized evaluation buffer Greg Kroah-Hartman
` (221 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+2e2cf5331207053b8106,
Allison Henderson, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Allison Henderson <achender@kernel.org>
[ Upstream commit 6a877ececd6daa002a9a0002cd0fbca6592a9244 ]
syzbot reported a circular locking dependency in rds_tcp_tune() where
sk_net_refcnt_upgrade() is called while holding the socket lock:
======================================================
WARNING: possible circular locking dependency detected
======================================================
kworker/u10:8/15040 is trying to acquire lock:
ffffffff8e9aaf80 (fs_reclaim){+.+.}-{0:0},
at: __kmalloc_cache_noprof+0x4b/0x6f0
but task is already holding lock:
ffff88805a3c1ce0 (k-sk_lock-AF_INET6){+.+.}-{0:0},
at: rds_tcp_tune+0xd7/0x930
The issue occurs because sk_net_refcnt_upgrade() performs memory
allocation (via get_net_track() -> ref_tracker_alloc()) while the
socket lock is held, creating a circular dependency with fs_reclaim.
Fix this by moving sk_net_refcnt_upgrade() outside the socket lock
critical section. This is safe because the fields modified by the
sk_net_refcnt_upgrade() call (sk_net_refcnt, ns_tracker) are not
accessed by any concurrent code path at this point.
v2:
- Corrected fixes tag
- check patch line wrap nits
- ai commentary nits
Reported-by: syzbot+2e2cf5331207053b8106@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2e2cf5331207053b8106
Fixes: 3a58f13a881e ("net: rds: acquire refcount on TCP sockets")
Signed-off-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/20260227202336.167757-1-achender@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rds/tcp.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/net/rds/tcp.c b/net/rds/tcp.c
index 985b05f38b674..dee18da64a322 100644
--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -494,18 +494,24 @@ bool rds_tcp_tune(struct socket *sock)
struct rds_tcp_net *rtn;
tcp_sock_set_nodelay(sock->sk);
- lock_sock(sk);
/* TCP timer functions might access net namespace even after
* a process which created this net namespace terminated.
*/
if (!sk->sk_net_refcnt) {
- if (!maybe_get_net(net)) {
- release_sock(sk);
+ if (!maybe_get_net(net))
return false;
- }
+ /*
+ * sk_net_refcnt_upgrade() must be called before lock_sock()
+ * because it does a GFP_KERNEL allocation, which can trigger
+ * fs_reclaim and create a circular lock dependency with the
+ * socket lock. The fields it modifies (sk_net_refcnt,
+ * ns_tracker) are not accessed by any concurrent code path
+ * at this point.
+ */
sk_net_refcnt_upgrade(sk);
put_net(net);
}
+ lock_sock(sk);
rtn = net_generic(net, rds_tcp_netid);
if (rtn->sndbuf_size > 0) {
sk->sk_sndbuf = rtn->sndbuf_size;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 094/481] selftests: mptcp: more stable simult_flows tests
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 093/481] scsi: core: Fix refcount leak for tagset_refcnt Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 095/481] selftests: mptcp: join: check removing signal+subflow endp Greg Kroah-Hartman
` (221 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 upstream.
By default, the netem qdisc can keep up to 1000 packets under its belly
to deal with the configured rate and delay. The simult flows test-case
simulates very low speed links, to avoid problems due to slow CPUs and
the TCP stack tend to transmit at a slightly higher rate than the
(virtual) link constraints.
All the above causes a relatively large amount of packets being enqueued
in the netem qdiscs - the longer the transfer, the longer the queue -
producing increasingly high TCP RTT samples and consequently increasingly
larger receive buffer size due to DRS.
When the receive buffer size becomes considerably larger than the needed
size, the tests results can flake, i.e. because minimal inaccuracy in the
pacing rate can lead to a single subflow usage towards the end of the
connection for a considerable amount of data.
Address the issue explicitly setting netem limits suitable for the
configured link speeds and unflake all the affected tests.
Fixes: 1a418cb8e888 ("mptcp: simult flow self-tests")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-1-4b5462b6f016@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/simult_flows.sh | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/tools/testing/selftests/net/mptcp/simult_flows.sh
+++ b/tools/testing/selftests/net/mptcp/simult_flows.sh
@@ -246,10 +246,13 @@ run_test()
for dev in ns2eth1 ns2eth2; do
tc -n $ns2 qdisc del dev $dev root >/dev/null 2>&1
done
- tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1
- tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2
- tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1
- tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2
+
+ # keep the queued pkts number low, or the RTT estimator will see
+ # increasing latency over time.
+ tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1 limit 50
+ tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2 limit 50
+ tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1 limit 50
+ tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2 limit 50
# time is measured in ms, account for transfer size, aggregated link speed
# and header overhead (10%)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 081/460] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 080/460] drm/amdkfd: Unreserve bo if queue update failed Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 082/460] net: dsa: realtek: Fix LED group port bit for non-zero LED group Greg Kroah-Hartman
` (221 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Ricardo B . Marlière, Hangbin Liu, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marlière <rbm@suse.com>
[ Upstream commit 30021e969d48e5819d5ae56936c2f34c0f7ce997 ]
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called
which initializes it. If bonding ARP/NS validation is enabled, an IPv6
NS/NA packet received on a slave can reach bond_validate_na(), which
calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can
crash in __ipv6_chk_addr_and_flags().
BUG: kernel NULL pointer dereference, address: 00000000000005d8
Oops: Oops: 0000 [#1] SMP NOPTI
RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170
Call Trace:
<IRQ>
ipv6_chk_addr+0x1f/0x30
bond_validate_na+0x12e/0x1d0 [bonding]
? __pfx_bond_handle_frame+0x10/0x10 [bonding]
bond_rcv_validate+0x1a0/0x450 [bonding]
bond_handle_frame+0x5e/0x290 [bonding]
? srso_alias_return_thunk+0x5/0xfbef5
__netif_receive_skb_core.constprop.0+0x3e8/0xe50
? srso_alias_return_thunk+0x5/0xfbef5
? update_cfs_rq_load_avg+0x1a/0x240
? srso_alias_return_thunk+0x5/0xfbef5
? __enqueue_entity+0x5e/0x240
__netif_receive_skb_one_core+0x39/0xa0
process_backlog+0x9c/0x150
__napi_poll+0x30/0x200
? srso_alias_return_thunk+0x5/0xfbef5
net_rx_action+0x338/0x3b0
handle_softirqs+0xc9/0x2a0
do_softirq+0x42/0x60
</IRQ>
<TASK>
__local_bh_enable_ip+0x62/0x70
__dev_queue_xmit+0x2d3/0x1000
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? packet_parse_headers+0x10a/0x1a0
packet_sendmsg+0x10da/0x1700
? kick_pool+0x5f/0x140
? srso_alias_return_thunk+0x5/0xfbef5
? __queue_work+0x12d/0x4f0
__sys_sendto+0x1f3/0x220
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x101/0xf80
? exc_page_fault+0x6e/0x170
? srso_alias_return_thunk+0x5/0xfbef5
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to
bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate()
and avoid the path to ipv6_chk_addr().
Suggested-by: Fernando Fernandez Mancera <fmancera@suse.de>
Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets")
Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20260307-net-nd_tbl_fixes-v4-2-e2677e85628c@suse.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 546c9004c9e30..d11ca46a5b1f7 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -3487,7 +3487,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond,
} else if (is_arp) {
return bond_arp_rcv(skb, bond, slave);
#if IS_ENABLED(CONFIG_IPV6)
- } else if (is_ipv6) {
+ } else if (is_ipv6 && likely(ipv6_mod_enabled())) {
return bond_na_rcv(skb, bond, slave);
#endif
} else {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 157/567] xen/acpi-processor: fix _CST detection using undersized evaluation buffer
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 156/567] net/rds: Fix circular locking dependency in rds_tcp_tune Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 158/567] bpf: export bpf_link_inc_not_zero Greg Kroah-Hartman
` (220 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Thomson, Jan Beulich,
Juergen Gross, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Thomson <dt@linux-mail.net>
[ Upstream commit 8b57227d59a86fc06d4f09de08f98133680f2cae ]
read_acpi_id() attempts to evaluate _CST using a stack buffer of
sizeof(union acpi_object) (48 bytes), but _CST returns a nested Package
of sub-Packages (one per C-state, each containing a register descriptor,
type, latency, and power) requiring hundreds of bytes. The evaluation
always fails with AE_BUFFER_OVERFLOW.
On modern systems using FFH/MWAIT entry (where pblk is zero), this
causes the function to return before setting the acpi_id_cst_present
bit. In check_acpi_ids(), flags.power is then zero for all Phase 2 CPUs
(physical CPUs beyond dom0's vCPU count), so push_cxx_to_hypervisor() is
never called for them.
On a system with dom0_max_vcpus=2 and 8 physical CPUs, only PCPUs 0-1
receive C-state data. PCPUs 2-7 are stuck in C0/C1 idle, unable to
enter C2/C3. This costs measurable wall power (4W observed on an Intel
Core Ultra 7 265K with Xen 4.20).
The function never uses the _CST return value -- it only needs to know
whether _CST exists. Replace the broken acpi_evaluate_object() call with
acpi_has_method(), which correctly detects _CST presence using
acpi_get_handle() without any buffer allocation. This brings C-state
detection to parity with the P-state path, which already works correctly
for Phase 2 CPUs.
Fixes: 59a568029181 ("xen/acpi-processor: C and P-state driver that uploads said data to hypervisor.")
Signed-off-by: David Thomson <dt@linux-mail.net>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20260224093707.19679-1-dt@linux-mail.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/xen/xen-acpi-processor.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/xen/xen-acpi-processor.c b/drivers/xen/xen-acpi-processor.c
index 2967039398463..520756159d3d3 100644
--- a/drivers/xen/xen-acpi-processor.c
+++ b/drivers/xen/xen-acpi-processor.c
@@ -379,11 +379,8 @@ read_acpi_id(acpi_handle handle, u32 lvl, void *context, void **rv)
acpi_psd[acpi_id].domain);
}
- status = acpi_evaluate_object(handle, "_CST", NULL, &buffer);
- if (ACPI_FAILURE(status)) {
- if (!pblk)
- return AE_OK;
- }
+ if (!pblk && !acpi_has_method(handle, "_CST"))
+ return AE_OK;
/* .. and it has a C-state */
__set_bit(acpi_id, acpi_id_cst_present);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 095/481] selftests: mptcp: join: check removing signal+subflow endp
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 094/481] selftests: mptcp: more stable simult_flows tests Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 096/481] ARM: clean up the memset64() C wrapper Greg Kroah-Hartman
` (220 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 1777f349ff41b62dfe27454b69c27b0bc99ffca5 upstream.
This validates the previous commit: endpoints with both the signal and
subflow flags should always be marked as used even if it was not
possible to create new subflows due to the MPTCP PM limits.
For this test, an extra endpoint is created with both the signal and the
subflow flags, and limits are set not to create extra subflows. In this
case, an ADD_ADDR is sent, but no subflows are created. Still, the local
endpoint is marked as used, and no warning is fired when removing the
endpoint, after having sent a RM_ADDR.
The 'Fixes' tag here below is the same as the one from the previous
commit: this patch here is not fixing anything wrong in the selftests,
but it validates the previous fix for an issue introduced by this commit
ID.
Fixes: 85df533a787b ("mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-5-4b5462b6f016@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -2389,6 +2389,19 @@ remove_tests()
chk_rst_nr 0 0
fi
+ # signal+subflow with limits, remove
+ if reset "remove signal+subflow with limits"; then
+ pm_nl_set_limits $ns1 0 0
+ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,subflow
+ pm_nl_set_limits $ns2 0 0
+ addr_nr_ns1=-1 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 0 0 0
+ chk_add_nr 1 1
+ chk_rm_nr 1 0 invert
+ chk_rst_nr 0 0
+ fi
+
# addresses remove
if reset "remove addresses"; then
pm_nl_set_limits $ns1 3 3
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 082/460] net: dsa: realtek: Fix LED group port bit for non-zero LED group
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 081/460] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 083/460] octeontx2-af: devlink: fix NIX RAS reporter recovery condition Greg Kroah-Hartman
` (220 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Behún, Andrew Lunn,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Behún <kabel@kernel.org>
[ Upstream commit e8f0dc024ce55451ebd54bad975134ba802e4fcc ]
The rtl8366rb_led_group_port_mask() function always returns LED port
bit in LED group 0; the switch statement returns the same thing in all
non-default cases.
This means that the driver does not currently support configuring LEDs
in non-zero LED groups.
Fix this.
Fixes: 32d617005475a71e ("net: dsa: realtek: add LED drivers for rtl8366rb")
Signed-off-by: Marek Behún <kabel@kernel.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20260311111237.29002-1-kabel@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/realtek/rtl8366rb-leds.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/dsa/realtek/rtl8366rb-leds.c b/drivers/net/dsa/realtek/rtl8366rb-leds.c
index 99c890681ae60..509ffd3f8db5c 100644
--- a/drivers/net/dsa/realtek/rtl8366rb-leds.c
+++ b/drivers/net/dsa/realtek/rtl8366rb-leds.c
@@ -12,11 +12,11 @@ static inline u32 rtl8366rb_led_group_port_mask(u8 led_group, u8 port)
case 0:
return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port));
case 1:
- return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port));
+ return FIELD_PREP(RTL8366RB_LED_X_1_CTRL_MASK, BIT(port));
case 2:
- return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port));
+ return FIELD_PREP(RTL8366RB_LED_2_X_CTRL_MASK, BIT(port));
case 3:
- return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port));
+ return FIELD_PREP(RTL8366RB_LED_X_3_CTRL_MASK, BIT(port));
default:
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 158/567] bpf: export bpf_link_inc_not_zero.
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 157/567] xen/acpi-processor: fix _CST detection using undersized evaluation buffer Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 159/567] bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim Greg Kroah-Hartman
` (219 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kui-Feng Lee, Martin KaFai Lau,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kui-Feng Lee <thinker.li@gmail.com>
[ Upstream commit 67c3e8353f45c27800eecc46e00e8272f063f7d1 ]
bpf_link_inc_not_zero() will be used by kernel modules. We will use it in
bpf_testmod.c later.
Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
Link: https://lore.kernel.org/r/20240530065946.979330-5-thinker.li@gmail.com
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Stable-dep-of: 56145d237385 ("bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/bpf.h | 6 ++++++
kernel/bpf/syscall.c | 3 ++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 0af6b2a5273ad..1021156886272 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -2231,6 +2231,7 @@ int bpf_link_prime(struct bpf_link *link, struct bpf_link_primer *primer);
int bpf_link_settle(struct bpf_link_primer *primer);
void bpf_link_cleanup(struct bpf_link_primer *primer);
void bpf_link_inc(struct bpf_link *link);
+struct bpf_link *bpf_link_inc_not_zero(struct bpf_link *link);
void bpf_link_put(struct bpf_link *link);
int bpf_link_new_fd(struct bpf_link *link);
struct bpf_link *bpf_link_get_from_fd(u32 ufd);
@@ -2586,6 +2587,11 @@ static inline void bpf_link_inc(struct bpf_link *link)
{
}
+static inline struct bpf_link *bpf_link_inc_not_zero(struct bpf_link *link)
+{
+ return NULL;
+}
+
static inline void bpf_link_put(struct bpf_link *link)
{
}
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 63cf5a221081b..2207f9e7a5674 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -5219,10 +5219,11 @@ static int link_detach(union bpf_attr *attr)
return ret;
}
-static struct bpf_link *bpf_link_inc_not_zero(struct bpf_link *link)
+struct bpf_link *bpf_link_inc_not_zero(struct bpf_link *link)
{
return atomic64_fetch_add_unless(&link->refcnt, 1, 0) ? link : ERR_PTR(-ENOENT);
}
+EXPORT_SYMBOL(bpf_link_inc_not_zero);
struct bpf_link *bpf_link_by_id(u32 id)
{
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 096/481] ARM: clean up the memset64() C wrapper
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 095/481] selftests: mptcp: join: check removing signal+subflow endp Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 097/481] platform/x86: thinkpad_acpi: Fix errors reading battery thresholds Greg Kroah-Hartman
` (219 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Linus Torvalds, Ben Hutchings
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
commit b52343d1cb47bb27ca32a3f4952cc2fd3cd165bf upstream.
The current logic to split the 64-bit argument into its 32-bit halves is
byte-order specific and a bit clunky. Use a union instead which is
easier to read and works in all cases.
GCC still generates the same machine code.
While at it, rename the arguments of the __memset64() prototype to
actually reflect their semantics.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Reported-by: Ben Hutchings <ben@decadent.org.uk> # for -stable
Link: https://lore.kernel.org/all/1a11526ae3d8664f705b541b8d6ea57b847b49a8.camel@decadent.org.uk/
Suggested-by: https://lore.kernel.org/all/aZonkWMwpbFhzDJq@casper.infradead.org/ # for -stable
Link: https://lore.kernel.org/all/aZonkWMwpbFhzDJq@casper.infradead.org/
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/include/asm/string.h | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/arch/arm/include/asm/string.h
+++ b/arch/arm/include/asm/string.h
@@ -39,13 +39,17 @@ static inline void *memset32(uint32_t *p
}
#define __HAVE_ARCH_MEMSET64
-extern void *__memset64(uint64_t *, uint32_t low, __kernel_size_t, uint32_t hi);
+extern void *__memset64(uint64_t *, uint32_t first, __kernel_size_t, uint32_t second);
static inline void *memset64(uint64_t *p, uint64_t v, __kernel_size_t n)
{
- if (IS_ENABLED(CONFIG_CPU_LITTLE_ENDIAN))
- return __memset64(p, v, n * 8, v >> 32);
- else
- return __memset64(p, v >> 32, n * 8, v);
+ union {
+ uint64_t val;
+ struct {
+ uint32_t first, second;
+ };
+ } word = { .val = v };
+
+ return __memset64(p, word.first, n * 8, word.second);
}
/*
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 083/460] octeontx2-af: devlink: fix NIX RAS reporter recovery condition
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 082/460] net: dsa: realtek: Fix LED group port bit for non-zero LED group Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 084/460] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status Greg Kroah-Hartman
` (219 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit dc26ca99b835e21e76a58b1463b84adb0ca34f58 ]
The NIX RAS health reporter recovery routine checks nix_af_rvu_int to
decide whether to re-enable NIX_AF_RAS interrupts. This is the RVU
interrupt status field and is unrelated to RAS events, so the recovery
flow may incorrectly skip re-enabling NIX_AF_RAS interrupts.
Check nix_af_rvu_ras instead before writing NIX_AF_RAS_ENA_W1S.
Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20260310184824.1183651-1-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
index 06f778baaeef2..79ab91de90e47 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
@@ -475,7 +475,7 @@ static int rvu_hw_nix_ras_recover(struct devlink_health_reporter *reporter,
if (blkaddr < 0)
return blkaddr;
- if (nix_event_ctx->nix_af_rvu_int)
+ if (nix_event_ctx->nix_af_rvu_ras)
rvu_write64(rvu, blkaddr, NIX_AF_RAS_ENA_W1S, ~0ULL);
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 159/567] bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 158/567] bpf: export bpf_link_inc_not_zero Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 160/567] smb/client: fix buffer size for smb311_posix_qinfo in smb2_compound_op() Greg Kroah-Hartman
` (218 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kaiyan Mei, Lang Xu,
Martin KaFai Lau, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lang Xu <xulang@uniontech.com>
[ Upstream commit 56145d237385ca0e7ca9ff7b226aaf2eb8ef368b ]
The root cause of this bug is that when 'bpf_link_put' reduces the
refcount of 'shim_link->link.link' to zero, the resource is considered
released but may still be referenced via 'tr->progs_hlist' in
'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in
'bpf_shim_tramp_link_release' is deferred. During this window, another
process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.
Based on Martin KaFai Lau's suggestions, I have created a simple patch.
To fix this:
Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'.
Only increment the refcount if it is not already zero.
Testing:
I verified the fix by adding a delay in
'bpf_shim_tramp_link_release' to make the bug easier to trigger:
static void bpf_shim_tramp_link_release(struct bpf_link *link)
{
/* ... */
if (!shim_link->trampoline)
return;
+ msleep(100);
WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link,
shim_link->trampoline, NULL));
bpf_trampoline_put(shim_link->trampoline);
}
Before the patch, running a PoC easily reproduced the crash(almost 100%)
with a call trace similar to KaiyanM's report.
After the patch, the bug no longer occurs even after millions of
iterations.
Fixes: 69fd337a975c ("bpf: per-cgroup lsm flavor")
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Closes: https://lore.kernel.org/bpf/3c4ebb0b.46ff8.19abab8abe2.Coremail.kaiyanm@hust.edu.cn/
Signed-off-by: Lang Xu <xulang@uniontech.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://patch.msgid.link/279EEE1BA1DDB49D+20260303095217.34436-1-xulang@uniontech.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/trampoline.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
index e48791442acc5..6f7968d3704eb 100644
--- a/kernel/bpf/trampoline.c
+++ b/kernel/bpf/trampoline.c
@@ -701,10 +701,8 @@ int bpf_trampoline_link_cgroup_shim(struct bpf_prog *prog,
mutex_lock(&tr->mutex);
shim_link = cgroup_shim_find(tr, bpf_func);
- if (shim_link) {
+ if (shim_link && !IS_ERR(bpf_link_inc_not_zero(&shim_link->link.link))) {
/* Reusing existing shim attached by the other program. */
- bpf_link_inc(&shim_link->link.link);
-
mutex_unlock(&tr->mutex);
bpf_trampoline_put(tr); /* bpf_trampoline_get above */
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 097/481] platform/x86: thinkpad_acpi: Fix errors reading battery thresholds
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 096/481] ARM: clean up the memset64() C wrapper Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 098/481] net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in ALE table Greg Kroah-Hartman
` (218 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Teh, Mark Pearson,
Ilpo Järvinen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Teh <jonathan.teh@outlook.com>
[ Upstream commit 53e977b1d50c46f2c4ec3865cd13a822f58ad3cd ]
Check whether the battery supports the relevant charge threshold before
reading the value to silence these errors:
thinkpad_acpi: acpi_evalf(BCTG, dd, ...) failed: AE_NOT_FOUND
ACPI: \_SB_.PCI0.LPC_.EC__.HKEY: BCTG: evaluate failed
thinkpad_acpi: acpi_evalf(BCSG, dd, ...) failed: AE_NOT_FOUND
ACPI: \_SB_.PCI0.LPC_.EC__.HKEY: BCSG: evaluate failed
when reading the charge thresholds via sysfs on platforms that do not
support them such as the ThinkPad T400.
Fixes: 2801b9683f74 ("thinkpad_acpi: Add support for battery thresholds")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=202619
Signed-off-by: Jonathan Teh <jonathan.teh@outlook.com>
Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Link: https://patch.msgid.link/MI0P293MB01967B206E1CA6F337EBFB12926CA@MI0P293MB0196.ITAP293.PROD.OUTLOOK.COM
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/thinkpad_acpi.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
index c0977ffec96c4..3f2098e686f73 100644
--- a/drivers/platform/x86/thinkpad_acpi.c
+++ b/drivers/platform/x86/thinkpad_acpi.c
@@ -9643,14 +9643,16 @@ static int tpacpi_battery_get(int what, int battery, int *ret)
{
switch (what) {
case THRESHOLD_START:
- if ACPI_FAILURE(tpacpi_battery_acpi_eval(GET_START, ret, battery))
+ if (!battery_info.batteries[battery].start_support ||
+ ACPI_FAILURE(tpacpi_battery_acpi_eval(GET_START, ret, battery)))
return -ENODEV;
/* The value is in the low 8 bits of the response */
*ret = *ret & 0xFF;
return 0;
case THRESHOLD_STOP:
- if ACPI_FAILURE(tpacpi_battery_acpi_eval(GET_STOP, ret, battery))
+ if (!battery_info.batteries[battery].stop_support ||
+ ACPI_FAILURE(tpacpi_battery_acpi_eval(GET_STOP, ret, battery)))
return -ENODEV;
/* Value is in lower 8 bits */
*ret = *ret & 0xFF;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 084/460] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 083/460] octeontx2-af: devlink: fix NIX RAS reporter recovery condition Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 085/460] net: prevent NULL deref in ip[6]tunnel_xmit() Greg Kroah-Hartman
` (218 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 87f7dff3ec75b91def0024ebaaf732457f47a63b ]
The NIX RAS health report path uses nix_af_rvu_err when handling the
NIX_AF_RVU_RAS case, so the report prints the ERR interrupt status rather
than the RAS interrupt status.
Use nix_af_rvu_ras for the NIX_AF_RVU_RAS report.
Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20260310184824.1183651-2-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
index 79ab91de90e47..6f8914431de4f 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
@@ -327,10 +327,10 @@ static int rvu_nix_report_show(struct devlink_fmsg *fmsg, void *ctx,
rvu_report_pair_end(fmsg);
break;
case NIX_AF_RVU_RAS:
- intr_val = nix_event_context->nix_af_rvu_err;
+ intr_val = nix_event_context->nix_af_rvu_ras;
rvu_report_pair_start(fmsg, "NIX_AF_RAS");
devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ",
- nix_event_context->nix_af_rvu_err);
+ nix_event_context->nix_af_rvu_ras);
devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:");
if (intr_val & BIT_ULL(34))
devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S");
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 160/567] smb/client: fix buffer size for smb311_posix_qinfo in smb2_compound_op()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 159/567] bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 161/567] smb/client: fix buffer size for smb311_posix_qinfo in SMB311_posix_query_info() Greg Kroah-Hartman
` (217 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ChenXiaoSong, ZhangGuoDong,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZhangGuoDong <zhangguodong@kylinos.cn>
[ Upstream commit 12c43a062acb0ac137fc2a4a106d4d084b8c5416 ]
Use `sizeof(struct smb311_posix_qinfo)` instead of sizeof its pointer,
so the allocated buffer matches the actual struct size.
Fixes: 6a5f6592a0b6 ("SMB311: Add support for query info using posix extensions (level 100)")
Reported-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: ZhangGuoDong <zhangguodong@kylinos.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/smb2inode.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
index d6086394d0b84..c576d82799acb 100644
--- a/fs/smb/client/smb2inode.c
+++ b/fs/smb/client/smb2inode.c
@@ -315,7 +315,7 @@ static int smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon,
cfile->fid.volatile_fid,
SMB_FIND_FILE_POSIX_INFO,
SMB2_O_INFO_FILE, 0,
- sizeof(struct smb311_posix_qinfo *) +
+ sizeof(struct smb311_posix_qinfo) +
(PATH_MAX * 2) +
(sizeof(struct smb_sid) * 2), 0, NULL);
} else {
@@ -325,7 +325,7 @@ static int smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon,
COMPOUND_FID,
SMB_FIND_FILE_POSIX_INFO,
SMB2_O_INFO_FILE, 0,
- sizeof(struct smb311_posix_qinfo *) +
+ sizeof(struct smb311_posix_qinfo) +
(PATH_MAX * 2) +
(sizeof(struct smb_sid) * 2), 0, NULL);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 098/481] net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in ALE table
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 097/481] platform/x86: thinkpad_acpi: Fix errors reading battery thresholds Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 099/481] net: dpaa2: replace dpaa2_mac_is_type_fixed() with dpaa2_mac_is_type_phy() Greg Kroah-Hartman
` (217 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chintan Vankar, Simon Horman,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chintan Vankar <c-vankar@ti.com>
[ Upstream commit be11a537224d72b906db6b98510619770298c8a4 ]
In the current implementation, flushing multicast entries in MAC mode
incorrectly deletes entries for all ports instead of only the target port,
disrupting multicast traffic on other ports. The cause is adding multicast
entries by setting only host port bit, and not setting the MAC port bits.
Fix this by setting the MAC port's bit in the port mask while adding the
multicast entry. Also fix the flush logic to preserve the host port bit
during removal of MAC port and free ALE entries when mask contains only
host port.
Fixes: 5c50a856d550 ("drivers: net: ethernet: cpsw: add multicast address to ALE table")
Signed-off-by: Chintan Vankar <c-vankar@ti.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260224181359.2055322-1-c-vankar@ti.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +-
drivers/net/ethernet/ti/cpsw_ale.c | 9 ++++-----
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
index a0a9e4e13e77b..d04a05e959bbb 100644
--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
@@ -257,7 +257,7 @@ static void am65_cpsw_nuss_ndo_slave_set_rx_mode(struct net_device *ndev)
cpsw_ale_set_allmulti(common->ale,
ndev->flags & IFF_ALLMULTI, port->port_id);
- port_mask = ALE_PORT_HOST;
+ port_mask = BIT(port->port_id) | ALE_PORT_HOST;
/* Clear all mcast from ALE */
cpsw_ale_flush_multicast(common->ale, port_mask, -1);
diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c
index 3d42ca15e8779..d7c65df7f8c06 100644
--- a/drivers/net/ethernet/ti/cpsw_ale.c
+++ b/drivers/net/ethernet/ti/cpsw_ale.c
@@ -422,14 +422,13 @@ static void cpsw_ale_flush_mcast(struct cpsw_ale *ale, u32 *ale_entry,
ale->port_mask_bits);
if ((mask & port_mask) == 0)
return; /* ports dont intersect, not interested */
- mask &= ~port_mask;
+ mask &= (~port_mask | ALE_PORT_HOST);
- /* free if only remaining port is host port */
- if (mask)
+ if (mask == 0x0 || mask == ALE_PORT_HOST)
+ cpsw_ale_set_entry_type(ale_entry, ALE_TYPE_FREE);
+ else
cpsw_ale_set_port_mask(ale_entry, mask,
ale->port_mask_bits);
- else
- cpsw_ale_set_entry_type(ale_entry, ALE_TYPE_FREE);
}
int cpsw_ale_flush_multicast(struct cpsw_ale *ale, int port_mask, int vid)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 085/460] net: prevent NULL deref in ip[6]tunnel_xmit()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 084/460] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 086/460] iio: imu: inv-mpu9150: fix irq ack preventing irq storms Greg Kroah-Hartman
` (217 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Weiming Shi,
Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit c38b8f5f791ecce13ab77e2257f8fd2444ba80f6 ]
Blamed commit missed that both functions can be called with dev == NULL.
Also add unlikely() hints for these conditions that only fuzzers can hit.
Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions")
Signed-off-by: Eric Dumazet <edumazet@google.com>
CC: Weiming Shi <bestswngs@gmail.com>
Link: https://patch.msgid.link/20260312043908.2790803-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/ip6_tunnel.h | 10 ++++++----
net/ipv4/ip_tunnel_core.c | 10 ++++++----
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h
index dfdb4dba5be8f..17913fca5445a 100644
--- a/include/net/ip6_tunnel.h
+++ b/include/net/ip6_tunnel.h
@@ -156,10 +156,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb,
{
int pkt_len, err;
- if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
- net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
- dev->name);
- DEV_STATS_INC(dev, tx_errors);
+ if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) {
+ if (dev) {
+ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
+ dev->name);
+ DEV_STATS_INC(dev, tx_errors);
+ }
kfree_skb(skb);
return;
}
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index 53d02602c17a3..507f2f9ec400c 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -57,10 +57,12 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
struct iphdr *iph;
int err;
- if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
- net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
- dev->name);
- DEV_STATS_INC(dev, tx_errors);
+ if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) {
+ if (dev) {
+ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
+ dev->name);
+ DEV_STATS_INC(dev, tx_errors);
+ }
ip_rt_put(rt);
kfree_skb(skb);
return;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 161/567] smb/client: fix buffer size for smb311_posix_qinfo in SMB311_posix_query_info()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 160/567] smb/client: fix buffer size for smb311_posix_qinfo in smb2_compound_op() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 162/567] ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() Greg Kroah-Hartman
` (216 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ChenXiaoSong, ZhangGuoDong,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZhangGuoDong <zhangguodong@kylinos.cn>
[ Upstream commit 9621b996e4db1dbc2b3dc5d5910b7d6179397320 ]
SMB311_posix_query_info() is currently unused, but it may still be used in
some stable versions, so these changes are submitted as a separate patch.
Use `sizeof(struct smb311_posix_qinfo)` instead of sizeof its pointer,
so the allocated buffer matches the actual struct size.
Fixes: b1bc1874b885 ("smb311: Add support for SMB311 query info (non-compounded)")
Reported-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: ZhangGuoDong <zhangguodong@kylinos.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
index d1d332f08883a..094f431e428fa 100644
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -3927,7 +3927,7 @@ int
SMB311_posix_query_info(const unsigned int xid, struct cifs_tcon *tcon,
u64 persistent_fid, u64 volatile_fid, struct smb311_posix_qinfo *data, u32 *plen)
{
- size_t output_len = sizeof(struct smb311_posix_qinfo *) +
+ size_t output_len = sizeof(struct smb311_posix_qinfo) +
(sizeof(struct smb_sid) * 2) + (PATH_MAX * 2);
*plen = 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 099/481] net: dpaa2: replace dpaa2_mac_is_type_fixed() with dpaa2_mac_is_type_phy()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 098/481] net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in ALE table Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 100/481] net: dpaa2-switch: assign port_priv->mac after dpaa2_mac_connect() call Greg Kroah-Hartman
` (216 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Andrew Lunn,
Ioana Ciornei, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit 320fefa9e2edc67011e235ea1d50f0d00ddfe004 ]
dpaa2_mac_is_type_fixed() is a header with no implementation and no
callers, which is referenced from the documentation though. It can be
deleted.
On the other hand, it would be useful to reuse the code between
dpaa2_eth_is_type_phy() and dpaa2_switch_port_is_type_phy(). That common
code should be called dpaa2_mac_is_type_phy(), so let's create that.
The removal and the addition are merged into the same patch because,
in fact, is_type_phy() is the logical opposite of is_type_fixed().
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Tested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 74badb9c20b1 ("dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/freescale/dpaa2/mac-phy-support.rst | 9 ++++++---
drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h | 7 +------
drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.h | 10 ++++++++--
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.h | 7 +------
4 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/Documentation/networking/device_drivers/ethernet/freescale/dpaa2/mac-phy-support.rst b/Documentation/networking/device_drivers/ethernet/freescale/dpaa2/mac-phy-support.rst
index 51e6624fb7741..1d2f55feca242 100644
--- a/Documentation/networking/device_drivers/ethernet/freescale/dpaa2/mac-phy-support.rst
+++ b/Documentation/networking/device_drivers/ethernet/freescale/dpaa2/mac-phy-support.rst
@@ -181,10 +181,13 @@ when necessary using the below listed API::
- int dpaa2_mac_connect(struct dpaa2_mac *mac);
- void dpaa2_mac_disconnect(struct dpaa2_mac *mac);
-A phylink integration is necessary only when the partner DPMAC is not of TYPE_FIXED.
-One can check for this condition using the below API::
+A phylink integration is necessary only when the partner DPMAC is not of
+``TYPE_FIXED``. This means it is either of ``TYPE_PHY``, or of
+``TYPE_BACKPLANE`` (the difference being the two that in the ``TYPE_BACKPLANE``
+mode, the MC firmware does not access the PCS registers). One can check for
+this condition using the following helper::
- - bool dpaa2_mac_is_type_fixed(struct fsl_mc_device *dpmac_dev,struct fsl_mc_io *mc_io);
+ - static inline bool dpaa2_mac_is_type_phy(struct dpaa2_mac *mac);
Before connection to a MAC, the caller must allocate and populate the
dpaa2_mac structure with the associated net_device, a pointer to the MC portal
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h
index e703846adc9f0..9c8d888b10b01 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h
@@ -733,12 +733,7 @@ static inline unsigned int dpaa2_eth_rx_head_room(struct dpaa2_eth_priv *priv)
static inline bool dpaa2_eth_is_type_phy(struct dpaa2_eth_priv *priv)
{
- if (priv->mac &&
- (priv->mac->attr.link_type == DPMAC_LINK_TYPE_PHY ||
- priv->mac->attr.link_type == DPMAC_LINK_TYPE_BACKPLANE))
- return true;
-
- return false;
+ return dpaa2_mac_is_type_phy(priv->mac);
}
static inline bool dpaa2_eth_has_mac(struct dpaa2_eth_priv *priv)
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.h b/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.h
index a58cab188a99a..c1ec9efd413ac 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.h
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.h
@@ -30,8 +30,14 @@ struct dpaa2_mac {
struct phy *serdes_phy;
};
-bool dpaa2_mac_is_type_fixed(struct fsl_mc_device *dpmac_dev,
- struct fsl_mc_io *mc_io);
+static inline bool dpaa2_mac_is_type_phy(struct dpaa2_mac *mac)
+{
+ if (!mac)
+ return false;
+
+ return mac->attr.link_type == DPMAC_LINK_TYPE_PHY ||
+ mac->attr.link_type == DPMAC_LINK_TYPE_BACKPLANE;
+}
int dpaa2_mac_open(struct dpaa2_mac *mac);
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.h b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.h
index 0002dca4d4177..9898073abe012 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.h
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.h
@@ -230,12 +230,7 @@ static inline bool dpaa2_switch_supports_cpu_traffic(struct ethsw_core *ethsw)
static inline bool
dpaa2_switch_port_is_type_phy(struct ethsw_port_priv *port_priv)
{
- if (port_priv->mac &&
- (port_priv->mac->attr.link_type == DPMAC_LINK_TYPE_PHY ||
- port_priv->mac->attr.link_type == DPMAC_LINK_TYPE_BACKPLANE))
- return true;
-
- return false;
+ return dpaa2_mac_is_type_phy(port_priv->mac);
}
static inline bool dpaa2_switch_port_has_mac(struct ethsw_port_priv *port_priv)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 086/460] iio: imu: inv-mpu9150: fix irq ack preventing irq storms
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 085/460] net: prevent NULL deref in ip[6]tunnel_xmit() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 087/460] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() Greg Kroah-Hartman
` (216 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andreas Kemnade,
Jean-Baptiste Maneyrol, Jonathan Cameron, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Kemnade <andreas@kemnade.info>
[ Upstream commit d23d763e00ace4e9c59f8d33e0713d401133ba88 ]
IRQ needs to be acked. for some odd reasons, reading from irq status does
not reliable help, enable acking from any register to be on the safe side
and read the irq status register. Comments in the code indicate a known
unreliability with that register.
The blamed commit was tested with mpu6050 in lg,p895 and lg,p880 according
to Tested-bys. But with the MPU9150 in the Epson Moverio BT-200 this leads
to irq storms without properly acking the irq.
Fixes: 0a3b517c8089 ("iio: imu: inv_mpu6050: fix interrupt status read for old buggy chips")
Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
Acked-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 8 ++++++++
drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 2 ++
drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c | 5 ++++-
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
index 14d95f34e981c..6afc78810820d 100644
--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
+++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
@@ -1922,6 +1922,14 @@ int inv_mpu_core_probe(struct regmap *regmap, int irq, const char *name,
irq_type);
return -EINVAL;
}
+
+ /*
+ * Acking interrupts by status register does not work reliably
+ * but seem to work when this bit is set.
+ */
+ if (st->chip_type == INV_MPU9150)
+ st->irq_mask |= INV_MPU6050_INT_RD_CLEAR;
+
device_set_wakeup_capable(dev, true);
st->vdd_supply = devm_regulator_get(dev, "vdd");
diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h
index e1c0c51468761..e3618ca3fadd9 100644
--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h
+++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h
@@ -387,6 +387,8 @@ struct inv_mpu6050_state {
/* enable level triggering */
#define INV_MPU6050_LATCH_INT_EN 0x20
#define INV_MPU6050_BIT_BYPASS_EN 0x2
+/* allow acking interrupts by any register read */
+#define INV_MPU6050_INT_RD_CLEAR 0x10
/* Allowed timestamp period jitter in percent */
#define INV_MPU6050_TS_PERIOD_JITTER 4
diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c
index 5b1088cc3704f..c60e4109ed1dc 100644
--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c
+++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c
@@ -249,7 +249,6 @@ static irqreturn_t inv_mpu6050_interrupt_handle(int irq, void *p)
switch (st->chip_type) {
case INV_MPU6000:
case INV_MPU6050:
- case INV_MPU9150:
/*
* WoM is not supported and interrupt status read seems to be broken for
* some chips. Since data ready is the only interrupt, bypass interrupt
@@ -258,6 +257,10 @@ static irqreturn_t inv_mpu6050_interrupt_handle(int irq, void *p)
wom_bits = 0;
int_status = INV_MPU6050_BIT_RAW_DATA_RDY_INT;
goto data_ready_interrupt;
+ case INV_MPU9150:
+ /* IRQ needs to be acked */
+ wom_bits = 0;
+ break;
case INV_MPU6500:
case INV_MPU6515:
case INV_MPU6880:
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 162/567] ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 161/567] smb/client: fix buffer size for smb311_posix_qinfo in SMB311_posix_query_info() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 163/567] amd-xgbe: fix sleep while atomic on suspend/resume Greg Kroah-Hartman
` (215 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Ahern, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 2ffb4f5c2ccb2fa1c049dd11899aee7967deef5a ]
l3mdev_master_dev_rcu() can return NULL when the slave device is being
un-slaved from a VRF. All other callers deal with this, but we lost
the fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu()
with commit 4832c30d5458 ("net: ipv6: put host and anycast routes on
device with address").
KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418)
Call Trace:
ip6_pol_route (net/ipv6/route.c:2318)
fib6_rule_lookup (net/ipv6/fib6_rules.c:115)
ip6_route_output_flags (net/ipv6/route.c:2607)
vrf_process_v6_outbound (drivers/net/vrf.c:437)
I was tempted to rework the un-slaving code to clear the flag first
and insert synchronize_rcu() before we remove the upper. But looks like
the explicit fallback to loopback_dev is an established pattern.
And I guess avoiding the synchronize_rcu() is nice, too.
Fixes: 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address")
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260301194548.927324-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/route.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index ad452a04d7299..72853ef73e821 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1065,7 +1065,8 @@ static struct net_device *ip6_rt_get_dev_rcu(const struct fib6_result *res)
*/
if (netif_is_l3_slave(dev) &&
!rt6_need_strict(&res->f6i->fib6_dst.addr))
- dev = l3mdev_master_dev_rcu(dev);
+ dev = l3mdev_master_dev_rcu(dev) ? :
+ dev_net(dev)->loopback_dev;
else if (!netif_is_l3_master(dev))
dev = dev_net(dev)->loopback_dev;
/* last case is netif_is_l3_master(dev) is true in which
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 100/481] net: dpaa2-switch: assign port_priv->mac after dpaa2_mac_connect() call
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 099/481] net: dpaa2: replace dpaa2_mac_is_type_fixed() with dpaa2_mac_is_type_phy() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 101/481] net: dpaa2-switch replace direct MAC access with dpaa2_switch_port_has_mac() Greg Kroah-Hartman
` (215 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Ioana Ciornei,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit 88d64367cea019fa6197d0d97a85ac90279919b7 ]
The dpaa2-switch has the exact same locking requirements when connected
to a DPMAC, so it needs port_priv->mac to always point either to NULL,
or to a DPMAC with a fully initialized phylink instance.
Make the same preparatory change in the dpaa2-switch driver as in the
dpaa2-eth one.
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Tested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 74badb9c20b1 ("dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/freescale/dpaa2/dpaa2-switch.c | 21 +++++++++++--------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
index 1e8ce5db867b4..371f53a100e84 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
@@ -1460,9 +1460,8 @@ static int dpaa2_switch_port_connect_mac(struct ethsw_port_priv *port_priv)
err = dpaa2_mac_open(mac);
if (err)
goto err_free_mac;
- port_priv->mac = mac;
- if (dpaa2_switch_port_is_type_phy(port_priv)) {
+ if (dpaa2_mac_is_type_phy(mac)) {
err = dpaa2_mac_connect(mac);
if (err) {
netdev_err(port_priv->netdev,
@@ -1472,11 +1471,12 @@ static int dpaa2_switch_port_connect_mac(struct ethsw_port_priv *port_priv)
}
}
+ port_priv->mac = mac;
+
return 0;
err_close_mac:
dpaa2_mac_close(mac);
- port_priv->mac = NULL;
err_free_mac:
kfree(mac);
out_put_device:
@@ -1486,15 +1486,18 @@ static int dpaa2_switch_port_connect_mac(struct ethsw_port_priv *port_priv)
static void dpaa2_switch_port_disconnect_mac(struct ethsw_port_priv *port_priv)
{
- if (dpaa2_switch_port_is_type_phy(port_priv))
- dpaa2_mac_disconnect(port_priv->mac);
+ struct dpaa2_mac *mac = port_priv->mac;
- if (!dpaa2_switch_port_has_mac(port_priv))
+ port_priv->mac = NULL;
+
+ if (!mac)
return;
- dpaa2_mac_close(port_priv->mac);
- kfree(port_priv->mac);
- port_priv->mac = NULL;
+ if (dpaa2_mac_is_type_phy(mac))
+ dpaa2_mac_disconnect(mac);
+
+ dpaa2_mac_close(mac);
+ kfree(mac);
}
static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 087/460] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 086/460] iio: imu: inv-mpu9150: fix irq ack preventing irq storms Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 088/460] Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on" Greg Kroah-Hartman
` (215 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Seungjin Bae, Alan Stern,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seungjin Bae <eeodqql09@gmail.com>
[ Upstream commit 8479891d1f04a8ce55366fe4ca361ccdb96f02e1 ]
The `check_command_size_in_blocks()` function calculates the data size
in bytes by left shifting `common->data_size_from_cmnd` by the block
size (`common->curlun->blkbits`). However, it does not validate whether
this shift operation will cause an integer overflow.
Initially, the block size is set up in `fsg_lun_open()` , and the
`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During
initialization, there is no integer overflow check for the interaction
between two variables.
So if a malicious USB host sends a SCSI READ or WRITE command
requesting a large amount of data (`common->data_size_from_cmnd`), the
left shift operation can wrap around. This results in a truncated data
size, which can bypass boundary checks and potentially lead to memory
corruption or out-of-bounds accesses.
Fix this by using the check_shl_overflow() macro to safely perform the
shift and catch any overflows.
Fixes: 144974e7f9e3 ("usb: gadget: mass_storage: support multi-luns with different logic block size")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20260228104324.1696455-2-eeodqql09@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/f_mass_storage.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c
index 08e0d1c511e8d..74cb7e57a197c 100644
--- a/drivers/usb/gadget/function/f_mass_storage.c
+++ b/drivers/usb/gadget/function/f_mass_storage.c
@@ -180,6 +180,7 @@
#include <linux/kthread.h>
#include <linux/sched/signal.h>
#include <linux/limits.h>
+#include <linux/overflow.h>
#include <linux/pagemap.h>
#include <linux/rwsem.h>
#include <linux/slab.h>
@@ -1853,8 +1854,15 @@ static int check_command_size_in_blocks(struct fsg_common *common,
int cmnd_size, enum data_direction data_dir,
unsigned int mask, int needs_medium, const char *name)
{
- if (common->curlun)
- common->data_size_from_cmnd <<= common->curlun->blkbits;
+ if (common->curlun) {
+ if (check_shl_overflow(common->data_size_from_cmnd,
+ common->curlun->blkbits,
+ &common->data_size_from_cmnd)) {
+ common->phase_error = 1;
+ return -EINVAL;
+ }
+ }
+
return check_command(common, cmnd_size, data_dir,
mask, needs_medium, name);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 163/567] amd-xgbe: fix sleep while atomic on suspend/resume
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 162/567] ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 164/567] drm/sched: Fix kernel-doc warning for drm_sched_job_done() Greg Kroah-Hartman
` (214 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raju Rangoju, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raju Rangoju <Raju.Rangoju@amd.com>
[ Upstream commit e2f27363aa6d983504c6836dd0975535e2e9dba0 ]
The xgbe_powerdown() and xgbe_powerup() functions use spinlocks
(spin_lock_irqsave) while calling functions that may sleep:
- napi_disable() can sleep waiting for NAPI polling to complete
- flush_workqueue() can sleep waiting for pending work items
This causes a "BUG: scheduling while atomic" error during suspend/resume
cycles on systems using the AMD XGBE Ethernet controller.
The spinlock protection in these functions is unnecessary as these
functions are called from suspend/resume paths which are already serialized
by the PM core
Fix this by removing the spinlock. Since only code that takes this lock
is xgbe_powerdown() and xgbe_powerup(), remove it completely.
Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver")
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Link: https://patch.msgid.link/20260302042124.1386445-1-Raju.Rangoju@amd.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 10 ----------
drivers/net/ethernet/amd/xgbe/xgbe-main.c | 1 -
drivers/net/ethernet/amd/xgbe/xgbe.h | 3 ---
3 files changed, 14 deletions(-)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
index 3d6f8f3a83366..256969ac2cb9e 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
@@ -1181,7 +1181,6 @@ int xgbe_powerdown(struct net_device *netdev, unsigned int caller)
{
struct xgbe_prv_data *pdata = netdev_priv(netdev);
struct xgbe_hw_if *hw_if = &pdata->hw_if;
- unsigned long flags;
DBGPR("-->xgbe_powerdown\n");
@@ -1192,8 +1191,6 @@ int xgbe_powerdown(struct net_device *netdev, unsigned int caller)
return -EINVAL;
}
- spin_lock_irqsave(&pdata->lock, flags);
-
if (caller == XGMAC_DRIVER_CONTEXT)
netif_device_detach(netdev);
@@ -1209,8 +1206,6 @@ int xgbe_powerdown(struct net_device *netdev, unsigned int caller)
pdata->power_down = 1;
- spin_unlock_irqrestore(&pdata->lock, flags);
-
DBGPR("<--xgbe_powerdown\n");
return 0;
@@ -1220,7 +1215,6 @@ int xgbe_powerup(struct net_device *netdev, unsigned int caller)
{
struct xgbe_prv_data *pdata = netdev_priv(netdev);
struct xgbe_hw_if *hw_if = &pdata->hw_if;
- unsigned long flags;
DBGPR("-->xgbe_powerup\n");
@@ -1231,8 +1225,6 @@ int xgbe_powerup(struct net_device *netdev, unsigned int caller)
return -EINVAL;
}
- spin_lock_irqsave(&pdata->lock, flags);
-
pdata->power_down = 0;
xgbe_napi_enable(pdata, 0);
@@ -1247,8 +1239,6 @@ int xgbe_powerup(struct net_device *netdev, unsigned int caller)
xgbe_start_timers(pdata);
- spin_unlock_irqrestore(&pdata->lock, flags);
-
DBGPR("<--xgbe_powerup\n");
return 0;
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-main.c b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
index 0e8698928e4d7..6e8fafb2acbaa 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-main.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
@@ -185,7 +185,6 @@ struct xgbe_prv_data *xgbe_alloc_pdata(struct device *dev)
pdata->netdev = netdev;
pdata->dev = dev;
- spin_lock_init(&pdata->lock);
spin_lock_init(&pdata->xpcs_lock);
mutex_init(&pdata->rss_mutex);
spin_lock_init(&pdata->tstamp_lock);
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h
index a596cd08124fa..82a88d0c15e31 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
+++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
@@ -1083,9 +1083,6 @@ struct xgbe_prv_data {
unsigned int pp3;
unsigned int pp4;
- /* Overall device lock */
- spinlock_t lock;
-
/* XPCS indirect addressing lock */
spinlock_t xpcs_lock;
unsigned int xpcs_window_def_reg;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 101/481] net: dpaa2-switch replace direct MAC access with dpaa2_switch_port_has_mac()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 100/481] net: dpaa2-switch: assign port_priv->mac after dpaa2_mac_connect() call Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 102/481] net: dpaa2-switch: serialize changes to priv->mac with a mutex Greg Kroah-Hartman
` (214 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Ioana Ciornei,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit bc230671bfb25c2d3c225f674fe6c03cea88d22e ]
The helper function will gain a lockdep annotation in a future patch.
Make sure to benefit from it.
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Tested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 74badb9c20b1 ("dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-ethtool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-ethtool.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-ethtool.c
index 720c9230cab57..0b41a945e0fff 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-ethtool.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-ethtool.c
@@ -196,7 +196,7 @@ static void dpaa2_switch_ethtool_get_stats(struct net_device *netdev,
dpaa2_switch_ethtool_counters[i].name, err);
}
- if (port_priv->mac)
+ if (dpaa2_switch_port_has_mac(port_priv))
dpaa2_mac_get_ethtool_stats(port_priv->mac, data + i);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 088/460] Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on"
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 087/460] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 089/460] cgroup: fix race between task migration and iteration Greg Kroah-Hartman
` (214 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marco Mattiolo, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit a7037c3eb0130a6167138e69178895b22758d7f3.
The backport applied regulator-boot-on to vreg_l12a_1p8 (ldo12) instead
of vreg_l14a_1p88 (ldo14) due to identical surrounding context lines.
Reported-by: Marco Mattiolo <marco.mattiolo@hotmail.it>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi
index 934bf9cfc5ac7..56840b6ed6449 100644
--- a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi
+++ b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi
@@ -246,7 +246,6 @@ vreg_l12a_1p8: ldo12 {
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
- regulator-boot-on;
};
vreg_l14a_1p88: ldo14 {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 164/567] drm/sched: Fix kernel-doc warning for drm_sched_job_done()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 163/567] amd-xgbe: fix sleep while atomic on suspend/resume Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 165/567] nvme: reject invalid pr_read_keys() num_keys values Greg Kroah-Hartman
` (213 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yujie Liu, Philipp Stanner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yujie Liu <yujie.liu@intel.com>
[ Upstream commit 61ded1083b264ff67ca8c2de822c66b6febaf9a8 ]
There is a kernel-doc warning for the scheduler:
Warning: drivers/gpu/drm/scheduler/sched_main.c:367 function parameter 'result' not described in 'drm_sched_job_done'
Fix the warning by describing the undocumented error code.
Fixes: 539f9ee4b52a ("drm/scheduler: properly forward fence errors")
Signed-off-by: Yujie Liu <yujie.liu@intel.com>
[phasta: Flesh out commit message]
Signed-off-by: Philipp Stanner <phasta@kernel.org>
Link: https://patch.msgid.link/20260227082452.1802922-1-yujie.liu@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/scheduler/sched_main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c
index 4faa2108c0a73..50716bc5eef63 100644
--- a/drivers/gpu/drm/scheduler/sched_main.c
+++ b/drivers/gpu/drm/scheduler/sched_main.c
@@ -259,6 +259,7 @@ drm_sched_rq_select_entity_fifo(struct drm_sched_rq *rq)
/**
* drm_sched_job_done - complete a job
* @s_job: pointer to the job which is done
+ * @result: 0 on success, -ERRNO on error
*
* Finish the job's fence and wake up the worker thread.
*/
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 102/481] net: dpaa2-switch: serialize changes to priv->mac with a mutex
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 101/481] net: dpaa2-switch replace direct MAC access with dpaa2_switch_port_has_mac() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 103/481] dpaa2-switch: do not clear any interrupts automatically Greg Kroah-Hartman
` (213 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Ioana Ciornei,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit 3c7f44fa9c4c8a9154935ca49e4cf45c14240335 ]
The dpaa2-switch driver uses a DPMAC in the same way as the dpaa2-eth
driver, so we need to duplicate the locking solution established by the
previous change to the switch driver as well.
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Tested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 74badb9c20b1 ("dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../freescale/dpaa2/dpaa2-switch-ethtool.c | 32 +++++++++++++++----
.../ethernet/freescale/dpaa2/dpaa2-switch.c | 31 ++++++++++++++++--
.../ethernet/freescale/dpaa2/dpaa2-switch.h | 2 ++
3 files changed, 55 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-ethtool.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-ethtool.c
index 0b41a945e0fff..dc9f4ad8a061d 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-ethtool.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-ethtool.c
@@ -60,11 +60,18 @@ dpaa2_switch_get_link_ksettings(struct net_device *netdev,
{
struct ethsw_port_priv *port_priv = netdev_priv(netdev);
struct dpsw_link_state state = {0};
- int err = 0;
+ int err;
+
+ mutex_lock(&port_priv->mac_lock);
- if (dpaa2_switch_port_is_type_phy(port_priv))
- return phylink_ethtool_ksettings_get(port_priv->mac->phylink,
- link_ksettings);
+ if (dpaa2_switch_port_is_type_phy(port_priv)) {
+ err = phylink_ethtool_ksettings_get(port_priv->mac->phylink,
+ link_ksettings);
+ mutex_unlock(&port_priv->mac_lock);
+ return err;
+ }
+
+ mutex_unlock(&port_priv->mac_lock);
err = dpsw_if_get_link_state(port_priv->ethsw_data->mc_io, 0,
port_priv->ethsw_data->dpsw_handle,
@@ -99,9 +106,16 @@ dpaa2_switch_set_link_ksettings(struct net_device *netdev,
bool if_running;
int err = 0, ret;
- if (dpaa2_switch_port_is_type_phy(port_priv))
- return phylink_ethtool_ksettings_set(port_priv->mac->phylink,
- link_ksettings);
+ mutex_lock(&port_priv->mac_lock);
+
+ if (dpaa2_switch_port_is_type_phy(port_priv)) {
+ err = phylink_ethtool_ksettings_set(port_priv->mac->phylink,
+ link_ksettings);
+ mutex_unlock(&port_priv->mac_lock);
+ return err;
+ }
+
+ mutex_unlock(&port_priv->mac_lock);
/* Interface needs to be down to change link settings */
if_running = netif_running(netdev);
@@ -196,8 +210,12 @@ static void dpaa2_switch_ethtool_get_stats(struct net_device *netdev,
dpaa2_switch_ethtool_counters[i].name, err);
}
+ mutex_lock(&port_priv->mac_lock);
+
if (dpaa2_switch_port_has_mac(port_priv))
dpaa2_mac_get_ethtool_stats(port_priv->mac, data + i);
+
+ mutex_unlock(&port_priv->mac_lock);
}
const struct ethtool_ops dpaa2_switch_port_ethtool_ops = {
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
index 371f53a100e84..68378d694c5d3 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
@@ -603,8 +603,11 @@ static int dpaa2_switch_port_link_state_update(struct net_device *netdev)
/* When we manage the MAC/PHY using phylink there is no need
* to manually update the netif_carrier.
+ * We can avoid locking because we are called from the "link changed"
+ * IRQ handler, which is the same as the "endpoint changed" IRQ handler
+ * (the writer to port_priv->mac), so we cannot race with it.
*/
- if (dpaa2_switch_port_is_type_phy(port_priv))
+ if (dpaa2_mac_is_type_phy(port_priv->mac))
return 0;
/* Interrupts are received even though no one issued an 'ifconfig up'
@@ -684,6 +687,8 @@ static int dpaa2_switch_port_open(struct net_device *netdev)
struct ethsw_core *ethsw = port_priv->ethsw_data;
int err;
+ mutex_lock(&port_priv->mac_lock);
+
if (!dpaa2_switch_port_is_type_phy(port_priv)) {
/* Explicitly set carrier off, otherwise
* netif_carrier_ok() will return true and cause 'ip link show'
@@ -697,6 +702,7 @@ static int dpaa2_switch_port_open(struct net_device *netdev)
port_priv->ethsw_data->dpsw_handle,
port_priv->idx);
if (err) {
+ mutex_unlock(&port_priv->mac_lock);
netdev_err(netdev, "dpsw_if_enable err %d\n", err);
return err;
}
@@ -708,6 +714,8 @@ static int dpaa2_switch_port_open(struct net_device *netdev)
phylink_start(port_priv->mac->phylink);
}
+ mutex_unlock(&port_priv->mac_lock);
+
return 0;
}
@@ -717,6 +725,8 @@ static int dpaa2_switch_port_stop(struct net_device *netdev)
struct ethsw_core *ethsw = port_priv->ethsw_data;
int err;
+ mutex_lock(&port_priv->mac_lock);
+
if (dpaa2_switch_port_is_type_phy(port_priv)) {
phylink_stop(port_priv->mac->phylink);
dpaa2_mac_stop(port_priv->mac);
@@ -725,6 +735,8 @@ static int dpaa2_switch_port_stop(struct net_device *netdev)
netif_carrier_off(netdev);
}
+ mutex_unlock(&port_priv->mac_lock);
+
err = dpsw_if_disable(port_priv->ethsw_data->mc_io, 0,
port_priv->ethsw_data->dpsw_handle,
port_priv->idx);
@@ -1471,7 +1483,9 @@ static int dpaa2_switch_port_connect_mac(struct ethsw_port_priv *port_priv)
}
}
+ mutex_lock(&port_priv->mac_lock);
port_priv->mac = mac;
+ mutex_unlock(&port_priv->mac_lock);
return 0;
@@ -1486,9 +1500,12 @@ static int dpaa2_switch_port_connect_mac(struct ethsw_port_priv *port_priv)
static void dpaa2_switch_port_disconnect_mac(struct ethsw_port_priv *port_priv)
{
- struct dpaa2_mac *mac = port_priv->mac;
+ struct dpaa2_mac *mac;
+ mutex_lock(&port_priv->mac_lock);
+ mac = port_priv->mac;
port_priv->mac = NULL;
+ mutex_unlock(&port_priv->mac_lock);
if (!mac)
return;
@@ -1507,6 +1524,7 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg)
struct ethsw_port_priv *port_priv;
u32 status = ~0;
int err, if_id;
+ bool had_mac;
err = dpsw_get_irq_status(ethsw->mc_io, 0, ethsw->dpsw_handle,
DPSW_IRQ_INDEX_IF, &status);
@@ -1529,7 +1547,12 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg)
if (status & DPSW_IRQ_EVENT_ENDPOINT_CHANGED) {
rtnl_lock();
- if (dpaa2_switch_port_has_mac(port_priv))
+ /* We can avoid locking because the "endpoint changed" IRQ
+ * handler is the only one who changes priv->mac at runtime,
+ * so we are not racing with anyone.
+ */
+ had_mac = !!port_priv->mac;
+ if (had_mac)
dpaa2_switch_port_disconnect_mac(port_priv);
else
dpaa2_switch_port_connect_mac(port_priv);
@@ -3279,6 +3302,8 @@ static int dpaa2_switch_probe_port(struct ethsw_core *ethsw,
port_priv->netdev = port_netdev;
port_priv->ethsw_data = ethsw;
+ mutex_init(&port_priv->mac_lock);
+
port_priv->idx = port_idx;
port_priv->stp_state = BR_STATE_FORWARDING;
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.h b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.h
index 9898073abe012..42b3ca73f55d5 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.h
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.h
@@ -161,6 +161,8 @@ struct ethsw_port_priv {
struct dpaa2_switch_filter_block *filter_block;
struct dpaa2_mac *mac;
+ /* Protects against changes to port_priv->mac */
+ struct mutex mac_lock;
};
/* Switch data */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 089/460] cgroup: fix race between task migration and iteration
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 088/460] Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on" Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 090/460] ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() Greg Kroah-Hartman
` (213 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qingye Zhao, Michal Koutný,
Tejun Heo
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingye Zhao <zhaoqingye@honor.com>
commit 5ee01f1a7343d6a3547b6802ca2d4cdce0edacb1 upstream.
When a task is migrated out of a css_set, cgroup_migrate_add_task()
first moves it from cset->tasks to cset->mg_tasks via:
list_move_tail(&task->cg_list, &cset->mg_tasks);
If a css_task_iter currently has it->task_pos pointing to this task,
css_set_move_task() calls css_task_iter_skip() to keep the iterator
valid. However, since the task has already been moved to ->mg_tasks,
the iterator is advanced relative to the mg_tasks list instead of the
original tasks list. As a result, remaining tasks on cset->tasks, as
well as tasks queued on cset->mg_tasks, can be skipped by iteration.
Fix this by calling css_set_skip_task_iters() before unlinking
task->cg_list from cset->tasks. This advances all active iterators to
the next task on cset->tasks, so iteration continues correctly even
when a task is concurrently being migrated.
This race is hard to hit in practice without instrumentation, but it
can be reproduced by artificially slowing down cgroup_procs_show().
For example, on an Android device a temporary
/sys/kernel/cgroup/cgroup_test knob can be added to inject a delay
into cgroup_procs_show(), and then:
1) Spawn three long-running tasks (PIDs 101, 102, 103).
2) Create a test cgroup and move the tasks into it.
3) Enable a large delay via /sys/kernel/cgroup/cgroup_test.
4) In one shell, read cgroup.procs from the test cgroup.
5) Within the delay window, in another shell migrate PID 102 by
writing it to a different cgroup.procs file.
Under this setup, cgroup.procs can intermittently show only PID 101
while skipping PID 103. Once the migration completes, reading the
file again shows all tasks as expected.
Note that this change does not allow removing the existing
css_set_skip_task_iters() call in css_set_move_task(). The new call
in cgroup_migrate_add_task() only handles iterators that are racing
with migration while the task is still on cset->tasks. Iterators may
also start after the task has been moved to cset->mg_tasks. If we
dropped css_set_skip_task_iters() from css_set_move_task(), such
iterators could keep task_pos pointing to a migrating task, causing
css_task_iter_advance() to malfunction on the destination css_set,
up to and including crashes or infinite loops.
The race window between migration and iteration is very small, and
css_task_iter is not on a hot path. In the worst case, when an
iterator is positioned on the first thread of the migrating process,
cgroup_migrate_add_task() may have to skip multiple tasks via
css_set_skip_task_iters(). However, this only happens when migration
and iteration actually race, so the performance impact is negligible
compared to the correctness fix provided here.
Fixes: b636fd38dc40 ("cgroup: Implement css_task_iter_skip()")
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: Qingye Zhao <zhaoqingye@honor.com>
Reviewed-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/cgroup/cgroup.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -2530,6 +2530,7 @@ static void cgroup_migrate_add_task(stru
mgctx->tset.nr_tasks++;
+ css_set_skip_task_iters(cset, task);
list_move_tail(&task->cg_list, &cset->mg_tasks);
if (list_empty(&cset->mg_node))
list_add_tail(&cset->mg_node,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 165/567] nvme: reject invalid pr_read_keys() num_keys values
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 164/567] drm/sched: Fix kernel-doc warning for drm_sched_job_done() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 166/567] nvme: fix memory allocation in nvme_pr_read_keys() Greg Kroah-Hartman
` (212 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Hajnoczi, Hannes Reinecke,
Christoph Hellwig, Martin K. Petersen, Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Hajnoczi <stefanha@redhat.com>
[ Upstream commit 38ec8469f39e0e96e7dd9b76f05e0f8eb78be681 ]
The pr_read_keys() interface has a u32 num_keys parameter. The NVMe
Reservation Report command has a u32 maximum length. Reject num_keys
values that are too large to fit.
This will become important when pr_read_keys() is exposed to untrusted
userspace via an <linux/pr.h> ioctl.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: c3320153769f ("nvme: fix memory allocation in nvme_pr_read_keys()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pr.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/nvme/host/pr.c b/drivers/nvme/host/pr.c
index 803efc97fd1ea..0636fa4d6f77b 100644
--- a/drivers/nvme/host/pr.c
+++ b/drivers/nvme/host/pr.c
@@ -203,7 +203,8 @@ static int nvme_pr_resv_report(struct block_device *bdev, void *data,
static int nvme_pr_read_keys(struct block_device *bdev,
struct pr_keys *keys_info)
{
- u32 rse_len, num_keys = keys_info->num_keys;
+ size_t rse_len;
+ u32 num_keys = keys_info->num_keys;
struct nvme_reservation_status_ext *rse;
int ret, i;
bool eds;
@@ -213,6 +214,9 @@ static int nvme_pr_read_keys(struct block_device *bdev,
* enough to get enough keys to fill the return keys buffer.
*/
rse_len = struct_size(rse, regctl_eds, num_keys);
+ if (rse_len > U32_MAX)
+ return -EINVAL;
+
rse = kzalloc(rse_len, GFP_KERNEL);
if (!rse)
return -ENOMEM;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 103/481] dpaa2-switch: do not clear any interrupts automatically
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 102/481] net: dpaa2-switch: serialize changes to priv->mac with a mutex Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 104/481] dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler Greg Kroah-Hartman
` (212 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ioana Ciornei, Simon Horman,
David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ioana Ciornei <ioana.ciornei@nxp.com>
[ Upstream commit f6da276479c63ca29774bc331a537b92f0550c45 ]
The DPSW object has multiple event sources multiplexed over the same
IRQ. The driver has the capability to configure only some of these
events to trigger the IRQ.
The dpsw_get_irq_status() can clear events automatically based on the
value stored in the 'status' variable passed to it. We don't want that
to happen because we could get into a situation when we are clearing
more events than we actually handled.
Just resort to manually clearing the events that we handled. Also, since
status is not used on the out path we remove its initialization to zero.
This change does not have a user-visible effect because the dpaa2-switch
driver enables and handles all the DPSW events which exist at the
moment.
Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 74badb9c20b1 ("dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
index 68378d694c5d3..b29f49ec64049 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
@@ -1522,9 +1522,9 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg)
struct device *dev = (struct device *)arg;
struct ethsw_core *ethsw = dev_get_drvdata(dev);
struct ethsw_port_priv *port_priv;
- u32 status = ~0;
int err, if_id;
bool had_mac;
+ u32 status;
err = dpsw_get_irq_status(ethsw->mc_io, 0, ethsw->dpsw_handle,
DPSW_IRQ_INDEX_IF, &status);
@@ -1559,12 +1559,12 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg)
rtnl_unlock();
}
-out:
err = dpsw_clear_irq_status(ethsw->mc_io, 0, ethsw->dpsw_handle,
DPSW_IRQ_INDEX_IF, status);
if (err)
dev_err(dev, "Can't clear irq status (err %d)\n", err);
+out:
return IRQ_HANDLED;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 090/460] ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 089/460] cgroup: fix race between task migration and iteration Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 091/460] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces Greg Kroah-Hartman
` (212 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mehul Rao, Takashi Iwai
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mehul Rao <mehulrao@gmail.com>
commit 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6 upstream.
In the drain loop, the local variable 'runtime' is reassigned to a
linked stream's runtime (runtime = s->runtime at line 2157). After
releasing the stream lock at line 2169, the code accesses
runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size
(lines 2170-2178) — all referencing the linked stream's runtime without
any lock or refcount protecting its lifetime.
A concurrent close() on the linked stream's fd triggers
snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private()
→ snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime).
No synchronization prevents kfree(runtime) from completing while the
drain path dereferences the stale pointer.
Fix by caching the needed runtime fields (no_period_wakeup, rate,
buffer_size) into local variables while still holding the stream lock,
and using the cached values after the lock is released.
Fixes: f2b3614cefb6 ("ALSA: PCM - Don't check DMA time-out too shortly")
Cc: stable@vger.kernel.org
Signed-off-by: Mehul Rao <mehulrao@gmail.com>
Link: https://patch.msgid.link/20260305193508.311096-1-mehulrao@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/pcm_native.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -2144,6 +2144,10 @@ static int snd_pcm_drain(struct snd_pcm_
for (;;) {
long tout;
struct snd_pcm_runtime *to_check;
+ unsigned int drain_rate;
+ snd_pcm_uframes_t drain_bufsz;
+ bool drain_no_period_wakeup;
+
if (signal_pending(current)) {
result = -ERESTARTSYS;
break;
@@ -2163,16 +2167,25 @@ static int snd_pcm_drain(struct snd_pcm_
snd_pcm_group_unref(group, substream);
if (!to_check)
break; /* all drained */
+ /*
+ * Cache the runtime fields needed after unlock.
+ * A concurrent close() on the linked stream may free
+ * its runtime via snd_pcm_detach_substream() once we
+ * release the stream lock below.
+ */
+ drain_no_period_wakeup = to_check->no_period_wakeup;
+ drain_rate = to_check->rate;
+ drain_bufsz = to_check->buffer_size;
init_waitqueue_entry(&wait, current);
set_current_state(TASK_INTERRUPTIBLE);
add_wait_queue(&to_check->sleep, &wait);
snd_pcm_stream_unlock_irq(substream);
- if (runtime->no_period_wakeup)
+ if (drain_no_period_wakeup)
tout = MAX_SCHEDULE_TIMEOUT;
else {
tout = 100;
- if (runtime->rate) {
- long t = runtime->buffer_size * 1100 / runtime->rate;
+ if (drain_rate) {
+ long t = drain_bufsz * 1100 / drain_rate;
tout = max(t, tout);
}
tout = msecs_to_jiffies(tout);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 166/567] nvme: fix memory allocation in nvme_pr_read_keys()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 165/567] nvme: reject invalid pr_read_keys() num_keys values Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 167/567] net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs Greg Kroah-Hartman
` (211 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Shi, Weidong Zhu, Dave Tian,
Christoph Hellwig, Hannes Reinecke, Sungwoo Kim, Keith Busch,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sungwoo Kim <iam@sung-woo.kim>
[ Upstream commit c3320153769f05fd7fe9d840cb555dd3080ae424 ]
nvme_pr_read_keys() takes num_keys from userspace and uses it to
calculate the allocation size for rse via struct_size(). The upper
limit is PR_KEYS_MAX (64K).
A malicious or buggy userspace can pass a large num_keys value that
results in a 4MB allocation attempt at most, causing a warning in
the page allocator when the order exceeds MAX_PAGE_ORDER.
To fix this, use kvzalloc() instead of kzalloc().
This bug has the same reasoning and fix with the patch below:
https://lore.kernel.org/linux-block/20251212013510.3576091-1-kartikey406@gmail.com/
Warning log:
WARNING: mm/page_alloc.c:5216 at __alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216, CPU#1: syz-executor117/272
Modules linked in:
CPU: 1 UID: 0 PID: 272 Comm: syz-executor117 Not tainted 6.19.0 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:__alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216
Code: ff 83 bd a8 fe ff ff 0a 0f 86 69 fb ff ff 0f b6 1d f9 f9 c4 04 80 fb 01 0f 87 3b 76 30 ff 83 e3 01 75 09 c6 05 e4 f9 c4 04 01 <0f> 0b 48 c7 85 70 fe ff ff 00 00 00 00 e9 8f fd ff ff 31 c0 e9 0d
RSP: 0018:ffffc90000fcf450 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffff920001f9ea0
RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000040dc0
RBP: ffffc90000fcf648 R08: ffff88800b6c3380 R09: 0000000000000001
R10: ffffc90000fcf840 R11: ffff88807ffad280 R12: 0000000000000000
R13: 0000000000040dc0 R14: 0000000000000001 R15: ffffc90000fcf620
FS: 0000555565db33c0(0000) GS:ffff8880be26c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000000c CR3: 0000000003b72000 CR4: 00000000000006f0
Call Trace:
<TASK>
alloc_pages_mpol+0x236/0x4d0 mm/mempolicy.c:2486
alloc_frozen_pages_noprof+0x149/0x180 mm/mempolicy.c:2557
___kmalloc_large_node+0x10c/0x140 mm/slub.c:5598
__kmalloc_large_node_noprof+0x25/0xc0 mm/slub.c:5629
__do_kmalloc_node mm/slub.c:5645 [inline]
__kmalloc_noprof+0x483/0x6f0 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
nvme_pr_read_keys+0x8f/0x4c0 drivers/nvme/host/pr.c:245
blkdev_pr_read_keys block/ioctl.c:456 [inline]
blkdev_common_ioctl+0x1b71/0x29b0 block/ioctl.c:730
blkdev_ioctl+0x299/0x700 block/ioctl.c:786
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x1bf/0x220 fs/ioctl.c:583
x64_sys_call+0x1280/0x21b0 mnt/fuzznvme_1/fuzznvme/linux-build/v6.19/./arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x71/0x330 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fb893d3108d
Code: 28 c3 e8 46 1e 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffff61f2f38 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffff61f3138 RCX: 00007fb893d3108d
RDX: 0000000020000040 RSI: 00000000c01070ce RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 00007ffff61f3138
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffff61f3128 R14: 00007fb893dae530 R15: 0000000000000001
</TASK>
Fixes: 5fd96a4e15de (nvme: Add pr_ops read_keys support)
Acked-by: Chao Shi <cshi008@fiu.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Acked-by: Dave Tian <daveti@purdue.edu>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/pr.c b/drivers/nvme/host/pr.c
index 0636fa4d6f77b..1df7cb3155601 100644
--- a/drivers/nvme/host/pr.c
+++ b/drivers/nvme/host/pr.c
@@ -217,7 +217,7 @@ static int nvme_pr_read_keys(struct block_device *bdev,
if (rse_len > U32_MAX)
return -EINVAL;
- rse = kzalloc(rse_len, GFP_KERNEL);
+ rse = kvzalloc(rse_len, GFP_KERNEL);
if (!rse)
return -ENOMEM;
@@ -242,7 +242,7 @@ static int nvme_pr_read_keys(struct block_device *bdev,
}
free_rse:
- kfree(rse);
+ kvfree(rse);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 104/481] dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 103/481] dpaa2-switch: do not clear any interrupts automatically Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 105/481] atm: lec: fix null-ptr-deref in lec_arp_clear_vccs Greg Kroah-Hartman
` (211 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junrui Luo, Guenter Roeck,
Ioana Ciornei, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit 74badb9c20b1a9c02a95c735c6d3cd6121679c93 ]
Commit 31a7a0bbeb00 ("dpaa2-switch: add bounds check for if_id in IRQ
handler") introduces a range check for if_id to avoid an out-of-bounds
access. If an out-of-bounds if_id is detected, the interrupt status is
not cleared. This may result in an interrupt storm.
Clear the interrupt status after detecting an out-of-bounds if_id to avoid
the problem.
Found by an experimental AI code review agent at Google.
Fixes: 31a7a0bbeb00 ("dpaa2-switch: add bounds check for if_id in IRQ handler")
Cc: Junrui Luo <moonafterrain@outlook.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Link: https://patch.msgid.link/20260227055812.1777915-1-linux@roeck-us.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
index b29f49ec64049..510a018978d9a 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
@@ -1536,7 +1536,7 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg)
if_id = (status & 0xFFFF0000) >> 16;
if (if_id >= ethsw->sw_attr.num_ifs) {
dev_err(dev, "Invalid if_id %d in IRQ status\n", if_id);
- goto out;
+ goto out_clear;
}
port_priv = ethsw->ports[if_id];
@@ -1559,6 +1559,7 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg)
rtnl_unlock();
}
+out_clear:
err = dpsw_clear_irq_status(ethsw->mc_io, 0, ethsw->dpsw_handle,
DPSW_IRQ_INDEX_IF, status);
if (err)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 091/460] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 090/460] ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 092/460] net: usb: lan78xx: fix silent drop of packets with checksum errors Greg Kroah-Hartman
` (211 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8f29539ef9a1c8334f42,
syzbot+ae893a8901067fde2741, Takashi Iwai
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit df1d8abf36ca3681c21a6809eaa9a1e01ef897a6 upstream.
The Scarlett2 mixer quirk in USB-audio driver may hit a NULL
dereference when a malformed USB descriptor is passed, since it
assumes the presence of an endpoint in the parsed interface in
scarlett2_find_fc_interface(), as reported by fuzzer.
For avoiding the NULL dereference, just add the sanity check of
bNumEndpoints and skip the invalid interface.
Reported-by: syzbot+8f29539ef9a1c8334f42@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/69acbbe1.050a0220.310d8.0001.GAE@google.com
Reported-by: syzbot+ae893a8901067fde2741@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/69acf72a.050a0220.310d8.0004.GAE@google.com
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260309104632.141895-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_scarlett2.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/usb/mixer_scarlett2.c
+++ b/sound/usb/mixer_scarlett2.c
@@ -8579,6 +8579,8 @@ static int scarlett2_find_fc_interface(s
if (desc->bInterfaceClass != 255)
continue;
+ if (desc->bNumEndpoints < 1)
+ continue;
epd = get_endpoint(intf->altsetting, 0);
private->bInterfaceNumber = desc->bInterfaceNumber;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 167/567] net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 166/567] nvme: fix memory allocation in nvme_pr_read_keys() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 168/567] net: nfc: nci: Fix zero-length proprietary notifications Greg Kroah-Hartman
` (210 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Koichiro Den, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Koichiro Den <den@valinux.co.jp>
[ Upstream commit 7f083faf59d14c04e01ec05a7507f036c965acf8 ]
When shrinking the number of real tx queues,
netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush
qdiscs for queues which will no longer be used.
qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with
qdisc_lock(). However, for lockless qdiscs, the dequeue path is
serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so
qdisc_reset() can run concurrently with __qdisc_run() and free skbs
while they are still being dequeued, leading to UAF.
This can easily be reproduced on e.g. virtio-net by imposing heavy
traffic while frequently changing the number of queue pairs:
iperf3 -ub0 -c $peer -t 0 &
while :; do
ethtool -L eth0 combined 1
ethtool -L eth0 combined 2
done
With KASAN enabled, this leads to reports like:
BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760
...
Call Trace:
<TASK>
...
__qdisc_run+0x133f/0x1760
__dev_queue_xmit+0x248f/0x3550
ip_finish_output2+0xa42/0x2110
ip_output+0x1a7/0x410
ip_send_skb+0x2e6/0x480
udp_send_skb+0xb0a/0x1590
udp_sendmsg+0x13c9/0x1fc0
...
</TASK>
Allocated by task 1270 on cpu 5 at 44.558414s:
...
alloc_skb_with_frags+0x84/0x7c0
sock_alloc_send_pskb+0x69a/0x830
__ip_append_data+0x1b86/0x48c0
ip_make_skb+0x1e8/0x2b0
udp_sendmsg+0x13a6/0x1fc0
...
Freed by task 1306 on cpu 3 at 44.558445s:
...
kmem_cache_free+0x117/0x5e0
pfifo_fast_reset+0x14d/0x580
qdisc_reset+0x9e/0x5f0
netif_set_real_num_tx_queues+0x303/0x840
virtnet_set_channels+0x1bf/0x260 [virtio_net]
ethnl_set_channels+0x684/0xae0
ethnl_default_set_doit+0x31a/0x890
...
Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by
taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the
serialization model already used by dev_reset_queue().
Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state
reflects an empty queue, avoiding needless re-scheduling.
Fixes: 6b3ba9146fe6 ("net: sched: allow qdiscs to handle locking")
Signed-off-by: Koichiro Den <den@valinux.co.jp>
Link: https://patch.msgid.link/20260228145307.3955532-1-den@valinux.co.jp
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/sch_generic.h | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
index 3287988a6a987..232b7b22e993a 100644
--- a/include/net/sch_generic.h
+++ b/include/net/sch_generic.h
@@ -756,13 +756,23 @@ static inline bool skb_skip_tc_classify(struct sk_buff *skb)
static inline void qdisc_reset_all_tx_gt(struct net_device *dev, unsigned int i)
{
struct Qdisc *qdisc;
+ bool nolock;
for (; i < dev->num_tx_queues; i++) {
qdisc = rtnl_dereference(netdev_get_tx_queue(dev, i)->qdisc);
if (qdisc) {
+ nolock = qdisc->flags & TCQ_F_NOLOCK;
+
+ if (nolock)
+ spin_lock_bh(&qdisc->seqlock);
spin_lock_bh(qdisc_lock(qdisc));
qdisc_reset(qdisc);
spin_unlock_bh(qdisc_lock(qdisc));
+ if (nolock) {
+ clear_bit(__QDISC_STATE_MISSED, &qdisc->state);
+ clear_bit(__QDISC_STATE_DRAINING, &qdisc->state);
+ spin_unlock_bh(&qdisc->seqlock);
+ }
}
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 105/481] atm: lec: fix null-ptr-deref in lec_arp_clear_vccs
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 104/481] dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 106/481] can: bcm: fix locking for bcm_op runtime updates Greg Kroah-Hartman
` (210 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+72e3ea390c305de0e259,
Dan Carpenter, Simon Horman, Jiayuan Chen, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@shopee.com>
[ Upstream commit 101bacb303e89dc2e0640ae6a5e0fb97c4eb45bb ]
syzkaller reported a null-ptr-deref in lec_arp_clear_vccs().
This issue can be easily reproduced using the syzkaller reproducer.
In the ATM LANE (LAN Emulation) module, the same atm_vcc can be shared by
multiple lec_arp_table entries (e.g., via entry->vcc or entry->recv_vcc).
When the underlying VCC is closed, lec_vcc_close() iterates over all
ARP entries and calls lec_arp_clear_vccs() for each matched entry.
For example, when lec_vcc_close() iterates through the hlists in
priv->lec_arp_empty_ones or other ARP tables:
1. In the first iteration, for the first matched ARP entry sharing the VCC,
lec_arp_clear_vccs() frees the associated vpriv (which is vcc->user_back)
and sets vcc->user_back to NULL.
2. In the second iteration, for the next matched ARP entry sharing the same
VCC, lec_arp_clear_vccs() is called again. It obtains a NULL vpriv from
vcc->user_back (via LEC_VCC_PRIV(vcc)) and then attempts to dereference it
via `vcc->pop = vpriv->old_pop`, leading to a null-ptr-deref crash.
Fix this by adding a null check for vpriv before dereferencing
it. If vpriv is already NULL, it means the VCC has been cleared
by a previous call, so we can safely skip the cleanup and just
clear the entry's vcc/recv_vcc pointers.
The entire cleanup block (including vcc_release_async()) is placed inside
the vpriv guard because a NULL vpriv indicates the VCC has already been
fully released by a prior iteration — repeating the teardown would
redundantly set flags and trigger callbacks on an already-closing socket.
The Fixes tag points to the initial commit because the entry->vcc path has
been vulnerable since the original code. The entry->recv_vcc path was later
added by commit 8d9f73c0ad2f ("atm: fix a memory leak of vcc->user_back")
with the same pattern, and both paths are fixed here.
Reported-by: syzbot+72e3ea390c305de0e259@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68c95a83.050a0220.3c6139.0e5c.GAE@google.com/T/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Link: https://patch.msgid.link/20260225123250.189289-1-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/atm/lec.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/net/atm/lec.c b/net/atm/lec.c
index b7fa48a9b7205..0d4b8e5936dcf 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -1260,24 +1260,28 @@ static void lec_arp_clear_vccs(struct lec_arp_table *entry)
struct lec_vcc_priv *vpriv = LEC_VCC_PRIV(vcc);
struct net_device *dev = (struct net_device *)vcc->proto_data;
- vcc->pop = vpriv->old_pop;
- if (vpriv->xoff)
- netif_wake_queue(dev);
- kfree(vpriv);
- vcc->user_back = NULL;
- vcc->push = entry->old_push;
- vcc_release_async(vcc, -EPIPE);
+ if (vpriv) {
+ vcc->pop = vpriv->old_pop;
+ if (vpriv->xoff)
+ netif_wake_queue(dev);
+ kfree(vpriv);
+ vcc->user_back = NULL;
+ vcc->push = entry->old_push;
+ vcc_release_async(vcc, -EPIPE);
+ }
entry->vcc = NULL;
}
if (entry->recv_vcc) {
struct atm_vcc *vcc = entry->recv_vcc;
struct lec_vcc_priv *vpriv = LEC_VCC_PRIV(vcc);
- kfree(vpriv);
- vcc->user_back = NULL;
+ if (vpriv) {
+ kfree(vpriv);
+ vcc->user_back = NULL;
- entry->recv_vcc->push = entry->old_recv_push;
- vcc_release_async(entry->recv_vcc, -EPIPE);
+ entry->recv_vcc->push = entry->old_recv_push;
+ vcc_release_async(entry->recv_vcc, -EPIPE);
+ }
entry->recv_vcc = NULL;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 092/460] net: usb: lan78xx: fix silent drop of packets with checksum errors
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 091/460] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 093/460] net: usb: lan78xx: fix TX byte statistics for small packets Greg Kroah-Hartman
` (210 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit e4f774a0cc955ce762aec91c66915a6e15087ab7 upstream.
Do not drop packets with checksum errors at the USB driver level;
pass them to the network stack.
Previously, the driver dropped all packets where the 'Receive Error
Detected' (RED) bit was set, regardless of the specific error type. This
caused packets with only IP or TCP/UDP checksum errors to be dropped
before reaching the kernel, preventing the network stack from accounting
for them or performing software fallback.
Add a mask for hard hardware errors to safely drop genuinely corrupt
frames, while allowing checksum-errored frames to pass with their
ip_summed field explicitly set to CHECKSUM_NONE.
Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260305143429.530909-2-o.rempel@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/lan78xx.c | 4 +++-
drivers/net/usb/lan78xx.h | 3 +++
2 files changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -3537,6 +3537,7 @@ static void lan78xx_rx_csum_offload(stru
*/
if (!(dev->net->features & NETIF_F_RXCSUM) ||
unlikely(rx_cmd_a & RX_CMD_A_ICSM_) ||
+ unlikely(rx_cmd_a & RX_CMD_A_CSE_MASK_) ||
((rx_cmd_a & RX_CMD_A_FVTG_) &&
!(dev->net->features & NETIF_F_HW_VLAN_CTAG_RX))) {
skb->ip_summed = CHECKSUM_NONE;
@@ -3609,7 +3610,8 @@ static int lan78xx_rx(struct lan78xx_net
return 0;
}
- if (unlikely(rx_cmd_a & RX_CMD_A_RED_)) {
+ if (unlikely(rx_cmd_a & RX_CMD_A_RED_) &&
+ (rx_cmd_a & RX_CMD_A_RX_HARD_ERRS_MASK_)) {
netif_dbg(dev, rx_err, dev->net,
"Error rx_cmd_a=0x%08x", rx_cmd_a);
} else {
--- a/drivers/net/usb/lan78xx.h
+++ b/drivers/net/usb/lan78xx.h
@@ -74,6 +74,9 @@
#define RX_CMD_A_ICSM_ (0x00004000)
#define RX_CMD_A_LEN_MASK_ (0x00003FFF)
+#define RX_CMD_A_RX_HARD_ERRS_MASK_ \
+ (RX_CMD_A_RX_ERRS_MASK_ & ~RX_CMD_A_CSE_MASK_)
+
/* Rx Command B */
#define RX_CMD_B_CSUM_SHIFT_ (16)
#define RX_CMD_B_CSUM_MASK_ (0xFFFF0000)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 168/567] net: nfc: nci: Fix zero-length proprietary notifications
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 167/567] net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 169/567] nfc: nci: free skb on nci_transceive early error paths Greg Kroah-Hartman
` (209 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Ray, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Ray <ian.ray@gehealthcare.com>
[ Upstream commit f7d92f11bd33a6eb49c7c812255ef4ab13681f0f ]
NCI NFC controllers may have proprietary OIDs with zero-length payload.
One example is: drivers/nfc/nxp-nci/core.c, NXP_NCI_RF_TXLDO_ERROR_NTF.
Allow a zero length payload in proprietary notifications *only*.
Before:
-- >8 --
kernel: nci: nci_recv_frame: len 3
-- >8 --
After:
-- >8 --
kernel: nci: nci_recv_frame: len 3
kernel: nci: nci_ntf_packet: NCI RX: MT=ntf, PBF=0, GID=0x1, OID=0x23, plen=0
kernel: nci: nci_ntf_packet: unknown ntf opcode 0x123
kernel: nfc nfc0: NFC: RF transmitter couldn't start. Bad power and/or configuration?
-- >8 --
After fixing the hardware:
-- >8 --
kernel: nci: nci_recv_frame: len 27
kernel: nci: nci_ntf_packet: NCI RX: MT=ntf, PBF=0, GID=0x1, OID=0x5, plen=24
kernel: nci: nci_rf_intf_activated_ntf_packet: rf_discovery_id 1
-- >8 --
Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet")
Signed-off-by: Ian Ray <ian.ray@gehealthcare.com>
Link: https://patch.msgid.link/20260302163238.140576-1-ian.ray@gehealthcare.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/nfc/nci/core.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index b7d4952a7dcf8..7a4742a092626 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -1471,10 +1471,20 @@ static bool nci_valid_size(struct sk_buff *skb)
unsigned int hdr_size = NCI_CTRL_HDR_SIZE;
if (skb->len < hdr_size ||
- !nci_plen(skb->data) ||
skb->len < hdr_size + nci_plen(skb->data)) {
return false;
}
+
+ if (!nci_plen(skb->data)) {
+ /* Allow zero length in proprietary notifications (0x20 - 0x3F). */
+ if (nci_opcode_oid(nci_opcode(skb->data)) >= 0x20 &&
+ nci_mt(skb->data) == NCI_MT_NTF_PKT)
+ return true;
+
+ /* Disallow zero length otherwise. */
+ return false;
+ }
+
return true;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 106/481] can: bcm: fix locking for bcm_op runtime updates
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 105/481] atm: lec: fix null-ptr-deref in lec_arp_clear_vccs Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 107/481] can: mcp251x: fix deadlock in error path of mcp251x_open Greg Kroah-Hartman
` (209 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+5b11eccc403dd1cea9f8,
Oliver Hartkopp, Marc Kleine-Budde, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Hartkopp <socketcan@hartkopp.net>
[ Upstream commit c35636e91e392e1540949bbc67932167cb48bc3a ]
Commit c2aba69d0c36 ("can: bcm: add locking for bcm_op runtime updates")
added a locking for some variables that can be modified at runtime when
updating the sending bcm_op with a new TX_SETUP command in bcm_tx_setup().
Usually the RX_SETUP only handles and filters incoming traffic with one
exception: When the RX_RTR_FRAME flag is set a predefined CAN frame is
sent when a specific RTR frame is received. Therefore the rx bcm_op uses
bcm_can_tx() which uses the bcm_tx_lock that was only initialized in
bcm_tx_setup(). Add the missing spin_lock_init() when allocating the
bcm_op in bcm_rx_setup() to handle the RTR case properly.
Fixes: c2aba69d0c36 ("can: bcm: add locking for bcm_op runtime updates")
Reported-by: syzbot+5b11eccc403dd1cea9f8@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-can/699466e4.a70a0220.2c38d7.00ff.GAE@google.com/
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Link: https://patch.msgid.link/20260218-bcm_spin_lock_init-v1-1-592634c8a5b5@hartkopp.net
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/can/bcm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 4fb5cfaf74f3f..050c755ff5fbd 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1128,6 +1128,7 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
if (!op)
return -ENOMEM;
+ spin_lock_init(&op->bcm_tx_lock);
op->can_id = msg_head->can_id;
op->nframes = msg_head->nframes;
op->cfsiz = CFSIZ(msg_head->flags);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 093/460] net: usb: lan78xx: fix TX byte statistics for small packets
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 092/460] net: usb: lan78xx: fix silent drop of packets with checksum errors Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 094/460] net: usb: lan78xx: skip LTM configuration for LAN7850 Greg Kroah-Hartman
` (209 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit 50988747c30df47b73b787f234f746027cb7ec6c upstream.
Account for hardware auto-padding in TX byte counters to reflect actual
wire traffic.
The LAN7850 hardware automatically pads undersized frames to the minimum
Ethernet frame length (ETH_ZLEN, 60 bytes). However, the driver tracks
the network statistics based on the unpadded socket buffer length. This
results in the tx_bytes counter under-reporting the actual physical
bytes placed on the Ethernet wire for small packets (like short ARP or
ICMP requests).
Use max_t() to ensure the transmission statistics accurately account for
the hardware-generated padding.
Fixes: d383216a7efe ("lan78xx: Introduce Tx URB processing improvements")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260305143429.530909-3-o.rempel@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/lan78xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -3886,7 +3886,7 @@ static struct skb_data *lan78xx_tx_buf_f
}
tx_data += len;
- entry->length += len;
+ entry->length += max_t(unsigned int, len, ETH_ZLEN);
entry->num_of_packet += skb_shinfo(skb)->gso_segs ?: 1;
dev_kfree_skb_any(skb);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 169/567] nfc: nci: free skb on nci_transceive early error paths
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 168/567] net: nfc: nci: Fix zero-length proprietary notifications Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 170/567] nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback Greg Kroah-Hartman
` (208 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joe Damato, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 7bd4b0c4779f978a6528c9b7937d2ca18e936e2c ]
nci_transceive() takes ownership of the skb passed by the caller,
but the -EPROTO, -EINVAL, and -EBUSY error paths return without
freeing it.
Due to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes
the nci/nci_dev selftest hits the error path occasionally in NIPA,
and kmemleak detects leaks:
unreferenced object 0xff11000015ce6a40 (size 640):
comm "nci_dev", pid 3954, jiffies 4295441246
hex dump (first 32 bytes):
6b 6b 6b 6b 00 a4 00 0c 02 e1 03 6b 6b 6b 6b 6b kkkk.......kkkkk
6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
backtrace (crc 7c40cc2a):
kmem_cache_alloc_node_noprof+0x492/0x630
__alloc_skb+0x11e/0x5f0
alloc_skb_with_frags+0xc6/0x8f0
sock_alloc_send_pskb+0x326/0x3f0
nfc_alloc_send_skb+0x94/0x1d0
rawsock_sendmsg+0x162/0x4c0
do_syscall_64+0x117/0xfc0
Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
Reviewed-by: Joe Damato <joe@dama.to>
Link: https://patch.msgid.link/20260303162346.2071888-2-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/nfc/nci/core.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index 7a4742a092626..1f33da345bea6 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -1024,18 +1024,23 @@ static int nci_transceive(struct nfc_dev *nfc_dev, struct nfc_target *target,
struct nci_conn_info *conn_info;
conn_info = ndev->rf_conn_info;
- if (!conn_info)
+ if (!conn_info) {
+ kfree_skb(skb);
return -EPROTO;
+ }
pr_debug("target_idx %d, len %d\n", target->idx, skb->len);
if (!ndev->target_active_prot) {
pr_err("unable to exchange data, no active target\n");
+ kfree_skb(skb);
return -EINVAL;
}
- if (test_and_set_bit(NCI_DATA_EXCHANGE, &ndev->flags))
+ if (test_and_set_bit(NCI_DATA_EXCHANGE, &ndev->flags)) {
+ kfree_skb(skb);
return -EBUSY;
+ }
/* store cb and context to be used on receiving data */
conn_info->data_exchange_cb = cb;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 107/481] can: mcp251x: fix deadlock in error path of mcp251x_open
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 106/481] can: bcm: fix locking for bcm_op runtime updates Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 108/481] kunit: tool: print summary of failed tests if a few failed out of a lot Greg Kroah-Hartman
` (208 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alban Bedel, Marc Kleine-Budde,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alban Bedel <alban.bedel@lht.dlh.de>
[ Upstream commit ab3f894de216f4a62adc3b57e9191888cbf26885 ]
The mcp251x_open() function call free_irq() in its error path with the
mpc_lock mutex held. But if an interrupt already occurred the
interrupt handler will be waiting for the mpc_lock and free_irq() will
deadlock waiting for the handler to finish.
This issue is similar to the one fixed in commit 7dd9c26bd6cf ("can:
mcp251x: fix deadlock if an interrupt occurs during mcp251x_open") but
for the error path.
To solve this issue move the call to free_irq() after the lock is
released. Setting `priv->force_quit = 1` beforehand ensure that the IRQ
handler will exit right away once it acquired the lock.
Signed-off-by: Alban Bedel <alban.bedel@lht.dlh.de>
Link: https://patch.msgid.link/20260209144706.2261954-1-alban.bedel@lht.dlh.de
Fixes: bf66f3736a94 ("can: mcp251x: Move to threaded interrupts instead of workqueues.")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/spi/mcp251x.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
index 8c56f85e87c1a..72ae17b2313ec 100644
--- a/drivers/net/can/spi/mcp251x.c
+++ b/drivers/net/can/spi/mcp251x.c
@@ -1202,6 +1202,7 @@ static int mcp251x_open(struct net_device *net)
{
struct mcp251x_priv *priv = netdev_priv(net);
struct spi_device *spi = priv->spi;
+ bool release_irq = false;
unsigned long flags = 0;
int ret;
@@ -1245,12 +1246,24 @@ static int mcp251x_open(struct net_device *net)
return 0;
out_free_irq:
- free_irq(spi->irq, priv);
+ /* The IRQ handler might be running, and if so it will be waiting
+ * for the lock. But free_irq() must wait for the handler to finish
+ * so calling it here would deadlock.
+ *
+ * Setting priv->force_quit will let the handler exit right away
+ * without any access to the hardware. This make it safe to call
+ * free_irq() after the lock is released.
+ */
+ priv->force_quit = 1;
+ release_irq = true;
+
mcp251x_hw_sleep(spi);
out_close:
mcp251x_power_enable(priv->transceiver, 0);
close_candev(net);
mutex_unlock(&priv->mcp_lock);
+ if (release_irq)
+ free_irq(spi->irq, priv);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 094/460] net: usb: lan78xx: skip LTM configuration for LAN7850
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 093/460] net: usb: lan78xx: fix TX byte statistics for small packets Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 095/460] ata: libata-core: Add BRIDGE_OK quirk for QEMU drives Greg Kroah-Hartman
` (208 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit d9cc0e440f0664f6f3e2c26e39ab9dd5f3badba7 upstream.
Do not configure Latency Tolerance Messaging (LTM) on USB 2.0 hardware.
The LAN7850 is a High-Speed (USB 2.0) only device and does not support
SuperSpeed features like LTM. Currently, the driver unconditionally
attempts to configure LTM registers during initialization. On the
LAN7850, these registers do not exist, resulting in writes to invalid
or undocumented memory space.
This issue was identified during a port to the regmap API with strict
register validation enabled. While no functional issues or crashes have
been observed from these invalid writes, bypassing LTM initialization
on the LAN7850 ensures the driver strictly adheres to the hardware's
valid register map.
Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260305143429.530909-4-o.rempel@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/lan78xx.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -2667,6 +2667,10 @@ static void lan78xx_init_ltm(struct lan7
u32 buf;
u32 regs[6] = { 0 };
+ /* LAN7850 is USB 2.0 and does not support LTM */
+ if (dev->chipid == ID_REV_CHIP_ID_7850_)
+ return;
+
ret = lan78xx_read_reg(dev, USB_CFG1, &buf);
if (buf & USB_CFG1_LTM_ENABLE_) {
u8 temp[2];
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 170/567] nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 169/567] nfc: nci: free skb on nci_transceive early error paths Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 171/567] nfc: rawsock: cancel tx_work before socket teardown Greg Kroah-Hartman
` (207 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joe Damato, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 0efdc02f4f6d52f8ca5d5889560f325a836ce0a8 ]
Move clear_bit(NCI_DATA_EXCHANGE) before invoking the data exchange
callback in nci_data_exchange_complete().
The callback (e.g. rawsock_data_exchange_complete) may immediately
schedule another data exchange via schedule_work(tx_work). On a
multi-CPU system, tx_work can run and reach nci_transceive() before
the current nci_data_exchange_complete() clears the flag, causing
test_and_set_bit(NCI_DATA_EXCHANGE) to return -EBUSY and the new
transfer to fail.
This causes intermittent flakes in nci/nci_dev in NIPA:
# # RUN NCI.NCI1_0.t4t_tag_read ...
# # t4t_tag_read: Test terminated by timeout
# # FAIL NCI.NCI1_0.t4t_tag_read
# not ok 3 NCI.NCI1_0.t4t_tag_read
Fixes: 38f04c6b1b68 ("NFC: protect nci_data_exchange transactions")
Reviewed-by: Joe Damato <joe@dama.to>
Link: https://patch.msgid.link/20260303162346.2071888-5-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/nfc/nci/data.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c
index 3d36ea5701f02..7a3fb2a397a1e 100644
--- a/net/nfc/nci/data.c
+++ b/net/nfc/nci/data.c
@@ -33,7 +33,8 @@ void nci_data_exchange_complete(struct nci_dev *ndev, struct sk_buff *skb,
conn_info = nci_get_conn_info_by_conn_id(ndev, conn_id);
if (!conn_info) {
kfree_skb(skb);
- goto exit;
+ clear_bit(NCI_DATA_EXCHANGE, &ndev->flags);
+ return;
}
cb = conn_info->data_exchange_cb;
@@ -45,6 +46,12 @@ void nci_data_exchange_complete(struct nci_dev *ndev, struct sk_buff *skb,
del_timer_sync(&ndev->data_timer);
clear_bit(NCI_DATA_EXCHANGE_TO, &ndev->flags);
+ /* Mark the exchange as done before calling the callback.
+ * The callback (e.g. rawsock_data_exchange_complete) may
+ * want to immediately queue another data exchange.
+ */
+ clear_bit(NCI_DATA_EXCHANGE, &ndev->flags);
+
if (cb) {
/* forward skb to nfc core */
cb(cb_context, skb, err);
@@ -54,9 +61,6 @@ void nci_data_exchange_complete(struct nci_dev *ndev, struct sk_buff *skb,
/* no waiting callback, free skb */
kfree_skb(skb);
}
-
-exit:
- clear_bit(NCI_DATA_EXCHANGE, &ndev->flags);
}
/* ----------------- NCI TX Data ----------------- */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 108/481] kunit: tool: print summary of failed tests if a few failed out of a lot
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 107/481] can: mcp251x: fix deadlock in error path of mcp251x_open Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 109/481] kunit: tool: make --json do nothing if --raw_ouput is set Greg Kroah-Hartman
` (207 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Latypov, David Gow,
Shuah Khan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Latypov <dlatypov@google.com>
[ Upstream commit f19dd011d8de6f0c1d20abea5158aa4f5d9cea44 ]
E.g. all the hw_breakpoint tests are failing right now.
So if I run `kunit.py run --altests --arch=x86_64`, then I see
> Testing complete. Ran 408 tests: passed: 392, failed: 9, skipped: 7
Seeing which 9 tests failed out of the hundreds is annoying.
If my terminal doesn't have scrollback support, I have to resort to
looking at `.kunit/test.log` for the `not ok` lines.
Teach kunit.py to print a summarized list of failures if the # of tests
reachs an arbitrary threshold (>=100 tests).
To try and keep the output from being too long/noisy, this new logic
a) just reports "parent_test failed" if every child test failed
b) won't print anything if there are >10 failures (also arbitrary).
With this patch, we get an extra line of output showing:
> Testing complete. Ran 408 tests: passed: 392, failed: 9, skipped: 7
> Failures: hw_breakpoint
This also works with parameterized tests, e.g. if I add a fake failure
> Failures: kcsan.test_atomic_builtins_missing_barrier.threads=6
Note: we didn't have enough tests for this to be a problem before.
But with commit 980ac3ad0512 ("kunit: tool: rename all_test_uml.config,
use it for --alltests"), --alltests works and thus running >100 tests
will probably become more common.
Signed-off-by: Daniel Latypov <dlatypov@google.com>
Reviewed-by: David Gow <davidgow@google.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Stable-dep-of: 40804c4974b8 ("kunit: tool: copy caller args in run_kernel to prevent mutation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/kunit/kunit_parser.py | 47 ++++++++++++++++++++++++++
tools/testing/kunit/kunit_tool_test.py | 22 ++++++++++++
2 files changed, 69 insertions(+)
diff --git a/tools/testing/kunit/kunit_parser.py b/tools/testing/kunit/kunit_parser.py
index 1ae873e3e3415..94dba66feec50 100644
--- a/tools/testing/kunit/kunit_parser.py
+++ b/tools/testing/kunit/kunit_parser.py
@@ -58,6 +58,10 @@ class Test:
self.counts.errors += 1
stdout.print_with_timestamp(stdout.red('[ERROR]') + f' Test: {self.name}: {error_message}')
+ def ok_status(self) -> bool:
+ """Returns true if the status was ok, i.e. passed or skipped."""
+ return self.status in (TestStatus.SUCCESS, TestStatus.SKIPPED)
+
class TestStatus(Enum):
"""An enumeration class to represent the status of a test."""
SUCCESS = auto()
@@ -565,6 +569,40 @@ def print_test_footer(test: Test) -> None:
stdout.print_with_timestamp(format_test_divider(message,
len(message) - stdout.color_len()))
+
+
+def _summarize_failed_tests(test: Test) -> str:
+ """Tries to summarize all the failing subtests in `test`."""
+
+ def failed_names(test: Test, parent_name: str) -> List[str]:
+ # Note: we use 'main' internally for the top-level test.
+ if not parent_name or parent_name == 'main':
+ full_name = test.name
+ else:
+ full_name = parent_name + '.' + test.name
+
+ if not test.subtests: # this is a leaf node
+ return [full_name]
+
+ # If all the children failed, just say this subtest failed.
+ # Don't summarize it down "the top-level test failed", though.
+ failed_subtests = [sub for sub in test.subtests if not sub.ok_status()]
+ if parent_name and len(failed_subtests) == len(test.subtests):
+ return [full_name]
+
+ all_failures = [] # type: List[str]
+ for t in failed_subtests:
+ all_failures.extend(failed_names(t, full_name))
+ return all_failures
+
+ failures = failed_names(test, '')
+ # If there are too many failures, printing them out will just be noisy.
+ if len(failures) > 10: # this is an arbitrary limit
+ return ''
+
+ return 'Failures: ' + ', '.join(failures)
+
+
def print_summary_line(test: Test) -> None:
"""
Prints summary line of test object. Color of line is dependent on
@@ -587,6 +625,15 @@ def print_summary_line(test: Test) -> None:
color = stdout.red
stdout.print_with_timestamp(color(f'Testing complete. {test.counts}'))
+ # Summarize failures that might have gone off-screen since we had a lot
+ # of tests (arbitrarily defined as >=100 for now).
+ if test.ok_status() or test.counts.total() < 100:
+ return
+ summarized = _summarize_failed_tests(test)
+ if not summarized:
+ return
+ stdout.print_with_timestamp(color(summarized))
+
# Other methods:
def bubble_up_test_results(test: Test) -> None:
diff --git a/tools/testing/kunit/kunit_tool_test.py b/tools/testing/kunit/kunit_tool_test.py
index e2cd2cc2e98f6..42cbf28bfa6c6 100755
--- a/tools/testing/kunit/kunit_tool_test.py
+++ b/tools/testing/kunit/kunit_tool_test.py
@@ -309,6 +309,28 @@ class KUnitParserTest(unittest.TestCase):
result.status)
self.assertEqual('kunit-resource-test', result.subtests[0].name)
+ def test_summarize_failures(self):
+ output = """
+ KTAP version 1
+ 1..2
+ # Subtest: all_failed_suite
+ 1..2
+ not ok 1 - test1
+ not ok 2 - test2
+ not ok 1 - all_failed_suite
+ # Subtest: some_failed_suite
+ 1..2
+ ok 1 - test1
+ not ok 2 - test2
+ not ok 1 - some_failed_suite
+ """
+ result = kunit_parser.parse_run_tests(output.splitlines())
+ self.assertEqual(kunit_parser.TestStatus.FAILURE, result.status)
+
+ self.assertEqual(kunit_parser._summarize_failed_tests(result),
+ 'Failures: all_failed_suite, some_failed_suite.test2')
+
+
def line_stream_from_strs(strs: Iterable[str]) -> kunit_parser.LineStream:
return kunit_parser.LineStream(enumerate(strs, start=1))
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 095/460] ata: libata-core: Add BRIDGE_OK quirk for QEMU drives
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 094/460] net: usb: lan78xx: skip LTM configuration for LAN7850 Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 096/460] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA Greg Kroah-Hartman
` (207 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pedro Falcato, Damien Le Moal,
Hannes Reinecke, Niklas Cassel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pedro Falcato <pfalcato@suse.de>
commit b92b0075ee1870f78f59ab1f7da7dbfdd718ad7a upstream.
Currently, whenever you boot with a QEMU drive over an AHCI interface,
you get:
[ 1.632121] ata1.00: applying bridge limits
This happens due to the kernel not believing the given drive is SATA,
since word 93 of IDENTIFY (ATA_ID_HW_CONFIG) is non-zero. The result is
a pretty severe limit in max_hw_sectors_kb, which limits our IO sizes.
QEMU has set word 93 erroneously for SATA drives but does not, in any
way, emulate any of these real hardware details. There is no PATA
drive and no SATA cable.
As such, add a BRIDGE_OK quirk for QEMU HARDDISK. Special care is taken
to limit this quirk to "2.5+", to allow for fixed future versions.
This results in the max_hw_sectors being limited solely by the
controller interface's limits. Which, for AHCI controllers, takes it
from 128KB to 32767KB.
Cc: stable@vger.kernel.org
Signed-off-by: Pedro Falcato <pfalcato@suse.de>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/libata-core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4144,6 +4144,7 @@ static const struct ata_dev_quirks_entry
/* Devices that do not need bridging limits applied */
{ "MTRON MSP-SATA*", NULL, ATA_QUIRK_BRIDGE_OK },
{ "BUFFALO HD-QSU2/R5", NULL, ATA_QUIRK_BRIDGE_OK },
+ { "QEMU HARDDISK", "2.5+", ATA_QUIRK_BRIDGE_OK },
/* Devices which aren't very happy with higher link speeds */
{ "WD My Book", NULL, ATA_QUIRK_1_5_GBPS },
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 171/567] nfc: rawsock: cancel tx_work before socket teardown
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 170/567] nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 172/567] net: stmmac: Fix error handling in VLAN add and delete paths Greg Kroah-Hartman
` (206 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joe Damato, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit d793458c45df2aed498d7f74145eab7ee22d25aa ]
In rawsock_release(), cancel any pending tx_work and purge the write
queue before orphaning the socket. rawsock_tx_work runs on the system
workqueue and calls nfc_data_exchange which dereferences the NCI
device. Without synchronization, tx_work can race with socket and
device teardown when a process is killed (e.g. by SIGKILL), leading
to use-after-free or leaked references.
Set SEND_SHUTDOWN first so that if tx_work is already running it will
see the flag and skip transmitting, then use cancel_work_sync to wait
for any in-progress execution to finish, and finally purge any
remaining queued skbs.
Fixes: 23b7869c0fd0 ("NFC: add the NFC socket raw protocol")
Reviewed-by: Joe Damato <joe@dama.to>
Link: https://patch.msgid.link/20260303162346.2071888-6-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/nfc/rawsock.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c
index 5125392bb68eb..028b4daafaf83 100644
--- a/net/nfc/rawsock.c
+++ b/net/nfc/rawsock.c
@@ -67,6 +67,17 @@ static int rawsock_release(struct socket *sock)
if (sock->type == SOCK_RAW)
nfc_sock_unlink(&raw_sk_list, sk);
+ if (sk->sk_state == TCP_ESTABLISHED) {
+ /* Prevent rawsock_tx_work from starting new transmits and
+ * wait for any in-progress work to finish. This must happen
+ * before the socket is orphaned to avoid a race where
+ * rawsock_tx_work runs after the NCI device has been freed.
+ */
+ sk->sk_shutdown |= SEND_SHUTDOWN;
+ cancel_work_sync(&nfc_rawsock(sk)->tx_work);
+ rawsock_write_queue_purge(sk);
+ }
+
sock_orphan(sk);
sock_put(sk);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 109/481] kunit: tool: make --json do nothing if --raw_ouput is set
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 108/481] kunit: tool: print summary of failed tests if a few failed out of a lot Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 110/481] kunit: tool: parse KTAP compliant test output Greg Kroah-Hartman
` (206 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Latypov, David Gow,
Shuah Khan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Latypov <dlatypov@google.com>
[ Upstream commit 309e22effb741a8c65131a2694a49839fd685a27 ]
When --raw_output is set (to any value), we don't actually parse the
test results. So asking to print the test results as json doesn't make
sense.
We internally create a fake test with one passing subtest, so --json
would actually print out something misleading.
This patch:
* Rewords the flag descriptions so hopefully this is more obvious.
* Also updates --raw_output's description to note the default behavior
is to print out only "KUnit" results (actually any KTAP results)
* also renames and refactors some related logic for clarity (e.g.
test_result => test, it's a kunit_parser.Test object).
Notably, this patch does not make it an error to specify --json and
--raw_output together. This is an edge case, but I know of at least one
wrapper around kunit.py that always sets --json. You'd never be able to
use --raw_output with that wrapper.
Signed-off-by: Daniel Latypov <dlatypov@google.com>
Reviewed-by: David Gow <davidgow@google.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Stable-dep-of: 40804c4974b8 ("kunit: tool: copy caller args in run_kernel to prevent mutation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/kunit/kunit.py | 34 ++++++++++++++++++----------------
1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/tools/testing/kunit/kunit.py b/tools/testing/kunit/kunit.py
index 4d4663fb578bd..e7b6549712d66 100755
--- a/tools/testing/kunit/kunit.py
+++ b/tools/testing/kunit/kunit.py
@@ -192,12 +192,11 @@ def _map_to_overall_status(test_status: kunit_parser.TestStatus) -> KunitStatus:
def parse_tests(request: KunitParseRequest, metadata: kunit_json.Metadata, input_data: Iterable[str]) -> Tuple[KunitResult, kunit_parser.Test]:
parse_start = time.time()
- test_result = kunit_parser.Test()
-
if request.raw_output:
# Treat unparsed results as one passing test.
- test_result.status = kunit_parser.TestStatus.SUCCESS
- test_result.counts.passed = 1
+ fake_test = kunit_parser.Test()
+ fake_test.status = kunit_parser.TestStatus.SUCCESS
+ fake_test.counts.passed = 1
output: Iterable[str] = input_data
if request.raw_output == 'all':
@@ -206,14 +205,17 @@ def parse_tests(request: KunitParseRequest, metadata: kunit_json.Metadata, input
output = kunit_parser.extract_tap_lines(output, lstrip=False)
for line in output:
print(line.rstrip())
+ parse_time = time.time() - parse_start
+ return KunitResult(KunitStatus.SUCCESS, parse_time), fake_test
- else:
- test_result = kunit_parser.parse_run_tests(input_data)
- parse_end = time.time()
+
+ # Actually parse the test results.
+ test = kunit_parser.parse_run_tests(input_data)
+ parse_time = time.time() - parse_start
if request.json:
json_str = kunit_json.get_json_result(
- test=test_result,
+ test=test,
metadata=metadata)
if request.json == 'stdout':
print(json_str)
@@ -223,10 +225,10 @@ def parse_tests(request: KunitParseRequest, metadata: kunit_json.Metadata, input
stdout.print_with_timestamp("Test results stored in %s" %
os.path.abspath(request.json))
- if test_result.status != kunit_parser.TestStatus.SUCCESS:
- return KunitResult(KunitStatus.TEST_FAILURE, parse_end - parse_start), test_result
+ if test.status != kunit_parser.TestStatus.SUCCESS:
+ return KunitResult(KunitStatus.TEST_FAILURE, parse_time), test
- return KunitResult(KunitStatus.SUCCESS, parse_end - parse_start), test_result
+ return KunitResult(KunitStatus.SUCCESS, parse_time), test
def run_tests(linux: kunit_kernel.LinuxSourceTree,
request: KunitRequest) -> KunitResult:
@@ -359,14 +361,14 @@ def add_exec_opts(parser) -> None:
choices=['suite', 'test'])
def add_parse_opts(parser) -> None:
- parser.add_argument('--raw_output', help='If set don\'t format output from kernel. '
- 'If set to --raw_output=kunit, filters to just KUnit output.',
+ parser.add_argument('--raw_output', help='If set don\'t parse output from kernel. '
+ 'By default, filters to just KUnit output. Use '
+ '--raw_output=all to show everything',
type=str, nargs='?', const='all', default=None, choices=['all', 'kunit'])
parser.add_argument('--json',
nargs='?',
- help='Stores test results in a JSON, and either '
- 'prints to stdout or saves to file if a '
- 'filename is specified',
+ help='Prints parsed test results as JSON to stdout or a file if '
+ 'a filename is specified. Does nothing if --raw_output is set.',
type=str, const='stdout', default=None, metavar='FILE')
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 096/460] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 095/460] ata: libata-core: Add BRIDGE_OK quirk for QEMU drives Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 097/460] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC Greg Kroah-Hartman
` (206 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Heng, Mark Brown
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Heng <zhangheng@kylinos.cn>
commit 325291b20f8a6f14b9c82edbf5d12e4e71f6adaa upstream.
Add a DMI quirk for the ASUS EXPERTBOOK PM1503CDA fixing the
issue where the internal microphone was not detected.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221070
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
Link: https://patch.msgid.link/20260304063255.139331-1-zhangheng@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -703,6 +703,13 @@ static const struct dmi_system_id yc_acp
DMI_MATCH(DMI_PRODUCT_NAME, "ASUS EXPERTBOOK BM1503CDA"),
}
},
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_BOARD_NAME, "PM1503CDA"),
+ }
+ },
{}
};
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 172/567] net: stmmac: Fix error handling in VLAN add and delete paths
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 171/567] nfc: rawsock: cancel tx_work before socket teardown Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 173/567] net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup() Greg Kroah-Hartman
` (205 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ovidiu Panait, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
[ Upstream commit 35dfedce442c4060cfe5b98368bc9643fb995716 ]
stmmac_vlan_rx_add_vid() updates active_vlans and the VLAN hash
register before writing the HW filter entry. If the filter write
fails, it leaves a stale VID in active_vlans and the hash register.
stmmac_vlan_rx_kill_vid() has the reverse problem: it clears
active_vlans before removing the HW filter. On failure, the VID is
gone from active_vlans but still present in the HW filter table.
To fix this, reorder the operations to update the hash table first,
then attempt the HW filter operation. If the HW filter fails, roll
back both the active_vlans bitmap and the hash table by calling
stmmac_vlan_update() again.
Fixes: ed64639bc1e0 ("net: stmmac: Add support for VLAN Rx filtering")
Signed-off-by: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
Link: https://patch.msgid.link/20260303145828.7845-2-ovidiu.panait.rb@renesas.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/stmicro/stmmac/stmmac_main.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index 7a8861d77e047..42df435c4d838 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -6549,9 +6549,13 @@ static int stmmac_vlan_rx_add_vid(struct net_device *ndev, __be16 proto, u16 vid
if (priv->hw->num_vlan) {
ret = stmmac_add_hw_vlan_rx_fltr(priv, ndev, priv->hw, proto, vid);
- if (ret)
+ if (ret) {
+ clear_bit(vid, priv->active_vlans);
+ stmmac_vlan_update(priv, is_double);
goto err_pm_put;
+ }
}
+
err_pm_put:
pm_runtime_put(priv->device);
@@ -6572,15 +6576,21 @@ static int stmmac_vlan_rx_kill_vid(struct net_device *ndev, __be16 proto, u16 vi
is_double = true;
clear_bit(vid, priv->active_vlans);
+ ret = stmmac_vlan_update(priv, is_double);
+ if (ret) {
+ set_bit(vid, priv->active_vlans);
+ goto del_vlan_error;
+ }
if (priv->hw->num_vlan) {
ret = stmmac_del_hw_vlan_rx_fltr(priv, ndev, priv->hw, proto, vid);
- if (ret)
+ if (ret) {
+ set_bit(vid, priv->active_vlans);
+ stmmac_vlan_update(priv, is_double);
goto del_vlan_error;
+ }
}
- ret = stmmac_vlan_update(priv, is_double);
-
del_vlan_error:
pm_runtime_put(priv->device);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 110/481] kunit: tool: parse KTAP compliant test output
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 109/481] kunit: tool: make --json do nothing if --raw_ouput is set Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 111/481] kunit: tool: dont include KTAP headers and the like in the test log Greg Kroah-Hartman
` (205 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rae Moar, Daniel Latypov, David Gow,
Shuah Khan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rae Moar <rmoar@google.com>
[ Upstream commit 434498a6bee3db729dbdb7f131f3506f4dca85e8 ]
Change the KUnit parser to be able to parse test output that complies with
the KTAP version 1 specification format found here:
https://kernel.org/doc/html/latest/dev-tools/ktap.html. Ensure the parser
is able to parse tests with the original KUnit test output format as
well.
KUnit parser now accepts any of the following test output formats:
Original KUnit test output format:
TAP version 14
1..1
# Subtest: kunit-test-suite
1..3
ok 1 - kunit_test_1
ok 2 - kunit_test_2
ok 3 - kunit_test_3
# kunit-test-suite: pass:3 fail:0 skip:0 total:3
# Totals: pass:3 fail:0 skip:0 total:3
ok 1 - kunit-test-suite
KTAP version 1 test output format:
KTAP version 1
1..1
KTAP version 1
1..3
ok 1 kunit_test_1
ok 2 kunit_test_2
ok 3 kunit_test_3
ok 1 kunit-test-suite
New KUnit test output format (changes made in the next patch of
this series):
KTAP version 1
1..1
KTAP version 1
# Subtest: kunit-test-suite
1..3
ok 1 kunit_test_1
ok 2 kunit_test_2
ok 3 kunit_test_3
# kunit-test-suite: pass:3 fail:0 skip:0 total:3
# Totals: pass:3 fail:0 skip:0 total:3
ok 1 kunit-test-suite
Signed-off-by: Rae Moar <rmoar@google.com>
Reviewed-by: Daniel Latypov <dlatypov@google.com>
Reviewed-by: David Gow <davidgow@google.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Stable-dep-of: 40804c4974b8 ("kunit: tool: copy caller args in run_kernel to prevent mutation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/kunit/kunit_parser.py | 79 ++++++++++++-------
tools/testing/kunit/kunit_tool_test.py | 14 ++++
.../test_data/test_parse_ktap_output.log | 8 ++
| 7 ++
4 files changed, 80 insertions(+), 28 deletions(-)
create mode 100644 tools/testing/kunit/test_data/test_parse_ktap_output.log
create mode 100644 tools/testing/kunit/test_data/test_parse_subtest_header.log
diff --git a/tools/testing/kunit/kunit_parser.py b/tools/testing/kunit/kunit_parser.py
index 94dba66feec50..259ce7696587b 100644
--- a/tools/testing/kunit/kunit_parser.py
+++ b/tools/testing/kunit/kunit_parser.py
@@ -450,6 +450,7 @@ def parse_diagnostic(lines: LineStream) -> List[str]:
- '# Subtest: [test name]'
- '[ok|not ok] [test number] [-] [test name] [optional skip
directive]'
+ - 'KTAP version [version number]'
Parameters:
lines - LineStream of KTAP output to parse
@@ -458,8 +459,9 @@ def parse_diagnostic(lines: LineStream) -> List[str]:
Log of diagnostic lines
"""
log = [] # type: List[str]
- while lines and not TEST_RESULT.match(lines.peek()) and not \
- TEST_HEADER.match(lines.peek()):
+ non_diagnostic_lines = [TEST_RESULT, TEST_HEADER, KTAP_START]
+ while lines and not any(re.match(lines.peek())
+ for re in non_diagnostic_lines):
log.append(lines.pop())
return log
@@ -505,11 +507,15 @@ def print_test_header(test: Test) -> None:
test - Test object representing current test being printed
"""
message = test.name
+ if message != "":
+ # Add a leading space before the subtest counts only if a test name
+ # is provided using a "# Subtest" header line.
+ message += " "
if test.expected_count:
if test.expected_count == 1:
- message += ' (1 subtest)'
+ message += '(1 subtest)'
else:
- message += f' ({test.expected_count} subtests)'
+ message += f'({test.expected_count} subtests)'
stdout.print_with_timestamp(format_test_divider(message, len(message)))
def print_log(log: Iterable[str]) -> None:
@@ -656,7 +662,7 @@ def bubble_up_test_results(test: Test) -> None:
elif test.counts.get_status() == TestStatus.TEST_CRASHED:
test.status = TestStatus.TEST_CRASHED
-def parse_test(lines: LineStream, expected_num: int, log: List[str]) -> Test:
+def parse_test(lines: LineStream, expected_num: int, log: List[str], is_subtest: bool) -> Test:
"""
Finds next test to parse in LineStream, creates new Test object,
parses any subtests of the test, populates Test object with all
@@ -674,15 +680,32 @@ def parse_test(lines: LineStream, expected_num: int, log: List[str]) -> Test:
1..4
[subtests]
- - Subtest header line
+ - Subtest header (must include either the KTAP version line or
+ "# Subtest" header line)
- Example:
+ Example (preferred format with both KTAP version line and
+ "# Subtest" line):
+
+ KTAP version 1
+ # Subtest: name
+ 1..3
+ [subtests]
+ ok 1 name
+
+ Example (only "# Subtest" line):
# Subtest: name
1..3
[subtests]
ok 1 name
+ Example (only KTAP version line, compliant with KTAP v1 spec):
+
+ KTAP version 1
+ 1..3
+ [subtests]
+ ok 1 name
+
- Test result line
Example:
@@ -694,28 +717,29 @@ def parse_test(lines: LineStream, expected_num: int, log: List[str]) -> Test:
expected_num - expected test number for test to be parsed
log - list of strings containing any preceding diagnostic lines
corresponding to the current test
+ is_subtest - boolean indicating whether test is a subtest
Return:
Test object populated with characteristics and any subtests
"""
test = Test()
test.log.extend(log)
- parent_test = False
- main = parse_ktap_header(lines, test)
- if main:
- # If KTAP/TAP header is found, attempt to parse
+ if not is_subtest:
+ # If parsing the main/top-level test, parse KTAP version line and
# test plan
test.name = "main"
+ ktap_line = parse_ktap_header(lines, test)
parse_test_plan(lines, test)
parent_test = True
else:
- # If KTAP/TAP header is not found, test must be subtest
- # header or test result line so parse attempt to parser
- # subtest header
- parent_test = parse_test_header(lines, test)
+ # If not the main test, attempt to parse a test header containing
+ # the KTAP version line and/or subtest header line
+ ktap_line = parse_ktap_header(lines, test)
+ subtest_line = parse_test_header(lines, test)
+ parent_test = (ktap_line or subtest_line)
if parent_test:
- # If subtest header is found, attempt to parse
- # test plan and print header
+ # If KTAP version line and/or subtest header is found, attempt
+ # to parse test plan and print test header
parse_test_plan(lines, test)
print_test_header(test)
expected_count = test.expected_count
@@ -730,7 +754,7 @@ def parse_test(lines: LineStream, expected_num: int, log: List[str]) -> Test:
sub_log = parse_diagnostic(lines)
sub_test = Test()
if not lines or (peek_test_name_match(lines, test) and
- not main):
+ is_subtest):
if expected_count and test_num <= expected_count:
# If parser reaches end of test before
# parsing expected number of subtests, print
@@ -744,20 +768,19 @@ def parse_test(lines: LineStream, expected_num: int, log: List[str]) -> Test:
test.log.extend(sub_log)
break
else:
- sub_test = parse_test(lines, test_num, sub_log)
+ sub_test = parse_test(lines, test_num, sub_log, True)
subtests.append(sub_test)
test_num += 1
test.subtests = subtests
- if not main:
+ if is_subtest:
# If not main test, look for test result line
test.log.extend(parse_diagnostic(lines))
- if (parent_test and peek_test_name_match(lines, test)) or \
- not parent_test:
- parse_test_result(lines, test, expected_num)
- else:
+ if test.name != "" and not peek_test_name_match(lines, test):
test.add_error('missing subtest result line!')
+ else:
+ parse_test_result(lines, test, expected_num)
- # Check for there being no tests
+ # Check for there being no subtests within parent test
if parent_test and len(subtests) == 0:
# Don't override a bad status if this test had one reported.
# Assumption: no subtests means CRASHED is from Test.__init__()
@@ -767,11 +790,11 @@ def parse_test(lines: LineStream, expected_num: int, log: List[str]) -> Test:
# Add statuses to TestCounts attribute in Test object
bubble_up_test_results(test)
- if parent_test and not main:
+ if parent_test and is_subtest:
# If test has subtests and is not the main test object, print
# footer.
print_test_footer(test)
- elif not main:
+ elif is_subtest:
print_test_result(test)
return test
@@ -794,7 +817,7 @@ def parse_run_tests(kernel_output: Iterable[str]) -> Test:
test.add_error('could not find any KTAP output!')
test.status = TestStatus.FAILURE_TO_PARSE_TESTS
else:
- test = parse_test(lines, 0, [])
+ test = parse_test(lines, 0, [], False)
if test.status != TestStatus.NO_TESTS:
test.status = test.counts.get_status()
stdout.print_with_timestamp(DIVIDER)
diff --git a/tools/testing/kunit/kunit_tool_test.py b/tools/testing/kunit/kunit_tool_test.py
index 42cbf28bfa6c6..8334d660753c4 100755
--- a/tools/testing/kunit/kunit_tool_test.py
+++ b/tools/testing/kunit/kunit_tool_test.py
@@ -330,6 +330,20 @@ class KUnitParserTest(unittest.TestCase):
self.assertEqual(kunit_parser._summarize_failed_tests(result),
'Failures: all_failed_suite, some_failed_suite.test2')
+ def test_ktap_format(self):
+ ktap_log = test_data_path('test_parse_ktap_output.log')
+ with open(ktap_log) as file:
+ result = kunit_parser.parse_run_tests(file.readlines())
+ self.assertEqual(result.counts, kunit_parser.TestCounts(passed=3))
+ self.assertEqual('suite', result.subtests[0].name)
+ self.assertEqual('case_1', result.subtests[0].subtests[0].name)
+ self.assertEqual('case_2', result.subtests[0].subtests[1].name)
+
+ def test_parse_subtest_header(self):
+ ktap_log = test_data_path('test_parse_subtest_header.log')
+ with open(ktap_log) as file:
+ result = kunit_parser.parse_run_tests(file.readlines())
+ self.print_mock.assert_any_call(StrContains('suite (1 subtest)'))
def line_stream_from_strs(strs: Iterable[str]) -> kunit_parser.LineStream:
return kunit_parser.LineStream(enumerate(strs, start=1))
diff --git a/tools/testing/kunit/test_data/test_parse_ktap_output.log b/tools/testing/kunit/test_data/test_parse_ktap_output.log
new file mode 100644
index 0000000000000..ccdf244e53039
--- /dev/null
+++ b/tools/testing/kunit/test_data/test_parse_ktap_output.log
@@ -0,0 +1,8 @@
+KTAP version 1
+1..1
+ KTAP version 1
+ 1..3
+ ok 1 case_1
+ ok 2 case_2
+ ok 3 case_3
+ok 1 suite
--git a/tools/testing/kunit/test_data/test_parse_subtest_header.log b/tools/testing/kunit/test_data/test_parse_subtest_header.log
new file mode 100644
index 0000000000000..216631092e7b1
--- /dev/null
+++ b/tools/testing/kunit/test_data/test_parse_subtest_header.log
@@ -0,0 +1,7 @@
+KTAP version 1
+1..1
+ KTAP version 1
+ # Subtest: suite
+ 1..1
+ ok 1 test
+ok 1 suite
\ No newline at end of file
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 097/460] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 096/460] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 098/460] USB: add QUIRK_NO_BOS for video capture several devices Greg Kroah-Hartman
` (205 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naveen N Rao (AMD), Jim Mattson,
Sean Christopherson, Paolo Bonzini
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 3989a6d036c8ec82c0de3614bed23a1dacd45de5 upstream.
Initialize all per-vCPU AVIC control fields in the VMCB if AVIC is enabled
in KVM and the VM has an in-kernel local APIC, i.e. if it's _possible_ the
vCPU could activate AVIC at any point in its lifecycle. Configuring the
VMCB if and only if AVIC is active "works" purely because of optimizations
in kvm_create_lapic() to speculatively set apicv_active if AVIC is enabled
*and* to defer updates until the first KVM_RUN. In quotes because KVM
likely won't do the right thing if kvm_apicv_activated() is false, i.e. if
a vCPU is created while APICv is inhibited at the VM level for whatever
reason. E.g. if the inhibit is *removed* before KVM_REQ_APICV_UPDATE is
handled in KVM_RUN, then __kvm_vcpu_update_apicv() will elide calls to
vendor code due to seeing "apicv_active == activate".
Cleaning up the initialization code will also allow fixing a bug where KVM
incorrectly leaves CR8 interception enabled when AVIC is activated without
creating a mess with respect to whether AVIC is activated or not.
Cc: stable@vger.kernel.org
Fixes: 67034bb9dd5e ("KVM: SVM: Add irqchip_split() checks before enabling AVIC")
Fixes: 6c3e4422dd20 ("svm: Add support for dynamic APICv")
Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
Reviewed-by: Jim Mattson <jmattson@google.com>
Link: https://patch.msgid.link/20260203190711.458413-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/avic.c | 2 +-
arch/x86/kvm/svm/svm.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -253,7 +253,7 @@ void avic_init_vmcb(struct vcpu_svm *svm
vmcb->control.avic_physical_id = ppa & AVIC_HPA_MASK;
vmcb->control.avic_vapic_bar = APIC_DEFAULT_PHYS_BASE & VMCB_AVIC_APIC_BAR_MASK;
- if (kvm_apicv_activated(svm->vcpu.kvm))
+ if (kvm_vcpu_apicv_active(&svm->vcpu))
avic_activate_vmcb(svm);
else
avic_deactivate_vmcb(svm);
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -1360,7 +1360,7 @@ static void init_vmcb(struct kvm_vcpu *v
if (boot_cpu_has(X86_FEATURE_V_SPEC_CTRL))
set_msr_interception(vcpu, svm->msrpm, MSR_IA32_SPEC_CTRL, 1, 1);
- if (kvm_vcpu_apicv_active(vcpu))
+ if (enable_apicv && irqchip_in_kernel(vcpu->kvm))
avic_init_vmcb(svm, vmcb);
if (vnmi)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 173/567] net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 172/567] net: stmmac: Fix error handling in VLAN add and delete paths Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 174/567] net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
` (204 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Valerio, Lorenzo Bianconi,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 0abc73c8a40fd64ac1739c90bb4f42c418d27a5e ]
Reset eBPF program pointer to old_prog and do not decrease its ref-count
if mtk_open routine in mtk_xdp_setup() fails.
Fixes: 7c26c20da5d42 ("net: ethernet: mtk_eth_soc: add basic XDP support")
Suggested-by: Paolo Valerio <pvalerio@redhat.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260303-mtk-xdp-prog-ptr-fix-v2-1-97b6dbbe240f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mediatek/mtk_eth_soc.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
index c843e6531449b..e2d3bda1dc923 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
@@ -3529,12 +3529,21 @@ static int mtk_xdp_setup(struct net_device *dev, struct bpf_prog *prog,
mtk_stop(dev);
old_prog = rcu_replace_pointer(eth->prog, prog, lockdep_rtnl_is_held());
+
+ if (netif_running(dev) && need_update) {
+ int err;
+
+ err = mtk_open(dev);
+ if (err) {
+ rcu_assign_pointer(eth->prog, old_prog);
+
+ return err;
+ }
+ }
+
if (old_prog)
bpf_prog_put(old_prog);
- if (netif_running(dev) && need_update)
- return mtk_open(dev);
-
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 111/481] kunit: tool: dont include KTAP headers and the like in the test log
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 110/481] kunit: tool: parse KTAP compliant test output Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 112/481] kunit: tool: make parser preserve whitespace when printing " Greg Kroah-Hartman
` (204 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Latypov, David Gow,
Shuah Khan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Latypov <dlatypov@google.com>
[ Upstream commit 5937e0c04afc7d4b7b737fda93316ba4b74183c0 ]
We print the "test log" on failure.
This is meant to be all the kernel output that happened during the test.
But we also include the special KTAP lines in it, which are often
redundant.
E.g. we include the "not ok" line in the log, right before we print
that the test case failed...
[13:51:48] Expected 2 + 1 == 2, but
[13:51:48] 2 + 1 == 3 (0x3)
[13:51:48] not ok 1 example_simple_test
[13:51:48] [FAILED] example_simple_test
More full example after this patch:
[13:51:48] =================== example (4 subtests) ===================
[13:51:48] # example_simple_test: initializing
[13:51:48] # example_simple_test: EXPECTATION FAILED at lib/kunit/kunit-example-test.c:29
[13:51:48] Expected 2 + 1 == 2, but
[13:51:48] 2 + 1 == 3 (0x3)
[13:51:48] [FAILED] example_simple_test
Signed-off-by: Daniel Latypov <dlatypov@google.com>
Reviewed-by: David Gow <davidgow@google.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Stable-dep-of: 40804c4974b8 ("kunit: tool: copy caller args in run_kernel to prevent mutation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/kunit/kunit_parser.py | 8 ++++----
tools/testing/kunit/kunit_tool_test.py | 17 +++++++++++++++++
2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/tools/testing/kunit/kunit_parser.py b/tools/testing/kunit/kunit_parser.py
index 259ce7696587b..baf0430be0e33 100644
--- a/tools/testing/kunit/kunit_parser.py
+++ b/tools/testing/kunit/kunit_parser.py
@@ -304,7 +304,7 @@ def parse_ktap_header(lines: LineStream, test: Test) -> bool:
check_version(version_num, TAP_VERSIONS, 'TAP', test)
else:
return False
- test.log.append(lines.pop())
+ lines.pop()
return True
TEST_HEADER = re.compile(r'^# Subtest: (.*)$')
@@ -327,8 +327,8 @@ def parse_test_header(lines: LineStream, test: Test) -> bool:
match = TEST_HEADER.match(lines.peek())
if not match:
return False
- test.log.append(lines.pop())
test.name = match.group(1)
+ lines.pop()
return True
TEST_PLAN = re.compile(r'1\.\.([0-9]+)')
@@ -354,9 +354,9 @@ def parse_test_plan(lines: LineStream, test: Test) -> bool:
if not match:
test.expected_count = None
return False
- test.log.append(lines.pop())
expected_count = int(match.group(1))
test.expected_count = expected_count
+ lines.pop()
return True
TEST_RESULT = re.compile(r'^(ok|not ok) ([0-9]+) (- )?([^#]*)( # .*)?$')
@@ -418,7 +418,7 @@ def parse_test_result(lines: LineStream, test: Test,
# Check if line matches test result line format
if not match:
return False
- test.log.append(lines.pop())
+ lines.pop()
# Set name of test object
if skip_match:
diff --git a/tools/testing/kunit/kunit_tool_test.py b/tools/testing/kunit/kunit_tool_test.py
index 8334d660753c4..7e2f748a24eb2 100755
--- a/tools/testing/kunit/kunit_tool_test.py
+++ b/tools/testing/kunit/kunit_tool_test.py
@@ -81,6 +81,10 @@ class KconfigTest(unittest.TestCase):
class KUnitParserTest(unittest.TestCase):
+ def noPrintCallContains(self, substr: str):
+ for call in self.print_mock.mock_calls:
+ self.assertNotIn(substr, call.args[0])
+
def assertContains(self, needle: str, haystack: kunit_parser.LineStream):
# Clone the iterator so we can print the contents on failure.
copy, backup = itertools.tee(haystack)
@@ -345,6 +349,19 @@ class KUnitParserTest(unittest.TestCase):
result = kunit_parser.parse_run_tests(file.readlines())
self.print_mock.assert_any_call(StrContains('suite (1 subtest)'))
+ def test_show_test_output_on_failure(self):
+ output = """
+ KTAP version 1
+ 1..1
+ Test output.
+ not ok 1 test1
+ """
+ result = kunit_parser.parse_run_tests(output.splitlines())
+ self.assertEqual(kunit_parser.TestStatus.FAILURE, result.status)
+
+ self.print_mock.assert_any_call(StrContains('Test output.'))
+ self.noPrintCallContains('not ok 1 test1')
+
def line_stream_from_strs(strs: Iterable[str]) -> kunit_parser.LineStream:
return kunit_parser.LineStream(enumerate(strs, start=1))
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 098/460] USB: add QUIRK_NO_BOS for video capture several devices
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 097/460] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 099/460] usb/core/quirks: Add Huawei ME906S-device to wakeup quirk Greg Kroah-Hartman
` (204 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, A1RM4X
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: A1RM4X <dev@a1rm4x.com>
commit 93cd0d664661f58f7e7bed7373714ab2ace41734 upstream.
Several USB capture devices also need the USB_QUIRK_NO_BOS set for them
to work properly, odds are they are all the same chip inside, just
different vendor/product ids.
This fixes up:
- ASUS TUF 4K PRO
- Avermedia Live Gamer Ultra 2.1 (GC553G2)
- UGREEN 35871
to now run at full speed (10 Gbps/4K 60 fps mode.)
Link: https://lore.kernel.org/r/CACy+XB-f-51xGpNQFCSm5pE_momTQLu=BaZggHYU1DiDmFX=ug@mail.gmail.com
Cc: stable <stable@kernel.org>
Signed-off-by: A1RM4X <dev@a1rm4x.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -377,6 +377,9 @@ static const struct usb_device_id usb_qu
/* SanDisk Extreme 55AE */
{ USB_DEVICE(0x0781, 0x55ae), .driver_info = USB_QUIRK_NO_LPM },
+ /* Avermedia Live Gamer Ultra 2.1 (GC553G2) - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x07ca, 0x2553), .driver_info = USB_QUIRK_NO_BOS },
+
/* Realforce 87U Keyboard */
{ USB_DEVICE(0x0853, 0x011b), .driver_info = USB_QUIRK_NO_LPM },
@@ -434,6 +437,9 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x0b05, 0x17e0), .driver_info =
USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+ /* ASUS TUF 4K PRO - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x0b05, 0x1ab9), .driver_info = USB_QUIRK_NO_BOS },
+
/* Realtek Semiconductor Corp. Mass Storage Device (Multicard Reader)*/
{ USB_DEVICE(0x0bda, 0x0151), .driver_info = USB_QUIRK_CONFIG_INTF_STRINGS },
@@ -562,6 +568,9 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x2386, 0x350e), .driver_info = USB_QUIRK_NO_LPM },
+ /* UGREEN 35871 - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x2b89, 0x5871), .driver_info = USB_QUIRK_NO_BOS },
+
/* APTIV AUTOMOTIVE HUB */
{ USB_DEVICE(0x2c48, 0x0132), .driver_info =
USB_QUIRK_SHORT_SET_ADDRESS_REQ_TIMEOUT },
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 174/567] net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 173/567] net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 175/567] net: vxlan: " Greg Kroah-Hartman
` (203 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guruprasad C P,
Fernando Fernandez Mancera, Ido Schimmel, Nikolay Aleksandrov,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit e5e890630533bdc15b26a34bb8e7ef539bdf1322 ]
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called
which initializes it. Then, if neigh_suppress is enabled and an ICMPv6
Neighbor Discovery packet reaches the bridge, br_do_suppress_nd() will
dereference ipv6_stub->nd_tbl which is NULL, passing it to
neigh_lookup(). This causes a kernel NULL pointer dereference.
BUG: kernel NULL pointer dereference, address: 0000000000000268
Oops: 0000 [#1] PREEMPT SMP NOPTI
[...]
RIP: 0010:neigh_lookup+0x16/0xe0
[...]
Call Trace:
<IRQ>
? neigh_lookup+0x16/0xe0
br_do_suppress_nd+0x160/0x290 [bridge]
br_handle_frame_finish+0x500/0x620 [bridge]
br_handle_frame+0x353/0x440 [bridge]
__netif_receive_skb_core.constprop.0+0x298/0x1110
__netif_receive_skb_one_core+0x3d/0xa0
process_backlog+0xa0/0x140
__napi_poll+0x2c/0x170
net_rx_action+0x2c4/0x3a0
handle_softirqs+0xd0/0x270
do_softirq+0x3f/0x60
Fix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in
the callers. This is in essence disabling NS/NA suppression when IPv6 is
disabled.
Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
Reported-by: Guruprasad C P <gurucp2005@gmail.com>
Closes: https://lore.kernel.org/netdev/CAHXs0ORzd62QOG-Fttqa2Cx_A_VFp=utE2H2VTX5nqfgs7LDxQ@mail.gmail.com/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20260304120357.9778-1-fmancera@suse.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_device.c | 2 +-
net/bridge/br_input.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index 42d4c3727bf76..4af3e4c67038d 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -72,7 +72,7 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
eth_hdr(skb)->h_proto == htons(ETH_P_RARP)) &&
br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED)) {
br_do_proxy_suppress_arp(skb, br, vid, NULL);
- } else if (IS_ENABLED(CONFIG_IPV6) &&
+ } else if (ipv6_mod_enabled() &&
skb->protocol == htons(ETH_P_IPV6) &&
br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED) &&
pskb_may_pull(skb, sizeof(struct ipv6hdr) +
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 847fe03a08ee8..46d2b20afd5ff 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -165,7 +165,7 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
(skb->protocol == htons(ETH_P_ARP) ||
skb->protocol == htons(ETH_P_RARP))) {
br_do_proxy_suppress_arp(skb, br, vid, p);
- } else if (IS_ENABLED(CONFIG_IPV6) &&
+ } else if (ipv6_mod_enabled() &&
skb->protocol == htons(ETH_P_IPV6) &&
br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED) &&
pskb_may_pull(skb, sizeof(struct ipv6hdr) +
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 112/481] kunit: tool: make parser preserve whitespace when printing test log
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 111/481] kunit: tool: dont include KTAP headers and the like in the test log Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 113/481] kunit: kunit.py extract handlers Greg Kroah-Hartman
` (203 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Latypov, David Gow,
Shuah Khan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Latypov <dlatypov@google.com>
[ Upstream commit c2bb92bc4ea13842fdd27819c0d5b48df2b86ea5 ]
Currently, kunit_parser.py is stripping all leading whitespace to make
parsing easier. But this means we can't accurately show kernel output
for failing tests or when the kernel crashes.
Embarassingly, this affects even KUnit's own output, e.g.
[13:40:46] Expected 2 + 1 == 2, but
[13:40:46] 2 + 1 == 3 (0x3)
[13:40:46] not ok 1 example_simple_test
[13:40:46] [FAILED] example_simple_test
After this change, here's what the output in context would look like
[13:40:46] =================== example (4 subtests) ===================
[13:40:46] # example_simple_test: initializing
[13:40:46] # example_simple_test: EXPECTATION FAILED at lib/kunit/kunit-example-test.c:29
[13:40:46] Expected 2 + 1 == 2, but
[13:40:46] 2 + 1 == 3 (0x3)
[13:40:46] [FAILED] example_simple_test
[13:40:46] [SKIPPED] example_skip_test
[13:40:46] [SKIPPED] example_mark_skipped_test
[13:40:46] [PASSED] example_all_expect_macros_test
[13:40:46] # example: initializing suite
[13:40:46] # example: pass:1 fail:1 skip:2 total:4
[13:40:46] # Totals: pass:1 fail:1 skip:2 total:4
[13:40:46] ===================== [FAILED] example =====================
This example shows one minor cosmetic defect this approach has.
The test counts lines prevent us from dedenting the suite-level output.
But at the same time, any form of non-KUnit output would do the same
unless it happened to be indented as well.
Signed-off-by: Daniel Latypov <dlatypov@google.com>
Reviewed-by: David Gow <davidgow@google.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Stable-dep-of: 40804c4974b8 ("kunit: tool: copy caller args in run_kernel to prevent mutation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/kunit/kunit.py | 2 +-
tools/testing/kunit/kunit_parser.py | 27 +++++++++++++-------------
tools/testing/kunit/kunit_tool_test.py | 2 ++
3 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/tools/testing/kunit/kunit.py b/tools/testing/kunit/kunit.py
index e7b6549712d66..43fbe96318fe1 100755
--- a/tools/testing/kunit/kunit.py
+++ b/tools/testing/kunit/kunit.py
@@ -202,7 +202,7 @@ def parse_tests(request: KunitParseRequest, metadata: kunit_json.Metadata, input
if request.raw_output == 'all':
pass
elif request.raw_output == 'kunit':
- output = kunit_parser.extract_tap_lines(output, lstrip=False)
+ output = kunit_parser.extract_tap_lines(output)
for line in output:
print(line.rstrip())
parse_time = time.time() - parse_start
diff --git a/tools/testing/kunit/kunit_parser.py b/tools/testing/kunit/kunit_parser.py
index baf0430be0e33..c02100b70af62 100644
--- a/tools/testing/kunit/kunit_parser.py
+++ b/tools/testing/kunit/kunit_parser.py
@@ -12,6 +12,7 @@
from __future__ import annotations
import re
import sys
+import textwrap
from enum import Enum, auto
from typing import Iterable, Iterator, List, Optional, Tuple
@@ -217,12 +218,12 @@ class LineStream:
# Parsing helper methods:
-KTAP_START = re.compile(r'KTAP version ([0-9]+)$')
-TAP_START = re.compile(r'TAP version ([0-9]+)$')
-KTAP_END = re.compile('(List of all partitions:|'
+KTAP_START = re.compile(r'\s*KTAP version ([0-9]+)$')
+TAP_START = re.compile(r'\s*TAP version ([0-9]+)$')
+KTAP_END = re.compile(r'\s*(List of all partitions:|'
'Kernel panic - not syncing: VFS:|reboot: System halted)')
-def extract_tap_lines(kernel_output: Iterable[str], lstrip=True) -> LineStream:
+def extract_tap_lines(kernel_output: Iterable[str]) -> LineStream:
"""Extracts KTAP lines from the kernel output."""
def isolate_ktap_output(kernel_output: Iterable[str]) \
-> Iterator[Tuple[int, str]]:
@@ -248,11 +249,8 @@ def extract_tap_lines(kernel_output: Iterable[str], lstrip=True) -> LineStream:
# stop extracting KTAP lines
break
elif started:
- # remove the prefix and optionally any leading
- # whitespace. Our parsing logic relies on this.
+ # remove the prefix, if any.
line = line[prefix_len:]
- if lstrip:
- line = line.lstrip()
yield line_num, line
return LineStream(lines=isolate_ktap_output(kernel_output))
@@ -307,7 +305,7 @@ def parse_ktap_header(lines: LineStream, test: Test) -> bool:
lines.pop()
return True
-TEST_HEADER = re.compile(r'^# Subtest: (.*)$')
+TEST_HEADER = re.compile(r'^\s*# Subtest: (.*)$')
def parse_test_header(lines: LineStream, test: Test) -> bool:
"""
@@ -331,7 +329,7 @@ def parse_test_header(lines: LineStream, test: Test) -> bool:
lines.pop()
return True
-TEST_PLAN = re.compile(r'1\.\.([0-9]+)')
+TEST_PLAN = re.compile(r'^\s*1\.\.([0-9]+)')
def parse_test_plan(lines: LineStream, test: Test) -> bool:
"""
@@ -359,9 +357,9 @@ def parse_test_plan(lines: LineStream, test: Test) -> bool:
lines.pop()
return True
-TEST_RESULT = re.compile(r'^(ok|not ok) ([0-9]+) (- )?([^#]*)( # .*)?$')
+TEST_RESULT = re.compile(r'^\s*(ok|not ok) ([0-9]+) (- )?([^#]*)( # .*)?$')
-TEST_RESULT_SKIP = re.compile(r'^(ok|not ok) ([0-9]+) (- )?(.*) # SKIP(.*)$')
+TEST_RESULT_SKIP = re.compile(r'^\s*(ok|not ok) ([0-9]+) (- )?(.*) # SKIP(.*)$')
def peek_test_name_match(lines: LineStream, test: Test) -> bool:
"""
@@ -520,8 +518,9 @@ def print_test_header(test: Test) -> None:
def print_log(log: Iterable[str]) -> None:
"""Prints all strings in saved log for test in yellow."""
- for m in log:
- stdout.print_with_timestamp(stdout.yellow(m))
+ formatted = textwrap.dedent('\n'.join(log))
+ for line in formatted.splitlines():
+ stdout.print_with_timestamp(stdout.yellow(line))
def format_test_result(test: Test) -> str:
"""
diff --git a/tools/testing/kunit/kunit_tool_test.py b/tools/testing/kunit/kunit_tool_test.py
index 7e2f748a24eb2..fc13326e5c47a 100755
--- a/tools/testing/kunit/kunit_tool_test.py
+++ b/tools/testing/kunit/kunit_tool_test.py
@@ -354,12 +354,14 @@ class KUnitParserTest(unittest.TestCase):
KTAP version 1
1..1
Test output.
+ Indented more.
not ok 1 test1
"""
result = kunit_parser.parse_run_tests(output.splitlines())
self.assertEqual(kunit_parser.TestStatus.FAILURE, result.status)
self.print_mock.assert_any_call(StrContains('Test output.'))
+ self.print_mock.assert_any_call(StrContains(' Indented more.'))
self.noPrintCallContains('not ok 1 test1')
def line_stream_from_strs(strs: Iterable[str]) -> kunit_parser.LineStream:
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 099/460] usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 098/460] USB: add QUIRK_NO_BOS for video capture several devices Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 100/460] USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed Greg Kroah-Hartman
` (203 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Christoffer Sandberg,
Werner Sembach
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoffer Sandberg <cs@tuxedo.de>
commit 0326ff28d56b4fa202de36ffc8462a354f383a64 upstream.
Similar to other Huawei LTE modules using this quirk, this version with
another vid/pid suffers from spurious wakeups.
Setting the quirk fixes the issue for this device as well.
Cc: stable <stable@kernel.org>
Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Link: https://patch.msgid.link/20260306172817.2098898-1-wse@tuxedocomputers.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -208,6 +208,10 @@ static const struct usb_device_id usb_qu
/* HP v222w 16GB Mini USB Drive */
{ USB_DEVICE(0x03f0, 0x3f40), .driver_info = USB_QUIRK_DELAY_INIT },
+ /* Huawei 4G LTE module ME906S */
+ { USB_DEVICE(0x03f0, 0xa31d), .driver_info =
+ USB_QUIRK_DISCONNECT_SUSPEND },
+
/* Creative SB Audigy 2 NX */
{ USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME },
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 175/567] net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 174/567] net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 176/567] net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop Greg Kroah-Hartman
` (202 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 168ff39e4758897d2eee4756977d036d52884c7e ]
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called
which initializes it. If an IPv6 packet is injected into the interface,
route_shortcircuit() is called and a NULL pointer dereference happens on
neigh_lookup().
BUG: kernel NULL pointer dereference, address: 0000000000000380
Oops: Oops: 0000 [#1] SMP NOPTI
[...]
RIP: 0010:neigh_lookup+0x20/0x270
[...]
Call Trace:
<TASK>
vxlan_xmit+0x638/0x1ef0 [vxlan]
dev_hard_start_xmit+0x9e/0x2e0
__dev_queue_xmit+0xbee/0x14e0
packet_sendmsg+0x116f/0x1930
__sys_sendto+0x1f5/0x200
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x12f/0x1590
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fix this by adding an early check on route_shortcircuit() when protocol
is ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because
VXLAN can be built-in even when IPv6 is built as a module.
Fixes: e15a00aafa4b ("vxlan: add ipv6 route short circuit support")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Link: https://patch.msgid.link/20260304120357.9778-2-fmancera@suse.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/vxlan/vxlan_core.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
index 1b6b6acd34894..a862998fb3ba6 100644
--- a/drivers/net/vxlan/vxlan_core.c
+++ b/drivers/net/vxlan/vxlan_core.c
@@ -2126,6 +2126,11 @@ static bool route_shortcircuit(struct net_device *dev, struct sk_buff *skb)
{
struct ipv6hdr *pip6;
+ /* check if nd_tbl is not initiliazed due to
+ * ipv6.disable=1 set during boot
+ */
+ if (!ipv6_stub->nd_tbl)
+ return false;
if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
return false;
pip6 = ipv6_hdr(skb);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 113/481] kunit: kunit.py extract handlers
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 112/481] kunit: tool: make parser preserve whitespace when printing " Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 114/481] kunit: tool: remove unused imports and variables Greg Kroah-Hartman
` (202 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Pantyukhin, David Gow,
Shuah Khan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Pantyukhin <apantykhin@gmail.com>
[ Upstream commit 2dc9d6ca52a47fd00822e818c2a5e48fc5fbbd53 ]
The main function contains a wide if-elif block that handles different
subcommands. It's possible to make code refactoring to extract
subcommands handlers.
Fixed commit summary line.
Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Alexander Pantyukhin <apantykhin@gmail.com>
Reviewed-by: David Gow <davidgow@google.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Stable-dep-of: 40804c4974b8 ("kunit: tool: copy caller args in run_kernel to prevent mutation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/kunit/kunit.py | 167 ++++++++++++++++++++---------------
1 file changed, 96 insertions(+), 71 deletions(-)
diff --git a/tools/testing/kunit/kunit.py b/tools/testing/kunit/kunit.py
index 43fbe96318fe1..8cd8188675047 100755
--- a/tools/testing/kunit/kunit.py
+++ b/tools/testing/kunit/kunit.py
@@ -395,6 +395,95 @@ def tree_from_args(cli_args: argparse.Namespace) -> kunit_kernel.LinuxSourceTree
extra_qemu_args=qemu_args)
+def run_handler(cli_args):
+ if not os.path.exists(cli_args.build_dir):
+ os.mkdir(cli_args.build_dir)
+
+ linux = tree_from_args(cli_args)
+ request = KunitRequest(build_dir=cli_args.build_dir,
+ make_options=cli_args.make_options,
+ jobs=cli_args.jobs,
+ raw_output=cli_args.raw_output,
+ json=cli_args.json,
+ timeout=cli_args.timeout,
+ filter_glob=cli_args.filter_glob,
+ kernel_args=cli_args.kernel_args,
+ run_isolated=cli_args.run_isolated)
+ result = run_tests(linux, request)
+ if result.status != KunitStatus.SUCCESS:
+ sys.exit(1)
+
+
+def config_handler(cli_args):
+ if cli_args.build_dir and (
+ not os.path.exists(cli_args.build_dir)):
+ os.mkdir(cli_args.build_dir)
+
+ linux = tree_from_args(cli_args)
+ request = KunitConfigRequest(build_dir=cli_args.build_dir,
+ make_options=cli_args.make_options)
+ result = config_tests(linux, request)
+ stdout.print_with_timestamp((
+ 'Elapsed time: %.3fs\n') % (
+ result.elapsed_time))
+ if result.status != KunitStatus.SUCCESS:
+ sys.exit(1)
+
+
+def build_handler(cli_args):
+ linux = tree_from_args(cli_args)
+ request = KunitBuildRequest(build_dir=cli_args.build_dir,
+ make_options=cli_args.make_options,
+ jobs=cli_args.jobs)
+ result = config_and_build_tests(linux, request)
+ stdout.print_with_timestamp((
+ 'Elapsed time: %.3fs\n') % (
+ result.elapsed_time))
+ if result.status != KunitStatus.SUCCESS:
+ sys.exit(1)
+
+
+def exec_handler(cli_args):
+ linux = tree_from_args(cli_args)
+ exec_request = KunitExecRequest(raw_output=cli_args.raw_output,
+ build_dir=cli_args.build_dir,
+ json=cli_args.json,
+ timeout=cli_args.timeout,
+ filter_glob=cli_args.filter_glob,
+ kernel_args=cli_args.kernel_args,
+ run_isolated=cli_args.run_isolated)
+ result = exec_tests(linux, exec_request)
+ stdout.print_with_timestamp((
+ 'Elapsed time: %.3fs\n') % (result.elapsed_time))
+ if result.status != KunitStatus.SUCCESS:
+ sys.exit(1)
+
+
+def parse_handler(cli_args):
+ if cli_args.file is None:
+ sys.stdin.reconfigure(errors='backslashreplace') # pytype: disable=attribute-error
+ kunit_output = sys.stdin
+ else:
+ with open(cli_args.file, 'r', errors='backslashreplace') as f:
+ kunit_output = f.read().splitlines()
+ # We know nothing about how the result was created!
+ metadata = kunit_json.Metadata()
+ request = KunitParseRequest(raw_output=cli_args.raw_output,
+ json=cli_args.json)
+ result, _ = parse_tests(request, metadata, kunit_output)
+ if result.status != KunitStatus.SUCCESS:
+ sys.exit(1)
+
+
+subcommand_handlers_map = {
+ 'run': run_handler,
+ 'config': config_handler,
+ 'build': build_handler,
+ 'exec': exec_handler,
+ 'parse': parse_handler
+}
+
+
def main(argv):
parser = argparse.ArgumentParser(
description='Helps writing and running KUnit tests.')
@@ -438,78 +527,14 @@ def main(argv):
if get_kernel_root_path():
os.chdir(get_kernel_root_path())
- if cli_args.subcommand == 'run':
- if not os.path.exists(cli_args.build_dir):
- os.mkdir(cli_args.build_dir)
-
- linux = tree_from_args(cli_args)
- request = KunitRequest(build_dir=cli_args.build_dir,
- make_options=cli_args.make_options,
- jobs=cli_args.jobs,
- raw_output=cli_args.raw_output,
- json=cli_args.json,
- timeout=cli_args.timeout,
- filter_glob=cli_args.filter_glob,
- kernel_args=cli_args.kernel_args,
- run_isolated=cli_args.run_isolated)
- result = run_tests(linux, request)
- if result.status != KunitStatus.SUCCESS:
- sys.exit(1)
- elif cli_args.subcommand == 'config':
- if cli_args.build_dir and (
- not os.path.exists(cli_args.build_dir)):
- os.mkdir(cli_args.build_dir)
-
- linux = tree_from_args(cli_args)
- request = KunitConfigRequest(build_dir=cli_args.build_dir,
- make_options=cli_args.make_options)
- result = config_tests(linux, request)
- stdout.print_with_timestamp((
- 'Elapsed time: %.3fs\n') % (
- result.elapsed_time))
- if result.status != KunitStatus.SUCCESS:
- sys.exit(1)
- elif cli_args.subcommand == 'build':
- linux = tree_from_args(cli_args)
- request = KunitBuildRequest(build_dir=cli_args.build_dir,
- make_options=cli_args.make_options,
- jobs=cli_args.jobs)
- result = config_and_build_tests(linux, request)
- stdout.print_with_timestamp((
- 'Elapsed time: %.3fs\n') % (
- result.elapsed_time))
- if result.status != KunitStatus.SUCCESS:
- sys.exit(1)
- elif cli_args.subcommand == 'exec':
- linux = tree_from_args(cli_args)
- exec_request = KunitExecRequest(raw_output=cli_args.raw_output,
- build_dir=cli_args.build_dir,
- json=cli_args.json,
- timeout=cli_args.timeout,
- filter_glob=cli_args.filter_glob,
- kernel_args=cli_args.kernel_args,
- run_isolated=cli_args.run_isolated)
- result = exec_tests(linux, exec_request)
- stdout.print_with_timestamp((
- 'Elapsed time: %.3fs\n') % (result.elapsed_time))
- if result.status != KunitStatus.SUCCESS:
- sys.exit(1)
- elif cli_args.subcommand == 'parse':
- if cli_args.file is None:
- sys.stdin.reconfigure(errors='backslashreplace') # pytype: disable=attribute-error
- kunit_output = sys.stdin
- else:
- with open(cli_args.file, 'r', errors='backslashreplace') as f:
- kunit_output = f.read().splitlines()
- # We know nothing about how the result was created!
- metadata = kunit_json.Metadata()
- request = KunitParseRequest(raw_output=cli_args.raw_output,
- json=cli_args.json)
- result, _ = parse_tests(request, metadata, kunit_output)
- if result.status != KunitStatus.SUCCESS:
- sys.exit(1)
- else:
+ subcomand_handler = subcommand_handlers_map.get(cli_args.subcommand, None)
+
+ if subcomand_handler is None:
parser.print_help()
+ return
+
+ subcomand_handler(cli_args)
+
if __name__ == '__main__':
main(sys.argv[1:])
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 100/460] USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 099/460] usb/core/quirks: Add Huawei ME906S-device to wakeup quirk Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 101/460] usb: xhci: Fix memory leak in xhci_disable_slot() Greg Kroah-Hartman
` (202 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vyacheslav Vahnenko, stable
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vyacheslav Vahnenko <vahnenko2003@gmail.com>
commit d0d9b1f4f5391e6a00cee81d73ed2e8f98446d5f upstream.
Add USB_QUIRK_NO_BOS for ezcap401 capture card, without it dmesg will show
"unable to get BOS descriptor or descriptor too short" and "unable to
read config index 0 descriptor/start: -71" errors and device will not
able to work at full speed at 10gbs
Signed-off-by: Vyacheslav Vahnenko <vahnenko2003@gmail.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260313123638.20481-1-vahnenko2003@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -585,6 +585,9 @@ static const struct usb_device_id usb_qu
/* Alcor Link AK9563 SC Reader used in 2022 Lenovo ThinkPads */
{ USB_DEVICE(0x2ce3, 0x9563), .driver_info = USB_QUIRK_NO_LPM },
+ /* ezcap401 - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x32ed, 0x0401), .driver_info = USB_QUIRK_NO_BOS },
+
/* DELL USB GEN2 */
{ USB_DEVICE(0x413c, 0xb062), .driver_info = USB_QUIRK_NO_LPM | USB_QUIRK_RESET_RESUME },
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 176/567] net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 175/567] net: vxlan: " Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 177/567] net/sched: act_ife: Fix metalist update behavior Greg Kroah-Hartman
` (201 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ido Schimmel,
syzbot+334190e097a98a1b81bb, Jiayuan Chen, David Ahern,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@shopee.com>
[ Upstream commit 21ec92774d1536f71bdc90b0e3d052eff99cf093 ]
When a standalone IPv6 nexthop object is created with a loopback device
(e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies
it as a reject route. This is because nexthop objects have no destination
prefix (fc_dst=::), causing fib6_is_reject() to match any loopback
nexthop. The reject path skips fib_nh_common_init(), leaving
nhc_pcpu_rth_output unallocated. If an IPv4 route later references this
nexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and
panics.
Simplify the check in fib6_nh_init() to only match explicit reject
routes (RTF_REJECT) instead of using fib6_is_reject(). The loopback
promotion heuristic in fib6_is_reject() is handled separately by
ip6_route_info_create_nh(). After this change, the three cases behave
as follows:
1. Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"):
RTF_REJECT is set, enters reject path, skips fib_nh_common_init().
No behavior change.
2. Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"):
RTF_REJECT is not set, takes normal path, fib_nh_common_init() is
called. ip6_route_info_create_nh() still promotes it to reject
afterward. nhc_pcpu_rth_output is allocated but unused, which is
harmless.
3. Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"):
RTF_REJECT is not set, takes normal path, fib_nh_common_init() is
called. nhc_pcpu_rth_output is properly allocated, fixing the crash
when IPv4 routes reference this nexthop.
Suggested-by: Ido Schimmel <idosch@nvidia.com>
Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects")
Reported-by: syzbot+334190e097a98a1b81bb@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/698f8482.a70a0220.2c38d7.00ca.GAE@google.com/T/
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260304113817.294966-2-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/route.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 72853ef73e821..7a91e539bbd14 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -3567,7 +3567,6 @@ int fib6_nh_init(struct net *net, struct fib6_nh *fib6_nh,
netdevice_tracker *dev_tracker = &fib6_nh->fib_nh_dev_tracker;
struct net_device *dev = NULL;
struct inet6_dev *idev = NULL;
- int addr_type;
int err;
fib6_nh->fib_nh_family = AF_INET6;
@@ -3609,11 +3608,10 @@ int fib6_nh_init(struct net *net, struct fib6_nh *fib6_nh,
fib6_nh->fib_nh_weight = 1;
- /* We cannot add true routes via loopback here,
- * they would result in kernel looping; promote them to reject routes
+ /* Reset the nexthop device to the loopback device in case of reject
+ * routes.
*/
- addr_type = ipv6_addr_type(&cfg->fc_dst);
- if (fib6_is_reject(cfg->fc_flags, dev, addr_type)) {
+ if (cfg->fc_flags & RTF_REJECT) {
/* hold loopback dev/idev if we haven't done so. */
if (dev != net->loopback_dev) {
if (dev) {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 114/481] kunit: tool: remove unused imports and variables
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 113/481] kunit: kunit.py extract handlers Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 115/481] kunit: tool: fix pre-existing `mypy --strict` errors and update run_checks.py Greg Kroah-Hartman
` (201 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Latypov, David Gow,
Shuah Khan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Latypov <dlatypov@google.com>
[ Upstream commit 126901ba3499880c9ed033633817cf7493120fda ]
We don't run a linter regularly over kunit.py code (the default settings
on most don't like kernel style, e.g. tabs) so some of these imports
didn't get removed when they stopped being used.
Signed-off-by: Daniel Latypov <dlatypov@google.com>
Reviewed-by: David Gow <davidgow@google.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Stable-dep-of: 40804c4974b8 ("kunit: tool: copy caller args in run_kernel to prevent mutation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/kunit/kunit.py | 2 +-
tools/testing/kunit/kunit_config.py | 2 +-
tools/testing/kunit/kunit_kernel.py | 1 -
tools/testing/kunit/kunit_parser.py | 1 -
tools/testing/kunit/kunit_tool_test.py | 2 +-
5 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/tools/testing/kunit/kunit.py b/tools/testing/kunit/kunit.py
index 8cd8188675047..172db04b48f42 100755
--- a/tools/testing/kunit/kunit.py
+++ b/tools/testing/kunit/kunit.py
@@ -132,7 +132,7 @@ def _suites_from_test_list(tests: List[str]) -> List[str]:
parts = t.split('.', maxsplit=2)
if len(parts) != 2:
raise ValueError(f'internal KUnit error, test name should be of the form "<suite>.<test>", got "{t}"')
- suite, case = parts
+ suite, _ = parts
if not suites or suites[-1] != suite:
suites.append(suite)
return suites
diff --git a/tools/testing/kunit/kunit_config.py b/tools/testing/kunit/kunit_config.py
index 48b5f34b2e5d7..9f76d7b896175 100644
--- a/tools/testing/kunit/kunit_config.py
+++ b/tools/testing/kunit/kunit_config.py
@@ -8,7 +8,7 @@
from dataclasses import dataclass
import re
-from typing import Dict, Iterable, List, Set, Tuple
+from typing import Dict, Iterable, List, Tuple
CONFIG_IS_NOT_SET_PATTERN = r'^# CONFIG_(\w+) is not set$'
CONFIG_PATTERN = r'^CONFIG_(\w+)=(\S+|".*")$'
diff --git a/tools/testing/kunit/kunit_kernel.py b/tools/testing/kunit/kunit_kernel.py
index 53e90c3358348..cd73256c30c39 100644
--- a/tools/testing/kunit/kunit_kernel.py
+++ b/tools/testing/kunit/kunit_kernel.py
@@ -18,7 +18,6 @@ import threading
from typing import Iterator, List, Optional, Tuple
import kunit_config
-from kunit_printer import stdout
import qemu_config
KCONFIG_PATH = '.config'
diff --git a/tools/testing/kunit/kunit_parser.py b/tools/testing/kunit/kunit_parser.py
index c02100b70af62..d5abd0567c8e0 100644
--- a/tools/testing/kunit/kunit_parser.py
+++ b/tools/testing/kunit/kunit_parser.py
@@ -11,7 +11,6 @@
from __future__ import annotations
import re
-import sys
import textwrap
from enum import Enum, auto
diff --git a/tools/testing/kunit/kunit_tool_test.py b/tools/testing/kunit/kunit_tool_test.py
index fc13326e5c47a..9ba0ff95fad5c 100755
--- a/tools/testing/kunit/kunit_tool_test.py
+++ b/tools/testing/kunit/kunit_tool_test.py
@@ -346,7 +346,7 @@ class KUnitParserTest(unittest.TestCase):
def test_parse_subtest_header(self):
ktap_log = test_data_path('test_parse_subtest_header.log')
with open(ktap_log) as file:
- result = kunit_parser.parse_run_tests(file.readlines())
+ kunit_parser.parse_run_tests(file.readlines())
self.print_mock.assert_any_call(StrContains('suite (1 subtest)'))
def test_show_test_output_on_failure(self):
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 101/460] usb: xhci: Fix memory leak in xhci_disable_slot()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 100/460] USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 102/460] usb: xhci: Prevent interrupt storm on host controller error (HCE) Greg Kroah-Hartman
` (201 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zilin Guan, Mathias Nyman
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
commit c1c8550e70401159184130a1afc6261db01fc0ce upstream.
xhci_alloc_command() allocates a command structure and, when the
second argument is true, also allocates a completion structure.
Currently, the error handling path in xhci_disable_slot() only frees
the command structure using kfree(), causing the completion structure
to leak.
Use xhci_free_command() instead of kfree(). xhci_free_command() correctly
frees both the command structure and the associated completion structure.
Since the command structure is allocated with zero-initialization,
command->in_ctx is NULL and will not be erroneously freed by
xhci_free_command().
This bug was found using an experimental static analysis tool we are
developing. The tool is based on the LLVM framework and is specifically
designed to detect memory management issues. It is currently under
active development and not yet publicly available, but we plan to
open-source it after our research is published.
The bug was originally detected on v6.13-rc1 using our static analysis
tool, and we have verified that the issue persists in the latest mainline
kernel.
We performed build testing on x86_64 with allyesconfig using GCC=11.4.0.
Since triggering these error paths in xhci_disable_slot() requires specific
hardware conditions or abnormal state, we were unable to construct a test
case to reliably trigger these specific error paths at runtime.
Fixes: 7faac1953ed1 ("xhci: avoid race between disable slot command and host runtime suspend")
CC: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20260304223639.3882398-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3939,7 +3939,7 @@ int xhci_disable_slot(struct xhci_hcd *x
if (state == 0xffffffff || (xhci->xhc_state & XHCI_STATE_DYING) ||
(xhci->xhc_state & XHCI_STATE_HALTED)) {
spin_unlock_irqrestore(&xhci->lock, flags);
- kfree(command);
+ xhci_free_command(xhci, command);
return -ENODEV;
}
@@ -3947,7 +3947,7 @@ int xhci_disable_slot(struct xhci_hcd *x
slot_id);
if (ret) {
spin_unlock_irqrestore(&xhci->lock, flags);
- kfree(command);
+ xhci_free_command(xhci, command);
return ret;
}
xhci_ring_cmd_db(xhci);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 177/567] net/sched: act_ife: Fix metalist update behavior
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 176/567] net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 178/567] xdp: use modulo operation to calculate XDP frag tailroom Greg Kroah-Hartman
` (200 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ruitong Liu, Victor Nogueira,
Jamal Hadi Salim, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit e2cedd400c3ec0302ffca2490e8751772906ac23 ]
Whenever an ife action replace changes the metalist, instead of
replacing the old data on the metalist, the current ife code is appending
the new metadata. Aside from being innapropriate behavior, this may lead
to an unbounded addition of metadata to the metalist which might cause an
out of bounds error when running the encode op:
[ 138.423369][ C1] ==================================================================
[ 138.424317][ C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.424906][ C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255
[ 138.425778][ C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full)
[ 138.425795][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 138.425800][ C1] Call Trace:
[ 138.425804][ C1] <IRQ>
[ 138.425808][ C1] dump_stack_lvl (lib/dump_stack.c:122)
[ 138.425828][ C1] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[ 138.425839][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425844][ C1] ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))
[ 138.425853][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425859][ C1] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
[ 138.425868][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425878][ C1] kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1))
[ 138.425884][ C1] __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))
[ 138.425889][ C1] ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425893][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:171)
[ 138.425898][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425903][ C1] ife_encode_meta_u16 (net/sched/act_ife.c:57)
[ 138.425910][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
[ 138.425916][ C1] ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3))
[ 138.425921][ C1] ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45)
[ 138.425927][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425931][ C1] tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879)
To solve this issue, fix the replace behavior by adding the metalist to
the ife rcu data structure.
Fixes: aa9fd9a325d51 ("sched: act: ife: update parameters via rcu handling")
Reported-by: Ruitong Liu <cnitlrt@gmail.com>
Tested-by: Ruitong Liu <cnitlrt@gmail.com>
Co-developed-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260304140603.76500-1-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/tc_act/tc_ife.h | 4 +-
net/sched/act_ife.c | 93 ++++++++++++++++++-------------------
2 files changed, 45 insertions(+), 52 deletions(-)
diff --git a/include/net/tc_act/tc_ife.h b/include/net/tc_act/tc_ife.h
index c7f24a2da1cad..24d4d5a62b3c2 100644
--- a/include/net/tc_act/tc_ife.h
+++ b/include/net/tc_act/tc_ife.h
@@ -13,15 +13,13 @@ struct tcf_ife_params {
u8 eth_src[ETH_ALEN];
u16 eth_type;
u16 flags;
-
+ struct list_head metalist;
struct rcu_head rcu;
};
struct tcf_ife_info {
struct tc_action common;
struct tcf_ife_params __rcu *params;
- /* list of metaids allowed */
- struct list_head metalist;
};
#define to_ife(a) ((struct tcf_ife_info *)a)
diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
index 58c1ab02bd0d2..bf772401b1f41 100644
--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -293,8 +293,8 @@ static int load_metaops_and_vet(u32 metaid, void *val, int len, bool rtnl_held)
/* called when adding new meta information
*/
static int __add_metainfo(const struct tcf_meta_ops *ops,
- struct tcf_ife_info *ife, u32 metaid, void *metaval,
- int len, bool atomic, bool exists)
+ struct tcf_ife_params *p, u32 metaid, void *metaval,
+ int len, bool atomic)
{
struct tcf_meta_info *mi = NULL;
int ret = 0;
@@ -313,45 +313,40 @@ static int __add_metainfo(const struct tcf_meta_ops *ops,
}
}
- if (exists)
- spin_lock_bh(&ife->tcf_lock);
- list_add_tail(&mi->metalist, &ife->metalist);
- if (exists)
- spin_unlock_bh(&ife->tcf_lock);
+ list_add_tail(&mi->metalist, &p->metalist);
return ret;
}
static int add_metainfo_and_get_ops(const struct tcf_meta_ops *ops,
- struct tcf_ife_info *ife, u32 metaid,
- bool exists)
+ struct tcf_ife_params *p, u32 metaid)
{
int ret;
if (!try_module_get(ops->owner))
return -ENOENT;
- ret = __add_metainfo(ops, ife, metaid, NULL, 0, true, exists);
+ ret = __add_metainfo(ops, p, metaid, NULL, 0, true);
if (ret)
module_put(ops->owner);
return ret;
}
-static int add_metainfo(struct tcf_ife_info *ife, u32 metaid, void *metaval,
- int len, bool exists)
+static int add_metainfo(struct tcf_ife_params *p, u32 metaid, void *metaval,
+ int len)
{
const struct tcf_meta_ops *ops = find_ife_oplist(metaid);
int ret;
if (!ops)
return -ENOENT;
- ret = __add_metainfo(ops, ife, metaid, metaval, len, false, exists);
+ ret = __add_metainfo(ops, p, metaid, metaval, len, false);
if (ret)
/*put back what find_ife_oplist took */
module_put(ops->owner);
return ret;
}
-static int use_all_metadata(struct tcf_ife_info *ife, bool exists)
+static int use_all_metadata(struct tcf_ife_params *p)
{
struct tcf_meta_ops *o;
int rc = 0;
@@ -359,7 +354,7 @@ static int use_all_metadata(struct tcf_ife_info *ife, bool exists)
read_lock(&ife_mod_lock);
list_for_each_entry(o, &ifeoplist, list) {
- rc = add_metainfo_and_get_ops(o, ife, o->metaid, exists);
+ rc = add_metainfo_and_get_ops(o, p, o->metaid);
if (rc == 0)
installed += 1;
}
@@ -371,7 +366,7 @@ static int use_all_metadata(struct tcf_ife_info *ife, bool exists)
return -EINVAL;
}
-static int dump_metalist(struct sk_buff *skb, struct tcf_ife_info *ife)
+static int dump_metalist(struct sk_buff *skb, struct tcf_ife_params *p)
{
struct tcf_meta_info *e;
struct nlattr *nest;
@@ -379,14 +374,14 @@ static int dump_metalist(struct sk_buff *skb, struct tcf_ife_info *ife)
int total_encoded = 0;
/*can only happen on decode */
- if (list_empty(&ife->metalist))
+ if (list_empty(&p->metalist))
return 0;
nest = nla_nest_start_noflag(skb, TCA_IFE_METALST);
if (!nest)
goto out_nlmsg_trim;
- list_for_each_entry(e, &ife->metalist, metalist) {
+ list_for_each_entry(e, &p->metalist, metalist) {
if (!e->ops->get(skb, e))
total_encoded += 1;
}
@@ -403,13 +398,11 @@ static int dump_metalist(struct sk_buff *skb, struct tcf_ife_info *ife)
return -1;
}
-/* under ife->tcf_lock */
-static void _tcf_ife_cleanup(struct tc_action *a)
+static void __tcf_ife_cleanup(struct tcf_ife_params *p)
{
- struct tcf_ife_info *ife = to_ife(a);
struct tcf_meta_info *e, *n;
- list_for_each_entry_safe(e, n, &ife->metalist, metalist) {
+ list_for_each_entry_safe(e, n, &p->metalist, metalist) {
list_del(&e->metalist);
if (e->metaval) {
if (e->ops->release)
@@ -422,18 +415,23 @@ static void _tcf_ife_cleanup(struct tc_action *a)
}
}
+static void tcf_ife_cleanup_params(struct rcu_head *head)
+{
+ struct tcf_ife_params *p = container_of(head, struct tcf_ife_params,
+ rcu);
+
+ __tcf_ife_cleanup(p);
+ kfree(p);
+}
+
static void tcf_ife_cleanup(struct tc_action *a)
{
struct tcf_ife_info *ife = to_ife(a);
struct tcf_ife_params *p;
- spin_lock_bh(&ife->tcf_lock);
- _tcf_ife_cleanup(a);
- spin_unlock_bh(&ife->tcf_lock);
-
p = rcu_dereference_protected(ife->params, 1);
if (p)
- kfree_rcu(p, rcu);
+ call_rcu(&p->rcu, tcf_ife_cleanup_params);
}
static int load_metalist(struct nlattr **tb, bool rtnl_held)
@@ -455,8 +453,7 @@ static int load_metalist(struct nlattr **tb, bool rtnl_held)
return 0;
}
-static int populate_metalist(struct tcf_ife_info *ife, struct nlattr **tb,
- bool exists, bool rtnl_held)
+static int populate_metalist(struct tcf_ife_params *p, struct nlattr **tb)
{
int len = 0;
int rc = 0;
@@ -468,7 +465,7 @@ static int populate_metalist(struct tcf_ife_info *ife, struct nlattr **tb,
val = nla_data(tb[i]);
len = nla_len(tb[i]);
- rc = add_metainfo(ife, i, val, len, exists);
+ rc = add_metainfo(p, i, val, len);
if (rc)
return rc;
}
@@ -523,6 +520,7 @@ static int tcf_ife_init(struct net *net, struct nlattr *nla,
p = kzalloc(sizeof(*p), GFP_KERNEL);
if (!p)
return -ENOMEM;
+ INIT_LIST_HEAD(&p->metalist);
if (tb[TCA_IFE_METALST]) {
err = nla_parse_nested_deprecated(tb2, IFE_META_MAX,
@@ -567,8 +565,6 @@ static int tcf_ife_init(struct net *net, struct nlattr *nla,
}
ife = to_ife(*a);
- if (ret == ACT_P_CREATED)
- INIT_LIST_HEAD(&ife->metalist);
err = tcf_action_check_ctrlact(parm->action, tp, &goto_ch, extack);
if (err < 0)
@@ -600,8 +596,7 @@ static int tcf_ife_init(struct net *net, struct nlattr *nla,
}
if (tb[TCA_IFE_METALST]) {
- err = populate_metalist(ife, tb2, exists,
- !(flags & TCA_ACT_FLAGS_NO_RTNL));
+ err = populate_metalist(p, tb2);
if (err)
goto metadata_parse_err;
} else {
@@ -610,7 +605,7 @@ static int tcf_ife_init(struct net *net, struct nlattr *nla,
* as we can. You better have at least one else we are
* going to bail out
*/
- err = use_all_metadata(ife, exists);
+ err = use_all_metadata(p);
if (err)
goto metadata_parse_err;
}
@@ -626,13 +621,14 @@ static int tcf_ife_init(struct net *net, struct nlattr *nla,
if (goto_ch)
tcf_chain_put_by_act(goto_ch);
if (p)
- kfree_rcu(p, rcu);
+ call_rcu(&p->rcu, tcf_ife_cleanup_params);
return ret;
metadata_parse_err:
if (goto_ch)
tcf_chain_put_by_act(goto_ch);
release_idr:
+ __tcf_ife_cleanup(p);
kfree(p);
tcf_idr_release(*a, bind);
return err;
@@ -679,7 +675,7 @@ static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
if (nla_put(skb, TCA_IFE_TYPE, 2, &p->eth_type))
goto nla_put_failure;
- if (dump_metalist(skb, ife)) {
+ if (dump_metalist(skb, p)) {
/*ignore failure to dump metalist */
pr_info("Failed to dump metalist\n");
}
@@ -693,13 +689,13 @@ static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
return -1;
}
-static int find_decode_metaid(struct sk_buff *skb, struct tcf_ife_info *ife,
+static int find_decode_metaid(struct sk_buff *skb, struct tcf_ife_params *p,
u16 metaid, u16 mlen, void *mdata)
{
struct tcf_meta_info *e;
/* XXX: use hash to speed up */
- list_for_each_entry(e, &ife->metalist, metalist) {
+ list_for_each_entry_rcu(e, &p->metalist, metalist) {
if (metaid == e->metaid) {
if (e->ops) {
/* We check for decode presence already */
@@ -716,10 +712,13 @@ static int tcf_ife_decode(struct sk_buff *skb, const struct tc_action *a,
{
struct tcf_ife_info *ife = to_ife(a);
int action = ife->tcf_action;
+ struct tcf_ife_params *p;
u8 *ifehdr_end;
u8 *tlv_data;
u16 metalen;
+ p = rcu_dereference_bh(ife->params);
+
bstats_update(this_cpu_ptr(ife->common.cpu_bstats), skb);
tcf_lastuse_update(&ife->tcf_tm);
@@ -745,7 +744,7 @@ static int tcf_ife_decode(struct sk_buff *skb, const struct tc_action *a,
return TC_ACT_SHOT;
}
- if (find_decode_metaid(skb, ife, mtype, dlen, curr_data)) {
+ if (find_decode_metaid(skb, p, mtype, dlen, curr_data)) {
/* abuse overlimits to count when we receive metadata
* but dont have an ops for it
*/
@@ -769,12 +768,12 @@ static int tcf_ife_decode(struct sk_buff *skb, const struct tc_action *a,
/*XXX: check if we can do this at install time instead of current
* send data path
**/
-static int ife_get_sz(struct sk_buff *skb, struct tcf_ife_info *ife)
+static int ife_get_sz(struct sk_buff *skb, struct tcf_ife_params *p)
{
- struct tcf_meta_info *e, *n;
+ struct tcf_meta_info *e;
int tot_run_sz = 0, run_sz = 0;
- list_for_each_entry_safe(e, n, &ife->metalist, metalist) {
+ list_for_each_entry_rcu(e, &p->metalist, metalist) {
if (e->ops->check_presence) {
run_sz = e->ops->check_presence(skb, e);
tot_run_sz += run_sz;
@@ -795,7 +794,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a,
OUTERHDR:TOTMETALEN:{TLVHDR:Metadatum:TLVHDR..}:ORIGDATA
where ORIGDATA = original ethernet header ...
*/
- u16 metalen = ife_get_sz(skb, ife);
+ u16 metalen = ife_get_sz(skb, p);
int hdrm = metalen + skb->dev->hard_header_len + IFE_METAHDRLEN;
unsigned int skboff = 0;
int new_len = skb->len + hdrm;
@@ -833,25 +832,21 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a,
if (!ife_meta)
goto drop;
- spin_lock(&ife->tcf_lock);
-
/* XXX: we dont have a clever way of telling encode to
* not repeat some of the computations that are done by
* ops->presence_check...
*/
- list_for_each_entry(e, &ife->metalist, metalist) {
+ list_for_each_entry_rcu(e, &p->metalist, metalist) {
if (e->ops->encode) {
err = e->ops->encode(skb, (void *)(ife_meta + skboff),
e);
}
if (err < 0) {
/* too corrupt to keep around if overwritten */
- spin_unlock(&ife->tcf_lock);
goto drop;
}
skboff += err;
}
- spin_unlock(&ife->tcf_lock);
oethh = (struct ethhdr *)skb->data;
if (!is_zero_ether_addr(p->eth_src))
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 115/481] kunit: tool: fix pre-existing `mypy --strict` errors and update run_checks.py
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 114/481] kunit: tool: remove unused imports and variables Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 116/481] kunit: tool: Add command line interface to filter and report attributes Greg Kroah-Hartman
` (200 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Berg, Daniel Latypov,
David Gow, Shuah Khan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Latypov <dlatypov@google.com>
[ Upstream commit 1da2e6220e1115930694c649605534baf6fa3dea ]
Basically, get this command to be happy and make run_checks.py happy
$ mypy --strict --exclude '_test.py$' --exclude qemu_configs/ ./tools/testing/kunit/
Primarily the changes are
* add `-> None` return type annotations
* add all the missing argument type annotations
Previously, we had false positives from mypy in `main()`, see commit
09641f7c7d8f ("kunit: tool: surface and address more typing issues").
But after commit 2dc9d6ca52a4 ("kunit: kunit.py extract handlers")
refactored things, the variable name reuse mypy hated is gone.
Note: mypy complains we don't annotate the types the unused args in our
signal handler. That's silly.
But to make it happy, I've copy-pasted an appropriate annotation from
https://github.com/python/typing/discussions/1042#discussioncomment-2013595.
Reported-by: Johannes Berg <johannes.berg@intel.com>
Link: https://lore.kernel.org/linux-kselftest/9a172b50457f4074af41fe1dc8e55dcaf4795d7e.camel@sipsolutions.net/
Signed-off-by: Daniel Latypov <dlatypov@google.com>
Reviewed-by: David Gow <davidgow@google.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Stable-dep-of: 40804c4974b8 ("kunit: tool: copy caller args in run_kernel to prevent mutation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/kunit/kunit.py | 24 ++++++++++++------------
tools/testing/kunit/kunit_config.py | 4 ++--
tools/testing/kunit/kunit_kernel.py | 29 +++++++++++++++--------------
tools/testing/kunit/run_checks.py | 4 ++--
4 files changed, 31 insertions(+), 30 deletions(-)
diff --git a/tools/testing/kunit/kunit.py b/tools/testing/kunit/kunit.py
index 172db04b48f42..1ed7f0f86dee3 100755
--- a/tools/testing/kunit/kunit.py
+++ b/tools/testing/kunit/kunit.py
@@ -278,7 +278,7 @@ def massage_argv(argv: Sequence[str]) -> Sequence[str]:
def get_default_jobs() -> int:
return len(os.sched_getaffinity(0))
-def add_common_opts(parser) -> None:
+def add_common_opts(parser: argparse.ArgumentParser) -> None:
parser.add_argument('--build_dir',
help='As in the make command, it specifies the build '
'directory.',
@@ -329,13 +329,13 @@ def add_common_opts(parser) -> None:
help='Additional QEMU arguments, e.g. "-smp 8"',
action='append', metavar='')
-def add_build_opts(parser) -> None:
+def add_build_opts(parser: argparse.ArgumentParser) -> None:
parser.add_argument('--jobs',
help='As in the make command, "Specifies the number of '
'jobs (commands) to run simultaneously."',
type=int, default=get_default_jobs(), metavar='N')
-def add_exec_opts(parser) -> None:
+def add_exec_opts(parser: argparse.ArgumentParser) -> None:
parser.add_argument('--timeout',
help='maximum number of seconds to allow for all tests '
'to run. This does not include time taken to build the '
@@ -360,7 +360,7 @@ def add_exec_opts(parser) -> None:
type=str,
choices=['suite', 'test'])
-def add_parse_opts(parser) -> None:
+def add_parse_opts(parser: argparse.ArgumentParser) -> None:
parser.add_argument('--raw_output', help='If set don\'t parse output from kernel. '
'By default, filters to just KUnit output. Use '
'--raw_output=all to show everything',
@@ -395,7 +395,7 @@ def tree_from_args(cli_args: argparse.Namespace) -> kunit_kernel.LinuxSourceTree
extra_qemu_args=qemu_args)
-def run_handler(cli_args):
+def run_handler(cli_args: argparse.Namespace) -> None:
if not os.path.exists(cli_args.build_dir):
os.mkdir(cli_args.build_dir)
@@ -414,7 +414,7 @@ def run_handler(cli_args):
sys.exit(1)
-def config_handler(cli_args):
+def config_handler(cli_args: argparse.Namespace) -> None:
if cli_args.build_dir and (
not os.path.exists(cli_args.build_dir)):
os.mkdir(cli_args.build_dir)
@@ -430,7 +430,7 @@ def config_handler(cli_args):
sys.exit(1)
-def build_handler(cli_args):
+def build_handler(cli_args: argparse.Namespace) -> None:
linux = tree_from_args(cli_args)
request = KunitBuildRequest(build_dir=cli_args.build_dir,
make_options=cli_args.make_options,
@@ -443,7 +443,7 @@ def build_handler(cli_args):
sys.exit(1)
-def exec_handler(cli_args):
+def exec_handler(cli_args: argparse.Namespace) -> None:
linux = tree_from_args(cli_args)
exec_request = KunitExecRequest(raw_output=cli_args.raw_output,
build_dir=cli_args.build_dir,
@@ -459,10 +459,10 @@ def exec_handler(cli_args):
sys.exit(1)
-def parse_handler(cli_args):
+def parse_handler(cli_args: argparse.Namespace) -> None:
if cli_args.file is None:
- sys.stdin.reconfigure(errors='backslashreplace') # pytype: disable=attribute-error
- kunit_output = sys.stdin
+ sys.stdin.reconfigure(errors='backslashreplace') # type: ignore
+ kunit_output = sys.stdin # type: Iterable[str]
else:
with open(cli_args.file, 'r', errors='backslashreplace') as f:
kunit_output = f.read().splitlines()
@@ -484,7 +484,7 @@ subcommand_handlers_map = {
}
-def main(argv):
+def main(argv: Sequence[str]) -> None:
parser = argparse.ArgumentParser(
description='Helps writing and running KUnit tests.')
subparser = parser.add_subparsers(dest='subcommand')
diff --git a/tools/testing/kunit/kunit_config.py b/tools/testing/kunit/kunit_config.py
index 9f76d7b896175..eb5dd01210b1b 100644
--- a/tools/testing/kunit/kunit_config.py
+++ b/tools/testing/kunit/kunit_config.py
@@ -8,7 +8,7 @@
from dataclasses import dataclass
import re
-from typing import Dict, Iterable, List, Tuple
+from typing import Any, Dict, Iterable, List, Tuple
CONFIG_IS_NOT_SET_PATTERN = r'^# CONFIG_(\w+) is not set$'
CONFIG_PATTERN = r'^CONFIG_(\w+)=(\S+|".*")$'
@@ -34,7 +34,7 @@ class Kconfig:
def __init__(self) -> None:
self._entries = {} # type: Dict[str, str]
- def __eq__(self, other) -> bool:
+ def __eq__(self, other: Any) -> bool:
if not isinstance(other, self.__class__):
return False
return self._entries == other._entries
diff --git a/tools/testing/kunit/kunit_kernel.py b/tools/testing/kunit/kunit_kernel.py
index cd73256c30c39..faf90dcfed32d 100644
--- a/tools/testing/kunit/kunit_kernel.py
+++ b/tools/testing/kunit/kunit_kernel.py
@@ -16,6 +16,7 @@ import shutil
import signal
import threading
from typing import Iterator, List, Optional, Tuple
+from types import FrameType
import kunit_config
import qemu_config
@@ -56,7 +57,7 @@ class LinuxSourceTreeOperations:
def make_arch_config(self, base_kunitconfig: kunit_config.Kconfig) -> kunit_config.Kconfig:
return base_kunitconfig
- def make_olddefconfig(self, build_dir: str, make_options) -> None:
+ def make_olddefconfig(self, build_dir: str, make_options: Optional[List[str]]) -> None:
command = ['make', 'ARCH=' + self._linux_arch, 'O=' + build_dir, 'olddefconfig']
if self._cross_compile:
command += ['CROSS_COMPILE=' + self._cross_compile]
@@ -70,7 +71,7 @@ class LinuxSourceTreeOperations:
except subprocess.CalledProcessError as e:
raise ConfigError(e.output.decode())
- def make(self, jobs, build_dir: str, make_options) -> None:
+ def make(self, jobs: int, build_dir: str, make_options: Optional[List[str]]) -> None:
command = ['make', 'ARCH=' + self._linux_arch, 'O=' + build_dir, '--jobs=' + str(jobs)]
if make_options:
command.extend(make_options)
@@ -132,7 +133,7 @@ class LinuxSourceTreeOperationsQemu(LinuxSourceTreeOperations):
class LinuxSourceTreeOperationsUml(LinuxSourceTreeOperations):
"""An abstraction over command line operations performed on a source tree."""
- def __init__(self, cross_compile=None):
+ def __init__(self, cross_compile: Optional[str]=None):
super().__init__(linux_arch='um', cross_compile=cross_compile)
def make_arch_config(self, base_kunitconfig: kunit_config.Kconfig) -> kunit_config.Kconfig:
@@ -215,7 +216,7 @@ def _get_qemu_ops(config_path: str,
if not hasattr(config, 'QEMU_ARCH'):
raise ValueError('qemu_config module missing "QEMU_ARCH": ' + config_path)
- params: qemu_config.QemuArchParams = config.QEMU_ARCH # type: ignore
+ params: qemu_config.QemuArchParams = config.QEMU_ARCH
if extra_qemu_args:
params.extra_qemu_params.extend(extra_qemu_args)
return params.linux_arch, LinuxSourceTreeOperationsQemu(
@@ -229,10 +230,10 @@ class LinuxSourceTree:
build_dir: str,
kunitconfig_paths: Optional[List[str]]=None,
kconfig_add: Optional[List[str]]=None,
- arch=None,
- cross_compile=None,
- qemu_config_path=None,
- extra_qemu_args=None) -> None:
+ arch: Optional[str]=None,
+ cross_compile: Optional[str]=None,
+ qemu_config_path: Optional[str]=None,
+ extra_qemu_args: Optional[List[str]]=None) -> None:
signal.signal(signal.SIGINT, self.signal_handler)
if qemu_config_path:
self._arch, self._ops = _get_qemu_ops(qemu_config_path, extra_qemu_args, cross_compile)
@@ -275,7 +276,7 @@ class LinuxSourceTree:
logging.error(message)
return False
- def build_config(self, build_dir: str, make_options) -> bool:
+ def build_config(self, build_dir: str, make_options: Optional[List[str]]) -> bool:
kconfig_path = get_kconfig_path(build_dir)
if build_dir and not os.path.exists(build_dir):
os.mkdir(build_dir)
@@ -303,7 +304,7 @@ class LinuxSourceTree:
old_kconfig = kunit_config.parse_file(old_path)
return old_kconfig != self._kconfig
- def build_reconfig(self, build_dir: str, make_options) -> bool:
+ def build_reconfig(self, build_dir: str, make_options: Optional[List[str]]) -> bool:
"""Creates a new .config if it is not a subset of the .kunitconfig."""
kconfig_path = get_kconfig_path(build_dir)
if not os.path.exists(kconfig_path):
@@ -319,7 +320,7 @@ class LinuxSourceTree:
os.remove(kconfig_path)
return self.build_config(build_dir, make_options)
- def build_kernel(self, jobs, build_dir: str, make_options) -> bool:
+ def build_kernel(self, jobs: int, build_dir: str, make_options: Optional[List[str]]) -> bool:
try:
self._ops.make_olddefconfig(build_dir, make_options)
self._ops.make(jobs, build_dir, make_options)
@@ -328,7 +329,7 @@ class LinuxSourceTree:
return False
return self.validate_config(build_dir)
- def run_kernel(self, args=None, build_dir='', filter_glob='', timeout=None) -> Iterator[str]:
+ def run_kernel(self, args: Optional[List[str]]=None, build_dir: str='', filter_glob: str='', timeout: Optional[int]=None) -> Iterator[str]:
if not args:
args = []
if filter_glob:
@@ -339,7 +340,7 @@ class LinuxSourceTree:
assert process.stdout is not None # tell mypy it's set
# Enforce the timeout in a background thread.
- def _wait_proc():
+ def _wait_proc() -> None:
try:
process.wait(timeout=timeout)
except Exception as e:
@@ -365,6 +366,6 @@ class LinuxSourceTree:
waiter.join()
subprocess.call(['stty', 'sane'])
- def signal_handler(self, unused_sig, unused_frame) -> None:
+ def signal_handler(self, unused_sig: int, unused_frame: Optional[FrameType]) -> None:
logging.error('Build interruption occurred. Cleaning console.')
subprocess.call(['stty', 'sane'])
diff --git a/tools/testing/kunit/run_checks.py b/tools/testing/kunit/run_checks.py
index 066e6f938f6dc..d061cf1ca4a59 100755
--- a/tools/testing/kunit/run_checks.py
+++ b/tools/testing/kunit/run_checks.py
@@ -23,7 +23,7 @@ commands: Dict[str, Sequence[str]] = {
'kunit_tool_test.py': ['./kunit_tool_test.py'],
'kunit smoke test': ['./kunit.py', 'run', '--kunitconfig=lib/kunit', '--build_dir=kunit_run_checks'],
'pytype': ['/bin/sh', '-c', 'pytype *.py'],
- 'mypy': ['/bin/sh', '-c', 'mypy *.py'],
+ 'mypy': ['mypy', '--strict', '--exclude', '_test.py$', '--exclude', 'qemu_configs/', '.'],
}
# The user might not have mypy or pytype installed, skip them if so.
@@ -73,7 +73,7 @@ def main(argv: Sequence[str]) -> None:
sys.exit(1)
-def run_cmd(argv: Sequence[str]):
+def run_cmd(argv: Sequence[str]) -> None:
subprocess.check_output(argv, stderr=subprocess.STDOUT, cwd=ABS_TOOL_PATH, timeout=TIMEOUT)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 102/460] usb: xhci: Prevent interrupt storm on host controller error (HCE)
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 101/460] usb: xhci: Fix memory leak in xhci_disable_slot() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 103/460] usb: yurex: fix race in probe Greg Kroah-Hartman
` (200 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dayu Jiang, Mathias Nyman
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dayu Jiang <jiangdayu@xiaomi.com>
commit d6d5febd12452b7fd951fdd15c3ec262f01901a4 upstream.
The xHCI controller reports a Host Controller Error (HCE) in UAS Storage
Device plug/unplug scenarios on Android devices. HCE is checked in
xhci_irq() function and causes an interrupt storm (since the interrupt
isn’t cleared), leading to severe system-level faults.
When the xHC controller reports HCE in the interrupt handler, the driver
only logs a warning and assumes xHC activity will stop as stated in xHCI
specification. An interrupt storm does however continue on some hosts
even after HCE, and only ceases after manually disabling xHC interrupt
and stopping the controller by calling xhci_halt().
Add xhci_halt() to xhci_irq() function where STS_HCE status is checked,
mirroring the existing error handling pattern used for STS_FATAL errors.
This only fixes the interrupt storm. Proper HCE recovery requires resetting
and re-initializing the xHC.
CC: stable@vger.kernel.org
Signed-off-by: Dayu Jiang <jiangdayu@xiaomi.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20260304223639.3882398-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-ring.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -3200,6 +3200,7 @@ irqreturn_t xhci_irq(struct usb_hcd *hcd
if (status & STS_HCE) {
xhci_warn(xhci, "WARNING: Host Controller Error\n");
+ xhci_halt(xhci);
goto out;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 178/567] xdp: use modulo operation to calculate XDP frag tailroom
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 177/567] net/sched: act_ife: Fix metalist update behavior Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 179/567] xsk: introduce helper to determine rxq->frag_size Greg Kroah-Hartman
` (199 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Aleksandr Loktionov,
Larysa Zaremba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Larysa Zaremba <larysa.zaremba@intel.com>
[ Upstream commit 88b6b7f7b216108a09887b074395fa7b751880b1 ]
The current formula for calculating XDP tailroom in mbuf packets works only
if each frag has its own page (if rxq->frag_size is PAGE_SIZE), this
defeats the purpose of the parameter overall and without any indication
leads to negative calculated tailroom on at least half of frags, if shared
pages are used.
There are not many drivers that set rxq->frag_size. Among them:
* i40e and enetc always split page uniformly between frags, use shared
pages
* ice uses page_pool frags via libeth, those are power-of-2 and uniformly
distributed across page
* idpf has variable frag_size with XDP on, so current API is not applicable
* mlx5, mtk and mvneta use PAGE_SIZE or 0 as frag_size for page_pool
As for AF_XDP ZC, only ice, i40e and idpf declare frag_size for it. Modulo
operation yields good results for aligned chunks, they are all power-of-2,
between 2K and PAGE_SIZE. Formula without modulo fails when chunk_size is
2K. Buffers in unaligned mode are not distributed uniformly, so modulo
operation would not work.
To accommodate unaligned buffers, we could define frag_size as
data + tailroom, and hence do not subtract offset when calculating
tailroom, but this would necessitate more changes in the drivers.
Define rxq->frag_size as an even portion of a page that fully belongs to a
single frag. When calculating tailroom, locate the data start within such
portion by performing a modulo operation on page offset.
Fixes: bf25146a5595 ("bpf: add frags support to the bpf_xdp_adjust_tail() API")
Acked-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Larysa Zaremba <larysa.zaremba@intel.com>
Link: https://patch.msgid.link/20260305111253.2317394-2-larysa.zaremba@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index e5dc1f699297b..58109f6201b76 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4137,7 +4137,8 @@ static int bpf_xdp_frags_increase_tail(struct xdp_buff *xdp, int offset)
if (!rxq->frag_size || rxq->frag_size > xdp->frame_sz)
return -EOPNOTSUPP;
- tailroom = rxq->frag_size - skb_frag_size(frag) - skb_frag_off(frag);
+ tailroom = rxq->frag_size - skb_frag_size(frag) -
+ skb_frag_off(frag) % rxq->frag_size;
if (unlikely(offset > tailroom))
return -EINVAL;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 116/481] kunit: tool: Add command line interface to filter and report attributes
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 115/481] kunit: tool: fix pre-existing `mypy --strict` errors and update run_checks.py Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 117/481] kunit: tool: copy caller args in run_kernel to prevent mutation Greg Kroah-Hartman
` (199 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Gow, Rae Moar, Shuah Khan,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rae Moar <rmoar@google.com>
[ Upstream commit 723c8258c8fe167191b53e274dea435c4522e4d7 ]
Add ability to kunit.py to filter attributes and report a list of tests
including attributes without running tests.
Add flag "--filter" to input filters on test attributes. Tests will be
filtered out if they do not match all inputted filters.
Example: --filter speed=slow (This filter would run only the tests that are
marked as slow)
Filters have operations: <, >, <=, >=, !=, and =. But note that the
characters < and > are often interpreted by the shell, so they may need to
be quoted or escaped.
Example: --filter "speed>slow" or --filter speed\>slow (This filter would
run only the tests that have the speed faster than slow.
Additionally, multiple filters can be used.
Example: --filter "speed=slow, module!=example" (This filter would run
only the tests that have the speed slow and are not in the "example"
module)
Note if the user wants to skip filtered tests instead of not
running/showing them use the "--filter_action=skip" flag instead.
Expose the output of kunit.action=list option with flag "--list_tests" to
output a list of tests. Additionally, add flag "--list_tests_attr" to
output a list of tests and their attributes. These flags are useful to see
tests and test attributes without needing to run tests.
Example of the output of "--list_tests_attr":
example
example.test_1
example.test_2
# example.test_2.speed: slow
This output includes a suite, example, with two test cases, test_1 and
test_2. And in this instance test_2 has been marked as slow.
Reviewed-by: David Gow <davidgow@google.com>
Signed-off-by: Rae Moar <rmoar@google.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Stable-dep-of: 40804c4974b8 ("kunit: tool: copy caller args in run_kernel to prevent mutation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/kunit/kunit.py | 70 ++++++++++++++++++++++++--
tools/testing/kunit/kunit_kernel.py | 8 ++-
tools/testing/kunit/kunit_parser.py | 11 +++-
tools/testing/kunit/kunit_tool_test.py | 39 +++++++-------
4 files changed, 99 insertions(+), 29 deletions(-)
diff --git a/tools/testing/kunit/kunit.py b/tools/testing/kunit/kunit.py
index 1ed7f0f86dee3..23f84f405b4a0 100755
--- a/tools/testing/kunit/kunit.py
+++ b/tools/testing/kunit/kunit.py
@@ -55,8 +55,12 @@ class KunitExecRequest(KunitParseRequest):
build_dir: str
timeout: int
filter_glob: str
+ filter: str
+ filter_action: Optional[str]
kernel_args: Optional[List[str]]
run_isolated: Optional[str]
+ list_tests: bool
+ list_tests_attr: bool
@dataclass
class KunitRequest(KunitExecRequest, KunitBuildRequest):
@@ -111,19 +115,41 @@ def config_and_build_tests(linux: kunit_kernel.LinuxSourceTree,
def _list_tests(linux: kunit_kernel.LinuxSourceTree, request: KunitExecRequest) -> List[str]:
args = ['kunit.action=list']
+
+ if request.kernel_args:
+ args.extend(request.kernel_args)
+
+ output = linux.run_kernel(args=args,
+ timeout=request.timeout,
+ filter_glob=request.filter_glob,
+ filter=request.filter,
+ filter_action=request.filter_action,
+ build_dir=request.build_dir)
+ lines = kunit_parser.extract_tap_lines(output)
+ # Hack! Drop the dummy TAP version header that the executor prints out.
+ lines.pop()
+
+ # Filter out any extraneous non-test output that might have gotten mixed in.
+ return [l for l in output if re.match(r'^[^\s.]+\.[^\s.]+$', l)]
+
+def _list_tests_attr(linux: kunit_kernel.LinuxSourceTree, request: KunitExecRequest) -> Iterable[str]:
+ args = ['kunit.action=list_attr']
+
if request.kernel_args:
args.extend(request.kernel_args)
output = linux.run_kernel(args=args,
timeout=request.timeout,
filter_glob=request.filter_glob,
+ filter=request.filter,
+ filter_action=request.filter_action,
build_dir=request.build_dir)
lines = kunit_parser.extract_tap_lines(output)
# Hack! Drop the dummy TAP version header that the executor prints out.
lines.pop()
# Filter out any extraneous non-test output that might have gotten mixed in.
- return [l for l in lines if re.match(r'^[^\s.]+\.[^\s.]+$', l)]
+ return lines
def _suites_from_test_list(tests: List[str]) -> List[str]:
"""Extracts all the suites from an ordered list of tests."""
@@ -137,10 +163,18 @@ def _suites_from_test_list(tests: List[str]) -> List[str]:
suites.append(suite)
return suites
-
-
def exec_tests(linux: kunit_kernel.LinuxSourceTree, request: KunitExecRequest) -> KunitResult:
filter_globs = [request.filter_glob]
+ if request.list_tests:
+ output = _list_tests(linux, request)
+ for line in output:
+ print(line.rstrip())
+ return KunitResult(status=KunitStatus.SUCCESS, elapsed_time=0.0)
+ if request.list_tests_attr:
+ attr_output = _list_tests_attr(linux, request)
+ for line in attr_output:
+ print(line.rstrip())
+ return KunitResult(status=KunitStatus.SUCCESS, elapsed_time=0.0)
if request.run_isolated:
tests = _list_tests(linux, request)
if request.run_isolated == 'test':
@@ -164,6 +198,8 @@ def exec_tests(linux: kunit_kernel.LinuxSourceTree, request: KunitExecRequest) -
args=request.kernel_args,
timeout=request.timeout,
filter_glob=filter_glob,
+ filter=request.filter,
+ filter_action=request.filter_action,
build_dir=request.build_dir)
_, test_result = parse_tests(request, metadata, run_result)
@@ -350,6 +386,16 @@ def add_exec_opts(parser: argparse.ArgumentParser) -> None:
nargs='?',
default='',
metavar='filter_glob')
+ parser.add_argument('--filter',
+ help='Filter KUnit tests with attributes, '
+ 'e.g. module=example or speed>slow',
+ type=str,
+ default='')
+ parser.add_argument('--filter_action',
+ help='If set to skip, filtered tests will be skipped, '
+ 'e.g. --filter_action=skip. Otherwise they will not run.',
+ type=str,
+ choices=['skip'])
parser.add_argument('--kernel_args',
help='Kernel command-line parameters. Maybe be repeated',
action='append', metavar='')
@@ -359,6 +405,12 @@ def add_exec_opts(parser: argparse.ArgumentParser) -> None:
'what ran before it.',
type=str,
choices=['suite', 'test'])
+ parser.add_argument('--list_tests', help='If set, list all tests that will be '
+ 'run.',
+ action='store_true')
+ parser.add_argument('--list_tests_attr', help='If set, list all tests and test '
+ 'attributes.',
+ action='store_true')
def add_parse_opts(parser: argparse.ArgumentParser) -> None:
parser.add_argument('--raw_output', help='If set don\'t parse output from kernel. '
@@ -407,8 +459,12 @@ def run_handler(cli_args: argparse.Namespace) -> None:
json=cli_args.json,
timeout=cli_args.timeout,
filter_glob=cli_args.filter_glob,
+ filter=cli_args.filter,
+ filter_action=cli_args.filter_action,
kernel_args=cli_args.kernel_args,
- run_isolated=cli_args.run_isolated)
+ run_isolated=cli_args.run_isolated,
+ list_tests=cli_args.list_tests,
+ list_tests_attr=cli_args.list_tests_attr)
result = run_tests(linux, request)
if result.status != KunitStatus.SUCCESS:
sys.exit(1)
@@ -450,8 +506,12 @@ def exec_handler(cli_args: argparse.Namespace) -> None:
json=cli_args.json,
timeout=cli_args.timeout,
filter_glob=cli_args.filter_glob,
+ filter=cli_args.filter,
+ filter_action=cli_args.filter_action,
kernel_args=cli_args.kernel_args,
- run_isolated=cli_args.run_isolated)
+ run_isolated=cli_args.run_isolated,
+ list_tests=cli_args.list_tests,
+ list_tests_attr=cli_args.list_tests_attr)
result = exec_tests(linux, exec_request)
stdout.print_with_timestamp((
'Elapsed time: %.3fs\n') % (result.elapsed_time))
diff --git a/tools/testing/kunit/kunit_kernel.py b/tools/testing/kunit/kunit_kernel.py
index faf90dcfed32d..86accd53644c1 100644
--- a/tools/testing/kunit/kunit_kernel.py
+++ b/tools/testing/kunit/kunit_kernel.py
@@ -329,11 +329,15 @@ class LinuxSourceTree:
return False
return self.validate_config(build_dir)
- def run_kernel(self, args: Optional[List[str]]=None, build_dir: str='', filter_glob: str='', timeout: Optional[int]=None) -> Iterator[str]:
+ def run_kernel(self, args: Optional[List[str]]=None, build_dir: str='', filter_glob: str='', filter: str='', filter_action: Optional[str]=None, timeout: Optional[int]=None) -> Iterator[str]:
if not args:
args = []
if filter_glob:
- args.append('kunit.filter_glob='+filter_glob)
+ args.append('kunit.filter_glob=' + filter_glob)
+ if filter:
+ args.append('kunit.filter="' + filter + '"')
+ if filter_action:
+ args.append('kunit.filter_action=' + filter_action)
args.append('kunit.enable=1')
process = self._ops.start(args, build_dir)
diff --git a/tools/testing/kunit/kunit_parser.py b/tools/testing/kunit/kunit_parser.py
index d5abd0567c8e0..ca9921ea328a4 100644
--- a/tools/testing/kunit/kunit_parser.py
+++ b/tools/testing/kunit/kunit_parser.py
@@ -221,6 +221,7 @@ KTAP_START = re.compile(r'\s*KTAP version ([0-9]+)$')
TAP_START = re.compile(r'\s*TAP version ([0-9]+)$')
KTAP_END = re.compile(r'\s*(List of all partitions:|'
'Kernel panic - not syncing: VFS:|reboot: System halted)')
+EXECUTOR_ERROR = re.compile(r'\s*kunit executor: (.*)$')
def extract_tap_lines(kernel_output: Iterable[str]) -> LineStream:
"""Extracts KTAP lines from the kernel output."""
@@ -251,6 +252,8 @@ def extract_tap_lines(kernel_output: Iterable[str]) -> LineStream:
# remove the prefix, if any.
line = line[prefix_len:]
yield line_num, line
+ elif EXECUTOR_ERROR.search(line):
+ yield line_num, line
return LineStream(lines=isolate_ktap_output(kernel_output))
KTAP_VERSIONS = [1]
@@ -456,7 +459,7 @@ def parse_diagnostic(lines: LineStream) -> List[str]:
Log of diagnostic lines
"""
log = [] # type: List[str]
- non_diagnostic_lines = [TEST_RESULT, TEST_HEADER, KTAP_START]
+ non_diagnostic_lines = [TEST_RESULT, TEST_HEADER, KTAP_START, TAP_START]
while lines and not any(re.match(lines.peek())
for re in non_diagnostic_lines):
log.append(lines.pop())
@@ -722,6 +725,11 @@ def parse_test(lines: LineStream, expected_num: int, log: List[str], is_subtest:
"""
test = Test()
test.log.extend(log)
+
+ # Parse any errors prior to parsing tests
+ err_log = parse_diagnostic(lines)
+ test.log.extend(err_log)
+
if not is_subtest:
# If parsing the main/top-level test, parse KTAP version line and
# test plan
@@ -783,6 +791,7 @@ def parse_test(lines: LineStream, expected_num: int, log: List[str], is_subtest:
# Don't override a bad status if this test had one reported.
# Assumption: no subtests means CRASHED is from Test.__init__()
if test.status in (TestStatus.TEST_CRASHED, TestStatus.SUCCESS):
+ print_log(test.log)
test.status = TestStatus.NO_TESTS
test.add_error('0 tests run!')
diff --git a/tools/testing/kunit/kunit_tool_test.py b/tools/testing/kunit/kunit_tool_test.py
index 9ba0ff95fad5c..04714f59fced6 100755
--- a/tools/testing/kunit/kunit_tool_test.py
+++ b/tools/testing/kunit/kunit_tool_test.py
@@ -612,7 +612,7 @@ class KUnitMainTest(unittest.TestCase):
self.assertEqual(self.linux_source_mock.build_reconfig.call_count, 0)
self.assertEqual(self.linux_source_mock.run_kernel.call_count, 1)
self.linux_source_mock.run_kernel.assert_called_once_with(
- args=None, build_dir='.kunit', filter_glob='', timeout=300)
+ args=None, build_dir='.kunit', filter_glob='', filter='', filter_action=None, timeout=300)
self.print_mock.assert_any_call(StrContains('Testing complete.'))
def test_run_passes_args_pass(self):
@@ -620,7 +620,7 @@ class KUnitMainTest(unittest.TestCase):
self.assertEqual(self.linux_source_mock.build_reconfig.call_count, 1)
self.assertEqual(self.linux_source_mock.run_kernel.call_count, 1)
self.linux_source_mock.run_kernel.assert_called_once_with(
- args=None, build_dir='.kunit', filter_glob='', timeout=300)
+ args=None, build_dir='.kunit', filter_glob='', filter='', filter_action=None, timeout=300)
self.print_mock.assert_any_call(StrContains('Testing complete.'))
def test_exec_passes_args_fail(self):
@@ -644,7 +644,7 @@ class KUnitMainTest(unittest.TestCase):
kunit.main(['run'])
self.assertEqual(e.exception.code, 1)
self.linux_source_mock.run_kernel.assert_called_once_with(
- args=None, build_dir='.kunit', filter_glob='', timeout=300)
+ args=None, build_dir='.kunit', filter_glob='', filter='', filter_action=None, timeout=300)
self.print_mock.assert_any_call(StrContains(' 0 tests run!'))
def test_exec_raw_output(self):
@@ -685,13 +685,13 @@ class KUnitMainTest(unittest.TestCase):
self.linux_source_mock.run_kernel = mock.Mock(return_value=[])
kunit.main(['run', '--raw_output', 'filter_glob'])
self.linux_source_mock.run_kernel.assert_called_once_with(
- args=None, build_dir='.kunit', filter_glob='filter_glob', timeout=300)
+ args=None, build_dir='.kunit', filter_glob='filter_glob', filter='', filter_action=None, timeout=300)
def test_exec_timeout(self):
timeout = 3453
kunit.main(['exec', '--timeout', str(timeout)])
self.linux_source_mock.run_kernel.assert_called_once_with(
- args=None, build_dir='.kunit', filter_glob='', timeout=timeout)
+ args=None, build_dir='.kunit', filter_glob='', filter='', filter_action=None, timeout=timeout)
self.print_mock.assert_any_call(StrContains('Testing complete.'))
def test_run_timeout(self):
@@ -699,7 +699,7 @@ class KUnitMainTest(unittest.TestCase):
kunit.main(['run', '--timeout', str(timeout)])
self.assertEqual(self.linux_source_mock.build_reconfig.call_count, 1)
self.linux_source_mock.run_kernel.assert_called_once_with(
- args=None, build_dir='.kunit', filter_glob='', timeout=timeout)
+ args=None, build_dir='.kunit', filter_glob='', filter='', filter_action=None, timeout=timeout)
self.print_mock.assert_any_call(StrContains('Testing complete.'))
def test_run_builddir(self):
@@ -707,7 +707,7 @@ class KUnitMainTest(unittest.TestCase):
kunit.main(['run', '--build_dir=.kunit'])
self.assertEqual(self.linux_source_mock.build_reconfig.call_count, 1)
self.linux_source_mock.run_kernel.assert_called_once_with(
- args=None, build_dir=build_dir, filter_glob='', timeout=300)
+ args=None, build_dir=build_dir, filter_glob='', filter='', filter_action=None, timeout=300)
self.print_mock.assert_any_call(StrContains('Testing complete.'))
def test_config_builddir(self):
@@ -725,7 +725,7 @@ class KUnitMainTest(unittest.TestCase):
build_dir = '.kunit'
kunit.main(['exec', '--build_dir', build_dir])
self.linux_source_mock.run_kernel.assert_called_once_with(
- args=None, build_dir=build_dir, filter_glob='', timeout=300)
+ args=None, build_dir=build_dir, filter_glob='', filter='', filter_action=None, timeout=300)
self.print_mock.assert_any_call(StrContains('Testing complete.'))
def test_run_kunitconfig(self):
@@ -801,7 +801,7 @@ class KUnitMainTest(unittest.TestCase):
kunit.main(['run', '--kernel_args=a=1', '--kernel_args=b=2'])
self.assertEqual(self.linux_source_mock.build_reconfig.call_count, 1)
self.linux_source_mock.run_kernel.assert_called_once_with(
- args=['a=1','b=2'], build_dir='.kunit', filter_glob='', timeout=300)
+ args=['a=1','b=2'], build_dir='.kunit', filter_glob='', filter='', filter_action=None, timeout=300)
self.print_mock.assert_any_call(StrContains('Testing complete.'))
def test_list_tests(self):
@@ -809,13 +809,11 @@ class KUnitMainTest(unittest.TestCase):
self.linux_source_mock.run_kernel.return_value = ['TAP version 14', 'init: random output'] + want
got = kunit._list_tests(self.linux_source_mock,
- kunit.KunitExecRequest(None, None, '.kunit', 300, 'suite*', None, 'suite'))
-
+ kunit.KunitExecRequest(None, None, '.kunit', 300, 'suite*', '', None, None, 'suite', False, False))
self.assertEqual(got, want)
# Should respect the user's filter glob when listing tests.
self.linux_source_mock.run_kernel.assert_called_once_with(
- args=['kunit.action=list'], build_dir='.kunit', filter_glob='suite*', timeout=300)
-
+ args=['kunit.action=list'], build_dir='.kunit', filter_glob='suite*', filter='', filter_action=None, timeout=300)
@mock.patch.object(kunit, '_list_tests')
def test_run_isolated_by_suite(self, mock_tests):
@@ -824,10 +822,10 @@ class KUnitMainTest(unittest.TestCase):
# Should respect the user's filter glob when listing tests.
mock_tests.assert_called_once_with(mock.ANY,
- kunit.KunitExecRequest(None, None, '.kunit', 300, 'suite*.test*', None, 'suite'))
+ kunit.KunitExecRequest(None, None, '.kunit', 300, 'suite*.test*', '', None, None, 'suite', False, False))
self.linux_source_mock.run_kernel.assert_has_calls([
- mock.call(args=None, build_dir='.kunit', filter_glob='suite.test*', timeout=300),
- mock.call(args=None, build_dir='.kunit', filter_glob='suite2.test*', timeout=300),
+ mock.call(args=None, build_dir='.kunit', filter_glob='suite.test*', filter='', filter_action=None, timeout=300),
+ mock.call(args=None, build_dir='.kunit', filter_glob='suite2.test*', filter='', filter_action=None, timeout=300),
])
@mock.patch.object(kunit, '_list_tests')
@@ -837,13 +835,12 @@ class KUnitMainTest(unittest.TestCase):
# Should respect the user's filter glob when listing tests.
mock_tests.assert_called_once_with(mock.ANY,
- kunit.KunitExecRequest(None, None, '.kunit', 300, 'suite*', None, 'test'))
+ kunit.KunitExecRequest(None, None, '.kunit', 300, 'suite*', '', None, None, 'test', False, False))
self.linux_source_mock.run_kernel.assert_has_calls([
- mock.call(args=None, build_dir='.kunit', filter_glob='suite.test1', timeout=300),
- mock.call(args=None, build_dir='.kunit', filter_glob='suite.test2', timeout=300),
- mock.call(args=None, build_dir='.kunit', filter_glob='suite2.test1', timeout=300),
+ mock.call(args=None, build_dir='.kunit', filter_glob='suite.test1', filter='', filter_action=None, timeout=300),
+ mock.call(args=None, build_dir='.kunit', filter_glob='suite.test2', filter='', filter_action=None, timeout=300),
+ mock.call(args=None, build_dir='.kunit', filter_glob='suite2.test1', filter='', filter_action=None, timeout=300),
])
-
if __name__ == '__main__':
unittest.main()
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 103/460] usb: yurex: fix race in probe
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 102/460] usb: xhci: Prevent interrupt storm on host controller error (HCE) Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 104/460] usb: dwc3: pci: add support for the Intel Nova Lake -H Greg Kroah-Hartman
` (199 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Oliver Neukum
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 7a875c09899ba0404844abfd8f0d54cdc481c151 upstream.
The bbu member of the descriptor must be set to the value
standing for uninitialized values before the URB whose
completion handler sets bbu is submitted. Otherwise there is
a window during which probing can overwrite already retrieved
data.
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20260209143720.1507500-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/yurex.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -272,6 +272,7 @@ static int yurex_probe(struct usb_interf
dev->int_buffer, YUREX_BUF_SIZE, yurex_interrupt,
dev, 1);
dev->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+ dev->bbu = -1;
if (usb_submit_urb(dev->urb, GFP_KERNEL)) {
retval = -EIO;
dev_err(&interface->dev, "Could not submitting URB\n");
@@ -280,7 +281,6 @@ static int yurex_probe(struct usb_interf
/* save our data pointer in this interface device */
usb_set_intfdata(interface, dev);
- dev->bbu = -1;
/* we can register the device now, as it is ready */
retval = usb_register_dev(interface, &yurex_class);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 179/567] xsk: introduce helper to determine rxq->frag_size
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 178/567] xdp: use modulo operation to calculate XDP frag tailroom Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 180/567] i40e: fix registering XDP RxQ info Greg Kroah-Hartman
` (198 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov, Larysa Zaremba,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Larysa Zaremba <larysa.zaremba@intel.com>
[ Upstream commit 16394d80539937d348dd3b9ea32415c54e67a81b ]
rxq->frag_size is basically a step between consecutive strictly aligned
frames. In ZC mode, chunk size fits exactly, but if chunks are unaligned,
there is no safe way to determine accessible space to grow tailroom.
Report frag_size to be zero, if chunks are unaligned, chunk_size otherwise.
Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Larysa Zaremba <larysa.zaremba@intel.com>
Link: https://patch.msgid.link/20260305111253.2317394-3-larysa.zaremba@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/xdp_sock_drv.h | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/include/net/xdp_sock_drv.h b/include/net/xdp_sock_drv.h
index 91339ffd2f2a8..7dc08a4646242 100644
--- a/include/net/xdp_sock_drv.h
+++ b/include/net/xdp_sock_drv.h
@@ -41,6 +41,11 @@ static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool)
return xsk_pool_get_chunk_size(pool) - xsk_pool_get_headroom(pool);
}
+static inline u32 xsk_pool_get_rx_frag_step(struct xsk_buff_pool *pool)
+{
+ return pool->unaligned ? 0 : xsk_pool_get_chunk_size(pool);
+}
+
static inline void xsk_pool_set_rxq_info(struct xsk_buff_pool *pool,
struct xdp_rxq_info *rxq)
{
@@ -263,6 +268,11 @@ static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool)
return 0;
}
+static inline u32 xsk_pool_get_rx_frag_step(struct xsk_buff_pool *pool)
+{
+ return 0;
+}
+
static inline void xsk_pool_set_rxq_info(struct xsk_buff_pool *pool,
struct xdp_rxq_info *rxq)
{
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 117/481] kunit: tool: copy caller args in run_kernel to prevent mutation
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 116/481] kunit: tool: Add command line interface to filter and report attributes Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 118/481] net: dsa: realtek: rtl8365mb: fix rtl8365mb_phy_ocp_write return value Greg Kroah-Hartman
` (198 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuvam Pandey, David Gow, Shuah Khan,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuvam Pandey <shuvampandey1@gmail.com>
[ Upstream commit 40804c4974b8df2adab72f6475d343eaff72b7f6 ]
run_kernel() appended KUnit flags directly to the caller-provided args
list. When exec_tests() calls run_kernel() repeatedly (e.g. with
--run_isolated), each call mutated the same list, causing later runs
to inherit stale filter_glob values and duplicate kunit.enable flags.
Fix this by copying args at the start of run_kernel(). Add a regression
test that calls run_kernel() twice with the same list and verifies the
original remains unchanged.
Fixes: ff9e09a3762f ("kunit: tool: support running each suite/test separately")
Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com>
Reviewed-by: David Gow <david@davidgow.net>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/kunit/kunit_kernel.py | 6 ++++--
tools/testing/kunit/kunit_tool_test.py | 26 ++++++++++++++++++++++++++
2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/tools/testing/kunit/kunit_kernel.py b/tools/testing/kunit/kunit_kernel.py
index 86accd53644c1..2343f9a77a65a 100644
--- a/tools/testing/kunit/kunit_kernel.py
+++ b/tools/testing/kunit/kunit_kernel.py
@@ -330,8 +330,10 @@ class LinuxSourceTree:
return self.validate_config(build_dir)
def run_kernel(self, args: Optional[List[str]]=None, build_dir: str='', filter_glob: str='', filter: str='', filter_action: Optional[str]=None, timeout: Optional[int]=None) -> Iterator[str]:
- if not args:
- args = []
+ # Copy to avoid mutating the caller-supplied list. exec_tests() reuses
+ # the same args across repeated run_kernel() calls (e.g. --run_isolated),
+ # so appending to the original would accumulate stale flags on each call.
+ args = list(args) if args else []
if filter_glob:
args.append('kunit.filter_glob=' + filter_glob)
if filter:
diff --git a/tools/testing/kunit/kunit_tool_test.py b/tools/testing/kunit/kunit_tool_test.py
index 04714f59fced6..29063d9ae2851 100755
--- a/tools/testing/kunit/kunit_tool_test.py
+++ b/tools/testing/kunit/kunit_tool_test.py
@@ -479,6 +479,32 @@ class LinuxSourceTreeTest(unittest.TestCase):
with open(kunit_kernel.get_outfile_path(build_dir), 'rt') as outfile:
self.assertEqual(outfile.read(), 'hi\nbye\n', msg='Missing some output')
+ def test_run_kernel_args_not_mutated(self):
+ """Verify run_kernel() copies args so callers can reuse them."""
+ start_calls = []
+
+ def fake_start(start_args, unused_build_dir):
+ start_calls.append(list(start_args))
+ return subprocess.Popen(['printf', 'KTAP version 1\n'],
+ text=True, stdout=subprocess.PIPE)
+
+ with tempfile.TemporaryDirectory('') as build_dir:
+ tree = kunit_kernel.LinuxSourceTree(build_dir,
+ kunitconfig_paths=[os.devnull])
+ with mock.patch.object(tree._ops, 'start', side_effect=fake_start), \
+ mock.patch.object(kunit_kernel.subprocess, 'call'):
+ kernel_args = ['mem=1G']
+ for _ in tree.run_kernel(args=kernel_args, build_dir=build_dir,
+ filter_glob='suite.test1'):
+ pass
+ for _ in tree.run_kernel(args=kernel_args, build_dir=build_dir,
+ filter_glob='suite.test2'):
+ pass
+ self.assertEqual(kernel_args, ['mem=1G'],
+ 'run_kernel() should not modify caller args')
+ self.assertIn('kunit.filter_glob=suite.test1', start_calls[0])
+ self.assertIn('kunit.filter_glob=suite.test2', start_calls[1])
+
def test_build_reconfig_no_config(self):
with tempfile.TemporaryDirectory('') as build_dir:
with open(kunit_kernel.get_kunitconfig_path(build_dir), 'w') as f:
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 104/460] usb: dwc3: pci: add support for the Intel Nova Lake -H
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 103/460] usb: yurex: fix race in probe Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 105/460] usb: misc: uss720: properly clean up reference in uss720_probe() Greg Kroah-Hartman
` (198 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, stable,
Thinh Nguyen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
commit 17ab4d4078e22be7fd8fd6fc710c15c085a4cb1b upstream.
This patch adds the necessary PCI ID for Intel Nova Lake -H
devices.
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: stable <stable@kernel.org>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20260309130204.208661-1-heikki.krogerus@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-pci.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/dwc3/dwc3-pci.c
+++ b/drivers/usb/dwc3/dwc3-pci.c
@@ -56,6 +56,7 @@
#define PCI_DEVICE_ID_INTEL_CNPH 0xa36e
#define PCI_DEVICE_ID_INTEL_CNPV 0xa3b0
#define PCI_DEVICE_ID_INTEL_RPL 0xa70e
+#define PCI_DEVICE_ID_INTEL_NVLH 0xd37f
#define PCI_DEVICE_ID_INTEL_PTLH 0xe332
#define PCI_DEVICE_ID_INTEL_PTLH_PCH 0xe37e
#define PCI_DEVICE_ID_INTEL_PTLU 0xe432
@@ -448,6 +449,7 @@ static const struct pci_device_id dwc3_p
{ PCI_DEVICE_DATA(INTEL, CNPH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, CNPV, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, RPL, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, NVLH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, PTLH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, PTLH_PCH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, PTLU, &dwc3_pci_intel_swnode) },
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 180/567] i40e: fix registering XDP RxQ info
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 179/567] xsk: introduce helper to determine rxq->frag_size Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 181/567] i40e: use xdp.frame_sz as XDP RxQ info frag_size Greg Kroah-Hartman
` (197 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov, Larysa Zaremba,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Larysa Zaremba <larysa.zaremba@intel.com>
[ Upstream commit 8f497dc8a61429cc004720aa8e713743355d80cf ]
Current way of handling XDP RxQ info in i40e has a problem, where frag_size
is not updated when xsk_buff_pool is detached or when MTU is changed, this
leads to growing tail always failing for multi-buffer packets.
Couple XDP RxQ info registering with buffer allocations and unregistering
with cleaning the ring.
Fixes: a045d2f2d03d ("i40e: set xdp_rxq_info::frag_size")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Larysa Zaremba <larysa.zaremba@intel.com>
Link: https://patch.msgid.link/20260305111253.2317394-6-larysa.zaremba@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 34 ++++++++++++---------
drivers/net/ethernet/intel/i40e/i40e_txrx.c | 5 +--
2 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index 1f233fac9d4e3..ca35979482c67 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -3637,18 +3637,8 @@ static int i40e_configure_rx_ring(struct i40e_ring *ring)
if (ring->vsi->type != I40E_VSI_MAIN)
goto skip;
- if (!xdp_rxq_info_is_reg(&ring->xdp_rxq)) {
- err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev,
- ring->queue_index,
- ring->q_vector->napi.napi_id,
- ring->rx_buf_len);
- if (err)
- return err;
- }
-
ring->xsk_pool = i40e_xsk_pool(ring);
if (ring->xsk_pool) {
- xdp_rxq_info_unreg(&ring->xdp_rxq);
ring->rx_buf_len = xsk_pool_get_rx_frame_size(ring->xsk_pool);
err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev,
ring->queue_index,
@@ -3660,17 +3650,23 @@ static int i40e_configure_rx_ring(struct i40e_ring *ring)
MEM_TYPE_XSK_BUFF_POOL,
NULL);
if (err)
- return err;
+ goto unreg_xdp;
dev_info(&vsi->back->pdev->dev,
"Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring %d\n",
ring->queue_index);
} else {
+ err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev,
+ ring->queue_index,
+ ring->q_vector->napi.napi_id,
+ ring->rx_buf_len);
+ if (err)
+ return err;
err = xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
MEM_TYPE_PAGE_SHARED,
NULL);
if (err)
- return err;
+ goto unreg_xdp;
}
skip:
@@ -3708,7 +3704,8 @@ static int i40e_configure_rx_ring(struct i40e_ring *ring)
dev_info(&vsi->back->pdev->dev,
"Failed to clear LAN Rx queue context on Rx ring %d (pf_q %d), error: %d\n",
ring->queue_index, pf_q, err);
- return -ENOMEM;
+ err = -ENOMEM;
+ goto unreg_xdp;
}
/* set the context in the HMC */
@@ -3717,7 +3714,8 @@ static int i40e_configure_rx_ring(struct i40e_ring *ring)
dev_info(&vsi->back->pdev->dev,
"Failed to set LAN Rx queue context on Rx ring %d (pf_q %d), error: %d\n",
ring->queue_index, pf_q, err);
- return -ENOMEM;
+ err = -ENOMEM;
+ goto unreg_xdp;
}
/* configure Rx buffer alignment */
@@ -3725,7 +3723,8 @@ static int i40e_configure_rx_ring(struct i40e_ring *ring)
if (I40E_2K_TOO_SMALL_WITH_PADDING) {
dev_info(&vsi->back->pdev->dev,
"2k Rx buffer is too small to fit standard MTU and skb_shared_info\n");
- return -EOPNOTSUPP;
+ err = -EOPNOTSUPP;
+ goto unreg_xdp;
}
clear_ring_build_skb_enabled(ring);
} else {
@@ -3755,6 +3754,11 @@ static int i40e_configure_rx_ring(struct i40e_ring *ring)
}
return 0;
+unreg_xdp:
+ if (ring->vsi->type == I40E_VSI_MAIN)
+ xdp_rxq_info_unreg(&ring->xdp_rxq);
+
+ return err;
}
/**
diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
index 99604379c87b6..873fd080de939 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
@@ -1473,6 +1473,9 @@ void i40e_clean_rx_ring(struct i40e_ring *rx_ring)
if (!rx_ring->rx_bi)
return;
+ if (xdp_rxq_info_is_reg(&rx_ring->xdp_rxq))
+ xdp_rxq_info_unreg(&rx_ring->xdp_rxq);
+
if (rx_ring->xsk_pool) {
i40e_xsk_clean_rx_ring(rx_ring);
goto skip_free;
@@ -1530,8 +1533,6 @@ void i40e_clean_rx_ring(struct i40e_ring *rx_ring)
void i40e_free_rx_resources(struct i40e_ring *rx_ring)
{
i40e_clean_rx_ring(rx_ring);
- if (rx_ring->vsi->type == I40E_VSI_MAIN)
- xdp_rxq_info_unreg(&rx_ring->xdp_rxq);
rx_ring->xdp_prog = NULL;
kfree(rx_ring->rx_bi);
rx_ring->rx_bi = NULL;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 118/481] net: dsa: realtek: rtl8365mb: fix rtl8365mb_phy_ocp_write return value
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 117/481] kunit: tool: copy caller args in run_kernel to prevent mutation Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 119/481] octeon_ep: Relocate counter updates before NAPI Greg Kroah-Hartman
` (197 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mieczyslaw Nalewaj, Andrew Lunn,
Luiz Angelo Daros de Luca, Linus Walleij, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mieczyslaw Nalewaj <namiltd@yahoo.com>
[ Upstream commit 7cbe98f7bef965241a5908d50d557008cf998aee ]
Function rtl8365mb_phy_ocp_write() always returns 0, even when an error
occurs during register access. This patch fixes the return value to
propagate the actual error code from regmap operations.
Link: https://lore.kernel.org/netdev/a2dfde3c-d46f-434b-9d16-1e251e449068@yahoo.com/
Fixes: 2796728460b8 ("net: dsa: realtek: rtl8365mb: serialize indirect PHY register access")
Signed-off-by: Mieczyslaw Nalewaj <namiltd@yahoo.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20260301-realtek_namiltd_fix1-v1-1-43a6bb707f9c@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/realtek/rtl8365mb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/dsa/realtek/rtl8365mb.c b/drivers/net/dsa/realtek/rtl8365mb.c
index da31d8b839ac6..abdff73aa9c32 100644
--- a/drivers/net/dsa/realtek/rtl8365mb.c
+++ b/drivers/net/dsa/realtek/rtl8365mb.c
@@ -764,7 +764,7 @@ static int rtl8365mb_phy_ocp_write(struct realtek_priv *priv, int phy,
out:
mutex_unlock(&priv->map_lock);
- return 0;
+ return ret;
}
static int rtl8365mb_phy_read(struct realtek_priv *priv, int phy, int regnum)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 105/460] usb: misc: uss720: properly clean up reference in uss720_probe()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 104/460] usb: dwc3: pci: add support for the Intel Nova Lake -H Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 106/460] usb: core: dont power off roothub PHYs if phy_set_mode() fails Greg Kroah-Hartman
` (197 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 45dba8011efac11a2f360383221b541f5ea53ce5 upstream.
If get_1284_register() fails, the usb device reference count is
incorrect and needs to be properly dropped before returning. That will
happen when the kref is dropped in the call to destroy_priv(), so jump
to that error path instead of returning directly.
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Link: https://patch.msgid.link/2026022342-smokiness-stove-d792@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/uss720.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/misc/uss720.c
+++ b/drivers/usb/misc/uss720.c
@@ -736,7 +736,7 @@ static int uss720_probe(struct usb_inter
ret = get_1284_register(pp, 0, ®, GFP_KERNEL);
dev_dbg(&intf->dev, "reg: %7ph\n", priv->reg);
if (ret < 0)
- return ret;
+ goto probe_abort;
ret = usb_find_last_int_in_endpoint(interface, &epd);
if (!ret) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 181/567] i40e: use xdp.frame_sz as XDP RxQ info frag_size
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 180/567] i40e: fix registering XDP RxQ info Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 182/567] xdp: produce a warning when calculated tailroom is negative Greg Kroah-Hartman
` (196 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov, Larysa Zaremba,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Larysa Zaremba <larysa.zaremba@intel.com>
[ Upstream commit c69d22c6c46a1d792ba8af3d8d6356fdc0e6f538 ]
The only user of frag_size field in XDP RxQ info is
bpf_xdp_frags_increase_tail(). It clearly expects whole buffer size instead
of DMA write size. Different assumptions in i40e driver configuration lead
to negative tailroom.
Set frag_size to the same value as frame_sz in shared pages mode, use new
helper to set frag_size when AF_XDP ZC is active.
Fixes: a045d2f2d03d ("i40e: set xdp_rxq_info::frag_size")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Larysa Zaremba <larysa.zaremba@intel.com>
Link: https://patch.msgid.link/20260305111253.2317394-7-larysa.zaremba@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index ca35979482c67..9bcd32d31da77 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -3623,6 +3623,7 @@ static int i40e_configure_rx_ring(struct i40e_ring *ring)
u16 pf_q = vsi->base_queue + ring->queue_index;
struct i40e_hw *hw = &vsi->back->hw;
struct i40e_hmc_obj_rxq rx_ctx;
+ u32 xdp_frame_sz;
int err = 0;
bool ok;
@@ -3632,6 +3633,7 @@ static int i40e_configure_rx_ring(struct i40e_ring *ring)
memset(&rx_ctx, 0, sizeof(rx_ctx));
ring->rx_buf_len = vsi->rx_buf_len;
+ xdp_frame_sz = i40e_rx_pg_size(ring) / 2;
/* XDP RX-queue info only needed for RX rings exposed to XDP */
if (ring->vsi->type != I40E_VSI_MAIN)
@@ -3639,11 +3641,12 @@ static int i40e_configure_rx_ring(struct i40e_ring *ring)
ring->xsk_pool = i40e_xsk_pool(ring);
if (ring->xsk_pool) {
+ xdp_frame_sz = xsk_pool_get_rx_frag_step(ring->xsk_pool);
ring->rx_buf_len = xsk_pool_get_rx_frame_size(ring->xsk_pool);
err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev,
ring->queue_index,
ring->q_vector->napi.napi_id,
- ring->rx_buf_len);
+ xdp_frame_sz);
if (err)
return err;
err = xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
@@ -3659,7 +3662,7 @@ static int i40e_configure_rx_ring(struct i40e_ring *ring)
err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev,
ring->queue_index,
ring->q_vector->napi.napi_id,
- ring->rx_buf_len);
+ xdp_frame_sz);
if (err)
return err;
err = xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
@@ -3670,7 +3673,7 @@ static int i40e_configure_rx_ring(struct i40e_ring *ring)
}
skip:
- xdp_init_buff(&ring->xdp, i40e_rx_pg_size(ring) / 2, &ring->xdp_rxq);
+ xdp_init_buff(&ring->xdp, xdp_frame_sz, &ring->xdp_rxq);
rx_ctx.dbuff = DIV_ROUND_UP(ring->rx_buf_len,
BIT_ULL(I40E_RXQ_CTX_DBUFF_SHIFT));
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 119/481] octeon_ep: Relocate counter updates before NAPI
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 118/481] net: dsa: realtek: rtl8365mb: fix rtl8365mb_phy_ocp_write return value Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 120/481] octeon_ep: avoid compiler and IQ/OQ reordering Greg Kroah-Hartman
` (196 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sathesh Edara, Shinas Rasheed,
Vimlesh Kumar, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vimlesh Kumar <vimleshk@marvell.com>
[ Upstream commit 18c04a808c436d629d5812ce883e3822a5f5a47f ]
Relocate IQ/OQ IN/OUT_CNTS updates to occur before NAPI completion,
and replace napi_complete with napi_complete_done.
Moving the IQ/OQ counter updates before napi_complete_done ensures
1. Counter registers are updated before re-enabling interrupts.
2. Prevents a race where new packets arrive but counters aren't properly
synchronized.
napi_complete_done (vs napi_complete) allows for better
interrupt coalescing.
Fixes: 37d79d0596062 ("octeon_ep: add Tx/Rx processing and interrupt support")
Signed-off-by: Sathesh Edara <sedara@marvell.com>
Signed-off-by: Shinas Rasheed <srasheed@marvell.com>
Signed-off-by: Vimlesh Kumar <vimleshk@marvell.com>
Link: https://patch.msgid.link/20260227091402.1773833-2-vimleshk@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/marvell/octeon_ep/octep_main.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
index e171097c13654..aa98cc8fd344e 100644
--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
@@ -346,12 +346,12 @@ static void octep_clean_irqs(struct octep_device *oct)
}
/**
- * octep_enable_ioq_irq() - Enable MSI-x interrupt of a Tx/Rx queue.
+ * octep_update_pkt() - Update IQ/OQ IN/OUT_CNT registers.
*
* @iq: Octeon Tx queue data structure.
* @oq: Octeon Rx queue data structure.
*/
-static void octep_enable_ioq_irq(struct octep_iq *iq, struct octep_oq *oq)
+static void octep_update_pkt(struct octep_iq *iq, struct octep_oq *oq)
{
u32 pkts_pend = oq->pkts_pending;
@@ -367,7 +367,17 @@ static void octep_enable_ioq_irq(struct octep_iq *iq, struct octep_oq *oq)
}
/* Flush the previous wrties before writing to RESEND bit */
- wmb();
+ smp_wmb();
+}
+
+/**
+ * octep_enable_ioq_irq() - Enable MSI-x interrupt of a Tx/Rx queue.
+ *
+ * @iq: Octeon Tx queue data structure.
+ * @oq: Octeon Rx queue data structure.
+ */
+static void octep_enable_ioq_irq(struct octep_iq *iq, struct octep_oq *oq)
+{
writeq(1UL << OCTEP_OQ_INTR_RESEND_BIT, oq->pkts_sent_reg);
writeq(1UL << OCTEP_IQ_INTR_RESEND_BIT, iq->inst_cnt_reg);
}
@@ -393,7 +403,8 @@ static int octep_napi_poll(struct napi_struct *napi, int budget)
if (tx_pending || rx_done >= budget)
return budget;
- napi_complete(napi);
+ octep_update_pkt(ioq_vector->iq, ioq_vector->oq);
+ napi_complete_done(napi, rx_done);
octep_enable_ioq_irq(ioq_vector->iq, ioq_vector->oq);
return rx_done;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 106/460] usb: core: dont power off roothub PHYs if phy_set_mode() fails
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 105/460] usb: misc: uss720: properly clean up reference in uss720_probe() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 107/460] usb: cdc-acm: Restore CAP_BRK functionnality to CH343 Greg Kroah-Hartman
` (196 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Miquel Raynal
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
commit e293015ba76eb96ce4ebed7e3b2cb1a7d319f3e9 upstream.
Remove the error path from the usb_phy_roothub_set_mode() function.
The code is clearly wrong, because phy_set_mode() calls can't be
balanced with phy_power_off() calls.
Additionally, the usb_phy_roothub_set_mode() function is called only
from usb_add_hcd() before it powers on the PHYs, so powering off those
makes no sense anyway.
Presumably, the code is copy-pasted from the phy_power_on() function
without adjusting the error handling.
Cc: stable@vger.kernel.org # v5.1+
Fixes: b97a31348379 ("usb: core: comply to PHY framework")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20260218-usb-phy-poweroff-fix-v1-1-66e6831e860e@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/phy.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
--- a/drivers/usb/core/phy.c
+++ b/drivers/usb/core/phy.c
@@ -200,16 +200,10 @@ int usb_phy_roothub_set_mode(struct usb_
list_for_each_entry(roothub_entry, head, list) {
err = phy_set_mode(roothub_entry->phy, mode);
if (err)
- goto err_out;
+ return err;
}
return 0;
-
-err_out:
- list_for_each_entry_continue_reverse(roothub_entry, head, list)
- phy_power_off(roothub_entry->phy);
-
- return err;
}
EXPORT_SYMBOL_GPL(usb_phy_roothub_set_mode);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 182/567] xdp: produce a warning when calculated tailroom is negative
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 181/567] i40e: use xdp.frame_sz as XDP RxQ info frag_size Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 183/567] selftest/arm64: Fix sve2p1_sigill() to hwcap test Greg Kroah-Hartman
` (195 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov,
Toke Høiland-Jørgensen, Martin KaFai Lau,
Larysa Zaremba, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Larysa Zaremba <larysa.zaremba@intel.com>
[ Upstream commit 8821e857759be9db3cde337ad328b71fe5c8a55f ]
Many ethernet drivers report xdp Rx queue frag size as being the same as
DMA write size. However, the only user of this field, namely
bpf_xdp_frags_increase_tail(), clearly expects a truesize.
Such difference leads to unspecific memory corruption issues under certain
circumstances, e.g. in ixgbevf maximum DMA write size is 3 KB, so when
running xskxceiver's XDP_ADJUST_TAIL_GROW_MULTI_BUFF, 6K packet fully uses
all DMA-writable space in 2 buffers. This would be fine, if only
rxq->frag_size was properly set to 4K, but value of 3K results in a
negative tailroom, because there is a non-zero page offset.
We are supposed to return -EINVAL and be done with it in such case, but due
to tailroom being stored as an unsigned int, it is reported to be somewhere
near UINT_MAX, resulting in a tail being grown, even if the requested
offset is too much (it is around 2K in the abovementioned test). This later
leads to all kinds of unspecific calltraces.
[ 7340.337579] xskxceiver[1440]: segfault at 1da718 ip 00007f4161aeac9d sp 00007f41615a6a00 error 6
[ 7340.338040] xskxceiver[1441]: segfault at 7f410000000b ip 00000000004042b5 sp 00007f415bffecf0 error 4
[ 7340.338179] in libc.so.6[61c9d,7f4161aaf000+160000]
[ 7340.339230] in xskxceiver[42b5,400000+69000]
[ 7340.340300] likely on CPU 6 (core 0, socket 6)
[ 7340.340302] Code: ff ff 01 e9 f4 fe ff ff 0f 1f 44 00 00 4c 39 f0 74 73 31 c0 ba 01 00 00 00 f0 0f b1 17 0f 85 ba 00 00 00 49 8b 87 88 00 00 00 <4c> 89 70 08 eb cc 0f 1f 44 00 00 48 8d bd f0 fe ff ff 89 85 ec fe
[ 7340.340888] likely on CPU 3 (core 0, socket 3)
[ 7340.345088] Code: 00 00 00 ba 00 00 00 00 be 00 00 00 00 89 c7 e8 31 ca ff ff 89 45 ec 8b 45 ec 85 c0 78 07 b8 00 00 00 00 eb 46 e8 0b c8 ff ff <8b> 00 83 f8 69 74 24 e8 ff c7 ff ff 8b 00 83 f8 0b 74 18 e8 f3 c7
[ 7340.404334] Oops: general protection fault, probably for non-canonical address 0x6d255010bdffc: 0000 [#1] SMP NOPTI
[ 7340.405972] CPU: 7 UID: 0 PID: 1439 Comm: xskxceiver Not tainted 6.19.0-rc1+ #21 PREEMPT(lazy)
[ 7340.408006] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014
[ 7340.409716] RIP: 0010:lookup_swap_cgroup_id+0x44/0x80
[ 7340.410455] Code: 83 f8 1c 73 39 48 ba ff ff ff ff ff ff ff 03 48 8b 04 c5 20 55 fa bd 48 21 d1 48 89 ca 83 e1 01 48 d1 ea c1 e1 04 48 8d 04 90 <8b> 00 48 83 c4 10 d3 e8 c3 cc cc cc cc 31 c0 e9 98 b7 dd 00 48 89
[ 7340.412787] RSP: 0018:ffffcc5c04f7f6d0 EFLAGS: 00010202
[ 7340.413494] RAX: 0006d255010bdffc RBX: ffff891f477895a8 RCX: 0000000000000010
[ 7340.414431] RDX: 0001c17e3fffffff RSI: 00fa070000000000 RDI: 000382fc7fffffff
[ 7340.415354] RBP: 00fa070000000000 R08: ffffcc5c04f7f8f8 R09: ffffcc5c04f7f7d0
[ 7340.416283] R10: ffff891f4c1a7000 R11: ffffcc5c04f7f9c8 R12: ffffcc5c04f7f7d0
[ 7340.417218] R13: 03ffffffffffffff R14: 00fa06fffffffe00 R15: ffff891f47789500
[ 7340.418229] FS: 0000000000000000(0000) GS:ffff891ffdfaa000(0000) knlGS:0000000000000000
[ 7340.419489] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7340.420286] CR2: 00007f415bfffd58 CR3: 0000000103f03002 CR4: 0000000000772ef0
[ 7340.421237] PKRU: 55555554
[ 7340.421623] Call Trace:
[ 7340.421987] <TASK>
[ 7340.422309] ? softleaf_from_pte+0x77/0xa0
[ 7340.422855] swap_pte_batch+0xa7/0x290
[ 7340.423363] zap_nonpresent_ptes.constprop.0.isra.0+0xd1/0x270
[ 7340.424102] zap_pte_range+0x281/0x580
[ 7340.424607] zap_pmd_range.isra.0+0xc9/0x240
[ 7340.425177] unmap_page_range+0x24d/0x420
[ 7340.425714] unmap_vmas+0xa1/0x180
[ 7340.426185] exit_mmap+0xe1/0x3b0
[ 7340.426644] __mmput+0x41/0x150
[ 7340.427098] exit_mm+0xb1/0x110
[ 7340.427539] do_exit+0x1b2/0x460
[ 7340.427992] do_group_exit+0x2d/0xc0
[ 7340.428477] get_signal+0x79d/0x7e0
[ 7340.428957] arch_do_signal_or_restart+0x34/0x100
[ 7340.429571] exit_to_user_mode_loop+0x8e/0x4c0
[ 7340.430159] do_syscall_64+0x188/0x6b0
[ 7340.430672] ? __do_sys_clone3+0xd9/0x120
[ 7340.431212] ? switch_fpu_return+0x4e/0xd0
[ 7340.431761] ? arch_exit_to_user_mode_prepare.isra.0+0xa1/0xc0
[ 7340.432498] ? do_syscall_64+0xbb/0x6b0
[ 7340.433015] ? __handle_mm_fault+0x445/0x690
[ 7340.433582] ? count_memcg_events+0xd6/0x210
[ 7340.434151] ? handle_mm_fault+0x212/0x340
[ 7340.434697] ? do_user_addr_fault+0x2b4/0x7b0
[ 7340.435271] ? clear_bhb_loop+0x30/0x80
[ 7340.435788] ? clear_bhb_loop+0x30/0x80
[ 7340.436299] ? clear_bhb_loop+0x30/0x80
[ 7340.436812] ? clear_bhb_loop+0x30/0x80
[ 7340.437323] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 7340.437973] RIP: 0033:0x7f4161b14169
[ 7340.438468] Code: Unable to access opcode bytes at 0x7f4161b1413f.
[ 7340.439242] RSP: 002b:00007ffc6ebfa770 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 7340.440173] RAX: fffffffffffffe00 RBX: 00000000000005a1 RCX: 00007f4161b14169
[ 7340.441061] RDX: 00000000000005a1 RSI: 0000000000000109 RDI: 00007f415bfff990
[ 7340.441943] RBP: 00007ffc6ebfa7a0 R08: 0000000000000000 R09: 00000000ffffffff
[ 7340.442824] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 7340.443707] R13: 0000000000000000 R14: 00007f415bfff990 R15: 00007f415bfff6c0
[ 7340.444586] </TASK>
[ 7340.444922] Modules linked in: rfkill intel_rapl_msr intel_rapl_common intel_uncore_frequency_common skx_edac_common nfit libnvdimm kvm_intel vfat fat kvm snd_pcm irqbypass rapl iTCO_wdt snd_timer intel_pmc_bxt iTCO_vendor_support snd ixgbevf virtio_net soundcore i2c_i801 pcspkr libeth_xdp net_failover i2c_smbus lpc_ich failover libeth virtio_balloon joydev 9p fuse loop zram lz4hc_compress lz4_compress 9pnet_virtio 9pnet netfs ghash_clmulni_intel serio_raw qemu_fw_cfg
[ 7340.449650] ---[ end trace 0000000000000000 ]---
The issue can be fixed in all in-tree drivers, but we cannot just trust OOT
drivers to not do this. Therefore, make tailroom a signed int and produce a
warning when it is negative to prevent such mistakes in the future.
Fixes: bf25146a5595 ("bpf: add frags support to the bpf_xdp_adjust_tail() API")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Larysa Zaremba <larysa.zaremba@intel.com>
Link: https://patch.msgid.link/20260305111253.2317394-10-larysa.zaremba@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index 58109f6201b76..b1e9abb3891cc 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4132,13 +4132,14 @@ static int bpf_xdp_frags_increase_tail(struct xdp_buff *xdp, int offset)
struct skb_shared_info *sinfo = xdp_get_shared_info_from_buff(xdp);
skb_frag_t *frag = &sinfo->frags[sinfo->nr_frags - 1];
struct xdp_rxq_info *rxq = xdp->rxq;
- unsigned int tailroom;
+ int tailroom;
if (!rxq->frag_size || rxq->frag_size > xdp->frame_sz)
return -EOPNOTSUPP;
tailroom = rxq->frag_size - skb_frag_size(frag) -
skb_frag_off(frag) % rxq->frag_size;
+ WARN_ON_ONCE(tailroom < 0);
if (unlikely(offset > tailroom))
return -EINVAL;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 120/481] octeon_ep: avoid compiler and IQ/OQ reordering
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 119/481] octeon_ep: Relocate counter updates before NAPI Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 121/481] wifi: cw1200: Fix locking in error paths Greg Kroah-Hartman
` (195 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sathesh Edara, Shinas Rasheed,
Vimlesh Kumar, Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vimlesh Kumar <vimleshk@marvell.com>
[ Upstream commit 43b3160cb639079a15daeb5f080120afbfbfc918 ]
Utilize READ_ONCE and WRITE_ONCE APIs for IO queue Tx/Rx
variable access to prevent compiler optimization and reordering.
Additionally, ensure IO queue OUT/IN_CNT registers are flushed
by performing a read-back after writing.
The compiler could reorder reads/writes to pkts_pending, last_pkt_count,
etc., causing stale values to be used when calculating packets to process
or register updates to send to hardware. The Octeon hardware requires a
read-back after writing to OUT_CNT/IN_CNT registers to ensure the write
has been flushed through any posted write buffers before the interrupt
resend bit is set. Without this, we have observed cases where the hardware
didn't properly update its internal state.
wmb/rmb only provides ordering guarantees but doesn't prevent the compiler
from performing optimizations like caching in registers, load tearing etc.
Fixes: 37d79d0596062 ("octeon_ep: add Tx/Rx processing and interrupt support")
Signed-off-by: Sathesh Edara <sedara@marvell.com>
Signed-off-by: Shinas Rasheed <srasheed@marvell.com>
Signed-off-by: Vimlesh Kumar <vimleshk@marvell.com>
Link: https://patch.msgid.link/20260227091402.1773833-3-vimleshk@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/marvell/octeon_ep/octep_main.c | 21 +++++++++------
.../net/ethernet/marvell/octeon_ep/octep_rx.c | 27 +++++++++++++------
2 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
index aa98cc8fd344e..32b30cbb8c009 100644
--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
@@ -353,17 +353,22 @@ static void octep_clean_irqs(struct octep_device *oct)
*/
static void octep_update_pkt(struct octep_iq *iq, struct octep_oq *oq)
{
- u32 pkts_pend = oq->pkts_pending;
+ u32 pkts_pend = READ_ONCE(oq->pkts_pending);
+ u32 last_pkt_count = READ_ONCE(oq->last_pkt_count);
+ u32 pkts_processed = READ_ONCE(iq->pkts_processed);
+ u32 pkt_in_done = READ_ONCE(iq->pkt_in_done);
netdev_dbg(iq->netdev, "enabling intr for Q-%u\n", iq->q_no);
- if (iq->pkts_processed) {
- writel(iq->pkts_processed, iq->inst_cnt_reg);
- iq->pkt_in_done -= iq->pkts_processed;
- iq->pkts_processed = 0;
+ if (pkts_processed) {
+ writel(pkts_processed, iq->inst_cnt_reg);
+ readl(iq->inst_cnt_reg);
+ WRITE_ONCE(iq->pkt_in_done, (pkt_in_done - pkts_processed));
+ WRITE_ONCE(iq->pkts_processed, 0);
}
- if (oq->last_pkt_count - pkts_pend) {
- writel(oq->last_pkt_count - pkts_pend, oq->pkts_sent_reg);
- oq->last_pkt_count = pkts_pend;
+ if (last_pkt_count - pkts_pend) {
+ writel(last_pkt_count - pkts_pend, oq->pkts_sent_reg);
+ readl(oq->pkts_sent_reg);
+ WRITE_ONCE(oq->last_pkt_count, pkts_pend);
}
/* Flush the previous wrties before writing to RESEND bit */
diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c b/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c
index 4f3c1187a6e82..0ecfc4e36f3ac 100644
--- a/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c
+++ b/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c
@@ -317,10 +317,16 @@ static int octep_oq_check_hw_for_pkts(struct octep_device *oct,
struct octep_oq *oq)
{
u32 pkt_count, new_pkts;
+ u32 last_pkt_count, pkts_pending;
pkt_count = readl(oq->pkts_sent_reg);
- new_pkts = pkt_count - oq->last_pkt_count;
+ last_pkt_count = READ_ONCE(oq->last_pkt_count);
+ new_pkts = pkt_count - last_pkt_count;
+ if (pkt_count < last_pkt_count) {
+ dev_err(oq->dev, "OQ-%u pkt_count(%u) < oq->last_pkt_count(%u)\n",
+ oq->q_no, pkt_count, last_pkt_count);
+ }
/* Clear the hardware packets counter register if the rx queue is
* being processed continuously with-in a single interrupt and
* reached half its max value.
@@ -331,8 +337,9 @@ static int octep_oq_check_hw_for_pkts(struct octep_device *oct,
pkt_count = readl(oq->pkts_sent_reg);
new_pkts += pkt_count;
}
- oq->last_pkt_count = pkt_count;
- oq->pkts_pending += new_pkts;
+ WRITE_ONCE(oq->last_pkt_count, pkt_count);
+ pkts_pending = READ_ONCE(oq->pkts_pending);
+ WRITE_ONCE(oq->pkts_pending, (pkts_pending + new_pkts));
return new_pkts;
}
@@ -405,7 +412,7 @@ static int __octep_oq_process_rx(struct octep_device *oct,
u16 data_offset;
u32 read_idx;
- read_idx = oq->host_read_idx;
+ read_idx = READ_ONCE(oq->host_read_idx);
rx_bytes = 0;
desc_used = 0;
for (pkt = 0; pkt < pkts_to_process; pkt++) {
@@ -488,7 +495,7 @@ static int __octep_oq_process_rx(struct octep_device *oct,
napi_gro_receive(oq->napi, skb);
}
- oq->host_read_idx = read_idx;
+ WRITE_ONCE(oq->host_read_idx, read_idx);
oq->refill_count += desc_used;
oq->stats.packets += pkt;
oq->stats.bytes += rx_bytes;
@@ -511,22 +518,26 @@ int octep_oq_process_rx(struct octep_oq *oq, int budget)
{
u32 pkts_available, pkts_processed, total_pkts_processed;
struct octep_device *oct = oq->octep_dev;
+ u32 pkts_pending;
pkts_available = 0;
pkts_processed = 0;
total_pkts_processed = 0;
while (total_pkts_processed < budget) {
/* update pending count only when current one exhausted */
- if (oq->pkts_pending == 0)
+ pkts_pending = READ_ONCE(oq->pkts_pending);
+ if (pkts_pending == 0)
octep_oq_check_hw_for_pkts(oct, oq);
+ pkts_pending = READ_ONCE(oq->pkts_pending);
pkts_available = min(budget - total_pkts_processed,
- oq->pkts_pending);
+ pkts_pending);
if (!pkts_available)
break;
pkts_processed = __octep_oq_process_rx(oct, oq,
pkts_available);
- oq->pkts_pending -= pkts_processed;
+ pkts_pending = READ_ONCE(oq->pkts_pending);
+ WRITE_ONCE(oq->pkts_pending, (pkts_pending - pkts_processed));
total_pkts_processed += pkts_processed;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 107/460] usb: cdc-acm: Restore CAP_BRK functionnality to CH343
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 106/460] usb: core: dont power off roothub PHYs if phy_set_mode() fails Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 108/460] usb: roles: get usb role switch from parent only for usb-b-connector Greg Kroah-Hartman
` (195 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Zyngier, stable, Oliver Neukum
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit 14ae24cba291bddfdc296bbcbfd00cd09d0498ef upstream.
The CH343 USB/serial adapter is as buggy as it is popular (very).
One of its quirks is that despite being capable of signalling a
BREAK condition, it doesn't advertise it.
This used to work nonetheless until 66aad7d8d3ec5 ("usb: cdc-acm:
return correct error code on unsupported break") applied some
reasonable restrictions, preventing breaks from being emitted on
devices that do not advertise CAP_BRK.
Add a quirk for this particular device, so that breaks can still
be produced on some of my machines attached to my console server.
Fixes: 66aad7d8d3ec5 ("usb: cdc-acm: return correct error code on unsupported break")
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable <stable@kernel.org>
Cc: Oliver Neukum <oneukum@suse.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20260301124440.1192752-1-maz@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-acm.c | 5 +++++
drivers/usb/class/cdc-acm.h | 1 +
2 files changed, 6 insertions(+)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1379,6 +1379,8 @@ made_compressed_probe:
acm->ctrl_caps = h.usb_cdc_acm_descriptor->bmCapabilities;
if (quirks & NO_CAP_LINE)
acm->ctrl_caps &= ~USB_CDC_CAP_LINE;
+ if (quirks & MISSING_CAP_BRK)
+ acm->ctrl_caps |= USB_CDC_CAP_BRK;
acm->ctrlsize = ctrlsize;
acm->readsize = readsize;
acm->rx_buflimit = num_rx_buf;
@@ -2002,6 +2004,9 @@ static const struct usb_device_id acm_id
.driver_info = IGNORE_DEVICE,
},
+ /* CH343 supports CAP_BRK, but doesn't advertise it */
+ { USB_DEVICE(0x1a86, 0x55d3), .driver_info = MISSING_CAP_BRK, },
+
/* control interfaces without any protocol set */
{ USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
USB_CDC_PROTO_NONE) },
--- a/drivers/usb/class/cdc-acm.h
+++ b/drivers/usb/class/cdc-acm.h
@@ -113,3 +113,4 @@ struct acm {
#define CLEAR_HALT_CONDITIONS BIT(5)
#define SEND_ZERO_PACKET BIT(6)
#define DISABLE_ECHO BIT(7)
+#define MISSING_CAP_BRK BIT(8)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 183/567] selftest/arm64: Fix sve2p1_sigill() to hwcap test
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 182/567] xdp: produce a warning when calculated tailroom is negative Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 184/567] tracing: Add NULL pointer check to trigger_data_free() Greg Kroah-Hartman
` (194 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Mark Brown, Will Deacon,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yifan Wu <wuyifan50@huawei.com>
[ Upstream commit d87c828daa7ead9763416f75cc416496969cf1dc ]
The FEAT_SVE2p1 is indicated by ID_AA64ZFR0_EL1.SVEver. However,
the BFADD requires the FEAT_SVE_B16B16, which is indicated by
ID_AA64ZFR0_EL1.B16B16. This could cause the test to incorrectly
fail on a CPU that supports FEAT_SVE2.1 but not FEAT_SVE_B16B16.
LD1Q Gather load quadwords which is decoded from SVE encodings and
implied by FEAT_SVE2p1.
Fixes: c5195b027d29 ("kselftest/arm64: Add SVE 2.1 to hwcap test")
Signed-off-by: Yifan Wu <wuyifan50@huawei.com>
Reviewed-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/arm64/abi/hwcap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/arm64/abi/hwcap.c b/tools/testing/selftests/arm64/abi/hwcap.c
index e3d262831d919..311a2a65f7cf2 100644
--- a/tools/testing/selftests/arm64/abi/hwcap.c
+++ b/tools/testing/selftests/arm64/abi/hwcap.c
@@ -216,8 +216,8 @@ static void sve2_sigill(void)
static void sve2p1_sigill(void)
{
- /* BFADD Z0.H, Z0.H, Z0.H */
- asm volatile(".inst 0x65000000" : : : "z0");
+ /* LD1Q {Z0.Q}, P0/Z, [Z0.D, X0] */
+ asm volatile(".inst 0xC400A000" : : : "z0");
}
static void sveaes_sigill(void)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 121/481] wifi: cw1200: Fix locking in error paths
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 120/481] octeon_ep: avoid compiler and IQ/OQ reordering Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 122/481] wifi: wlcore: Fix a locking bug Greg Kroah-Hartman
` (194 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bart Van Assche, Johannes Berg,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit d98c24617a831e92e7224a07dcaed2dd0b02af96 ]
cw1200_wow_suspend() must only return with priv->conf_mutex locked if it
returns zero. This mutex must be unlocked if an error is returned. Add
mutex_unlock() calls to the error paths from which that call is missing.
This has been detected by the Clang thread-safety analyzer.
Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260223220102.2158611-25-bart.vanassche@linux.dev
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/st/cw1200/pm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/st/cw1200/pm.c b/drivers/net/wireless/st/cw1200/pm.c
index a20ab577a3644..212b6f2af8de4 100644
--- a/drivers/net/wireless/st/cw1200/pm.c
+++ b/drivers/net/wireless/st/cw1200/pm.c
@@ -264,12 +264,14 @@ int cw1200_wow_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
wiphy_err(priv->hw->wiphy,
"PM request failed: %d. WoW is disabled.\n", ret);
cw1200_wow_resume(hw);
+ mutex_unlock(&priv->conf_mutex);
return -EBUSY;
}
/* Force resume if event is coming from the device. */
if (atomic_read(&priv->bh_rx)) {
cw1200_wow_resume(hw);
+ mutex_unlock(&priv->conf_mutex);
return -EAGAIN;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 108/460] usb: roles: get usb role switch from parent only for usb-b-connector
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 107/460] usb: cdc-acm: Restore CAP_BRK functionnality to CH343 Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 109/460] usb: typec: altmode/displayport: set displayport signaling rate in configure message Greg Kroah-Hartman
` (194 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Xu Yang, Arnaud Ferraris,
Heikki Krogerus
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 8345b1539faa49fcf9c9439c3cbd97dac6eca171 upstream.
usb_role_switch_is_parent() was walking up to the parent node and checking
for the "usb-role-switch" property regardless of the type of the passed
fwnode. This could cause unrelated device nodes to be probed as potential
role switch parent, leading to spurious matches and "-EPROBE_DEFER" being
returned infinitely.
Till now only Type-B connector node will have a parent node which may
present "usb-role-switch" property and register the role switch device.
For Type-C connector node, its parent node will always be a Type-C chip
device which will never register the role switch device. However, it may
still present a non-boolean "usb-role-switch = <&usb_controller>" property
for historical compatibility.
So restrict the helper to only operate on Type-B connector when attempting
to get the role switch from parent node.
Fixes: 6fadd72943b8 ("usb: roles: get usb-role-switch from parent")
Cc: stable <stable@kernel.org>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Tested-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260309074313.2809867-3-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/roles/class.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/roles/class.c
+++ b/drivers/usb/roles/class.c
@@ -139,9 +139,14 @@ static void *usb_role_switch_match(const
static struct usb_role_switch *
usb_role_switch_is_parent(struct fwnode_handle *fwnode)
{
- struct fwnode_handle *parent = fwnode_get_parent(fwnode);
+ struct fwnode_handle *parent;
struct device *dev;
+ if (!fwnode_device_is_compatible(fwnode, "usb-b-connector"))
+ return NULL;
+
+ parent = fwnode_get_parent(fwnode);
+
if (!fwnode_property_present(parent, "usb-role-switch")) {
fwnode_handle_put(parent);
return NULL;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 184/567] tracing: Add NULL pointer check to trigger_data_free()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 183/567] selftest/arm64: Fix sve2p1_sigill() to hwcap test Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 185/567] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks Greg Kroah-Hartman
` (193 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Masami Hiramatsu,
Mathieu Desnoyers, Steven Rostedt (Google), Guenter Roeck,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit 457965c13f0837a289c9164b842d0860133f6274 ]
If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse()
jumps to the out_free error path. While kfree() safely handles a NULL
pointer, trigger_data_free() does not. This causes a NULL pointer
dereference in trigger_data_free() when evaluating
data->cmd_ops->set_filter.
Fix the problem by adding a NULL pointer check to trigger_data_free().
The problem was found by an experimental code review agent based on
gemini-3.1-pro while reviewing backports into v6.18.y.
Cc: Miaoqian Lin <linmq006@gmail.com>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
Link: https://patch.msgid.link/20260305193339.2810953-1-linux@roeck-us.net
Fixes: 0550069cc25f ("tracing: Properly process error handling in event_hist_trigger_parse()")
Assisted-by: Gemini:gemini-3.1-pro
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events_trigger.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
index fe079ff82ef1b..3ef1fe15493d3 100644
--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -19,6 +19,9 @@ static DEFINE_MUTEX(trigger_cmd_mutex);
void trigger_data_free(struct event_trigger_data *data)
{
+ if (!data)
+ return;
+
if (data->cmd_ops->set_filter)
data->cmd_ops->set_filter(NULL, data, NULL);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 122/481] wifi: wlcore: Fix a locking bug
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 121/481] wifi: cw1200: Fix locking in error paths Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 123/481] wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Greg Kroah-Hartman
` (193 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bart Van Assche, Johannes Berg,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit 72c6df8f284b3a49812ce2ac136727ace70acc7c ]
Make sure that wl->mutex is locked before it is unlocked. This has been
detected by the Clang thread-safety analyzer.
Fixes: 45aa7f071b06 ("wlcore: Use generic runtime pm calls for wowlan elp configuration")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260223220102.2158611-26-bart.vanassche@linux.dev
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ti/wlcore/main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c
index b88ceb1f9800c..95de73f4a7dfd 100644
--- a/drivers/net/wireless/ti/wlcore/main.c
+++ b/drivers/net/wireless/ti/wlcore/main.c
@@ -1800,6 +1800,8 @@ static int __maybe_unused wl1271_op_resume(struct ieee80211_hw *hw)
wl->wow_enabled);
WARN_ON(!wl->wow_enabled);
+ mutex_lock(&wl->mutex);
+
ret = pm_runtime_force_resume(wl->dev);
if (ret < 0) {
wl1271_error("ELP wakeup failure!");
@@ -1816,8 +1818,6 @@ static int __maybe_unused wl1271_op_resume(struct ieee80211_hw *hw)
run_irq_work = true;
spin_unlock_irqrestore(&wl->wl_lock, flags);
- mutex_lock(&wl->mutex);
-
/* test the recovery flag before calling any SDIO functions */
pending_recovery = test_bit(WL1271_FLAG_RECOVERY_IN_PROGRESS,
&wl->flags);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 109/460] usb: typec: altmode/displayport: set displayport signaling rate in configure message
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 108/460] usb: roles: get usb role switch from parent only for usb-b-connector Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 110/460] USB: usbcore: Introduce usb_bulk_msg_killable() Greg Kroah-Hartman
` (193 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, RD Babiera, Heikki Krogerus
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: RD Babiera <rdbabiera@google.com>
commit e8557acfa079a54b59a21f447c82a31aec7717df upstream.
dp_altmode_configure sets the signaling rate to the current
configuration's rate and then shifts the value to the Select
Configuration bitfield. On the initial configuration, dp->data.conf
is 0 to begin with, so the signaling rate field is never set, which
leads to some DisplayPort Alt Mode partners sending NAK to the
Configure message.
Set the signaling rate to the capabilities supported by both the
port and the port partner. If the cable supports DisplayPort Alt Mode,
then include its capabilities as well.
Fixes: a17fae8fc38e ("usb: typec: Add Displayport Alternate Mode 2.1 Support")
Cc: stable <stable@kernel.org>
Signed-off-by: RD Babiera <rdbabiera@google.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260310204106.3939862-2-rdbabiera@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/altmodes/displayport.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/typec/altmodes/displayport.c
+++ b/drivers/usb/typec/altmodes/displayport.c
@@ -93,9 +93,14 @@ static int dp_altmode_configure(struct d
{
u8 pin_assign = 0;
u32 conf;
+ u32 signal;
/* DP Signalling */
- conf = (dp->data.conf & DP_CONF_SIGNALLING_MASK) >> DP_CONF_SIGNALLING_SHIFT;
+ signal = DP_CAP_DP_SIGNALLING(dp->port->vdo) & DP_CAP_DP_SIGNALLING(dp->alt->vdo);
+ if (dp->plug_prime)
+ signal &= DP_CAP_DP_SIGNALLING(dp->plug_prime->vdo);
+
+ conf = signal << DP_CONF_SIGNALLING_SHIFT;
switch (con) {
case DP_STATUS_CON_DISABLED:
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 185/567] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 184/567] tracing: Add NULL pointer check to trigger_data_free() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 186/567] net: tcp: accept old ack during closing Greg Kroah-Hartman
` (192 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, GangMin Kim, Victor Nogueira,
Jamal Hadi Salim, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Nogueira <victor@mojatatu.com>
commit 11cb63b0d1a0685e0831ae3c77223e002ef18189 upstream.
As Paolo said earlier [1]:
"Since the blamed commit below, classify can return TC_ACT_CONSUMED while
the current skb being held by the defragmentation engine. As reported by
GangMin Kim, if such packet is that may cause a UaF when the defrag engine
later on tries to tuch again such packet."
act_ct was never meant to be used in the egress path, however some users
are attaching it to egress today [2]. Attempting to reach a middle
ground, we noticed that, while most qdiscs are not handling
TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we
address the issue by only allowing act_ct to bind to clsact/ingress
qdiscs and shared blocks. That way it's still possible to attach act_ct to
egress (albeit only with clsact).
[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/
[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
Reported-by: GangMin Kim <km.kim1503@gmail.com>
Fixes: 3f14b377d01d ("net/sched: act_ct: fix skb leak and crash on ooo frags")
CC: stable@vger.kernel.org
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260225134349.1287037-1-victor@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/act_api.h | 1 +
net/sched/act_ct.c | 6 ++++++
net/sched/cls_api.c | 7 +++++++
3 files changed, 14 insertions(+)
--- a/include/net/act_api.h
+++ b/include/net/act_api.h
@@ -68,6 +68,7 @@ struct tc_action {
#define TCA_ACT_FLAGS_REPLACE (1U << (TCA_ACT_FLAGS_USER_BITS + 2))
#define TCA_ACT_FLAGS_NO_RTNL (1U << (TCA_ACT_FLAGS_USER_BITS + 3))
#define TCA_ACT_FLAGS_AT_INGRESS (1U << (TCA_ACT_FLAGS_USER_BITS + 4))
+#define TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT (1U << (TCA_ACT_FLAGS_USER_BITS + 5))
/* Update lastuse only if needed, to avoid dirtying a cache line.
* We use a temp variable to avoid fetching jiffies twice.
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -1327,6 +1327,12 @@ static int tcf_ct_init(struct net *net,
return -EINVAL;
}
+ if (bind && !(flags & TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT)) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "Attaching ct to a non ingress/clsact qdisc is unsupported");
+ return -EOPNOTSUPP;
+ }
+
err = nla_parse_nested(tb, TCA_CT_MAX, nla, ct_policy, extack);
if (err < 0)
return err;
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -2151,6 +2151,11 @@ static bool is_qdisc_ingress(__u32 class
return (TC_H_MIN(classid) == TC_H_MIN(TC_H_MIN_INGRESS));
}
+static bool is_ingress_or_clsact(struct tcf_block *block, struct Qdisc *q)
+{
+ return tcf_block_shared(block) || (q && !!(q->flags & TCQ_F_INGRESS));
+}
+
static int tc_new_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
struct netlink_ext_ack *extack)
{
@@ -2344,6 +2349,8 @@ replay:
flags |= TCA_ACT_FLAGS_NO_RTNL;
if (is_qdisc_ingress(parent))
flags |= TCA_ACT_FLAGS_AT_INGRESS;
+ if (is_ingress_or_clsact(block, q))
+ flags |= TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT;
err = tp->ops->change(net, skb, tp, cl, t->tcm_handle, tca, &fh,
flags, extack);
if (err == 0) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 123/481] wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 122/481] wifi: wlcore: Fix a locking bug Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 124/481] indirect_call_wrapper: do not reevaluate function pointer Greg Kroah-Hartman
` (192 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Johannes Berg,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 4e10a730d1b511ff49723371ed6d694dd1b2c785 ]
Check frame length before accessing the mgmt fields in
mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob
access.
Fixes: 577dbc6c656d ("mt76: mt7915: enable offloading of sequence number assignment")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260226-mt76-addba-req-oob-access-v1-3-b0f6d1ad4850@kernel.org
[fix check to also cover mgmt->u.action.u.addba_req.capab,
correct Fixes tag]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
index f7d392fce8c28..f69cb83adcca9 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
@@ -375,6 +375,7 @@ mt76_connac2_mac_write_txwi_80211(struct mt76_dev *dev, __le32 *txwi,
u32 val;
if (ieee80211_is_action(fc) &&
+ skb->len >= IEEE80211_MIN_ACTION_SIZE + 1 + 1 + 2 &&
mgmt->u.action.category == WLAN_CATEGORY_BACK &&
mgmt->u.action.u.addba_req.action_code == WLAN_ACTION_ADDBA_REQ) {
u16 capab = le16_to_cpu(mgmt->u.action.u.addba_req.capab);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 110/460] USB: usbcore: Introduce usb_bulk_msg_killable()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 109/460] usb: typec: altmode/displayport: set displayport signaling rate in configure message Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 111/460] USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts Greg Kroah-Hartman
` (192 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Stern, Oliver Neukum
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 416909962e7cdf29fd01ac523c953f37708df93d upstream.
The synchronous message API in usbcore (usb_control_msg(),
usb_bulk_msg(), and so on) uses uninterruptible waits. However,
drivers may call these routines in the context of a user thread, which
means it ought to be possible to at least kill them.
For this reason, introduce a new usb_bulk_msg_killable() function
which behaves the same as usb_bulk_msg() except for using
wait_for_completion_killable_timeout() instead of
wait_for_completion_timeout(). The same can be done later for
usb_control_msg() later on, if it turns out to be needed.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Suggested-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/linux-usb/3acfe838-6334-4f6d-be7c-4bb01704b33d@rowland.harvard.edu/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
CC: stable@vger.kernel.org
Link: https://patch.msgid.link/248628b4-cc83-4e81-a620-3ce4e0376d41@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/message.c | 79 +++++++++++++++++++++++++++++++++++++++------
include/linux/usb.h | 5 +-
2 files changed, 72 insertions(+), 12 deletions(-)
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -42,16 +42,17 @@ static void usb_api_blocking_completion(
/*
- * Starts urb and waits for completion or timeout. Note that this call
- * is NOT interruptible. Many device driver i/o requests should be
- * interruptible and therefore these drivers should implement their
- * own interruptible routines.
+ * Starts urb and waits for completion or timeout.
+ * Whether or not the wait is killable depends on the flag passed in.
+ * For example, compare usb_bulk_msg() and usb_bulk_msg_killable().
*/
-static int usb_start_wait_urb(struct urb *urb, int timeout, int *actual_length)
+static int usb_start_wait_urb(struct urb *urb, int timeout, int *actual_length,
+ bool killable)
{
struct api_context ctx;
unsigned long expire;
int retval;
+ long rc;
init_completion(&ctx.done);
urb->context = &ctx;
@@ -61,12 +62,21 @@ static int usb_start_wait_urb(struct urb
goto out;
expire = timeout ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT;
- if (!wait_for_completion_timeout(&ctx.done, expire)) {
+ if (killable)
+ rc = wait_for_completion_killable_timeout(&ctx.done, expire);
+ else
+ rc = wait_for_completion_timeout(&ctx.done, expire);
+ if (rc <= 0) {
usb_kill_urb(urb);
- retval = (ctx.status == -ENOENT ? -ETIMEDOUT : ctx.status);
+ if (ctx.status != -ENOENT)
+ retval = ctx.status;
+ else if (rc == 0)
+ retval = -ETIMEDOUT;
+ else
+ retval = rc;
dev_dbg(&urb->dev->dev,
- "%s timed out on ep%d%s len=%u/%u\n",
+ "%s timed out or killed on ep%d%s len=%u/%u\n",
current->comm,
usb_endpoint_num(&urb->ep->desc),
usb_urb_dir_in(urb) ? "in" : "out",
@@ -100,7 +110,7 @@ static int usb_internal_control_msg(stru
usb_fill_control_urb(urb, usb_dev, pipe, (unsigned char *)cmd, data,
len, usb_api_blocking_completion, NULL);
- retv = usb_start_wait_urb(urb, timeout, &length);
+ retv = usb_start_wait_urb(urb, timeout, &length, false);
if (retv < 0)
return retv;
else
@@ -385,10 +395,59 @@ int usb_bulk_msg(struct usb_device *usb_
usb_fill_bulk_urb(urb, usb_dev, pipe, data, len,
usb_api_blocking_completion, NULL);
- return usb_start_wait_urb(urb, timeout, actual_length);
+ return usb_start_wait_urb(urb, timeout, actual_length, false);
}
EXPORT_SYMBOL_GPL(usb_bulk_msg);
+/**
+ * usb_bulk_msg_killable - Builds a bulk urb, sends it off and waits for completion in a killable state
+ * @usb_dev: pointer to the usb device to send the message to
+ * @pipe: endpoint "pipe" to send the message to
+ * @data: pointer to the data to send
+ * @len: length in bytes of the data to send
+ * @actual_length: pointer to a location to put the actual length transferred
+ * in bytes
+ * @timeout: time in msecs to wait for the message to complete before
+ * timing out (if 0 the wait is forever)
+ *
+ * Context: task context, might sleep.
+ *
+ * This function is just like usb_blk_msg() except that it waits in a
+ * killable state.
+ *
+ * Return:
+ * If successful, 0. Otherwise a negative error number. The number of actual
+ * bytes transferred will be stored in the @actual_length parameter.
+ *
+ */
+int usb_bulk_msg_killable(struct usb_device *usb_dev, unsigned int pipe,
+ void *data, int len, int *actual_length, int timeout)
+{
+ struct urb *urb;
+ struct usb_host_endpoint *ep;
+
+ ep = usb_pipe_endpoint(usb_dev, pipe);
+ if (!ep || len < 0)
+ return -EINVAL;
+
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (!urb)
+ return -ENOMEM;
+
+ if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) ==
+ USB_ENDPOINT_XFER_INT) {
+ pipe = (pipe & ~(3 << 30)) | (PIPE_INTERRUPT << 30);
+ usb_fill_int_urb(urb, usb_dev, pipe, data, len,
+ usb_api_blocking_completion, NULL,
+ ep->desc.bInterval);
+ } else
+ usb_fill_bulk_urb(urb, usb_dev, pipe, data, len,
+ usb_api_blocking_completion, NULL);
+
+ return usb_start_wait_urb(urb, timeout, actual_length, true);
+}
+EXPORT_SYMBOL_GPL(usb_bulk_msg_killable);
+
/*-------------------------------------------------------------------*/
static void sg_clean(struct usb_sg_request *io)
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1836,8 +1836,9 @@ extern int usb_control_msg(struct usb_de
extern int usb_interrupt_msg(struct usb_device *usb_dev, unsigned int pipe,
void *data, int len, int *actual_length, int timeout);
extern int usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe,
- void *data, int len, int *actual_length,
- int timeout);
+ void *data, int len, int *actual_length, int timeout);
+extern int usb_bulk_msg_killable(struct usb_device *usb_dev, unsigned int pipe,
+ void *data, int len, int *actual_length, int timeout);
/* wrappers around usb_control_msg() for the most common standard requests */
int usb_control_msg_send(struct usb_device *dev, __u8 endpoint, __u8 request,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 186/567] net: tcp: accept old ack during closing
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 185/567] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 187/567] apparmor: validate DFA start states are in bounds in unpack_pdb Greg Kroah-Hartman
` (191 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Menglong Dong, Simon Horman,
Eric Dumazet, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Menglong Dong <menglong8.dong@gmail.com>
commit 795a7dfbc3d95e4c7c09569f319f026f8c7f5a9c upstream.
For now, the packet with an old ack is not accepted if we are in
FIN_WAIT1 state, which can cause retransmission. Taking the following
case as an example:
Client Server
| |
FIN_WAIT1(Send FIN, seq=10) FIN_WAIT1(Send FIN, seq=20, ack=10)
| |
| Send ACK(seq=21, ack=11)
Recv ACK(seq=21, ack=11)
|
Recv FIN(seq=20, ack=10)
In the case above, simultaneous close is happening, and the FIN and ACK
packet that send from the server is out of order. Then, the FIN will be
dropped by the client, as it has an old ack. Then, the server has to
retransmit the FIN, which can cause delay if the server has set the
SO_LINGER on the socket.
Old ack is accepted in the ESTABLISHED and TIME_WAIT state, and I think
it should be better to keep the same logic.
In this commit, we accept old ack in FIN_WAIT1/FIN_WAIT2/CLOSING/LAST_ACK
states. Maybe we should limit it to FIN_WAIT1 for now?
Signed-off-by: Menglong Dong <menglong8.dong@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240126040519.1846345-1-menglong8.dong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_input.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -6705,17 +6705,21 @@ int tcp_rcv_state_process(struct sock *s
return 0;
/* step 5: check the ACK field */
- acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH |
- FLAG_UPDATE_TS_RECENT |
- FLAG_NO_CHALLENGE_ACK) > 0;
+ reason = tcp_ack(sk, skb, FLAG_SLOWPATH |
+ FLAG_UPDATE_TS_RECENT |
+ FLAG_NO_CHALLENGE_ACK);
- if (!acceptable) {
+ if ((int)reason <= 0) {
if (sk->sk_state == TCP_SYN_RECV)
return 1; /* send one RST */
- tcp_send_challenge_ack(sk);
- SKB_DR_SET(reason, TCP_OLD_ACK);
- goto discard;
+ /* accept old ack during closing */
+ if ((int)reason < 0) {
+ tcp_send_challenge_ack(sk);
+ reason = -reason;
+ goto discard;
+ }
}
+ SKB_DR_SET(reason, NOT_SPECIFIED);
switch (sk->sk_state) {
case TCP_SYN_RECV:
tp->delivered++; /* SYN-ACK delivery isn't tracked in tcp_ack */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 124/481] indirect_call_wrapper: do not reevaluate function pointer
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 123/481] wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 125/481] xen/acpi-processor: fix _CST detection using undersized evaluation buffer Greg Kroah-Hartman
` (191 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 710f5c76580306cdb9ec51fac8fcf6a8faff7821 ]
We have an increasing number of READ_ONCE(xxx->function)
combined with INDIRECT_CALL_[1234]() helpers.
Unfortunately this forces INDIRECT_CALL_[1234]() to read
xxx->function many times, which is not what we wanted.
Fix these macros so that xxx->function value is not reloaded.
$ scripts/bloat-o-meter -t vmlinux.0 vmlinux
add/remove: 0/0 grow/shrink: 1/65 up/down: 122/-1084 (-962)
Function old new delta
ip_push_pending_frames 59 181 +122
ip6_finish_output 687 681 -6
__udp_enqueue_schedule_skb 1078 1072 -6
ioam6_output 2319 2312 -7
xfrm4_rcv_encap_finish2 64 56 -8
xfrm4_output 297 289 -8
vrf_ip_local_out 278 270 -8
vrf_ip6_local_out 278 270 -8
seg6_input_finish 64 56 -8
rpl_output 700 692 -8
ipmr_forward_finish 124 116 -8
ip_forward_finish 143 135 -8
ip6mr_forward2_finish 100 92 -8
ip6_forward_finish 73 65 -8
input_action_end_bpf 1091 1083 -8
dst_input 52 44 -8
__xfrm6_output 801 793 -8
__xfrm4_output 83 75 -8
bpf_input 500 491 -9
__tcp_check_space 530 521 -9
input_action_end_dt6 291 280 -11
vti6_tnl_xmit 1634 1622 -12
bpf_xmit 1203 1191 -12
rpl_input 497 483 -14
rawv6_send_hdrinc 1355 1341 -14
ndisc_send_skb 1030 1016 -14
ipv6_srh_rcv 1377 1363 -14
ip_send_unicast_reply 1253 1239 -14
ip_rcv_finish 226 212 -14
ip6_rcv_finish 300 286 -14
input_action_end_x_core 205 191 -14
input_action_end_x 355 341 -14
input_action_end_t 205 191 -14
input_action_end_dx6_finish 127 113 -14
input_action_end_dx4_finish 373 359 -14
input_action_end_dt4 426 412 -14
input_action_end_core 186 172 -14
input_action_end_b6_encap 292 278 -14
input_action_end_b6 198 184 -14
igmp6_send 1332 1318 -14
ip_sublist_rcv 864 848 -16
ip6_sublist_rcv 1091 1075 -16
ipv6_rpl_srh_rcv 1937 1920 -17
xfrm_policy_queue_process 1246 1228 -18
seg6_output_core 903 885 -18
mld_sendpack 856 836 -20
NF_HOOK 756 736 -20
vti_tunnel_xmit 1447 1426 -21
input_action_end_dx6 664 642 -22
input_action_end 1502 1480 -22
sock_sendmsg_nosec 134 111 -23
ip6mr_forward2 388 364 -24
sock_recvmsg_nosec 134 109 -25
seg6_input_core 836 810 -26
ip_send_skb 172 146 -26
ip_local_out 140 114 -26
ip6_local_out 140 114 -26
__sock_sendmsg 162 136 -26
__ip_queue_xmit 1196 1170 -26
__ip_finish_output 405 379 -26
ipmr_queue_fwd_xmit 373 346 -27
sock_recvmsg 173 145 -28
ip6_xmit 1635 1607 -28
xfrm_output_resume 1418 1389 -29
ip_build_and_send_pkt 625 591 -34
dst_output 504 432 -72
Total: Before=25217686, After=25216724, chg -0.00%
Fixes: 283c16a2dfd3 ("indirect call wrappers: helpers to speed-up indirect calls of builtin")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260227172603.1700433-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/indirect_call_wrapper.h | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/include/linux/indirect_call_wrapper.h b/include/linux/indirect_call_wrapper.h
index c1c76a70a6ce9..227cee5e2a98b 100644
--- a/include/linux/indirect_call_wrapper.h
+++ b/include/linux/indirect_call_wrapper.h
@@ -16,22 +16,26 @@
*/
#define INDIRECT_CALL_1(f, f1, ...) \
({ \
- likely(f == f1) ? f1(__VA_ARGS__) : f(__VA_ARGS__); \
+ typeof(f) __f1 = (f); \
+ likely(__f1 == f1) ? f1(__VA_ARGS__) : __f1(__VA_ARGS__); \
})
#define INDIRECT_CALL_2(f, f2, f1, ...) \
({ \
- likely(f == f2) ? f2(__VA_ARGS__) : \
- INDIRECT_CALL_1(f, f1, __VA_ARGS__); \
+ typeof(f) __f2 = (f); \
+ likely(__f2 == f2) ? f2(__VA_ARGS__) : \
+ INDIRECT_CALL_1(__f2, f1, __VA_ARGS__); \
})
#define INDIRECT_CALL_3(f, f3, f2, f1, ...) \
({ \
- likely(f == f3) ? f3(__VA_ARGS__) : \
- INDIRECT_CALL_2(f, f2, f1, __VA_ARGS__); \
+ typeof(f) __f3 = (f); \
+ likely(__f3 == f3) ? f3(__VA_ARGS__) : \
+ INDIRECT_CALL_2(__f3, f2, f1, __VA_ARGS__); \
})
#define INDIRECT_CALL_4(f, f4, f3, f2, f1, ...) \
({ \
- likely(f == f4) ? f4(__VA_ARGS__) : \
- INDIRECT_CALL_3(f, f3, f2, f1, __VA_ARGS__); \
+ typeof(f) __f4 = (f); \
+ likely(__f4 == f4) ? f4(__VA_ARGS__) : \
+ INDIRECT_CALL_3(__f4, f3, f2, f1, __VA_ARGS__); \
})
#define INDIRECT_CALLABLE_DECLARE(f) f
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 111/460] USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 110/460] USB: usbcore: Introduce usb_bulk_msg_killable() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 112/460] USB: core: Limit the length of unkillable synchronous timeouts Greg Kroah-Hartman
` (191 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot+25ba18e2c5040447585d,
Alan Stern
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 7784caa413a89487dd14dd5c41db8753483b2acb upstream.
The usbtmc driver accepts timeout values specified by the user in an
ioctl command, and uses these timeouts for some usb_bulk_msg() calls.
Since the user can specify arbitrarily long timeouts and
usb_bulk_msg() uses unkillable waits, call usb_bulk_msg_killable()
instead to avoid the possibility of the user hanging a kernel thread
indefinitely.
Reported-by: syzbot+25ba18e2c5040447585d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/8e1c7ac5-e076-44b0-84b8-1b34b20f0ae1@suse.com/T/#t
Tested-by: syzbot+25ba18e2c5040447585d@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Fixes: 048c6d88a021 ("usb: usbtmc: Add ioctls to set/get usb timeout")
CC: stable@vger.kernel.org
Link: https://patch.msgid.link/81c6fc24-0607-40f1-8c20-5270dab2fad5@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/usbtmc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -727,7 +727,7 @@ static int usbtmc488_ioctl_trigger(struc
buffer[1] = data->bTag;
buffer[2] = ~data->bTag;
- retval = usb_bulk_msg(data->usb_dev,
+ retval = usb_bulk_msg_killable(data->usb_dev,
usb_sndbulkpipe(data->usb_dev,
data->bulk_out),
buffer, USBTMC_HEADER_SIZE,
@@ -1347,7 +1347,7 @@ static int send_request_dev_dep_msg_in(s
buffer[11] = 0; /* Reserved */
/* Send bulk URB */
- retval = usb_bulk_msg(data->usb_dev,
+ retval = usb_bulk_msg_killable(data->usb_dev,
usb_sndbulkpipe(data->usb_dev,
data->bulk_out),
buffer, USBTMC_HEADER_SIZE,
@@ -1419,7 +1419,7 @@ static ssize_t usbtmc_read(struct file *
actual = 0;
/* Send bulk URB */
- retval = usb_bulk_msg(data->usb_dev,
+ retval = usb_bulk_msg_killable(data->usb_dev,
usb_rcvbulkpipe(data->usb_dev,
data->bulk_in),
buffer, bufsize, &actual,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 187/567] apparmor: validate DFA start states are in bounds in unpack_pdb
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 186/567] net: tcp: accept old ack during closing Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 188/567] apparmor: fix memory leak in verify_header Greg Kroah-Hartman
` (190 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qualys Security Advisory,
Salvatore Bonaccorso, Georgia Garcia, Cengiz Can,
Massimiliano Pellizzer, John Johansen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
commit 9063d7e2615f4a7ab321de6b520e23d370e58816 upstream.
Start states are read from untrusted data and used as indexes into the
DFA state tables. The aa_dfa_next() function call in unpack_pdb() will
access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds
the number of states in the DFA, this results in an out-of-bound read.
==================================================================
BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
Read of size 4 at addr ffff88811956fb90 by task su/1097
...
Reject policies with out-of-bounds start states during unpacking
to prevent the issue.
Fixes: ad5ff3db53c6 ("AppArmor: Add ability to load extended policy")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/policy_unpack.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -764,7 +764,17 @@ static int unpack_pdb(struct aa_ext *e,
if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) {
/* default start state for xmatch and file dfa */
pdb->start[AA_CLASS_FILE] = DFA_START;
- } /* setup class index */
+ }
+
+ size_t state_count = pdb->dfa->tables[YYTD_ID_BASE]->td_lolen;
+
+ if (pdb->start[0] >= state_count ||
+ pdb->start[AA_CLASS_FILE] >= state_count) {
+ *info = "invalid dfa start state";
+ goto fail;
+ }
+
+ /* setup class index */
for (i = AA_CLASS_FILE + 1; i <= AA_CLASS_LAST; i++) {
pdb->start[i] = aa_dfa_next(pdb->dfa, pdb->start[0],
i);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 125/481] xen/acpi-processor: fix _CST detection using undersized evaluation buffer
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 124/481] indirect_call_wrapper: do not reevaluate function pointer Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 126/481] bpf: export bpf_link_inc_not_zero Greg Kroah-Hartman
` (190 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Thomson, Jan Beulich,
Juergen Gross, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Thomson <dt@linux-mail.net>
[ Upstream commit 8b57227d59a86fc06d4f09de08f98133680f2cae ]
read_acpi_id() attempts to evaluate _CST using a stack buffer of
sizeof(union acpi_object) (48 bytes), but _CST returns a nested Package
of sub-Packages (one per C-state, each containing a register descriptor,
type, latency, and power) requiring hundreds of bytes. The evaluation
always fails with AE_BUFFER_OVERFLOW.
On modern systems using FFH/MWAIT entry (where pblk is zero), this
causes the function to return before setting the acpi_id_cst_present
bit. In check_acpi_ids(), flags.power is then zero for all Phase 2 CPUs
(physical CPUs beyond dom0's vCPU count), so push_cxx_to_hypervisor() is
never called for them.
On a system with dom0_max_vcpus=2 and 8 physical CPUs, only PCPUs 0-1
receive C-state data. PCPUs 2-7 are stuck in C0/C1 idle, unable to
enter C2/C3. This costs measurable wall power (4W observed on an Intel
Core Ultra 7 265K with Xen 4.20).
The function never uses the _CST return value -- it only needs to know
whether _CST exists. Replace the broken acpi_evaluate_object() call with
acpi_has_method(), which correctly detects _CST presence using
acpi_get_handle() without any buffer allocation. This brings C-state
detection to parity with the P-state path, which already works correctly
for Phase 2 CPUs.
Fixes: 59a568029181 ("xen/acpi-processor: C and P-state driver that uploads said data to hypervisor.")
Signed-off-by: David Thomson <dt@linux-mail.net>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20260224093707.19679-1-dt@linux-mail.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/xen/xen-acpi-processor.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/xen/xen-acpi-processor.c b/drivers/xen/xen-acpi-processor.c
index 9cb61db67efde..12877f85bb79d 100644
--- a/drivers/xen/xen-acpi-processor.c
+++ b/drivers/xen/xen-acpi-processor.c
@@ -379,11 +379,8 @@ read_acpi_id(acpi_handle handle, u32 lvl, void *context, void **rv)
acpi_psd[acpi_id].domain);
}
- status = acpi_evaluate_object(handle, "_CST", NULL, &buffer);
- if (ACPI_FAILURE(status)) {
- if (!pblk)
- return AE_OK;
- }
+ if (!pblk && !acpi_has_method(handle, "_CST"))
+ return AE_OK;
/* .. and it has a C-state */
__set_bit(acpi_id, acpi_id_cst_present);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 112/460] USB: core: Limit the length of unkillable synchronous timeouts
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 111/460] USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 113/460] usb: class: cdc-wdm: fix reordering issue in read code path Greg Kroah-Hartman
` (190 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Stern
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 1015c27a5e1a63efae2b18a9901494474b4d1dc3 upstream.
The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in
usbcore allow unlimited timeout durations. And since they use
uninterruptible waits, this leaves open the possibility of hanging a
task for an indefinitely long time, with no way to kill it short of
unplugging the target device.
To prevent this sort of problem, enforce a maximum limit on the length
of these unkillable timeouts. The limit chosen here, somewhat
arbitrarily, is 60 seconds. On many systems (although not all) this
is short enough to avoid triggering the kernel's hung-task detector.
In addition, clear up the ambiguity of negative timeout values by
treating them the same as 0, i.e., using the maximum allowed timeout.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/linux-usb/3acfe838-6334-4f6d-be7c-4bb01704b33d@rowland.harvard.edu/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
CC: stable@vger.kernel.org
Link: https://patch.msgid.link/15fc9773-a007-47b0-a703-df89a8cf83dd@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/message.c | 27 +++++++++++++--------------
include/linux/usb.h | 3 +++
2 files changed, 16 insertions(+), 14 deletions(-)
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -45,6 +45,8 @@ static void usb_api_blocking_completion(
* Starts urb and waits for completion or timeout.
* Whether or not the wait is killable depends on the flag passed in.
* For example, compare usb_bulk_msg() and usb_bulk_msg_killable().
+ *
+ * For non-killable waits, we enforce a maximum limit on the timeout value.
*/
static int usb_start_wait_urb(struct urb *urb, int timeout, int *actual_length,
bool killable)
@@ -61,7 +63,9 @@ static int usb_start_wait_urb(struct urb
if (unlikely(retval))
goto out;
- expire = timeout ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT;
+ if (!killable && (timeout <= 0 || timeout > USB_MAX_SYNCHRONOUS_TIMEOUT))
+ timeout = USB_MAX_SYNCHRONOUS_TIMEOUT;
+ expire = (timeout > 0) ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT;
if (killable)
rc = wait_for_completion_killable_timeout(&ctx.done, expire);
else
@@ -127,8 +131,7 @@ static int usb_internal_control_msg(stru
* @index: USB message index value
* @data: pointer to the data to send
* @size: length in bytes of the data to send
- * @timeout: time in msecs to wait for the message to complete before timing
- * out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
*
* Context: task context, might sleep.
*
@@ -183,8 +186,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg);
* @index: USB message index value
* @driver_data: pointer to the data to send
* @size: length in bytes of the data to send
- * @timeout: time in msecs to wait for the message to complete before timing
- * out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
* @memflags: the flags for memory allocation for buffers
*
* Context: !in_interrupt ()
@@ -242,8 +244,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg_send);
* @index: USB message index value
* @driver_data: pointer to the data to be filled in by the message
* @size: length in bytes of the data to be received
- * @timeout: time in msecs to wait for the message to complete before timing
- * out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
* @memflags: the flags for memory allocation for buffers
*
* Context: !in_interrupt ()
@@ -314,8 +315,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg_recv);
* @len: length in bytes of the data to send
* @actual_length: pointer to a location to put the actual length transferred
* in bytes
- * @timeout: time in msecs to wait for the message to complete before
- * timing out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
*
* Context: task context, might sleep.
*
@@ -347,8 +347,7 @@ EXPORT_SYMBOL_GPL(usb_interrupt_msg);
* @len: length in bytes of the data to send
* @actual_length: pointer to a location to put the actual length transferred
* in bytes
- * @timeout: time in msecs to wait for the message to complete before
- * timing out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
*
* Context: task context, might sleep.
*
@@ -408,12 +407,12 @@ EXPORT_SYMBOL_GPL(usb_bulk_msg);
* @actual_length: pointer to a location to put the actual length transferred
* in bytes
* @timeout: time in msecs to wait for the message to complete before
- * timing out (if 0 the wait is forever)
+ * timing out (if <= 0, the wait is as long as possible)
*
* Context: task context, might sleep.
*
- * This function is just like usb_blk_msg() except that it waits in a
- * killable state.
+ * This function is just like usb_blk_msg(), except that it waits in a
+ * killable state and there is no limit on the timeout length.
*
* Return:
* If successful, 0. Otherwise a negative error number. The number of actual
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1830,6 +1830,9 @@ void usb_free_coherent(struct usb_device
* SYNCHRONOUS CALL SUPPORT *
*-------------------------------------------------------------------*/
+/* Maximum value allowed for timeout in synchronous routines below */
+#define USB_MAX_SYNCHRONOUS_TIMEOUT 60000 /* ms */
+
extern int usb_control_msg(struct usb_device *dev, unsigned int pipe,
__u8 request, __u8 requesttype, __u16 value, __u16 index,
void *data, __u16 size, int timeout);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 188/567] apparmor: fix memory leak in verify_header
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 187/567] apparmor: validate DFA start states are in bounds in unpack_pdb Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 189/567] apparmor: replace recursive profile removal with iterative approach Greg Kroah-Hartman
` (189 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qualys Security Advisory,
Salvatore Bonaccorso, Georgia Garcia, Cengiz Can,
Massimiliano Pellizzer, John Johansen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
commit e38c55d9f834e5b848bfed0f5c586aaf45acb825 upstream.
The function sets `*ns = NULL` on every call, leaking the namespace
string allocated in previous iterations when multiple profiles are
unpacked. This also breaks namespace consistency checking since *ns
is always NULL when the comparison is made.
Remove the incorrect assignment.
The caller (aa_unpack) initializes *ns to NULL once before the loop,
which is sufficient.
Fixes: dd51c8485763 ("apparmor: provide base for multiple profiles to be replaced at once")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/policy_unpack.c | 1 -
1 file changed, 1 deletion(-)
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -1132,7 +1132,6 @@ static int verify_header(struct aa_ext *
{
int error = -EPROTONOSUPPORT;
const char *name = NULL;
- *ns = NULL;
/* get the interface version */
if (!aa_unpack_u32(e, &e->version, "version")) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 126/481] bpf: export bpf_link_inc_not_zero.
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 125/481] xen/acpi-processor: fix _CST detection using undersized evaluation buffer Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 127/481] bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim Greg Kroah-Hartman
` (189 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kui-Feng Lee, Martin KaFai Lau,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kui-Feng Lee <thinker.li@gmail.com>
[ Upstream commit 67c3e8353f45c27800eecc46e00e8272f063f7d1 ]
bpf_link_inc_not_zero() will be used by kernel modules. We will use it in
bpf_testmod.c later.
Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
Link: https://lore.kernel.org/r/20240530065946.979330-5-thinker.li@gmail.com
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Stable-dep-of: 56145d237385 ("bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/bpf.h | 6 ++++++
kernel/bpf/syscall.c | 3 ++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 142a21f019ff8..3045de8e3f660 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -1907,6 +1907,7 @@ int bpf_link_prime(struct bpf_link *link, struct bpf_link_primer *primer);
int bpf_link_settle(struct bpf_link_primer *primer);
void bpf_link_cleanup(struct bpf_link_primer *primer);
void bpf_link_inc(struct bpf_link *link);
+struct bpf_link *bpf_link_inc_not_zero(struct bpf_link *link);
void bpf_link_put(struct bpf_link *link);
int bpf_link_new_fd(struct bpf_link *link);
struct file *bpf_link_new_file(struct bpf_link *link, int *reserved_fd);
@@ -2254,6 +2255,11 @@ static inline void bpf_link_inc(struct bpf_link *link)
{
}
+static inline struct bpf_link *bpf_link_inc_not_zero(struct bpf_link *link)
+{
+ return NULL;
+}
+
static inline void bpf_link_put(struct bpf_link *link)
{
}
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index b559d99e5959a..ed8f55bdc1370 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -4763,10 +4763,11 @@ static int link_detach(union bpf_attr *attr)
return ret;
}
-static struct bpf_link *bpf_link_inc_not_zero(struct bpf_link *link)
+struct bpf_link *bpf_link_inc_not_zero(struct bpf_link *link)
{
return atomic64_fetch_add_unless(&link->refcnt, 1, 0) ? link : ERR_PTR(-ENOENT);
}
+EXPORT_SYMBOL(bpf_link_inc_not_zero);
struct bpf_link *bpf_link_by_id(u32 id)
{
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 113/460] usb: class: cdc-wdm: fix reordering issue in read code path
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 112/460] USB: core: Limit the length of unkillable synchronous timeouts Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 114/460] usb: renesas_usbhs: fix use-after-free in ISR during device removal Greg Kroah-Hartman
` (189 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Oliver Neukum, Gui-Dong Han
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 8df672bfe3ec2268c2636584202755898e547173 upstream.
Quoting the bug report:
Due to compiler optimization or CPU out-of-order execution, the
desc->length update can be reordered before the memmove. If this
happens, wdm_read() can see the new length and call copy_to_user() on
uninitialized memory. This also violates LKMM data race rules [1].
Fix it by using WRITE_ONCE and memory barriers.
Fixes: afba937e540c9 ("USB: CDC WDM driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Closes: https://lore.kernel.org/linux-usb/CALbr=LbrUZn_cfp7CfR-7Z5wDTHF96qeuM=3fO2m-q4cDrnC4A@mail.gmail.com/
Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
Reviewed-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://patch.msgid.link/20260304130116.1721682-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-wdm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -225,7 +225,8 @@ static void wdm_in_callback(struct urb *
/* we may already be in overflow */
if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
memmove(desc->ubuf + desc->length, desc->inbuf, length);
- desc->length += length;
+ smp_wmb(); /* against wdm_read() */
+ WRITE_ONCE(desc->length, desc->length + length);
}
}
skip_error:
@@ -533,6 +534,7 @@ static ssize_t wdm_read
return -ERESTARTSYS;
cntr = READ_ONCE(desc->length);
+ smp_rmb(); /* against wdm_in_callback() */
if (cntr == 0) {
desc->read = 0;
retry:
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 189/567] apparmor: replace recursive profile removal with iterative approach
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 188/567] apparmor: fix memory leak in verify_header Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 190/567] apparmor: fix: limit the number of levels of policy namespaces Greg Kroah-Hartman
` (188 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qualys Security Advisory,
Salvatore Bonaccorso, Georgia Garcia, Cengiz Can,
Massimiliano Pellizzer, John Johansen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
commit ab09264660f9de5d05d1ef4e225aa447c63a8747 upstream.
The profile removal code uses recursion when removing nested profiles,
which can lead to kernel stack exhaustion and system crashes.
Reproducer:
$ pf='a'; for ((i=0; i<1024; i++)); do
echo -e "profile $pf { \n }" | apparmor_parser -K -a;
pf="$pf//x";
done
$ echo -n a > /sys/kernel/security/apparmor/.remove
Replace the recursive __aa_profile_list_release() approach with an
iterative approach in __remove_profile(). The function repeatedly
finds and removes leaf profiles until the entire subtree is removed,
maintaining the same removal semantic without recursion.
Fixes: c88d4c7b049e ("AppArmor: core policy routines")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/policy.c | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -182,19 +182,43 @@ static void __list_remove_profile(struct
}
/**
- * __remove_profile - remove old profile, and children
- * @profile: profile to be replaced (NOT NULL)
+ * __remove_profile - remove profile, and children
+ * @profile: profile to be removed (NOT NULL)
*
* Requires: namespace list lock be held, or list not be shared
*/
static void __remove_profile(struct aa_profile *profile)
{
+ struct aa_profile *curr, *to_remove;
+
AA_BUG(!profile);
AA_BUG(!profile->ns);
AA_BUG(!mutex_is_locked(&profile->ns->lock));
/* release any children lists first */
- __aa_profile_list_release(&profile->base.profiles);
+ if (!list_empty(&profile->base.profiles)) {
+ curr = list_first_entry(&profile->base.profiles, struct aa_profile, base.list);
+
+ while (curr != profile) {
+
+ while (!list_empty(&curr->base.profiles))
+ curr = list_first_entry(&curr->base.profiles,
+ struct aa_profile, base.list);
+
+ to_remove = curr;
+ if (!list_is_last(&to_remove->base.list,
+ &aa_deref_parent(curr)->base.profiles))
+ curr = list_next_entry(to_remove, base.list);
+ else
+ curr = aa_deref_parent(curr);
+
+ /* released by free_profile */
+ aa_label_remove(&to_remove->label);
+ __aafs_profile_rmdir(to_remove);
+ __list_remove_profile(to_remove);
+ }
+ }
+
/* released by free_profile */
aa_label_remove(&profile->label);
__aafs_profile_rmdir(profile);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 127/481] bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 126/481] bpf: export bpf_link_inc_not_zero Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 128/481] ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() Greg Kroah-Hartman
` (188 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kaiyan Mei, Lang Xu,
Martin KaFai Lau, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lang Xu <xulang@uniontech.com>
[ Upstream commit 56145d237385ca0e7ca9ff7b226aaf2eb8ef368b ]
The root cause of this bug is that when 'bpf_link_put' reduces the
refcount of 'shim_link->link.link' to zero, the resource is considered
released but may still be referenced via 'tr->progs_hlist' in
'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in
'bpf_shim_tramp_link_release' is deferred. During this window, another
process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.
Based on Martin KaFai Lau's suggestions, I have created a simple patch.
To fix this:
Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'.
Only increment the refcount if it is not already zero.
Testing:
I verified the fix by adding a delay in
'bpf_shim_tramp_link_release' to make the bug easier to trigger:
static void bpf_shim_tramp_link_release(struct bpf_link *link)
{
/* ... */
if (!shim_link->trampoline)
return;
+ msleep(100);
WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link,
shim_link->trampoline, NULL));
bpf_trampoline_put(shim_link->trampoline);
}
Before the patch, running a PoC easily reproduced the crash(almost 100%)
with a call trace similar to KaiyanM's report.
After the patch, the bug no longer occurs even after millions of
iterations.
Fixes: 69fd337a975c ("bpf: per-cgroup lsm flavor")
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Closes: https://lore.kernel.org/bpf/3c4ebb0b.46ff8.19abab8abe2.Coremail.kaiyanm@hust.edu.cn/
Signed-off-by: Lang Xu <xulang@uniontech.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://patch.msgid.link/279EEE1BA1DDB49D+20260303095217.34436-1-xulang@uniontech.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/trampoline.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
index 4c7c6129db90e..17763af54179b 100644
--- a/kernel/bpf/trampoline.c
+++ b/kernel/bpf/trampoline.c
@@ -732,10 +732,8 @@ int bpf_trampoline_link_cgroup_shim(struct bpf_prog *prog,
mutex_lock(&tr->mutex);
shim_link = cgroup_shim_find(tr, bpf_func);
- if (shim_link) {
+ if (shim_link && !IS_ERR(bpf_link_inc_not_zero(&shim_link->link.link))) {
/* Reusing existing shim attached by the other program. */
- bpf_link_inc(&shim_link->link.link);
-
mutex_unlock(&tr->mutex);
bpf_trampoline_put(tr); /* bpf_trampoline_get above */
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 114/460] usb: renesas_usbhs: fix use-after-free in ISR during device removal
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 113/460] usb: class: cdc-wdm: fix reordering issue in read code path Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 115/460] usb: mdc800: handle signal and read racing Greg Kroah-Hartman
` (188 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alan Stern, Fan Wu
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fan Wu <fanwu01@zju.edu.cn>
commit 3cbc242b88c607f55da3d0d0d336b49bf1e20412 upstream.
In usbhs_remove(), the driver frees resources (including the pipe array)
while the interrupt handler (usbhs_interrupt) is still registered. If an
interrupt fires after usbhs_pipe_remove() but before the driver is fully
unbound, the ISR may access freed memory, causing a use-after-free.
Fix this by calling devm_free_irq() before freeing resources. This ensures
the interrupt handler is both disabled and synchronized (waits for any
running ISR to complete) before usbhs_pipe_remove() is called.
Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code")
Cc: stable <stable@kernel.org>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
Link: https://patch.msgid.link/20260303073344.34577-1-fanwu01@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/renesas_usbhs/common.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/usb/renesas_usbhs/common.c
+++ b/drivers/usb/renesas_usbhs/common.c
@@ -811,6 +811,15 @@ static void usbhs_remove(struct platform
usbhs_platform_call(priv, hardware_exit, pdev);
reset_control_assert(priv->rsts);
+
+ /*
+ * Explicitly free the IRQ to ensure the interrupt handler is
+ * disabled and synchronized before freeing resources.
+ * devm_free_irq() calls free_irq() which waits for any running
+ * ISR to complete, preventing UAF.
+ */
+ devm_free_irq(&pdev->dev, priv->irq, priv);
+
usbhs_mod_remove(priv);
usbhs_fifo_remove(priv);
usbhs_pipe_remove(priv);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 190/567] apparmor: fix: limit the number of levels of policy namespaces
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 189/567] apparmor: replace recursive profile removal with iterative approach Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 191/567] apparmor: fix side-effect bug in match_char() macro usage Greg Kroah-Hartman
` (187 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qualys Security Advisory, Ryan Lee,
Cengiz Can, John Johansen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Johansen <john.johansen@canonical.com>
commit 306039414932c80f8420695a24d4fe10c84ccfb2 upstream.
Currently the number of policy namespaces is not bounded relying on
the user namespace limit. However policy namespaces aren't strictly
tied to user namespaces and it is possible to create them and nest
them arbitrarily deep which can be used to exhaust system resource.
Hard cap policy namespaces to the same depth as user namespaces.
Fixes: c88d4c7b049e8 ("AppArmor: core policy routines")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Reviewed-by: Ryan Lee <ryan.lee@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/include/policy_ns.h | 2 ++
security/apparmor/policy_ns.c | 2 ++
2 files changed, 4 insertions(+)
--- a/security/apparmor/include/policy_ns.h
+++ b/security/apparmor/include/policy_ns.h
@@ -18,6 +18,8 @@
#include "label.h"
#include "policy.h"
+/* Match max depth of user namespaces */
+#define MAX_NS_DEPTH 32
/* struct aa_ns_acct - accounting of profiles in namespace
* @max_size: maximum space allowed for all profiles in namespace
--- a/security/apparmor/policy_ns.c
+++ b/security/apparmor/policy_ns.c
@@ -260,6 +260,8 @@ static struct aa_ns *__aa_create_ns(stru
AA_BUG(!name);
AA_BUG(!mutex_is_locked(&parent->lock));
+ if (parent->level > MAX_NS_DEPTH)
+ return ERR_PTR(-ENOSPC);
ns = alloc_ns(parent->base.hname, name);
if (!ns)
return ERR_PTR(-ENOMEM);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 128/481] ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 127/481] bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 129/481] amd-xgbe: fix sleep while atomic on suspend/resume Greg Kroah-Hartman
` (187 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Ahern, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 2ffb4f5c2ccb2fa1c049dd11899aee7967deef5a ]
l3mdev_master_dev_rcu() can return NULL when the slave device is being
un-slaved from a VRF. All other callers deal with this, but we lost
the fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu()
with commit 4832c30d5458 ("net: ipv6: put host and anycast routes on
device with address").
KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418)
Call Trace:
ip6_pol_route (net/ipv6/route.c:2318)
fib6_rule_lookup (net/ipv6/fib6_rules.c:115)
ip6_route_output_flags (net/ipv6/route.c:2607)
vrf_process_v6_outbound (drivers/net/vrf.c:437)
I was tempted to rework the un-slaving code to clear the flag first
and insert synchronize_rcu() before we remove the upper. But looks like
the explicit fallback to loopback_dev is an established pattern.
And I guess avoiding the synchronize_rcu() is nice, too.
Fixes: 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address")
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260301194548.927324-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/route.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 07e3d59c24059..5aa5390da1095 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1058,7 +1058,8 @@ static struct net_device *ip6_rt_get_dev_rcu(const struct fib6_result *res)
*/
if (netif_is_l3_slave(dev) &&
!rt6_need_strict(&res->f6i->fib6_dst.addr))
- dev = l3mdev_master_dev_rcu(dev);
+ dev = l3mdev_master_dev_rcu(dev) ? :
+ dev_net(dev)->loopback_dev;
else if (!netif_is_l3_master(dev))
dev = dev_net(dev)->loopback_dev;
/* last case is netif_is_l3_master(dev) is true in which
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 115/460] usb: mdc800: handle signal and read racing
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 114/460] usb: renesas_usbhs: fix use-after-free in ISR during device removal Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 116/460] usb: image: mdc800: kill download URB on timeout Greg Kroah-Hartman
` (187 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, stable
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 2d6d260e9a3576256fe9ef6d1f7930c9ec348723 upstream.
If a signal arrives after a read has partially completed,
we need to return the number of bytes read. -EINTR is correct
only if that number is zero.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260209142048.1503791-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/image/mdc800.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/image/mdc800.c
+++ b/drivers/usb/image/mdc800.c
@@ -707,7 +707,7 @@ static ssize_t mdc800_device_read (struc
if (signal_pending (current))
{
mutex_unlock(&mdc800->io_lock);
- return -EINTR;
+ return len == left ? -EINTR : len-left;
}
sts=left > (mdc800->out_count-mdc800->out_ptr)?mdc800->out_count-mdc800->out_ptr:left;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 191/567] apparmor: fix side-effect bug in match_char() macro usage
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 190/567] apparmor: fix: limit the number of levels of policy namespaces Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 192/567] apparmor: fix missing bounds check on DEFAULT table in verify_dfa() Greg Kroah-Hartman
` (186 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qualys Security Advisory,
Salvatore Bonaccorso, Georgia Garcia, Cengiz Can,
Massimiliano Pellizzer, John Johansen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
commit 8756b68edae37ff546c02091989a4ceab3f20abd upstream.
The match_char() macro evaluates its character parameter multiple
times when traversing differential encoding chains. When invoked
with *str++, the string pointer advances on each iteration of the
inner do-while loop, causing the DFA to check different characters
at each iteration and therefore skip input characters.
This results in out-of-bounds reads when the pointer advances past
the input buffer boundary.
[ 94.984676] ==================================================================
[ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760
[ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976
[ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
[ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 94.986329] Call Trace:
[ 94.986341] <TASK>
[ 94.986347] dump_stack_lvl+0x5e/0x80
[ 94.986374] print_report+0xc8/0x270
[ 94.986384] ? aa_dfa_match+0x5ae/0x760
[ 94.986388] kasan_report+0x118/0x150
[ 94.986401] ? aa_dfa_match+0x5ae/0x760
[ 94.986405] aa_dfa_match+0x5ae/0x760
[ 94.986408] __aa_path_perm+0x131/0x400
[ 94.986418] aa_path_perm+0x219/0x2f0
[ 94.986424] apparmor_file_open+0x345/0x570
[ 94.986431] security_file_open+0x5c/0x140
[ 94.986442] do_dentry_open+0x2f6/0x1120
[ 94.986450] vfs_open+0x38/0x2b0
[ 94.986453] ? may_open+0x1e2/0x2b0
[ 94.986466] path_openat+0x231b/0x2b30
[ 94.986469] ? __x64_sys_openat+0xf8/0x130
[ 94.986477] do_file_open+0x19d/0x360
[ 94.986487] do_sys_openat2+0x98/0x100
[ 94.986491] __x64_sys_openat+0xf8/0x130
[ 94.986499] do_syscall_64+0x8e/0x660
[ 94.986515] ? count_memcg_events+0x15f/0x3c0
[ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986540] ? handle_mm_fault+0x1639/0x1ef0
[ 94.986551] ? vma_start_read+0xf0/0x320
[ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0
[ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0
[ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986588] ? irqentry_exit+0x3c/0x590
[ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 94.986597] RIP: 0033:0x7fda4a79c3ea
Fix by extracting the character value before invoking match_char,
ensuring single evaluation per outer loop.
Fixes: 074c1cd798cb ("apparmor: dfa move character match into a macro")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/match.c | 30 ++++++++++++++++++++----------
1 file changed, 20 insertions(+), 10 deletions(-)
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -408,13 +408,18 @@ aa_state_t aa_dfa_match_len(struct aa_df
if (dfa->tables[YYTD_ID_EC]) {
/* Equivalence class table defined */
u8 *equiv = EQUIV_TABLE(dfa);
- for (; len; len--)
- match_char(state, def, base, next, check,
- equiv[(u8) *str++]);
+ for (; len; len--) {
+ u8 c = equiv[(u8) *str];
+
+ match_char(state, def, base, next, check, c);
+ str++;
+ }
} else {
/* default is direct to next state */
- for (; len; len--)
- match_char(state, def, base, next, check, (u8) *str++);
+ for (; len; len--) {
+ match_char(state, def, base, next, check, (u8) *str);
+ str++;
+ }
}
return state;
@@ -448,13 +453,18 @@ aa_state_t aa_dfa_match(struct aa_dfa *d
/* Equivalence class table defined */
u8 *equiv = EQUIV_TABLE(dfa);
/* default is direct to next state */
- while (*str)
- match_char(state, def, base, next, check,
- equiv[(u8) *str++]);
+ while (*str) {
+ u8 c = equiv[(u8) *str];
+
+ match_char(state, def, base, next, check, c);
+ str++;
+ }
} else {
/* default is direct to next state */
- while (*str)
- match_char(state, def, base, next, check, (u8) *str++);
+ while (*str) {
+ match_char(state, def, base, next, check, (u8) *str);
+ str++;
+ }
}
return state;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 129/481] amd-xgbe: fix sleep while atomic on suspend/resume
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 128/481] ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 130/481] net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs Greg Kroah-Hartman
` (186 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raju Rangoju, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raju Rangoju <Raju.Rangoju@amd.com>
[ Upstream commit e2f27363aa6d983504c6836dd0975535e2e9dba0 ]
The xgbe_powerdown() and xgbe_powerup() functions use spinlocks
(spin_lock_irqsave) while calling functions that may sleep:
- napi_disable() can sleep waiting for NAPI polling to complete
- flush_workqueue() can sleep waiting for pending work items
This causes a "BUG: scheduling while atomic" error during suspend/resume
cycles on systems using the AMD XGBE Ethernet controller.
The spinlock protection in these functions is unnecessary as these
functions are called from suspend/resume paths which are already serialized
by the PM core
Fix this by removing the spinlock. Since only code that takes this lock
is xgbe_powerdown() and xgbe_powerup(), remove it completely.
Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver")
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Link: https://patch.msgid.link/20260302042124.1386445-1-Raju.Rangoju@amd.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 10 ----------
drivers/net/ethernet/amd/xgbe/xgbe-main.c | 1 -
drivers/net/ethernet/amd/xgbe/xgbe.h | 3 ---
3 files changed, 14 deletions(-)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
index 3d6f8f3a83366..256969ac2cb9e 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
@@ -1181,7 +1181,6 @@ int xgbe_powerdown(struct net_device *netdev, unsigned int caller)
{
struct xgbe_prv_data *pdata = netdev_priv(netdev);
struct xgbe_hw_if *hw_if = &pdata->hw_if;
- unsigned long flags;
DBGPR("-->xgbe_powerdown\n");
@@ -1192,8 +1191,6 @@ int xgbe_powerdown(struct net_device *netdev, unsigned int caller)
return -EINVAL;
}
- spin_lock_irqsave(&pdata->lock, flags);
-
if (caller == XGMAC_DRIVER_CONTEXT)
netif_device_detach(netdev);
@@ -1209,8 +1206,6 @@ int xgbe_powerdown(struct net_device *netdev, unsigned int caller)
pdata->power_down = 1;
- spin_unlock_irqrestore(&pdata->lock, flags);
-
DBGPR("<--xgbe_powerdown\n");
return 0;
@@ -1220,7 +1215,6 @@ int xgbe_powerup(struct net_device *netdev, unsigned int caller)
{
struct xgbe_prv_data *pdata = netdev_priv(netdev);
struct xgbe_hw_if *hw_if = &pdata->hw_if;
- unsigned long flags;
DBGPR("-->xgbe_powerup\n");
@@ -1231,8 +1225,6 @@ int xgbe_powerup(struct net_device *netdev, unsigned int caller)
return -EINVAL;
}
- spin_lock_irqsave(&pdata->lock, flags);
-
pdata->power_down = 0;
xgbe_napi_enable(pdata, 0);
@@ -1247,8 +1239,6 @@ int xgbe_powerup(struct net_device *netdev, unsigned int caller)
xgbe_start_timers(pdata);
- spin_unlock_irqrestore(&pdata->lock, flags);
-
DBGPR("<--xgbe_powerup\n");
return 0;
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-main.c b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
index 0e8698928e4d7..6e8fafb2acbaa 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-main.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
@@ -185,7 +185,6 @@ struct xgbe_prv_data *xgbe_alloc_pdata(struct device *dev)
pdata->netdev = netdev;
pdata->dev = dev;
- spin_lock_init(&pdata->lock);
spin_lock_init(&pdata->xpcs_lock);
mutex_init(&pdata->rss_mutex);
spin_lock_init(&pdata->tstamp_lock);
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h
index f3ba76530b67b..92c40142c4576 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
+++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
@@ -1077,9 +1077,6 @@ struct xgbe_prv_data {
unsigned int pp3;
unsigned int pp4;
- /* Overall device lock */
- spinlock_t lock;
-
/* XPCS indirect addressing lock */
spinlock_t xpcs_lock;
unsigned int xpcs_window_def_reg;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 116/460] usb: image: mdc800: kill download URB on timeout
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 115/460] usb: mdc800: handle signal and read racing Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 117/460] rust: kbuild: allow `unused_features` Greg Kroah-Hartman
` (186 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ziyi Guo, stable
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ziyi Guo <n7l8m4@u.northwestern.edu>
commit 1be3b77de4eb89af8ae2fd6610546be778e25589 upstream.
mdc800_device_read() submits download_urb and waits for completion.
If the timeout fires and the device has not responded, the function
returns without killing the URB, leaving it active.
A subsequent read() resubmits the same URB while it is still
in-flight, triggering the WARN in usb_submit_urb():
"URB submitted while active"
Check the return value of wait_event_timeout() and kill the URB if
it indicates timeout, ensuring the URB is complete before its status
is inspected or the URB is resubmitted.
Similar to
- commit 372c93131998 ("USB: yurex: fix control-URB timeout handling")
- commit b98d5000c505 ("media: rc: iguanair: handle timeouts")
Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260209151937.2247202-1-n7l8m4@u.northwestern.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/image/mdc800.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/image/mdc800.c
+++ b/drivers/usb/image/mdc800.c
@@ -730,9 +730,11 @@ static ssize_t mdc800_device_read (struc
mutex_unlock(&mdc800->io_lock);
return len-left;
}
- wait_event_timeout(mdc800->download_wait,
+ retval = wait_event_timeout(mdc800->download_wait,
mdc800->downloaded,
msecs_to_jiffies(TO_DOWNLOAD_GET_READY));
+ if (!retval)
+ usb_kill_urb(mdc800->download_urb);
mdc800->downloaded = 0;
if (mdc800->download_urb->status != 0)
{
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 192/567] apparmor: fix missing bounds check on DEFAULT table in verify_dfa()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 191/567] apparmor: fix side-effect bug in match_char() macro usage Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 193/567] apparmor: Fix double free of ns_name in aa_replace_profiles() Greg Kroah-Hartman
` (185 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qualys Security Advisory,
Salvatore Bonaccorso, Georgia Garcia, Cengiz Can,
Massimiliano Pellizzer, John Johansen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
commit d352873bbefa7eb39995239d0b44ccdf8aaa79a4 upstream.
The verify_dfa() function only checks DEFAULT_TABLE bounds when the state
is not differentially encoded.
When the verification loop traverses the differential encoding chain,
it reads k = DEFAULT_TABLE[j] and uses k as an array index without
validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count,
therefore, causes both out-of-bounds reads and writes.
[ 57.179855] ==================================================================
[ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660
[ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993
[ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
[ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 57.181563] Call Trace:
[ 57.181572] <TASK>
[ 57.181577] dump_stack_lvl+0x5e/0x80
[ 57.181596] print_report+0xc8/0x270
[ 57.181605] ? verify_dfa+0x59a/0x660
[ 57.181608] kasan_report+0x118/0x150
[ 57.181620] ? verify_dfa+0x59a/0x660
[ 57.181623] verify_dfa+0x59a/0x660
[ 57.181627] aa_dfa_unpack+0x1610/0x1740
[ 57.181629] ? __kmalloc_cache_noprof+0x1d0/0x470
[ 57.181640] unpack_pdb+0x86d/0x46b0
[ 57.181647] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181653] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181656] ? aa_unpack_nameX+0x1a8/0x300
[ 57.181659] aa_unpack+0x20b0/0x4c30
[ 57.181662] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181664] ? stack_depot_save_flags+0x33/0x700
[ 57.181681] ? kasan_save_track+0x4f/0x80
[ 57.181683] ? kasan_save_track+0x3e/0x80
[ 57.181686] ? __kasan_kmalloc+0x93/0xb0
[ 57.181688] ? __kvmalloc_node_noprof+0x44a/0x780
[ 57.181693] ? aa_simple_write_to_buffer+0x54/0x130
[ 57.181697] ? policy_update+0x154/0x330
[ 57.181704] aa_replace_profiles+0x15a/0x1dd0
[ 57.181707] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181710] ? __kvmalloc_node_noprof+0x44a/0x780
[ 57.181712] ? aa_loaddata_alloc+0x77/0x140
[ 57.181715] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181717] ? _copy_from_user+0x2a/0x70
[ 57.181730] policy_update+0x17a/0x330
[ 57.181733] profile_replace+0x153/0x1a0
[ 57.181735] ? rw_verify_area+0x93/0x2d0
[ 57.181740] vfs_write+0x235/0xab0
[ 57.181745] ksys_write+0xb0/0x170
[ 57.181748] do_syscall_64+0x8e/0x660
[ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 57.181765] RIP: 0033:0x7f6192792eb2
Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE
entries unconditionally.
Fixes: 031dcc8f4e84 ("apparmor: dfa add support for state differential encoding")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/match.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -160,9 +160,10 @@ static int verify_dfa(struct aa_dfa *dfa
if (state_count == 0)
goto out;
for (i = 0; i < state_count; i++) {
- if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) &&
- (DEFAULT_TABLE(dfa)[i] >= state_count))
+ if (DEFAULT_TABLE(dfa)[i] >= state_count) {
+ pr_err("AppArmor DFA default state out of bounds");
goto out;
+ }
if (BASE_TABLE(dfa)[i] & MATCH_FLAGS_INVALID) {
pr_err("AppArmor DFA state with invalid match flags");
goto out;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 130/481] net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 129/481] amd-xgbe: fix sleep while atomic on suspend/resume Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 131/481] net: nfc: nci: Fix zero-length proprietary notifications Greg Kroah-Hartman
` (185 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Koichiro Den, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Koichiro Den <den@valinux.co.jp>
[ Upstream commit 7f083faf59d14c04e01ec05a7507f036c965acf8 ]
When shrinking the number of real tx queues,
netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush
qdiscs for queues which will no longer be used.
qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with
qdisc_lock(). However, for lockless qdiscs, the dequeue path is
serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so
qdisc_reset() can run concurrently with __qdisc_run() and free skbs
while they are still being dequeued, leading to UAF.
This can easily be reproduced on e.g. virtio-net by imposing heavy
traffic while frequently changing the number of queue pairs:
iperf3 -ub0 -c $peer -t 0 &
while :; do
ethtool -L eth0 combined 1
ethtool -L eth0 combined 2
done
With KASAN enabled, this leads to reports like:
BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760
...
Call Trace:
<TASK>
...
__qdisc_run+0x133f/0x1760
__dev_queue_xmit+0x248f/0x3550
ip_finish_output2+0xa42/0x2110
ip_output+0x1a7/0x410
ip_send_skb+0x2e6/0x480
udp_send_skb+0xb0a/0x1590
udp_sendmsg+0x13c9/0x1fc0
...
</TASK>
Allocated by task 1270 on cpu 5 at 44.558414s:
...
alloc_skb_with_frags+0x84/0x7c0
sock_alloc_send_pskb+0x69a/0x830
__ip_append_data+0x1b86/0x48c0
ip_make_skb+0x1e8/0x2b0
udp_sendmsg+0x13a6/0x1fc0
...
Freed by task 1306 on cpu 3 at 44.558445s:
...
kmem_cache_free+0x117/0x5e0
pfifo_fast_reset+0x14d/0x580
qdisc_reset+0x9e/0x5f0
netif_set_real_num_tx_queues+0x303/0x840
virtnet_set_channels+0x1bf/0x260 [virtio_net]
ethnl_set_channels+0x684/0xae0
ethnl_default_set_doit+0x31a/0x890
...
Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by
taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the
serialization model already used by dev_reset_queue().
Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state
reflects an empty queue, avoiding needless re-scheduling.
Fixes: 6b3ba9146fe6 ("net: sched: allow qdiscs to handle locking")
Signed-off-by: Koichiro Den <den@valinux.co.jp>
Link: https://patch.msgid.link/20260228145307.3955532-1-den@valinux.co.jp
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/sch_generic.h | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
index b34e9e93a1463..7bb73448de0d3 100644
--- a/include/net/sch_generic.h
+++ b/include/net/sch_generic.h
@@ -724,13 +724,23 @@ static inline bool skb_skip_tc_classify(struct sk_buff *skb)
static inline void qdisc_reset_all_tx_gt(struct net_device *dev, unsigned int i)
{
struct Qdisc *qdisc;
+ bool nolock;
for (; i < dev->num_tx_queues; i++) {
qdisc = rtnl_dereference(netdev_get_tx_queue(dev, i)->qdisc);
if (qdisc) {
+ nolock = qdisc->flags & TCQ_F_NOLOCK;
+
+ if (nolock)
+ spin_lock_bh(&qdisc->seqlock);
spin_lock_bh(qdisc_lock(qdisc));
qdisc_reset(qdisc);
spin_unlock_bh(qdisc_lock(qdisc));
+ if (nolock) {
+ clear_bit(__QDISC_STATE_MISSED, &qdisc->state);
+ clear_bit(__QDISC_STATE_DRAINING, &qdisc->state);
+ spin_unlock_bh(&qdisc->seqlock);
+ }
}
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 117/460] rust: kbuild: allow `unused_features`
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 116/460] usb: image: mdc800: kill download URB on timeout Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 118/460] mm/tracing: rss_stat: ensure curr is false from kthread context Greg Kroah-Hartman
` (185 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Benno Lossin, Gary Guo, Miguel Ojeda
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miguel Ojeda <ojeda@kernel.org>
commit 592c61f3bfceaa29f8275696bd67c3dfad7ef72e upstream.
Starting with the upcoming Rust 1.96.0 (to be released 2026-05-28),
`rustc` introduces the new lint `unused_features` [1], which warns [2]:
warning: feature `used_with_arg` is declared but not used
--> <crate attribute>:1:93
|
1 | #![feature(asm_const,asm_goto,arbitrary_self_types,lint_reasons,offset_of_nested,raw_ref_op,used_with_arg)]
| ^^^^^^^^^^^^^
|
= note: `#[warn(unused_features)]` (part of `#[warn(unused)]`) on by default
The original goal of using `-Zcrate-attr` automatically was that there
is a consistent set of features enabled and managed globally for all
Rust kernel code (modulo exceptions like the `rust/` crated).
While we could require crates to enable features manually (even if we
still keep the `-Zallow-features=` list, i.e. removing the `-Zcrate-attr`
list), it is not really worth making all developers worry about it just
for a new lint.
The features are expected to eventually become stable anyway (most already
did), and thus having to remove features in every file that may use them
is not worth it either.
Thus just allow the new lint globally.
The lint actually existed for a long time, which is why `rustc` does
not complain about an unknown lint in the stable versions we support,
but it was "disabled" years ago [3], and now it was made to work again.
For extra context, the new implementation of the lint has already been
improved to avoid linting about features that became stable thanks to
Benno's report and the ensuing discussion [4] [5], but while that helps,
it is still the case that we may have features enabled that are not used
for one reason or another in a particular crate.
Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs).
Link: https://github.com/rust-lang/rust/pull/152164 [1]
Link: https://github.com/Rust-for-Linux/pin-init/pull/114 [2]
Link: https://github.com/rust-lang/rust/issues/44232 [3]
Link: https://github.com/rust-lang/rust/issues/153523 [4]
Link: https://github.com/rust-lang/rust/pull/153610 [5]
Reviewed-by: Benno Lossin <lossin@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Link: https://patch.msgid.link/20260312111014.74198-1-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Makefile | 1 +
1 file changed, 1 insertion(+)
--- a/Makefile
+++ b/Makefile
@@ -446,6 +446,7 @@ KBUILD_USERLDFLAGS := $(USERLDFLAGS)
export rust_common_flags := --edition=2021 \
-Zbinary_dep_depinfo=y \
-Astable_features \
+ -Aunused_features \
-Dnon_ascii_idents \
-Dunsafe_op_in_unsafe_fn \
-Wmissing_docs \
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 193/567] apparmor: Fix double free of ns_name in aa_replace_profiles()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 192/567] apparmor: fix missing bounds check on DEFAULT table in verify_dfa() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 194/567] apparmor: fix unprivileged local user can do privileged policy management Greg Kroah-Hartman
` (184 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qualys Security Advisory,
Salvatore Bonaccorso, Georgia Garcia, Cengiz Can, John Johansen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Johansen <john.johansen@canonical.com>
commit 5df0c44e8f5f619d3beb871207aded7c78414502 upstream.
if ns_name is NULL after
1071 error = aa_unpack(udata, &lh, &ns_name);
and if ent->ns_name contains an ns_name in
1089 } else if (ent->ns_name) {
then ns_name is assigned the ent->ns_name
1095 ns_name = ent->ns_name;
however ent->ns_name is freed at
1262 aa_load_ent_free(ent);
and then again when freeing ns_name at
1270 kfree(ns_name);
Fix this by NULLing out ent->ns_name after it is transferred to ns_name
Fixes: 145a0ef21c8e9 ("apparmor: fix blob compression when ns is forced on a policy load")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/policy.c | 1 +
1 file changed, 1 insertion(+)
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1115,6 +1115,7 @@ ssize_t aa_replace_profiles(struct aa_ns
goto fail;
}
ns_name = ent->ns_name;
+ ent->ns_name = NULL;
} else
count++;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 131/481] net: nfc: nci: Fix zero-length proprietary notifications
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 130/481] net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 132/481] nfc: nci: free skb on nci_transceive early error paths Greg Kroah-Hartman
` (184 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Ray, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Ray <ian.ray@gehealthcare.com>
[ Upstream commit f7d92f11bd33a6eb49c7c812255ef4ab13681f0f ]
NCI NFC controllers may have proprietary OIDs with zero-length payload.
One example is: drivers/nfc/nxp-nci/core.c, NXP_NCI_RF_TXLDO_ERROR_NTF.
Allow a zero length payload in proprietary notifications *only*.
Before:
-- >8 --
kernel: nci: nci_recv_frame: len 3
-- >8 --
After:
-- >8 --
kernel: nci: nci_recv_frame: len 3
kernel: nci: nci_ntf_packet: NCI RX: MT=ntf, PBF=0, GID=0x1, OID=0x23, plen=0
kernel: nci: nci_ntf_packet: unknown ntf opcode 0x123
kernel: nfc nfc0: NFC: RF transmitter couldn't start. Bad power and/or configuration?
-- >8 --
After fixing the hardware:
-- >8 --
kernel: nci: nci_recv_frame: len 27
kernel: nci: nci_ntf_packet: NCI RX: MT=ntf, PBF=0, GID=0x1, OID=0x5, plen=24
kernel: nci: nci_rf_intf_activated_ntf_packet: rf_discovery_id 1
-- >8 --
Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet")
Signed-off-by: Ian Ray <ian.ray@gehealthcare.com>
Link: https://patch.msgid.link/20260302163238.140576-1-ian.ray@gehealthcare.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/nfc/nci/core.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index 2ffdbbf90eb70..6b62218718a06 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -1470,10 +1470,20 @@ static bool nci_valid_size(struct sk_buff *skb)
unsigned int hdr_size = NCI_CTRL_HDR_SIZE;
if (skb->len < hdr_size ||
- !nci_plen(skb->data) ||
skb->len < hdr_size + nci_plen(skb->data)) {
return false;
}
+
+ if (!nci_plen(skb->data)) {
+ /* Allow zero length in proprietary notifications (0x20 - 0x3F). */
+ if (nci_opcode_oid(nci_opcode(skb->data)) >= 0x20 &&
+ nci_mt(skb->data) == NCI_MT_NTF_PKT)
+ return true;
+
+ /* Disallow zero length otherwise. */
+ return false;
+ }
+
return true;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 118/460] mm/tracing: rss_stat: ensure curr is false from kthread context
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 117/460] rust: kbuild: allow `unused_features` Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 119/460] mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index() Greg Kroah-Hartman
` (184 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kalesh Singh, Zi Yan, SeongJae Park,
Pedro Falcato, David Hildenbrand (Arm), Joel Fernandes,
Lorenzo Stoakes, Minchan Kim, Steven Rostedt, Suren Baghdasaryan,
Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kalesh Singh <kaleshsingh@google.com>
commit 079c24d5690262e83ee476e2a548e416f3237511 upstream.
The rss_stat trace event allows userspace tools, like Perfetto [1], to
inspect per-process RSS metric changes over time.
The curr field was introduced to rss_stat in commit e4dcad204d3a
("rss_stat: add support to detect RSS updates of external mm"). Its
intent is to indicate whether the RSS update is for the mm_struct of the
current execution context; and is set to false when operating on a remote
mm_struct (e.g., via kswapd or a direct reclaimer).
However, an issue arises when a kernel thread temporarily adopts a user
process's mm_struct. Kernel threads do not have their own mm_struct and
normally have current->mm set to NULL. To operate on user memory, they
can "borrow" a memory context using kthread_use_mm(), which sets
current->mm to the user process's mm.
This can be observed, for example, in the USB Function Filesystem (FFS)
driver. The ffs_user_copy_worker() handles AIO completions and uses
kthread_use_mm() to copy data to a user-space buffer. If a page fault
occurs during this copy, the fault handler executes in the kthread's
context.
At this point, current is the kthread, but current->mm points to the user
process's mm. Since the rss_stat event (from the page fault) is for that
same mm, the condition current->mm == mm becomes true, causing curr to be
incorrectly set to true when the trace event is emitted.
This is misleading because it suggests the mm belongs to the kthread,
confusing userspace tools that track per-process RSS changes and
corrupting their mm_id-to-process association.
Fix this by ensuring curr is always false when the trace event is emitted
from a kthread context by checking for the PF_KTHREAD flag.
Link: https://lkml.kernel.org/r/20260219233708.1971199-1-kaleshsingh@google.com
Link: https://perfetto.dev/ [1]
Fixes: e4dcad204d3a ("rss_stat: add support to detect RSS updates of external mm")
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
Acked-by: Zi Yan <ziy@nvidia.com>
Acked-by: SeongJae Park <sj@kernel.org>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Cc: "David Hildenbrand (Arm)" <david@kernel.org>
Cc: Joel Fernandes <joel@joelfernandes.org>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: <stable@vger.kernel.org> [5.10+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/trace/events/kmem.h | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/include/trace/events/kmem.h
+++ b/include/trace/events/kmem.h
@@ -397,7 +397,13 @@ TRACE_EVENT(rss_stat,
TP_fast_assign(
__entry->mm_id = mm_ptr_to_hash(mm);
- __entry->curr = !!(current->mm == mm);
+ /*
+ * curr is true if the mm matches the current task's mm_struct.
+ * Since kthreads (PF_KTHREAD) have no mm_struct of their own
+ * but can borrow one via kthread_use_mm(), we must filter them
+ * out to avoid incorrectly attributing the RSS update to them.
+ */
+ __entry->curr = current->mm == mm && !(current->flags & PF_KTHREAD);
__entry->member = member;
__entry->size = (percpu_counter_sum_positive(&mm->rss_stat[member])
<< PAGE_SHIFT);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 194/567] apparmor: fix unprivileged local user can do privileged policy management
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 193/567] apparmor: Fix double free of ns_name in aa_replace_profiles() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 195/567] apparmor: fix differential encoding verification Greg Kroah-Hartman
` (183 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qualys Security Advisory,
Salvatore Bonaccorso, Georgia Garcia, Cengiz Can, John Johansen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Johansen <john.johansen@canonical.com>
commit 6601e13e82841879406bf9f369032656f441a425 upstream.
An unprivileged local user can load, replace, and remove profiles by
opening the apparmorfs interfaces, via a confused deputy attack, by
passing the opened fd to a privileged process, and getting the
privileged process to write to the interface.
This does require a privileged target that can be manipulated to do
the write for the unprivileged process, but once such access is
achieved full policy management is possible and all the possible
implications that implies: removing confinement, DoS of system or
target applications by denying all execution, by-passing the
unprivileged user namespace restriction, to exploiting kernel bugs for
a local privilege escalation.
The policy management interface can not have its permissions simply
changed from 0666 to 0600 because non-root processes need to be able
to load policy to different policy namespaces.
Instead ensure the task writing the interface has privileges that
are a subset of the task that opened the interface. This is already
done via policy for confined processes, but unconfined can delegate
access to the opened fd, by-passing the usual policy check.
Fixes: b7fd2c0340eac ("apparmor: add per policy ns .load, .replace, .remove interface files")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/apparmorfs.c | 16 +++++++++-------
security/apparmor/include/policy.h | 2 +-
security/apparmor/policy.c | 34 +++++++++++++++++++++++++++++++++-
3 files changed, 43 insertions(+), 9 deletions(-)
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -412,7 +412,8 @@ static struct aa_loaddata *aa_simple_wri
}
static ssize_t policy_update(u32 mask, const char __user *buf, size_t size,
- loff_t *pos, struct aa_ns *ns)
+ loff_t *pos, struct aa_ns *ns,
+ const struct cred *ocred)
{
struct aa_loaddata *data;
struct aa_label *label;
@@ -423,7 +424,7 @@ static ssize_t policy_update(u32 mask, c
/* high level check about policy management - fine grained in
* below after unpack
*/
- error = aa_may_manage_policy(current_cred(), label, ns, mask);
+ error = aa_may_manage_policy(current_cred(), label, ns, ocred, mask);
if (error)
goto end_section;
@@ -444,7 +445,8 @@ static ssize_t profile_load(struct file
loff_t *pos)
{
struct aa_ns *ns = aa_get_ns(f->f_inode->i_private);
- int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns);
+ int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns,
+ f->f_cred);
aa_put_ns(ns);
@@ -462,7 +464,7 @@ static ssize_t profile_replace(struct fi
{
struct aa_ns *ns = aa_get_ns(f->f_inode->i_private);
int error = policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY,
- buf, size, pos, ns);
+ buf, size, pos, ns, f->f_cred);
aa_put_ns(ns);
return error;
@@ -487,7 +489,7 @@ static ssize_t profile_remove(struct fil
* below after unpack
*/
error = aa_may_manage_policy(current_cred(), label, ns,
- AA_MAY_REMOVE_POLICY);
+ f->f_cred, AA_MAY_REMOVE_POLICY);
if (error)
goto out;
@@ -1819,7 +1821,7 @@ static int ns_mkdir_op(struct mnt_idmap
int error;
label = begin_current_label_crit_section();
- error = aa_may_manage_policy(current_cred(), label, NULL,
+ error = aa_may_manage_policy(current_cred(), label, NULL, NULL,
AA_MAY_LOAD_POLICY);
end_current_label_crit_section(label);
if (error)
@@ -1869,7 +1871,7 @@ static int ns_rmdir_op(struct inode *dir
int error;
label = begin_current_label_crit_section();
- error = aa_may_manage_policy(current_cred(), label, NULL,
+ error = aa_may_manage_policy(current_cred(), label, NULL, NULL,
AA_MAY_LOAD_POLICY);
end_current_label_crit_section(label);
if (error)
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -401,7 +401,7 @@ bool aa_policy_admin_capable(const struc
struct aa_label *label, struct aa_ns *ns);
int aa_may_manage_policy(const struct cred *subj_cred,
struct aa_label *label, struct aa_ns *ns,
- u32 mask);
+ const struct cred *ocred, u32 mask);
bool aa_current_policy_view_capable(struct aa_ns *ns);
bool aa_current_policy_admin_capable(struct aa_ns *ns);
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -891,17 +891,44 @@ bool aa_current_policy_admin_capable(str
return res;
}
+static bool is_subset_of_obj_privilege(const struct cred *cred,
+ struct aa_label *label,
+ const struct cred *ocred)
+{
+ if (cred == ocred)
+ return true;
+
+ if (!aa_label_is_subset(label, cred_label(ocred)))
+ return false;
+ /* don't allow crossing userns for now */
+ if (cred->user_ns != ocred->user_ns)
+ return false;
+ if (!cap_issubset(cred->cap_inheritable, ocred->cap_inheritable))
+ return false;
+ if (!cap_issubset(cred->cap_permitted, ocred->cap_permitted))
+ return false;
+ if (!cap_issubset(cred->cap_effective, ocred->cap_effective))
+ return false;
+ if (!cap_issubset(cred->cap_bset, ocred->cap_bset))
+ return false;
+ if (!cap_issubset(cred->cap_ambient, ocred->cap_ambient))
+ return false;
+ return true;
+}
+
+
/**
* aa_may_manage_policy - can the current task manage policy
* @subj_cred; subjects cred
* @label: label to check if it can manage policy
* @ns: namespace being managed by @label (may be NULL if @label's ns)
+ * @ocred: object cred if request is coming from an open object
* @mask: contains the policy manipulation operation being done
*
* Returns: 0 if the task is allowed to manipulate policy else error
*/
int aa_may_manage_policy(const struct cred *subj_cred, struct aa_label *label,
- struct aa_ns *ns, u32 mask)
+ struct aa_ns *ns, const struct cred *ocred, u32 mask)
{
const char *op;
@@ -917,6 +944,11 @@ int aa_may_manage_policy(const struct cr
return audit_policy(label, op, NULL, NULL, "policy_locked",
-EACCES);
+ if (ocred && !is_subset_of_obj_privilege(subj_cred, label, ocred))
+ return audit_policy(label, op, NULL, NULL,
+ "not privileged for target profile",
+ -EACCES);
+
if (!aa_policy_admin_capable(subj_cred, label, ns))
return audit_policy(label, op, NULL, NULL, "not policy admin",
-EACCES);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 132/481] nfc: nci: free skb on nci_transceive early error paths
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 131/481] net: nfc: nci: Fix zero-length proprietary notifications Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 133/481] nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback Greg Kroah-Hartman
` (183 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joe Damato, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 7bd4b0c4779f978a6528c9b7937d2ca18e936e2c ]
nci_transceive() takes ownership of the skb passed by the caller,
but the -EPROTO, -EINVAL, and -EBUSY error paths return without
freeing it.
Due to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes
the nci/nci_dev selftest hits the error path occasionally in NIPA,
and kmemleak detects leaks:
unreferenced object 0xff11000015ce6a40 (size 640):
comm "nci_dev", pid 3954, jiffies 4295441246
hex dump (first 32 bytes):
6b 6b 6b 6b 00 a4 00 0c 02 e1 03 6b 6b 6b 6b 6b kkkk.......kkkkk
6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
backtrace (crc 7c40cc2a):
kmem_cache_alloc_node_noprof+0x492/0x630
__alloc_skb+0x11e/0x5f0
alloc_skb_with_frags+0xc6/0x8f0
sock_alloc_send_pskb+0x326/0x3f0
nfc_alloc_send_skb+0x94/0x1d0
rawsock_sendmsg+0x162/0x4c0
do_syscall_64+0x117/0xfc0
Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
Reviewed-by: Joe Damato <joe@dama.to>
Link: https://patch.msgid.link/20260303162346.2071888-2-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/nfc/nci/core.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index 6b62218718a06..cdc1aa8662544 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -1023,18 +1023,23 @@ static int nci_transceive(struct nfc_dev *nfc_dev, struct nfc_target *target,
struct nci_conn_info *conn_info;
conn_info = ndev->rf_conn_info;
- if (!conn_info)
+ if (!conn_info) {
+ kfree_skb(skb);
return -EPROTO;
+ }
pr_debug("target_idx %d, len %d\n", target->idx, skb->len);
if (!ndev->target_active_prot) {
pr_err("unable to exchange data, no active target\n");
+ kfree_skb(skb);
return -EINVAL;
}
- if (test_and_set_bit(NCI_DATA_EXCHANGE, &ndev->flags))
+ if (test_and_set_bit(NCI_DATA_EXCHANGE, &ndev->flags)) {
+ kfree_skb(skb);
return -EBUSY;
+ }
/* store cb and context to be used on receiving data */
conn_info->data_exchange_cb = cb;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 119/460] mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 118/460] mm/tracing: rss_stat: ensure curr is false from kthread context Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 120/460] mm/kfence: disable KFENCE upon KASAN HW tags enablement Greg Kroah-Hartman
` (183 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Felix Gu, Ulf Hansson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
commit af12e64ae0661546e8b4f5d30d55c5f53a11efe7 upstream.
When calling of_parse_phandle_with_args(), the caller is responsible
to call of_node_put() to release the reference of device node.
In of_get_dml_pipe_index(), it does not release the reference.
Fixes: 9cb15142d0e3 ("mmc: mmci: Add qcom dml support to the driver.")
Signed-off-by: Felix Gu <gu_0233@qq.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/mmci_qcom_dml.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/mmc/host/mmci_qcom_dml.c
+++ b/drivers/mmc/host/mmci_qcom_dml.c
@@ -109,6 +109,7 @@ static int of_get_dml_pipe_index(struct
&dma_spec))
return -ENODEV;
+ of_node_put(dma_spec.np);
if (dma_spec.args_count)
return dma_spec.args[0];
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 195/567] apparmor: fix differential encoding verification
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 194/567] apparmor: fix unprivileged local user can do privileged policy management Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 196/567] apparmor: fix race on rawdata dereference Greg Kroah-Hartman
` (182 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qualys Security Advisory,
Salvatore Bonaccorso, Georgia Garcia, Cengiz Can, John Johansen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Johansen <john.johansen@canonical.com>
commit 39440b137546a3aa383cfdabc605fb73811b6093 upstream.
Differential encoding allows loops to be created if it is abused. To
prevent this the unpack should verify that a diff-encode chain
terminates.
Unfortunately the differential encode verification had two bugs.
1. it conflated states that had gone through check and already been
marked, with states that were currently being checked and marked.
This means that loops in the current chain being verified are treated
as a chain that has already been verified.
2. the order bailout on already checked states compared current chain
check iterators j,k instead of using the outer loop iterator i.
Meaning a step backwards in states in the current chain verification
was being mistaken for moving to an already verified state.
Move to a double mark scheme where already verified states get a
different mark, than the current chain being kept. This enables us
to also drop the backwards verification check that was the cause of
the second error as any already verified state is already marked.
Fixes: 031dcc8f4e84 ("apparmor: dfa add support for state differential encoding")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/include/match.h | 1 +
security/apparmor/match.c | 23 +++++++++++++++++++----
2 files changed, 20 insertions(+), 4 deletions(-)
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -181,6 +181,7 @@ static inline void aa_put_dfa(struct aa_
#define MATCH_FLAG_DIFF_ENCODE 0x80000000
#define MARK_DIFF_ENCODE 0x40000000
#define MATCH_FLAG_OOB_TRANSITION 0x20000000
+#define MARK_DIFF_ENCODE_VERIFIED 0x10000000
#define MATCH_FLAGS_MASK 0xff000000
#define MATCH_FLAGS_VALID (MATCH_FLAG_DIFF_ENCODE | MATCH_FLAG_OOB_TRANSITION)
#define MATCH_FLAGS_INVALID (MATCH_FLAGS_MASK & ~MATCH_FLAGS_VALID)
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -202,16 +202,31 @@ static int verify_dfa(struct aa_dfa *dfa
size_t j, k;
for (j = i;
- (BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE) &&
- !(BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE);
+ ((BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE) &&
+ !(BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE_VERIFIED));
j = k) {
+ if (BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE)
+ /* loop in current chain */
+ goto out;
k = DEFAULT_TABLE(dfa)[j];
if (j == k)
+ /* self loop */
goto out;
- if (k < j)
- break; /* already verified */
BASE_TABLE(dfa)[j] |= MARK_DIFF_ENCODE;
}
+ /* move mark to verified */
+ for (j = i;
+ (BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE);
+ j = k) {
+ k = DEFAULT_TABLE(dfa)[j];
+ if (j < i)
+ /* jumps to state/chain that has been
+ * verified
+ */
+ break;
+ BASE_TABLE(dfa)[j] &= ~MARK_DIFF_ENCODE;
+ BASE_TABLE(dfa)[j] |= MARK_DIFF_ENCODE_VERIFIED;
+ }
}
error = 0;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 133/481] nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 132/481] nfc: nci: free skb on nci_transceive early error paths Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 134/481] nfc: rawsock: cancel tx_work before socket teardown Greg Kroah-Hartman
` (182 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joe Damato, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 0efdc02f4f6d52f8ca5d5889560f325a836ce0a8 ]
Move clear_bit(NCI_DATA_EXCHANGE) before invoking the data exchange
callback in nci_data_exchange_complete().
The callback (e.g. rawsock_data_exchange_complete) may immediately
schedule another data exchange via schedule_work(tx_work). On a
multi-CPU system, tx_work can run and reach nci_transceive() before
the current nci_data_exchange_complete() clears the flag, causing
test_and_set_bit(NCI_DATA_EXCHANGE) to return -EBUSY and the new
transfer to fail.
This causes intermittent flakes in nci/nci_dev in NIPA:
# # RUN NCI.NCI1_0.t4t_tag_read ...
# # t4t_tag_read: Test terminated by timeout
# # FAIL NCI.NCI1_0.t4t_tag_read
# not ok 3 NCI.NCI1_0.t4t_tag_read
Fixes: 38f04c6b1b68 ("NFC: protect nci_data_exchange transactions")
Reviewed-by: Joe Damato <joe@dama.to>
Link: https://patch.msgid.link/20260303162346.2071888-5-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/nfc/nci/data.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c
index 3d36ea5701f02..7a3fb2a397a1e 100644
--- a/net/nfc/nci/data.c
+++ b/net/nfc/nci/data.c
@@ -33,7 +33,8 @@ void nci_data_exchange_complete(struct nci_dev *ndev, struct sk_buff *skb,
conn_info = nci_get_conn_info_by_conn_id(ndev, conn_id);
if (!conn_info) {
kfree_skb(skb);
- goto exit;
+ clear_bit(NCI_DATA_EXCHANGE, &ndev->flags);
+ return;
}
cb = conn_info->data_exchange_cb;
@@ -45,6 +46,12 @@ void nci_data_exchange_complete(struct nci_dev *ndev, struct sk_buff *skb,
del_timer_sync(&ndev->data_timer);
clear_bit(NCI_DATA_EXCHANGE_TO, &ndev->flags);
+ /* Mark the exchange as done before calling the callback.
+ * The callback (e.g. rawsock_data_exchange_complete) may
+ * want to immediately queue another data exchange.
+ */
+ clear_bit(NCI_DATA_EXCHANGE, &ndev->flags);
+
if (cb) {
/* forward skb to nfc core */
cb(cb_context, skb, err);
@@ -54,9 +61,6 @@ void nci_data_exchange_complete(struct nci_dev *ndev, struct sk_buff *skb,
/* no waiting callback, free skb */
kfree_skb(skb);
}
-
-exit:
- clear_bit(NCI_DATA_EXCHANGE, &ndev->flags);
}
/* ----------------- NCI TX Data ----------------- */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 120/460] mm/kfence: disable KFENCE upon KASAN HW tags enablement
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 119/460] mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 121/460] mmc: core: Avoid bitfield RMW for claim/retune flags Greg Kroah-Hartman
` (182 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Potapenko, Marco Elver,
Andrey Konovalov, Andrey Ryabinin, Dmitry Vyukov,
Ernesto Martinez Garcia, Kees Cook, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Potapenko <glider@google.com>
commit 09833d99db36d74456a4d13eb29c32d56ff8f2b6 upstream.
KFENCE does not currently support KASAN hardware tags. As a result, the
two features are incompatible when enabled simultaneously.
Given that MTE provides deterministic protection and KFENCE is a
sampling-based debugging tool, prioritize the stronger hardware
protections. Disable KFENCE initialization and free the pre-allocated
pool if KASAN hardware tags are detected to ensure the system maintains
the security guarantees provided by MTE.
Link: https://lkml.kernel.org/r/20260213095410.1862978-1-glider@google.com
Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure")
Signed-off-by: Alexander Potapenko <glider@google.com>
Suggested-by: Marco Elver <elver@google.com>
Reviewed-by: Marco Elver <elver@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Ernesto Martinez Garcia <ernesto.martinezgarcia@tugraz.at>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Kees Cook <kees@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/kfence/core.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/mm/kfence/core.c
+++ b/mm/kfence/core.c
@@ -13,6 +13,7 @@
#include <linux/hash.h>
#include <linux/irq_work.h>
#include <linux/jhash.h>
+#include <linux/kasan-enabled.h>
#include <linux/kcsan-checks.h>
#include <linux/kfence.h>
#include <linux/kmemleak.h>
@@ -881,6 +882,20 @@ void __init kfence_alloc_pool_and_metada
return;
/*
+ * If KASAN hardware tags are enabled, disable KFENCE, because it
+ * does not support MTE yet.
+ */
+ if (kasan_hw_tags_enabled()) {
+ pr_info("disabled as KASAN HW tags are enabled\n");
+ if (__kfence_pool) {
+ memblock_free(__kfence_pool, KFENCE_POOL_SIZE);
+ __kfence_pool = NULL;
+ }
+ kfence_sample_interval = 0;
+ return;
+ }
+
+ /*
* If the pool has already been initialized by arch, there is no need to
* re-allocate the memory pool.
*/
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 196/567] apparmor: fix race on rawdata dereference
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 195/567] apparmor: fix differential encoding verification Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 197/567] apparmor: fix race between freeing data and fs accessing it Greg Kroah-Hartman
` (181 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qualys Security Advisory,
Georgia Garcia, Maxime Bélair, Cengiz Can,
Salvatore Bonaccorso, John Johansen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Johansen <john.johansen@canonical.com>
commit a0b7091c4de45a7325c8780e6934a894f92ac86b upstream.
There is a race condition that leads to a use-after-free situation:
because the rawdata inodes are not refcounted, an attacker can start
open()ing one of the rawdata files, and at the same time remove the
last reference to this rawdata (by removing the corresponding profile,
for example), which frees its struct aa_loaddata; as a result, when
seq_rawdata_open() is reached, i_private is a dangling pointer and
freed memory is accessed.
The rawdata inodes weren't refcounted to avoid a circular refcount and
were supposed to be held by the profile rawdata reference. However
during profile removal there is a window where the vfs and profile
destruction race, resulting in the use after free.
Fix this by moving to a double refcount scheme. Where the profile
refcount on rawdata is used to break the circular dependency. Allowing
for freeing of the rawdata once all inode references to the rawdata
are put.
Fixes: 5d5182cae401 ("apparmor: move to per loaddata files, instead of replicating in profiles")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Maxime Bélair <maxime.belair@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/apparmorfs.c | 35 ++++++++------
security/apparmor/include/policy_unpack.h | 71 ++++++++++++++++++------------
security/apparmor/policy.c | 12 ++---
security/apparmor/policy_unpack.c | 32 +++++++++----
4 files changed, 93 insertions(+), 57 deletions(-)
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -79,7 +79,7 @@ static void rawdata_f_data_free(struct r
if (!private)
return;
- aa_put_loaddata(private->loaddata);
+ aa_put_i_loaddata(private->loaddata);
kvfree(private);
}
@@ -404,7 +404,8 @@ static struct aa_loaddata *aa_simple_wri
data->size = copy_size;
if (copy_from_user(data->data, userbuf, copy_size)) {
- aa_put_loaddata(data);
+ /* trigger free - don't need to put pcount */
+ aa_put_i_loaddata(data);
return ERR_PTR(-EFAULT);
}
@@ -432,7 +433,10 @@ static ssize_t policy_update(u32 mask, c
error = PTR_ERR(data);
if (!IS_ERR(data)) {
error = aa_replace_profiles(ns, label, mask, data);
- aa_put_loaddata(data);
+ /* put pcount, which will put count and free if no
+ * profiles referencing it.
+ */
+ aa_put_profile_loaddata(data);
}
end_section:
end_current_label_crit_section(label);
@@ -503,7 +507,7 @@ static ssize_t profile_remove(struct fil
if (!IS_ERR(data)) {
data->data[size] = 0;
error = aa_remove_profiles(ns, label, data->data, size);
- aa_put_loaddata(data);
+ aa_put_profile_loaddata(data);
}
out:
end_current_label_crit_section(label);
@@ -1242,18 +1246,17 @@ static const struct file_operations seq_
static int seq_rawdata_open(struct inode *inode, struct file *file,
int (*show)(struct seq_file *, void *))
{
- struct aa_loaddata *data = __aa_get_loaddata(inode->i_private);
+ struct aa_loaddata *data = aa_get_i_loaddata(inode->i_private);
int error;
if (!data)
- /* lost race this ent is being reaped */
return -ENOENT;
error = single_open(file, show, data);
if (error) {
AA_BUG(file->private_data &&
((struct seq_file *)file->private_data)->private);
- aa_put_loaddata(data);
+ aa_put_i_loaddata(data);
}
return error;
@@ -1264,7 +1267,7 @@ static int seq_rawdata_release(struct in
struct seq_file *seq = (struct seq_file *) file->private_data;
if (seq)
- aa_put_loaddata(seq->private);
+ aa_put_i_loaddata(seq->private);
return single_release(inode, file);
}
@@ -1378,9 +1381,8 @@ static int rawdata_open(struct inode *in
if (!aa_current_policy_view_capable(NULL))
return -EACCES;
- loaddata = __aa_get_loaddata(inode->i_private);
+ loaddata = aa_get_i_loaddata(inode->i_private);
if (!loaddata)
- /* lost race: this entry is being reaped */
return -ENOENT;
private = rawdata_f_data_alloc(loaddata->size);
@@ -1405,7 +1407,7 @@ fail_decompress:
return error;
fail_private_alloc:
- aa_put_loaddata(loaddata);
+ aa_put_i_loaddata(loaddata);
return error;
}
@@ -1422,9 +1424,9 @@ static void remove_rawdata_dents(struct
for (i = 0; i < AAFS_LOADDATA_NDENTS; i++) {
if (!IS_ERR_OR_NULL(rawdata->dents[i])) {
- /* no refcounts on i_private */
aafs_remove(rawdata->dents[i]);
rawdata->dents[i] = NULL;
+ aa_put_i_loaddata(rawdata);
}
}
}
@@ -1463,18 +1465,21 @@ int __aa_fs_create_rawdata(struct aa_ns
if (IS_ERR(dir))
/* ->name freed when rawdata freed */
return PTR_ERR(dir);
+ aa_get_i_loaddata(rawdata);
rawdata->dents[AAFS_LOADDATA_DIR] = dir;
dent = aafs_create_file("abi", S_IFREG | 0444, dir, rawdata,
&seq_rawdata_abi_fops);
if (IS_ERR(dent))
goto fail;
+ aa_get_i_loaddata(rawdata);
rawdata->dents[AAFS_LOADDATA_ABI] = dent;
dent = aafs_create_file("revision", S_IFREG | 0444, dir, rawdata,
&seq_rawdata_revision_fops);
if (IS_ERR(dent))
goto fail;
+ aa_get_i_loaddata(rawdata);
rawdata->dents[AAFS_LOADDATA_REVISION] = dent;
if (aa_g_hash_policy) {
@@ -1482,6 +1487,7 @@ int __aa_fs_create_rawdata(struct aa_ns
rawdata, &seq_rawdata_hash_fops);
if (IS_ERR(dent))
goto fail;
+ aa_get_i_loaddata(rawdata);
rawdata->dents[AAFS_LOADDATA_HASH] = dent;
}
@@ -1490,24 +1496,25 @@ int __aa_fs_create_rawdata(struct aa_ns
&seq_rawdata_compressed_size_fops);
if (IS_ERR(dent))
goto fail;
+ aa_get_i_loaddata(rawdata);
rawdata->dents[AAFS_LOADDATA_COMPRESSED_SIZE] = dent;
dent = aafs_create_file("raw_data", S_IFREG | 0444,
dir, rawdata, &rawdata_fops);
if (IS_ERR(dent))
goto fail;
+ aa_get_i_loaddata(rawdata);
rawdata->dents[AAFS_LOADDATA_DATA] = dent;
d_inode(dent)->i_size = rawdata->size;
rawdata->ns = aa_get_ns(ns);
list_add(&rawdata->list, &ns->rawdata_list);
- /* no refcount on inode rawdata */
return 0;
fail:
remove_rawdata_dents(rawdata);
-
+ aa_put_i_loaddata(rawdata);
return PTR_ERR(dent);
}
#endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */
--- a/security/apparmor/include/policy_unpack.h
+++ b/security/apparmor/include/policy_unpack.h
@@ -87,17 +87,29 @@ struct aa_ext {
u32 version;
};
-/*
- * struct aa_loaddata - buffer of policy raw_data set
+/* struct aa_loaddata - buffer of policy raw_data set
+ * @count: inode/filesystem refcount - use aa_get_i_loaddata()
+ * @pcount: profile refcount - use aa_get_profile_loaddata()
+ * @list: list the loaddata is on
+ * @work: used to do a delayed cleanup
+ * @dents: refs to dents created in aafs
+ * @ns: the namespace this loaddata was loaded into
+ * @name:
+ * @size: the size of the data that was loaded
+ * @compressed_size: the size of the data when it is compressed
+ * @revision: unique revision count that this data was loaded as
+ * @abi: the abi number the loaddata uses
+ * @hash: a hash of the loaddata, used to help dedup data
*
- * there is no loaddata ref for being on ns list, nor a ref from
- * d_inode(@dentry) when grab a ref from these, @ns->lock must be held
- * && __aa_get_loaddata() needs to be used, and the return value
- * checked, if NULL the loaddata is already being reaped and should be
- * considered dead.
+ * There is no loaddata ref for being on ns->rawdata_list, so
+ * @ns->lock must be held when walking the list. Dentries and
+ * inode opens hold refs on @count; profiles hold refs on @pcount.
+ * When the last @pcount drops, do_ploaddata_rmfs() removes the
+ * fs entries and drops the associated @count ref.
*/
struct aa_loaddata {
struct kref count;
+ struct kref pcount;
struct list_head list;
struct work_struct work;
struct dentry *dents[AAFS_LOADDATA_NDENTS];
@@ -119,52 +131,55 @@ struct aa_loaddata {
int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, const char **ns);
/**
- * __aa_get_loaddata - get a reference count to uncounted data reference
+ * aa_get_loaddata - get a reference count from a counted data reference
* @data: reference to get a count on
*
- * Returns: pointer to reference OR NULL if race is lost and reference is
- * being repeated.
- * Requires: @data->ns->lock held, and the return code MUST be checked
- *
- * Use only from inode->i_private and @data->list found references
+ * Returns: pointer to reference
+ * Requires: @data to have a valid reference count on it. It is a bug
+ * if the race to reap can be encountered when it is used.
*/
static inline struct aa_loaddata *
-__aa_get_loaddata(struct aa_loaddata *data)
+aa_get_i_loaddata(struct aa_loaddata *data)
{
- if (data && kref_get_unless_zero(&(data->count)))
- return data;
- return NULL;
+ if (data)
+ kref_get(&(data->count));
+ return data;
}
+
/**
- * aa_get_loaddata - get a reference count from a counted data reference
+ * aa_get_profile_loaddata - get a profile reference count on loaddata
* @data: reference to get a count on
*
- * Returns: point to reference
- * Requires: @data to have a valid reference count on it. It is a bug
- * if the race to reap can be encountered when it is used.
+ * Returns: pointer to reference
+ * Requires: @data to have a valid reference count on it.
*/
static inline struct aa_loaddata *
-aa_get_loaddata(struct aa_loaddata *data)
+aa_get_profile_loaddata(struct aa_loaddata *data)
{
- struct aa_loaddata *tmp = __aa_get_loaddata(data);
-
- AA_BUG(data && !tmp);
-
- return tmp;
+ if (data)
+ kref_get(&(data->pcount));
+ return data;
}
void __aa_loaddata_update(struct aa_loaddata *data, long revision);
bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r);
void aa_loaddata_kref(struct kref *kref);
+void aa_ploaddata_kref(struct kref *kref);
struct aa_loaddata *aa_loaddata_alloc(size_t size);
-static inline void aa_put_loaddata(struct aa_loaddata *data)
+static inline void aa_put_i_loaddata(struct aa_loaddata *data)
{
if (data)
kref_put(&data->count, aa_loaddata_kref);
}
+static inline void aa_put_profile_loaddata(struct aa_loaddata *data)
+{
+ if (data)
+ kref_put(&data->pcount, aa_ploaddata_kref);
+}
+
#if IS_ENABLED(CONFIG_KUNIT)
bool aa_inbounds(struct aa_ext *e, size_t size);
size_t aa_unpack_u16_chunk(struct aa_ext *e, char **chunk);
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -336,7 +336,7 @@ void aa_free_profile(struct aa_profile *
}
kfree_sensitive(profile->hash);
- aa_put_loaddata(profile->rawdata);
+ aa_put_profile_loaddata(profile->rawdata);
aa_label_destroy(&profile->label);
kfree_sensitive(profile);
@@ -1120,7 +1120,7 @@ ssize_t aa_replace_profiles(struct aa_ns
LIST_HEAD(lh);
op = mask & AA_MAY_REPLACE_POLICY ? OP_PROF_REPL : OP_PROF_LOAD;
- aa_get_loaddata(udata);
+ aa_get_profile_loaddata(udata);
/* released below */
error = aa_unpack(udata, &lh, &ns_name);
if (error)
@@ -1172,10 +1172,10 @@ ssize_t aa_replace_profiles(struct aa_ns
if (aa_rawdata_eq(rawdata_ent, udata)) {
struct aa_loaddata *tmp;
- tmp = __aa_get_loaddata(rawdata_ent);
+ tmp = aa_get_profile_loaddata(rawdata_ent);
/* check we didn't fail the race */
if (tmp) {
- aa_put_loaddata(udata);
+ aa_put_profile_loaddata(udata);
udata = tmp;
break;
}
@@ -1188,7 +1188,7 @@ ssize_t aa_replace_profiles(struct aa_ns
struct aa_profile *p;
if (aa_g_export_binary)
- ent->new->rawdata = aa_get_loaddata(udata);
+ ent->new->rawdata = aa_get_profile_loaddata(udata);
error = __lookup_replace(ns, ent->new->base.hname,
!(mask & AA_MAY_REPLACE_POLICY),
&ent->old, &info);
@@ -1321,7 +1321,7 @@ ssize_t aa_replace_profiles(struct aa_ns
out:
aa_put_ns(ns);
- aa_put_loaddata(udata);
+ aa_put_profile_loaddata(udata);
kfree(ns_name);
if (error)
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -108,34 +108,47 @@ bool aa_rawdata_eq(struct aa_loaddata *l
return memcmp(l->data, r->data, r->compressed_size ?: r->size) == 0;
}
+static void do_loaddata_free(struct aa_loaddata *d)
+{
+ kfree_sensitive(d->hash);
+ kfree_sensitive(d->name);
+ kvfree(d->data);
+ kfree_sensitive(d);
+}
+
+void aa_loaddata_kref(struct kref *kref)
+{
+ struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count);
+
+ do_loaddata_free(d);
+}
+
/*
* need to take the ns mutex lock which is NOT safe most places that
* put_loaddata is called, so we have to delay freeing it
*/
-static void do_loaddata_free(struct work_struct *work)
+static void do_ploaddata_rmfs(struct work_struct *work)
{
struct aa_loaddata *d = container_of(work, struct aa_loaddata, work);
struct aa_ns *ns = aa_get_ns(d->ns);
if (ns) {
mutex_lock_nested(&ns->lock, ns->level);
+ /* remove fs ref to loaddata */
__aa_fs_remove_rawdata(d);
mutex_unlock(&ns->lock);
aa_put_ns(ns);
}
-
- kfree_sensitive(d->hash);
- kfree_sensitive(d->name);
- kvfree(d->data);
- kfree_sensitive(d);
+ /* called by dropping last pcount, so drop its associated icount */
+ aa_put_i_loaddata(d);
}
-void aa_loaddata_kref(struct kref *kref)
+void aa_ploaddata_kref(struct kref *kref)
{
- struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count);
+ struct aa_loaddata *d = container_of(kref, struct aa_loaddata, pcount);
if (d) {
- INIT_WORK(&d->work, do_loaddata_free);
+ INIT_WORK(&d->work, do_ploaddata_rmfs);
schedule_work(&d->work);
}
}
@@ -153,6 +166,7 @@ struct aa_loaddata *aa_loaddata_alloc(si
return ERR_PTR(-ENOMEM);
}
kref_init(&d->count);
+ kref_init(&d->pcount);
INIT_LIST_HEAD(&d->list);
return d;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 134/481] nfc: rawsock: cancel tx_work before socket teardown
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 133/481] nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 135/481] net: stmmac: Fix error handling in VLAN add and delete paths Greg Kroah-Hartman
` (181 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joe Damato, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit d793458c45df2aed498d7f74145eab7ee22d25aa ]
In rawsock_release(), cancel any pending tx_work and purge the write
queue before orphaning the socket. rawsock_tx_work runs on the system
workqueue and calls nfc_data_exchange which dereferences the NCI
device. Without synchronization, tx_work can race with socket and
device teardown when a process is killed (e.g. by SIGKILL), leading
to use-after-free or leaked references.
Set SEND_SHUTDOWN first so that if tx_work is already running it will
see the flag and skip transmitting, then use cancel_work_sync to wait
for any in-progress execution to finish, and finally purge any
remaining queued skbs.
Fixes: 23b7869c0fd0 ("NFC: add the NFC socket raw protocol")
Reviewed-by: Joe Damato <joe@dama.to>
Link: https://patch.msgid.link/20260303162346.2071888-6-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/nfc/rawsock.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c
index 8dd569765f96e..cffbb96beb6cb 100644
--- a/net/nfc/rawsock.c
+++ b/net/nfc/rawsock.c
@@ -66,6 +66,17 @@ static int rawsock_release(struct socket *sock)
if (sock->type == SOCK_RAW)
nfc_sock_unlink(&raw_sk_list, sk);
+ if (sk->sk_state == TCP_ESTABLISHED) {
+ /* Prevent rawsock_tx_work from starting new transmits and
+ * wait for any in-progress work to finish. This must happen
+ * before the socket is orphaned to avoid a race where
+ * rawsock_tx_work runs after the NCI device has been freed.
+ */
+ sk->sk_shutdown |= SEND_SHUTDOWN;
+ cancel_work_sync(&nfc_rawsock(sk)->tx_work);
+ rawsock_write_queue_purge(sk);
+ }
+
sock_orphan(sk);
sock_put(sk);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 121/460] mmc: core: Avoid bitfield RMW for claim/retune flags
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 120/460] mm/kfence: disable KFENCE upon KASAN HW tags enablement Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 122/460] ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start Greg Kroah-Hartman
` (181 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Penghe Geng,
Ulf Hansson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Penghe Geng <pgeng@nvidia.com>
commit 901084c51a0a8fb42a3f37d2e9c62083c495f824 upstream.
Move claimed and retune control flags out of the bitfield word to
avoid unrelated RMW side effects in asynchronous contexts.
The host->claimed bit shared a word with retune flags. Writes to claimed
in __mmc_claim_host() or retune_now in mmc_mq_queue_rq() can overwrite
other bits when concurrent updates happen in other contexts, triggering
spurious WARN_ON(!host->claimed). Convert claimed, can_retune,
retune_now and retune_paused to bool to remove shared-word coupling.
Fixes: 6c0cedd1ef952 ("mmc: core: Introduce host claiming by context")
Fixes: 1e8e55b67030c ("mmc: block: Add CQE support")
Cc: stable@vger.kernel.org
Suggested-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Penghe Geng <pgeng@nvidia.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mmc/host.h | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/include/linux/mmc/host.h
+++ b/include/linux/mmc/host.h
@@ -423,14 +423,12 @@ struct mmc_host {
struct mmc_ios ios; /* current io bus settings */
+ bool claimed; /* host exclusively claimed */
+
/* group bitfields together to minimize padding */
unsigned int use_spi_crc:1;
- unsigned int claimed:1; /* host exclusively claimed */
unsigned int doing_init_tune:1; /* initial tuning in progress */
- unsigned int can_retune:1; /* re-tuning can be used */
unsigned int doing_retune:1; /* re-tuning in progress */
- unsigned int retune_now:1; /* do re-tuning at next req */
- unsigned int retune_paused:1; /* re-tuning is temporarily disabled */
unsigned int retune_crc_disable:1; /* don't trigger retune upon crc */
unsigned int can_dma_map_merge:1; /* merging can be used */
unsigned int vqmmc_enabled:1; /* vqmmc regulator is enabled */
@@ -438,6 +436,9 @@ struct mmc_host {
int rescan_disable; /* disable card detection */
int rescan_entered; /* used with nonremovable devices */
+ bool can_retune; /* re-tuning can be used */
+ bool retune_now; /* do re-tuning at next req */
+ bool retune_paused; /* re-tuning is temporarily disabled */
int need_retune; /* re-tuning is needed */
int hold_retune; /* hold off re-tuning */
unsigned int retune_period; /* re-tuning period in secs */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 197/567] apparmor: fix race between freeing data and fs accessing it
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 196/567] apparmor: fix race on rawdata dereference Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 198/567] scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT Greg Kroah-Hartman
` (180 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qualys Security Advisory,
Georgia Garcia, Maxime Bélair, Cengiz Can, John Johansen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Johansen <john.johansen@canonical.com>
commit 8e135b8aee5a06c52a4347a5a6d51223c6f36ba3 upstream.
AppArmor was putting the reference to i_private data on its end after
removing the original entry from the file system. However the inode
can and does live beyond that point and it is possible that some of
the fs call back functions will be invoked after the reference has
been put, which results in a race between freeing the data and
accessing it through the fs.
While the rawdata/loaddata is the most likely candidate to fail the
race, as it has the fewest references. If properly crafted it might be
possible to trigger a race for the other types stored in i_private.
Fix this by moving the put of i_private referenced data to the correct
place which is during inode eviction.
Fixes: c961ee5f21b20 ("apparmor: convert from securityfs to apparmorfs for policy ns files")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Maxime Bélair <maxime.belair@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/apparmorfs.c | 194 +++++++++++++++++-------------
security/apparmor/include/label.h | 16 +-
security/apparmor/include/lib.h | 12 +
security/apparmor/include/policy.h | 8 -
security/apparmor/include/policy_unpack.h | 6
security/apparmor/label.c | 12 +
security/apparmor/policy_unpack.c | 6
7 files changed, 153 insertions(+), 101 deletions(-)
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -32,6 +32,7 @@
#include "include/crypto.h"
#include "include/ipc.h"
#include "include/label.h"
+#include "include/lib.h"
#include "include/policy.h"
#include "include/policy_ns.h"
#include "include/resource.h"
@@ -62,6 +63,7 @@
* securityfs and apparmorfs filesystems.
*/
+#define IREF_POISON 101
/*
* support fns
@@ -153,6 +155,71 @@ static int aafs_show_path(struct seq_fil
return 0;
}
+static struct aa_ns *get_ns_common_ref(struct aa_common_ref *ref)
+{
+ if (ref) {
+ struct aa_label *reflabel = container_of(ref, struct aa_label,
+ count);
+ return aa_get_ns(labels_ns(reflabel));
+ }
+
+ return NULL;
+}
+
+static struct aa_proxy *get_proxy_common_ref(struct aa_common_ref *ref)
+{
+ if (ref)
+ return aa_get_proxy(container_of(ref, struct aa_proxy, count));
+
+ return NULL;
+}
+
+static struct aa_loaddata *get_loaddata_common_ref(struct aa_common_ref *ref)
+{
+ if (ref)
+ return aa_get_i_loaddata(container_of(ref, struct aa_loaddata,
+ count));
+ return NULL;
+}
+
+static void aa_put_common_ref(struct aa_common_ref *ref)
+{
+ if (!ref)
+ return;
+
+ switch (ref->reftype) {
+ case REF_RAWDATA:
+ aa_put_i_loaddata(container_of(ref, struct aa_loaddata,
+ count));
+ break;
+ case REF_PROXY:
+ aa_put_proxy(container_of(ref, struct aa_proxy,
+ count));
+ break;
+ case REF_NS:
+ /* ns count is held on its unconfined label */
+ aa_put_ns(labels_ns(container_of(ref, struct aa_label, count)));
+ break;
+ default:
+ AA_BUG(true, "unknown refcount type");
+ break;
+ }
+}
+
+static void aa_get_common_ref(struct aa_common_ref *ref)
+{
+ kref_get(&ref->count);
+}
+
+static void aafs_evict(struct inode *inode)
+{
+ struct aa_common_ref *ref = inode->i_private;
+
+ clear_inode(inode);
+ aa_put_common_ref(ref);
+ inode->i_private = (void *) IREF_POISON;
+}
+
static void aafs_free_inode(struct inode *inode)
{
if (S_ISLNK(inode->i_mode))
@@ -162,6 +229,7 @@ static void aafs_free_inode(struct inode
static const struct super_operations aafs_super_ops = {
.statfs = simple_statfs,
+ .evict_inode = aafs_evict,
.free_inode = aafs_free_inode,
.show_path = aafs_show_path,
};
@@ -262,7 +330,8 @@ static int __aafs_setup_d_inode(struct i
* aafs_remove(). Will return ERR_PTR on failure.
*/
static struct dentry *aafs_create(const char *name, umode_t mode,
- struct dentry *parent, void *data, void *link,
+ struct dentry *parent,
+ struct aa_common_ref *data, void *link,
const struct file_operations *fops,
const struct inode_operations *iops)
{
@@ -299,6 +368,9 @@ static struct dentry *aafs_create(const
goto fail_dentry;
inode_unlock(dir);
+ if (data)
+ aa_get_common_ref(data);
+
return dentry;
fail_dentry:
@@ -323,7 +395,8 @@ fail_lock:
* see aafs_create
*/
static struct dentry *aafs_create_file(const char *name, umode_t mode,
- struct dentry *parent, void *data,
+ struct dentry *parent,
+ struct aa_common_ref *data,
const struct file_operations *fops)
{
return aafs_create(name, mode, parent, data, NULL, fops, NULL);
@@ -448,7 +521,7 @@ end_section:
static ssize_t profile_load(struct file *f, const char __user *buf, size_t size,
loff_t *pos)
{
- struct aa_ns *ns = aa_get_ns(f->f_inode->i_private);
+ struct aa_ns *ns = get_ns_common_ref(f->f_inode->i_private);
int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns,
f->f_cred);
@@ -466,7 +539,7 @@ static const struct file_operations aa_f
static ssize_t profile_replace(struct file *f, const char __user *buf,
size_t size, loff_t *pos)
{
- struct aa_ns *ns = aa_get_ns(f->f_inode->i_private);
+ struct aa_ns *ns = get_ns_common_ref(f->f_inode->i_private);
int error = policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY,
buf, size, pos, ns, f->f_cred);
aa_put_ns(ns);
@@ -486,7 +559,7 @@ static ssize_t profile_remove(struct fil
struct aa_loaddata *data;
struct aa_label *label;
ssize_t error;
- struct aa_ns *ns = aa_get_ns(f->f_inode->i_private);
+ struct aa_ns *ns = get_ns_common_ref(f->f_inode->i_private);
label = begin_current_label_crit_section();
/* high level check about policy management - fine grained in
@@ -576,7 +649,7 @@ static int ns_revision_open(struct inode
if (!rev)
return -ENOMEM;
- rev->ns = aa_get_ns(inode->i_private);
+ rev->ns = get_ns_common_ref(inode->i_private);
if (!rev->ns)
rev->ns = aa_get_current_ns();
file->private_data = rev;
@@ -1054,7 +1127,7 @@ static const struct file_operations seq_
static int seq_profile_open(struct inode *inode, struct file *file,
int (*show)(struct seq_file *, void *))
{
- struct aa_proxy *proxy = aa_get_proxy(inode->i_private);
+ struct aa_proxy *proxy = get_proxy_common_ref(inode->i_private);
int error = single_open(file, show, proxy);
if (error) {
@@ -1246,7 +1319,7 @@ static const struct file_operations seq_
static int seq_rawdata_open(struct inode *inode, struct file *file,
int (*show)(struct seq_file *, void *))
{
- struct aa_loaddata *data = aa_get_i_loaddata(inode->i_private);
+ struct aa_loaddata *data = get_loaddata_common_ref(inode->i_private);
int error;
if (!data)
@@ -1381,7 +1454,7 @@ static int rawdata_open(struct inode *in
if (!aa_current_policy_view_capable(NULL))
return -EACCES;
- loaddata = aa_get_i_loaddata(inode->i_private);
+ loaddata = get_loaddata_common_ref(inode->i_private);
if (!loaddata)
return -ENOENT;
@@ -1426,7 +1499,6 @@ static void remove_rawdata_dents(struct
if (!IS_ERR_OR_NULL(rawdata->dents[i])) {
aafs_remove(rawdata->dents[i]);
rawdata->dents[i] = NULL;
- aa_put_i_loaddata(rawdata);
}
}
}
@@ -1465,45 +1537,41 @@ int __aa_fs_create_rawdata(struct aa_ns
if (IS_ERR(dir))
/* ->name freed when rawdata freed */
return PTR_ERR(dir);
- aa_get_i_loaddata(rawdata);
rawdata->dents[AAFS_LOADDATA_DIR] = dir;
- dent = aafs_create_file("abi", S_IFREG | 0444, dir, rawdata,
+ dent = aafs_create_file("abi", S_IFREG | 0444, dir, &rawdata->count,
&seq_rawdata_abi_fops);
if (IS_ERR(dent))
goto fail;
- aa_get_i_loaddata(rawdata);
rawdata->dents[AAFS_LOADDATA_ABI] = dent;
- dent = aafs_create_file("revision", S_IFREG | 0444, dir, rawdata,
- &seq_rawdata_revision_fops);
+ dent = aafs_create_file("revision", S_IFREG | 0444, dir,
+ &rawdata->count,
+ &seq_rawdata_revision_fops);
if (IS_ERR(dent))
goto fail;
- aa_get_i_loaddata(rawdata);
rawdata->dents[AAFS_LOADDATA_REVISION] = dent;
if (aa_g_hash_policy) {
dent = aafs_create_file("sha1", S_IFREG | 0444, dir,
- rawdata, &seq_rawdata_hash_fops);
+ &rawdata->count,
+ &seq_rawdata_hash_fops);
if (IS_ERR(dent))
goto fail;
- aa_get_i_loaddata(rawdata);
rawdata->dents[AAFS_LOADDATA_HASH] = dent;
}
dent = aafs_create_file("compressed_size", S_IFREG | 0444, dir,
- rawdata,
+ &rawdata->count,
&seq_rawdata_compressed_size_fops);
if (IS_ERR(dent))
goto fail;
- aa_get_i_loaddata(rawdata);
rawdata->dents[AAFS_LOADDATA_COMPRESSED_SIZE] = dent;
- dent = aafs_create_file("raw_data", S_IFREG | 0444,
- dir, rawdata, &rawdata_fops);
+ dent = aafs_create_file("raw_data", S_IFREG | 0444, dir,
+ &rawdata->count, &rawdata_fops);
if (IS_ERR(dent))
goto fail;
- aa_get_i_loaddata(rawdata);
rawdata->dents[AAFS_LOADDATA_DATA] = dent;
d_inode(dent)->i_size = rawdata->size;
@@ -1514,7 +1582,6 @@ int __aa_fs_create_rawdata(struct aa_ns
fail:
remove_rawdata_dents(rawdata);
- aa_put_i_loaddata(rawdata);
return PTR_ERR(dent);
}
#endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */
@@ -1538,13 +1605,10 @@ void __aafs_profile_rmdir(struct aa_prof
__aafs_profile_rmdir(child);
for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) {
- struct aa_proxy *proxy;
if (!profile->dents[i])
continue;
- proxy = d_inode(profile->dents[i])->i_private;
aafs_remove(profile->dents[i]);
- aa_put_proxy(proxy);
profile->dents[i] = NULL;
}
}
@@ -1577,14 +1641,7 @@ static struct dentry *create_profile_fil
struct aa_profile *profile,
const struct file_operations *fops)
{
- struct aa_proxy *proxy = aa_get_proxy(profile->label.proxy);
- struct dentry *dent;
-
- dent = aafs_create_file(name, S_IFREG | 0444, dir, proxy, fops);
- if (IS_ERR(dent))
- aa_put_proxy(proxy);
-
- return dent;
+ return aafs_create_file(name, S_IFREG | 0444, dir, &profile->label.proxy->count, fops);
}
#ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
@@ -1635,7 +1692,8 @@ static const char *rawdata_get_link_base
struct delayed_call *done,
const char *name)
{
- struct aa_proxy *proxy = inode->i_private;
+ struct aa_common_ref *ref = inode->i_private;
+ struct aa_proxy *proxy = container_of(ref, struct aa_proxy, count);
struct aa_label *label;
struct aa_profile *profile;
char *target;
@@ -1777,27 +1835,24 @@ int __aafs_profile_mkdir(struct aa_profi
if (profile->rawdata) {
if (aa_g_hash_policy) {
dent = aafs_create("raw_sha1", S_IFLNK | 0444, dir,
- profile->label.proxy, NULL, NULL,
- &rawdata_link_sha1_iops);
+ &profile->label.proxy->count, NULL,
+ NULL, &rawdata_link_sha1_iops);
if (IS_ERR(dent))
goto fail;
- aa_get_proxy(profile->label.proxy);
profile->dents[AAFS_PROF_RAW_HASH] = dent;
}
dent = aafs_create("raw_abi", S_IFLNK | 0444, dir,
- profile->label.proxy, NULL, NULL,
+ &profile->label.proxy->count, NULL, NULL,
&rawdata_link_abi_iops);
if (IS_ERR(dent))
goto fail;
- aa_get_proxy(profile->label.proxy);
profile->dents[AAFS_PROF_RAW_ABI] = dent;
dent = aafs_create("raw_data", S_IFLNK | 0444, dir,
- profile->label.proxy, NULL, NULL,
+ &profile->label.proxy->count, NULL, NULL,
&rawdata_link_data_iops);
if (IS_ERR(dent))
goto fail;
- aa_get_proxy(profile->label.proxy);
profile->dents[AAFS_PROF_RAW_DATA] = dent;
}
#endif /*CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */
@@ -1834,7 +1889,7 @@ static int ns_mkdir_op(struct mnt_idmap
if (error)
return error;
- parent = aa_get_ns(dir->i_private);
+ parent = get_ns_common_ref(dir->i_private);
AA_BUG(d_inode(ns_subns_dir(parent)) != dir);
/* we have to unlock and then relock to get locking order right
@@ -1884,7 +1939,7 @@ static int ns_rmdir_op(struct inode *dir
if (error)
return error;
- parent = aa_get_ns(dir->i_private);
+ parent = get_ns_common_ref(dir->i_private);
/* rmdir calls the generic securityfs functions to remove files
* from the apparmor dir. It is up to the apparmor ns locking
* to avoid races.
@@ -1954,27 +2009,6 @@ void __aafs_ns_rmdir(struct aa_ns *ns)
__aa_fs_list_remove_rawdata(ns);
- if (ns_subns_dir(ns)) {
- sub = d_inode(ns_subns_dir(ns))->i_private;
- aa_put_ns(sub);
- }
- if (ns_subload(ns)) {
- sub = d_inode(ns_subload(ns))->i_private;
- aa_put_ns(sub);
- }
- if (ns_subreplace(ns)) {
- sub = d_inode(ns_subreplace(ns))->i_private;
- aa_put_ns(sub);
- }
- if (ns_subremove(ns)) {
- sub = d_inode(ns_subremove(ns))->i_private;
- aa_put_ns(sub);
- }
- if (ns_subrevision(ns)) {
- sub = d_inode(ns_subrevision(ns))->i_private;
- aa_put_ns(sub);
- }
-
for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) {
aafs_remove(ns->dents[i]);
ns->dents[i] = NULL;
@@ -1999,40 +2033,40 @@ static int __aafs_ns_mkdir_entries(struc
return PTR_ERR(dent);
ns_subdata_dir(ns) = dent;
- dent = aafs_create_file("revision", 0444, dir, ns,
+ dent = aafs_create_file("revision", 0444, dir,
+ &ns->unconfined->label.count,
&aa_fs_ns_revision_fops);
if (IS_ERR(dent))
return PTR_ERR(dent);
- aa_get_ns(ns);
ns_subrevision(ns) = dent;
- dent = aafs_create_file(".load", 0640, dir, ns,
- &aa_fs_profile_load);
+ dent = aafs_create_file(".load", 0640, dir,
+ &ns->unconfined->label.count,
+ &aa_fs_profile_load);
if (IS_ERR(dent))
return PTR_ERR(dent);
- aa_get_ns(ns);
ns_subload(ns) = dent;
- dent = aafs_create_file(".replace", 0640, dir, ns,
- &aa_fs_profile_replace);
+ dent = aafs_create_file(".replace", 0640, dir,
+ &ns->unconfined->label.count,
+ &aa_fs_profile_replace);
if (IS_ERR(dent))
return PTR_ERR(dent);
- aa_get_ns(ns);
ns_subreplace(ns) = dent;
- dent = aafs_create_file(".remove", 0640, dir, ns,
- &aa_fs_profile_remove);
+ dent = aafs_create_file(".remove", 0640, dir,
+ &ns->unconfined->label.count,
+ &aa_fs_profile_remove);
if (IS_ERR(dent))
return PTR_ERR(dent);
- aa_get_ns(ns);
ns_subremove(ns) = dent;
/* use create_dentry so we can supply private data */
- dent = aafs_create("namespaces", S_IFDIR | 0755, dir, ns, NULL, NULL,
- &ns_dir_inode_operations);
+ dent = aafs_create("namespaces", S_IFDIR | 0755, dir,
+ &ns->unconfined->label.count,
+ NULL, NULL, &ns_dir_inode_operations);
if (IS_ERR(dent))
return PTR_ERR(dent);
- aa_get_ns(ns);
ns_subns_dir(ns) = dent;
return 0;
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -101,7 +101,7 @@ enum label_flags {
struct aa_label;
struct aa_proxy {
- struct kref count;
+ struct aa_common_ref count;
struct aa_label __rcu *label;
};
@@ -121,7 +121,7 @@ struct label_it {
* @ent: set of profiles for label, actual size determined by @size
*/
struct aa_label {
- struct kref count;
+ struct aa_common_ref count;
struct rb_node node;
struct rcu_head rcu;
struct aa_proxy *proxy;
@@ -373,7 +373,7 @@ int aa_label_match(struct aa_profile *pr
*/
static inline struct aa_label *__aa_get_label(struct aa_label *l)
{
- if (l && kref_get_unless_zero(&l->count))
+ if (l && kref_get_unless_zero(&l->count.count))
return l;
return NULL;
@@ -382,7 +382,7 @@ static inline struct aa_label *__aa_get_
static inline struct aa_label *aa_get_label(struct aa_label *l)
{
if (l)
- kref_get(&(l->count));
+ kref_get(&(l->count.count));
return l;
}
@@ -402,7 +402,7 @@ static inline struct aa_label *aa_get_la
rcu_read_lock();
do {
c = rcu_dereference(*l);
- } while (c && !kref_get_unless_zero(&c->count));
+ } while (c && !kref_get_unless_zero(&c->count.count));
rcu_read_unlock();
return c;
@@ -442,7 +442,7 @@ static inline struct aa_label *aa_get_ne
static inline void aa_put_label(struct aa_label *l)
{
if (l)
- kref_put(&l->count, aa_label_kref);
+ kref_put(&l->count.count, aa_label_kref);
}
@@ -452,7 +452,7 @@ void aa_proxy_kref(struct kref *kref);
static inline struct aa_proxy *aa_get_proxy(struct aa_proxy *proxy)
{
if (proxy)
- kref_get(&(proxy->count));
+ kref_get(&(proxy->count.count));
return proxy;
}
@@ -460,7 +460,7 @@ static inline struct aa_proxy *aa_get_pr
static inline void aa_put_proxy(struct aa_proxy *proxy)
{
if (proxy)
- kref_put(&proxy->count, aa_proxy_kref);
+ kref_put(&proxy->count.count, aa_proxy_kref);
}
void __aa_proxy_redirect(struct aa_label *orig, struct aa_label *new);
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -71,6 +71,18 @@ void aa_info_message(const char *str);
/* Security blob offsets */
extern struct lsm_blob_sizes apparmor_blob_sizes;
+enum reftype {
+ REF_NS,
+ REF_PROXY,
+ REF_RAWDATA,
+};
+
+/* common reference count used by data the shows up in aafs */
+struct aa_common_ref {
+ struct kref count;
+ enum reftype reftype;
+};
+
/**
* aa_strneq - compare null terminated @str to a non null terminated substring
* @str: a null terminated string
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -337,7 +337,7 @@ static inline aa_state_t ANY_RULE_MEDIAT
static inline struct aa_profile *aa_get_profile(struct aa_profile *p)
{
if (p)
- kref_get(&(p->label.count));
+ kref_get(&(p->label.count.count));
return p;
}
@@ -351,7 +351,7 @@ static inline struct aa_profile *aa_get_
*/
static inline struct aa_profile *aa_get_profile_not0(struct aa_profile *p)
{
- if (p && kref_get_unless_zero(&p->label.count))
+ if (p && kref_get_unless_zero(&p->label.count.count))
return p;
return NULL;
@@ -371,7 +371,7 @@ static inline struct aa_profile *aa_get_
rcu_read_lock();
do {
c = rcu_dereference(*p);
- } while (c && !kref_get_unless_zero(&c->label.count));
+ } while (c && !kref_get_unless_zero(&c->label.count.count));
rcu_read_unlock();
return c;
@@ -384,7 +384,7 @@ static inline struct aa_profile *aa_get_
static inline void aa_put_profile(struct aa_profile *p)
{
if (p)
- kref_put(&p->label.count, aa_label_kref);
+ kref_put(&p->label.count.count, aa_label_kref);
}
static inline int AUDIT_MODE(struct aa_profile *profile)
--- a/security/apparmor/include/policy_unpack.h
+++ b/security/apparmor/include/policy_unpack.h
@@ -108,7 +108,7 @@ struct aa_ext {
* fs entries and drops the associated @count ref.
*/
struct aa_loaddata {
- struct kref count;
+ struct aa_common_ref count;
struct kref pcount;
struct list_head list;
struct work_struct work;
@@ -143,7 +143,7 @@ aa_get_i_loaddata(struct aa_loaddata *da
{
if (data)
- kref_get(&(data->count));
+ kref_get(&(data->count.count));
return data;
}
@@ -171,7 +171,7 @@ struct aa_loaddata *aa_loaddata_alloc(si
static inline void aa_put_i_loaddata(struct aa_loaddata *data)
{
if (data)
- kref_put(&data->count, aa_loaddata_kref);
+ kref_put(&data->count.count, aa_loaddata_kref);
}
static inline void aa_put_profile_loaddata(struct aa_loaddata *data)
--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -52,7 +52,8 @@ static void free_proxy(struct aa_proxy *
void aa_proxy_kref(struct kref *kref)
{
- struct aa_proxy *proxy = container_of(kref, struct aa_proxy, count);
+ struct aa_proxy *proxy = container_of(kref, struct aa_proxy,
+ count.count);
free_proxy(proxy);
}
@@ -63,7 +64,8 @@ struct aa_proxy *aa_alloc_proxy(struct a
new = kzalloc(sizeof(struct aa_proxy), gfp);
if (new) {
- kref_init(&new->count);
+ kref_init(&new->count.count);
+ new->count.reftype = REF_PROXY;
rcu_assign_pointer(new->label, aa_get_label(label));
}
return new;
@@ -369,7 +371,8 @@ static void label_free_rcu(struct rcu_he
void aa_label_kref(struct kref *kref)
{
- struct aa_label *label = container_of(kref, struct aa_label, count);
+ struct aa_label *label = container_of(kref, struct aa_label,
+ count.count);
struct aa_ns *ns = labels_ns(label);
if (!ns) {
@@ -406,7 +409,8 @@ bool aa_label_init(struct aa_label *labe
label->size = size; /* doesn't include null */
label->vec[size] = NULL; /* null terminate */
- kref_init(&label->count);
+ kref_init(&label->count.count);
+ label->count.reftype = REF_NS; /* for aafs purposes */
RB_CLEAR_NODE(&label->node);
return true;
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -118,7 +118,8 @@ static void do_loaddata_free(struct aa_l
void aa_loaddata_kref(struct kref *kref)
{
- struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count);
+ struct aa_loaddata *d = container_of(kref, struct aa_loaddata,
+ count.count);
do_loaddata_free(d);
}
@@ -165,7 +166,8 @@ struct aa_loaddata *aa_loaddata_alloc(si
kfree(d);
return ERR_PTR(-ENOMEM);
}
- kref_init(&d->count);
+ kref_init(&d->count.count);
+ d->count.reftype = REF_RAWDATA;
kref_init(&d->pcount);
INIT_LIST_HEAD(&d->list);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 135/481] net: stmmac: Fix error handling in VLAN add and delete paths
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 134/481] nfc: rawsock: cancel tx_work before socket teardown Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 136/481] net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup() Greg Kroah-Hartman
` (180 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ovidiu Panait, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
[ Upstream commit 35dfedce442c4060cfe5b98368bc9643fb995716 ]
stmmac_vlan_rx_add_vid() updates active_vlans and the VLAN hash
register before writing the HW filter entry. If the filter write
fails, it leaves a stale VID in active_vlans and the hash register.
stmmac_vlan_rx_kill_vid() has the reverse problem: it clears
active_vlans before removing the HW filter. On failure, the VID is
gone from active_vlans but still present in the HW filter table.
To fix this, reorder the operations to update the hash table first,
then attempt the HW filter operation. If the HW filter fails, roll
back both the active_vlans bitmap and the hash table by calling
stmmac_vlan_update() again.
Fixes: ed64639bc1e0 ("net: stmmac: Add support for VLAN Rx filtering")
Signed-off-by: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
Link: https://patch.msgid.link/20260303145828.7845-2-ovidiu.panait.rb@renesas.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/stmicro/stmmac/stmmac_main.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index b5de07b84f77b..1b3ea615cbba2 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -6451,9 +6451,13 @@ static int stmmac_vlan_rx_add_vid(struct net_device *ndev, __be16 proto, u16 vid
if (priv->hw->num_vlan) {
ret = stmmac_add_hw_vlan_rx_fltr(priv, ndev, priv->hw, proto, vid);
- if (ret)
+ if (ret) {
+ clear_bit(vid, priv->active_vlans);
+ stmmac_vlan_update(priv, is_double);
goto err_pm_put;
+ }
}
+
err_pm_put:
pm_runtime_put(priv->device);
@@ -6474,15 +6478,21 @@ static int stmmac_vlan_rx_kill_vid(struct net_device *ndev, __be16 proto, u16 vi
is_double = true;
clear_bit(vid, priv->active_vlans);
+ ret = stmmac_vlan_update(priv, is_double);
+ if (ret) {
+ set_bit(vid, priv->active_vlans);
+ goto del_vlan_error;
+ }
if (priv->hw->num_vlan) {
ret = stmmac_del_hw_vlan_rx_fltr(priv, ndev, priv->hw, proto, vid);
- if (ret)
+ if (ret) {
+ set_bit(vid, priv->active_vlans);
+ stmmac_vlan_update(priv, is_double);
goto del_vlan_error;
+ }
}
- ret = stmmac_vlan_update(priv, is_double);
-
del_vlan_error:
pm_runtime_put(priv->device);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 122/460] ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 121/460] mmc: core: Avoid bitfield RMW for claim/retune flags Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 123/460] tipc: fix divide-by-zero in tipc_sk_filter_connect() Greg Kroah-Hartman
` (180 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ravi Hothi, Srinivas Kandagatla,
Mark Brown
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ravi Hothi <ravi.hothi@oss.qualcomm.com>
commit d6db827b430bdcca3976cebca7bd69cca03cde2c upstream.
During ADSP stop and start, the kernel crashes due to the order in which
ASoC components are removed.
On ADSP stop, the q6apm-audio .remove callback unloads topology and removes
PCM runtimes during ASoC teardown. This deletes the RTDs that contain the
q6apm DAI components before their removal pass runs, leaving those
components still linked to the card and causing crashes on the next rebind.
Fix this by ensuring that all dependent (child) components are removed
first, and the q6apm component is removed last.
[ 48.105720] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0
[ 48.114763] Mem abort info:
[ 48.117650] ESR = 0x0000000096000004
[ 48.121526] EC = 0x25: DABT (current EL), IL = 32 bits
[ 48.127010] SET = 0, FnV = 0
[ 48.130172] EA = 0, S1PTW = 0
[ 48.133415] FSC = 0x04: level 0 translation fault
[ 48.138446] Data abort info:
[ 48.141422] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 48.147079] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 48.152354] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 48.157859] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001173cf000
[ 48.164517] [00000000000000d0] pgd=0000000000000000, p4d=0000000000000000
[ 48.171530] Internal error: Oops: 0000000096000004 [#1] SMP
[ 48.177348] Modules linked in: q6prm_clocks q6apm_lpass_dais q6apm_dai snd_q6dsp_common q6prm snd_q6apm 8021q garp mrp stp llc snd_soc_hdmi_codec apr pdr_interface phy_qcom_edp fastrpc qcom_pd_mapper rpmsg_ctrl qrtr_smd rpmsg_char qcom_pdr_msg qcom_iris v4l2_mem2mem videobuf2_dma_contig ath11k_pci msm ubwc_config at24 ath11k videobuf2_memops mac80211 ocmem videobuf2_v4l2 libarc4 drm_gpuvm mhi qrtr videodev drm_exec snd_soc_sc8280xp gpu_sched videobuf2_common nvmem_qcom_spmi_sdam snd_soc_qcom_sdw drm_dp_aux_bus qcom_q6v5_pas qcom_spmi_temp_alarm snd_soc_qcom_common rtc_pm8xxx qcom_pon drm_display_helper cec qcom_pil_info qcom_stats soundwire_bus drm_client_lib mc dispcc0_sa8775p videocc_sa8775p qcom_q6v5 camcc_sa8775p snd_soc_dmic phy_qcom_sgmii_eth snd_soc_max98357a i2c_qcom_geni snd_soc_core dwmac_qcom_ethqos llcc_qcom icc_bwmon qcom_sysmon snd_compress qcom_refgen_regulator coresight_stm stmmac_platform snd_pcm_dmaengine qcom_common coresight_tmc stmmac coresight_replicator qcom_glink_smem coresight_cti stm_core
[ 48.177444] coresight_funnel snd_pcm ufs_qcom phy_qcom_qmp_usb gpi phy_qcom_snps_femto_v2 coresight phy_qcom_qmp_ufs qcom_wdt gpucc_sa8775p pcs_xpcs mdt_loader qcom_ice icc_osm_l3 qmi_helpers snd_timer snd soundcore display_connector qcom_rng nvmem_reboot_mode drm_kms_helper phy_qcom_qmp_pcie sha256 cfg80211 rfkill socinfo fuse drm backlight ipv6
[ 48.301059] CPU: 2 UID: 0 PID: 293 Comm: kworker/u32:2 Not tainted 6.19.0-rc6-dirty #10 PREEMPT
[ 48.310081] Hardware name: Qualcomm Technologies, Inc. Lemans EVK (DT)
[ 48.316782] Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]
[ 48.323672] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 48.330825] pc : mutex_lock+0xc/0x54
[ 48.334514] lr : soc_dapm_shutdown_dapm+0x44/0x174 [snd_soc_core]
[ 48.340794] sp : ffff800084ddb7b0
[ 48.344207] x29: ffff800084ddb7b0 x28: ffff00009cd9cf30 x27: ffff00009cd9cc00
[ 48.351544] x26: ffff000099610190 x25: ffffa31d2f19c810 x24: ffffa31d2f185098
[ 48.358869] x23: ffff800084ddb7f8 x22: 0000000000000000 x21: 00000000000000d0
[ 48.366198] x20: ffff00009ba6c338 x19: ffff00009ba6c338 x18: 00000000ffffffff
[ 48.373528] x17: 000000040044ffff x16: ffffa31d4ae6dca8 x15: 072007740775076f
[ 48.380853] x14: 0765076d07690774 x13: 00313a323a656369 x12: 767265733a637673
[ 48.388182] x11: 00000000000003f9 x10: ffffa31d4c7dea98 x9 : 0000000000000001
[ 48.395519] x8 : ffff00009a2aadc0 x7 : 0000000000000003 x6 : 0000000000000000
[ 48.402854] x5 : 0000000000000000 x4 : 0000000000000028 x3 : ffff000ef397a698
[ 48.410180] x2 : ffff00009a2aadc0 x1 : 0000000000000000 x0 : 00000000000000d0
[ 48.417506] Call trace:
[ 48.420025] mutex_lock+0xc/0x54 (P)
[ 48.423712] snd_soc_dapm_shutdown+0x44/0xbc [snd_soc_core]
[ 48.429447] soc_cleanup_card_resources+0x30/0x2c0 [snd_soc_core]
[ 48.435719] snd_soc_bind_card+0x4dc/0xcc0 [snd_soc_core]
[ 48.441278] snd_soc_add_component+0x27c/0x2c8 [snd_soc_core]
[ 48.447192] snd_soc_register_component+0x9c/0xf4 [snd_soc_core]
[ 48.453371] devm_snd_soc_register_component+0x64/0xc4 [snd_soc_core]
[ 48.459994] apm_probe+0xb4/0x110 [snd_q6apm]
[ 48.464479] apr_device_probe+0x24/0x40 [apr]
[ 48.468964] really_probe+0xbc/0x298
[ 48.472651] __driver_probe_device+0x78/0x12c
[ 48.477132] driver_probe_device+0x40/0x160
[ 48.481435] __device_attach_driver+0xb8/0x134
[ 48.486011] bus_for_each_drv+0x80/0xdc
[ 48.489964] __device_attach+0xa8/0x1b0
[ 48.493916] device_initial_probe+0x50/0x54
[ 48.498219] bus_probe_device+0x38/0xa0
[ 48.502170] device_add+0x590/0x760
[ 48.505761] device_register+0x20/0x30
[ 48.509623] of_register_apr_devices+0x1d8/0x318 [apr]
[ 48.514905] apr_pd_status+0x2c/0x54 [apr]
[ 48.519114] pdr_notifier_work+0x8c/0xe0 [pdr_interface]
[ 48.524570] process_one_work+0x150/0x294
[ 48.528692] worker_thread+0x2d8/0x3d8
[ 48.532551] kthread+0x130/0x204
[ 48.535874] ret_from_fork+0x10/0x20
[ 48.539559] Code: d65f03c0 d5384102 d503201f d2800001 (c8e17c02)
[ 48.545823] ---[ end trace 0000000000000000 ]---
Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support")
Cc: stable@vger.kernel.org
Signed-off-by: Ravi Hothi <ravi.hothi@oss.qualcomm.com>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260227144534.278568-1-ravi.hothi@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm-dai.c | 1 +
sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 1 +
sound/soc/qcom/qdsp6/q6apm.c | 1 +
3 files changed, 3 insertions(+)
--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
@@ -844,6 +844,7 @@ static const struct snd_soc_component_dr
.ack = q6apm_dai_ack,
.compress_ops = &q6apm_dai_compress_ops,
.use_dai_pcm_id = true,
+ .remove_order = SND_SOC_COMP_ORDER_EARLY,
};
static int q6apm_dai_probe(struct platform_device *pdev)
--- a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
+++ b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
@@ -278,6 +278,7 @@ static const struct snd_soc_component_dr
.of_xlate_dai_name = q6dsp_audio_ports_of_xlate_dai_name,
.be_pcm_base = AUDIOREACH_BE_PCM_BASE,
.use_dai_pcm_id = true,
+ .remove_order = SND_SOC_COMP_ORDER_FIRST,
};
static int q6apm_lpass_dai_dev_probe(struct platform_device *pdev)
--- a/sound/soc/qcom/qdsp6/q6apm.c
+++ b/sound/soc/qcom/qdsp6/q6apm.c
@@ -732,6 +732,7 @@ static const struct snd_soc_component_dr
.name = APM_AUDIO_DRV_NAME,
.probe = q6apm_audio_probe,
.remove = q6apm_audio_remove,
+ .remove_order = SND_SOC_COMP_ORDER_LAST,
};
static int apm_probe(gpr_device_t *gdev)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 198/567] scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 197/567] apparmor: fix race between freeing data and fs accessing it Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 199/567] ACPI: PM: Save NVS memory on Lenovo G70-35 Greg Kroah-Hartman
` (179 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kiszka, Florian Bezdeka,
Michael Kelley, Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kiszka <jan.kiszka@siemens.com>
[ Upstream commit 57297736c08233987e5d29ce6584c6ca2a831b12 ]
This resolves the follow splat and lock-up when running with PREEMPT_RT
enabled on Hyper-V:
[ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002
[ 415.140822] INFO: lockdep is turned off.
[ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec ghash_clmulni_intel aesni_intel rapl binfmt_misc nls_ascii nls_cp437 vfat fat snd_pcm hyperv_drm snd_timer drm_client_lib drm_shmem_helper snd sg soundcore drm_kms_helper pcspkr hv_balloon hv_utils evdev joydev drm configfs efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common hv_sock vmw_vsock_vmci_transport vsock vmw_vmci efivarfs autofs4 ext4 crc16 mbcache jbd2 sr_mod sd_mod cdrom hv_storvsc serio_raw hid_generic scsi_transport_fc hid_hyperv scsi_mod hid hv_netvsc hyperv_keyboard scsi_common
[ 415.140846] Preemption disabled at:
[ 415.140847] [<ffffffffc0656171>] storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]
[ 415.140854] CPU: 8 UID: 0 PID: 1048 Comm: stress-ng-iomix Not tainted 6.19.0-rc7 #30 PREEMPT_{RT,(full)}
[ 415.140856] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/04/2024
[ 415.140857] Call Trace:
[ 415.140861] <TASK>
[ 415.140861] ? storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]
[ 415.140863] dump_stack_lvl+0x91/0xb0
[ 415.140870] __schedule_bug+0x9c/0xc0
[ 415.140875] __schedule+0xdf6/0x1300
[ 415.140877] ? rtlock_slowlock_locked+0x56c/0x1980
[ 415.140879] ? rcu_is_watching+0x12/0x60
[ 415.140883] schedule_rtlock+0x21/0x40
[ 415.140885] rtlock_slowlock_locked+0x502/0x1980
[ 415.140891] rt_spin_lock+0x89/0x1e0
[ 415.140893] hv_ringbuffer_write+0x87/0x2a0
[ 415.140899] vmbus_sendpacket_mpb_desc+0xb6/0xe0
[ 415.140900] ? rcu_is_watching+0x12/0x60
[ 415.140902] storvsc_queuecommand+0x669/0xbe0 [hv_storvsc]
[ 415.140904] ? HARDIRQ_verbose+0x10/0x10
[ 415.140908] ? __rq_qos_issue+0x28/0x40
[ 415.140911] scsi_queue_rq+0x760/0xd80 [scsi_mod]
[ 415.140926] __blk_mq_issue_directly+0x4a/0xc0
[ 415.140928] blk_mq_issue_direct+0x87/0x2b0
[ 415.140931] blk_mq_dispatch_queue_requests+0x120/0x440
[ 415.140933] blk_mq_flush_plug_list+0x7a/0x1a0
[ 415.140935] __blk_flush_plug+0xf4/0x150
[ 415.140940] __submit_bio+0x2b2/0x5c0
[ 415.140944] ? submit_bio_noacct_nocheck+0x272/0x360
[ 415.140946] submit_bio_noacct_nocheck+0x272/0x360
[ 415.140951] ext4_read_bh_lock+0x3e/0x60 [ext4]
[ 415.140995] ext4_block_write_begin+0x396/0x650 [ext4]
[ 415.141018] ? __pfx_ext4_da_get_block_prep+0x10/0x10 [ext4]
[ 415.141038] ext4_da_write_begin+0x1c4/0x350 [ext4]
[ 415.141060] generic_perform_write+0x14e/0x2c0
[ 415.141065] ext4_buffered_write_iter+0x6b/0x120 [ext4]
[ 415.141083] vfs_write+0x2ca/0x570
[ 415.141087] ksys_write+0x76/0xf0
[ 415.141089] do_syscall_64+0x99/0x1490
[ 415.141093] ? rcu_is_watching+0x12/0x60
[ 415.141095] ? finish_task_switch.isra.0+0xdf/0x3d0
[ 415.141097] ? rcu_is_watching+0x12/0x60
[ 415.141098] ? lock_release+0x1f0/0x2a0
[ 415.141100] ? rcu_is_watching+0x12/0x60
[ 415.141101] ? finish_task_switch.isra.0+0xe4/0x3d0
[ 415.141103] ? rcu_is_watching+0x12/0x60
[ 415.141104] ? __schedule+0xb34/0x1300
[ 415.141106] ? hrtimer_try_to_cancel+0x1d/0x170
[ 415.141109] ? do_nanosleep+0x8b/0x160
[ 415.141111] ? hrtimer_nanosleep+0x89/0x100
[ 415.141114] ? __pfx_hrtimer_wakeup+0x10/0x10
[ 415.141116] ? xfd_validate_state+0x26/0x90
[ 415.141118] ? rcu_is_watching+0x12/0x60
[ 415.141120] ? do_syscall_64+0x1e0/0x1490
[ 415.141121] ? do_syscall_64+0x1e0/0x1490
[ 415.141123] ? rcu_is_watching+0x12/0x60
[ 415.141124] ? do_syscall_64+0x1e0/0x1490
[ 415.141125] ? do_syscall_64+0x1e0/0x1490
[ 415.141127] ? irqentry_exit+0x140/0x7e0
[ 415.141129] entry_SYSCALL_64_after_hwframe+0x76/0x7e
get_cpu() disables preemption while the spinlock hv_ringbuffer_write is
using is converted to an rt-mutex under PREEMPT_RT.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Tested-by: Florian Bezdeka <florian.bezdeka@siemens.com>
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Michael Kelley <mhklinux@outlook.com>
Link: https://patch.msgid.link/0c7fb5cd-fb21-4760-8593-e04bade84744@siemens.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/storvsc_drv.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index 9dcad02ce4895..106bccaac4276 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1861,8 +1861,9 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
cmd_request->payload_sz = payload_sz;
/* Invokes the vsc to start an IO */
- ret = storvsc_do_io(dev, cmd_request, get_cpu());
- put_cpu();
+ migrate_disable();
+ ret = storvsc_do_io(dev, cmd_request, smp_processor_id());
+ migrate_enable();
if (ret)
scsi_dma_unmap(scmnd);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 136/481] net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 135/481] net: stmmac: Fix error handling in VLAN add and delete paths Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 137/481] net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
` (179 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Valerio, Lorenzo Bianconi,
Paolo Abeni, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 0abc73c8a40fd64ac1739c90bb4f42c418d27a5e ]
Reset eBPF program pointer to old_prog and do not decrease its ref-count
if mtk_open routine in mtk_xdp_setup() fails.
Fixes: 7c26c20da5d42 ("net: ethernet: mtk_eth_soc: add basic XDP support")
Suggested-by: Paolo Valerio <pvalerio@redhat.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260303-mtk-xdp-prog-ptr-fix-v2-1-97b6dbbe240f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mediatek/mtk_eth_soc.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
index 3f2f725ccceb3..20d14e3ae6efd 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
@@ -3119,12 +3119,21 @@ static int mtk_xdp_setup(struct net_device *dev, struct bpf_prog *prog,
mtk_stop(dev);
old_prog = rcu_replace_pointer(eth->prog, prog, lockdep_rtnl_is_held());
+
+ if (netif_running(dev) && need_update) {
+ int err;
+
+ err = mtk_open(dev);
+ if (err) {
+ rcu_assign_pointer(eth->prog, old_prog);
+
+ return err;
+ }
+ }
+
if (old_prog)
bpf_prog_put(old_prog);
- if (netif_running(dev) && need_update)
- return mtk_open(dev);
-
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 123/460] tipc: fix divide-by-zero in tipc_sk_filter_connect()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 122/460] ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 124/460] kprobes: avoid crash when rmmod/insmod after ftrace killed Greg Kroah-Hartman
` (179 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mehul Rao, Tung Nguyen,
Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mehul Rao <mehulrao@gmail.com>
commit 6c5a9baa15de240e747263aba435a0951da8d8d2 upstream.
A user can set conn_timeout to any value via
setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a
SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in
tipc_sk_filter_connect() executes:
delay %= (tsk->conn_timeout / 4);
If conn_timeout is in the range [0, 3], the integer division yields 0,
and the modulo operation triggers a divide-by-zero exception, causing a
kernel oops/panic.
Fix this by clamping conn_timeout to a minimum of 4 at the point of use
in tipc_sk_filter_connect().
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362)
Call Trace:
tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406)
__release_sock (include/net/sock.h:1185 net/core/sock.c:3213)
release_sock (net/core/sock.c:3797)
tipc_connect (net/tipc/socket.c:2570)
__sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098)
Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket")
Cc: stable@vger.kernel.org
Signed-off-by: Mehul Rao <mehulrao@gmail.com>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Link: https://patch.msgid.link/20260310170730.28841-1-mehulrao@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tipc/socket.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2233,6 +2233,8 @@ static bool tipc_sk_filter_connect(struc
if (skb_queue_empty(&sk->sk_write_queue))
break;
get_random_bytes(&delay, 2);
+ if (tsk->conn_timeout < 4)
+ tsk->conn_timeout = 4;
delay %= (tsk->conn_timeout / 4);
delay = msecs_to_jiffies(delay + 100);
sk_reset_timer(sk, &sk->sk_timer, jiffies + delay);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 199/567] ACPI: PM: Save NVS memory on Lenovo G70-35
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 198/567] scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 200/567] scsi: mpi3mr: Add NULL checks when resetting request and reply queues Greg Kroah-Hartman
` (178 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Piotr Mazek, Rafael J. Wysocki,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Piotr Mazek <pmazek@outlook.com>
[ Upstream commit 023cd6d90f8aa2ef7b72d84be84a18e61ecebd64 ]
[821d6f0359b0614792ab8e2fb93b503e25a65079] prevented machines
produced later than 2012 from saving NVS region to accelerate S3.
Despite being made after 2012, Lenovo G70-35 still needs NVS memory
saving during S3. A quirk is introduced for this platform.
Signed-off-by: Piotr Mazek <pmazek@outlook.com>
[ rjw: Subject adjustment ]
Link: https://patch.msgid.link/GV2PPF3CD5B63CC2442EE3F76F8443EAD90D499A@GV2PPF3CD5B63CC.EURP251.PROD.OUTLOOK.COM
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/sleep.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
index 728acfeb774d8..2fd51b18d13c4 100644
--- a/drivers/acpi/sleep.c
+++ b/drivers/acpi/sleep.c
@@ -372,6 +372,14 @@ static const struct dmi_system_id acpisleep_dmi_table[] __initconst = {
DMI_MATCH(DMI_PRODUCT_NAME, "80E1"),
},
},
+ {
+ .callback = init_nvs_save_s3,
+ .ident = "Lenovo G70-35",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "80Q5"),
+ },
+ },
/*
* ThinkPad X1 Tablet(2016) cannot do suspend-to-idle using
* the Low Power S0 Idle firmware interface (see
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 137/481] net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 136/481] net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup() Greg Kroah-Hartman
@ 2026-03-23 13:41 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 138/481] net: vxlan: " Greg Kroah-Hartman
` (178 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guruprasad C P,
Fernando Fernandez Mancera, Ido Schimmel, Nikolay Aleksandrov,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit e5e890630533bdc15b26a34bb8e7ef539bdf1322 ]
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called
which initializes it. Then, if neigh_suppress is enabled and an ICMPv6
Neighbor Discovery packet reaches the bridge, br_do_suppress_nd() will
dereference ipv6_stub->nd_tbl which is NULL, passing it to
neigh_lookup(). This causes a kernel NULL pointer dereference.
BUG: kernel NULL pointer dereference, address: 0000000000000268
Oops: 0000 [#1] PREEMPT SMP NOPTI
[...]
RIP: 0010:neigh_lookup+0x16/0xe0
[...]
Call Trace:
<IRQ>
? neigh_lookup+0x16/0xe0
br_do_suppress_nd+0x160/0x290 [bridge]
br_handle_frame_finish+0x500/0x620 [bridge]
br_handle_frame+0x353/0x440 [bridge]
__netif_receive_skb_core.constprop.0+0x298/0x1110
__netif_receive_skb_one_core+0x3d/0xa0
process_backlog+0xa0/0x140
__napi_poll+0x2c/0x170
net_rx_action+0x2c4/0x3a0
handle_softirqs+0xd0/0x270
do_softirq+0x3f/0x60
Fix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in
the callers. This is in essence disabling NS/NA suppression when IPv6 is
disabled.
Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
Reported-by: Guruprasad C P <gurucp2005@gmail.com>
Closes: https://lore.kernel.org/netdev/CAHXs0ORzd62QOG-Fttqa2Cx_A_VFp=utE2H2VTX5nqfgs7LDxQ@mail.gmail.com/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20260304120357.9778-1-fmancera@suse.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_device.c | 2 +-
net/bridge/br_input.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index 036ae99d09841..052986e05e620 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -71,7 +71,7 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
eth_hdr(skb)->h_proto == htons(ETH_P_RARP)) &&
br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED)) {
br_do_proxy_suppress_arp(skb, br, vid, NULL);
- } else if (IS_ENABLED(CONFIG_IPV6) &&
+ } else if (ipv6_mod_enabled() &&
skb->protocol == htons(ETH_P_IPV6) &&
br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED) &&
pskb_may_pull(skb, sizeof(struct ipv6hdr) +
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index e33500771b30f..aca6db6f95355 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -148,7 +148,7 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
(skb->protocol == htons(ETH_P_ARP) ||
skb->protocol == htons(ETH_P_RARP))) {
br_do_proxy_suppress_arp(skb, br, vid, p);
- } else if (IS_ENABLED(CONFIG_IPV6) &&
+ } else if (ipv6_mod_enabled() &&
skb->protocol == htons(ETH_P_IPV6) &&
br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED) &&
pskb_may_pull(skb, sizeof(struct ipv6hdr) +
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 124/460] kprobes: avoid crash when rmmod/insmod after ftrace killed
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.12 123/460] tipc: fix divide-by-zero in tipc_sk_filter_connect() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 125/460] ceph: add a bunch of missing ceph_path_info initializers Greg Kroah-Hartman
` (178 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Masami Hiramatsu (Google),
Steven Rostedt (Google)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
commit e113f0b46d19626ec15388bcb91432c9a4fd6261 upstream.
After we hit ftrace is killed by some errors, the kernel crash if
we remove modules in which kprobe probes.
BUG: unable to handle page fault for address: fffffbfff805000d
PGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN PTI
CPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OE
Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
RIP: 0010:kprobes_module_callback+0x89/0x790
RSP: 0018:ffff88812e157d30 EFLAGS: 00010a02
RAX: 1ffffffff805000d RBX: dffffc0000000000 RCX: ffffffff86a8de90
RDX: ffffed1025c2af9b RSI: 0000000000000008 RDI: ffffffffc0280068
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed1025c2af9a
R10: ffff88812e157cd7 R11: 205d323130325420 R12: 0000000000000002
R13: ffffffffc0290488 R14: 0000000000000002 R15: ffffffffc0280040
FS: 00007fbc450dd740(0000) GS:ffff888420331000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff805000d CR3: 000000010f624000 CR4: 00000000000006f0
Call Trace:
<TASK>
notifier_call_chain+0xc6/0x280
blocking_notifier_call_chain+0x60/0x90
__do_sys_delete_module.constprop.0+0x32a/0x4e0
do_syscall_64+0x5d/0xfa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
This is because the kprobe on ftrace does not correctly handles
the kprobe_ftrace_disabled flag set by ftrace_kill().
To prevent this error, check kprobe_ftrace_disabled in
__disarm_kprobe_ftrace() and skip all ftrace related operations.
Link: https://lore.kernel.org/all/176473947565.1727781.13110060700668331950.stgit@mhiramat.tok.corp.google.com/
Reported-by: Ye Bin <yebin10@huawei.com>
Closes: https://lore.kernel.org/all/20251125020536.2484381-1-yebin@huaweicloud.com/
Fixes: ae6aa16fdc16 ("kprobes: introduce ftrace based optimization")
Cc: stable@vger.kernel.org
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/kprobes.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1113,6 +1113,10 @@ static int __disarm_kprobe_ftrace(struct
int ret;
lockdep_assert_held(&kprobe_mutex);
+ if (unlikely(kprobe_ftrace_disabled)) {
+ /* Now ftrace is disabled forever, disarm is already done. */
+ return 0;
+ }
if (*cnt == 1) {
ret = unregister_ftrace_function(ops);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 200/567] scsi: mpi3mr: Add NULL checks when resetting request and reply queues
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.6 199/567] ACPI: PM: Save NVS memory on Lenovo G70-35 Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 201/567] unshare: fix unshare_fs() handling Greg Kroah-Hartman
` (177 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ranjan Kumar, Martin K. Petersen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
[ Upstream commit fa96392ebebc8fade2b878acb14cce0f71016503 ]
The driver encountered a crash during resource cleanup when the reply and
request queues were NULL due to freed memory. This issue occurred when the
creation of reply or request queues failed, and the driver freed the memory
first, but attempted to mem set the content of the freed memory, leading to
a system crash.
Add NULL pointer checks for reply and request queues before accessing the
reply/request memory during cleanup
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://patch.msgid.link/20260212070026.30263-1-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mpi3mr/mpi3mr_fw.c | 34 ++++++++++++++++++---------------
1 file changed, 19 insertions(+), 15 deletions(-)
diff --git a/drivers/scsi/mpi3mr/mpi3mr_fw.c b/drivers/scsi/mpi3mr/mpi3mr_fw.c
index b6ae7ba6de523..b742ece3f0507 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
@@ -4262,21 +4262,25 @@ void mpi3mr_memset_buffers(struct mpi3mr_ioc *mrioc)
}
for (i = 0; i < mrioc->num_queues; i++) {
- mrioc->op_reply_qinfo[i].qid = 0;
- mrioc->op_reply_qinfo[i].ci = 0;
- mrioc->op_reply_qinfo[i].num_replies = 0;
- mrioc->op_reply_qinfo[i].ephase = 0;
- atomic_set(&mrioc->op_reply_qinfo[i].pend_ios, 0);
- atomic_set(&mrioc->op_reply_qinfo[i].in_use, 0);
- mpi3mr_memset_op_reply_q_buffers(mrioc, i);
-
- mrioc->req_qinfo[i].ci = 0;
- mrioc->req_qinfo[i].pi = 0;
- mrioc->req_qinfo[i].num_requests = 0;
- mrioc->req_qinfo[i].qid = 0;
- mrioc->req_qinfo[i].reply_qid = 0;
- spin_lock_init(&mrioc->req_qinfo[i].q_lock);
- mpi3mr_memset_op_req_q_buffers(mrioc, i);
+ if (mrioc->op_reply_qinfo) {
+ mrioc->op_reply_qinfo[i].qid = 0;
+ mrioc->op_reply_qinfo[i].ci = 0;
+ mrioc->op_reply_qinfo[i].num_replies = 0;
+ mrioc->op_reply_qinfo[i].ephase = 0;
+ atomic_set(&mrioc->op_reply_qinfo[i].pend_ios, 0);
+ atomic_set(&mrioc->op_reply_qinfo[i].in_use, 0);
+ mpi3mr_memset_op_reply_q_buffers(mrioc, i);
+ }
+
+ if (mrioc->req_qinfo) {
+ mrioc->req_qinfo[i].ci = 0;
+ mrioc->req_qinfo[i].pi = 0;
+ mrioc->req_qinfo[i].num_requests = 0;
+ mrioc->req_qinfo[i].qid = 0;
+ mrioc->req_qinfo[i].reply_qid = 0;
+ spin_lock_init(&mrioc->req_qinfo[i].q_lock);
+ mpi3mr_memset_op_req_q_buffers(mrioc, i);
+ }
}
atomic_set(&mrioc->pend_large_data_sz, 0);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 138/481] net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-03-23 13:41 ` [PATCH 6.1 137/481] net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 139/481] net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop Greg Kroah-Hartman
` (177 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 168ff39e4758897d2eee4756977d036d52884c7e ]
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called
which initializes it. If an IPv6 packet is injected into the interface,
route_shortcircuit() is called and a NULL pointer dereference happens on
neigh_lookup().
BUG: kernel NULL pointer dereference, address: 0000000000000380
Oops: Oops: 0000 [#1] SMP NOPTI
[...]
RIP: 0010:neigh_lookup+0x20/0x270
[...]
Call Trace:
<TASK>
vxlan_xmit+0x638/0x1ef0 [vxlan]
dev_hard_start_xmit+0x9e/0x2e0
__dev_queue_xmit+0xbee/0x14e0
packet_sendmsg+0x116f/0x1930
__sys_sendto+0x1f5/0x200
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x12f/0x1590
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fix this by adding an early check on route_shortcircuit() when protocol
is ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because
VXLAN can be built-in even when IPv6 is built as a module.
Fixes: e15a00aafa4b ("vxlan: add ipv6 route short circuit support")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Link: https://patch.msgid.link/20260304120357.9778-2-fmancera@suse.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/vxlan/vxlan_core.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
index 50dacdc1b6a7a..9c3a12feb25d2 100644
--- a/drivers/net/vxlan/vxlan_core.c
+++ b/drivers/net/vxlan/vxlan_core.c
@@ -2171,6 +2171,11 @@ static bool route_shortcircuit(struct net_device *dev, struct sk_buff *skb)
{
struct ipv6hdr *pip6;
+ /* check if nd_tbl is not initiliazed due to
+ * ipv6.disable=1 set during boot
+ */
+ if (!ipv6_stub->nd_tbl)
+ return false;
if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
return false;
pip6 = ipv6_hdr(skb);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 125/460] ceph: add a bunch of missing ceph_path_info initializers
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 124/460] kprobes: avoid crash when rmmod/insmod after ftrace killed Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 126/460] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() Greg Kroah-Hartman
` (177 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Kellermann, Viacheslav Dubeyko,
Ilya Dryomov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Kellermann <max.kellermann@ionos.com>
commit 43323a5934b660afae687e8e4e95ac328615a5c4 upstream.
ceph_mdsc_build_path() must be called with a zero-initialized
ceph_path_info parameter, or else the following
ceph_mdsc_free_path_info() may crash.
Example crash (on Linux 6.18.12):
virt_to_cache: Object is not a Slab page!
WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6732 kmem_cache_free+0x316/0x400
[...]
Call Trace:
[...]
ceph_open+0x13d/0x3e0
do_dentry_open+0x134/0x480
vfs_open+0x2a/0xe0
path_openat+0x9a3/0x1160
[...]
cache_from_obj: Wrong slab cache. names_cache but object is from ceph_inode_info
WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6746 kmem_cache_free+0x2dd/0x400
[...]
kernel BUG at mm/slub.c:634!
Oops: invalid opcode: 0000 [#1] SMP NOPTI
RIP: 0010:__slab_free+0x1a4/0x350
Some of the ceph_mdsc_build_path() callers had initializers, but
others had not, even though they were all added by commit 15f519e9f883
("ceph: fix race condition validating r_parent before applying state").
The ones without initializer are suspectible to random crashes. (I can
imagine it could even be possible to exploit this bug to elevate
privileges.)
Unfortunately, these Ceph functions are undocumented and its semantics
can only be derived from the code. I see that ceph_mdsc_build_path()
initializes the structure only on success, but not on error.
Calling ceph_mdsc_free_path_info() after a failed
ceph_mdsc_build_path() call does not even make sense, but that's what
all callers do, and for it to be safe, the structure must be
zero-initialized. The least intrusive approach to fix this is
therefore to add initializers everywhere.
Cc: stable@vger.kernel.org
Fixes: 15f519e9f883 ("ceph: fix race condition validating r_parent before applying state")
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/debugfs.c | 4 ++--
fs/ceph/dir.c | 2 +-
fs/ceph/file.c | 4 ++--
fs/ceph/inode.c | 2 +-
4 files changed, 6 insertions(+), 6 deletions(-)
--- a/fs/ceph/debugfs.c
+++ b/fs/ceph/debugfs.c
@@ -79,7 +79,7 @@ static int mdsc_show(struct seq_file *s,
if (req->r_inode) {
seq_printf(s, " #%llx", ceph_ino(req->r_inode));
} else if (req->r_dentry) {
- struct ceph_path_info path_info;
+ struct ceph_path_info path_info = {0};
path = ceph_mdsc_build_path(mdsc, req->r_dentry, &path_info, 0);
if (IS_ERR(path))
path = NULL;
@@ -98,7 +98,7 @@ static int mdsc_show(struct seq_file *s,
}
if (req->r_old_dentry) {
- struct ceph_path_info path_info;
+ struct ceph_path_info path_info = {0};
path = ceph_mdsc_build_path(mdsc, req->r_old_dentry, &path_info, 0);
if (IS_ERR(path))
path = NULL;
--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -1354,7 +1354,7 @@ static int ceph_unlink(struct inode *dir
if (!dn) {
try_async = false;
} else {
- struct ceph_path_info path_info;
+ struct ceph_path_info path_info = {0};
path = ceph_mdsc_build_path(mdsc, dn, &path_info, 0);
if (IS_ERR(path)) {
try_async = false;
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -397,7 +397,7 @@ int ceph_open(struct inode *inode, struc
if (!dentry) {
do_sync = true;
} else {
- struct ceph_path_info path_info;
+ struct ceph_path_info path_info = {0};
path = ceph_mdsc_build_path(mdsc, dentry, &path_info, 0);
if (IS_ERR(path)) {
do_sync = true;
@@ -807,7 +807,7 @@ int ceph_atomic_open(struct inode *dir,
if (!dn) {
try_async = false;
} else {
- struct ceph_path_info path_info;
+ struct ceph_path_info path_info = {0};
path = ceph_mdsc_build_path(mdsc, dn, &path_info, 0);
if (IS_ERR(path)) {
try_async = false;
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -2546,7 +2546,7 @@ int __ceph_setattr(struct mnt_idmap *idm
if (!dentry) {
do_sync = true;
} else {
- struct ceph_path_info path_info;
+ struct ceph_path_info path_info = {0};
path = ceph_mdsc_build_path(mdsc, dentry, &path_info, 0);
if (IS_ERR(path)) {
do_sync = true;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 201/567] unshare: fix unshare_fs() handling
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 200/567] scsi: mpi3mr: Add NULL checks when resetting request and reply queues Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 202/567] wifi: mac80211: set default WMM parameters on all links Greg Kroah-Hartman
` (176 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Al Viro, Waiman Long,
Christian Brauner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 6c4b2243cb6c0755159bd567130d5e12e7b10d9f ]
There's an unpleasant corner case in unshare(2), when we have a
CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that
case copy_mnt_ns() gets passed current->fs instead of a private copy,
which causes interesting warts in proof of correctness]
> I guess if private means fs->users == 1, the condition could still be true.
Unfortunately, it's worse than just a convoluted proof of correctness.
Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS
(and current->fs->users == 1).
We pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and
flips current->fs->{pwd,root} to corresponding locations in the new namespace.
Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM).
We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's
destroyed and its mount tree is dissolved, but... current->fs->root and
current->fs->pwd are both left pointing to now detached mounts.
They are pinning those, so it's not a UAF, but it leaves the calling
process with unshare(2) failing with -ENOMEM _and_ leaving it with
pwd and root on detached isolated mounts. The last part is clearly a bug.
There is other fun related to that mess (races with pivot_root(), including
the one between pivot_root() and fork(), of all things), but this one
is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new
fs_struct even if it hadn't been shared in the first place". Sure, we could
go for something like "if both CLONE_NEWNS *and* one of the things that might
end up failing after copy_mnt_ns() call in create_new_namespaces() are set,
force allocation of new fs_struct", but let's keep it simple - the cost
of copy_fs_struct() is trivial.
Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets
a freshly allocated fs_struct, yet to be attached to anything. That
seriously simplifies the analysis...
FWIW, that bug had been there since the introduction of unshare(2) ;-/
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Link: https://patch.msgid.link/20260207082524.GE3183987@ZenIV
Tested-by: Waiman Long <longman@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/fork.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/fork.c b/kernel/fork.c
index 2141ebb2ef92a..ce6f6e1e39057 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -3350,7 +3350,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
return 0;
/* don't need lock here; in the worst case we'll do useless copy */
- if (fs->users == 1)
+ if (!(unshare_flags & CLONE_NEWNS) && fs->users == 1)
return 0;
*new_fsp = copy_fs_struct(fs);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 139/481] net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 138/481] net: vxlan: " Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 140/481] net/sched: act_ife: Fix metalist update behavior Greg Kroah-Hartman
` (176 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ido Schimmel,
syzbot+334190e097a98a1b81bb, Jiayuan Chen, David Ahern,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@shopee.com>
[ Upstream commit 21ec92774d1536f71bdc90b0e3d052eff99cf093 ]
When a standalone IPv6 nexthop object is created with a loopback device
(e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies
it as a reject route. This is because nexthop objects have no destination
prefix (fc_dst=::), causing fib6_is_reject() to match any loopback
nexthop. The reject path skips fib_nh_common_init(), leaving
nhc_pcpu_rth_output unallocated. If an IPv4 route later references this
nexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and
panics.
Simplify the check in fib6_nh_init() to only match explicit reject
routes (RTF_REJECT) instead of using fib6_is_reject(). The loopback
promotion heuristic in fib6_is_reject() is handled separately by
ip6_route_info_create_nh(). After this change, the three cases behave
as follows:
1. Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"):
RTF_REJECT is set, enters reject path, skips fib_nh_common_init().
No behavior change.
2. Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"):
RTF_REJECT is not set, takes normal path, fib_nh_common_init() is
called. ip6_route_info_create_nh() still promotes it to reject
afterward. nhc_pcpu_rth_output is allocated but unused, which is
harmless.
3. Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"):
RTF_REJECT is not set, takes normal path, fib_nh_common_init() is
called. nhc_pcpu_rth_output is properly allocated, fixing the crash
when IPv4 routes reference this nexthop.
Suggested-by: Ido Schimmel <idosch@nvidia.com>
Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects")
Reported-by: syzbot+334190e097a98a1b81bb@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/698f8482.a70a0220.2c38d7.00ca.GAE@google.com/T/
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260304113817.294966-2-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/route.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 5aa5390da1095..987ef0954e2ea 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -3558,7 +3558,6 @@ int fib6_nh_init(struct net *net, struct fib6_nh *fib6_nh,
{
struct net_device *dev = NULL;
struct inet6_dev *idev = NULL;
- int addr_type;
int err;
fib6_nh->fib_nh_family = AF_INET6;
@@ -3599,11 +3598,10 @@ int fib6_nh_init(struct net *net, struct fib6_nh *fib6_nh,
fib6_nh->fib_nh_weight = 1;
- /* We cannot add true routes via loopback here,
- * they would result in kernel looping; promote them to reject routes
+ /* Reset the nexthop device to the loopback device in case of reject
+ * routes.
*/
- addr_type = ipv6_addr_type(&cfg->fc_dst);
- if (fib6_is_reject(cfg->fc_flags, dev, addr_type)) {
+ if (cfg->fc_flags & RTF_REJECT) {
/* hold loopback dev/idev if we haven't done so. */
if (dev != net->loopback_dev) {
if (dev) {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 126/460] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 125/460] ceph: add a bunch of missing ceph_path_info initializers Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 127/460] libceph: reject preamble if control segment is empty Greg Kroah-Hartman
` (176 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Viacheslav Dubeyko,
Ilya Dryomov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit b282c43ed156ae15ea76748fc15cd5c39dc9ab72 upstream.
This patch fixes an out-of-bounds access in ceph_handle_auth_reply()
that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In
ceph_handle_auth_reply(), the value of the payload_len field of such a
message is stored in a variable of type int. A value greater than
INT_MAX leads to an integer overflow and is interpreted as a negative
value. This leads to decrementing the pointer address by this value and
subsequently accessing it because ceph_decode_need() only checks that
the memory access does not exceed the end address of the allocation.
This patch fixes the issue by changing the data type of payload_len to
u32. Additionally, the data type of result_msg_len is changed to u32,
as it is also a variable holding a non-negative length.
Also, an additional layer of sanity checks is introduced, ensuring that
directly after reading it from the message, payload_len and
result_msg_len are not greater than the overall segment length.
BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]
Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262
CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: ceph-msgr ceph_con_workfn [libceph]
Call Trace:
<TASK>
dump_stack_lvl+0x76/0xa0
print_report+0xd1/0x620
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? kasan_complete_mode_report_info+0x72/0x210
kasan_report+0xe7/0x130
? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
__asan_report_load_n_noabort+0xf/0x20
ceph_handle_auth_reply+0x642/0x7a0 [libceph]
mon_dispatch+0x973/0x23d0 [libceph]
? apparmor_socket_recvmsg+0x6b/0xa0
? __pfx_mon_dispatch+0x10/0x10 [libceph]
? __kasan_check_write+0x14/0x30i
? mutex_unlock+0x7f/0xd0
? __pfx_mutex_unlock+0x10/0x10
? __pfx_do_recvmsg+0x10/0x10 [libceph]
ceph_con_process_message+0x1f1/0x650 [libceph]
process_message+0x1e/0x450 [libceph]
ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]
? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]
? save_fpregs_to_fpstate+0xb0/0x230
? raw_spin_rq_unlock+0x17/0xa0
? finish_task_switch.isra.0+0x13b/0x760
? __switch_to+0x385/0xda0
? __kasan_check_write+0x14/0x30
? mutex_lock+0x8d/0xe0
? __pfx_mutex_lock+0x10/0x10
ceph_con_workfn+0x248/0x10c0 [libceph]
process_one_work+0x629/0xf80
? __kasan_check_write+0x14/0x30
worker_thread+0x87f/0x1570
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? __pfx_try_to_wake_up+0x10/0x10
? kasan_print_address_stack_frame+0x1f7/0x280
? __pfx_worker_thread+0x10/0x10
kthread+0x396/0x830
? __pfx__raw_spin_lock_irq+0x10/0x10
? __pfx_kthread+0x10/0x10
? __kasan_check_write+0x14/0x30
? recalc_sigpending+0x180/0x210
? __pfx_kthread+0x10/0x10
ret_from_fork+0x3f7/0x610
? __pfx_ret_from_fork+0x10/0x10
? __switch_to+0x385/0xda0
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
[ idryomov: replace if statements with ceph_decode_need() for
payload_len and result_msg_len ]
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/auth.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/ceph/auth.c
+++ b/net/ceph/auth.c
@@ -205,9 +205,9 @@ int ceph_handle_auth_reply(struct ceph_a
s32 result;
u64 global_id;
void *payload, *payload_end;
- int payload_len;
+ u32 payload_len;
char *result_msg;
- int result_msg_len;
+ u32 result_msg_len;
int ret = -EINVAL;
mutex_lock(&ac->mutex);
@@ -217,10 +217,12 @@ int ceph_handle_auth_reply(struct ceph_a
result = ceph_decode_32(&p);
global_id = ceph_decode_64(&p);
payload_len = ceph_decode_32(&p);
+ ceph_decode_need(&p, end, payload_len, bad);
payload = p;
p += payload_len;
ceph_decode_need(&p, end, sizeof(u32), bad);
result_msg_len = ceph_decode_32(&p);
+ ceph_decode_need(&p, end, result_msg_len, bad);
result_msg = p;
p += result_msg_len;
if (p != end)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 202/567] wifi: mac80211: set default WMM parameters on all links
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 201/567] unshare: fix unshare_fs() handling Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 203/567] ACPI: OSI: Add DMI quirk for Acer Aspire One D255 Greg Kroah-Hartman
` (175 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ramanathan Choodamani, Aishwarya R,
Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ramanathan Choodamani <quic_rchoodam@quicinc.com>
[ Upstream commit 2259d14499d16b115ef8d5d2ddc867e2be7cb5b5 ]
Currently, mac80211 only initializes default WMM parameters
on the deflink during do_open(). For MLO cases, this
leaves the additional links without proper WMM defaults
if hostapd does not supply per-link WMM parameters, leading
to inconsistent QoS behavior across links.
Set default WMM parameters for each link during
ieee80211_vif_update_links(), because this ensures all
individual links in an MLD have valid WMM settings during
bring-up and behave consistently across different BSS.
Signed-off-by: Ramanathan Choodamani <quic_rchoodam@quicinc.com>
Signed-off-by: Aishwarya R <aishwarya.r@oss.qualcomm.com>
Link: https://patch.msgid.link/20260205094216.3093542-1-aishwarya.r@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/link.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/mac80211/link.c b/net/mac80211/link.c
index af4d2b2e9a26f..2b44f1fe2031a 100644
--- a/net/mac80211/link.c
+++ b/net/mac80211/link.c
@@ -201,6 +201,7 @@ static int ieee80211_vif_update_links(struct ieee80211_sub_if_data *sdata,
struct ieee80211_bss_conf *old[IEEE80211_MLD_MAX_NUM_LINKS];
struct ieee80211_link_data *old_data[IEEE80211_MLD_MAX_NUM_LINKS];
bool use_deflink = old_links == 0; /* set for error case */
+ bool non_sta = sdata->vif.type != NL80211_IFTYPE_STATION;
sdata_assert_lock(sdata);
@@ -254,6 +255,7 @@ static int ieee80211_vif_update_links(struct ieee80211_sub_if_data *sdata,
link = links[link_id];
ieee80211_link_init(sdata, link_id, &link->data, &link->conf);
ieee80211_link_setup(&link->data);
+ ieee80211_set_wmm_default(&link->data, true, non_sta);
}
if (new_links == 0)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 140/481] net/sched: act_ife: Fix metalist update behavior
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 139/481] net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 141/481] xdp: use modulo operation to calculate XDP frag tailroom Greg Kroah-Hartman
` (175 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ruitong Liu, Victor Nogueira,
Jamal Hadi Salim, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit e2cedd400c3ec0302ffca2490e8751772906ac23 ]
Whenever an ife action replace changes the metalist, instead of
replacing the old data on the metalist, the current ife code is appending
the new metadata. Aside from being innapropriate behavior, this may lead
to an unbounded addition of metadata to the metalist which might cause an
out of bounds error when running the encode op:
[ 138.423369][ C1] ==================================================================
[ 138.424317][ C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.424906][ C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255
[ 138.425778][ C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full)
[ 138.425795][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 138.425800][ C1] Call Trace:
[ 138.425804][ C1] <IRQ>
[ 138.425808][ C1] dump_stack_lvl (lib/dump_stack.c:122)
[ 138.425828][ C1] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[ 138.425839][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425844][ C1] ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))
[ 138.425853][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425859][ C1] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
[ 138.425868][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425878][ C1] kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1))
[ 138.425884][ C1] __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))
[ 138.425889][ C1] ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425893][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:171)
[ 138.425898][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425903][ C1] ife_encode_meta_u16 (net/sched/act_ife.c:57)
[ 138.425910][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
[ 138.425916][ C1] ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3))
[ 138.425921][ C1] ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45)
[ 138.425927][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425931][ C1] tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879)
To solve this issue, fix the replace behavior by adding the metalist to
the ife rcu data structure.
Fixes: aa9fd9a325d51 ("sched: act: ife: update parameters via rcu handling")
Reported-by: Ruitong Liu <cnitlrt@gmail.com>
Tested-by: Ruitong Liu <cnitlrt@gmail.com>
Co-developed-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260304140603.76500-1-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/tc_act/tc_ife.h | 4 +-
net/sched/act_ife.c | 93 ++++++++++++++++++-------------------
2 files changed, 45 insertions(+), 52 deletions(-)
diff --git a/include/net/tc_act/tc_ife.h b/include/net/tc_act/tc_ife.h
index c7f24a2da1cad..24d4d5a62b3c2 100644
--- a/include/net/tc_act/tc_ife.h
+++ b/include/net/tc_act/tc_ife.h
@@ -13,15 +13,13 @@ struct tcf_ife_params {
u8 eth_src[ETH_ALEN];
u16 eth_type;
u16 flags;
-
+ struct list_head metalist;
struct rcu_head rcu;
};
struct tcf_ife_info {
struct tc_action common;
struct tcf_ife_params __rcu *params;
- /* list of metaids allowed */
- struct list_head metalist;
};
#define to_ife(a) ((struct tcf_ife_info *)a)
diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
index 1f243ea65443c..a25203a492700 100644
--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -292,8 +292,8 @@ static int load_metaops_and_vet(u32 metaid, void *val, int len, bool rtnl_held)
/* called when adding new meta information
*/
static int __add_metainfo(const struct tcf_meta_ops *ops,
- struct tcf_ife_info *ife, u32 metaid, void *metaval,
- int len, bool atomic, bool exists)
+ struct tcf_ife_params *p, u32 metaid, void *metaval,
+ int len, bool atomic)
{
struct tcf_meta_info *mi = NULL;
int ret = 0;
@@ -312,45 +312,40 @@ static int __add_metainfo(const struct tcf_meta_ops *ops,
}
}
- if (exists)
- spin_lock_bh(&ife->tcf_lock);
- list_add_tail(&mi->metalist, &ife->metalist);
- if (exists)
- spin_unlock_bh(&ife->tcf_lock);
+ list_add_tail(&mi->metalist, &p->metalist);
return ret;
}
static int add_metainfo_and_get_ops(const struct tcf_meta_ops *ops,
- struct tcf_ife_info *ife, u32 metaid,
- bool exists)
+ struct tcf_ife_params *p, u32 metaid)
{
int ret;
if (!try_module_get(ops->owner))
return -ENOENT;
- ret = __add_metainfo(ops, ife, metaid, NULL, 0, true, exists);
+ ret = __add_metainfo(ops, p, metaid, NULL, 0, true);
if (ret)
module_put(ops->owner);
return ret;
}
-static int add_metainfo(struct tcf_ife_info *ife, u32 metaid, void *metaval,
- int len, bool exists)
+static int add_metainfo(struct tcf_ife_params *p, u32 metaid, void *metaval,
+ int len)
{
const struct tcf_meta_ops *ops = find_ife_oplist(metaid);
int ret;
if (!ops)
return -ENOENT;
- ret = __add_metainfo(ops, ife, metaid, metaval, len, false, exists);
+ ret = __add_metainfo(ops, p, metaid, metaval, len, false);
if (ret)
/*put back what find_ife_oplist took */
module_put(ops->owner);
return ret;
}
-static int use_all_metadata(struct tcf_ife_info *ife, bool exists)
+static int use_all_metadata(struct tcf_ife_params *p)
{
struct tcf_meta_ops *o;
int rc = 0;
@@ -358,7 +353,7 @@ static int use_all_metadata(struct tcf_ife_info *ife, bool exists)
read_lock(&ife_mod_lock);
list_for_each_entry(o, &ifeoplist, list) {
- rc = add_metainfo_and_get_ops(o, ife, o->metaid, exists);
+ rc = add_metainfo_and_get_ops(o, p, o->metaid);
if (rc == 0)
installed += 1;
}
@@ -370,7 +365,7 @@ static int use_all_metadata(struct tcf_ife_info *ife, bool exists)
return -EINVAL;
}
-static int dump_metalist(struct sk_buff *skb, struct tcf_ife_info *ife)
+static int dump_metalist(struct sk_buff *skb, struct tcf_ife_params *p)
{
struct tcf_meta_info *e;
struct nlattr *nest;
@@ -378,14 +373,14 @@ static int dump_metalist(struct sk_buff *skb, struct tcf_ife_info *ife)
int total_encoded = 0;
/*can only happen on decode */
- if (list_empty(&ife->metalist))
+ if (list_empty(&p->metalist))
return 0;
nest = nla_nest_start_noflag(skb, TCA_IFE_METALST);
if (!nest)
goto out_nlmsg_trim;
- list_for_each_entry(e, &ife->metalist, metalist) {
+ list_for_each_entry(e, &p->metalist, metalist) {
if (!e->ops->get(skb, e))
total_encoded += 1;
}
@@ -402,13 +397,11 @@ static int dump_metalist(struct sk_buff *skb, struct tcf_ife_info *ife)
return -1;
}
-/* under ife->tcf_lock */
-static void _tcf_ife_cleanup(struct tc_action *a)
+static void __tcf_ife_cleanup(struct tcf_ife_params *p)
{
- struct tcf_ife_info *ife = to_ife(a);
struct tcf_meta_info *e, *n;
- list_for_each_entry_safe(e, n, &ife->metalist, metalist) {
+ list_for_each_entry_safe(e, n, &p->metalist, metalist) {
list_del(&e->metalist);
if (e->metaval) {
if (e->ops->release)
@@ -421,18 +414,23 @@ static void _tcf_ife_cleanup(struct tc_action *a)
}
}
+static void tcf_ife_cleanup_params(struct rcu_head *head)
+{
+ struct tcf_ife_params *p = container_of(head, struct tcf_ife_params,
+ rcu);
+
+ __tcf_ife_cleanup(p);
+ kfree(p);
+}
+
static void tcf_ife_cleanup(struct tc_action *a)
{
struct tcf_ife_info *ife = to_ife(a);
struct tcf_ife_params *p;
- spin_lock_bh(&ife->tcf_lock);
- _tcf_ife_cleanup(a);
- spin_unlock_bh(&ife->tcf_lock);
-
p = rcu_dereference_protected(ife->params, 1);
if (p)
- kfree_rcu(p, rcu);
+ call_rcu(&p->rcu, tcf_ife_cleanup_params);
}
static int load_metalist(struct nlattr **tb, bool rtnl_held)
@@ -454,8 +452,7 @@ static int load_metalist(struct nlattr **tb, bool rtnl_held)
return 0;
}
-static int populate_metalist(struct tcf_ife_info *ife, struct nlattr **tb,
- bool exists, bool rtnl_held)
+static int populate_metalist(struct tcf_ife_params *p, struct nlattr **tb)
{
int len = 0;
int rc = 0;
@@ -467,7 +464,7 @@ static int populate_metalist(struct tcf_ife_info *ife, struct nlattr **tb,
val = nla_data(tb[i]);
len = nla_len(tb[i]);
- rc = add_metainfo(ife, i, val, len, exists);
+ rc = add_metainfo(p, i, val, len);
if (rc)
return rc;
}
@@ -522,6 +519,7 @@ static int tcf_ife_init(struct net *net, struct nlattr *nla,
p = kzalloc(sizeof(*p), GFP_KERNEL);
if (!p)
return -ENOMEM;
+ INIT_LIST_HEAD(&p->metalist);
if (tb[TCA_IFE_METALST]) {
err = nla_parse_nested_deprecated(tb2, IFE_META_MAX,
@@ -566,8 +564,6 @@ static int tcf_ife_init(struct net *net, struct nlattr *nla,
}
ife = to_ife(*a);
- if (ret == ACT_P_CREATED)
- INIT_LIST_HEAD(&ife->metalist);
err = tcf_action_check_ctrlact(parm->action, tp, &goto_ch, extack);
if (err < 0)
@@ -599,8 +595,7 @@ static int tcf_ife_init(struct net *net, struct nlattr *nla,
}
if (tb[TCA_IFE_METALST]) {
- err = populate_metalist(ife, tb2, exists,
- !(flags & TCA_ACT_FLAGS_NO_RTNL));
+ err = populate_metalist(p, tb2);
if (err)
goto metadata_parse_err;
} else {
@@ -609,7 +604,7 @@ static int tcf_ife_init(struct net *net, struct nlattr *nla,
* as we can. You better have at least one else we are
* going to bail out
*/
- err = use_all_metadata(ife, exists);
+ err = use_all_metadata(p);
if (err)
goto metadata_parse_err;
}
@@ -625,13 +620,14 @@ static int tcf_ife_init(struct net *net, struct nlattr *nla,
if (goto_ch)
tcf_chain_put_by_act(goto_ch);
if (p)
- kfree_rcu(p, rcu);
+ call_rcu(&p->rcu, tcf_ife_cleanup_params);
return ret;
metadata_parse_err:
if (goto_ch)
tcf_chain_put_by_act(goto_ch);
release_idr:
+ __tcf_ife_cleanup(p);
kfree(p);
tcf_idr_release(*a, bind);
return err;
@@ -678,7 +674,7 @@ static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
if (nla_put(skb, TCA_IFE_TYPE, 2, &p->eth_type))
goto nla_put_failure;
- if (dump_metalist(skb, ife)) {
+ if (dump_metalist(skb, p)) {
/*ignore failure to dump metalist */
pr_info("Failed to dump metalist\n");
}
@@ -692,13 +688,13 @@ static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
return -1;
}
-static int find_decode_metaid(struct sk_buff *skb, struct tcf_ife_info *ife,
+static int find_decode_metaid(struct sk_buff *skb, struct tcf_ife_params *p,
u16 metaid, u16 mlen, void *mdata)
{
struct tcf_meta_info *e;
/* XXX: use hash to speed up */
- list_for_each_entry(e, &ife->metalist, metalist) {
+ list_for_each_entry_rcu(e, &p->metalist, metalist) {
if (metaid == e->metaid) {
if (e->ops) {
/* We check for decode presence already */
@@ -715,10 +711,13 @@ static int tcf_ife_decode(struct sk_buff *skb, const struct tc_action *a,
{
struct tcf_ife_info *ife = to_ife(a);
int action = ife->tcf_action;
+ struct tcf_ife_params *p;
u8 *ifehdr_end;
u8 *tlv_data;
u16 metalen;
+ p = rcu_dereference_bh(ife->params);
+
bstats_update(this_cpu_ptr(ife->common.cpu_bstats), skb);
tcf_lastuse_update(&ife->tcf_tm);
@@ -744,7 +743,7 @@ static int tcf_ife_decode(struct sk_buff *skb, const struct tc_action *a,
return TC_ACT_SHOT;
}
- if (find_decode_metaid(skb, ife, mtype, dlen, curr_data)) {
+ if (find_decode_metaid(skb, p, mtype, dlen, curr_data)) {
/* abuse overlimits to count when we receive metadata
* but dont have an ops for it
*/
@@ -768,12 +767,12 @@ static int tcf_ife_decode(struct sk_buff *skb, const struct tc_action *a,
/*XXX: check if we can do this at install time instead of current
* send data path
**/
-static int ife_get_sz(struct sk_buff *skb, struct tcf_ife_info *ife)
+static int ife_get_sz(struct sk_buff *skb, struct tcf_ife_params *p)
{
- struct tcf_meta_info *e, *n;
+ struct tcf_meta_info *e;
int tot_run_sz = 0, run_sz = 0;
- list_for_each_entry_safe(e, n, &ife->metalist, metalist) {
+ list_for_each_entry_rcu(e, &p->metalist, metalist) {
if (e->ops->check_presence) {
run_sz = e->ops->check_presence(skb, e);
tot_run_sz += run_sz;
@@ -794,7 +793,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a,
OUTERHDR:TOTMETALEN:{TLVHDR:Metadatum:TLVHDR..}:ORIGDATA
where ORIGDATA = original ethernet header ...
*/
- u16 metalen = ife_get_sz(skb, ife);
+ u16 metalen = ife_get_sz(skb, p);
int hdrm = metalen + skb->dev->hard_header_len + IFE_METAHDRLEN;
unsigned int skboff = 0;
int new_len = skb->len + hdrm;
@@ -832,25 +831,21 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a,
if (!ife_meta)
goto drop;
- spin_lock(&ife->tcf_lock);
-
/* XXX: we dont have a clever way of telling encode to
* not repeat some of the computations that are done by
* ops->presence_check...
*/
- list_for_each_entry(e, &ife->metalist, metalist) {
+ list_for_each_entry_rcu(e, &p->metalist, metalist) {
if (e->ops->encode) {
err = e->ops->encode(skb, (void *)(ife_meta + skboff),
e);
}
if (err < 0) {
/* too corrupt to keep around if overwritten */
- spin_unlock(&ife->tcf_lock);
goto drop;
}
skboff += err;
}
- spin_unlock(&ife->tcf_lock);
oethh = (struct ethhdr *)skb->data;
if (!is_zero_ether_addr(p->eth_src))
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 127/460] libceph: reject preamble if control segment is empty
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 126/460] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 128/460] libceph: prevent potential out-of-bounds reads in process_message_header() Greg Kroah-Hartman
` (175 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ilya Dryomov, Alex Markuze
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit c4c22b846eceff05b1129b8844a80310e55a7f87 upstream.
While head_onwire_len() has a branch to handle ctrl_len == 0 case,
prepare_read_control() always sets up a kvec for the CRC meaning that
a non-empty control segment is effectively assumed. All frames that
clients deal with meet that assumption, so let's make it official and
treat the preamble with an empty control segment as malformed.
Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/messenger_v2.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -392,7 +392,7 @@ static int head_onwire_len(int ctrl_len,
int head_len;
int rem_len;
- BUG_ON(ctrl_len < 0 || ctrl_len > CEPH_MSG_MAX_CONTROL_LEN);
+ BUG_ON(ctrl_len < 1 || ctrl_len > CEPH_MSG_MAX_CONTROL_LEN);
if (secure) {
head_len = CEPH_PREAMBLE_SECURE_LEN;
@@ -401,9 +401,7 @@ static int head_onwire_len(int ctrl_len,
head_len += padded_len(rem_len) + CEPH_GCM_TAG_LEN;
}
} else {
- head_len = CEPH_PREAMBLE_PLAIN_LEN;
- if (ctrl_len)
- head_len += ctrl_len + CEPH_CRC_LEN;
+ head_len = CEPH_PREAMBLE_PLAIN_LEN + ctrl_len + CEPH_CRC_LEN;
}
return head_len;
}
@@ -528,11 +526,16 @@ static int decode_preamble(void *p, stru
desc->fd_aligns[i] = ceph_decode_16(&p);
}
- if (desc->fd_lens[0] < 0 ||
+ /*
+ * This would fire for FRAME_TAG_WAIT (it has one empty
+ * segment), but we should never get it as client.
+ */
+ if (desc->fd_lens[0] < 1 ||
desc->fd_lens[0] > CEPH_MSG_MAX_CONTROL_LEN) {
pr_err("bad control segment length %d\n", desc->fd_lens[0]);
return -EINVAL;
}
+
if (desc->fd_lens[1] < 0 ||
desc->fd_lens[1] > CEPH_MSG_MAX_FRONT_LEN) {
pr_err("bad front segment length %d\n", desc->fd_lens[1]);
@@ -549,10 +552,6 @@ static int decode_preamble(void *p, stru
return -EINVAL;
}
- /*
- * This would fire for FRAME_TAG_WAIT (it has one empty
- * segment), but we should never get it as client.
- */
if (!desc->fd_lens[desc->fd_seg_cnt - 1]) {
pr_err("last segment empty, segment count %d\n",
desc->fd_seg_cnt);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 203/567] ACPI: OSI: Add DMI quirk for Acer Aspire One D255
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 202/567] wifi: mac80211: set default WMM parameters on all links Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 204/567] scsi: ses: Fix devices attaching to different hosts Greg Kroah-Hartman
` (174 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sofia Schneider, Rafael J. Wysocki,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sofia Schneider <sofia@schn.dev>
[ Upstream commit 5ede90206273ff156a778254f0f972a55e973c89 ]
The screen backlight turns off during boot (specifically during udev device
initialization) when returning true for _OSI("Windows 2009").
Analyzing the device's DSDT reveals that the firmware takes a different
code path when Windows 7 is reported, which leads to the backlight shutoff.
Add a DMI quirk to invoke dmi_disable_osi_win7 for this model.
Signed-off-by: Sofia Schneider <sofia@schn.dev>
Link: https://patch.msgid.link/20260223025240.518509-1-sofia@schn.dev
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/osi.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/acpi/osi.c b/drivers/acpi/osi.c
index ae9620757865b..600af8814038a 100644
--- a/drivers/acpi/osi.c
+++ b/drivers/acpi/osi.c
@@ -389,6 +389,19 @@ static const struct dmi_system_id acpi_osi_dmi_table[] __initconst = {
},
},
+ /*
+ * The screen backlight turns off during udev device creation
+ * when returning true for _OSI("Windows 2009")
+ */
+ {
+ .callback = dmi_disable_osi_win7,
+ .ident = "Acer Aspire One D255",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "AOD255"),
+ },
+ },
+
/*
* The wireless hotkey does not work on those machines when
* returning true for _OSI("Windows 2012")
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 141/481] xdp: use modulo operation to calculate XDP frag tailroom
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 140/481] net/sched: act_ife: Fix metalist update behavior Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 142/481] xdp: produce a warning when calculated tailroom is negative Greg Kroah-Hartman
` (174 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Aleksandr Loktionov,
Larysa Zaremba, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Larysa Zaremba <larysa.zaremba@intel.com>
[ Upstream commit 88b6b7f7b216108a09887b074395fa7b751880b1 ]
The current formula for calculating XDP tailroom in mbuf packets works only
if each frag has its own page (if rxq->frag_size is PAGE_SIZE), this
defeats the purpose of the parameter overall and without any indication
leads to negative calculated tailroom on at least half of frags, if shared
pages are used.
There are not many drivers that set rxq->frag_size. Among them:
* i40e and enetc always split page uniformly between frags, use shared
pages
* ice uses page_pool frags via libeth, those are power-of-2 and uniformly
distributed across page
* idpf has variable frag_size with XDP on, so current API is not applicable
* mlx5, mtk and mvneta use PAGE_SIZE or 0 as frag_size for page_pool
As for AF_XDP ZC, only ice, i40e and idpf declare frag_size for it. Modulo
operation yields good results for aligned chunks, they are all power-of-2,
between 2K and PAGE_SIZE. Formula without modulo fails when chunk_size is
2K. Buffers in unaligned mode are not distributed uniformly, so modulo
operation would not work.
To accommodate unaligned buffers, we could define frag_size as
data + tailroom, and hence do not subtract offset when calculating
tailroom, but this would necessitate more changes in the drivers.
Define rxq->frag_size as an even portion of a page that fully belongs to a
single frag. When calculating tailroom, locate the data start within such
portion by performing a modulo operation on page offset.
Fixes: bf25146a5595 ("bpf: add frags support to the bpf_xdp_adjust_tail() API")
Acked-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Larysa Zaremba <larysa.zaremba@intel.com>
Link: https://patch.msgid.link/20260305111253.2317394-2-larysa.zaremba@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index c177e40e70770..128e4b947d985 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4083,7 +4083,8 @@ static int bpf_xdp_frags_increase_tail(struct xdp_buff *xdp, int offset)
if (!rxq->frag_size || rxq->frag_size > xdp->frame_sz)
return -EOPNOTSUPP;
- tailroom = rxq->frag_size - skb_frag_size(frag) - skb_frag_off(frag);
+ tailroom = rxq->frag_size - skb_frag_size(frag) -
+ skb_frag_off(frag) % rxq->frag_size;
if (unlikely(offset > tailroom))
return -EINVAL;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 128/460] libceph: prevent potential out-of-bounds reads in process_message_header()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 127/460] libceph: reject preamble if control segment is empty Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 129/460] libceph: Use u32 for non-negative values in ceph_monmap_decode() Greg Kroah-Hartman
` (174 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov,
Alex Markuze, Viacheslav Dubeyko
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit 69fb5d91bba44ecf7eb80530b85fa4fb028921d5 upstream.
If the message frame is (maliciously) corrupted in a way that the
length of the control segment ends up being less than the size of the
message header or a different frame is made to look like a message
frame, out-of-bounds reads may ensue in process_message_header().
Perform an explicit bounds check before decoding the message header.
Cc: stable@vger.kernel.org
Reported-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/messenger_v2.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -2864,12 +2864,15 @@ static int process_message_header(struct
void *p, void *end)
{
struct ceph_frame_desc *desc = &con->v2.in_desc;
- struct ceph_msg_header2 *hdr2 = p;
+ struct ceph_msg_header2 *hdr2;
struct ceph_msg_header hdr;
int skip;
int ret;
u64 seq;
+ ceph_decode_need(&p, end, sizeof(*hdr2), bad);
+ hdr2 = p;
+
/* verify seq# */
seq = le64_to_cpu(hdr2->seq);
if ((s64)seq - (s64)con->in_seq < 1) {
@@ -2900,6 +2903,10 @@ static int process_message_header(struct
WARN_ON(!con->in_msg);
WARN_ON(con->in_msg->con != con);
return 1;
+
+bad:
+ pr_err("failed to decode message header\n");
+ return -EINVAL;
}
static int process_message(struct ceph_connection *con)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 204/567] scsi: ses: Fix devices attaching to different hosts
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 203/567] ACPI: OSI: Add DMI quirk for Acer Aspire One D255 Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 205/567] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table Greg Kroah-Hartman
` (173 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Jeffery, Tomas Henzl,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomas Henzl <thenzl@redhat.com>
[ Upstream commit 70ca8caa96ce473647054f5c7b9dab5423902402 ]
On a multipath SAS system some devices don't end up with correct symlinks
from the SCSI device to its enclosure. Some devices even have enclosure
links pointing to enclosures attached to different SCSI hosts.
ses_match_to_enclosure() calls enclosure_for_each_device() which iterates
over all enclosures on the system, not just enclosures attached to the
current SCSI host.
Replace the iteration with a direct call to ses_enclosure_find_by_addr().
Reviewed-by: David Jeffery <djeffery@redhat.com>
Signed-off-by: Tomas Henzl <thenzl@redhat.com>
Link: https://patch.msgid.link/20260210191850.36784-1-thenzl@redhat.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/ses.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index d7d0c35c58b80..05e462f328e75 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -503,9 +503,8 @@ struct efd {
};
static int ses_enclosure_find_by_addr(struct enclosure_device *edev,
- void *data)
+ struct efd *efd)
{
- struct efd *efd = data;
int i;
struct ses_component *scomp;
@@ -658,7 +657,7 @@ static void ses_match_to_enclosure(struct enclosure_device *edev,
if (efd.addr) {
efd.dev = &sdev->sdev_gendev;
- enclosure_for_each_device(ses_enclosure_find_by_addr, &efd);
+ ses_enclosure_find_by_addr(edev, &efd);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 142/481] xdp: produce a warning when calculated tailroom is negative
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 141/481] xdp: use modulo operation to calculate XDP frag tailroom Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 143/481] tracing: Add NULL pointer check to trigger_data_free() Greg Kroah-Hartman
` (173 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov,
Toke Høiland-Jørgensen, Martin KaFai Lau,
Larysa Zaremba, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Larysa Zaremba <larysa.zaremba@intel.com>
[ Upstream commit 8821e857759be9db3cde337ad328b71fe5c8a55f ]
Many ethernet drivers report xdp Rx queue frag size as being the same as
DMA write size. However, the only user of this field, namely
bpf_xdp_frags_increase_tail(), clearly expects a truesize.
Such difference leads to unspecific memory corruption issues under certain
circumstances, e.g. in ixgbevf maximum DMA write size is 3 KB, so when
running xskxceiver's XDP_ADJUST_TAIL_GROW_MULTI_BUFF, 6K packet fully uses
all DMA-writable space in 2 buffers. This would be fine, if only
rxq->frag_size was properly set to 4K, but value of 3K results in a
negative tailroom, because there is a non-zero page offset.
We are supposed to return -EINVAL and be done with it in such case, but due
to tailroom being stored as an unsigned int, it is reported to be somewhere
near UINT_MAX, resulting in a tail being grown, even if the requested
offset is too much (it is around 2K in the abovementioned test). This later
leads to all kinds of unspecific calltraces.
[ 7340.337579] xskxceiver[1440]: segfault at 1da718 ip 00007f4161aeac9d sp 00007f41615a6a00 error 6
[ 7340.338040] xskxceiver[1441]: segfault at 7f410000000b ip 00000000004042b5 sp 00007f415bffecf0 error 4
[ 7340.338179] in libc.so.6[61c9d,7f4161aaf000+160000]
[ 7340.339230] in xskxceiver[42b5,400000+69000]
[ 7340.340300] likely on CPU 6 (core 0, socket 6)
[ 7340.340302] Code: ff ff 01 e9 f4 fe ff ff 0f 1f 44 00 00 4c 39 f0 74 73 31 c0 ba 01 00 00 00 f0 0f b1 17 0f 85 ba 00 00 00 49 8b 87 88 00 00 00 <4c> 89 70 08 eb cc 0f 1f 44 00 00 48 8d bd f0 fe ff ff 89 85 ec fe
[ 7340.340888] likely on CPU 3 (core 0, socket 3)
[ 7340.345088] Code: 00 00 00 ba 00 00 00 00 be 00 00 00 00 89 c7 e8 31 ca ff ff 89 45 ec 8b 45 ec 85 c0 78 07 b8 00 00 00 00 eb 46 e8 0b c8 ff ff <8b> 00 83 f8 69 74 24 e8 ff c7 ff ff 8b 00 83 f8 0b 74 18 e8 f3 c7
[ 7340.404334] Oops: general protection fault, probably for non-canonical address 0x6d255010bdffc: 0000 [#1] SMP NOPTI
[ 7340.405972] CPU: 7 UID: 0 PID: 1439 Comm: xskxceiver Not tainted 6.19.0-rc1+ #21 PREEMPT(lazy)
[ 7340.408006] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014
[ 7340.409716] RIP: 0010:lookup_swap_cgroup_id+0x44/0x80
[ 7340.410455] Code: 83 f8 1c 73 39 48 ba ff ff ff ff ff ff ff 03 48 8b 04 c5 20 55 fa bd 48 21 d1 48 89 ca 83 e1 01 48 d1 ea c1 e1 04 48 8d 04 90 <8b> 00 48 83 c4 10 d3 e8 c3 cc cc cc cc 31 c0 e9 98 b7 dd 00 48 89
[ 7340.412787] RSP: 0018:ffffcc5c04f7f6d0 EFLAGS: 00010202
[ 7340.413494] RAX: 0006d255010bdffc RBX: ffff891f477895a8 RCX: 0000000000000010
[ 7340.414431] RDX: 0001c17e3fffffff RSI: 00fa070000000000 RDI: 000382fc7fffffff
[ 7340.415354] RBP: 00fa070000000000 R08: ffffcc5c04f7f8f8 R09: ffffcc5c04f7f7d0
[ 7340.416283] R10: ffff891f4c1a7000 R11: ffffcc5c04f7f9c8 R12: ffffcc5c04f7f7d0
[ 7340.417218] R13: 03ffffffffffffff R14: 00fa06fffffffe00 R15: ffff891f47789500
[ 7340.418229] FS: 0000000000000000(0000) GS:ffff891ffdfaa000(0000) knlGS:0000000000000000
[ 7340.419489] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7340.420286] CR2: 00007f415bfffd58 CR3: 0000000103f03002 CR4: 0000000000772ef0
[ 7340.421237] PKRU: 55555554
[ 7340.421623] Call Trace:
[ 7340.421987] <TASK>
[ 7340.422309] ? softleaf_from_pte+0x77/0xa0
[ 7340.422855] swap_pte_batch+0xa7/0x290
[ 7340.423363] zap_nonpresent_ptes.constprop.0.isra.0+0xd1/0x270
[ 7340.424102] zap_pte_range+0x281/0x580
[ 7340.424607] zap_pmd_range.isra.0+0xc9/0x240
[ 7340.425177] unmap_page_range+0x24d/0x420
[ 7340.425714] unmap_vmas+0xa1/0x180
[ 7340.426185] exit_mmap+0xe1/0x3b0
[ 7340.426644] __mmput+0x41/0x150
[ 7340.427098] exit_mm+0xb1/0x110
[ 7340.427539] do_exit+0x1b2/0x460
[ 7340.427992] do_group_exit+0x2d/0xc0
[ 7340.428477] get_signal+0x79d/0x7e0
[ 7340.428957] arch_do_signal_or_restart+0x34/0x100
[ 7340.429571] exit_to_user_mode_loop+0x8e/0x4c0
[ 7340.430159] do_syscall_64+0x188/0x6b0
[ 7340.430672] ? __do_sys_clone3+0xd9/0x120
[ 7340.431212] ? switch_fpu_return+0x4e/0xd0
[ 7340.431761] ? arch_exit_to_user_mode_prepare.isra.0+0xa1/0xc0
[ 7340.432498] ? do_syscall_64+0xbb/0x6b0
[ 7340.433015] ? __handle_mm_fault+0x445/0x690
[ 7340.433582] ? count_memcg_events+0xd6/0x210
[ 7340.434151] ? handle_mm_fault+0x212/0x340
[ 7340.434697] ? do_user_addr_fault+0x2b4/0x7b0
[ 7340.435271] ? clear_bhb_loop+0x30/0x80
[ 7340.435788] ? clear_bhb_loop+0x30/0x80
[ 7340.436299] ? clear_bhb_loop+0x30/0x80
[ 7340.436812] ? clear_bhb_loop+0x30/0x80
[ 7340.437323] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 7340.437973] RIP: 0033:0x7f4161b14169
[ 7340.438468] Code: Unable to access opcode bytes at 0x7f4161b1413f.
[ 7340.439242] RSP: 002b:00007ffc6ebfa770 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 7340.440173] RAX: fffffffffffffe00 RBX: 00000000000005a1 RCX: 00007f4161b14169
[ 7340.441061] RDX: 00000000000005a1 RSI: 0000000000000109 RDI: 00007f415bfff990
[ 7340.441943] RBP: 00007ffc6ebfa7a0 R08: 0000000000000000 R09: 00000000ffffffff
[ 7340.442824] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 7340.443707] R13: 0000000000000000 R14: 00007f415bfff990 R15: 00007f415bfff6c0
[ 7340.444586] </TASK>
[ 7340.444922] Modules linked in: rfkill intel_rapl_msr intel_rapl_common intel_uncore_frequency_common skx_edac_common nfit libnvdimm kvm_intel vfat fat kvm snd_pcm irqbypass rapl iTCO_wdt snd_timer intel_pmc_bxt iTCO_vendor_support snd ixgbevf virtio_net soundcore i2c_i801 pcspkr libeth_xdp net_failover i2c_smbus lpc_ich failover libeth virtio_balloon joydev 9p fuse loop zram lz4hc_compress lz4_compress 9pnet_virtio 9pnet netfs ghash_clmulni_intel serio_raw qemu_fw_cfg
[ 7340.449650] ---[ end trace 0000000000000000 ]---
The issue can be fixed in all in-tree drivers, but we cannot just trust OOT
drivers to not do this. Therefore, make tailroom a signed int and produce a
warning when it is negative to prevent such mistakes in the future.
Fixes: bf25146a5595 ("bpf: add frags support to the bpf_xdp_adjust_tail() API")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Larysa Zaremba <larysa.zaremba@intel.com>
Link: https://patch.msgid.link/20260305111253.2317394-10-larysa.zaremba@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index 128e4b947d985..d71c24eafcb5a 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4078,13 +4078,14 @@ static int bpf_xdp_frags_increase_tail(struct xdp_buff *xdp, int offset)
struct skb_shared_info *sinfo = xdp_get_shared_info_from_buff(xdp);
skb_frag_t *frag = &sinfo->frags[sinfo->nr_frags - 1];
struct xdp_rxq_info *rxq = xdp->rxq;
- unsigned int tailroom;
+ int tailroom;
if (!rxq->frag_size || rxq->frag_size > xdp->frame_sz)
return -EOPNOTSUPP;
tailroom = rxq->frag_size - skb_frag_size(frag) -
skb_frag_off(frag) % rxq->frag_size;
+ WARN_ON_ONCE(tailroom < 0);
if (unlikely(offset > tailroom))
return -EINVAL;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 129/460] libceph: Use u32 for non-negative values in ceph_monmap_decode()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 128/460] libceph: prevent potential out-of-bounds reads in process_message_header() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 130/460] libceph: admit message frames only in CEPH_CON_S_OPEN state Greg Kroah-Hartman
` (173 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Viacheslav Dubeyko,
Ilya Dryomov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit 770444611f047dbfd4517ec0bc1b179d40c2f346 upstream.
This patch fixes unnecessary implicit conversions that change signedness
of blob_len and num_mon in ceph_monmap_decode().
Currently blob_len and num_mon are (signed) int variables. They are used
to hold values that are always non-negative and get assigned in
ceph_decode_32_safe(), which is meant to assign u32 values. Both
variables are subsequently used as unsigned values, and the value of
num_mon is further assigned to monmap->num_mon, which is of type u32.
Therefore, both variables should be of type u32. This is especially
relevant for num_mon. If the value read from the incoming message is
very large, it is interpreted as a negative value, and the check for
num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to
allocate a very large chunk of memory for monmap, which will most likely
fail. In this case, an unnecessary attempt to allocate memory is
performed, and -ENOMEM is returned instead of -EINVAL.
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/mon_client.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -72,8 +72,8 @@ static struct ceph_monmap *ceph_monmap_d
struct ceph_monmap *monmap = NULL;
struct ceph_fsid fsid;
u32 struct_len;
- int blob_len;
- int num_mon;
+ u32 blob_len;
+ u32 num_mon;
u8 struct_v;
u32 epoch;
int ret;
@@ -112,7 +112,7 @@ static struct ceph_monmap *ceph_monmap_d
}
ceph_decode_32_safe(p, end, num_mon, e_inval);
- dout("%s fsid %pU epoch %u num_mon %d\n", __func__, &fsid, epoch,
+ dout("%s fsid %pU epoch %u num_mon %u\n", __func__, &fsid, epoch,
num_mon);
if (num_mon > CEPH_MAX_MON)
goto e_inval;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 205/567] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 204/567] scsi: ses: Fix devices attaching to different hosts Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 206/567] ASoC: cs42l43: Report insert for exotic peripherals Greg Kroah-Hartman
` (172 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Azamat Almazbek uulu,
Vijendar Mukunda, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Azamat Almazbek uulu <almazbek1608@gmail.com>
[ Upstream commit 32fc4168fa56f6301d858c778a3d712774e9657e ]
The ASUS ExpertBook BM1503CDA (Ryzen 5 7535U, Barcelo-R) has an
internal DMIC connected through the AMD ACP (Audio CoProcessor)
but is missing from the DMI quirk table, so the acp6x machine
driver probe returns -ENODEV and no DMIC capture device is created.
Add the DMI entry so the internal microphone works out of the box.
Signed-off-by: Azamat Almazbek uulu <almazbek1608@gmail.com>
Reviewed-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
Link: https://patch.msgid.link/20260221114813.5610-1-almazbek1608@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
index 5aeacbcb1f6ad..106012da7443e 100644
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -696,6 +696,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "Vivobook_ASUSLaptop M6501RR_M6501RR"),
}
},
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "ASUS EXPERTBOOK BM1503CDA"),
+ }
+ },
{}
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 143/481] tracing: Add NULL pointer check to trigger_data_free()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 142/481] xdp: produce a warning when calculated tailroom is negative Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 144/481] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks Greg Kroah-Hartman
` (172 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Masami Hiramatsu,
Mathieu Desnoyers, Steven Rostedt (Google), Guenter Roeck,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit 457965c13f0837a289c9164b842d0860133f6274 ]
If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse()
jumps to the out_free error path. While kfree() safely handles a NULL
pointer, trigger_data_free() does not. This causes a NULL pointer
dereference in trigger_data_free() when evaluating
data->cmd_ops->set_filter.
Fix the problem by adding a NULL pointer check to trigger_data_free().
The problem was found by an experimental code review agent based on
gemini-3.1-pro while reviewing backports into v6.18.y.
Cc: Miaoqian Lin <linmq006@gmail.com>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
Link: https://patch.msgid.link/20260305193339.2810953-1-linux@roeck-us.net
Fixes: 0550069cc25f ("tracing: Properly process error handling in event_hist_trigger_parse()")
Assisted-by: Gemini:gemini-3.1-pro
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events_trigger.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
index 782ccb2433bb4..401d88d3b2c4b 100644
--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -19,6 +19,9 @@ static DEFINE_MUTEX(trigger_cmd_mutex);
void trigger_data_free(struct event_trigger_data *data)
{
+ if (!data)
+ return;
+
if (data->cmd_ops->set_filter)
data->cmd_ops->set_filter(NULL, data, NULL);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 130/460] libceph: admit message frames only in CEPH_CON_S_OPEN state
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 129/460] libceph: Use u32 for non-negative values in ceph_monmap_decode() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 131/460] ceph: fix i_nlink underrun during async unlink Greg Kroah-Hartman
` (172 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilya Dryomov, Alex Markuze,
Viacheslav Dubeyko
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit a5a373705081d7cc6363e16990e2361b0b362314 upstream.
Similar checks are performed for all control frames, but an early check
for message frames was missing. process_message() is already set up to
terminate the loop in case the state changes while con->ops->dispatch()
handler is being executed.
Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/messenger_v2.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -2936,6 +2936,11 @@ static int __handle_control(struct ceph_
if (con->v2.in_desc.fd_tag != FRAME_TAG_MESSAGE)
return process_control(con, p, end);
+ if (con->state != CEPH_CON_S_OPEN) {
+ con->error_msg = "protocol error, unexpected message";
+ return -EINVAL;
+ }
+
ret = process_message_header(con, p, end);
if (ret < 0)
return ret;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 206/567] ASoC: cs42l43: Report insert for exotic peripherals
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 205/567] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 207/567] scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() Greg Kroah-Hartman
` (171 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Charles Keepax, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Keepax <ckeepax@opensource.cirrus.com>
[ Upstream commit 6510e1324bcdc8caf21f6d17efe27604c48f0d64 ]
For some exotic peripherals the type detect can return a reserved value
of 0x4. This will currently return an error and not report anything to
user-space, update this to report the insert normally.
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20260223093616.3800350-1-ckeepax@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/cs42l43-jack.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/soc/codecs/cs42l43-jack.c b/sound/soc/codecs/cs42l43-jack.c
index f58d55d77693f..ba60acc4b2f09 100644
--- a/sound/soc/codecs/cs42l43-jack.c
+++ b/sound/soc/codecs/cs42l43-jack.c
@@ -699,6 +699,7 @@ static int cs42l43_run_type_detect(struct cs42l43_codec *priv)
switch (type & CS42L43_HSDET_TYPE_STS_MASK) {
case 0x0: // CTIA
case 0x1: // OMTP
+ case 0x4:
return cs42l43_run_load_detect(priv, true);
case 0x2: // 3-pole
return cs42l43_run_load_detect(priv, false);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 144/481] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 143/481] tracing: Add NULL pointer check to trigger_data_free() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 145/481] net: tcp: accept old ack during closing Greg Kroah-Hartman
` (171 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, GangMin Kim, Victor Nogueira,
Jamal Hadi Salim, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Nogueira <victor@mojatatu.com>
commit 11cb63b0d1a0685e0831ae3c77223e002ef18189 upstream.
As Paolo said earlier [1]:
"Since the blamed commit below, classify can return TC_ACT_CONSUMED while
the current skb being held by the defragmentation engine. As reported by
GangMin Kim, if such packet is that may cause a UaF when the defrag engine
later on tries to tuch again such packet."
act_ct was never meant to be used in the egress path, however some users
are attaching it to egress today [2]. Attempting to reach a middle
ground, we noticed that, while most qdiscs are not handling
TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we
address the issue by only allowing act_ct to bind to clsact/ingress
qdiscs and shared blocks. That way it's still possible to attach act_ct to
egress (albeit only with clsact).
[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/
[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
Reported-by: GangMin Kim <km.kim1503@gmail.com>
Fixes: 3f14b377d01d ("net/sched: act_ct: fix skb leak and crash on ooo frags")
CC: stable@vger.kernel.org
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260225134349.1287037-1-victor@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/act_api.h | 1 +
net/sched/act_ct.c | 6 ++++++
net/sched/cls_api.c | 7 +++++++
3 files changed, 14 insertions(+)
--- a/include/net/act_api.h
+++ b/include/net/act_api.h
@@ -67,6 +67,7 @@ struct tc_action {
#define TCA_ACT_FLAGS_BIND (1U << (TCA_ACT_FLAGS_USER_BITS + 1))
#define TCA_ACT_FLAGS_REPLACE (1U << (TCA_ACT_FLAGS_USER_BITS + 2))
#define TCA_ACT_FLAGS_NO_RTNL (1U << (TCA_ACT_FLAGS_USER_BITS + 3))
+#define TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT (1U << (TCA_ACT_FLAGS_USER_BITS + 5))
/* Update lastuse only if needed, to avoid dirtying a cache line.
* We use a temp variable to avoid fetching jiffies twice.
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -1440,6 +1440,12 @@ static int tcf_ct_init(struct net *net,
return -EINVAL;
}
+ if (bind && !(flags & TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT)) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "Attaching ct to a non ingress/clsact qdisc is unsupported");
+ return -EOPNOTSUPP;
+ }
+
err = nla_parse_nested(tb, TCA_CT_MAX, nla, ct_policy, extack);
if (err < 0)
return err;
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -1993,6 +1993,11 @@ static void tfilter_put(struct tcf_proto
tp->ops->put(tp, fh);
}
+static bool is_ingress_or_clsact(struct tcf_block *block, struct Qdisc *q)
+{
+ return tcf_block_shared(block) || (q && !!(q->flags & TCQ_F_INGRESS));
+}
+
static int tc_new_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
struct netlink_ext_ack *extack)
{
@@ -2184,6 +2189,8 @@ replay:
flags |= TCA_ACT_FLAGS_REPLACE;
if (!rtnl_held)
flags |= TCA_ACT_FLAGS_NO_RTNL;
+ if (is_ingress_or_clsact(block, q))
+ flags |= TCA_ACT_FLAGS_AT_INGRESS_OR_CLSACT;
err = tp->ops->change(net, skb, tp, cl, t->tcm_handle, tca, &fh,
flags, extack);
if (err == 0) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 131/460] ceph: fix i_nlink underrun during async unlink
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 130/460] libceph: admit message frames only in CEPH_CON_S_OPEN state Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 132/460] ceph: fix memory leaks in ceph_mdsc_build_path() Greg Kroah-Hartman
` (171 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Kellermann, Viacheslav Dubeyko,
Ilya Dryomov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Kellermann <max.kellermann@ionos.com>
commit ce0123cbb4a40a2f1bbb815f292b26e96088639f upstream.
During async unlink, we drop the `i_nlink` counter before we receive
the completion (that will eventually update the `i_nlink`) because "we
assume that the unlink will succeed". That is not a bad idea, but it
races against deletions by other clients (or against the completion of
our own unlink) and can lead to an underrun which emits a WARNING like
this one:
WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68
Modules linked in:
CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655
Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : drop_nlink+0x50/0x68
lr : ceph_unlink+0x6c4/0x720
sp : ffff80012173bc90
x29: ffff80012173bc90 x28: ffff086d0a45aaf8 x27: ffff0871d0eb5680
x26: ffff087f2a64a718 x25: 0000020000000180 x24: 0000000061c88647
x23: 0000000000000002 x22: ffff07ff9236d800 x21: 0000000000001203
x20: ffff07ff9237b000 x19: ffff088b8296afc0 x18: 00000000f3c93365
x17: 0000000000070000 x16: ffff08faffcbdfe8 x15: ffff08faffcbdfec
x14: 0000000000000000 x13: 45445f65645f3037 x12: 34385f6369706f74
x11: 0000a2653104bb20 x10: ffffd85f26d73290 x9 : ffffd85f25664f94
x8 : 00000000000000c0 x7 : 0000000000000000 x6 : 0000000000000002
x5 : 0000000000000081 x4 : 0000000000000481 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff08727d3f91e8
Call trace:
drop_nlink+0x50/0x68 (P)
vfs_unlink+0xb0/0x2e8
do_unlinkat+0x204/0x288
__arm64_sys_unlinkat+0x3c/0x80
invoke_syscall.constprop.0+0x54/0xe8
do_el0_svc+0xa4/0xc8
el0_svc+0x18/0x58
el0t_64_sync_handler+0x104/0x130
el0t_64_sync+0x154/0x158
In ceph_unlink(), a call to ceph_mdsc_submit_request() submits the
CEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion.
Meanwhile, between this call and the following drop_nlink() call, a
worker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or
just a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own
completion). These will lead to a set_nlink() call, updating the
`i_nlink` counter to the value received from the MDS. If that new
`i_nlink` value happens to be zero, it is illegal to decrement it
further. But that is exactly what ceph_unlink() will do then.
The WARNING can be reproduced this way:
1. Force async unlink; only the async code path is affected. Having
no real clue about Ceph internals, I was unable to find out why the
MDS wouldn't give me the "Fxr" capabilities, so I patched
get_caps_for_async_unlink() to always succeed.
(Note that the WARNING dump above was found on an unpatched kernel,
without this kludge - this is not a theoretical bug.)
2. Add a sleep call after ceph_mdsc_submit_request() so the unlink
completion gets handled by a worker thread before drop_nlink() is
called. This guarantees that the `i_nlink` is already zero before
drop_nlink() runs.
The solution is to skip the counter decrement when it is already zero,
but doing so without a lock is still racy (TOCTOU). Since
ceph_fill_inode() and handle_cap_grant() both hold the
`ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this
seems like the proper lock to protect the `i_nlink` updates.
I found prior art in NFS and SMB (using `inode.i_lock`) and AFS (using
`afs_vnode.cb_lock`). All three have the zero check as well.
Cc: stable@vger.kernel.org
Fixes: 2ccb45462aea ("ceph: perform asynchronous unlink if we have sufficient caps")
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/dir.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -1330,6 +1330,7 @@ static int ceph_unlink(struct inode *dir
struct ceph_client *cl = fsc->client;
struct ceph_mds_client *mdsc = fsc->mdsc;
struct inode *inode = d_inode(dentry);
+ struct ceph_inode_info *ci = ceph_inode(inode);
struct ceph_mds_request *req;
bool try_async = ceph_test_mount_opt(fsc, ASYNC_DIROPS);
struct dentry *dn;
@@ -1415,7 +1416,19 @@ retry:
* We have enough caps, so we assume that the unlink
* will succeed. Fix up the target inode and dcache.
*/
- drop_nlink(inode);
+
+ /*
+ * Protect the i_nlink update with i_ceph_lock
+ * to precent racing against ceph_fill_inode()
+ * handling our completion on a worker thread
+ * and don't decrement if i_nlink has already
+ * been updated to zero by this completion.
+ */
+ spin_lock(&ci->i_ceph_lock);
+ if (inode->i_nlink > 0)
+ drop_nlink(inode);
+ spin_unlock(&ci->i_ceph_lock);
+
d_delete(dentry);
} else {
spin_lock(&fsc->async_unlink_conflict_lock);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 207/567] scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 206/567] ASoC: cs42l43: Report insert for exotic peripherals Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 208/567] scsi: ufs: core: Fix shift out of bounds when MAXQ=32 Greg Kroah-Hartman
` (170 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Wang, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Wang <peter.wang@mediatek.com>
[ Upstream commit 30df81f2228d65bddf492db3929d9fcaffd38fc5 ]
The kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL
pointer dereference when accessing hwq->id. This can happen if
ufshcd_mcq_req_to_hwq() returns NULL.
This patch adds a NULL check for hwq before accessing its id field to
prevent a kernel crash.
Kernel log excerpt:
[<ffffffd5d192dc4c>] notify_die+0x4c/0x8c
[<ffffffd5d1814e58>] __die+0x60/0xb0
[<ffffffd5d1814d64>] die+0x4c/0xe0
[<ffffffd5d181575c>] die_kernel_fault+0x74/0x88
[<ffffffd5d1864db4>] __do_kernel_fault+0x314/0x318
[<ffffffd5d2a3cdf8>] do_page_fault+0xa4/0x5f8
[<ffffffd5d2a3cd34>] do_translation_fault+0x34/0x54
[<ffffffd5d1864524>] do_mem_abort+0x50/0xa8
[<ffffffd5d2a297dc>] el1_abort+0x3c/0x64
[<ffffffd5d2a29718>] el1h_64_sync_handler+0x44/0xcc
[<ffffffd5d181133c>] el1h_64_sync+0x80/0x88
[<ffffffd5d255c1dc>] ufshcd_add_command_trace+0x23c/0x320
[<ffffffd5d255bad8>] ufshcd_compl_one_cqe+0xa4/0x404
[<ffffffd5d2572968>] ufshcd_mcq_poll_cqe_lock+0xac/0x104
[<ffffffd5d11c7460>] ufs_mtk_mcq_intr+0x54/0x74 [ufs_mediatek_mod]
[<ffffffd5d19ab92c>] __handle_irq_event_percpu+0xc8/0x348
[<ffffffd5d19abca8>] handle_irq_event+0x3c/0xa8
[<ffffffd5d19b1f0c>] handle_fasteoi_irq+0xf8/0x294
[<ffffffd5d19aa778>] generic_handle_domain_irq+0x54/0x80
[<ffffffd5d18102bc>] gic_handle_irq+0x1d4/0x330
[<ffffffd5d1838210>] call_on_irq_stack+0x44/0x68
[<ffffffd5d183af30>] do_interrupt_handler+0x78/0xd8
[<ffffffd5d2a29c00>] el1_interrupt+0x48/0xa8
[<ffffffd5d2a29ba8>] el1h_64_irq_handler+0x14/0x24
[<ffffffd5d18113c4>] el1h_64_irq+0x80/0x88
[<ffffffd5d2527fb4>] arch_local_irq_enable+0x4/0x1c
[<ffffffd5d25282e4>] cpuidle_enter+0x34/0x54
[<ffffffd5d195a678>] do_idle+0x1dc/0x2f8
[<ffffffd5d195a7c4>] cpu_startup_entry+0x30/0x3c
[<ffffffd5d18155c4>] secondary_start_kernel+0x134/0x1ac
[<ffffffd5d18640bc>] __secondary_switched+0xc4/0xcc
Signed-off-by: Peter Wang <peter.wang@mediatek.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260223065657.2432447-1-peter.wang@mediatek.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 0b74ef63e6721..4b34f65e6d8e2 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -461,8 +461,8 @@ static void ufshcd_add_command_trace(struct ufs_hba *hba, unsigned int tag,
if (is_mcq_enabled(hba)) {
struct ufs_hw_queue *hwq = ufshcd_mcq_req_to_hwq(hba, rq);
-
- hwq_id = hwq->id;
+ if (hwq)
+ hwq_id = hwq->id;
} else {
doorbell = ufshcd_readl(hba, REG_UTP_TRANSFER_REQ_DOOR_BELL);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 145/481] net: tcp: accept old ack during closing
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 144/481] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 146/481] scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT Greg Kroah-Hartman
` (170 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Menglong Dong, Simon Horman,
Eric Dumazet, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Menglong Dong <menglong8.dong@gmail.com>
commit 795a7dfbc3d95e4c7c09569f319f026f8c7f5a9c upstream.
For now, the packet with an old ack is not accepted if we are in
FIN_WAIT1 state, which can cause retransmission. Taking the following
case as an example:
Client Server
| |
FIN_WAIT1(Send FIN, seq=10) FIN_WAIT1(Send FIN, seq=20, ack=10)
| |
| Send ACK(seq=21, ack=11)
Recv ACK(seq=21, ack=11)
|
Recv FIN(seq=20, ack=10)
In the case above, simultaneous close is happening, and the FIN and ACK
packet that send from the server is out of order. Then, the FIN will be
dropped by the client, as it has an old ack. Then, the server has to
retransmit the FIN, which can cause delay if the server has set the
SO_LINGER on the socket.
Old ack is accepted in the ESTABLISHED and TIME_WAIT state, and I think
it should be better to keep the same logic.
In this commit, we accept old ack in FIN_WAIT1/FIN_WAIT2/CLOSING/LAST_ACK
states. Maybe we should limit it to FIN_WAIT1 for now?
Signed-off-by: Menglong Dong <menglong8.dong@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240126040519.1846345-1-menglong8.dong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_input.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -6630,17 +6630,21 @@ int tcp_rcv_state_process(struct sock *s
return 0;
/* step 5: check the ACK field */
- acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH |
- FLAG_UPDATE_TS_RECENT |
- FLAG_NO_CHALLENGE_ACK) > 0;
+ reason = tcp_ack(sk, skb, FLAG_SLOWPATH |
+ FLAG_UPDATE_TS_RECENT |
+ FLAG_NO_CHALLENGE_ACK);
- if (!acceptable) {
+ if ((int)reason <= 0) {
if (sk->sk_state == TCP_SYN_RECV)
return 1; /* send one RST */
- tcp_send_challenge_ack(sk);
- SKB_DR_SET(reason, TCP_OLD_ACK);
- goto discard;
+ /* accept old ack during closing */
+ if ((int)reason < 0) {
+ tcp_send_challenge_ack(sk);
+ reason = -reason;
+ goto discard;
+ }
}
+ SKB_DR_SET(reason, NOT_SPECIFIED);
switch (sk->sk_state) {
case TCP_SYN_RECV:
tp->delivered++; /* SYN-ACK delivery isn't tracked in tcp_ack */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 132/460] ceph: fix memory leaks in ceph_mdsc_build_path()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 131/460] ceph: fix i_nlink underrun during async unlink Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 133/460] time/jiffies: Mark jiffies_64_to_clock_t() notrace Greg Kroah-Hartman
` (170 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Kellermann, Viacheslav Dubeyko,
Ilya Dryomov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Kellermann <max.kellermann@ionos.com>
commit 040d159a45ded7f33201421a81df0aa2a86e5a0b upstream.
Add __putname() calls to error code paths that did not free the "path"
pointer obtained by __getname(). If ownership of this pointer is not
passed to the caller via path_info.path, the function must free it
before returning.
Cc: stable@vger.kernel.org
Fixes: 3fd945a79e14 ("ceph: encode encrypted name in ceph_mdsc_build_path and dentry release")
Fixes: 550f7ca98ee0 ("ceph: give up on paths longer than PATH_MAX")
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/mds_client.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -2766,6 +2766,7 @@ retry:
if (ret < 0) {
dput(parent);
dput(cur);
+ __putname(path);
return ERR_PTR(ret);
}
@@ -2775,6 +2776,7 @@ retry:
if (len < 0) {
dput(parent);
dput(cur);
+ __putname(path);
return ERR_PTR(len);
}
}
@@ -2811,6 +2813,7 @@ retry:
* cannot ever succeed. Creating paths that long is
* possible with Ceph, but Linux cannot use them.
*/
+ __putname(path);
return ERR_PTR(-ENAMETOOLONG);
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 208/567] scsi: ufs: core: Fix shift out of bounds when MAXQ=32
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 207/567] scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 209/567] ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0 Greg Kroah-Hartman
` (169 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, wangshuaiwei, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: wangshuaiwei <wangshuaiwei1@xiaomi.com>
[ Upstream commit 2f38fd99c0004676d835ae96ac4f3b54edc02c82 ]
According to JESD223F, the maximum number of queues (MAXQ) is 32. When MCQ
is enabled and ESI is disabled, nr_hw_queues=32 causes a shift overflow
problem.
Fix this by using 64-bit intermediate values to handle the nr_hw_queues=32
case safely.
Signed-off-by: wangshuaiwei <wangshuaiwei1@xiaomi.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260224063228.50112-1-wangshuaiwei1@xiaomi.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 4b34f65e6d8e2..d109a0c8f75ff 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -6960,7 +6960,7 @@ static irqreturn_t ufshcd_handle_mcq_cq_events(struct ufs_hba *hba)
ret = ufshcd_vops_get_outstanding_cqs(hba, &outstanding_cqs);
if (ret)
- outstanding_cqs = (1U << hba->nr_hw_queues) - 1;
+ outstanding_cqs = (1ULL << hba->nr_hw_queues) - 1;
/* Exclude the poll queues */
nr_queues = hba->nr_hw_queues - hba->nr_queues[HCTX_TYPE_POLL];
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 146/481] scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 145/481] net: tcp: accept old ack during closing Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 147/481] ACPI: PM: Save NVS memory on Lenovo G70-35 Greg Kroah-Hartman
` (169 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kiszka, Florian Bezdeka,
Michael Kelley, Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kiszka <jan.kiszka@siemens.com>
[ Upstream commit 57297736c08233987e5d29ce6584c6ca2a831b12 ]
This resolves the follow splat and lock-up when running with PREEMPT_RT
enabled on Hyper-V:
[ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002
[ 415.140822] INFO: lockdep is turned off.
[ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec ghash_clmulni_intel aesni_intel rapl binfmt_misc nls_ascii nls_cp437 vfat fat snd_pcm hyperv_drm snd_timer drm_client_lib drm_shmem_helper snd sg soundcore drm_kms_helper pcspkr hv_balloon hv_utils evdev joydev drm configfs efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common hv_sock vmw_vsock_vmci_transport vsock vmw_vmci efivarfs autofs4 ext4 crc16 mbcache jbd2 sr_mod sd_mod cdrom hv_storvsc serio_raw hid_generic scsi_transport_fc hid_hyperv scsi_mod hid hv_netvsc hyperv_keyboard scsi_common
[ 415.140846] Preemption disabled at:
[ 415.140847] [<ffffffffc0656171>] storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]
[ 415.140854] CPU: 8 UID: 0 PID: 1048 Comm: stress-ng-iomix Not tainted 6.19.0-rc7 #30 PREEMPT_{RT,(full)}
[ 415.140856] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/04/2024
[ 415.140857] Call Trace:
[ 415.140861] <TASK>
[ 415.140861] ? storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]
[ 415.140863] dump_stack_lvl+0x91/0xb0
[ 415.140870] __schedule_bug+0x9c/0xc0
[ 415.140875] __schedule+0xdf6/0x1300
[ 415.140877] ? rtlock_slowlock_locked+0x56c/0x1980
[ 415.140879] ? rcu_is_watching+0x12/0x60
[ 415.140883] schedule_rtlock+0x21/0x40
[ 415.140885] rtlock_slowlock_locked+0x502/0x1980
[ 415.140891] rt_spin_lock+0x89/0x1e0
[ 415.140893] hv_ringbuffer_write+0x87/0x2a0
[ 415.140899] vmbus_sendpacket_mpb_desc+0xb6/0xe0
[ 415.140900] ? rcu_is_watching+0x12/0x60
[ 415.140902] storvsc_queuecommand+0x669/0xbe0 [hv_storvsc]
[ 415.140904] ? HARDIRQ_verbose+0x10/0x10
[ 415.140908] ? __rq_qos_issue+0x28/0x40
[ 415.140911] scsi_queue_rq+0x760/0xd80 [scsi_mod]
[ 415.140926] __blk_mq_issue_directly+0x4a/0xc0
[ 415.140928] blk_mq_issue_direct+0x87/0x2b0
[ 415.140931] blk_mq_dispatch_queue_requests+0x120/0x440
[ 415.140933] blk_mq_flush_plug_list+0x7a/0x1a0
[ 415.140935] __blk_flush_plug+0xf4/0x150
[ 415.140940] __submit_bio+0x2b2/0x5c0
[ 415.140944] ? submit_bio_noacct_nocheck+0x272/0x360
[ 415.140946] submit_bio_noacct_nocheck+0x272/0x360
[ 415.140951] ext4_read_bh_lock+0x3e/0x60 [ext4]
[ 415.140995] ext4_block_write_begin+0x396/0x650 [ext4]
[ 415.141018] ? __pfx_ext4_da_get_block_prep+0x10/0x10 [ext4]
[ 415.141038] ext4_da_write_begin+0x1c4/0x350 [ext4]
[ 415.141060] generic_perform_write+0x14e/0x2c0
[ 415.141065] ext4_buffered_write_iter+0x6b/0x120 [ext4]
[ 415.141083] vfs_write+0x2ca/0x570
[ 415.141087] ksys_write+0x76/0xf0
[ 415.141089] do_syscall_64+0x99/0x1490
[ 415.141093] ? rcu_is_watching+0x12/0x60
[ 415.141095] ? finish_task_switch.isra.0+0xdf/0x3d0
[ 415.141097] ? rcu_is_watching+0x12/0x60
[ 415.141098] ? lock_release+0x1f0/0x2a0
[ 415.141100] ? rcu_is_watching+0x12/0x60
[ 415.141101] ? finish_task_switch.isra.0+0xe4/0x3d0
[ 415.141103] ? rcu_is_watching+0x12/0x60
[ 415.141104] ? __schedule+0xb34/0x1300
[ 415.141106] ? hrtimer_try_to_cancel+0x1d/0x170
[ 415.141109] ? do_nanosleep+0x8b/0x160
[ 415.141111] ? hrtimer_nanosleep+0x89/0x100
[ 415.141114] ? __pfx_hrtimer_wakeup+0x10/0x10
[ 415.141116] ? xfd_validate_state+0x26/0x90
[ 415.141118] ? rcu_is_watching+0x12/0x60
[ 415.141120] ? do_syscall_64+0x1e0/0x1490
[ 415.141121] ? do_syscall_64+0x1e0/0x1490
[ 415.141123] ? rcu_is_watching+0x12/0x60
[ 415.141124] ? do_syscall_64+0x1e0/0x1490
[ 415.141125] ? do_syscall_64+0x1e0/0x1490
[ 415.141127] ? irqentry_exit+0x140/0x7e0
[ 415.141129] entry_SYSCALL_64_after_hwframe+0x76/0x7e
get_cpu() disables preemption while the spinlock hv_ringbuffer_write is
using is converted to an rt-mutex under PREEMPT_RT.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Tested-by: Florian Bezdeka <florian.bezdeka@siemens.com>
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Michael Kelley <mhklinux@outlook.com>
Link: https://patch.msgid.link/0c7fb5cd-fb21-4760-8593-e04bade84744@siemens.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/storvsc_drv.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index ae9258347106d..d5165655fc053 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1852,8 +1852,9 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
cmd_request->payload_sz = payload_sz;
/* Invokes the vsc to start an IO */
- ret = storvsc_do_io(dev, cmd_request, get_cpu());
- put_cpu();
+ migrate_disable();
+ ret = storvsc_do_io(dev, cmd_request, smp_processor_id());
+ migrate_enable();
if (ret)
scsi_dma_unmap(scmnd);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 133/460] time/jiffies: Mark jiffies_64_to_clock_t() notrace
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 132/460] ceph: fix memory leaks in ceph_mdsc_build_path() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 134/460] i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach Greg Kroah-Hartman
` (169 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steven Rostedt (Google),
Thomas Gleixner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
[ Upstream commit 755a648e78f12574482d4698d877375793867fa1 ]
The trace_clock_jiffies() function that handles the "uptime" clock for
tracing calls jiffies_64_to_clock_t(). This causes the function tracer to
constantly recurse when the tracing clock is set to "uptime". Mark it
notrace to prevent unnecessary recursion when using the "uptime" clock.
Fixes: 58d4e21e50ff3 ("tracing: Fix wraparound problems in "uptime" trace clock")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260306212403.72270bb2@robin
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/time.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/time/time.c b/kernel/time/time.c
index 1ad88e97b4ebc..da7e8a02a0964 100644
--- a/kernel/time/time.c
+++ b/kernel/time/time.c
@@ -702,7 +702,7 @@ EXPORT_SYMBOL(clock_t_to_jiffies);
*
* Return: jiffies_64 value converted to 64-bit "clock_t" (CLOCKS_PER_SEC)
*/
-u64 jiffies_64_to_clock_t(u64 x)
+notrace u64 jiffies_64_to_clock_t(u64 x)
{
#if (TICK_NSEC % (NSEC_PER_SEC / USER_HZ)) == 0
# if HZ < USER_HZ
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 209/567] ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 208/567] scsi: ufs: core: Fix shift out of bounds when MAXQ=32 Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 210/567] ALSA: usb-audio: Check max frame size for implicit feedback mode, too Greg Kroah-Hartman
` (168 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit c5bf24c8aba1ff711226ee0f039ff01a5754692b ]
Although DIYINHK USB Audio 2.0 (ID 20b1:2009) shows the implicit
feedback source for the capture stream, this would cause several
problems for the playback. Namely, the device can get wMaxPackSize
1024 for 24/32 bit format with 6 channels, and when a high sample rate
like 352.8kHz or 384kHz is played, the packet size overflows the max
limit. Also, the device has another two playback altsets, and those
aren't properly handled with the implicit feedback.
Since the device has been working well even before introducing the
implicit feedback, we can assume that it works fine in the async mode.
This patch adds the explicit skip of the implicit fb detection to make
the playback running in the async mode.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221076
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260225085233.316306-4-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 15e72c419dbc2..04896ab01f372 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2251,6 +2251,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER),
DEVICE_FLG(0x2040, 0x7281, /* Hauppauge HVR-950Q-MXL */
QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER),
+ DEVICE_FLG(0x20b1, 0x2009, /* XMOS Ltd DIYINHK USB Audio 2.0 */
+ QUIRK_FLAG_SKIP_IMPLICIT_FB | QUIRK_FLAG_DSD_RAW),
DEVICE_FLG(0x2040, 0x8200, /* Hauppauge Woodbury */
QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER),
DEVICE_FLG(0x21b4, 0x0081, /* AudioQuest DragonFly */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 147/481] ACPI: PM: Save NVS memory on Lenovo G70-35
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 146/481] scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 148/481] scsi: mpi3mr: Add NULL checks when resetting request and reply queues Greg Kroah-Hartman
` (168 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Piotr Mazek, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Piotr Mazek <pmazek@outlook.com>
[ Upstream commit 023cd6d90f8aa2ef7b72d84be84a18e61ecebd64 ]
[821d6f0359b0614792ab8e2fb93b503e25a65079] prevented machines
produced later than 2012 from saving NVS region to accelerate S3.
Despite being made after 2012, Lenovo G70-35 still needs NVS memory
saving during S3. A quirk is introduced for this platform.
Signed-off-by: Piotr Mazek <pmazek@outlook.com>
[ rjw: Subject adjustment ]
Link: https://patch.msgid.link/GV2PPF3CD5B63CC2442EE3F76F8443EAD90D499A@GV2PPF3CD5B63CC.EURP251.PROD.OUTLOOK.COM
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/sleep.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
index 6026e20f022a2..cc490fbcfe273 100644
--- a/drivers/acpi/sleep.c
+++ b/drivers/acpi/sleep.c
@@ -372,6 +372,14 @@ static const struct dmi_system_id acpisleep_dmi_table[] __initconst = {
DMI_MATCH(DMI_PRODUCT_NAME, "80E1"),
},
},
+ {
+ .callback = init_nvs_save_s3,
+ .ident = "Lenovo G70-35",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "80Q5"),
+ },
+ },
/*
* ThinkPad X1 Tablet(2016) cannot do suspend-to-idle using
* the Low Power S0 Idle firmware interface (see
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 134/460] i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 133/460] time/jiffies: Mark jiffies_64_to_clock_t() notrace Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 135/460] scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend Greg Kroah-Hartman
` (168 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Ng Ho Yin, Frank Li,
Alexandre Belloni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Ng Ho Yin <adrianhoyin.ng@altera.com>
[ Upstream commit f311a05784634febd299f03476b80f3f18489767 ]
The DesignWare I3C master controller ACKs IBIs as soon as a valid
Device Address Table (DAT) entry is present. This can create a race
between device attachment (after DAA) and the point where the client
driver enables IBIs via i3c_device_enable_ibi().
Set DEV_ADDR_TABLE_SIR_REJECT in the DAT entry during
attach_i3c_dev() and reattach_i3c_dev() so that IBIs are rejected
by default. The bit is managed thereafter by the existing
dw_i3c_master_set_sir_enabled() function, which clears it in
enable_ibi() after ENEC is issued, and restores it in disable_ibi()
after DISEC.
Fixes: 1dd728f5d4d4 ("i3c: master: Add driver for Synopsys DesignWare IP")
Signed-off-by: Adrian Ng Ho Yin <adrianhoyin.ng@altera.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/53f5b8cbdd8af789ec38b95b02873f32f9182dd6.1770962368.git.adrianhoyin.ng@altera.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/dw-i3c-master.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c
index 4c019c746f231..e0853a6bde0a4 100644
--- a/drivers/i3c/master/dw-i3c-master.c
+++ b/drivers/i3c/master/dw-i3c-master.c
@@ -1013,7 +1013,7 @@ static int dw_i3c_master_reattach_i3c_dev(struct i3c_dev_desc *dev,
master->free_pos &= ~BIT(pos);
}
- writel(DEV_ADDR_TABLE_DYNAMIC_ADDR(dev->info.dyn_addr),
+ writel(DEV_ADDR_TABLE_DYNAMIC_ADDR(dev->info.dyn_addr) | DEV_ADDR_TABLE_SIR_REJECT,
master->regs +
DEV_ADDR_TABLE_LOC(master->datstartaddr, data->index));
@@ -1042,7 +1042,7 @@ static int dw_i3c_master_attach_i3c_dev(struct i3c_dev_desc *dev)
master->free_pos &= ~BIT(pos);
i3c_dev_set_master_data(dev, data);
- writel(DEV_ADDR_TABLE_DYNAMIC_ADDR(master->devs[pos].addr),
+ writel(DEV_ADDR_TABLE_DYNAMIC_ADDR(master->devs[pos].addr) | DEV_ADDR_TABLE_SIR_REJECT,
master->regs +
DEV_ADDR_TABLE_LOC(master->datstartaddr, data->index));
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 210/567] ALSA: usb-audio: Check max frame size for implicit feedback mode, too
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 209/567] ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0 Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 211/567] powerpc/uaccess: Fix inline assembly for clang build on PPC32 Greg Kroah-Hartman
` (167 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 7cb2a5422f5bbdf1cf32eae0eda41000485b9346 ]
When the packet sizes are taken from the capture stream in the
implicit feedback mode, the sizes might be larger than the upper
boundary defined by the descriptor. As already done for other
transfer modes, we have to cap the sizes accordingly at sending,
otherwise this would lead to an error in USB core at submission of
URBs.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221076
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260225085233.316306-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/endpoint.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
index 806755a65fc05..f6cef6aaca773 100644
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -224,6 +224,7 @@ int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep,
packet = ctx->packet_size[idx];
if (packet) {
+ packet = min(packet, ep->maxframesize);
if (avail && packet >= avail)
return -EAGAIN;
return packet;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 148/481] scsi: mpi3mr: Add NULL checks when resetting request and reply queues
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 147/481] ACPI: PM: Save NVS memory on Lenovo G70-35 Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 149/481] unshare: fix unshare_fs() handling Greg Kroah-Hartman
` (167 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ranjan Kumar, Martin K. Petersen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
[ Upstream commit fa96392ebebc8fade2b878acb14cce0f71016503 ]
The driver encountered a crash during resource cleanup when the reply and
request queues were NULL due to freed memory. This issue occurred when the
creation of reply or request queues failed, and the driver freed the memory
first, but attempted to mem set the content of the freed memory, leading to
a system crash.
Add NULL pointer checks for reply and request queues before accessing the
reply/request memory during cleanup
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://patch.msgid.link/20260212070026.30263-1-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mpi3mr/mpi3mr_fw.c | 34 ++++++++++++++++++---------------
1 file changed, 19 insertions(+), 15 deletions(-)
diff --git a/drivers/scsi/mpi3mr/mpi3mr_fw.c b/drivers/scsi/mpi3mr/mpi3mr_fw.c
index 9d8f5a4794666..d4747ff4d800a 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
@@ -4246,21 +4246,25 @@ void mpi3mr_memset_buffers(struct mpi3mr_ioc *mrioc)
}
for (i = 0; i < mrioc->num_queues; i++) {
- mrioc->op_reply_qinfo[i].qid = 0;
- mrioc->op_reply_qinfo[i].ci = 0;
- mrioc->op_reply_qinfo[i].num_replies = 0;
- mrioc->op_reply_qinfo[i].ephase = 0;
- atomic_set(&mrioc->op_reply_qinfo[i].pend_ios, 0);
- atomic_set(&mrioc->op_reply_qinfo[i].in_use, 0);
- mpi3mr_memset_op_reply_q_buffers(mrioc, i);
-
- mrioc->req_qinfo[i].ci = 0;
- mrioc->req_qinfo[i].pi = 0;
- mrioc->req_qinfo[i].num_requests = 0;
- mrioc->req_qinfo[i].qid = 0;
- mrioc->req_qinfo[i].reply_qid = 0;
- spin_lock_init(&mrioc->req_qinfo[i].q_lock);
- mpi3mr_memset_op_req_q_buffers(mrioc, i);
+ if (mrioc->op_reply_qinfo) {
+ mrioc->op_reply_qinfo[i].qid = 0;
+ mrioc->op_reply_qinfo[i].ci = 0;
+ mrioc->op_reply_qinfo[i].num_replies = 0;
+ mrioc->op_reply_qinfo[i].ephase = 0;
+ atomic_set(&mrioc->op_reply_qinfo[i].pend_ios, 0);
+ atomic_set(&mrioc->op_reply_qinfo[i].in_use, 0);
+ mpi3mr_memset_op_reply_q_buffers(mrioc, i);
+ }
+
+ if (mrioc->req_qinfo) {
+ mrioc->req_qinfo[i].ci = 0;
+ mrioc->req_qinfo[i].pi = 0;
+ mrioc->req_qinfo[i].num_requests = 0;
+ mrioc->req_qinfo[i].qid = 0;
+ mrioc->req_qinfo[i].reply_qid = 0;
+ spin_lock_init(&mrioc->req_qinfo[i].q_lock);
+ mpi3mr_memset_op_req_q_buffers(mrioc, i);
+ }
}
atomic_set(&mrioc->pend_large_data_sz, 0);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 135/460] scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 134/460] i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 136/460] scsi: hisi_sas: Add time interval between two H2D FIS following soft reset spec Greg Kroah-Hartman
` (167 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bean Huo, Bart Van Assche,
Wang Shuaiwei, Martin K. Petersen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Shuaiwei <wangshuaiwei1@xiaomi.com>
[ Upstream commit b0bd84c39289ef6a6c3827dd52c875659291970a ]
In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel
the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op,
POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can
still be running while ufshcd_vops_suspend() is executing. When
UFSHCD_CAP_CLK_GATING is not supported, the condition
!hba->clk_gating.active_reqs is always true, causing ufshcd_update_rtc()
to be executed. Since ufshcd_vops_suspend() typically performs clock
gating operations, executing ufshcd_update_rtc() at that moment triggers
an SError. The kernel panic trace is as follows:
Kernel panic - not syncing: Asynchronous SError Interrupt
Call trace:
dump_backtrace+0xec/0x128
show_stack+0x18/0x28
dump_stack_lvl+0x40/0xa0
dump_stack+0x18/0x24
panic+0x148/0x374
nmi_panic+0x3c/0x8c
arm64_serror_panic+0x64/0x8c
do_serror+0xc4/0xc8
el1h_64_error_handler+0x34/0x4c
el1h_64_error+0x68/0x6c
el1_interrupt+0x20/0x58
el1h_64_irq_handler+0x18/0x24
el1h_64_irq+0x68/0x6c
ktime_get+0xc4/0x12c
ufshcd_mcq_sq_stop+0x4c/0xec
ufshcd_mcq_sq_cleanup+0x64/0x1dc
ufshcd_clear_cmd+0x38/0x134
ufshcd_issue_dev_cmd+0x298/0x4d0
ufshcd_exec_dev_cmd+0x1a4/0x1c4
ufshcd_query_attr+0xbc/0x19c
ufshcd_rtc_work+0x10c/0x1c8
process_scheduled_works+0x1c4/0x45c
worker_thread+0x32c/0x3e8
kthread+0x120/0x1d8
ret_from_fork+0x10/0x20
Fix this by moving cancel_delayed_work_sync() before the call to
ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is
fully completed or cancelled at that point.
Cc: Bean Huo <beanhuo@iokpp.de>
Fixes: 6bf999e0eb41 ("scsi: ufs: core: Add UFS RTC support")
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Wang Shuaiwei <wangshuaiwei1@xiaomi.com>
Link: https://patch.msgid.link/20260307035128.3419687-1-wangshuaiwei1@xiaomi.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index ea6e7c18e35cd..22d3cb0ddbcaa 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -9813,6 +9813,7 @@ static int __ufshcd_wl_suspend(struct ufs_hba *hba, enum ufs_pm_op pm_op)
}
flush_work(&hba->eeh_work);
+ cancel_delayed_work_sync(&hba->ufs_rtc_update_work);
ret = ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE);
if (ret)
@@ -9867,7 +9868,6 @@ static int __ufshcd_wl_suspend(struct ufs_hba *hba, enum ufs_pm_op pm_op)
if (ret)
goto set_link_active;
- cancel_delayed_work_sync(&hba->ufs_rtc_update_work);
goto out;
set_link_active:
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 211/567] powerpc/uaccess: Fix inline assembly for clang build on PPC32
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 210/567] ALSA: usb-audio: Check max frame size for implicit feedback mode, too Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 212/567] remoteproc: sysmon: Correct subsys_name_len type in QMI request Greg Kroah-Hartman
` (166 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot,
Christophe Leroy (CS GROUP), Nathan Chancellor,
Madhavan Srinivasan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
[ Upstream commit 0ee95a1d458630272d0415d0ffa9424fcb606c90 ]
Test robot reports the following error with clang-16.0.6:
In file included from kernel/rseq.c:75:
include/linux/rseq_entry.h:141:3: error: invalid operand for instruction
unsafe_get_user(offset, &ucs->post_commit_offset, efault);
^
include/linux/uaccess.h:608:2: note: expanded from macro 'unsafe_get_user'
arch_unsafe_get_user(x, ptr, local_label); \
^
arch/powerpc/include/asm/uaccess.h:518:2: note: expanded from macro 'arch_unsafe_get_user'
__get_user_size_goto(__gu_val, __gu_addr, sizeof(*(p)), e); \
^
arch/powerpc/include/asm/uaccess.h:284:2: note: expanded from macro '__get_user_size_goto'
__get_user_size_allowed(x, ptr, size, __gus_retval); \
^
arch/powerpc/include/asm/uaccess.h:275:10: note: expanded from macro '__get_user_size_allowed'
case 8: __get_user_asm2(x, (u64 __user *)ptr, retval); break; \
^
arch/powerpc/include/asm/uaccess.h:258:4: note: expanded from macro '__get_user_asm2'
" li %1+1,0\n" \
^
<inline asm>:7:5: note: instantiated into assembly here
li 31+1,0
^
1 error generated.
On PPC32, for 64 bits vars a pair of registers is used. Usually the
lower register in the pair is the high part and the higher register is
the low part. GCC uses r3/r4 ... r11/r12 ... r14/r15 ... r30/r31
In older kernel code inline assembly was using %1 and %1+1 to represent
64 bits values. However here it looks like clang uses r31 as high part,
allthough r32 doesn't exist hence the error.
Allthoug %1+1 should work, most places now use %L1 instead of %1+1, so
let's do the same here.
With that change, the build doesn't fail anymore and a disassembly shows
clang uses r17/r18 and r31/r14 pair when GCC would have used r16/r17 and
r30/r31:
Disassembly of section .fixup:
00000000 <.fixup>:
0: 38 a0 ff f2 li r5,-14
4: 3a 20 00 00 li r17,0
8: 3a 40 00 00 li r18,0
c: 48 00 00 00 b c <.fixup+0xc>
c: R_PPC_REL24 .text+0xbc
10: 38 a0 ff f2 li r5,-14
14: 3b e0 00 00 li r31,0
18: 39 c0 00 00 li r14,0
1c: 48 00 00 00 b 1c <.fixup+0x1c>
1c: R_PPC_REL24 .text+0x144
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202602021825.otcItxGi-lkp@intel.com/
Fixes: c20beffeec3c ("powerpc/uaccess: Use flexible addressing with __put_user()/__get_user()")
Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
Acked-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/8ca3a657a650e497a96bfe7acde2f637dadab344.1770103646.git.chleroy@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/include/asm/uaccess.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
index ec7f001d03d01..fa6d8410bc07d 100644
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -242,7 +242,7 @@ __gus_failed: \
".section .fixup,\"ax\"\n" \
"4: li %0,%3\n" \
" li %1,0\n" \
- " li %1+1,0\n" \
+ " li %L1,0\n" \
" b 3b\n" \
".previous\n" \
EX_TABLE(1b, 4b) \
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 149/481] unshare: fix unshare_fs() handling
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 148/481] scsi: mpi3mr: Add NULL checks when resetting request and reply queues Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 150/481] wifi: mac80211: set default WMM parameters on all links Greg Kroah-Hartman
` (166 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Al Viro, Waiman Long,
Christian Brauner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 6c4b2243cb6c0755159bd567130d5e12e7b10d9f ]
There's an unpleasant corner case in unshare(2), when we have a
CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that
case copy_mnt_ns() gets passed current->fs instead of a private copy,
which causes interesting warts in proof of correctness]
> I guess if private means fs->users == 1, the condition could still be true.
Unfortunately, it's worse than just a convoluted proof of correctness.
Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS
(and current->fs->users == 1).
We pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and
flips current->fs->{pwd,root} to corresponding locations in the new namespace.
Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM).
We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's
destroyed and its mount tree is dissolved, but... current->fs->root and
current->fs->pwd are both left pointing to now detached mounts.
They are pinning those, so it's not a UAF, but it leaves the calling
process with unshare(2) failing with -ENOMEM _and_ leaving it with
pwd and root on detached isolated mounts. The last part is clearly a bug.
There is other fun related to that mess (races with pivot_root(), including
the one between pivot_root() and fork(), of all things), but this one
is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new
fs_struct even if it hadn't been shared in the first place". Sure, we could
go for something like "if both CLONE_NEWNS *and* one of the things that might
end up failing after copy_mnt_ns() call in create_new_namespaces() are set,
force allocation of new fs_struct", but let's keep it simple - the cost
of copy_fs_struct() is trivial.
Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets
a freshly allocated fs_struct, yet to be attached to anything. That
seriously simplifies the analysis...
FWIW, that bug had been there since the introduction of unshare(2) ;-/
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Link: https://patch.msgid.link/20260207082524.GE3183987@ZenIV
Tested-by: Waiman Long <longman@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/fork.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/fork.c b/kernel/fork.c
index c548538d3ade8..b8cf8891ffc7b 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -3193,7 +3193,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
return 0;
/* don't need lock here; in the worst case we'll do useless copy */
- if (fs->users == 1)
+ if (!(unshare_flags & CLONE_NEWNS) && fs->users == 1)
return 0;
*new_fsp = copy_fs_struct(fs);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 136/460] scsi: hisi_sas: Add time interval between two H2D FIS following soft reset spec
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 135/460] scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 137/460] scsi: hisi_sas: Use macro instead of magic number Greg Kroah-Hartman
` (166 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xingui Yang, Yihang Li,
Martin K. Petersen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xingui Yang <yangxingui@huawei.com>
[ Upstream commit 3c62791322e42d1afd65acfdb5b3a371bde21ede ]
Spec says at least 5us between two H2D FIS when do soft reset, but be
generous and sleep for about 1ms.
Signed-off-by: Xingui Yang <yangxingui@huawei.com>
Link: https://lore.kernel.org/r/20241008021822.2617339-11-liyihang9@huawei.com
Reviewed-by: Yihang Li <liyihang9@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Stable-dep-of: 8ddc0c269165 ("scsi: hisi_sas: Fix NULL pointer exception during user_scan()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hisi_sas/hisi_sas_main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index d9500b7306905..43d2ca4c6605f 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -1341,6 +1341,7 @@ static int hisi_sas_softreset_ata_disk(struct domain_device *device)
}
if (rc == TMF_RESP_FUNC_COMPLETE) {
+ usleep_range(900, 1000);
ata_for_each_link(link, ap, EDGE) {
int pmp = sata_srst_pmp(link);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 212/567] remoteproc: sysmon: Correct subsys_name_len type in QMI request
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 211/567] powerpc/uaccess: Fix inline assembly for clang build on PPC32 Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 213/567] remoteproc: mediatek: Unprepare SCP clock during system suspend Greg Kroah-Hartman
` (165 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Andersson, Chris Lew,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
[ Upstream commit da994db94e60f9a9411108ddf4d1836147ad4c9c ]
The QMI message encoder has up until recently read a single byte (as
elem_size == 1), but with the introduction of big endian support it's
become apparent that this field is expected to be a full u32 -
regardless of the size of the length in the encoded message (which is
what elem_size specifies).
The result is that the encoder now reads past the length byte and
rejects the unreasonably large length formed when including the
following 3 bytes from the subsys_name array.
Fix this by changing to the expected type.
Fixes: 1fb82ee806d1 ("remoteproc: qcom: Introduce sysmon")
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Reviewed-by: Chris Lew <christopher.lew@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260220-qmi-encode-invalid-length-v2-1-5674be35ab29@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/qcom_sysmon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/remoteproc/qcom_sysmon.c b/drivers/remoteproc/qcom_sysmon.c
index c24e4a8828738..db33a41051a3e 100644
--- a/drivers/remoteproc/qcom_sysmon.c
+++ b/drivers/remoteproc/qcom_sysmon.c
@@ -203,7 +203,7 @@ static const struct qmi_elem_info ssctl_shutdown_resp_ei[] = {
};
struct ssctl_subsys_event_req {
- u8 subsys_name_len;
+ u32 subsys_name_len;
char subsys_name[SSCTL_SUBSYS_NAME_LENGTH];
u32 event;
u8 evt_driven_valid;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 150/481] wifi: mac80211: set default WMM parameters on all links
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 149/481] unshare: fix unshare_fs() handling Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 151/481] ACPI: OSI: Add DMI quirk for Acer Aspire One D255 Greg Kroah-Hartman
` (165 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ramanathan Choodamani, Aishwarya R,
Johannes Berg, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ramanathan Choodamani <quic_rchoodam@quicinc.com>
[ Upstream commit 2259d14499d16b115ef8d5d2ddc867e2be7cb5b5 ]
Currently, mac80211 only initializes default WMM parameters
on the deflink during do_open(). For MLO cases, this
leaves the additional links without proper WMM defaults
if hostapd does not supply per-link WMM parameters, leading
to inconsistent QoS behavior across links.
Set default WMM parameters for each link during
ieee80211_vif_update_links(), because this ensures all
individual links in an MLD have valid WMM settings during
bring-up and behave consistently across different BSS.
Signed-off-by: Ramanathan Choodamani <quic_rchoodam@quicinc.com>
Signed-off-by: Aishwarya R <aishwarya.r@oss.qualcomm.com>
Link: https://patch.msgid.link/20260205094216.3093542-1-aishwarya.r@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/link.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/mac80211/link.c b/net/mac80211/link.c
index a85b44c1bc995..cd84e7f3b742e 100644
--- a/net/mac80211/link.c
+++ b/net/mac80211/link.c
@@ -176,6 +176,7 @@ static int ieee80211_vif_update_links(struct ieee80211_sub_if_data *sdata,
struct ieee80211_bss_conf *old[IEEE80211_MLD_MAX_NUM_LINKS];
struct ieee80211_link_data *old_data[IEEE80211_MLD_MAX_NUM_LINKS];
bool use_deflink = old_links == 0; /* set for error case */
+ bool non_sta = sdata->vif.type != NL80211_IFTYPE_STATION;
sdata_assert_lock(sdata);
@@ -229,6 +230,7 @@ static int ieee80211_vif_update_links(struct ieee80211_sub_if_data *sdata,
link = links[link_id];
ieee80211_link_init(sdata, link_id, &link->data, &link->conf);
ieee80211_link_setup(&link->data);
+ ieee80211_set_wmm_default(&link->data, true, non_sta);
}
if (new_links == 0)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 137/460] scsi: hisi_sas: Use macro instead of magic number
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 136/460] scsi: hisi_sas: Add time interval between two H2D FIS following soft reset spec Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 138/460] scsi: hisi_sas: Fix NULL pointer exception during user_scan() Greg Kroah-Hartman
` (165 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yihang Li, Martin K. Petersen,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yihang Li <liyihang9@huawei.com>
[ Upstream commit 4ca7fe99fc8485fcd04b367f37dc7a48f1355419 ]
The hisi_sas driver has a large number of magic numbers which makes for
unfriendly code reading. Use macro definitions instead.
Signed-off-by: Yihang Li <liyihang9@huawei.com>
Link: https://lore.kernel.org/r/20250414080845.1220997-2-liyihang9@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Stable-dep-of: 8ddc0c269165 ("scsi: hisi_sas: Fix NULL pointer exception during user_scan()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hisi_sas/hisi_sas.h | 43 +++--
drivers/scsi/hisi_sas/hisi_sas_main.c | 41 +++--
drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 244 ++++++++++++++++---------
3 files changed, 213 insertions(+), 115 deletions(-)
diff --git a/drivers/scsi/hisi_sas/hisi_sas.h b/drivers/scsi/hisi_sas/hisi_sas.h
index 010479a354eee..3311f9b9eca6a 100644
--- a/drivers/scsi/hisi_sas/hisi_sas.h
+++ b/drivers/scsi/hisi_sas/hisi_sas.h
@@ -46,6 +46,13 @@
#define HISI_SAS_IOST_ITCT_CACHE_DW_SZ 10
#define HISI_SAS_FIFO_DATA_DW_SIZE 32
+#define HISI_SAS_REG_MEM_SIZE 4
+#define HISI_SAS_MAX_CDB_LEN 16
+#define HISI_SAS_BLK_QUEUE_DEPTH 64
+
+#define BYTE_TO_DW 4
+#define BYTE_TO_DDW 8
+
#define HISI_SAS_STATUS_BUF_SZ (sizeof(struct hisi_sas_status_buffer))
#define HISI_SAS_COMMAND_TABLE_SZ (sizeof(union hisi_sas_command_table))
@@ -92,6 +99,8 @@
#define HISI_SAS_WAIT_PHYUP_TIMEOUT (30 * HZ)
#define HISI_SAS_CLEAR_ITCT_TIMEOUT (20 * HZ)
+#define HISI_SAS_DELAY_FOR_PHY_DISABLE 100
+#define NAME_BUF_SIZE 256
struct hisi_hba;
@@ -167,6 +176,8 @@ struct hisi_sas_debugfs_fifo {
u32 rd_data[HISI_SAS_FIFO_DATA_DW_SIZE];
};
+#define FRAME_RCVD_BUF 32
+#define SAS_PHY_RESV_SIZE 2
struct hisi_sas_phy {
struct work_struct works[HISI_PHYES_NUM];
struct hisi_hba *hisi_hba;
@@ -178,10 +189,10 @@ struct hisi_sas_phy {
spinlock_t lock;
u64 port_id; /* from hw */
u64 frame_rcvd_size;
- u8 frame_rcvd[32];
+ u8 frame_rcvd[FRAME_RCVD_BUF];
u8 phy_attached;
u8 in_reset;
- u8 reserved[2];
+ u8 reserved[SAS_PHY_RESV_SIZE];
u32 phy_type;
u32 code_violation_err_count;
enum sas_linkrate minimum_linkrate;
@@ -348,6 +359,7 @@ struct hisi_sas_hw {
};
#define HISI_SAS_MAX_DEBUGFS_DUMP (50)
+#define HISI_SAS_DEFAULT_DEBUGFS_DUMP 1
struct hisi_sas_debugfs_cq {
struct hisi_sas_cq *cq;
@@ -527,12 +539,13 @@ struct hisi_sas_cmd_hdr {
__le64 dif_prd_table_addr;
};
+#define ITCT_RESV_DDW 12
struct hisi_sas_itct {
__le64 qw0;
__le64 sas_addr;
__le64 qw2;
__le64 qw3;
- __le64 qw4_15[12];
+ __le64 qw4_15[ITCT_RESV_DDW];
};
struct hisi_sas_iost {
@@ -542,22 +555,26 @@ struct hisi_sas_iost {
__le64 qw3;
};
+#define ERROR_RECORD_BUF_DW 4
struct hisi_sas_err_record {
- u32 data[4];
+ u32 data[ERROR_RECORD_BUF_DW];
};
+#define FIS_RESV_DW 3
struct hisi_sas_initial_fis {
struct hisi_sas_err_record err_record;
struct dev_to_host_fis fis;
- u32 rsvd[3];
+ u32 rsvd[FIS_RESV_DW];
};
+#define BREAKPOINT_DATA_SIZE 128
struct hisi_sas_breakpoint {
- u8 data[128];
+ u8 data[BREAKPOINT_DATA_SIZE];
};
+#define BREAKPOINT_TAG_NUM 32
struct hisi_sas_sata_breakpoint {
- struct hisi_sas_breakpoint tag[32];
+ struct hisi_sas_breakpoint tag[BREAKPOINT_TAG_NUM];
};
struct hisi_sas_sge {
@@ -568,13 +585,15 @@ struct hisi_sas_sge {
__le32 data_off;
};
+#define SMP_CMD_TABLE_SIZE 44
struct hisi_sas_command_table_smp {
- u8 bytes[44];
+ u8 bytes[SMP_CMD_TABLE_SIZE];
};
+#define DUMMY_BUF_SIZE 12
struct hisi_sas_command_table_stp {
struct host_to_dev_fis command_fis;
- u8 dummy[12];
+ u8 dummy[DUMMY_BUF_SIZE];
u8 atapi_cdb[ATAPI_CDB_LEN];
};
@@ -588,12 +607,13 @@ struct hisi_sas_sge_dif_page {
struct hisi_sas_sge sge[HISI_SAS_SGE_DIF_PAGE_CNT];
} __aligned(16);
+#define PROT_BUF_SIZE 7
struct hisi_sas_command_table_ssp {
struct ssp_frame_hdr hdr;
union {
struct {
struct ssp_command_iu task;
- u32 prot[7];
+ u32 prot[PROT_BUF_SIZE];
};
struct ssp_tmf_iu ssp_task;
struct xfer_rdy_iu xfer_rdy;
@@ -607,9 +627,10 @@ union hisi_sas_command_table {
struct hisi_sas_command_table_stp stp;
} __aligned(16);
+#define IU_BUF_SIZE 1024
struct hisi_sas_status_buffer {
struct hisi_sas_err_record err;
- u8 iu[1024];
+ u8 iu[IU_BUF_SIZE];
} __aligned(16);
struct hisi_sas_slot_buf_table {
diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index 43d2ca4c6605f..71d12b94ba5be 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -7,6 +7,16 @@
#include "hisi_sas.h"
#define DRV_NAME "hisi_sas"
+#define LINK_RATE_BIT_MASK 2
+#define FIS_BUF_SIZE 20
+#define WAIT_CMD_COMPLETE_DELAY 100
+#define WAIT_CMD_COMPLETE_TMROUT 5000
+#define DELAY_FOR_LINK_READY 2000
+#define BLK_CNT_OPTIMIZE_MARK 64
+#define HZ_TO_MHZ 1000000
+#define DELAY_FOR_SOFTRESET_MAX 1000
+#define DELAY_FOR_SOFTRESET_MIN 900
+
#define DEV_IS_GONE(dev) \
((!dev) || (dev->dev_type == SAS_PHY_UNUSED))
@@ -127,7 +137,7 @@ u8 hisi_sas_get_prog_phy_linkrate_mask(enum sas_linkrate max)
max -= SAS_LINK_RATE_1_5_GBPS;
for (i = 0; i <= max; i++)
- rate |= 1 << (i * 2);
+ rate |= 1 << (i * LINK_RATE_BIT_MASK);
return rate;
}
EXPORT_SYMBOL_GPL(hisi_sas_get_prog_phy_linkrate_mask);
@@ -877,7 +887,7 @@ int hisi_sas_device_configure(struct scsi_device *sdev,
if (ret)
return ret;
if (!dev_is_sata(dev))
- sas_change_queue_depth(sdev, 64);
+ sas_change_queue_depth(sdev, HISI_SAS_BLK_QUEUE_DEPTH);
return 0;
}
@@ -1239,7 +1249,7 @@ static int hisi_sas_phy_set_linkrate(struct hisi_hba *hisi_hba, int phy_no,
sas_phy->phy->minimum_linkrate = min;
hisi_sas_phy_enable(hisi_hba, phy_no, 0);
- msleep(100);
+ msleep(HISI_SAS_DELAY_FOR_PHY_DISABLE);
hisi_hba->hw->phy_set_linkrate(hisi_hba, phy_no, &_r);
hisi_sas_phy_enable(hisi_hba, phy_no, 1);
@@ -1269,7 +1279,7 @@ static int hisi_sas_control_phy(struct asd_sas_phy *sas_phy, enum phy_func func,
case PHY_FUNC_LINK_RESET:
hisi_sas_phy_enable(hisi_hba, phy_no, 0);
- msleep(100);
+ msleep(HISI_SAS_DELAY_FOR_PHY_DISABLE);
hisi_sas_phy_enable(hisi_hba, phy_no, 1);
break;
@@ -1324,7 +1334,7 @@ static void hisi_sas_fill_ata_reset_cmd(struct ata_device *dev,
static int hisi_sas_softreset_ata_disk(struct domain_device *device)
{
- u8 fis[20] = {0};
+ u8 fis[FIS_BUF_SIZE] = {0};
struct ata_port *ap = device->sata_dev.ap;
struct ata_link *link;
int rc = TMF_RESP_FUNC_FAILED;
@@ -1341,7 +1351,7 @@ static int hisi_sas_softreset_ata_disk(struct domain_device *device)
}
if (rc == TMF_RESP_FUNC_COMPLETE) {
- usleep_range(900, 1000);
+ usleep_range(DELAY_FOR_SOFTRESET_MIN, DELAY_FOR_SOFTRESET_MAX);
ata_for_each_link(link, ap, EDGE) {
int pmp = sata_srst_pmp(link);
@@ -1460,7 +1470,7 @@ static void hisi_sas_send_ata_reset_each_phy(struct hisi_hba *hisi_hba,
struct device *dev = hisi_hba->dev;
int rc = TMF_RESP_FUNC_FAILED;
struct ata_link *link;
- u8 fis[20] = {0};
+ u8 fis[FIS_BUF_SIZE] = {0};
int i;
for (i = 0; i < hisi_hba->n_phy; i++) {
@@ -1527,7 +1537,9 @@ void hisi_sas_controller_reset_prepare(struct hisi_hba *hisi_hba)
hisi_hba->phy_state = hisi_hba->hw->get_phys_state(hisi_hba);
scsi_block_requests(shost);
- hisi_hba->hw->wait_cmds_complete_timeout(hisi_hba, 100, 5000);
+ hisi_hba->hw->wait_cmds_complete_timeout(hisi_hba,
+ WAIT_CMD_COMPLETE_DELAY,
+ WAIT_CMD_COMPLETE_TMROUT);
/*
* hisi_hba->timer is only used for v1/v2 hw, and check hw->sht
@@ -1828,7 +1840,7 @@ static int hisi_sas_debug_I_T_nexus_reset(struct domain_device *device)
rc = ata_wait_after_reset(link, jiffies + HISI_SAS_WAIT_PHYUP_TIMEOUT,
smp_ata_check_ready_type);
} else {
- msleep(2000);
+ msleep(DELAY_FOR_LINK_READY);
}
return rc;
@@ -2243,12 +2255,14 @@ int hisi_sas_alloc(struct hisi_hba *hisi_hba)
goto err_out;
/* roundup to avoid overly large block size */
- max_command_entries_ru = roundup(max_command_entries, 64);
+ max_command_entries_ru = roundup(max_command_entries,
+ BLK_CNT_OPTIMIZE_MARK);
if (hisi_hba->prot_mask & HISI_SAS_DIX_PROT_MASK)
sz_slot_buf_ru = sizeof(struct hisi_sas_slot_dif_buf_table);
else
sz_slot_buf_ru = sizeof(struct hisi_sas_slot_buf_table);
- sz_slot_buf_ru = roundup(sz_slot_buf_ru, 64);
+
+ sz_slot_buf_ru = roundup(sz_slot_buf_ru, BLK_CNT_OPTIMIZE_MARK);
s = max(lcm(max_command_entries_ru, sz_slot_buf_ru), PAGE_SIZE);
blk_cnt = (max_command_entries_ru * sz_slot_buf_ru) / s;
slots_per_blk = s / sz_slot_buf_ru;
@@ -2413,7 +2427,8 @@ int hisi_sas_get_fw_info(struct hisi_hba *hisi_hba)
if (IS_ERR(refclk))
dev_dbg(dev, "no ref clk property\n");
else
- hisi_hba->refclk_frequency_mhz = clk_get_rate(refclk) / 1000000;
+ hisi_hba->refclk_frequency_mhz = clk_get_rate(refclk) /
+ HZ_TO_MHZ;
if (device_property_read_u32(dev, "phy-count", &hisi_hba->n_phy)) {
dev_err(dev, "could not get property phy-count\n");
@@ -2530,7 +2545,7 @@ int hisi_sas_probe(struct platform_device *pdev,
shost->max_id = HISI_SAS_MAX_DEVICES;
shost->max_lun = ~0;
shost->max_channel = 1;
- shost->max_cmd_len = 16;
+ shost->max_cmd_len = HISI_SAS_MAX_CDB_LEN;
if (hisi_hba->hw->slot_index_alloc) {
shost->can_queue = HISI_SAS_MAX_COMMANDS;
shost->cmd_per_lun = HISI_SAS_MAX_COMMANDS;
diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
index 2b04556681a1a..cf0df9b405b24 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
@@ -465,6 +465,12 @@
#define ITCT_HDR_RTOLT_OFF 48
#define ITCT_HDR_RTOLT_MSK (0xffffULL << ITCT_HDR_RTOLT_OFF)
+/*debugfs*/
+#define TWO_PARA_PER_LINE 2
+#define FOUR_PARA_PER_LINE 4
+#define DUMP_BUF_SIZE 8
+#define BIST_BUF_SIZE 16
+
struct hisi_sas_protect_iu_v3_hw {
u32 dw0;
u32 lbrtcv;
@@ -535,6 +541,43 @@ struct hisi_sas_err_record_v3 {
#define BASE_VECTORS_V3_HW 16
#define MIN_AFFINE_VECTORS_V3_HW (BASE_VECTORS_V3_HW + 1)
+#define IRQ_PHY_UP_DOWN_INDEX 1
+#define IRQ_CHL_INDEX 2
+#define IRQ_AXI_INDEX 11
+
+#define DELAY_FOR_RESET_HW 100
+#define HDR_SG_MOD 0x2
+#define LUN_SIZE 8
+#define ATTR_PRIO_REGION 9
+#define CDB_REGION 12
+#define PRIO_OFF 3
+#define TMF_REGION 10
+#define TAG_MSB 12
+#define TAG_LSB 13
+#define SMP_FRAME_TYPE 2
+#define SMP_CRC_SIZE 4
+#define HDR_TAG_OFF 3
+#define HOST_NO_OFF 6
+#define PHY_NO_OFF 7
+#define IDENTIFY_REG_READ 6
+#define LINK_RESET_TIMEOUT_OFF 4
+#define DECIMALISM_FLAG 10
+#define WAIT_RETRY 100
+#define WAIT_TMROUT 5000
+
+#define ID_DWORD0_INDEX 0
+#define ID_DWORD1_INDEX 1
+#define ID_DWORD2_INDEX 2
+#define ID_DWORD3_INDEX 3
+#define ID_DWORD4_INDEX 4
+#define ID_DWORD5_INDEX 5
+#define TICKS_BIT_INDEX 24
+#define COUNT_BIT_INDEX 8
+
+#define PORT_REG_LENGTH 0x100
+#define GLOBAL_REG_LENGTH 0x800
+#define AXI_REG_LENGTH 0x61
+#define RAS_REG_LENGTH 0x10
#define CHNL_INT_STS_MSK 0xeeeeeeee
#define CHNL_INT_STS_PHY_MSK 0xe
@@ -807,17 +850,17 @@ static void config_id_frame_v3_hw(struct hisi_hba *hisi_hba, int phy_no)
identify_buffer = (u32 *)(&identify_frame);
hisi_sas_phy_write32(hisi_hba, phy_no, TX_ID_DWORD0,
- __swab32(identify_buffer[0]));
+ __swab32(identify_buffer[ID_DWORD0_INDEX]));
hisi_sas_phy_write32(hisi_hba, phy_no, TX_ID_DWORD1,
- __swab32(identify_buffer[1]));
+ __swab32(identify_buffer[ID_DWORD1_INDEX]));
hisi_sas_phy_write32(hisi_hba, phy_no, TX_ID_DWORD2,
- __swab32(identify_buffer[2]));
+ __swab32(identify_buffer[ID_DWORD2_INDEX]));
hisi_sas_phy_write32(hisi_hba, phy_no, TX_ID_DWORD3,
- __swab32(identify_buffer[3]));
+ __swab32(identify_buffer[ID_DWORD3_INDEX]));
hisi_sas_phy_write32(hisi_hba, phy_no, TX_ID_DWORD4,
- __swab32(identify_buffer[4]));
+ __swab32(identify_buffer[ID_DWORD4_INDEX]));
hisi_sas_phy_write32(hisi_hba, phy_no, TX_ID_DWORD5,
- __swab32(identify_buffer[5]));
+ __swab32(identify_buffer[ID_DWORD5_INDEX]));
}
static void setup_itct_v3_hw(struct hisi_hba *hisi_hba,
@@ -937,7 +980,7 @@ static int reset_hw_v3_hw(struct hisi_hba *hisi_hba)
/* Disable all of the PHYs */
hisi_sas_stop_phys(hisi_hba);
- udelay(50);
+ udelay(HISI_SAS_DELAY_FOR_PHY_DISABLE);
/* Ensure axi bus idle */
ret = hisi_sas_read32_poll_timeout(AXI_CFG, val, !val,
@@ -977,7 +1020,7 @@ static int hw_init_v3_hw(struct hisi_hba *hisi_hba)
return rc;
}
- msleep(100);
+ msleep(DELAY_FOR_RESET_HW);
init_reg_v3_hw(hisi_hba);
if (guid_parse("D5918B4B-37AE-4E10-A99F-E5E8A6EF4C1F", &guid)) {
@@ -1026,7 +1069,7 @@ static void disable_phy_v3_hw(struct hisi_hba *hisi_hba, int phy_no)
cfg &= ~PHY_CFG_ENA_MSK;
hisi_sas_phy_write32(hisi_hba, phy_no, PHY_CFG, cfg);
- mdelay(50);
+ mdelay(HISI_SAS_DELAY_FOR_PHY_DISABLE);
state = hisi_sas_read32(hisi_hba, PHY_STATE);
if (state & BIT(phy_no)) {
@@ -1062,7 +1105,7 @@ static void phy_hard_reset_v3_hw(struct hisi_hba *hisi_hba, int phy_no)
hisi_sas_phy_write32(hisi_hba, phy_no, TXID_AUTO,
txid_auto | TX_HARDRST_MSK);
}
- msleep(100);
+ msleep(HISI_SAS_DELAY_FOR_PHY_DISABLE);
hisi_sas_phy_enable(hisi_hba, phy_no, 1);
}
@@ -1107,7 +1150,8 @@ static int get_wideport_bitmap_v3_hw(struct hisi_hba *hisi_hba, int port_id)
for (i = 0; i < hisi_hba->n_phy; i++)
if (phy_state & BIT(i))
- if (((phy_port_num_ma >> (i * 4)) & 0xf) == port_id)
+ if (((phy_port_num_ma >> (i * HISI_SAS_REG_MEM_SIZE)) & 0xf) ==
+ port_id)
bitmap |= BIT(i);
return bitmap;
@@ -1305,9 +1349,9 @@ static void prep_ssp_v3_hw(struct hisi_hba *hisi_hba,
dw1 |= sas_dev->device_id << CMD_HDR_DEV_ID_OFF;
dw2 = (((sizeof(struct ssp_command_iu) + sizeof(struct ssp_frame_hdr)
- + 3) / 4) << CMD_HDR_CFL_OFF) |
- ((HISI_SAS_MAX_SSP_RESP_SZ / 4) << CMD_HDR_MRFL_OFF) |
- (2 << CMD_HDR_SG_MOD_OFF);
+ + 3) / BYTE_TO_DW) << CMD_HDR_CFL_OFF) |
+ ((HISI_SAS_MAX_SSP_RESP_SZ / BYTE_TO_DW) << CMD_HDR_MRFL_OFF) |
+ (HDR_SG_MOD << CMD_HDR_SG_MOD_OFF);
hdr->dw2 = cpu_to_le32(dw2);
hdr->transfer_tags = cpu_to_le32(slot->idx);
@@ -1327,18 +1371,19 @@ static void prep_ssp_v3_hw(struct hisi_hba *hisi_hba,
buf_cmd = hisi_sas_cmd_hdr_addr_mem(slot) +
sizeof(struct ssp_frame_hdr);
- memcpy(buf_cmd, &task->ssp_task.LUN, 8);
+ memcpy(buf_cmd, &task->ssp_task.LUN, LUN_SIZE);
if (!tmf) {
- buf_cmd[9] = ssp_task->task_attr;
- memcpy(buf_cmd + 12, scsi_cmnd->cmnd, scsi_cmnd->cmd_len);
+ buf_cmd[ATTR_PRIO_REGION] = ssp_task->task_attr;
+ memcpy(buf_cmd + CDB_REGION, scsi_cmnd->cmnd,
+ scsi_cmnd->cmd_len);
} else {
- buf_cmd[10] = tmf->tmf;
+ buf_cmd[TMF_REGION] = tmf->tmf;
switch (tmf->tmf) {
case TMF_ABORT_TASK:
case TMF_QUERY_TASK:
- buf_cmd[12] =
+ buf_cmd[TAG_MSB] =
(tmf->tag_of_task_to_be_managed >> 8) & 0xff;
- buf_cmd[13] =
+ buf_cmd[TAG_LSB] =
tmf->tag_of_task_to_be_managed & 0xff;
break;
default:
@@ -1371,7 +1416,8 @@ static void prep_ssp_v3_hw(struct hisi_hba *hisi_hba,
unsigned int interval = scsi_prot_interval(scsi_cmnd);
unsigned int ilog2_interval = ilog2(interval);
- len = (task->total_xfer_len >> ilog2_interval) * 8;
+ len = (task->total_xfer_len >> ilog2_interval) *
+ BYTE_TO_DDW;
}
}
@@ -1391,6 +1437,7 @@ static void prep_smp_v3_hw(struct hisi_hba *hisi_hba,
struct hisi_sas_device *sas_dev = device->lldd_dev;
dma_addr_t req_dma_addr;
unsigned int req_len;
+ u32 cfl;
/* req */
sg_req = &task->smp_task.smp_req;
@@ -1401,7 +1448,7 @@ static void prep_smp_v3_hw(struct hisi_hba *hisi_hba,
/* dw0 */
hdr->dw0 = cpu_to_le32((port->id << CMD_HDR_PORT_OFF) |
(1 << CMD_HDR_PRIORITY_OFF) | /* high pri */
- (2 << CMD_HDR_CMD_OFF)); /* smp */
+ (SMP_FRAME_TYPE << CMD_HDR_CMD_OFF)); /* smp */
/* map itct entry */
hdr->dw1 = cpu_to_le32((sas_dev->device_id << CMD_HDR_DEV_ID_OFF) |
@@ -1409,8 +1456,9 @@ static void prep_smp_v3_hw(struct hisi_hba *hisi_hba,
(DIR_NO_DATA << CMD_HDR_DIR_OFF));
/* dw2 */
- hdr->dw2 = cpu_to_le32((((req_len - 4) / 4) << CMD_HDR_CFL_OFF) |
- (HISI_SAS_MAX_SMP_RESP_SZ / 4 <<
+ cfl = (req_len - SMP_CRC_SIZE) / BYTE_TO_DW;
+ hdr->dw2 = cpu_to_le32((cfl << CMD_HDR_CFL_OFF) |
+ (HISI_SAS_MAX_SMP_RESP_SZ / BYTE_TO_DW <<
CMD_HDR_MRFL_OFF));
hdr->transfer_tags = cpu_to_le32(slot->idx << CMD_HDR_IPTT_OFF);
@@ -1477,12 +1525,13 @@ static void prep_ata_v3_hw(struct hisi_hba *hisi_hba,
struct ata_queued_cmd *qc = task->uldd_task;
hdr_tag = qc->tag;
- task->ata_task.fis.sector_count |= (u8) (hdr_tag << 3);
+ task->ata_task.fis.sector_count |=
+ (u8)(hdr_tag << HDR_TAG_OFF);
dw2 |= hdr_tag << CMD_HDR_NCQ_TAG_OFF;
}
- dw2 |= (HISI_SAS_MAX_STP_RESP_SZ / 4) << CMD_HDR_CFL_OFF |
- 2 << CMD_HDR_SG_MOD_OFF;
+ dw2 |= (HISI_SAS_MAX_STP_RESP_SZ / BYTE_TO_DW) << CMD_HDR_CFL_OFF |
+ HDR_SG_MOD << CMD_HDR_SG_MOD_OFF;
hdr->dw2 = cpu_to_le32(dw2);
/* dw3 */
@@ -1542,9 +1591,9 @@ static irqreturn_t phy_up_v3_hw(int phy_no, struct hisi_hba *hisi_hba)
hisi_sas_phy_write32(hisi_hba, phy_no, PHYCTRL_PHY_ENA_MSK, 1);
port_id = hisi_sas_read32(hisi_hba, PHY_PORT_NUM_MA);
- port_id = (port_id >> (4 * phy_no)) & 0xf;
+ port_id = (port_id >> (HISI_SAS_REG_MEM_SIZE * phy_no)) & 0xf;
link_rate = hisi_sas_read32(hisi_hba, PHY_CONN_RATE);
- link_rate = (link_rate >> (phy_no * 4)) & 0xf;
+ link_rate = (link_rate >> (phy_no * HISI_SAS_REG_MEM_SIZE)) & 0xf;
if (port_id == 0xf) {
dev_err(dev, "phyup: phy%d invalid portid\n", phy_no);
@@ -1577,8 +1626,8 @@ static irqreturn_t phy_up_v3_hw(int phy_no, struct hisi_hba *hisi_hba)
sas_phy->oob_mode = SATA_OOB_MODE;
attached_sas_addr[0] = 0x50;
- attached_sas_addr[6] = shost->host_no;
- attached_sas_addr[7] = phy_no;
+ attached_sas_addr[HOST_NO_OFF] = shost->host_no;
+ attached_sas_addr[PHY_NO_OFF] = phy_no;
memcpy(sas_phy->attached_sas_addr,
attached_sas_addr,
SAS_ADDR_SIZE);
@@ -1594,7 +1643,7 @@ static irqreturn_t phy_up_v3_hw(int phy_no, struct hisi_hba *hisi_hba)
(struct sas_identify_frame *)frame_rcvd;
dev_info(dev, "phyup: phy%d link_rate=%d\n", phy_no, link_rate);
- for (i = 0; i < 6; i++) {
+ for (i = 0; i < IDENTIFY_REG_READ; i++) {
u32 idaf = hisi_sas_phy_read32(hisi_hba, phy_no,
RX_IDAF_DWORD0 + (i * 4));
frame_rcvd[i] = __swab32(idaf);
@@ -1864,7 +1913,7 @@ static void handle_chl_int2_v3_hw(struct hisi_hba *hisi_hba, int phy_no)
dev_warn(dev, "phy%d stp link timeout (0x%x)\n",
phy_no, reg_value);
- if (reg_value & BIT(4))
+ if (reg_value & BIT(LINK_RESET_TIMEOUT_OFF))
hisi_sas_notify_phy_event(phy, HISI_PHYE_LINK_RESET);
}
@@ -2581,7 +2630,7 @@ static int interrupt_init_v3_hw(struct hisi_hba *hisi_hba)
struct pci_dev *pdev = hisi_hba->pci_dev;
int rc, i;
- rc = devm_request_irq(dev, pci_irq_vector(pdev, 1),
+ rc = devm_request_irq(dev, pci_irq_vector(pdev, IRQ_PHY_UP_DOWN_INDEX),
int_phy_up_down_bcast_v3_hw, 0,
DRV_NAME " phy", hisi_hba);
if (rc) {
@@ -2589,7 +2638,7 @@ static int interrupt_init_v3_hw(struct hisi_hba *hisi_hba)
return -ENOENT;
}
- rc = devm_request_irq(dev, pci_irq_vector(pdev, 2),
+ rc = devm_request_irq(dev, pci_irq_vector(pdev, IRQ_CHL_INDEX),
int_chnl_int_v3_hw, 0,
DRV_NAME " channel", hisi_hba);
if (rc) {
@@ -2597,7 +2646,7 @@ static int interrupt_init_v3_hw(struct hisi_hba *hisi_hba)
return -ENOENT;
}
- rc = devm_request_irq(dev, pci_irq_vector(pdev, 11),
+ rc = devm_request_irq(dev, pci_irq_vector(pdev, IRQ_AXI_INDEX),
fatal_axi_int_v3_hw, 0,
DRV_NAME " fatal", hisi_hba);
if (rc) {
@@ -2610,7 +2659,8 @@ static int interrupt_init_v3_hw(struct hisi_hba *hisi_hba)
for (i = 0; i < hisi_hba->cq_nvecs; i++) {
struct hisi_sas_cq *cq = &hisi_hba->cq[i];
- int nr = hisi_sas_intr_conv ? 16 : 16 + i;
+ int nr = hisi_sas_intr_conv ? BASE_VECTORS_V3_HW :
+ BASE_VECTORS_V3_HW + i;
unsigned long irqflags = hisi_sas_intr_conv ? IRQF_SHARED :
IRQF_ONESHOT;
@@ -2668,14 +2718,14 @@ static void interrupt_disable_v3_hw(struct hisi_hba *hisi_hba)
struct pci_dev *pdev = hisi_hba->pci_dev;
int i;
- synchronize_irq(pci_irq_vector(pdev, 1));
- synchronize_irq(pci_irq_vector(pdev, 2));
- synchronize_irq(pci_irq_vector(pdev, 11));
+ synchronize_irq(pci_irq_vector(pdev, IRQ_PHY_UP_DOWN_INDEX));
+ synchronize_irq(pci_irq_vector(pdev, IRQ_CHL_INDEX));
+ synchronize_irq(pci_irq_vector(pdev, IRQ_AXI_INDEX));
for (i = 0; i < hisi_hba->queue_count; i++)
hisi_sas_write32(hisi_hba, OQ0_INT_SRC_MSK + 0x4 * i, 0x1);
for (i = 0; i < hisi_hba->cq_nvecs; i++)
- synchronize_irq(pci_irq_vector(pdev, i + 16));
+ synchronize_irq(pci_irq_vector(pdev, i + BASE_VECTORS_V3_HW));
hisi_sas_write32(hisi_hba, ENT_INT_SRC_MSK1, 0xffffffff);
hisi_sas_write32(hisi_hba, ENT_INT_SRC_MSK2, 0xffffffff);
@@ -2707,7 +2757,7 @@ static int disable_host_v3_hw(struct hisi_hba *hisi_hba)
hisi_sas_stop_phys(hisi_hba);
- mdelay(10);
+ mdelay(HISI_SAS_DELAY_FOR_PHY_DISABLE);
reg_val = hisi_sas_read32(hisi_hba, AXI_MASTER_CFG_BASE +
AM_CTRL_GLOBAL);
@@ -2843,13 +2893,13 @@ static ssize_t intr_coal_ticks_v3_hw_store(struct device *dev,
u32 intr_coal_ticks;
int ret;
- ret = kstrtou32(buf, 10, &intr_coal_ticks);
+ ret = kstrtou32(buf, DECIMALISM_FLAG, &intr_coal_ticks);
if (ret) {
dev_err(dev, "Input data of interrupt coalesce unmatch\n");
return -EINVAL;
}
- if (intr_coal_ticks >= BIT(24)) {
+ if (intr_coal_ticks >= BIT(TICKS_BIT_INDEX)) {
dev_err(dev, "intr_coal_ticks must be less than 2^24!\n");
return -EINVAL;
}
@@ -2882,13 +2932,13 @@ static ssize_t intr_coal_count_v3_hw_store(struct device *dev,
u32 intr_coal_count;
int ret;
- ret = kstrtou32(buf, 10, &intr_coal_count);
+ ret = kstrtou32(buf, DECIMALISM_FLAG, &intr_coal_count);
if (ret) {
dev_err(dev, "Input data of interrupt coalesce unmatch\n");
return -EINVAL;
}
- if (intr_coal_count >= BIT(8)) {
+ if (intr_coal_count >= BIT(COUNT_BIT_INDEX)) {
dev_err(dev, "intr_coal_count must be less than 2^8!\n");
return -EINVAL;
}
@@ -3020,7 +3070,7 @@ static const struct hisi_sas_debugfs_reg_lu debugfs_port_reg_lu[] = {
static const struct hisi_sas_debugfs_reg debugfs_port_reg = {
.lu = debugfs_port_reg_lu,
- .count = 0x100,
+ .count = PORT_REG_LENGTH,
.base_off = PORT_BASE,
};
@@ -3094,7 +3144,7 @@ static const struct hisi_sas_debugfs_reg_lu debugfs_global_reg_lu[] = {
static const struct hisi_sas_debugfs_reg debugfs_global_reg = {
.lu = debugfs_global_reg_lu,
- .count = 0x800,
+ .count = GLOBAL_REG_LENGTH,
};
static const struct hisi_sas_debugfs_reg_lu debugfs_axi_reg_lu[] = {
@@ -3107,7 +3157,7 @@ static const struct hisi_sas_debugfs_reg_lu debugfs_axi_reg_lu[] = {
static const struct hisi_sas_debugfs_reg debugfs_axi_reg = {
.lu = debugfs_axi_reg_lu,
- .count = 0x61,
+ .count = AXI_REG_LENGTH,
.base_off = AXI_MASTER_CFG_BASE,
};
@@ -3124,7 +3174,7 @@ static const struct hisi_sas_debugfs_reg_lu debugfs_ras_reg_lu[] = {
static const struct hisi_sas_debugfs_reg debugfs_ras_reg = {
.lu = debugfs_ras_reg_lu,
- .count = 0x10,
+ .count = RAS_REG_LENGTH,
.base_off = RAS_BASE,
};
@@ -3133,7 +3183,7 @@ static void debugfs_snapshot_prepare_v3_hw(struct hisi_hba *hisi_hba)
struct Scsi_Host *shost = hisi_hba->shost;
scsi_block_requests(shost);
- wait_cmds_complete_timeout_v3_hw(hisi_hba, 100, 5000);
+ wait_cmds_complete_timeout_v3_hw(hisi_hba, WAIT_RETRY, WAIT_TMROUT);
set_bit(HISI_SAS_REJECT_CMD_BIT, &hisi_hba->flags);
hisi_sas_sync_cqs(hisi_hba);
@@ -3174,7 +3224,7 @@ static void read_iost_itct_cache_v3_hw(struct hisi_hba *hisi_hba,
return;
}
- memset(buf, 0, cache_dw_size * 4);
+ memset(buf, 0, cache_dw_size * BYTE_TO_DW);
buf[0] = val;
for (i = 1; i < cache_dw_size; i++)
@@ -3221,7 +3271,7 @@ static void hisi_sas_bist_test_restore_v3_hw(struct hisi_hba *hisi_hba)
reg_val = hisi_sas_phy_read32(hisi_hba, phy_no, PROG_PHY_LINK_RATE);
/* init OOB link rate as 1.5 Gbits */
reg_val &= ~CFG_PROG_OOB_PHY_LINK_RATE_MSK;
- reg_val |= (0x8 << CFG_PROG_OOB_PHY_LINK_RATE_OFF);
+ reg_val |= (SAS_LINK_RATE_1_5_GBPS << CFG_PROG_OOB_PHY_LINK_RATE_OFF);
hisi_sas_phy_write32(hisi_hba, phy_no, PROG_PHY_LINK_RATE, reg_val);
/* enable PHY */
@@ -3230,6 +3280,9 @@ static void hisi_sas_bist_test_restore_v3_hw(struct hisi_hba *hisi_hba)
#define SAS_PHY_BIST_CODE_INIT 0x1
#define SAS_PHY_BIST_CODE1_INIT 0X80
+#define SAS_PHY_BIST_INIT_DELAY 100
+#define SAS_PHY_BIST_LOOP_TEST_0 1
+#define SAS_PHY_BIST_LOOP_TEST_1 2
static int debugfs_set_bist_v3_hw(struct hisi_hba *hisi_hba, bool enable)
{
u32 reg_val, mode_tmp;
@@ -3248,7 +3301,8 @@ static int debugfs_set_bist_v3_hw(struct hisi_hba *hisi_hba, bool enable)
ffe[FFE_SATA_1_5_GBPS], ffe[FFE_SATA_3_0_GBPS],
ffe[FFE_SATA_6_0_GBPS], fix_code[FIXED_CODE],
fix_code[FIXED_CODE_1]);
- mode_tmp = path_mode ? 2 : 1;
+ mode_tmp = path_mode ? SAS_PHY_BIST_LOOP_TEST_1 :
+ SAS_PHY_BIST_LOOP_TEST_0;
if (enable) {
/* some preparations before bist test */
hisi_sas_bist_test_prep_v3_hw(hisi_hba);
@@ -3291,13 +3345,13 @@ static int debugfs_set_bist_v3_hw(struct hisi_hba *hisi_hba, bool enable)
SAS_PHY_BIST_CODE1_INIT);
}
- mdelay(100);
+ mdelay(SAS_PHY_BIST_INIT_DELAY);
reg_val |= (CFG_RX_BIST_EN_MSK | CFG_TX_BIST_EN_MSK);
hisi_sas_phy_write32(hisi_hba, phy_no, SAS_PHY_BIST_CTRL,
reg_val);
/* clear error bit */
- mdelay(100);
+ mdelay(SAS_PHY_BIST_INIT_DELAY);
hisi_sas_phy_read32(hisi_hba, phy_no, SAS_BIST_ERR_CNT);
} else {
/* disable bist test and recover it */
@@ -3473,7 +3527,7 @@ static void debugfs_snapshot_port_reg_v3_hw(struct hisi_hba *hisi_hba)
for (phy_cnt = 0; phy_cnt < hisi_hba->n_phy; phy_cnt++) {
databuf = hisi_hba->debugfs_port_reg[dump_index][phy_cnt].data;
for (i = 0; i < port->count; i++, databuf++) {
- offset = port->base_off + 4 * i;
+ offset = port->base_off + HISI_SAS_REG_MEM_SIZE * i;
*databuf = hisi_sas_phy_read32(hisi_hba, phy_cnt,
offset);
}
@@ -3487,7 +3541,8 @@ static void debugfs_snapshot_global_reg_v3_hw(struct hisi_hba *hisi_hba)
int i;
for (i = 0; i < debugfs_global_reg.count; i++, databuf++)
- *databuf = hisi_sas_read32(hisi_hba, 4 * i);
+ *databuf = hisi_sas_read32(hisi_hba,
+ HISI_SAS_REG_MEM_SIZE * i);
}
static void debugfs_snapshot_axi_reg_v3_hw(struct hisi_hba *hisi_hba)
@@ -3498,7 +3553,9 @@ static void debugfs_snapshot_axi_reg_v3_hw(struct hisi_hba *hisi_hba)
int i;
for (i = 0; i < axi->count; i++, databuf++)
- *databuf = hisi_sas_read32(hisi_hba, 4 * i + axi->base_off);
+ *databuf = hisi_sas_read32(hisi_hba,
+ HISI_SAS_REG_MEM_SIZE * i +
+ axi->base_off);
}
static void debugfs_snapshot_ras_reg_v3_hw(struct hisi_hba *hisi_hba)
@@ -3509,7 +3566,9 @@ static void debugfs_snapshot_ras_reg_v3_hw(struct hisi_hba *hisi_hba)
int i;
for (i = 0; i < ras->count; i++, databuf++)
- *databuf = hisi_sas_read32(hisi_hba, 4 * i + ras->base_off);
+ *databuf = hisi_sas_read32(hisi_hba,
+ HISI_SAS_REG_MEM_SIZE * i +
+ ras->base_off);
}
static void debugfs_snapshot_itct_reg_v3_hw(struct hisi_hba *hisi_hba)
@@ -3572,7 +3631,7 @@ static void debugfs_print_reg_v3_hw(u32 *regs_val, struct seq_file *s,
int i;
for (i = 0; i < reg->count; i++) {
- int off = i * 4;
+ int off = i * HISI_SAS_REG_MEM_SIZE;
const char *name;
name = debugfs_to_reg_name_v3_hw(off, reg->base_off,
@@ -3650,9 +3709,9 @@ static void debugfs_show_row_64_v3_hw(struct seq_file *s, int index,
/* completion header size not fixed per HW version */
seq_printf(s, "index %04d:\n\t", index);
- for (i = 1; i <= sz / 8; i++, ptr++) {
+ for (i = 1; i <= sz / BYTE_TO_DDW; i++, ptr++) {
seq_printf(s, " 0x%016llx", le64_to_cpu(*ptr));
- if (!(i % 2))
+ if (!(i % TWO_PARA_PER_LINE))
seq_puts(s, "\n\t");
}
@@ -3666,9 +3725,9 @@ static void debugfs_show_row_32_v3_hw(struct seq_file *s, int index,
/* completion header size not fixed per HW version */
seq_printf(s, "index %04d:\n\t", index);
- for (i = 1; i <= sz / 4; i++, ptr++) {
+ for (i = 1; i <= sz / BYTE_TO_DW; i++, ptr++) {
seq_printf(s, " 0x%08x", le32_to_cpu(*ptr));
- if (!(i % 4))
+ if (!(i % FOUR_PARA_PER_LINE))
seq_puts(s, "\n\t");
}
seq_puts(s, "\n");
@@ -3753,7 +3812,7 @@ static int debugfs_iost_cache_v3_hw_show(struct seq_file *s, void *p)
struct hisi_sas_debugfs_iost_cache *debugfs_iost_cache = s->private;
struct hisi_sas_iost_itct_cache *iost_cache =
debugfs_iost_cache->cache;
- u32 cache_size = HISI_SAS_IOST_ITCT_CACHE_DW_SZ * 4;
+ u32 cache_size = HISI_SAS_IOST_ITCT_CACHE_DW_SZ * BYTE_TO_DW;
int i, tab_idx;
__le64 *iost;
@@ -3801,7 +3860,7 @@ static int debugfs_itct_cache_v3_hw_show(struct seq_file *s, void *p)
struct hisi_sas_debugfs_itct_cache *debugfs_itct_cache = s->private;
struct hisi_sas_iost_itct_cache *itct_cache =
debugfs_itct_cache->cache;
- u32 cache_size = HISI_SAS_IOST_ITCT_CACHE_DW_SZ * 4;
+ u32 cache_size = HISI_SAS_IOST_ITCT_CACHE_DW_SZ * BYTE_TO_DW;
int i, tab_idx;
__le64 *itct;
@@ -3830,12 +3889,12 @@ static void debugfs_create_files_v3_hw(struct hisi_hba *hisi_hba, int index)
u64 *debugfs_timestamp;
struct dentry *dump_dentry;
struct dentry *dentry;
- char name[256];
+ char name[NAME_BUF_SIZE];
int p;
int c;
int d;
- snprintf(name, 256, "%d", index);
+ snprintf(name, NAME_BUF_SIZE, "%d", index);
dump_dentry = debugfs_create_dir(name, hisi_hba->debugfs_dump_dentry);
@@ -3851,7 +3910,7 @@ static void debugfs_create_files_v3_hw(struct hisi_hba *hisi_hba, int index)
/* Create port dir and files */
dentry = debugfs_create_dir("port", dump_dentry);
for (p = 0; p < hisi_hba->n_phy; p++) {
- snprintf(name, 256, "%d", p);
+ snprintf(name, NAME_BUF_SIZE, "%d", p);
debugfs_create_file(name, 0400, dentry,
&hisi_hba->debugfs_port_reg[index][p],
@@ -3861,7 +3920,7 @@ static void debugfs_create_files_v3_hw(struct hisi_hba *hisi_hba, int index)
/* Create CQ dir and files */
dentry = debugfs_create_dir("cq", dump_dentry);
for (c = 0; c < hisi_hba->queue_count; c++) {
- snprintf(name, 256, "%d", c);
+ snprintf(name, NAME_BUF_SIZE, "%d", c);
debugfs_create_file(name, 0400, dentry,
&hisi_hba->debugfs_cq[index][c],
@@ -3871,7 +3930,7 @@ static void debugfs_create_files_v3_hw(struct hisi_hba *hisi_hba, int index)
/* Create DQ dir and files */
dentry = debugfs_create_dir("dq", dump_dentry);
for (d = 0; d < hisi_hba->queue_count; d++) {
- snprintf(name, 256, "%d", d);
+ snprintf(name, NAME_BUF_SIZE, "%d", d);
debugfs_create_file(name, 0400, dentry,
&hisi_hba->debugfs_dq[index][d],
@@ -3908,9 +3967,9 @@ static ssize_t debugfs_trigger_dump_v3_hw_write(struct file *file,
size_t count, loff_t *ppos)
{
struct hisi_hba *hisi_hba = file->f_inode->i_private;
- char buf[8];
+ char buf[DUMP_BUF_SIZE];
- if (count > 8)
+ if (count > DUMP_BUF_SIZE)
return -EFAULT;
if (copy_from_user(buf, user_buf, count))
@@ -3974,7 +4033,7 @@ static ssize_t debugfs_bist_linkrate_v3_hw_write(struct file *filp,
{
struct seq_file *m = filp->private_data;
struct hisi_hba *hisi_hba = m->private;
- char kbuf[16] = {}, *pkbuf;
+ char kbuf[BIST_BUF_SIZE] = {}, *pkbuf;
bool found = false;
int i;
@@ -3991,7 +4050,7 @@ static ssize_t debugfs_bist_linkrate_v3_hw_write(struct file *filp,
for (i = 0; i < ARRAY_SIZE(debugfs_loop_linkrate_v3_hw); i++) {
if (!strncmp(debugfs_loop_linkrate_v3_hw[i].name,
- pkbuf, 16)) {
+ pkbuf, BIST_BUF_SIZE)) {
hisi_hba->debugfs_bist_linkrate =
debugfs_loop_linkrate_v3_hw[i].value;
found = true;
@@ -4049,7 +4108,7 @@ static ssize_t debugfs_bist_code_mode_v3_hw_write(struct file *filp,
{
struct seq_file *m = filp->private_data;
struct hisi_hba *hisi_hba = m->private;
- char kbuf[16] = {}, *pkbuf;
+ char kbuf[BIST_BUF_SIZE] = {}, *pkbuf;
bool found = false;
int i;
@@ -4066,7 +4125,7 @@ static ssize_t debugfs_bist_code_mode_v3_hw_write(struct file *filp,
for (i = 0; i < ARRAY_SIZE(debugfs_loop_code_mode_v3_hw); i++) {
if (!strncmp(debugfs_loop_code_mode_v3_hw[i].name,
- pkbuf, 16)) {
+ pkbuf, BIST_BUF_SIZE)) {
hisi_hba->debugfs_bist_code_mode =
debugfs_loop_code_mode_v3_hw[i].value;
found = true;
@@ -4181,7 +4240,7 @@ static ssize_t debugfs_bist_mode_v3_hw_write(struct file *filp,
{
struct seq_file *m = filp->private_data;
struct hisi_hba *hisi_hba = m->private;
- char kbuf[16] = {}, *pkbuf;
+ char kbuf[BIST_BUF_SIZE] = {}, *pkbuf;
bool found = false;
int i;
@@ -4197,7 +4256,8 @@ static ssize_t debugfs_bist_mode_v3_hw_write(struct file *filp,
pkbuf = strstrip(kbuf);
for (i = 0; i < ARRAY_SIZE(debugfs_loop_modes_v3_hw); i++) {
- if (!strncmp(debugfs_loop_modes_v3_hw[i].name, pkbuf, 16)) {
+ if (!strncmp(debugfs_loop_modes_v3_hw[i].name, pkbuf,
+ BIST_BUF_SIZE)) {
hisi_hba->debugfs_bist_mode =
debugfs_loop_modes_v3_hw[i].value;
found = true;
@@ -4476,8 +4536,9 @@ static int debugfs_fifo_data_v3_hw_show(struct seq_file *s, void *p)
debugfs_read_fifo_data_v3_hw(phy);
- debugfs_show_row_32_v3_hw(s, 0, HISI_SAS_FIFO_DATA_DW_SIZE * 4,
- (__le32 *)phy->fifo.rd_data);
+ debugfs_show_row_32_v3_hw(s, 0,
+ HISI_SAS_FIFO_DATA_DW_SIZE * HISI_SAS_REG_MEM_SIZE,
+ phy->fifo.rd_data);
return 0;
}
@@ -4609,14 +4670,14 @@ static int debugfs_alloc_v3_hw(struct hisi_hba *hisi_hba, int dump_index)
struct hisi_sas_debugfs_regs *regs =
&hisi_hba->debugfs_regs[dump_index][r];
- sz = debugfs_reg_array_v3_hw[r]->count * 4;
+ sz = debugfs_reg_array_v3_hw[r]->count * HISI_SAS_REG_MEM_SIZE;
regs->data = devm_kmalloc(dev, sz, GFP_KERNEL);
if (!regs->data)
goto fail;
regs->hisi_hba = hisi_hba;
}
- sz = debugfs_port_reg.count * 4;
+ sz = debugfs_port_reg.count * HISI_SAS_REG_MEM_SIZE;
for (p = 0; p < hisi_hba->n_phy; p++) {
struct hisi_sas_debugfs_port *port =
&hisi_hba->debugfs_port_reg[dump_index][p];
@@ -4726,11 +4787,11 @@ static void debugfs_phy_down_cnt_init_v3_hw(struct hisi_hba *hisi_hba)
{
struct dentry *dir = debugfs_create_dir("phy_down_cnt",
hisi_hba->debugfs_dir);
- char name[16];
+ char name[NAME_BUF_SIZE];
int phy_no;
for (phy_no = 0; phy_no < hisi_hba->n_phy; phy_no++) {
- snprintf(name, 16, "%d", phy_no);
+ snprintf(name, NAME_BUF_SIZE, "%d", phy_no);
debugfs_create_file(name, 0600, dir,
&hisi_hba->phy[phy_no],
&debugfs_phy_down_cnt_v3_hw_fops);
@@ -4899,7 +4960,7 @@ hisi_sas_v3_probe(struct pci_dev *pdev, const struct pci_device_id *id)
shost->max_id = HISI_SAS_MAX_DEVICES;
shost->max_lun = ~0;
shost->max_channel = 1;
- shost->max_cmd_len = 16;
+ shost->max_cmd_len = HISI_SAS_MAX_CDB_LEN;
shost->can_queue = HISI_SAS_UNRESERVED_IPTT;
shost->cmd_per_lun = HISI_SAS_UNRESERVED_IPTT;
if (hisi_hba->iopoll_q_cnt)
@@ -4981,12 +5042,13 @@ hisi_sas_v3_destroy_irqs(struct pci_dev *pdev, struct hisi_hba *hisi_hba)
{
int i;
- devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 1), hisi_hba);
- devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 2), hisi_hba);
- devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 11), hisi_hba);
+ devm_free_irq(&pdev->dev, pci_irq_vector(pdev, IRQ_PHY_UP_DOWN_INDEX), hisi_hba);
+ devm_free_irq(&pdev->dev, pci_irq_vector(pdev, IRQ_CHL_INDEX), hisi_hba);
+ devm_free_irq(&pdev->dev, pci_irq_vector(pdev, IRQ_AXI_INDEX), hisi_hba);
for (i = 0; i < hisi_hba->cq_nvecs; i++) {
struct hisi_sas_cq *cq = &hisi_hba->cq[i];
- int nr = hisi_sas_intr_conv ? 16 : 16 + i;
+ int nr = hisi_sas_intr_conv ? BASE_VECTORS_V3_HW :
+ BASE_VECTORS_V3_HW + i;
devm_free_irq(&pdev->dev, pci_irq_vector(pdev, nr), cq);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 213/567] remoteproc: mediatek: Unprepare SCP clock during system suspend
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 212/567] remoteproc: sysmon: Correct subsys_name_len type in QMI request Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 214/567] powerpc: 83xx: km83xx: Fix keymile vendor prefix Greg Kroah-Hartman
` (164 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AngeloGioacchino Del Regno,
Tzung-Bi Shih, Mathieu Poirier, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tzung-Bi Shih <tzungbi@kernel.org>
[ Upstream commit 35c3f72a2d55dbf52f28f4ecae51c76be1acf545 ]
Prior to commit d935187cfb27 ("remoteproc: mediatek: Break lock
dependency to prepare_lock"), `scp->clk` was prepared and enabled only
when it needs to communicate with the SCP. The commit d935187cfb27
moved the prepare operation to remoteproc's prepare(), keeping the clock
prepared as long as the SCP is running.
The power consumption due to the prolonged clock preparation can be
negligible when the system is running, as SCP is designed to be a very
power efficient processor.
However, the clock remains prepared even when the system enters system
suspend. This prevents the underlying clock controller (and potentially
the parent PLLs) from shutting down, which increases power consumption
and may block the system from entering deep sleep states.
Add suspend and resume callbacks. Unprepare the clock in suspend() if
it was active and re-prepare it in resume() to ensure the clock is
properly disabled during system suspend, while maintaining the "always
prepared" semantics while the system is active. The driver doesn't
implement .attach() callback, hence it only checks for RPROC_RUNNING.
Fixes: d935187cfb27 ("remoteproc: mediatek: Break lock dependency to prepare_lock")
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Link: https://lore.kernel.org/r/20260206033034.3031781-1-tzungbi@kernel.org
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/mtk_scp.c | 39 ++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/drivers/remoteproc/mtk_scp.c b/drivers/remoteproc/mtk_scp.c
index ecbece2b5ce7c..bf7a4b975e7e1 100644
--- a/drivers/remoteproc/mtk_scp.c
+++ b/drivers/remoteproc/mtk_scp.c
@@ -1024,12 +1024,51 @@ static const struct of_device_id mtk_scp_of_match[] = {
};
MODULE_DEVICE_TABLE(of, mtk_scp_of_match);
+static int __maybe_unused scp_suspend(struct device *dev)
+{
+ struct mtk_scp *scp = dev_get_drvdata(dev);
+ struct rproc *rproc = scp->rproc;
+
+ /*
+ * Only unprepare if the SCP is running and holding the clock.
+ *
+ * Note: `scp_ops` doesn't implement .attach() callback, hence
+ * `rproc->state` can never be RPROC_ATTACHED. Otherwise, it
+ * should also be checked here.
+ */
+ if (rproc->state == RPROC_RUNNING)
+ clk_unprepare(scp->clk);
+ return 0;
+}
+
+static int __maybe_unused scp_resume(struct device *dev)
+{
+ struct mtk_scp *scp = dev_get_drvdata(dev);
+ struct rproc *rproc = scp->rproc;
+
+ /*
+ * Only prepare if the SCP was running and holding the clock.
+ *
+ * Note: `scp_ops` doesn't implement .attach() callback, hence
+ * `rproc->state` can never be RPROC_ATTACHED. Otherwise, it
+ * should also be checked here.
+ */
+ if (rproc->state == RPROC_RUNNING)
+ return clk_prepare(scp->clk);
+ return 0;
+}
+
+static const struct dev_pm_ops scp_pm_ops = {
+ SET_SYSTEM_SLEEP_PM_OPS(scp_suspend, scp_resume)
+};
+
static struct platform_driver mtk_scp_driver = {
.probe = scp_probe,
.remove_new = scp_remove,
.driver = {
.name = "mtk-scp",
.of_match_table = mtk_scp_of_match,
+ .pm = &scp_pm_ops,
},
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 151/481] ACPI: OSI: Add DMI quirk for Acer Aspire One D255
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 150/481] wifi: mac80211: set default WMM parameters on all links Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 152/481] scsi: ses: Fix devices attaching to different hosts Greg Kroah-Hartman
` (164 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sofia Schneider, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sofia Schneider <sofia@schn.dev>
[ Upstream commit 5ede90206273ff156a778254f0f972a55e973c89 ]
The screen backlight turns off during boot (specifically during udev device
initialization) when returning true for _OSI("Windows 2009").
Analyzing the device's DSDT reveals that the firmware takes a different
code path when Windows 7 is reported, which leads to the backlight shutoff.
Add a DMI quirk to invoke dmi_disable_osi_win7 for this model.
Signed-off-by: Sofia Schneider <sofia@schn.dev>
Link: https://patch.msgid.link/20260223025240.518509-1-sofia@schn.dev
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/osi.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/acpi/osi.c b/drivers/acpi/osi.c
index ae9620757865b..600af8814038a 100644
--- a/drivers/acpi/osi.c
+++ b/drivers/acpi/osi.c
@@ -389,6 +389,19 @@ static const struct dmi_system_id acpi_osi_dmi_table[] __initconst = {
},
},
+ /*
+ * The screen backlight turns off during udev device creation
+ * when returning true for _OSI("Windows 2009")
+ */
+ {
+ .callback = dmi_disable_osi_win7,
+ .ident = "Acer Aspire One D255",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "AOD255"),
+ },
+ },
+
/*
* The wireless hotkey does not work on those machines when
* returning true for _OSI("Windows 2012")
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 138/460] scsi: hisi_sas: Fix NULL pointer exception during user_scan()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 137/460] scsi: hisi_sas: Use macro instead of magic number Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 139/460] kbuild: Disable CC_HAS_ASM_GOTO_OUTPUT on clang < 17 Greg Kroah-Hartman
` (164 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xingui Yang, Yihang Li,
Martin K. Petersen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xingui Yang <yangxingui@huawei.com>
[ Upstream commit 8ddc0c26916574395447ebf4cff684314f6873a9 ]
user_scan() invokes updated sas_user_scan() for channel 0, and if
successful, iteratively scans remaining channels (1 to shost->max_channel)
via scsi_scan_host_selected() in commit 37c4e72b0651 ("scsi: Fix
sas_user_scan() to handle wildcard and multi-channel scans"). However,
hisi_sas supports only one channel, and the current value of max_channel is
1. sas_user_scan() for channel 1 will trigger the following NULL pointer
exception:
[ 441.554662] Unable to handle kernel NULL pointer dereference at virtual address 00000000000008b0
[ 441.554699] Mem abort info:
[ 441.554710] ESR = 0x0000000096000004
[ 441.554718] EC = 0x25: DABT (current EL), IL = 32 bits
[ 441.554723] SET = 0, FnV = 0
[ 441.554726] EA = 0, S1PTW = 0
[ 441.554730] FSC = 0x04: level 0 translation fault
[ 441.554735] Data abort info:
[ 441.554737] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 441.554742] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 441.554747] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 441.554752] user pgtable: 4k pages, 48-bit VAs, pgdp=00000828377a6000
[ 441.554757] [00000000000008b0] pgd=0000000000000000, p4d=0000000000000000
[ 441.554769] Internal error: Oops: 0000000096000004 [#1] SMP
[ 441.629589] Modules linked in: arm_spe_pmu arm_smmuv3_pmu tpm_tis_spi hisi_uncore_sllc_pmu hisi_uncore_pa_pmu hisi_uncore_l3c_pmu hisi_uncore_hha_pmu hisi_uncore_ddrc_pmu hisi_uncore_cpa_pmu hns3_pmu hisi_ptt hisi_pcie_pmu tpm_tis_core spidev spi_hisi_sfc_v3xx hisi_uncore_pmu spi_dw_mmio fuse hclge hclge_common hisi_sec2 hisi_hpre hisi_zip hisi_qm hns3 hisi_sas_v3_hw sm3_ce sbsa_gwdt hnae3 hisi_sas_main uacce hisi_dma i2c_hisi dm_mirror dm_region_hash dm_log dm_mod
[ 441.670819] CPU: 46 UID: 0 PID: 6994 Comm: bash Kdump: loaded Not tainted 7.0.0-rc2+ #84 PREEMPT
[ 441.691327] pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 441.698277] pc : sas_find_dev_by_rphy+0x44/0x118
[ 441.702896] lr : sas_find_dev_by_rphy+0x3c/0x118
[ 441.707502] sp : ffff80009abbba40
[ 441.710805] x29: ffff80009abbba40 x28: ffff082819a40008 x27: ffff082810c37c08
[ 441.717930] x26: ffff082810c37c28 x25: ffff082819a40290 x24: ffff082810c37c00
[ 441.725054] x23: 0000000000000000 x22: 0000000000000001 x21: ffff082819a40000
[ 441.732179] x20: ffff082819a40290 x19: 0000000000000000 x18: 0000000000000020
[ 441.739304] x17: 0000000000000000 x16: ffffb5dad6bda690 x15: 00000000ffffffff
[ 441.746428] x14: ffff082814c3b26c x13: 00000000ffffffff x12: ffff082814c3b26a
[ 441.753553] x11: 00000000000000c0 x10: 000000000000003a x9 : ffffb5dad5ea94f4
[ 441.760678] x8 : 000000000000003a x7 : ffff80009abbbab0 x6 : 0000000000000030
[ 441.767802] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[ 441.774926] x2 : ffff08280f35a300 x1 : ffffb5dad7127180 x0 : 0000000000000000
[ 441.782053] Call trace:
[ 441.784488] sas_find_dev_by_rphy+0x44/0x118 (P)
[ 441.789095] sas_target_alloc+0x24/0xb0
[ 441.792920] scsi_alloc_target+0x290/0x330
[ 441.797010] __scsi_scan_target+0x88/0x258
[ 441.801096] scsi_scan_channel+0x74/0xb8
[ 441.805008] scsi_scan_host_selected+0x170/0x188
[ 441.809615] sas_user_scan+0xfc/0x148
[ 441.813267] store_scan+0x10c/0x180
[ 441.816743] dev_attr_store+0x20/0x40
[ 441.820398] sysfs_kf_write+0x84/0xa8
[ 441.824054] kernfs_fop_write_iter+0x130/0x1c8
[ 441.828487] vfs_write+0x2c0/0x370
[ 441.831880] ksys_write+0x74/0x118
[ 441.835271] __arm64_sys_write+0x24/0x38
[ 441.839182] invoke_syscall+0x50/0x120
[ 441.842919] el0_svc_common.constprop.0+0xc8/0xf0
[ 441.847611] do_el0_svc+0x24/0x38
[ 441.850913] el0_svc+0x38/0x158
[ 441.854043] el0t_64_sync_handler+0xa0/0xe8
[ 441.858214] el0t_64_sync+0x1ac/0x1b0
[ 441.861865] Code: aa1303e0 97ff70a8 34ffff80 d10a4273 (f9445a75)
[ 441.867946] ---[ end trace 0000000000000000 ]---
Therefore, set max_channel to 0.
Fixes: e21fe3a52692 ("scsi: hisi_sas: add initialisation for v3 pci-based controller")
Signed-off-by: Xingui Yang <yangxingui@huawei.com>
Signed-off-by: Yihang Li <liyihang9@huawei.com>
Link: https://patch.msgid.link/20260305064039.4096775-1-liyihang9@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hisi_sas/hisi_sas_main.c | 2 +-
drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index 71d12b94ba5be..236e23620f21d 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -2544,7 +2544,7 @@ int hisi_sas_probe(struct platform_device *pdev,
shost->transportt = hisi_sas_stt;
shost->max_id = HISI_SAS_MAX_DEVICES;
shost->max_lun = ~0;
- shost->max_channel = 1;
+ shost->max_channel = 0;
shost->max_cmd_len = HISI_SAS_MAX_CDB_LEN;
if (hisi_hba->hw->slot_index_alloc) {
shost->can_queue = HISI_SAS_MAX_COMMANDS;
diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
index cf0df9b405b24..e958b588d078f 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
@@ -4959,7 +4959,7 @@ hisi_sas_v3_probe(struct pci_dev *pdev, const struct pci_device_id *id)
shost->transportt = hisi_sas_stt;
shost->max_id = HISI_SAS_MAX_DEVICES;
shost->max_lun = ~0;
- shost->max_channel = 1;
+ shost->max_channel = 0;
shost->max_cmd_len = HISI_SAS_MAX_CDB_LEN;
shost->can_queue = HISI_SAS_UNRESERVED_IPTT;
shost->cmd_per_lun = HISI_SAS_UNRESERVED_IPTT;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 214/567] powerpc: 83xx: km83xx: Fix keymile vendor prefix
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 213/567] remoteproc: mediatek: Unprepare SCP clock during system suspend Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 215/567] smb/server: Fix another refcount leak in smb2_open() Greg Kroah-Hartman
` (163 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, J . Neuschäfer, Heiko Schocher,
Madhavan Srinivasan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: J. Neuschäfer <j.ne@posteo.net>
[ Upstream commit 691417ffe7821721e0a28bd25ad8c0dc0d4ae4ad ]
When kmeter.c was refactored into km83xx.c in 2011, the "keymile" vendor
prefix was changed to upper-case "Keymile". The devicetree at
arch/powerpc/boot/dts/kmeter1.dts never underwent the same change,
suggesting that this was simply a mistake.
Fixes: 93e2b95c81042d ("powerpc/83xx: rename and update kmeter1")
Signed-off-by: J. Neuschäfer <j.ne@posteo.net>
Reviewed-by: Heiko Schocher <hs@nabladev.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260303-keymile-v1-1-463a11e71702@posteo.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/83xx/km83xx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/platforms/83xx/km83xx.c b/arch/powerpc/platforms/83xx/km83xx.c
index 2b5d187d9b62d..9ef8fb39dd1b1 100644
--- a/arch/powerpc/platforms/83xx/km83xx.c
+++ b/arch/powerpc/platforms/83xx/km83xx.c
@@ -155,8 +155,8 @@ machine_device_initcall(mpc83xx_km, mpc83xx_declare_of_platform_devices);
/* list of the supported boards */
static char *board[] __initdata = {
- "Keymile,KMETER1",
- "Keymile,kmpbec8321",
+ "keymile,KMETER1",
+ "keymile,kmpbec8321",
NULL
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 152/481] scsi: ses: Fix devices attaching to different hosts
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 151/481] ACPI: OSI: Add DMI quirk for Acer Aspire One D255 Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 153/481] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table Greg Kroah-Hartman
` (163 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Jeffery, Tomas Henzl,
Martin K. Petersen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomas Henzl <thenzl@redhat.com>
[ Upstream commit 70ca8caa96ce473647054f5c7b9dab5423902402 ]
On a multipath SAS system some devices don't end up with correct symlinks
from the SCSI device to its enclosure. Some devices even have enclosure
links pointing to enclosures attached to different SCSI hosts.
ses_match_to_enclosure() calls enclosure_for_each_device() which iterates
over all enclosures on the system, not just enclosures attached to the
current SCSI host.
Replace the iteration with a direct call to ses_enclosure_find_by_addr().
Reviewed-by: David Jeffery <djeffery@redhat.com>
Signed-off-by: Tomas Henzl <thenzl@redhat.com>
Link: https://patch.msgid.link/20260210191850.36784-1-thenzl@redhat.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/ses.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 6a1428d453f3e..92b3fd10058dd 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -497,9 +497,8 @@ struct efd {
};
static int ses_enclosure_find_by_addr(struct enclosure_device *edev,
- void *data)
+ struct efd *efd)
{
- struct efd *efd = data;
int i;
struct ses_component *scomp;
@@ -652,7 +651,7 @@ static void ses_match_to_enclosure(struct enclosure_device *edev,
if (efd.addr) {
efd.dev = &sdev->sdev_gendev;
- enclosure_for_each_device(ses_enclosure_find_by_addr, &efd);
+ ses_enclosure_find_by_addr(edev, &efd);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 139/460] kbuild: Disable CC_HAS_ASM_GOTO_OUTPUT on clang < 17
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 138/460] scsi: hisi_sas: Fix NULL pointer exception during user_scan() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 140/460] Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures Greg Kroah-Hartman
` (163 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Thomas Gleixner,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit e2ffa15b9baa447e444d654ffd47123ba6443ae4 ]
clang < 17 fails to use scope local labels with CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y:
{
__label__ local_lbl;
...
unsafe_get_user(uval, uaddr, local_lbl);
...
return 0;
local_lbl:
return -EFAULT;
}
when two such scopes exist in the same function:
error: cannot jump from this asm goto statement to one of its possible targets
There are other failure scenarios. Shuffling code around slightly makes it
worse and fail even with one instance.
That issue prevents using local labels for a cleanup based user access
mechanism.
After failed attempts to provide a simple enough test case for the 'depends
on' test in Kconfig, the initial cure was to mark ASM goto broken on clang
versions < 17 to get this road block out of the way.
But Nathan pointed out that this is a known clang issue and indeed affects
clang < version 17 in combination with cleanup(). It's not even required to
use local labels for that.
The clang issue tracker has a small enough test case, which can be used as
a test in the 'depends on' section of CC_HAS_ASM_GOTO_OUTPUT:
void bar(void **);
void* baz(void);
int foo (void) {
{
asm goto("jmp %l0"::::l0);
return 0;
l0:
return 1;
}
void *x __attribute__((cleanup(bar))) = baz();
{
asm goto("jmp %l0"::::l1);
return 42;
l1:
return 0xff;
}
}
Add another dependency to config CC_HAS_ASM_GOTO_OUTPUT for it and use the
clang issue tracker test case for detection by condensing it to obfuscated
C-code contest format. This reliably catches the problem on clang < 17 and
did not show any issues on the non broken GCC versions.
That test might be sufficient to catch all issues and therefore could
replace the existing test, but keeping that around does no harm either.
Thanks to Nathan for pointing to the relevant clang issue!
Suggested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Link: https://github.com/ClangBuiltLinux/linux/issues/1886
Link: https://github.com/llvm/llvm-project/commit/f023f5cdb2e6c19026f04a15b5a935c041835d14
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
init/Kconfig | 3 +++
1 file changed, 3 insertions(+)
diff --git a/init/Kconfig b/init/Kconfig
index 219ccdb0af732..1a39330252c59 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -104,7 +104,10 @@ config GCC_ASM_GOTO_OUTPUT_BROKEN
config CC_HAS_ASM_GOTO_OUTPUT
def_bool y
depends on !GCC_ASM_GOTO_OUTPUT_BROKEN
+ # Detect basic support
depends on $(success,echo 'int foo(int x) { asm goto ("": "=r"(x) ::: bar); return x; bar: return 0; }' | $(CC) -x c - -c -o /dev/null)
+ # Detect clang (< v17) scoped label issues
+ depends on $(success,echo 'void b(void **);void* c(void);int f(void){{asm goto("jmp %l0"::::l0);return 0;l0:return 1;}void *x __attribute__((cleanup(b)))=c();{asm goto("jmp %l0"::::l1);return 2;l1:return 3;}}' | $(CC) -x c - -c -o /dev/null)
config CC_HAS_ASM_GOTO_TIED_OUTPUT
depends on CC_HAS_ASM_GOTO_OUTPUT
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 215/567] smb/server: Fix another refcount leak in smb2_open()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 214/567] powerpc: 83xx: km83xx: Fix keymile vendor prefix Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 216/567] xprtrdma: Decrement re_receiving on the early exit paths Greg Kroah-Hartman
` (162 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, ChenXiaoSong,
Namjae Jeon, Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit c15e7c62feb3751cbdd458555819df1d70374890 ]
If ksmbd_override_fsids() fails, we jump to err_out2. At that point, fp is
NULL because it hasn't been assigned dh_info.fp yet, so ksmbd_fd_put(work,
fp) will not be called. However, dh_info.fp was already inserted into the
session file table by ksmbd_reopen_durable_fd(), so it will leak in the
session file table until the session is closed.
Move fp = dh_info.fp; ahead of the ksmbd_override_fsids() check to fix the
problem.
Found by an experimental AI code review agent at Google.
Fixes: c8efcc786146a ("ksmbd: add support for durable handles v1/v2")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index da4d914c87ad2..5a112211a7111 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2990,13 +2990,14 @@ int smb2_open(struct ksmbd_work *work)
goto err_out2;
}
+ fp = dh_info.fp;
+
if (ksmbd_override_fsids(work)) {
rc = -ENOMEM;
ksmbd_put_durable_fd(dh_info.fp);
goto err_out2;
}
- fp = dh_info.fp;
file_info = FILE_OPENED;
rc = ksmbd_vfs_getattr(&fp->filp->f_path, &stat);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 153/481] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 152/481] scsi: ses: Fix devices attaching to different hosts Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 154/481] ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0 Greg Kroah-Hartman
` (162 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Azamat Almazbek uulu,
Vijendar Mukunda, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Azamat Almazbek uulu <almazbek1608@gmail.com>
[ Upstream commit 32fc4168fa56f6301d858c778a3d712774e9657e ]
The ASUS ExpertBook BM1503CDA (Ryzen 5 7535U, Barcelo-R) has an
internal DMIC connected through the AMD ACP (Audio CoProcessor)
but is missing from the DMI quirk table, so the acp6x machine
driver probe returns -ENODEV and no DMIC capture device is created.
Add the DMI entry so the internal microphone works out of the box.
Signed-off-by: Azamat Almazbek uulu <almazbek1608@gmail.com>
Reviewed-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
Link: https://patch.msgid.link/20260221114813.5610-1-almazbek1608@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
index 31e4661f78671..715f1f76dab54 100644
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -549,6 +549,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "Vivobook_ASUSLaptop M6501RR_M6501RR"),
}
},
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "ASUS EXPERTBOOK BM1503CDA"),
+ }
+ },
{}
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 140/460] Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 139/460] kbuild: Disable CC_HAS_ASM_GOTO_OUTPUT on clang < 17 Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 141/460] Revert "tcpm: allow looking for role_sw device in the main node" Greg Kroah-Hartman
` (162 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra, Nathan Chancellor,
Thomas Gleixner, Linus Torvalds, Sasha Levin, Geert Uytterhoeven
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Torvalds <torvalds@linux-foundation.org>
[ Upstream commit fde0ab43b9a30d08817adc5402b69fec83a61cb8 ]
There's a silly problem with the CC_HAS_ASM_GOTO_OUTPUT test: even with
a working compiler it will fail on some architectures simply because it
uses the mnemonic "jmp" for testing the inline asm.
And as reported by Geert, not all architectures use that mnemonic, so
the test fails spuriously on such platforms (including arm and riscv,
but also several other architectures).
This issue avoided any obvious test failures because the build still
works thanks to falling back on the old non-asm-goto code, which just
generates worse code.
Just use an empty asm statement instead.
Reported-and-tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Fixes: e2ffa15b9baa ("kbuild: Disable CC_HAS_ASM_GOTO_OUTPUT on clang < 17")
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
init/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/init/Kconfig b/init/Kconfig
index 1a39330252c59..f4b91b1857bf8 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -107,7 +107,7 @@ config CC_HAS_ASM_GOTO_OUTPUT
# Detect basic support
depends on $(success,echo 'int foo(int x) { asm goto ("": "=r"(x) ::: bar); return x; bar: return 0; }' | $(CC) -x c - -c -o /dev/null)
# Detect clang (< v17) scoped label issues
- depends on $(success,echo 'void b(void **);void* c(void);int f(void){{asm goto("jmp %l0"::::l0);return 0;l0:return 1;}void *x __attribute__((cleanup(b)))=c();{asm goto("jmp %l0"::::l1);return 2;l1:return 3;}}' | $(CC) -x c - -c -o /dev/null)
+ depends on $(success,echo 'void b(void **);void* c(void);int f(void){{asm goto(""::::l0);return 0;l0:return 1;}void *x __attribute__((cleanup(b)))=c();{asm goto(""::::l1);return 2;l1:return 3;}}' | $(CC) -x c - -c -o /dev/null)
config CC_HAS_ASM_GOTO_TIED_OUTPUT
depends on CC_HAS_ASM_GOTO_OUTPUT
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.6 216/567] xprtrdma: Decrement re_receiving on the early exit paths
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 215/567] smb/server: Fix another refcount leak in smb2_open() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 217/567] net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets Greg Kroah-Hartman
` (161 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Badger, Chuck Lever,
Anna Schumaker, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Badger <ebadger@purestorage.com>
[ Upstream commit 7b6275c80a0c81c5f8943272292dfe67730ce849 ]
In the event that rpcrdma_post_recvs() fails to create a work request
(due to memory allocation failure, say) or otherwise exits early, we
should decrement ep->re_receiving before returning. Otherwise we will
hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and
the completion will never be triggered.
On a system with high memory pressure, this can appear as the following
hung task:
INFO: task kworker/u385:17:8393 blocked for more than 122 seconds.
Tainted: G S E 6.19.0 #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000
Workqueue: xprtiod xprt_autoclose [sunrpc]
Call Trace:
<TASK>
__schedule+0x48b/0x18b0
? ib_post_send_mad+0x247/0xae0 [ib_core]
schedule+0x27/0xf0
schedule_timeout+0x104/0x110
__wait_for_common+0x98/0x180
? __pfx_schedule_timeout+0x10/0x10
wait_for_completion+0x24/0x40
rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma]
xprt_rdma_close+0x12/0x40 [rpcrdma]
xprt_autoclose+0x5f/0x120 [sunrpc]
process_one_work+0x191/0x3e0
worker_thread+0x2e3/0x420
? __pfx_worker_thread+0x10/0x10
kthread+0x10d/0x230
? __pfx_kthread+0x10/0x10
ret_from_fork+0x273/0x2b0
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
Fixes: 15788d1d1077 ("xprtrdma: Do not refresh Receive Queue while it is draining")
Signed-off-by: Eric Badger <ebadger@purestorage.com>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/xprtrdma/verbs.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index cb909329a5039..4132a505d742a 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -1362,7 +1362,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp)
needed += RPCRDMA_MAX_RECV_BATCH;
if (atomic_inc_return(&ep->re_receiving) > 1)
- goto out;
+ goto out_dec;
/* fast path: all needed reps can be found on the free list */
wr = NULL;
@@ -1389,7 +1389,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp)
++count;
}
if (!wr)
- goto out;
+ goto out_dec;
rc = ib_post_recv(ep->re_id->qp, wr,
(const struct ib_recv_wr **)&bad_wr);
@@ -1404,9 +1404,10 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp)
--count;
}
}
+
+out_dec:
if (atomic_dec_return(&ep->re_receiving) > 0)
complete(&ep->re_done);
-
out:
trace_xprtrdma_post_recvs(r_xprt, count);
ep->re_receive_count += count;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 154/481] ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 153/481] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 155/481] ALSA: usb-audio: Check max frame size for implicit feedback mode, too Greg Kroah-Hartman
` (161 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit c5bf24c8aba1ff711226ee0f039ff01a5754692b ]
Although DIYINHK USB Audio 2.0 (ID 20b1:2009) shows the implicit
feedback source for the capture stream, this would cause several
problems for the playback. Namely, the device can get wMaxPackSize
1024 for 24/32 bit format with 6 channels, and when a high sample rate
like 352.8kHz or 384kHz is played, the packet size overflows the max
limit. Also, the device has another two playback altsets, and those
aren't properly handled with the implicit feedback.
Since the device has been working well even before introducing the
implicit feedback, we can assume that it works fine in the async mode.
This patch adds the explicit skip of the implicit fb detection to make
the playback running in the async mode.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221076
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260225085233.316306-4-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index f9e998fad773c..74828de545e22 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2243,6 +2243,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER),
DEVICE_FLG(0x2040, 0x7281, /* Hauppauge HVR-950Q-MXL */
QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER),
+ DEVICE_FLG(0x20b1, 0x2009, /* XMOS Ltd DIYINHK USB Audio 2.0 */
+ QUIRK_FLAG_SKIP_IMPLICIT_FB | QUIRK_FLAG_DSD_RAW),
DEVICE_FLG(0x2040, 0x8200, /* Hauppauge Woodbury */
QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER),
DEVICE_FLG(0x21b4, 0x0081, /* AudioQuest DragonFly */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 141/460] Revert "tcpm: allow looking for role_sw device in the main node"
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 140/460] Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 142/460] drm/amd: Disable MES LR compute W/A Greg Kroah-Hartman
` (161 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Xu Yang, Arnaud Ferraris,
Heikki Krogerus
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 6b275bfaa16be3fb1689fa6794e445ecd127a1b4 upstream.
This reverts commit 1366cd228b0c67b60a2c0c26ef37fe9f7cfedb7f.
The fwnode_usb_role_switch_get() returns NULL only if no connection is
found, returns ERR_PTR(-EPROBE_DEFER) if connection is found but deferred
probe is needed, or a valid pointer of usb_role_switch.
When switching from a NULL check to IS_ERR_OR_NULL(), usb_role_switch_get()
returns NULL and overwrites the ERR_PTR(-EPROBE_DEFER) returned by
fwnode_usb_role_switch_get(). This causes the deferred probe indication to
be lost, preventing the USB role switch from ever being retrieved.
Fixes: 1366cd228b0c ("tcpm: allow looking for role_sw device in the main node")
Cc: stable <stable@kernel.org>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Tested-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260309074313.2809867-2-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -7697,7 +7697,7 @@ struct tcpm_port *tcpm_register_port(str
port->partner_desc.identity = &port->partner_ident;
port->role_sw = fwnode_usb_role_switch_get(tcpc->fwnode);
- if (IS_ERR_OR_NULL(port->role_sw))
+ if (!port->role_sw)
port->role_sw = usb_role_switch_get(port->dev);
if (IS_ERR(port->role_sw)) {
err = PTR_ERR(port->role_sw);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 217/567] net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 216/567] xprtrdma: Decrement re_receiving on the early exit paths Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 218/567] drm/msm/dsi: Document DSC related pclk_rate and hdisplay calculations Greg Kroah-Hartman
` (160 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mieczyslaw Nalewaj,
Luiz Angelo Daros de Luca, Simon Horman, Linus Walleij,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mieczyslaw Nalewaj <namiltd@yahoo.com>
[ Upstream commit f76a93241d71fbba8425e3967097b498c29264ed ]
rx_packets should report the number of frames successfully received:
unicast + multicast + broadcast. Subtracting ifOutDiscards (a TX
counter) is incorrect and can undercount RX packets. RX drops are
already reported via rx_dropped (e.g. etherStatsDropEvents), so
there is no need to adjust rx_packets.
This patch removes the subtraction of ifOutDiscards from rx_packets
in rtl8365mb_stats_update().
Link: https://lore.kernel.org/netdev/878777925.105015.1763423928520@mail.yahoo.com/
Fixes: 4af2950c50c8 ("net: dsa: realtek-smi: add rtl8365mb subdriver for RTL8365MB-VC")
Signed-off-by: Mieczyslaw Nalewaj <namiltd@yahoo.com>
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20260303-realtek_namiltd_fix2-v1-1-bfa433d3401e@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/realtek/rtl8365mb.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/dsa/realtek/rtl8365mb.c b/drivers/net/dsa/realtek/rtl8365mb.c
index 318eced8f0d34..9d59d93807825 100644
--- a/drivers/net/dsa/realtek/rtl8365mb.c
+++ b/drivers/net/dsa/realtek/rtl8365mb.c
@@ -1482,8 +1482,7 @@ static void rtl8365mb_stats_update(struct realtek_priv *priv, int port)
stats->rx_packets = cnt[RTL8365MB_MIB_ifInUcastPkts] +
cnt[RTL8365MB_MIB_ifInMulticastPkts] +
- cnt[RTL8365MB_MIB_ifInBroadcastPkts] -
- cnt[RTL8365MB_MIB_ifOutDiscards];
+ cnt[RTL8365MB_MIB_ifInBroadcastPkts];
stats->tx_packets = cnt[RTL8365MB_MIB_ifOutUcastPkts] +
cnt[RTL8365MB_MIB_ifOutMulticastPkts] +
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 155/481] ALSA: usb-audio: Check max frame size for implicit feedback mode, too
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 154/481] ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0 Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 156/481] powerpc/uaccess: Fix inline assembly for clang build on PPC32 Greg Kroah-Hartman
` (160 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 7cb2a5422f5bbdf1cf32eae0eda41000485b9346 ]
When the packet sizes are taken from the capture stream in the
implicit feedback mode, the sizes might be larger than the upper
boundary defined by the descriptor. As already done for other
transfer modes, we have to cap the sizes accordingly at sending,
otherwise this would lead to an error in USB core at submission of
URBs.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221076
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260225085233.316306-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/endpoint.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
index b5af8dc1e48de..0f86319f62598 100644
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -224,6 +224,7 @@ int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep,
packet = ctx->packet_size[idx];
if (packet) {
+ packet = min(packet, ep->maxframesize);
if (avail && packet >= avail)
return -EAGAIN;
return packet;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 142/460] drm/amd: Disable MES LR compute W/A
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 141/460] Revert "tcpm: allow looking for role_sw device in the main node" Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 143/460] drm/bridge: samsung-dsim: Fix memory leak in error path Greg Kroah-Hartman
` (160 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher, Mario Limonciello
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 6b0d812971370c64b837a2db4275410f478272fe upstream.
A workaround was introduced in commit 1fb710793ce2 ("drm/amdgpu: Enable
MES lr_compute_wa by default") to help with some hangs observed in gfx1151.
This WA didn't fully fix the issue. It was actually fixed by adjusting
the VGPR size to the correct value that matched the hardware in commit
b42f3bf9536c ("drm/amdkfd: bump minimum vgpr size for gfx1151").
There are reports of instability on other products with newer GC microcode
versions, and I believe they're caused by this workaround. As we don't
need the workaround any more, remove it.
Fixes: b42f3bf9536c ("drm/amdkfd: bump minimum vgpr size for gfx1151")
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 9973e64bd6ee7642860a6f3b6958cbf14e89cabd)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 5 -----
drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 5 -----
2 files changed, 10 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
@@ -677,11 +677,6 @@ static int mes_v11_0_set_hw_resources(st
mes_set_hw_res_pkt.enable_reg_active_poll = 1;
mes_set_hw_res_pkt.enable_level_process_quantum_check = 1;
mes_set_hw_res_pkt.oversubscription_timer = 50;
- if ((mes->adev->mes.sched_version & AMDGPU_MES_VERSION_MASK) >= 0x7f)
- mes_set_hw_res_pkt.enable_lr_compute_wa = 1;
- else
- dev_info_once(mes->adev->dev,
- "MES FW version must be >= 0x7f to enable LR compute workaround.\n");
if (amdgpu_mes_log_enable) {
mes_set_hw_res_pkt.enable_mes_event_int_logging = 1;
--- a/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c
@@ -615,11 +615,6 @@ static int mes_v12_0_set_hw_resources(st
mes_set_hw_res_pkt.use_different_vmid_compute = 1;
mes_set_hw_res_pkt.enable_reg_active_poll = 1;
mes_set_hw_res_pkt.enable_level_process_quantum_check = 1;
- if ((mes->adev->mes.sched_version & AMDGPU_MES_VERSION_MASK) >= 0x82)
- mes_set_hw_res_pkt.enable_lr_compute_wa = 1;
- else
- dev_info_once(adev->dev,
- "MES FW version must be >= 0x82 to enable LR compute workaround.\n");
/*
* Keep oversubscribe timer for sdma . When we have unmapped doorbell
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 218/567] drm/msm/dsi: Document DSC related pclk_rate and hdisplay calculations
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 217/567] net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 219/567] drm/msm/dsi: fix pclk rate calculation for bonded dsi Greg Kroah-Hartman
` (159 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Abhinav Kumar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit 3b56d27ba1578c3d61f51de4102cf896a9a8617e ]
Provide actual documentation for the pclk and hdisplay calculations in
the case of DSC compression being used.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Patchwork: https://patchwork.freedesktop.org/patch/577534/
Link: https://lore.kernel.org/r/20240208-fd_document_dsc_pclk_rate-v4-1-56fe59d0a2e0@linaro.org
Stable-dep-of: e4eb11b34d6c ("drm/msm/dsi: fix pclk rate calculation for bonded dsi")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/dsi_host.c | 33 ++++++++++++++++++++++++++++--
1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
index f90ccdfbb2fc7..48a39f8727441 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
@@ -529,6 +529,25 @@ void dsi_link_clk_disable_v2(struct msm_dsi_host *msm_host)
clk_disable_unprepare(msm_host->byte_clk);
}
+/**
+ * dsi_adjust_pclk_for_compression() - Adjust the pclk rate for compression case
+ * @mode: The selected mode for the DSI output
+ * @dsc: DRM DSC configuration for this DSI output
+ *
+ * Adjust the pclk rate by calculating a new hdisplay proportional to
+ * the compression ratio such that:
+ * new_hdisplay = old_hdisplay * compressed_bpp / uncompressed_bpp
+ *
+ * Porches do not need to be adjusted:
+ * - For VIDEO mode they are not compressed by DSC and are passed as is.
+ * - For CMD mode there are no actual porches. Instead these fields
+ * currently represent the overhead to the image data transfer. As such, they
+ * are calculated for the final mode parameters (after the compression) and
+ * are not to be adjusted too.
+ *
+ * FIXME: Reconsider this if/when CMD mode handling is rewritten to use
+ * transfer time and data overhead as a starting point of the calculations.
+ */
static unsigned long dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode,
const struct drm_dsc_config *dsc)
{
@@ -937,8 +956,18 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
if (ret)
return;
- /* Divide the display by 3 but keep back/font porch and
- * pulse width same
+ /*
+ * DPU sends 3 bytes per pclk cycle to DSI. If widebus is
+ * enabled, bus width is extended to 6 bytes.
+ *
+ * Calculate the number of pclks needed to transmit one line of
+ * the compressed data.
+
+ * The back/font porch and pulse width are kept intact. For
+ * VIDEO mode they represent timing parameters rather than
+ * actual data transfer, see the documentation for
+ * dsi_adjust_pclk_for_compression(). For CMD mode they are
+ * unused anyway.
*/
h_total -= hdisplay;
hdisplay = DIV_ROUND_UP(msm_dsc_get_bytes_per_line(msm_host->dsc), 3);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 156/481] powerpc/uaccess: Fix inline assembly for clang build on PPC32
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 155/481] ALSA: usb-audio: Check max frame size for implicit feedback mode, too Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 157/481] remoteproc: sysmon: Correct subsys_name_len type in QMI request Greg Kroah-Hartman
` (159 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot,
Christophe Leroy (CS GROUP), Nathan Chancellor,
Madhavan Srinivasan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
[ Upstream commit 0ee95a1d458630272d0415d0ffa9424fcb606c90 ]
Test robot reports the following error with clang-16.0.6:
In file included from kernel/rseq.c:75:
include/linux/rseq_entry.h:141:3: error: invalid operand for instruction
unsafe_get_user(offset, &ucs->post_commit_offset, efault);
^
include/linux/uaccess.h:608:2: note: expanded from macro 'unsafe_get_user'
arch_unsafe_get_user(x, ptr, local_label); \
^
arch/powerpc/include/asm/uaccess.h:518:2: note: expanded from macro 'arch_unsafe_get_user'
__get_user_size_goto(__gu_val, __gu_addr, sizeof(*(p)), e); \
^
arch/powerpc/include/asm/uaccess.h:284:2: note: expanded from macro '__get_user_size_goto'
__get_user_size_allowed(x, ptr, size, __gus_retval); \
^
arch/powerpc/include/asm/uaccess.h:275:10: note: expanded from macro '__get_user_size_allowed'
case 8: __get_user_asm2(x, (u64 __user *)ptr, retval); break; \
^
arch/powerpc/include/asm/uaccess.h:258:4: note: expanded from macro '__get_user_asm2'
" li %1+1,0\n" \
^
<inline asm>:7:5: note: instantiated into assembly here
li 31+1,0
^
1 error generated.
On PPC32, for 64 bits vars a pair of registers is used. Usually the
lower register in the pair is the high part and the higher register is
the low part. GCC uses r3/r4 ... r11/r12 ... r14/r15 ... r30/r31
In older kernel code inline assembly was using %1 and %1+1 to represent
64 bits values. However here it looks like clang uses r31 as high part,
allthough r32 doesn't exist hence the error.
Allthoug %1+1 should work, most places now use %L1 instead of %1+1, so
let's do the same here.
With that change, the build doesn't fail anymore and a disassembly shows
clang uses r17/r18 and r31/r14 pair when GCC would have used r16/r17 and
r30/r31:
Disassembly of section .fixup:
00000000 <.fixup>:
0: 38 a0 ff f2 li r5,-14
4: 3a 20 00 00 li r17,0
8: 3a 40 00 00 li r18,0
c: 48 00 00 00 b c <.fixup+0xc>
c: R_PPC_REL24 .text+0xbc
10: 38 a0 ff f2 li r5,-14
14: 3b e0 00 00 li r31,0
18: 39 c0 00 00 li r14,0
1c: 48 00 00 00 b 1c <.fixup+0x1c>
1c: R_PPC_REL24 .text+0x144
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202602021825.otcItxGi-lkp@intel.com/
Fixes: c20beffeec3c ("powerpc/uaccess: Use flexible addressing with __put_user()/__get_user()")
Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
Acked-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/8ca3a657a650e497a96bfe7acde2f637dadab344.1770103646.git.chleroy@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/include/asm/uaccess.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
index 0d874e343b9f6..bd95fa2c4092b 100644
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -237,7 +237,7 @@ __gus_failed: \
".section .fixup,\"ax\"\n" \
"4: li %0,%3\n" \
" li %1,0\n" \
- " li %1+1,0\n" \
+ " li %L1,0\n" \
" b 3b\n" \
".previous\n" \
EX_TABLE(1b, 4b) \
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 143/460] drm/bridge: samsung-dsim: Fix memory leak in error path
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 142/460] drm/amd: Disable MES LR compute W/A Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 144/460] drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used Greg Kroah-Hartman
` (159 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Osama Abdelkader, Luca Ceresoli
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Osama Abdelkader <osama.abdelkader@gmail.com>
commit 803ec1faf7c1823e6e3b1f2aaa81be18528c9436 upstream.
In samsung_dsim_host_attach(), drm_bridge_add() is called to add the
bridge. However, if samsung_dsim_register_te_irq() or
pdata->host_ops->attach() fails afterwards, the function returns
without removing the bridge, causing a memory leak.
Fix this by adding proper error handling with goto labels to ensure
drm_bridge_remove() is called in all error paths. Also ensure that
samsung_dsim_unregister_te_irq() is called if the attach operation
fails after the TE IRQ has been registered.
samsung_dsim_unregister_te_irq() function is moved without changes
to be before samsung_dsim_host_attach() to avoid forward declaration.
Fixes: e7447128ca4a ("drm: bridge: Generalize Exynos-DSI driver into a Samsung DSIM bridge")
Cc: stable@vger.kernel.org
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Link: https://patch.msgid.link/20260209184115.10937-1-osama.abdelkader@gmail.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/samsung-dsim.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
--- a/drivers/gpu/drm/bridge/samsung-dsim.c
+++ b/drivers/gpu/drm/bridge/samsung-dsim.c
@@ -1697,6 +1697,14 @@ static int samsung_dsim_register_te_irq(
return 0;
}
+static void samsung_dsim_unregister_te_irq(struct samsung_dsim *dsi)
+{
+ if (dsi->te_gpio) {
+ free_irq(gpiod_to_irq(dsi->te_gpio), dsi);
+ gpiod_put(dsi->te_gpio);
+ }
+}
+
static int samsung_dsim_host_attach(struct mipi_dsi_host *host,
struct mipi_dsi_device *device)
{
@@ -1771,13 +1779,13 @@ of_find_panel_or_bridge:
if (!(device->mode_flags & MIPI_DSI_MODE_VIDEO)) {
ret = samsung_dsim_register_te_irq(dsi, &device->dev);
if (ret)
- return ret;
+ goto err_remove_bridge;
}
if (pdata->host_ops && pdata->host_ops->attach) {
ret = pdata->host_ops->attach(dsi, device);
if (ret)
- return ret;
+ goto err_unregister_te_irq;
}
dsi->lanes = device->lanes;
@@ -1785,14 +1793,13 @@ of_find_panel_or_bridge:
dsi->mode_flags = device->mode_flags;
return 0;
-}
-static void samsung_dsim_unregister_te_irq(struct samsung_dsim *dsi)
-{
- if (dsi->te_gpio) {
- free_irq(gpiod_to_irq(dsi->te_gpio), dsi);
- gpiod_put(dsi->te_gpio);
- }
+err_unregister_te_irq:
+ if (!(device->mode_flags & MIPI_DSI_MODE_VIDEO))
+ samsung_dsim_unregister_te_irq(dsi);
+err_remove_bridge:
+ drm_bridge_remove(&dsi->bridge);
+ return ret;
}
static int samsung_dsim_host_detach(struct mipi_dsi_host *host,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 219/567] drm/msm/dsi: fix pclk rate calculation for bonded dsi
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 218/567] drm/msm/dsi: Document DSC related pclk_rate and hdisplay calculations Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 220/567] bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states Greg Kroah-Hartman
` (158 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengyu Luo, Dmitry Baryshkov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengyu Luo <mitltlatltl@gmail.com>
[ Upstream commit e4eb11b34d6c84f398d8f08d7cb4d6c38e739dd2 ]
Recently, we round up new_hdisplay once at most, for bonded dsi, we
may need twice, since they are independent links, we should round up
each half separately. This also aligns with the hdisplay we program
later in dsi_timing_setup()
Example:
full_hdisplay = 1904, dsc_bpp = 8, bpc = 8
new_full_hdisplay = DIV_ROUND_UP(1904 * 8, 8 * 3) = 635
if we use half display
new_half_hdisplay = DIV_ROUND_UP(952 * 8, 8 * 3) = 318
new_full_display = 636
Fixes: 7c9e4a554d4a ("drm/msm/dsi: Reduce pclk rate for compression")
Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/709716/
Link: https://lore.kernel.org/r/20260306163255.215456-1-mitltlatltl@gmail.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/dsi_host.c | 29 +++++++++++++++++++++++------
1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
index 48a39f8727441..6077331deba97 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
@@ -548,13 +548,30 @@ void dsi_link_clk_disable_v2(struct msm_dsi_host *msm_host)
* FIXME: Reconsider this if/when CMD mode handling is rewritten to use
* transfer time and data overhead as a starting point of the calculations.
*/
-static unsigned long dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode,
- const struct drm_dsc_config *dsc)
+static unsigned long
+dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode,
+ const struct drm_dsc_config *dsc,
+ bool is_bonded_dsi)
{
- int new_hdisplay = DIV_ROUND_UP(mode->hdisplay * drm_dsc_get_bpp_int(dsc),
- dsc->bits_per_component * 3);
+ int hdisplay, new_hdisplay, new_htotal;
- int new_htotal = mode->htotal - mode->hdisplay + new_hdisplay;
+ /*
+ * For bonded DSI, split hdisplay across two links and round up each
+ * half separately, passing the full hdisplay would only round up once.
+ * This also aligns with the hdisplay we program later in
+ * dsi_timing_setup()
+ */
+ hdisplay = mode->hdisplay;
+ if (is_bonded_dsi)
+ hdisplay /= 2;
+
+ new_hdisplay = DIV_ROUND_UP(hdisplay * drm_dsc_get_bpp_int(dsc),
+ dsc->bits_per_component * 3);
+
+ if (is_bonded_dsi)
+ new_hdisplay *= 2;
+
+ new_htotal = mode->htotal - mode->hdisplay + new_hdisplay;
return mult_frac(mode->clock * 1000u, new_htotal, mode->htotal);
}
@@ -567,7 +584,7 @@ static unsigned long dsi_get_pclk_rate(const struct drm_display_mode *mode,
pclk_rate = mode->clock * 1000u;
if (dsc)
- pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc);
+ pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc, is_bonded_dsi);
/*
* For bonded DSI mode, the current DRM mode has the complete width of the
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 157/481] remoteproc: sysmon: Correct subsys_name_len type in QMI request
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 156/481] powerpc/uaccess: Fix inline assembly for clang build on PPC32 Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 158/481] remoteproc: mediatek: Unprepare SCP clock during system suspend Greg Kroah-Hartman
` (158 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Andersson, Chris Lew,
Bjorn Andersson, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
[ Upstream commit da994db94e60f9a9411108ddf4d1836147ad4c9c ]
The QMI message encoder has up until recently read a single byte (as
elem_size == 1), but with the introduction of big endian support it's
become apparent that this field is expected to be a full u32 -
regardless of the size of the length in the encoded message (which is
what elem_size specifies).
The result is that the encoder now reads past the length byte and
rejects the unreasonably large length formed when including the
following 3 bytes from the subsys_name array.
Fix this by changing to the expected type.
Fixes: 1fb82ee806d1 ("remoteproc: qcom: Introduce sysmon")
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Reviewed-by: Chris Lew <christopher.lew@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260220-qmi-encode-invalid-length-v2-1-5674be35ab29@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/qcom_sysmon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/remoteproc/qcom_sysmon.c b/drivers/remoteproc/qcom_sysmon.c
index 15af52f8499eb..78786e08f4f56 100644
--- a/drivers/remoteproc/qcom_sysmon.c
+++ b/drivers/remoteproc/qcom_sysmon.c
@@ -204,7 +204,7 @@ static struct qmi_elem_info ssctl_shutdown_resp_ei[] = {
};
struct ssctl_subsys_event_req {
- u8 subsys_name_len;
+ u32 subsys_name_len;
char subsys_name[SSCTL_SUBSYS_NAME_LENGTH];
u32 event;
u8 evt_driven_valid;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 144/460] drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 143/460] drm/bridge: samsung-dsim: Fix memory leak in error path Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 145/460] s390/pfault: Fix virtual vs physical address confusion Greg Kroah-Hartman
` (158 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Franz Schnyder, Douglas Anderson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Franz Schnyder <franz.schnyder@toradex.com>
commit 0b87d51690dd5131cbe9fbd23746b037aab89815 upstream.
Fallback to polling to detect hotplug events on systems without
interrupts.
On systems where the interrupt line of the bridge is not connected,
the bridge cannot notify hotplug events. Only add the
DRM_BRIDGE_OP_HPD flag if an interrupt has been registered
otherwise remain in polling mode.
Fixes: 55e8ff842051 ("drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type")
Cc: stable@vger.kernel.org # 6.16: 9133bc3f0564: drm/bridge: ti-sn65dsi86: Add
Signed-off-by: Franz Schnyder <franz.schnyder@toradex.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
[dianders: Adjusted Fixes/stable line based on discussion]
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patch.msgid.link/20260206123758.374555-1-fra.schnyder@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
@@ -1326,6 +1326,7 @@ static int ti_sn_bridge_probe(struct aux
{
struct ti_sn65dsi86 *pdata = dev_get_drvdata(adev->dev.parent);
struct device_node *np = pdata->dev->of_node;
+ const struct i2c_client *client = to_i2c_client(pdata->dev);
int ret;
pdata->next_bridge = devm_drm_of_get_bridge(&adev->dev, np, 1, 0);
@@ -1345,8 +1346,9 @@ static int ti_sn_bridge_probe(struct aux
? DRM_MODE_CONNECTOR_DisplayPort : DRM_MODE_CONNECTOR_eDP;
if (pdata->bridge.type == DRM_MODE_CONNECTOR_DisplayPort) {
- pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT |
- DRM_BRIDGE_OP_HPD;
+ pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT;
+ if (client->irq)
+ pdata->bridge.ops |= DRM_BRIDGE_OP_HPD;
/*
* If comms were already enabled they would have been enabled
* with the wrong value of HPD_DISABLE. Update it now. Comms
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 220/567] bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 219/567] drm/msm/dsi: fix pclk rate calculation for bonded dsi Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 221/567] net/mlx5: IFC updates for disabled host PF Greg Kroah-Hartman
` (157 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 3348be7978f450ede0c308a4e8416ac716cf1015 ]
Before the fixed commit, we check slave->new_link during commit
state, which values are only BOND_LINK_{NOCHANGE, UP, DOWN}. After
the commit, we start using slave->link_new_state, which state also could
be BOND_LINK_{FAIL, BACK}.
For example, when we set updelay/downdelay, after a failover,
the slave->link_new_state could be set to BOND_LINK_{FAIL, BACK} in
bond_miimon_inspect(). And later in bond_miimon_commit(), it will treat
it as invalid and print an error, which would cause confusion for users.
[ 106.440254] bond0: (slave veth2): link status down for interface, disabling it in 200 ms
[ 106.440265] bond0: (slave veth2): invalid new link 1 on slave
[ 106.648276] bond0: (slave veth2): link status definitely down, disabling slave
[ 107.480271] bond0: (slave veth2): link status up, enabling it in 200 ms
[ 107.480288] bond0: (slave veth2): invalid new link 3 on slave
[ 107.688302] bond0: (slave veth2): link status definitely up, 10000 Mbps full duplex
Let's handle BOND_LINK_{FAIL, BACK} as valid link states.
Fixes: 1899bb325149 ("bonding: fix state transition issue in link monitoring")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20260304-b4-bond_updelay-v1-2-f72eb2e454d0@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index a2bf7bb12ff7c..b36d1781d8463 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2859,8 +2859,14 @@ static void bond_miimon_commit(struct bonding *bond)
continue;
+ case BOND_LINK_FAIL:
+ case BOND_LINK_BACK:
+ slave_dbg(bond->dev, slave->dev, "link_new_state %d on slave\n",
+ slave->link_new_state);
+ continue;
+
default:
- slave_err(bond->dev, slave->dev, "invalid new link %d on slave\n",
+ slave_err(bond->dev, slave->dev, "invalid link_new_state %d on slave\n",
slave->link_new_state);
bond_propose_link_state(slave, BOND_LINK_NOCHANGE);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 158/481] remoteproc: mediatek: Unprepare SCP clock during system suspend
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 157/481] remoteproc: sysmon: Correct subsys_name_len type in QMI request Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 159/481] powerpc: 83xx: km83xx: Fix keymile vendor prefix Greg Kroah-Hartman
` (157 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AngeloGioacchino Del Regno,
Tzung-Bi Shih, Mathieu Poirier, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tzung-Bi Shih <tzungbi@kernel.org>
[ Upstream commit 35c3f72a2d55dbf52f28f4ecae51c76be1acf545 ]
Prior to commit d935187cfb27 ("remoteproc: mediatek: Break lock
dependency to prepare_lock"), `scp->clk` was prepared and enabled only
when it needs to communicate with the SCP. The commit d935187cfb27
moved the prepare operation to remoteproc's prepare(), keeping the clock
prepared as long as the SCP is running.
The power consumption due to the prolonged clock preparation can be
negligible when the system is running, as SCP is designed to be a very
power efficient processor.
However, the clock remains prepared even when the system enters system
suspend. This prevents the underlying clock controller (and potentially
the parent PLLs) from shutting down, which increases power consumption
and may block the system from entering deep sleep states.
Add suspend and resume callbacks. Unprepare the clock in suspend() if
it was active and re-prepare it in resume() to ensure the clock is
properly disabled during system suspend, while maintaining the "always
prepared" semantics while the system is active. The driver doesn't
implement .attach() callback, hence it only checks for RPROC_RUNNING.
Fixes: d935187cfb27 ("remoteproc: mediatek: Break lock dependency to prepare_lock")
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Link: https://lore.kernel.org/r/20260206033034.3031781-1-tzungbi@kernel.org
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/mtk_scp.c | 39 ++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/drivers/remoteproc/mtk_scp.c b/drivers/remoteproc/mtk_scp.c
index 8f513e66ef6bb..476066c9590cb 100644
--- a/drivers/remoteproc/mtk_scp.c
+++ b/drivers/remoteproc/mtk_scp.c
@@ -1025,12 +1025,51 @@ static const struct of_device_id mtk_scp_of_match[] = {
};
MODULE_DEVICE_TABLE(of, mtk_scp_of_match);
+static int __maybe_unused scp_suspend(struct device *dev)
+{
+ struct mtk_scp *scp = dev_get_drvdata(dev);
+ struct rproc *rproc = scp->rproc;
+
+ /*
+ * Only unprepare if the SCP is running and holding the clock.
+ *
+ * Note: `scp_ops` doesn't implement .attach() callback, hence
+ * `rproc->state` can never be RPROC_ATTACHED. Otherwise, it
+ * should also be checked here.
+ */
+ if (rproc->state == RPROC_RUNNING)
+ clk_unprepare(scp->clk);
+ return 0;
+}
+
+static int __maybe_unused scp_resume(struct device *dev)
+{
+ struct mtk_scp *scp = dev_get_drvdata(dev);
+ struct rproc *rproc = scp->rproc;
+
+ /*
+ * Only prepare if the SCP was running and holding the clock.
+ *
+ * Note: `scp_ops` doesn't implement .attach() callback, hence
+ * `rproc->state` can never be RPROC_ATTACHED. Otherwise, it
+ * should also be checked here.
+ */
+ if (rproc->state == RPROC_RUNNING)
+ return clk_prepare(scp->clk);
+ return 0;
+}
+
+static const struct dev_pm_ops scp_pm_ops = {
+ SET_SYSTEM_SLEEP_PM_OPS(scp_suspend, scp_resume)
+};
+
static struct platform_driver mtk_scp_driver = {
.probe = scp_probe,
.remove = scp_remove,
.driver = {
.name = "mtk-scp",
.of_match_table = mtk_scp_of_match,
+ .pm = &scp_pm_ops,
},
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 145/460] s390/pfault: Fix virtual vs physical address confusion
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 144/460] drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 146/460] nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit() Greg Kroah-Hartman
` (157 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Claudio Imbrenda, Heiko Carstens,
Alexander Gordeev, Vasily Gorbik
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Gordeev <agordeev@linux.ibm.com>
commit d879ac6756b662a085a743e76023c768c3241579 upstream.
When Linux is running as guest, runs a user space process and the
user space process accesses a page that the host has paged out,
the guest gets a pfault interrupt and schedules a different process.
Without this mechanism the host would have to suspend the whole
virtual CPU until the page has been paged in.
To setup the pfault interrupt the real address of parameter list
should be passed to DIAGNOSE 0x258, but a virtual address is passed
instead.
That has a performance impact, since the pfault setup never succeeds,
the interrupt is never delivered to a guest and the whole virtual CPU
is suspended as result.
Cc: stable@vger.kernel.org
Fixes: c98d2ecae08f ("s390/mm: Uncouple physical vs virtual address spaces")
Reported-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/mm/pfault.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/s390/mm/pfault.c
+++ b/arch/s390/mm/pfault.c
@@ -61,7 +61,7 @@ int __pfault_init(void)
"0: nopr %%r7\n"
EX_TABLE(0b, 0b)
: [rc] "+d" (rc)
- : [refbk] "a" (&pfault_init_refbk), "m" (pfault_init_refbk)
+ : [refbk] "a" (virt_to_phys(&pfault_init_refbk)), "m" (pfault_init_refbk)
: "cc");
return rc;
}
@@ -83,7 +83,7 @@ void __pfault_fini(void)
"0: nopr %%r7\n"
EX_TABLE(0b, 0b)
:
- : [refbk] "a" (&pfault_fini_refbk), "m" (pfault_fini_refbk)
+ : [refbk] "a" (virt_to_phys(&pfault_fini_refbk)), "m" (pfault_fini_refbk)
: "cc");
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 221/567] net/mlx5: IFC updates for disabled host PF
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 220/567] bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 222/567] net/mlx5: Query to see if host PF is disabled Greg Kroah-Hartman
` (156 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Jurgens, William Tu,
Tariq Toukan, Leon Romanovsky, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Jurgens <danielj@nvidia.com>
[ Upstream commit cd1746cb6555a2238c4aae9f9d60b637a61bf177 ]
The port 2 host PF can be disabled, this bit reflects that setting.
Signed-off-by: Daniel Jurgens <danielj@nvidia.com>
Reviewed-by: William Tu <witu@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1752064867-16874-3-git-send-email-tariqt@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Stable-dep-of: aed763abf0e9 ("net/mlx5: Fix deadlock between devlink lock and esw->wq")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/mlx5/mlx5_ifc.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
index 4913d364e9774..c59fd31719a13 100644
--- a/include/linux/mlx5/mlx5_ifc.h
+++ b/include/linux/mlx5/mlx5_ifc.h
@@ -11799,7 +11799,9 @@ struct mlx5_ifc_mtrc_ctrl_bits {
struct mlx5_ifc_host_params_context_bits {
u8 host_number[0x8];
- u8 reserved_at_8[0x7];
+ u8 reserved_at_8[0x5];
+ u8 host_pf_not_exist[0x1];
+ u8 reserved_at_14[0x1];
u8 host_pf_disabled[0x1];
u8 host_num_of_vfs[0x10];
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 159/481] powerpc: 83xx: km83xx: Fix keymile vendor prefix
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 158/481] remoteproc: mediatek: Unprepare SCP clock during system suspend Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 160/481] xprtrdma: Decrement re_receiving on the early exit paths Greg Kroah-Hartman
` (156 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, J . Neuschäfer, Heiko Schocher,
Madhavan Srinivasan, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: J. Neuschäfer <j.ne@posteo.net>
[ Upstream commit 691417ffe7821721e0a28bd25ad8c0dc0d4ae4ad ]
When kmeter.c was refactored into km83xx.c in 2011, the "keymile" vendor
prefix was changed to upper-case "Keymile". The devicetree at
arch/powerpc/boot/dts/kmeter1.dts never underwent the same change,
suggesting that this was simply a mistake.
Fixes: 93e2b95c81042d ("powerpc/83xx: rename and update kmeter1")
Signed-off-by: J. Neuschäfer <j.ne@posteo.net>
Reviewed-by: Heiko Schocher <hs@nabladev.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260303-keymile-v1-1-463a11e71702@posteo.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/83xx/km83xx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/platforms/83xx/km83xx.c b/arch/powerpc/platforms/83xx/km83xx.c
index 907acdecc94af..25135a1518fc8 100644
--- a/arch/powerpc/platforms/83xx/km83xx.c
+++ b/arch/powerpc/platforms/83xx/km83xx.c
@@ -155,8 +155,8 @@ machine_device_initcall(mpc83xx_km, mpc83xx_declare_of_platform_devices);
/* list of the supported boards */
static char *board[] __initdata = {
- "Keymile,KMETER1",
- "Keymile,kmpbec8321",
+ "keymile,KMETER1",
+ "keymile,kmpbec8321",
NULL
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 146/460] nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit().
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 145/460] s390/pfault: Fix virtual vs physical address confusion Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 147/460] device property: Allow secondary lookup in fwnode_get_next_child_node() Greg Kroah-Hartman
` (156 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Jeff Layton,
Chuck Lever
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
commit 92978c83bb4eef55d02a6c990c01c423131eefa7 upstream.
nfsd_nl_listener_set_doit() uses get_current_cred() without
put_cred().
As we can see from other callers, svc_xprt_create_from_sa()
does not require the extra refcount.
nfsd_nl_listener_set_doit() is always in the process context,
sendmsg(), and current->cred does not go away.
Let's use current_cred() in nfsd_nl_listener_set_doit().
Fixes: 16a471177496 ("NFSD: add listener-{set,get} netlink command")
Cc: stable@vger.kernel.org
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfsctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -2081,7 +2081,7 @@ int nfsd_nl_listener_set_doit(struct sk_
}
ret = svc_xprt_create_from_sa(serv, xcl_name, net, sa, 0,
- get_current_cred());
+ current_cred());
/* always save the latest error */
if (ret < 0)
err = ret;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 222/567] net/mlx5: Query to see if host PF is disabled
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 221/567] net/mlx5: IFC updates for disabled host PF Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 223/567] net/mlx5: Fix deadlock between devlink lock and esw->wq Greg Kroah-Hartman
` (155 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Jurgens, William Tu,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Jurgens <danielj@nvidia.com>
[ Upstream commit 9e84de72aef9bcf0e751a0bff3ac91b0cf52366f ]
The host PF can be disabled, query firmware to check if the host PF of
this function exists.
Signed-off-by: Daniel Jurgens <danielj@nvidia.com>
Reviewed-by: William Tu <witu@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1755112796-467444-2-git-send-email-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: aed763abf0e9 ("net/mlx5: Fix deadlock between devlink lock and esw->wq")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/eswitch.c | 23 +++++++++++++++++++
.../net/ethernet/mellanox/mlx5/core/eswitch.h | 1 +
2 files changed, 24 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
index 914b380fd3eeb..79fa78b188250 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -1038,6 +1038,25 @@ const u32 *mlx5_esw_query_functions(struct mlx5_core_dev *dev)
return ERR_PTR(err);
}
+static int mlx5_esw_host_functions_enabled_query(struct mlx5_eswitch *esw)
+{
+ const u32 *query_host_out;
+
+ if (!mlx5_core_is_ecpf_esw_manager(esw->dev))
+ return 0;
+
+ query_host_out = mlx5_esw_query_functions(esw->dev);
+ if (IS_ERR(query_host_out))
+ return PTR_ERR(query_host_out);
+
+ esw->esw_funcs.host_funcs_disabled =
+ MLX5_GET(query_esw_functions_out, query_host_out,
+ host_params_context.host_pf_not_exist);
+
+ kvfree(query_host_out);
+ return 0;
+}
+
static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw)
{
if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev)) {
@@ -1870,6 +1889,10 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev)
goto abort;
}
+ err = mlx5_esw_host_functions_enabled_query(esw);
+ if (err)
+ goto abort;
+
err = mlx5_esw_vports_init(esw);
if (err)
goto abort;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
index 3e58e731b5697..23e612dd329db 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
@@ -315,6 +315,7 @@ struct mlx5_host_work {
struct mlx5_esw_functions {
struct mlx5_nb nb;
+ bool host_funcs_disabled;
u16 num_vfs;
u16 num_ec_vfs;
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 160/481] xprtrdma: Decrement re_receiving on the early exit paths
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 159/481] powerpc: 83xx: km83xx: Fix keymile vendor prefix Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 161/481] net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets Greg Kroah-Hartman
` (155 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Badger, Chuck Lever,
Anna Schumaker, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Badger <ebadger@purestorage.com>
[ Upstream commit 7b6275c80a0c81c5f8943272292dfe67730ce849 ]
In the event that rpcrdma_post_recvs() fails to create a work request
(due to memory allocation failure, say) or otherwise exits early, we
should decrement ep->re_receiving before returning. Otherwise we will
hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and
the completion will never be triggered.
On a system with high memory pressure, this can appear as the following
hung task:
INFO: task kworker/u385:17:8393 blocked for more than 122 seconds.
Tainted: G S E 6.19.0 #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000
Workqueue: xprtiod xprt_autoclose [sunrpc]
Call Trace:
<TASK>
__schedule+0x48b/0x18b0
? ib_post_send_mad+0x247/0xae0 [ib_core]
schedule+0x27/0xf0
schedule_timeout+0x104/0x110
__wait_for_common+0x98/0x180
? __pfx_schedule_timeout+0x10/0x10
wait_for_completion+0x24/0x40
rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma]
xprt_rdma_close+0x12/0x40 [rpcrdma]
xprt_autoclose+0x5f/0x120 [sunrpc]
process_one_work+0x191/0x3e0
worker_thread+0x2e3/0x420
? __pfx_worker_thread+0x10/0x10
kthread+0x10d/0x230
? __pfx_kthread+0x10/0x10
ret_from_fork+0x273/0x2b0
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
Fixes: 15788d1d1077 ("xprtrdma: Do not refresh Receive Queue while it is draining")
Signed-off-by: Eric Badger <ebadger@purestorage.com>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/xprtrdma/verbs.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index cb909329a5039..4132a505d742a 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -1362,7 +1362,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp)
needed += RPCRDMA_MAX_RECV_BATCH;
if (atomic_inc_return(&ep->re_receiving) > 1)
- goto out;
+ goto out_dec;
/* fast path: all needed reps can be found on the free list */
wr = NULL;
@@ -1389,7 +1389,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp)
++count;
}
if (!wr)
- goto out;
+ goto out_dec;
rc = ib_post_recv(ep->re_id->qp, wr,
(const struct ib_recv_wr **)&bad_wr);
@@ -1404,9 +1404,10 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp)
--count;
}
}
+
+out_dec:
if (atomic_dec_return(&ep->re_receiving) > 0)
complete(&ep->re_done);
-
out:
trace_xprtrdma_post_recvs(r_xprt, count);
ep->re_receive_count += count;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 147/460] device property: Allow secondary lookup in fwnode_get_next_child_node()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 146/460] nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 148/460] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports Greg Kroah-Hartman
` (155 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko,
Rafael J. Wysocki (Intel), Sakari Ailus, Danilo Krummrich
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit 2692c614f8f05929d692b3dbfd3faef1f00fbaf0 upstream.
When device_get_child_node_count() got split to the fwnode and device
respective APIs, the fwnode didn't inherit the ability to traverse over
the secondary fwnode. Hence any user, that switches from device to fwnode
API misses this feature. In particular, this was revealed by the commit
1490cbb9dbfd ("device property: Split fwnode_get_child_node_count()")
that effectively broke the GPIO enumeration on Intel Galileo boards.
Fix this by moving the secondary lookup from device to fwnode API.
Note, in general no device_*() API should go into the depth of the fwnode
implementation.
Fixes: 114dbb4fa7c4 ("drivers property: When no children in primary, try secondary")
Cc: stable@vger.kernel.org
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Link: https://patch.msgid.link/20260210135822.47335-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/property.c | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
--- a/drivers/base/property.c
+++ b/drivers/base/property.c
@@ -759,7 +759,18 @@ struct fwnode_handle *
fwnode_get_next_child_node(const struct fwnode_handle *fwnode,
struct fwnode_handle *child)
{
- return fwnode_call_ptr_op(fwnode, get_next_child_node, child);
+ struct fwnode_handle *next;
+
+ if (IS_ERR_OR_NULL(fwnode))
+ return NULL;
+
+ /* Try to find a child in primary fwnode */
+ next = fwnode_call_ptr_op(fwnode, get_next_child_node, child);
+ if (next)
+ return next;
+
+ /* When no more children in primary, continue with secondary */
+ return fwnode_call_ptr_op(fwnode->secondary, get_next_child_node, child);
}
EXPORT_SYMBOL_GPL(fwnode_get_next_child_node);
@@ -803,19 +814,7 @@ EXPORT_SYMBOL_GPL(fwnode_get_next_availa
struct fwnode_handle *device_get_next_child_node(const struct device *dev,
struct fwnode_handle *child)
{
- const struct fwnode_handle *fwnode = dev_fwnode(dev);
- struct fwnode_handle *next;
-
- if (IS_ERR_OR_NULL(fwnode))
- return NULL;
-
- /* Try to find a child in primary fwnode */
- next = fwnode_get_next_child_node(fwnode, child);
- if (next)
- return next;
-
- /* When no more children in primary, continue with secondary */
- return fwnode_get_next_child_node(fwnode->secondary, child);
+ return fwnode_get_next_child_node(dev_fwnode(dev), child);
}
EXPORT_SYMBOL_GPL(device_get_next_child_node);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 223/567] net/mlx5: Fix deadlock between devlink lock and esw->wq
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 222/567] net/mlx5: Query to see if host PF is disabled Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 224/567] net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery Greg Kroah-Hartman
` (154 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Ratiu, Moshe Shemesh,
Dragos Tatulea, Simon Horman, Tariq Toukan, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Ratiu <cratiu@nvidia.com>
[ Upstream commit aed763abf0e905b4b8d747d1ba9e172961572f57 ]
esw->work_queue executes esw_functions_changed_event_handler ->
esw_vfs_changed_event_handler and acquires the devlink lock.
.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) ->
mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked ->
mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks
when esw_vfs_changed_event_handler executes.
Fix that by no longer flushing the work to avoid the deadlock, and using
a generation counter to keep track of work relevance. This avoids an old
handler manipulating an esw that has undergone one or more mode changes:
- the counter is incremented in mlx5_eswitch_event_handler_unregister.
- the counter is read and passed to the ephemeral mlx5_host_work struct.
- the work handler takes the devlink lock and bails out if the current
generation is different than the one it was scheduled to operate on.
- mlx5_eswitch_cleanup does the final draining before destroying the wq.
No longer flushing the workqueue has the side effect of maybe no longer
cancelling pending vport_change_handler work items, but that's ok since
those are disabled elsewhere:
- mlx5_eswitch_disable_locked disables the vport eq notifier.
- mlx5_esw_vport_disable disarms the HW EQ notification and marks
vport->enabled under state_lock to false to prevent pending vport
handler from doing anything.
- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events
are disabled/finished.
Fixes: f1bc646c9a06 ("net/mlx5: Use devl_ API in mlx5_esw_offloads_devlink_port_register")
Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260305081019.1811100-1-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/eswitch.c | 7 ++++---
.../net/ethernet/mellanox/mlx5/core/eswitch.h | 2 ++
.../mellanox/mlx5/core/eswitch_offloads.c | 18 +++++++++++++-----
3 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
index 79fa78b188250..2559237da49c5 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -1068,10 +1068,11 @@ static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw)
static void mlx5_eswitch_event_handler_unregister(struct mlx5_eswitch *esw)
{
- if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev))
+ if (esw->mode == MLX5_ESWITCH_OFFLOADS &&
+ mlx5_eswitch_is_funcs_handler(esw->dev)) {
mlx5_eq_notifier_unregister(esw->dev, &esw->esw_funcs.nb);
-
- flush_workqueue(esw->work_queue);
+ atomic_inc(&esw->esw_funcs.generation);
+ }
}
static void mlx5_eswitch_clear_vf_vports_info(struct mlx5_eswitch *esw)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
index 23e612dd329db..48bebc3b8b12c 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
@@ -311,10 +311,12 @@ struct esw_mc_addr { /* SRIOV only */
struct mlx5_host_work {
struct work_struct work;
struct mlx5_eswitch *esw;
+ int work_gen;
};
struct mlx5_esw_functions {
struct mlx5_nb nb;
+ atomic_t generation;
bool host_funcs_disabled;
u16 num_vfs;
u16 num_ec_vfs;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
index c218593dc40f4..e69e0f2c33964 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
@@ -3387,22 +3387,28 @@ static void esw_offloads_steering_cleanup(struct mlx5_eswitch *esw)
}
static void
-esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out)
+esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, int work_gen,
+ const u32 *out)
{
struct devlink *devlink;
bool host_pf_disabled;
u16 new_num_vfs;
+ devlink = priv_to_devlink(esw->dev);
+ devl_lock(devlink);
+
+ /* Stale work from one or more mode changes ago. Bail out. */
+ if (work_gen != atomic_read(&esw->esw_funcs.generation))
+ goto unlock;
+
new_num_vfs = MLX5_GET(query_esw_functions_out, out,
host_params_context.host_num_of_vfs);
host_pf_disabled = MLX5_GET(query_esw_functions_out, out,
host_params_context.host_pf_disabled);
if (new_num_vfs == esw->esw_funcs.num_vfs || host_pf_disabled)
- return;
+ goto unlock;
- devlink = priv_to_devlink(esw->dev);
- devl_lock(devlink);
/* Number of VFs can only change from "0 to x" or "x to 0". */
if (esw->esw_funcs.num_vfs > 0) {
mlx5_eswitch_unload_vf_vports(esw, esw->esw_funcs.num_vfs);
@@ -3417,6 +3423,7 @@ esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out)
}
}
esw->esw_funcs.num_vfs = new_num_vfs;
+unlock:
devl_unlock(devlink);
}
@@ -3433,7 +3440,7 @@ static void esw_functions_changed_event_handler(struct work_struct *work)
if (IS_ERR(out))
goto out;
- esw_vfs_changed_event_handler(esw, out);
+ esw_vfs_changed_event_handler(esw, host_work->work_gen, out);
kvfree(out);
out:
kfree(host_work);
@@ -3453,6 +3460,7 @@ int mlx5_esw_funcs_changed_handler(struct notifier_block *nb, unsigned long type
esw = container_of(esw_funcs, struct mlx5_eswitch, esw_funcs);
host_work->esw = esw;
+ host_work->work_gen = atomic_read(&esw_funcs->generation);
INIT_WORK(&host_work->work, esw_functions_changed_event_handler);
queue_work(esw->work_queue, &host_work->work);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 161/481] net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 160/481] xprtrdma: Decrement re_receiving on the early exit paths Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 162/481] bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states Greg Kroah-Hartman
` (154 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mieczyslaw Nalewaj,
Luiz Angelo Daros de Luca, Simon Horman, Linus Walleij,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mieczyslaw Nalewaj <namiltd@yahoo.com>
[ Upstream commit f76a93241d71fbba8425e3967097b498c29264ed ]
rx_packets should report the number of frames successfully received:
unicast + multicast + broadcast. Subtracting ifOutDiscards (a TX
counter) is incorrect and can undercount RX packets. RX drops are
already reported via rx_dropped (e.g. etherStatsDropEvents), so
there is no need to adjust rx_packets.
This patch removes the subtraction of ifOutDiscards from rx_packets
in rtl8365mb_stats_update().
Link: https://lore.kernel.org/netdev/878777925.105015.1763423928520@mail.yahoo.com/
Fixes: 4af2950c50c8 ("net: dsa: realtek-smi: add rtl8365mb subdriver for RTL8365MB-VC")
Signed-off-by: Mieczyslaw Nalewaj <namiltd@yahoo.com>
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20260303-realtek_namiltd_fix2-v1-1-bfa433d3401e@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/realtek/rtl8365mb.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/dsa/realtek/rtl8365mb.c b/drivers/net/dsa/realtek/rtl8365mb.c
index abdff73aa9c32..c22e69ab0deb1 100644
--- a/drivers/net/dsa/realtek/rtl8365mb.c
+++ b/drivers/net/dsa/realtek/rtl8365mb.c
@@ -1451,8 +1451,7 @@ static void rtl8365mb_stats_update(struct realtek_priv *priv, int port)
stats->rx_packets = cnt[RTL8365MB_MIB_ifInUcastPkts] +
cnt[RTL8365MB_MIB_ifInMulticastPkts] +
- cnt[RTL8365MB_MIB_ifInBroadcastPkts] -
- cnt[RTL8365MB_MIB_ifOutDiscards];
+ cnt[RTL8365MB_MIB_ifInBroadcastPkts];
stats->tx_packets = cnt[RTL8365MB_MIB_ifOutUcastPkts] +
cnt[RTL8365MB_MIB_ifOutMulticastPkts] +
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 148/460] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 147/460] device property: Allow secondary lookup in fwnode_get_next_child_node() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 149/460] btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies() Greg Kroah-Hartman
` (154 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc Zyngier, Thomas Gleixner,
Robin Murphy, Zenghui Yu
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit ce9e40a9a5e5cff0b1b0d2fa582b3d71a8ce68e8 upstream.
The ITS driver blindly assumes that EventIDs are in abundant supply, to the
point where it never checks how many the hardware actually supports.
It turns out that some pretty esoteric integrations make it so that only a
few bits are available, all the way down to a single bit.
Enforce the advertised limitation at the point of allocating the device
structure, and hope that the endpoint driver can deal with such limitation.
Fixes: 84a6a2e7fc18d ("irqchip: GICv3: ITS: device allocation and configuration")
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Zenghui Yu <zenghui.yu@linux.dev>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260206154816.3582887-1-maz@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-gic-v3-its.c | 4 ++++
include/linux/irqchip/arm-gic-v3.h | 1 +
2 files changed, 5 insertions(+)
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -3393,6 +3393,7 @@ static struct its_device *its_create_dev
int lpi_base;
int nr_lpis;
int nr_ites;
+ int id_bits;
int sz;
if (!its_alloc_device_table(its, dev_id))
@@ -3405,7 +3406,10 @@ static struct its_device *its_create_dev
/*
* Even if the device wants a single LPI, the ITT must be
* sized as a power of two (and you need at least one bit...).
+ * Also honor the ITS's own EID limit.
*/
+ id_bits = FIELD_GET(GITS_TYPER_IDBITS, its->typer) + 1;
+ nvecs = min_t(unsigned int, nvecs, BIT(id_bits));
nr_ites = max(2, nvecs);
sz = nr_ites * (FIELD_GET(GITS_TYPER_ITT_ENTRY_SIZE, its->typer) + 1);
sz = max(sz, ITS_ITT_ALIGN) + ITS_ITT_ALIGN - 1;
--- a/include/linux/irqchip/arm-gic-v3.h
+++ b/include/linux/irqchip/arm-gic-v3.h
@@ -394,6 +394,7 @@
#define GITS_TYPER_VLPIS (1UL << 1)
#define GITS_TYPER_ITT_ENTRY_SIZE_SHIFT 4
#define GITS_TYPER_ITT_ENTRY_SIZE GENMASK_ULL(7, 4)
+#define GITS_TYPER_IDBITS GENMASK_ULL(12, 8)
#define GITS_TYPER_IDBITS_SHIFT 8
#define GITS_TYPER_DEVBITS_SHIFT 13
#define GITS_TYPER_DEVBITS GENMASK_ULL(17, 13)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 224/567] net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 223/567] net/mlx5: Fix deadlock between devlink lock and esw->wq Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 225/567] net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit Greg Kroah-Hartman
` (153 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gal Pressman, Dragos Tatulea,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit 1633111d69053512d099658d4a05fc736fab36b0 ]
In case of a TX error CQE, a recovery flow is triggered,
mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc,
desyncing the DMA FIFO producer and consumer.
After recovery, the producer pushes new DMA entries at the old
dma_fifo_pc, while the consumer reads from position 0.
This causes us to unmap stale DMA addresses from before the recovery.
The DMA FIFO is a purely software construct with no HW counterpart.
At the point of reset, all WQEs have been flushed so dma_fifo_cc is
already equal to dma_fifo_pc. There is no need to reset either counter,
similar to how skb_fifo pc/cc are untouched.
Remove the 'dma_fifo_cc = 0' reset.
This fixes the following WARNING:
WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90
Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables]
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:iommu_dma_unmap_page+0x79/0x90
Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00
Call Trace:
<IRQ>
? __warn+0x7d/0x110
? iommu_dma_unmap_page+0x79/0x90
? report_bug+0x16d/0x180
? handle_bug+0x4f/0x90
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? iommu_dma_unmap_page+0x79/0x90
? iommu_dma_unmap_page+0x2e/0x90
dma_unmap_page_attrs+0x10d/0x1b0
mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core]
mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core]
mlx5e_napi_poll+0x8b/0xac0 [mlx5_core]
__napi_poll+0x24/0x190
net_rx_action+0x32a/0x3b0
? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core]
? notifier_call_chain+0x35/0xa0
handle_softirqs+0xc9/0x270
irq_exit_rcu+0x71/0xd0
common_interrupt+0x7f/0xa0
</IRQ>
<TASK>
asm_common_interrupt+0x22/0x40
Fixes: db75373c91b0 ("net/mlx5e: Recover Send Queue (SQ) from error state")
Signed-off-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260305142634.1813208-4-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
index 51a23345caa18..1319e9ee20fc0 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
@@ -46,7 +46,6 @@ static void mlx5e_reset_txqsq_cc_pc(struct mlx5e_txqsq *sq)
"SQ 0x%x: cc (0x%x) != pc (0x%x)\n",
sq->sqn, sq->cc, sq->pc);
sq->cc = 0;
- sq->dma_fifo_cc = 0;
sq->pc = 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 162/481] bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 161/481] net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 163/481] net/mlx5: IFC updates for disabled host PF Greg Kroah-Hartman
` (153 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 3348be7978f450ede0c308a4e8416ac716cf1015 ]
Before the fixed commit, we check slave->new_link during commit
state, which values are only BOND_LINK_{NOCHANGE, UP, DOWN}. After
the commit, we start using slave->link_new_state, which state also could
be BOND_LINK_{FAIL, BACK}.
For example, when we set updelay/downdelay, after a failover,
the slave->link_new_state could be set to BOND_LINK_{FAIL, BACK} in
bond_miimon_inspect(). And later in bond_miimon_commit(), it will treat
it as invalid and print an error, which would cause confusion for users.
[ 106.440254] bond0: (slave veth2): link status down for interface, disabling it in 200 ms
[ 106.440265] bond0: (slave veth2): invalid new link 1 on slave
[ 106.648276] bond0: (slave veth2): link status definitely down, disabling slave
[ 107.480271] bond0: (slave veth2): link status up, enabling it in 200 ms
[ 107.480288] bond0: (slave veth2): invalid new link 3 on slave
[ 107.688302] bond0: (slave veth2): link status definitely up, 10000 Mbps full duplex
Let's handle BOND_LINK_{FAIL, BACK} as valid link states.
Fixes: 1899bb325149 ("bonding: fix state transition issue in link monitoring")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20260304-b4-bond_updelay-v1-2-f72eb2e454d0@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 8ff1c34b4db63..2296ca9003016 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2801,8 +2801,14 @@ static void bond_miimon_commit(struct bonding *bond)
continue;
+ case BOND_LINK_FAIL:
+ case BOND_LINK_BACK:
+ slave_dbg(bond->dev, slave->dev, "link_new_state %d on slave\n",
+ slave->link_new_state);
+ continue;
+
default:
- slave_err(bond->dev, slave->dev, "invalid new link %d on slave\n",
+ slave_err(bond->dev, slave->dev, "invalid link_new_state %d on slave\n",
slave->link_new_state);
bond_propose_link_state(slave, BOND_LINK_NOCHANGE);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 149/460] btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 148/460] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 150/460] ice: reintroduce retry mechanism for indirect AQ Greg Kroah-Hartman
` (153 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, Mark Harmstone,
David Sterba
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Harmstone <mark@harmstone.com>
commit f15fb3d41543244d1179f423da4a4832a55bc050 upstream.
Fix a chunk map leak in btrfs_map_block(): if we return early with -EINVAL,
we're not freeing the chunk map that we've just looked up.
Fixes: 0ae653fbec2b ("btrfs: reduce chunk_map lookups in btrfs_map_block()")
CC: stable@vger.kernel.org # 6.12+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Mark Harmstone <mark@harmstone.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/volumes.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -6522,8 +6522,10 @@ int btrfs_map_block(struct btrfs_fs_info
return PTR_ERR(map);
num_copies = btrfs_chunk_map_num_copies(map);
- if (io_geom.mirror_num > num_copies)
- return -EINVAL;
+ if (io_geom.mirror_num > num_copies) {
+ ret = -EINVAL;
+ goto out;
+ }
map_offset = logical - map->start;
io_geom.raid56_full_stripe_start = (u64)-1;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 225/567] net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 224/567] net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 226/567] ASoC: soc-core: drop delayed_work_pending() check before flush Greg Kroah-Hartman
` (152 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 0cc0c2e661af418bbf7074179ea5cfffc0a5c466 ]
teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit
through slave devices, but does not update skb->dev to the slave device
beforehand.
When a gretap tunnel is a TEQL slave, the transmit path reaches
iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0
master) and later calls iptunnel_xmit_stats(dev, pkt_len). This
function does:
get_cpu_ptr(dev->tstats)
Since teql_master_setup() does not set dev->pcpu_stat_type to
NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats
for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes
NULL + __per_cpu_offset[cpu], resulting in a page fault.
BUG: unable to handle page fault for address: ffff8880e6659018
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 68bc067 P4D 68bc067 PUD 0
Oops: Oops: 0002 [#1] SMP KASAN PTI
RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)
Call Trace:
<TASK>
ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
__gre_xmit (net/ipv4/ip_gre.c:478)
gre_tap_xmit (net/ipv4/ip_gre.c:779)
teql_master_xmit (net/sched/sch_teql.c:319)
dev_hard_start_xmit (net/core/dev.c:3887)
sch_direct_xmit (net/sched/sch_generic.c:347)
__dev_queue_xmit (net/core/dev.c:4802)
neigh_direct_output (net/core/neighbour.c:1660)
ip_finish_output2 (net/ipv4/ip_output.c:237)
__ip_finish_output.part.0 (net/ipv4/ip_output.c:315)
ip_mc_output (net/ipv4/ip_output.c:369)
ip_send_skb (net/ipv4/ip_output.c:1508)
udp_send_skb (net/ipv4/udp.c:1195)
udp_sendmsg (net/ipv4/udp.c:1485)
inet_sendmsg (net/ipv4/af_inet.c:859)
__sys_sendto (net/socket.c:2206)
Fix this by setting skb->dev = slave before calling
netdev_start_xmit(), so that tunnel xmit functions see the correct
slave device with properly allocated tstats.
Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Link: https://patch.msgid.link/20260304044216.3517851-3-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_teql.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
index 0a7856e14a975..c89cb6eba27da 100644
--- a/net/sched/sch_teql.c
+++ b/net/sched/sch_teql.c
@@ -315,6 +315,7 @@ static netdev_tx_t teql_master_xmit(struct sk_buff *skb, struct net_device *dev)
if (__netif_tx_trylock(slave_txq)) {
unsigned int length = qdisc_pkt_len(skb);
+ skb->dev = slave;
if (!netif_xmit_frozen_or_stopped(slave_txq) &&
netdev_start_xmit(skb, slave, slave_txq, false) ==
NETDEV_TX_OK) {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 163/481] net/mlx5: IFC updates for disabled host PF
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 162/481] bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 164/481] net/mlx5: Query to see if host PF is disabled Greg Kroah-Hartman
` (152 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Jurgens, William Tu,
Tariq Toukan, Leon Romanovsky, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Jurgens <danielj@nvidia.com>
[ Upstream commit cd1746cb6555a2238c4aae9f9d60b637a61bf177 ]
The port 2 host PF can be disabled, this bit reflects that setting.
Signed-off-by: Daniel Jurgens <danielj@nvidia.com>
Reviewed-by: William Tu <witu@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1752064867-16874-3-git-send-email-tariqt@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Stable-dep-of: aed763abf0e9 ("net/mlx5: Fix deadlock between devlink lock and esw->wq")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/mlx5/mlx5_ifc.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
index 4df7b3d358607..9610b325f2b61 100644
--- a/include/linux/mlx5/mlx5_ifc.h
+++ b/include/linux/mlx5/mlx5_ifc.h
@@ -11496,7 +11496,9 @@ struct mlx5_ifc_mtrc_ctrl_bits {
struct mlx5_ifc_host_params_context_bits {
u8 host_number[0x8];
- u8 reserved_at_8[0x7];
+ u8 reserved_at_8[0x5];
+ u8 host_pf_not_exist[0x1];
+ u8 reserved_at_14[0x1];
u8 host_pf_disabled[0x1];
u8 host_num_of_vfs[0x10];
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 150/460] ice: reintroduce retry mechanism for indirect AQ
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 149/460] btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 151/460] ixgbevf: fix link setup issue Greg Kroah-Hartman
` (152 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Schmidt, Jakub Staniszewski,
Dawid Osuchowski, Aleksandr Loktionov, Przemek Kitszel,
Paul Menzel, Tony Nguyen, Rinitha S
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
commit 326256c0a72d4877cec1d4df85357da106233128 upstream.
Add retry mechanism for indirect Admin Queue (AQ) commands. To do so we
need to keep the command buffer.
This technically reverts commit 43a630e37e25
("ice: remove unused buffer copy code in ice_sq_send_cmd_retry()"),
but combines it with a fix in the logic by using a kmemdup() call,
making it more robust and less likely to break in the future due to
programmer error.
Cc: Michal Schmidt <mschmidt@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 3056df93f7a8 ("ice: Re-send some AQ commands, as result of EBUSY AQ error")
Signed-off-by: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
Co-developed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Signed-off-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_common.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/net/ethernet/intel/ice/ice_common.c
+++ b/drivers/net/ethernet/intel/ice/ice_common.c
@@ -1579,6 +1579,7 @@ ice_sq_send_cmd_retry(struct ice_hw *hw,
{
struct ice_aq_desc desc_cpy;
bool is_cmd_for_retry;
+ u8 *buf_cpy = NULL;
u8 idx = 0;
u16 opcode;
int status;
@@ -1588,8 +1589,11 @@ ice_sq_send_cmd_retry(struct ice_hw *hw,
memset(&desc_cpy, 0, sizeof(desc_cpy));
if (is_cmd_for_retry) {
- /* All retryable cmds are direct, without buf. */
- WARN_ON(buf);
+ if (buf) {
+ buf_cpy = kmemdup(buf, buf_size, GFP_KERNEL);
+ if (!buf_cpy)
+ return -ENOMEM;
+ }
memcpy(&desc_cpy, desc, sizeof(desc_cpy));
}
@@ -1601,12 +1605,14 @@ ice_sq_send_cmd_retry(struct ice_hw *hw,
hw->adminq.sq_last_status != ICE_AQ_RC_EBUSY)
break;
+ if (buf_cpy)
+ memcpy(buf, buf_cpy, buf_size);
memcpy(desc, &desc_cpy, sizeof(desc_cpy));
-
msleep(ICE_SQ_SEND_DELAY_TIME_MS);
} while (++idx < ICE_SQ_SEND_MAX_EXECUTE);
+ kfree(buf_cpy);
return status;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 226/567] ASoC: soc-core: drop delayed_work_pending() check before flush
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 225/567] net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 227/567] ASoC: soc-core: flush delayed work before removing DAIs and widgets Greg Kroah-Hartman
` (151 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matteo Cotifava, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: matteo.cotifava <cotifavamatteo@gmail.com>
[ Upstream commit 3c99c9f0ed60582c1c9852b685d78d5d3a50de63 ]
The delayed_work_pending() check before flush_delayed_work() in
soc_free_pcm_runtime() is unnecessary and racy. flush_delayed_work()
is safe to call unconditionally - it is a no-op when no work is
pending. Remove the check.
The original check was added by commit 9c9b65203492 ("ASoC: core:
only flush inited work during free") but delayed_work_pending()
followed by flush_delayed_work() has a time-of-check/time-of-use
window where work can become pending between the two calls.
Fixes: 9c9b65203492 ("ASoC: core: only flush inited work during free")
Signed-off-by: Matteo Cotifava <cotifavamatteo@gmail.com>
Link: https://patch.msgid.link/20260309215412.545628-2-cotifavamatteo@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index dc95b6f415558..39570e0e92bbc 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -456,8 +456,7 @@ static void soc_free_pcm_runtime(struct snd_soc_pcm_runtime *rtd)
list_del(&rtd->list);
- if (delayed_work_pending(&rtd->delayed_work))
- flush_delayed_work(&rtd->delayed_work);
+ flush_delayed_work(&rtd->delayed_work);
snd_soc_pcm_component_free(rtd);
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 164/481] net/mlx5: Query to see if host PF is disabled
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 163/481] net/mlx5: IFC updates for disabled host PF Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 165/481] net/mlx5: Fix deadlock between devlink lock and esw->wq Greg Kroah-Hartman
` (151 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Jurgens, William Tu,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Jurgens <danielj@nvidia.com>
[ Upstream commit 9e84de72aef9bcf0e751a0bff3ac91b0cf52366f ]
The host PF can be disabled, query firmware to check if the host PF of
this function exists.
Signed-off-by: Daniel Jurgens <danielj@nvidia.com>
Reviewed-by: William Tu <witu@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1755112796-467444-2-git-send-email-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: aed763abf0e9 ("net/mlx5: Fix deadlock between devlink lock and esw->wq")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/eswitch.c | 23 +++++++++++++++++++
.../net/ethernet/mellanox/mlx5/core/eswitch.h | 1 +
2 files changed, 24 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
index 9ba825df9be0e..3255af4313a29 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -969,6 +969,25 @@ const u32 *mlx5_esw_query_functions(struct mlx5_core_dev *dev)
return ERR_PTR(err);
}
+static int mlx5_esw_host_functions_enabled_query(struct mlx5_eswitch *esw)
+{
+ const u32 *query_host_out;
+
+ if (!mlx5_core_is_ecpf_esw_manager(esw->dev))
+ return 0;
+
+ query_host_out = mlx5_esw_query_functions(esw->dev);
+ if (IS_ERR(query_host_out))
+ return PTR_ERR(query_host_out);
+
+ esw->esw_funcs.host_funcs_disabled =
+ MLX5_GET(query_esw_functions_out, query_host_out,
+ host_params_context.host_pf_not_exist);
+
+ kvfree(query_host_out);
+ return 0;
+}
+
static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw)
{
if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev)) {
@@ -1596,6 +1615,10 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev)
goto abort;
}
+ err = mlx5_esw_host_functions_enabled_query(esw);
+ if (err)
+ goto abort;
+
err = mlx5_esw_vports_init(esw);
if (err)
goto abort;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
index a3daca44f74b1..ff20b43a551de 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
@@ -279,6 +279,7 @@ struct mlx5_host_work {
struct mlx5_esw_functions {
struct mlx5_nb nb;
+ bool host_funcs_disabled;
u16 num_vfs;
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 151/460] ixgbevf: fix link setup issue
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 150/460] ice: reintroduce retry mechanism for indirect AQ Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 152/460] staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Greg Kroah-Hartman
` (151 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov,
Piotr Kwapulinski, Paul Menzel, Jedrzej Jagielski,
Rafal Romanowski, Tony Nguyen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
commit feae40a6a178bb525a15f19288016e5778102a99 upstream.
It may happen that VF spawned for E610 adapter has problem with setting
link up. This happens when ixgbevf supporting mailbox API 1.6 cooperates
with PF driver which doesn't support this version of API, and hence
doesn't support new approach for getting PF link data.
In that case VF asks PF to provide link data but as PF doesn't support
it, returns -EOPNOTSUPP what leads to early bail from link configuration
sequence.
Avoid such situation by using legacy VFLINKS approach whenever negotiated
API version is less than 1.6.
To reproduce the issue just create VF and set its link up - adapter must
be any from the E610 family, ixgbevf must support API 1.6 or higher while
ixgbevf must not.
Fixes: 53f0eb62b4d2 ("ixgbevf: fix getting link speed data for E610 devices")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Piotr Kwapulinski <piotr.kwapulinski@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Cc: stable@vger.kernel.org
Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ixgbevf/vf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/ixgbevf/vf.c
+++ b/drivers/net/ethernet/intel/ixgbevf/vf.c
@@ -852,7 +852,8 @@ static s32 ixgbevf_check_mac_link_vf(str
if (!mac->get_link_status)
goto out;
- if (hw->mac.type == ixgbe_mac_e610_vf) {
+ if (hw->mac.type == ixgbe_mac_e610_vf &&
+ hw->api_version >= ixgbe_mbox_api_16) {
ret_val = ixgbevf_get_pf_link_state(hw, speed, link_up);
if (ret_val)
goto out;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 227/567] ASoC: soc-core: flush delayed work before removing DAIs and widgets
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 226/567] ASoC: soc-core: drop delayed_work_pending() check before flush Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 228/567] ASoC: simple-card-utils: use __free(device_node) for device node Greg Kroah-Hartman
` (150 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matteo Cotifava, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: matteo.cotifava <cotifavamatteo@gmail.com>
[ Upstream commit 95bc5c225513fc3c4ce169563fb5e3929fbb938b ]
When a sound card is unbound while a PCM stream is open, a
use-after-free can occur in snd_soc_dapm_stream_event(), called from
the close_delayed_work workqueue handler.
During unbind, snd_soc_unbind_card() flushes delayed work and then
calls soc_cleanup_card_resources(). Inside cleanup,
snd_card_disconnect_sync() releases all PCM file descriptors, and
the resulting PCM close path can call snd_soc_dapm_stream_stop()
which schedules new delayed work with a pmdown_time timer delay.
Since this happens after the flush in snd_soc_unbind_card(), the
new work is not caught. soc_remove_link_components() then frees
DAPM widgets before this work fires, leading to the use-after-free.
The existing flush in soc_free_pcm_runtime() also cannot help as it
runs after soc_remove_link_components() has already freed the widgets.
Add a flush in soc_cleanup_card_resources() after
snd_card_disconnect_sync() (after which no new PCM closes can
schedule further delayed work) and before soc_remove_link_dais()
and soc_remove_link_components() (which tear down the structures the
delayed work accesses).
Fixes: e894efef9ac7 ("ASoC: core: add support to card rebind")
Signed-off-by: Matteo Cotifava <cotifavamatteo@gmail.com>
Link: https://patch.msgid.link/20260309215412.545628-3-cotifavamatteo@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 39570e0e92bbc..e2a4ff5414099 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -1996,6 +1996,9 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card)
for_each_card_rtds(card, rtd)
if (rtd->initialized)
snd_soc_link_exit(rtd);
+ /* flush delayed work before removing DAIs and DAPM widgets */
+ snd_soc_flush_all_delayed_work(card);
+
/* remove and free each DAI */
soc_remove_link_dais(card);
soc_remove_link_components(card);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 165/481] net/mlx5: Fix deadlock between devlink lock and esw->wq
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 164/481] net/mlx5: Query to see if host PF is disabled Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 166/481] net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery Greg Kroah-Hartman
` (150 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Ratiu, Moshe Shemesh,
Dragos Tatulea, Simon Horman, Tariq Toukan, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Ratiu <cratiu@nvidia.com>
[ Upstream commit aed763abf0e905b4b8d747d1ba9e172961572f57 ]
esw->work_queue executes esw_functions_changed_event_handler ->
esw_vfs_changed_event_handler and acquires the devlink lock.
.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) ->
mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked ->
mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks
when esw_vfs_changed_event_handler executes.
Fix that by no longer flushing the work to avoid the deadlock, and using
a generation counter to keep track of work relevance. This avoids an old
handler manipulating an esw that has undergone one or more mode changes:
- the counter is incremented in mlx5_eswitch_event_handler_unregister.
- the counter is read and passed to the ephemeral mlx5_host_work struct.
- the work handler takes the devlink lock and bails out if the current
generation is different than the one it was scheduled to operate on.
- mlx5_eswitch_cleanup does the final draining before destroying the wq.
No longer flushing the workqueue has the side effect of maybe no longer
cancelling pending vport_change_handler work items, but that's ok since
those are disabled elsewhere:
- mlx5_eswitch_disable_locked disables the vport eq notifier.
- mlx5_esw_vport_disable disarms the HW EQ notification and marks
vport->enabled under state_lock to false to prevent pending vport
handler from doing anything.
- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events
are disabled/finished.
Fixes: f1bc646c9a06 ("net/mlx5: Use devl_ API in mlx5_esw_offloads_devlink_port_register")
Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260305081019.1811100-1-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/eswitch.c | 7 ++++---
.../net/ethernet/mellanox/mlx5/core/eswitch.h | 2 ++
.../mellanox/mlx5/core/eswitch_offloads.c | 18 +++++++++++++-----
3 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
index 3255af4313a29..8b2b78f05cbe7 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -999,10 +999,11 @@ static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw)
static void mlx5_eswitch_event_handler_unregister(struct mlx5_eswitch *esw)
{
- if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev))
+ if (esw->mode == MLX5_ESWITCH_OFFLOADS &&
+ mlx5_eswitch_is_funcs_handler(esw->dev)) {
mlx5_eq_notifier_unregister(esw->dev, &esw->esw_funcs.nb);
-
- flush_workqueue(esw->work_queue);
+ atomic_inc(&esw->esw_funcs.generation);
+ }
}
static void mlx5_eswitch_clear_vf_vports_info(struct mlx5_eswitch *esw)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
index ff20b43a551de..00d169a11a0a8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
@@ -275,10 +275,12 @@ struct esw_mc_addr { /* SRIOV only */
struct mlx5_host_work {
struct work_struct work;
struct mlx5_eswitch *esw;
+ int work_gen;
};
struct mlx5_esw_functions {
struct mlx5_nb nb;
+ atomic_t generation;
bool host_funcs_disabled;
u16 num_vfs;
};
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
index f7f1eae998b5e..2a64d0fd2fe52 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
@@ -3207,22 +3207,28 @@ static void esw_offloads_steering_cleanup(struct mlx5_eswitch *esw)
}
static void
-esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out)
+esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, int work_gen,
+ const u32 *out)
{
struct devlink *devlink;
bool host_pf_disabled;
u16 new_num_vfs;
+ devlink = priv_to_devlink(esw->dev);
+ devl_lock(devlink);
+
+ /* Stale work from one or more mode changes ago. Bail out. */
+ if (work_gen != atomic_read(&esw->esw_funcs.generation))
+ goto unlock;
+
new_num_vfs = MLX5_GET(query_esw_functions_out, out,
host_params_context.host_num_of_vfs);
host_pf_disabled = MLX5_GET(query_esw_functions_out, out,
host_params_context.host_pf_disabled);
if (new_num_vfs == esw->esw_funcs.num_vfs || host_pf_disabled)
- return;
+ goto unlock;
- devlink = priv_to_devlink(esw->dev);
- devl_lock(devlink);
/* Number of VFs can only change from "0 to x" or "x to 0". */
if (esw->esw_funcs.num_vfs > 0) {
mlx5_eswitch_unload_vf_vports(esw, esw->esw_funcs.num_vfs);
@@ -3237,6 +3243,7 @@ esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out)
}
}
esw->esw_funcs.num_vfs = new_num_vfs;
+unlock:
devl_unlock(devlink);
}
@@ -3253,7 +3260,7 @@ static void esw_functions_changed_event_handler(struct work_struct *work)
if (IS_ERR(out))
goto out;
- esw_vfs_changed_event_handler(esw, out);
+ esw_vfs_changed_event_handler(esw, host_work->work_gen, out);
kvfree(out);
out:
kfree(host_work);
@@ -3273,6 +3280,7 @@ int mlx5_esw_funcs_changed_handler(struct notifier_block *nb, unsigned long type
esw = container_of(esw_funcs, struct mlx5_eswitch, esw_funcs);
host_work->esw = esw;
+ host_work->work_gen = atomic_read(&esw_funcs->generation);
INIT_WORK(&host_work->work, esw_functions_changed_event_handler);
queue_work(esw->work_queue, &host_work->work);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 152/460] staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 151/460] ixgbevf: fix link setup issue Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 153/460] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie Greg Kroah-Hartman
` (150 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Navaneeth K
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f0109b9d3e1e455429279d602f6276e34689750a upstream.
Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds
read in rtw_get_ie() parser"), we don't trust the data in the frame so
we should check the length better before acting on it
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Tested-by: Navaneeth K <knavaneeth786@gmail.com>
Reviewed-by: Navaneeth K <knavaneeth786@gmail.com>
Link: https://patch.msgid.link/2026022336-arrange-footwork-6e54@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
@@ -187,20 +187,25 @@ u8 *rtw_get_ie_ex(u8 *in_ie, uint in_len
cnt = 0;
- while (cnt < in_len) {
+ while (cnt + 2 <= in_len) {
+ u8 ie_len = in_ie[cnt + 1];
+
+ if (cnt + 2 + ie_len > in_len)
+ break;
+
if (eid == in_ie[cnt]
- && (!oui || !memcmp(&in_ie[cnt+2], oui, oui_len))) {
+ && (!oui || (ie_len >= oui_len && !memcmp(&in_ie[cnt + 2], oui, oui_len)))) {
target_ie = &in_ie[cnt];
if (ie)
- memcpy(ie, &in_ie[cnt], in_ie[cnt+1]+2);
+ memcpy(ie, &in_ie[cnt], ie_len + 2);
if (ielen)
- *ielen = in_ie[cnt+1]+2;
+ *ielen = ie_len + 2;
break;
}
- cnt += in_ie[cnt+1]+2; /* goto next */
+ cnt += ie_len + 2; /* goto next */
}
return target_ie;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 228/567] ASoC: simple-card-utils: use __free(device_node) for device node
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 227/567] ASoC: soc-core: flush delayed work before removing DAIs and widgets Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 229/567] ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays Greg Kroah-Hartman
` (149 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuninori Morimoto, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit 419d1918105e5d9926ab02f1f834bb416dc76f65 ]
simple-card-utils handles many type of device_node, thus need to
use of_node_put() in many place. Let's use __free(device_node)
and avoid it.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87r06pfre8.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 4185b95f8a42 ("ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/generic/simple-card-utils.c | 44 +++++++++------------------
1 file changed, 14 insertions(+), 30 deletions(-)
diff --git a/sound/soc/generic/simple-card-utils.c b/sound/soc/generic/simple-card-utils.c
index 598b0000df244..9ef3e69683271 100644
--- a/sound/soc/generic/simple-card-utils.c
+++ b/sound/soc/generic/simple-card-utils.c
@@ -988,35 +988,27 @@ EXPORT_SYMBOL_GPL(asoc_graph_card_probe);
int asoc_graph_is_ports0(struct device_node *np)
{
- struct device_node *port, *ports, *ports0, *top;
- int ret;
+ struct device_node *parent __free(device_node) = of_get_parent(np);
+ struct device_node *port;
/* np is "endpoint" or "port" */
- if (of_node_name_eq(np, "endpoint")) {
- port = of_get_parent(np);
- } else {
+ if (of_node_name_eq(np, "endpoint"))
+ port = parent;
+ else
port = np;
- of_node_get(port);
- }
-
- ports = of_get_parent(port);
- top = of_get_parent(ports);
- ports0 = of_get_child_by_name(top, "ports");
-
- ret = ports0 == ports;
- of_node_put(port);
- of_node_put(ports);
- of_node_put(ports0);
- of_node_put(top);
+ struct device_node *ports __free(device_node) = of_get_parent(port);
+ struct device_node *top __free(device_node) = of_get_parent(ports);
+ struct device_node *ports0 __free(device_node) = of_get_child_by_name(top, "ports");
- return ret;
+ return ports0 == ports;
}
EXPORT_SYMBOL_GPL(asoc_graph_is_ports0);
static int graph_get_dai_id(struct device_node *ep)
{
- struct device_node *node;
+ struct device_node *node __free(device_node) = of_graph_get_port_parent(ep);
+ struct device_node *port __free(device_node) = of_get_parent(ep);
struct device_node *endpoint;
struct of_endpoint info;
int i, id;
@@ -1039,13 +1031,10 @@ static int graph_get_dai_id(struct device_node *ep)
if (of_property_present(ep, "reg"))
return info.id;
- node = of_get_parent(ep);
- ret = of_property_present(node, "reg");
- of_node_put(node);
+ ret = of_property_present(port, "reg");
if (ret)
return info.port;
}
- node = of_graph_get_port_parent(ep);
/*
* Non HDMI sound case, counting port/endpoint on its DT
@@ -1059,8 +1048,6 @@ static int graph_get_dai_id(struct device_node *ep)
i++;
}
- of_node_put(node);
-
if (id < 0)
return -ENODEV;
@@ -1070,7 +1057,6 @@ static int graph_get_dai_id(struct device_node *ep)
int asoc_graph_parse_dai(struct device *dev, struct device_node *ep,
struct snd_soc_dai_link_component *dlc, int *is_single_link)
{
- struct device_node *node;
struct of_phandle_args args = {};
struct snd_soc_dai *dai;
int ret;
@@ -1078,7 +1064,7 @@ int asoc_graph_parse_dai(struct device *dev, struct device_node *ep,
if (!ep)
return 0;
- node = of_graph_get_port_parent(ep);
+ struct device_node *node __free(device_node) = of_graph_get_port_parent(ep);
/*
* Try to find from DAI node
@@ -1120,10 +1106,8 @@ int asoc_graph_parse_dai(struct device *dev, struct device_node *ep,
* if he unbinded CPU or Codec.
*/
ret = snd_soc_get_dlc(&args, dlc);
- if (ret < 0) {
- of_node_put(node);
+ if (ret < 0)
return ret;
- }
parse_dai_end:
if (is_single_link)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 166/481] net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 165/481] net/mlx5: Fix deadlock between devlink lock and esw->wq Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 167/481] net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit Greg Kroah-Hartman
` (149 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gal Pressman, Dragos Tatulea,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit 1633111d69053512d099658d4a05fc736fab36b0 ]
In case of a TX error CQE, a recovery flow is triggered,
mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc,
desyncing the DMA FIFO producer and consumer.
After recovery, the producer pushes new DMA entries at the old
dma_fifo_pc, while the consumer reads from position 0.
This causes us to unmap stale DMA addresses from before the recovery.
The DMA FIFO is a purely software construct with no HW counterpart.
At the point of reset, all WQEs have been flushed so dma_fifo_cc is
already equal to dma_fifo_pc. There is no need to reset either counter,
similar to how skb_fifo pc/cc are untouched.
Remove the 'dma_fifo_cc = 0' reset.
This fixes the following WARNING:
WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90
Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables]
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:iommu_dma_unmap_page+0x79/0x90
Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00
Call Trace:
<IRQ>
? __warn+0x7d/0x110
? iommu_dma_unmap_page+0x79/0x90
? report_bug+0x16d/0x180
? handle_bug+0x4f/0x90
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? iommu_dma_unmap_page+0x79/0x90
? iommu_dma_unmap_page+0x2e/0x90
dma_unmap_page_attrs+0x10d/0x1b0
mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core]
mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core]
mlx5e_napi_poll+0x8b/0xac0 [mlx5_core]
__napi_poll+0x24/0x190
net_rx_action+0x32a/0x3b0
? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core]
? notifier_call_chain+0x35/0xa0
handle_softirqs+0xc9/0x270
irq_exit_rcu+0x71/0xd0
common_interrupt+0x7f/0xa0
</IRQ>
<TASK>
asm_common_interrupt+0x22/0x40
Fixes: db75373c91b0 ("net/mlx5e: Recover Send Queue (SQ) from error state")
Signed-off-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260305142634.1813208-4-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
index 02d9fb0c5ec24..7c39f14e57cd8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
@@ -33,7 +33,6 @@ static void mlx5e_reset_txqsq_cc_pc(struct mlx5e_txqsq *sq)
"SQ 0x%x: cc (0x%x) != pc (0x%x)\n",
sq->sqn, sq->cc, sq->pc);
sq->cc = 0;
- sq->dma_fifo_cc = 0;
sq->pc = 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 153/460] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 152/460] staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 154/460] media: dvb-net: fix OOB access in ULE extension header tables Greg Kroah-Hartman
` (149 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Luka Gejak, Dan Carpenter
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luka Gejak <luka.gejak@linux.dev>
commit a75281626fc8fa6dc6c9cc314ee423e8bc45203b upstream.
The current code checks 'i + 5 < in_len' at the end of the if statement.
However, it accesses 'in_ie[i + 5]' before that check, which can lead
to an out-of-bounds read. Move the length check to the beginning of the
conditional to ensure the index is within bounds before accessing the
array.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/20260224132647.11642-2-luka.gejak@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -1929,7 +1929,10 @@ int rtw_restruct_wmm_ie(struct adapter *
while (i < in_len) {
ielength = initial_out_len;
- if (in_ie[i] == 0xDD && in_ie[i+2] == 0x00 && in_ie[i+3] == 0x50 && in_ie[i+4] == 0xF2 && in_ie[i+5] == 0x02 && i+5 < in_len) { /* WMM element ID and OUI */
+ if (i + 5 < in_len &&
+ in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 &&
+ in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 &&
+ in_ie[i + 5] == 0x02) {
for (j = i; j < i + 9; j++) {
out_ie[ielength] = in_ie[j];
ielength++;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 229/567] ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 228/567] ASoC: simple-card-utils: use __free(device_node) for device node Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 230/567] net: sfp: re-implement ignoring the hardware TX_FAULT signal Greg Kroah-Hartman
` (148 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sen Wang, Kuninori Morimoto,
Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sen Wang <sen@ti.com>
[ Upstream commit 4185b95f8a42d92d68c49289b4644546b51e252b ]
graph_util_is_ports0() identifies DPCM front-end (ports@0) vs back-end
(ports@1) by calling of_get_child_by_name() to find the first "ports"
child and comparing pointers. This relies on child iteration order
matching DTS source order.
When the DPCM topology comes from a DT overlay, __of_attach_node()
inserts new children at the head of the sibling list, reversing the
order. of_get_child_by_name() then returns ports@1 instead of ports@0,
causing all front-end links to be classified as back-ends. The card
registers with no PCM devices.
Fix this by matching the unit address directly from the node name
instead of relying on sibling order.
Fixes: 92939252458f ("ASoC: simple-card-utils: add asoc_graph_is_ports0()")
Signed-off-by: Sen Wang <sen@ti.com>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/20260309042109.2576612-1-sen@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/generic/simple-card-utils.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/sound/soc/generic/simple-card-utils.c b/sound/soc/generic/simple-card-utils.c
index 9ef3e69683271..86ccd044b93c4 100644
--- a/sound/soc/generic/simple-card-utils.c
+++ b/sound/soc/generic/simple-card-utils.c
@@ -997,11 +997,15 @@ int asoc_graph_is_ports0(struct device_node *np)
else
port = np;
- struct device_node *ports __free(device_node) = of_get_parent(port);
- struct device_node *top __free(device_node) = of_get_parent(ports);
- struct device_node *ports0 __free(device_node) = of_get_child_by_name(top, "ports");
+ struct device_node *ports __free(device_node) = of_get_parent(port);
+ const char *at = strchr(kbasename(ports->full_name), '@');
- return ports0 == ports;
+ /*
+ * Since child iteration order may differ
+ * between a base DT and DT overlays,
+ * string match "ports" or "ports@0" in the node name instead.
+ */
+ return !at || !strcmp(at, "@0");
}
EXPORT_SYMBOL_GPL(asoc_graph_is_ports0);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 167/481] net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 166/481] net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 168/481] ASoC: soc-core: drop delayed_work_pending() check before flush Greg Kroah-Hartman
` (148 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 0cc0c2e661af418bbf7074179ea5cfffc0a5c466 ]
teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit
through slave devices, but does not update skb->dev to the slave device
beforehand.
When a gretap tunnel is a TEQL slave, the transmit path reaches
iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0
master) and later calls iptunnel_xmit_stats(dev, pkt_len). This
function does:
get_cpu_ptr(dev->tstats)
Since teql_master_setup() does not set dev->pcpu_stat_type to
NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats
for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes
NULL + __per_cpu_offset[cpu], resulting in a page fault.
BUG: unable to handle page fault for address: ffff8880e6659018
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 68bc067 P4D 68bc067 PUD 0
Oops: Oops: 0002 [#1] SMP KASAN PTI
RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)
Call Trace:
<TASK>
ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
__gre_xmit (net/ipv4/ip_gre.c:478)
gre_tap_xmit (net/ipv4/ip_gre.c:779)
teql_master_xmit (net/sched/sch_teql.c:319)
dev_hard_start_xmit (net/core/dev.c:3887)
sch_direct_xmit (net/sched/sch_generic.c:347)
__dev_queue_xmit (net/core/dev.c:4802)
neigh_direct_output (net/core/neighbour.c:1660)
ip_finish_output2 (net/ipv4/ip_output.c:237)
__ip_finish_output.part.0 (net/ipv4/ip_output.c:315)
ip_mc_output (net/ipv4/ip_output.c:369)
ip_send_skb (net/ipv4/ip_output.c:1508)
udp_send_skb (net/ipv4/udp.c:1195)
udp_sendmsg (net/ipv4/udp.c:1485)
inet_sendmsg (net/ipv4/af_inet.c:859)
__sys_sendto (net/socket.c:2206)
Fix this by setting skb->dev = slave before calling
netdev_start_xmit(), so that tunnel xmit functions see the correct
slave device with properly allocated tstats.
Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Link: https://patch.msgid.link/20260304044216.3517851-3-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_teql.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
index 0a7856e14a975..c89cb6eba27da 100644
--- a/net/sched/sch_teql.c
+++ b/net/sched/sch_teql.c
@@ -315,6 +315,7 @@ static netdev_tx_t teql_master_xmit(struct sk_buff *skb, struct net_device *dev)
if (__netif_tx_trylock(slave_txq)) {
unsigned int length = qdisc_pkt_len(skb);
+ skb->dev = slave;
if (!netif_xmit_frozen_or_stopped(slave_txq) &&
netdev_start_xmit(skb, slave, slave_txq, false) ==
NETDEV_TX_OK) {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 154/460] media: dvb-net: fix OOB access in ULE extension header tables
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 153/460] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 155/460] net: mana: Ring doorbell at 4 CQ wraparounds Greg Kroah-Hartman
` (148 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ariel Silver, Mauro Carvalho Chehab
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ariel Silver <arielsilver77@gmail.com>
commit 24d87712727a5017ad142d63940589a36cd25647 upstream.
The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables
in handle_one_ule_extension() are declared with 255 elements (valid
indices 0-254), but the index htype is derived from network-controlled
data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When
htype equals 255, an out-of-bounds read occurs on the function pointer
table, and the OOB value may be called as a function pointer.
Add a bounds check on htype against the array size before either table
is accessed. Out-of-range values now cause the SNDU to be discarded.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Ariel Silver <arielsilver77@gmail.com>
Signed-off-by: Ariel Silver <arielsilver77@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/dvb-core/dvb_net.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/media/dvb-core/dvb_net.c
+++ b/drivers/media/dvb-core/dvb_net.c
@@ -228,6 +228,9 @@ static int handle_one_ule_extension( str
unsigned char hlen = (p->ule_sndu_type & 0x0700) >> 8;
unsigned char htype = p->ule_sndu_type & 0x00FF;
+ if (htype >= ARRAY_SIZE(ule_mandatory_ext_handlers))
+ return -1;
+
/* Discriminate mandatory and optional extension headers. */
if (hlen == 0) {
/* Mandatory extension header */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 230/567] net: sfp: re-implement ignoring the hardware TX_FAULT signal
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 229/567] ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 231/567] net: sfp: improve Nokia GPON sfp fixup Greg Kroah-Hartman
` (147 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Russell King (Oracle),
Christian Marangi, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
[ Upstream commit e184e8609f8c1cd9fef703f667245b6ebd89c2ed ]
Re-implement how we ignore the hardware TX_FAULT signal. Rather than
having a separate boolean for this, use a bitmask of the hardware
signals that we wish to ignore. This gives more flexibility in the
future to ignore other signals such as RX_LOS.
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Tested-by: Christian Marangi <ansuelsmth@gmail.com>
Link: https://lore.kernel.org/r/E1qnfXc-008UDY-91@rmk-PC.armlinux.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 87d126852158 ("net: sfp: improve Huawei MA5671a fixup")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/sfp.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
index ff438be4c186e..5d1456e1449fb 100644
--- a/drivers/net/phy/sfp.c
+++ b/drivers/net/phy/sfp.c
@@ -257,6 +257,7 @@ struct sfp {
unsigned int state_hw_drive;
unsigned int state_hw_mask;
unsigned int state_soft_mask;
+ unsigned int state_ignore_mask;
unsigned int state;
struct delayed_work poll;
@@ -280,7 +281,6 @@ struct sfp {
unsigned int rs_state_mask;
bool have_a2;
- bool tx_fault_ignore;
const struct sfp_quirk *quirk;
@@ -347,7 +347,7 @@ static void sfp_fixup_long_startup(struct sfp *sfp)
static void sfp_fixup_ignore_tx_fault(struct sfp *sfp)
{
- sfp->tx_fault_ignore = true;
+ sfp->state_ignore_mask |= SFP_F_TX_FAULT;
}
// For 10GBASE-T short-reach modules
@@ -800,7 +800,8 @@ static void sfp_soft_start_poll(struct sfp *sfp)
mutex_lock(&sfp->st_mutex);
// Poll the soft state for hardware pins we want to ignore
- sfp->state_soft_mask = ~sfp->state_hw_mask & mask;
+ sfp->state_soft_mask = ~sfp->state_hw_mask & ~sfp->state_ignore_mask &
+ mask;
if (sfp->state_soft_mask & (SFP_F_LOS | SFP_F_TX_FAULT) &&
!sfp->need_poll)
@@ -2325,7 +2326,7 @@ static int sfp_sm_mod_probe(struct sfp *sfp, bool report)
sfp->module_t_start_up = T_START_UP;
sfp->module_t_wait = T_WAIT;
- sfp->tx_fault_ignore = false;
+ sfp->state_ignore_mask = 0;
if (sfp->id.base.extended_cc == SFF8024_ECC_10GBASE_T_SFI ||
sfp->id.base.extended_cc == SFF8024_ECC_10GBASE_T_SR ||
@@ -2348,6 +2349,8 @@ static int sfp_sm_mod_probe(struct sfp *sfp, bool report)
if (sfp->quirk && sfp->quirk->fixup)
sfp->quirk->fixup(sfp);
+
+ sfp->state_hw_mask &= ~sfp->state_ignore_mask;
mutex_unlock(&sfp->st_mutex);
return 0;
@@ -2848,10 +2851,7 @@ static void sfp_check_state(struct sfp *sfp)
mutex_lock(&sfp->st_mutex);
state = sfp_get_state(sfp);
changed = state ^ sfp->state;
- if (sfp->tx_fault_ignore)
- changed &= SFP_F_PRESENT | SFP_F_LOS;
- else
- changed &= SFP_F_PRESENT | SFP_F_LOS | SFP_F_TX_FAULT;
+ changed &= SFP_F_PRESENT | SFP_F_LOS | SFP_F_TX_FAULT;
for (i = 0; i < GPIO_MAX; i++)
if (changed & BIT(i))
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 168/481] ASoC: soc-core: drop delayed_work_pending() check before flush
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 167/481] net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 169/481] ASoC: core: Exit all links before removing their components Greg Kroah-Hartman
` (147 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matteo Cotifava, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: matteo.cotifava <cotifavamatteo@gmail.com>
[ Upstream commit 3c99c9f0ed60582c1c9852b685d78d5d3a50de63 ]
The delayed_work_pending() check before flush_delayed_work() in
soc_free_pcm_runtime() is unnecessary and racy. flush_delayed_work()
is safe to call unconditionally - it is a no-op when no work is
pending. Remove the check.
The original check was added by commit 9c9b65203492 ("ASoC: core:
only flush inited work during free") but delayed_work_pending()
followed by flush_delayed_work() has a time-of-check/time-of-use
window where work can become pending between the two calls.
Fixes: 9c9b65203492 ("ASoC: core: only flush inited work during free")
Signed-off-by: Matteo Cotifava <cotifavamatteo@gmail.com>
Link: https://patch.msgid.link/20260309215412.545628-2-cotifavamatteo@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 80192b089f250..cb95a9293343f 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -381,8 +381,7 @@ static void soc_free_pcm_runtime(struct snd_soc_pcm_runtime *rtd)
list_del(&rtd->list);
- if (delayed_work_pending(&rtd->delayed_work))
- flush_delayed_work(&rtd->delayed_work);
+ flush_delayed_work(&rtd->delayed_work);
snd_soc_pcm_component_free(rtd);
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 155/460] net: mana: Ring doorbell at 4 CQ wraparounds
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 154/460] media: dvb-net: fix OOB access in ULE extension header tables Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 156/460] ice: fix retry for AQ command 0x06EE Greg Kroah-Hartman
` (147 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Long Li, Haiyang Zhang,
Vadim Fedorenko, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <longli@microsoft.com>
commit dabffd08545ffa1d7183bc45e387860984025291 upstream.
MANA hardware requires at least one doorbell ring every 8 wraparounds
of the CQ. The driver rings the doorbell as a form of flow control to
inform hardware that CQEs have been consumed.
The NAPI poll functions mana_poll_tx_cq() and mana_poll_rx_cq() can
poll up to CQE_POLLING_BUFFER (512) completions per call. If the CQ
has fewer than 512 entries, a single poll call can process more than
4 wraparounds without ringing the doorbell. The doorbell threshold
check also uses ">" instead of ">=", delaying the ring by one extra
CQE beyond 4 wraparounds. Combined, these issues can cause the driver
to exceed the 8-wraparound hardware limit, leading to missed
completions and stalled queues.
Fix this by capping the number of CQEs polled per call to 4 wraparounds
of the CQ in both TX and RX paths. Also change the doorbell threshold
from ">" to ">=" so the doorbell is rung as soon as 4 wraparounds are
reached.
Cc: stable@vger.kernel.org
Fixes: 58a63729c957 ("net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings")
Signed-off-by: Long Li <longli@microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260226192833.1050807-1-longli@microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -1368,8 +1368,14 @@ static void mana_poll_tx_cq(struct mana_
ndev = txq->ndev;
apc = netdev_priv(ndev);
+ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the
+ * doorbell can be rung in time for the hardware's requirement
+ * of at least one doorbell ring every 8 wraparounds.
+ */
comp_read = mana_gd_poll_cq(cq->gdma_cq, completions,
- CQE_POLLING_BUFFER);
+ min((cq->gdma_cq->queue_size /
+ COMP_ENTRY_SIZE) * 4,
+ CQE_POLLING_BUFFER));
if (comp_read < 1)
return;
@@ -1734,7 +1740,14 @@ static void mana_poll_rx_cq(struct mana_
struct mana_rxq *rxq = cq->rxq;
int comp_read, i;
- comp_read = mana_gd_poll_cq(cq->gdma_cq, comp, CQE_POLLING_BUFFER);
+ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the
+ * doorbell can be rung in time for the hardware's requirement
+ * of at least one doorbell ring every 8 wraparounds.
+ */
+ comp_read = mana_gd_poll_cq(cq->gdma_cq, comp,
+ min((cq->gdma_cq->queue_size /
+ COMP_ENTRY_SIZE) * 4,
+ CQE_POLLING_BUFFER));
WARN_ON_ONCE(comp_read > CQE_POLLING_BUFFER);
rxq->xdp_flush = false;
@@ -1779,11 +1792,11 @@ static int mana_cq_handler(void *context
mana_gd_ring_cq(gdma_queue, SET_ARM_BIT);
cq->work_done_since_doorbell = 0;
napi_complete_done(&cq->napi, w);
- } else if (cq->work_done_since_doorbell >
- cq->gdma_cq->queue_size / COMP_ENTRY_SIZE * 4) {
+ } else if (cq->work_done_since_doorbell >=
+ (cq->gdma_cq->queue_size / COMP_ENTRY_SIZE) * 4) {
/* MANA hardware requires at least one doorbell ring every 8
* wraparounds of CQ even if there is no need to arm the CQ.
- * This driver rings the doorbell as soon as we have exceeded
+ * This driver rings the doorbell as soon as it has processed
* 4 wraparounds.
*/
mana_gd_ring_cq(gdma_queue, 0);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 231/567] net: sfp: improve Nokia GPON sfp fixup
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 230/567] net: sfp: re-implement ignoring the hardware TX_FAULT signal Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 232/567] net: sfp: add quirk for Potron SFP+ XGSPON ONU Stick Greg Kroah-Hartman
` (146 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Russell King (Oracle),
Christian Marangi, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
[ Upstream commit 5ffe330e40bdfad9c49a615c54d2d89343b2f08a ]
Improve the Nokia GPON fixup - we need to ignore not only the hardware
LOS signal, but also the software implementation as well. Do this by
using the new state_ignore_mask to indicate that we should ignore not
only the hardware RX_LOS signal, and also clear the LOS bits in the
option field.
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Tested-by: Christian Marangi <ansuelsmth@gmail.com>
Link: https://lore.kernel.org/r/E1qnfXh-008UDe-F9@rmk-PC.armlinux.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 87d126852158 ("net: sfp: improve Huawei MA5671a fixup")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/sfp.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
index 5d1456e1449fb..c47d7232d1c6e 100644
--- a/drivers/net/phy/sfp.c
+++ b/drivers/net/phy/sfp.c
@@ -345,11 +345,26 @@ static void sfp_fixup_long_startup(struct sfp *sfp)
sfp->module_t_start_up = T_START_UP_BAD_GPON;
}
+static void sfp_fixup_ignore_los(struct sfp *sfp)
+{
+ /* This forces LOS to zero, so we ignore transitions */
+ sfp->state_ignore_mask |= SFP_F_LOS;
+ /* Make sure that LOS options are clear */
+ sfp->id.ext.options &= ~cpu_to_be16(SFP_OPTIONS_LOS_INVERTED |
+ SFP_OPTIONS_LOS_NORMAL);
+}
+
static void sfp_fixup_ignore_tx_fault(struct sfp *sfp)
{
sfp->state_ignore_mask |= SFP_F_TX_FAULT;
}
+static void sfp_fixup_nokia(struct sfp *sfp)
+{
+ sfp_fixup_long_startup(sfp);
+ sfp_fixup_ignore_los(sfp);
+}
+
// For 10GBASE-T short-reach modules
static void sfp_fixup_10gbaset_30m(struct sfp *sfp)
{
@@ -449,7 +464,7 @@ static const struct sfp_quirk sfp_quirks[] = {
// Alcatel Lucent G-010S-A can operate at 2500base-X, but report 3.2GBd
// NRZ in their EEPROM
SFP_QUIRK("ALCATELLUCENT", "3FE46541AA", sfp_quirk_2500basex,
- sfp_fixup_long_startup),
+ sfp_fixup_nokia),
// Fiberstore SFP-10G-T doesn't identify as copper, and uses the
// Rollball protocol to talk to the PHY.
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 169/481] ASoC: core: Exit all links before removing their components
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 168/481] ASoC: soc-core: drop delayed_work_pending() check before flush Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 170/481] ASoC: core: Do not call link_exit() on uninitialized rtd objects Greg Kroah-Hartman
` (146 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cezary Rojewski,
Amadeusz Sławiński, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cezary Rojewski <cezary.rojewski@intel.com>
[ Upstream commit c7eb967d70446971413061effca3226578cb4dab ]
Flows leading to link->init() and link->exit() are not symmetric.
Currently the relevant part of card probe sequence goes as:
for_each_card_rtds(card, rtd)
for_each_rtd_components(rtd, i, component)
component->probe()
for_each_card_rtds(card, rtd)
for_each_rtd_dais(rtd, i, dai)
dai->probe()
for_each_card_rtds(card, rtd)
rtd->init()
On the other side, equivalent remove sequence goes as:
for_each_card_rtds(card, rtd)
for_each_rtd_dais(rtd, i, dai)
dai->remove()
for_each_card_rtds(card, rtd)
for_each_rtd_components(rtd, i, component)
component->remove()
for_each_card_rtds(card, rtd)
rtd->exit()
what can lead to errors as link->exit() may still operate on resources
owned by its components despite the probability of them being freed
during the component->remove().
This change modifies the remove sequence to:
for_each_card_rtds(card, rtd)
rtd->exit()
for_each_card_rtds(card, rtd)
for_each_rtd_dais(rtd, i, dai)
dai->remove()
for_each_card_rtds(card, rtd)
for_each_rtd_components(rtd, i, component)
component->remove()
so code found in link->exit() is safe to touch any component stuff as
component->remove() has not been called yet.
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Link: https://lore.kernel.org/r/20221027085840.1562698-1-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 95bc5c225513 ("ASoC: soc-core: flush delayed work before removing DAIs and widgets")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index cb95a9293343f..d42cba7de0a3b 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -941,9 +941,6 @@ void snd_soc_remove_pcm_runtime(struct snd_soc_card *card,
lockdep_assert_held(&client_mutex);
- /* release machine specific resources */
- snd_soc_link_exit(rtd);
-
/*
* Notify the machine driver for extra destruction
*/
@@ -1895,6 +1892,9 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card)
snd_soc_dapm_shutdown(card);
+ /* release machine specific resources */
+ for_each_card_rtds(card, rtd)
+ snd_soc_link_exit(rtd);
/* remove and free each DAI */
soc_remove_link_dais(card);
soc_remove_link_components(card);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 156/460] ice: fix retry for AQ command 0x06EE
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 155/460] net: mana: Ring doorbell at 4 CQ wraparounds Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 157/460] tracing: Fix syscall events activation by ensuring refcount hits zero Greg Kroah-Hartman
` (146 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Staniszewski, Dawid Osuchowski,
Aleksandr Loktionov, Przemek Kitszel, Paul Menzel, Tony Nguyen,
Rinitha S
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
commit fb4903b3354aed4a2301180cf991226f896c87ed upstream.
Executing ethtool -m can fail reporting a netlink I/O error while firmware
link management holds the i2c bus used to communicate with the module.
According to Intel(R) Ethernet Controller E810 Datasheet Rev 2.8 [1]
Section 3.3.10.4 Read/Write SFF EEPROM (0x06EE)
request should to be retried upon receiving EBUSY from firmware.
Commit e9c9692c8a81 ("ice: Reimplement module reads used by ethtool")
implemented it only for part of ice_get_module_eeprom(), leaving all other
calls to ice_aq_sff_eeprom() vulnerable to returning early on getting
EBUSY without retrying.
Remove the retry loop from ice_get_module_eeprom() and add Admin Queue
(AQ) command with opcode 0x06EE to the list of commands that should be
retried on receiving EBUSY from firmware.
Cc: stable@vger.kernel.org
Fixes: e9c9692c8a81 ("ice: Reimplement module reads used by ethtool")
Signed-off-by: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
Co-developed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Signed-off-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Link: https://www.intel.com/content/www/us/en/content-details/613875/intel-ethernet-controller-e810-datasheet.html [1]
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_common.c | 1
drivers/net/ethernet/intel/ice/ice_ethtool.c | 35 ++++++++++-----------------
2 files changed, 15 insertions(+), 21 deletions(-)
--- a/drivers/net/ethernet/intel/ice/ice_common.c
+++ b/drivers/net/ethernet/intel/ice/ice_common.c
@@ -1554,6 +1554,7 @@ static bool ice_should_retry_sq_send_cmd
case ice_aqc_opc_lldp_stop:
case ice_aqc_opc_lldp_start:
case ice_aqc_opc_lldp_filter_ctrl:
+ case ice_aqc_opc_sff_eeprom:
return true;
}
--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
+++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
@@ -4528,7 +4528,7 @@ ice_get_module_eeprom(struct net_device
struct ice_pf *pf = vsi->back;
struct ice_hw *hw = &pf->hw;
bool is_sfp = false;
- unsigned int i, j;
+ unsigned int i;
u16 offset = 0;
u8 page = 0;
int status;
@@ -4570,26 +4570,19 @@ ice_get_module_eeprom(struct net_device
if (page == 0 || !(data[0x2] & 0x4)) {
u32 copy_len;
- /* If i2c bus is busy due to slow page change or
- * link management access, call can fail. This is normal.
- * So we retry this a few times.
- */
- for (j = 0; j < 4; j++) {
- status = ice_aq_sff_eeprom(hw, 0, addr, offset, page,
- !is_sfp, value,
- SFF_READ_BLOCK_SIZE,
- 0, NULL);
- netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%X)\n",
- addr, offset, page, is_sfp,
- value[0], value[1], value[2], value[3],
- value[4], value[5], value[6], value[7],
- status);
- if (status) {
- usleep_range(1500, 2500);
- memset(value, 0, SFF_READ_BLOCK_SIZE);
- continue;
- }
- break;
+ status = ice_aq_sff_eeprom(hw, 0, addr, offset, page,
+ !is_sfp, value,
+ SFF_READ_BLOCK_SIZE,
+ 0, NULL);
+ netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%pe)\n",
+ addr, offset, page, is_sfp,
+ value[0], value[1], value[2], value[3],
+ value[4], value[5], value[6], value[7],
+ ERR_PTR(status));
+ if (status) {
+ netdev_err(netdev, "%s: error reading module EEPROM: status %pe\n",
+ __func__, ERR_PTR(status));
+ return status;
}
/* Make sure we have enough room for the new block */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 232/567] net: sfp: add quirk for Potron SFP+ XGSPON ONU Stick
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 231/567] net: sfp: improve Nokia GPON sfp fixup Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 233/567] net: sfp: improve Huawei MA5671a fixup Greg Kroah-Hartman
` (145 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Morgan, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Morgan <macromorgan@hotmail.com>
[ Upstream commit dfec1c14aecee6813f9bafc7b560cc3a31d24079 ]
Add quirk for Potron SFP+ XGSPON ONU Stick (YV SFP+ONT-XGSPON).
This device uses pins 2 and 7 for UART communication, so disable
TX_FAULT and LOS. Additionally as it is an embedded system in an
SFP+ form factor provide it enough time to fully boot before we
attempt to use it.
https://www.potrontec.com/index/index/list/cat_id/2.html#11-83
https://pon.wiki/xgs-pon/ont/potron-technology/x-onu-sfpp/
Signed-off-by: Chris Morgan <macromorgan@hotmail.com>
Link: https://patch.msgid.link/20250617180324.229487-1-macroalpha82@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 87d126852158 ("net: sfp: improve Huawei MA5671a fixup")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/sfp.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
index c47d7232d1c6e..6ef50d1ce2eda 100644
--- a/drivers/net/phy/sfp.c
+++ b/drivers/net/phy/sfp.c
@@ -359,6 +359,11 @@ static void sfp_fixup_ignore_tx_fault(struct sfp *sfp)
sfp->state_ignore_mask |= SFP_F_TX_FAULT;
}
+static void sfp_fixup_ignore_hw(struct sfp *sfp, unsigned int mask)
+{
+ sfp->state_hw_mask &= ~mask;
+}
+
static void sfp_fixup_nokia(struct sfp *sfp)
{
sfp_fixup_long_startup(sfp);
@@ -392,7 +397,19 @@ static void sfp_fixup_halny_gsfp(struct sfp *sfp)
* these are possibly used for other purposes on this
* module, e.g. a serial port.
*/
- sfp->state_hw_mask &= ~(SFP_F_TX_FAULT | SFP_F_LOS);
+ sfp_fixup_ignore_hw(sfp, SFP_F_TX_FAULT | SFP_F_LOS);
+}
+
+static void sfp_fixup_potron(struct sfp *sfp)
+{
+ /*
+ * The TX_FAULT and LOS pins on this device are used for serial
+ * communication, so ignore them. Additionally, provide extra
+ * time for this device to fully start up.
+ */
+
+ sfp_fixup_long_startup(sfp);
+ sfp_fixup_ignore_hw(sfp, SFP_F_TX_FAULT | SFP_F_LOS);
}
static void sfp_fixup_rollball(struct sfp *sfp)
@@ -500,6 +517,8 @@ static const struct sfp_quirk sfp_quirks[] = {
SFP_QUIRK_F("Walsun", "HXSX-ATRC-1", sfp_fixup_fs_10gt),
SFP_QUIRK_F("Walsun", "HXSX-ATRI-1", sfp_fixup_fs_10gt),
+ SFP_QUIRK_F("YV", "SFP+ONU-XGSPON", sfp_fixup_potron),
+
// OEM SFP-GE-T is a 1000Base-T module with broken TX_FAULT indicator
SFP_QUIRK_F("OEM", "SFP-GE-T", sfp_fixup_ignore_tx_fault),
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 170/481] ASoC: core: Do not call link_exit() on uninitialized rtd objects
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 169/481] ASoC: core: Exit all links before removing their components Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 171/481] ASoC: soc-core: flush delayed work before removing DAIs and widgets Greg Kroah-Hartman
` (145 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cezary Rojewski,
Amadeusz Sławiński, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
[ Upstream commit dd9f9cc1e6b9391140afa5cf27bb47c9e2a08d02 ]
On init we have sequence:
for_each_card_prelinks(card, i, dai_link) {
ret = snd_soc_add_pcm_runtime(card, dai_link);
ret = init_some_other_things(...);
if (ret)
goto probe_end:
for_each_card_rtds(card, rtd) {
ret = soc_init_pcm_runtime(card, rtd);
probe_end:
while on exit:
for_each_card_rtds(card, rtd)
snd_soc_link_exit(rtd);
If init_some_other_things() step fails due to error we end up with
not fully setup rtds and try to call snd_soc_link_exit on them, which
depending on contents on .link_exit handler, can end up dereferencing
NULL pointer.
Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Link: https://lore.kernel.org/r/20230929103243.705433-2-amadeuszx.slawinski@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 95bc5c225513 ("ASoC: soc-core: flush delayed work before removing DAIs and widgets")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/sound/soc.h | 2 ++
sound/soc/soc-core.c | 20 +++++++++++++++-----
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/include/sound/soc.h b/include/sound/soc.h
index d63ac6d9fbdc4..015d5fff397fa 100644
--- a/include/sound/soc.h
+++ b/include/sound/soc.h
@@ -1110,6 +1110,8 @@ struct snd_soc_pcm_runtime {
unsigned int pop_wait:1;
unsigned int fe_compr:1; /* for Dynamic PCM */
+ bool initialized;
+
int num_components;
struct snd_soc_component *components[]; /* CPU/Codec/Platform */
};
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index d42cba7de0a3b..835a9251c074b 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -1256,7 +1256,7 @@ static int soc_init_pcm_runtime(struct snd_soc_card *card,
snd_soc_runtime_get_dai_fmt(rtd);
ret = snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt);
if (ret)
- return ret;
+ goto err;
/* add DPCM sysfs entries */
soc_dpcm_debugfs_add(rtd);
@@ -1281,17 +1281,26 @@ static int soc_init_pcm_runtime(struct snd_soc_card *card,
/* create compress_device if possible */
ret = snd_soc_dai_compress_new(cpu_dai, rtd, num);
if (ret != -ENOTSUPP)
- return ret;
+ goto err;
/* create the pcm */
ret = soc_new_pcm(rtd, num);
if (ret < 0) {
dev_err(card->dev, "ASoC: can't create pcm %s :%d\n",
dai_link->stream_name, ret);
- return ret;
+ goto err;
}
- return snd_soc_pcm_dai_new(rtd);
+ ret = snd_soc_pcm_dai_new(rtd);
+ if (ret < 0)
+ goto err;
+
+ rtd->initialized = true;
+
+ return 0;
+err:
+ snd_soc_link_exit(rtd);
+ return ret;
}
static void soc_set_name_prefix(struct snd_soc_card *card,
@@ -1894,7 +1903,8 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card)
/* release machine specific resources */
for_each_card_rtds(card, rtd)
- snd_soc_link_exit(rtd);
+ if (rtd->initialized)
+ snd_soc_link_exit(rtd);
/* remove and free each DAI */
soc_remove_link_dais(card);
soc_remove_link_components(card);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 157/460] tracing: Fix syscall events activation by ensuring refcount hits zero
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 156/460] ice: fix retry for AQ command 0x06EE Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 158/460] net/tcp-ao: Fix MAC comparison to be constant-time Greg Kroah-Hartman
` (145 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Huiwen He, Steven Rostedt (Google)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huiwen He <hehuiwen@kylinos.cn>
commit 0a663b764dbdf135a126284f454c9f01f95a87d4 upstream.
When multiple syscall events are specified in the kernel command line
(e.g., trace_event=syscalls:sys_enter_openat,syscalls:sys_enter_close),
they are often not captured after boot, even though they appear enabled
in the tracing/set_event file.
The issue stems from how syscall events are initialized. Syscall
tracepoints require the global reference count (sys_tracepoint_refcount)
to transition from 0 to 1 to trigger the registration of the syscall
work (TIF_SYSCALL_TRACEPOINT) for tasks, including the init process (pid 1).
The current implementation of early_enable_events() with disable_first=true
used an interleaved sequence of "Disable A -> Enable A -> Disable B -> Enable B".
If multiple syscalls are enabled, the refcount never drops to zero,
preventing the 0->1 transition that triggers actual registration.
Fix this by splitting early_enable_events() into two distinct phases:
1. Disable all events specified in the buffer.
2. Enable all events specified in the buffer.
This ensures the refcount hits zero before re-enabling, allowing syscall
events to be properly activated during early boot.
The code is also refactored to use a helper function to avoid logic
duplication between the disable and enable phases.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/20260224023544.1250787-1-hehuiwen@kylinos.cn
Fixes: ce1039bd3a89 ("tracing: Fix enabling of syscall events on the command line")
Signed-off-by: Huiwen He <hehuiwen@kylinos.cn>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events.c | 52 +++++++++++++++++++++++++++++++-------------
1 file changed, 37 insertions(+), 15 deletions(-)
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -4173,26 +4173,22 @@ static __init int event_trace_memsetup(v
return 0;
}
-__init void
-early_enable_events(struct trace_array *tr, char *buf, bool disable_first)
+/*
+ * Helper function to enable or disable a comma-separated list of events
+ * from the bootup buffer.
+ */
+static __init void __early_set_events(struct trace_array *tr, char *buf, bool enable)
{
char *token;
- int ret;
-
- while (true) {
- token = strsep(&buf, ",");
-
- if (!token)
- break;
+ while ((token = strsep(&buf, ","))) {
if (*token) {
- /* Restarting syscalls requires that we stop them first */
- if (disable_first)
+ if (enable) {
+ if (ftrace_set_clr_event(tr, token, 1))
+ pr_warn("Failed to enable trace event: %s\n", token);
+ } else {
ftrace_set_clr_event(tr, token, 0);
-
- ret = ftrace_set_clr_event(tr, token, 1);
- if (ret)
- pr_warn("Failed to enable trace event: %s\n", token);
+ }
}
/* Put back the comma to allow this to be called again */
@@ -4201,6 +4197,32 @@ early_enable_events(struct trace_array *
}
}
+/**
+ * early_enable_events - enable events from the bootup buffer
+ * @tr: The trace array to enable the events in
+ * @buf: The buffer containing the comma separated list of events
+ * @disable_first: If true, disable all events in @buf before enabling them
+ *
+ * This function enables events from the bootup buffer. If @disable_first
+ * is true, it will first disable all events in the buffer before enabling
+ * them.
+ *
+ * For syscall events, which rely on a global refcount to register the
+ * SYSCALL_WORK_SYSCALL_TRACEPOINT flag (especially for pid 1), we must
+ * ensure the refcount hits zero before re-enabling them. A simple
+ * "disable then enable" per-event is not enough if multiple syscalls are
+ * used, as the refcount will stay above zero. Thus, we need a two-phase
+ * approach: disable all, then enable all.
+ */
+__init void
+early_enable_events(struct trace_array *tr, char *buf, bool disable_first)
+{
+ if (disable_first)
+ __early_set_events(tr, buf, false);
+
+ __early_set_events(tr, buf, true);
+}
+
static __init int event_trace_enable(void)
{
struct trace_array *tr = top_trace_array();
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 233/567] net: sfp: improve Huawei MA5671a fixup
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 232/567] net: sfp: add quirk for Potron SFP+ XGSPON ONU Stick Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 234/567] serial: caif: hold tty->link reference in ldisc_open and ser_release Greg Kroah-Hartman
` (144 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Álvaro Fernández Rojas,
Andrew Lunn, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit 87d126852158467ab87d5cbc36ccfd3f15464a6c ]
With the current sfp_fixup_ignore_tx_fault() fixup we ignore the TX_FAULT
signal, but we also need to apply sfp_fixup_ignore_los() in order to be
able to communicate with the module even if the fiber isn't connected for
configuration purposes.
This is needed for all the MA5671a firmwares, excluding the FS modded
firmware.
Fixes: 2069624dac19 ("net: sfp: Add tx-fault workaround for Huawei MA5671A SFP ONT")
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20260306125139.213637-1-noltari@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/sfp.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
index 6ef50d1ce2eda..00bbe20b0b43e 100644
--- a/drivers/net/phy/sfp.c
+++ b/drivers/net/phy/sfp.c
@@ -359,6 +359,12 @@ static void sfp_fixup_ignore_tx_fault(struct sfp *sfp)
sfp->state_ignore_mask |= SFP_F_TX_FAULT;
}
+static void sfp_fixup_ignore_tx_fault_and_los(struct sfp *sfp)
+{
+ sfp_fixup_ignore_tx_fault(sfp);
+ sfp_fixup_ignore_los(sfp);
+}
+
static void sfp_fixup_ignore_hw(struct sfp *sfp, unsigned int mask)
{
sfp->state_hw_mask &= ~mask;
@@ -501,7 +507,7 @@ static const struct sfp_quirk sfp_quirks[] = {
// Huawei MA5671A can operate at 2500base-X, but report 1.2GBd NRZ in
// their EEPROM
SFP_QUIRK("HUAWEI", "MA5671A", sfp_quirk_2500basex,
- sfp_fixup_ignore_tx_fault),
+ sfp_fixup_ignore_tx_fault_and_los),
// FS 2.5G Base-T
SFP_QUIRK_M("FS", "SFP-2.5G-T", sfp_quirk_oem_2_5g),
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 171/481] ASoC: soc-core: flush delayed work before removing DAIs and widgets
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 170/481] ASoC: core: Do not call link_exit() on uninitialized rtd objects Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 172/481] serial: caif: hold tty->link reference in ldisc_open and ser_release Greg Kroah-Hartman
` (144 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matteo Cotifava, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: matteo.cotifava <cotifavamatteo@gmail.com>
[ Upstream commit 95bc5c225513fc3c4ce169563fb5e3929fbb938b ]
When a sound card is unbound while a PCM stream is open, a
use-after-free can occur in snd_soc_dapm_stream_event(), called from
the close_delayed_work workqueue handler.
During unbind, snd_soc_unbind_card() flushes delayed work and then
calls soc_cleanup_card_resources(). Inside cleanup,
snd_card_disconnect_sync() releases all PCM file descriptors, and
the resulting PCM close path can call snd_soc_dapm_stream_stop()
which schedules new delayed work with a pmdown_time timer delay.
Since this happens after the flush in snd_soc_unbind_card(), the
new work is not caught. soc_remove_link_components() then frees
DAPM widgets before this work fires, leading to the use-after-free.
The existing flush in soc_free_pcm_runtime() also cannot help as it
runs after soc_remove_link_components() has already freed the widgets.
Add a flush in soc_cleanup_card_resources() after
snd_card_disconnect_sync() (after which no new PCM closes can
schedule further delayed work) and before soc_remove_link_dais()
and soc_remove_link_components() (which tear down the structures the
delayed work accesses).
Fixes: e894efef9ac7 ("ASoC: core: add support to card rebind")
Signed-off-by: Matteo Cotifava <cotifavamatteo@gmail.com>
Link: https://patch.msgid.link/20260309215412.545628-3-cotifavamatteo@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 835a9251c074b..c673453e8a747 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -1905,6 +1905,9 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card)
for_each_card_rtds(card, rtd)
if (rtd->initialized)
snd_soc_link_exit(rtd);
+ /* flush delayed work before removing DAIs and DAPM widgets */
+ snd_soc_flush_all_delayed_work(card);
+
/* remove and free each DAI */
soc_remove_link_dais(card);
soc_remove_link_components(card);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 158/460] net/tcp-ao: Fix MAC comparison to be constant-time
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 157/460] tracing: Fix syscall events activation by ensuring refcount hits zero Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 159/460] batman-adv: Avoid double-rtnl_lock ELP metric worker Greg Kroah-Hartman
` (144 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Biggers, Dmitry Safonov,
Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 67edfec516d30d3e62925c397be4a1e5185802fc upstream.
To prevent timing attacks, MACs need to be compared in constant
time. Use the appropriate helper function for this.
Fixes: 0a3a809089eb ("net/tcp: Verify inbound TCP-AO signed segments")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
Link: https://patch.msgid.link/20260302203600.13561-1-ebiggers@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/Kconfig | 1 +
net/ipv4/tcp_ao.c | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -748,6 +748,7 @@ config TCP_SIGPOOL
config TCP_AO
bool "TCP: Authentication Option (RFC5925)"
select CRYPTO
+ select CRYPTO_LIB_UTILS
select TCP_SIGPOOL
depends on 64BIT && IPV6 != m # seq-number extension needs WRITE_ONCE(u64)
help
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -10,6 +10,7 @@
#define pr_fmt(fmt) "TCP: " fmt
#include <crypto/hash.h>
+#include <crypto/utils.h>
#include <linux/inetdevice.h>
#include <linux/tcp.h>
@@ -923,7 +924,7 @@ tcp_ao_verify_hash(const struct sock *sk
/* XXX: make it per-AF callback? */
tcp_ao_hash_skb(family, hash_buf, key, sk, skb, traffic_key,
(phash - (u8 *)th), sne);
- if (memcmp(phash, hash_buf, maclen)) {
+ if (crypto_memneq(phash, hash_buf, maclen)) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD);
atomic64_inc(&info->counters.pkt_bad);
atomic64_inc(&key->pkt_bad);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 234/567] serial: caif: hold tty->link reference in ldisc_open and ser_release
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 233/567] net: sfp: improve Huawei MA5671a fixup Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 235/567] mctp: i2c: fix skb memory leak in receive path Greg Kroah-Hartman
` (143 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuangpeng Bai, Jiayuan Chen,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
[ Upstream commit 288598d80a068a0e9281de35bcb4ce495f189e2a ]
A reproducer triggers a KASAN slab-use-after-free in pty_write_room()
when caif_serial's TX path calls tty_write_room(). The faulting access
is on tty->link->port.
Hold an extra kref on tty->link for the lifetime of the caif_serial line
discipline: get it in ldisc_open() and drop it in ser_release(), and
also drop it on the ldisc_open() error path.
With this change applied, the reproducer no longer triggers the UAF in
my testing.
Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f
Link: https://lore.kernel.org/netdev/20260301220525.1546355-1-shuangpeng.kernel@gmail.com
Fixes: e31d5a05948e ("caif: tty's are kref objects so take a reference")
Signed-off-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260306034006.3395740-1-shuangpeng.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/caif/caif_serial.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
index 699ed0ff461e8..6799dbf80f484 100644
--- a/drivers/net/caif/caif_serial.c
+++ b/drivers/net/caif/caif_serial.c
@@ -311,6 +311,7 @@ static void ser_release(struct work_struct *work)
dev_close(ser->dev);
unregister_netdevice(ser->dev);
debugfs_deinit(ser);
+ tty_kref_put(tty->link);
tty_kref_put(tty);
}
rtnl_unlock();
@@ -345,6 +346,7 @@ static int ldisc_open(struct tty_struct *tty)
ser = netdev_priv(dev);
ser->tty = tty_kref_get(tty);
+ tty_kref_get(tty->link);
ser->dev = dev;
debugfs_init(ser, tty);
tty->receive_room = N_TTY_BUF_SIZE;
@@ -353,6 +355,7 @@ static int ldisc_open(struct tty_struct *tty)
rtnl_lock();
result = register_netdevice(dev);
if (result) {
+ tty_kref_put(tty->link);
tty_kref_put(tty);
rtnl_unlock();
free_netdev(dev);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 172/481] serial: caif: hold tty->link reference in ldisc_open and ser_release
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 171/481] ASoC: soc-core: flush delayed work before removing DAIs and widgets Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 173/481] mctp: i2c: fix skb memory leak in receive path Greg Kroah-Hartman
` (143 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuangpeng Bai, Jiayuan Chen,
Jakub Kicinski, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
[ Upstream commit 288598d80a068a0e9281de35bcb4ce495f189e2a ]
A reproducer triggers a KASAN slab-use-after-free in pty_write_room()
when caif_serial's TX path calls tty_write_room(). The faulting access
is on tty->link->port.
Hold an extra kref on tty->link for the lifetime of the caif_serial line
discipline: get it in ldisc_open() and drop it in ser_release(), and
also drop it on the ldisc_open() error path.
With this change applied, the reproducer no longer triggers the UAF in
my testing.
Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f
Link: https://lore.kernel.org/netdev/20260301220525.1546355-1-shuangpeng.kernel@gmail.com
Fixes: e31d5a05948e ("caif: tty's are kref objects so take a reference")
Signed-off-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260306034006.3395740-1-shuangpeng.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/caif/caif_serial.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
index 737faeaf847fe..03288b6436467 100644
--- a/drivers/net/caif/caif_serial.c
+++ b/drivers/net/caif/caif_serial.c
@@ -311,6 +311,7 @@ static void ser_release(struct work_struct *work)
dev_close(ser->dev);
unregister_netdevice(ser->dev);
debugfs_deinit(ser);
+ tty_kref_put(tty->link);
tty_kref_put(tty);
}
rtnl_unlock();
@@ -345,6 +346,7 @@ static int ldisc_open(struct tty_struct *tty)
ser = netdev_priv(dev);
ser->tty = tty_kref_get(tty);
+ tty_kref_get(tty->link);
ser->dev = dev;
debugfs_init(ser, tty);
tty->receive_room = N_TTY_BUF_SIZE;
@@ -353,6 +355,7 @@ static int ldisc_open(struct tty_struct *tty)
rtnl_lock();
result = register_netdevice(dev);
if (result) {
+ tty_kref_put(tty->link);
tty_kref_put(tty);
rtnl_unlock();
free_netdev(dev);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 159/460] batman-adv: Avoid double-rtnl_lock ELP metric worker
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 158/460] net/tcp-ao: Fix MAC comparison to be constant-time Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 160/460] parisc: Increase initial mapping to 64 MB with KALLSYMS Greg Kroah-Hartman
` (143 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Schmidbauer,
Sven Eckelmann, Sören Skaarup, Simon Wunderlich
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit cfc83a3c71517b59c1047db57da31e26a9dc2f33 upstream.
batadv_v_elp_get_throughput() might be called when the RTNL lock is already
held. This could be problematic when the work queue item is cancelled via
cancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case,
an rtnl_lock() would cause a deadlock.
To avoid this, rtnl_trylock() was used in this function to skip the
retrieval of the ethtool information in case the RTNL lock was already
held.
But for cfg80211 interfaces, batadv_get_real_netdev() was called - which
also uses rtnl_lock(). The approach for __ethtool_get_link_ksettings() must
also be used instead and the lockless version __batadv_get_real_netdev()
has to be called.
Cc: stable@vger.kernel.org
Fixes: 8c8ecc98f5c6 ("batman-adv: Drop unmanaged ELP metric worker")
Reported-by: Christian Schmidbauer <github@grische.xyz>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Tested-by: Sören Skaarup <freifunk_nordm4nn@gmx.de>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/bat_v_elp.c | 10 +++++++++-
net/batman-adv/hard-interface.c | 8 ++++----
net/batman-adv/hard-interface.h | 1 +
3 files changed, 14 insertions(+), 5 deletions(-)
--- a/net/batman-adv/bat_v_elp.c
+++ b/net/batman-adv/bat_v_elp.c
@@ -112,7 +112,15 @@ static bool batadv_v_elp_get_throughput(
/* unsupported WiFi driver version */
goto default_throughput;
- real_netdev = batadv_get_real_netdev(hard_iface->net_dev);
+ /* only use rtnl_trylock because the elp worker will be cancelled while
+ * the rntl_lock is held. the cancel_delayed_work_sync() would otherwise
+ * wait forever when the elp work_item was started and it is then also
+ * trying to rtnl_lock
+ */
+ if (!rtnl_trylock())
+ return false;
+ real_netdev = __batadv_get_real_netdev(hard_iface->net_dev);
+ rtnl_unlock();
if (!real_netdev)
goto default_throughput;
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -203,7 +203,7 @@ static bool batadv_is_valid_iface(const
}
/**
- * batadv_get_real_netdevice() - check if the given netdev struct is a virtual
+ * __batadv_get_real_netdev() - check if the given netdev struct is a virtual
* interface on top of another 'real' interface
* @netdev: the device to check
*
@@ -213,7 +213,7 @@ static bool batadv_is_valid_iface(const
* Return: the 'real' net device or the original net device and NULL in case
* of an error.
*/
-static struct net_device *batadv_get_real_netdevice(struct net_device *netdev)
+struct net_device *__batadv_get_real_netdev(struct net_device *netdev)
{
struct batadv_hard_iface *hard_iface = NULL;
struct net_device *real_netdev = NULL;
@@ -266,7 +266,7 @@ struct net_device *batadv_get_real_netde
struct net_device *real_netdev;
rtnl_lock();
- real_netdev = batadv_get_real_netdevice(net_device);
+ real_netdev = __batadv_get_real_netdev(net_device);
rtnl_unlock();
return real_netdev;
@@ -335,7 +335,7 @@ static u32 batadv_wifi_flags_evaluate(st
if (batadv_is_cfg80211_netdev(net_device))
wifi_flags |= BATADV_HARDIF_WIFI_CFG80211_DIRECT;
- real_netdev = batadv_get_real_netdevice(net_device);
+ real_netdev = __batadv_get_real_netdev(net_device);
if (!real_netdev)
return wifi_flags;
--- a/net/batman-adv/hard-interface.h
+++ b/net/batman-adv/hard-interface.h
@@ -68,6 +68,7 @@ enum batadv_hard_if_bcast {
extern struct notifier_block batadv_hard_if_notifier;
+struct net_device *__batadv_get_real_netdev(struct net_device *net_device);
struct net_device *batadv_get_real_netdev(struct net_device *net_device);
bool batadv_is_cfg80211_hardif(struct batadv_hard_iface *hard_iface);
bool batadv_is_wifi_hardif(struct batadv_hard_iface *hard_iface);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 235/567] mctp: i2c: fix skb memory leak in receive path
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 234/567] serial: caif: hold tty->link reference in ldisc_open and ser_release Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 236/567] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value Greg Kroah-Hartman
` (142 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haiyue Wang, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haiyue Wang <haiyuewa@163.com>
[ Upstream commit e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69 ]
When 'midev->allow_rx' is false, the newly allocated skb isn't consumed
by netif_rx(), it needs to free the skb directly.
Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver")
Signed-off-by: Haiyue Wang <haiyuewa@163.com>
Link: https://patch.msgid.link/20260305143240.97592-1-haiyuewa@163.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/mctp/mctp-i2c.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c
index c8c2c5dc46eb7..1a7e7397ba75c 100644
--- a/drivers/net/mctp/mctp-i2c.c
+++ b/drivers/net/mctp/mctp-i2c.c
@@ -344,6 +344,7 @@ static int mctp_i2c_recv(struct mctp_i2c_dev *midev)
} else {
status = NET_RX_DROP;
spin_unlock_irqrestore(&midev->lock, flags);
+ kfree_skb(skb);
}
if (status == NET_RX_SUCCESS) {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 173/481] mctp: i2c: fix skb memory leak in receive path
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 172/481] serial: caif: hold tty->link reference in ldisc_open and ser_release Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 174/481] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value Greg Kroah-Hartman
` (142 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haiyue Wang, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haiyue Wang <haiyuewa@163.com>
[ Upstream commit e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69 ]
When 'midev->allow_rx' is false, the newly allocated skb isn't consumed
by netif_rx(), it needs to free the skb directly.
Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver")
Signed-off-by: Haiyue Wang <haiyuewa@163.com>
Link: https://patch.msgid.link/20260305143240.97592-1-haiyuewa@163.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/mctp/mctp-i2c.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c
index f77389c7006f8..2eeccc3b70eff 100644
--- a/drivers/net/mctp/mctp-i2c.c
+++ b/drivers/net/mctp/mctp-i2c.c
@@ -344,6 +344,7 @@ static int mctp_i2c_recv(struct mctp_i2c_dev *midev)
} else {
status = NET_RX_DROP;
spin_unlock_irqrestore(&midev->lock, flags);
+ kfree_skb(skb);
}
if (status == NET_RX_SUCCESS) {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 160/460] parisc: Increase initial mapping to 64 MB with KALLSYMS
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 159/460] batman-adv: Avoid double-rtnl_lock ELP metric worker Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 161/460] nouveau/dpcd: return EBUSY for aux xfer if the device is asleep Greg Kroah-Hartman
` (142 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 8e732934fb81282be41602550e7e07baf265e972 upstream.
The 32MB initial kernel mapping can become too small when CONFIG_KALLSYMS
is used. Increase the mapping to 64 MB in this case.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v6.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/include/asm/pgtable.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/parisc/include/asm/pgtable.h
+++ b/arch/parisc/include/asm/pgtable.h
@@ -85,7 +85,7 @@ extern void __update_cache(pte_t pte);
printk("%s:%d: bad pgd %08lx.\n", __FILE__, __LINE__, (unsigned long)pgd_val(e))
/* This is the size of the initially mapped kernel memory */
-#if defined(CONFIG_64BIT)
+#if defined(CONFIG_64BIT) || defined(CONFIG_KALLSYMS)
#define KERNEL_INITIAL_ORDER 26 /* 1<<26 = 64MB */
#else
#define KERNEL_INITIAL_ORDER 25 /* 1<<25 = 32MB */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 236/567] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 235/567] mctp: i2c: fix skb memory leak in receive path Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 237/567] mctp: route: hold key->lock in mctp_flow_prepare_output() Greg Kroah-Hartman
` (141 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenyuan Li, Marc Kleine-Budde,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenyuan Li <2063309626@qq.com>
[ Upstream commit 47bba09b14fa21712398febf36cb14fd4fc3bded ]
In hi3110_open(), the return value of hi3110_power_enable() is not checked.
If power enable fails, the device may not function correctly, while the
driver still returns success.
Add a check for the return value and propagate the error accordingly.
Signed-off-by: Wenyuan Li <2063309626@qq.com>
Link: https://patch.msgid.link/tencent_B5E2E7528BB28AA8A2A56E16C49BD58B8B07@qq.com
Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver")
[mkl: adjust subject, commit message and jump label]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/spi/hi311x.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c
index 1acd4fc7adc8b..2038b864832c9 100644
--- a/drivers/net/can/spi/hi311x.c
+++ b/drivers/net/can/spi/hi311x.c
@@ -756,7 +756,9 @@ static int hi3110_open(struct net_device *net)
return ret;
mutex_lock(&priv->hi3110_lock);
- hi3110_power_enable(priv->transceiver, 1);
+ ret = hi3110_power_enable(priv->transceiver, 1);
+ if (ret)
+ goto out_close_candev;
priv->force_quit = 0;
priv->tx_skb = NULL;
@@ -791,6 +793,7 @@ static int hi3110_open(struct net_device *net)
hi3110_hw_sleep(spi);
out_close:
hi3110_power_enable(priv->transceiver, 0);
+ out_close_candev:
close_candev(net);
mutex_unlock(&priv->hi3110_lock);
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 174/481] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 173/481] mctp: i2c: fix skb memory leak in receive path Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 175/481] mctp: route: hold key->lock in mctp_flow_prepare_output() Greg Kroah-Hartman
` (141 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenyuan Li, Marc Kleine-Budde,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenyuan Li <2063309626@qq.com>
[ Upstream commit 47bba09b14fa21712398febf36cb14fd4fc3bded ]
In hi3110_open(), the return value of hi3110_power_enable() is not checked.
If power enable fails, the device may not function correctly, while the
driver still returns success.
Add a check for the return value and propagate the error accordingly.
Signed-off-by: Wenyuan Li <2063309626@qq.com>
Link: https://patch.msgid.link/tencent_B5E2E7528BB28AA8A2A56E16C49BD58B8B07@qq.com
Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver")
[mkl: adjust subject, commit message and jump label]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/spi/hi311x.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c
index 1acd4fc7adc8b..2038b864832c9 100644
--- a/drivers/net/can/spi/hi311x.c
+++ b/drivers/net/can/spi/hi311x.c
@@ -756,7 +756,9 @@ static int hi3110_open(struct net_device *net)
return ret;
mutex_lock(&priv->hi3110_lock);
- hi3110_power_enable(priv->transceiver, 1);
+ ret = hi3110_power_enable(priv->transceiver, 1);
+ if (ret)
+ goto out_close_candev;
priv->force_quit = 0;
priv->tx_skb = NULL;
@@ -791,6 +793,7 @@ static int hi3110_open(struct net_device *net)
hi3110_hw_sleep(spi);
out_close:
hi3110_power_enable(priv->transceiver, 0);
+ out_close_candev:
close_candev(net);
mutex_unlock(&priv->hi3110_lock);
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 161/460] nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 160/460] parisc: Increase initial mapping to 64 MB with KALLSYMS Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 162/460] arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation Greg Kroah-Hartman
` (141 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lyude Paul, Dave Airlie,
Danilo Krummrich
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Airlie <airlied@redhat.com>
commit 8f3c6f08ababad2e3bdd239728cf66a9949446b4 upstream.
If we have runtime suspended, and userspace wants to use /dev/drm_dp_*
then just tell it the device is busy instead of crashing in the GSP
code.
WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]
CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy)
Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024
RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]
This is a simple fix to get backported. We should probably engineer a
proper power domain solution to wake up devices and keep them awake
while fw updates are happening.
Cc: stable@vger.kernel.org
Fixes: 8894f4919bc4 ("drm/nouveau: register a drm_dp_aux channel for each dp connector")
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patch.msgid.link/20260224031750.791621-1-airlied@gmail.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
@@ -1229,6 +1229,9 @@ nouveau_connector_aux_xfer(struct drm_dp
u8 size = msg->size;
int ret;
+ if (pm_runtime_suspended(nv_connector->base.dev->dev))
+ return -EBUSY;
+
nv_encoder = find_encoder(&nv_connector->base, DCB_OUTPUT_DP);
if (!nv_encoder)
return -ENODEV;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 237/567] mctp: route: hold key->lock in mctp_flow_prepare_output()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 236/567] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 238/567] amd-xgbe: fix link status handling in xgbe_rx_adaptation Greg Kroah-Hartman
` (140 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chengfeng Ye, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chengfeng Ye <dg573847474@gmail.com>
[ Upstream commit 7d86aa41c073c4e7eb75fd2e674f1fd8f289728a ]
mctp_flow_prepare_output() checks key->dev and may call
mctp_dev_set_key(), but it does not hold key->lock while doing so.
mctp_dev_set_key() and mctp_dev_release_key() are annotated with
__must_hold(&key->lock), so key->dev access is intended to be
serialized by key->lock. The mctp_sendmsg() transmit path reaches
mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output()
without holding key->lock, so the check-and-set sequence is racy.
Example interleaving:
CPU0 CPU1
---- ----
mctp_flow_prepare_output(key, devA)
if (!key->dev) // sees NULL
mctp_flow_prepare_output(
key, devB)
if (!key->dev) // still NULL
mctp_dev_set_key(devB, key)
mctp_dev_hold(devB)
key->dev = devB
mctp_dev_set_key(devA, key)
mctp_dev_hold(devA)
key->dev = devA // overwrites devB
Now both devA and devB references were acquired, but only the final
key->dev value is tracked for release. One reference can be lost,
causing a resource leak as mctp_dev_release_key() would only decrease
the reference on one dev.
Fix by taking key->lock around the key->dev check and
mctp_dev_set_key() call.
Fixes: 67737c457281 ("mctp: Pass flow data & flow release events to drivers")
Signed-off-by: Chengfeng Ye <dg573847474@gmail.com>
Link: https://patch.msgid.link/20260306031402.857224-1-dg573847474@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mctp/route.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/mctp/route.c b/net/mctp/route.c
index 009ba5edbd525..59fbc54d8e66c 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -267,6 +267,7 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev)
{
struct mctp_sk_key *key;
struct mctp_flow *flow;
+ unsigned long flags;
flow = skb_ext_find(skb, SKB_EXT_MCTP);
if (!flow)
@@ -274,12 +275,14 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev)
key = flow->key;
- if (key->dev) {
+ spin_lock_irqsave(&key->lock, flags);
+
+ if (!key->dev)
+ mctp_dev_set_key(dev, key);
+ else
WARN_ON(key->dev != dev);
- return;
- }
- mctp_dev_set_key(dev, key);
+ spin_unlock_irqrestore(&key->lock, flags);
}
#else
static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key) {}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 175/481] mctp: route: hold key->lock in mctp_flow_prepare_output()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 174/481] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 176/481] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() Greg Kroah-Hartman
` (140 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chengfeng Ye, Paolo Abeni,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chengfeng Ye <dg573847474@gmail.com>
[ Upstream commit 7d86aa41c073c4e7eb75fd2e674f1fd8f289728a ]
mctp_flow_prepare_output() checks key->dev and may call
mctp_dev_set_key(), but it does not hold key->lock while doing so.
mctp_dev_set_key() and mctp_dev_release_key() are annotated with
__must_hold(&key->lock), so key->dev access is intended to be
serialized by key->lock. The mctp_sendmsg() transmit path reaches
mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output()
without holding key->lock, so the check-and-set sequence is racy.
Example interleaving:
CPU0 CPU1
---- ----
mctp_flow_prepare_output(key, devA)
if (!key->dev) // sees NULL
mctp_flow_prepare_output(
key, devB)
if (!key->dev) // still NULL
mctp_dev_set_key(devB, key)
mctp_dev_hold(devB)
key->dev = devB
mctp_dev_set_key(devA, key)
mctp_dev_hold(devA)
key->dev = devA // overwrites devB
Now both devA and devB references were acquired, but only the final
key->dev value is tracked for release. One reference can be lost,
causing a resource leak as mctp_dev_release_key() would only decrease
the reference on one dev.
Fix by taking key->lock around the key->dev check and
mctp_dev_set_key() call.
Fixes: 67737c457281 ("mctp: Pass flow data & flow release events to drivers")
Signed-off-by: Chengfeng Ye <dg573847474@gmail.com>
Link: https://patch.msgid.link/20260306031402.857224-1-dg573847474@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mctp/route.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/mctp/route.c b/net/mctp/route.c
index 62952ad5cb636..fdeaf80691e55 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -267,6 +267,7 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev)
{
struct mctp_sk_key *key;
struct mctp_flow *flow;
+ unsigned long flags;
flow = skb_ext_find(skb, SKB_EXT_MCTP);
if (!flow)
@@ -274,12 +275,14 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev)
key = flow->key;
- if (key->dev) {
+ spin_lock_irqsave(&key->lock, flags);
+
+ if (!key->dev)
+ mctp_dev_set_key(dev, key);
+ else
WARN_ON(key->dev != dev);
- return;
- }
- mctp_dev_set_key(dev, key);
+ spin_unlock_irqrestore(&key->lock, flags);
}
#else
static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key) {}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 162/460] arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 161/460] nouveau/dpcd: return EBUSY for aux xfer if the device is asleep Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 163/460] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read Greg Kroah-Hartman
` (140 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Catalin Marinas, Jianpeng Chang,
Will Deacon, Huang, Ying, Guenter Roeck
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Catalin Marinas <catalin.marinas@arm.com>
commit c25c4aa3f79a488cc270507935a29c07dc6bddfc upstream.
Commit 143937ca51cc ("arm64, mm: avoid always making PTE dirty in
pte_mkwrite()") changed pte_mkwrite_novma() to only clear PTE_RDONLY
when PTE_DIRTY is set. This was to allow writable-clean PTEs for swap
pages that haven't actually been written.
However, this broke kexec and hibernation for some platforms. Both go
through trans_pgd_create_copy() -> _copy_pte(), which calls
pte_mkwrite_novma() to make the temporary linear-map copy fully
writable. With the updated pte_mkwrite_novma(), read-only kernel pages
(without PTE_DIRTY) remain read-only in the temporary mapping.
While such behaviour is fine for user pages where hardware DBM or
trapping will make them writeable, subsequent in-kernel writes by the
kexec relocation code will fault.
Add PTE_DIRTY back to all _PAGE_KERNEL* protection definitions. This was
the case prior to 5.4, commit aa57157be69f ("arm64: Ensure
VM_WRITE|VM_SHARED ptes are clean by default"). With the kernel
linear-map PTEs always having PTE_DIRTY set, pte_mkwrite_novma()
correctly clears PTE_RDONLY.
Fixes: 143937ca51cc ("arm64, mm: avoid always making PTE dirty in pte_mkwrite()")
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: stable@vger.kernel.org
Reported-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
Link: https://lore.kernel.org/r/20251204062722.3367201-1-jianpeng.chang.cn@windriver.com
Cc: Will Deacon <will@kernel.org>
Cc: Huang, Ying <ying.huang@linux.alibaba.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Huang Ying <ying.huang@linux.alibaba.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/pgtable-prot.h | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/arch/arm64/include/asm/pgtable-prot.h
+++ b/arch/arm64/include/asm/pgtable-prot.h
@@ -52,11 +52,11 @@
#define _PAGE_DEFAULT (_PROT_DEFAULT | PTE_ATTRINDX(MT_NORMAL))
-#define _PAGE_KERNEL (PROT_NORMAL)
-#define _PAGE_KERNEL_RO ((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY)
-#define _PAGE_KERNEL_ROX ((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY)
-#define _PAGE_KERNEL_EXEC (PROT_NORMAL & ~PTE_PXN)
-#define _PAGE_KERNEL_EXEC_CONT ((PROT_NORMAL & ~PTE_PXN) | PTE_CONT)
+#define _PAGE_KERNEL (PROT_NORMAL | PTE_DIRTY)
+#define _PAGE_KERNEL_RO ((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY | PTE_DIRTY)
+#define _PAGE_KERNEL_ROX ((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY | PTE_DIRTY)
+#define _PAGE_KERNEL_EXEC ((PROT_NORMAL & ~PTE_PXN) | PTE_DIRTY)
+#define _PAGE_KERNEL_EXEC_CONT ((PROT_NORMAL & ~PTE_PXN) | PTE_CONT | PTE_DIRTY)
#define _PAGE_SHARED (_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN | PTE_WRITE)
#define _PAGE_SHARED_EXEC (_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_WRITE)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 238/567] amd-xgbe: fix link status handling in xgbe_rx_adaptation
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 237/567] mctp: route: hold key->lock in mctp_flow_prepare_output() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 239/567] amd-xgbe: prevent CRC errors during RX adaptation with AN disabled Greg Kroah-Hartman
` (139 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raju Rangoju, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raju Rangoju <Raju.Rangoju@amd.com>
[ Upstream commit 6485cb96be5cd0f4bf39554737ba11322cc9b053 ]
The link status bit is latched low to allow detection of momentary
link drops. If the status indicates that the link is already down,
read it again to obtain the current state.
Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation")
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Link: https://patch.msgid.link/20260306111629.1515676-2-Raju.Rangoju@amd.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
index 6d2c401bb246e..469b28c159e7d 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
@@ -2050,7 +2050,7 @@ static void xgbe_set_rx_adap_mode(struct xgbe_prv_data *pdata,
static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata)
{
struct xgbe_phy_data *phy_data = pdata->phy_data;
- unsigned int reg;
+ int reg;
/* step 2: force PCS to send RX_ADAPT Req to PHY */
XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_RX_EQ_CTRL4,
@@ -2072,11 +2072,20 @@ static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata)
/* Step 4: Check for Block lock */
- /* Link status is latched low, so read once to clear
- * and then read again to get current state
- */
- reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
+ if (reg < 0)
+ goto set_mode;
+
+ /* Link status is latched low so that momentary link drops
+ * can be detected. If link was already down read again
+ * to get the latest state.
+ */
+ if (!pdata->phy.link && !(reg & MDIO_STAT1_LSTATUS)) {
+ reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
+ if (reg < 0)
+ goto set_mode;
+ }
+
if (reg & MDIO_STAT1_LSTATUS) {
/* If the block lock is found, update the helpers
* and declare the link up
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 176/481] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 175/481] mctp: route: hold key->lock in mctp_flow_prepare_output() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 177/481] netfilter: x_tables: guard option walkers against 1-byte tail reads Greg Kroah-Hartman
` (139 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jenny Guanni Qu, Florian Westphal,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jenny Guanni Qu <qguanni@gmail.com>
[ Upstream commit d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 ]
pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the
to_offset argument on every iteration, including the last one where
i == m->field_count - 1. This reads one element past the end of the
stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS]
with NFT_PIPAPO_MAX_FIELDS == 16).
Although pipapo_unmap() returns early when is_last is true without
using the to_offset value, the argument is evaluated at the call site
before the function body executes, making this a genuine out-of-bounds
stack read confirmed by KASAN:
BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]
Read of size 4 at addr ffff8000810e71a4
This frame has 1 object:
[32, 160) 'rulemap'
The buggy address is at offset 164 -- exactly 4 bytes past the end
of the rulemap array.
Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid
the out-of-bounds read.
Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_pipapo.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index 863162c823306..c8a5618742381 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1541,6 +1541,7 @@ static void pipapo_drop(struct nft_pipapo_match *m,
int i;
nft_pipapo_for_each_field(f, i, m) {
+ bool last = i == m->field_count - 1;
int g;
for (g = 0; g < f->groups; g++) {
@@ -1560,7 +1561,7 @@ static void pipapo_drop(struct nft_pipapo_match *m,
}
pipapo_unmap(f->mt, f->rules, rulemap[i].to, rulemap[i].n,
- rulemap[i + 1].n, i == m->field_count - 1);
+ last ? 0 : rulemap[i + 1].n, last);
if (pipapo_resize(f, f->rules, f->rules - rulemap[i].n)) {
/* We can ignore this, a failure to shrink tables down
* doesn't make tables invalid.
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 163/460] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 162/460] arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 164/460] parisc: Fix initial page table creation for boot Greg Kroah-Hartman
` (139 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanman Pradhan <psanman@juniper.net>
commit 25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43 upstream.
The q54sj108a2_debugfs_read function suffers from a stack buffer overflow
due to incorrect arguments passed to bin2hex(). The function currently
passes 'data' as the destination and 'data_char' as the source.
Because bin2hex() converts each input byte into two hex characters, a
32-byte block read results in 64 bytes of output. Since 'data' is only
34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end
of the buffer onto the stack.
Additionally, the arguments were swapped: it was reading from the
zero-initialized 'data_char' and writing to 'data', resulting in
all-zero output regardless of the actual I2C read.
Fix this by:
1. Expanding 'data_char' to 66 bytes to safely hold the hex output.
2. Correcting the bin2hex() argument order and using the actual read count.
3. Using a pointer to select the correct output buffer for the final
simple_read_from_buffer call.
Fixes: d014538aa385 ("hwmon: (pmbus) Driver for Delta power supplies Q54SJ108A2")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260304235116.1045-1-sanman.p211993@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/q54sj108a2.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
--- a/drivers/hwmon/pmbus/q54sj108a2.c
+++ b/drivers/hwmon/pmbus/q54sj108a2.c
@@ -78,7 +78,8 @@ static ssize_t q54sj108a2_debugfs_read(s
int idx = *idxp;
struct q54sj108a2_data *psu = to_psu(idxp, idx);
char data[I2C_SMBUS_BLOCK_MAX + 2] = { 0 };
- char data_char[I2C_SMBUS_BLOCK_MAX + 2] = { 0 };
+ char data_char[I2C_SMBUS_BLOCK_MAX * 2 + 2] = { 0 };
+ char *out = data;
char *res;
switch (idx) {
@@ -149,27 +150,27 @@ static ssize_t q54sj108a2_debugfs_read(s
if (rc < 0)
return rc;
- res = bin2hex(data, data_char, 32);
- rc = res - data;
-
+ res = bin2hex(data_char, data, rc);
+ rc = res - data_char;
+ out = data_char;
break;
case Q54SJ108A2_DEBUGFS_FLASH_KEY:
rc = i2c_smbus_read_block_data(psu->client, PMBUS_FLASH_KEY_WRITE, data);
if (rc < 0)
return rc;
- res = bin2hex(data, data_char, 4);
- rc = res - data;
-
+ res = bin2hex(data_char, data, rc);
+ rc = res - data_char;
+ out = data_char;
break;
default:
return -EINVAL;
}
- data[rc] = '\n';
+ out[rc] = '\n';
rc += 2;
- return simple_read_from_buffer(buf, count, ppos, data, rc);
+ return simple_read_from_buffer(buf, count, ppos, out, rc);
}
static ssize_t q54sj108a2_debugfs_write(struct file *file, const char __user *buf,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 239/567] amd-xgbe: prevent CRC errors during RX adaptation with AN disabled
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 238/567] amd-xgbe: fix link status handling in xgbe_rx_adaptation Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 240/567] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() Greg Kroah-Hartman
` (138 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raju Rangoju, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raju Rangoju <Raju.Rangoju@amd.com>
[ Upstream commit 27a4dd0c702b3b2b9cf2c045d100cc2fe8720b81 ]
When operating in 10GBASE-KR mode with auto-negotiation disabled and RX
adaptation enabled, CRC errors can occur during the RX adaptation
process. This happens because the driver continues transmitting and
receiving packets while adaptation is in progress.
Fix this by stopping TX/RX immediately when the link goes down and RX
adaptation needs to be re-triggered, and only re-enabling TX/RX after
adaptation completes and the link is confirmed up. Introduce a flag to
track whether TX/RX was disabled for adaptation so it can be restored
correctly.
This prevents packets from being transmitted or received during the RX
adaptation window and avoids CRC errors from corrupted frames.
The flag tracking the data path state is synchronized with hardware
state in xgbe_start() to prevent stale state after device restarts.
This ensures that after a restart cycle (where xgbe_stop disables
TX/RX and xgbe_start re-enables them), the flag correctly reflects
that the data path is active.
Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation")
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Link: https://patch.msgid.link/20260306111629.1515676-3-Raju.Rangoju@amd.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 4 ++
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 63 ++++++++++++++++++++-
drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++
3 files changed, 69 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
index 256969ac2cb9e..67e1d8eacdaed 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
@@ -1338,6 +1338,10 @@ static int xgbe_start(struct xgbe_prv_data *pdata)
hw_if->enable_tx(pdata);
hw_if->enable_rx(pdata);
+ /* Synchronize flag with hardware state after enabling TX/RX.
+ * This prevents stale state after device restart cycles.
+ */
+ pdata->data_path_stopped = false;
udp_tunnel_nic_reset_ntf(netdev);
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
index 469b28c159e7d..0a99a21af5815 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
@@ -2125,6 +2125,48 @@ static void xgbe_phy_rx_adaptation(struct xgbe_prv_data *pdata)
xgbe_rx_adaptation(pdata);
}
+/*
+ * xgbe_phy_stop_data_path - Stop TX/RX to prevent packet corruption
+ * @pdata: driver private data
+ *
+ * This function stops the data path (TX and RX) to prevent packet
+ * corruption during critical PHY operations like RX adaptation.
+ * Must be called before initiating RX adaptation when link goes down.
+ */
+static void xgbe_phy_stop_data_path(struct xgbe_prv_data *pdata)
+{
+ if (pdata->data_path_stopped)
+ return;
+
+ /* Stop TX/RX to prevent packet corruption during RX adaptation */
+ pdata->hw_if.disable_tx(pdata);
+ pdata->hw_if.disable_rx(pdata);
+ pdata->data_path_stopped = true;
+
+ netif_dbg(pdata, link, pdata->netdev,
+ "stopping data path for RX adaptation\n");
+}
+
+/*
+ * xgbe_phy_start_data_path - Re-enable TX/RX after RX adaptation
+ * @pdata: driver private data
+ *
+ * This function re-enables the data path (TX and RX) after RX adaptation
+ * has completed successfully. Only called when link is confirmed up.
+ */
+static void xgbe_phy_start_data_path(struct xgbe_prv_data *pdata)
+{
+ if (!pdata->data_path_stopped)
+ return;
+
+ pdata->hw_if.enable_rx(pdata);
+ pdata->hw_if.enable_tx(pdata);
+ pdata->data_path_stopped = false;
+
+ netif_dbg(pdata, link, pdata->netdev,
+ "restarting data path after RX adaptation\n");
+}
+
static void xgbe_phy_rx_reset(struct xgbe_prv_data *pdata)
{
int reg;
@@ -2918,13 +2960,27 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart)
if (pdata->en_rx_adap) {
/* if the link is available and adaptation is done,
* declare link up
+ *
+ * Note: When link is up and adaptation is done, we can
+ * safely re-enable the data path if it was stopped
+ * for adaptation.
*/
- if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done)
+ if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done) {
+ xgbe_phy_start_data_path(pdata);
return 1;
+ }
/* If either link is not available or adaptation is not done,
* retrigger the adaptation logic. (if the mode is not set,
* then issue mailbox command first)
*/
+
+ /* CRITICAL: Stop data path BEFORE triggering RX adaptation
+ * to prevent CRC errors from packets corrupted during
+ * the adaptation process. This is especially important
+ * when AN is OFF in 10G KR mode.
+ */
+ xgbe_phy_stop_data_path(pdata);
+
if (pdata->mode_set) {
xgbe_phy_rx_adaptation(pdata);
} else {
@@ -2932,8 +2988,11 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart)
xgbe_phy_set_mode(pdata, phy_data->cur_mode);
}
- if (pdata->rx_adapt_done)
+ if (pdata->rx_adapt_done) {
+ /* Adaptation complete, safe to re-enable data path */
+ xgbe_phy_start_data_path(pdata);
return 1;
+ }
} else if (reg & MDIO_STAT1_LSTATUS)
return 1;
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h
index 82a88d0c15e31..ac0f728c5c85d 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
+++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
@@ -1321,6 +1321,10 @@ struct xgbe_prv_data {
bool en_rx_adap;
int rx_adapt_retries;
bool rx_adapt_done;
+ /* Flag to track if data path (TX/RX) was stopped for RX adaptation.
+ * This prevents packet corruption during the adaptation window.
+ */
+ bool data_path_stopped;
bool mode_set;
};
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 177/481] netfilter: x_tables: guard option walkers against 1-byte tail reads
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 176/481] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 178/481] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path Greg Kroah-Hartman
` (138 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Dull, Florian Westphal,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Dull <monderasdor@gmail.com>
[ Upstream commit cfe770220ac2dbd3e104c6b45094037455da81d4 ]
When the last byte of options is a non-single-byte option kind, walkers
that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end
of the option area.
Add an explicit i == optlen - 1 check before dereferencing op[i + 1]
in xt_tcpudp and xt_dccp option walkers.
Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables")
Signed-off-by: David Dull <monderasdor@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_dccp.c | 4 ++--
net/netfilter/xt_tcpudp.c | 6 ++++--
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index e5a13ecbe67a0..037ab93e25d0a 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -62,10 +62,10 @@ dccp_find_option(u_int8_t option,
return true;
}
- if (op[i] < 2)
+ if (op[i] < 2 || i == optlen - 1)
i++;
else
- i += op[i+1]?:1;
+ i += op[i + 1] ? : 1;
}
spin_unlock_bh(&dccp_buflock);
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 11ec2abf0c727..73f50dc01b19f 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -56,8 +56,10 @@ tcp_find_option(u_int8_t option,
for (i = 0; i < optlen; ) {
if (op[i] == option) return !invert;
- if (op[i] < 2) i++;
- else i += op[i+1]?:1;
+ if (op[i] < 2 || i == optlen - 1)
+ i++;
+ else
+ i += op[i + 1] ? : 1;
}
return invert;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 164/460] parisc: Fix initial page table creation for boot
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 163/460] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 165/460] arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults Greg Kroah-Hartman
` (138 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 8475d8fe21ec9c7eb2faca555fbc5b68cf0d2597 upstream.
The KERNEL_INITIAL_ORDER value defines the initial size (usually 32 or
64 MB) of the page table during bootup. Up until now the whole area was
initialized with PTE entries, but there was no check if we filled too
many entries. Change the code to fill up with so many entries that the
"_end" symbol can be reached by the kernel, but not more entries than
actually fit into the initial PTE tables.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v6.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/head.S | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/arch/parisc/kernel/head.S
+++ b/arch/parisc/kernel/head.S
@@ -56,6 +56,7 @@ ENTRY(parisc_kernel_start)
.import __bss_start,data
.import __bss_stop,data
+ .import __end,data
load32 PA(__bss_start),%r3
load32 PA(__bss_stop),%r4
@@ -149,7 +150,11 @@ $cpu_ok:
* everything ... it will get remapped correctly later */
ldo 0+_PAGE_KERNEL_RWX(%r0),%r3 /* Hardwired 0 phys addr start */
load32 (1<<(KERNEL_INITIAL_ORDER-PAGE_SHIFT)),%r11 /* PFN count */
- load32 PA(pg0),%r1
+ load32 PA(_end),%r1
+ SHRREG %r1,PAGE_SHIFT,%r1 /* %r1 is PFN count for _end symbol */
+ cmpb,<<,n %r11,%r1,1f
+ copy %r1,%r11 /* %r1 PFN count smaller than %r11 */
+1: load32 PA(pg0),%r1
$pgt_fill_loop:
STREGM %r3,ASM_PTE_ENTRY_SIZE(%r1)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 240/567] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 239/567] amd-xgbe: prevent CRC errors during RX adaptation with AN disabled Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 241/567] netfilter: x_tables: guard option walkers against 1-byte tail reads Greg Kroah-Hartman
` (137 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jenny Guanni Qu, Florian Westphal,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jenny Guanni Qu <qguanni@gmail.com>
[ Upstream commit d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 ]
pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the
to_offset argument on every iteration, including the last one where
i == m->field_count - 1. This reads one element past the end of the
stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS]
with NFT_PIPAPO_MAX_FIELDS == 16).
Although pipapo_unmap() returns early when is_last is true without
using the to_offset value, the argument is evaluated at the call site
before the function body executes, making this a genuine out-of-bounds
stack read confirmed by KASAN:
BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]
Read of size 4 at addr ffff8000810e71a4
This frame has 1 object:
[32, 160) 'rulemap'
The buggy address is at offset 164 -- exactly 4 bytes past the end
of the rulemap array.
Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid
the out-of-bounds read.
Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_pipapo.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index c3ada6798d4a3..f4d0bb6b377d1 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1570,6 +1570,7 @@ static void pipapo_drop(struct nft_pipapo_match *m,
int i;
nft_pipapo_for_each_field(f, i, m) {
+ bool last = i == m->field_count - 1;
int g;
for (g = 0; g < f->groups; g++) {
@@ -1589,7 +1590,7 @@ static void pipapo_drop(struct nft_pipapo_match *m,
}
pipapo_unmap(f->mt, f->rules, rulemap[i].to, rulemap[i].n,
- rulemap[i + 1].n, i == m->field_count - 1);
+ last ? 0 : rulemap[i + 1].n, last);
if (pipapo_resize(f, f->rules, f->rules - rulemap[i].n)) {
/* We can ignore this, a failure to shrink tables down
* doesn't make tables invalid.
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 178/481] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 177/481] netfilter: x_tables: guard option walkers against 1-byte tail reads Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 179/481] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() Greg Kroah-Hartman
` (137 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Dull, Hyunwoo Kim,
Florian Westphal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit f1ba83755d81c6fc66ac7acd723d238f974091e9 ]
nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue
entry from the queue data structures, taking ownership of the entry.
For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN
attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN
present but NFQA_VLAN_TCI missing), the function returns immediately
without freeing the dequeued entry or its sk_buff.
This leaks the nf_queue_entry, its associated sk_buff, and all held
references (net_device refcounts, struct net refcount). Repeated
triggering exhausts kernel memory.
Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict
on the error path, consistent with other error handling in this file.
Fixes: 8d45ff22f1b4 ("netfilter: bridge: nf queue verdict to use NFQA_VLAN and NFQA_L2HDR")
Reviewed-by: David Dull <monderasdor@gmail.com>
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_queue.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index f13eed826cbb8..4e0d1362875bd 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -1262,8 +1262,10 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info,
if (entry->state.pf == PF_BRIDGE) {
err = nfqa_parse_bridge(entry, nfqa);
- if (err < 0)
+ if (err < 0) {
+ nfqnl_reinject(entry, NF_DROP);
return err;
+ }
}
if (nfqa[NFQA_PAYLOAD]) {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 165/460] arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 164/460] parisc: Fix initial page table creation for boot Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 166/460] parisc: Check kernel mapping earlier at bootup Greg Kroah-Hartman
` (137 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryan Roberts, Catalin Marinas,
Will Deacon, Jason Gunthorpe, John Hubbard, Zi Yan, Breno Leitao,
Alistair Popple, James Houghton, Piotr Jaroszynski, Balbir Singh
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Piotr Jaroszynski <pjaroszynski@nvidia.com>
commit 97c5550b763171dbef61e6239cab372b9f9cd4a2 upstream.
contpte_ptep_set_access_flags() compared the gathered ptep_get() value
against the requested entry to detect no-ops. ptep_get() ORs AF/dirty
from all sub-PTEs in the CONT block, so a dirty sibling can make the
target appear already-dirty. When the gathered value matches entry, the
function returns 0 even though the target sub-PTE still has PTE_RDONLY
set in hardware.
For a CPU with FEAT_HAFDBS this gathered view is fine, since hardware may
set AF/dirty on any sub-PTE and CPU TLB behavior is effectively gathered
across the CONT range. But page-table walkers that evaluate each
descriptor individually (e.g. a CPU without DBM support, or an SMMU
without HTTU, or with HA/HD disabled in CD.TCR) can keep faulting on the
unchanged target sub-PTE, causing an infinite fault loop.
Gathering can therefore cause false no-ops when only a sibling has been
updated:
- write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)
- read faults: target still lacks PTE_AF
Fix by checking each sub-PTE against the requested AF/dirty/write state
(the same bits consumed by __ptep_set_access_flags()), using raw
per-PTE values rather than the gathered ptep_get() view, before
returning no-op. Keep using the raw target PTE for the write-bit unfold
decision.
Per Arm ARM (DDI 0487) D8.7.1 ("The Contiguous bit"), any sub-PTE in a CONT
range may become the effective cached translation and software must
maintain consistent attributes across the range.
Fixes: 4602e5757bcc ("arm64/mm: wire up PTE_CONT for user mappings")
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: Breno Leitao <leitao@debian.org>
Cc: stable@vger.kernel.org
Reviewed-by: Alistair Popple <apopple@nvidia.com>
Reviewed-by: James Houghton <jthoughton@google.com>
Reviewed-by: Ryan Roberts <ryan.roberts@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Piotr Jaroszynski <pjaroszynski@nvidia.com>
Acked-by: Balbir Singh <balbirs@nvidia.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/mm/contpte.c | 53 ++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 49 insertions(+), 4 deletions(-)
--- a/arch/arm64/mm/contpte.c
+++ b/arch/arm64/mm/contpte.c
@@ -390,6 +390,27 @@ void contpte_clear_young_dirty_ptes(stru
}
EXPORT_SYMBOL_GPL(contpte_clear_young_dirty_ptes);
+static bool contpte_all_subptes_match_access_flags(pte_t *ptep, pte_t entry)
+{
+ pte_t *cont_ptep = contpte_align_down(ptep);
+ /*
+ * PFNs differ per sub-PTE. Match only bits consumed by
+ * __ptep_set_access_flags(): AF, DIRTY and write permission.
+ */
+ const pteval_t cmp_mask = PTE_RDONLY | PTE_AF | PTE_WRITE | PTE_DIRTY;
+ pteval_t entry_cmp = pte_val(entry) & cmp_mask;
+ int i;
+
+ for (i = 0; i < CONT_PTES; i++) {
+ pteval_t pte_cmp = pte_val(__ptep_get(cont_ptep + i)) & cmp_mask;
+
+ if (pte_cmp != entry_cmp)
+ return false;
+ }
+
+ return true;
+}
+
int contpte_ptep_set_access_flags(struct vm_area_struct *vma,
unsigned long addr, pte_t *ptep,
pte_t entry, int dirty)
@@ -399,14 +420,38 @@ int contpte_ptep_set_access_flags(struct
int i;
/*
- * Gather the access/dirty bits for the contiguous range. If nothing has
- * changed, its a noop.
+ * Check whether all sub-PTEs in the CONT block already match the
+ * requested access flags/write permission, using raw per-PTE values
+ * rather than the gathered ptep_get() view.
+ *
+ * __ptep_set_access_flags() can update AF, dirty and write
+ * permission, but only to make the mapping more permissive.
+ *
+ * ptep_get() gathers AF/dirty state across the whole CONT block,
+ * which is correct for a CPU with FEAT_HAFDBS. But page-table
+ * walkers that evaluate each descriptor individually (e.g. a CPU
+ * without DBM support, or an SMMU without HTTU, or with HA/HD
+ * disabled in CD.TCR) can keep faulting on the target sub-PTE if
+ * only a sibling has been updated. Gathering can therefore cause
+ * false no-ops when only a sibling has been updated:
+ * - write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)
+ * - read faults: target still lacks PTE_AF
+ *
+ * Per Arm ARM (DDI 0487) D8.7.1, any sub-PTE in a CONT range may
+ * become the effective cached translation, so all entries must have
+ * consistent attributes. Check the full CONT block before returning
+ * no-op, and when any sub-PTE mismatches, proceed to update the whole
+ * range.
*/
- orig_pte = pte_mknoncont(ptep_get(ptep));
- if (pte_val(orig_pte) == pte_val(entry))
+ if (contpte_all_subptes_match_access_flags(ptep, entry))
return 0;
/*
+ * Use raw target pte (not gathered) for write-bit unfold decision.
+ */
+ orig_pte = pte_mknoncont(__ptep_get(ptep));
+
+ /*
* We can fix up access/dirty bits without having to unfold the contig
* range. But if the write bit is changing, we must unfold.
*/
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 241/567] netfilter: x_tables: guard option walkers against 1-byte tail reads
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 240/567] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 242/567] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path Greg Kroah-Hartman
` (136 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Dull, Florian Westphal,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Dull <monderasdor@gmail.com>
[ Upstream commit cfe770220ac2dbd3e104c6b45094037455da81d4 ]
When the last byte of options is a non-single-byte option kind, walkers
that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end
of the option area.
Add an explicit i == optlen - 1 check before dereferencing op[i + 1]
in xt_tcpudp and xt_dccp option walkers.
Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables")
Signed-off-by: David Dull <monderasdor@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_dccp.c | 4 ++--
net/netfilter/xt_tcpudp.c | 6 ++++--
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index e5a13ecbe67a0..037ab93e25d0a 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -62,10 +62,10 @@ dccp_find_option(u_int8_t option,
return true;
}
- if (op[i] < 2)
+ if (op[i] < 2 || i == optlen - 1)
i++;
else
- i += op[i+1]?:1;
+ i += op[i + 1] ? : 1;
}
spin_unlock_bh(&dccp_buflock);
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index e8991130a3de0..f76cf18f1a244 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -59,8 +59,10 @@ tcp_find_option(u_int8_t option,
for (i = 0; i < optlen; ) {
if (op[i] == option) return !invert;
- if (op[i] < 2) i++;
- else i += op[i+1]?:1;
+ if (op[i] < 2 || i == optlen - 1)
+ i++;
+ else
+ i += op[i + 1] ? : 1;
}
return invert;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 179/481] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 178/481] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 180/481] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels Greg Kroah-Hartman
` (136 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Florian Westphal,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit 6dcee8496d53165b2d8a5909b3050b62ae71fe89 ]
nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label
inside the for loop body. When the "last" helper saved in cb->args[1]
is deleted between dump rounds, every entry fails the (cur != last)
check, so cb->args[1] is never cleared. The for loop finishes with
cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back
into the loop body bypassing the bounds check, causing an 8-byte
out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].
The 'goto restart' block was meant to re-traverse the current bucket
when "last" is no longer found, but it was placed after the for loop
instead of inside it. Move the block into the for loop body so that
the restart only occurs while cb->args[0] is still within bounds.
BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0
Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131
Call Trace:
nfnl_cthelper_dump_table+0x9f/0x1b0
netlink_dump+0x333/0x880
netlink_recvmsg+0x3e2/0x4b0
sock_recvmsg+0xde/0xf0
__sys_recvfrom+0x150/0x200
__x64_sys_recvfrom+0x76/0x90
do_syscall_64+0xc3/0x6e0
Allocated by task 1:
__kvmalloc_node_noprof+0x21b/0x700
nf_ct_alloc_hashtable+0x65/0xd0
nf_conntrack_helper_init+0x21/0x60
nf_conntrack_init_start+0x18d/0x300
nf_conntrack_standalone_init+0x12/0xc0
Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_cthelper.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index 97248963a7d3b..71a248cca746a 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -603,10 +603,10 @@ nfnl_cthelper_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
goto out;
}
}
- }
- if (cb->args[1]) {
- cb->args[1] = 0;
- goto restart;
+ if (cb->args[1]) {
+ cb->args[1] = 0;
+ goto restart;
+ }
}
out:
rcu_read_unlock();
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 166/460] parisc: Check kernel mapping earlier at bootup
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 165/460] arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 167/460] pmdomain: bcm: bcm2835-power: Fix broken reset status read Greg Kroah-Hartman
` (136 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 17c144f1104bfc29a3ce3f7d0931a1bfb7a3558c upstream.
The check if the initial mapping is sufficient needs to happen much
earlier during bootup. Move this test directly to the start_parisc()
function and use native PDC iodc functions to print the warning, because
panic() and printk() are not functional yet.
This fixes boot when enabling various KALLSYSMS options which need
much more space.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v6.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/setup.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
--- a/arch/parisc/kernel/setup.c
+++ b/arch/parisc/kernel/setup.c
@@ -120,14 +120,6 @@ void __init setup_arch(char **cmdline_p)
#endif
printk(KERN_CONT ".\n");
- /*
- * Check if initial kernel page mappings are sufficient.
- * panic early if not, else we may access kernel functions
- * and variables which can't be reached.
- */
- if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE)
- panic("KERNEL_INITIAL_ORDER too small!");
-
#ifdef CONFIG_64BIT
if(parisc_narrow_firmware) {
printk(KERN_INFO "Kernel is using PDC in 32-bit mode.\n");
@@ -279,6 +271,18 @@ void __init start_parisc(void)
int ret, cpunum;
struct pdc_coproc_cfg coproc_cfg;
+ /*
+ * Check if initial kernel page mapping is sufficient.
+ * Print warning if not, because we may access kernel functions and
+ * variables which can't be reached yet through the initial mappings.
+ * Note that the panic() and printk() functions are not functional
+ * yet, so we need to use direct iodc() firmware calls instead.
+ */
+ const char warn1[] = "CRITICAL: Kernel may crash because "
+ "KERNEL_INITIAL_ORDER is too small.\n";
+ if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE)
+ pdc_iodc_print(warn1, sizeof(warn1) - 1);
+
/* check QEMU/SeaBIOS marker in PAGE0 */
running_on_qemu = (memcmp(&PAGE0->pad0, "SeaBIOS", 8) == 0);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 242/567] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 241/567] netfilter: x_tables: guard option walkers against 1-byte tail reads Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 243/567] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() Greg Kroah-Hartman
` (135 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Dull, Hyunwoo Kim,
Florian Westphal, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit f1ba83755d81c6fc66ac7acd723d238f974091e9 ]
nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue
entry from the queue data structures, taking ownership of the entry.
For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN
attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN
present but NFQA_VLAN_TCI missing), the function returns immediately
without freeing the dequeued entry or its sk_buff.
This leaks the nf_queue_entry, its associated sk_buff, and all held
references (net_device refcounts, struct net refcount). Repeated
triggering exhausts kernel memory.
Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict
on the error path, consistent with other error handling in this file.
Fixes: 8d45ff22f1b4 ("netfilter: bridge: nf queue verdict to use NFQA_VLAN and NFQA_L2HDR")
Reviewed-by: David Dull <monderasdor@gmail.com>
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_queue.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 09209b4952ad1..0ac0db71dbc61 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -1283,8 +1283,10 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info,
if (entry->state.pf == PF_BRIDGE) {
err = nfqa_parse_bridge(entry, nfqa);
- if (err < 0)
+ if (err < 0) {
+ nfqnl_reinject(entry, NF_DROP);
return err;
+ }
}
if (nfqa[NFQA_PAYLOAD]) {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 180/481] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 179/481] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 181/481] regulator: pca9450: Make IRQ optional Greg Kroah-Hartman
` (135 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
Xin Liu, Florian Westphal, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuan Tan <tanyuan98@outlook.com>
[ Upstream commit 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf ]
IDLETIMER revision 0 rules reuse existing timers by label and always call
mod_timer() on timer->timer.
If the label was created first by revision 1 with XT_IDLETIMER_ALARM,
the object uses alarm timer semantics and timer->timer is never initialized.
Reusing that object from revision 0 causes mod_timer() on an uninitialized
timer_list, triggering debugobjects warnings and possible panic when
panic_on_warn=1.
Fix this by rejecting revision 0 rule insertion when an existing timer with
the same label is of ALARM type.
Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target")
Co-developed-by: Yifan Wu <yifanwucs@gmail.com>
Signed-off-by: Yifan Wu <yifanwucs@gmail.com>
Co-developed-by: Juefei Pu <tomapufckgml@gmail.com>
Signed-off-by: Juefei Pu <tomapufckgml@gmail.com>
Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
Signed-off-by: Xin Liu <dstsmallbird@foxmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_IDLETIMER.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index 3f6a9770f74ba..9733f49847a6d 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -320,6 +320,12 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par)
info->timer = __idletimer_tg_find_by_label(info->label);
if (info->timer) {
+ if (info->timer->timer_type & XT_IDLETIMER_ALARM) {
+ pr_debug("Adding/Replacing rule with same label and different timer type is not allowed\n");
+ mutex_unlock(&list_mutex);
+ return -EINVAL;
+ }
+
info->timer->refcnt++;
mod_timer(&info->timer->timer,
msecs_to_jiffies(info->timeout * 1000) + jiffies);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 167/460] pmdomain: bcm: bcm2835-power: Fix broken reset status read
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 166/460] parisc: Check kernel mapping earlier at bootup Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 168/460] ata: libata-core: Disable LPM on ST1000DM010-2EP102 Greg Kroah-Hartman
` (135 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maíra Canal, Florian Fainelli,
Stefan Wahren, Ulf Hansson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maíra Canal <mcanal@igalia.com>
commit 550bae2c0931dbb664a61b08c21cf156f0a5362a upstream.
bcm2835_reset_status() has a misplaced parenthesis on every PM_READ()
call. Since PM_READ(reg) expands to readl(power->base + (reg)), the
expression:
PM_READ(PM_GRAFX & PM_V3DRSTN)
computes the bitwise AND of the register offset PM_GRAFX with the
bitmask PM_V3DRSTN before using the result as a register offset, reading
from the wrong MMIO address instead of the intended PM_GRAFX register.
The same issue affects the PM_IMAGE cases.
Fix by moving the closing parenthesis so PM_READ() receives only the
register offset, and the bitmask is applied to the value returned by
the read.
Fixes: 670c672608a1 ("soc: bcm: bcm2835-pm: Add support for power domains under a new binding.")
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pmdomain/bcm/bcm2835-power.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/pmdomain/bcm/bcm2835-power.c
+++ b/drivers/pmdomain/bcm/bcm2835-power.c
@@ -580,11 +580,11 @@ static int bcm2835_reset_status(struct r
switch (id) {
case BCM2835_RESET_V3D:
- return !PM_READ(PM_GRAFX & PM_V3DRSTN);
+ return !(PM_READ(PM_GRAFX) & PM_V3DRSTN);
case BCM2835_RESET_H264:
- return !PM_READ(PM_IMAGE & PM_H264RSTN);
+ return !(PM_READ(PM_IMAGE) & PM_H264RSTN);
case BCM2835_RESET_ISP:
- return !PM_READ(PM_IMAGE & PM_ISPRSTN);
+ return !(PM_READ(PM_IMAGE) & PM_ISPRSTN);
default:
return -EINVAL;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 243/567] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 242/567] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 244/567] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels Greg Kroah-Hartman
` (134 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Florian Westphal,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit 6dcee8496d53165b2d8a5909b3050b62ae71fe89 ]
nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label
inside the for loop body. When the "last" helper saved in cb->args[1]
is deleted between dump rounds, every entry fails the (cur != last)
check, so cb->args[1] is never cleared. The for loop finishes with
cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back
into the loop body bypassing the bounds check, causing an 8-byte
out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].
The 'goto restart' block was meant to re-traverse the current bucket
when "last" is no longer found, but it was placed after the for loop
instead of inside it. Move the block into the for loop body so that
the restart only occurs while cb->args[0] is still within bounds.
BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0
Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131
Call Trace:
nfnl_cthelper_dump_table+0x9f/0x1b0
netlink_dump+0x333/0x880
netlink_recvmsg+0x3e2/0x4b0
sock_recvmsg+0xde/0xf0
__sys_recvfrom+0x150/0x200
__x64_sys_recvfrom+0x76/0x90
do_syscall_64+0xc3/0x6e0
Allocated by task 1:
__kvmalloc_node_noprof+0x21b/0x700
nf_ct_alloc_hashtable+0x65/0xd0
nf_conntrack_helper_init+0x21/0x60
nf_conntrack_init_start+0x18d/0x300
nf_conntrack_standalone_init+0x12/0xc0
Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_cthelper.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index 97248963a7d3b..71a248cca746a 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -603,10 +603,10 @@ nfnl_cthelper_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
goto out;
}
}
- }
- if (cb->args[1]) {
- cb->args[1] = 0;
- goto restart;
+ if (cb->args[1]) {
+ cb->args[1] = 0;
+ goto restart;
+ }
}
out:
rcu_read_unlock();
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 181/481] regulator: pca9450: Make IRQ optional
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 180/481] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 182/481] regulator: pca9450: Correct interrupt type Greg Kroah-Hartman
` (134 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frieder Schrempf, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frieder Schrempf <frieder.schrempf@kontron.de>
[ Upstream commit 83808c54064eef620ad8645dfdcaffe125551532 ]
The IRQ line might not be connected on some boards. Allow the driver
to be probed without it.
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Link: https://patch.msgid.link/20240708084107.38986-5-frieder@fris.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 5d0efaf47ee9 ("regulator: pca9450: Correct interrupt type")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/pca9450-regulator.c | 41 +++++++++++++--------------
1 file changed, 19 insertions(+), 22 deletions(-)
diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c
index 0fcda40cefa6d..8848afa48598f 100644
--- a/drivers/regulator/pca9450-regulator.c
+++ b/drivers/regulator/pca9450-regulator.c
@@ -713,11 +713,6 @@ static int pca9450_i2c_probe(struct i2c_client *i2c,
unsigned int reset_ctrl;
int ret;
- if (!i2c->irq) {
- dev_err(&i2c->dev, "No IRQ configured?\n");
- return -EINVAL;
- }
-
pca9450 = devm_kzalloc(&i2c->dev, sizeof(struct pca9450), GFP_KERNEL);
if (!pca9450)
return -ENOMEM;
@@ -784,23 +779,25 @@ static int pca9450_i2c_probe(struct i2c_client *i2c,
}
}
- ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL,
- pca9450_irq_handler,
- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT),
- "pca9450-irq", pca9450);
- if (ret != 0) {
- dev_err(pca9450->dev, "Failed to request IRQ: %d\n",
- pca9450->irq);
- return ret;
- }
- /* Unmask all interrupt except PWRON/WDOG/RSVD */
- ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_INT1_MSK,
- IRQ_VR_FLT1 | IRQ_VR_FLT2 | IRQ_LOWVSYS |
- IRQ_THERM_105 | IRQ_THERM_125,
- IRQ_PWRON | IRQ_WDOGB | IRQ_RSVD);
- if (ret) {
- dev_err(&i2c->dev, "Unmask irq error\n");
- return ret;
+ if (pca9450->irq) {
+ ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL,
+ pca9450_irq_handler,
+ (IRQF_TRIGGER_FALLING | IRQF_ONESHOT),
+ "pca9450-irq", pca9450);
+ if (ret != 0) {
+ dev_err(pca9450->dev, "Failed to request IRQ: %d\n",
+ pca9450->irq);
+ return ret;
+ }
+ /* Unmask all interrupt except PWRON/WDOG/RSVD */
+ ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_INT1_MSK,
+ IRQ_VR_FLT1 | IRQ_VR_FLT2 | IRQ_LOWVSYS |
+ IRQ_THERM_105 | IRQ_THERM_125,
+ IRQ_PWRON | IRQ_WDOGB | IRQ_RSVD);
+ if (ret) {
+ dev_err(&i2c->dev, "Unmask irq error\n");
+ return ret;
+ }
}
/* Clear PRESET_EN bit in BUCK123_DVS to use DVS registers */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 168/460] ata: libata-core: Disable LPM on ST1000DM010-2EP102
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 167/460] pmdomain: bcm: bcm2835-power: Fix broken reset status read Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 169/460] drm/amd/display: Fallback to boot snapshot for dispclk Greg Kroah-Hartman
` (134 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filippo Baiamonte,
Maximilian Pezzullo, Damien Le Moal, Niklas Cassel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maximilian Pezzullo <maximilianpezzullo@gmail.com>
commit b3b1d3ae1d87bc9398fb715c945968bf4c75a09a upstream.
According to a user report, the ST1000DM010-2EP102 has problems with LPM,
causing random system freezes. The drive belongs to the same BarraCuda
family as the ST2000DM008-2FR102 which has the same issue.
Cc: stable@vger.kernel.org
Fixes: 7627a0edef54 ("ata: ahci: Drop low power policy board type")
Reported-by: Filippo Baiamonte <filippo.ba03@bugzilla.kernel.org>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221163
Signed-off-by: Maximilian Pezzullo <maximilianpezzullo@gmail.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/libata-core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4102,6 +4102,7 @@ static const struct ata_dev_quirks_entry
ATA_QUIRK_FIRMWARE_WARN },
/* Seagate disks with LPM issues */
+ { "ST1000DM010-2EP102", NULL, ATA_QUIRK_NOLPM },
{ "ST2000DM008-2FR102", NULL, ATA_QUIRK_NOLPM },
/* drives which fail FPDMA_AA activation (some may freeze afterwards)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 244/567] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 243/567] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 245/567] regulator: pca9450: Make IRQ optional Greg Kroah-Hartman
` (133 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
Xin Liu, Florian Westphal, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuan Tan <tanyuan98@outlook.com>
[ Upstream commit 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf ]
IDLETIMER revision 0 rules reuse existing timers by label and always call
mod_timer() on timer->timer.
If the label was created first by revision 1 with XT_IDLETIMER_ALARM,
the object uses alarm timer semantics and timer->timer is never initialized.
Reusing that object from revision 0 causes mod_timer() on an uninitialized
timer_list, triggering debugobjects warnings and possible panic when
panic_on_warn=1.
Fix this by rejecting revision 0 rule insertion when an existing timer with
the same label is of ALARM type.
Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target")
Co-developed-by: Yifan Wu <yifanwucs@gmail.com>
Signed-off-by: Yifan Wu <yifanwucs@gmail.com>
Co-developed-by: Juefei Pu <tomapufckgml@gmail.com>
Signed-off-by: Juefei Pu <tomapufckgml@gmail.com>
Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
Signed-off-by: Xin Liu <dstsmallbird@foxmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_IDLETIMER.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index 9869ef3c2ab37..92a8289b1cb35 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -320,6 +320,12 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par)
info->timer = __idletimer_tg_find_by_label(info->label);
if (info->timer) {
+ if (info->timer->timer_type & XT_IDLETIMER_ALARM) {
+ pr_debug("Adding/Replacing rule with same label and different timer type is not allowed\n");
+ mutex_unlock(&list_mutex);
+ return -EINVAL;
+ }
+
info->timer->refcnt++;
mod_timer(&info->timer->timer,
msecs_to_jiffies(info->timeout * 1000) + jiffies);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 182/481] regulator: pca9450: Correct interrupt type
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 181/481] regulator: pca9450: Make IRQ optional Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 183/481] sched: idle: Make skipping governor callbacks more consistent Greg Kroah-Hartman
` (133 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 5d0efaf47ee90ac60efae790acee3a3ed99ebf80 ]
Kernel warning on i.MX8MP-EVK when doing module test:
irq: type mismatch, failed to map hwirq-3 for gpio@30200000!
Per PCA945[X] specification: The IRQ_B pin is pulled low when any unmasked
interrupt bit status is changed and it is released high once application
processor read INT1 register.
So the interrupt should be configured as IRQF_TRIGGER_LOW, not
IRQF_TRIGGER_FALLING.
Fixes: 0935ff5f1f0a4 ("regulator: pca9450: add pca9450 pmic driver")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260310-pca9450-irq-v1-1-36adf52c2c55@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/pca9450-regulator.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c
index 8848afa48598f..7922af4f7895b 100644
--- a/drivers/regulator/pca9450-regulator.c
+++ b/drivers/regulator/pca9450-regulator.c
@@ -782,7 +782,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c,
if (pca9450->irq) {
ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL,
pca9450_irq_handler,
- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT),
+ (IRQF_TRIGGER_LOW | IRQF_ONESHOT),
"pca9450-irq", pca9450);
if (ret != 0) {
dev_err(pca9450->dev, "Failed to request IRQ: %d\n",
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 169/460] drm/amd/display: Fallback to boot snapshot for dispclk
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 168/460] ata: libata-core: Disable LPM on ST1000DM010-2EP102 Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 170/460] ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() Greg Kroah-Hartman
` (133 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicholas Kazlauskas, Dillon Varone,
Alex Hung, Mario Limonciello, Alex Deucher, Dan Wheeler
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dillon Varone <Dillon.Varone@amd.com>
commit 30d937f63bd19bbcaafa4b892eb251f8bbbf04ef upstream.
[WHY & HOW]
If the dentist is unavailable, fallback to reading CLKIP via the boot
snapshot to get the current dispclk.
Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Signed-off-by: Dillon Varone <Dillon.Varone@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 2ab77600d1e55a042c02437326d3c7563e853c6c)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
@@ -65,7 +65,11 @@ static void dcn401_initialize_min_clocks
* audio corruption. Read current DISPCLK from DENTIST and request the same
* freq to ensure that the timing is valid and unchanged.
*/
- clocks->dispclk_khz = dc->clk_mgr->funcs->get_dispclk_from_dentist(dc->clk_mgr);
+ if (dc->clk_mgr->funcs->get_dispclk_from_dentist) {
+ clocks->dispclk_khz = dc->clk_mgr->funcs->get_dispclk_from_dentist(dc->clk_mgr);
+ } else {
+ clocks->dispclk_khz = dc->clk_mgr->boot_snapshot.dispclk * 1000;
+ }
}
clocks->ref_dtbclk_khz = dc->clk_mgr->bw_params->clk_table.entries[0].dtbclk_mhz * 1000;
clocks->fclk_p_state_change_support = true;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 245/567] regulator: pca9450: Make IRQ optional
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 244/567] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 246/567] regulator: pca9450: Correct interrupt type Greg Kroah-Hartman
` (132 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frieder Schrempf, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frieder Schrempf <frieder.schrempf@kontron.de>
[ Upstream commit 83808c54064eef620ad8645dfdcaffe125551532 ]
The IRQ line might not be connected on some boards. Allow the driver
to be probed without it.
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Link: https://patch.msgid.link/20240708084107.38986-5-frieder@fris.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 5d0efaf47ee9 ("regulator: pca9450: Correct interrupt type")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/pca9450-regulator.c | 41 +++++++++++++--------------
1 file changed, 19 insertions(+), 22 deletions(-)
diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c
index 2ab365d2749f9..b8f7b13b0cb08 100644
--- a/drivers/regulator/pca9450-regulator.c
+++ b/drivers/regulator/pca9450-regulator.c
@@ -711,11 +711,6 @@ static int pca9450_i2c_probe(struct i2c_client *i2c)
unsigned int reset_ctrl;
int ret;
- if (!i2c->irq) {
- dev_err(&i2c->dev, "No IRQ configured?\n");
- return -EINVAL;
- }
-
pca9450 = devm_kzalloc(&i2c->dev, sizeof(struct pca9450), GFP_KERNEL);
if (!pca9450)
return -ENOMEM;
@@ -782,23 +777,25 @@ static int pca9450_i2c_probe(struct i2c_client *i2c)
}
}
- ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL,
- pca9450_irq_handler,
- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT),
- "pca9450-irq", pca9450);
- if (ret != 0) {
- dev_err(pca9450->dev, "Failed to request IRQ: %d\n",
- pca9450->irq);
- return ret;
- }
- /* Unmask all interrupt except PWRON/WDOG/RSVD */
- ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_INT1_MSK,
- IRQ_VR_FLT1 | IRQ_VR_FLT2 | IRQ_LOWVSYS |
- IRQ_THERM_105 | IRQ_THERM_125,
- IRQ_PWRON | IRQ_WDOGB | IRQ_RSVD);
- if (ret) {
- dev_err(&i2c->dev, "Unmask irq error\n");
- return ret;
+ if (pca9450->irq) {
+ ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL,
+ pca9450_irq_handler,
+ (IRQF_TRIGGER_FALLING | IRQF_ONESHOT),
+ "pca9450-irq", pca9450);
+ if (ret != 0) {
+ dev_err(pca9450->dev, "Failed to request IRQ: %d\n",
+ pca9450->irq);
+ return ret;
+ }
+ /* Unmask all interrupt except PWRON/WDOG/RSVD */
+ ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_INT1_MSK,
+ IRQ_VR_FLT1 | IRQ_VR_FLT2 | IRQ_LOWVSYS |
+ IRQ_THERM_105 | IRQ_THERM_125,
+ IRQ_PWRON | IRQ_WDOGB | IRQ_RSVD);
+ if (ret) {
+ dev_err(&i2c->dev, "Unmask irq error\n");
+ return ret;
+ }
}
/* Clear PRESET_EN bit in BUCK123_DVS to use DVS registers */
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 183/481] sched: idle: Make skipping governor callbacks more consistent
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 182/481] regulator: pca9450: Correct interrupt type Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 184/481] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set Greg Kroah-Hartman
` (132 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Christian Loehle,
Aboorva Devarajan, Frederic Weisbecker, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit d557640e4ce589a24dca5ca7ce3b9680f471325f ]
If the cpuidle governor .select() callback is skipped because there
is only one idle state in the cpuidle driver, the .reflect() callback
should be skipped as well, at least for consistency (if not for
correctness), so do it.
Fixes: e5c9ffc6ae1b ("cpuidle: Skip governor when only one idle state is available")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Christian Loehle <christian.loehle@arm.com>
Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Link: https://patch.msgid.link/12857700.O9o76ZdvQC@rafael.j.wysocki
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpuidle/cpuidle.c | 10 ----------
kernel/sched/idle.c | 11 ++++++++++-
2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c
index 482bf87354a38..fdd25271106a3 100644
--- a/drivers/cpuidle/cpuidle.c
+++ b/drivers/cpuidle/cpuidle.c
@@ -324,16 +324,6 @@ int cpuidle_enter_state(struct cpuidle_device *dev, struct cpuidle_driver *drv,
int cpuidle_select(struct cpuidle_driver *drv, struct cpuidle_device *dev,
bool *stop_tick)
{
- /*
- * If there is only a single idle state (or none), there is nothing
- * meaningful for the governor to choose. Skip the governor and
- * always use state 0 with the tick running.
- */
- if (drv->state_count <= 1) {
- *stop_tick = false;
- return 0;
- }
-
return cpuidle_curr_governor->select(drv, dev, stop_tick);
}
diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c
index 200a0fac03b8e..6ff593a8eeb17 100644
--- a/kernel/sched/idle.c
+++ b/kernel/sched/idle.c
@@ -220,7 +220,7 @@ static void cpuidle_idle_call(void)
next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns);
call_cpuidle(drv, dev, next_state);
- } else {
+ } else if (drv->state_count > 1) {
bool stop_tick = true;
/*
@@ -238,6 +238,15 @@ static void cpuidle_idle_call(void)
* Give the governor an opportunity to reflect on the outcome
*/
cpuidle_reflect(dev, entered_state);
+ } else {
+ tick_nohz_idle_retain_tick();
+
+ /*
+ * If there is only a single idle state (or none), there is
+ * nothing meaningful for the governor to choose. Skip the
+ * governor and always use state 0.
+ */
+ call_cpuidle(drv, dev, 0);
}
exit_idle:
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 170/460] ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 169/460] drm/amd/display: Fallback to boot snapshot for dispclk Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 171/460] smb: server: fix use-after-free in smb2_open() Greg Kroah-Hartman
` (132 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit eac3361e3d5dd8067b3258c69615888eb45e9f25 upstream.
opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being
accessed after rcu_read_unlock() has been called. This creates a
race condition where the memory could be freed by a concurrent
writer between the unlock and the subsequent pointer dereferences
(opinfo->is_lease, etc.), leading to a use-after-free.
Fixes: 5fb282ba4fef ("ksmbd: fix possible null-deref in smb_lazy_parent_lease_break_close")
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/oplock.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -1123,10 +1123,12 @@ void smb_lazy_parent_lease_break_close(s
rcu_read_lock();
opinfo = rcu_dereference(fp->f_opinfo);
- rcu_read_unlock();
- if (!opinfo || !opinfo->is_lease || opinfo->o_lease->version != 2)
+ if (!opinfo || !opinfo->is_lease || opinfo->o_lease->version != 2) {
+ rcu_read_unlock();
return;
+ }
+ rcu_read_unlock();
p_ci = ksmbd_inode_lookup_lock(fp->filp->f_path.dentry->d_parent);
if (!p_ci)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 246/567] regulator: pca9450: Correct interrupt type
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 245/567] regulator: pca9450: Make IRQ optional Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 247/567] sched: idle: Make skipping governor callbacks more consistent Greg Kroah-Hartman
` (131 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 5d0efaf47ee90ac60efae790acee3a3ed99ebf80 ]
Kernel warning on i.MX8MP-EVK when doing module test:
irq: type mismatch, failed to map hwirq-3 for gpio@30200000!
Per PCA945[X] specification: The IRQ_B pin is pulled low when any unmasked
interrupt bit status is changed and it is released high once application
processor read INT1 register.
So the interrupt should be configured as IRQF_TRIGGER_LOW, not
IRQF_TRIGGER_FALLING.
Fixes: 0935ff5f1f0a4 ("regulator: pca9450: add pca9450 pmic driver")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260310-pca9450-irq-v1-1-36adf52c2c55@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/pca9450-regulator.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c
index b8f7b13b0cb08..8f09f7f15a119 100644
--- a/drivers/regulator/pca9450-regulator.c
+++ b/drivers/regulator/pca9450-regulator.c
@@ -780,7 +780,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c)
if (pca9450->irq) {
ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL,
pca9450_irq_handler,
- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT),
+ (IRQF_TRIGGER_LOW | IRQF_ONESHOT),
"pca9450-irq", pca9450);
if (ret != 0) {
dev_err(pca9450->dev, "Failed to request IRQ: %d\n",
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 184/481] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 183/481] sched: idle: Make skipping governor callbacks more consistent Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 185/481] nvme-pci: Fix race bug in nvme_poll_irqdisable() Greg Kroah-Hartman
` (131 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Shi, Weidong Zhu, Dave Tian,
Sungwoo Kim, Keith Busch, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sungwoo Kim <iam@sung-woo.kim>
[ Upstream commit b4e78f1427c7d6859229ae9616df54e1fc05a516 ]
dev->online_queues is a count incremented in nvme_init_queue. Thus,
valid indices are 0 through dev->online_queues − 1.
This patch fixes the loop condition to ensure the index stays within the
valid range. Index 0 is excluded because it is the admin queue.
KASAN splat:
==================================================================
BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]
BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404
Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74
CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: nvme-reset-wq nvme_reset_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xce/0x5d0 mm/kasan/report.c:482
kasan_report+0xdc/0x110 mm/kasan/report.c:595
__asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379
nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]
nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404
nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Allocated by task 34 on cpu 1 at 4.241550s:
kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57
kasan_save_track+0x1c/0x70 mm/kasan/common.c:78
kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__do_kmalloc_node mm/slub.c:5657 [inline]
__kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663
kmalloc_array_node_noprof include/linux/slab.h:1075 [inline]
nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline]
nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534
local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324
pci_call_probe drivers/pci/pci-driver.c:392 [inline]
__pci_device_probe drivers/pci/pci-driver.c:417 [inline]
pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451
call_driver_probe drivers/base/dd.c:583 [inline]
really_probe+0x29b/0xb70 drivers/base/dd.c:661
__driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803
driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833
__driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159
async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
The buggy address belongs to the object at ffff88800592a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 244 bytes to the right of
allocated 1152-byte region [ffff88800592a000, ffff88800592a480)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff)
page_type: f5(slab)
raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001
head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 000fffffc0000003 ffffea0000164a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88800592a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88800592a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88800592a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88800592a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88800592a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Fixes: 0f0d2c876c96 (nvme: free sq/cq dbbuf pointers when dbbuf set fails)
Acked-by: Chao Shi <cshi008@fiu.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Acked-by: Dave Tian <daveti@purdue.edu>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 7ee4362f0ccae..9f3d5959755fd 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -329,7 +329,7 @@ static void nvme_dbbuf_set(struct nvme_dev *dev)
/* Free memory and continue on */
nvme_dbbuf_dma_free(dev);
- for (i = 1; i <= dev->online_queues; i++)
+ for (i = 1; i < dev->online_queues; i++)
nvme_dbbuf_free(&dev->queues[i]);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 171/460] smb: server: fix use-after-free in smb2_open()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 170/460] ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 172/460] ksmbd: fix use-after-free by using call_rcu() for oplock_info Greg Kroah-Hartman
` (131 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marios Makassikis, Namjae Jeon,
Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marios Makassikis <mmakassikis@freebox.fr>
commit 1e689a56173827669a35da7cb2a3c78ed5c53680 upstream.
The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is
dereferenced after rcu_read_unlock(), creating a use-after-free
window.
Cc: stable@vger.kernel.org
Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -3615,10 +3615,8 @@ int smb2_open(struct ksmbd_work *work)
reconnected_fp:
rsp->StructureSize = cpu_to_le16(89);
- rcu_read_lock();
- opinfo = rcu_dereference(fp->f_opinfo);
+ opinfo = opinfo_get(fp);
rsp->OplockLevel = opinfo != NULL ? opinfo->level : 0;
- rcu_read_unlock();
rsp->Flags = 0;
rsp->CreateAction = cpu_to_le32(file_info);
rsp->CreationTime = cpu_to_le64(fp->create_time);
@@ -3659,6 +3657,7 @@ reconnected_fp:
next_ptr = &lease_ccontext->Next;
next_off = conn->vals->create_lease_size;
}
+ opinfo_put(opinfo);
if (maximal_access_ctxt) {
struct create_context *mxac_ccontext;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 247/567] sched: idle: Make skipping governor callbacks more consistent
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 246/567] regulator: pca9450: Correct interrupt type Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 248/567] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set Greg Kroah-Hartman
` (130 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Christian Loehle,
Aboorva Devarajan, Frederic Weisbecker, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit d557640e4ce589a24dca5ca7ce3b9680f471325f ]
If the cpuidle governor .select() callback is skipped because there
is only one idle state in the cpuidle driver, the .reflect() callback
should be skipped as well, at least for consistency (if not for
correctness), so do it.
Fixes: e5c9ffc6ae1b ("cpuidle: Skip governor when only one idle state is available")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Christian Loehle <christian.loehle@arm.com>
Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Link: https://patch.msgid.link/12857700.O9o76ZdvQC@rafael.j.wysocki
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpuidle/cpuidle.c | 10 ----------
kernel/sched/idle.c | 11 ++++++++++-
2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c
index aa117f2967fdf..6704d610573ad 100644
--- a/drivers/cpuidle/cpuidle.c
+++ b/drivers/cpuidle/cpuidle.c
@@ -356,16 +356,6 @@ noinstr int cpuidle_enter_state(struct cpuidle_device *dev,
int cpuidle_select(struct cpuidle_driver *drv, struct cpuidle_device *dev,
bool *stop_tick)
{
- /*
- * If there is only a single idle state (or none), there is nothing
- * meaningful for the governor to choose. Skip the governor and
- * always use state 0 with the tick running.
- */
- if (drv->state_count <= 1) {
- *stop_tick = false;
- return 0;
- }
-
return cpuidle_curr_governor->select(drv, dev, stop_tick);
}
diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c
index 565f8374ddbbf..2ba2f21a1c0f2 100644
--- a/kernel/sched/idle.c
+++ b/kernel/sched/idle.c
@@ -199,7 +199,7 @@ static void cpuidle_idle_call(void)
next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns);
call_cpuidle(drv, dev, next_state);
- } else {
+ } else if (drv->state_count > 1) {
bool stop_tick = true;
/*
@@ -217,6 +217,15 @@ static void cpuidle_idle_call(void)
* Give the governor an opportunity to reflect on the outcome
*/
cpuidle_reflect(dev, entered_state);
+ } else {
+ tick_nohz_idle_retain_tick();
+
+ /*
+ * If there is only a single idle state (or none), there is
+ * nothing meaningful for the governor to choose. Skip the
+ * governor and always use state 0.
+ */
+ call_cpuidle(drv, dev, 0);
}
exit_idle:
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 185/481] nvme-pci: Fix race bug in nvme_poll_irqdisable()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 184/481] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 186/481] i40e: fix src IP mask checks and memcpy argument names in cloud filter Greg Kroah-Hartman
` (130 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Shi, Weidong Zhu, Dave Tian,
Christoph Hellwig, Sungwoo Kim, Keith Busch, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sungwoo Kim <iam@sung-woo.kim>
[ Upstream commit fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e ]
In the following scenario, pdev can be disabled between (1) and (3) by
(2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will
return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2).
This causes IRQ warning because it tries to enable INTx IRQ that has
never been disabled before.
To fix this, save IRQ number into a local variable and ensure
disable_irq() and enable_irq() operate on the same IRQ number. Even if
pci_free_irq_vectors() frees the IRQ concurrently, disable_irq() and
enable_irq() on a stale IRQ number is still valid and safe, and the
depth accounting reamins balanced.
task 1:
nvme_poll_irqdisable()
disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1)
enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(3)
task 2:
nvme_reset_work()
nvme_dev_disable()
pdev->msix_enable = 0; ...(2)
crash log:
------------[ cut here ]------------
Unbalanced enable for IRQ 10
WARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26
Modules linked in:
CPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_timeout_work
RIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753
Code: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c <67> 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9
RSP: 0018:ffffc900001bf550 EFLAGS: 00010046
RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90
RDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0
RBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 0000000000000001
R10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000
R13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293
FS: 0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0
Call Trace:
<TASK>
enable_irq+0x121/0x1e0 kernel/irq/manage.c:797
nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494
nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744
blk_mq_rq_timed_out block/blk-mq.c:1653 [inline]
blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721
bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292
__sbitmap_for_each_set include/linux/sbitmap.h:269 [inline]
sbitmap_for_each_set include/linux/sbitmap.h:290 [inline]
bt_for_each block/blk-mq-tag.c:324 [inline]
blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536
blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
irq event stamp: 74478
hardirqs last enabled at (74477): [<ffffffffb5720a9c>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
hardirqs last enabled at (74477): [<ffffffffb5720a9c>] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202
hardirqs last disabled at (74478): [<ffffffffb57207b5>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (74478): [<ffffffffb57207b5>] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162
softirqs last enabled at (74304): [<ffffffffb1e9466c>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (74304): [<ffffffffb1e9466c>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (74304): [<ffffffffb1e9466c>] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723
softirqs last disabled at (74287): [<ffffffffb1e9466c>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (74287): [<ffffffffb1e9466c>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (74287): [<ffffffffb1e9466c>] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723
---[ end trace 0000000000000000 ]---
Fixes: fa059b856a59 (nvme-pci: Simplify nvme_poll_irqdisable)
Acked-by: Chao Shi <cshi008@fiu.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Acked-by: Dave Tian <daveti@purdue.edu>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 9f3d5959755fd..518f8c5012bdf 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1150,14 +1150,16 @@ static irqreturn_t nvme_irq_check(int irq, void *data)
static void nvme_poll_irqdisable(struct nvme_queue *nvmeq)
{
struct pci_dev *pdev = to_pci_dev(nvmeq->dev->dev);
+ int irq;
WARN_ON_ONCE(test_bit(NVMEQ_POLLED, &nvmeq->flags));
- disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));
+ irq = pci_irq_vector(pdev, nvmeq->cq_vector);
+ disable_irq(irq);
spin_lock(&nvmeq->cq_poll_lock);
nvme_poll_cq(nvmeq, NULL);
spin_unlock(&nvmeq->cq_poll_lock);
- enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));
+ enable_irq(irq);
}
static int nvme_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 172/460] ksmbd: fix use-after-free by using call_rcu() for oplock_info
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 171/460] smb: server: fix use-after-free in smb2_open() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 173/460] net: nexthop: fix percpu use-after-free in remove_nh_grp_entry Greg Kroah-Hartman
` (130 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit 1dfd062caa165ec9d7ee0823087930f3ab8a6294 upstream.
ksmbd currently frees oplock_info immediately using kfree(), even
though it is accessed under RCU read-side critical sections in places
like opinfo_get() and proc_show_files().
Since there is no RCU grace period delay between nullifying the pointer
and freeing the memory, a reader can still access oplock_info
structure after it has been freed. This can leads to a use-after-free
especially in opinfo_get() where atomic_inc_not_zero() is called on
already freed memory.
Fix this by switching to deferred freeing using call_rcu().
Fixes: 18b4fac5ef17 ("ksmbd: fix use-after-free in smb_break_all_levII_oplock()")
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/oplock.c | 29 +++++++++++++++++++++--------
fs/smb/server/oplock.h | 5 +++--
2 files changed, 24 insertions(+), 10 deletions(-)
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -120,7 +120,7 @@ static void free_lease(struct oplock_inf
kfree(lease);
}
-static void free_opinfo(struct oplock_info *opinfo)
+static void __free_opinfo(struct oplock_info *opinfo)
{
if (opinfo->is_lease)
free_lease(opinfo);
@@ -129,6 +129,18 @@ static void free_opinfo(struct oplock_in
kfree(opinfo);
}
+static void free_opinfo_rcu(struct rcu_head *rcu)
+{
+ struct oplock_info *opinfo = container_of(rcu, struct oplock_info, rcu);
+
+ __free_opinfo(opinfo);
+}
+
+static void free_opinfo(struct oplock_info *opinfo)
+{
+ call_rcu(&opinfo->rcu, free_opinfo_rcu);
+}
+
struct oplock_info *opinfo_get(struct ksmbd_file *fp)
{
struct oplock_info *opinfo;
@@ -176,9 +188,9 @@ void opinfo_put(struct oplock_info *opin
free_opinfo(opinfo);
}
-static void opinfo_add(struct oplock_info *opinfo)
+static void opinfo_add(struct oplock_info *opinfo, struct ksmbd_file *fp)
{
- struct ksmbd_inode *ci = opinfo->o_fp->f_ci;
+ struct ksmbd_inode *ci = fp->f_ci;
down_write(&ci->m_lock);
list_add(&opinfo->op_entry, &ci->m_op_list);
@@ -1279,20 +1291,21 @@ set_lev:
set_oplock_level(opinfo, req_op_level, lctx);
out:
- rcu_assign_pointer(fp->f_opinfo, opinfo);
- opinfo->o_fp = fp;
-
opinfo_count_inc(fp);
- opinfo_add(opinfo);
+ opinfo_add(opinfo, fp);
+
if (opinfo->is_lease) {
err = add_lease_global_list(opinfo);
if (err)
goto err_out;
}
+ rcu_assign_pointer(fp->f_opinfo, opinfo);
+ opinfo->o_fp = fp;
+
return 0;
err_out:
- free_opinfo(opinfo);
+ __free_opinfo(opinfo);
return err;
}
--- a/fs/smb/server/oplock.h
+++ b/fs/smb/server/oplock.h
@@ -69,8 +69,9 @@ struct oplock_info {
struct lease *o_lease;
struct list_head op_entry;
struct list_head lease_entry;
- wait_queue_head_t oplock_q; /* Other server threads */
- wait_queue_head_t oplock_brk; /* oplock breaking wait */
+ wait_queue_head_t oplock_q; /* Other server threads */
+ wait_queue_head_t oplock_brk; /* oplock breaking wait */
+ struct rcu_head rcu;
};
struct lease_break_info {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 248/567] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 247/567] sched: idle: Make skipping governor callbacks more consistent Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 249/567] nvme-pci: Fix race bug in nvme_poll_irqdisable() Greg Kroah-Hartman
` (129 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Shi, Weidong Zhu, Dave Tian,
Sungwoo Kim, Keith Busch, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sungwoo Kim <iam@sung-woo.kim>
[ Upstream commit b4e78f1427c7d6859229ae9616df54e1fc05a516 ]
dev->online_queues is a count incremented in nvme_init_queue. Thus,
valid indices are 0 through dev->online_queues − 1.
This patch fixes the loop condition to ensure the index stays within the
valid range. Index 0 is excluded because it is the admin queue.
KASAN splat:
==================================================================
BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]
BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404
Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74
CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: nvme-reset-wq nvme_reset_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xce/0x5d0 mm/kasan/report.c:482
kasan_report+0xdc/0x110 mm/kasan/report.c:595
__asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379
nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]
nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404
nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Allocated by task 34 on cpu 1 at 4.241550s:
kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57
kasan_save_track+0x1c/0x70 mm/kasan/common.c:78
kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__do_kmalloc_node mm/slub.c:5657 [inline]
__kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663
kmalloc_array_node_noprof include/linux/slab.h:1075 [inline]
nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline]
nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534
local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324
pci_call_probe drivers/pci/pci-driver.c:392 [inline]
__pci_device_probe drivers/pci/pci-driver.c:417 [inline]
pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451
call_driver_probe drivers/base/dd.c:583 [inline]
really_probe+0x29b/0xb70 drivers/base/dd.c:661
__driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803
driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833
__driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159
async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
The buggy address belongs to the object at ffff88800592a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 244 bytes to the right of
allocated 1152-byte region [ffff88800592a000, ffff88800592a480)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff)
page_type: f5(slab)
raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001
head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 000fffffc0000003 ffffea0000164a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88800592a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88800592a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88800592a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88800592a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88800592a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Fixes: 0f0d2c876c96 (nvme: free sq/cq dbbuf pointers when dbbuf set fails)
Acked-by: Chao Shi <cshi008@fiu.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Acked-by: Dave Tian <daveti@purdue.edu>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 8ea38cd6ff30d..8dd1e71ee215e 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -339,7 +339,7 @@ static void nvme_dbbuf_set(struct nvme_dev *dev)
/* Free memory and continue on */
nvme_dbbuf_dma_free(dev);
- for (i = 1; i <= dev->online_queues; i++)
+ for (i = 1; i < dev->online_queues; i++)
nvme_dbbuf_free(&dev->queues[i]);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 186/481] i40e: fix src IP mask checks and memcpy argument names in cloud filter
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 185/481] nvme-pci: Fix race bug in nvme_poll_irqdisable() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 187/481] e1000/e1000e: Fix leak in DMA error cleanup Greg Kroah-Hartman
` (129 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Aleksandr Loktionov,
Paul Menzel, Tony Nguyen, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit e809085f492842ce7a519c9ef72d40f4bca89c13 ]
Fix following issues in the IPv4 and IPv6 cloud filter handling logic in
both the add and delete paths:
- The source-IP mask check incorrectly compares mask.src_ip[0] against
tcf.dst_ip[0]. Update it to compare against tcf.src_ip[0]. This likely
goes unnoticed because the check is in an "else if" path that only
executes when dst_ip is not set, most cloud filter use cases focus on
destination-IP matching, and the buggy condition can accidentally
evaluate true in some cases.
- memcpy() for the IPv4 source address incorrectly uses
ARRAY_SIZE(tcf.dst_ip) instead of ARRAY_SIZE(tcf.src_ip), although
both arrays are the same size.
- The IPv4 memcpy operations used ARRAY_SIZE(tcf.dst_ip) and ARRAY_SIZE
(tcf.src_ip), Update these to use sizeof(cfilter->ip.v4.dst_ip) and
sizeof(cfilter->ip.v4.src_ip) to ensure correct and explicit copy size.
- In the IPv6 delete path, memcmp() uses sizeof(src_ip6) when comparing
dst_ip6 fields. Replace this with sizeof(dst_ip6) to make the intent
explicit, even though both fields are struct in6_addr.
Fixes: e284fc280473 ("i40e: Add and delete cloud filter")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index 1bba77347efbb..73ef73c69bd0a 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -3755,10 +3755,10 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg)
cfilter.n_proto = ETH_P_IP;
if (mask.dst_ip[0] & tcf.dst_ip[0])
memcpy(&cfilter.ip.v4.dst_ip, tcf.dst_ip,
- ARRAY_SIZE(tcf.dst_ip));
- else if (mask.src_ip[0] & tcf.dst_ip[0])
+ sizeof(cfilter.ip.v4.dst_ip));
+ else if (mask.src_ip[0] & tcf.src_ip[0])
memcpy(&cfilter.ip.v4.src_ip, tcf.src_ip,
- ARRAY_SIZE(tcf.dst_ip));
+ sizeof(cfilter.ip.v4.src_ip));
break;
case VIRTCHNL_TCP_V6_FLOW:
cfilter.n_proto = ETH_P_IPV6;
@@ -3813,7 +3813,7 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg)
/* for ipv6, mask is set for all sixteen bytes (4 words) */
if (cfilter.n_proto == ETH_P_IPV6 && mask.dst_ip[3])
if (memcmp(&cfilter.ip.v6.dst_ip6, &cf->ip.v6.dst_ip6,
- sizeof(cfilter.ip.v6.src_ip6)))
+ sizeof(cfilter.ip.v6.dst_ip6)))
continue;
if (mask.vlan_id)
if (cfilter.vlan_id != cf->vlan_id)
@@ -3901,10 +3901,10 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg)
cfilter->n_proto = ETH_P_IP;
if (mask.dst_ip[0] & tcf.dst_ip[0])
memcpy(&cfilter->ip.v4.dst_ip, tcf.dst_ip,
- ARRAY_SIZE(tcf.dst_ip));
- else if (mask.src_ip[0] & tcf.dst_ip[0])
+ sizeof(cfilter->ip.v4.dst_ip));
+ else if (mask.src_ip[0] & tcf.src_ip[0])
memcpy(&cfilter->ip.v4.src_ip, tcf.src_ip,
- ARRAY_SIZE(tcf.dst_ip));
+ sizeof(cfilter->ip.v4.src_ip));
break;
case VIRTCHNL_TCP_V6_FLOW:
cfilter->n_proto = ETH_P_IPV6;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 173/460] net: nexthop: fix percpu use-after-free in remove_nh_grp_entry
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 172/460] ksmbd: fix use-after-free by using call_rcu() for oplock_info Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 174/460] net: ncsi: fix skb leak in error paths Greg Kroah-Hartman
` (129 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mehul Rao, Eric Dumazet,
Ido Schimmel, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mehul Rao <mehulrao@gmail.com>
commit b2662e7593e94ae09b1cf7ee5f09160a3612bcb2 upstream.
When removing a nexthop from a group, remove_nh_grp_entry() publishes
the new group via rcu_assign_pointer() then immediately frees the
removed entry's percpu stats with free_percpu(). However, the
synchronize_net() grace period in the caller remove_nexthop_from_groups()
runs after the free. RCU readers that entered before the publish still
see the old group and can dereference the freed stats via
nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a
use-after-free on percpu memory.
Fix by deferring the free_percpu() until after synchronize_net() in the
caller. Removed entries are chained via nh_list onto a local deferred
free list. After the grace period completes and all RCU readers have
finished, the percpu stats are safely freed.
Fixes: f4676ea74b85 ("net: nexthop: Add nexthop group entry stats")
Cc: stable@vger.kernel.org
Signed-off-by: Mehul Rao <mehulrao@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260306233821.196789-1-mehulrao@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/nexthop.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -1992,7 +1992,8 @@ static void nh_hthr_group_rebalance(stru
}
static void remove_nh_grp_entry(struct net *net, struct nh_grp_entry *nhge,
- struct nl_info *nlinfo)
+ struct nl_info *nlinfo,
+ struct list_head *deferred_free)
{
struct nh_grp_entry *nhges, *new_nhges;
struct nexthop *nhp = nhge->nh_parent;
@@ -2052,8 +2053,8 @@ static void remove_nh_grp_entry(struct n
rcu_assign_pointer(nhp->nh_grp, newg);
list_del(&nhge->nh_list);
- free_percpu(nhge->stats);
nexthop_put(nhge->nh);
+ list_add(&nhge->nh_list, deferred_free);
/* Removal of a NH from a resilient group is notified through
* bucket notifications.
@@ -2073,6 +2074,7 @@ static void remove_nexthop_from_groups(s
struct nl_info *nlinfo)
{
struct nh_grp_entry *nhge, *tmp;
+ LIST_HEAD(deferred_free);
/* If there is nothing to do, let's avoid the costly call to
* synchronize_net()
@@ -2081,10 +2083,16 @@ static void remove_nexthop_from_groups(s
return;
list_for_each_entry_safe(nhge, tmp, &nh->grp_list, nh_list)
- remove_nh_grp_entry(net, nhge, nlinfo);
+ remove_nh_grp_entry(net, nhge, nlinfo, &deferred_free);
/* make sure all see the newly published array before releasing rtnl */
synchronize_net();
+
+ /* Now safe to free percpu stats — all RCU readers have finished */
+ list_for_each_entry_safe(nhge, tmp, &deferred_free, nh_list) {
+ list_del(&nhge->nh_list);
+ free_percpu(nhge->stats);
+ }
}
static void remove_nexthop_group(struct nexthop *nh, struct nl_info *nlinfo)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 249/567] nvme-pci: Fix race bug in nvme_poll_irqdisable()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 248/567] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 250/567] i40e: fix src IP mask checks and memcpy argument names in cloud filter Greg Kroah-Hartman
` (128 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Shi, Weidong Zhu, Dave Tian,
Christoph Hellwig, Sungwoo Kim, Keith Busch, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sungwoo Kim <iam@sung-woo.kim>
[ Upstream commit fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e ]
In the following scenario, pdev can be disabled between (1) and (3) by
(2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will
return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2).
This causes IRQ warning because it tries to enable INTx IRQ that has
never been disabled before.
To fix this, save IRQ number into a local variable and ensure
disable_irq() and enable_irq() operate on the same IRQ number. Even if
pci_free_irq_vectors() frees the IRQ concurrently, disable_irq() and
enable_irq() on a stale IRQ number is still valid and safe, and the
depth accounting reamins balanced.
task 1:
nvme_poll_irqdisable()
disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1)
enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(3)
task 2:
nvme_reset_work()
nvme_dev_disable()
pdev->msix_enable = 0; ...(2)
crash log:
------------[ cut here ]------------
Unbalanced enable for IRQ 10
WARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26
Modules linked in:
CPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_timeout_work
RIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753
Code: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c <67> 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9
RSP: 0018:ffffc900001bf550 EFLAGS: 00010046
RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90
RDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0
RBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 0000000000000001
R10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000
R13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293
FS: 0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0
Call Trace:
<TASK>
enable_irq+0x121/0x1e0 kernel/irq/manage.c:797
nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494
nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744
blk_mq_rq_timed_out block/blk-mq.c:1653 [inline]
blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721
bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292
__sbitmap_for_each_set include/linux/sbitmap.h:269 [inline]
sbitmap_for_each_set include/linux/sbitmap.h:290 [inline]
bt_for_each block/blk-mq-tag.c:324 [inline]
blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536
blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
irq event stamp: 74478
hardirqs last enabled at (74477): [<ffffffffb5720a9c>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
hardirqs last enabled at (74477): [<ffffffffb5720a9c>] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202
hardirqs last disabled at (74478): [<ffffffffb57207b5>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (74478): [<ffffffffb57207b5>] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162
softirqs last enabled at (74304): [<ffffffffb1e9466c>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (74304): [<ffffffffb1e9466c>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (74304): [<ffffffffb1e9466c>] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723
softirqs last disabled at (74287): [<ffffffffb1e9466c>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (74287): [<ffffffffb1e9466c>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (74287): [<ffffffffb1e9466c>] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723
---[ end trace 0000000000000000 ]---
Fixes: fa059b856a59 (nvme-pci: Simplify nvme_poll_irqdisable)
Acked-by: Chao Shi <cshi008@fiu.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Acked-by: Dave Tian <daveti@purdue.edu>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 8dd1e71ee215e..03a2ca3edb9c3 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1103,14 +1103,16 @@ static irqreturn_t nvme_irq_check(int irq, void *data)
static void nvme_poll_irqdisable(struct nvme_queue *nvmeq)
{
struct pci_dev *pdev = to_pci_dev(nvmeq->dev->dev);
+ int irq;
WARN_ON_ONCE(test_bit(NVMEQ_POLLED, &nvmeq->flags));
- disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));
+ irq = pci_irq_vector(pdev, nvmeq->cq_vector);
+ disable_irq(irq);
spin_lock(&nvmeq->cq_poll_lock);
nvme_poll_cq(nvmeq, NULL);
spin_unlock(&nvmeq->cq_poll_lock);
- enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));
+ enable_irq(irq);
}
static int nvme_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 187/481] e1000/e1000e: Fix leak in DMA error cleanup
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 186/481] i40e: fix src IP mask checks and memcpy argument names in cloud filter Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 188/481] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address() Greg Kroah-Hartman
` (128 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matt Vollrath, Tony Nguyen,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Vollrath <tactii@gmail.com>
[ Upstream commit e94eaef11142b01f77bf8ba4d0b59720b7858109 ]
If an error is encountered while mapping TX buffers, the driver should
unmap any buffers already mapped for that skb.
Because count is incremented after a successful mapping, it will always
match the correct number of unmappings needed when dma_error is reached.
Decrementing count before the while loop in dma_error causes an
off-by-one error. If any mapping was successful before an unsuccessful
mapping, exactly one DMA mapping would leak.
In these commits, a faulty while condition caused an infinite loop in
dma_error:
Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e
driver")
Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver")
Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of
unsigned in *_tx_map()") fixed the infinite loop, but introduced the
off-by-one error.
This issue may still exist in the igbvf driver, but I did not address it
in this patch.
Fixes: c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()")
Assisted-by: Claude:claude-4.6-opus
Signed-off-by: Matt Vollrath <tactii@gmail.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/e1000/e1000_main.c | 2 --
drivers/net/ethernet/intel/e1000e/netdev.c | 2 --
2 files changed, 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
index 50436fee40463..372481e945513 100644
--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
@@ -2951,8 +2951,6 @@ static int e1000_tx_map(struct e1000_adapter *adapter,
dma_error:
dev_err(&pdev->dev, "TX DMA map failed\n");
buffer_info->dma = 0;
- if (count)
- count--;
while (count--) {
if (i == 0)
diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
index cbd8357c61edc..fd056c17bd62e 100644
--- a/drivers/net/ethernet/intel/e1000e/netdev.c
+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
@@ -5632,8 +5632,6 @@ static int e1000_tx_map(struct e1000_ring *tx_ring, struct sk_buff *skb,
dma_error:
dev_err(&pdev->dev, "Tx DMA map failed\n");
buffer_info->dma = 0;
- if (count)
- count--;
while (count--) {
if (i == 0)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 174/460] net: ncsi: fix skb leak in error paths
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 173/460] net: nexthop: fix percpu use-after-free in remove_nh_grp_entry Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 175/460] net: ethernet: arc: emac: quiesce interrupts before requesting IRQ Greg Kroah-Hartman
` (128 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jian Zhang, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Zhang <zhangjian.3032@bytedance.com>
commit 5c3398a54266541610c8d0a7082e654e9ff3e259 upstream.
Early return paths in NCSI RX and AEN handlers fail to release
the received skb, resulting in a memory leak.
Specifically, ncsi_aen_handler() returns on invalid AEN packets
without consuming the skb. Similarly, ncsi_rcv_rsp() exits early
when failing to resolve the NCSI device, response handler, or
request, leaving the skb unfreed.
CC: stable@vger.kernel.org
Fixes: 7a82ecf4cfb8 ("net/ncsi: NCSI AEN packet handler")
Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler")
Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
Link: https://patch.msgid.link/20260305060656.3357250-1-zhangjian.3032@bytedance.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ncsi/ncsi-aen.c | 3 ++-
net/ncsi/ncsi-rsp.c | 16 ++++++++++++----
2 files changed, 14 insertions(+), 5 deletions(-)
--- a/net/ncsi/ncsi-aen.c
+++ b/net/ncsi/ncsi-aen.c
@@ -224,7 +224,8 @@ int ncsi_aen_handler(struct ncsi_dev_pri
if (!nah) {
netdev_warn(ndp->ndev.dev, "Invalid AEN (0x%x) received\n",
h->type);
- return -ENOENT;
+ ret = -ENOENT;
+ goto out;
}
ret = ncsi_validate_aen_pkt(h, nah->payload);
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -1176,8 +1176,10 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
/* Find the NCSI device */
nd = ncsi_find_dev(orig_dev);
ndp = nd ? TO_NCSI_DEV_PRIV(nd) : NULL;
- if (!ndp)
- return -ENODEV;
+ if (!ndp) {
+ ret = -ENODEV;
+ goto err_free_skb;
+ }
/* Check if it is AEN packet */
hdr = (struct ncsi_pkt_hdr *)skb_network_header(skb);
@@ -1199,7 +1201,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
if (!nrh) {
netdev_err(nd->dev, "Received unrecognized packet (0x%x)\n",
hdr->type);
- return -ENOENT;
+ ret = -ENOENT;
+ goto err_free_skb;
}
/* Associate with the request */
@@ -1207,7 +1210,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
nr = &ndp->requests[hdr->id];
if (!nr->used) {
spin_unlock_irqrestore(&ndp->lock, flags);
- return -ENODEV;
+ ret = -ENODEV;
+ goto err_free_skb;
}
nr->rsp = skb;
@@ -1261,4 +1265,8 @@ out_netlink:
out:
ncsi_free_request(nr);
return ret;
+
+err_free_skb:
+ kfree_skb(skb);
+ return ret;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 250/567] i40e: fix src IP mask checks and memcpy argument names in cloud filter
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 249/567] nvme-pci: Fix race bug in nvme_poll_irqdisable() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 251/567] e1000/e1000e: Fix leak in DMA error cleanup Greg Kroah-Hartman
` (127 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Aleksandr Loktionov,
Paul Menzel, Tony Nguyen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit e809085f492842ce7a519c9ef72d40f4bca89c13 ]
Fix following issues in the IPv4 and IPv6 cloud filter handling logic in
both the add and delete paths:
- The source-IP mask check incorrectly compares mask.src_ip[0] against
tcf.dst_ip[0]. Update it to compare against tcf.src_ip[0]. This likely
goes unnoticed because the check is in an "else if" path that only
executes when dst_ip is not set, most cloud filter use cases focus on
destination-IP matching, and the buggy condition can accidentally
evaluate true in some cases.
- memcpy() for the IPv4 source address incorrectly uses
ARRAY_SIZE(tcf.dst_ip) instead of ARRAY_SIZE(tcf.src_ip), although
both arrays are the same size.
- The IPv4 memcpy operations used ARRAY_SIZE(tcf.dst_ip) and ARRAY_SIZE
(tcf.src_ip), Update these to use sizeof(cfilter->ip.v4.dst_ip) and
sizeof(cfilter->ip.v4.src_ip) to ensure correct and explicit copy size.
- In the IPv6 delete path, memcmp() uses sizeof(src_ip6) when comparing
dst_ip6 fields. Replace this with sizeof(dst_ip6) to make the intent
explicit, even though both fields are struct in6_addr.
Fixes: e284fc280473 ("i40e: Add and delete cloud filter")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index 7f5538e2c9de5..a9c492d747b9f 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -3825,10 +3825,10 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg)
cfilter.n_proto = ETH_P_IP;
if (mask.dst_ip[0] & tcf.dst_ip[0])
memcpy(&cfilter.ip.v4.dst_ip, tcf.dst_ip,
- ARRAY_SIZE(tcf.dst_ip));
- else if (mask.src_ip[0] & tcf.dst_ip[0])
+ sizeof(cfilter.ip.v4.dst_ip));
+ else if (mask.src_ip[0] & tcf.src_ip[0])
memcpy(&cfilter.ip.v4.src_ip, tcf.src_ip,
- ARRAY_SIZE(tcf.dst_ip));
+ sizeof(cfilter.ip.v4.src_ip));
break;
case VIRTCHNL_TCP_V6_FLOW:
cfilter.n_proto = ETH_P_IPV6;
@@ -3883,7 +3883,7 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg)
/* for ipv6, mask is set for all sixteen bytes (4 words) */
if (cfilter.n_proto == ETH_P_IPV6 && mask.dst_ip[3])
if (memcmp(&cfilter.ip.v6.dst_ip6, &cf->ip.v6.dst_ip6,
- sizeof(cfilter.ip.v6.src_ip6)))
+ sizeof(cfilter.ip.v6.dst_ip6)))
continue;
if (mask.vlan_id)
if (cfilter.vlan_id != cf->vlan_id)
@@ -3971,10 +3971,10 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg)
cfilter->n_proto = ETH_P_IP;
if (mask.dst_ip[0] & tcf.dst_ip[0])
memcpy(&cfilter->ip.v4.dst_ip, tcf.dst_ip,
- ARRAY_SIZE(tcf.dst_ip));
- else if (mask.src_ip[0] & tcf.dst_ip[0])
+ sizeof(cfilter->ip.v4.dst_ip));
+ else if (mask.src_ip[0] & tcf.src_ip[0])
memcpy(&cfilter->ip.v4.src_ip, tcf.src_ip,
- ARRAY_SIZE(tcf.dst_ip));
+ sizeof(cfilter->ip.v4.src_ip));
break;
case VIRTCHNL_TCP_V6_FLOW:
cfilter->n_proto = ETH_P_IPV6;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 188/481] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 187/481] e1000/e1000e: Fix leak in DMA error cleanup Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 189/481] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition Greg Kroah-Hartman
` (127 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Dooks, Rafael J. Wysocki,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Dooks <ben.dooks@codethink.co.uk>
[ Upstream commit 393815f57651101f1590632092986d1d5a3a41bd ]
The pointer returned from acpi_os_map_generic_address() is
tagged with __iomem, so make the rv it is returned to also
of void __iomem * type.
Fixes the following sparse warning:
drivers/acpi/osl.c:1686:20: warning: incorrect type in assignment (different address spaces)
drivers/acpi/osl.c:1686:20: expected void *rv
drivers/acpi/osl.c:1686:20: got void [noderef] __iomem *
Fixes: 6915564dc5a8 ("ACPI: OSL: Change the type of acpi_os_map_generic_address() return value")
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
[ rjw: Subject tweak, added Fixes tag ]
Link: https://patch.msgid.link/20260311105835.463030-1-ben.dooks@codethink.co.uk
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/osl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index 3269a888fb7a9..d147c27bc6455 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -1656,7 +1656,7 @@ acpi_status __init acpi_os_initialize(void)
* Use acpi_os_map_generic_address to pre-map the reset
* register if it's in system memory.
*/
- void *rv;
+ void __iomem *rv;
rv = acpi_os_map_generic_address(&acpi_gbl_FADT.reset_register);
pr_debug("%s: Reset register mapping %s\n", __func__,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 175/460] net: ethernet: arc: emac: quiesce interrupts before requesting IRQ
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 174/460] net: ncsi: fix skb leak in error paths Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 176/460] net: dsa: microchip: Fix error path in PTP IRQ setup Greg Kroah-Hartman
` (127 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fan Wu, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fan Wu <fanwu01@zju.edu.cn>
commit 2503d08f8a2de618e5c3a8183b250ff4a2e2d52c upstream.
Normal RX/TX interrupts are enabled later, in arc_emac_open(), so probe
should not see interrupt delivery in the usual case. However, hardware may
still present stale or latched interrupt status left by firmware or the
bootloader.
If probe later unwinds after devm_request_irq() has installed the handler,
such a stale interrupt can still reach arc_emac_intr() during teardown and
race with release of the associated net_device.
Avoid that window by putting the device into a known quiescent state before
requesting the IRQ: disable all EMAC interrupt sources and clear any
pending EMAC interrupt status bits. This keeps the change hardware-focused
and minimal, while preventing spurious IRQ delivery from leftover state.
Fixes: e4f2379db6c6 ("ethernet/arc/arc_emac - Add new driver")
Cc: stable@vger.kernel.org
Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
Link: https://patch.msgid.link/20260309132409.584966-1-fanwu01@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/arc/emac_main.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/net/ethernet/arc/emac_main.c
+++ b/drivers/net/ethernet/arc/emac_main.c
@@ -934,6 +934,17 @@ int arc_emac_probe(struct net_device *nd
/* Set poll rate so that it polls every 1 ms */
arc_reg_set(priv, R_POLLRATE, clock_frequency / 1000000);
+ /*
+ * Put the device into a known quiescent state before requesting
+ * the IRQ. Clear only EMAC interrupt status bits here; leave the
+ * MDIO completion bit alone and avoid writing TXPL_MASK, which is
+ * used to force TX polling rather than acknowledge interrupts.
+ */
+ arc_reg_set(priv, R_ENABLE, 0);
+ arc_reg_set(priv, R_STATUS, RXINT_MASK | TXINT_MASK | ERR_MASK |
+ TXCH_MASK | MSER_MASK | RXCR_MASK |
+ RXFR_MASK | RXFL_MASK);
+
ndev->irq = irq;
dev_info(dev, "IRQ is %d\n", ndev->irq);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 251/567] e1000/e1000e: Fix leak in DMA error cleanup
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 250/567] i40e: fix src IP mask checks and memcpy argument names in cloud filter Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 252/567] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address() Greg Kroah-Hartman
` (126 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matt Vollrath, Tony Nguyen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Vollrath <tactii@gmail.com>
[ Upstream commit e94eaef11142b01f77bf8ba4d0b59720b7858109 ]
If an error is encountered while mapping TX buffers, the driver should
unmap any buffers already mapped for that skb.
Because count is incremented after a successful mapping, it will always
match the correct number of unmappings needed when dma_error is reached.
Decrementing count before the while loop in dma_error causes an
off-by-one error. If any mapping was successful before an unsuccessful
mapping, exactly one DMA mapping would leak.
In these commits, a faulty while condition caused an infinite loop in
dma_error:
Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e
driver")
Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver")
Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of
unsigned in *_tx_map()") fixed the infinite loop, but introduced the
off-by-one error.
This issue may still exist in the igbvf driver, but I did not address it
in this patch.
Fixes: c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()")
Assisted-by: Claude:claude-4.6-opus
Signed-off-by: Matt Vollrath <tactii@gmail.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/e1000/e1000_main.c | 2 --
drivers/net/ethernet/intel/e1000e/netdev.c | 2 --
2 files changed, 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
index d015a0a85f078..8dcb5d7c5a4b3 100644
--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
@@ -2951,8 +2951,6 @@ static int e1000_tx_map(struct e1000_adapter *adapter,
dma_error:
dev_err(&pdev->dev, "TX DMA map failed\n");
buffer_info->dma = 0;
- if (count)
- count--;
while (count--) {
if (i == 0)
diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
index 7e4fea0e186b6..9e9138ccac421 100644
--- a/drivers/net/ethernet/intel/e1000e/netdev.c
+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
@@ -5633,8 +5633,6 @@ static int e1000_tx_map(struct e1000_ring *tx_ring, struct sk_buff *skb,
dma_error:
dev_err(&pdev->dev, "Tx DMA map failed\n");
buffer_info->dma = 0;
- if (count)
- count--;
while (count--) {
if (i == 0)
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 189/481] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 188/481] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 190/481] ASoC: detect empty DMI strings Greg Kroah-Hartman
` (126 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Ni, Mark Brown, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit 53f3a900e9a383d47af7253076e19f510c5708d0 ]
The acp3x_5682_init() function did not check the return value of
clk_get(), which could lead to dereferencing error pointers in
rt5682_clk_enable().
Fix this by:
1. Changing clk_get() to the device-managed devm_clk_get().
2. Adding proper IS_ERR() checks for both clock acquisitions.
Fixes: 6b8e4e7db3cd ("ASoC: amd: Add machine driver for Raven based platform")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Link: https://patch.msgid.link/20260310024246.2153827-1-nichen@iscas.ac.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/acp3x-rt5682-max9836.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/sound/soc/amd/acp3x-rt5682-max9836.c b/sound/soc/amd/acp3x-rt5682-max9836.c
index 0543dda75b99a..a557de7e39410 100644
--- a/sound/soc/amd/acp3x-rt5682-max9836.c
+++ b/sound/soc/amd/acp3x-rt5682-max9836.c
@@ -83,8 +83,13 @@ static int acp3x_5682_init(struct snd_soc_pcm_runtime *rtd)
return ret;
}
- rt5682_dai_wclk = clk_get(component->dev, "rt5682-dai-wclk");
- rt5682_dai_bclk = clk_get(component->dev, "rt5682-dai-bclk");
+ rt5682_dai_wclk = devm_clk_get(component->dev, "rt5682-dai-wclk");
+ if (IS_ERR(rt5682_dai_wclk))
+ return PTR_ERR(rt5682_dai_wclk);
+
+ rt5682_dai_bclk = devm_clk_get(component->dev, "rt5682-dai-bclk");
+ if (IS_ERR(rt5682_dai_bclk))
+ return PTR_ERR(rt5682_dai_bclk);
ret = snd_soc_card_jack_new(card, "Headset Jack",
SND_JACK_HEADSET | SND_JACK_LINEOUT |
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 176/460] net: dsa: microchip: Fix error path in PTP IRQ setup
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 175/460] net: ethernet: arc: emac: quiesce interrupts before requesting IRQ Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 177/460] drm/amd/pm: remove invalid gpu_metrics.energy_accumulator on smu v13.0.x Greg Kroah-Hartman
` (126 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
Bastien Curutchet (Schneider Electric), Simon Horman,
Vladimir Oltean, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
commit 99c8c16a4aad0b37293cae213e15957c573cf79b upstream.
If request_threaded_irq() fails during the PTP message IRQ setup, the
newly created IRQ mapping is never disposed. Indeed, the
ksz_ptp_irq_setup()'s error path only frees the mappings that were
successfully set up.
Dispose the newly created mapping if the associated
request_threaded_irq() fails at setup.
Cc: stable@vger.kernel.org
Fixes: d0b8fec8ae505 ("net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}()")
Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
Link: https://patch.msgid.link/20260309-ksz-ptp-irq-fix-v1-1-757b3b985955@bootlin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/microchip/ksz_ptp.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--- a/drivers/net/dsa/microchip/ksz_ptp.c
+++ b/drivers/net/dsa/microchip/ksz_ptp.c
@@ -1101,6 +1101,7 @@ static int ksz_ptp_msg_irq_setup(struct
const struct ksz_dev_ops *ops = port->ksz_dev->dev_ops;
struct ksz_irq *ptpirq = &port->ptpirq;
struct ksz_ptp_irq *ptpmsg_irq;
+ int ret;
ptpmsg_irq = &port->ptpmsg_irq[n];
ptpmsg_irq->num = irq_create_mapping(ptpirq->domain, n);
@@ -1112,9 +1113,13 @@ static int ksz_ptp_msg_irq_setup(struct
snprintf(ptpmsg_irq->name, sizeof(ptpmsg_irq->name), name[n]);
- return request_threaded_irq(ptpmsg_irq->num, NULL,
- ksz_ptp_msg_thread_fn, IRQF_ONESHOT,
- ptpmsg_irq->name, ptpmsg_irq);
+ ret = request_threaded_irq(ptpmsg_irq->num, NULL,
+ ksz_ptp_msg_thread_fn, IRQF_ONESHOT,
+ ptpmsg_irq->name, ptpmsg_irq);
+ if (ret)
+ irq_dispose_mapping(ptpmsg_irq->num);
+
+ return ret;
}
int ksz_ptp_irq_setup(struct dsa_switch *ds, u8 p)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 252/567] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 251/567] e1000/e1000e: Fix leak in DMA error cleanup Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 253/567] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition Greg Kroah-Hartman
` (125 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Dooks, Rafael J. Wysocki,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Dooks <ben.dooks@codethink.co.uk>
[ Upstream commit 393815f57651101f1590632092986d1d5a3a41bd ]
The pointer returned from acpi_os_map_generic_address() is
tagged with __iomem, so make the rv it is returned to also
of void __iomem * type.
Fixes the following sparse warning:
drivers/acpi/osl.c:1686:20: warning: incorrect type in assignment (different address spaces)
drivers/acpi/osl.c:1686:20: expected void *rv
drivers/acpi/osl.c:1686:20: got void [noderef] __iomem *
Fixes: 6915564dc5a8 ("ACPI: OSL: Change the type of acpi_os_map_generic_address() return value")
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
[ rjw: Subject tweak, added Fixes tag ]
Link: https://patch.msgid.link/20260311105835.463030-1-ben.dooks@codethink.co.uk
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/osl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index f725813d0cce6..28527d246fc36 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -1656,7 +1656,7 @@ acpi_status __init acpi_os_initialize(void)
* Use acpi_os_map_generic_address to pre-map the reset
* register if it's in system memory.
*/
- void *rv;
+ void __iomem *rv;
rv = acpi_os_map_generic_address(&acpi_gbl_FADT.reset_register);
pr_debug("%s: Reset register mapping %s\n", __func__,
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 190/481] ASoC: detect empty DMI strings
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 189/481] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 191/481] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
` (125 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Casey Connolly, Mark Brown,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Casey Connolly <casey.connolly@linaro.org>
[ Upstream commit a9683730e8b1d632674f81844ed03ddfbe4821c0 ]
Some bootloaders like recent versions of U-Boot may install some DMI
properties with empty values rather than not populate them. This manages
to make its way through the validator and cleanup resulting in a rogue
hyphen being appended to the card longname.
Fixes: 4e01e5dbba96 ("ASoC: improve the DMI long card code in asoc-core")
Signed-off-by: Casey Connolly <casey.connolly@linaro.org>
Link: https://patch.msgid.link/20260306174707.283071-2-casey.connolly@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index c673453e8a747..dfd58d9db7c1f 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -1628,12 +1628,15 @@ static void cleanup_dmi_name(char *name)
/*
* Check if a DMI field is valid, i.e. not containing any string
- * in the black list.
+ * in the black list and not the empty string.
*/
static int is_dmi_valid(const char *field)
{
int i = 0;
+ if (!field[0])
+ return 0;
+
while (dmi_blacklist[i]) {
if (strstr(field, dmi_blacklist[i]))
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 177/460] drm/amd/pm: remove invalid gpu_metrics.energy_accumulator on smu v13.0.x
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 176/460] net: dsa: microchip: Fix error path in PTP IRQ setup Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 178/460] drm/amdgpu: Fix use-after-free race in VM acquire Greg Kroah-Hartman
` (125 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Wang, Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Wang <kevinyang.wang@amd.com>
commit 68785c5e79e0fc1eacf63026fbba32be3867f410 upstream.
v1:
The metrics->EnergyAccumulator field has been deprecated on newer pmfw.
v2:
add smu 13.0.0/13.0.7/13.0.10 support.
Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 8de9edb35976fa56565dc8fbb5d1310e8e10187c)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 8 +++++++-
drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 3 ++-
2 files changed, 9 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
@@ -2033,6 +2033,7 @@ static ssize_t smu_v13_0_0_get_gpu_metri
(struct gpu_metrics_v1_3 *)smu_table->gpu_metrics_table;
SmuMetricsExternal_t metrics_ext;
SmuMetrics_t *metrics = &metrics_ext.SmuMetrics;
+ uint32_t mp1_ver = amdgpu_ip_version(smu->adev, MP1_HWIP, 0);
int ret = 0;
ret = smu_cmn_get_metrics_table(smu,
@@ -2057,7 +2058,12 @@ static ssize_t smu_v13_0_0_get_gpu_metri
metrics->Vcn1ActivityPercentage);
gpu_metrics->average_socket_power = metrics->AverageSocketPower;
- gpu_metrics->energy_accumulator = metrics->EnergyAccumulator;
+
+ if ((mp1_ver == IP_VERSION(13, 0, 0) && smu->smc_fw_version <= 0x004e1e00) ||
+ (mp1_ver == IP_VERSION(13, 0, 10) && smu->smc_fw_version <= 0x00500800))
+ gpu_metrics->energy_accumulator = metrics->EnergyAccumulator;
+ else
+ gpu_metrics->energy_accumulator = UINT_MAX;
if (metrics->AverageGfxActivity <= SMU_13_0_0_BUSY_THRESHOLD)
gpu_metrics->average_gfxclk_frequency = metrics->AverageGfxclkFrequencyPostDs;
--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
@@ -2043,7 +2043,8 @@ static ssize_t smu_v13_0_7_get_gpu_metri
metrics->Vcn1ActivityPercentage);
gpu_metrics->average_socket_power = metrics->AverageSocketPower;
- gpu_metrics->energy_accumulator = metrics->EnergyAccumulator;
+ gpu_metrics->energy_accumulator = smu->smc_fw_version <= 0x00521400 ?
+ metrics->EnergyAccumulator : UINT_MAX;
if (metrics->AverageGfxActivity <= SMU_13_0_7_BUSY_THRESHOLD)
gpu_metrics->average_gfxclk_frequency = metrics->AverageGfxclkFrequencyPostDs;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 253/567] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 252/567] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 254/567] ASoC: detect empty DMI strings Greg Kroah-Hartman
` (124 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Ni, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit 53f3a900e9a383d47af7253076e19f510c5708d0 ]
The acp3x_5682_init() function did not check the return value of
clk_get(), which could lead to dereferencing error pointers in
rt5682_clk_enable().
Fix this by:
1. Changing clk_get() to the device-managed devm_clk_get().
2. Adding proper IS_ERR() checks for both clock acquisitions.
Fixes: 6b8e4e7db3cd ("ASoC: amd: Add machine driver for Raven based platform")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Link: https://patch.msgid.link/20260310024246.2153827-1-nichen@iscas.ac.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/acp3x-rt5682-max9836.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/sound/soc/amd/acp3x-rt5682-max9836.c b/sound/soc/amd/acp3x-rt5682-max9836.c
index 28ad5f5b9a766..73575f6de1ee3 100644
--- a/sound/soc/amd/acp3x-rt5682-max9836.c
+++ b/sound/soc/amd/acp3x-rt5682-max9836.c
@@ -94,8 +94,13 @@ static int acp3x_5682_init(struct snd_soc_pcm_runtime *rtd)
return ret;
}
- rt5682_dai_wclk = clk_get(component->dev, "rt5682-dai-wclk");
- rt5682_dai_bclk = clk_get(component->dev, "rt5682-dai-bclk");
+ rt5682_dai_wclk = devm_clk_get(component->dev, "rt5682-dai-wclk");
+ if (IS_ERR(rt5682_dai_wclk))
+ return PTR_ERR(rt5682_dai_wclk);
+
+ rt5682_dai_bclk = devm_clk_get(component->dev, "rt5682-dai-bclk");
+ if (IS_ERR(rt5682_dai_bclk))
+ return PTR_ERR(rt5682_dai_bclk);
ret = snd_soc_card_jack_new_pins(card, "Headset Jack",
SND_JACK_HEADSET |
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 191/481] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 190/481] ASoC: detect empty DMI strings Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 192/481] octeontx2-af: devlink: fix NIX RAS reporter recovery condition Greg Kroah-Hartman
` (124 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Ricardo B . Marlière, Hangbin Liu, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marlière <rbm@suse.com>
[ Upstream commit 30021e969d48e5819d5ae56936c2f34c0f7ce997 ]
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called
which initializes it. If bonding ARP/NS validation is enabled, an IPv6
NS/NA packet received on a slave can reach bond_validate_na(), which
calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can
crash in __ipv6_chk_addr_and_flags().
BUG: kernel NULL pointer dereference, address: 00000000000005d8
Oops: Oops: 0000 [#1] SMP NOPTI
RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170
Call Trace:
<IRQ>
ipv6_chk_addr+0x1f/0x30
bond_validate_na+0x12e/0x1d0 [bonding]
? __pfx_bond_handle_frame+0x10/0x10 [bonding]
bond_rcv_validate+0x1a0/0x450 [bonding]
bond_handle_frame+0x5e/0x290 [bonding]
? srso_alias_return_thunk+0x5/0xfbef5
__netif_receive_skb_core.constprop.0+0x3e8/0xe50
? srso_alias_return_thunk+0x5/0xfbef5
? update_cfs_rq_load_avg+0x1a/0x240
? srso_alias_return_thunk+0x5/0xfbef5
? __enqueue_entity+0x5e/0x240
__netif_receive_skb_one_core+0x39/0xa0
process_backlog+0x9c/0x150
__napi_poll+0x30/0x200
? srso_alias_return_thunk+0x5/0xfbef5
net_rx_action+0x338/0x3b0
handle_softirqs+0xc9/0x2a0
do_softirq+0x42/0x60
</IRQ>
<TASK>
__local_bh_enable_ip+0x62/0x70
__dev_queue_xmit+0x2d3/0x1000
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? packet_parse_headers+0x10a/0x1a0
packet_sendmsg+0x10da/0x1700
? kick_pool+0x5f/0x140
? srso_alias_return_thunk+0x5/0xfbef5
? __queue_work+0x12d/0x4f0
__sys_sendto+0x1f3/0x220
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x101/0xf80
? exc_page_fault+0x6e/0x170
? srso_alias_return_thunk+0x5/0xfbef5
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to
bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate()
and avoid the path to ipv6_chk_addr().
Suggested-by: Fernando Fernandez Mancera <fmancera@suse.de>
Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets")
Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20260307-net-nd_tbl_fixes-v4-2-e2677e85628c@suse.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 2296ca9003016..7fe7485fbb160 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -3387,7 +3387,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond,
} else if (is_arp) {
return bond_arp_rcv(skb, bond, slave);
#if IS_ENABLED(CONFIG_IPV6)
- } else if (is_ipv6) {
+ } else if (is_ipv6 && likely(ipv6_mod_enabled())) {
return bond_na_rcv(skb, bond, slave);
#endif
} else {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 178/460] drm/amdgpu: Fix use-after-free race in VM acquire
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 177/460] drm/amd/pm: remove invalid gpu_metrics.energy_accumulator on smu v13.0.x Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 179/460] drm/amd: Set num IP blocks to 0 if discovery fails Greg Kroah-Hartman
` (124 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harish Kasiviswanathan, Alysa Liu,
Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alysa Liu <Alysa.Liu@amd.com>
commit 2c1030f2e84885cc58bffef6af67d5b9d2e7098f upstream.
Replace non-atomic vm->process_info assignment with cmpxchg()
to prevent race when parent/child processes sharing a drm_file
both try to acquire the same VM after fork().
Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
Signed-off-by: Alysa Liu <Alysa.Liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
@@ -1403,7 +1403,10 @@ static int init_kfd_vm(struct amdgpu_vm
*process_info = info;
}
- vm->process_info = *process_info;
+ if (cmpxchg(&vm->process_info, NULL, *process_info) != NULL) {
+ ret = -EINVAL;
+ goto already_acquired;
+ }
/* Validate page directory and attach eviction fence */
ret = amdgpu_bo_reserve(vm->root.bo, true);
@@ -1443,6 +1446,7 @@ validate_pd_fail:
amdgpu_bo_unreserve(vm->root.bo);
reserve_pd_fail:
vm->process_info = NULL;
+already_acquired:
if (info) {
dma_fence_put(&info->eviction_fence->base);
*process_info = NULL;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 254/567] ASoC: detect empty DMI strings
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 253/567] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 255/567] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
` (123 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Casey Connolly, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Casey Connolly <casey.connolly@linaro.org>
[ Upstream commit a9683730e8b1d632674f81844ed03ddfbe4821c0 ]
Some bootloaders like recent versions of U-Boot may install some DMI
properties with empty values rather than not populate them. This manages
to make its way through the validator and cleanup resulting in a rogue
hyphen being appended to the card longname.
Fixes: 4e01e5dbba96 ("ASoC: improve the DMI long card code in asoc-core")
Signed-off-by: Casey Connolly <casey.connolly@linaro.org>
Link: https://patch.msgid.link/20260306174707.283071-2-casey.connolly@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index e2a4ff5414099..696f5501a27bc 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -1719,12 +1719,15 @@ static void cleanup_dmi_name(char *name)
/*
* Check if a DMI field is valid, i.e. not containing any string
- * in the black list.
+ * in the black list and not the empty string.
*/
static int is_dmi_valid(const char *field)
{
int i = 0;
+ if (!field[0])
+ return 0;
+
while (dmi_blacklist[i]) {
if (strstr(field, dmi_blacklist[i]))
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 192/481] octeontx2-af: devlink: fix NIX RAS reporter recovery condition
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 191/481] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 193/481] octeontx2-af: devlink health: use retained error fmsg API Greg Kroah-Hartman
` (123 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit dc26ca99b835e21e76a58b1463b84adb0ca34f58 ]
The NIX RAS health reporter recovery routine checks nix_af_rvu_int to
decide whether to re-enable NIX_AF_RAS interrupts. This is the RVU
interrupt status field and is unrelated to RAS events, so the recovery
flow may incorrectly skip re-enabling NIX_AF_RAS interrupts.
Check nix_af_rvu_ras instead before writing NIX_AF_RAS_ENA_W1S.
Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20260310184824.1183651-1-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
index 32fa8f2c5f4ee..48ce98ae56611 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
@@ -579,7 +579,7 @@ static int rvu_hw_nix_ras_recover(struct devlink_health_reporter *reporter,
if (blkaddr < 0)
return blkaddr;
- if (nix_event_ctx->nix_af_rvu_int)
+ if (nix_event_ctx->nix_af_rvu_ras)
rvu_write64(rvu, blkaddr, NIX_AF_RAS_ENA_W1S, ~0ULL);
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 179/460] drm/amd: Set num IP blocks to 0 if discovery fails
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 178/460] drm/amdgpu: Fix use-after-free race in VM acquire Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 180/460] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding Greg Kroah-Hartman
` (123 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lijo Lazar, Mario Limonciello,
Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 3646ff28780b4c52c5b5081443199e7a430110e5 upstream.
If discovery has failed for any reason (such as no support for a block)
then there is no need to unwind all the IP blocks in fini. In this
condition there can actually be failures during the unwind too.
Reset num_ip_blocks to zero during failure path and skip the unnecessary
cleanup path.
Suggested-by: Lijo Lazar <lijo.lazar@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit fae5984296b981c8cc3acca35b701c1f332a6cd8)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 +++-
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -2570,8 +2570,10 @@ static int amdgpu_device_ip_early_init(s
break;
default:
r = amdgpu_discovery_set_ip_blocks(adev);
- if (r)
+ if (r) {
+ adev->num_ip_blocks = 0;
return r;
+ }
break;
}
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
@@ -82,7 +82,7 @@ void amdgpu_driver_unload_kms(struct drm
{
struct amdgpu_device *adev = drm_to_adev(dev);
- if (adev == NULL)
+ if (adev == NULL || !adev->num_ip_blocks)
return;
amdgpu_unregister_gpu_instance(adev);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 255/567] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 254/567] ASoC: detect empty DMI strings Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 256/567] octeontx2-af: devlink: fix NIX RAS reporter recovery condition Greg Kroah-Hartman
` (122 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Ricardo B . Marlière, Hangbin Liu, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marlière <rbm@suse.com>
[ Upstream commit 30021e969d48e5819d5ae56936c2f34c0f7ce997 ]
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called
which initializes it. If bonding ARP/NS validation is enabled, an IPv6
NS/NA packet received on a slave can reach bond_validate_na(), which
calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can
crash in __ipv6_chk_addr_and_flags().
BUG: kernel NULL pointer dereference, address: 00000000000005d8
Oops: Oops: 0000 [#1] SMP NOPTI
RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170
Call Trace:
<IRQ>
ipv6_chk_addr+0x1f/0x30
bond_validate_na+0x12e/0x1d0 [bonding]
? __pfx_bond_handle_frame+0x10/0x10 [bonding]
bond_rcv_validate+0x1a0/0x450 [bonding]
bond_handle_frame+0x5e/0x290 [bonding]
? srso_alias_return_thunk+0x5/0xfbef5
__netif_receive_skb_core.constprop.0+0x3e8/0xe50
? srso_alias_return_thunk+0x5/0xfbef5
? update_cfs_rq_load_avg+0x1a/0x240
? srso_alias_return_thunk+0x5/0xfbef5
? __enqueue_entity+0x5e/0x240
__netif_receive_skb_one_core+0x39/0xa0
process_backlog+0x9c/0x150
__napi_poll+0x30/0x200
? srso_alias_return_thunk+0x5/0xfbef5
net_rx_action+0x338/0x3b0
handle_softirqs+0xc9/0x2a0
do_softirq+0x42/0x60
</IRQ>
<TASK>
__local_bh_enable_ip+0x62/0x70
__dev_queue_xmit+0x2d3/0x1000
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? packet_parse_headers+0x10a/0x1a0
packet_sendmsg+0x10da/0x1700
? kick_pool+0x5f/0x140
? srso_alias_return_thunk+0x5/0xfbef5
? __queue_work+0x12d/0x4f0
__sys_sendto+0x1f3/0x220
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x101/0xf80
? exc_page_fault+0x6e/0x170
? srso_alias_return_thunk+0x5/0xfbef5
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to
bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate()
and avoid the path to ipv6_chk_addr().
Suggested-by: Fernando Fernandez Mancera <fmancera@suse.de>
Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets")
Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20260307-net-nd_tbl_fixes-v4-2-e2677e85628c@suse.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index b36d1781d8463..114ebaa284daa 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -3447,7 +3447,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond,
} else if (is_arp) {
return bond_arp_rcv(skb, bond, slave);
#if IS_ENABLED(CONFIG_IPV6)
- } else if (is_ipv6) {
+ } else if (is_ipv6 && likely(ipv6_mod_enabled())) {
return bond_na_rcv(skb, bond, slave);
#endif
} else {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 193/481] octeontx2-af: devlink health: use retained error fmsg API
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 192/481] octeontx2-af: devlink: fix NIX RAS reporter recovery condition Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 194/481] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status Greg Kroah-Hartman
` (122 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jesse Brandeburg, Jiri Pirko,
Przemek Kitszel, Simon Horman, David S. Miller, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Przemek Kitszel <przemyslaw.kitszel@intel.com>
[ Upstream commit d8cf03fca3411de8a493dae5e9fcf815a4f0977e ]
Drop unneeded error checking.
devlink_fmsg_*() family of functions is now retaining errors,
so there is no need to check for them after each call.
Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 87f7dff3ec75 ("octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../marvell/octeontx2/af/rvu_devlink.c | 464 +++++-------------
1 file changed, 133 insertions(+), 331 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
index 48ce98ae56611..ae06742670dc8 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
@@ -14,26 +14,16 @@
#define DRV_NAME "octeontx2-af"
-static int rvu_report_pair_start(struct devlink_fmsg *fmsg, const char *name)
+static void rvu_report_pair_start(struct devlink_fmsg *fmsg, const char *name)
{
- int err;
-
- err = devlink_fmsg_pair_nest_start(fmsg, name);
- if (err)
- return err;
-
- return devlink_fmsg_obj_nest_start(fmsg);
+ devlink_fmsg_pair_nest_start(fmsg, name);
+ devlink_fmsg_obj_nest_start(fmsg);
}
-static int rvu_report_pair_end(struct devlink_fmsg *fmsg)
+static void rvu_report_pair_end(struct devlink_fmsg *fmsg)
{
- int err;
-
- err = devlink_fmsg_obj_nest_end(fmsg);
- if (err)
- return err;
-
- return devlink_fmsg_pair_nest_end(fmsg);
+ devlink_fmsg_obj_nest_end(fmsg);
+ devlink_fmsg_pair_nest_end(fmsg);
}
static bool rvu_common_request_irq(struct rvu *rvu, int offset,
@@ -284,175 +274,81 @@ static int rvu_nix_report_show(struct devlink_fmsg *fmsg, void *ctx,
{
struct rvu_nix_event_ctx *nix_event_context;
u64 intr_val;
- int err;
nix_event_context = ctx;
switch (health_reporter) {
case NIX_AF_RVU_INTR:
intr_val = nix_event_context->nix_af_rvu_int;
- err = rvu_report_pair_start(fmsg, "NIX_AF_RVU");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX RVU Interrupt Reg ",
- nix_event_context->nix_af_rvu_int);
- if (err)
- return err;
- if (intr_val & BIT_ULL(0)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error");
- if (err)
- return err;
- }
- err = rvu_report_pair_end(fmsg);
- if (err)
- return err;
+ rvu_report_pair_start(fmsg, "NIX_AF_RVU");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNIX RVU Interrupt Reg ",
+ nix_event_context->nix_af_rvu_int);
+ if (intr_val & BIT_ULL(0))
+ devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error");
+ rvu_report_pair_end(fmsg);
break;
case NIX_AF_RVU_GEN:
intr_val = nix_event_context->nix_af_rvu_gen;
- err = rvu_report_pair_start(fmsg, "NIX_AF_GENERAL");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX General Interrupt Reg ",
- nix_event_context->nix_af_rvu_gen);
- if (err)
- return err;
- if (intr_val & BIT_ULL(0)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tRx multicast pkt drop");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(1)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tRx mirror pkt drop");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(4)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tSMQ flush done");
- if (err)
- return err;
- }
- err = rvu_report_pair_end(fmsg);
- if (err)
- return err;
+ rvu_report_pair_start(fmsg, "NIX_AF_GENERAL");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNIX General Interrupt Reg ",
+ nix_event_context->nix_af_rvu_gen);
+ if (intr_val & BIT_ULL(0))
+ devlink_fmsg_string_put(fmsg, "\n\tRx multicast pkt drop");
+ if (intr_val & BIT_ULL(1))
+ devlink_fmsg_string_put(fmsg, "\n\tRx mirror pkt drop");
+ if (intr_val & BIT_ULL(4))
+ devlink_fmsg_string_put(fmsg, "\n\tSMQ flush done");
+ rvu_report_pair_end(fmsg);
break;
case NIX_AF_RVU_ERR:
intr_val = nix_event_context->nix_af_rvu_err;
- err = rvu_report_pair_start(fmsg, "NIX_AF_ERR");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX Error Interrupt Reg ",
- nix_event_context->nix_af_rvu_err);
- if (err)
- return err;
- if (intr_val & BIT_ULL(14)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_INST_S read");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(13)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_RES_S write");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(12)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(6)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tRx on unmapped PF_FUNC");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(5)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tRx multicast replication error");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(4)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_RX_MCE_S read");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(3)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on multicast WQE read");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(2)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on mirror WQE read");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(1)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on mirror pkt write");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(0)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on multicast pkt write");
- if (err)
- return err;
- }
- err = rvu_report_pair_end(fmsg);
- if (err)
- return err;
+ rvu_report_pair_start(fmsg, "NIX_AF_ERR");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNIX Error Interrupt Reg ",
+ nix_event_context->nix_af_rvu_err);
+ if (intr_val & BIT_ULL(14))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_INST_S read");
+ if (intr_val & BIT_ULL(13))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_RES_S write");
+ if (intr_val & BIT_ULL(12))
+ devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error");
+ if (intr_val & BIT_ULL(6))
+ devlink_fmsg_string_put(fmsg, "\n\tRx on unmapped PF_FUNC");
+ if (intr_val & BIT_ULL(5))
+ devlink_fmsg_string_put(fmsg, "\n\tRx multicast replication error");
+ if (intr_val & BIT_ULL(4))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_RX_MCE_S read");
+ if (intr_val & BIT_ULL(3))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on multicast WQE read");
+ if (intr_val & BIT_ULL(2))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on mirror WQE read");
+ if (intr_val & BIT_ULL(1))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on mirror pkt write");
+ if (intr_val & BIT_ULL(0))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on multicast pkt write");
+ rvu_report_pair_end(fmsg);
break;
case NIX_AF_RVU_RAS:
intr_val = nix_event_context->nix_af_rvu_err;
- err = rvu_report_pair_start(fmsg, "NIX_AF_RAS");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ",
- nix_event_context->nix_af_rvu_err);
- if (err)
- return err;
- err = devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:");
- if (err)
- return err;
- if (intr_val & BIT_ULL(34)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(33)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_RES_S");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(32)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tHW ctx");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(4)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tPacket from mirror buffer");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(3)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tPacket from multicast buffer");
-
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(2)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tWQE read from mirror buffer");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(1)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tWQE read from multicast buffer");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(0)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX_RX_MCE_S read");
- if (err)
- return err;
- }
- err = rvu_report_pair_end(fmsg);
- if (err)
- return err;
+ rvu_report_pair_start(fmsg, "NIX_AF_RAS");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ",
+ nix_event_context->nix_af_rvu_err);
+ devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:");
+ if (intr_val & BIT_ULL(34))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S");
+ if (intr_val & BIT_ULL(33))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_RES_S");
+ if (intr_val & BIT_ULL(32))
+ devlink_fmsg_string_put(fmsg, "\n\tHW ctx");
+ if (intr_val & BIT_ULL(4))
+ devlink_fmsg_string_put(fmsg, "\n\tPacket from mirror buffer");
+ if (intr_val & BIT_ULL(3))
+ devlink_fmsg_string_put(fmsg, "\n\tPacket from multicast buffer");
+ if (intr_val & BIT_ULL(2))
+ devlink_fmsg_string_put(fmsg, "\n\tWQE read from mirror buffer");
+ if (intr_val & BIT_ULL(1))
+ devlink_fmsg_string_put(fmsg, "\n\tWQE read from multicast buffer");
+ if (intr_val & BIT_ULL(0))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX_RX_MCE_S read");
+ rvu_report_pair_end(fmsg);
break;
default:
return -EINVAL;
@@ -919,181 +815,87 @@ static int rvu_npa_report_show(struct devlink_fmsg *fmsg, void *ctx,
struct rvu_npa_event_ctx *npa_event_context;
unsigned int alloc_dis, free_dis;
u64 intr_val;
- int err;
npa_event_context = ctx;
switch (health_reporter) {
case NPA_AF_RVU_GEN:
intr_val = npa_event_context->npa_af_rvu_gen;
- err = rvu_report_pair_start(fmsg, "NPA_AF_GENERAL");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA General Interrupt Reg ",
- npa_event_context->npa_af_rvu_gen);
- if (err)
- return err;
- if (intr_val & BIT_ULL(32)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tUnmap PF Error");
- if (err)
- return err;
- }
+ rvu_report_pair_start(fmsg, "NPA_AF_GENERAL");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNPA General Interrupt Reg ",
+ npa_event_context->npa_af_rvu_gen);
+ if (intr_val & BIT_ULL(32))
+ devlink_fmsg_string_put(fmsg, "\n\tUnmap PF Error");
free_dis = FIELD_GET(GENMASK(15, 0), intr_val);
- if (free_dis & BIT(NPA_INPQ_NIX0_RX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0: free disabled RX");
- if (err)
- return err;
- }
- if (free_dis & BIT(NPA_INPQ_NIX0_TX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0:free disabled TX");
- if (err)
- return err;
- }
- if (free_dis & BIT(NPA_INPQ_NIX1_RX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1: free disabled RX");
- if (err)
- return err;
- }
- if (free_dis & BIT(NPA_INPQ_NIX1_TX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1:free disabled TX");
- if (err)
- return err;
- }
- if (free_dis & BIT(NPA_INPQ_SSO)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for SSO");
- if (err)
- return err;
- }
- if (free_dis & BIT(NPA_INPQ_TIM)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for TIM");
- if (err)
- return err;
- }
- if (free_dis & BIT(NPA_INPQ_DPI)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for DPI");
- if (err)
- return err;
- }
- if (free_dis & BIT(NPA_INPQ_AURA_OP)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for AURA");
- if (err)
- return err;
- }
+ if (free_dis & BIT(NPA_INPQ_NIX0_RX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX0: free disabled RX");
+ if (free_dis & BIT(NPA_INPQ_NIX0_TX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX0:free disabled TX");
+ if (free_dis & BIT(NPA_INPQ_NIX1_RX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX1: free disabled RX");
+ if (free_dis & BIT(NPA_INPQ_NIX1_TX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX1:free disabled TX");
+ if (free_dis & BIT(NPA_INPQ_SSO))
+ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for SSO");
+ if (free_dis & BIT(NPA_INPQ_TIM))
+ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for TIM");
+ if (free_dis & BIT(NPA_INPQ_DPI))
+ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for DPI");
+ if (free_dis & BIT(NPA_INPQ_AURA_OP))
+ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for AURA");
alloc_dis = FIELD_GET(GENMASK(31, 16), intr_val);
- if (alloc_dis & BIT(NPA_INPQ_NIX0_RX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0: alloc disabled RX");
- if (err)
- return err;
- }
- if (alloc_dis & BIT(NPA_INPQ_NIX0_TX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0:alloc disabled TX");
- if (err)
- return err;
- }
- if (alloc_dis & BIT(NPA_INPQ_NIX1_RX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1: alloc disabled RX");
- if (err)
- return err;
- }
- if (alloc_dis & BIT(NPA_INPQ_NIX1_TX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1:alloc disabled TX");
- if (err)
- return err;
- }
- if (alloc_dis & BIT(NPA_INPQ_SSO)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for SSO");
- if (err)
- return err;
- }
- if (alloc_dis & BIT(NPA_INPQ_TIM)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for TIM");
- if (err)
- return err;
- }
- if (alloc_dis & BIT(NPA_INPQ_DPI)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for DPI");
- if (err)
- return err;
- }
- if (alloc_dis & BIT(NPA_INPQ_AURA_OP)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for AURA");
- if (err)
- return err;
- }
- err = rvu_report_pair_end(fmsg);
- if (err)
- return err;
+ if (alloc_dis & BIT(NPA_INPQ_NIX0_RX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX0: alloc disabled RX");
+ if (alloc_dis & BIT(NPA_INPQ_NIX0_TX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX0:alloc disabled TX");
+ if (alloc_dis & BIT(NPA_INPQ_NIX1_RX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX1: alloc disabled RX");
+ if (alloc_dis & BIT(NPA_INPQ_NIX1_TX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX1:alloc disabled TX");
+ if (alloc_dis & BIT(NPA_INPQ_SSO))
+ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for SSO");
+ if (alloc_dis & BIT(NPA_INPQ_TIM))
+ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for TIM");
+ if (alloc_dis & BIT(NPA_INPQ_DPI))
+ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for DPI");
+ if (alloc_dis & BIT(NPA_INPQ_AURA_OP))
+ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for AURA");
+
+ rvu_report_pair_end(fmsg);
break;
case NPA_AF_RVU_ERR:
- err = rvu_report_pair_start(fmsg, "NPA_AF_ERR");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA Error Interrupt Reg ",
- npa_event_context->npa_af_rvu_err);
- if (err)
- return err;
-
- if (npa_event_context->npa_af_rvu_err & BIT_ULL(14)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_INST_S read");
- if (err)
- return err;
- }
- if (npa_event_context->npa_af_rvu_err & BIT_ULL(13)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_RES_S write");
- if (err)
- return err;
- }
- if (npa_event_context->npa_af_rvu_err & BIT_ULL(12)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error");
- if (err)
- return err;
- }
- err = rvu_report_pair_end(fmsg);
- if (err)
- return err;
+ rvu_report_pair_start(fmsg, "NPA_AF_ERR");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNPA Error Interrupt Reg ",
+ npa_event_context->npa_af_rvu_err);
+ if (npa_event_context->npa_af_rvu_err & BIT_ULL(14))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_INST_S read");
+ if (npa_event_context->npa_af_rvu_err & BIT_ULL(13))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_RES_S write");
+ if (npa_event_context->npa_af_rvu_err & BIT_ULL(12))
+ devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error");
+ rvu_report_pair_end(fmsg);
break;
case NPA_AF_RVU_RAS:
- err = rvu_report_pair_start(fmsg, "NPA_AF_RVU_RAS");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA RAS Interrupt Reg ",
- npa_event_context->npa_af_rvu_ras);
- if (err)
- return err;
- if (npa_event_context->npa_af_rvu_ras & BIT_ULL(34)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_INST_S");
- if (err)
- return err;
- }
- if (npa_event_context->npa_af_rvu_ras & BIT_ULL(33)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_RES_S");
- if (err)
- return err;
- }
- if (npa_event_context->npa_af_rvu_ras & BIT_ULL(32)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tPoison data on HW context");
- if (err)
- return err;
- }
- err = rvu_report_pair_end(fmsg);
- if (err)
- return err;
+ rvu_report_pair_start(fmsg, "NPA_AF_RVU_RAS");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNPA RAS Interrupt Reg ",
+ npa_event_context->npa_af_rvu_ras);
+ if (npa_event_context->npa_af_rvu_ras & BIT_ULL(34))
+ devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_INST_S");
+ if (npa_event_context->npa_af_rvu_ras & BIT_ULL(33))
+ devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_RES_S");
+ if (npa_event_context->npa_af_rvu_ras & BIT_ULL(32))
+ devlink_fmsg_string_put(fmsg, "\n\tPoison data on HW context");
+ rvu_report_pair_end(fmsg);
break;
case NPA_AF_RVU_INTR:
- err = rvu_report_pair_start(fmsg, "NPA_AF_RVU");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA RVU Interrupt Reg ",
- npa_event_context->npa_af_rvu_int);
- if (err)
- return err;
- if (npa_event_context->npa_af_rvu_int & BIT_ULL(0)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error");
- if (err)
- return err;
- }
- return rvu_report_pair_end(fmsg);
+ rvu_report_pair_start(fmsg, "NPA_AF_RVU");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNPA RVU Interrupt Reg ",
+ npa_event_context->npa_af_rvu_int);
+ if (npa_event_context->npa_af_rvu_int & BIT_ULL(0))
+ devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error");
+ rvu_report_pair_end(fmsg);
+ break;
default:
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 180/460] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 179/460] drm/amd: Set num IP blocks to 0 if discovery fails Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 181/460] drm/i915: Fix potential overflow of shmem scatterlist length Greg Kroah-Hartman
` (122 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Luca Ceresoli
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
commit 2f22702dc0fee06a240404e0f7ead5b789b253d8 upstream.
The DSI frequency must be in the range:
(CHA_DSI_CLK_RANGE * 5 MHz) <= DSI freq < ((CHA_DSI_CLK_RANGE + 1) * 5 MHz)
So the register value should point to the lower range value, but
DIV_ROUND_UP() rounds the division to the higher range value, resulting in
an excess of 1 (unless the frequency is an exact multiple of 5 MHz).
For example for a 437100000 MHz clock CHA_DSI_CLK_RANGE should be 87 (0x57):
(87 * 5 = 435) <= 437.1 < (88 * 5 = 440)
but current code returns 88 (0x58).
Fix the computation by removing the DIV_ROUND_UP().
Fixes: ceb515ba29ba ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver")
Cc: stable@vger.kernel.org
Reviewed-by: Marek Vasut <marek.vasut@mailbox.org>
Link: https://patch.msgid.link/20260226-ti-sn65dsi83-dual-lvds-fixes-and-test-pattern-v1-1-2e15f5a9a6a0@bootlin.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/ti-sn65dsi83.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
@@ -303,9 +303,9 @@ static u8 sn65dsi83_get_dsi_range(struct
* DSI_CLK = mode clock * bpp / dsi_data_lanes / 2
* the 2 is there because the bus is DDR.
*/
- return DIV_ROUND_UP(clamp((unsigned int)mode->clock *
- mipi_dsi_pixel_format_to_bpp(ctx->dsi->format) /
- ctx->dsi->lanes / 2, 40000U, 500000U), 5000U);
+ return clamp((unsigned int)mode->clock *
+ mipi_dsi_pixel_format_to_bpp(ctx->dsi->format) /
+ ctx->dsi->lanes / 2, 40000U, 500000U) / 5000U;
}
static u8 sn65dsi83_get_dsi_div(struct sn65dsi83 *ctx)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 256/567] octeontx2-af: devlink: fix NIX RAS reporter recovery condition
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 255/567] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 257/567] octeontx2-af: devlink health: use retained error fmsg API Greg Kroah-Hartman
` (121 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit dc26ca99b835e21e76a58b1463b84adb0ca34f58 ]
The NIX RAS health reporter recovery routine checks nix_af_rvu_int to
decide whether to re-enable NIX_AF_RAS interrupts. This is the RVU
interrupt status field and is unrelated to RAS events, so the recovery
flow may incorrectly skip re-enabling NIX_AF_RAS interrupts.
Check nix_af_rvu_ras instead before writing NIX_AF_RAS_ENA_W1S.
Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20260310184824.1183651-1-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
index 774d8b034725d..3f86e0c3fa7a8 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
@@ -579,7 +579,7 @@ static int rvu_hw_nix_ras_recover(struct devlink_health_reporter *reporter,
if (blkaddr < 0)
return blkaddr;
- if (nix_event_ctx->nix_af_rvu_int)
+ if (nix_event_ctx->nix_af_rvu_ras)
rvu_write64(rvu, blkaddr, NIX_AF_RAS_ENA_W1S, ~0ULL);
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 194/481] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 193/481] octeontx2-af: devlink health: use retained error fmsg API Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 195/481] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() Greg Kroah-Hartman
` (121 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Jakub Kicinski,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 87f7dff3ec75b91def0024ebaaf732457f47a63b ]
The NIX RAS health report path uses nix_af_rvu_err when handling the
NIX_AF_RVU_RAS case, so the report prints the ERR interrupt status rather
than the RAS interrupt status.
Use nix_af_rvu_ras for the NIX_AF_RVU_RAS report.
Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20260310184824.1183651-2-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
index ae06742670dc8..d3aed339c69c3 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
@@ -327,10 +327,10 @@ static int rvu_nix_report_show(struct devlink_fmsg *fmsg, void *ctx,
rvu_report_pair_end(fmsg);
break;
case NIX_AF_RVU_RAS:
- intr_val = nix_event_context->nix_af_rvu_err;
+ intr_val = nix_event_context->nix_af_rvu_ras;
rvu_report_pair_start(fmsg, "NIX_AF_RAS");
devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ",
- nix_event_context->nix_af_rvu_err);
+ nix_event_context->nix_af_rvu_ras);
devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:");
if (intr_val & BIT_ULL(34))
devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S");
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 181/460] drm/i915: Fix potential overflow of shmem scatterlist length
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 180/460] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 182/460] drm/msm: Fix dma_free_attrs() buffer size Greg Kroah-Hartman
` (121 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Andrew Morton, Janusz Krzysztofik, Andi Shyti, Tvrtko Ursulin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
commit 029ae067431ab9d0fca479bdabe780fa436706ea upstream.
When a scatterlists table of a GEM shmem object of size 4 GB or more is
populated with pages allocated from a folio, unsigned int .length
attribute of a scatterlist may get overflowed if total byte length of
pages allocated to that single scatterlist happens to reach or cross the
4GB limit. As a consequence, users of the object may suffer from hitting
unexpected, premature end of the object's backing pages.
[278.780187] ------------[ cut here ]------------
[278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg+0x199/0x1d0 [i915]
...
[278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gem_mmap_offset Tainted: G S U 6.17.0-rc1-CI_DRM_16981-ged823aaa0607+ #1 PREEMPT(voluntary)
[278.780656] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
[278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024
[278.780659] RIP: 0010:remap_sg+0x199/0x1d0 [i915]
...
[278.780786] Call Trace:
[278.780787] <TASK>
[278.780788] ? __apply_to_page_range+0x3e6/0x910
[278.780795] ? __pfx_remap_sg+0x10/0x10 [i915]
[278.780906] apply_to_page_range+0x14/0x30
[278.780908] remap_io_sg+0x14d/0x260 [i915]
[278.781013] vm_fault_cpu+0xd2/0x330 [i915]
[278.781137] __do_fault+0x3a/0x1b0
[278.781140] do_fault+0x322/0x640
[278.781143] __handle_mm_fault+0x938/0xfd0
[278.781150] handle_mm_fault+0x12c/0x300
[278.781152] ? lock_mm_and_find_vma+0x4b/0x760
[278.781155] do_user_addr_fault+0x2d6/0x8e0
[278.781160] exc_page_fault+0x96/0x2c0
[278.781165] asm_exc_page_fault+0x27/0x30
...
That issue was apprehended by the author of a change that introduced it,
and potential risk even annotated with a comment, but then never addressed.
When adding folio pages to a scatterlist table, take care of byte length
of any single scatterlist not exceeding max_segment.
Fixes: 0b62af28f249b ("i915: convert shmem_sg_free_table() to use a folio_batch")
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14809
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org # v6.5+
Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Link: https://lore.kernel.org/r/20260224094944.2447913-2-janusz.krzysztofik@linux.intel.com
(cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c
@@ -151,8 +151,12 @@ int shmem_sg_alloc_table(struct drm_i915
}
} while (1);
- nr_pages = min_t(unsigned long,
- folio_nr_pages(folio), page_count - i);
+ nr_pages = min_array(((unsigned long[]) {
+ folio_nr_pages(folio),
+ page_count - i,
+ max_segment / PAGE_SIZE,
+ }), 3);
+
if (!i ||
sg->length >= max_segment ||
folio_pfn(folio) != next_pfn) {
@@ -162,7 +166,9 @@ int shmem_sg_alloc_table(struct drm_i915
st->nents++;
sg_set_folio(sg, folio, nr_pages * PAGE_SIZE, 0);
} else {
- /* XXX: could overflow? */
+ nr_pages = min_t(unsigned long, nr_pages,
+ (max_segment - sg->length) / PAGE_SIZE);
+
sg->length += nr_pages * PAGE_SIZE;
}
next_pfn = folio_pfn(folio) + nr_pages;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 257/567] octeontx2-af: devlink health: use retained error fmsg API
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 256/567] octeontx2-af: devlink: fix NIX RAS reporter recovery condition Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 258/567] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status Greg Kroah-Hartman
` (120 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jesse Brandeburg, Jiri Pirko,
Przemek Kitszel, Simon Horman, David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Przemek Kitszel <przemyslaw.kitszel@intel.com>
[ Upstream commit d8cf03fca3411de8a493dae5e9fcf815a4f0977e ]
Drop unneeded error checking.
devlink_fmsg_*() family of functions is now retaining errors,
so there is no need to check for them after each call.
Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 87f7dff3ec75 ("octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../marvell/octeontx2/af/rvu_devlink.c | 464 +++++-------------
1 file changed, 133 insertions(+), 331 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
index 3f86e0c3fa7a8..e8c920c7b8d18 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
@@ -14,26 +14,16 @@
#define DRV_NAME "octeontx2-af"
-static int rvu_report_pair_start(struct devlink_fmsg *fmsg, const char *name)
+static void rvu_report_pair_start(struct devlink_fmsg *fmsg, const char *name)
{
- int err;
-
- err = devlink_fmsg_pair_nest_start(fmsg, name);
- if (err)
- return err;
-
- return devlink_fmsg_obj_nest_start(fmsg);
+ devlink_fmsg_pair_nest_start(fmsg, name);
+ devlink_fmsg_obj_nest_start(fmsg);
}
-static int rvu_report_pair_end(struct devlink_fmsg *fmsg)
+static void rvu_report_pair_end(struct devlink_fmsg *fmsg)
{
- int err;
-
- err = devlink_fmsg_obj_nest_end(fmsg);
- if (err)
- return err;
-
- return devlink_fmsg_pair_nest_end(fmsg);
+ devlink_fmsg_obj_nest_end(fmsg);
+ devlink_fmsg_pair_nest_end(fmsg);
}
static bool rvu_common_request_irq(struct rvu *rvu, int offset,
@@ -284,175 +274,81 @@ static int rvu_nix_report_show(struct devlink_fmsg *fmsg, void *ctx,
{
struct rvu_nix_event_ctx *nix_event_context;
u64 intr_val;
- int err;
nix_event_context = ctx;
switch (health_reporter) {
case NIX_AF_RVU_INTR:
intr_val = nix_event_context->nix_af_rvu_int;
- err = rvu_report_pair_start(fmsg, "NIX_AF_RVU");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX RVU Interrupt Reg ",
- nix_event_context->nix_af_rvu_int);
- if (err)
- return err;
- if (intr_val & BIT_ULL(0)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error");
- if (err)
- return err;
- }
- err = rvu_report_pair_end(fmsg);
- if (err)
- return err;
+ rvu_report_pair_start(fmsg, "NIX_AF_RVU");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNIX RVU Interrupt Reg ",
+ nix_event_context->nix_af_rvu_int);
+ if (intr_val & BIT_ULL(0))
+ devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error");
+ rvu_report_pair_end(fmsg);
break;
case NIX_AF_RVU_GEN:
intr_val = nix_event_context->nix_af_rvu_gen;
- err = rvu_report_pair_start(fmsg, "NIX_AF_GENERAL");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX General Interrupt Reg ",
- nix_event_context->nix_af_rvu_gen);
- if (err)
- return err;
- if (intr_val & BIT_ULL(0)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tRx multicast pkt drop");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(1)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tRx mirror pkt drop");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(4)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tSMQ flush done");
- if (err)
- return err;
- }
- err = rvu_report_pair_end(fmsg);
- if (err)
- return err;
+ rvu_report_pair_start(fmsg, "NIX_AF_GENERAL");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNIX General Interrupt Reg ",
+ nix_event_context->nix_af_rvu_gen);
+ if (intr_val & BIT_ULL(0))
+ devlink_fmsg_string_put(fmsg, "\n\tRx multicast pkt drop");
+ if (intr_val & BIT_ULL(1))
+ devlink_fmsg_string_put(fmsg, "\n\tRx mirror pkt drop");
+ if (intr_val & BIT_ULL(4))
+ devlink_fmsg_string_put(fmsg, "\n\tSMQ flush done");
+ rvu_report_pair_end(fmsg);
break;
case NIX_AF_RVU_ERR:
intr_val = nix_event_context->nix_af_rvu_err;
- err = rvu_report_pair_start(fmsg, "NIX_AF_ERR");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX Error Interrupt Reg ",
- nix_event_context->nix_af_rvu_err);
- if (err)
- return err;
- if (intr_val & BIT_ULL(14)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_INST_S read");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(13)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_RES_S write");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(12)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(6)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tRx on unmapped PF_FUNC");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(5)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tRx multicast replication error");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(4)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_RX_MCE_S read");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(3)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on multicast WQE read");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(2)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on mirror WQE read");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(1)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on mirror pkt write");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(0)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on multicast pkt write");
- if (err)
- return err;
- }
- err = rvu_report_pair_end(fmsg);
- if (err)
- return err;
+ rvu_report_pair_start(fmsg, "NIX_AF_ERR");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNIX Error Interrupt Reg ",
+ nix_event_context->nix_af_rvu_err);
+ if (intr_val & BIT_ULL(14))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_INST_S read");
+ if (intr_val & BIT_ULL(13))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_RES_S write");
+ if (intr_val & BIT_ULL(12))
+ devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error");
+ if (intr_val & BIT_ULL(6))
+ devlink_fmsg_string_put(fmsg, "\n\tRx on unmapped PF_FUNC");
+ if (intr_val & BIT_ULL(5))
+ devlink_fmsg_string_put(fmsg, "\n\tRx multicast replication error");
+ if (intr_val & BIT_ULL(4))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_RX_MCE_S read");
+ if (intr_val & BIT_ULL(3))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on multicast WQE read");
+ if (intr_val & BIT_ULL(2))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on mirror WQE read");
+ if (intr_val & BIT_ULL(1))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on mirror pkt write");
+ if (intr_val & BIT_ULL(0))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on multicast pkt write");
+ rvu_report_pair_end(fmsg);
break;
case NIX_AF_RVU_RAS:
intr_val = nix_event_context->nix_af_rvu_err;
- err = rvu_report_pair_start(fmsg, "NIX_AF_RAS");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ",
- nix_event_context->nix_af_rvu_err);
- if (err)
- return err;
- err = devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:");
- if (err)
- return err;
- if (intr_val & BIT_ULL(34)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(33)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_RES_S");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(32)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tHW ctx");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(4)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tPacket from mirror buffer");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(3)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tPacket from multicast buffer");
-
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(2)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tWQE read from mirror buffer");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(1)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tWQE read from multicast buffer");
- if (err)
- return err;
- }
- if (intr_val & BIT_ULL(0)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX_RX_MCE_S read");
- if (err)
- return err;
- }
- err = rvu_report_pair_end(fmsg);
- if (err)
- return err;
+ rvu_report_pair_start(fmsg, "NIX_AF_RAS");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ",
+ nix_event_context->nix_af_rvu_err);
+ devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:");
+ if (intr_val & BIT_ULL(34))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S");
+ if (intr_val & BIT_ULL(33))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_RES_S");
+ if (intr_val & BIT_ULL(32))
+ devlink_fmsg_string_put(fmsg, "\n\tHW ctx");
+ if (intr_val & BIT_ULL(4))
+ devlink_fmsg_string_put(fmsg, "\n\tPacket from mirror buffer");
+ if (intr_val & BIT_ULL(3))
+ devlink_fmsg_string_put(fmsg, "\n\tPacket from multicast buffer");
+ if (intr_val & BIT_ULL(2))
+ devlink_fmsg_string_put(fmsg, "\n\tWQE read from mirror buffer");
+ if (intr_val & BIT_ULL(1))
+ devlink_fmsg_string_put(fmsg, "\n\tWQE read from multicast buffer");
+ if (intr_val & BIT_ULL(0))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX_RX_MCE_S read");
+ rvu_report_pair_end(fmsg);
break;
default:
return -EINVAL;
@@ -919,181 +815,87 @@ static int rvu_npa_report_show(struct devlink_fmsg *fmsg, void *ctx,
struct rvu_npa_event_ctx *npa_event_context;
unsigned int alloc_dis, free_dis;
u64 intr_val;
- int err;
npa_event_context = ctx;
switch (health_reporter) {
case NPA_AF_RVU_GEN:
intr_val = npa_event_context->npa_af_rvu_gen;
- err = rvu_report_pair_start(fmsg, "NPA_AF_GENERAL");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA General Interrupt Reg ",
- npa_event_context->npa_af_rvu_gen);
- if (err)
- return err;
- if (intr_val & BIT_ULL(32)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tUnmap PF Error");
- if (err)
- return err;
- }
+ rvu_report_pair_start(fmsg, "NPA_AF_GENERAL");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNPA General Interrupt Reg ",
+ npa_event_context->npa_af_rvu_gen);
+ if (intr_val & BIT_ULL(32))
+ devlink_fmsg_string_put(fmsg, "\n\tUnmap PF Error");
free_dis = FIELD_GET(GENMASK(15, 0), intr_val);
- if (free_dis & BIT(NPA_INPQ_NIX0_RX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0: free disabled RX");
- if (err)
- return err;
- }
- if (free_dis & BIT(NPA_INPQ_NIX0_TX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0:free disabled TX");
- if (err)
- return err;
- }
- if (free_dis & BIT(NPA_INPQ_NIX1_RX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1: free disabled RX");
- if (err)
- return err;
- }
- if (free_dis & BIT(NPA_INPQ_NIX1_TX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1:free disabled TX");
- if (err)
- return err;
- }
- if (free_dis & BIT(NPA_INPQ_SSO)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for SSO");
- if (err)
- return err;
- }
- if (free_dis & BIT(NPA_INPQ_TIM)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for TIM");
- if (err)
- return err;
- }
- if (free_dis & BIT(NPA_INPQ_DPI)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for DPI");
- if (err)
- return err;
- }
- if (free_dis & BIT(NPA_INPQ_AURA_OP)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for AURA");
- if (err)
- return err;
- }
+ if (free_dis & BIT(NPA_INPQ_NIX0_RX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX0: free disabled RX");
+ if (free_dis & BIT(NPA_INPQ_NIX0_TX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX0:free disabled TX");
+ if (free_dis & BIT(NPA_INPQ_NIX1_RX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX1: free disabled RX");
+ if (free_dis & BIT(NPA_INPQ_NIX1_TX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX1:free disabled TX");
+ if (free_dis & BIT(NPA_INPQ_SSO))
+ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for SSO");
+ if (free_dis & BIT(NPA_INPQ_TIM))
+ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for TIM");
+ if (free_dis & BIT(NPA_INPQ_DPI))
+ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for DPI");
+ if (free_dis & BIT(NPA_INPQ_AURA_OP))
+ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for AURA");
alloc_dis = FIELD_GET(GENMASK(31, 16), intr_val);
- if (alloc_dis & BIT(NPA_INPQ_NIX0_RX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0: alloc disabled RX");
- if (err)
- return err;
- }
- if (alloc_dis & BIT(NPA_INPQ_NIX0_TX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0:alloc disabled TX");
- if (err)
- return err;
- }
- if (alloc_dis & BIT(NPA_INPQ_NIX1_RX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1: alloc disabled RX");
- if (err)
- return err;
- }
- if (alloc_dis & BIT(NPA_INPQ_NIX1_TX)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1:alloc disabled TX");
- if (err)
- return err;
- }
- if (alloc_dis & BIT(NPA_INPQ_SSO)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for SSO");
- if (err)
- return err;
- }
- if (alloc_dis & BIT(NPA_INPQ_TIM)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for TIM");
- if (err)
- return err;
- }
- if (alloc_dis & BIT(NPA_INPQ_DPI)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for DPI");
- if (err)
- return err;
- }
- if (alloc_dis & BIT(NPA_INPQ_AURA_OP)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for AURA");
- if (err)
- return err;
- }
- err = rvu_report_pair_end(fmsg);
- if (err)
- return err;
+ if (alloc_dis & BIT(NPA_INPQ_NIX0_RX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX0: alloc disabled RX");
+ if (alloc_dis & BIT(NPA_INPQ_NIX0_TX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX0:alloc disabled TX");
+ if (alloc_dis & BIT(NPA_INPQ_NIX1_RX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX1: alloc disabled RX");
+ if (alloc_dis & BIT(NPA_INPQ_NIX1_TX))
+ devlink_fmsg_string_put(fmsg, "\n\tNIX1:alloc disabled TX");
+ if (alloc_dis & BIT(NPA_INPQ_SSO))
+ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for SSO");
+ if (alloc_dis & BIT(NPA_INPQ_TIM))
+ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for TIM");
+ if (alloc_dis & BIT(NPA_INPQ_DPI))
+ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for DPI");
+ if (alloc_dis & BIT(NPA_INPQ_AURA_OP))
+ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for AURA");
+
+ rvu_report_pair_end(fmsg);
break;
case NPA_AF_RVU_ERR:
- err = rvu_report_pair_start(fmsg, "NPA_AF_ERR");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA Error Interrupt Reg ",
- npa_event_context->npa_af_rvu_err);
- if (err)
- return err;
-
- if (npa_event_context->npa_af_rvu_err & BIT_ULL(14)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_INST_S read");
- if (err)
- return err;
- }
- if (npa_event_context->npa_af_rvu_err & BIT_ULL(13)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_RES_S write");
- if (err)
- return err;
- }
- if (npa_event_context->npa_af_rvu_err & BIT_ULL(12)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error");
- if (err)
- return err;
- }
- err = rvu_report_pair_end(fmsg);
- if (err)
- return err;
+ rvu_report_pair_start(fmsg, "NPA_AF_ERR");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNPA Error Interrupt Reg ",
+ npa_event_context->npa_af_rvu_err);
+ if (npa_event_context->npa_af_rvu_err & BIT_ULL(14))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_INST_S read");
+ if (npa_event_context->npa_af_rvu_err & BIT_ULL(13))
+ devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_RES_S write");
+ if (npa_event_context->npa_af_rvu_err & BIT_ULL(12))
+ devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error");
+ rvu_report_pair_end(fmsg);
break;
case NPA_AF_RVU_RAS:
- err = rvu_report_pair_start(fmsg, "NPA_AF_RVU_RAS");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA RAS Interrupt Reg ",
- npa_event_context->npa_af_rvu_ras);
- if (err)
- return err;
- if (npa_event_context->npa_af_rvu_ras & BIT_ULL(34)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_INST_S");
- if (err)
- return err;
- }
- if (npa_event_context->npa_af_rvu_ras & BIT_ULL(33)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_RES_S");
- if (err)
- return err;
- }
- if (npa_event_context->npa_af_rvu_ras & BIT_ULL(32)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tPoison data on HW context");
- if (err)
- return err;
- }
- err = rvu_report_pair_end(fmsg);
- if (err)
- return err;
+ rvu_report_pair_start(fmsg, "NPA_AF_RVU_RAS");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNPA RAS Interrupt Reg ",
+ npa_event_context->npa_af_rvu_ras);
+ if (npa_event_context->npa_af_rvu_ras & BIT_ULL(34))
+ devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_INST_S");
+ if (npa_event_context->npa_af_rvu_ras & BIT_ULL(33))
+ devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_RES_S");
+ if (npa_event_context->npa_af_rvu_ras & BIT_ULL(32))
+ devlink_fmsg_string_put(fmsg, "\n\tPoison data on HW context");
+ rvu_report_pair_end(fmsg);
break;
case NPA_AF_RVU_INTR:
- err = rvu_report_pair_start(fmsg, "NPA_AF_RVU");
- if (err)
- return err;
- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA RVU Interrupt Reg ",
- npa_event_context->npa_af_rvu_int);
- if (err)
- return err;
- if (npa_event_context->npa_af_rvu_int & BIT_ULL(0)) {
- err = devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error");
- if (err)
- return err;
- }
- return rvu_report_pair_end(fmsg);
+ rvu_report_pair_start(fmsg, "NPA_AF_RVU");
+ devlink_fmsg_u64_pair_put(fmsg, "\tNPA RVU Interrupt Reg ",
+ npa_event_context->npa_af_rvu_int);
+ if (npa_event_context->npa_af_rvu_int & BIT_ULL(0))
+ devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error");
+ rvu_report_pair_end(fmsg);
+ break;
default:
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 195/481] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 194/481] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 196/481] Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on" Greg Kroah-Hartman
` (120 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Seungjin Bae, Alan Stern,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seungjin Bae <eeodqql09@gmail.com>
[ Upstream commit 8479891d1f04a8ce55366fe4ca361ccdb96f02e1 ]
The `check_command_size_in_blocks()` function calculates the data size
in bytes by left shifting `common->data_size_from_cmnd` by the block
size (`common->curlun->blkbits`). However, it does not validate whether
this shift operation will cause an integer overflow.
Initially, the block size is set up in `fsg_lun_open()` , and the
`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During
initialization, there is no integer overflow check for the interaction
between two variables.
So if a malicious USB host sends a SCSI READ or WRITE command
requesting a large amount of data (`common->data_size_from_cmnd`), the
left shift operation can wrap around. This results in a truncated data
size, which can bypass boundary checks and potentially lead to memory
corruption or out-of-bounds accesses.
Fix this by using the check_shl_overflow() macro to safely perform the
shift and catch any overflows.
Fixes: 144974e7f9e3 ("usb: gadget: mass_storage: support multi-luns with different logic block size")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20260228104324.1696455-2-eeodqql09@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/f_mass_storage.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c
index d35f30a9cae2c..e364b7b4d82b9 100644
--- a/drivers/usb/gadget/function/f_mass_storage.c
+++ b/drivers/usb/gadget/function/f_mass_storage.c
@@ -179,6 +179,7 @@
#include <linux/kthread.h>
#include <linux/sched/signal.h>
#include <linux/limits.h>
+#include <linux/overflow.h>
#include <linux/pagemap.h>
#include <linux/rwsem.h>
#include <linux/slab.h>
@@ -1852,8 +1853,15 @@ static int check_command_size_in_blocks(struct fsg_common *common,
int cmnd_size, enum data_direction data_dir,
unsigned int mask, int needs_medium, const char *name)
{
- if (common->curlun)
- common->data_size_from_cmnd <<= common->curlun->blkbits;
+ if (common->curlun) {
+ if (check_shl_overflow(common->data_size_from_cmnd,
+ common->curlun->blkbits,
+ &common->data_size_from_cmnd)) {
+ common->phase_error = 1;
+ return -EINVAL;
+ }
+ }
+
return check_command(common, cmnd_size, data_dir,
mask, needs_medium, name);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 182/460] drm/msm: Fix dma_free_attrs() buffer size
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 181/460] drm/i915: Fix potential overflow of shmem scatterlist length Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 183/460] tracing: Fix enabling multiple events on the kernel command line and bootconfig Greg Kroah-Hartman
` (120 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Dmitry Baryshkov,
Rob Clark
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit e4eb6e4dd6348dd00e19c2275e3fbaed304ca3bd upstream.
The gpummu->table buffer is alloc'd with size TABLE_SIZE + 32 in
a2xx_gpummu_new() but freed with size TABLE_SIZE in
a2xx_gpummu_destroy().
Change the free size to match the allocation.
Fixes: c2052a4e5c99 ("drm/msm: implement a2xx mmu")
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/707340/
Message-ID: <20260226095714.12126-2-fourier.thomas@gmail.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/msm/adreno/a2xx_gpummu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/msm/adreno/a2xx_gpummu.c
+++ b/drivers/gpu/drm/msm/adreno/a2xx_gpummu.c
@@ -79,7 +79,7 @@ static void a2xx_gpummu_destroy(struct m
{
struct a2xx_gpummu *gpummu = to_a2xx_gpummu(mmu);
- dma_free_attrs(mmu->dev, TABLE_SIZE, gpummu->table, gpummu->pt_base,
+ dma_free_attrs(mmu->dev, TABLE_SIZE + 32, gpummu->table, gpummu->pt_base,
DMA_ATTR_FORCE_CONTIGUOUS);
kfree(gpummu);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 258/567] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 257/567] octeontx2-af: devlink health: use retained error fmsg API Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 259/567] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() Greg Kroah-Hartman
` (119 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 87f7dff3ec75b91def0024ebaaf732457f47a63b ]
The NIX RAS health report path uses nix_af_rvu_err when handling the
NIX_AF_RVU_RAS case, so the report prints the ERR interrupt status rather
than the RAS interrupt status.
Use nix_af_rvu_ras for the NIX_AF_RVU_RAS report.
Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20260310184824.1183651-2-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
index e8c920c7b8d18..f524ecb4645a9 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
@@ -327,10 +327,10 @@ static int rvu_nix_report_show(struct devlink_fmsg *fmsg, void *ctx,
rvu_report_pair_end(fmsg);
break;
case NIX_AF_RVU_RAS:
- intr_val = nix_event_context->nix_af_rvu_err;
+ intr_val = nix_event_context->nix_af_rvu_ras;
rvu_report_pair_start(fmsg, "NIX_AF_RAS");
devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ",
- nix_event_context->nix_af_rvu_err);
+ nix_event_context->nix_af_rvu_ras);
devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:");
if (intr_val & BIT_ULL(34))
devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S");
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 196/481] Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on"
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 195/481] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 197/481] cgroup: fix race between task migration and iteration Greg Kroah-Hartman
` (119 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marco Mattiolo, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit d2a3230c1f655e5d1560ec005805f800b9873292.
The backport applied regulator-boot-on to vreg_l12a_1p8 (ldo12) instead
of vreg_l14a_1p88 (ldo14) due to identical surrounding context lines.
Reported-by: Marco Mattiolo <marco.mattiolo@hotmail.it>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi
index ab2a9d1ff8865..281e1178a2f46 100644
--- a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi
+++ b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi
@@ -224,7 +224,6 @@ vreg_l12a_1p8: ldo12 {
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
- regulator-boot-on;
};
vreg_l14a_1p88: ldo14 {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 183/460] tracing: Fix enabling multiple events on the kernel command line and bootconfig
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 182/460] drm/msm: Fix dma_free_attrs() buffer size Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 184/460] tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G Greg Kroah-Hartman
` (119 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Andrei-Alexandru Tachici, Steven Rostedt (Google)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrei-Alexandru Tachici <andrei-alexandru.tachici@oss.qualcomm.com>
commit 3b1679e086bb869ca02722f6bd29b3573a6a0e7e upstream.
Multiple events can be enabled on the kernel command line via a comma
separator. But if the are specified one at a time, then only the last
event is enabled. This is because the event names are saved in a temporary
buffer, and each call by the init cmdline code will reset that buffer.
This also affects names in the boot config file, as it may call the
callback multiple times with an example of:
kernel.trace_event = ":mod:rproc_qcom_common", ":mod:qrtr", ":mod:qcom_aoss"
Change the cmdline callback function to append a comma and the next value
if the temporary buffer already has content.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/20260302-trace-events-allow-multiple-modules-v1-1-ce4436e37fb8@oss.qualcomm.com
Signed-off-by: Andrei-Alexandru Tachici <andrei-alexandru.tachici@oss.qualcomm.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -3999,7 +3999,11 @@ static char bootup_event_buf[COMMAND_LIN
static __init int setup_trace_event(char *str)
{
- strscpy(bootup_event_buf, str, COMMAND_LINE_SIZE);
+ if (bootup_event_buf[0] != '\0')
+ strlcat(bootup_event_buf, ",", COMMAND_LINE_SIZE);
+
+ strlcat(bootup_event_buf, str, COMMAND_LINE_SIZE);
+
trace_set_ring_buffer_expanded(NULL);
disable_tracing_selftest("running event tracing");
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 259/567] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 258/567] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 260/567] Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on" Greg Kroah-Hartman
` (118 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Seungjin Bae, Alan Stern,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seungjin Bae <eeodqql09@gmail.com>
[ Upstream commit 8479891d1f04a8ce55366fe4ca361ccdb96f02e1 ]
The `check_command_size_in_blocks()` function calculates the data size
in bytes by left shifting `common->data_size_from_cmnd` by the block
size (`common->curlun->blkbits`). However, it does not validate whether
this shift operation will cause an integer overflow.
Initially, the block size is set up in `fsg_lun_open()` , and the
`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During
initialization, there is no integer overflow check for the interaction
between two variables.
So if a malicious USB host sends a SCSI READ or WRITE command
requesting a large amount of data (`common->data_size_from_cmnd`), the
left shift operation can wrap around. This results in a truncated data
size, which can bypass boundary checks and potentially lead to memory
corruption or out-of-bounds accesses.
Fix this by using the check_shl_overflow() macro to safely perform the
shift and catch any overflows.
Fixes: 144974e7f9e3 ("usb: gadget: mass_storage: support multi-luns with different logic block size")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20260228104324.1696455-2-eeodqql09@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/f_mass_storage.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c
index c265a1f62fc14..e01d57a5327c6 100644
--- a/drivers/usb/gadget/function/f_mass_storage.c
+++ b/drivers/usb/gadget/function/f_mass_storage.c
@@ -180,6 +180,7 @@
#include <linux/kthread.h>
#include <linux/sched/signal.h>
#include <linux/limits.h>
+#include <linux/overflow.h>
#include <linux/pagemap.h>
#include <linux/rwsem.h>
#include <linux/slab.h>
@@ -1853,8 +1854,15 @@ static int check_command_size_in_blocks(struct fsg_common *common,
int cmnd_size, enum data_direction data_dir,
unsigned int mask, int needs_medium, const char *name)
{
- if (common->curlun)
- common->data_size_from_cmnd <<= common->curlun->blkbits;
+ if (common->curlun) {
+ if (check_shl_overflow(common->data_size_from_cmnd,
+ common->curlun->blkbits,
+ &common->data_size_from_cmnd)) {
+ common->phase_error = 1;
+ return -EINVAL;
+ }
+ }
+
return check_command(common, cmnd_size, data_dir,
mask, needs_medium, name);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 197/481] cgroup: fix race between task migration and iteration
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 196/481] Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on" Greg Kroah-Hartman
@ 2026-03-23 13:42 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 198/481] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces Greg Kroah-Hartman
` (118 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qingye Zhao, Michal Koutný,
Tejun Heo
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingye Zhao <zhaoqingye@honor.com>
commit 5ee01f1a7343d6a3547b6802ca2d4cdce0edacb1 upstream.
When a task is migrated out of a css_set, cgroup_migrate_add_task()
first moves it from cset->tasks to cset->mg_tasks via:
list_move_tail(&task->cg_list, &cset->mg_tasks);
If a css_task_iter currently has it->task_pos pointing to this task,
css_set_move_task() calls css_task_iter_skip() to keep the iterator
valid. However, since the task has already been moved to ->mg_tasks,
the iterator is advanced relative to the mg_tasks list instead of the
original tasks list. As a result, remaining tasks on cset->tasks, as
well as tasks queued on cset->mg_tasks, can be skipped by iteration.
Fix this by calling css_set_skip_task_iters() before unlinking
task->cg_list from cset->tasks. This advances all active iterators to
the next task on cset->tasks, so iteration continues correctly even
when a task is concurrently being migrated.
This race is hard to hit in practice without instrumentation, but it
can be reproduced by artificially slowing down cgroup_procs_show().
For example, on an Android device a temporary
/sys/kernel/cgroup/cgroup_test knob can be added to inject a delay
into cgroup_procs_show(), and then:
1) Spawn three long-running tasks (PIDs 101, 102, 103).
2) Create a test cgroup and move the tasks into it.
3) Enable a large delay via /sys/kernel/cgroup/cgroup_test.
4) In one shell, read cgroup.procs from the test cgroup.
5) Within the delay window, in another shell migrate PID 102 by
writing it to a different cgroup.procs file.
Under this setup, cgroup.procs can intermittently show only PID 101
while skipping PID 103. Once the migration completes, reading the
file again shows all tasks as expected.
Note that this change does not allow removing the existing
css_set_skip_task_iters() call in css_set_move_task(). The new call
in cgroup_migrate_add_task() only handles iterators that are racing
with migration while the task is still on cset->tasks. Iterators may
also start after the task has been moved to cset->mg_tasks. If we
dropped css_set_skip_task_iters() from css_set_move_task(), such
iterators could keep task_pos pointing to a migrating task, causing
css_task_iter_advance() to malfunction on the destination css_set,
up to and including crashes or infinite loops.
The race window between migration and iteration is very small, and
css_task_iter is not on a hot path. In the worst case, when an
iterator is positioned on the first thread of the migrating process,
cgroup_migrate_add_task() may have to skip multiple tasks via
css_set_skip_task_iters(). However, this only happens when migration
and iteration actually race, so the performance impact is negligible
compared to the correctness fix provided here.
Fixes: b636fd38dc40 ("cgroup: Implement css_task_iter_skip()")
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: Qingye Zhao <zhaoqingye@honor.com>
Reviewed-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/cgroup/cgroup.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -2519,6 +2519,7 @@ static void cgroup_migrate_add_task(stru
mgctx->tset.nr_tasks++;
+ css_set_skip_task_iters(cset, task);
list_move_tail(&task->cg_list, &cset->mg_tasks);
if (list_empty(&cset->mg_node))
list_add_tail(&cset->mg_node,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 184/460] tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.12 183/460] tracing: Fix enabling multiple events on the kernel command line and bootconfig Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 185/460] qmi_wwan: allow max_mtu above hard_mtu to control rx_urb_size Greg Kroah-Hartman
` (118 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Calvin Owens, Steven Rostedt (Google)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Calvin Owens <calvin@wbinvd.org>
commit d008ba8be8984760e36d7dcd4adbd5a41a645708 upstream.
Some of the sizing logic through tracer_alloc_buffers() uses int
internally, causing unexpected behavior if the user passes a value that
does not fit in an int (on my x86 machine, the result is uselessly tiny
buffers).
Fix by plumbing the parameter's real type (unsigned long) through to the
ring buffer allocation functions, which already use unsigned long.
It has always been possible to create larger ring buffers via the sysfs
interface: this only affects the cmdline parameter.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/bff42a4288aada08bdf74da3f5b67a2c28b761f8.1772852067.git.calvin@wbinvd.org
Fixes: 73c5162aa362 ("tracing: keep ring buffer to minimum size till used")
Signed-off-by: Calvin Owens <calvin@wbinvd.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -9227,7 +9227,7 @@ static void
init_tracer_tracefs(struct trace_array *tr, struct dentry *d_tracer);
static int
-allocate_trace_buffer(struct trace_array *tr, struct array_buffer *buf, int size)
+allocate_trace_buffer(struct trace_array *tr, struct array_buffer *buf, unsigned long size)
{
enum ring_buffer_flags rb_flags;
@@ -9277,7 +9277,7 @@ static void free_trace_buffer(struct arr
}
}
-static int allocate_trace_buffers(struct trace_array *tr, int size)
+static int allocate_trace_buffers(struct trace_array *tr, unsigned long size)
{
int ret;
@@ -10479,7 +10479,7 @@ __init static void enable_instances(void
__init static int tracer_alloc_buffers(void)
{
- int ring_buf_size;
+ unsigned long ring_buf_size;
int ret = -ENOMEM;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 260/567] Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on"
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.6 259/567] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 261/567] cgroup: fix race between task migration and iteration Greg Kroah-Hartman
` (117 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marco Mattiolo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit dc62cf0814fa62177bb4ba944c72d9f122568cdc.
The backport applied regulator-boot-on to vreg_l12a_1p8 (ldo12) instead
of vreg_l14a_1p88 (ldo14) due to identical surrounding context lines.
Reported-by: Marco Mattiolo <marco.mattiolo@hotmail.it>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi
index e028b58a30f31..c50d335e0761f 100644
--- a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi
+++ b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi
@@ -245,7 +245,6 @@ vreg_l12a_1p8: ldo12 {
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
- regulator-boot-on;
};
vreg_l14a_1p88: ldo14 {
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 198/481] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2026-03-23 13:42 ` [PATCH 6.1 197/481] cgroup: fix race between task migration and iteration Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 199/481] net: usb: lan78xx: fix silent drop of packets with checksum errors Greg Kroah-Hartman
` (117 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8f29539ef9a1c8334f42,
syzbot+ae893a8901067fde2741, Takashi Iwai
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit df1d8abf36ca3681c21a6809eaa9a1e01ef897a6 upstream.
The Scarlett2 mixer quirk in USB-audio driver may hit a NULL
dereference when a malformed USB descriptor is passed, since it
assumes the presence of an endpoint in the parsed interface in
scarlett2_find_fc_interface(), as reported by fuzzer.
For avoiding the NULL dereference, just add the sanity check of
bNumEndpoints and skip the invalid interface.
Reported-by: syzbot+8f29539ef9a1c8334f42@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/69acbbe1.050a0220.310d8.0001.GAE@google.com
Reported-by: syzbot+ae893a8901067fde2741@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/69acf72a.050a0220.310d8.0004.GAE@google.com
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260309104632.141895-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_scarlett2.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/usb/mixer_scarlett2.c
+++ b/sound/usb/mixer_scarlett2.c
@@ -3898,6 +3898,8 @@ static int scarlett2_find_fc_interface(s
if (desc->bInterfaceClass != 255)
continue;
+ if (desc->bNumEndpoints < 1)
+ continue;
epd = get_endpoint(intf->altsetting, 0);
private->bInterfaceNumber = desc->bInterfaceNumber;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 185/460] qmi_wwan: allow max_mtu above hard_mtu to control rx_urb_size
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 184/460] tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 186/460] cifs: make default value of retrans as zero Greg Kroah-Hartman
` (117 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Koen Vandeputte, Daniele Palmas,
Laurent Vivier, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurent Vivier <lvivier@redhat.com>
commit 55f854dd5bdd8e19b936a00ef1f8d776ac32c7b0 upstream.
Commit c7159e960f14 ("usbnet: limit max_mtu based on device's hard_mtu")
capped net->max_mtu to the device's hard_mtu in usbnet_probe(). While
this correctly prevents oversized packets on standard USB network
devices, it breaks the qmi_wwan driver.
qmi_wwan relies on userspace (e.g. ModemManager) setting a large MTU on
the wwan0 interface to configure rx_urb_size via usbnet_change_mtu().
QMI modems negotiate USB transfer sizes of 16,383 or 32,767 bytes, and
the USB receive buffers must be sized accordingly. With max_mtu capped
to hard_mtu (~1500 bytes), userspace can no longer raise the MTU, the
receive buffers remain small, and download speeds drop from >300 Mbps
to ~0.8 Mbps.
Introduce a FLAG_NOMAXMTU driver flag that allows individual usbnet
drivers to opt out of the max_mtu cap. Set this flag in qmi_wwan's
driver_info structures to restore the previous behavior for QMI devices,
while keeping the safety fix in place for all other usbnet drivers.
Fixes: c7159e960f14 ("usbnet: limit max_mtu based on device's hard_mtu")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/lkml/CAPh3n803k8JcBPV5qEzUB-oKzWkAs-D5CU7z=Vd_nLRCr5ZqQg@mail.gmail.com/
Reported-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
Tested-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Link: https://patch.msgid.link/20260304134338.1785002-1-lvivier@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/qmi_wwan.c | 4 ++--
drivers/net/usb/usbnet.c | 7 ++++---
include/linux/usb/usbnet.h | 1 +
3 files changed, 7 insertions(+), 5 deletions(-)
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -928,7 +928,7 @@ err:
static const struct driver_info qmi_wwan_info = {
.description = "WWAN/QMI device",
- .flags = FLAG_WWAN | FLAG_SEND_ZLP,
+ .flags = FLAG_WWAN | FLAG_NOMAXMTU | FLAG_SEND_ZLP,
.bind = qmi_wwan_bind,
.unbind = qmi_wwan_unbind,
.manage_power = qmi_wwan_manage_power,
@@ -937,7 +937,7 @@ static const struct driver_info qmi_wwan
static const struct driver_info qmi_wwan_info_quirk_dtr = {
.description = "WWAN/QMI device",
- .flags = FLAG_WWAN | FLAG_SEND_ZLP,
+ .flags = FLAG_WWAN | FLAG_NOMAXMTU | FLAG_SEND_ZLP,
.bind = qmi_wwan_bind,
.unbind = qmi_wwan_unbind,
.manage_power = qmi_wwan_manage_power,
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1797,11 +1797,12 @@ usbnet_probe (struct usb_interface *udev
if ((dev->driver_info->flags & FLAG_NOARP) != 0)
net->flags |= IFF_NOARP;
- if (net->max_mtu > (dev->hard_mtu - net->hard_header_len))
+ if ((dev->driver_info->flags & FLAG_NOMAXMTU) == 0 &&
+ net->max_mtu > (dev->hard_mtu - net->hard_header_len))
net->max_mtu = dev->hard_mtu - net->hard_header_len;
- if (net->mtu > net->max_mtu)
- net->mtu = net->max_mtu;
+ if (net->mtu > (dev->hard_mtu - net->hard_header_len))
+ net->mtu = dev->hard_mtu - net->hard_header_len;
} else if (!info->in || !info->out)
status = usbnet_get_endpoints (dev, udev);
--- a/include/linux/usb/usbnet.h
+++ b/include/linux/usb/usbnet.h
@@ -130,6 +130,7 @@ struct driver_info {
#define FLAG_MULTI_PACKET 0x2000
#define FLAG_RX_ASSEMBLE 0x4000 /* rx packets may span >1 frames */
#define FLAG_NOARP 0x8000 /* device can't do ARP */
+#define FLAG_NOMAXMTU 0x10000 /* allow max_mtu above hard_mtu */
/* init device ... can sleep, or cause probe() failure */
int (*bind)(struct usbnet *, struct usb_interface *);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 261/567] cgroup: fix race between task migration and iteration
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 260/567] Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on" Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 262/567] ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() Greg Kroah-Hartman
` (116 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qingye Zhao, Michal Koutný,
Tejun Heo
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingye Zhao <zhaoqingye@honor.com>
commit 5ee01f1a7343d6a3547b6802ca2d4cdce0edacb1 upstream.
When a task is migrated out of a css_set, cgroup_migrate_add_task()
first moves it from cset->tasks to cset->mg_tasks via:
list_move_tail(&task->cg_list, &cset->mg_tasks);
If a css_task_iter currently has it->task_pos pointing to this task,
css_set_move_task() calls css_task_iter_skip() to keep the iterator
valid. However, since the task has already been moved to ->mg_tasks,
the iterator is advanced relative to the mg_tasks list instead of the
original tasks list. As a result, remaining tasks on cset->tasks, as
well as tasks queued on cset->mg_tasks, can be skipped by iteration.
Fix this by calling css_set_skip_task_iters() before unlinking
task->cg_list from cset->tasks. This advances all active iterators to
the next task on cset->tasks, so iteration continues correctly even
when a task is concurrently being migrated.
This race is hard to hit in practice without instrumentation, but it
can be reproduced by artificially slowing down cgroup_procs_show().
For example, on an Android device a temporary
/sys/kernel/cgroup/cgroup_test knob can be added to inject a delay
into cgroup_procs_show(), and then:
1) Spawn three long-running tasks (PIDs 101, 102, 103).
2) Create a test cgroup and move the tasks into it.
3) Enable a large delay via /sys/kernel/cgroup/cgroup_test.
4) In one shell, read cgroup.procs from the test cgroup.
5) Within the delay window, in another shell migrate PID 102 by
writing it to a different cgroup.procs file.
Under this setup, cgroup.procs can intermittently show only PID 101
while skipping PID 103. Once the migration completes, reading the
file again shows all tasks as expected.
Note that this change does not allow removing the existing
css_set_skip_task_iters() call in css_set_move_task(). The new call
in cgroup_migrate_add_task() only handles iterators that are racing
with migration while the task is still on cset->tasks. Iterators may
also start after the task has been moved to cset->mg_tasks. If we
dropped css_set_skip_task_iters() from css_set_move_task(), such
iterators could keep task_pos pointing to a migrating task, causing
css_task_iter_advance() to malfunction on the destination css_set,
up to and including crashes or infinite loops.
The race window between migration and iteration is very small, and
css_task_iter is not on a hot path. In the worst case, when an
iterator is positioned on the first thread of the migrating process,
cgroup_migrate_add_task() may have to skip multiple tasks via
css_set_skip_task_iters(). However, this only happens when migration
and iteration actually race, so the performance impact is negligible
compared to the correctness fix provided here.
Fixes: b636fd38dc40 ("cgroup: Implement css_task_iter_skip()")
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: Qingye Zhao <zhaoqingye@honor.com>
Reviewed-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/cgroup/cgroup.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -2457,6 +2457,7 @@ static void cgroup_migrate_add_task(stru
mgctx->tset.nr_tasks++;
+ css_set_skip_task_iters(cset, task);
list_move_tail(&task->cg_list, &cset->mg_tasks);
if (list_empty(&cset->mg_node))
list_add_tail(&cset->mg_node,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 199/481] net: usb: lan78xx: fix silent drop of packets with checksum errors
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 198/481] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 200/481] net: usb: lan78xx: fix TX byte statistics for small packets Greg Kroah-Hartman
` (116 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit e4f774a0cc955ce762aec91c66915a6e15087ab7 upstream.
Do not drop packets with checksum errors at the USB driver level;
pass them to the network stack.
Previously, the driver dropped all packets where the 'Receive Error
Detected' (RED) bit was set, regardless of the specific error type. This
caused packets with only IP or TCP/UDP checksum errors to be dropped
before reaching the kernel, preventing the network stack from accounting
for them or performing software fallback.
Add a mask for hard hardware errors to safely drop genuinely corrupt
frames, while allowing checksum-errored frames to pass with their
ip_summed field explicitly set to CHECKSUM_NONE.
Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260305143429.530909-2-o.rempel@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/lan78xx.c | 4 +++-
drivers/net/usb/lan78xx.h | 3 +++
2 files changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -3537,6 +3537,7 @@ static void lan78xx_rx_csum_offload(stru
*/
if (!(dev->net->features & NETIF_F_RXCSUM) ||
unlikely(rx_cmd_a & RX_CMD_A_ICSM_) ||
+ unlikely(rx_cmd_a & RX_CMD_A_CSE_MASK_) ||
((rx_cmd_a & RX_CMD_A_FVTG_) &&
!(dev->net->features & NETIF_F_HW_VLAN_CTAG_RX))) {
skb->ip_summed = CHECKSUM_NONE;
@@ -3609,7 +3610,8 @@ static int lan78xx_rx(struct lan78xx_net
return 0;
}
- if (unlikely(rx_cmd_a & RX_CMD_A_RED_)) {
+ if (unlikely(rx_cmd_a & RX_CMD_A_RED_) &&
+ (rx_cmd_a & RX_CMD_A_RX_HARD_ERRS_MASK_)) {
netif_dbg(dev, rx_err, dev->net,
"Error rx_cmd_a=0x%08x", rx_cmd_a);
} else {
--- a/drivers/net/usb/lan78xx.h
+++ b/drivers/net/usb/lan78xx.h
@@ -74,6 +74,9 @@
#define RX_CMD_A_ICSM_ (0x00004000)
#define RX_CMD_A_LEN_MASK_ (0x00003FFF)
+#define RX_CMD_A_RX_HARD_ERRS_MASK_ \
+ (RX_CMD_A_RX_ERRS_MASK_ & ~RX_CMD_A_CSE_MASK_)
+
/* Rx Command B */
#define RX_CMD_B_CSUM_SHIFT_ (16)
#define RX_CMD_B_CSUM_MASK_ (0xFFFF0000)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 186/460] cifs: make default value of retrans as zero
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 185/460] qmi_wwan: allow max_mtu above hard_mtu to control rx_urb_size Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 187/460] xfs: fix returned valued from xfs_defer_can_append Greg Kroah-Hartman
` (116 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bharath SM, Shyam Prasad N,
Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shyam Prasad N <sprasad@microsoft.com>
commit e3beefd3af09f8e460ddaf39063d3d7664d7ab59 upstream.
When retrans mount option was introduced, the default value was set
as 1. However, in the light of some bugs that this has exposed recently
we should change it to 0 and retain the old behaviour before this option
was introduced.
Cc: <stable@vger.kernel.org>
Reviewed-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/fs_context.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -1847,7 +1847,7 @@ int smb3_init_fs_context(struct fs_conte
ctx->backupuid_specified = false; /* no backup intent for a user */
ctx->backupgid_specified = false; /* no backup intent for a group */
- ctx->retrans = 1;
+ ctx->retrans = 0;
ctx->reparse_type = CIFS_REPARSE_TYPE_DEFAULT;
/*
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 262/567] ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 261/567] cgroup: fix race between task migration and iteration Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 263/567] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces Greg Kroah-Hartman
` (115 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mehul Rao, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mehul Rao <mehulrao@gmail.com>
commit 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6 upstream.
In the drain loop, the local variable 'runtime' is reassigned to a
linked stream's runtime (runtime = s->runtime at line 2157). After
releasing the stream lock at line 2169, the code accesses
runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size
(lines 2170-2178) — all referencing the linked stream's runtime without
any lock or refcount protecting its lifetime.
A concurrent close() on the linked stream's fd triggers
snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private()
→ snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime).
No synchronization prevents kfree(runtime) from completing while the
drain path dereferences the stale pointer.
Fix by caching the needed runtime fields (no_period_wakeup, rate,
buffer_size) into local variables while still holding the stream lock,
and using the cached values after the lock is released.
Fixes: f2b3614cefb6 ("ALSA: PCM - Don't check DMA time-out too shortly")
Cc: stable@vger.kernel.org
Signed-off-by: Mehul Rao <mehulrao@gmail.com>
Link: https://patch.msgid.link/20260305193508.311096-1-mehulrao@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/pcm_native.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -2148,6 +2148,10 @@ static int snd_pcm_drain(struct snd_pcm_
for (;;) {
long tout;
struct snd_pcm_runtime *to_check;
+ unsigned int drain_rate;
+ snd_pcm_uframes_t drain_bufsz;
+ bool drain_no_period_wakeup;
+
if (signal_pending(current)) {
result = -ERESTARTSYS;
break;
@@ -2167,16 +2171,25 @@ static int snd_pcm_drain(struct snd_pcm_
snd_pcm_group_unref(group, substream);
if (!to_check)
break; /* all drained */
+ /*
+ * Cache the runtime fields needed after unlock.
+ * A concurrent close() on the linked stream may free
+ * its runtime via snd_pcm_detach_substream() once we
+ * release the stream lock below.
+ */
+ drain_no_period_wakeup = to_check->no_period_wakeup;
+ drain_rate = to_check->rate;
+ drain_bufsz = to_check->buffer_size;
init_waitqueue_entry(&wait, current);
set_current_state(TASK_INTERRUPTIBLE);
add_wait_queue(&to_check->sleep, &wait);
snd_pcm_stream_unlock_irq(substream);
- if (runtime->no_period_wakeup)
+ if (drain_no_period_wakeup)
tout = MAX_SCHEDULE_TIMEOUT;
else {
tout = 100;
- if (runtime->rate) {
- long t = runtime->buffer_size * 1100 / runtime->rate;
+ if (drain_rate) {
+ long t = drain_bufsz * 1100 / drain_rate;
tout = max(t, tout);
}
tout = msecs_to_jiffies(tout);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 200/481] net: usb: lan78xx: fix TX byte statistics for small packets
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 199/481] net: usb: lan78xx: fix silent drop of packets with checksum errors Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 201/481] net: usb: lan78xx: skip LTM configuration for LAN7850 Greg Kroah-Hartman
` (115 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit 50988747c30df47b73b787f234f746027cb7ec6c upstream.
Account for hardware auto-padding in TX byte counters to reflect actual
wire traffic.
The LAN7850 hardware automatically pads undersized frames to the minimum
Ethernet frame length (ETH_ZLEN, 60 bytes). However, the driver tracks
the network statistics based on the unpadded socket buffer length. This
results in the tx_bytes counter under-reporting the actual physical
bytes placed on the Ethernet wire for small packets (like short ARP or
ICMP requests).
Use max_t() to ensure the transmission statistics accurately account for
the hardware-generated padding.
Fixes: d383216a7efe ("lan78xx: Introduce Tx URB processing improvements")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260305143429.530909-3-o.rempel@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/lan78xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -3886,7 +3886,7 @@ static struct skb_data *lan78xx_tx_buf_f
}
tx_data += len;
- entry->length += len;
+ entry->length += max_t(unsigned int, len, ETH_ZLEN);
entry->num_of_packet += skb_shinfo(skb)->gso_segs ?: 1;
dev_kfree_skb_any(skb);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 187/460] xfs: fix returned valued from xfs_defer_can_append
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 186/460] cifs: make default value of retrans as zero Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 188/460] xfs: fix undersized l_iclog_roundoff values Greg Kroah-Hartman
` (115 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carlos Maiolino, Darrick J. Wong,
Souptick Joarder, Carlos Maiolino
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Maiolino <cem@kernel.org>
commit 54fcd2f95f8d216183965a370ec69e1aab14f5da upstream.
xfs_defer_can_append returns a bool, it shouldn't be returning
a NULL.
Found by code inspection.
Fixes: 4dffb2cbb483 ("xfs: allow pausing of pending deferred work items")
Cc: <stable@vger.kernel.org> # v6.8
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Acked-by: Souptick Joarder <souptick.joarder@hpe.com>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/libxfs/xfs_defer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/xfs/libxfs/xfs_defer.c
+++ b/fs/xfs/libxfs/xfs_defer.c
@@ -809,7 +809,7 @@ xfs_defer_can_append(
/* Paused items cannot absorb more work */
if (dfp->dfp_flags & XFS_DEFER_PAUSED)
- return NULL;
+ return false;
/* Already full? */
if (ops->max_items && dfp->dfp_count >= ops->max_items)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 263/567] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 262/567] ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 264/567] net: usb: lan78xx: fix silent drop of packets with checksum errors Greg Kroah-Hartman
` (114 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8f29539ef9a1c8334f42,
syzbot+ae893a8901067fde2741, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit df1d8abf36ca3681c21a6809eaa9a1e01ef897a6 upstream.
The Scarlett2 mixer quirk in USB-audio driver may hit a NULL
dereference when a malformed USB descriptor is passed, since it
assumes the presence of an endpoint in the parsed interface in
scarlett2_find_fc_interface(), as reported by fuzzer.
For avoiding the NULL dereference, just add the sanity check of
bNumEndpoints and skip the invalid interface.
Reported-by: syzbot+8f29539ef9a1c8334f42@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/69acbbe1.050a0220.310d8.0001.GAE@google.com
Reported-by: syzbot+ae893a8901067fde2741@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/69acf72a.050a0220.310d8.0004.GAE@google.com
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260309104632.141895-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_scarlett2.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/usb/mixer_scarlett2.c
+++ b/sound/usb/mixer_scarlett2.c
@@ -3898,6 +3898,8 @@ static int scarlett2_find_fc_interface(s
if (desc->bInterfaceClass != 255)
continue;
+ if (desc->bNumEndpoints < 1)
+ continue;
epd = get_endpoint(intf->altsetting, 0);
private->bInterfaceNumber = desc->bInterfaceNumber;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 201/481] net: usb: lan78xx: skip LTM configuration for LAN7850
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 200/481] net: usb: lan78xx: fix TX byte statistics for small packets Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 202/481] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA Greg Kroah-Hartman
` (114 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit d9cc0e440f0664f6f3e2c26e39ab9dd5f3badba7 upstream.
Do not configure Latency Tolerance Messaging (LTM) on USB 2.0 hardware.
The LAN7850 is a High-Speed (USB 2.0) only device and does not support
SuperSpeed features like LTM. Currently, the driver unconditionally
attempts to configure LTM registers during initialization. On the
LAN7850, these registers do not exist, resulting in writes to invalid
or undocumented memory space.
This issue was identified during a port to the regmap API with strict
register validation enabled. While no functional issues or crashes have
been observed from these invalid writes, bypassing LTM initialization
on the LAN7850 ensures the driver strictly adheres to the hardware's
valid register map.
Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260305143429.530909-4-o.rempel@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/lan78xx.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -2672,6 +2672,10 @@ static void lan78xx_init_ltm(struct lan7
u32 buf;
u32 regs[6] = { 0 };
+ /* LAN7850 is USB 2.0 and does not support LTM */
+ if (dev->chipid == ID_REV_CHIP_ID_7850_)
+ return;
+
ret = lan78xx_read_reg(dev, USB_CFG1, &buf);
if (buf & USB_CFG1_LTM_ENABLE_) {
u8 temp[2];
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 188/460] xfs: fix undersized l_iclog_roundoff values
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 187/460] xfs: fix returned valued from xfs_defer_can_append Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 189/460] xfs: ensure dquot item is deleted from AIL only after log shutdown Greg Kroah-Hartman
` (114 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Carlos Maiolino
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
commit 52a8a1ba883defbfe3200baa22cf4cd21985d51a upstream.
If the superblock doesn't list a log stripe unit, we set the incore log
roundoff value to 512. This leads to corrupt logs and unmountable
filesystems in generic/617 on a disk with 4k physical sectors...
XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197.
XFS (sda1): failed to locate log tail
XFS (sda1): log mount/recovery failed: error -74
XFS (sda1): log mount failed
XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
XFS (sda1): Ending clean mount
...on the current xfsprogs for-next which has a broken mkfs. xfs_info
shows this...
meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks
= sectsz=4096 attr=2, projid32bit=1
= crc=1 finobt=1, sparse=1, rmapbt=1
= reflink=1 bigtime=1 inobtcount=1 nrext64=1
= exchange=1 metadir=1
data = bsize=4096 blocks=2579968, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1
log =internal log bsize=4096 blocks=16384, version=2
= sectsz=4096 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
= rgcount=0 rgsize=268435456 extents
= zoned=0 start=0 reserved=0
...observe that the log section has sectsz=4096 sunit=0, which means
that the roundoff factor is 512, not 4096 as you'd expect. We should
fix mkfs not to generate broken filesystems, but anyone can fuzz the
ondisk superblock so we should be more cautious. I think the inadequate
logic predates commit a6a65fef5ef8d0, but that's clearly going to
require a different backport.
Cc: stable@vger.kernel.org # v5.14
Fixes: a6a65fef5ef8d0 ("xfs: log stripe roundoff is a property of the log")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_log.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/xfs/xfs_log.c
+++ b/fs/xfs/xfs_log.c
@@ -1396,6 +1396,8 @@ xlog_alloc_log(
if (xfs_has_logv2(mp) && mp->m_sb.sb_logsunit > 1)
log->l_iclog_roundoff = mp->m_sb.sb_logsunit;
+ else if (mp->m_sb.sb_logsectsize > 0)
+ log->l_iclog_roundoff = mp->m_sb.sb_logsectsize;
else
log->l_iclog_roundoff = BBSIZE;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 264/567] net: usb: lan78xx: fix silent drop of packets with checksum errors
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 263/567] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 265/567] net: usb: lan78xx: fix TX byte statistics for small packets Greg Kroah-Hartman
` (113 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit e4f774a0cc955ce762aec91c66915a6e15087ab7 upstream.
Do not drop packets with checksum errors at the USB driver level;
pass them to the network stack.
Previously, the driver dropped all packets where the 'Receive Error
Detected' (RED) bit was set, regardless of the specific error type. This
caused packets with only IP or TCP/UDP checksum errors to be dropped
before reaching the kernel, preventing the network stack from accounting
for them or performing software fallback.
Add a mask for hard hardware errors to safely drop genuinely corrupt
frames, while allowing checksum-errored frames to pass with their
ip_summed field explicitly set to CHECKSUM_NONE.
Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260305143429.530909-2-o.rempel@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/lan78xx.c | 4 +++-
drivers/net/usb/lan78xx.h | 3 +++
2 files changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -3537,6 +3537,7 @@ static void lan78xx_rx_csum_offload(stru
*/
if (!(dev->net->features & NETIF_F_RXCSUM) ||
unlikely(rx_cmd_a & RX_CMD_A_ICSM_) ||
+ unlikely(rx_cmd_a & RX_CMD_A_CSE_MASK_) ||
((rx_cmd_a & RX_CMD_A_FVTG_) &&
!(dev->net->features & NETIF_F_HW_VLAN_CTAG_RX))) {
skb->ip_summed = CHECKSUM_NONE;
@@ -3609,7 +3610,8 @@ static int lan78xx_rx(struct lan78xx_net
return 0;
}
- if (unlikely(rx_cmd_a & RX_CMD_A_RED_)) {
+ if (unlikely(rx_cmd_a & RX_CMD_A_RED_) &&
+ (rx_cmd_a & RX_CMD_A_RX_HARD_ERRS_MASK_)) {
netif_dbg(dev, rx_err, dev->net,
"Error rx_cmd_a=0x%08x", rx_cmd_a);
} else {
--- a/drivers/net/usb/lan78xx.h
+++ b/drivers/net/usb/lan78xx.h
@@ -74,6 +74,9 @@
#define RX_CMD_A_ICSM_ (0x00004000)
#define RX_CMD_A_LEN_MASK_ (0x00003FFF)
+#define RX_CMD_A_RX_HARD_ERRS_MASK_ \
+ (RX_CMD_A_RX_ERRS_MASK_ & ~RX_CMD_A_CSE_MASK_)
+
/* Rx Command B */
#define RX_CMD_B_CSUM_SHIFT_ (16)
#define RX_CMD_B_CSUM_MASK_ (0xFFFF0000)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 202/481] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 201/481] net: usb: lan78xx: skip LTM configuration for LAN7850 Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 203/481] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC Greg Kroah-Hartman
` (113 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Heng, Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Heng <zhangheng@kylinos.cn>
commit 325291b20f8a6f14b9c82edbf5d12e4e71f6adaa upstream.
Add a DMI quirk for the ASUS EXPERTBOOK PM1503CDA fixing the
issue where the internal microphone was not detected.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221070
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
Link: https://patch.msgid.link/20260304063255.139331-1-zhangheng@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -556,6 +556,13 @@ static const struct dmi_system_id yc_acp
DMI_MATCH(DMI_PRODUCT_NAME, "ASUS EXPERTBOOK BM1503CDA"),
}
},
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_BOARD_NAME, "PM1503CDA"),
+ }
+ },
{}
};
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 189/460] xfs: ensure dquot item is deleted from AIL only after log shutdown
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 188/460] xfs: fix undersized l_iclog_roundoff values Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 190/460] s390/dasd: Move quiesce state with pprc swap Greg Kroah-Hartman
` (113 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Long Li, Carlos Maiolino,
Christoph Hellwig, Carlos Maiolino
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <leo.lilong@huawei.com>
commit 186ac39b8a7d3ec7ce9c5dd45e5c2730177f375c upstream.
In xfs_qm_dqflush(), when a dquot flush fails due to corruption
(the out_abort error path), the original code removed the dquot log
item from the AIL before calling xfs_force_shutdown(). This ordering
introduces a subtle race condition that can lead to data loss after
a crash.
The AIL tracks the oldest dirty metadata in the journal. The position
of the tail item in the AIL determines the log tail LSN, which is the
oldest LSN that must be preserved for crash recovery. When an item is
removed from the AIL, the log tail can advance past the LSN of that item.
The race window is as follows: if the dquot item happens to be at
the tail of the log, removing it from the AIL allows the log tail
to advance. If a concurrent log write is sampling the tail LSN at
the same time and subsequently writes a complete checkpoint (i.e.,
one containing a commit record) to disk before the shutdown takes
effect, the journal will no longer protect the dquot's last
modification. On the next mount, log recovery will not replay the
dquot changes, even though they were never written back to disk,
resulting in silent data loss.
Fix this by calling xfs_force_shutdown() before xfs_trans_ail_delete()
in the out_abort path. Once the log is shut down, no new log writes
can complete with an updated tail LSN, making it safe to remove the
dquot item from the AIL.
Cc: stable@vger.kernel.org
Fixes: b707fffda6a3 ("xfs: abort consistently on dquot flush failure")
Signed-off-by: Long Li <leo.lilong@huawei.com>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_dquot.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/fs/xfs/xfs_dquot.c
+++ b/fs/xfs/xfs_dquot.c
@@ -1472,9 +1472,15 @@ xfs_qm_dqflush(
return 0;
out_abort:
+ /*
+ * Shut down the log before removing the dquot item from the AIL.
+ * Otherwise, the log tail may advance past this item's LSN while
+ * log writes are still in progress, making these unflushed changes
+ * unrecoverable on the next mount.
+ */
+ xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
dqp->q_flags &= ~XFS_DQFLAG_DIRTY;
xfs_trans_ail_delete(lip, 0);
- xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
xfs_dqfunlock(dqp);
return error;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 265/567] net: usb: lan78xx: fix TX byte statistics for small packets
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 264/567] net: usb: lan78xx: fix silent drop of packets with checksum errors Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 266/567] net: usb: lan78xx: skip LTM configuration for LAN7850 Greg Kroah-Hartman
` (112 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit 50988747c30df47b73b787f234f746027cb7ec6c upstream.
Account for hardware auto-padding in TX byte counters to reflect actual
wire traffic.
The LAN7850 hardware automatically pads undersized frames to the minimum
Ethernet frame length (ETH_ZLEN, 60 bytes). However, the driver tracks
the network statistics based on the unpadded socket buffer length. This
results in the tx_bytes counter under-reporting the actual physical
bytes placed on the Ethernet wire for small packets (like short ARP or
ICMP requests).
Use max_t() to ensure the transmission statistics accurately account for
the hardware-generated padding.
Fixes: d383216a7efe ("lan78xx: Introduce Tx URB processing improvements")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260305143429.530909-3-o.rempel@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/lan78xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -3886,7 +3886,7 @@ static struct skb_data *lan78xx_tx_buf_f
}
tx_data += len;
- entry->length += len;
+ entry->length += max_t(unsigned int, len, ETH_ZLEN);
entry->num_of_packet += skb_shinfo(skb)->gso_segs ?: 1;
dev_kfree_skb_any(skb);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 203/481] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 202/481] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 204/481] USB: add QUIRK_NO_BOS for video capture several devices Greg Kroah-Hartman
` (112 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naveen N Rao (AMD), Jim Mattson,
Sean Christopherson, Paolo Bonzini
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 3989a6d036c8ec82c0de3614bed23a1dacd45de5 upstream.
Initialize all per-vCPU AVIC control fields in the VMCB if AVIC is enabled
in KVM and the VM has an in-kernel local APIC, i.e. if it's _possible_ the
vCPU could activate AVIC at any point in its lifecycle. Configuring the
VMCB if and only if AVIC is active "works" purely because of optimizations
in kvm_create_lapic() to speculatively set apicv_active if AVIC is enabled
*and* to defer updates until the first KVM_RUN. In quotes because KVM
likely won't do the right thing if kvm_apicv_activated() is false, i.e. if
a vCPU is created while APICv is inhibited at the VM level for whatever
reason. E.g. if the inhibit is *removed* before KVM_REQ_APICV_UPDATE is
handled in KVM_RUN, then __kvm_vcpu_update_apicv() will elide calls to
vendor code due to seeing "apicv_active == activate".
Cleaning up the initialization code will also allow fixing a bug where KVM
incorrectly leaves CR8 interception enabled when AVIC is activated without
creating a mess with respect to whether AVIC is activated or not.
Cc: stable@vger.kernel.org
Fixes: 67034bb9dd5e ("KVM: SVM: Add irqchip_split() checks before enabling AVIC")
Fixes: 6c3e4422dd20 ("svm: Add support for dynamic APICv")
Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
Reviewed-by: Jim Mattson <jmattson@google.com>
Link: https://patch.msgid.link/20260203190711.458413-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/avic.c | 2 +-
arch/x86/kvm/svm/svm.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -245,7 +245,7 @@ void avic_init_vmcb(struct vcpu_svm *svm
vmcb->control.avic_physical_id = ppa & AVIC_HPA_MASK;
vmcb->control.avic_vapic_bar = APIC_DEFAULT_PHYS_BASE & VMCB_AVIC_APIC_BAR_MASK;
- if (kvm_apicv_activated(svm->vcpu.kvm))
+ if (kvm_vcpu_apicv_active(&svm->vcpu))
avic_activate_vmcb(svm);
else
avic_deactivate_vmcb(svm);
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -1307,7 +1307,7 @@ static void init_vmcb(struct kvm_vcpu *v
if (boot_cpu_has(X86_FEATURE_V_SPEC_CTRL))
set_msr_interception(vcpu, svm->msrpm, MSR_IA32_SPEC_CTRL, 1, 1);
- if (kvm_vcpu_apicv_active(vcpu))
+ if (enable_apicv && irqchip_in_kernel(vcpu->kvm))
avic_init_vmcb(svm, vmcb);
if (vgif) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 190/460] s390/dasd: Move quiesce state with pprc swap
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 189/460] xfs: ensure dquot item is deleted from AIL only after log shutdown Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 191/460] s390/dasd: Copy detected format information to secondary device Greg Kroah-Hartman
` (112 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Hoeppner, Stefan Haberland,
Jens Axboe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Haberland <sth@linux.ibm.com>
commit 40e9cd4ae8ec43b107ed2bff422a8fa39dcf4e4b upstream.
Quiesce and resume is a mechanism to suspend operations on DASD devices.
In the context of a controlled copy pair swap operation, the quiesce
operation is usually issued before the actual swap and a resume
afterwards.
During the swap operation, the underlying device is exchanged. Therefore,
the quiesce flag must be moved to the secondary device to ensure a
consistent quiesce state after the swap.
The secondary device itself cannot be suspended separately because there
is no separate block device representation for it.
Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability")
Cc: stable@vger.kernel.org #6.1
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Link: https://patch.msgid.link/20260310142330.4080106-2-sth@linux.ibm.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd_eckd.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -6192,6 +6192,11 @@ static int dasd_eckd_copy_pair_swap(stru
dev_name(&secondary->cdev->dev), rc);
}
+ if (primary->stopped & DASD_STOPPED_QUIESCE) {
+ dasd_device_set_stop_bits(secondary, DASD_STOPPED_QUIESCE);
+ dasd_device_remove_stop_bits(primary, DASD_STOPPED_QUIESCE);
+ }
+
/* re-enable device */
dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC);
dasd_device_remove_stop_bits(secondary, DASD_STOPPED_PPRC);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 266/567] net: usb: lan78xx: skip LTM configuration for LAN7850
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 265/567] net: usb: lan78xx: fix TX byte statistics for small packets Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 267/567] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA Greg Kroah-Hartman
` (111 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit d9cc0e440f0664f6f3e2c26e39ab9dd5f3badba7 upstream.
Do not configure Latency Tolerance Messaging (LTM) on USB 2.0 hardware.
The LAN7850 is a High-Speed (USB 2.0) only device and does not support
SuperSpeed features like LTM. Currently, the driver unconditionally
attempts to configure LTM registers during initialization. On the
LAN7850, these registers do not exist, resulting in writes to invalid
or undocumented memory space.
This issue was identified during a port to the regmap API with strict
register validation enabled. While no functional issues or crashes have
been observed from these invalid writes, bypassing LTM initialization
on the LAN7850 ensures the driver strictly adheres to the hardware's
valid register map.
Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20260305143429.530909-4-o.rempel@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/lan78xx.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -2672,6 +2672,10 @@ static void lan78xx_init_ltm(struct lan7
u32 buf;
u32 regs[6] = { 0 };
+ /* LAN7850 is USB 2.0 and does not support LTM */
+ if (dev->chipid == ID_REV_CHIP_ID_7850_)
+ return;
+
ret = lan78xx_read_reg(dev, USB_CFG1, &buf);
if (buf & USB_CFG1_LTM_ENABLE_) {
u8 temp[2];
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 204/481] USB: add QUIRK_NO_BOS for video capture several devices
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 203/481] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 205/481] usb/core/quirks: Add Huawei ME906S-device to wakeup quirk Greg Kroah-Hartman
` (111 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, A1RM4X
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: A1RM4X <dev@a1rm4x.com>
commit 93cd0d664661f58f7e7bed7373714ab2ace41734 upstream.
Several USB capture devices also need the USB_QUIRK_NO_BOS set for them
to work properly, odds are they are all the same chip inside, just
different vendor/product ids.
This fixes up:
- ASUS TUF 4K PRO
- Avermedia Live Gamer Ultra 2.1 (GC553G2)
- UGREEN 35871
to now run at full speed (10 Gbps/4K 60 fps mode.)
Link: https://lore.kernel.org/r/CACy+XB-f-51xGpNQFCSm5pE_momTQLu=BaZggHYU1DiDmFX=ug@mail.gmail.com
Cc: stable <stable@kernel.org>
Signed-off-by: A1RM4X <dev@a1rm4x.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -377,6 +377,9 @@ static const struct usb_device_id usb_qu
/* SanDisk Extreme 55AE */
{ USB_DEVICE(0x0781, 0x55ae), .driver_info = USB_QUIRK_NO_LPM },
+ /* Avermedia Live Gamer Ultra 2.1 (GC553G2) - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x07ca, 0x2553), .driver_info = USB_QUIRK_NO_BOS },
+
/* Realforce 87U Keyboard */
{ USB_DEVICE(0x0853, 0x011b), .driver_info = USB_QUIRK_NO_LPM },
@@ -434,6 +437,9 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x0b05, 0x17e0), .driver_info =
USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+ /* ASUS TUF 4K PRO - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x0b05, 0x1ab9), .driver_info = USB_QUIRK_NO_BOS },
+
/* Realtek Semiconductor Corp. Mass Storage Device (Multicard Reader)*/
{ USB_DEVICE(0x0bda, 0x0151), .driver_info = USB_QUIRK_CONFIG_INTF_STRINGS },
@@ -562,6 +568,9 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x2386, 0x350e), .driver_info = USB_QUIRK_NO_LPM },
+ /* UGREEN 35871 - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x2b89, 0x5871), .driver_info = USB_QUIRK_NO_BOS },
+
/* APTIV AUTOMOTIVE HUB */
{ USB_DEVICE(0x2c48, 0x0132), .driver_info =
USB_QUIRK_SHORT_SET_ADDRESS_REQ_TIMEOUT },
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 191/460] s390/dasd: Copy detected format information to secondary device
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 190/460] s390/dasd: Move quiesce state with pprc swap Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 192/460] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error Greg Kroah-Hartman
` (111 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Hoeppner, Eduard Shishkin,
Stefan Haberland, Jens Axboe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Haberland <sth@linux.ibm.com>
commit 4c527c7e030672efd788d0806d7a68972a7ba3c1 upstream.
During online processing for a DASD device an IO operation is started to
determine the format of the device. CDL format contains specifically
sized blocks at the beginning of the disk.
For a PPRC secondary device no real IO operation is possible therefore
this IO request can not be started and this step is skipped for online
processing of secondary devices. This is generally fine since the
secondary is a copy of the primary device.
In case of an additional partition detection that is run after a swap
operation the format information is needed to properly drive partition
detection IO.
Currently the information is not passed leading to IO errors during
partition detection and a wrongly detected partition table which in turn
might lead to data corruption on the disk with the wrong partition table.
Fix by passing the format information from primary to secondary device.
Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability")
Cc: stable@vger.kernel.org #6.1
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Acked-by: Eduard Shishkin <edward6@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Link: https://patch.msgid.link/20260310142330.4080106-3-sth@linux.ibm.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd_eckd.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -6145,6 +6145,7 @@ static void copy_pair_set_active(struct
static int dasd_eckd_copy_pair_swap(struct dasd_device *device, char *prim_busid,
char *sec_busid)
{
+ struct dasd_eckd_private *prim_priv, *sec_priv;
struct dasd_device *primary, *secondary;
struct dasd_copy_relation *copy;
struct dasd_block *block;
@@ -6165,6 +6166,9 @@ static int dasd_eckd_copy_pair_swap(stru
if (!secondary)
return DASD_COPYPAIRSWAP_SECONDARY;
+ prim_priv = primary->private;
+ sec_priv = secondary->private;
+
/*
* usually the device should be quiesced for swap
* for paranoia stop device and requeue requests again
@@ -6197,6 +6201,13 @@ static int dasd_eckd_copy_pair_swap(stru
dasd_device_remove_stop_bits(primary, DASD_STOPPED_QUIESCE);
}
+ /*
+ * The secondary device never got through format detection, but since it
+ * is a copy of the primary device, the format is exactly the same;
+ * therefore, the detected layout can simply be copied.
+ */
+ sec_priv->uses_cdl = prim_priv->uses_cdl;
+
/* re-enable device */
dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC);
dasd_device_remove_stop_bits(secondary, DASD_STOPPED_PPRC);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 267/567] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 266/567] net: usb: lan78xx: skip LTM configuration for LAN7850 Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 268/567] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC Greg Kroah-Hartman
` (110 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Heng, Mark Brown
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Heng <zhangheng@kylinos.cn>
commit 325291b20f8a6f14b9c82edbf5d12e4e71f6adaa upstream.
Add a DMI quirk for the ASUS EXPERTBOOK PM1503CDA fixing the
issue where the internal microphone was not detected.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221070
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
Link: https://patch.msgid.link/20260304063255.139331-1-zhangheng@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -703,6 +703,13 @@ static const struct dmi_system_id yc_acp
DMI_MATCH(DMI_PRODUCT_NAME, "ASUS EXPERTBOOK BM1503CDA"),
}
},
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_BOARD_NAME, "PM1503CDA"),
+ }
+ },
{}
};
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 205/481] usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 204/481] USB: add QUIRK_NO_BOS for video capture several devices Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 206/481] USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed Greg Kroah-Hartman
` (110 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Christoffer Sandberg,
Werner Sembach
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoffer Sandberg <cs@tuxedo.de>
commit 0326ff28d56b4fa202de36ffc8462a354f383a64 upstream.
Similar to other Huawei LTE modules using this quirk, this version with
another vid/pid suffers from spurious wakeups.
Setting the quirk fixes the issue for this device as well.
Cc: stable <stable@kernel.org>
Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Link: https://patch.msgid.link/20260306172817.2098898-1-wse@tuxedocomputers.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -208,6 +208,10 @@ static const struct usb_device_id usb_qu
/* HP v222w 16GB Mini USB Drive */
{ USB_DEVICE(0x03f0, 0x3f40), .driver_info = USB_QUIRK_DELAY_INIT },
+ /* Huawei 4G LTE module ME906S */
+ { USB_DEVICE(0x03f0, 0xa31d), .driver_info =
+ USB_QUIRK_DISCONNECT_SUSPEND },
+
/* Creative SB Audigy 2 NX */
{ USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME },
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 192/460] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 191/460] s390/dasd: Copy detected format information to secondary device Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 193/460] scsi: core: Fix error handling for scsi_alloc_sdev() Greg Kroah-Hartman
` (110 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josh Law, Steven Rostedt (Google),
Masami Hiramatsu (Google)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 39ebc8d7f561e1b64eca87353ef9b18e2825e591 upstream.
__xbc_open_brace() pushes entries with post-increment
(open_brace[brace_index++]), so brace_index always points one past
the last valid entry. xbc_verify_tree() reads open_brace[brace_index]
to report which brace is unclosed, but this is one past the last
pushed entry and contains stale/zero data, causing the error message
to reference the wrong node.
Use open_brace[brace_index - 1] to correctly identify the unclosed
brace. brace_index is known to be > 0 here since we are inside the
if (brace_index) guard.
Link: https://lore.kernel.org/all/20260312191143.28719-2-objecting@objecting.org/
Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/bootconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -791,7 +791,7 @@ static int __init xbc_verify_tree(void)
/* Brace closing */
if (brace_index) {
- n = &xbc_nodes[open_brace[brace_index]];
+ n = &xbc_nodes[open_brace[brace_index - 1]];
return xbc_parse_error("Brace is not closed",
xbc_node_get_data(n));
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 268/567] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 267/567] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 269/567] USB: add QUIRK_NO_BOS for video capture several devices Greg Kroah-Hartman
` (109 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naveen N Rao (AMD), Jim Mattson,
Sean Christopherson, Paolo Bonzini
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 3989a6d036c8ec82c0de3614bed23a1dacd45de5 upstream.
Initialize all per-vCPU AVIC control fields in the VMCB if AVIC is enabled
in KVM and the VM has an in-kernel local APIC, i.e. if it's _possible_ the
vCPU could activate AVIC at any point in its lifecycle. Configuring the
VMCB if and only if AVIC is active "works" purely because of optimizations
in kvm_create_lapic() to speculatively set apicv_active if AVIC is enabled
*and* to defer updates until the first KVM_RUN. In quotes because KVM
likely won't do the right thing if kvm_apicv_activated() is false, i.e. if
a vCPU is created while APICv is inhibited at the VM level for whatever
reason. E.g. if the inhibit is *removed* before KVM_REQ_APICV_UPDATE is
handled in KVM_RUN, then __kvm_vcpu_update_apicv() will elide calls to
vendor code due to seeing "apicv_active == activate".
Cleaning up the initialization code will also allow fixing a bug where KVM
incorrectly leaves CR8 interception enabled when AVIC is activated without
creating a mess with respect to whether AVIC is activated or not.
Cc: stable@vger.kernel.org
Fixes: 67034bb9dd5e ("KVM: SVM: Add irqchip_split() checks before enabling AVIC")
Fixes: 6c3e4422dd20 ("svm: Add support for dynamic APICv")
Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
Reviewed-by: Jim Mattson <jmattson@google.com>
Link: https://patch.msgid.link/20260203190711.458413-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/avic.c | 2 +-
arch/x86/kvm/svm/svm.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -253,7 +253,7 @@ void avic_init_vmcb(struct vcpu_svm *svm
vmcb->control.avic_physical_id = ppa & AVIC_HPA_MASK;
vmcb->control.avic_vapic_bar = APIC_DEFAULT_PHYS_BASE & VMCB_AVIC_APIC_BAR_MASK;
- if (kvm_apicv_activated(svm->vcpu.kvm))
+ if (kvm_vcpu_apicv_active(&svm->vcpu))
avic_activate_vmcb(svm);
else
avic_deactivate_vmcb(svm);
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -1375,7 +1375,7 @@ static void init_vmcb(struct kvm_vcpu *v
if (boot_cpu_has(X86_FEATURE_V_SPEC_CTRL))
set_msr_interception(vcpu, svm->msrpm, MSR_IA32_SPEC_CTRL, 1, 1);
- if (kvm_vcpu_apicv_active(vcpu))
+ if (enable_apicv && irqchip_in_kernel(vcpu->kvm))
avic_init_vmcb(svm, vmcb);
if (vnmi)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 206/481] USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 205/481] usb/core/quirks: Add Huawei ME906S-device to wakeup quirk Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 207/481] usb: xhci: Fix memory leak in xhci_disable_slot() Greg Kroah-Hartman
` (109 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vyacheslav Vahnenko, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vyacheslav Vahnenko <vahnenko2003@gmail.com>
commit d0d9b1f4f5391e6a00cee81d73ed2e8f98446d5f upstream.
Add USB_QUIRK_NO_BOS for ezcap401 capture card, without it dmesg will show
"unable to get BOS descriptor or descriptor too short" and "unable to
read config index 0 descriptor/start: -71" errors and device will not
able to work at full speed at 10gbs
Signed-off-by: Vyacheslav Vahnenko <vahnenko2003@gmail.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260313123638.20481-1-vahnenko2003@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -585,6 +585,9 @@ static const struct usb_device_id usb_qu
/* Alcor Link AK9563 SC Reader used in 2022 Lenovo ThinkPads */
{ USB_DEVICE(0x2ce3, 0x9563), .driver_info = USB_QUIRK_NO_LPM },
+ /* ezcap401 - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x32ed, 0x0401), .driver_info = USB_QUIRK_NO_BOS },
+
/* DELL USB GEN2 */
{ USB_DEVICE(0x413c, 0xb062), .driver_info = USB_QUIRK_NO_LPM | USB_QUIRK_RESET_RESUME },
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 193/460] scsi: core: Fix error handling for scsi_alloc_sdev()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 192/460] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 194/460] x86/apic: Disable x2apic on resume if the kernel expects so Greg Kroah-Hartman
` (109 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxiao Bi, John Garry,
Bart Van Assche, Martin K. Petersen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxiao Bi <junxiao.bi@oracle.com>
commit 4ce7ada40c008fa21b7e52ab9d04e8746e2e9325 upstream.
After scsi_sysfs_device_initialize() was called, error paths must call
__scsi_remove_device().
Fixes: 1ac22c8eae81 ("scsi: core: Fix refcount leak for tagset_refcnt")
Cc: stable@vger.kernel.org
Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260304164603.51528-1-junxiao.bi@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/scsi_scan.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -353,12 +353,8 @@ static struct scsi_device *scsi_alloc_sd
* default device queue depth to figure out sbitmap shift
* since we use this queue depth most of times.
*/
- if (scsi_realloc_sdev_budget_map(sdev, depth)) {
- kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
- put_device(&starget->dev);
- kfree(sdev);
- goto out;
- }
+ if (scsi_realloc_sdev_budget_map(sdev, depth))
+ goto out_device_destroy;
scsi_change_queue_depth(sdev, depth);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 269/567] USB: add QUIRK_NO_BOS for video capture several devices
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 268/567] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 270/567] usb/core/quirks: Add Huawei ME906S-device to wakeup quirk Greg Kroah-Hartman
` (108 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, A1RM4X
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: A1RM4X <dev@a1rm4x.com>
commit 93cd0d664661f58f7e7bed7373714ab2ace41734 upstream.
Several USB capture devices also need the USB_QUIRK_NO_BOS set for them
to work properly, odds are they are all the same chip inside, just
different vendor/product ids.
This fixes up:
- ASUS TUF 4K PRO
- Avermedia Live Gamer Ultra 2.1 (GC553G2)
- UGREEN 35871
to now run at full speed (10 Gbps/4K 60 fps mode.)
Link: https://lore.kernel.org/r/CACy+XB-f-51xGpNQFCSm5pE_momTQLu=BaZggHYU1DiDmFX=ug@mail.gmail.com
Cc: stable <stable@kernel.org>
Signed-off-by: A1RM4X <dev@a1rm4x.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -377,6 +377,9 @@ static const struct usb_device_id usb_qu
/* SanDisk Extreme 55AE */
{ USB_DEVICE(0x0781, 0x55ae), .driver_info = USB_QUIRK_NO_LPM },
+ /* Avermedia Live Gamer Ultra 2.1 (GC553G2) - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x07ca, 0x2553), .driver_info = USB_QUIRK_NO_BOS },
+
/* Realforce 87U Keyboard */
{ USB_DEVICE(0x0853, 0x011b), .driver_info = USB_QUIRK_NO_LPM },
@@ -434,6 +437,9 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x0b05, 0x17e0), .driver_info =
USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+ /* ASUS TUF 4K PRO - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x0b05, 0x1ab9), .driver_info = USB_QUIRK_NO_BOS },
+
/* Realtek Semiconductor Corp. Mass Storage Device (Multicard Reader)*/
{ USB_DEVICE(0x0bda, 0x0151), .driver_info = USB_QUIRK_CONFIG_INTF_STRINGS },
@@ -562,6 +568,9 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x2386, 0x350e), .driver_info = USB_QUIRK_NO_LPM },
+ /* UGREEN 35871 - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x2b89, 0x5871), .driver_info = USB_QUIRK_NO_BOS },
+
/* APTIV AUTOMOTIVE HUB */
{ USB_DEVICE(0x2c48, 0x0132), .driver_info =
USB_QUIRK_SHORT_SET_ADDRESS_REQ_TIMEOUT },
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 207/481] usb: xhci: Fix memory leak in xhci_disable_slot()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 206/481] USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 208/481] usb: yurex: fix race in probe Greg Kroah-Hartman
` (108 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zilin Guan, Mathias Nyman
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
commit c1c8550e70401159184130a1afc6261db01fc0ce upstream.
xhci_alloc_command() allocates a command structure and, when the
second argument is true, also allocates a completion structure.
Currently, the error handling path in xhci_disable_slot() only frees
the command structure using kfree(), causing the completion structure
to leak.
Use xhci_free_command() instead of kfree(). xhci_free_command() correctly
frees both the command structure and the associated completion structure.
Since the command structure is allocated with zero-initialization,
command->in_ctx is NULL and will not be erroneously freed by
xhci_free_command().
This bug was found using an experimental static analysis tool we are
developing. The tool is based on the LLVM framework and is specifically
designed to detect memory management issues. It is currently under
active development and not yet publicly available, but we plan to
open-source it after our research is published.
The bug was originally detected on v6.13-rc1 using our static analysis
tool, and we have verified that the issue persists in the latest mainline
kernel.
We performed build testing on x86_64 with allyesconfig using GCC=11.4.0.
Since triggering these error paths in xhci_disable_slot() requires specific
hardware conditions or abnormal state, we were unable to construct a test
case to reliably trigger these specific error paths at runtime.
Fixes: 7faac1953ed1 ("xhci: avoid race between disable slot command and host runtime suspend")
CC: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20260304223639.3882398-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -4067,7 +4067,7 @@ int xhci_disable_slot(struct xhci_hcd *x
if (state == 0xffffffff || (xhci->xhc_state & XHCI_STATE_DYING) ||
(xhci->xhc_state & XHCI_STATE_HALTED)) {
spin_unlock_irqrestore(&xhci->lock, flags);
- kfree(command);
+ xhci_free_command(xhci, command);
return -ENODEV;
}
@@ -4075,7 +4075,7 @@ int xhci_disable_slot(struct xhci_hcd *x
slot_id);
if (ret) {
spin_unlock_irqrestore(&xhci->lock, flags);
- kfree(command);
+ xhci_free_command(xhci, command);
return ret;
}
xhci_ring_cmd_db(xhci);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 194/460] x86/apic: Disable x2apic on resume if the kernel expects so
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 193/460] scsi: core: Fix error handling for scsi_alloc_sdev() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 195/460] lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after() Greg Kroah-Hartman
` (108 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rahul Bukte, Shashank Balaji,
Borislav Petkov (AMD), Thomas Gleixner, Sohil Mehta
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shashank Balaji <shashank.mahadasyam@sony.com>
commit 8cc7dd77a1466f0ec58c03478b2e735a5b289b96 upstream.
When resuming from s2ram, firmware may re-enable x2apic mode, which may have
been disabled by the kernel during boot either because it doesn't support IRQ
remapping or for other reasons. This causes the kernel to continue using the
xapic interface, while the hardware is in x2apic mode, which causes hangs.
This happens on defconfig + bare metal + s2ram.
Fix this in lapic_resume() by disabling x2apic if the kernel expects it to be
disabled, i.e. when x2apic_mode = 0.
The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the
pre-sleep configuration or initial boot configuration for each CPU, including
MSR state:
When executing from the power-on reset vector as a result of waking from an
S2 or S3 sleep state, the platform firmware performs only the hardware
initialization required to restore the system to either the state the
platform was in prior to the initial operating system boot, or to the
pre-sleep configuration state. In multiprocessor systems, non-boot
processors should be placed in the same state as prior to the initial
operating system boot.
(further ahead)
If this is an S2 or S3 wake, then the platform runtime firmware restores
minimum context of the system before jumping to the waking vector. This
includes:
CPU configuration. Platform runtime firmware restores the pre-sleep
configuration or initial boot configuration of each CPU (MSR, MTRR,
firmware update, SMBase, and so on). Interrupts must be disabled (for
IA-32 processors, disabled by CLI instruction).
(and other things)
So at least as per the spec, re-enablement of x2apic by the firmware is
allowed if "x2apic on" is a part of the initial boot configuration.
[1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization
[ bp: Massage. ]
Fixes: 6e1cb38a2aef ("x64, x2apic/intr-remap: add x2apic support, including enabling interrupt-remapping")
Co-developed-by: Rahul Bukte <rahul.bukte@sony.com>
Signed-off-by: Rahul Bukte <rahul.bukte@sony.com>
Signed-off-by: Shashank Balaji <shashank.mahadasyam@sony.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Sohil Mehta <sohil.mehta@intel.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260306-x2apic-fix-v2-1-bee99c12efa3@sony.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/apic/apic.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1887,6 +1887,7 @@ void __init check_x2apic(void)
static inline void try_to_enable_x2apic(int remap_mode) { }
static inline void __x2apic_enable(void) { }
+static inline void __x2apic_disable(void) { }
#endif /* !CONFIG_X86_X2APIC */
void __init enable_IR_x2apic(void)
@@ -2449,6 +2450,11 @@ static void lapic_resume(void)
if (x2apic_mode) {
__x2apic_enable();
} else {
+ if (x2apic_enabled()) {
+ pr_warn_once("x2apic: re-enabled by firmware during resume. Disabling\n");
+ __x2apic_disable();
+ }
+
/*
* Make sure the APICBASE points to the right address
*
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 270/567] usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 269/567] USB: add QUIRK_NO_BOS for video capture several devices Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 271/567] USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed Greg Kroah-Hartman
` (107 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Christoffer Sandberg,
Werner Sembach
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoffer Sandberg <cs@tuxedo.de>
commit 0326ff28d56b4fa202de36ffc8462a354f383a64 upstream.
Similar to other Huawei LTE modules using this quirk, this version with
another vid/pid suffers from spurious wakeups.
Setting the quirk fixes the issue for this device as well.
Cc: stable <stable@kernel.org>
Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Link: https://patch.msgid.link/20260306172817.2098898-1-wse@tuxedocomputers.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -208,6 +208,10 @@ static const struct usb_device_id usb_qu
/* HP v222w 16GB Mini USB Drive */
{ USB_DEVICE(0x03f0, 0x3f40), .driver_info = USB_QUIRK_DELAY_INIT },
+ /* Huawei 4G LTE module ME906S */
+ { USB_DEVICE(0x03f0, 0xa31d), .driver_info =
+ USB_QUIRK_DISCONNECT_SUSPEND },
+
/* Creative SB Audigy 2 NX */
{ USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME },
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 208/481] usb: yurex: fix race in probe
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 207/481] usb: xhci: Fix memory leak in xhci_disable_slot() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 209/481] usb: misc: uss720: properly clean up reference in uss720_probe() Greg Kroah-Hartman
` (107 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Oliver Neukum
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 7a875c09899ba0404844abfd8f0d54cdc481c151 upstream.
The bbu member of the descriptor must be set to the value
standing for uninitialized values before the URB whose
completion handler sets bbu is submitted. Otherwise there is
a window during which probing can overwrite already retrieved
data.
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20260209143720.1507500-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/yurex.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -272,6 +272,7 @@ static int yurex_probe(struct usb_interf
dev->int_buffer, YUREX_BUF_SIZE, yurex_interrupt,
dev, 1);
dev->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+ dev->bbu = -1;
if (usb_submit_urb(dev->urb, GFP_KERNEL)) {
retval = -EIO;
dev_err(&interface->dev, "Could not submitting URB\n");
@@ -280,7 +281,6 @@ static int yurex_probe(struct usb_interf
/* save our data pointer in this interface device */
usb_set_intfdata(interface, dev);
- dev->bbu = -1;
/* we can register the device now, as it is ready */
retval = usb_register_dev(interface, &yurex_class);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 195/460] lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 194/460] x86/apic: Disable x2apic on resume if the kernel expects so Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 196/460] lib/bootconfig: check bounds before writing in __xbc_open_brace() Greg Kroah-Hartman
` (107 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Law, Masami Hiramatsu (Google)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 1120a36bb1e9b9e22de75ecb4ef0b998f73a97f1 upstream.
snprintf() returns the number of characters that would have been
written excluding the NUL terminator. Output is truncated when the
return value is >= the buffer size, not just > the buffer size.
When ret == size, the current code takes the non-truncated path,
advancing buf by ret and reducing size to 0. This is wrong because
the output was actually truncated (the last character was replaced by
NUL). Fix by using >= so the truncation path is taken correctly.
Link: https://lore.kernel.org/all/20260312191143.28719-4-objecting@objecting.org/
Fixes: 76db5a27a827 ("bootconfig: Add Extra Boot Config support")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/bootconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -316,7 +316,7 @@ int __init xbc_node_compose_key_after(st
depth ? "." : "");
if (ret < 0)
return ret;
- if (ret > size) {
+ if (ret >= size) {
size = 0;
} else {
size -= ret;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 271/567] USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 270/567] usb/core/quirks: Add Huawei ME906S-device to wakeup quirk Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 272/567] usb: xhci: Fix memory leak in xhci_disable_slot() Greg Kroah-Hartman
` (106 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vyacheslav Vahnenko, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vyacheslav Vahnenko <vahnenko2003@gmail.com>
commit d0d9b1f4f5391e6a00cee81d73ed2e8f98446d5f upstream.
Add USB_QUIRK_NO_BOS for ezcap401 capture card, without it dmesg will show
"unable to get BOS descriptor or descriptor too short" and "unable to
read config index 0 descriptor/start: -71" errors and device will not
able to work at full speed at 10gbs
Signed-off-by: Vyacheslav Vahnenko <vahnenko2003@gmail.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260313123638.20481-1-vahnenko2003@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -585,6 +585,9 @@ static const struct usb_device_id usb_qu
/* Alcor Link AK9563 SC Reader used in 2022 Lenovo ThinkPads */
{ USB_DEVICE(0x2ce3, 0x9563), .driver_info = USB_QUIRK_NO_LPM },
+ /* ezcap401 - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x32ed, 0x0401), .driver_info = USB_QUIRK_NO_BOS },
+
/* DELL USB GEN2 */
{ USB_DEVICE(0x413c, 0xb062), .driver_info = USB_QUIRK_NO_LPM | USB_QUIRK_RESET_RESUME },
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 209/481] usb: misc: uss720: properly clean up reference in uss720_probe()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 208/481] usb: yurex: fix race in probe Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 210/481] usb: core: dont power off roothub PHYs if phy_set_mode() fails Greg Kroah-Hartman
` (106 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 45dba8011efac11a2f360383221b541f5ea53ce5 upstream.
If get_1284_register() fails, the usb device reference count is
incorrect and needs to be properly dropped before returning. That will
happen when the kref is dropped in the call to destroy_priv(), so jump
to that error path instead of returning directly.
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Link: https://patch.msgid.link/2026022342-smokiness-stove-d792@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/uss720.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/misc/uss720.c
+++ b/drivers/usb/misc/uss720.c
@@ -733,7 +733,7 @@ static int uss720_probe(struct usb_inter
ret = get_1284_register(pp, 0, ®, GFP_KERNEL);
dev_dbg(&intf->dev, "reg: %7ph\n", priv->reg);
if (ret < 0)
- return ret;
+ goto probe_abort;
ret = usb_find_last_int_in_endpoint(interface, &epd);
if (!ret) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 196/460] lib/bootconfig: check bounds before writing in __xbc_open_brace()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 195/460] lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 197/460] smb: client: fix atomic open with O_DIRECT & O_SYNC Greg Kroah-Hartman
` (106 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Law, Masami Hiramatsu (Google)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 560f763baa0f2c9a44da4294c06af071405ac46f upstream.
The bounds check for brace_index happens after the array write.
While the current call pattern prevents an actual out-of-bounds
access (the previous call would have returned an error), the
write-before-check pattern is fragile and would become a real
out-of-bounds write if the error return were ever not propagated.
Move the bounds check before the array write so the function is
self-contained and safe regardless of caller behavior.
Link: https://lore.kernel.org/all/20260312191143.28719-3-objecting@objecting.org/
Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/bootconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -532,9 +532,9 @@ static char *skip_spaces_until_newline(c
static int __init __xbc_open_brace(char *p)
{
/* Push the last key as open brace */
- open_brace[brace_index++] = xbc_node_index(last_parent);
if (brace_index >= XBC_DEPTH_MAX)
return xbc_parse_error("Exceed max depth of braces", p);
+ open_brace[brace_index++] = xbc_node_index(last_parent);
return 0;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 272/567] usb: xhci: Fix memory leak in xhci_disable_slot()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 271/567] USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 273/567] usb: xhci: Prevent interrupt storm on host controller error (HCE) Greg Kroah-Hartman
` (105 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zilin Guan, Mathias Nyman
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
commit c1c8550e70401159184130a1afc6261db01fc0ce upstream.
xhci_alloc_command() allocates a command structure and, when the
second argument is true, also allocates a completion structure.
Currently, the error handling path in xhci_disable_slot() only frees
the command structure using kfree(), causing the completion structure
to leak.
Use xhci_free_command() instead of kfree(). xhci_free_command() correctly
frees both the command structure and the associated completion structure.
Since the command structure is allocated with zero-initialization,
command->in_ctx is NULL and will not be erroneously freed by
xhci_free_command().
This bug was found using an experimental static analysis tool we are
developing. The tool is based on the LLVM framework and is specifically
designed to detect memory management issues. It is currently under
active development and not yet publicly available, but we plan to
open-source it after our research is published.
The bug was originally detected on v6.13-rc1 using our static analysis
tool, and we have verified that the issue persists in the latest mainline
kernel.
We performed build testing on x86_64 with allyesconfig using GCC=11.4.0.
Since triggering these error paths in xhci_disable_slot() requires specific
hardware conditions or abnormal state, we were unable to construct a test
case to reliably trigger these specific error paths at runtime.
Fixes: 7faac1953ed1 ("xhci: avoid race between disable slot command and host runtime suspend")
CC: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20260304223639.3882398-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3939,7 +3939,7 @@ int xhci_disable_slot(struct xhci_hcd *x
if (state == 0xffffffff || (xhci->xhc_state & XHCI_STATE_DYING) ||
(xhci->xhc_state & XHCI_STATE_HALTED)) {
spin_unlock_irqrestore(&xhci->lock, flags);
- kfree(command);
+ xhci_free_command(xhci, command);
return -ENODEV;
}
@@ -3947,7 +3947,7 @@ int xhci_disable_slot(struct xhci_hcd *x
slot_id);
if (ret) {
spin_unlock_irqrestore(&xhci->lock, flags);
- kfree(command);
+ xhci_free_command(xhci, command);
return ret;
}
xhci_ring_cmd_db(xhci);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 210/481] usb: core: dont power off roothub PHYs if phy_set_mode() fails
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 209/481] usb: misc: uss720: properly clean up reference in uss720_probe() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 211/481] usb: cdc-acm: Restore CAP_BRK functionnality to CH343 Greg Kroah-Hartman
` (105 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Miquel Raynal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
commit e293015ba76eb96ce4ebed7e3b2cb1a7d319f3e9 upstream.
Remove the error path from the usb_phy_roothub_set_mode() function.
The code is clearly wrong, because phy_set_mode() calls can't be
balanced with phy_power_off() calls.
Additionally, the usb_phy_roothub_set_mode() function is called only
from usb_add_hcd() before it powers on the PHYs, so powering off those
makes no sense anyway.
Presumably, the code is copy-pasted from the phy_power_on() function
without adjusting the error handling.
Cc: stable@vger.kernel.org # v5.1+
Fixes: b97a31348379 ("usb: core: comply to PHY framework")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20260218-usb-phy-poweroff-fix-v1-1-66e6831e860e@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/phy.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
--- a/drivers/usb/core/phy.c
+++ b/drivers/usb/core/phy.c
@@ -138,16 +138,10 @@ int usb_phy_roothub_set_mode(struct usb_
list_for_each_entry(roothub_entry, head, list) {
err = phy_set_mode(roothub_entry->phy, mode);
if (err)
- goto err_out;
+ return err;
}
return 0;
-
-err_out:
- list_for_each_entry_continue_reverse(roothub_entry, head, list)
- phy_power_off(roothub_entry->phy);
-
- return err;
}
EXPORT_SYMBOL_GPL(usb_phy_roothub_set_mode);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 197/460] smb: client: fix atomic open with O_DIRECT & O_SYNC
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 196/460] lib/bootconfig: check bounds before writing in __xbc_open_brace() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 198/460] smb: client: fix in-place encryption corruption in SMB2_write() Greg Kroah-Hartman
` (105 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
David Howells, Henrique Carvalho, Tom Talpey, linux-cifs,
Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.org>
commit 4a7d2729dc99437dbb880a64c47828c0d191b308 upstream.
When user application requests O_DIRECT|O_SYNC along with O_CREAT on
open(2), CREATE_NO_BUFFER and CREATE_WRITE_THROUGH bits were missed in
CREATE request when performing an atomic open, thus leading to
potentially data integrity issues.
Fix this by setting those missing bits in CREATE request when
O_DIRECT|O_SYNC has been specified in cifs_do_create().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Henrique Carvalho <henrique.carvalho@suse.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifsglob.h | 11 +++++++++++
fs/smb/client/dir.c | 1 +
fs/smb/client/file.c | 18 +++---------------
3 files changed, 15 insertions(+), 15 deletions(-)
--- a/fs/smb/client/cifsglob.h
+++ b/fs/smb/client/cifsglob.h
@@ -20,6 +20,7 @@
#include <linux/utsname.h>
#include <linux/sched/mm.h>
#include <linux/netfs.h>
+#include <linux/fcntl.h>
#include "cifs_fs_sb.h"
#include "cifsacl.h"
#include <crypto/internal/hash.h>
@@ -2317,4 +2318,14 @@ static inline bool cifs_ses_exiting(stru
return ret;
}
+static inline int cifs_open_create_options(unsigned int oflags, int opts)
+{
+ /* O_SYNC also has bit for O_DSYNC so following check picks up either */
+ if (oflags & O_SYNC)
+ opts |= CREATE_WRITE_THROUGH;
+ if (oflags & O_DIRECT)
+ opts |= CREATE_NO_BUFFER;
+ return opts;
+}
+
#endif /* _CIFS_GLOB_H */
--- a/fs/smb/client/dir.c
+++ b/fs/smb/client/dir.c
@@ -304,6 +304,7 @@ static int cifs_do_create(struct inode *
goto out;
}
+ create_options |= cifs_open_create_options(oflags, create_options);
/*
* if we're not using unix extensions, see if we need to set
* ATTR_READONLY on the create call
--- a/fs/smb/client/file.c
+++ b/fs/smb/client/file.c
@@ -570,15 +570,8 @@ static int cifs_nt_open(const char *full
*********************************************************************/
disposition = cifs_get_disposition(f_flags);
-
/* BB pass O_SYNC flag through on file attributes .. BB */
-
- /* O_SYNC also has bit for O_DSYNC so following check picks up either */
- if (f_flags & O_SYNC)
- create_options |= CREATE_WRITE_THROUGH;
-
- if (f_flags & O_DIRECT)
- create_options |= CREATE_NO_BUFFER;
+ create_options |= cifs_open_create_options(f_flags, create_options);
retry_open:
oparms = (struct cifs_open_parms) {
@@ -1228,13 +1221,8 @@ cifs_reopen_file(struct cifsFileInfo *cf
rdwr_for_fscache = 1;
desired_access = cifs_convert_flags(cfile->f_flags, rdwr_for_fscache);
-
- /* O_SYNC also has bit for O_DSYNC so following check picks up either */
- if (cfile->f_flags & O_SYNC)
- create_options |= CREATE_WRITE_THROUGH;
-
- if (cfile->f_flags & O_DIRECT)
- create_options |= CREATE_NO_BUFFER;
+ create_options |= cifs_open_create_options(cfile->f_flags,
+ create_options);
if (server->ops->get_lease_key)
server->ops->get_lease_key(inode, &cfile->fid);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 273/567] usb: xhci: Prevent interrupt storm on host controller error (HCE)
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 272/567] usb: xhci: Fix memory leak in xhci_disable_slot() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 274/567] usb: yurex: fix race in probe Greg Kroah-Hartman
` (104 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dayu Jiang, Mathias Nyman
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dayu Jiang <jiangdayu@xiaomi.com>
commit d6d5febd12452b7fd951fdd15c3ec262f01901a4 upstream.
The xHCI controller reports a Host Controller Error (HCE) in UAS Storage
Device plug/unplug scenarios on Android devices. HCE is checked in
xhci_irq() function and causes an interrupt storm (since the interrupt
isn’t cleared), leading to severe system-level faults.
When the xHC controller reports HCE in the interrupt handler, the driver
only logs a warning and assumes xHC activity will stop as stated in xHCI
specification. An interrupt storm does however continue on some hosts
even after HCE, and only ceases after manually disabling xHC interrupt
and stopping the controller by calling xhci_halt().
Add xhci_halt() to xhci_irq() function where STS_HCE status is checked,
mirroring the existing error handling pattern used for STS_FATAL errors.
This only fixes the interrupt storm. Proper HCE recovery requires resetting
and re-initializing the xHC.
CC: stable@vger.kernel.org
Signed-off-by: Dayu Jiang <jiangdayu@xiaomi.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20260304223639.3882398-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-ring.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -3219,6 +3219,7 @@ irqreturn_t xhci_irq(struct usb_hcd *hcd
if (status & STS_HCE) {
xhci_warn(xhci, "WARNING: Host Controller Error\n");
+ xhci_halt(xhci);
goto out;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 211/481] usb: cdc-acm: Restore CAP_BRK functionnality to CH343
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 210/481] usb: core: dont power off roothub PHYs if phy_set_mode() fails Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 212/481] USB: usbcore: Introduce usb_bulk_msg_killable() Greg Kroah-Hartman
` (104 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Zyngier, stable, Oliver Neukum
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit 14ae24cba291bddfdc296bbcbfd00cd09d0498ef upstream.
The CH343 USB/serial adapter is as buggy as it is popular (very).
One of its quirks is that despite being capable of signalling a
BREAK condition, it doesn't advertise it.
This used to work nonetheless until 66aad7d8d3ec5 ("usb: cdc-acm:
return correct error code on unsupported break") applied some
reasonable restrictions, preventing breaks from being emitted on
devices that do not advertise CAP_BRK.
Add a quirk for this particular device, so that breaks can still
be produced on some of my machines attached to my console server.
Fixes: 66aad7d8d3ec5 ("usb: cdc-acm: return correct error code on unsupported break")
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable <stable@kernel.org>
Cc: Oliver Neukum <oneukum@suse.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20260301124440.1192752-1-maz@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-acm.c | 5 +++++
drivers/usb/class/cdc-acm.h | 1 +
2 files changed, 6 insertions(+)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1355,6 +1355,8 @@ made_compressed_probe:
acm->ctrl_caps = h.usb_cdc_acm_descriptor->bmCapabilities;
if (quirks & NO_CAP_LINE)
acm->ctrl_caps &= ~USB_CDC_CAP_LINE;
+ if (quirks & MISSING_CAP_BRK)
+ acm->ctrl_caps |= USB_CDC_CAP_BRK;
acm->ctrlsize = ctrlsize;
acm->readsize = readsize;
acm->rx_buflimit = num_rx_buf;
@@ -1978,6 +1980,9 @@ static const struct usb_device_id acm_id
.driver_info = IGNORE_DEVICE,
},
+ /* CH343 supports CAP_BRK, but doesn't advertise it */
+ { USB_DEVICE(0x1a86, 0x55d3), .driver_info = MISSING_CAP_BRK, },
+
/* control interfaces without any protocol set */
{ USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
USB_CDC_PROTO_NONE) },
--- a/drivers/usb/class/cdc-acm.h
+++ b/drivers/usb/class/cdc-acm.h
@@ -113,3 +113,4 @@ struct acm {
#define CLEAR_HALT_CONDITIONS BIT(5)
#define SEND_ZERO_PACKET BIT(6)
#define DISABLE_ECHO BIT(7)
+#define MISSING_CAP_BRK BIT(8)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 198/460] smb: client: fix in-place encryption corruption in SMB2_write()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 197/460] smb: client: fix atomic open with O_DIRECT & O_SYNC Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 199/460] smb: client: fix iface port assignment in parse_server_interfaces Greg Kroah-Hartman
` (104 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henrique Carvalho, Shyam Prasad N,
Paulo Alcantara (Red Hat), Bharath SM, Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bharath SM <bharathsm@microsoft.com>
commit d78840a6a38d312dc1a51a65317bb67e46f0b929 upstream.
SMB2_write() places write payload in iov[1..n] as part of rq_iov.
smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()
encrypts iov[1] in-place, replacing the original plaintext with
ciphertext. On a replayable error, the retry sends the same iov[1]
which now contains ciphertext instead of the original data,
resulting in corruption.
The corruption is most likely to be observed when connections are
unstable, as reconnects trigger write retries that re-send the
already-encrypted data.
This affects SFU mknod, MF symlinks, etc. On kernels before
6.10 (prior to the netfs conversion), sync writes also used
this path and were similarly affected. The async write path
wasn't unaffected as it uses rq_iter which gets deep-copied.
Fix by moving the write payload into rq_iter via iov_iter_kvec(),
so smb3_init_transform_rq() deep-copies it before encryption.
Cc: stable@vger.kernel.org #6.3+
Acked-by: Henrique Carvalho <henrique.carvalho@suse.com>
Acked-by: Shyam Prasad N <sprasad@microsoft.com>
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -5163,7 +5163,10 @@ replay_again:
memset(&rqst, 0, sizeof(struct smb_rqst));
rqst.rq_iov = iov;
- rqst.rq_nvec = n_vec + 1;
+ /* iov[0] is the SMB header; move payload to rq_iter for encryption safety */
+ rqst.rq_nvec = 1;
+ iov_iter_kvec(&rqst.rq_iter, ITER_SOURCE, &iov[1], n_vec,
+ io_parms->length);
if (retries)
smb2_set_replay(server, &rqst);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 274/567] usb: yurex: fix race in probe
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 273/567] usb: xhci: Prevent interrupt storm on host controller error (HCE) Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 275/567] usb: dwc3: pci: add support for the Intel Nova Lake -H Greg Kroah-Hartman
` (103 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Oliver Neukum
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 7a875c09899ba0404844abfd8f0d54cdc481c151 upstream.
The bbu member of the descriptor must be set to the value
standing for uninitialized values before the URB whose
completion handler sets bbu is submitted. Otherwise there is
a window during which probing can overwrite already retrieved
data.
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20260209143720.1507500-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/yurex.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -272,6 +272,7 @@ static int yurex_probe(struct usb_interf
dev->int_buffer, YUREX_BUF_SIZE, yurex_interrupt,
dev, 1);
dev->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+ dev->bbu = -1;
if (usb_submit_urb(dev->urb, GFP_KERNEL)) {
retval = -EIO;
dev_err(&interface->dev, "Could not submitting URB\n");
@@ -280,7 +281,6 @@ static int yurex_probe(struct usb_interf
/* save our data pointer in this interface device */
usb_set_intfdata(interface, dev);
- dev->bbu = -1;
/* we can register the device now, as it is ready */
retval = usb_register_dev(interface, &yurex_class);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 212/481] USB: usbcore: Introduce usb_bulk_msg_killable()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 211/481] usb: cdc-acm: Restore CAP_BRK functionnality to CH343 Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 213/481] USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts Greg Kroah-Hartman
` (103 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Stern, Oliver Neukum
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 416909962e7cdf29fd01ac523c953f37708df93d upstream.
The synchronous message API in usbcore (usb_control_msg(),
usb_bulk_msg(), and so on) uses uninterruptible waits. However,
drivers may call these routines in the context of a user thread, which
means it ought to be possible to at least kill them.
For this reason, introduce a new usb_bulk_msg_killable() function
which behaves the same as usb_bulk_msg() except for using
wait_for_completion_killable_timeout() instead of
wait_for_completion_timeout(). The same can be done later for
usb_control_msg() later on, if it turns out to be needed.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Suggested-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/linux-usb/3acfe838-6334-4f6d-be7c-4bb01704b33d@rowland.harvard.edu/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
CC: stable@vger.kernel.org
Link: https://patch.msgid.link/248628b4-cc83-4e81-a620-3ce4e0376d41@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/message.c | 79 +++++++++++++++++++++++++++++++++++++++------
include/linux/usb.h | 5 +-
2 files changed, 72 insertions(+), 12 deletions(-)
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -41,16 +41,17 @@ static void usb_api_blocking_completion(
/*
- * Starts urb and waits for completion or timeout. Note that this call
- * is NOT interruptible. Many device driver i/o requests should be
- * interruptible and therefore these drivers should implement their
- * own interruptible routines.
+ * Starts urb and waits for completion or timeout.
+ * Whether or not the wait is killable depends on the flag passed in.
+ * For example, compare usb_bulk_msg() and usb_bulk_msg_killable().
*/
-static int usb_start_wait_urb(struct urb *urb, int timeout, int *actual_length)
+static int usb_start_wait_urb(struct urb *urb, int timeout, int *actual_length,
+ bool killable)
{
struct api_context ctx;
unsigned long expire;
int retval;
+ long rc;
init_completion(&ctx.done);
urb->context = &ctx;
@@ -60,12 +61,21 @@ static int usb_start_wait_urb(struct urb
goto out;
expire = timeout ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT;
- if (!wait_for_completion_timeout(&ctx.done, expire)) {
+ if (killable)
+ rc = wait_for_completion_killable_timeout(&ctx.done, expire);
+ else
+ rc = wait_for_completion_timeout(&ctx.done, expire);
+ if (rc <= 0) {
usb_kill_urb(urb);
- retval = (ctx.status == -ENOENT ? -ETIMEDOUT : ctx.status);
+ if (ctx.status != -ENOENT)
+ retval = ctx.status;
+ else if (rc == 0)
+ retval = -ETIMEDOUT;
+ else
+ retval = rc;
dev_dbg(&urb->dev->dev,
- "%s timed out on ep%d%s len=%u/%u\n",
+ "%s timed out or killed on ep%d%s len=%u/%u\n",
current->comm,
usb_endpoint_num(&urb->ep->desc),
usb_urb_dir_in(urb) ? "in" : "out",
@@ -99,7 +109,7 @@ static int usb_internal_control_msg(stru
usb_fill_control_urb(urb, usb_dev, pipe, (unsigned char *)cmd, data,
len, usb_api_blocking_completion, NULL);
- retv = usb_start_wait_urb(urb, timeout, &length);
+ retv = usb_start_wait_urb(urb, timeout, &length, false);
if (retv < 0)
return retv;
else
@@ -384,10 +394,59 @@ int usb_bulk_msg(struct usb_device *usb_
usb_fill_bulk_urb(urb, usb_dev, pipe, data, len,
usb_api_blocking_completion, NULL);
- return usb_start_wait_urb(urb, timeout, actual_length);
+ return usb_start_wait_urb(urb, timeout, actual_length, false);
}
EXPORT_SYMBOL_GPL(usb_bulk_msg);
+/**
+ * usb_bulk_msg_killable - Builds a bulk urb, sends it off and waits for completion in a killable state
+ * @usb_dev: pointer to the usb device to send the message to
+ * @pipe: endpoint "pipe" to send the message to
+ * @data: pointer to the data to send
+ * @len: length in bytes of the data to send
+ * @actual_length: pointer to a location to put the actual length transferred
+ * in bytes
+ * @timeout: time in msecs to wait for the message to complete before
+ * timing out (if 0 the wait is forever)
+ *
+ * Context: task context, might sleep.
+ *
+ * This function is just like usb_blk_msg() except that it waits in a
+ * killable state.
+ *
+ * Return:
+ * If successful, 0. Otherwise a negative error number. The number of actual
+ * bytes transferred will be stored in the @actual_length parameter.
+ *
+ */
+int usb_bulk_msg_killable(struct usb_device *usb_dev, unsigned int pipe,
+ void *data, int len, int *actual_length, int timeout)
+{
+ struct urb *urb;
+ struct usb_host_endpoint *ep;
+
+ ep = usb_pipe_endpoint(usb_dev, pipe);
+ if (!ep || len < 0)
+ return -EINVAL;
+
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (!urb)
+ return -ENOMEM;
+
+ if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) ==
+ USB_ENDPOINT_XFER_INT) {
+ pipe = (pipe & ~(3 << 30)) | (PIPE_INTERRUPT << 30);
+ usb_fill_int_urb(urb, usb_dev, pipe, data, len,
+ usb_api_blocking_completion, NULL,
+ ep->desc.bInterval);
+ } else
+ usb_fill_bulk_urb(urb, usb_dev, pipe, data, len,
+ usb_api_blocking_completion, NULL);
+
+ return usb_start_wait_urb(urb, timeout, actual_length, true);
+}
+EXPORT_SYMBOL_GPL(usb_bulk_msg_killable);
+
/*-------------------------------------------------------------------*/
static void sg_clean(struct usb_sg_request *io)
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1804,8 +1804,9 @@ extern int usb_control_msg(struct usb_de
extern int usb_interrupt_msg(struct usb_device *usb_dev, unsigned int pipe,
void *data, int len, int *actual_length, int timeout);
extern int usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe,
- void *data, int len, int *actual_length,
- int timeout);
+ void *data, int len, int *actual_length, int timeout);
+extern int usb_bulk_msg_killable(struct usb_device *usb_dev, unsigned int pipe,
+ void *data, int len, int *actual_length, int timeout);
/* wrappers around usb_control_msg() for the most common standard requests */
int usb_control_msg_send(struct usb_device *dev, __u8 endpoint, __u8 request,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 199/460] smb: client: fix iface port assignment in parse_server_interfaces
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 198/460] smb: client: fix in-place encryption corruption in SMB2_write() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 200/460] btrfs: fix transaction abort on file creation due to name hash collision Greg Kroah-Hartman
` (103 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dr. Thomas Orgis, Enzo Matsumiya,
Henrique Carvalho, Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henrique Carvalho <henrique.carvalho@suse.com>
commit d4c7210d2f3ea481a6481f03040a64d9077a6172 upstream.
parse_server_interfaces() initializes interface socket addresses with
CIFS_PORT. When the mount uses a non-default port this overwrites the
configured destination port.
Later, cifs_chan_update_iface() copies this sockaddr into server->dstaddr,
causing reconnect attempts to use the wrong port after server interface
updates.
Use the existing port from server->dstaddr instead.
Cc: stable@vger.kernel.org
Fixes: fe856be475f7 ("CIFS: parse and store info on iface queries")
Tested-by: Dr. Thomas Orgis <thomas.orgis@uni-hamburg.de>
Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2ops.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -628,6 +628,7 @@ parse_server_interfaces(struct network_i
struct iface_info_ipv6 *p6;
struct cifs_server_iface *info = NULL, *iface = NULL, *niface = NULL;
struct cifs_server_iface tmp_iface;
+ __be16 port;
ssize_t bytes_left;
size_t next = 0;
int nb_iface = 0;
@@ -662,6 +663,15 @@ parse_server_interfaces(struct network_i
goto out;
}
+ spin_lock(&ses->server->srv_lock);
+ if (ses->server->dstaddr.ss_family == AF_INET)
+ port = ((struct sockaddr_in *)&ses->server->dstaddr)->sin_port;
+ else if (ses->server->dstaddr.ss_family == AF_INET6)
+ port = ((struct sockaddr_in6 *)&ses->server->dstaddr)->sin6_port;
+ else
+ port = cpu_to_be16(CIFS_PORT);
+ spin_unlock(&ses->server->srv_lock);
+
while (bytes_left >= (ssize_t)sizeof(*p)) {
memset(&tmp_iface, 0, sizeof(tmp_iface));
/* default to 1Gbps when link speed is unset */
@@ -682,7 +692,7 @@ parse_server_interfaces(struct network_i
memcpy(&addr4->sin_addr, &p4->IPv4Address, 4);
/* [MS-SMB2] 2.2.32.5.1.1 Clients MUST ignore these */
- addr4->sin_port = cpu_to_be16(CIFS_PORT);
+ addr4->sin_port = port;
cifs_dbg(FYI, "%s: ipv4 %pI4\n", __func__,
&addr4->sin_addr);
@@ -696,7 +706,7 @@ parse_server_interfaces(struct network_i
/* [MS-SMB2] 2.2.32.5.1.2 Clients MUST ignore these */
addr6->sin6_flowinfo = 0;
addr6->sin6_scope_id = 0;
- addr6->sin6_port = cpu_to_be16(CIFS_PORT);
+ addr6->sin6_port = port;
cifs_dbg(FYI, "%s: ipv6 %pI6\n", __func__,
&addr6->sin6_addr);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 275/567] usb: dwc3: pci: add support for the Intel Nova Lake -H
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 274/567] usb: yurex: fix race in probe Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 276/567] usb: misc: uss720: properly clean up reference in uss720_probe() Greg Kroah-Hartman
` (102 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, stable,
Thinh Nguyen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
commit 17ab4d4078e22be7fd8fd6fc710c15c085a4cb1b upstream.
This patch adds the necessary PCI ID for Intel Nova Lake -H
devices.
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: stable <stable@kernel.org>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20260309130204.208661-1-heikki.krogerus@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-pci.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/dwc3/dwc3-pci.c
+++ b/drivers/usb/dwc3/dwc3-pci.c
@@ -56,6 +56,7 @@
#define PCI_DEVICE_ID_INTEL_CNPH 0xa36e
#define PCI_DEVICE_ID_INTEL_CNPV 0xa3b0
#define PCI_DEVICE_ID_INTEL_RPL 0xa70e
+#define PCI_DEVICE_ID_INTEL_NVLH 0xd37f
#define PCI_DEVICE_ID_INTEL_PTLH 0xe332
#define PCI_DEVICE_ID_INTEL_PTLH_PCH 0xe37e
#define PCI_DEVICE_ID_INTEL_PTLU 0xe432
@@ -448,6 +449,7 @@ static const struct pci_device_id dwc3_p
{ PCI_DEVICE_DATA(INTEL, CNPH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, CNPV, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, RPL, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, NVLH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, PTLH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, PTLH_PCH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, PTLU, &dwc3_pci_intel_swnode) },
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 213/481] USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 212/481] USB: usbcore: Introduce usb_bulk_msg_killable() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 214/481] USB: core: Limit the length of unkillable synchronous timeouts Greg Kroah-Hartman
` (102 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot+25ba18e2c5040447585d,
Alan Stern
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 7784caa413a89487dd14dd5c41db8753483b2acb upstream.
The usbtmc driver accepts timeout values specified by the user in an
ioctl command, and uses these timeouts for some usb_bulk_msg() calls.
Since the user can specify arbitrarily long timeouts and
usb_bulk_msg() uses unkillable waits, call usb_bulk_msg_killable()
instead to avoid the possibility of the user hanging a kernel thread
indefinitely.
Reported-by: syzbot+25ba18e2c5040447585d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/8e1c7ac5-e076-44b0-84b8-1b34b20f0ae1@suse.com/T/#t
Tested-by: syzbot+25ba18e2c5040447585d@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Fixes: 048c6d88a021 ("usb: usbtmc: Add ioctls to set/get usb timeout")
CC: stable@vger.kernel.org
Link: https://patch.msgid.link/81c6fc24-0607-40f1-8c20-5270dab2fad5@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/usbtmc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -727,7 +727,7 @@ static int usbtmc488_ioctl_trigger(struc
buffer[1] = data->bTag;
buffer[2] = ~data->bTag;
- retval = usb_bulk_msg(data->usb_dev,
+ retval = usb_bulk_msg_killable(data->usb_dev,
usb_sndbulkpipe(data->usb_dev,
data->bulk_out),
buffer, USBTMC_HEADER_SIZE,
@@ -1347,7 +1347,7 @@ static int send_request_dev_dep_msg_in(s
buffer[11] = 0; /* Reserved */
/* Send bulk URB */
- retval = usb_bulk_msg(data->usb_dev,
+ retval = usb_bulk_msg_killable(data->usb_dev,
usb_sndbulkpipe(data->usb_dev,
data->bulk_out),
buffer, USBTMC_HEADER_SIZE,
@@ -1419,7 +1419,7 @@ static ssize_t usbtmc_read(struct file *
actual = 0;
/* Send bulk URB */
- retval = usb_bulk_msg(data->usb_dev,
+ retval = usb_bulk_msg_killable(data->usb_dev,
usb_rcvbulkpipe(data->usb_dev,
data->bulk_in),
buffer, bufsize, &actual,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 200/460] btrfs: fix transaction abort on file creation due to name hash collision
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 199/460] smb: client: fix iface port assignment in parse_server_interfaces Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 201/460] btrfs: fix transaction abort on set received ioctl due to item overflow Greg Kroah-Hartman
` (102 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Burkov, Qu Wenruo,
Filipe Manana, David Sterba
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 2d1ababdedd4ba38867c2500eb7f95af5ddeeef7 upstream.
If we attempt to create several files with names that result in the same
hash, we have to pack them in same dir item and that has a limit inherent
to the leaf size. However if we reach that limit, we trigger a transaction
abort and turns the filesystem into RO mode. This allows for a malicious
user to disrupt a system, without the need to have administration
privileges/capabilities.
Reproducer:
$ cat exploit-hash-collisions.sh
#!/bin/bash
DEV=/dev/sdi
MNT=/mnt/sdi
# Use smallest node size to make the test faster and require fewer file
# names that result in hash collision.
mkfs.btrfs -f --nodesize 4K $DEV
mount $DEV $MNT
# List of names that result in the same crc32c hash for btrfs.
declare -a names=(
'foobar'
'%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC'
'AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z'
'CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4'
'ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:'
'HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO'
'Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us'
'KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY'
'NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO'
'Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU'
'Ono7avN5GjC:_6dBJ_'
'WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am'
'WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k'
'XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2'
'd3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd'
'ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm'
'evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ'
'gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky'
'hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS'
'isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz'
'kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu'
'lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN'
'rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4='
'uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn'
'UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C'
'y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW'
'8-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc'
'YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mCaaKGxb990jzaagRktDTyp'
'9hD2ApKa_t_7x-a@GCG28kY:7$M@5udI1myQ$x5udtggvagmCQcq9QXWRC5hoB0o-_zHQUqZI5rMcz_kbMgvN5jr63LeYA4Cj-c6F5Ugmx6DgVf@2Jqm%MafecpgooqreJ53P-QTS'
)
# Now create files with all those names in the same parent directory.
# It should not fail since a 4K leaf has enough space for them.
for name in "${names[@]}"; do
touch $MNT/$name
done
# Now add one more file name that causes a crc32c hash collision.
# This should fail, but it should not turn the filesystem into RO mode
# (which could be exploited by malicious users) due to a transaction
# abort.
touch $MNT/'W6tIm-VK2@BGC@IBfcgg6j_p:pxp_QUqtWpGD5Ok_GmijKOJJt'
# Check that we are able to create another file, with a name that does not cause
# a crc32c hash collision.
echo -n "hello world" > $MNT/baz
# Unmount and mount again, verify file baz exists and with the right content.
umount $MNT
mount $DEV $MNT
echo "File baz content: $(cat $MNT/baz)"
umount $MNT
When running the reproducer:
$ ./exploit-hash-collisions.sh
(...)
touch: cannot touch '/mnt/sdi/W6tIm-VK2@BGC@IBfcgg6j_p:pxp_QUqtWpGD5Ok_GmijKOJJt': Value too large for defined data type
./exploit-hash-collisions.sh: line 57: /mnt/sdi/baz: Read-only file system
cat: /mnt/sdi/baz: No such file or directory
File baz content:
And the transaction abort stack trace in dmesg/syslog:
$ dmesg
(...)
[758240.509761] ------------[ cut here ]------------
[758240.510668] BTRFS: Transaction aborted (error -75)
[758240.511577] WARNING: fs/btrfs/inode.c:6854 at btrfs_create_new_inode+0x805/0xb50 [btrfs], CPU#6: touch/888644
[758240.513513] Modules linked in: btrfs dm_zero (...)
[758240.523221] CPU: 6 UID: 0 PID: 888644 Comm: touch Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
[758240.524621] Tainted: [W]=WARN
[758240.525037] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[758240.526331] RIP: 0010:btrfs_create_new_inode+0x80b/0xb50 [btrfs]
[758240.527093] Code: 0f 82 cf (...)
[758240.529211] RSP: 0018:ffffce64418fbb48 EFLAGS: 00010292
[758240.529935] RAX: 00000000ffffffd3 RBX: 0000000000000000 RCX: 00000000ffffffb5
[758240.531040] RDX: 0000000d04f33e06 RSI: 00000000ffffffb5 RDI: ffffffffc0919dd0
[758240.531920] RBP: ffffce64418fbc10 R08: 0000000000000000 R09: 00000000ffffffb5
[758240.532928] R10: 0000000000000000 R11: ffff8e52c0000000 R12: ffff8e53eee7d0f0
[758240.533818] R13: ffff8e57f70932a0 R14: ffff8e5417629568 R15: 0000000000000000
[758240.534664] FS: 00007f1959a2a740(0000) GS:ffff8e5b27cae000(0000) knlGS:0000000000000000
[758240.535821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[758240.536644] CR2: 00007f1959b10ce0 CR3: 000000012a2cc005 CR4: 0000000000370ef0
[758240.537517] Call Trace:
[758240.537828] <TASK>
[758240.538099] btrfs_create_common+0xbf/0x140 [btrfs]
[758240.538760] path_openat+0x111a/0x15b0
[758240.539252] do_filp_open+0xc2/0x170
[758240.539699] ? preempt_count_add+0x47/0xa0
[758240.540200] ? __virt_addr_valid+0xe4/0x1a0
[758240.540800] ? __check_object_size+0x1b3/0x230
[758240.541661] ? alloc_fd+0x118/0x180
[758240.542315] do_sys_openat2+0x70/0xd0
[758240.543012] __x64_sys_openat+0x50/0xa0
[758240.543723] do_syscall_64+0x50/0xf20
[758240.544462] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[758240.545397] RIP: 0033:0x7f1959abc687
[758240.546019] Code: 48 89 fa (...)
[758240.548522] RSP: 002b:00007ffe16ff8690 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[758240.566278] RAX: ffffffffffffffda RBX: 00007f1959a2a740 RCX: 00007f1959abc687
[758240.567068] RDX: 0000000000000941 RSI: 00007ffe16ffa333 RDI: ffffffffffffff9c
[758240.567860] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[758240.568707] R10: 00000000000001b6 R11: 0000000000000202 R12: 0000561eec7c4b90
[758240.569712] R13: 0000561eec7c311f R14: 00007ffe16ffa333 R15: 0000000000000000
[758240.570758] </TASK>
[758240.571040] ---[ end trace 0000000000000000 ]---
[758240.571681] BTRFS: error (device sdi state A) in btrfs_create_new_inode:6854: errno=-75 unknown
[758240.572899] BTRFS info (device sdi state EA): forced readonly
Fix this by checking for hash collision, and if the adding a new name is
possible, early in btrfs_create_new_inode() before we do any tree updates,
so that we don't need to abort the transaction if we cannot add the new
name due to the leaf size limit.
A test case for fstests will be sent soon.
Fixes: caae78e03234 ("btrfs: move common inode creation code into btrfs_create_new_inode()")
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Boris Burkov <boris@bur.io>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -6358,6 +6358,25 @@ int btrfs_create_new_inode(struct btrfs_
int ret;
bool xa_reserved = false;
+ if (!args->orphan && !args->subvol) {
+ /*
+ * Before anything else, check if we can add the name to the
+ * parent directory. We want to avoid a dir item overflow in
+ * case we have an existing dir item due to existing name
+ * hash collisions. We do this check here before we call
+ * btrfs_add_link() down below so that we can avoid a
+ * transaction abort (which could be exploited by malicious
+ * users).
+ *
+ * For subvolumes we already do this in btrfs_mksubvol().
+ */
+ ret = btrfs_check_dir_item_collision(BTRFS_I(dir)->root,
+ btrfs_ino(BTRFS_I(dir)),
+ name);
+ if (ret < 0)
+ return ret;
+ }
+
path = btrfs_alloc_path();
if (!path)
return -ENOMEM;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 276/567] usb: misc: uss720: properly clean up reference in uss720_probe()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 275/567] usb: dwc3: pci: add support for the Intel Nova Lake -H Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 277/567] usb: core: dont power off roothub PHYs if phy_set_mode() fails Greg Kroah-Hartman
` (101 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 45dba8011efac11a2f360383221b541f5ea53ce5 upstream.
If get_1284_register() fails, the usb device reference count is
incorrect and needs to be properly dropped before returning. That will
happen when the kref is dropped in the call to destroy_priv(), so jump
to that error path instead of returning directly.
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Link: https://patch.msgid.link/2026022342-smokiness-stove-d792@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/uss720.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/misc/uss720.c
+++ b/drivers/usb/misc/uss720.c
@@ -733,7 +733,7 @@ static int uss720_probe(struct usb_inter
ret = get_1284_register(pp, 0, ®, GFP_KERNEL);
dev_dbg(&intf->dev, "reg: %7ph\n", priv->reg);
if (ret < 0)
- return ret;
+ goto probe_abort;
ret = usb_find_last_int_in_endpoint(interface, &epd);
if (!ret) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 214/481] USB: core: Limit the length of unkillable synchronous timeouts
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 213/481] USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 215/481] usb: class: cdc-wdm: fix reordering issue in read code path Greg Kroah-Hartman
` (101 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Stern
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 1015c27a5e1a63efae2b18a9901494474b4d1dc3 upstream.
The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in
usbcore allow unlimited timeout durations. And since they use
uninterruptible waits, this leaves open the possibility of hanging a
task for an indefinitely long time, with no way to kill it short of
unplugging the target device.
To prevent this sort of problem, enforce a maximum limit on the length
of these unkillable timeouts. The limit chosen here, somewhat
arbitrarily, is 60 seconds. On many systems (although not all) this
is short enough to avoid triggering the kernel's hung-task detector.
In addition, clear up the ambiguity of negative timeout values by
treating them the same as 0, i.e., using the maximum allowed timeout.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/linux-usb/3acfe838-6334-4f6d-be7c-4bb01704b33d@rowland.harvard.edu/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
CC: stable@vger.kernel.org
Link: https://patch.msgid.link/15fc9773-a007-47b0-a703-df89a8cf83dd@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/message.c | 27 +++++++++++++--------------
include/linux/usb.h | 3 +++
2 files changed, 16 insertions(+), 14 deletions(-)
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -44,6 +44,8 @@ static void usb_api_blocking_completion(
* Starts urb and waits for completion or timeout.
* Whether or not the wait is killable depends on the flag passed in.
* For example, compare usb_bulk_msg() and usb_bulk_msg_killable().
+ *
+ * For non-killable waits, we enforce a maximum limit on the timeout value.
*/
static int usb_start_wait_urb(struct urb *urb, int timeout, int *actual_length,
bool killable)
@@ -60,7 +62,9 @@ static int usb_start_wait_urb(struct urb
if (unlikely(retval))
goto out;
- expire = timeout ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT;
+ if (!killable && (timeout <= 0 || timeout > USB_MAX_SYNCHRONOUS_TIMEOUT))
+ timeout = USB_MAX_SYNCHRONOUS_TIMEOUT;
+ expire = (timeout > 0) ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT;
if (killable)
rc = wait_for_completion_killable_timeout(&ctx.done, expire);
else
@@ -126,8 +130,7 @@ static int usb_internal_control_msg(stru
* @index: USB message index value
* @data: pointer to the data to send
* @size: length in bytes of the data to send
- * @timeout: time in msecs to wait for the message to complete before timing
- * out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
*
* Context: task context, might sleep.
*
@@ -182,8 +185,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg);
* @index: USB message index value
* @driver_data: pointer to the data to send
* @size: length in bytes of the data to send
- * @timeout: time in msecs to wait for the message to complete before timing
- * out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
* @memflags: the flags for memory allocation for buffers
*
* Context: !in_interrupt ()
@@ -241,8 +243,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg_send);
* @index: USB message index value
* @driver_data: pointer to the data to be filled in by the message
* @size: length in bytes of the data to be received
- * @timeout: time in msecs to wait for the message to complete before timing
- * out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
* @memflags: the flags for memory allocation for buffers
*
* Context: !in_interrupt ()
@@ -313,8 +314,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg_recv);
* @len: length in bytes of the data to send
* @actual_length: pointer to a location to put the actual length transferred
* in bytes
- * @timeout: time in msecs to wait for the message to complete before
- * timing out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
*
* Context: task context, might sleep.
*
@@ -346,8 +346,7 @@ EXPORT_SYMBOL_GPL(usb_interrupt_msg);
* @len: length in bytes of the data to send
* @actual_length: pointer to a location to put the actual length transferred
* in bytes
- * @timeout: time in msecs to wait for the message to complete before
- * timing out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
*
* Context: task context, might sleep.
*
@@ -407,12 +406,12 @@ EXPORT_SYMBOL_GPL(usb_bulk_msg);
* @actual_length: pointer to a location to put the actual length transferred
* in bytes
* @timeout: time in msecs to wait for the message to complete before
- * timing out (if 0 the wait is forever)
+ * timing out (if <= 0, the wait is as long as possible)
*
* Context: task context, might sleep.
*
- * This function is just like usb_blk_msg() except that it waits in a
- * killable state.
+ * This function is just like usb_blk_msg(), except that it waits in a
+ * killable state and there is no limit on the timeout length.
*
* Return:
* If successful, 0. Otherwise a negative error number. The number of actual
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1798,6 +1798,9 @@ void usb_buffer_unmap_sg(const struct us
* SYNCHRONOUS CALL SUPPORT *
*-------------------------------------------------------------------*/
+/* Maximum value allowed for timeout in synchronous routines below */
+#define USB_MAX_SYNCHRONOUS_TIMEOUT 60000 /* ms */
+
extern int usb_control_msg(struct usb_device *dev, unsigned int pipe,
__u8 request, __u8 requesttype, __u16 value, __u16 index,
void *data, __u16 size, int timeout);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 201/460] btrfs: fix transaction abort on set received ioctl due to item overflow
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 200/460] btrfs: fix transaction abort on file creation due to name hash collision Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 202/460] btrfs: abort transaction on failure to update root in the received subvol ioctl Greg Kroah-Hartman
` (101 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Anand Jain, Filipe Manana,
David Sterba
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 87f2c46003fce4d739138aab4af1942b1afdadac upstream.
If the set received ioctl fails due to an item overflow when attempting to
add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction
since we did some metadata updates before.
This means that if a user calls this ioctl with the same received UUID
field for a lot of subvolumes, we will hit the overflow, trigger the
transaction abort and turn the filesystem into RO mode. A malicious user
could exploit this, and this ioctl does not even requires that a user
has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.
Fix this by doing an early check for item overflow before starting a
transaction. This is also race safe because we are holding the subvol_sem
semaphore in exclusive (write) mode.
A test case for fstests will follow soon.
Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
CC: stable@vger.kernel.org # 3.12+
Reviewed-by: Anand Jain <asj@kernel.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 21 +++++++++++++++++++--
fs/btrfs/uuid-tree.c | 38 ++++++++++++++++++++++++++++++++++++++
fs/btrfs/uuid-tree.h | 2 ++
3 files changed, 59 insertions(+), 2 deletions(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -4097,6 +4097,25 @@ static long _btrfs_ioctl_set_received_su
goto out;
}
+ received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
+ BTRFS_UUID_SIZE);
+
+ /*
+ * Before we attempt to add the new received uuid, check if we have room
+ * for it in case there's already an item. If the size of the existing
+ * item plus this root's ID (u64) exceeds the maximum item size, we can
+ * return here without the need to abort a transaction. If we don't do
+ * this check, the btrfs_uuid_tree_add() call below would fail with
+ * -EOVERFLOW and result in a transaction abort. Malicious users could
+ * exploit this to turn the fs into RO mode.
+ */
+ if (received_uuid_changed && !btrfs_is_empty_uuid(sa->uuid)) {
+ ret = btrfs_uuid_tree_check_overflow(fs_info, sa->uuid,
+ BTRFS_UUID_KEY_RECEIVED_SUBVOL);
+ if (ret < 0)
+ goto out;
+ }
+
/*
* 1 - root item
* 2 - uuid items (received uuid + subvol uuid)
@@ -4112,8 +4131,6 @@ static long _btrfs_ioctl_set_received_su
sa->rtime.sec = ct.tv_sec;
sa->rtime.nsec = ct.tv_nsec;
- received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
- BTRFS_UUID_SIZE);
if (received_uuid_changed &&
!btrfs_is_empty_uuid(root_item->received_uuid)) {
ret = btrfs_uuid_tree_remove(trans, root_item->received_uuid,
--- a/fs/btrfs/uuid-tree.c
+++ b/fs/btrfs/uuid-tree.c
@@ -229,6 +229,44 @@ out:
return ret;
}
+/*
+ * Check if we can add one root ID to a UUID key.
+ * If the key does not yet exists, we can, otherwise only if extended item does
+ * not exceeds the maximum item size permitted by the leaf size.
+ *
+ * Returns 0 on success, negative value on error.
+ */
+int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
+ const u8 *uuid, u8 type)
+{
+ BTRFS_PATH_AUTO_FREE(path);
+ int ret;
+ u32 item_size;
+ struct btrfs_key key;
+
+ if (WARN_ON_ONCE(!fs_info->uuid_root))
+ return -EINVAL;
+
+ path = btrfs_alloc_path();
+ if (!path)
+ return -ENOMEM;
+
+ btrfs_uuid_to_key(uuid, type, &key);
+ ret = btrfs_search_slot(NULL, fs_info->uuid_root, &key, path, 0, 0);
+ if (ret < 0)
+ return ret;
+ if (ret > 0)
+ return 0;
+
+ item_size = btrfs_item_size(path->nodes[0], path->slots[0]);
+
+ if (sizeof(struct btrfs_item) + item_size + sizeof(u64) >
+ BTRFS_LEAF_DATA_SIZE(fs_info))
+ return -EOVERFLOW;
+
+ return 0;
+}
+
static int btrfs_uuid_iter_rem(struct btrfs_root *uuid_root, u8 *uuid, u8 type,
u64 subid)
{
--- a/fs/btrfs/uuid-tree.h
+++ b/fs/btrfs/uuid-tree.h
@@ -12,6 +12,8 @@ int btrfs_uuid_tree_add(struct btrfs_tra
u64 subid);
int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, const u8 *uuid, u8 type,
u64 subid);
+int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
+ const u8 *uuid, u8 type);
int btrfs_uuid_tree_iterate(struct btrfs_fs_info *fs_info);
int btrfs_create_uuid_tree(struct btrfs_fs_info *fs_info);
int btrfs_uuid_scan_kthread(void *data);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 277/567] usb: core: dont power off roothub PHYs if phy_set_mode() fails
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 276/567] usb: misc: uss720: properly clean up reference in uss720_probe() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 278/567] usb: cdc-acm: Restore CAP_BRK functionnality to CH343 Greg Kroah-Hartman
` (100 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Miquel Raynal
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
commit e293015ba76eb96ce4ebed7e3b2cb1a7d319f3e9 upstream.
Remove the error path from the usb_phy_roothub_set_mode() function.
The code is clearly wrong, because phy_set_mode() calls can't be
balanced with phy_power_off() calls.
Additionally, the usb_phy_roothub_set_mode() function is called only
from usb_add_hcd() before it powers on the PHYs, so powering off those
makes no sense anyway.
Presumably, the code is copy-pasted from the phy_power_on() function
without adjusting the error handling.
Cc: stable@vger.kernel.org # v5.1+
Fixes: b97a31348379 ("usb: core: comply to PHY framework")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20260218-usb-phy-poweroff-fix-v1-1-66e6831e860e@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/phy.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
--- a/drivers/usb/core/phy.c
+++ b/drivers/usb/core/phy.c
@@ -138,16 +138,10 @@ int usb_phy_roothub_set_mode(struct usb_
list_for_each_entry(roothub_entry, head, list) {
err = phy_set_mode(roothub_entry->phy, mode);
if (err)
- goto err_out;
+ return err;
}
return 0;
-
-err_out:
- list_for_each_entry_continue_reverse(roothub_entry, head, list)
- phy_power_off(roothub_entry->phy);
-
- return err;
}
EXPORT_SYMBOL_GPL(usb_phy_roothub_set_mode);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 215/481] usb: class: cdc-wdm: fix reordering issue in read code path
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 214/481] USB: core: Limit the length of unkillable synchronous timeouts Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 216/481] usb: renesas_usbhs: fix use-after-free in ISR during device removal Greg Kroah-Hartman
` (100 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Oliver Neukum, Gui-Dong Han
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 8df672bfe3ec2268c2636584202755898e547173 upstream.
Quoting the bug report:
Due to compiler optimization or CPU out-of-order execution, the
desc->length update can be reordered before the memmove. If this
happens, wdm_read() can see the new length and call copy_to_user() on
uninitialized memory. This also violates LKMM data race rules [1].
Fix it by using WRITE_ONCE and memory barriers.
Fixes: afba937e540c9 ("USB: CDC WDM driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Closes: https://lore.kernel.org/linux-usb/CALbr=LbrUZn_cfp7CfR-7Z5wDTHF96qeuM=3fO2m-q4cDrnC4A@mail.gmail.com/
Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
Reviewed-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://patch.msgid.link/20260304130116.1721682-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-wdm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -225,7 +225,8 @@ static void wdm_in_callback(struct urb *
/* we may already be in overflow */
if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
memmove(desc->ubuf + desc->length, desc->inbuf, length);
- desc->length += length;
+ smp_wmb(); /* against wdm_read() */
+ WRITE_ONCE(desc->length, desc->length + length);
}
}
skip_error:
@@ -533,6 +534,7 @@ static ssize_t wdm_read
return -ERESTARTSYS;
cntr = READ_ONCE(desc->length);
+ smp_rmb(); /* against wdm_in_callback() */
if (cntr == 0) {
desc->read = 0;
retry:
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 202/460] btrfs: abort transaction on failure to update root in the received subvol ioctl
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 201/460] btrfs: fix transaction abort on set received ioctl due to item overflow Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 203/460] iio: dac: ds4424: reject -128 RAW value Greg Kroah-Hartman
` (100 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Anand Jain, Filipe Manana,
David Sterba
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 0f475ee0ebce5c9492b260027cd95270191675fa upstream.
If we failed to update the root we don't abort the transaction, which is
wrong since we already used the transaction to remove an item from the
uuid tree.
Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
CC: stable@vger.kernel.org # 3.12+
Reviewed-by: Anand Jain <asj@kernel.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -4152,7 +4152,8 @@ static long _btrfs_ioctl_set_received_su
ret = btrfs_update_root(trans, fs_info->tree_root,
&root->root_key, &root->root_item);
- if (ret < 0) {
+ if (unlikely(ret < 0)) {
+ btrfs_abort_transaction(trans, ret);
btrfs_end_transaction(trans);
goto out;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 278/567] usb: cdc-acm: Restore CAP_BRK functionnality to CH343
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 277/567] usb: core: dont power off roothub PHYs if phy_set_mode() fails Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 279/567] usb: roles: get usb role switch from parent only for usb-b-connector Greg Kroah-Hartman
` (99 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Zyngier, stable, Oliver Neukum
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit 14ae24cba291bddfdc296bbcbfd00cd09d0498ef upstream.
The CH343 USB/serial adapter is as buggy as it is popular (very).
One of its quirks is that despite being capable of signalling a
BREAK condition, it doesn't advertise it.
This used to work nonetheless until 66aad7d8d3ec5 ("usb: cdc-acm:
return correct error code on unsupported break") applied some
reasonable restrictions, preventing breaks from being emitted on
devices that do not advertise CAP_BRK.
Add a quirk for this particular device, so that breaks can still
be produced on some of my machines attached to my console server.
Fixes: 66aad7d8d3ec5 ("usb: cdc-acm: return correct error code on unsupported break")
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable <stable@kernel.org>
Cc: Oliver Neukum <oneukum@suse.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20260301124440.1192752-1-maz@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-acm.c | 5 +++++
drivers/usb/class/cdc-acm.h | 1 +
2 files changed, 6 insertions(+)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1379,6 +1379,8 @@ made_compressed_probe:
acm->ctrl_caps = h.usb_cdc_acm_descriptor->bmCapabilities;
if (quirks & NO_CAP_LINE)
acm->ctrl_caps &= ~USB_CDC_CAP_LINE;
+ if (quirks & MISSING_CAP_BRK)
+ acm->ctrl_caps |= USB_CDC_CAP_BRK;
acm->ctrlsize = ctrlsize;
acm->readsize = readsize;
acm->rx_buflimit = num_rx_buf;
@@ -2002,6 +2004,9 @@ static const struct usb_device_id acm_id
.driver_info = IGNORE_DEVICE,
},
+ /* CH343 supports CAP_BRK, but doesn't advertise it */
+ { USB_DEVICE(0x1a86, 0x55d3), .driver_info = MISSING_CAP_BRK, },
+
/* control interfaces without any protocol set */
{ USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
USB_CDC_PROTO_NONE) },
--- a/drivers/usb/class/cdc-acm.h
+++ b/drivers/usb/class/cdc-acm.h
@@ -113,3 +113,4 @@ struct acm {
#define CLEAR_HALT_CONDITIONS BIT(5)
#define SEND_ZERO_PACKET BIT(6)
#define DISABLE_ECHO BIT(7)
+#define MISSING_CAP_BRK BIT(8)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 216/481] usb: renesas_usbhs: fix use-after-free in ISR during device removal
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 215/481] usb: class: cdc-wdm: fix reordering issue in read code path Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 217/481] usb: mdc800: handle signal and read racing Greg Kroah-Hartman
` (99 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alan Stern, Fan Wu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fan Wu <fanwu01@zju.edu.cn>
commit 3cbc242b88c607f55da3d0d0d336b49bf1e20412 upstream.
In usbhs_remove(), the driver frees resources (including the pipe array)
while the interrupt handler (usbhs_interrupt) is still registered. If an
interrupt fires after usbhs_pipe_remove() but before the driver is fully
unbound, the ISR may access freed memory, causing a use-after-free.
Fix this by calling devm_free_irq() before freeing resources. This ensures
the interrupt handler is both disabled and synchronized (waits for any
running ISR to complete) before usbhs_pipe_remove() is called.
Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code")
Cc: stable <stable@kernel.org>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
Link: https://patch.msgid.link/20260303073344.34577-1-fanwu01@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/renesas_usbhs/common.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/usb/renesas_usbhs/common.c
+++ b/drivers/usb/renesas_usbhs/common.c
@@ -800,6 +800,15 @@ static void usbhs_remove(struct platform
usbhs_platform_call(priv, hardware_exit, pdev);
reset_control_assert(priv->rsts);
+
+ /*
+ * Explicitly free the IRQ to ensure the interrupt handler is
+ * disabled and synchronized before freeing resources.
+ * devm_free_irq() calls free_irq() which waits for any running
+ * ISR to complete, preventing UAF.
+ */
+ devm_free_irq(&pdev->dev, priv->irq, priv);
+
usbhs_mod_remove(priv);
usbhs_fifo_remove(priv);
usbhs_pipe_remove(priv);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 203/460] iio: dac: ds4424: reject -128 RAW value
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 202/460] btrfs: abort transaction on failure to update root in the received subvol ioctl Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 204/460] iio: frequency: adf4377: Fix duplicated soft reset mask Greg Kroah-Hartman
` (99 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Andy Shevchenko,
Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit 5187e03b817c26c1c3bcb2645a612ea935c4be89 upstream.
The DS442x DAC uses sign-magnitude encoding, so -128 cannot be represented
in hardware (7-bit magnitude).
Previously, passing -128 resulted in a truncated value that programmed
0mA (magnitude 0) instead of the expected maximum negative current,
effectively failing silently.
Reject -128 to avoid producing the wrong current.
Fixes: d632a2bd8ffc ("iio: dac: ds4422/ds4424 dac driver")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/ds4424.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/dac/ds4424.c
+++ b/drivers/iio/dac/ds4424.c
@@ -141,7 +141,7 @@ static int ds4424_write_raw(struct iio_d
switch (mask) {
case IIO_CHAN_INFO_RAW:
- if (val < S8_MIN || val > S8_MAX)
+ if (val <= S8_MIN || val > S8_MAX)
return -EINVAL;
if (val > 0) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 279/567] usb: roles: get usb role switch from parent only for usb-b-connector
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 278/567] usb: cdc-acm: Restore CAP_BRK functionnality to CH343 Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 280/567] USB: usbcore: Introduce usb_bulk_msg_killable() Greg Kroah-Hartman
` (98 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Xu Yang, Arnaud Ferraris,
Heikki Krogerus
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 8345b1539faa49fcf9c9439c3cbd97dac6eca171 upstream.
usb_role_switch_is_parent() was walking up to the parent node and checking
for the "usb-role-switch" property regardless of the type of the passed
fwnode. This could cause unrelated device nodes to be probed as potential
role switch parent, leading to spurious matches and "-EPROBE_DEFER" being
returned infinitely.
Till now only Type-B connector node will have a parent node which may
present "usb-role-switch" property and register the role switch device.
For Type-C connector node, its parent node will always be a Type-C chip
device which will never register the role switch device. However, it may
still present a non-boolean "usb-role-switch = <&usb_controller>" property
for historical compatibility.
So restrict the helper to only operate on Type-B connector when attempting
to get the role switch from parent node.
Fixes: 6fadd72943b8 ("usb: roles: get usb-role-switch from parent")
Cc: stable <stable@kernel.org>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Tested-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260309074313.2809867-3-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/roles/class.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/roles/class.c
+++ b/drivers/usb/roles/class.c
@@ -110,9 +110,14 @@ static void *usb_role_switch_match(const
static struct usb_role_switch *
usb_role_switch_is_parent(struct fwnode_handle *fwnode)
{
- struct fwnode_handle *parent = fwnode_get_parent(fwnode);
+ struct fwnode_handle *parent;
struct device *dev;
+ if (!fwnode_device_is_compatible(fwnode, "usb-b-connector"))
+ return NULL;
+
+ parent = fwnode_get_parent(fwnode);
+
if (!fwnode_property_present(parent, "usb-role-switch")) {
fwnode_handle_put(parent);
return NULL;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 217/481] usb: mdc800: handle signal and read racing
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 216/481] usb: renesas_usbhs: fix use-after-free in ISR during device removal Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 218/481] usb: image: mdc800: kill download URB on timeout Greg Kroah-Hartman
` (98 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 2d6d260e9a3576256fe9ef6d1f7930c9ec348723 upstream.
If a signal arrives after a read has partially completed,
we need to return the number of bytes read. -EINTR is correct
only if that number is zero.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260209142048.1503791-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/image/mdc800.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/image/mdc800.c
+++ b/drivers/usb/image/mdc800.c
@@ -708,7 +708,7 @@ static ssize_t mdc800_device_read (struc
if (signal_pending (current))
{
mutex_unlock(&mdc800->io_lock);
- return -EINTR;
+ return len == left ? -EINTR : len-left;
}
sts=left > (mdc800->out_count-mdc800->out_ptr)?mdc800->out_count-mdc800->out_ptr:left;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 204/460] iio: frequency: adf4377: Fix duplicated soft reset mask
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 203/460] iio: dac: ds4424: reject -128 RAW value Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 205/460] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() Greg Kroah-Hartman
` (98 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, SeungJu Cheon, Stable,
Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeungJu Cheon <suunj1331@gmail.com>
commit 6c8bf4b604a8a6346ca71f1c027fa01c2c2e04cb upstream.
The regmap_read_poll_timeout() uses ADF4377_0000_SOFT_RESET_R_MSK
twice instead of checking both SOFT_RESET_MSK (bit 0) and
SOFT_RESET_R_MSK (bit 7). This causes an incomplete reset status check.
The code first sets both SOFT_RESET and SOFT_RESET_R bits to 1 via
regmap_update_bits(), then polls for them to be cleared. Since we set
both bits before polling, we should be waiting for both to clear.
Fix by using both masks as done in regmap_update_bits() above.
Fixes: eda549e2e524 ("iio: frequency: adf4377: add support for ADF4377")
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
Cc: Stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/frequency/adf4377.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/frequency/adf4377.c
+++ b/drivers/iio/frequency/adf4377.c
@@ -501,7 +501,7 @@ static int adf4377_soft_reset(struct adf
return ret;
return regmap_read_poll_timeout(st->regmap, 0x0, read_val,
- !(read_val & (ADF4377_0000_SOFT_RESET_R_MSK |
+ !(read_val & (ADF4377_0000_SOFT_RESET_MSK |
ADF4377_0000_SOFT_RESET_R_MSK)), 200, 200 * 100);
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 280/567] USB: usbcore: Introduce usb_bulk_msg_killable()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 279/567] usb: roles: get usb role switch from parent only for usb-b-connector Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 281/567] USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts Greg Kroah-Hartman
` (97 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Stern, Oliver Neukum
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 416909962e7cdf29fd01ac523c953f37708df93d upstream.
The synchronous message API in usbcore (usb_control_msg(),
usb_bulk_msg(), and so on) uses uninterruptible waits. However,
drivers may call these routines in the context of a user thread, which
means it ought to be possible to at least kill them.
For this reason, introduce a new usb_bulk_msg_killable() function
which behaves the same as usb_bulk_msg() except for using
wait_for_completion_killable_timeout() instead of
wait_for_completion_timeout(). The same can be done later for
usb_control_msg() later on, if it turns out to be needed.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Suggested-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/linux-usb/3acfe838-6334-4f6d-be7c-4bb01704b33d@rowland.harvard.edu/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
CC: stable@vger.kernel.org
Link: https://patch.msgid.link/248628b4-cc83-4e81-a620-3ce4e0376d41@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/message.c | 79 +++++++++++++++++++++++++++++++++++++++------
include/linux/usb.h | 5 +-
2 files changed, 72 insertions(+), 12 deletions(-)
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -42,16 +42,17 @@ static void usb_api_blocking_completion(
/*
- * Starts urb and waits for completion or timeout. Note that this call
- * is NOT interruptible. Many device driver i/o requests should be
- * interruptible and therefore these drivers should implement their
- * own interruptible routines.
+ * Starts urb and waits for completion or timeout.
+ * Whether or not the wait is killable depends on the flag passed in.
+ * For example, compare usb_bulk_msg() and usb_bulk_msg_killable().
*/
-static int usb_start_wait_urb(struct urb *urb, int timeout, int *actual_length)
+static int usb_start_wait_urb(struct urb *urb, int timeout, int *actual_length,
+ bool killable)
{
struct api_context ctx;
unsigned long expire;
int retval;
+ long rc;
init_completion(&ctx.done);
urb->context = &ctx;
@@ -61,12 +62,21 @@ static int usb_start_wait_urb(struct urb
goto out;
expire = timeout ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT;
- if (!wait_for_completion_timeout(&ctx.done, expire)) {
+ if (killable)
+ rc = wait_for_completion_killable_timeout(&ctx.done, expire);
+ else
+ rc = wait_for_completion_timeout(&ctx.done, expire);
+ if (rc <= 0) {
usb_kill_urb(urb);
- retval = (ctx.status == -ENOENT ? -ETIMEDOUT : ctx.status);
+ if (ctx.status != -ENOENT)
+ retval = ctx.status;
+ else if (rc == 0)
+ retval = -ETIMEDOUT;
+ else
+ retval = rc;
dev_dbg(&urb->dev->dev,
- "%s timed out on ep%d%s len=%u/%u\n",
+ "%s timed out or killed on ep%d%s len=%u/%u\n",
current->comm,
usb_endpoint_num(&urb->ep->desc),
usb_urb_dir_in(urb) ? "in" : "out",
@@ -100,7 +110,7 @@ static int usb_internal_control_msg(stru
usb_fill_control_urb(urb, usb_dev, pipe, (unsigned char *)cmd, data,
len, usb_api_blocking_completion, NULL);
- retv = usb_start_wait_urb(urb, timeout, &length);
+ retv = usb_start_wait_urb(urb, timeout, &length, false);
if (retv < 0)
return retv;
else
@@ -385,10 +395,59 @@ int usb_bulk_msg(struct usb_device *usb_
usb_fill_bulk_urb(urb, usb_dev, pipe, data, len,
usb_api_blocking_completion, NULL);
- return usb_start_wait_urb(urb, timeout, actual_length);
+ return usb_start_wait_urb(urb, timeout, actual_length, false);
}
EXPORT_SYMBOL_GPL(usb_bulk_msg);
+/**
+ * usb_bulk_msg_killable - Builds a bulk urb, sends it off and waits for completion in a killable state
+ * @usb_dev: pointer to the usb device to send the message to
+ * @pipe: endpoint "pipe" to send the message to
+ * @data: pointer to the data to send
+ * @len: length in bytes of the data to send
+ * @actual_length: pointer to a location to put the actual length transferred
+ * in bytes
+ * @timeout: time in msecs to wait for the message to complete before
+ * timing out (if 0 the wait is forever)
+ *
+ * Context: task context, might sleep.
+ *
+ * This function is just like usb_blk_msg() except that it waits in a
+ * killable state.
+ *
+ * Return:
+ * If successful, 0. Otherwise a negative error number. The number of actual
+ * bytes transferred will be stored in the @actual_length parameter.
+ *
+ */
+int usb_bulk_msg_killable(struct usb_device *usb_dev, unsigned int pipe,
+ void *data, int len, int *actual_length, int timeout)
+{
+ struct urb *urb;
+ struct usb_host_endpoint *ep;
+
+ ep = usb_pipe_endpoint(usb_dev, pipe);
+ if (!ep || len < 0)
+ return -EINVAL;
+
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (!urb)
+ return -ENOMEM;
+
+ if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) ==
+ USB_ENDPOINT_XFER_INT) {
+ pipe = (pipe & ~(3 << 30)) | (PIPE_INTERRUPT << 30);
+ usb_fill_int_urb(urb, usb_dev, pipe, data, len,
+ usb_api_blocking_completion, NULL,
+ ep->desc.bInterval);
+ } else
+ usb_fill_bulk_urb(urb, usb_dev, pipe, data, len,
+ usb_api_blocking_completion, NULL);
+
+ return usb_start_wait_urb(urb, timeout, actual_length, true);
+}
+EXPORT_SYMBOL_GPL(usb_bulk_msg_killable);
+
/*-------------------------------------------------------------------*/
static void sg_clean(struct usb_sg_request *io)
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1849,8 +1849,9 @@ extern int usb_control_msg(struct usb_de
extern int usb_interrupt_msg(struct usb_device *usb_dev, unsigned int pipe,
void *data, int len, int *actual_length, int timeout);
extern int usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe,
- void *data, int len, int *actual_length,
- int timeout);
+ void *data, int len, int *actual_length, int timeout);
+extern int usb_bulk_msg_killable(struct usb_device *usb_dev, unsigned int pipe,
+ void *data, int len, int *actual_length, int timeout);
/* wrappers around usb_control_msg() for the most common standard requests */
int usb_control_msg_send(struct usb_device *dev, __u8 endpoint, __u8 request,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 218/481] usb: image: mdc800: kill download URB on timeout
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 217/481] usb: mdc800: handle signal and read racing Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 219/481] mm/tracing: rss_stat: ensure curr is false from kthread context Greg Kroah-Hartman
` (97 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ziyi Guo, stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ziyi Guo <n7l8m4@u.northwestern.edu>
commit 1be3b77de4eb89af8ae2fd6610546be778e25589 upstream.
mdc800_device_read() submits download_urb and waits for completion.
If the timeout fires and the device has not responded, the function
returns without killing the URB, leaving it active.
A subsequent read() resubmits the same URB while it is still
in-flight, triggering the WARN in usb_submit_urb():
"URB submitted while active"
Check the return value of wait_event_timeout() and kill the URB if
it indicates timeout, ensuring the URB is complete before its status
is inspected or the URB is resubmitted.
Similar to
- commit 372c93131998 ("USB: yurex: fix control-URB timeout handling")
- commit b98d5000c505 ("media: rc: iguanair: handle timeouts")
Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260209151937.2247202-1-n7l8m4@u.northwestern.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/image/mdc800.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/image/mdc800.c
+++ b/drivers/usb/image/mdc800.c
@@ -731,9 +731,11 @@ static ssize_t mdc800_device_read (struc
mutex_unlock(&mdc800->io_lock);
return len-left;
}
- wait_event_timeout(mdc800->download_wait,
+ retval = wait_event_timeout(mdc800->download_wait,
mdc800->downloaded,
msecs_to_jiffies(TO_DOWNLOAD_GET_READY));
+ if (!retval)
+ usb_kill_urb(mdc800->download_urb);
mdc800->downloaded = 0;
if (mdc800->download_urb->status != 0)
{
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 205/460] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 204/460] iio: frequency: adf4377: Fix duplicated soft reset mask Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 206/460] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() Greg Kroah-Hartman
` (97 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Tomasz Duszynski,
Andy Shevchenko, Stable, Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit c3914ce1963c4db25e186112c90fa5d2361e9e0a upstream.
sizeof(num) evaluates to sizeof(size_t) which is 8 bytes on 64-bit,
but the buffer elements are only 4 bytes. The same function already
uses sizeof(*meas) on line 312, making the mismatch evident. Use
sizeof(*meas) consistently.
Fixes: b2e171f5a5c6 ("iio: sps30: add support for serial interface")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Acked-by: Tomasz Duszynski <tduszyns@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/sps30_serial.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/chemical/sps30_serial.c
+++ b/drivers/iio/chemical/sps30_serial.c
@@ -303,7 +303,7 @@ static int sps30_serial_read_meas(struct
if (msleep_interruptible(1000))
return -EINTR;
- ret = sps30_serial_command(state, SPS30_SERIAL_READ_MEAS, NULL, 0, meas, num * sizeof(num));
+ ret = sps30_serial_command(state, SPS30_SERIAL_READ_MEAS, NULL, 0, meas, num * sizeof(*meas));
if (ret < 0)
return ret;
/* if measurements aren't ready sensor returns empty frame */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 281/567] USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 280/567] USB: usbcore: Introduce usb_bulk_msg_killable() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 282/567] USB: core: Limit the length of unkillable synchronous timeouts Greg Kroah-Hartman
` (96 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot+25ba18e2c5040447585d,
Alan Stern
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 7784caa413a89487dd14dd5c41db8753483b2acb upstream.
The usbtmc driver accepts timeout values specified by the user in an
ioctl command, and uses these timeouts for some usb_bulk_msg() calls.
Since the user can specify arbitrarily long timeouts and
usb_bulk_msg() uses unkillable waits, call usb_bulk_msg_killable()
instead to avoid the possibility of the user hanging a kernel thread
indefinitely.
Reported-by: syzbot+25ba18e2c5040447585d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/8e1c7ac5-e076-44b0-84b8-1b34b20f0ae1@suse.com/T/#t
Tested-by: syzbot+25ba18e2c5040447585d@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Fixes: 048c6d88a021 ("usb: usbtmc: Add ioctls to set/get usb timeout")
CC: stable@vger.kernel.org
Link: https://patch.msgid.link/81c6fc24-0607-40f1-8c20-5270dab2fad5@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/usbtmc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -727,7 +727,7 @@ static int usbtmc488_ioctl_trigger(struc
buffer[1] = data->bTag;
buffer[2] = ~data->bTag;
- retval = usb_bulk_msg(data->usb_dev,
+ retval = usb_bulk_msg_killable(data->usb_dev,
usb_sndbulkpipe(data->usb_dev,
data->bulk_out),
buffer, USBTMC_HEADER_SIZE,
@@ -1347,7 +1347,7 @@ static int send_request_dev_dep_msg_in(s
buffer[11] = 0; /* Reserved */
/* Send bulk URB */
- retval = usb_bulk_msg(data->usb_dev,
+ retval = usb_bulk_msg_killable(data->usb_dev,
usb_sndbulkpipe(data->usb_dev,
data->bulk_out),
buffer, USBTMC_HEADER_SIZE,
@@ -1419,7 +1419,7 @@ static ssize_t usbtmc_read(struct file *
actual = 0;
/* Send bulk URB */
- retval = usb_bulk_msg(data->usb_dev,
+ retval = usb_bulk_msg_killable(data->usb_dev,
usb_rcvbulkpipe(data->usb_dev,
data->bulk_in),
buffer, bufsize, &actual,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 219/481] mm/tracing: rss_stat: ensure curr is false from kthread context
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 218/481] usb: image: mdc800: kill download URB on timeout Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 220/481] mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index() Greg Kroah-Hartman
` (96 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kalesh Singh, Zi Yan, SeongJae Park,
Pedro Falcato, David Hildenbrand (Arm), Joel Fernandes,
Lorenzo Stoakes, Minchan Kim, Steven Rostedt, Suren Baghdasaryan,
Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kalesh Singh <kaleshsingh@google.com>
commit 079c24d5690262e83ee476e2a548e416f3237511 upstream.
The rss_stat trace event allows userspace tools, like Perfetto [1], to
inspect per-process RSS metric changes over time.
The curr field was introduced to rss_stat in commit e4dcad204d3a
("rss_stat: add support to detect RSS updates of external mm"). Its
intent is to indicate whether the RSS update is for the mm_struct of the
current execution context; and is set to false when operating on a remote
mm_struct (e.g., via kswapd or a direct reclaimer).
However, an issue arises when a kernel thread temporarily adopts a user
process's mm_struct. Kernel threads do not have their own mm_struct and
normally have current->mm set to NULL. To operate on user memory, they
can "borrow" a memory context using kthread_use_mm(), which sets
current->mm to the user process's mm.
This can be observed, for example, in the USB Function Filesystem (FFS)
driver. The ffs_user_copy_worker() handles AIO completions and uses
kthread_use_mm() to copy data to a user-space buffer. If a page fault
occurs during this copy, the fault handler executes in the kthread's
context.
At this point, current is the kthread, but current->mm points to the user
process's mm. Since the rss_stat event (from the page fault) is for that
same mm, the condition current->mm == mm becomes true, causing curr to be
incorrectly set to true when the trace event is emitted.
This is misleading because it suggests the mm belongs to the kthread,
confusing userspace tools that track per-process RSS changes and
corrupting their mm_id-to-process association.
Fix this by ensuring curr is always false when the trace event is emitted
from a kthread context by checking for the PF_KTHREAD flag.
Link: https://lkml.kernel.org/r/20260219233708.1971199-1-kaleshsingh@google.com
Link: https://perfetto.dev/ [1]
Fixes: e4dcad204d3a ("rss_stat: add support to detect RSS updates of external mm")
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
Acked-by: Zi Yan <ziy@nvidia.com>
Acked-by: SeongJae Park <sj@kernel.org>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Cc: "David Hildenbrand (Arm)" <david@kernel.org>
Cc: Joel Fernandes <joel@joelfernandes.org>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: <stable@vger.kernel.org> [5.10+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/trace/events/kmem.h | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/include/trace/events/kmem.h
+++ b/include/trace/events/kmem.h
@@ -360,7 +360,13 @@ TRACE_EVENT(rss_stat,
TP_fast_assign(
__entry->mm_id = mm_ptr_to_hash(mm);
- __entry->curr = !!(current->mm == mm);
+ /*
+ * curr is true if the mm matches the current task's mm_struct.
+ * Since kthreads (PF_KTHREAD) have no mm_struct of their own
+ * but can borrow one via kthread_use_mm(), we must filter them
+ * out to avoid incorrectly attributing the RSS update to them.
+ */
+ __entry->curr = current->mm == mm && !(current->flags & PF_KTHREAD);
__entry->member = member;
__entry->size = (count << PAGE_SHIFT);
),
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 206/460] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 205/460] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 207/460] iio: potentiometer: mcp4131: fix double application of wiper shift Greg Kroah-Hartman
` (96 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Tomasz Duszynski,
Andy Shevchenko, Stable, Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit 216345f98cae7fcc84f49728c67478ac00321c87 upstream.
sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead
of the intended __be32 element size (4 bytes). Use sizeof(*meas) to
correctly match the buffer element type.
Fixes: 8f3f13085278 ("iio: sps30: separate core and interface specific code")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Acked-by: Tomasz Duszynski <tduszyns@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/sps30_i2c.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/chemical/sps30_i2c.c
+++ b/drivers/iio/chemical/sps30_i2c.c
@@ -171,7 +171,7 @@ static int sps30_i2c_read_meas(struct sp
if (!sps30_i2c_meas_ready(state))
return -ETIMEDOUT;
- return sps30_i2c_command(state, SPS30_I2C_READ_MEAS, NULL, 0, meas, sizeof(num) * num);
+ return sps30_i2c_command(state, SPS30_I2C_READ_MEAS, NULL, 0, meas, sizeof(*meas) * num);
}
static int sps30_i2c_clean_fan(struct sps30_state *state)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 282/567] USB: core: Limit the length of unkillable synchronous timeouts
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 281/567] USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 283/567] usb: class: cdc-wdm: fix reordering issue in read code path Greg Kroah-Hartman
` (95 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Stern
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 1015c27a5e1a63efae2b18a9901494474b4d1dc3 upstream.
The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in
usbcore allow unlimited timeout durations. And since they use
uninterruptible waits, this leaves open the possibility of hanging a
task for an indefinitely long time, with no way to kill it short of
unplugging the target device.
To prevent this sort of problem, enforce a maximum limit on the length
of these unkillable timeouts. The limit chosen here, somewhat
arbitrarily, is 60 seconds. On many systems (although not all) this
is short enough to avoid triggering the kernel's hung-task detector.
In addition, clear up the ambiguity of negative timeout values by
treating them the same as 0, i.e., using the maximum allowed timeout.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/linux-usb/3acfe838-6334-4f6d-be7c-4bb01704b33d@rowland.harvard.edu/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
CC: stable@vger.kernel.org
Link: https://patch.msgid.link/15fc9773-a007-47b0-a703-df89a8cf83dd@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/message.c | 27 +++++++++++++--------------
include/linux/usb.h | 3 +++
2 files changed, 16 insertions(+), 14 deletions(-)
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -45,6 +45,8 @@ static void usb_api_blocking_completion(
* Starts urb and waits for completion or timeout.
* Whether or not the wait is killable depends on the flag passed in.
* For example, compare usb_bulk_msg() and usb_bulk_msg_killable().
+ *
+ * For non-killable waits, we enforce a maximum limit on the timeout value.
*/
static int usb_start_wait_urb(struct urb *urb, int timeout, int *actual_length,
bool killable)
@@ -61,7 +63,9 @@ static int usb_start_wait_urb(struct urb
if (unlikely(retval))
goto out;
- expire = timeout ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT;
+ if (!killable && (timeout <= 0 || timeout > USB_MAX_SYNCHRONOUS_TIMEOUT))
+ timeout = USB_MAX_SYNCHRONOUS_TIMEOUT;
+ expire = (timeout > 0) ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT;
if (killable)
rc = wait_for_completion_killable_timeout(&ctx.done, expire);
else
@@ -127,8 +131,7 @@ static int usb_internal_control_msg(stru
* @index: USB message index value
* @data: pointer to the data to send
* @size: length in bytes of the data to send
- * @timeout: time in msecs to wait for the message to complete before timing
- * out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
*
* Context: task context, might sleep.
*
@@ -183,8 +186,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg);
* @index: USB message index value
* @driver_data: pointer to the data to send
* @size: length in bytes of the data to send
- * @timeout: time in msecs to wait for the message to complete before timing
- * out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
* @memflags: the flags for memory allocation for buffers
*
* Context: !in_interrupt ()
@@ -242,8 +244,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg_send);
* @index: USB message index value
* @driver_data: pointer to the data to be filled in by the message
* @size: length in bytes of the data to be received
- * @timeout: time in msecs to wait for the message to complete before timing
- * out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
* @memflags: the flags for memory allocation for buffers
*
* Context: !in_interrupt ()
@@ -314,8 +315,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg_recv);
* @len: length in bytes of the data to send
* @actual_length: pointer to a location to put the actual length transferred
* in bytes
- * @timeout: time in msecs to wait for the message to complete before
- * timing out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
*
* Context: task context, might sleep.
*
@@ -347,8 +347,7 @@ EXPORT_SYMBOL_GPL(usb_interrupt_msg);
* @len: length in bytes of the data to send
* @actual_length: pointer to a location to put the actual length transferred
* in bytes
- * @timeout: time in msecs to wait for the message to complete before
- * timing out (if 0 the wait is forever)
+ * @timeout: time in msecs to wait for the message to complete before timing out
*
* Context: task context, might sleep.
*
@@ -408,12 +407,12 @@ EXPORT_SYMBOL_GPL(usb_bulk_msg);
* @actual_length: pointer to a location to put the actual length transferred
* in bytes
* @timeout: time in msecs to wait for the message to complete before
- * timing out (if 0 the wait is forever)
+ * timing out (if <= 0, the wait is as long as possible)
*
* Context: task context, might sleep.
*
- * This function is just like usb_blk_msg() except that it waits in a
- * killable state.
+ * This function is just like usb_blk_msg(), except that it waits in a
+ * killable state and there is no limit on the timeout length.
*
* Return:
* If successful, 0. Otherwise a negative error number. The number of actual
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1843,6 +1843,9 @@ void usb_buffer_unmap_sg(const struct us
* SYNCHRONOUS CALL SUPPORT *
*-------------------------------------------------------------------*/
+/* Maximum value allowed for timeout in synchronous routines below */
+#define USB_MAX_SYNCHRONOUS_TIMEOUT 60000 /* ms */
+
extern int usb_control_msg(struct usb_device *dev, unsigned int pipe,
__u8 request, __u8 requesttype, __u16 value, __u16 index,
void *data, __u16 size, int timeout);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 220/481] mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 219/481] mm/tracing: rss_stat: ensure curr is false from kthread context Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 221/481] mmc: core: Avoid bitfield RMW for claim/retune flags Greg Kroah-Hartman
` (95 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Felix Gu, Ulf Hansson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
commit af12e64ae0661546e8b4f5d30d55c5f53a11efe7 upstream.
When calling of_parse_phandle_with_args(), the caller is responsible
to call of_node_put() to release the reference of device node.
In of_get_dml_pipe_index(), it does not release the reference.
Fixes: 9cb15142d0e3 ("mmc: mmci: Add qcom dml support to the driver.")
Signed-off-by: Felix Gu <gu_0233@qq.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/mmci_qcom_dml.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/mmc/host/mmci_qcom_dml.c
+++ b/drivers/mmc/host/mmci_qcom_dml.c
@@ -109,6 +109,7 @@ static int of_get_dml_pipe_index(struct
&dma_spec))
return -ENODEV;
+ of_node_put(dma_spec.np);
if (dma_spec.args_count)
return dma_spec.args[0];
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 207/460] iio: potentiometer: mcp4131: fix double application of wiper shift
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 206/460] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 208/460] iio: chemical: bme680: Fix measurement wait duration calculation Greg Kroah-Hartman
` (95 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Jonathan Cameron,
Lukas Schmid
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Schmid <lukas.schmid@netcube.li>
commit 85e4614524dca6c0a43874f475a17de2b9725648 upstream.
The MCP4131 wiper address is shifted twice when preparing the SPI
command in mcp4131_write_raw().
The address is already shifted when assigned to the local variable
"address", but is then shifted again when written to data->buf[0].
This results in an incorrect command being sent to the device and
breaks wiper writes to the second channel.
Remove the second shift and use the pre-shifted address directly
when composing the SPI transfer.
Fixes: 22d199a53910 ("iio: potentiometer: add driver for Microchip MCP413X/414X/415X/416X/423X/424X/425X/426X")
Signed-off-by: Lukas Schmid <lukas.schmid@netcube.li>#
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/potentiometer/mcp4131.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/potentiometer/mcp4131.c
+++ b/drivers/iio/potentiometer/mcp4131.c
@@ -222,7 +222,7 @@ static int mcp4131_write_raw(struct iio_
mutex_lock(&data->lock);
- data->buf[0] = address << MCP4131_WIPER_SHIFT;
+ data->buf[0] = address;
data->buf[0] |= MCP4131_WRITE | (val >> 8);
data->buf[1] = val & 0xFF; /* 8 bits here */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 283/567] usb: class: cdc-wdm: fix reordering issue in read code path
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 282/567] USB: core: Limit the length of unkillable synchronous timeouts Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 284/567] usb: renesas_usbhs: fix use-after-free in ISR during device removal Greg Kroah-Hartman
` (94 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Oliver Neukum, Gui-Dong Han
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 8df672bfe3ec2268c2636584202755898e547173 upstream.
Quoting the bug report:
Due to compiler optimization or CPU out-of-order execution, the
desc->length update can be reordered before the memmove. If this
happens, wdm_read() can see the new length and call copy_to_user() on
uninitialized memory. This also violates LKMM data race rules [1].
Fix it by using WRITE_ONCE and memory barriers.
Fixes: afba937e540c9 ("USB: CDC WDM driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Closes: https://lore.kernel.org/linux-usb/CALbr=LbrUZn_cfp7CfR-7Z5wDTHF96qeuM=3fO2m-q4cDrnC4A@mail.gmail.com/
Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
Reviewed-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://patch.msgid.link/20260304130116.1721682-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-wdm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -225,7 +225,8 @@ static void wdm_in_callback(struct urb *
/* we may already be in overflow */
if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
memmove(desc->ubuf + desc->length, desc->inbuf, length);
- desc->length += length;
+ smp_wmb(); /* against wdm_read() */
+ WRITE_ONCE(desc->length, desc->length + length);
}
}
skip_error:
@@ -533,6 +534,7 @@ static ssize_t wdm_read
return -ERESTARTSYS;
cntr = READ_ONCE(desc->length);
+ smp_rmb(); /* against wdm_in_callback() */
if (cntr == 0) {
desc->read = 0;
retry:
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 221/481] mmc: core: Avoid bitfield RMW for claim/retune flags
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 220/481] mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 222/481] tipc: fix divide-by-zero in tipc_sk_filter_connect() Greg Kroah-Hartman
` (94 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Penghe Geng,
Ulf Hansson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Penghe Geng <pgeng@nvidia.com>
commit 901084c51a0a8fb42a3f37d2e9c62083c495f824 upstream.
Move claimed and retune control flags out of the bitfield word to
avoid unrelated RMW side effects in asynchronous contexts.
The host->claimed bit shared a word with retune flags. Writes to claimed
in __mmc_claim_host() or retune_now in mmc_mq_queue_rq() can overwrite
other bits when concurrent updates happen in other contexts, triggering
spurious WARN_ON(!host->claimed). Convert claimed, can_retune,
retune_now and retune_paused to bool to remove shared-word coupling.
Fixes: 6c0cedd1ef952 ("mmc: core: Introduce host claiming by context")
Fixes: 1e8e55b67030c ("mmc: block: Add CQE support")
Cc: stable@vger.kernel.org
Suggested-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Penghe Geng <pgeng@nvidia.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mmc/host.h | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/include/linux/mmc/host.h
+++ b/include/linux/mmc/host.h
@@ -440,14 +440,12 @@ struct mmc_host {
struct mmc_ios ios; /* current io bus settings */
+ bool claimed; /* host exclusively claimed */
+
/* group bitfields together to minimize padding */
unsigned int use_spi_crc:1;
- unsigned int claimed:1; /* host exclusively claimed */
unsigned int doing_init_tune:1; /* initial tuning in progress */
- unsigned int can_retune:1; /* re-tuning can be used */
unsigned int doing_retune:1; /* re-tuning in progress */
- unsigned int retune_now:1; /* do re-tuning at next req */
- unsigned int retune_paused:1; /* re-tuning is temporarily disabled */
unsigned int retune_crc_disable:1; /* don't trigger retune upon crc */
unsigned int can_dma_map_merge:1; /* merging can be used */
unsigned int vqmmc_enabled:1; /* vqmmc regulator is enabled */
@@ -455,6 +453,9 @@ struct mmc_host {
int rescan_disable; /* disable card detection */
int rescan_entered; /* used with nonremovable devices */
+ bool can_retune; /* re-tuning can be used */
+ bool retune_now; /* do re-tuning at next req */
+ bool retune_paused; /* re-tuning is temporarily disabled */
int need_retune; /* re-tuning is needed */
int hold_retune; /* hold off re-tuning */
unsigned int retune_period; /* re-tuning period in secs */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 208/460] iio: chemical: bme680: Fix measurement wait duration calculation
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 207/460] iio: potentiometer: mcp4131: fix double application of wiper shift Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 209/460] iio: buffer: Fix wait_queue not being removed Greg Kroah-Hartman
` (94 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Spencer, Vasileios Amoiridis,
Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Spencer <spencercw@gmail.com>
commit f55b9510cd9437da3a0efa08b089caeb47595ff1 upstream.
This function refers to the Bosch BME680 API as the source of the
calculation, but one of the constants does not match the Bosch
implementation. This appears to be a simple transposition of two digits,
resulting in a wait time that is too short. This can cause the following
'device measurement cycle incomplete' check to occasionally fail, returning
EBUSY to user space.
Adjust the constant to match the Bosch implementation and resolve the EBUSY
errors.
Fixes: 4241665e6ea0 ("iio: chemical: bme680: Fix sensor data read operation")
Link: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x.c#L521
Signed-off-by: Chris Spencer <spencercw@gmail.com>
Acked-by: Vasileios Amoiridis <vassilisamir@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/bme680_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/chemical/bme680_core.c
+++ b/drivers/iio/chemical/bme680_core.c
@@ -543,7 +543,7 @@ static int bme680_wait_for_eoc(struct bm
* + heater duration
*/
int wait_eoc_us = ((data->oversampling_temp + data->oversampling_press +
- data->oversampling_humid) * 1936) + (477 * 4) +
+ data->oversampling_humid) * 1963) + (477 * 4) +
(477 * 5) + 1000 + (data->heater_dur * 1000);
usleep_range(wait_eoc_us, wait_eoc_us + 100);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 284/567] usb: renesas_usbhs: fix use-after-free in ISR during device removal
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 283/567] usb: class: cdc-wdm: fix reordering issue in read code path Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 285/567] usb: mdc800: handle signal and read racing Greg Kroah-Hartman
` (93 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alan Stern, Fan Wu
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fan Wu <fanwu01@zju.edu.cn>
commit 3cbc242b88c607f55da3d0d0d336b49bf1e20412 upstream.
In usbhs_remove(), the driver frees resources (including the pipe array)
while the interrupt handler (usbhs_interrupt) is still registered. If an
interrupt fires after usbhs_pipe_remove() but before the driver is fully
unbound, the ISR may access freed memory, causing a use-after-free.
Fix this by calling devm_free_irq() before freeing resources. This ensures
the interrupt handler is both disabled and synchronized (waits for any
running ISR to complete) before usbhs_pipe_remove() is called.
Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code")
Cc: stable <stable@kernel.org>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
Link: https://patch.msgid.link/20260303073344.34577-1-fanwu01@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/renesas_usbhs/common.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/usb/renesas_usbhs/common.c
+++ b/drivers/usb/renesas_usbhs/common.c
@@ -800,6 +800,15 @@ static void usbhs_remove(struct platform
usbhs_platform_call(priv, hardware_exit, pdev);
reset_control_assert(priv->rsts);
+
+ /*
+ * Explicitly free the IRQ to ensure the interrupt handler is
+ * disabled and synchronized before freeing resources.
+ * devm_free_irq() calls free_irq() which waits for any running
+ * ISR to complete, preventing UAF.
+ */
+ devm_free_irq(&pdev->dev, priv->irq, priv);
+
usbhs_mod_remove(priv);
usbhs_fifo_remove(priv);
usbhs_pipe_remove(priv);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 222/481] tipc: fix divide-by-zero in tipc_sk_filter_connect()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 221/481] mmc: core: Avoid bitfield RMW for claim/retune flags Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 223/481] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() Greg Kroah-Hartman
` (93 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mehul Rao, Tung Nguyen,
Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mehul Rao <mehulrao@gmail.com>
commit 6c5a9baa15de240e747263aba435a0951da8d8d2 upstream.
A user can set conn_timeout to any value via
setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a
SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in
tipc_sk_filter_connect() executes:
delay %= (tsk->conn_timeout / 4);
If conn_timeout is in the range [0, 3], the integer division yields 0,
and the modulo operation triggers a divide-by-zero exception, causing a
kernel oops/panic.
Fix this by clamping conn_timeout to a minimum of 4 at the point of use
in tipc_sk_filter_connect().
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362)
Call Trace:
tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406)
__release_sock (include/net/sock.h:1185 net/core/sock.c:3213)
release_sock (net/core/sock.c:3797)
tipc_connect (net/tipc/socket.c:2570)
__sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098)
Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket")
Cc: stable@vger.kernel.org
Signed-off-by: Mehul Rao <mehulrao@gmail.com>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Link: https://patch.msgid.link/20260310170730.28841-1-mehulrao@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tipc/socket.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2235,6 +2235,8 @@ static bool tipc_sk_filter_connect(struc
if (skb_queue_empty(&sk->sk_write_queue))
break;
get_random_bytes(&delay, 2);
+ if (tsk->conn_timeout < 4)
+ tsk->conn_timeout = 4;
delay %= (tsk->conn_timeout / 4);
delay = msecs_to_jiffies(delay + 100);
sk_reset_timer(sk, &sk->sk_timer, jiffies + delay);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 209/460] iio: buffer: Fix wait_queue not being removed
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 208/460] iio: chemical: bme680: Fix measurement wait duration calculation Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 210/460] iio: gyro: mpu3050-core: fix pm_runtime error handling Greg Kroah-Hartman
` (93 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nuno Sá, David Lechner, Stable,
Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nuno Sá <nuno.sa@analog.com>
commit 064234044056c93a3719d6893e6e5a26a94a61b6 upstream.
In the edge case where the IIO device is unregistered while we're
buffering, we were directly returning an error without removing the wait
queue. Instead, set 'ret' and break out of the loop.
Fixes: 9eeee3b0bf19 ("iio: Add output buffer support")
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-buffer.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -228,8 +228,10 @@ static ssize_t iio_buffer_write(struct f
written = 0;
add_wait_queue(&rb->pollq, &wait);
do {
- if (!indio_dev->info)
- return -ENODEV;
+ if (!indio_dev->info) {
+ ret = -ENODEV;
+ break;
+ }
if (!iio_buffer_space_available(rb)) {
if (signal_pending(current)) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 285/567] usb: mdc800: handle signal and read racing
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 284/567] usb: renesas_usbhs: fix use-after-free in ISR during device removal Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 286/567] usb: image: mdc800: kill download URB on timeout Greg Kroah-Hartman
` (92 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 2d6d260e9a3576256fe9ef6d1f7930c9ec348723 upstream.
If a signal arrives after a read has partially completed,
we need to return the number of bytes read. -EINTR is correct
only if that number is zero.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260209142048.1503791-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/image/mdc800.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/image/mdc800.c
+++ b/drivers/usb/image/mdc800.c
@@ -708,7 +708,7 @@ static ssize_t mdc800_device_read (struc
if (signal_pending (current))
{
mutex_unlock(&mdc800->io_lock);
- return -EINTR;
+ return len == left ? -EINTR : len-left;
}
sts=left > (mdc800->out_count-mdc800->out_ptr)?mdc800->out_count-mdc800->out_ptr:left;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 223/481] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 222/481] tipc: fix divide-by-zero in tipc_sk_filter_connect() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 224/481] libceph: reject preamble if control segment is empty Greg Kroah-Hartman
` (92 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Viacheslav Dubeyko,
Ilya Dryomov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit b282c43ed156ae15ea76748fc15cd5c39dc9ab72 upstream.
This patch fixes an out-of-bounds access in ceph_handle_auth_reply()
that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In
ceph_handle_auth_reply(), the value of the payload_len field of such a
message is stored in a variable of type int. A value greater than
INT_MAX leads to an integer overflow and is interpreted as a negative
value. This leads to decrementing the pointer address by this value and
subsequently accessing it because ceph_decode_need() only checks that
the memory access does not exceed the end address of the allocation.
This patch fixes the issue by changing the data type of payload_len to
u32. Additionally, the data type of result_msg_len is changed to u32,
as it is also a variable holding a non-negative length.
Also, an additional layer of sanity checks is introduced, ensuring that
directly after reading it from the message, payload_len and
result_msg_len are not greater than the overall segment length.
BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]
Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262
CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: ceph-msgr ceph_con_workfn [libceph]
Call Trace:
<TASK>
dump_stack_lvl+0x76/0xa0
print_report+0xd1/0x620
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? kasan_complete_mode_report_info+0x72/0x210
kasan_report+0xe7/0x130
? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
__asan_report_load_n_noabort+0xf/0x20
ceph_handle_auth_reply+0x642/0x7a0 [libceph]
mon_dispatch+0x973/0x23d0 [libceph]
? apparmor_socket_recvmsg+0x6b/0xa0
? __pfx_mon_dispatch+0x10/0x10 [libceph]
? __kasan_check_write+0x14/0x30i
? mutex_unlock+0x7f/0xd0
? __pfx_mutex_unlock+0x10/0x10
? __pfx_do_recvmsg+0x10/0x10 [libceph]
ceph_con_process_message+0x1f1/0x650 [libceph]
process_message+0x1e/0x450 [libceph]
ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]
? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]
? save_fpregs_to_fpstate+0xb0/0x230
? raw_spin_rq_unlock+0x17/0xa0
? finish_task_switch.isra.0+0x13b/0x760
? __switch_to+0x385/0xda0
? __kasan_check_write+0x14/0x30
? mutex_lock+0x8d/0xe0
? __pfx_mutex_lock+0x10/0x10
ceph_con_workfn+0x248/0x10c0 [libceph]
process_one_work+0x629/0xf80
? __kasan_check_write+0x14/0x30
worker_thread+0x87f/0x1570
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? __pfx_try_to_wake_up+0x10/0x10
? kasan_print_address_stack_frame+0x1f7/0x280
? __pfx_worker_thread+0x10/0x10
kthread+0x396/0x830
? __pfx__raw_spin_lock_irq+0x10/0x10
? __pfx_kthread+0x10/0x10
? __kasan_check_write+0x14/0x30
? recalc_sigpending+0x180/0x210
? __pfx_kthread+0x10/0x10
ret_from_fork+0x3f7/0x610
? __pfx_ret_from_fork+0x10/0x10
? __switch_to+0x385/0xda0
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
[ idryomov: replace if statements with ceph_decode_need() for
payload_len and result_msg_len ]
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/auth.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/ceph/auth.c
+++ b/net/ceph/auth.c
@@ -205,9 +205,9 @@ int ceph_handle_auth_reply(struct ceph_a
s32 result;
u64 global_id;
void *payload, *payload_end;
- int payload_len;
+ u32 payload_len;
char *result_msg;
- int result_msg_len;
+ u32 result_msg_len;
int ret = -EINVAL;
mutex_lock(&ac->mutex);
@@ -217,10 +217,12 @@ int ceph_handle_auth_reply(struct ceph_a
result = ceph_decode_32(&p);
global_id = ceph_decode_64(&p);
payload_len = ceph_decode_32(&p);
+ ceph_decode_need(&p, end, payload_len, bad);
payload = p;
p += payload_len;
ceph_decode_need(&p, end, sizeof(u32), bad);
result_msg_len = ceph_decode_32(&p);
+ ceph_decode_need(&p, end, result_msg_len, bad);
result_msg = p;
p += result_msg_len;
if (p != end)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 210/460] iio: gyro: mpu3050-core: fix pm_runtime error handling
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 209/460] iio: buffer: Fix wait_queue not being removed Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 211/460] iio: gyro: mpu3050-i2c: " Greg Kroah-Hartman
` (92 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, Antoniu Miclaus,
Stable, Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit acc3949aab3e8094641a9c7c2768de1958c88378 upstream.
The return value of pm_runtime_get_sync() is not checked, allowing
the driver to access hardware that may fail to resume. The device
usage count is also unconditionally incremented. Use
pm_runtime_resume_and_get() which propagates errors and avoids
incrementing the usage count on failure.
In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate()
failure since postdisable does not run when preenable fails.
Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope")
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/gyro/mpu3050-core.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
--- a/drivers/iio/gyro/mpu3050-core.c
+++ b/drivers/iio/gyro/mpu3050-core.c
@@ -322,7 +322,9 @@ static int mpu3050_read_raw(struct iio_d
}
case IIO_CHAN_INFO_RAW:
/* Resume device */
- pm_runtime_get_sync(mpu3050->dev);
+ ret = pm_runtime_resume_and_get(mpu3050->dev);
+ if (ret)
+ return ret;
mutex_lock(&mpu3050->lock);
ret = mpu3050_set_8khz_samplerate(mpu3050);
@@ -648,14 +650,20 @@ out_trigger_unlock:
static int mpu3050_buffer_preenable(struct iio_dev *indio_dev)
{
struct mpu3050 *mpu3050 = iio_priv(indio_dev);
+ int ret;
- pm_runtime_get_sync(mpu3050->dev);
+ ret = pm_runtime_resume_and_get(mpu3050->dev);
+ if (ret)
+ return ret;
/* Unless we have OUR trigger active, run at full speed */
- if (!mpu3050->hw_irq_trigger)
- return mpu3050_set_8khz_samplerate(mpu3050);
+ if (!mpu3050->hw_irq_trigger) {
+ ret = mpu3050_set_8khz_samplerate(mpu3050);
+ if (ret)
+ pm_runtime_put_autosuspend(mpu3050->dev);
+ }
- return 0;
+ return ret;
}
static int mpu3050_buffer_postdisable(struct iio_dev *indio_dev)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 286/567] usb: image: mdc800: kill download URB on timeout
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 285/567] usb: mdc800: handle signal and read racing Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 287/567] mm/tracing: rss_stat: ensure curr is false from kthread context Greg Kroah-Hartman
` (91 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ziyi Guo, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ziyi Guo <n7l8m4@u.northwestern.edu>
commit 1be3b77de4eb89af8ae2fd6610546be778e25589 upstream.
mdc800_device_read() submits download_urb and waits for completion.
If the timeout fires and the device has not responded, the function
returns without killing the URB, leaving it active.
A subsequent read() resubmits the same URB while it is still
in-flight, triggering the WARN in usb_submit_urb():
"URB submitted while active"
Check the return value of wait_event_timeout() and kill the URB if
it indicates timeout, ensuring the URB is complete before its status
is inspected or the URB is resubmitted.
Similar to
- commit 372c93131998 ("USB: yurex: fix control-URB timeout handling")
- commit b98d5000c505 ("media: rc: iguanair: handle timeouts")
Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260209151937.2247202-1-n7l8m4@u.northwestern.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/image/mdc800.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/image/mdc800.c
+++ b/drivers/usb/image/mdc800.c
@@ -731,9 +731,11 @@ static ssize_t mdc800_device_read (struc
mutex_unlock(&mdc800->io_lock);
return len-left;
}
- wait_event_timeout(mdc800->download_wait,
+ retval = wait_event_timeout(mdc800->download_wait,
mdc800->downloaded,
msecs_to_jiffies(TO_DOWNLOAD_GET_READY));
+ if (!retval)
+ usb_kill_urb(mdc800->download_urb);
mdc800->downloaded = 0;
if (mdc800->download_urb->status != 0)
{
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 224/481] libceph: reject preamble if control segment is empty
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 223/481] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 225/481] libceph: prevent potential out-of-bounds reads in process_message_header() Greg Kroah-Hartman
` (91 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ilya Dryomov, Alex Markuze
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit c4c22b846eceff05b1129b8844a80310e55a7f87 upstream.
While head_onwire_len() has a branch to handle ctrl_len == 0 case,
prepare_read_control() always sets up a kvec for the CRC meaning that
a non-empty control segment is effectively assumed. All frames that
clients deal with meet that assumption, so let's make it official and
treat the preamble with an empty control segment as malformed.
Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/messenger_v2.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -392,7 +392,7 @@ static int head_onwire_len(int ctrl_len,
int head_len;
int rem_len;
- BUG_ON(ctrl_len < 0 || ctrl_len > CEPH_MSG_MAX_CONTROL_LEN);
+ BUG_ON(ctrl_len < 1 || ctrl_len > CEPH_MSG_MAX_CONTROL_LEN);
if (secure) {
head_len = CEPH_PREAMBLE_SECURE_LEN;
@@ -401,9 +401,7 @@ static int head_onwire_len(int ctrl_len,
head_len += padded_len(rem_len) + CEPH_GCM_TAG_LEN;
}
} else {
- head_len = CEPH_PREAMBLE_PLAIN_LEN;
- if (ctrl_len)
- head_len += ctrl_len + CEPH_CRC_LEN;
+ head_len = CEPH_PREAMBLE_PLAIN_LEN + ctrl_len + CEPH_CRC_LEN;
}
return head_len;
}
@@ -528,11 +526,16 @@ static int decode_preamble(void *p, stru
desc->fd_aligns[i] = ceph_decode_16(&p);
}
- if (desc->fd_lens[0] < 0 ||
+ /*
+ * This would fire for FRAME_TAG_WAIT (it has one empty
+ * segment), but we should never get it as client.
+ */
+ if (desc->fd_lens[0] < 1 ||
desc->fd_lens[0] > CEPH_MSG_MAX_CONTROL_LEN) {
pr_err("bad control segment length %d\n", desc->fd_lens[0]);
return -EINVAL;
}
+
if (desc->fd_lens[1] < 0 ||
desc->fd_lens[1] > CEPH_MSG_MAX_FRONT_LEN) {
pr_err("bad front segment length %d\n", desc->fd_lens[1]);
@@ -549,10 +552,6 @@ static int decode_preamble(void *p, stru
return -EINVAL;
}
- /*
- * This would fire for FRAME_TAG_WAIT (it has one empty
- * segment), but we should never get it as client.
- */
if (!desc->fd_lens[desc->fd_seg_cnt - 1]) {
pr_err("last segment empty, segment count %d\n",
desc->fd_seg_cnt);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 211/460] iio: gyro: mpu3050-i2c: fix pm_runtime error handling
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 210/460] iio: gyro: mpu3050-core: fix pm_runtime error handling Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 212/460] iio: imu: inv_icm42600: fix odr switch to the same value Greg Kroah-Hartman
` (91 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Stable,
Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit 91f950b4cbb1aa9ea4eb3999f1463e8044b717fb upstream.
The return value of pm_runtime_get_sync() is not checked, and the
function always returns success. This allows I2C mux operations to
proceed even when the device fails to resume.
Use pm_runtime_resume_and_get() and propagate its return value to
properly handle resume failures.
Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/gyro/mpu3050-i2c.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/iio/gyro/mpu3050-i2c.c
+++ b/drivers/iio/gyro/mpu3050-i2c.c
@@ -19,8 +19,7 @@ static int mpu3050_i2c_bypass_select(str
struct mpu3050 *mpu3050 = i2c_mux_priv(mux);
/* Just power up the device, that is all that is needed */
- pm_runtime_get_sync(mpu3050->dev);
- return 0;
+ return pm_runtime_resume_and_get(mpu3050->dev);
}
static int mpu3050_i2c_bypass_deselect(struct i2c_mux_core *mux, u32 chan_id)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 287/567] mm/tracing: rss_stat: ensure curr is false from kthread context
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 286/567] usb: image: mdc800: kill download URB on timeout Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 288/567] mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index() Greg Kroah-Hartman
` (90 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kalesh Singh, Zi Yan, SeongJae Park,
Pedro Falcato, David Hildenbrand (Arm), Joel Fernandes,
Lorenzo Stoakes, Minchan Kim, Steven Rostedt, Suren Baghdasaryan,
Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kalesh Singh <kaleshsingh@google.com>
commit 079c24d5690262e83ee476e2a548e416f3237511 upstream.
The rss_stat trace event allows userspace tools, like Perfetto [1], to
inspect per-process RSS metric changes over time.
The curr field was introduced to rss_stat in commit e4dcad204d3a
("rss_stat: add support to detect RSS updates of external mm"). Its
intent is to indicate whether the RSS update is for the mm_struct of the
current execution context; and is set to false when operating on a remote
mm_struct (e.g., via kswapd or a direct reclaimer).
However, an issue arises when a kernel thread temporarily adopts a user
process's mm_struct. Kernel threads do not have their own mm_struct and
normally have current->mm set to NULL. To operate on user memory, they
can "borrow" a memory context using kthread_use_mm(), which sets
current->mm to the user process's mm.
This can be observed, for example, in the USB Function Filesystem (FFS)
driver. The ffs_user_copy_worker() handles AIO completions and uses
kthread_use_mm() to copy data to a user-space buffer. If a page fault
occurs during this copy, the fault handler executes in the kthread's
context.
At this point, current is the kthread, but current->mm points to the user
process's mm. Since the rss_stat event (from the page fault) is for that
same mm, the condition current->mm == mm becomes true, causing curr to be
incorrectly set to true when the trace event is emitted.
This is misleading because it suggests the mm belongs to the kthread,
confusing userspace tools that track per-process RSS changes and
corrupting their mm_id-to-process association.
Fix this by ensuring curr is always false when the trace event is emitted
from a kthread context by checking for the PF_KTHREAD flag.
Link: https://lkml.kernel.org/r/20260219233708.1971199-1-kaleshsingh@google.com
Link: https://perfetto.dev/ [1]
Fixes: e4dcad204d3a ("rss_stat: add support to detect RSS updates of external mm")
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
Acked-by: Zi Yan <ziy@nvidia.com>
Acked-by: SeongJae Park <sj@kernel.org>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Cc: "David Hildenbrand (Arm)" <david@kernel.org>
Cc: Joel Fernandes <joel@joelfernandes.org>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: <stable@vger.kernel.org> [5.10+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/trace/events/kmem.h | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/include/trace/events/kmem.h
+++ b/include/trace/events/kmem.h
@@ -359,7 +359,13 @@ TRACE_EVENT(rss_stat,
TP_fast_assign(
__entry->mm_id = mm_ptr_to_hash(mm);
- __entry->curr = !!(current->mm == mm);
+ /*
+ * curr is true if the mm matches the current task's mm_struct.
+ * Since kthreads (PF_KTHREAD) have no mm_struct of their own
+ * but can borrow one via kthread_use_mm(), we must filter them
+ * out to avoid incorrectly attributing the RSS update to them.
+ */
+ __entry->curr = current->mm == mm && !(current->flags & PF_KTHREAD);
__entry->member = member;
__entry->size = (percpu_counter_sum_positive(&mm->rss_stat[member])
<< PAGE_SHIFT);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 225/481] libceph: prevent potential out-of-bounds reads in process_message_header()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 224/481] libceph: reject preamble if control segment is empty Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 226/481] libceph: Use u32 for non-negative values in ceph_monmap_decode() Greg Kroah-Hartman
` (90 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov,
Alex Markuze, Viacheslav Dubeyko
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit 69fb5d91bba44ecf7eb80530b85fa4fb028921d5 upstream.
If the message frame is (maliciously) corrupted in a way that the
length of the control segment ends up being less than the size of the
message header or a different frame is made to look like a message
frame, out-of-bounds reads may ensue in process_message_header().
Perform an explicit bounds check before decoding the message header.
Cc: stable@vger.kernel.org
Reported-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/messenger_v2.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -2646,12 +2646,15 @@ static int process_message_header(struct
void *p, void *end)
{
struct ceph_frame_desc *desc = &con->v2.in_desc;
- struct ceph_msg_header2 *hdr2 = p;
+ struct ceph_msg_header2 *hdr2;
struct ceph_msg_header hdr;
int skip;
int ret;
u64 seq;
+ ceph_decode_need(&p, end, sizeof(*hdr2), bad);
+ hdr2 = p;
+
/* verify seq# */
seq = le64_to_cpu(hdr2->seq);
if ((s64)seq - (s64)con->in_seq < 1) {
@@ -2682,6 +2685,10 @@ static int process_message_header(struct
WARN_ON(!con->in_msg);
WARN_ON(con->in_msg->con != con);
return 1;
+
+bad:
+ pr_err("failed to decode message header\n");
+ return -EINVAL;
}
static int process_message(struct ceph_connection *con)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 212/460] iio: imu: inv_icm42600: fix odr switch to the same value
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 211/460] iio: gyro: mpu3050-i2c: " Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 213/460] iio: imu: inv_icm42600: fix odr switch when turning buffer off Greg Kroah-Hartman
` (90 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean-Baptiste Maneyrol,
Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
commit c9f3a593137d862d424130343e77d4b5260a4f5a upstream.
ODR switch is done in 2 steps when FIFO is on : change the ODR register
value and acknowledge change when reading the FIFO ODR change flag.
When we are switching to the same odr value, we end up waiting for a
FIFO ODR flag that is never happening.
Fix the issue by doing nothing and exiting properly when we are
switching to the same ODR value.
Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 2 ++
drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 2 ++
2 files changed, 4 insertions(+)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
@@ -454,6 +454,8 @@ static int inv_icm42600_accel_write_odr(
return -EINVAL;
conf.odr = inv_icm42600_accel_odr_conv[idx / 2];
+ if (conf.odr == st->conf.accel.odr)
+ return 0;
pm_runtime_get_sync(dev);
mutex_lock(&st->lock);
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
@@ -361,6 +361,8 @@ static int inv_icm42600_gyro_write_odr(s
return -EINVAL;
conf.odr = inv_icm42600_gyro_odr_conv[idx / 2];
+ if (conf.odr == st->conf.gyro.odr)
+ return 0;
pm_runtime_get_sync(dev);
mutex_lock(&st->lock);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 288/567] mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 287/567] mm/tracing: rss_stat: ensure curr is false from kthread context Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 289/567] mm/kfence: disable KFENCE upon KASAN HW tags enablement Greg Kroah-Hartman
` (89 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Felix Gu, Ulf Hansson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
commit af12e64ae0661546e8b4f5d30d55c5f53a11efe7 upstream.
When calling of_parse_phandle_with_args(), the caller is responsible
to call of_node_put() to release the reference of device node.
In of_get_dml_pipe_index(), it does not release the reference.
Fixes: 9cb15142d0e3 ("mmc: mmci: Add qcom dml support to the driver.")
Signed-off-by: Felix Gu <gu_0233@qq.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/mmci_qcom_dml.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/mmc/host/mmci_qcom_dml.c
+++ b/drivers/mmc/host/mmci_qcom_dml.c
@@ -109,6 +109,7 @@ static int of_get_dml_pipe_index(struct
&dma_spec))
return -ENODEV;
+ of_node_put(dma_spec.np);
if (dma_spec.args_count)
return dma_spec.args[0];
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 226/481] libceph: Use u32 for non-negative values in ceph_monmap_decode()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 225/481] libceph: prevent potential out-of-bounds reads in process_message_header() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 227/481] libceph: admit message frames only in CEPH_CON_S_OPEN state Greg Kroah-Hartman
` (89 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Viacheslav Dubeyko,
Ilya Dryomov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit 770444611f047dbfd4517ec0bc1b179d40c2f346 upstream.
This patch fixes unnecessary implicit conversions that change signedness
of blob_len and num_mon in ceph_monmap_decode().
Currently blob_len and num_mon are (signed) int variables. They are used
to hold values that are always non-negative and get assigned in
ceph_decode_32_safe(), which is meant to assign u32 values. Both
variables are subsequently used as unsigned values, and the value of
num_mon is further assigned to monmap->num_mon, which is of type u32.
Therefore, both variables should be of type u32. This is especially
relevant for num_mon. If the value read from the incoming message is
very large, it is interpreted as a negative value, and the check for
num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to
allocate a very large chunk of memory for monmap, which will most likely
fail. In this case, an unnecessary attempt to allocate memory is
performed, and -ENOMEM is returned instead of -EINVAL.
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/mon_client.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -72,8 +72,8 @@ static struct ceph_monmap *ceph_monmap_d
struct ceph_monmap *monmap = NULL;
struct ceph_fsid fsid;
u32 struct_len;
- int blob_len;
- int num_mon;
+ u32 blob_len;
+ u32 num_mon;
u8 struct_v;
u32 epoch;
int ret;
@@ -112,7 +112,7 @@ static struct ceph_monmap *ceph_monmap_d
}
ceph_decode_32_safe(p, end, num_mon, e_inval);
- dout("%s fsid %pU epoch %u num_mon %d\n", __func__, &fsid, epoch,
+ dout("%s fsid %pU epoch %u num_mon %u\n", __func__, &fsid, epoch,
num_mon);
if (num_mon > CEPH_MAX_MON)
goto e_inval;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 213/460] iio: imu: inv_icm42600: fix odr switch when turning buffer off
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 212/460] iio: imu: inv_icm42600: fix odr switch to the same value Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 214/460] iio: proximity: hx9023s: Protect against division by zero in set_samp_freq Greg Kroah-Hartman
` (89 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean-Baptiste Maneyrol,
Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
commit ffd32db8263d2d785a2c419486a450dc80693235 upstream.
ODR switch is done in 2 steps when FIFO is on : change the ODR register
value and acknowledge change when reading the FIFO ODR change flag.
When we are switching odr and turning buffer off just afterward, we are
losing the FIFO ODR change flag and ODR switch is blocked.
Fix the issue by force applying any waiting ODR change when turning
buffer off.
Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c
@@ -389,6 +389,8 @@ out_unlock:
static int inv_icm42600_buffer_postdisable(struct iio_dev *indio_dev)
{
struct inv_icm42600_state *st = iio_device_get_drvdata(indio_dev);
+ struct inv_icm42600_sensor_state *sensor_st = iio_priv(indio_dev);
+ struct inv_sensors_timestamp *ts = &sensor_st->ts;
struct device *dev = regmap_get_device(st->map);
unsigned int sensor;
unsigned int *watermark;
@@ -410,6 +412,8 @@ static int inv_icm42600_buffer_postdisab
mutex_lock(&st->lock);
+ inv_sensors_timestamp_apply_odr(ts, 0, 0, 0);
+
ret = inv_icm42600_buffer_set_fifo_en(st, st->fifo.en & ~sensor);
if (ret)
goto out_unlock;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 289/567] mm/kfence: disable KFENCE upon KASAN HW tags enablement
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 288/567] mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 290/567] mmc: core: Avoid bitfield RMW for claim/retune flags Greg Kroah-Hartman
` (88 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Potapenko, Marco Elver,
Andrey Konovalov, Andrey Ryabinin, Dmitry Vyukov,
Ernesto Martinez Garcia, Kees Cook, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Potapenko <glider@google.com>
commit 09833d99db36d74456a4d13eb29c32d56ff8f2b6 upstream.
KFENCE does not currently support KASAN hardware tags. As a result, the
two features are incompatible when enabled simultaneously.
Given that MTE provides deterministic protection and KFENCE is a
sampling-based debugging tool, prioritize the stronger hardware
protections. Disable KFENCE initialization and free the pre-allocated
pool if KASAN hardware tags are detected to ensure the system maintains
the security guarantees provided by MTE.
Link: https://lkml.kernel.org/r/20260213095410.1862978-1-glider@google.com
Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure")
Signed-off-by: Alexander Potapenko <glider@google.com>
Suggested-by: Marco Elver <elver@google.com>
Reviewed-by: Marco Elver <elver@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Ernesto Martinez Garcia <ernesto.martinezgarcia@tugraz.at>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Kees Cook <kees@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/kfence/core.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/mm/kfence/core.c
+++ b/mm/kfence/core.c
@@ -13,6 +13,7 @@
#include <linux/hash.h>
#include <linux/irq_work.h>
#include <linux/jhash.h>
+#include <linux/kasan-enabled.h>
#include <linux/kcsan-checks.h>
#include <linux/kfence.h>
#include <linux/kmemleak.h>
@@ -862,6 +863,20 @@ void __init kfence_alloc_pool_and_metada
return;
/*
+ * If KASAN hardware tags are enabled, disable KFENCE, because it
+ * does not support MTE yet.
+ */
+ if (kasan_hw_tags_enabled()) {
+ pr_info("disabled as KASAN HW tags are enabled\n");
+ if (__kfence_pool) {
+ memblock_free(__kfence_pool, KFENCE_POOL_SIZE);
+ __kfence_pool = NULL;
+ }
+ kfence_sample_interval = 0;
+ return;
+ }
+
+ /*
* If the pool has already been initialized by arch, there is no need to
* re-allocate the memory pool.
*/
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 227/481] libceph: admit message frames only in CEPH_CON_S_OPEN state
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 226/481] libceph: Use u32 for non-negative values in ceph_monmap_decode() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 228/481] ceph: fix i_nlink underrun during async unlink Greg Kroah-Hartman
` (88 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilya Dryomov, Alex Markuze,
Viacheslav Dubeyko
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit a5a373705081d7cc6363e16990e2361b0b362314 upstream.
Similar checks are performed for all control frames, but an early check
for message frames was missing. process_message() is already set up to
terminate the loop in case the state changes while con->ops->dispatch()
handler is being executed.
Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/messenger_v2.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -2718,6 +2718,11 @@ static int __handle_control(struct ceph_
if (con->v2.in_desc.fd_tag != FRAME_TAG_MESSAGE)
return process_control(con, p, end);
+ if (con->state != CEPH_CON_S_OPEN) {
+ con->error_msg = "protocol error, unexpected message";
+ return -EINVAL;
+ }
+
ret = process_message_header(con, p, end);
if (ret < 0)
return ret;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 214/460] iio: proximity: hx9023s: Protect against division by zero in set_samp_freq
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 213/460] iio: imu: inv_icm42600: fix odr switch when turning buffer off Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 215/460] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors Greg Kroah-Hartman
` (88 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yasin Lee, Andy Shevchenko, Stable,
Jonathan Cameron
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yasin Lee <yasin.lee.x@gmail.com>
commit a318cfc0853706f1d6ce682dba660bc455d674ef upstream.
Avoid division by zero when sampling frequency is unspecified.
Fixes: 60df548277b7 ("iio: proximity: Add driver support for TYHX's HX9023S capacitive proximity sensor")
Signed-off-by: Yasin Lee <yasin.lee.x@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/proximity/hx9023s.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/iio/proximity/hx9023s.c
+++ b/drivers/iio/proximity/hx9023s.c
@@ -708,6 +708,9 @@ static int hx9023s_set_samp_freq(struct
struct device *dev = regmap_get_device(data->regmap);
unsigned int i, period_ms;
+ if (!val && !val2)
+ return -EINVAL;
+
period_ms = div_u64(NANO, (val * MEGA + val2));
for (i = 0; i < ARRAY_SIZE(hx9023s_samp_freq_table); i++) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 290/567] mmc: core: Avoid bitfield RMW for claim/retune flags
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 289/567] mm/kfence: disable KFENCE upon KASAN HW tags enablement Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 291/567] ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start Greg Kroah-Hartman
` (87 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Penghe Geng,
Ulf Hansson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Penghe Geng <pgeng@nvidia.com>
commit 901084c51a0a8fb42a3f37d2e9c62083c495f824 upstream.
Move claimed and retune control flags out of the bitfield word to
avoid unrelated RMW side effects in asynchronous contexts.
The host->claimed bit shared a word with retune flags. Writes to claimed
in __mmc_claim_host() or retune_now in mmc_mq_queue_rq() can overwrite
other bits when concurrent updates happen in other contexts, triggering
spurious WARN_ON(!host->claimed). Convert claimed, can_retune,
retune_now and retune_paused to bool to remove shared-word coupling.
Fixes: 6c0cedd1ef952 ("mmc: core: Introduce host claiming by context")
Fixes: 1e8e55b67030c ("mmc: block: Add CQE support")
Cc: stable@vger.kernel.org
Suggested-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Penghe Geng <pgeng@nvidia.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mmc/host.h | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/include/linux/mmc/host.h
+++ b/include/linux/mmc/host.h
@@ -446,14 +446,12 @@ struct mmc_host {
struct mmc_ios ios; /* current io bus settings */
+ bool claimed; /* host exclusively claimed */
+
/* group bitfields together to minimize padding */
unsigned int use_spi_crc:1;
- unsigned int claimed:1; /* host exclusively claimed */
unsigned int doing_init_tune:1; /* initial tuning in progress */
- unsigned int can_retune:1; /* re-tuning can be used */
unsigned int doing_retune:1; /* re-tuning in progress */
- unsigned int retune_now:1; /* do re-tuning at next req */
- unsigned int retune_paused:1; /* re-tuning is temporarily disabled */
unsigned int retune_crc_disable:1; /* don't trigger retune upon crc */
unsigned int can_dma_map_merge:1; /* merging can be used */
unsigned int vqmmc_enabled:1; /* vqmmc regulator is enabled */
@@ -461,6 +459,9 @@ struct mmc_host {
int rescan_disable; /* disable card detection */
int rescan_entered; /* used with nonremovable devices */
+ bool can_retune; /* re-tuning can be used */
+ bool retune_now; /* do re-tuning at next req */
+ bool retune_paused; /* re-tuning is temporarily disabled */
int need_retune; /* re-tuning is needed */
int hold_retune; /* hold off re-tuning */
unsigned int retune_period; /* re-tuning period in secs */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 228/481] ceph: fix i_nlink underrun during async unlink
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 227/481] libceph: admit message frames only in CEPH_CON_S_OPEN state Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 229/481] time: add kernel-doc in time.c Greg Kroah-Hartman
` (87 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Kellermann, Viacheslav Dubeyko,
Ilya Dryomov
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Kellermann <max.kellermann@ionos.com>
commit ce0123cbb4a40a2f1bbb815f292b26e96088639f upstream.
During async unlink, we drop the `i_nlink` counter before we receive
the completion (that will eventually update the `i_nlink`) because "we
assume that the unlink will succeed". That is not a bad idea, but it
races against deletions by other clients (or against the completion of
our own unlink) and can lead to an underrun which emits a WARNING like
this one:
WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68
Modules linked in:
CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655
Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : drop_nlink+0x50/0x68
lr : ceph_unlink+0x6c4/0x720
sp : ffff80012173bc90
x29: ffff80012173bc90 x28: ffff086d0a45aaf8 x27: ffff0871d0eb5680
x26: ffff087f2a64a718 x25: 0000020000000180 x24: 0000000061c88647
x23: 0000000000000002 x22: ffff07ff9236d800 x21: 0000000000001203
x20: ffff07ff9237b000 x19: ffff088b8296afc0 x18: 00000000f3c93365
x17: 0000000000070000 x16: ffff08faffcbdfe8 x15: ffff08faffcbdfec
x14: 0000000000000000 x13: 45445f65645f3037 x12: 34385f6369706f74
x11: 0000a2653104bb20 x10: ffffd85f26d73290 x9 : ffffd85f25664f94
x8 : 00000000000000c0 x7 : 0000000000000000 x6 : 0000000000000002
x5 : 0000000000000081 x4 : 0000000000000481 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff08727d3f91e8
Call trace:
drop_nlink+0x50/0x68 (P)
vfs_unlink+0xb0/0x2e8
do_unlinkat+0x204/0x288
__arm64_sys_unlinkat+0x3c/0x80
invoke_syscall.constprop.0+0x54/0xe8
do_el0_svc+0xa4/0xc8
el0_svc+0x18/0x58
el0t_64_sync_handler+0x104/0x130
el0t_64_sync+0x154/0x158
In ceph_unlink(), a call to ceph_mdsc_submit_request() submits the
CEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion.
Meanwhile, between this call and the following drop_nlink() call, a
worker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or
just a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own
completion). These will lead to a set_nlink() call, updating the
`i_nlink` counter to the value received from the MDS. If that new
`i_nlink` value happens to be zero, it is illegal to decrement it
further. But that is exactly what ceph_unlink() will do then.
The WARNING can be reproduced this way:
1. Force async unlink; only the async code path is affected. Having
no real clue about Ceph internals, I was unable to find out why the
MDS wouldn't give me the "Fxr" capabilities, so I patched
get_caps_for_async_unlink() to always succeed.
(Note that the WARNING dump above was found on an unpatched kernel,
without this kludge - this is not a theoretical bug.)
2. Add a sleep call after ceph_mdsc_submit_request() so the unlink
completion gets handled by a worker thread before drop_nlink() is
called. This guarantees that the `i_nlink` is already zero before
drop_nlink() runs.
The solution is to skip the counter decrement when it is already zero,
but doing so without a lock is still racy (TOCTOU). Since
ceph_fill_inode() and handle_cap_grant() both hold the
`ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this
seems like the proper lock to protect the `i_nlink` updates.
I found prior art in NFS and SMB (using `inode.i_lock`) and AFS (using
`afs_vnode.cb_lock`). All three have the zero check as well.
Cc: stable@vger.kernel.org
Fixes: 2ccb45462aea ("ceph: perform asynchronous unlink if we have sufficient caps")
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/dir.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -1183,6 +1183,7 @@ static int ceph_unlink(struct inode *dir
struct ceph_fs_client *fsc = ceph_sb_to_client(dir->i_sb);
struct ceph_mds_client *mdsc = fsc->mdsc;
struct inode *inode = d_inode(dentry);
+ struct ceph_inode_info *ci = ceph_inode(inode);
struct ceph_mds_request *req;
bool try_async = ceph_test_mount_opt(fsc, ASYNC_DIROPS);
int err = -EROFS;
@@ -1240,7 +1241,19 @@ retry:
* We have enough caps, so we assume that the unlink
* will succeed. Fix up the target inode and dcache.
*/
- drop_nlink(inode);
+
+ /*
+ * Protect the i_nlink update with i_ceph_lock
+ * to precent racing against ceph_fill_inode()
+ * handling our completion on a worker thread
+ * and don't decrement if i_nlink has already
+ * been updated to zero by this completion.
+ */
+ spin_lock(&ci->i_ceph_lock);
+ if (inode->i_nlink > 0)
+ drop_nlink(inode);
+ spin_unlock(&ci->i_ceph_lock);
+
d_delete(dentry);
} else {
spin_lock(&fsc->async_unlink_conflict_lock);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 215/460] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 214/460] iio: proximity: hx9023s: Protect against division by zero in set_samp_freq Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 216/460] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort Greg Kroah-Hartman
` (87 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit 4167b8914463132654e01e16259847d097f8a7f7 upstream.
The MIPI I3C HCI driver currently returns -ETIME for various timeout
conditions, while other I3C master drivers consistently use -ETIMEDOUT
for the same class of errors. Align the HCI driver with the rest of the
subsystem by replacing all uses of -ETIME with -ETIMEDOUT.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-2-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/cmd_v1.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/cmd_v2.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/core.c | 6 +++---
3 files changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/i3c/master/mipi-i3c-hci/cmd_v1.c
+++ b/drivers/i3c/master/mipi-i3c-hci/cmd_v1.c
@@ -334,7 +334,7 @@ static int hci_cmd_v1_daa(struct i3c_hci
hci->io->queue_xfer(hci, xfer, 1);
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, 1)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
break;
}
if ((RESP_STATUS(xfer->response) == RESP_ERR_ADDR_HEADER ||
--- a/drivers/i3c/master/mipi-i3c-hci/cmd_v2.c
+++ b/drivers/i3c/master/mipi-i3c-hci/cmd_v2.c
@@ -277,7 +277,7 @@ static int hci_cmd_v2_daa(struct i3c_hci
hci->io->queue_xfer(hci, xfer, 2);
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, 2)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
break;
}
if (RESP_STATUS(xfer[0].response) != RESP_SUCCESS) {
--- a/drivers/i3c/master/mipi-i3c-hci/core.c
+++ b/drivers/i3c/master/mipi-i3c-hci/core.c
@@ -236,7 +236,7 @@ static int i3c_hci_send_ccc_cmd(struct i
goto out;
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, nxfers)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
goto out;
}
for (i = prefixed; i < nxfers; i++) {
@@ -348,7 +348,7 @@ static int i3c_hci_priv_xfers(struct i3c
goto out;
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, nxfers)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
goto out;
}
for (i = 0; i < nxfers; i++) {
@@ -402,7 +402,7 @@ static int i3c_hci_i2c_xfers(struct i2c_
goto out;
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, nxfers)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
goto out;
}
for (i = 0; i < nxfers; i++) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 291/567] ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 290/567] mmc: core: Avoid bitfield RMW for claim/retune flags Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 292/567] tipc: fix divide-by-zero in tipc_sk_filter_connect() Greg Kroah-Hartman
` (86 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ravi Hothi, Srinivas Kandagatla,
Mark Brown
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ravi Hothi <ravi.hothi@oss.qualcomm.com>
commit d6db827b430bdcca3976cebca7bd69cca03cde2c upstream.
During ADSP stop and start, the kernel crashes due to the order in which
ASoC components are removed.
On ADSP stop, the q6apm-audio .remove callback unloads topology and removes
PCM runtimes during ASoC teardown. This deletes the RTDs that contain the
q6apm DAI components before their removal pass runs, leaving those
components still linked to the card and causing crashes on the next rebind.
Fix this by ensuring that all dependent (child) components are removed
first, and the q6apm component is removed last.
[ 48.105720] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0
[ 48.114763] Mem abort info:
[ 48.117650] ESR = 0x0000000096000004
[ 48.121526] EC = 0x25: DABT (current EL), IL = 32 bits
[ 48.127010] SET = 0, FnV = 0
[ 48.130172] EA = 0, S1PTW = 0
[ 48.133415] FSC = 0x04: level 0 translation fault
[ 48.138446] Data abort info:
[ 48.141422] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 48.147079] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 48.152354] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 48.157859] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001173cf000
[ 48.164517] [00000000000000d0] pgd=0000000000000000, p4d=0000000000000000
[ 48.171530] Internal error: Oops: 0000000096000004 [#1] SMP
[ 48.177348] Modules linked in: q6prm_clocks q6apm_lpass_dais q6apm_dai snd_q6dsp_common q6prm snd_q6apm 8021q garp mrp stp llc snd_soc_hdmi_codec apr pdr_interface phy_qcom_edp fastrpc qcom_pd_mapper rpmsg_ctrl qrtr_smd rpmsg_char qcom_pdr_msg qcom_iris v4l2_mem2mem videobuf2_dma_contig ath11k_pci msm ubwc_config at24 ath11k videobuf2_memops mac80211 ocmem videobuf2_v4l2 libarc4 drm_gpuvm mhi qrtr videodev drm_exec snd_soc_sc8280xp gpu_sched videobuf2_common nvmem_qcom_spmi_sdam snd_soc_qcom_sdw drm_dp_aux_bus qcom_q6v5_pas qcom_spmi_temp_alarm snd_soc_qcom_common rtc_pm8xxx qcom_pon drm_display_helper cec qcom_pil_info qcom_stats soundwire_bus drm_client_lib mc dispcc0_sa8775p videocc_sa8775p qcom_q6v5 camcc_sa8775p snd_soc_dmic phy_qcom_sgmii_eth snd_soc_max98357a i2c_qcom_geni snd_soc_core dwmac_qcom_ethqos llcc_qcom icc_bwmon qcom_sysmon snd_compress qcom_refgen_regulator coresight_stm stmmac_platform snd_pcm_dmaengine qcom_common coresight_tmc stmmac coresight_replicator qcom_glink_smem coresight_cti stm_core
[ 48.177444] coresight_funnel snd_pcm ufs_qcom phy_qcom_qmp_usb gpi phy_qcom_snps_femto_v2 coresight phy_qcom_qmp_ufs qcom_wdt gpucc_sa8775p pcs_xpcs mdt_loader qcom_ice icc_osm_l3 qmi_helpers snd_timer snd soundcore display_connector qcom_rng nvmem_reboot_mode drm_kms_helper phy_qcom_qmp_pcie sha256 cfg80211 rfkill socinfo fuse drm backlight ipv6
[ 48.301059] CPU: 2 UID: 0 PID: 293 Comm: kworker/u32:2 Not tainted 6.19.0-rc6-dirty #10 PREEMPT
[ 48.310081] Hardware name: Qualcomm Technologies, Inc. Lemans EVK (DT)
[ 48.316782] Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]
[ 48.323672] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 48.330825] pc : mutex_lock+0xc/0x54
[ 48.334514] lr : soc_dapm_shutdown_dapm+0x44/0x174 [snd_soc_core]
[ 48.340794] sp : ffff800084ddb7b0
[ 48.344207] x29: ffff800084ddb7b0 x28: ffff00009cd9cf30 x27: ffff00009cd9cc00
[ 48.351544] x26: ffff000099610190 x25: ffffa31d2f19c810 x24: ffffa31d2f185098
[ 48.358869] x23: ffff800084ddb7f8 x22: 0000000000000000 x21: 00000000000000d0
[ 48.366198] x20: ffff00009ba6c338 x19: ffff00009ba6c338 x18: 00000000ffffffff
[ 48.373528] x17: 000000040044ffff x16: ffffa31d4ae6dca8 x15: 072007740775076f
[ 48.380853] x14: 0765076d07690774 x13: 00313a323a656369 x12: 767265733a637673
[ 48.388182] x11: 00000000000003f9 x10: ffffa31d4c7dea98 x9 : 0000000000000001
[ 48.395519] x8 : ffff00009a2aadc0 x7 : 0000000000000003 x6 : 0000000000000000
[ 48.402854] x5 : 0000000000000000 x4 : 0000000000000028 x3 : ffff000ef397a698
[ 48.410180] x2 : ffff00009a2aadc0 x1 : 0000000000000000 x0 : 00000000000000d0
[ 48.417506] Call trace:
[ 48.420025] mutex_lock+0xc/0x54 (P)
[ 48.423712] snd_soc_dapm_shutdown+0x44/0xbc [snd_soc_core]
[ 48.429447] soc_cleanup_card_resources+0x30/0x2c0 [snd_soc_core]
[ 48.435719] snd_soc_bind_card+0x4dc/0xcc0 [snd_soc_core]
[ 48.441278] snd_soc_add_component+0x27c/0x2c8 [snd_soc_core]
[ 48.447192] snd_soc_register_component+0x9c/0xf4 [snd_soc_core]
[ 48.453371] devm_snd_soc_register_component+0x64/0xc4 [snd_soc_core]
[ 48.459994] apm_probe+0xb4/0x110 [snd_q6apm]
[ 48.464479] apr_device_probe+0x24/0x40 [apr]
[ 48.468964] really_probe+0xbc/0x298
[ 48.472651] __driver_probe_device+0x78/0x12c
[ 48.477132] driver_probe_device+0x40/0x160
[ 48.481435] __device_attach_driver+0xb8/0x134
[ 48.486011] bus_for_each_drv+0x80/0xdc
[ 48.489964] __device_attach+0xa8/0x1b0
[ 48.493916] device_initial_probe+0x50/0x54
[ 48.498219] bus_probe_device+0x38/0xa0
[ 48.502170] device_add+0x590/0x760
[ 48.505761] device_register+0x20/0x30
[ 48.509623] of_register_apr_devices+0x1d8/0x318 [apr]
[ 48.514905] apr_pd_status+0x2c/0x54 [apr]
[ 48.519114] pdr_notifier_work+0x8c/0xe0 [pdr_interface]
[ 48.524570] process_one_work+0x150/0x294
[ 48.528692] worker_thread+0x2d8/0x3d8
[ 48.532551] kthread+0x130/0x204
[ 48.535874] ret_from_fork+0x10/0x20
[ 48.539559] Code: d65f03c0 d5384102 d503201f d2800001 (c8e17c02)
[ 48.545823] ---[ end trace 0000000000000000 ]---
Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support")
Cc: stable@vger.kernel.org
Signed-off-by: Ravi Hothi <ravi.hothi@oss.qualcomm.com>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260227144534.278568-1-ravi.hothi@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm-dai.c | 1 +
sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 1 +
sound/soc/qcom/qdsp6/q6apm.c | 1 +
3 files changed, 3 insertions(+)
--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
@@ -841,6 +841,7 @@ static const struct snd_soc_component_dr
.ack = q6apm_dai_ack,
.compress_ops = &q6apm_dai_compress_ops,
.use_dai_pcm_id = true,
+ .remove_order = SND_SOC_COMP_ORDER_EARLY,
};
static int q6apm_dai_probe(struct platform_device *pdev)
--- a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
+++ b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
@@ -272,6 +272,7 @@ static const struct snd_soc_component_dr
.of_xlate_dai_name = q6dsp_audio_ports_of_xlate_dai_name,
.be_pcm_base = AUDIOREACH_BE_PCM_BASE,
.use_dai_pcm_id = true,
+ .remove_order = SND_SOC_COMP_ORDER_FIRST,
};
static int q6apm_lpass_dai_dev_probe(struct platform_device *pdev)
--- a/sound/soc/qcom/qdsp6/q6apm.c
+++ b/sound/soc/qcom/qdsp6/q6apm.c
@@ -732,6 +732,7 @@ static const struct snd_soc_component_dr
.name = APM_AUDIO_DRV_NAME,
.probe = q6apm_audio_probe,
.remove = q6apm_audio_remove,
+ .remove_order = SND_SOC_COMP_ORDER_LAST,
};
static int apm_probe(gpr_device_t *gdev)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 229/481] time: add kernel-doc in time.c
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 228/481] ceph: fix i_nlink underrun during async unlink Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 230/481] time/jiffies: Mark jiffies_64_to_clock_t() notrace Greg Kroah-Hartman
` (86 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Randy Dunlap, John Stultz,
Thomas Gleixner, Stephen Boyd, Jonathan Corbet, linux-doc,
Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit 67b3f564cb1e769ef8e45835129a4866152fcfdb ]
Add kernel-doc for all APIs that do not already have it.
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: John Stultz <jstultz@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Stephen Boyd <sboyd@kernel.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: linux-doc@vger.kernel.org
Acked-by: John Stultz <jstultz@google.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Link: https://lore.kernel.org/r/20230704052405.5089-3-rdunlap@infradead.org
Stable-dep-of: 755a648e78f1 ("time/jiffies: Mark jiffies_64_to_clock_t() notrace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/time.c | 169 ++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 158 insertions(+), 11 deletions(-)
diff --git a/kernel/time/time.c b/kernel/time/time.c
index a92c7f3277ad6..be42ace51255c 100644
--- a/kernel/time/time.c
+++ b/kernel/time/time.c
@@ -365,11 +365,14 @@ SYSCALL_DEFINE1(adjtimex_time32, struct old_timex32 __user *, utp)
}
#endif
-/*
- * Convert jiffies to milliseconds and back.
+/**
+ * jiffies_to_msecs - Convert jiffies to milliseconds
+ * @j: jiffies value
*
* Avoid unnecessary multiplications/divisions in the
- * two most common HZ cases:
+ * two most common HZ cases.
+ *
+ * Return: milliseconds value
*/
unsigned int jiffies_to_msecs(const unsigned long j)
{
@@ -388,6 +391,12 @@ unsigned int jiffies_to_msecs(const unsigned long j)
}
EXPORT_SYMBOL(jiffies_to_msecs);
+/**
+ * jiffies_to_usecs - Convert jiffies to microseconds
+ * @j: jiffies value
+ *
+ * Return: microseconds value
+ */
unsigned int jiffies_to_usecs(const unsigned long j)
{
/*
@@ -408,8 +417,15 @@ unsigned int jiffies_to_usecs(const unsigned long j)
}
EXPORT_SYMBOL(jiffies_to_usecs);
-/*
+/**
* mktime64 - Converts date to seconds.
+ * @year0: year to convert
+ * @mon0: month to convert
+ * @day: day to convert
+ * @hour: hour to convert
+ * @min: minute to convert
+ * @sec: second to convert
+ *
* Converts Gregorian date to seconds since 1970-01-01 00:00:00.
* Assumes input in normal date format, i.e. 1980-12-31 23:59:59
* => year=1980, mon=12, day=31, hour=23, min=59, sec=59.
@@ -427,6 +443,8 @@ EXPORT_SYMBOL(jiffies_to_usecs);
*
* An encoding of midnight at the end of the day as 24:00:00 - ie. midnight
* tomorrow - (allowable under ISO 8601) is supported.
+ *
+ * Return: seconds since the epoch time for the given input date
*/
time64_t mktime64(const unsigned int year0, const unsigned int mon0,
const unsigned int day, const unsigned int hour,
@@ -471,8 +489,7 @@ EXPORT_SYMBOL(ns_to_kernel_old_timeval);
* Set seconds and nanoseconds field of a timespec variable and
* normalize to the timespec storage format
*
- * Note: The tv_nsec part is always in the range of
- * 0 <= tv_nsec < NSEC_PER_SEC
+ * Note: The tv_nsec part is always in the range of 0 <= tv_nsec < NSEC_PER_SEC.
* For negative values only the tv_sec field is negative !
*/
void set_normalized_timespec64(struct timespec64 *ts, time64_t sec, s64 nsec)
@@ -501,7 +518,7 @@ EXPORT_SYMBOL(set_normalized_timespec64);
* ns_to_timespec64 - Convert nanoseconds to timespec64
* @nsec: the nanoseconds value to be converted
*
- * Returns the timespec64 representation of the nsec parameter.
+ * Return: the timespec64 representation of the nsec parameter.
*/
struct timespec64 ns_to_timespec64(s64 nsec)
{
@@ -548,6 +565,8 @@ EXPORT_SYMBOL(ns_to_timespec64);
* runtime.
* the _msecs_to_jiffies helpers are the HZ dependent conversion
* routines found in include/linux/jiffies.h
+ *
+ * Return: jiffies value
*/
unsigned long __msecs_to_jiffies(const unsigned int m)
{
@@ -560,6 +579,12 @@ unsigned long __msecs_to_jiffies(const unsigned int m)
}
EXPORT_SYMBOL(__msecs_to_jiffies);
+/**
+ * __usecs_to_jiffies: - convert microseconds to jiffies
+ * @u: time in milliseconds
+ *
+ * Return: jiffies value
+ */
unsigned long __usecs_to_jiffies(const unsigned int u)
{
if (u > jiffies_to_usecs(MAX_JIFFY_OFFSET))
@@ -568,7 +593,10 @@ unsigned long __usecs_to_jiffies(const unsigned int u)
}
EXPORT_SYMBOL(__usecs_to_jiffies);
-/*
+/**
+ * timespec64_to_jiffies - convert a timespec64 value to jiffies
+ * @value: pointer to &struct timespec64
+ *
* The TICK_NSEC - 1 rounds up the value to the next resolution. Note
* that a remainder subtract here would not do the right thing as the
* resolution values don't fall on second boundaries. I.e. the line:
@@ -582,8 +610,9 @@ EXPORT_SYMBOL(__usecs_to_jiffies);
*
* The >> (NSEC_JIFFIE_SC - SEC_JIFFIE_SC) converts the scaled nsec
* value to a scaled second value.
+ *
+ * Return: jiffies value
*/
-
unsigned long
timespec64_to_jiffies(const struct timespec64 *value)
{
@@ -601,6 +630,11 @@ timespec64_to_jiffies(const struct timespec64 *value)
}
EXPORT_SYMBOL(timespec64_to_jiffies);
+/**
+ * jiffies_to_timespec64 - convert jiffies value to &struct timespec64
+ * @jiffies: jiffies value
+ * @value: pointer to &struct timespec64
+ */
void
jiffies_to_timespec64(const unsigned long jiffies, struct timespec64 *value)
{
@@ -618,6 +652,13 @@ EXPORT_SYMBOL(jiffies_to_timespec64);
/*
* Convert jiffies/jiffies_64 to clock_t and back.
*/
+
+/**
+ * jiffies_to_clock_t - Convert jiffies to clock_t
+ * @x: jiffies value
+ *
+ * Return: jiffies converted to clock_t (CLOCKS_PER_SEC)
+ */
clock_t jiffies_to_clock_t(unsigned long x)
{
#if (TICK_NSEC % (NSEC_PER_SEC / USER_HZ)) == 0
@@ -632,6 +673,12 @@ clock_t jiffies_to_clock_t(unsigned long x)
}
EXPORT_SYMBOL(jiffies_to_clock_t);
+/**
+ * clock_t_to_jiffies - Convert clock_t to jiffies
+ * @x: clock_t value
+ *
+ * Return: clock_t value converted to jiffies
+ */
unsigned long clock_t_to_jiffies(unsigned long x)
{
#if (HZ % USER_HZ)==0
@@ -649,6 +696,12 @@ unsigned long clock_t_to_jiffies(unsigned long x)
}
EXPORT_SYMBOL(clock_t_to_jiffies);
+/**
+ * jiffies_64_to_clock_t - Convert jiffies_64 to clock_t
+ * @x: jiffies_64 value
+ *
+ * Return: jiffies_64 value converted to 64-bit "clock_t" (CLOCKS_PER_SEC)
+ */
u64 jiffies_64_to_clock_t(u64 x)
{
#if (TICK_NSEC % (NSEC_PER_SEC / USER_HZ)) == 0
@@ -671,6 +724,12 @@ u64 jiffies_64_to_clock_t(u64 x)
}
EXPORT_SYMBOL(jiffies_64_to_clock_t);
+/**
+ * nsec_to_clock_t - Convert nsec value to clock_t
+ * @x: nsec value
+ *
+ * Return: nsec value converted to 64-bit "clock_t" (CLOCKS_PER_SEC)
+ */
u64 nsec_to_clock_t(u64 x)
{
#if (NSEC_PER_SEC % USER_HZ) == 0
@@ -687,6 +746,12 @@ u64 nsec_to_clock_t(u64 x)
#endif
}
+/**
+ * jiffies64_to_nsecs - Convert jiffies64 to nanoseconds
+ * @j: jiffies64 value
+ *
+ * Return: nanoseconds value
+ */
u64 jiffies64_to_nsecs(u64 j)
{
#if !(NSEC_PER_SEC % HZ)
@@ -697,6 +762,12 @@ u64 jiffies64_to_nsecs(u64 j)
}
EXPORT_SYMBOL(jiffies64_to_nsecs);
+/**
+ * jiffies64_to_msecs - Convert jiffies64 to milliseconds
+ * @j: jiffies64 value
+ *
+ * Return: milliseconds value
+ */
u64 jiffies64_to_msecs(const u64 j)
{
#if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
@@ -719,6 +790,8 @@ EXPORT_SYMBOL(jiffies64_to_msecs);
* note:
* NSEC_PER_SEC = 10^9 = (5^9 * 2^9) = (1953125 * 512)
* ULLONG_MAX ns = 18446744073.709551615 secs = about 584 years
+ *
+ * Return: nsecs converted to jiffies64 value
*/
u64 nsecs_to_jiffies64(u64 n)
{
@@ -750,6 +823,8 @@ EXPORT_SYMBOL(nsecs_to_jiffies64);
* note:
* NSEC_PER_SEC = 10^9 = (5^9 * 2^9) = (1953125 * 512)
* ULLONG_MAX ns = 18446744073.709551615 secs = about 584 years
+ *
+ * Return: nsecs converted to jiffies value
*/
unsigned long nsecs_to_jiffies(u64 n)
{
@@ -757,10 +832,16 @@ unsigned long nsecs_to_jiffies(u64 n)
}
EXPORT_SYMBOL_GPL(nsecs_to_jiffies);
-/*
- * Add two timespec64 values and do a safety check for overflow.
+/**
+ * timespec64_add_safe - Add two timespec64 values and do a safety check
+ * for overflow.
+ * @lhs: first (left) timespec64 to add
+ * @rhs: second (right) timespec64 to add
+ *
* It's assumed that both values are valid (>= 0).
* And, each timespec64 is in normalized form.
+ *
+ * Return: sum of @lhs + @rhs
*/
struct timespec64 timespec64_add_safe(const struct timespec64 lhs,
const struct timespec64 rhs)
@@ -778,6 +859,15 @@ struct timespec64 timespec64_add_safe(const struct timespec64 lhs,
return res;
}
+/**
+ * get_timespec64 - get user's time value into kernel space
+ * @ts: destination &struct timespec64
+ * @uts: user's time value as &struct __kernel_timespec
+ *
+ * Handles compat or 32-bit modes.
+ *
+ * Return: %0 on success or negative errno on error
+ */
int get_timespec64(struct timespec64 *ts,
const struct __kernel_timespec __user *uts)
{
@@ -801,6 +891,14 @@ int get_timespec64(struct timespec64 *ts,
}
EXPORT_SYMBOL_GPL(get_timespec64);
+/**
+ * put_timespec64 - convert timespec64 value to __kernel_timespec format and
+ * copy the latter to userspace
+ * @ts: input &struct timespec64
+ * @uts: user's &struct __kernel_timespec
+ *
+ * Return: %0 on success or negative errno on error
+ */
int put_timespec64(const struct timespec64 *ts,
struct __kernel_timespec __user *uts)
{
@@ -839,6 +937,15 @@ static int __put_old_timespec32(const struct timespec64 *ts64,
return copy_to_user(cts, &ts, sizeof(ts)) ? -EFAULT : 0;
}
+/**
+ * get_old_timespec32 - get user's old-format time value into kernel space
+ * @ts: destination &struct timespec64
+ * @uts: user's old-format time value (&struct old_timespec32)
+ *
+ * Handles X86_X32_ABI compatibility conversion.
+ *
+ * Return: %0 on success or negative errno on error
+ */
int get_old_timespec32(struct timespec64 *ts, const void __user *uts)
{
if (COMPAT_USE_64BIT_TIME)
@@ -848,6 +955,16 @@ int get_old_timespec32(struct timespec64 *ts, const void __user *uts)
}
EXPORT_SYMBOL_GPL(get_old_timespec32);
+/**
+ * put_old_timespec32 - convert timespec64 value to &struct old_timespec32 and
+ * copy the latter to userspace
+ * @ts: input &struct timespec64
+ * @uts: user's &struct old_timespec32
+ *
+ * Handles X86_X32_ABI compatibility conversion.
+ *
+ * Return: %0 on success or negative errno on error
+ */
int put_old_timespec32(const struct timespec64 *ts, void __user *uts)
{
if (COMPAT_USE_64BIT_TIME)
@@ -857,6 +974,13 @@ int put_old_timespec32(const struct timespec64 *ts, void __user *uts)
}
EXPORT_SYMBOL_GPL(put_old_timespec32);
+/**
+ * get_itimerspec64 - get user's &struct __kernel_itimerspec into kernel space
+ * @it: destination &struct itimerspec64
+ * @uit: user's &struct __kernel_itimerspec
+ *
+ * Return: %0 on success or negative errno on error
+ */
int get_itimerspec64(struct itimerspec64 *it,
const struct __kernel_itimerspec __user *uit)
{
@@ -872,6 +996,14 @@ int get_itimerspec64(struct itimerspec64 *it,
}
EXPORT_SYMBOL_GPL(get_itimerspec64);
+/**
+ * put_itimerspec64 - convert &struct itimerspec64 to __kernel_itimerspec format
+ * and copy the latter to userspace
+ * @it: input &struct itimerspec64
+ * @uit: user's &struct __kernel_itimerspec
+ *
+ * Return: %0 on success or negative errno on error
+ */
int put_itimerspec64(const struct itimerspec64 *it,
struct __kernel_itimerspec __user *uit)
{
@@ -887,6 +1019,13 @@ int put_itimerspec64(const struct itimerspec64 *it,
}
EXPORT_SYMBOL_GPL(put_itimerspec64);
+/**
+ * get_old_itimerspec32 - get user's &struct old_itimerspec32 into kernel space
+ * @its: destination &struct itimerspec64
+ * @uits: user's &struct old_itimerspec32
+ *
+ * Return: %0 on success or negative errno on error
+ */
int get_old_itimerspec32(struct itimerspec64 *its,
const struct old_itimerspec32 __user *uits)
{
@@ -898,6 +1037,14 @@ int get_old_itimerspec32(struct itimerspec64 *its,
}
EXPORT_SYMBOL_GPL(get_old_itimerspec32);
+/**
+ * put_old_itimerspec32 - convert &struct itimerspec64 to &struct
+ * old_itimerspec32 and copy the latter to userspace
+ * @its: input &struct itimerspec64
+ * @uits: user's &struct old_itimerspec32
+ *
+ * Return: %0 on success or negative errno on error
+ */
int put_old_itimerspec32(const struct itimerspec64 *its,
struct old_itimerspec32 __user *uits)
{
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 216/460] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 215/460] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 217/460] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor Greg Kroah-Hartman
` (86 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit b6d586431ae20d5157ee468d0ef62ad26798ef13 upstream.
The DMA dequeue path attempts to restart the ring after aborting an
in-flight transfer, but the current sequence is incomplete. The controller
must be brought out of the aborted state and the ring control registers
must be programmed in the correct order: first clearing ABORT, then
re-enabling the ring and asserting RUN_STOP to resume operation.
Add the missing controller resume step and update the ring control writes
so that the ring is restarted using the proper sequence.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-11-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/dma.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -500,7 +500,9 @@ static bool hci_dma_dequeue_xfer(struct
}
/* restart the ring */
+ mipi_i3c_hci_resume(hci);
rh_reg_write(RING_CONTROL, RING_CTRL_ENABLE);
+ rh_reg_write(RING_CONTROL, RING_CTRL_ENABLE | RING_CTRL_RUN_STOP);
return did_unqueue;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 292/567] tipc: fix divide-by-zero in tipc_sk_filter_connect()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 291/567] ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 293/567] kprobes: avoid crash when rmmod/insmod after ftrace killed Greg Kroah-Hartman
` (85 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mehul Rao, Tung Nguyen,
Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mehul Rao <mehulrao@gmail.com>
commit 6c5a9baa15de240e747263aba435a0951da8d8d2 upstream.
A user can set conn_timeout to any value via
setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a
SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in
tipc_sk_filter_connect() executes:
delay %= (tsk->conn_timeout / 4);
If conn_timeout is in the range [0, 3], the integer division yields 0,
and the modulo operation triggers a divide-by-zero exception, causing a
kernel oops/panic.
Fix this by clamping conn_timeout to a minimum of 4 at the point of use
in tipc_sk_filter_connect().
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362)
Call Trace:
tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406)
__release_sock (include/net/sock.h:1185 net/core/sock.c:3213)
release_sock (net/core/sock.c:3797)
tipc_connect (net/tipc/socket.c:2570)
__sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098)
Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket")
Cc: stable@vger.kernel.org
Signed-off-by: Mehul Rao <mehulrao@gmail.com>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Link: https://patch.msgid.link/20260310170730.28841-1-mehulrao@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tipc/socket.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2238,6 +2238,8 @@ static bool tipc_sk_filter_connect(struc
if (skb_queue_empty(&sk->sk_write_queue))
break;
get_random_bytes(&delay, 2);
+ if (tsk->conn_timeout < 4)
+ tsk->conn_timeout = 4;
delay %= (tsk->conn_timeout / 4);
delay = msecs_to_jiffies(delay + 100);
sk_reset_timer(sk, &sk->sk_timer, jiffies + delay);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 230/481] time/jiffies: Mark jiffies_64_to_clock_t() notrace
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 229/481] time: add kernel-doc in time.c Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 231/481] drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used Greg Kroah-Hartman
` (85 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steven Rostedt (Google),
Thomas Gleixner, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
[ Upstream commit 755a648e78f12574482d4698d877375793867fa1 ]
The trace_clock_jiffies() function that handles the "uptime" clock for
tracing calls jiffies_64_to_clock_t(). This causes the function tracer to
constantly recurse when the tracing clock is set to "uptime". Mark it
notrace to prevent unnecessary recursion when using the "uptime" clock.
Fixes: 58d4e21e50ff3 ("tracing: Fix wraparound problems in "uptime" trace clock")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260306212403.72270bb2@robin
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/time.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/time/time.c b/kernel/time/time.c
index be42ace51255c..170f1f8a0046c 100644
--- a/kernel/time/time.c
+++ b/kernel/time/time.c
@@ -702,7 +702,7 @@ EXPORT_SYMBOL(clock_t_to_jiffies);
*
* Return: jiffies_64 value converted to 64-bit "clock_t" (CLOCKS_PER_SEC)
*/
-u64 jiffies_64_to_clock_t(u64 x)
+notrace u64 jiffies_64_to_clock_t(u64 x)
{
#if (TICK_NSEC % (NSEC_PER_SEC / USER_HZ)) == 0
# if HZ < USER_HZ
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 217/460] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 216/460] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 218/460] drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD Greg Kroah-Hartman
` (85 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit ec3cfd835f7c4bbd23bc9ad909d2fdc772a578bb upstream.
The internal control command descriptor used for no-op commands includes a
Transaction ID (TID) field, but the no-op command constructed in
hci_dma_dequeue_xfer() omitted it. As a result, the hardware receives a
no-op descriptor without the expected TID.
This bug has gone unnoticed because the TID is currently not validated in
the no-op completion path, but the descriptor format requires it to be
present.
Add the missing TID field when generating a no-op descriptor so that its
layout matches the defined command structure.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-10-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/cmd.h | 1 +
drivers/i3c/master/mipi-i3c-hci/dma.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/i3c/master/mipi-i3c-hci/cmd.h
+++ b/drivers/i3c/master/mipi-i3c-hci/cmd.h
@@ -17,6 +17,7 @@
#define CMD_0_TOC W0_BIT_(31)
#define CMD_0_ROC W0_BIT_(30)
#define CMD_0_ATTR W0_MASK(2, 0)
+#define CMD_0_TID W0_MASK(6, 3)
/*
* Response Descriptor Structure
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -482,7 +482,7 @@ static bool hci_dma_dequeue_xfer(struct
u32 *ring_data = rh->xfer + rh->xfer_struct_sz * idx;
/* store no-op cmd descriptor */
- *ring_data++ = FIELD_PREP(CMD_0_ATTR, 0x7);
+ *ring_data++ = FIELD_PREP(CMD_0_ATTR, 0x7) | FIELD_PREP(CMD_0_TID, xfer->cmd_tid);
*ring_data++ = 0;
if (hci->cmd == &mipi_i3c_hci_cmd_v2) {
*ring_data++ = 0;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 293/567] kprobes: avoid crash when rmmod/insmod after ftrace killed
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 292/567] tipc: fix divide-by-zero in tipc_sk_filter_connect() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 294/567] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() Greg Kroah-Hartman
` (84 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Masami Hiramatsu (Google),
Steven Rostedt (Google)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
commit e113f0b46d19626ec15388bcb91432c9a4fd6261 upstream.
After we hit ftrace is killed by some errors, the kernel crash if
we remove modules in which kprobe probes.
BUG: unable to handle page fault for address: fffffbfff805000d
PGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN PTI
CPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OE
Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
RIP: 0010:kprobes_module_callback+0x89/0x790
RSP: 0018:ffff88812e157d30 EFLAGS: 00010a02
RAX: 1ffffffff805000d RBX: dffffc0000000000 RCX: ffffffff86a8de90
RDX: ffffed1025c2af9b RSI: 0000000000000008 RDI: ffffffffc0280068
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed1025c2af9a
R10: ffff88812e157cd7 R11: 205d323130325420 R12: 0000000000000002
R13: ffffffffc0290488 R14: 0000000000000002 R15: ffffffffc0280040
FS: 00007fbc450dd740(0000) GS:ffff888420331000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff805000d CR3: 000000010f624000 CR4: 00000000000006f0
Call Trace:
<TASK>
notifier_call_chain+0xc6/0x280
blocking_notifier_call_chain+0x60/0x90
__do_sys_delete_module.constprop.0+0x32a/0x4e0
do_syscall_64+0x5d/0xfa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
This is because the kprobe on ftrace does not correctly handles
the kprobe_ftrace_disabled flag set by ftrace_kill().
To prevent this error, check kprobe_ftrace_disabled in
__disarm_kprobe_ftrace() and skip all ftrace related operations.
Link: https://lore.kernel.org/all/176473947565.1727781.13110060700668331950.stgit@mhiramat.tok.corp.google.com/
Reported-by: Ye Bin <yebin10@huawei.com>
Closes: https://lore.kernel.org/all/20251125020536.2484381-1-yebin@huaweicloud.com/
Fixes: ae6aa16fdc16 ("kprobes: introduce ftrace based optimization")
Cc: stable@vger.kernel.org
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/kprobes.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1114,6 +1114,10 @@ static int __disarm_kprobe_ftrace(struct
int ret;
lockdep_assert_held(&kprobe_mutex);
+ if (unlikely(kprobe_ftrace_disabled)) {
+ /* Now ftrace is disabled forever, disarm is already done. */
+ return 0;
+ }
if (*cnt == 1) {
ret = unregister_ftrace_function(ops);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 231/481] drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 230/481] time/jiffies: Mark jiffies_64_to_clock_t() notrace Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 232/481] device property: Allow secondary lookup in fwnode_get_next_child_node() Greg Kroah-Hartman
` (84 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Franz Schnyder, Douglas Anderson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Franz Schnyder <franz.schnyder@toradex.com>
commit 0b87d51690dd5131cbe9fbd23746b037aab89815 upstream.
Fallback to polling to detect hotplug events on systems without
interrupts.
On systems where the interrupt line of the bridge is not connected,
the bridge cannot notify hotplug events. Only add the
DRM_BRIDGE_OP_HPD flag if an interrupt has been registered
otherwise remain in polling mode.
Fixes: 55e8ff842051 ("drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type")
Cc: stable@vger.kernel.org # 6.16: 9133bc3f0564: drm/bridge: ti-sn65dsi86: Add
Signed-off-by: Franz Schnyder <franz.schnyder@toradex.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
[dianders: Adjusted Fixes/stable line based on discussion]
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patch.msgid.link/20260206123758.374555-1-fra.schnyder@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
@@ -1307,6 +1307,7 @@ static int ti_sn_bridge_probe(struct aux
{
struct ti_sn65dsi86 *pdata = dev_get_drvdata(adev->dev.parent);
struct device_node *np = pdata->dev->of_node;
+ const struct i2c_client *client = to_i2c_client(pdata->dev);
int ret;
pdata->next_bridge = devm_drm_of_get_bridge(&adev->dev, np, 1, 0);
@@ -1326,8 +1327,9 @@ static int ti_sn_bridge_probe(struct aux
? DRM_MODE_CONNECTOR_DisplayPort : DRM_MODE_CONNECTOR_eDP;
if (pdata->bridge.type == DRM_MODE_CONNECTOR_DisplayPort) {
- pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT |
- DRM_BRIDGE_OP_HPD;
+ pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT;
+ if (client->irq)
+ pdata->bridge.ops |= DRM_BRIDGE_OP_HPD;
/*
* If comms were already enabled they would have been enabled
* with the wrong value of HPD_DISABLE. Update it now. Comms
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 218/460] drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 217/460] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 219/460] net/tcp-md5: Fix MAC comparison to be constant-time Greg Kroah-Hartman
` (84 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John Ripple, Douglas Anderson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Ripple <john.ripple@keysight.com>
commit 9133bc3f0564890218cbba6cc7e81ebc0841a6f1 upstream.
Add support for DisplayPort to the bridge, which entails the following:
- Get and use an interrupt for HPD;
- Properly clear all status bits in the interrupt handler;
Signed-off-by: John Ripple <john.ripple@keysight.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://lore.kernel.org/r/20250915174543.2564994-1-john.ripple@keysight.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 112 ++++++++++++++++++++++++++++++++++
1 file changed, 112 insertions(+)
--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
@@ -106,10 +106,21 @@
#define SN_PWM_EN_INV_REG 0xA5
#define SN_PWM_INV_MASK BIT(0)
#define SN_PWM_EN_MASK BIT(1)
+
+#define SN_IRQ_EN_REG 0xE0
+#define IRQ_EN BIT(0)
+
+#define SN_IRQ_EVENTS_EN_REG 0xE6
+#define HPD_INSERTION_EN BIT(1)
+#define HPD_REMOVAL_EN BIT(2)
+
#define SN_AUX_CMD_STATUS_REG 0xF4
#define AUX_IRQ_STATUS_AUX_RPLY_TOUT BIT(3)
#define AUX_IRQ_STATUS_AUX_SHORT BIT(5)
#define AUX_IRQ_STATUS_NAT_I2C_FAIL BIT(6)
+#define SN_IRQ_STATUS_REG 0xF5
+#define HPD_REMOVAL_STATUS BIT(2)
+#define HPD_INSERTION_STATUS BIT(1)
#define MIN_DSI_CLK_FREQ_MHZ 40
@@ -152,7 +163,9 @@
* @ln_assign: Value to program to the LN_ASSIGN register.
* @ln_polrs: Value for the 4-bit LN_POLRS field of SN_ENH_FRAME_REG.
* @comms_enabled: If true then communication over the aux channel is enabled.
+ * @hpd_enabled: If true then HPD events are enabled.
* @comms_mutex: Protects modification of comms_enabled.
+ * @hpd_mutex: Protects modification of hpd_enabled.
*
* @gchip: If we expose our GPIOs, this is used.
* @gchip_output: A cache of whether we've set GPIOs to output. This
@@ -190,7 +203,9 @@ struct ti_sn65dsi86 {
u8 ln_assign;
u8 ln_polrs;
bool comms_enabled;
+ bool hpd_enabled;
struct mutex comms_mutex;
+ struct mutex hpd_mutex;
#if defined(CONFIG_OF_GPIO)
struct gpio_chip gchip;
@@ -221,6 +236,23 @@ static const struct regmap_config ti_sn6
.max_register = 0xFF,
};
+static int ti_sn65dsi86_read_u8(struct ti_sn65dsi86 *pdata, unsigned int reg,
+ u8 *val)
+{
+ int ret;
+ unsigned int reg_val;
+
+ ret = regmap_read(pdata->regmap, reg, ®_val);
+ if (ret) {
+ dev_err(pdata->dev, "fail to read raw reg %#x: %d\n",
+ reg, ret);
+ return ret;
+ }
+ *val = (u8)reg_val;
+
+ return 0;
+}
+
static int __maybe_unused ti_sn65dsi86_read_u16(struct ti_sn65dsi86 *pdata,
unsigned int reg, u16 *val)
{
@@ -362,6 +394,7 @@ static void ti_sn65dsi86_disable_comms(s
static int __maybe_unused ti_sn65dsi86_resume(struct device *dev)
{
struct ti_sn65dsi86 *pdata = dev_get_drvdata(dev);
+ const struct i2c_client *client = to_i2c_client(pdata->dev);
int ret;
ret = regulator_bulk_enable(SN_REGULATOR_SUPPLY_NUM, pdata->supplies);
@@ -396,6 +429,13 @@ static int __maybe_unused ti_sn65dsi86_r
if (pdata->refclk)
ti_sn65dsi86_enable_comms(pdata);
+ if (client->irq) {
+ ret = regmap_update_bits(pdata->regmap, SN_IRQ_EN_REG, IRQ_EN,
+ IRQ_EN);
+ if (ret)
+ dev_err(pdata->dev, "Failed to enable IRQ events: %d\n", ret);
+ }
+
return ret;
}
@@ -1223,6 +1263,8 @@ static void ti_sn65dsi86_debugfs_init(st
static void ti_sn_bridge_hpd_enable(struct drm_bridge *bridge)
{
struct ti_sn65dsi86 *pdata = bridge_to_ti_sn65dsi86(bridge);
+ const struct i2c_client *client = to_i2c_client(pdata->dev);
+ int ret;
/*
* Device needs to be powered on before reading the HPD state
@@ -1231,11 +1273,35 @@ static void ti_sn_bridge_hpd_enable(stru
*/
pm_runtime_get_sync(pdata->dev);
+
+ mutex_lock(&pdata->hpd_mutex);
+ pdata->hpd_enabled = true;
+ mutex_unlock(&pdata->hpd_mutex);
+
+ if (client->irq) {
+ ret = regmap_set_bits(pdata->regmap, SN_IRQ_EVENTS_EN_REG,
+ HPD_REMOVAL_EN | HPD_INSERTION_EN);
+ if (ret)
+ dev_err(pdata->dev, "Failed to enable HPD events: %d\n", ret);
+ }
}
static void ti_sn_bridge_hpd_disable(struct drm_bridge *bridge)
{
struct ti_sn65dsi86 *pdata = bridge_to_ti_sn65dsi86(bridge);
+ const struct i2c_client *client = to_i2c_client(pdata->dev);
+ int ret;
+
+ if (client->irq) {
+ ret = regmap_clear_bits(pdata->regmap, SN_IRQ_EVENTS_EN_REG,
+ HPD_REMOVAL_EN | HPD_INSERTION_EN);
+ if (ret)
+ dev_err(pdata->dev, "Failed to disable HPD events: %d\n", ret);
+ }
+
+ mutex_lock(&pdata->hpd_mutex);
+ pdata->hpd_enabled = false;
+ mutex_unlock(&pdata->hpd_mutex);
pm_runtime_put_autosuspend(pdata->dev);
}
@@ -1321,6 +1387,41 @@ static int ti_sn_bridge_parse_dsi_host(s
return 0;
}
+static irqreturn_t ti_sn_bridge_interrupt(int irq, void *private)
+{
+ struct ti_sn65dsi86 *pdata = private;
+ struct drm_device *dev = pdata->bridge.dev;
+ u8 status;
+ int ret;
+ bool hpd_event;
+
+ ret = ti_sn65dsi86_read_u8(pdata, SN_IRQ_STATUS_REG, &status);
+ if (ret) {
+ dev_err(pdata->dev, "Failed to read IRQ status: %d\n", ret);
+ return IRQ_NONE;
+ }
+
+ hpd_event = status & (HPD_REMOVAL_STATUS | HPD_INSERTION_STATUS);
+
+ dev_dbg(pdata->dev, "(SN_IRQ_STATUS_REG = %#x)\n", status);
+ if (!status)
+ return IRQ_NONE;
+
+ ret = regmap_write(pdata->regmap, SN_IRQ_STATUS_REG, status);
+ if (ret) {
+ dev_err(pdata->dev, "Failed to clear IRQ status: %d\n", ret);
+ return IRQ_NONE;
+ }
+
+ /* Only send the HPD event if we are bound with a device. */
+ mutex_lock(&pdata->hpd_mutex);
+ if (pdata->hpd_enabled && hpd_event)
+ drm_kms_helper_hotplug_event(dev);
+ mutex_unlock(&pdata->hpd_mutex);
+
+ return IRQ_HANDLED;
+}
+
static int ti_sn_bridge_probe(struct auxiliary_device *adev,
const struct auxiliary_device_id *id)
{
@@ -1954,6 +2055,7 @@ static int ti_sn65dsi86_probe(struct i2c
dev_set_drvdata(dev, pdata);
pdata->dev = dev;
+ mutex_init(&pdata->hpd_mutex);
mutex_init(&pdata->comms_mutex);
pdata->regmap = devm_regmap_init_i2c(client,
@@ -1984,6 +2086,16 @@ static int ti_sn65dsi86_probe(struct i2c
if (ret)
return ret;
+ if (client->irq) {
+ ret = devm_request_threaded_irq(pdata->dev, client->irq, NULL,
+ ti_sn_bridge_interrupt,
+ IRQF_ONESHOT,
+ dev_name(pdata->dev), pdata);
+
+ if (ret)
+ return dev_err_probe(dev, ret, "failed to request interrupt\n");
+ }
+
/*
* Break ourselves up into a collection of aux devices. The only real
* motiviation here is to solve the chicken-and-egg problem of probe
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 294/567] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 293/567] kprobes: avoid crash when rmmod/insmod after ftrace killed Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 295/567] libceph: reject preamble if control segment is empty Greg Kroah-Hartman
` (83 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Viacheslav Dubeyko,
Ilya Dryomov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit b282c43ed156ae15ea76748fc15cd5c39dc9ab72 upstream.
This patch fixes an out-of-bounds access in ceph_handle_auth_reply()
that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In
ceph_handle_auth_reply(), the value of the payload_len field of such a
message is stored in a variable of type int. A value greater than
INT_MAX leads to an integer overflow and is interpreted as a negative
value. This leads to decrementing the pointer address by this value and
subsequently accessing it because ceph_decode_need() only checks that
the memory access does not exceed the end address of the allocation.
This patch fixes the issue by changing the data type of payload_len to
u32. Additionally, the data type of result_msg_len is changed to u32,
as it is also a variable holding a non-negative length.
Also, an additional layer of sanity checks is introduced, ensuring that
directly after reading it from the message, payload_len and
result_msg_len are not greater than the overall segment length.
BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]
Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262
CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: ceph-msgr ceph_con_workfn [libceph]
Call Trace:
<TASK>
dump_stack_lvl+0x76/0xa0
print_report+0xd1/0x620
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? kasan_complete_mode_report_info+0x72/0x210
kasan_report+0xe7/0x130
? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
__asan_report_load_n_noabort+0xf/0x20
ceph_handle_auth_reply+0x642/0x7a0 [libceph]
mon_dispatch+0x973/0x23d0 [libceph]
? apparmor_socket_recvmsg+0x6b/0xa0
? __pfx_mon_dispatch+0x10/0x10 [libceph]
? __kasan_check_write+0x14/0x30i
? mutex_unlock+0x7f/0xd0
? __pfx_mutex_unlock+0x10/0x10
? __pfx_do_recvmsg+0x10/0x10 [libceph]
ceph_con_process_message+0x1f1/0x650 [libceph]
process_message+0x1e/0x450 [libceph]
ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]
? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]
? save_fpregs_to_fpstate+0xb0/0x230
? raw_spin_rq_unlock+0x17/0xa0
? finish_task_switch.isra.0+0x13b/0x760
? __switch_to+0x385/0xda0
? __kasan_check_write+0x14/0x30
? mutex_lock+0x8d/0xe0
? __pfx_mutex_lock+0x10/0x10
ceph_con_workfn+0x248/0x10c0 [libceph]
process_one_work+0x629/0xf80
? __kasan_check_write+0x14/0x30
worker_thread+0x87f/0x1570
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? __pfx_try_to_wake_up+0x10/0x10
? kasan_print_address_stack_frame+0x1f7/0x280
? __pfx_worker_thread+0x10/0x10
kthread+0x396/0x830
? __pfx__raw_spin_lock_irq+0x10/0x10
? __pfx_kthread+0x10/0x10
? __kasan_check_write+0x14/0x30
? recalc_sigpending+0x180/0x210
? __pfx_kthread+0x10/0x10
ret_from_fork+0x3f7/0x610
? __pfx_ret_from_fork+0x10/0x10
? __switch_to+0x385/0xda0
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
[ idryomov: replace if statements with ceph_decode_need() for
payload_len and result_msg_len ]
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/auth.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/ceph/auth.c
+++ b/net/ceph/auth.c
@@ -205,9 +205,9 @@ int ceph_handle_auth_reply(struct ceph_a
s32 result;
u64 global_id;
void *payload, *payload_end;
- int payload_len;
+ u32 payload_len;
char *result_msg;
- int result_msg_len;
+ u32 result_msg_len;
int ret = -EINVAL;
mutex_lock(&ac->mutex);
@@ -217,10 +217,12 @@ int ceph_handle_auth_reply(struct ceph_a
result = ceph_decode_32(&p);
global_id = ceph_decode_64(&p);
payload_len = ceph_decode_32(&p);
+ ceph_decode_need(&p, end, payload_len, bad);
payload = p;
p += payload_len;
ceph_decode_need(&p, end, sizeof(u32), bad);
result_msg_len = ceph_decode_32(&p);
+ ceph_decode_need(&p, end, result_msg_len, bad);
result_msg = p;
p += result_msg_len;
if (p != end)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 232/481] device property: Allow secondary lookup in fwnode_get_next_child_node()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 231/481] drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 233/481] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports Greg Kroah-Hartman
` (83 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko,
Rafael J. Wysocki (Intel), Sakari Ailus, Danilo Krummrich
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit 2692c614f8f05929d692b3dbfd3faef1f00fbaf0 upstream.
When device_get_child_node_count() got split to the fwnode and device
respective APIs, the fwnode didn't inherit the ability to traverse over
the secondary fwnode. Hence any user, that switches from device to fwnode
API misses this feature. In particular, this was revealed by the commit
1490cbb9dbfd ("device property: Split fwnode_get_child_node_count()")
that effectively broke the GPIO enumeration on Intel Galileo boards.
Fix this by moving the secondary lookup from device to fwnode API.
Note, in general no device_*() API should go into the depth of the fwnode
implementation.
Fixes: 114dbb4fa7c4 ("drivers property: When no children in primary, try secondary")
Cc: stable@vger.kernel.org
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Link: https://patch.msgid.link/20260210135822.47335-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/property.c | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
--- a/drivers/base/property.c
+++ b/drivers/base/property.c
@@ -749,7 +749,18 @@ struct fwnode_handle *
fwnode_get_next_child_node(const struct fwnode_handle *fwnode,
struct fwnode_handle *child)
{
- return fwnode_call_ptr_op(fwnode, get_next_child_node, child);
+ struct fwnode_handle *next;
+
+ if (IS_ERR_OR_NULL(fwnode))
+ return NULL;
+
+ /* Try to find a child in primary fwnode */
+ next = fwnode_call_ptr_op(fwnode, get_next_child_node, child);
+ if (next)
+ return next;
+
+ /* When no more children in primary, continue with secondary */
+ return fwnode_call_ptr_op(fwnode->secondary, get_next_child_node, child);
}
EXPORT_SYMBOL_GPL(fwnode_get_next_child_node);
@@ -793,19 +804,7 @@ EXPORT_SYMBOL_GPL(fwnode_get_next_availa
struct fwnode_handle *device_get_next_child_node(const struct device *dev,
struct fwnode_handle *child)
{
- const struct fwnode_handle *fwnode = dev_fwnode(dev);
- struct fwnode_handle *next;
-
- if (IS_ERR_OR_NULL(fwnode))
- return NULL;
-
- /* Try to find a child in primary fwnode */
- next = fwnode_get_next_child_node(fwnode, child);
- if (next)
- return next;
-
- /* When no more children in primary, continue with secondary */
- return fwnode_get_next_child_node(fwnode->secondary, child);
+ return fwnode_get_next_child_node(dev_fwnode(dev), child);
}
EXPORT_SYMBOL_GPL(device_get_next_child_node);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 219/460] net/tcp-md5: Fix MAC comparison to be constant-time
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 218/460] drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 220/460] ksmbd: Compare MACs in constant time Greg Kroah-Hartman
` (83 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 46d0d6f50dab706637f4c18a470aac20a21900d3 upstream.
To prevent timing attacks, MACs need to be compared in constant
time. Use the appropriate helper function for this.
Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
Fixes: 658ddaaf6694 ("tcp: md5: RST: getting md5 key from listener")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Link: https://patch.msgid.link/20260302203409.13388-1-ebiggers@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp.c | 3 ++-
net/ipv4/tcp_ipv4.c | 3 ++-
net/ipv6/tcp_ipv6.c | 3 ++-
3 files changed, 6 insertions(+), 3 deletions(-)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -244,6 +244,7 @@
#define pr_fmt(fmt) "TCP: " fmt
#include <crypto/hash.h>
+#include <crypto/utils.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/types.h>
@@ -4783,7 +4784,7 @@ tcp_inbound_md5_hash(const struct sock *
else
genhash = tp->af_specific->calc_md5_hash(newhash, key,
NULL, skb);
- if (genhash || memcmp(hash_location, newhash, 16) != 0) {
+ if (genhash || crypto_memneq(hash_location, newhash, 16)) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE);
trace_tcp_hash_md5_mismatch(sk, skb);
return SKB_DROP_REASON_TCP_MD5FAILURE;
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -82,6 +82,7 @@
#include <linux/skbuff_ref.h>
#include <crypto/hash.h>
+#include <crypto/utils.h>
#include <linux/scatterlist.h>
#include <trace/events/tcp.h>
@@ -839,7 +840,7 @@ static void tcp_v4_send_reset(const stru
genhash = tcp_v4_md5_hash_skb(newhash, key, NULL, skb);
- if (genhash || memcmp(md5_hash_location, newhash, 16) != 0)
+ if (genhash || crypto_memneq(md5_hash_location, newhash, 16))
goto out;
}
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -66,6 +66,7 @@
#include <linux/seq_file.h>
#include <crypto/hash.h>
+#include <crypto/utils.h>
#include <linux/scatterlist.h>
#include <trace/events/tcp.h>
@@ -1084,7 +1085,7 @@ static void tcp_v6_send_reset(const stru
key.type = TCP_KEY_MD5;
genhash = tcp_v6_md5_hash_skb(newhash, key.md5_key, NULL, skb);
- if (genhash || memcmp(md5_hash_location, newhash, 16) != 0)
+ if (genhash || crypto_memneq(md5_hash_location, newhash, 16))
goto out;
}
#endif
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 295/567] libceph: reject preamble if control segment is empty
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 294/567] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 296/567] libceph: prevent potential out-of-bounds reads in process_message_header() Greg Kroah-Hartman
` (82 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ilya Dryomov, Alex Markuze
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit c4c22b846eceff05b1129b8844a80310e55a7f87 upstream.
While head_onwire_len() has a branch to handle ctrl_len == 0 case,
prepare_read_control() always sets up a kvec for the CRC meaning that
a non-empty control segment is effectively assumed. All frames that
clients deal with meet that assumption, so let's make it official and
treat the preamble with an empty control segment as malformed.
Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/messenger_v2.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -392,7 +392,7 @@ static int head_onwire_len(int ctrl_len,
int head_len;
int rem_len;
- BUG_ON(ctrl_len < 0 || ctrl_len > CEPH_MSG_MAX_CONTROL_LEN);
+ BUG_ON(ctrl_len < 1 || ctrl_len > CEPH_MSG_MAX_CONTROL_LEN);
if (secure) {
head_len = CEPH_PREAMBLE_SECURE_LEN;
@@ -401,9 +401,7 @@ static int head_onwire_len(int ctrl_len,
head_len += padded_len(rem_len) + CEPH_GCM_TAG_LEN;
}
} else {
- head_len = CEPH_PREAMBLE_PLAIN_LEN;
- if (ctrl_len)
- head_len += ctrl_len + CEPH_CRC_LEN;
+ head_len = CEPH_PREAMBLE_PLAIN_LEN + ctrl_len + CEPH_CRC_LEN;
}
return head_len;
}
@@ -528,11 +526,16 @@ static int decode_preamble(void *p, stru
desc->fd_aligns[i] = ceph_decode_16(&p);
}
- if (desc->fd_lens[0] < 0 ||
+ /*
+ * This would fire for FRAME_TAG_WAIT (it has one empty
+ * segment), but we should never get it as client.
+ */
+ if (desc->fd_lens[0] < 1 ||
desc->fd_lens[0] > CEPH_MSG_MAX_CONTROL_LEN) {
pr_err("bad control segment length %d\n", desc->fd_lens[0]);
return -EINVAL;
}
+
if (desc->fd_lens[1] < 0 ||
desc->fd_lens[1] > CEPH_MSG_MAX_FRONT_LEN) {
pr_err("bad front segment length %d\n", desc->fd_lens[1]);
@@ -549,10 +552,6 @@ static int decode_preamble(void *p, stru
return -EINVAL;
}
- /*
- * This would fire for FRAME_TAG_WAIT (it has one empty
- * segment), but we should never get it as client.
- */
if (!desc->fd_lens[desc->fd_seg_cnt - 1]) {
pr_err("last segment empty, segment count %d\n",
desc->fd_seg_cnt);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 233/481] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 232/481] device property: Allow secondary lookup in fwnode_get_next_child_node() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 234/481] ixgbevf: fix link setup issue Greg Kroah-Hartman
` (82 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc Zyngier, Thomas Gleixner,
Robin Murphy, Zenghui Yu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit ce9e40a9a5e5cff0b1b0d2fa582b3d71a8ce68e8 upstream.
The ITS driver blindly assumes that EventIDs are in abundant supply, to the
point where it never checks how many the hardware actually supports.
It turns out that some pretty esoteric integrations make it so that only a
few bits are available, all the way down to a single bit.
Enforce the advertised limitation at the point of allocating the device
structure, and hope that the endpoint driver can deal with such limitation.
Fixes: 84a6a2e7fc18d ("irqchip: GICv3: ITS: device allocation and configuration")
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Zenghui Yu <zenghui.yu@linux.dev>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260206154816.3582887-1-maz@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-gic-v3-its.c | 4 ++++
include/linux/irqchip/arm-gic-v3.h | 1 +
2 files changed, 5 insertions(+)
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -3382,6 +3382,7 @@ static struct its_device *its_create_dev
int lpi_base;
int nr_lpis;
int nr_ites;
+ int id_bits;
int sz;
if (!its_alloc_device_table(its, dev_id))
@@ -3394,7 +3395,10 @@ static struct its_device *its_create_dev
/*
* Even if the device wants a single LPI, the ITT must be
* sized as a power of two (and you need at least one bit...).
+ * Also honor the ITS's own EID limit.
*/
+ id_bits = FIELD_GET(GITS_TYPER_IDBITS, its->typer) + 1;
+ nvecs = min_t(unsigned int, nvecs, BIT(id_bits));
nr_ites = max(2, nvecs);
sz = nr_ites * (FIELD_GET(GITS_TYPER_ITT_ENTRY_SIZE, its->typer) + 1);
sz = max(sz, ITS_ITT_ALIGN) + ITS_ITT_ALIGN - 1;
--- a/include/linux/irqchip/arm-gic-v3.h
+++ b/include/linux/irqchip/arm-gic-v3.h
@@ -394,6 +394,7 @@
#define GITS_TYPER_VLPIS (1UL << 1)
#define GITS_TYPER_ITT_ENTRY_SIZE_SHIFT 4
#define GITS_TYPER_ITT_ENTRY_SIZE GENMASK_ULL(7, 4)
+#define GITS_TYPER_IDBITS GENMASK_ULL(12, 8)
#define GITS_TYPER_IDBITS_SHIFT 8
#define GITS_TYPER_DEVBITS_SHIFT 13
#define GITS_TYPER_DEVBITS GENMASK_ULL(17, 13)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 220/460] ksmbd: Compare MACs in constant time
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 219/460] net/tcp-md5: Fix MAC comparison to be constant-time Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 221/460] smb: client: " Greg Kroah-Hartman
` (82 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Namjae Jeon,
Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit c5794709bc9105935dbedef8b9cf9c06f2b559fa upstream.
To prevent timing attacks, MAC comparisons need to be constant-time.
Replace the memcmp() with the correct function, crypto_memneq().
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/Kconfig | 1 +
fs/smb/server/auth.c | 4 +++-
fs/smb/server/smb2pdu.c | 5 +++--
3 files changed, 7 insertions(+), 3 deletions(-)
--- a/fs/smb/server/Kconfig
+++ b/fs/smb/server/Kconfig
@@ -11,6 +11,7 @@ config SMB_SERVER
select CRYPTO_HMAC
select CRYPTO_ECB
select CRYPTO_LIB_DES
+ select CRYPTO_LIB_UTILS
select CRYPTO_SHA256
select CRYPTO_CMAC
select CRYPTO_SHA512
--- a/fs/smb/server/auth.c
+++ b/fs/smb/server/auth.c
@@ -13,6 +13,7 @@
#include <linux/xattr.h>
#include <crypto/hash.h>
#include <crypto/aead.h>
+#include <crypto/utils.h>
#include <linux/random.h>
#include <linux/scatterlist.h>
@@ -283,7 +284,8 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn
goto out;
}
- if (memcmp(ntlmv2->ntlmv2_hash, ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE) != 0)
+ if (crypto_memneq(ntlmv2->ntlmv2_hash, ntlmv2_rsp,
+ CIFS_HMAC_MD5_HASH_SIZE))
rc = -EINVAL;
out:
if (ctx)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -4,6 +4,7 @@
* Copyright (C) 2018 Samsung Electronics Co., Ltd.
*/
+#include <crypto/utils.h>
#include <linux/inetdevice.h>
#include <net/addrconf.h>
#include <linux/syscalls.h>
@@ -8825,7 +8826,7 @@ int smb2_check_sign_req(struct ksmbd_wor
signature))
return 0;
- if (memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
+ if (crypto_memneq(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
pr_err("bad smb2 signature\n");
return 0;
}
@@ -8913,7 +8914,7 @@ int smb3_check_sign_req(struct ksmbd_wor
if (ksmbd_sign_smb3_pdu(conn, signing_key, iov, 1, signature))
return 0;
- if (memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
+ if (crypto_memneq(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
pr_err("bad smb2 signature\n");
return 0;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 296/567] libceph: prevent potential out-of-bounds reads in process_message_header()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 295/567] libceph: reject preamble if control segment is empty Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 297/567] libceph: Use u32 for non-negative values in ceph_monmap_decode() Greg Kroah-Hartman
` (81 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov,
Alex Markuze, Viacheslav Dubeyko
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit 69fb5d91bba44ecf7eb80530b85fa4fb028921d5 upstream.
If the message frame is (maliciously) corrupted in a way that the
length of the control segment ends up being less than the size of the
message header or a different frame is made to look like a message
frame, out-of-bounds reads may ensue in process_message_header().
Perform an explicit bounds check before decoding the message header.
Cc: stable@vger.kernel.org
Reported-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/messenger_v2.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -2868,12 +2868,15 @@ static int process_message_header(struct
void *p, void *end)
{
struct ceph_frame_desc *desc = &con->v2.in_desc;
- struct ceph_msg_header2 *hdr2 = p;
+ struct ceph_msg_header2 *hdr2;
struct ceph_msg_header hdr;
int skip;
int ret;
u64 seq;
+ ceph_decode_need(&p, end, sizeof(*hdr2), bad);
+ hdr2 = p;
+
/* verify seq# */
seq = le64_to_cpu(hdr2->seq);
if ((s64)seq - (s64)con->in_seq < 1) {
@@ -2904,6 +2907,10 @@ static int process_message_header(struct
WARN_ON(!con->in_msg);
WARN_ON(con->in_msg->con != con);
return 1;
+
+bad:
+ pr_err("failed to decode message header\n");
+ return -EINVAL;
}
static int process_message(struct ceph_connection *con)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 234/481] ixgbevf: fix link setup issue
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 233/481] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 235/481] staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Greg Kroah-Hartman
` (81 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov,
Piotr Kwapulinski, Paul Menzel, Jedrzej Jagielski,
Rafal Romanowski, Tony Nguyen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
commit feae40a6a178bb525a15f19288016e5778102a99 upstream.
It may happen that VF spawned for E610 adapter has problem with setting
link up. This happens when ixgbevf supporting mailbox API 1.6 cooperates
with PF driver which doesn't support this version of API, and hence
doesn't support new approach for getting PF link data.
In that case VF asks PF to provide link data but as PF doesn't support
it, returns -EOPNOTSUPP what leads to early bail from link configuration
sequence.
Avoid such situation by using legacy VFLINKS approach whenever negotiated
API version is less than 1.6.
To reproduce the issue just create VF and set its link up - adapter must
be any from the E610 family, ixgbevf must support API 1.6 or higher while
ixgbevf must not.
Fixes: 53f0eb62b4d2 ("ixgbevf: fix getting link speed data for E610 devices")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Piotr Kwapulinski <piotr.kwapulinski@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Cc: stable@vger.kernel.org
Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ixgbevf/vf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c
index 74d320879513..b67b580f7f1c 100644
--- a/drivers/net/ethernet/intel/ixgbevf/vf.c
+++ b/drivers/net/ethernet/intel/ixgbevf/vf.c
@@ -852,7 +852,8 @@ static s32 ixgbevf_check_mac_link_vf(struct ixgbe_hw *hw,
if (!mac->get_link_status)
goto out;
- if (hw->mac.type == ixgbe_mac_e610_vf) {
+ if (hw->mac.type == ixgbe_mac_e610_vf &&
+ hw->api_version >= ixgbe_mbox_api_16) {
ret_val = ixgbevf_get_pf_link_state(hw, speed, link_up);
if (ret_val)
goto out;
--
2.53.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.12 221/460] smb: client: Compare MACs in constant time
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 220/460] ksmbd: Compare MACs in constant time Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 222/460] dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() Greg Kroah-Hartman
` (81 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
Eric Biggers, Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 26bc83b88bbbf054f0980a4a42047a8d1e210e4c upstream.
To prevent timing attacks, MAC comparisons need to be constant-time.
Replace the memcmp() with the correct function, crypto_memneq().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifsencrypt.c | 3 ++-
fs/smb/client/smb2transport.c | 4 +++-
2 files changed, 5 insertions(+), 2 deletions(-)
--- a/fs/smb/client/cifsencrypt.c
+++ b/fs/smb/client/cifsencrypt.c
@@ -24,6 +24,7 @@
#include <linux/iov_iter.h>
#include "../common/arc4.h"
#include <crypto/aead.h>
+#include <crypto/utils.h>
static size_t cifs_shash_step(void *iter_base, size_t progress, size_t len,
void *priv, void *priv2)
@@ -257,7 +258,7 @@ int cifs_verify_signature(struct smb_rqs
/* cifs_dump_mem("what we think it should be: ",
what_we_think_sig_should_be, 16); */
- if (memcmp(server_response_sig, what_we_think_sig_should_be, 8))
+ if (crypto_memneq(server_response_sig, what_we_think_sig_should_be, 8))
return -EACCES;
else
return 0;
--- a/fs/smb/client/smb2transport.c
+++ b/fs/smb/client/smb2transport.c
@@ -19,6 +19,7 @@
#include <linux/mempool.h>
#include <linux/highmem.h>
#include <crypto/aead.h>
+#include <crypto/utils.h>
#include "cifsglob.h"
#include "cifsproto.h"
#include "smb2proto.h"
@@ -732,7 +733,8 @@ smb2_verify_signature(struct smb_rqst *r
if (rc)
return rc;
- if (memcmp(server_response_sig, shdr->Signature, SMB2_SIGNATURE_SIZE)) {
+ if (crypto_memneq(server_response_sig, shdr->Signature,
+ SMB2_SIGNATURE_SIZE)) {
cifs_dbg(VFS, "sign fail cmd 0x%x message id 0x%llx\n",
shdr->Command, shdr->MessageId);
return -EACCES;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 297/567] libceph: Use u32 for non-negative values in ceph_monmap_decode()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 296/567] libceph: prevent potential out-of-bounds reads in process_message_header() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 298/567] libceph: admit message frames only in CEPH_CON_S_OPEN state Greg Kroah-Hartman
` (80 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Viacheslav Dubeyko,
Ilya Dryomov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit 770444611f047dbfd4517ec0bc1b179d40c2f346 upstream.
This patch fixes unnecessary implicit conversions that change signedness
of blob_len and num_mon in ceph_monmap_decode().
Currently blob_len and num_mon are (signed) int variables. They are used
to hold values that are always non-negative and get assigned in
ceph_decode_32_safe(), which is meant to assign u32 values. Both
variables are subsequently used as unsigned values, and the value of
num_mon is further assigned to monmap->num_mon, which is of type u32.
Therefore, both variables should be of type u32. This is especially
relevant for num_mon. If the value read from the incoming message is
very large, it is interpreted as a negative value, and the check for
num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to
allocate a very large chunk of memory for monmap, which will most likely
fail. In this case, an unnecessary attempt to allocate memory is
performed, and -ENOMEM is returned instead of -EINVAL.
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/mon_client.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -72,8 +72,8 @@ static struct ceph_monmap *ceph_monmap_d
struct ceph_monmap *monmap = NULL;
struct ceph_fsid fsid;
u32 struct_len;
- int blob_len;
- int num_mon;
+ u32 blob_len;
+ u32 num_mon;
u8 struct_v;
u32 epoch;
int ret;
@@ -112,7 +112,7 @@ static struct ceph_monmap *ceph_monmap_d
}
ceph_decode_32_safe(p, end, num_mon, e_inval);
- dout("%s fsid %pU epoch %u num_mon %d\n", __func__, &fsid, epoch,
+ dout("%s fsid %pU epoch %u num_mon %u\n", __func__, &fsid, epoch,
num_mon);
if (num_mon > CEPH_MAX_MON)
goto e_inval;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 235/481] staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 234/481] ixgbevf: fix link setup issue Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 236/481] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie Greg Kroah-Hartman
` (80 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Navaneeth K
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f0109b9d3e1e455429279d602f6276e34689750a upstream.
Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds
read in rtw_get_ie() parser"), we don't trust the data in the frame so
we should check the length better before acting on it
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Tested-by: Navaneeth K <knavaneeth786@gmail.com>
Reviewed-by: Navaneeth K <knavaneeth786@gmail.com>
Link: https://patch.msgid.link/2026022336-arrange-footwork-6e54@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
@@ -186,20 +186,25 @@ u8 *rtw_get_ie_ex(u8 *in_ie, uint in_len
cnt = 0;
- while (cnt < in_len) {
+ while (cnt + 2 <= in_len) {
+ u8 ie_len = in_ie[cnt + 1];
+
+ if (cnt + 2 + ie_len > in_len)
+ break;
+
if (eid == in_ie[cnt]
- && (!oui || !memcmp(&in_ie[cnt+2], oui, oui_len))) {
+ && (!oui || (ie_len >= oui_len && !memcmp(&in_ie[cnt + 2], oui, oui_len)))) {
target_ie = &in_ie[cnt];
if (ie)
- memcpy(ie, &in_ie[cnt], in_ie[cnt+1]+2);
+ memcpy(ie, &in_ie[cnt], ie_len + 2);
if (ielen)
- *ielen = in_ie[cnt+1]+2;
+ *ielen = ie_len + 2;
break;
}
- cnt += in_ie[cnt+1]+2; /* goto next */
+ cnt += ie_len + 2; /* goto next */
}
return target_ie;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 222/460] dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 221/460] smb: client: " Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 223/460] ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths Greg Kroah-Hartman
` (80 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+179fc225724092b8b2b2,
Eric Dumazet, Martin KaFai Lau, David Ahern, Jakub Kicinski,
Rahul Sharma
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 9a6f0c4d5796ab89b5a28a890ce542344d58bd69 ]
syzbot was able to crash the kernel in rt6_uncached_list_flush_dev()
in an interesting way [1]
Crash happens in list_del_init()/INIT_LIST_HEAD() while writing
list->prev, while the prior write on list->next went well.
static inline void INIT_LIST_HEAD(struct list_head *list)
{
WRITE_ONCE(list->next, list); // This went well
WRITE_ONCE(list->prev, list); // Crash, @list has been freed.
}
Issue here is that rt6_uncached_list_del() did not attempt to lock
ul->lock, as list_empty(&rt->dst.rt_uncached) returned
true because the WRITE_ONCE(list->next, list) happened on the other CPU.
We might use list_del_init_careful() and list_empty_careful(),
or make sure rt6_uncached_list_del() always grabs the spinlock
whenever rt->dst.rt_uncached_list has been set.
A similar fix is neeed for IPv4.
[1]
BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline]
BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline]
BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]
BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020
Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450
CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: netns cleanup_net
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
INIT_LIST_HEAD include/linux/list.h:46 [inline]
list_del_init include/linux/list.h:296 [inline]
rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]
rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020
addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853
addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1
notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
call_netdevice_notifiers net/core/dev.c:2282 [inline]
netif_close_many+0x29c/0x410 net/core/dev.c:1785
unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353
ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248
cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Allocated by task 803:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270
dst_alloc+0x105/0x170 net/core/dst.c:89
ip6_dst_alloc net/ipv6/route.c:342 [inline]
icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333
mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Freed by task 20:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6670 [inline]
kmem_cache_free+0x18f/0x8d0 mm/slub.c:6781
dst_destroy+0x235/0x350 net/core/dst.c:121
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core kernel/rcu/tree.c:2857 [inline]
rcu_cpu_kthread+0xba5/0x1af0 kernel/rcu/tree.c:2945
smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Last potentially related work creation:
kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
__call_rcu_common kernel/rcu/tree.c:3119 [inline]
call_rcu+0xee/0x890 kernel/rcu/tree.c:3239
refdst_drop include/net/dst.h:266 [inline]
skb_dst_drop include/net/dst.h:278 [inline]
skb_release_head_state+0x71/0x360 net/core/skbuff.c:1156
skb_release_all net/core/skbuff.c:1180 [inline]
__kfree_skb net/core/skbuff.c:1196 [inline]
sk_skb_reason_drop+0xe9/0x170 net/core/skbuff.c:1234
kfree_skb_reason include/linux/skbuff.h:1322 [inline]
tcf_kfree_skb_list include/net/sch_generic.h:1127 [inline]
__dev_xmit_skb net/core/dev.c:4260 [inline]
__dev_queue_xmit+0x26aa/0x3210 net/core/dev.c:4785
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
The buggy address belongs to the object at ffff8880294cfa00
which belongs to the cache ip6_dst_cache of size 232
The buggy address is located 120 bytes inside of
freed 232-byte region [ffff8880294cfa00, ffff8880294cfae8)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x294cf
memcg:ffff88803536b781
flags: 0x80000000000000(node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000000 ffff88802ff1c8c0 ffffea0000bf2bc0 dead000000000006
raw: 0000000000000000 00000000800c000c 00000000f5000000 ffff88803536b781
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 9, tgid 9 (kworker/0:0), ts 91119585830, free_ts 91088628818
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
prep_new_page mm/page_alloc.c:1865 [inline]
get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3b0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xb10/0x13e0 mm/slub.c:4656
__slab_alloc+0xc6/0x1f0 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]
kmem_cache_alloc_noprof+0x101/0x6c0 mm/slub.c:5270
dst_alloc+0x105/0x170 net/core/dst.c:89
ip6_dst_alloc net/ipv6/route.c:342 [inline]
icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333
mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
page last free pid 5859 tgid 5859 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1406 [inline]
__free_frozen_pages+0xfe1/0x1170 mm/page_alloc.c:2943
discard_slab mm/slub.c:3346 [inline]
__put_partials+0x149/0x170 mm/slub.c:3886
__slab_free+0x2af/0x330 mm/slub.c:5952
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270
getname_flags+0xb8/0x540 fs/namei.c:146
getname include/linux/fs.h:2498 [inline]
do_sys_openat2+0xbc/0x200 fs/open.c:1426
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
Fixes: 8d0b94afdca8 ("ipv6: Keep track of DST_NOCACHE routes in case of iface down/unregister")
Fixes: 78df76a065ae ("ipv4: take rt_uncached_lock only if needed")
Reported-by: syzbot+179fc225724092b8b2b2@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6964cdf2.050a0220.eaf7.009d.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260112103825.3810713-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Rahul Sharma <black.hawk@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/dst.c | 1 +
net/ipv4/route.c | 4 ++--
net/ipv6/route.c | 4 ++--
3 files changed, 5 insertions(+), 4 deletions(-)
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -68,6 +68,7 @@ void dst_init(struct dst_entry *dst, str
dst->lwtstate = NULL;
rcuref_init(&dst->__rcuref, 1);
INIT_LIST_HEAD(&dst->rt_uncached);
+ dst->rt_uncached_list = NULL;
dst->__use = 0;
dst->lastuse = jiffies;
dst->flags = flags;
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1533,9 +1533,9 @@ void rt_add_uncached_list(struct rtable
void rt_del_uncached_list(struct rtable *rt)
{
- if (!list_empty(&rt->dst.rt_uncached)) {
- struct uncached_list *ul = rt->dst.rt_uncached_list;
+ struct uncached_list *ul = rt->dst.rt_uncached_list;
+ if (ul) {
spin_lock_bh(&ul->lock);
list_del_init(&rt->dst.rt_uncached);
spin_unlock_bh(&ul->lock);
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -148,9 +148,9 @@ void rt6_uncached_list_add(struct rt6_in
void rt6_uncached_list_del(struct rt6_info *rt)
{
- if (!list_empty(&rt->dst.rt_uncached)) {
- struct uncached_list *ul = rt->dst.rt_uncached_list;
+ struct uncached_list *ul = rt->dst.rt_uncached_list;
+ if (ul) {
spin_lock_bh(&ul->lock);
list_del_init(&rt->dst.rt_uncached);
spin_unlock_bh(&ul->lock);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 298/567] libceph: admit message frames only in CEPH_CON_S_OPEN state
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 297/567] libceph: Use u32 for non-negative values in ceph_monmap_decode() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 299/567] ceph: fix i_nlink underrun during async unlink Greg Kroah-Hartman
` (79 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilya Dryomov, Alex Markuze,
Viacheslav Dubeyko
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit a5a373705081d7cc6363e16990e2361b0b362314 upstream.
Similar checks are performed for all control frames, but an early check
for message frames was missing. process_message() is already set up to
terminate the loop in case the state changes while con->ops->dispatch()
handler is being executed.
Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/messenger_v2.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -2940,6 +2940,11 @@ static int __handle_control(struct ceph_
if (con->v2.in_desc.fd_tag != FRAME_TAG_MESSAGE)
return process_control(con, p, end);
+ if (con->state != CEPH_CON_S_OPEN) {
+ con->error_msg = "protocol error, unexpected message";
+ return -EINVAL;
+ }
+
ret = process_message_header(con, p, end);
if (ret < 0)
return ret;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 236/481] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 235/481] staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 237/481] media: dvb-net: fix OOB access in ULE extension header tables Greg Kroah-Hartman
` (79 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Luka Gejak, Dan Carpenter
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luka Gejak <luka.gejak@linux.dev>
commit a75281626fc8fa6dc6c9cc314ee423e8bc45203b upstream.
The current code checks 'i + 5 < in_len' at the end of the if statement.
However, it accesses 'in_ie[i + 5]' before that check, which can lead
to an out-of-bounds read. Move the length check to the beginning of the
conditional to ensure the index is within bounds before accessing the
array.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/20260224132647.11642-2-luka.gejak@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -2010,7 +2010,10 @@ int rtw_restruct_wmm_ie(struct adapter *
while (i < in_len) {
ielength = initial_out_len;
- if (in_ie[i] == 0xDD && in_ie[i+2] == 0x00 && in_ie[i+3] == 0x50 && in_ie[i+4] == 0xF2 && in_ie[i+5] == 0x02 && i+5 < in_len) { /* WMM element ID and OUI */
+ if (i + 5 < in_len &&
+ in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 &&
+ in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 &&
+ in_ie[i + 5] == 0x02) {
for (j = i; j < i + 9; j++) {
out_ie[ielength] = in_ie[j];
ielength++;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 223/460] ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 222/460] dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 224/460] spi: cadence-quadspi: Implement refcount to handle unbind during busy Greg Kroah-Hartman
` (79 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Namjae Jeon,
Steve French, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit a09dc10d1353f0e92c21eae2a79af1c2b1ddcde8 ]
There are two places where ksmbd_vfs_kern_path_end_removing() needs to be
called in order to balance what the corresponding successful call to
ksmbd_vfs_kern_path_start_removing() has done, i.e. drop inode locks and
put the taken references. Otherwise there might be potential deadlocks
and unbalanced locks which are caught like:
BUG: workqueue leaked lock or atomic: kworker/5:21/0x00000000/7596
last function: handle_ksmbd_work
2 locks held by kworker/5:21/7596:
#0: ffff8881051ae448 (sb_writers#3){.+.+}-{0:0}, at: ksmbd_vfs_kern_path_locked+0x142/0x660
#1: ffff888130e966c0 (&type->i_mutex_dir_key#3/1){+.+.}-{4:4}, at: ksmbd_vfs_kern_path_locked+0x17d/0x660
CPU: 5 PID: 7596 Comm: kworker/5:21 Not tainted 6.1.162-00456-gc29b353f383b #138
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
Workqueue: ksmbd-io handle_ksmbd_work
Call Trace:
<TASK>
dump_stack_lvl+0x44/0x5b
process_one_work.cold+0x57/0x5c
worker_thread+0x82/0x600
kthread+0x153/0x190
ret_from_fork+0x22/0x30
</TASK>
Found by Linux Verification Center (linuxtesting.org).
Fixes: d5fc1400a34b ("smb/server: avoid deadlock when linking with ReplaceIfExists")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ ksmbd_vfs_kern_path_end_removing() call -> ksmbd_vfs_kern_path_unlock() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -6090,14 +6090,14 @@ static int smb2_create_link(struct ksmbd
rc = -EINVAL;
ksmbd_debug(SMB, "cannot delete %s\n",
link_name);
- goto out;
}
} else {
rc = -EEXIST;
ksmbd_debug(SMB, "link already exists\n");
- goto out;
}
ksmbd_vfs_kern_path_unlock(&parent_path, &path);
+ if (rc)
+ goto out;
}
rc = ksmbd_vfs_link(work, target_name, link_name);
if (rc)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 299/567] ceph: fix i_nlink underrun during async unlink
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 298/567] libceph: admit message frames only in CEPH_CON_S_OPEN state Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 300/567] ceph: fix memory leaks in ceph_mdsc_build_path() Greg Kroah-Hartman
` (78 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Kellermann, Viacheslav Dubeyko,
Ilya Dryomov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Kellermann <max.kellermann@ionos.com>
commit ce0123cbb4a40a2f1bbb815f292b26e96088639f upstream.
During async unlink, we drop the `i_nlink` counter before we receive
the completion (that will eventually update the `i_nlink`) because "we
assume that the unlink will succeed". That is not a bad idea, but it
races against deletions by other clients (or against the completion of
our own unlink) and can lead to an underrun which emits a WARNING like
this one:
WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68
Modules linked in:
CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655
Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : drop_nlink+0x50/0x68
lr : ceph_unlink+0x6c4/0x720
sp : ffff80012173bc90
x29: ffff80012173bc90 x28: ffff086d0a45aaf8 x27: ffff0871d0eb5680
x26: ffff087f2a64a718 x25: 0000020000000180 x24: 0000000061c88647
x23: 0000000000000002 x22: ffff07ff9236d800 x21: 0000000000001203
x20: ffff07ff9237b000 x19: ffff088b8296afc0 x18: 00000000f3c93365
x17: 0000000000070000 x16: ffff08faffcbdfe8 x15: ffff08faffcbdfec
x14: 0000000000000000 x13: 45445f65645f3037 x12: 34385f6369706f74
x11: 0000a2653104bb20 x10: ffffd85f26d73290 x9 : ffffd85f25664f94
x8 : 00000000000000c0 x7 : 0000000000000000 x6 : 0000000000000002
x5 : 0000000000000081 x4 : 0000000000000481 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff08727d3f91e8
Call trace:
drop_nlink+0x50/0x68 (P)
vfs_unlink+0xb0/0x2e8
do_unlinkat+0x204/0x288
__arm64_sys_unlinkat+0x3c/0x80
invoke_syscall.constprop.0+0x54/0xe8
do_el0_svc+0xa4/0xc8
el0_svc+0x18/0x58
el0t_64_sync_handler+0x104/0x130
el0t_64_sync+0x154/0x158
In ceph_unlink(), a call to ceph_mdsc_submit_request() submits the
CEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion.
Meanwhile, between this call and the following drop_nlink() call, a
worker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or
just a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own
completion). These will lead to a set_nlink() call, updating the
`i_nlink` counter to the value received from the MDS. If that new
`i_nlink` value happens to be zero, it is illegal to decrement it
further. But that is exactly what ceph_unlink() will do then.
The WARNING can be reproduced this way:
1. Force async unlink; only the async code path is affected. Having
no real clue about Ceph internals, I was unable to find out why the
MDS wouldn't give me the "Fxr" capabilities, so I patched
get_caps_for_async_unlink() to always succeed.
(Note that the WARNING dump above was found on an unpatched kernel,
without this kludge - this is not a theoretical bug.)
2. Add a sleep call after ceph_mdsc_submit_request() so the unlink
completion gets handled by a worker thread before drop_nlink() is
called. This guarantees that the `i_nlink` is already zero before
drop_nlink() runs.
The solution is to skip the counter decrement when it is already zero,
but doing so without a lock is still racy (TOCTOU). Since
ceph_fill_inode() and handle_cap_grant() both hold the
`ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this
seems like the proper lock to protect the `i_nlink` updates.
I found prior art in NFS and SMB (using `inode.i_lock`) and AFS (using
`afs_vnode.cb_lock`). All three have the zero check as well.
Cc: stable@vger.kernel.org
Fixes: 2ccb45462aea ("ceph: perform asynchronous unlink if we have sufficient caps")
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/dir.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -1292,6 +1292,7 @@ static int ceph_unlink(struct inode *dir
struct ceph_fs_client *fsc = ceph_sb_to_fs_client(dir->i_sb);
struct ceph_mds_client *mdsc = fsc->mdsc;
struct inode *inode = d_inode(dentry);
+ struct ceph_inode_info *ci = ceph_inode(inode);
struct ceph_mds_request *req;
bool try_async = ceph_test_mount_opt(fsc, ASYNC_DIROPS);
int err = -EROFS;
@@ -1349,7 +1350,19 @@ retry:
* We have enough caps, so we assume that the unlink
* will succeed. Fix up the target inode and dcache.
*/
- drop_nlink(inode);
+
+ /*
+ * Protect the i_nlink update with i_ceph_lock
+ * to precent racing against ceph_fill_inode()
+ * handling our completion on a worker thread
+ * and don't decrement if i_nlink has already
+ * been updated to zero by this completion.
+ */
+ spin_lock(&ci->i_ceph_lock);
+ if (inode->i_nlink > 0)
+ drop_nlink(inode);
+ spin_unlock(&ci->i_ceph_lock);
+
d_delete(dentry);
} else {
spin_lock(&fsc->async_unlink_conflict_lock);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 237/481] media: dvb-net: fix OOB access in ULE extension header tables
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 236/481] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 238/481] net: mana: Ring doorbell at 4 CQ wraparounds Greg Kroah-Hartman
` (78 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ariel Silver, Mauro Carvalho Chehab
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ariel Silver <arielsilver77@gmail.com>
commit 24d87712727a5017ad142d63940589a36cd25647 upstream.
The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables
in handle_one_ule_extension() are declared with 255 elements (valid
indices 0-254), but the index htype is derived from network-controlled
data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When
htype equals 255, an out-of-bounds read occurs on the function pointer
table, and the OOB value may be called as a function pointer.
Add a bounds check on htype against the array size before either table
is accessed. Out-of-range values now cause the SNDU to be discarded.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Ariel Silver <arielsilver77@gmail.com>
Signed-off-by: Ariel Silver <arielsilver77@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/dvb-core/dvb_net.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/media/dvb-core/dvb_net.c
+++ b/drivers/media/dvb-core/dvb_net.c
@@ -228,6 +228,9 @@ static int handle_one_ule_extension( str
unsigned char hlen = (p->ule_sndu_type & 0x0700) >> 8;
unsigned char htype = p->ule_sndu_type & 0x00FF;
+ if (htype >= ARRAY_SIZE(ule_mandatory_ext_handlers))
+ return -1;
+
/* Discriminate mandatory and optional extension headers. */
if (hlen == 0) {
/* Mandatory extension header */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 224/460] spi: cadence-quadspi: Implement refcount to handle unbind during busy
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 223/460] ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 225/460] gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL Greg Kroah-Hartman
` (78 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable, stable@vger.kernel.org, Khairul Anuar Romli
Cc: Greg Kroah-Hartman, patches, Matthew Gerlach, Niravkumar L Rabara,
Mark Brown, Robert Garcia
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Khairul Anuar Romli <khairul.anuar.romli@altera.com>
[ Upstream commit 7446284023e8ef694fb392348185349c773eefb3 ]
driver support indirect read and indirect write operation with
assumption no force device removal(unbind) operation. However
force device removal(removal) is still available to root superuser.
Unbinding driver during operation causes kernel crash. This changes
ensure driver able to handle such operation for indirect read and
indirect write by implementing refcount to track attached devices
to the controller and gracefully wait and until attached devices
remove operation completed before proceed with removal operation.
Signed-off-by: Khairul Anuar Romli <khairul.anuar.romli@altera.com>
Reviewed-by: Matthew Gerlach <matthew.gerlach@altera.com>
Reviewed-by: Niravkumar L Rabara <nirav.rabara@altera.com>
Link: https://patch.msgid.link/8704fd6bd2ff4d37bba4a0eacf5eba3ba001079e.1756168074.git.khairul.anuar.romli@altera.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-cadence-quadspi.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
--- a/drivers/spi/spi-cadence-quadspi.c
+++ b/drivers/spi/spi-cadence-quadspi.c
@@ -105,6 +105,8 @@ struct cqspi_st {
bool is_jh7110; /* Flag for StarFive JH7110 SoC */
bool disable_stig_mode;
+ refcount_t refcount;
+ refcount_t inflight_ops;
const struct cqspi_driver_platdata *ddata;
};
@@ -731,6 +733,9 @@ static int cqspi_indirect_read_execute(s
u8 *rxbuf_end = rxbuf + n_rx;
int ret = 0;
+ if (!refcount_read(&cqspi->refcount))
+ return -ENODEV;
+
writel(from_addr, reg_base + CQSPI_REG_INDIRECTRDSTARTADDR);
writel(remaining, reg_base + CQSPI_REG_INDIRECTRDBYTES);
@@ -1058,6 +1063,9 @@ static int cqspi_indirect_write_execute(
unsigned int write_bytes;
int ret;
+ if (!refcount_read(&cqspi->refcount))
+ return -ENODEV;
+
writel(to_addr, reg_base + CQSPI_REG_INDIRECTWRSTARTADDR);
writel(remaining, reg_base + CQSPI_REG_INDIRECTWRBYTES);
@@ -1450,12 +1458,26 @@ static int cqspi_exec_mem_op(struct spi_
struct cqspi_st *cqspi = spi_controller_get_devdata(mem->spi->controller);
struct device *dev = &cqspi->pdev->dev;
+ if (refcount_read(&cqspi->inflight_ops) == 0)
+ return -ENODEV;
+
ret = pm_runtime_resume_and_get(dev);
if (ret) {
dev_err(&mem->spi->dev, "resume failed with %d\n", ret);
return ret;
}
+ if (!refcount_read(&cqspi->refcount))
+ return -EBUSY;
+
+ refcount_inc(&cqspi->inflight_ops);
+
+ if (!refcount_read(&cqspi->refcount)) {
+ if (refcount_read(&cqspi->inflight_ops))
+ refcount_dec(&cqspi->inflight_ops);
+ return -EBUSY;
+ }
+
ret = cqspi_mem_process(mem, op);
pm_runtime_mark_last_busy(dev);
@@ -1464,6 +1486,9 @@ static int cqspi_exec_mem_op(struct spi_
if (ret)
dev_err(&mem->spi->dev, "operation failed with %d\n", ret);
+ if (refcount_read(&cqspi->inflight_ops) > 1)
+ refcount_dec(&cqspi->inflight_ops);
+
return ret;
}
@@ -1916,6 +1941,9 @@ static int cqspi_probe(struct platform_d
}
}
+ refcount_set(&cqspi->refcount, 1);
+ refcount_set(&cqspi->inflight_ops, 1);
+
ret = devm_request_irq(dev, irq, cqspi_irq_handler, 0,
pdev->name, cqspi);
if (ret) {
@@ -1978,6 +2006,11 @@ static void cqspi_remove(struct platform
{
struct cqspi_st *cqspi = platform_get_drvdata(pdev);
+ refcount_set(&cqspi->refcount, 0);
+
+ if (!refcount_dec_and_test(&cqspi->inflight_ops))
+ cqspi_wait_idle(cqspi);
+
spi_unregister_controller(cqspi->host);
cqspi_controller_enable(cqspi, 0);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 300/567] ceph: fix memory leaks in ceph_mdsc_build_path()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 299/567] ceph: fix i_nlink underrun during async unlink Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 301/567] time/jiffies: Mark jiffies_64_to_clock_t() notrace Greg Kroah-Hartman
` (77 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Kellermann, Viacheslav Dubeyko,
Ilya Dryomov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Kellermann <max.kellermann@ionos.com>
commit 040d159a45ded7f33201421a81df0aa2a86e5a0b upstream.
Add __putname() calls to error code paths that did not free the "path"
pointer obtained by __getname(). If ownership of this pointer is not
passed to the caller via path_info.path, the function must free it
before returning.
Cc: stable@vger.kernel.org
Fixes: 3fd945a79e14 ("ceph: encode encrypted name in ceph_mdsc_build_path and dentry release")
Fixes: 550f7ca98ee0 ("ceph: give up on paths longer than PATH_MAX")
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/mds_client.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -2672,6 +2672,7 @@ retry:
if (ret < 0) {
dput(parent);
dput(cur);
+ __putname(path);
return ERR_PTR(ret);
}
@@ -2681,6 +2682,7 @@ retry:
if (len < 0) {
dput(parent);
dput(cur);
+ __putname(path);
return ERR_PTR(len);
}
}
@@ -2717,6 +2719,7 @@ retry:
* cannot ever succeed. Creating paths that long is
* possible with Ceph, but Linux cannot use them.
*/
+ __putname(path);
return ERR_PTR(-ENAMETOOLONG);
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 238/481] net: mana: Ring doorbell at 4 CQ wraparounds
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 237/481] media: dvb-net: fix OOB access in ULE extension header tables Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 239/481] ice: fix retry for AQ command 0x06EE Greg Kroah-Hartman
` (77 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Long Li, Haiyang Zhang,
Vadim Fedorenko, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <longli@microsoft.com>
commit dabffd08545ffa1d7183bc45e387860984025291 upstream.
MANA hardware requires at least one doorbell ring every 8 wraparounds
of the CQ. The driver rings the doorbell as a form of flow control to
inform hardware that CQEs have been consumed.
The NAPI poll functions mana_poll_tx_cq() and mana_poll_rx_cq() can
poll up to CQE_POLLING_BUFFER (512) completions per call. If the CQ
has fewer than 512 entries, a single poll call can process more than
4 wraparounds without ringing the doorbell. The doorbell threshold
check also uses ">" instead of ">=", delaying the ring by one extra
CQE beyond 4 wraparounds. Combined, these issues can cause the driver
to exceed the 8-wraparound hardware limit, leading to missed
completions and stalled queues.
Fix this by capping the number of CQEs polled per call to 4 wraparounds
of the CQ in both TX and RX paths. Also change the doorbell threshold
from ">" to ">=" so the doorbell is rung as soon as 4 wraparounds are
reached.
Cc: stable@vger.kernel.org
Fixes: 58a63729c957 ("net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings")
Signed-off-by: Long Li <longli@microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260226192833.1050807-1-longli@microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -973,8 +973,14 @@ static void mana_poll_tx_cq(struct mana_
ndev = txq->ndev;
apc = netdev_priv(ndev);
+ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the
+ * doorbell can be rung in time for the hardware's requirement
+ * of at least one doorbell ring every 8 wraparounds.
+ */
comp_read = mana_gd_poll_cq(cq->gdma_cq, completions,
- CQE_POLLING_BUFFER);
+ min((cq->gdma_cq->queue_size /
+ COMP_ENTRY_SIZE) * 4,
+ CQE_POLLING_BUFFER));
if (comp_read < 1)
return;
@@ -1288,7 +1294,14 @@ static void mana_poll_rx_cq(struct mana_
struct mana_rxq *rxq = cq->rxq;
int comp_read, i;
- comp_read = mana_gd_poll_cq(cq->gdma_cq, comp, CQE_POLLING_BUFFER);
+ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the
+ * doorbell can be rung in time for the hardware's requirement
+ * of at least one doorbell ring every 8 wraparounds.
+ */
+ comp_read = mana_gd_poll_cq(cq->gdma_cq, comp,
+ min((cq->gdma_cq->queue_size /
+ COMP_ENTRY_SIZE) * 4,
+ CQE_POLLING_BUFFER));
WARN_ON_ONCE(comp_read > CQE_POLLING_BUFFER);
rxq->xdp_flush = false;
@@ -1327,11 +1340,11 @@ static int mana_cq_handler(void *context
mana_gd_ring_cq(gdma_queue, SET_ARM_BIT);
cq->work_done_since_doorbell = 0;
napi_complete_done(&cq->napi, w);
- } else if (cq->work_done_since_doorbell >
- cq->gdma_cq->queue_size / COMP_ENTRY_SIZE * 4) {
+ } else if (cq->work_done_since_doorbell >=
+ (cq->gdma_cq->queue_size / COMP_ENTRY_SIZE) * 4) {
/* MANA hardware requires at least one doorbell ring every 8
* wraparounds of CQ even if there is no need to arm the CQ.
- * This driver rings the doorbell as soon as we have exceeded
+ * This driver rings the doorbell as soon as it has processed
* 4 wraparounds.
*/
mana_gd_ring_cq(gdma_queue, 0);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 225/460] gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 224/460] spi: cadence-quadspi: Implement refcount to handle unbind during busy Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 226/460] net: phy: register phy led_triggers during probe to avoid AB-BA deadlock Greg Kroah-Hartman
` (77 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ankit Garg, Jordan Rhee,
Harshitha Ramamurthy, Joshua Washington, Simon Horman,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ankit Garg <nktgrg@google.com>
[ Upstream commit fb868db5f4bccd7a78219313ab2917429f715cea ]
In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA
buffer cleanup path. It iterates num_bufs times and attempts to unmap
entries in the dma array.
This leads to two issues:
1. The dma array shares storage with tx_qpl_buf_ids (union).
Interpreting buffer IDs as DMA addresses results in attempting to
unmap incorrect memory locations.
2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed
the size of the dma array, causing out-of-bounds access warnings
(trace below is how we noticed this issue).
UBSAN: array-index-out-of-bounds in
drivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out of
range for type 'dma_addr_t[18]' (aka 'unsigned long long[18]')
Workqueue: gve gve_service_task [gve]
Call Trace:
<TASK>
dump_stack_lvl+0x33/0xa0
__ubsan_handle_out_of_bounds+0xdc/0x110
gve_tx_stop_ring_dqo+0x182/0x200 [gve]
gve_close+0x1be/0x450 [gve]
gve_reset+0x99/0x120 [gve]
gve_service_task+0x61/0x100 [gve]
process_scheduled_works+0x1e9/0x380
Fix this by properly checking for QPL mode and delegating to
gve_free_tx_qpl_bufs() to reclaim the buffers.
Cc: stable@vger.kernel.org
Fixes: a6fb8d5a8b69 ("gve: Tx path for DQO-QPL")
Signed-off-by: Ankit Garg <nktgrg@google.com>
Reviewed-by: Jordan Rhee <jordanrhee@google.com>
Reviewed-by: Harshitha Ramamurthy <hramamurthy@google.com>
Signed-off-by: Joshua Washington <joshwash@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260220215324.1631350-1-joshwash@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ netmem_dma_unmap_page_attrs() => dma_unmap_page() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/google/gve/gve_tx_dqo.c | 52 +++++++++++----------------
1 file changed, 23 insertions(+), 29 deletions(-)
--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c
+++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
@@ -157,6 +157,24 @@ gve_free_pending_packet(struct gve_tx_ri
}
}
+static void gve_unmap_packet(struct device *dev,
+ struct gve_tx_pending_packet_dqo *pkt)
+{
+ int i;
+
+ if (!pkt->num_bufs)
+ return;
+
+ /* SKB linear portion is guaranteed to be mapped */
+ dma_unmap_single(dev, dma_unmap_addr(pkt, dma[0]),
+ dma_unmap_len(pkt, len[0]), DMA_TO_DEVICE);
+ for (i = 1; i < pkt->num_bufs; i++) {
+ dma_unmap_page(dev, dma_unmap_addr(pkt, dma[i]),
+ dma_unmap_len(pkt, len[i]), DMA_TO_DEVICE);
+ }
+ pkt->num_bufs = 0;
+}
+
/* gve_tx_free_desc - Cleans up all pending tx requests and buffers.
*/
static void gve_tx_clean_pending_packets(struct gve_tx_ring *tx)
@@ -166,21 +184,12 @@ static void gve_tx_clean_pending_packets
for (i = 0; i < tx->dqo.num_pending_packets; i++) {
struct gve_tx_pending_packet_dqo *cur_state =
&tx->dqo.pending_packets[i];
- int j;
- for (j = 0; j < cur_state->num_bufs; j++) {
- if (j == 0) {
- dma_unmap_single(tx->dev,
- dma_unmap_addr(cur_state, dma[j]),
- dma_unmap_len(cur_state, len[j]),
- DMA_TO_DEVICE);
- } else {
- dma_unmap_page(tx->dev,
- dma_unmap_addr(cur_state, dma[j]),
- dma_unmap_len(cur_state, len[j]),
- DMA_TO_DEVICE);
- }
- }
+ if (tx->dqo.qpl)
+ gve_free_tx_qpl_bufs(tx, cur_state);
+ else
+ gve_unmap_packet(tx->dev, cur_state);
+
if (cur_state->skb) {
dev_consume_skb_any(cur_state->skb);
cur_state->skb = NULL;
@@ -1039,21 +1048,6 @@ static void remove_from_list(struct gve_
}
}
-static void gve_unmap_packet(struct device *dev,
- struct gve_tx_pending_packet_dqo *pkt)
-{
- int i;
-
- /* SKB linear portion is guaranteed to be mapped */
- dma_unmap_single(dev, dma_unmap_addr(pkt, dma[0]),
- dma_unmap_len(pkt, len[0]), DMA_TO_DEVICE);
- for (i = 1; i < pkt->num_bufs; i++) {
- dma_unmap_page(dev, dma_unmap_addr(pkt, dma[i]),
- dma_unmap_len(pkt, len[i]), DMA_TO_DEVICE);
- }
- pkt->num_bufs = 0;
-}
-
/* Completion types and expected behavior:
* No Miss compl + Packet compl = Packet completed normally.
* Miss compl + Re-inject compl = Packet completed normally.
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 301/567] time/jiffies: Mark jiffies_64_to_clock_t() notrace
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 300/567] ceph: fix memory leaks in ceph_mdsc_build_path() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 302/567] i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach Greg Kroah-Hartman
` (76 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steven Rostedt (Google),
Thomas Gleixner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
[ Upstream commit 755a648e78f12574482d4698d877375793867fa1 ]
The trace_clock_jiffies() function that handles the "uptime" clock for
tracing calls jiffies_64_to_clock_t(). This causes the function tracer to
constantly recurse when the tracing clock is set to "uptime". Mark it
notrace to prevent unnecessary recursion when using the "uptime" clock.
Fixes: 58d4e21e50ff3 ("tracing: Fix wraparound problems in "uptime" trace clock")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260306212403.72270bb2@robin
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/time.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/time/time.c b/kernel/time/time.c
index 1ad88e97b4ebc..da7e8a02a0964 100644
--- a/kernel/time/time.c
+++ b/kernel/time/time.c
@@ -702,7 +702,7 @@ EXPORT_SYMBOL(clock_t_to_jiffies);
*
* Return: jiffies_64 value converted to 64-bit "clock_t" (CLOCKS_PER_SEC)
*/
-u64 jiffies_64_to_clock_t(u64 x)
+notrace u64 jiffies_64_to_clock_t(u64 x)
{
#if (TICK_NSEC % (NSEC_PER_SEC / USER_HZ)) == 0
# if HZ < USER_HZ
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 239/481] ice: fix retry for AQ command 0x06EE
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 238/481] net: mana: Ring doorbell at 4 CQ wraparounds Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 240/481] batman-adv: Avoid double-rtnl_lock ELP metric worker Greg Kroah-Hartman
` (76 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Staniszewski, Dawid Osuchowski,
Aleksandr Loktionov, Przemek Kitszel, Paul Menzel, Tony Nguyen,
Rinitha S
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
commit fb4903b3354aed4a2301180cf991226f896c87ed upstream.
Executing ethtool -m can fail reporting a netlink I/O error while firmware
link management holds the i2c bus used to communicate with the module.
According to Intel(R) Ethernet Controller E810 Datasheet Rev 2.8 [1]
Section 3.3.10.4 Read/Write SFF EEPROM (0x06EE)
request should to be retried upon receiving EBUSY from firmware.
Commit e9c9692c8a81 ("ice: Reimplement module reads used by ethtool")
implemented it only for part of ice_get_module_eeprom(), leaving all other
calls to ice_aq_sff_eeprom() vulnerable to returning early on getting
EBUSY without retrying.
Remove the retry loop from ice_get_module_eeprom() and add Admin Queue
(AQ) command with opcode 0x06EE to the list of commands that should be
retried on receiving EBUSY from firmware.
Cc: stable@vger.kernel.org
Fixes: e9c9692c8a81 ("ice: Reimplement module reads used by ethtool")
Signed-off-by: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
Co-developed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Signed-off-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Link: https://www.intel.com/content/www/us/en/content-details/613875/intel-ethernet-controller-e810-datasheet.html [1]
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_common.c | 1
drivers/net/ethernet/intel/ice/ice_ethtool.c | 35 ++++++++++-----------------
2 files changed, 15 insertions(+), 21 deletions(-)
--- a/drivers/net/ethernet/intel/ice/ice_common.c
+++ b/drivers/net/ethernet/intel/ice/ice_common.c
@@ -1570,6 +1570,7 @@ static bool ice_should_retry_sq_send_cmd
case ice_aqc_opc_lldp_stop:
case ice_aqc_opc_lldp_start:
case ice_aqc_opc_lldp_filter_ctrl:
+ case ice_aqc_opc_sff_eeprom:
return true;
}
--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
+++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
@@ -4089,7 +4089,7 @@ ice_get_module_eeprom(struct net_device
struct ice_pf *pf = vsi->back;
struct ice_hw *hw = &pf->hw;
bool is_sfp = false;
- unsigned int i, j;
+ unsigned int i;
u16 offset = 0;
u8 page = 0;
int status;
@@ -4131,26 +4131,19 @@ ice_get_module_eeprom(struct net_device
if (page == 0 || !(data[0x2] & 0x4)) {
u32 copy_len;
- /* If i2c bus is busy due to slow page change or
- * link management access, call can fail. This is normal.
- * So we retry this a few times.
- */
- for (j = 0; j < 4; j++) {
- status = ice_aq_sff_eeprom(hw, 0, addr, offset, page,
- !is_sfp, value,
- SFF_READ_BLOCK_SIZE,
- 0, NULL);
- netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%X)\n",
- addr, offset, page, is_sfp,
- value[0], value[1], value[2], value[3],
- value[4], value[5], value[6], value[7],
- status);
- if (status) {
- usleep_range(1500, 2500);
- memset(value, 0, SFF_READ_BLOCK_SIZE);
- continue;
- }
- break;
+ status = ice_aq_sff_eeprom(hw, 0, addr, offset, page,
+ !is_sfp, value,
+ SFF_READ_BLOCK_SIZE,
+ 0, NULL);
+ netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%pe)\n",
+ addr, offset, page, is_sfp,
+ value[0], value[1], value[2], value[3],
+ value[4], value[5], value[6], value[7],
+ ERR_PTR(status));
+ if (status) {
+ netdev_err(netdev, "%s: error reading module EEPROM: status %pe\n",
+ __func__, ERR_PTR(status));
+ return status;
}
/* Make sure we have enough room for the new block */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 226/460] net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 225/460] gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 227/460] x86/sev: Allow IBPB-on-Entry feature for SNP guests Greg Kroah-Hartman
` (76 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shiji Yang, Andrew Lunn, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Lunn <andrew@lunn.ch>
[ Upstream commit c8dbdc6e380e7e96a51706db3e4b7870d8a9402d ]
There is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and
LED_TRIGGER_PHY are enabled:
[ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc <-- Trying to get lock "triggers_list_lock" via down_write(&triggers_list_lock);
[ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234
[ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c
[ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c
[ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0
[ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0
[ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c
[ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78
[ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654 <-- Hold lock "rtnl_mutex" by calling rtnl_lock();
[ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0
[ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c
[ 1362.104022] [<80014504>] syscall_common+0x34/0x58
Here LED_TRIGGER_PHY is registering LED triggers during phy_attach
while holding RTNL and then taking triggers_list_lock.
[ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168 <-- Trying to get lock "rtnl_mutex" via rtnl_lock();
[ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4
[ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360 <-- Hold lock "triggers_list_lock" by down_read(&triggers_list_lock);
[ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c
[ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc
[ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c
[ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4
[ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c
[ 1362.232164] [<80014504>] syscall_common+0x34/0x58
Here LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes
triggers_list_lock and then RTNL. A classical AB-BA deadlock.
phy_led_triggers_registers() does not require the RTNL, it does not
make any calls into the network stack which require protection. There
is also no requirement the PHY has been attached to a MAC, the
triggers only make use of phydev state. This allows the call to
phy_led_triggers_registers() to be placed elsewhere. PHY probe() and
release() don't hold RTNL, so solving the AB-BA deadlock.
Reported-by: Shiji Yang <yangshiji66@outlook.com>
Closes: https://lore.kernel.org/all/OS7PR01MB13602B128BA1AD3FA38B6D1FFBC69A@OS7PR01MB13602.jpnprd01.prod.outlook.com/
Fixes: 06f502f57d0d ("leds: trigger: Introduce a NETDEV trigger")
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Tested-by: Shiji Yang <yangshiji66@outlook.com>
Link: https://patch.msgid.link/20260222152601.1978655-1-andrew@lunn.ch
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ adapted condition to preserve existing `!phy_driver_is_genphy_10g(phydev)` guard ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/phy/phy_device.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -1662,8 +1662,6 @@ int phy_attach_direct(struct net_device
goto error;
phy_resume(phydev);
- if (!phydev->is_on_sfp_module)
- phy_led_triggers_register(phydev);
/**
* If the external phy used by current mac interface is managed by
@@ -2033,9 +2031,6 @@ void phy_detach(struct phy_device *phyde
}
phydev->phylink = NULL;
- if (!phydev->is_on_sfp_module)
- phy_led_triggers_unregister(phydev);
-
if (phydev->mdio.dev.driver)
module_put(phydev->mdio.dev.driver->owner);
@@ -3660,17 +3655,28 @@ static int phy_probe(struct device *dev)
/* Set the state to READY by default */
phydev->state = PHY_READY;
+ /* Register the PHY LED triggers */
+ if (!phydev->is_on_sfp_module)
+ phy_led_triggers_register(phydev);
+
/* Get the LEDs from the device tree, and instantiate standard
* LEDs for them.
*/
if (IS_ENABLED(CONFIG_PHYLIB_LEDS) && !phy_driver_is_genphy(phydev) &&
- !phy_driver_is_genphy_10g(phydev))
+ !phy_driver_is_genphy_10g(phydev)) {
err = of_phy_leds(phydev);
+ if (err)
+ goto out;
+ }
+
+ return 0;
out:
+ if (!phydev->is_on_sfp_module)
+ phy_led_triggers_unregister(phydev);
+
/* Re-assert the reset signal on error */
- if (err)
- phy_device_reset(phydev, 1);
+ phy_device_reset(phydev, 1);
return err;
}
@@ -3685,6 +3691,9 @@ static int phy_remove(struct device *dev
!phy_driver_is_genphy_10g(phydev))
phy_leds_unregister(phydev);
+ if (!phydev->is_on_sfp_module)
+ phy_led_triggers_unregister(phydev);
+
phydev->state = PHY_DOWN;
sfp_bus_del_upstream(phydev->sfp_bus);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 302/567] i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 301/567] time/jiffies: Mark jiffies_64_to_clock_t() notrace Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 303/567] scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend Greg Kroah-Hartman
` (75 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Ng Ho Yin, Frank Li,
Alexandre Belloni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Ng Ho Yin <adrianhoyin.ng@altera.com>
[ Upstream commit f311a05784634febd299f03476b80f3f18489767 ]
The DesignWare I3C master controller ACKs IBIs as soon as a valid
Device Address Table (DAT) entry is present. This can create a race
between device attachment (after DAA) and the point where the client
driver enables IBIs via i3c_device_enable_ibi().
Set DEV_ADDR_TABLE_SIR_REJECT in the DAT entry during
attach_i3c_dev() and reattach_i3c_dev() so that IBIs are rejected
by default. The bit is managed thereafter by the existing
dw_i3c_master_set_sir_enabled() function, which clears it in
enable_ibi() after ENEC is issued, and restores it in disable_ibi()
after DISEC.
Fixes: 1dd728f5d4d4 ("i3c: master: Add driver for Synopsys DesignWare IP")
Signed-off-by: Adrian Ng Ho Yin <adrianhoyin.ng@altera.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/53f5b8cbdd8af789ec38b95b02873f32f9182dd6.1770962368.git.adrianhoyin.ng@altera.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/dw-i3c-master.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c
index cee2805fccd0f..ccb521bcb73e3 100644
--- a/drivers/i3c/master/dw-i3c-master.c
+++ b/drivers/i3c/master/dw-i3c-master.c
@@ -941,7 +941,7 @@ static int dw_i3c_master_reattach_i3c_dev(struct i3c_dev_desc *dev,
master->free_pos &= ~BIT(pos);
}
- writel(DEV_ADDR_TABLE_DYNAMIC_ADDR(dev->info.dyn_addr),
+ writel(DEV_ADDR_TABLE_DYNAMIC_ADDR(dev->info.dyn_addr) | DEV_ADDR_TABLE_SIR_REJECT,
master->regs +
DEV_ADDR_TABLE_LOC(master->datstartaddr, data->index));
@@ -970,7 +970,7 @@ static int dw_i3c_master_attach_i3c_dev(struct i3c_dev_desc *dev)
master->free_pos &= ~BIT(pos);
i3c_dev_set_master_data(dev, data);
- writel(DEV_ADDR_TABLE_DYNAMIC_ADDR(master->devs[pos].addr),
+ writel(DEV_ADDR_TABLE_DYNAMIC_ADDR(master->devs[pos].addr) | DEV_ADDR_TABLE_SIR_REJECT,
master->regs +
DEV_ADDR_TABLE_LOC(master->datstartaddr, data->index));
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 240/481] batman-adv: Avoid double-rtnl_lock ELP metric worker
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 239/481] ice: fix retry for AQ command 0x06EE Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 241/481] parisc: Increase initial mapping to 64 MB with KALLSYMS Greg Kroah-Hartman
` (75 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Schmidbauer,
Sven Eckelmann, Sören Skaarup, Simon Wunderlich
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit cfc83a3c71517b59c1047db57da31e26a9dc2f33 upstream.
batadv_v_elp_get_throughput() might be called when the RTNL lock is already
held. This could be problematic when the work queue item is cancelled via
cancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case,
an rtnl_lock() would cause a deadlock.
To avoid this, rtnl_trylock() was used in this function to skip the
retrieval of the ethtool information in case the RTNL lock was already
held.
But for cfg80211 interfaces, batadv_get_real_netdev() was called - which
also uses rtnl_lock(). The approach for __ethtool_get_link_ksettings() must
also be used instead and the lockless version __batadv_get_real_netdev()
has to be called.
Cc: stable@vger.kernel.org
Fixes: 8c8ecc98f5c6 ("batman-adv: Drop unmanaged ELP metric worker")
Reported-by: Christian Schmidbauer <github@grische.xyz>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Tested-by: Sören Skaarup <freifunk_nordm4nn@gmx.de>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/bat_v_elp.c | 10 +++++++++-
net/batman-adv/hard-interface.c | 8 ++++----
net/batman-adv/hard-interface.h | 1 +
3 files changed, 14 insertions(+), 5 deletions(-)
--- a/net/batman-adv/bat_v_elp.c
+++ b/net/batman-adv/bat_v_elp.c
@@ -113,7 +113,15 @@ static bool batadv_v_elp_get_throughput(
/* unsupported WiFi driver version */
goto default_throughput;
- real_netdev = batadv_get_real_netdev(hard_iface->net_dev);
+ /* only use rtnl_trylock because the elp worker will be cancelled while
+ * the rntl_lock is held. the cancel_delayed_work_sync() would otherwise
+ * wait forever when the elp work_item was started and it is then also
+ * trying to rtnl_lock
+ */
+ if (!rtnl_trylock())
+ return false;
+ real_netdev = __batadv_get_real_netdev(hard_iface->net_dev);
+ rtnl_unlock();
if (!real_netdev)
goto default_throughput;
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -202,7 +202,7 @@ static bool batadv_is_valid_iface(const
}
/**
- * batadv_get_real_netdevice() - check if the given netdev struct is a virtual
+ * __batadv_get_real_netdev() - check if the given netdev struct is a virtual
* interface on top of another 'real' interface
* @netdev: the device to check
*
@@ -212,7 +212,7 @@ static bool batadv_is_valid_iface(const
* Return: the 'real' net device or the original net device and NULL in case
* of an error.
*/
-static struct net_device *batadv_get_real_netdevice(struct net_device *netdev)
+struct net_device *__batadv_get_real_netdev(struct net_device *netdev)
{
struct batadv_hard_iface *hard_iface = NULL;
struct net_device *real_netdev = NULL;
@@ -265,7 +265,7 @@ struct net_device *batadv_get_real_netde
struct net_device *real_netdev;
rtnl_lock();
- real_netdev = batadv_get_real_netdevice(net_device);
+ real_netdev = __batadv_get_real_netdev(net_device);
rtnl_unlock();
return real_netdev;
@@ -334,7 +334,7 @@ static u32 batadv_wifi_flags_evaluate(st
if (batadv_is_cfg80211_netdev(net_device))
wifi_flags |= BATADV_HARDIF_WIFI_CFG80211_DIRECT;
- real_netdev = batadv_get_real_netdevice(net_device);
+ real_netdev = __batadv_get_real_netdev(net_device);
if (!real_netdev)
return wifi_flags;
--- a/net/batman-adv/hard-interface.h
+++ b/net/batman-adv/hard-interface.h
@@ -68,6 +68,7 @@ enum batadv_hard_if_bcast {
extern struct notifier_block batadv_hard_if_notifier;
+struct net_device *__batadv_get_real_netdev(struct net_device *net_device);
struct net_device *batadv_get_real_netdev(struct net_device *net_device);
bool batadv_is_cfg80211_hardif(struct batadv_hard_iface *hard_iface);
bool batadv_is_wifi_hardif(struct batadv_hard_iface *hard_iface);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 227/460] x86/sev: Allow IBPB-on-Entry feature for SNP guests
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 226/460] net: phy: register phy led_triggers during probe to avoid AB-BA deadlock Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 228/460] platform/x86: hp-bioscfg: Support allocations of larger data Greg Kroah-Hartman
` (75 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kim Phillips, Borislav Petkov (AMD),
Nikunj A Dadhania, Tom Lendacky, stable, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kim Phillips <kim.phillips@amd.com>
[ Upstream commit 9073428bb204d921ae15326bb7d4558d9d269aab ]
The SEV-SNP IBPB-on-Entry feature does not require a guest-side
implementation. It was added in Zen5 h/w, after the first SNP Zen
implementation, and thus was not accounted for when the initial set of SNP
features were added to the kernel.
In its abundant precaution, commit
8c29f0165405 ("x86/sev: Add SEV-SNP guest feature negotiation support")
included SEV_STATUS' IBPB-on-Entry bit as a reserved bit, thereby masking
guests from using the feature.
Allow guests to make use of IBPB-on-Entry when supported by the hypervisor, as
the bit is now architecturally defined and safe to expose.
Fixes: 8c29f0165405 ("x86/sev: Add SEV-SNP guest feature negotiation support")
Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Nikunj A Dadhania <nikunj@amd.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Cc: stable@kernel.org
Link: https://patch.msgid.link/20260203222405.4065706-2-kim.phillips@amd.com
[ merged missing SECURE_AVIC into RESERVED_BITS18_22 ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/boot/compressed/sev.c | 1 +
arch/x86/coco/sev/core.c | 1 +
arch/x86/include/asm/msr-index.h | 5 ++++-
3 files changed, 6 insertions(+), 1 deletion(-)
--- a/arch/x86/boot/compressed/sev.c
+++ b/arch/x86/boot/compressed/sev.c
@@ -357,6 +357,7 @@ finish:
MSR_AMD64_SNP_VMSA_REG_PROT | \
MSR_AMD64_SNP_RESERVED_BIT13 | \
MSR_AMD64_SNP_RESERVED_BIT15 | \
+ MSR_AMD64_SNP_RESERVED_BITS18_22 | \
MSR_AMD64_SNP_RESERVED_MASK)
/*
--- a/arch/x86/coco/sev/core.c
+++ b/arch/x86/coco/sev/core.c
@@ -78,6 +78,7 @@ static const char * const sev_status_fea
[MSR_AMD64_SNP_IBS_VIRT_BIT] = "IBSVirt",
[MSR_AMD64_SNP_VMSA_REG_PROT_BIT] = "VMSARegProt",
[MSR_AMD64_SNP_SMT_PROT_BIT] = "SMTProt",
+ [MSR_AMD64_SNP_IBPB_ON_ENTRY_BIT] = "IBPBOnEntry",
};
/* For early boot hypervisor communication in SEV-ES enabled guests */
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -691,7 +691,10 @@
#define MSR_AMD64_SNP_VMSA_REG_PROT BIT_ULL(MSR_AMD64_SNP_VMSA_REG_PROT_BIT)
#define MSR_AMD64_SNP_SMT_PROT_BIT 17
#define MSR_AMD64_SNP_SMT_PROT BIT_ULL(MSR_AMD64_SNP_SMT_PROT_BIT)
-#define MSR_AMD64_SNP_RESV_BIT 18
+#define MSR_AMD64_SNP_RESERVED_BITS18_22 GENMASK_ULL(22, 18)
+#define MSR_AMD64_SNP_IBPB_ON_ENTRY_BIT 23
+#define MSR_AMD64_SNP_IBPB_ON_ENTRY BIT_ULL(MSR_AMD64_SNP_IBPB_ON_ENTRY_BIT)
+#define MSR_AMD64_SNP_RESV_BIT 24
#define MSR_AMD64_SNP_RESERVED_MASK GENMASK_ULL(63, MSR_AMD64_SNP_RESV_BIT)
#define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 303/567] scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 302/567] i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 304/567] scsi: hisi_sas: Add time interval between two H2D FIS following soft reset spec Greg Kroah-Hartman
` (74 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bean Huo, Bart Van Assche,
Wang Shuaiwei, Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Shuaiwei <wangshuaiwei1@xiaomi.com>
[ Upstream commit b0bd84c39289ef6a6c3827dd52c875659291970a ]
In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel
the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op,
POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can
still be running while ufshcd_vops_suspend() is executing. When
UFSHCD_CAP_CLK_GATING is not supported, the condition
!hba->clk_gating.active_reqs is always true, causing ufshcd_update_rtc()
to be executed. Since ufshcd_vops_suspend() typically performs clock
gating operations, executing ufshcd_update_rtc() at that moment triggers
an SError. The kernel panic trace is as follows:
Kernel panic - not syncing: Asynchronous SError Interrupt
Call trace:
dump_backtrace+0xec/0x128
show_stack+0x18/0x28
dump_stack_lvl+0x40/0xa0
dump_stack+0x18/0x24
panic+0x148/0x374
nmi_panic+0x3c/0x8c
arm64_serror_panic+0x64/0x8c
do_serror+0xc4/0xc8
el1h_64_error_handler+0x34/0x4c
el1h_64_error+0x68/0x6c
el1_interrupt+0x20/0x58
el1h_64_irq_handler+0x18/0x24
el1h_64_irq+0x68/0x6c
ktime_get+0xc4/0x12c
ufshcd_mcq_sq_stop+0x4c/0xec
ufshcd_mcq_sq_cleanup+0x64/0x1dc
ufshcd_clear_cmd+0x38/0x134
ufshcd_issue_dev_cmd+0x298/0x4d0
ufshcd_exec_dev_cmd+0x1a4/0x1c4
ufshcd_query_attr+0xbc/0x19c
ufshcd_rtc_work+0x10c/0x1c8
process_scheduled_works+0x1c4/0x45c
worker_thread+0x32c/0x3e8
kthread+0x120/0x1d8
ret_from_fork+0x10/0x20
Fix this by moving cancel_delayed_work_sync() before the call to
ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is
fully completed or cancelled at that point.
Cc: Bean Huo <beanhuo@iokpp.de>
Fixes: 6bf999e0eb41 ("scsi: ufs: core: Add UFS RTC support")
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Wang Shuaiwei <wangshuaiwei1@xiaomi.com>
Link: https://patch.msgid.link/20260307035128.3419687-1-wangshuaiwei1@xiaomi.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index d109a0c8f75ff..2dcb0146c17e3 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -9882,6 +9882,7 @@ static int __ufshcd_wl_suspend(struct ufs_hba *hba, enum ufs_pm_op pm_op)
}
flush_work(&hba->eeh_work);
+ cancel_delayed_work_sync(&hba->ufs_rtc_update_work);
ret = ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE);
if (ret)
@@ -9936,7 +9937,6 @@ static int __ufshcd_wl_suspend(struct ufs_hba *hba, enum ufs_pm_op pm_op)
if (ret)
goto set_link_active;
- cancel_delayed_work_sync(&hba->ufs_rtc_update_work);
goto out;
set_link_active:
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 241/481] parisc: Increase initial mapping to 64 MB with KALLSYMS
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 240/481] batman-adv: Avoid double-rtnl_lock ELP metric worker Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 242/481] nouveau/dpcd: return EBUSY for aux xfer if the device is asleep Greg Kroah-Hartman
` (74 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 8e732934fb81282be41602550e7e07baf265e972 upstream.
The 32MB initial kernel mapping can become too small when CONFIG_KALLSYMS
is used. Increase the mapping to 64 MB in this case.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v6.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/include/asm/pgtable.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/parisc/include/asm/pgtable.h
+++ b/arch/parisc/include/asm/pgtable.h
@@ -94,7 +94,7 @@ extern void __update_cache(pte_t pte);
printk("%s:%d: bad pgd %08lx.\n", __FILE__, __LINE__, (unsigned long)pgd_val(e))
/* This is the size of the initially mapped kernel memory */
-#if defined(CONFIG_64BIT)
+#if defined(CONFIG_64BIT) || defined(CONFIG_KALLSYMS)
#define KERNEL_INITIAL_ORDER 26 /* 1<<26 = 64MB */
#else
#define KERNEL_INITIAL_ORDER 25 /* 1<<25 = 32MB */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 228/460] platform/x86: hp-bioscfg: Support allocations of larger data
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 227/460] x86/sev: Allow IBPB-on-Entry feature for SNP guests Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 229/460] wifi: libertas: fix use-after-free in lbs_free_adapter() Greg Kroah-Hartman
` (74 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Kerry, Mario Limonciello,
Ilpo Järvinen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 916727cfdb72cd01fef3fa6746e648f8cb70e713 ]
Some systems have much larger amounts of enumeration attributes
than have been previously encountered. This can lead to page allocation
failures when using kcalloc(). Switch over to using kvcalloc() to
allow larger allocations.
Fixes: 6b2770bfd6f92 ("platform/x86: hp-bioscfg: enum-attributes")
Cc: stable@vger.kernel.org
Reported-by: Paul Kerry <p.kerry@sheffield.ac.uk>
Tested-by: Paul Kerry <p.kerry@sheffield.ac.uk>
Closes: https://bugs.debian.org/1127612
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Link: https://patch.msgid.link/20260225210646.59381-1-mario.limonciello@amd.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ kcalloc() => kvcalloc() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
@@ -94,8 +94,11 @@ int hp_alloc_enumeration_data(void)
bioscfg_drv.enumeration_instances_count =
hp_get_instance_count(HP_WMI_BIOS_ENUMERATION_GUID);
- bioscfg_drv.enumeration_data = kcalloc(bioscfg_drv.enumeration_instances_count,
- sizeof(*bioscfg_drv.enumeration_data), GFP_KERNEL);
+ if (!bioscfg_drv.enumeration_instances_count)
+ return -EINVAL;
+ bioscfg_drv.enumeration_data = kvcalloc(bioscfg_drv.enumeration_instances_count,
+ sizeof(*bioscfg_drv.enumeration_data), GFP_KERNEL);
+
if (!bioscfg_drv.enumeration_data) {
bioscfg_drv.enumeration_instances_count = 0;
return -ENOMEM;
@@ -444,6 +447,6 @@ void hp_exit_enumeration_attributes(void
}
bioscfg_drv.enumeration_instances_count = 0;
- kfree(bioscfg_drv.enumeration_data);
+ kvfree(bioscfg_drv.enumeration_data);
bioscfg_drv.enumeration_data = NULL;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 304/567] scsi: hisi_sas: Add time interval between two H2D FIS following soft reset spec
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 303/567] scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 305/567] scsi: hisi_sas: Use macro instead of magic number Greg Kroah-Hartman
` (73 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xingui Yang, Yihang Li,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xingui Yang <yangxingui@huawei.com>
[ Upstream commit 3c62791322e42d1afd65acfdb5b3a371bde21ede ]
Spec says at least 5us between two H2D FIS when do soft reset, but be
generous and sleep for about 1ms.
Signed-off-by: Xingui Yang <yangxingui@huawei.com>
Link: https://lore.kernel.org/r/20241008021822.2617339-11-liyihang9@huawei.com
Reviewed-by: Yihang Li <liyihang9@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Stable-dep-of: 8ddc0c269165 ("scsi: hisi_sas: Fix NULL pointer exception during user_scan()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hisi_sas/hisi_sas_main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index 3ad58250bf6b2..17189703454a2 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -1340,6 +1340,7 @@ static int hisi_sas_softreset_ata_disk(struct domain_device *device)
}
if (rc == TMF_RESP_FUNC_COMPLETE) {
+ usleep_range(900, 1000);
ata_for_each_link(link, ap, EDGE) {
int pmp = sata_srst_pmp(link);
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 242/481] nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 241/481] parisc: Increase initial mapping to 64 MB with KALLSYMS Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 243/481] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read Greg Kroah-Hartman
` (73 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lyude Paul, Dave Airlie,
Danilo Krummrich
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Airlie <airlied@redhat.com>
commit 8f3c6f08ababad2e3bdd239728cf66a9949446b4 upstream.
If we have runtime suspended, and userspace wants to use /dev/drm_dp_*
then just tell it the device is busy instead of crashing in the GSP
code.
WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]
CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy)
Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024
RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]
This is a simple fix to get backported. We should probably engineer a
proper power domain solution to wake up devices and keep them awake
while fw updates are happening.
Cc: stable@vger.kernel.org
Fixes: 8894f4919bc4 ("drm/nouveau: register a drm_dp_aux channel for each dp connector")
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patch.msgid.link/20260224031750.791621-1-airlied@gmail.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
@@ -1210,6 +1210,9 @@ nouveau_connector_aux_xfer(struct drm_dp
u8 size = msg->size;
int ret;
+ if (pm_runtime_suspended(nv_connector->base.dev->dev))
+ return -EBUSY;
+
nv_encoder = find_encoder(&nv_connector->base, DCB_OUTPUT_DP);
if (!nv_encoder || !(aux = nv_encoder->aux))
return -ENODEV;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 229/460] wifi: libertas: fix use-after-free in lbs_free_adapter()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 228/460] platform/x86: hp-bioscfg: Support allocations of larger data Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 230/460] perf/x86/intel/uncore: Support more units on Granite Rapids Greg Kroah-Hartman
` (73 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Hodges, Johannes Berg,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Hodges <git@danielhodges.dev>
[ Upstream commit 03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0 ]
The lbs_free_adapter() function uses timer_delete() (non-synchronous)
for both command_timer and tx_lockup_timer before the structure is
freed. This is incorrect because timer_delete() does not wait for
any running timer callback to complete.
If a timer callback is executing when lbs_free_adapter() is called,
the callback will access freed memory since lbs_cfg_free() frees the
containing structure immediately after lbs_free_adapter() returns.
Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler)
access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields,
which would all be use-after-free violations.
Use timer_delete_sync() instead to ensure any running timer callback
has completed before returning.
This bug was introduced in commit 8f641d93c38a ("libertas: detect TX
lockups and reset hardware") where del_timer() was used instead of
del_timer_sync() in the cleanup path. The command_timer has had the
same issue since the driver was first written.
Fixes: 8f641d93c38a ("libertas: detect TX lockups and reset hardware")
Fixes: 954ee164f4f4 ("[PATCH] libertas: reorganize and simplify init sequence")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Hodges <git@danielhodges.dev>
Link: https://patch.msgid.link/20260206195356.15647-1-git@danielhodges.dev
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ del_timer() => timer_delete_sync() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/marvell/libertas/main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/marvell/libertas/main.c
+++ b/drivers/net/wireless/marvell/libertas/main.c
@@ -881,8 +881,8 @@ static void lbs_free_adapter(struct lbs_
{
lbs_free_cmd_buffer(priv);
kfifo_free(&priv->event_fifo);
- del_timer(&priv->command_timer);
- del_timer(&priv->tx_lockup_timer);
+ timer_delete_sync(&priv->command_timer);
+ timer_delete_sync(&priv->tx_lockup_timer);
del_timer(&priv->auto_deepsleep_timer);
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 305/567] scsi: hisi_sas: Use macro instead of magic number
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 304/567] scsi: hisi_sas: Add time interval between two H2D FIS following soft reset spec Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 306/567] scsi: hisi_sas: Fix NULL pointer exception during user_scan() Greg Kroah-Hartman
` (72 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yihang Li, Martin K. Petersen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yihang Li <liyihang9@huawei.com>
[ Upstream commit 4ca7fe99fc8485fcd04b367f37dc7a48f1355419 ]
The hisi_sas driver has a large number of magic numbers which makes for
unfriendly code reading. Use macro definitions instead.
Signed-off-by: Yihang Li <liyihang9@huawei.com>
Link: https://lore.kernel.org/r/20250414080845.1220997-2-liyihang9@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Stable-dep-of: 8ddc0c269165 ("scsi: hisi_sas: Fix NULL pointer exception during user_scan()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hisi_sas/hisi_sas.h | 43 +++--
drivers/scsi/hisi_sas/hisi_sas_main.c | 41 +++--
drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 244 ++++++++++++++++---------
3 files changed, 213 insertions(+), 115 deletions(-)
diff --git a/drivers/scsi/hisi_sas/hisi_sas.h b/drivers/scsi/hisi_sas/hisi_sas.h
index 1e4550156b735..4e905c9bec28e 100644
--- a/drivers/scsi/hisi_sas/hisi_sas.h
+++ b/drivers/scsi/hisi_sas/hisi_sas.h
@@ -47,6 +47,13 @@
#define HISI_SAS_IOST_ITCT_CACHE_DW_SZ 10
#define HISI_SAS_FIFO_DATA_DW_SIZE 32
+#define HISI_SAS_REG_MEM_SIZE 4
+#define HISI_SAS_MAX_CDB_LEN 16
+#define HISI_SAS_BLK_QUEUE_DEPTH 64
+
+#define BYTE_TO_DW 4
+#define BYTE_TO_DDW 8
+
#define HISI_SAS_STATUS_BUF_SZ (sizeof(struct hisi_sas_status_buffer))
#define HISI_SAS_COMMAND_TABLE_SZ (sizeof(union hisi_sas_command_table))
@@ -93,6 +100,8 @@
#define HISI_SAS_WAIT_PHYUP_TIMEOUT (30 * HZ)
#define HISI_SAS_CLEAR_ITCT_TIMEOUT (20 * HZ)
+#define HISI_SAS_DELAY_FOR_PHY_DISABLE 100
+#define NAME_BUF_SIZE 256
struct hisi_hba;
@@ -168,6 +177,8 @@ struct hisi_sas_debugfs_fifo {
u32 rd_data[HISI_SAS_FIFO_DATA_DW_SIZE];
};
+#define FRAME_RCVD_BUF 32
+#define SAS_PHY_RESV_SIZE 2
struct hisi_sas_phy {
struct work_struct works[HISI_PHYES_NUM];
struct hisi_hba *hisi_hba;
@@ -179,10 +190,10 @@ struct hisi_sas_phy {
spinlock_t lock;
u64 port_id; /* from hw */
u64 frame_rcvd_size;
- u8 frame_rcvd[32];
+ u8 frame_rcvd[FRAME_RCVD_BUF];
u8 phy_attached;
u8 in_reset;
- u8 reserved[2];
+ u8 reserved[SAS_PHY_RESV_SIZE];
u32 phy_type;
u32 code_violation_err_count;
enum sas_linkrate minimum_linkrate;
@@ -349,6 +360,7 @@ struct hisi_sas_hw {
};
#define HISI_SAS_MAX_DEBUGFS_DUMP (50)
+#define HISI_SAS_DEFAULT_DEBUGFS_DUMP 1
struct hisi_sas_debugfs_cq {
struct hisi_sas_cq *cq;
@@ -528,12 +540,13 @@ struct hisi_sas_cmd_hdr {
__le64 dif_prd_table_addr;
};
+#define ITCT_RESV_DDW 12
struct hisi_sas_itct {
__le64 qw0;
__le64 sas_addr;
__le64 qw2;
__le64 qw3;
- __le64 qw4_15[12];
+ __le64 qw4_15[ITCT_RESV_DDW];
};
struct hisi_sas_iost {
@@ -543,22 +556,26 @@ struct hisi_sas_iost {
__le64 qw3;
};
+#define ERROR_RECORD_BUF_DW 4
struct hisi_sas_err_record {
- u32 data[4];
+ u32 data[ERROR_RECORD_BUF_DW];
};
+#define FIS_RESV_DW 3
struct hisi_sas_initial_fis {
struct hisi_sas_err_record err_record;
struct dev_to_host_fis fis;
- u32 rsvd[3];
+ u32 rsvd[FIS_RESV_DW];
};
+#define BREAKPOINT_DATA_SIZE 128
struct hisi_sas_breakpoint {
- u8 data[128];
+ u8 data[BREAKPOINT_DATA_SIZE];
};
+#define BREAKPOINT_TAG_NUM 32
struct hisi_sas_sata_breakpoint {
- struct hisi_sas_breakpoint tag[32];
+ struct hisi_sas_breakpoint tag[BREAKPOINT_TAG_NUM];
};
struct hisi_sas_sge {
@@ -569,13 +586,15 @@ struct hisi_sas_sge {
__le32 data_off;
};
+#define SMP_CMD_TABLE_SIZE 44
struct hisi_sas_command_table_smp {
- u8 bytes[44];
+ u8 bytes[SMP_CMD_TABLE_SIZE];
};
+#define DUMMY_BUF_SIZE 12
struct hisi_sas_command_table_stp {
struct host_to_dev_fis command_fis;
- u8 dummy[12];
+ u8 dummy[DUMMY_BUF_SIZE];
u8 atapi_cdb[ATAPI_CDB_LEN];
};
@@ -589,12 +608,13 @@ struct hisi_sas_sge_dif_page {
struct hisi_sas_sge sge[HISI_SAS_SGE_DIF_PAGE_CNT];
} __aligned(16);
+#define PROT_BUF_SIZE 7
struct hisi_sas_command_table_ssp {
struct ssp_frame_hdr hdr;
union {
struct {
struct ssp_command_iu task;
- u32 prot[7];
+ u32 prot[PROT_BUF_SIZE];
};
struct ssp_tmf_iu ssp_task;
struct xfer_rdy_iu xfer_rdy;
@@ -608,9 +628,10 @@ union hisi_sas_command_table {
struct hisi_sas_command_table_stp stp;
} __aligned(16);
+#define IU_BUF_SIZE 1024
struct hisi_sas_status_buffer {
struct hisi_sas_err_record err;
- u8 iu[1024];
+ u8 iu[IU_BUF_SIZE];
} __aligned(16);
struct hisi_sas_slot_buf_table {
diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index 17189703454a2..0a52e7ba504cb 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -7,6 +7,16 @@
#include "hisi_sas.h"
#define DRV_NAME "hisi_sas"
+#define LINK_RATE_BIT_MASK 2
+#define FIS_BUF_SIZE 20
+#define WAIT_CMD_COMPLETE_DELAY 100
+#define WAIT_CMD_COMPLETE_TMROUT 5000
+#define DELAY_FOR_LINK_READY 2000
+#define BLK_CNT_OPTIMIZE_MARK 64
+#define HZ_TO_MHZ 1000000
+#define DELAY_FOR_SOFTRESET_MAX 1000
+#define DELAY_FOR_SOFTRESET_MIN 900
+
#define DEV_IS_GONE(dev) \
((!dev) || (dev->dev_type == SAS_PHY_UNUSED))
@@ -127,7 +137,7 @@ u8 hisi_sas_get_prog_phy_linkrate_mask(enum sas_linkrate max)
max -= SAS_LINK_RATE_1_5_GBPS;
for (i = 0; i <= max; i++)
- rate |= 1 << (i * 2);
+ rate |= 1 << (i * LINK_RATE_BIT_MASK);
return rate;
}
EXPORT_SYMBOL_GPL(hisi_sas_get_prog_phy_linkrate_mask);
@@ -876,7 +886,7 @@ int hisi_sas_slave_configure(struct scsi_device *sdev)
if (ret)
return ret;
if (!dev_is_sata(dev))
- sas_change_queue_depth(sdev, 64);
+ sas_change_queue_depth(sdev, HISI_SAS_BLK_QUEUE_DEPTH);
return 0;
}
@@ -1238,7 +1248,7 @@ static int hisi_sas_phy_set_linkrate(struct hisi_hba *hisi_hba, int phy_no,
sas_phy->phy->minimum_linkrate = min;
hisi_sas_phy_enable(hisi_hba, phy_no, 0);
- msleep(100);
+ msleep(HISI_SAS_DELAY_FOR_PHY_DISABLE);
hisi_hba->hw->phy_set_linkrate(hisi_hba, phy_no, &_r);
hisi_sas_phy_enable(hisi_hba, phy_no, 1);
@@ -1268,7 +1278,7 @@ static int hisi_sas_control_phy(struct asd_sas_phy *sas_phy, enum phy_func func,
case PHY_FUNC_LINK_RESET:
hisi_sas_phy_enable(hisi_hba, phy_no, 0);
- msleep(100);
+ msleep(HISI_SAS_DELAY_FOR_PHY_DISABLE);
hisi_sas_phy_enable(hisi_hba, phy_no, 1);
break;
@@ -1323,7 +1333,7 @@ static void hisi_sas_fill_ata_reset_cmd(struct ata_device *dev,
static int hisi_sas_softreset_ata_disk(struct domain_device *device)
{
- u8 fis[20] = {0};
+ u8 fis[FIS_BUF_SIZE] = {0};
struct ata_port *ap = device->sata_dev.ap;
struct ata_link *link;
int rc = TMF_RESP_FUNC_FAILED;
@@ -1340,7 +1350,7 @@ static int hisi_sas_softreset_ata_disk(struct domain_device *device)
}
if (rc == TMF_RESP_FUNC_COMPLETE) {
- usleep_range(900, 1000);
+ usleep_range(DELAY_FOR_SOFTRESET_MIN, DELAY_FOR_SOFTRESET_MAX);
ata_for_each_link(link, ap, EDGE) {
int pmp = sata_srst_pmp(link);
@@ -1459,7 +1469,7 @@ static void hisi_sas_send_ata_reset_each_phy(struct hisi_hba *hisi_hba,
struct device *dev = hisi_hba->dev;
int rc = TMF_RESP_FUNC_FAILED;
struct ata_link *link;
- u8 fis[20] = {0};
+ u8 fis[FIS_BUF_SIZE] = {0};
int i;
for (i = 0; i < hisi_hba->n_phy; i++) {
@@ -1526,7 +1536,9 @@ void hisi_sas_controller_reset_prepare(struct hisi_hba *hisi_hba)
hisi_hba->phy_state = hisi_hba->hw->get_phys_state(hisi_hba);
scsi_block_requests(shost);
- hisi_hba->hw->wait_cmds_complete_timeout(hisi_hba, 100, 5000);
+ hisi_hba->hw->wait_cmds_complete_timeout(hisi_hba,
+ WAIT_CMD_COMPLETE_DELAY,
+ WAIT_CMD_COMPLETE_TMROUT);
del_timer_sync(&hisi_hba->timer);
@@ -1822,7 +1834,7 @@ static int hisi_sas_debug_I_T_nexus_reset(struct domain_device *device)
rc = ata_wait_after_reset(link, jiffies + HISI_SAS_WAIT_PHYUP_TIMEOUT,
smp_ata_check_ready_type);
} else {
- msleep(2000);
+ msleep(DELAY_FOR_LINK_READY);
}
return rc;
@@ -2237,12 +2249,14 @@ int hisi_sas_alloc(struct hisi_hba *hisi_hba)
goto err_out;
/* roundup to avoid overly large block size */
- max_command_entries_ru = roundup(max_command_entries, 64);
+ max_command_entries_ru = roundup(max_command_entries,
+ BLK_CNT_OPTIMIZE_MARK);
if (hisi_hba->prot_mask & HISI_SAS_DIX_PROT_MASK)
sz_slot_buf_ru = sizeof(struct hisi_sas_slot_dif_buf_table);
else
sz_slot_buf_ru = sizeof(struct hisi_sas_slot_buf_table);
- sz_slot_buf_ru = roundup(sz_slot_buf_ru, 64);
+
+ sz_slot_buf_ru = roundup(sz_slot_buf_ru, BLK_CNT_OPTIMIZE_MARK);
s = max(lcm(max_command_entries_ru, sz_slot_buf_ru), PAGE_SIZE);
blk_cnt = (max_command_entries_ru * sz_slot_buf_ru) / s;
slots_per_blk = s / sz_slot_buf_ru;
@@ -2406,7 +2420,8 @@ int hisi_sas_get_fw_info(struct hisi_hba *hisi_hba)
if (IS_ERR(refclk))
dev_dbg(dev, "no ref clk property\n");
else
- hisi_hba->refclk_frequency_mhz = clk_get_rate(refclk) / 1000000;
+ hisi_hba->refclk_frequency_mhz = clk_get_rate(refclk) /
+ HZ_TO_MHZ;
if (device_property_read_u32(dev, "phy-count", &hisi_hba->n_phy)) {
dev_err(dev, "could not get property phy-count\n");
@@ -2523,7 +2538,7 @@ int hisi_sas_probe(struct platform_device *pdev,
shost->max_id = HISI_SAS_MAX_DEVICES;
shost->max_lun = ~0;
shost->max_channel = 1;
- shost->max_cmd_len = 16;
+ shost->max_cmd_len = HISI_SAS_MAX_CDB_LEN;
if (hisi_hba->hw->slot_index_alloc) {
shost->can_queue = HISI_SAS_MAX_COMMANDS;
shost->cmd_per_lun = HISI_SAS_MAX_COMMANDS;
diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
index 596b5426d9953..e8f5a8023a1af 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
@@ -465,6 +465,12 @@
#define ITCT_HDR_RTOLT_OFF 48
#define ITCT_HDR_RTOLT_MSK (0xffffULL << ITCT_HDR_RTOLT_OFF)
+/*debugfs*/
+#define TWO_PARA_PER_LINE 2
+#define FOUR_PARA_PER_LINE 4
+#define DUMP_BUF_SIZE 8
+#define BIST_BUF_SIZE 16
+
struct hisi_sas_protect_iu_v3_hw {
u32 dw0;
u32 lbrtcv;
@@ -535,6 +541,43 @@ struct hisi_sas_err_record_v3 {
#define BASE_VECTORS_V3_HW 16
#define MIN_AFFINE_VECTORS_V3_HW (BASE_VECTORS_V3_HW + 1)
+#define IRQ_PHY_UP_DOWN_INDEX 1
+#define IRQ_CHL_INDEX 2
+#define IRQ_AXI_INDEX 11
+
+#define DELAY_FOR_RESET_HW 100
+#define HDR_SG_MOD 0x2
+#define LUN_SIZE 8
+#define ATTR_PRIO_REGION 9
+#define CDB_REGION 12
+#define PRIO_OFF 3
+#define TMF_REGION 10
+#define TAG_MSB 12
+#define TAG_LSB 13
+#define SMP_FRAME_TYPE 2
+#define SMP_CRC_SIZE 4
+#define HDR_TAG_OFF 3
+#define HOST_NO_OFF 6
+#define PHY_NO_OFF 7
+#define IDENTIFY_REG_READ 6
+#define LINK_RESET_TIMEOUT_OFF 4
+#define DECIMALISM_FLAG 10
+#define WAIT_RETRY 100
+#define WAIT_TMROUT 5000
+
+#define ID_DWORD0_INDEX 0
+#define ID_DWORD1_INDEX 1
+#define ID_DWORD2_INDEX 2
+#define ID_DWORD3_INDEX 3
+#define ID_DWORD4_INDEX 4
+#define ID_DWORD5_INDEX 5
+#define TICKS_BIT_INDEX 24
+#define COUNT_BIT_INDEX 8
+
+#define PORT_REG_LENGTH 0x100
+#define GLOBAL_REG_LENGTH 0x800
+#define AXI_REG_LENGTH 0x61
+#define RAS_REG_LENGTH 0x10
#define CHNL_INT_STS_MSK 0xeeeeeeee
#define CHNL_INT_STS_PHY_MSK 0xe
@@ -807,17 +850,17 @@ static void config_id_frame_v3_hw(struct hisi_hba *hisi_hba, int phy_no)
identify_buffer = (u32 *)(&identify_frame);
hisi_sas_phy_write32(hisi_hba, phy_no, TX_ID_DWORD0,
- __swab32(identify_buffer[0]));
+ __swab32(identify_buffer[ID_DWORD0_INDEX]));
hisi_sas_phy_write32(hisi_hba, phy_no, TX_ID_DWORD1,
- __swab32(identify_buffer[1]));
+ __swab32(identify_buffer[ID_DWORD1_INDEX]));
hisi_sas_phy_write32(hisi_hba, phy_no, TX_ID_DWORD2,
- __swab32(identify_buffer[2]));
+ __swab32(identify_buffer[ID_DWORD2_INDEX]));
hisi_sas_phy_write32(hisi_hba, phy_no, TX_ID_DWORD3,
- __swab32(identify_buffer[3]));
+ __swab32(identify_buffer[ID_DWORD3_INDEX]));
hisi_sas_phy_write32(hisi_hba, phy_no, TX_ID_DWORD4,
- __swab32(identify_buffer[4]));
+ __swab32(identify_buffer[ID_DWORD4_INDEX]));
hisi_sas_phy_write32(hisi_hba, phy_no, TX_ID_DWORD5,
- __swab32(identify_buffer[5]));
+ __swab32(identify_buffer[ID_DWORD5_INDEX]));
}
static void setup_itct_v3_hw(struct hisi_hba *hisi_hba,
@@ -937,7 +980,7 @@ static int reset_hw_v3_hw(struct hisi_hba *hisi_hba)
/* Disable all of the PHYs */
hisi_sas_stop_phys(hisi_hba);
- udelay(50);
+ udelay(HISI_SAS_DELAY_FOR_PHY_DISABLE);
/* Ensure axi bus idle */
ret = hisi_sas_read32_poll_timeout(AXI_CFG, val, !val,
@@ -977,7 +1020,7 @@ static int hw_init_v3_hw(struct hisi_hba *hisi_hba)
return rc;
}
- msleep(100);
+ msleep(DELAY_FOR_RESET_HW);
init_reg_v3_hw(hisi_hba);
if (guid_parse("D5918B4B-37AE-4E10-A99F-E5E8A6EF4C1F", &guid)) {
@@ -1026,7 +1069,7 @@ static void disable_phy_v3_hw(struct hisi_hba *hisi_hba, int phy_no)
cfg &= ~PHY_CFG_ENA_MSK;
hisi_sas_phy_write32(hisi_hba, phy_no, PHY_CFG, cfg);
- mdelay(50);
+ mdelay(HISI_SAS_DELAY_FOR_PHY_DISABLE);
state = hisi_sas_read32(hisi_hba, PHY_STATE);
if (state & BIT(phy_no)) {
@@ -1062,7 +1105,7 @@ static void phy_hard_reset_v3_hw(struct hisi_hba *hisi_hba, int phy_no)
hisi_sas_phy_write32(hisi_hba, phy_no, TXID_AUTO,
txid_auto | TX_HARDRST_MSK);
}
- msleep(100);
+ msleep(HISI_SAS_DELAY_FOR_PHY_DISABLE);
hisi_sas_phy_enable(hisi_hba, phy_no, 1);
}
@@ -1107,7 +1150,8 @@ static int get_wideport_bitmap_v3_hw(struct hisi_hba *hisi_hba, int port_id)
for (i = 0; i < hisi_hba->n_phy; i++)
if (phy_state & BIT(i))
- if (((phy_port_num_ma >> (i * 4)) & 0xf) == port_id)
+ if (((phy_port_num_ma >> (i * HISI_SAS_REG_MEM_SIZE)) & 0xf) ==
+ port_id)
bitmap |= BIT(i);
return bitmap;
@@ -1305,9 +1349,9 @@ static void prep_ssp_v3_hw(struct hisi_hba *hisi_hba,
dw1 |= sas_dev->device_id << CMD_HDR_DEV_ID_OFF;
dw2 = (((sizeof(struct ssp_command_iu) + sizeof(struct ssp_frame_hdr)
- + 3) / 4) << CMD_HDR_CFL_OFF) |
- ((HISI_SAS_MAX_SSP_RESP_SZ / 4) << CMD_HDR_MRFL_OFF) |
- (2 << CMD_HDR_SG_MOD_OFF);
+ + 3) / BYTE_TO_DW) << CMD_HDR_CFL_OFF) |
+ ((HISI_SAS_MAX_SSP_RESP_SZ / BYTE_TO_DW) << CMD_HDR_MRFL_OFF) |
+ (HDR_SG_MOD << CMD_HDR_SG_MOD_OFF);
hdr->dw2 = cpu_to_le32(dw2);
hdr->transfer_tags = cpu_to_le32(slot->idx);
@@ -1327,18 +1371,19 @@ static void prep_ssp_v3_hw(struct hisi_hba *hisi_hba,
buf_cmd = hisi_sas_cmd_hdr_addr_mem(slot) +
sizeof(struct ssp_frame_hdr);
- memcpy(buf_cmd, &task->ssp_task.LUN, 8);
+ memcpy(buf_cmd, &task->ssp_task.LUN, LUN_SIZE);
if (!tmf) {
- buf_cmd[9] = ssp_task->task_attr;
- memcpy(buf_cmd + 12, scsi_cmnd->cmnd, scsi_cmnd->cmd_len);
+ buf_cmd[ATTR_PRIO_REGION] = ssp_task->task_attr;
+ memcpy(buf_cmd + CDB_REGION, scsi_cmnd->cmnd,
+ scsi_cmnd->cmd_len);
} else {
- buf_cmd[10] = tmf->tmf;
+ buf_cmd[TMF_REGION] = tmf->tmf;
switch (tmf->tmf) {
case TMF_ABORT_TASK:
case TMF_QUERY_TASK:
- buf_cmd[12] =
+ buf_cmd[TAG_MSB] =
(tmf->tag_of_task_to_be_managed >> 8) & 0xff;
- buf_cmd[13] =
+ buf_cmd[TAG_LSB] =
tmf->tag_of_task_to_be_managed & 0xff;
break;
default:
@@ -1371,7 +1416,8 @@ static void prep_ssp_v3_hw(struct hisi_hba *hisi_hba,
unsigned int interval = scsi_prot_interval(scsi_cmnd);
unsigned int ilog2_interval = ilog2(interval);
- len = (task->total_xfer_len >> ilog2_interval) * 8;
+ len = (task->total_xfer_len >> ilog2_interval) *
+ BYTE_TO_DDW;
}
}
@@ -1391,6 +1437,7 @@ static void prep_smp_v3_hw(struct hisi_hba *hisi_hba,
struct hisi_sas_device *sas_dev = device->lldd_dev;
dma_addr_t req_dma_addr;
unsigned int req_len;
+ u32 cfl;
/* req */
sg_req = &task->smp_task.smp_req;
@@ -1401,7 +1448,7 @@ static void prep_smp_v3_hw(struct hisi_hba *hisi_hba,
/* dw0 */
hdr->dw0 = cpu_to_le32((port->id << CMD_HDR_PORT_OFF) |
(1 << CMD_HDR_PRIORITY_OFF) | /* high pri */
- (2 << CMD_HDR_CMD_OFF)); /* smp */
+ (SMP_FRAME_TYPE << CMD_HDR_CMD_OFF)); /* smp */
/* map itct entry */
hdr->dw1 = cpu_to_le32((sas_dev->device_id << CMD_HDR_DEV_ID_OFF) |
@@ -1409,8 +1456,9 @@ static void prep_smp_v3_hw(struct hisi_hba *hisi_hba,
(DIR_NO_DATA << CMD_HDR_DIR_OFF));
/* dw2 */
- hdr->dw2 = cpu_to_le32((((req_len - 4) / 4) << CMD_HDR_CFL_OFF) |
- (HISI_SAS_MAX_SMP_RESP_SZ / 4 <<
+ cfl = (req_len - SMP_CRC_SIZE) / BYTE_TO_DW;
+ hdr->dw2 = cpu_to_le32((cfl << CMD_HDR_CFL_OFF) |
+ (HISI_SAS_MAX_SMP_RESP_SZ / BYTE_TO_DW <<
CMD_HDR_MRFL_OFF));
hdr->transfer_tags = cpu_to_le32(slot->idx << CMD_HDR_IPTT_OFF);
@@ -1477,12 +1525,13 @@ static void prep_ata_v3_hw(struct hisi_hba *hisi_hba,
struct ata_queued_cmd *qc = task->uldd_task;
hdr_tag = qc->tag;
- task->ata_task.fis.sector_count |= (u8) (hdr_tag << 3);
+ task->ata_task.fis.sector_count |=
+ (u8)(hdr_tag << HDR_TAG_OFF);
dw2 |= hdr_tag << CMD_HDR_NCQ_TAG_OFF;
}
- dw2 |= (HISI_SAS_MAX_STP_RESP_SZ / 4) << CMD_HDR_CFL_OFF |
- 2 << CMD_HDR_SG_MOD_OFF;
+ dw2 |= (HISI_SAS_MAX_STP_RESP_SZ / BYTE_TO_DW) << CMD_HDR_CFL_OFF |
+ HDR_SG_MOD << CMD_HDR_SG_MOD_OFF;
hdr->dw2 = cpu_to_le32(dw2);
/* dw3 */
@@ -1542,9 +1591,9 @@ static irqreturn_t phy_up_v3_hw(int phy_no, struct hisi_hba *hisi_hba)
hisi_sas_phy_write32(hisi_hba, phy_no, PHYCTRL_PHY_ENA_MSK, 1);
port_id = hisi_sas_read32(hisi_hba, PHY_PORT_NUM_MA);
- port_id = (port_id >> (4 * phy_no)) & 0xf;
+ port_id = (port_id >> (HISI_SAS_REG_MEM_SIZE * phy_no)) & 0xf;
link_rate = hisi_sas_read32(hisi_hba, PHY_CONN_RATE);
- link_rate = (link_rate >> (phy_no * 4)) & 0xf;
+ link_rate = (link_rate >> (phy_no * HISI_SAS_REG_MEM_SIZE)) & 0xf;
if (port_id == 0xf) {
dev_err(dev, "phyup: phy%d invalid portid\n", phy_no);
@@ -1577,8 +1626,8 @@ static irqreturn_t phy_up_v3_hw(int phy_no, struct hisi_hba *hisi_hba)
sas_phy->oob_mode = SATA_OOB_MODE;
attached_sas_addr[0] = 0x50;
- attached_sas_addr[6] = shost->host_no;
- attached_sas_addr[7] = phy_no;
+ attached_sas_addr[HOST_NO_OFF] = shost->host_no;
+ attached_sas_addr[PHY_NO_OFF] = phy_no;
memcpy(sas_phy->attached_sas_addr,
attached_sas_addr,
SAS_ADDR_SIZE);
@@ -1594,7 +1643,7 @@ static irqreturn_t phy_up_v3_hw(int phy_no, struct hisi_hba *hisi_hba)
(struct sas_identify_frame *)frame_rcvd;
dev_info(dev, "phyup: phy%d link_rate=%d\n", phy_no, link_rate);
- for (i = 0; i < 6; i++) {
+ for (i = 0; i < IDENTIFY_REG_READ; i++) {
u32 idaf = hisi_sas_phy_read32(hisi_hba, phy_no,
RX_IDAF_DWORD0 + (i * 4));
frame_rcvd[i] = __swab32(idaf);
@@ -1864,7 +1913,7 @@ static void handle_chl_int2_v3_hw(struct hisi_hba *hisi_hba, int phy_no)
dev_warn(dev, "phy%d stp link timeout (0x%x)\n",
phy_no, reg_value);
- if (reg_value & BIT(4))
+ if (reg_value & BIT(LINK_RESET_TIMEOUT_OFF))
hisi_sas_notify_phy_event(phy, HISI_PHYE_LINK_RESET);
}
@@ -2581,7 +2630,7 @@ static int interrupt_init_v3_hw(struct hisi_hba *hisi_hba)
struct pci_dev *pdev = hisi_hba->pci_dev;
int rc, i;
- rc = devm_request_irq(dev, pci_irq_vector(pdev, 1),
+ rc = devm_request_irq(dev, pci_irq_vector(pdev, IRQ_PHY_UP_DOWN_INDEX),
int_phy_up_down_bcast_v3_hw, 0,
DRV_NAME " phy", hisi_hba);
if (rc) {
@@ -2589,7 +2638,7 @@ static int interrupt_init_v3_hw(struct hisi_hba *hisi_hba)
return -ENOENT;
}
- rc = devm_request_irq(dev, pci_irq_vector(pdev, 2),
+ rc = devm_request_irq(dev, pci_irq_vector(pdev, IRQ_CHL_INDEX),
int_chnl_int_v3_hw, 0,
DRV_NAME " channel", hisi_hba);
if (rc) {
@@ -2597,7 +2646,7 @@ static int interrupt_init_v3_hw(struct hisi_hba *hisi_hba)
return -ENOENT;
}
- rc = devm_request_irq(dev, pci_irq_vector(pdev, 11),
+ rc = devm_request_irq(dev, pci_irq_vector(pdev, IRQ_AXI_INDEX),
fatal_axi_int_v3_hw, 0,
DRV_NAME " fatal", hisi_hba);
if (rc) {
@@ -2610,7 +2659,8 @@ static int interrupt_init_v3_hw(struct hisi_hba *hisi_hba)
for (i = 0; i < hisi_hba->cq_nvecs; i++) {
struct hisi_sas_cq *cq = &hisi_hba->cq[i];
- int nr = hisi_sas_intr_conv ? 16 : 16 + i;
+ int nr = hisi_sas_intr_conv ? BASE_VECTORS_V3_HW :
+ BASE_VECTORS_V3_HW + i;
unsigned long irqflags = hisi_sas_intr_conv ? IRQF_SHARED :
IRQF_ONESHOT;
@@ -2668,14 +2718,14 @@ static void interrupt_disable_v3_hw(struct hisi_hba *hisi_hba)
struct pci_dev *pdev = hisi_hba->pci_dev;
int i;
- synchronize_irq(pci_irq_vector(pdev, 1));
- synchronize_irq(pci_irq_vector(pdev, 2));
- synchronize_irq(pci_irq_vector(pdev, 11));
+ synchronize_irq(pci_irq_vector(pdev, IRQ_PHY_UP_DOWN_INDEX));
+ synchronize_irq(pci_irq_vector(pdev, IRQ_CHL_INDEX));
+ synchronize_irq(pci_irq_vector(pdev, IRQ_AXI_INDEX));
for (i = 0; i < hisi_hba->queue_count; i++)
hisi_sas_write32(hisi_hba, OQ0_INT_SRC_MSK + 0x4 * i, 0x1);
for (i = 0; i < hisi_hba->cq_nvecs; i++)
- synchronize_irq(pci_irq_vector(pdev, i + 16));
+ synchronize_irq(pci_irq_vector(pdev, i + BASE_VECTORS_V3_HW));
hisi_sas_write32(hisi_hba, ENT_INT_SRC_MSK1, 0xffffffff);
hisi_sas_write32(hisi_hba, ENT_INT_SRC_MSK2, 0xffffffff);
@@ -2707,7 +2757,7 @@ static int disable_host_v3_hw(struct hisi_hba *hisi_hba)
hisi_sas_stop_phys(hisi_hba);
- mdelay(10);
+ mdelay(HISI_SAS_DELAY_FOR_PHY_DISABLE);
reg_val = hisi_sas_read32(hisi_hba, AXI_MASTER_CFG_BASE +
AM_CTRL_GLOBAL);
@@ -2843,13 +2893,13 @@ static ssize_t intr_coal_ticks_v3_hw_store(struct device *dev,
u32 intr_coal_ticks;
int ret;
- ret = kstrtou32(buf, 10, &intr_coal_ticks);
+ ret = kstrtou32(buf, DECIMALISM_FLAG, &intr_coal_ticks);
if (ret) {
dev_err(dev, "Input data of interrupt coalesce unmatch\n");
return -EINVAL;
}
- if (intr_coal_ticks >= BIT(24)) {
+ if (intr_coal_ticks >= BIT(TICKS_BIT_INDEX)) {
dev_err(dev, "intr_coal_ticks must be less than 2^24!\n");
return -EINVAL;
}
@@ -2882,13 +2932,13 @@ static ssize_t intr_coal_count_v3_hw_store(struct device *dev,
u32 intr_coal_count;
int ret;
- ret = kstrtou32(buf, 10, &intr_coal_count);
+ ret = kstrtou32(buf, DECIMALISM_FLAG, &intr_coal_count);
if (ret) {
dev_err(dev, "Input data of interrupt coalesce unmatch\n");
return -EINVAL;
}
- if (intr_coal_count >= BIT(8)) {
+ if (intr_coal_count >= BIT(COUNT_BIT_INDEX)) {
dev_err(dev, "intr_coal_count must be less than 2^8!\n");
return -EINVAL;
}
@@ -3014,7 +3064,7 @@ static const struct hisi_sas_debugfs_reg_lu debugfs_port_reg_lu[] = {
static const struct hisi_sas_debugfs_reg debugfs_port_reg = {
.lu = debugfs_port_reg_lu,
- .count = 0x100,
+ .count = PORT_REG_LENGTH,
.base_off = PORT_BASE,
};
@@ -3088,7 +3138,7 @@ static const struct hisi_sas_debugfs_reg_lu debugfs_global_reg_lu[] = {
static const struct hisi_sas_debugfs_reg debugfs_global_reg = {
.lu = debugfs_global_reg_lu,
- .count = 0x800,
+ .count = GLOBAL_REG_LENGTH,
};
static const struct hisi_sas_debugfs_reg_lu debugfs_axi_reg_lu[] = {
@@ -3101,7 +3151,7 @@ static const struct hisi_sas_debugfs_reg_lu debugfs_axi_reg_lu[] = {
static const struct hisi_sas_debugfs_reg debugfs_axi_reg = {
.lu = debugfs_axi_reg_lu,
- .count = 0x61,
+ .count = AXI_REG_LENGTH,
.base_off = AXI_MASTER_CFG_BASE,
};
@@ -3118,7 +3168,7 @@ static const struct hisi_sas_debugfs_reg_lu debugfs_ras_reg_lu[] = {
static const struct hisi_sas_debugfs_reg debugfs_ras_reg = {
.lu = debugfs_ras_reg_lu,
- .count = 0x10,
+ .count = RAS_REG_LENGTH,
.base_off = RAS_BASE,
};
@@ -3127,7 +3177,7 @@ static void debugfs_snapshot_prepare_v3_hw(struct hisi_hba *hisi_hba)
struct Scsi_Host *shost = hisi_hba->shost;
scsi_block_requests(shost);
- wait_cmds_complete_timeout_v3_hw(hisi_hba, 100, 5000);
+ wait_cmds_complete_timeout_v3_hw(hisi_hba, WAIT_RETRY, WAIT_TMROUT);
set_bit(HISI_SAS_REJECT_CMD_BIT, &hisi_hba->flags);
hisi_sas_sync_cqs(hisi_hba);
@@ -3168,7 +3218,7 @@ static void read_iost_itct_cache_v3_hw(struct hisi_hba *hisi_hba,
return;
}
- memset(buf, 0, cache_dw_size * 4);
+ memset(buf, 0, cache_dw_size * BYTE_TO_DW);
buf[0] = val;
for (i = 1; i < cache_dw_size; i++)
@@ -3215,7 +3265,7 @@ static void hisi_sas_bist_test_restore_v3_hw(struct hisi_hba *hisi_hba)
reg_val = hisi_sas_phy_read32(hisi_hba, phy_no, PROG_PHY_LINK_RATE);
/* init OOB link rate as 1.5 Gbits */
reg_val &= ~CFG_PROG_OOB_PHY_LINK_RATE_MSK;
- reg_val |= (0x8 << CFG_PROG_OOB_PHY_LINK_RATE_OFF);
+ reg_val |= (SAS_LINK_RATE_1_5_GBPS << CFG_PROG_OOB_PHY_LINK_RATE_OFF);
hisi_sas_phy_write32(hisi_hba, phy_no, PROG_PHY_LINK_RATE, reg_val);
/* enable PHY */
@@ -3224,6 +3274,9 @@ static void hisi_sas_bist_test_restore_v3_hw(struct hisi_hba *hisi_hba)
#define SAS_PHY_BIST_CODE_INIT 0x1
#define SAS_PHY_BIST_CODE1_INIT 0X80
+#define SAS_PHY_BIST_INIT_DELAY 100
+#define SAS_PHY_BIST_LOOP_TEST_0 1
+#define SAS_PHY_BIST_LOOP_TEST_1 2
static int debugfs_set_bist_v3_hw(struct hisi_hba *hisi_hba, bool enable)
{
u32 reg_val, mode_tmp;
@@ -3242,7 +3295,8 @@ static int debugfs_set_bist_v3_hw(struct hisi_hba *hisi_hba, bool enable)
ffe[FFE_SATA_1_5_GBPS], ffe[FFE_SATA_3_0_GBPS],
ffe[FFE_SATA_6_0_GBPS], fix_code[FIXED_CODE],
fix_code[FIXED_CODE_1]);
- mode_tmp = path_mode ? 2 : 1;
+ mode_tmp = path_mode ? SAS_PHY_BIST_LOOP_TEST_1 :
+ SAS_PHY_BIST_LOOP_TEST_0;
if (enable) {
/* some preparations before bist test */
hisi_sas_bist_test_prep_v3_hw(hisi_hba);
@@ -3285,13 +3339,13 @@ static int debugfs_set_bist_v3_hw(struct hisi_hba *hisi_hba, bool enable)
SAS_PHY_BIST_CODE1_INIT);
}
- mdelay(100);
+ mdelay(SAS_PHY_BIST_INIT_DELAY);
reg_val |= (CFG_RX_BIST_EN_MSK | CFG_TX_BIST_EN_MSK);
hisi_sas_phy_write32(hisi_hba, phy_no, SAS_PHY_BIST_CTRL,
reg_val);
/* clear error bit */
- mdelay(100);
+ mdelay(SAS_PHY_BIST_INIT_DELAY);
hisi_sas_phy_read32(hisi_hba, phy_no, SAS_BIST_ERR_CNT);
} else {
/* disable bist test and recover it */
@@ -3482,7 +3536,7 @@ static void debugfs_snapshot_port_reg_v3_hw(struct hisi_hba *hisi_hba)
for (phy_cnt = 0; phy_cnt < hisi_hba->n_phy; phy_cnt++) {
databuf = hisi_hba->debugfs_port_reg[dump_index][phy_cnt].data;
for (i = 0; i < port->count; i++, databuf++) {
- offset = port->base_off + 4 * i;
+ offset = port->base_off + HISI_SAS_REG_MEM_SIZE * i;
*databuf = hisi_sas_phy_read32(hisi_hba, phy_cnt,
offset);
}
@@ -3496,7 +3550,8 @@ static void debugfs_snapshot_global_reg_v3_hw(struct hisi_hba *hisi_hba)
int i;
for (i = 0; i < debugfs_global_reg.count; i++, databuf++)
- *databuf = hisi_sas_read32(hisi_hba, 4 * i);
+ *databuf = hisi_sas_read32(hisi_hba,
+ HISI_SAS_REG_MEM_SIZE * i);
}
static void debugfs_snapshot_axi_reg_v3_hw(struct hisi_hba *hisi_hba)
@@ -3507,7 +3562,9 @@ static void debugfs_snapshot_axi_reg_v3_hw(struct hisi_hba *hisi_hba)
int i;
for (i = 0; i < axi->count; i++, databuf++)
- *databuf = hisi_sas_read32(hisi_hba, 4 * i + axi->base_off);
+ *databuf = hisi_sas_read32(hisi_hba,
+ HISI_SAS_REG_MEM_SIZE * i +
+ axi->base_off);
}
static void debugfs_snapshot_ras_reg_v3_hw(struct hisi_hba *hisi_hba)
@@ -3518,7 +3575,9 @@ static void debugfs_snapshot_ras_reg_v3_hw(struct hisi_hba *hisi_hba)
int i;
for (i = 0; i < ras->count; i++, databuf++)
- *databuf = hisi_sas_read32(hisi_hba, 4 * i + ras->base_off);
+ *databuf = hisi_sas_read32(hisi_hba,
+ HISI_SAS_REG_MEM_SIZE * i +
+ ras->base_off);
}
static void debugfs_snapshot_itct_reg_v3_hw(struct hisi_hba *hisi_hba)
@@ -3581,7 +3640,7 @@ static void debugfs_print_reg_v3_hw(u32 *regs_val, struct seq_file *s,
int i;
for (i = 0; i < reg->count; i++) {
- int off = i * 4;
+ int off = i * HISI_SAS_REG_MEM_SIZE;
const char *name;
name = debugfs_to_reg_name_v3_hw(off, reg->base_off,
@@ -3659,9 +3718,9 @@ static void debugfs_show_row_64_v3_hw(struct seq_file *s, int index,
/* completion header size not fixed per HW version */
seq_printf(s, "index %04d:\n\t", index);
- for (i = 1; i <= sz / 8; i++, ptr++) {
+ for (i = 1; i <= sz / BYTE_TO_DDW; i++, ptr++) {
seq_printf(s, " 0x%016llx", le64_to_cpu(*ptr));
- if (!(i % 2))
+ if (!(i % TWO_PARA_PER_LINE))
seq_puts(s, "\n\t");
}
@@ -3675,9 +3734,9 @@ static void debugfs_show_row_32_v3_hw(struct seq_file *s, int index,
/* completion header size not fixed per HW version */
seq_printf(s, "index %04d:\n\t", index);
- for (i = 1; i <= sz / 4; i++, ptr++) {
+ for (i = 1; i <= sz / BYTE_TO_DW; i++, ptr++) {
seq_printf(s, " 0x%08x", le32_to_cpu(*ptr));
- if (!(i % 4))
+ if (!(i % FOUR_PARA_PER_LINE))
seq_puts(s, "\n\t");
}
seq_puts(s, "\n");
@@ -3762,7 +3821,7 @@ static int debugfs_iost_cache_v3_hw_show(struct seq_file *s, void *p)
struct hisi_sas_debugfs_iost_cache *debugfs_iost_cache = s->private;
struct hisi_sas_iost_itct_cache *iost_cache =
debugfs_iost_cache->cache;
- u32 cache_size = HISI_SAS_IOST_ITCT_CACHE_DW_SZ * 4;
+ u32 cache_size = HISI_SAS_IOST_ITCT_CACHE_DW_SZ * BYTE_TO_DW;
int i, tab_idx;
__le64 *iost;
@@ -3810,7 +3869,7 @@ static int debugfs_itct_cache_v3_hw_show(struct seq_file *s, void *p)
struct hisi_sas_debugfs_itct_cache *debugfs_itct_cache = s->private;
struct hisi_sas_iost_itct_cache *itct_cache =
debugfs_itct_cache->cache;
- u32 cache_size = HISI_SAS_IOST_ITCT_CACHE_DW_SZ * 4;
+ u32 cache_size = HISI_SAS_IOST_ITCT_CACHE_DW_SZ * BYTE_TO_DW;
int i, tab_idx;
__le64 *itct;
@@ -3839,12 +3898,12 @@ static void debugfs_create_files_v3_hw(struct hisi_hba *hisi_hba, int index)
u64 *debugfs_timestamp;
struct dentry *dump_dentry;
struct dentry *dentry;
- char name[256];
+ char name[NAME_BUF_SIZE];
int p;
int c;
int d;
- snprintf(name, 256, "%d", index);
+ snprintf(name, NAME_BUF_SIZE, "%d", index);
dump_dentry = debugfs_create_dir(name, hisi_hba->debugfs_dump_dentry);
@@ -3860,7 +3919,7 @@ static void debugfs_create_files_v3_hw(struct hisi_hba *hisi_hba, int index)
/* Create port dir and files */
dentry = debugfs_create_dir("port", dump_dentry);
for (p = 0; p < hisi_hba->n_phy; p++) {
- snprintf(name, 256, "%d", p);
+ snprintf(name, NAME_BUF_SIZE, "%d", p);
debugfs_create_file(name, 0400, dentry,
&hisi_hba->debugfs_port_reg[index][p],
@@ -3870,7 +3929,7 @@ static void debugfs_create_files_v3_hw(struct hisi_hba *hisi_hba, int index)
/* Create CQ dir and files */
dentry = debugfs_create_dir("cq", dump_dentry);
for (c = 0; c < hisi_hba->queue_count; c++) {
- snprintf(name, 256, "%d", c);
+ snprintf(name, NAME_BUF_SIZE, "%d", c);
debugfs_create_file(name, 0400, dentry,
&hisi_hba->debugfs_cq[index][c],
@@ -3880,7 +3939,7 @@ static void debugfs_create_files_v3_hw(struct hisi_hba *hisi_hba, int index)
/* Create DQ dir and files */
dentry = debugfs_create_dir("dq", dump_dentry);
for (d = 0; d < hisi_hba->queue_count; d++) {
- snprintf(name, 256, "%d", d);
+ snprintf(name, NAME_BUF_SIZE, "%d", d);
debugfs_create_file(name, 0400, dentry,
&hisi_hba->debugfs_dq[index][d],
@@ -3917,9 +3976,9 @@ static ssize_t debugfs_trigger_dump_v3_hw_write(struct file *file,
size_t count, loff_t *ppos)
{
struct hisi_hba *hisi_hba = file->f_inode->i_private;
- char buf[8];
+ char buf[DUMP_BUF_SIZE];
- if (count > 8)
+ if (count > DUMP_BUF_SIZE)
return -EFAULT;
if (copy_from_user(buf, user_buf, count))
@@ -3983,7 +4042,7 @@ static ssize_t debugfs_bist_linkrate_v3_hw_write(struct file *filp,
{
struct seq_file *m = filp->private_data;
struct hisi_hba *hisi_hba = m->private;
- char kbuf[16] = {}, *pkbuf;
+ char kbuf[BIST_BUF_SIZE] = {}, *pkbuf;
bool found = false;
int i;
@@ -4000,7 +4059,7 @@ static ssize_t debugfs_bist_linkrate_v3_hw_write(struct file *filp,
for (i = 0; i < ARRAY_SIZE(debugfs_loop_linkrate_v3_hw); i++) {
if (!strncmp(debugfs_loop_linkrate_v3_hw[i].name,
- pkbuf, 16)) {
+ pkbuf, BIST_BUF_SIZE)) {
hisi_hba->debugfs_bist_linkrate =
debugfs_loop_linkrate_v3_hw[i].value;
found = true;
@@ -4073,7 +4132,7 @@ static ssize_t debugfs_bist_code_mode_v3_hw_write(struct file *filp,
{
struct seq_file *m = filp->private_data;
struct hisi_hba *hisi_hba = m->private;
- char kbuf[16] = {}, *pkbuf;
+ char kbuf[BIST_BUF_SIZE] = {}, *pkbuf;
bool found = false;
int i;
@@ -4090,7 +4149,7 @@ static ssize_t debugfs_bist_code_mode_v3_hw_write(struct file *filp,
for (i = 0; i < ARRAY_SIZE(debugfs_loop_code_mode_v3_hw); i++) {
if (!strncmp(debugfs_loop_code_mode_v3_hw[i].name,
- pkbuf, 16)) {
+ pkbuf, BIST_BUF_SIZE)) {
hisi_hba->debugfs_bist_code_mode =
debugfs_loop_code_mode_v3_hw[i].value;
found = true;
@@ -4250,7 +4309,7 @@ static ssize_t debugfs_bist_mode_v3_hw_write(struct file *filp,
{
struct seq_file *m = filp->private_data;
struct hisi_hba *hisi_hba = m->private;
- char kbuf[16] = {}, *pkbuf;
+ char kbuf[BIST_BUF_SIZE] = {}, *pkbuf;
bool found = false;
int i;
@@ -4266,7 +4325,8 @@ static ssize_t debugfs_bist_mode_v3_hw_write(struct file *filp,
pkbuf = strstrip(kbuf);
for (i = 0; i < ARRAY_SIZE(debugfs_loop_modes_v3_hw); i++) {
- if (!strncmp(debugfs_loop_modes_v3_hw[i].name, pkbuf, 16)) {
+ if (!strncmp(debugfs_loop_modes_v3_hw[i].name, pkbuf,
+ BIST_BUF_SIZE)) {
hisi_hba->debugfs_bist_mode =
debugfs_loop_modes_v3_hw[i].value;
found = true;
@@ -4604,8 +4664,9 @@ static int debugfs_fifo_data_v3_hw_show(struct seq_file *s, void *p)
debugfs_read_fifo_data_v3_hw(phy);
- debugfs_show_row_32_v3_hw(s, 0, HISI_SAS_FIFO_DATA_DW_SIZE * 4,
- (__le32 *)phy->fifo.rd_data);
+ debugfs_show_row_32_v3_hw(s, 0,
+ HISI_SAS_FIFO_DATA_DW_SIZE * HISI_SAS_REG_MEM_SIZE,
+ phy->fifo.rd_data);
return 0;
}
@@ -4737,14 +4798,14 @@ static int debugfs_alloc_v3_hw(struct hisi_hba *hisi_hba, int dump_index)
struct hisi_sas_debugfs_regs *regs =
&hisi_hba->debugfs_regs[dump_index][r];
- sz = debugfs_reg_array_v3_hw[r]->count * 4;
+ sz = debugfs_reg_array_v3_hw[r]->count * HISI_SAS_REG_MEM_SIZE;
regs->data = devm_kmalloc(dev, sz, GFP_KERNEL);
if (!regs->data)
goto fail;
regs->hisi_hba = hisi_hba;
}
- sz = debugfs_port_reg.count * 4;
+ sz = debugfs_port_reg.count * HISI_SAS_REG_MEM_SIZE;
for (p = 0; p < hisi_hba->n_phy; p++) {
struct hisi_sas_debugfs_port *port =
&hisi_hba->debugfs_port_reg[dump_index][p];
@@ -4854,11 +4915,11 @@ static void debugfs_phy_down_cnt_init_v3_hw(struct hisi_hba *hisi_hba)
{
struct dentry *dir = debugfs_create_dir("phy_down_cnt",
hisi_hba->debugfs_dir);
- char name[16];
+ char name[NAME_BUF_SIZE];
int phy_no;
for (phy_no = 0; phy_no < hisi_hba->n_phy; phy_no++) {
- snprintf(name, 16, "%d", phy_no);
+ snprintf(name, NAME_BUF_SIZE, "%d", phy_no);
debugfs_create_file(name, 0600, dir,
&hisi_hba->phy[phy_no],
&debugfs_phy_down_cnt_v3_hw_fops);
@@ -5027,7 +5088,7 @@ hisi_sas_v3_probe(struct pci_dev *pdev, const struct pci_device_id *id)
shost->max_id = HISI_SAS_MAX_DEVICES;
shost->max_lun = ~0;
shost->max_channel = 1;
- shost->max_cmd_len = 16;
+ shost->max_cmd_len = HISI_SAS_MAX_CDB_LEN;
shost->can_queue = HISI_SAS_UNRESERVED_IPTT;
shost->cmd_per_lun = HISI_SAS_UNRESERVED_IPTT;
if (hisi_hba->iopoll_q_cnt)
@@ -5108,12 +5169,13 @@ hisi_sas_v3_destroy_irqs(struct pci_dev *pdev, struct hisi_hba *hisi_hba)
{
int i;
- devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 1), hisi_hba);
- devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 2), hisi_hba);
- devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 11), hisi_hba);
+ devm_free_irq(&pdev->dev, pci_irq_vector(pdev, IRQ_PHY_UP_DOWN_INDEX), hisi_hba);
+ devm_free_irq(&pdev->dev, pci_irq_vector(pdev, IRQ_CHL_INDEX), hisi_hba);
+ devm_free_irq(&pdev->dev, pci_irq_vector(pdev, IRQ_AXI_INDEX), hisi_hba);
for (i = 0; i < hisi_hba->cq_nvecs; i++) {
struct hisi_sas_cq *cq = &hisi_hba->cq[i];
- int nr = hisi_sas_intr_conv ? 16 : 16 + i;
+ int nr = hisi_sas_intr_conv ? BASE_VECTORS_V3_HW :
+ BASE_VECTORS_V3_HW + i;
devm_free_irq(&pdev->dev, pci_irq_vector(pdev, nr), cq);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 243/481] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 242/481] nouveau/dpcd: return EBUSY for aux xfer if the device is asleep Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 244/481] parisc: Fix initial page table creation for boot Greg Kroah-Hartman
` (72 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanman Pradhan <psanman@juniper.net>
commit 25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43 upstream.
The q54sj108a2_debugfs_read function suffers from a stack buffer overflow
due to incorrect arguments passed to bin2hex(). The function currently
passes 'data' as the destination and 'data_char' as the source.
Because bin2hex() converts each input byte into two hex characters, a
32-byte block read results in 64 bytes of output. Since 'data' is only
34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end
of the buffer onto the stack.
Additionally, the arguments were swapped: it was reading from the
zero-initialized 'data_char' and writing to 'data', resulting in
all-zero output regardless of the actual I2C read.
Fix this by:
1. Expanding 'data_char' to 66 bytes to safely hold the hex output.
2. Correcting the bin2hex() argument order and using the actual read count.
3. Using a pointer to select the correct output buffer for the final
simple_read_from_buffer call.
Fixes: d014538aa385 ("hwmon: (pmbus) Driver for Delta power supplies Q54SJ108A2")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260304235116.1045-1-sanman.p211993@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/q54sj108a2.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
--- a/drivers/hwmon/pmbus/q54sj108a2.c
+++ b/drivers/hwmon/pmbus/q54sj108a2.c
@@ -77,7 +77,8 @@ static ssize_t q54sj108a2_debugfs_read(s
int idx = *idxp;
struct q54sj108a2_data *psu = to_psu(idxp, idx);
char data[I2C_SMBUS_BLOCK_MAX + 2] = { 0 };
- char data_char[I2C_SMBUS_BLOCK_MAX + 2] = { 0 };
+ char data_char[I2C_SMBUS_BLOCK_MAX * 2 + 2] = { 0 };
+ char *out = data;
char *res;
switch (idx) {
@@ -148,27 +149,27 @@ static ssize_t q54sj108a2_debugfs_read(s
if (rc < 0)
return rc;
- res = bin2hex(data, data_char, 32);
- rc = res - data;
-
+ res = bin2hex(data_char, data, rc);
+ rc = res - data_char;
+ out = data_char;
break;
case Q54SJ108A2_DEBUGFS_FLASH_KEY:
rc = i2c_smbus_read_block_data(psu->client, PMBUS_FLASH_KEY_WRITE, data);
if (rc < 0)
return rc;
- res = bin2hex(data, data_char, 4);
- rc = res - data;
-
+ res = bin2hex(data_char, data, rc);
+ rc = res - data_char;
+ out = data_char;
break;
default:
return -EINVAL;
}
- data[rc] = '\n';
+ out[rc] = '\n';
rc += 2;
- return simple_read_from_buffer(buf, count, ppos, data, rc);
+ return simple_read_from_buffer(buf, count, ppos, out, rc);
}
static ssize_t q54sj108a2_debugfs_write(struct file *file, const char __user *buf,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 230/460] perf/x86/intel/uncore: Support more units on Granite Rapids
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 229/460] wifi: libertas: fix use-after-free in lbs_free_adapter() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 231/460] perf/x86/intel/uncore: Add per-scheduler IMC CAS count events Greg Kroah-Hartman
` (72 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kan Liang, Peter Zijlstra (Intel),
Eric Hu, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kan Liang <kan.liang@linux.intel.com>
[ Upstream commit 6d642735cdb6cdb814d2b6c81652caa53ce04842 ]
The same CXL PMONs support is also avaiable on GNR. Apply
spr_uncore_cxlcm and spr_uncore_cxldp to GNR as well.
The other units were broken on early HW samples, so they were ignored in
the early enabling patch. The issue has been fixed and verified on the
later production HW. Add UPI, B2UPI, B2HOT, PCIEX16 and PCIEX8 for GNR.
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Eric Hu <eric.hu@intel.com>
Link: https://lkml.kernel.org/r/20250108143017.1793781-2-kan.liang@linux.intel.com
Stable-dep-of: 6a8a48644c4b ("perf/x86/intel/uncore: Add per-scheduler IMC CAS count events")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/uncore_snbep.c | 48 +++++++++++++++++++++++------------
1 file changed, 32 insertions(+), 16 deletions(-)
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -6597,17 +6597,8 @@ void spr_uncore_mmio_init(void)
/* GNR uncore support */
#define UNCORE_GNR_NUM_UNCORE_TYPES 23
-#define UNCORE_GNR_TYPE_15 15
-#define UNCORE_GNR_B2UPI 18
-#define UNCORE_GNR_TYPE_21 21
-#define UNCORE_GNR_TYPE_22 22
int gnr_uncore_units_ignore[] = {
- UNCORE_SPR_UPI,
- UNCORE_GNR_TYPE_15,
- UNCORE_GNR_B2UPI,
- UNCORE_GNR_TYPE_21,
- UNCORE_GNR_TYPE_22,
UNCORE_IGNORE_END
};
@@ -6616,6 +6607,31 @@ static struct intel_uncore_type gnr_unco
.attr_update = uncore_alias_groups,
};
+static struct intel_uncore_type gnr_uncore_pciex8 = {
+ SPR_UNCORE_PCI_COMMON_FORMAT(),
+ .name = "pciex8",
+};
+
+static struct intel_uncore_type gnr_uncore_pciex16 = {
+ SPR_UNCORE_PCI_COMMON_FORMAT(),
+ .name = "pciex16",
+};
+
+static struct intel_uncore_type gnr_uncore_upi = {
+ SPR_UNCORE_PCI_COMMON_FORMAT(),
+ .name = "upi",
+};
+
+static struct intel_uncore_type gnr_uncore_b2upi = {
+ SPR_UNCORE_PCI_COMMON_FORMAT(),
+ .name = "b2upi",
+};
+
+static struct intel_uncore_type gnr_uncore_b2hot = {
+ .name = "b2hot",
+ .attr_update = uncore_alias_groups,
+};
+
static struct intel_uncore_type gnr_uncore_b2cmi = {
SPR_UNCORE_PCI_COMMON_FORMAT(),
.name = "b2cmi",
@@ -6640,21 +6656,21 @@ static struct intel_uncore_type *gnr_unc
&gnr_uncore_ubox,
&spr_uncore_imc,
NULL,
+ &gnr_uncore_upi,
NULL,
NULL,
NULL,
+ &spr_uncore_cxlcm,
+ &spr_uncore_cxldp,
NULL,
- NULL,
- NULL,
- NULL,
- NULL,
+ &gnr_uncore_b2hot,
&gnr_uncore_b2cmi,
&gnr_uncore_b2cxl,
- NULL,
+ &gnr_uncore_b2upi,
NULL,
&gnr_uncore_mdf_sbo,
- NULL,
- NULL,
+ &gnr_uncore_pciex16,
+ &gnr_uncore_pciex8,
};
static struct freerunning_counters gnr_iio_freerunning[] = {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 306/567] scsi: hisi_sas: Fix NULL pointer exception during user_scan()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 305/567] scsi: hisi_sas: Use macro instead of magic number Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 307/567] Revert "tcpm: allow looking for role_sw device in the main node" Greg Kroah-Hartman
` (71 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xingui Yang, Yihang Li,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xingui Yang <yangxingui@huawei.com>
[ Upstream commit 8ddc0c26916574395447ebf4cff684314f6873a9 ]
user_scan() invokes updated sas_user_scan() for channel 0, and if
successful, iteratively scans remaining channels (1 to shost->max_channel)
via scsi_scan_host_selected() in commit 37c4e72b0651 ("scsi: Fix
sas_user_scan() to handle wildcard and multi-channel scans"). However,
hisi_sas supports only one channel, and the current value of max_channel is
1. sas_user_scan() for channel 1 will trigger the following NULL pointer
exception:
[ 441.554662] Unable to handle kernel NULL pointer dereference at virtual address 00000000000008b0
[ 441.554699] Mem abort info:
[ 441.554710] ESR = 0x0000000096000004
[ 441.554718] EC = 0x25: DABT (current EL), IL = 32 bits
[ 441.554723] SET = 0, FnV = 0
[ 441.554726] EA = 0, S1PTW = 0
[ 441.554730] FSC = 0x04: level 0 translation fault
[ 441.554735] Data abort info:
[ 441.554737] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 441.554742] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 441.554747] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 441.554752] user pgtable: 4k pages, 48-bit VAs, pgdp=00000828377a6000
[ 441.554757] [00000000000008b0] pgd=0000000000000000, p4d=0000000000000000
[ 441.554769] Internal error: Oops: 0000000096000004 [#1] SMP
[ 441.629589] Modules linked in: arm_spe_pmu arm_smmuv3_pmu tpm_tis_spi hisi_uncore_sllc_pmu hisi_uncore_pa_pmu hisi_uncore_l3c_pmu hisi_uncore_hha_pmu hisi_uncore_ddrc_pmu hisi_uncore_cpa_pmu hns3_pmu hisi_ptt hisi_pcie_pmu tpm_tis_core spidev spi_hisi_sfc_v3xx hisi_uncore_pmu spi_dw_mmio fuse hclge hclge_common hisi_sec2 hisi_hpre hisi_zip hisi_qm hns3 hisi_sas_v3_hw sm3_ce sbsa_gwdt hnae3 hisi_sas_main uacce hisi_dma i2c_hisi dm_mirror dm_region_hash dm_log dm_mod
[ 441.670819] CPU: 46 UID: 0 PID: 6994 Comm: bash Kdump: loaded Not tainted 7.0.0-rc2+ #84 PREEMPT
[ 441.691327] pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 441.698277] pc : sas_find_dev_by_rphy+0x44/0x118
[ 441.702896] lr : sas_find_dev_by_rphy+0x3c/0x118
[ 441.707502] sp : ffff80009abbba40
[ 441.710805] x29: ffff80009abbba40 x28: ffff082819a40008 x27: ffff082810c37c08
[ 441.717930] x26: ffff082810c37c28 x25: ffff082819a40290 x24: ffff082810c37c00
[ 441.725054] x23: 0000000000000000 x22: 0000000000000001 x21: ffff082819a40000
[ 441.732179] x20: ffff082819a40290 x19: 0000000000000000 x18: 0000000000000020
[ 441.739304] x17: 0000000000000000 x16: ffffb5dad6bda690 x15: 00000000ffffffff
[ 441.746428] x14: ffff082814c3b26c x13: 00000000ffffffff x12: ffff082814c3b26a
[ 441.753553] x11: 00000000000000c0 x10: 000000000000003a x9 : ffffb5dad5ea94f4
[ 441.760678] x8 : 000000000000003a x7 : ffff80009abbbab0 x6 : 0000000000000030
[ 441.767802] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[ 441.774926] x2 : ffff08280f35a300 x1 : ffffb5dad7127180 x0 : 0000000000000000
[ 441.782053] Call trace:
[ 441.784488] sas_find_dev_by_rphy+0x44/0x118 (P)
[ 441.789095] sas_target_alloc+0x24/0xb0
[ 441.792920] scsi_alloc_target+0x290/0x330
[ 441.797010] __scsi_scan_target+0x88/0x258
[ 441.801096] scsi_scan_channel+0x74/0xb8
[ 441.805008] scsi_scan_host_selected+0x170/0x188
[ 441.809615] sas_user_scan+0xfc/0x148
[ 441.813267] store_scan+0x10c/0x180
[ 441.816743] dev_attr_store+0x20/0x40
[ 441.820398] sysfs_kf_write+0x84/0xa8
[ 441.824054] kernfs_fop_write_iter+0x130/0x1c8
[ 441.828487] vfs_write+0x2c0/0x370
[ 441.831880] ksys_write+0x74/0x118
[ 441.835271] __arm64_sys_write+0x24/0x38
[ 441.839182] invoke_syscall+0x50/0x120
[ 441.842919] el0_svc_common.constprop.0+0xc8/0xf0
[ 441.847611] do_el0_svc+0x24/0x38
[ 441.850913] el0_svc+0x38/0x158
[ 441.854043] el0t_64_sync_handler+0xa0/0xe8
[ 441.858214] el0t_64_sync+0x1ac/0x1b0
[ 441.861865] Code: aa1303e0 97ff70a8 34ffff80 d10a4273 (f9445a75)
[ 441.867946] ---[ end trace 0000000000000000 ]---
Therefore, set max_channel to 0.
Fixes: e21fe3a52692 ("scsi: hisi_sas: add initialisation for v3 pci-based controller")
Signed-off-by: Xingui Yang <yangxingui@huawei.com>
Signed-off-by: Yihang Li <liyihang9@huawei.com>
Link: https://patch.msgid.link/20260305064039.4096775-1-liyihang9@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hisi_sas/hisi_sas_main.c | 2 +-
drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index 0a52e7ba504cb..578f7c6117d3d 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -2537,7 +2537,7 @@ int hisi_sas_probe(struct platform_device *pdev,
shost->transportt = hisi_sas_stt;
shost->max_id = HISI_SAS_MAX_DEVICES;
shost->max_lun = ~0;
- shost->max_channel = 1;
+ shost->max_channel = 0;
shost->max_cmd_len = HISI_SAS_MAX_CDB_LEN;
if (hisi_hba->hw->slot_index_alloc) {
shost->can_queue = HISI_SAS_MAX_COMMANDS;
diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
index e8f5a8023a1af..7075dde4584db 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
@@ -5087,7 +5087,7 @@ hisi_sas_v3_probe(struct pci_dev *pdev, const struct pci_device_id *id)
shost->transportt = hisi_sas_stt;
shost->max_id = HISI_SAS_MAX_DEVICES;
shost->max_lun = ~0;
- shost->max_channel = 1;
+ shost->max_channel = 0;
shost->max_cmd_len = HISI_SAS_MAX_CDB_LEN;
shost->can_queue = HISI_SAS_UNRESERVED_IPTT;
shost->cmd_per_lun = HISI_SAS_UNRESERVED_IPTT;
--
2.51.0
^ permalink raw reply related [flat|nested] 1563+ messages in thread
* [PATCH 6.1 244/481] parisc: Fix initial page table creation for boot
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 243/481] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 245/481] parisc: Check kernel mapping earlier at bootup Greg Kroah-Hartman
` (71 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 8475d8fe21ec9c7eb2faca555fbc5b68cf0d2597 upstream.
The KERNEL_INITIAL_ORDER value defines the initial size (usually 32 or
64 MB) of the page table during bootup. Up until now the whole area was
initialized with PTE entries, but there was no check if we filled too
many entries. Change the code to fill up with so many entries that the
"_end" symbol can be reached by the kernel, but not more entries than
actually fit into the initial PTE tables.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v6.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/head.S | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/arch/parisc/kernel/head.S
+++ b/arch/parisc/kernel/head.S
@@ -56,6 +56,7 @@ ENTRY(parisc_kernel_start)
.import __bss_start,data
.import __bss_stop,data
+ .import __end,data
load32 PA(__bss_start),%r3
load32 PA(__bss_stop),%r4
@@ -149,7 +150,11 @@ $cpu_ok:
* everything ... it will get remapped correctly later */
ldo 0+_PAGE_KERNEL_RWX(%r0),%r3 /* Hardwired 0 phys addr start */
load32 (1<<(KERNEL_INITIAL_ORDER-PAGE_SHIFT)),%r11 /* PFN count */
- load32 PA(pg0),%r1
+ load32 PA(_end),%r1
+ SHRREG %r1,PAGE_SHIFT,%r1 /* %r1 is PFN count for _end symbol */
+ cmpb,<<,n %r11,%r1,1f
+ copy %r1,%r11 /* %r1 PFN count smaller than %r11 */
+1: load32 PA(pg0),%r1
$pgt_fill_loop:
STREGM %r3,ASM_PTE_ENTRY_SIZE(%r1)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 231/460] perf/x86/intel/uncore: Add per-scheduler IMC CAS count events
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 230/460] perf/x86/intel/uncore: Support more units on Granite Rapids Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 232/460] mptcp: pm: in-kernel: always mark signal+subflow endp as used Greg Kroah-Hartman
` (71 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Reinette Chatre, Zide Chen,
Peter Zijlstra (Intel), Dapeng Mi, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zide Chen <zide.chen@intel.com>
[ Upstream commit 6a8a48644c4b804123e59dbfc5d6cd29a0194046 ]
IMC on SPR and EMR does not support sub-channels. In contrast, CPUs
that use gnr_uncores[] (e.g. Granite Rapids and Sierra Forest)
implement two command schedulers (SCH0/SCH1) per memory channel,
providing logically independent command and data paths.
Do not reuse the spr_uncore_imc[] configuration for these CPUs.
Instead, introduce a dedicated gnr_uncore_imc[] with per-scheduler
events, so userspace can monitor SCH0 and SCH1 independently.
On these CPUs, replace cas_count_{read,write} with
cas_count_{read,write}_sch{0,1}. This may break existing userspace
that relies on cas_count_{read,write}, prompting it to switch to the
per-scheduler events, as the legacy event reports only partial
traffic (SCH0).
Fixes: 632c4bf6d007 ("perf/x86/intel/uncore: Support Granite Rapids")
Fixes: cb4a6ccf3583 ("perf/x86/intel/uncore: Support Sierra Forest and Grand Ridge")
Reported-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: Zide Chen <zide.chen@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260210005225.20311-1-zide.chen@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/uncore_snbep.c | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -6607,6 +6607,32 @@ static struct intel_uncore_type gnr_unco
.attr_update = uncore_alias_groups,
};
+static struct uncore_event_desc gnr_uncore_imc_events[] = {
+ INTEL_UNCORE_EVENT_DESC(clockticks, "event=0x01,umask=0x00"),
+ INTEL_UNCORE_EVENT_DESC(cas_count_read_sch0, "event=0x05,umask=0xcf"),
+ INTEL_UNCORE_EVENT_DESC(cas_count_read_sch0.scale, "6.103515625e-5"),
+ INTEL_UNCORE_EVENT_DESC(cas_count_read_sch0.unit, "MiB"),
+ INTEL_UNCORE_EVENT_DESC(cas_count_read_sch1, "event=0x06,umask=0xcf"),
+ INTEL_UNCORE_EVENT_DESC(cas_count_read_sch1.scale, "6.103515625e-5"),
+ INTEL_UNCORE_EVENT_DESC(cas_count_read_sch1.unit, "MiB"),
+ INTEL_UNCORE_EVENT_DESC(cas_count_write_sch0, "event=0x05,umask=0xf0"),
+ INTEL_UNCORE_EVENT_DESC(cas_count_write_sch0.scale, "6.103515625e-5"),
+ INTEL_UNCORE_EVENT_DESC(cas_count_write_sch0.unit, "MiB"),
+ INTEL_UNCORE_EVENT_DESC(cas_count_write_sch1, "event=0x06,umask=0xf0"),
+ INTEL_UNCORE_EVENT_DESC(cas_count_write_sch1.scale, "6.103515625e-5"),
+ INTEL_UNCORE_EVENT_DESC(cas_count_write_sch1.unit, "MiB"),
+ { /* end: all zeroes */ },
+};
+
+static struct intel_uncore_type gnr_uncore_imc = {
+ SPR_UNCORE_MMIO_COMMON_FORMAT(),
+ .name = "imc",
+ .fixed_ctr_bits = 48,
+ .fixed_ctr = SNR_IMC_MMIO_PMON_FIXED_CTR,
+ .fixed_ctl = SNR_IMC_MMIO_PMON_FIXED_CTL,
+ .event_descs = gnr_uncore_imc_events,
+};
+
static struct intel_uncore_type gnr_uncore_pciex8 = {
SPR_UNCORE_PCI_COMMON_FORMAT(),
.name = "pciex8",
@@ -6654,7 +6680,7 @@ static struct intel_uncore_type *gnr_unc
NULL,
&spr_uncore_pcu,
&gnr_uncore_ubox,
- &spr_uncore_imc,
+ &gnr_uncore_imc,
NULL,
&gnr_uncore_upi,
NULL,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 307/567] Revert "tcpm: allow looking for role_sw device in the main node"
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 306/567] scsi: hisi_sas: Fix NULL pointer exception during user_scan() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 308/567] drm/bridge: samsung-dsim: Fix memory leak in error path Greg Kroah-Hartman
` (70 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Xu Yang, Arnaud Ferraris,
Heikki Krogerus
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 6b275bfaa16be3fb1689fa6794e445ecd127a1b4 upstream.
This reverts commit 1366cd228b0c67b60a2c0c26ef37fe9f7cfedb7f.
The fwnode_usb_role_switch_get() returns NULL only if no connection is
found, returns ERR_PTR(-EPROBE_DEFER) if connection is found but deferred
probe is needed, or a valid pointer of usb_role_switch.
When switching from a NULL check to IS_ERR_OR_NULL(), usb_role_switch_get()
returns NULL and overwrites the ERR_PTR(-EPROBE_DEFER) returned by
fwnode_usb_role_switch_get(). This causes the deferred probe indication to
be lost, preventing the USB role switch from ever being retrieved.
Fixes: 1366cd228b0c ("tcpm: allow looking for role_sw device in the main node")
Cc: stable <stable@kernel.org>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Tested-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260309074313.2809867-2-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -6637,7 +6637,7 @@ struct tcpm_port *tcpm_register_port(str
port->port_type = port->typec_caps.type;
port->role_sw = fwnode_usb_role_switch_get(tcpc->fwnode);
- if (IS_ERR_OR_NULL(port->role_sw))
+ if (!port->role_sw)
port->role_sw = usb_role_switch_get(port->dev);
if (IS_ERR(port->role_sw)) {
err = PTR_ERR(port->role_sw);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 245/481] parisc: Check kernel mapping earlier at bootup
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 244/481] parisc: Fix initial page table creation for boot Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 246/481] smb: server: fix use-after-free in smb2_open() Greg Kroah-Hartman
` (70 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 17c144f1104bfc29a3ce3f7d0931a1bfb7a3558c upstream.
The check if the initial mapping is sufficient needs to happen much
earlier during bootup. Move this test directly to the start_parisc()
function and use native PDC iodc functions to print the warning, because
panic() and printk() are not functional yet.
This fixes boot when enabling various KALLSYSMS options which need
much more space.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v6.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/setup.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
--- a/arch/parisc/kernel/setup.c
+++ b/arch/parisc/kernel/setup.c
@@ -135,14 +135,6 @@ void __init setup_arch(char **cmdline_p)
#endif
printk(KERN_CONT ".\n");
- /*
- * Check if initial kernel page mappings are sufficient.
- * panic early if not, else we may access kernel functions
- * and variables which can't be reached.
- */
- if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE)
- panic("KERNEL_INITIAL_ORDER too small!");
-
#ifdef CONFIG_64BIT
if(parisc_narrow_firmware) {
printk(KERN_INFO "Kernel is using PDC in 32-bit mode.\n");
@@ -398,6 +390,18 @@ void __init start_parisc(void)
int ret, cpunum;
struct pdc_coproc_cfg coproc_cfg;
+ /*
+ * Check if initial kernel page mapping is sufficient.
+ * Print warning if not, because we may access kernel functions and
+ * variables which can't be reached yet through the initial mappings.
+ * Note that the panic() and printk() functions are not functional
+ * yet, so we need to use direct iodc() firmware calls instead.
+ */
+ const char warn1[] = "CRITICAL: Kernel may crash because "
+ "KERNEL_INITIAL_ORDER is too small.\n";
+ if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE)
+ pdc_iodc_print(warn1, sizeof(warn1) - 1);
+
/* check QEMU/SeaBIOS marker in PAGE0 */
running_on_qemu = (memcmp(&PAGE0->pad0, "SeaBIOS", 8) == 0);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 232/460] mptcp: pm: in-kernel: always mark signal+subflow endp as used
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 231/460] perf/x86/intel/uncore: Add per-scheduler IMC CAS count events Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 233/460] mptcp: pm: avoid sending RM_ADDR over same subflow Greg Kroah-Hartman
` (70 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit 579a752464a64cb5f9139102f0e6b90a1f595ceb ]
Syzkaller managed to find a combination of actions that was generating
this warning:
msk->pm.local_addr_used == 0
WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961
WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961
WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961
Modules linked in:
CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full)
Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014
RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline]
RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline]
RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210
Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 <0f> 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a
RSP: 0018:ffffc90001663880 EFLAGS: 00010293
RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff
R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640
R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650
FS: 00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0
Call Trace:
<TASK>
genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0xc9/0xf0 net/socket.c:742
____sys_sendmsg+0x272/0x3b0 net/socket.c:2592
___sys_sendmsg+0x2de/0x320 net/socket.c:2646
__sys_sendmsg net/socket.c:2678 [inline]
__do_sys_sendmsg net/socket.c:2683 [inline]
__se_sys_sendmsg net/socket.c:2681 [inline]
__x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f66346f826d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d
RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8
R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770
</TASK>
The actions that caused that seem to be:
- Set the MPTCP subflows limit to 0
- Create an MPTCP endpoint with both the 'signal' and 'subflow' flags
- Create a new MPTCP connection from a different address: an ADD_ADDR
linked to the MPTCP endpoint will be sent ('signal' flag), but no
subflows is initiated ('subflow' flag)
- Remove the MPTCP endpoint
In this case, msk->pm.local_addr_used has been kept to 0 -- because no
subflows have been created -- but the corresponding bit in
msk->pm.id_avail_bitmap has been cleared when the ADD_ADDR has been
sent. This later causes a splat when removing the MPTCP endpoint because
msk->pm.local_addr_used has been kept to 0.
Now, if an endpoint has both the signal and subflow flags, but it is not
possible to create subflows because of the limits or the c-flag case,
then the local endpoint counter is still incremented: the endpoint is
used at the end. This avoids issues later when removing the endpoint and
calling __mark_subflow_endp_available(), which expects
msk->pm.local_addr_used to have been previously incremented if the
endpoint was marked as used according to msk->pm.id_avail_bitmap.
Note that signal_and_subflow variable is reset to false when the limits
and the c-flag case allows subflows creation. Also, local_addr_used is
only incremented for non ID0 subflows.
Fixes: 85df533a787b ("mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set")
Cc: stable@vger.kernel.org
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/613
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-4-4b5462b6f016@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ pm_kernel.c => pm_netlink.c ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -661,6 +661,15 @@ subflow:
}
exit:
+ /* If an endpoint has both the signal and subflow flags, but it is not
+ * possible to create subflows -- the 'while' loop body above never
+ * executed -- then still mark the endp as used, which is somehow the
+ * case. This avoids issues later when removing the endpoint and calling
+ * __mark_subflow_endp_available(), which expects the increment here.
+ */
+ if (signal_and_subflow && local.addr.id != msk->mpc_endpoint_id)
+ msk->pm.local_addr_used++;
+
mptcp_pm_nl_check_work_pending(msk);
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 308/567] drm/bridge: samsung-dsim: Fix memory leak in error path
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 307/567] Revert "tcpm: allow looking for role_sw device in the main node" Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 309/567] drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used Greg Kroah-Hartman
` (69 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Osama Abdelkader, Luca Ceresoli
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Osama Abdelkader <osama.abdelkader@gmail.com>
commit 803ec1faf7c1823e6e3b1f2aaa81be18528c9436 upstream.
In samsung_dsim_host_attach(), drm_bridge_add() is called to add the
bridge. However, if samsung_dsim_register_te_irq() or
pdata->host_ops->attach() fails afterwards, the function returns
without removing the bridge, causing a memory leak.
Fix this by adding proper error handling with goto labels to ensure
drm_bridge_remove() is called in all error paths. Also ensure that
samsung_dsim_unregister_te_irq() is called if the attach operation
fails after the TE IRQ has been registered.
samsung_dsim_unregister_te_irq() function is moved without changes
to be before samsung_dsim_host_attach() to avoid forward declaration.
Fixes: e7447128ca4a ("drm: bridge: Generalize Exynos-DSI driver into a Samsung DSIM bridge")
Cc: stable@vger.kernel.org
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Link: https://patch.msgid.link/20260209184115.10937-1-osama.abdelkader@gmail.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/samsung-dsim.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
--- a/drivers/gpu/drm/bridge/samsung-dsim.c
+++ b/drivers/gpu/drm/bridge/samsung-dsim.c
@@ -1642,6 +1642,14 @@ static int samsung_dsim_register_te_irq(
return 0;
}
+static void samsung_dsim_unregister_te_irq(struct samsung_dsim *dsi)
+{
+ if (dsi->te_gpio) {
+ free_irq(gpiod_to_irq(dsi->te_gpio), dsi);
+ gpiod_put(dsi->te_gpio);
+ }
+}
+
static int samsung_dsim_host_attach(struct mipi_dsi_host *host,
struct mipi_dsi_device *device)
{
@@ -1713,13 +1721,13 @@ of_find_panel_or_bridge:
if (!(device->mode_flags & MIPI_DSI_MODE_VIDEO)) {
ret = samsung_dsim_register_te_irq(dsi, &device->dev);
if (ret)
- return ret;
+ goto err_remove_bridge;
}
if (pdata->host_ops && pdata->host_ops->attach) {
ret = pdata->host_ops->attach(dsi, device);
if (ret)
- return ret;
+ goto err_unregister_te_irq;
}
dsi->lanes = device->lanes;
@@ -1727,14 +1735,13 @@ of_find_panel_or_bridge:
dsi->mode_flags = device->mode_flags;
return 0;
-}
-static void samsung_dsim_unregister_te_irq(struct samsung_dsim *dsi)
-{
- if (dsi->te_gpio) {
- free_irq(gpiod_to_irq(dsi->te_gpio), dsi);
- gpiod_put(dsi->te_gpio);
- }
+err_unregister_te_irq:
+ if (!(device->mode_flags & MIPI_DSI_MODE_VIDEO))
+ samsung_dsim_unregister_te_irq(dsi);
+err_remove_bridge:
+ drm_bridge_remove(&dsi->bridge);
+ return ret;
}
static int samsung_dsim_host_detach(struct mipi_dsi_host *host,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 246/481] smb: server: fix use-after-free in smb2_open()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 245/481] parisc: Check kernel mapping earlier at bootup Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 247/481] net: ncsi: fix skb leak in error paths Greg Kroah-Hartman
` (69 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marios Makassikis, Namjae Jeon,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marios Makassikis <mmakassikis@freebox.fr>
commit 1e689a56173827669a35da7cb2a3c78ed5c53680 upstream.
The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is
dereferenced after rcu_read_unlock(), creating a use-after-free
window.
Cc: stable@vger.kernel.org
Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -3343,10 +3343,8 @@ int smb2_open(struct ksmbd_work *work)
memcpy(fp->client_guid, conn->ClientGUID, SMB2_CLIENT_GUID_SIZE);
rsp->StructureSize = cpu_to_le16(89);
- rcu_read_lock();
- opinfo = rcu_dereference(fp->f_opinfo);
+ opinfo = opinfo_get(fp);
rsp->OplockLevel = opinfo != NULL ? opinfo->level : 0;
- rcu_read_unlock();
rsp->Flags = 0;
rsp->CreateAction = cpu_to_le32(file_info);
rsp->CreationTime = cpu_to_le64(fp->create_time);
@@ -3387,6 +3385,7 @@ int smb2_open(struct ksmbd_work *work)
next_ptr = &lease_ccontext->Next;
next_off = conn->vals->create_lease_size;
}
+ opinfo_put(opinfo);
if (maximal_access_ctxt) {
struct create_context *mxac_ccontext;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 233/460] mptcp: pm: avoid sending RM_ADDR over same subflow
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 232/460] mptcp: pm: in-kernel: always mark signal+subflow endp as used Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 234/460] drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink Greg Kroah-Hartman
` (69 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Lorenz, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit fb8d0bccb221080630efcd9660c9f9349e53cc9e ]
RM_ADDR are sent over an active subflow, the first one in the subflows
list. There is then a high chance the initial subflow is picked. With
the in-kernel PM, when an endpoint is removed, a RM_ADDR is sent, then
linked subflows are closed. This is done for each active MPTCP
connection.
MPTCP endpoints are likely removed because the attached network is no
longer available or usable. In this case, it is better to avoid sending
this RM_ADDR over the subflow that is going to be removed, but prefer
sending it over another active and non stale subflow, if any.
This modification avoids situations where the other end is not notified
when a subflow is no longer usable: typically when the endpoint linked
to the initial subflow is removed, especially on the server side.
Fixes: 8dd5efb1f91b ("mptcp: send ack for rm_addr")
Cc: stable@vger.kernel.org
Reported-by: Frank Lorenz <lorenz-frank@web.de>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/612
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-2-4b5462b6f016@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ adapted to _nl-prefixed function names in pm_netlink.c and omitted stale subflow fallback ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm.c | 2 +-
net/mptcp/pm_netlink.c | 43 ++++++++++++++++++++++++++++++++++++++-----
net/mptcp/protocol.h | 2 ++
3 files changed, 41 insertions(+), 6 deletions(-)
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -56,7 +56,7 @@ int mptcp_pm_remove_addr(struct mptcp_so
msk->pm.rm_list_tx = *rm_list;
rm_addr |= BIT(MPTCP_RM_ADDR_SIGNAL);
WRITE_ONCE(msk->pm.addr_signal, rm_addr);
- mptcp_pm_nl_addr_send_ack(msk);
+ mptcp_pm_nl_addr_send_ack_avoid_list(msk, rm_list);
return 0;
}
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -855,9 +855,23 @@ bool mptcp_pm_nl_is_init_remote_addr(str
return mptcp_addresses_equal(&mpc_remote, remote, remote->port);
}
-void mptcp_pm_nl_addr_send_ack(struct mptcp_sock *msk)
+static bool subflow_in_rm_list(const struct mptcp_subflow_context *subflow,
+ const struct mptcp_rm_list *rm_list)
+{
+ u8 i, id = subflow_get_local_id(subflow);
+
+ for (i = 0; i < rm_list->nr; i++) {
+ if (rm_list->ids[i] == id)
+ return true;
+ }
+
+ return false;
+}
+
+void mptcp_pm_nl_addr_send_ack_avoid_list(struct mptcp_sock *msk,
+ const struct mptcp_rm_list *rm_list)
{
- struct mptcp_subflow_context *subflow;
+ struct mptcp_subflow_context *subflow, *same_id = NULL;
msk_owned_by_me(msk);
lockdep_assert_held(&msk->pm.lock);
@@ -867,11 +881,30 @@ void mptcp_pm_nl_addr_send_ack(struct mp
return;
mptcp_for_each_subflow(msk, subflow) {
- if (__mptcp_subflow_active(subflow)) {
- mptcp_pm_send_ack(msk, subflow, false, false);
- break;
+ if (!__mptcp_subflow_active(subflow))
+ continue;
+
+ if (unlikely(rm_list &&
+ subflow_in_rm_list(subflow, rm_list))) {
+ if (!same_id)
+ same_id = subflow;
+ } else {
+ goto send_ack;
}
}
+
+ if (same_id)
+ subflow = same_id;
+ else
+ return;
+
+send_ack:
+ mptcp_pm_send_ack(msk, subflow, false, false);
+}
+
+void mptcp_pm_nl_addr_send_ack(struct mptcp_sock *msk)
+{
+ mptcp_pm_nl_addr_send_ack_avoid_list(msk, NULL);
}
int mptcp_pm_nl_mp_prio_send_ack(struct mptcp_sock *msk,
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -1029,6 +1029,8 @@ void mptcp_pm_add_addr_send_ack(struct m
bool mptcp_pm_nl_is_init_remote_addr(struct mptcp_sock *msk,
const struct mptcp_addr_info *remote);
void mptcp_pm_nl_addr_send_ack(struct mptcp_sock *msk);
+void mptcp_pm_nl_addr_send_ack_avoid_list(struct mptcp_sock *msk,
+ const struct mptcp_rm_list *rm_list);
void mptcp_pm_rm_addr_received(struct mptcp_sock *msk,
const struct mptcp_rm_list *rm_list);
void mptcp_pm_mp_prio_received(struct sock *sk, u8 bkup);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 309/567] drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 308/567] drm/bridge: samsung-dsim: Fix memory leak in error path Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 310/567] device property: Allow secondary lookup in fwnode_get_next_child_node() Greg Kroah-Hartman
` (68 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Franz Schnyder, Douglas Anderson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Franz Schnyder <franz.schnyder@toradex.com>
commit 0b87d51690dd5131cbe9fbd23746b037aab89815 upstream.
Fallback to polling to detect hotplug events on systems without
interrupts.
On systems where the interrupt line of the bridge is not connected,
the bridge cannot notify hotplug events. Only add the
DRM_BRIDGE_OP_HPD flag if an interrupt has been registered
otherwise remain in polling mode.
Fixes: 55e8ff842051 ("drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type")
Cc: stable@vger.kernel.org # 6.16: 9133bc3f0564: drm/bridge: ti-sn65dsi86: Add
Signed-off-by: Franz Schnyder <franz.schnyder@toradex.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
[dianders: Adjusted Fixes/stable line based on discussion]
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patch.msgid.link/20260206123758.374555-1-fra.schnyder@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
@@ -1326,6 +1326,7 @@ static int ti_sn_bridge_probe(struct aux
{
struct ti_sn65dsi86 *pdata = dev_get_drvdata(adev->dev.parent);
struct device_node *np = pdata->dev->of_node;
+ const struct i2c_client *client = to_i2c_client(pdata->dev);
int ret;
pdata->next_bridge = devm_drm_of_get_bridge(&adev->dev, np, 1, 0);
@@ -1345,8 +1346,9 @@ static int ti_sn_bridge_probe(struct aux
? DRM_MODE_CONNECTOR_DisplayPort : DRM_MODE_CONNECTOR_eDP;
if (pdata->bridge.type == DRM_MODE_CONNECTOR_DisplayPort) {
- pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT |
- DRM_BRIDGE_OP_HPD;
+ pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT;
+ if (client->irq)
+ pdata->bridge.ops |= DRM_BRIDGE_OP_HPD;
/*
* If comms were already enabled they would have been enabled
* with the wrong value of HPD_DISABLE. Update it now. Comms
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 247/481] net: ncsi: fix skb leak in error paths
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 246/481] smb: server: fix use-after-free in smb2_open() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 248/481] net: ethernet: arc: emac: quiesce interrupts before requesting IRQ Greg Kroah-Hartman
` (68 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jian Zhang, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Zhang <zhangjian.3032@bytedance.com>
commit 5c3398a54266541610c8d0a7082e654e9ff3e259 upstream.
Early return paths in NCSI RX and AEN handlers fail to release
the received skb, resulting in a memory leak.
Specifically, ncsi_aen_handler() returns on invalid AEN packets
without consuming the skb. Similarly, ncsi_rcv_rsp() exits early
when failing to resolve the NCSI device, response handler, or
request, leaving the skb unfreed.
CC: stable@vger.kernel.org
Fixes: 7a82ecf4cfb8 ("net/ncsi: NCSI AEN packet handler")
Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler")
Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
Link: https://patch.msgid.link/20260305060656.3357250-1-zhangjian.3032@bytedance.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ncsi/ncsi-aen.c | 3 ++-
net/ncsi/ncsi-rsp.c | 16 ++++++++++++----
2 files changed, 14 insertions(+), 5 deletions(-)
--- a/net/ncsi/ncsi-aen.c
+++ b/net/ncsi/ncsi-aen.c
@@ -224,7 +224,8 @@ int ncsi_aen_handler(struct ncsi_dev_pri
if (!nah) {
netdev_warn(ndp->ndev.dev, "Invalid AEN (0x%x) received\n",
h->type);
- return -ENOENT;
+ ret = -ENOENT;
+ goto out;
}
ret = ncsi_validate_aen_pkt(h, nah->payload);
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -1176,8 +1176,10 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
/* Find the NCSI device */
nd = ncsi_find_dev(orig_dev);
ndp = nd ? TO_NCSI_DEV_PRIV(nd) : NULL;
- if (!ndp)
- return -ENODEV;
+ if (!ndp) {
+ ret = -ENODEV;
+ goto err_free_skb;
+ }
/* Check if it is AEN packet */
hdr = (struct ncsi_pkt_hdr *)skb_network_header(skb);
@@ -1199,7 +1201,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
if (!nrh) {
netdev_err(nd->dev, "Received unrecognized packet (0x%x)\n",
hdr->type);
- return -ENOENT;
+ ret = -ENOENT;
+ goto err_free_skb;
}
/* Associate with the request */
@@ -1207,7 +1210,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
nr = &ndp->requests[hdr->id];
if (!nr->used) {
spin_unlock_irqrestore(&ndp->lock, flags);
- return -ENODEV;
+ ret = -ENODEV;
+ goto err_free_skb;
}
nr->rsp = skb;
@@ -1261,4 +1265,8 @@ out_netlink:
out:
ncsi_free_request(nr);
return ret;
+
+err_free_skb:
+ kfree_skb(skb);
+ return ret;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 234/460] drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 233/460] mptcp: pm: avoid sending RM_ADDR over same subflow Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 235/460] selftests: mptcp: add a check for add_addr_accepted Greg Kroah-Hartman
` (68 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Natalie Vock, Alex Deucher,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Natalie Vock <natalie.vock@gmx.de>
[ Upstream commit 28dfe4317541e57fe52f9a290394cd29c348228b ]
This can be called while preemption is disabled, for example by
dcn32_internal_validate_bw which is called with the FPU active.
Fixes "BUG: scheduling while atomic" messages I encounter on my Navi31
machine.
Signed-off-by: Natalie Vock <natalie.vock@gmx.de>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit b42dae2ebc5c84a68de63ec4ffdfec49362d53f1)
Cc: stable@vger.kernel.org
[ Context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
@@ -167,7 +167,7 @@ struct dc_stream_state *dc_create_stream
if (sink == NULL)
return NULL;
- stream = kzalloc(sizeof(struct dc_stream_state), GFP_KERNEL);
+ stream = kzalloc(sizeof(struct dc_stream_state), GFP_ATOMIC);
if (stream == NULL)
goto alloc_fail;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 310/567] device property: Allow secondary lookup in fwnode_get_next_child_node()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 309/567] drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 311/567] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports Greg Kroah-Hartman
` (67 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko,
Rafael J. Wysocki (Intel), Sakari Ailus, Danilo Krummrich
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit 2692c614f8f05929d692b3dbfd3faef1f00fbaf0 upstream.
When device_get_child_node_count() got split to the fwnode and device
respective APIs, the fwnode didn't inherit the ability to traverse over
the secondary fwnode. Hence any user, that switches from device to fwnode
API misses this feature. In particular, this was revealed by the commit
1490cbb9dbfd ("device property: Split fwnode_get_child_node_count()")
that effectively broke the GPIO enumeration on Intel Galileo boards.
Fix this by moving the secondary lookup from device to fwnode API.
Note, in general no device_*() API should go into the depth of the fwnode
implementation.
Fixes: 114dbb4fa7c4 ("drivers property: When no children in primary, try secondary")
Cc: stable@vger.kernel.org
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Link: https://patch.msgid.link/20260210135822.47335-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/property.c | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
--- a/drivers/base/property.c
+++ b/drivers/base/property.c
@@ -750,7 +750,18 @@ struct fwnode_handle *
fwnode_get_next_child_node(const struct fwnode_handle *fwnode,
struct fwnode_handle *child)
{
- return fwnode_call_ptr_op(fwnode, get_next_child_node, child);
+ struct fwnode_handle *next;
+
+ if (IS_ERR_OR_NULL(fwnode))
+ return NULL;
+
+ /* Try to find a child in primary fwnode */
+ next = fwnode_call_ptr_op(fwnode, get_next_child_node, child);
+ if (next)
+ return next;
+
+ /* When no more children in primary, continue with secondary */
+ return fwnode_call_ptr_op(fwnode->secondary, get_next_child_node, child);
}
EXPORT_SYMBOL_GPL(fwnode_get_next_child_node);
@@ -794,19 +805,7 @@ EXPORT_SYMBOL_GPL(fwnode_get_next_availa
struct fwnode_handle *device_get_next_child_node(const struct device *dev,
struct fwnode_handle *child)
{
- const struct fwnode_handle *fwnode = dev_fwnode(dev);
- struct fwnode_handle *next;
-
- if (IS_ERR_OR_NULL(fwnode))
- return NULL;
-
- /* Try to find a child in primary fwnode */
- next = fwnode_get_next_child_node(fwnode, child);
- if (next)
- return next;
-
- /* When no more children in primary, continue with secondary */
- return fwnode_get_next_child_node(fwnode->secondary, child);
+ return fwnode_get_next_child_node(dev_fwnode(dev), child);
}
EXPORT_SYMBOL_GPL(device_get_next_child_node);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 248/481] net: ethernet: arc: emac: quiesce interrupts before requesting IRQ
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 247/481] net: ncsi: fix skb leak in error paths Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 249/481] drm/amdgpu: Fix use-after-free race in VM acquire Greg Kroah-Hartman
` (67 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fan Wu, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fan Wu <fanwu01@zju.edu.cn>
commit 2503d08f8a2de618e5c3a8183b250ff4a2e2d52c upstream.
Normal RX/TX interrupts are enabled later, in arc_emac_open(), so probe
should not see interrupt delivery in the usual case. However, hardware may
still present stale or latched interrupt status left by firmware or the
bootloader.
If probe later unwinds after devm_request_irq() has installed the handler,
such a stale interrupt can still reach arc_emac_intr() during teardown and
race with release of the associated net_device.
Avoid that window by putting the device into a known quiescent state before
requesting the IRQ: disable all EMAC interrupt sources and clear any
pending EMAC interrupt status bits. This keeps the change hardware-focused
and minimal, while preventing spurious IRQ delivery from leftover state.
Fixes: e4f2379db6c6 ("ethernet/arc/arc_emac - Add new driver")
Cc: stable@vger.kernel.org
Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
Link: https://patch.msgid.link/20260309132409.584966-1-fanwu01@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/arc/emac_main.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/net/ethernet/arc/emac_main.c
+++ b/drivers/net/ethernet/arc/emac_main.c
@@ -934,6 +934,17 @@ int arc_emac_probe(struct net_device *nd
/* Set poll rate so that it polls every 1 ms */
arc_reg_set(priv, R_POLLRATE, clock_frequency / 1000000);
+ /*
+ * Put the device into a known quiescent state before requesting
+ * the IRQ. Clear only EMAC interrupt status bits here; leave the
+ * MDIO completion bit alone and avoid writing TXPL_MASK, which is
+ * used to force TX polling rather than acknowledge interrupts.
+ */
+ arc_reg_set(priv, R_ENABLE, 0);
+ arc_reg_set(priv, R_STATUS, RXINT_MASK | TXINT_MASK | ERR_MASK |
+ TXCH_MASK | MSER_MASK | RXCR_MASK |
+ RXFR_MASK | RXFL_MASK);
+
ndev->irq = irq;
dev_info(dev, "IRQ is %d\n", ndev->irq);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 235/460] selftests: mptcp: add a check for add_addr_accepted
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 234/460] drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 236/460] selftests: mptcp: join: check RM_ADDR not sent over same subflow Greg Kroah-Hartman
` (67 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gang Yan, Geliang Tang,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gang Yan <yangang@kylinos.cn>
[ Upstream commit 0eee0fdf9b7b0baf698f9b426384aa9714d76a51 ]
The previous patch fixed an issue with the 'add_addr_accepted' counter.
This was not spot by the test suite.
Check this counter and 'add_addr_signal' in MPTCP Join 'delete re-add
signal' test. This should help spotting similar regressions later on.
These counters are crucial for ensuring the MPTCP path manager correctly
handles the subflow creation via 'ADD_ADDR'.
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Reviewed-by: Geliang Tang <geliang@kernel.org>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-11-806d3781c95f@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 560edd99b5f5 ("selftests: mptcp: join: check RM_ADDR not sent over same subflow")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 7 +++++++
1 file changed, 7 insertions(+)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -3922,38 +3922,45 @@ endpoint_tests()
$ns1 10.0.2.1 id 1 flags signal
chk_subflow_nr "before delete" 2
chk_mptcp_info subflows 1 subflows 1
+ chk_mptcp_info add_addr_signal 2 add_addr_accepted 1
pm_nl_del_endpoint $ns1 1 10.0.2.1
pm_nl_del_endpoint $ns1 2 224.0.0.1
sleep 0.5
chk_subflow_nr "after delete" 1
chk_mptcp_info subflows 0 subflows 0
+ chk_mptcp_info add_addr_signal 0 add_addr_accepted 0
pm_nl_add_endpoint $ns1 10.0.2.1 id 1 flags signal
pm_nl_add_endpoint $ns1 10.0.3.1 id 2 flags signal
wait_mpj $ns2
chk_subflow_nr "after re-add" 3
chk_mptcp_info subflows 2 subflows 2
+ chk_mptcp_info add_addr_signal 2 add_addr_accepted 2
pm_nl_del_endpoint $ns1 42 10.0.1.1
sleep 0.5
chk_subflow_nr "after delete ID 0" 2
chk_mptcp_info subflows 2 subflows 2
+ chk_mptcp_info add_addr_signal 2 add_addr_accepted 2
pm_nl_add_endpoint $ns1 10.0.1.1 id 99 flags signal
wait_mpj $ns2
chk_subflow_nr "after re-add ID 0" 3
chk_mptcp_info subflows 3 subflows 3
+ chk_mptcp_info add_addr_signal 3 add_addr_accepted 2
pm_nl_del_endpoint $ns1 99 10.0.1.1
sleep 0.5
chk_subflow_nr "after re-delete ID 0" 2
chk_mptcp_info subflows 2 subflows 2
+ chk_mptcp_info add_addr_signal 2 add_addr_accepted 2
pm_nl_add_endpoint $ns1 10.0.1.1 id 88 flags signal
wait_mpj $ns2
chk_subflow_nr "after re-re-add ID 0" 3
chk_mptcp_info subflows 3 subflows 3
+ chk_mptcp_info add_addr_signal 3 add_addr_accepted 2
mptcp_lib_kill_group_wait $tests_pid
kill_events_pids
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 311/567] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 310/567] device property: Allow secondary lookup in fwnode_get_next_child_node() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 312/567] ice: reintroduce retry mechanism for indirect AQ Greg Kroah-Hartman
` (66 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc Zyngier, Thomas Gleixner,
Robin Murphy, Zenghui Yu
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit ce9e40a9a5e5cff0b1b0d2fa582b3d71a8ce68e8 upstream.
The ITS driver blindly assumes that EventIDs are in abundant supply, to the
point where it never checks how many the hardware actually supports.
It turns out that some pretty esoteric integrations make it so that only a
few bits are available, all the way down to a single bit.
Enforce the advertised limitation at the point of allocating the device
structure, and hope that the endpoint driver can deal with such limitation.
Fixes: 84a6a2e7fc18d ("irqchip: GICv3: ITS: device allocation and configuration")
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Zenghui Yu <zenghui.yu@linux.dev>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260206154816.3582887-1-maz@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-gic-v3-its.c | 4 ++++
include/linux/irqchip/arm-gic-v3.h | 1 +
2 files changed, 5 insertions(+)
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -3402,6 +3402,7 @@ static struct its_device *its_create_dev
int lpi_base;
int nr_lpis;
int nr_ites;
+ int id_bits;
int sz;
if (!its_alloc_device_table(its, dev_id))
@@ -3414,7 +3415,10 @@ static struct its_device *its_create_dev
/*
* Even if the device wants a single LPI, the ITT must be
* sized as a power of two (and you need at least one bit...).
+ * Also honor the ITS's own EID limit.
*/
+ id_bits = FIELD_GET(GITS_TYPER_IDBITS, its->typer) + 1;
+ nvecs = min_t(unsigned int, nvecs, BIT(id_bits));
nr_ites = max(2, nvecs);
sz = nr_ites * (FIELD_GET(GITS_TYPER_ITT_ENTRY_SIZE, its->typer) + 1);
sz = max(sz, ITS_ITT_ALIGN) + ITS_ITT_ALIGN - 1;
--- a/include/linux/irqchip/arm-gic-v3.h
+++ b/include/linux/irqchip/arm-gic-v3.h
@@ -394,6 +394,7 @@
#define GITS_TYPER_VLPIS (1UL << 1)
#define GITS_TYPER_ITT_ENTRY_SIZE_SHIFT 4
#define GITS_TYPER_ITT_ENTRY_SIZE GENMASK_ULL(7, 4)
+#define GITS_TYPER_IDBITS GENMASK_ULL(12, 8)
#define GITS_TYPER_IDBITS_SHIFT 8
#define GITS_TYPER_DEVBITS_SHIFT 13
#define GITS_TYPER_DEVBITS GENMASK_ULL(17, 13)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 249/481] drm/amdgpu: Fix use-after-free race in VM acquire
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 248/481] net: ethernet: arc: emac: quiesce interrupts before requesting IRQ Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 250/481] drm/amd: Set num IP blocks to 0 if discovery fails Greg Kroah-Hartman
` (66 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harish Kasiviswanathan, Alysa Liu,
Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alysa Liu <Alysa.Liu@amd.com>
commit 2c1030f2e84885cc58bffef6af67d5b9d2e7098f upstream.
Replace non-atomic vm->process_info assignment with cmpxchg()
to prevent race when parent/child processes sharing a drm_file
both try to acquire the same VM after fork().
Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
Signed-off-by: Alysa Liu <Alysa.Liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
@@ -1371,7 +1371,10 @@ static int init_kfd_vm(struct amdgpu_vm
*ef = dma_fence_get(&info->eviction_fence->base);
}
- vm->process_info = *process_info;
+ if (cmpxchg(&vm->process_info, NULL, *process_info) != NULL) {
+ ret = -EINVAL;
+ goto already_acquired;
+ }
/* Validate page directory and attach eviction fence */
ret = amdgpu_bo_reserve(vm->root.bo, true);
@@ -1409,6 +1412,7 @@ validate_pd_fail:
amdgpu_bo_unreserve(vm->root.bo);
reserve_pd_fail:
vm->process_info = NULL;
+already_acquired:
if (info) {
/* Two fence references: one in info and one in *ef */
dma_fence_put(&info->eviction_fence->base);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 236/460] selftests: mptcp: join: check RM_ADDR not sent over same subflow
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 235/460] selftests: mptcp: add a check for add_addr_accepted Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 237/460] kbuild: Leave objtool binary around with make clean Greg Kroah-Hartman
` (66 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit 560edd99b5f58b2d4bbe3c8e51e1eed68d887b0e ]
This validates the previous commit: RM_ADDR were sent over the first
found active subflow which could be the same as the one being removed.
It is more likely to loose this notification.
For this check, RM_ADDR are explicitly dropped when trying to send them
over the initial subflow, when removing the endpoint attached to it. If
it is dropped, the test will complain because some RM_ADDR have not been
received.
Note that only the RM_ADDR are dropped, to allow the linked subflow to
be quickly and cleanly closed. To only drop those RM_ADDR, a cBPF byte
code is used. If the IPTables commands fail, that's OK, the tests will
continue to pass, but not validate this part. This can be ignored:
another subtest fully depends on such command, and will be marked as
skipped.
The 'Fixes' tag here below is the same as the one from the previous
commit: this patch here is not fixing anything wrong in the selftests,
but it validates the previous fix for an issue introduced by this commit
ID.
Fixes: 8dd5efb1f91b ("mptcp: send ack for rm_addr")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-3-4b5462b6f016@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 36 ++++++++++++++++++++++++
1 file changed, 36 insertions(+)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -91,6 +91,24 @@ CBPF_MPTCP_SUBOPTION_ADD_ADDR="14,
6 0 0 65535,
6 0 0 0"
+# IPv4: TCP hdr of 48B, a first suboption of 12B (DACK8), the RM_ADDR suboption
+# generated using "nfbpf_compile '(ip[32] & 0xf0) == 0xc0 && ip[53] == 0x0c &&
+# (ip[66] & 0xf0) == 0x40'"
+CBPF_MPTCP_SUBOPTION_RM_ADDR="13,
+ 48 0 0 0,
+ 84 0 0 240,
+ 21 0 9 64,
+ 48 0 0 32,
+ 84 0 0 240,
+ 21 0 6 192,
+ 48 0 0 53,
+ 21 0 4 12,
+ 48 0 0 66,
+ 84 0 0 240,
+ 21 0 1 64,
+ 6 0 0 65535,
+ 6 0 0 0"
+
init_partial()
{
capout=$(mktemp)
@@ -3867,6 +3885,14 @@ endpoint_tests()
chk_subflow_nr "after no reject" 3
chk_mptcp_info subflows 2 subflows 2
+ # To make sure RM_ADDR are sent over a different subflow, but
+ # allow the rest to quickly and cleanly close the subflow
+ local ipt=1
+ ip netns exec "${ns2}" ${iptables} -I OUTPUT -s "10.0.1.2" \
+ -p tcp -m tcp --tcp-option 30 \
+ -m bpf --bytecode \
+ "$CBPF_MPTCP_SUBOPTION_RM_ADDR" \
+ -j DROP || ipt=0
local i
for i in $(seq 3); do
pm_nl_del_endpoint $ns2 1 10.0.1.2
@@ -3879,6 +3905,7 @@ endpoint_tests()
chk_subflow_nr "after re-add id 0 ($i)" 3
chk_mptcp_info subflows 3 subflows 3
done
+ [ ${ipt} = 1 ] && ip netns exec "${ns2}" ${iptables} -D OUTPUT 1
mptcp_lib_kill_group_wait $tests_pid
@@ -3938,11 +3965,20 @@ endpoint_tests()
chk_mptcp_info subflows 2 subflows 2
chk_mptcp_info add_addr_signal 2 add_addr_accepted 2
+ # To make sure RM_ADDR are sent over a different subflow, but
+ # allow the rest to quickly and cleanly close the subflow
+ local ipt=1
+ ip netns exec "${ns1}" ${iptables} -I OUTPUT -s "10.0.1.1" \
+ -p tcp -m tcp --tcp-option 30 \
+ -m bpf --bytecode \
+ "$CBPF_MPTCP_SUBOPTION_RM_ADDR" \
+ -j DROP || ipt=0
pm_nl_del_endpoint $ns1 42 10.0.1.1
sleep 0.5
chk_subflow_nr "after delete ID 0" 2
chk_mptcp_info subflows 2 subflows 2
chk_mptcp_info add_addr_signal 2 add_addr_accepted 2
+ [ ${ipt} = 1 ] && ip netns exec "${ns1}" ${iptables} -D OUTPUT 1
pm_nl_add_endpoint $ns1 10.0.1.1 id 99 flags signal
wait_mpj $ns2
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 312/567] ice: reintroduce retry mechanism for indirect AQ
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 311/567] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 313/567] ixgbevf: fix link setup issue Greg Kroah-Hartman
` (65 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Schmidt, Jakub Staniszewski,
Dawid Osuchowski, Aleksandr Loktionov, Przemek Kitszel,
Paul Menzel, Tony Nguyen, Rinitha S
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
commit 326256c0a72d4877cec1d4df85357da106233128 upstream.
Add retry mechanism for indirect Admin Queue (AQ) commands. To do so we
need to keep the command buffer.
This technically reverts commit 43a630e37e25
("ice: remove unused buffer copy code in ice_sq_send_cmd_retry()"),
but combines it with a fix in the logic by using a kmemdup() call,
making it more robust and less likely to break in the future due to
programmer error.
Cc: Michal Schmidt <mschmidt@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 3056df93f7a8 ("ice: Re-send some AQ commands, as result of EBUSY AQ error")
Signed-off-by: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
Co-developed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Signed-off-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_common.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/net/ethernet/intel/ice/ice_common.c
+++ b/drivers/net/ethernet/intel/ice/ice_common.c
@@ -1636,6 +1636,7 @@ ice_sq_send_cmd_retry(struct ice_hw *hw,
{
struct ice_aq_desc desc_cpy;
bool is_cmd_for_retry;
+ u8 *buf_cpy = NULL;
u8 idx = 0;
u16 opcode;
int status;
@@ -1645,8 +1646,11 @@ ice_sq_send_cmd_retry(struct ice_hw *hw,
memset(&desc_cpy, 0, sizeof(desc_cpy));
if (is_cmd_for_retry) {
- /* All retryable cmds are direct, without buf. */
- WARN_ON(buf);
+ if (buf) {
+ buf_cpy = kmemdup(buf, buf_size, GFP_KERNEL);
+ if (!buf_cpy)
+ return -ENOMEM;
+ }
memcpy(&desc_cpy, desc, sizeof(desc_cpy));
}
@@ -1658,12 +1662,14 @@ ice_sq_send_cmd_retry(struct ice_hw *hw,
hw->adminq.sq_last_status != ICE_AQ_RC_EBUSY)
break;
+ if (buf_cpy)
+ memcpy(buf, buf_cpy, buf_size);
memcpy(desc, &desc_cpy, sizeof(desc_cpy));
-
msleep(ICE_SQ_SEND_DELAY_TIME_MS);
} while (++idx < ICE_SQ_SEND_MAX_EXECUTE);
+ kfree(buf_cpy);
return status;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 250/481] drm/amd: Set num IP blocks to 0 if discovery fails
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 249/481] drm/amdgpu: Fix use-after-free race in VM acquire Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 251/481] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding Greg Kroah-Hartman
` (65 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lijo Lazar, Mario Limonciello,
Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 3646ff28780b4c52c5b5081443199e7a430110e5 upstream.
If discovery has failed for any reason (such as no support for a block)
then there is no need to unwind all the IP blocks in fini. In this
condition there can actually be failures during the unwind too.
Reset num_ip_blocks to zero during failure path and skip the unnecessary
cleanup path.
Suggested-by: Lijo Lazar <lijo.lazar@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit fae5984296b981c8cc3acca35b701c1f332a6cd8)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 +++-
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -2182,8 +2182,10 @@ static int amdgpu_device_ip_early_init(s
break;
default:
r = amdgpu_discovery_set_ip_blocks(adev);
- if (r)
+ if (r) {
+ adev->num_ip_blocks = 0;
return r;
+ }
break;
}
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
@@ -79,7 +79,7 @@ void amdgpu_driver_unload_kms(struct drm
{
struct amdgpu_device *adev = drm_to_adev(dev);
- if (adev == NULL)
+ if (adev == NULL || !adev->num_ip_blocks)
return;
amdgpu_unregister_gpu_instance(adev);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 237/460] kbuild: Leave objtool binary around with make clean
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 236/460] selftests: mptcp: join: check RM_ADDR not sent over same subflow Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 238/460] net/sched: act_gate: snapshot parameters with RCU on replace Greg Kroah-Hartman
` (65 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Suchanek, Rainer Fiebig,
Josh Poimboeuf, Peter Zijlstra (Intel), Nicolas Schier,
Nathan Chancellor, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit fdb12c8a24a453bdd6759979b6ef1e04ebd4beb4 ]
The difference between 'make clean' and 'make mrproper' is documented in
'make help' as:
clean - Remove most generated files but keep the config and
enough build support to build external modules
mrproper - Remove all generated files + config + various backup files
After commit 68b4fe32d737 ("kbuild: Add objtool to top-level clean
target"), running 'make clean' then attempting to build an external
module with the resulting build directory fails with
$ make ARCH=x86_64 O=build clean
$ make -C build M=... MO=...
...
/bin/sh: line 1: .../build/tools/objtool/objtool: No such file or directory
as 'make clean' removes the objtool binary.
Split the objtool clean target into mrproper and clean like Kbuild does
and remove all generated artifacts with 'make clean' except for the
objtool binary, which is removed with 'make mrproper'. To avoid a small
race when running the objtool clean target through both objtool_mrproper
and objtool_clean when running 'make mrproper', modify objtool's clean
up find command to avoid using find's '-delete' command by piping the
files into 'xargs rm -f' like the rest of Kbuild does.
Cc: stable@vger.kernel.org
Fixes: 68b4fe32d737 ("kbuild: Add objtool to top-level clean target")
Reported-by: Michal Suchanek <msuchanek@suse.de>
Closes: https://lore.kernel.org/20260225112633.6123-1-msuchanek@suse.de/
Reported-by: Rainer Fiebig <jrf@mailbox.org>
Closes: https://lore.kernel.org/62d12399-76e5-3d40-126a-7490b4795b17@mailbox.org/
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Nicolas Schier <nsc@kernel.org>
Tested-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/20260227-avoid-objtool-binary-removal-clean-v1-1-122f3e55eae9@kernel.org
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
[ Context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Makefile | 8 ++++----
tools/objtool/Makefile | 8 +++++---
2 files changed, 9 insertions(+), 7 deletions(-)
--- a/Makefile
+++ b/Makefile
@@ -1371,13 +1371,13 @@ ifneq ($(wildcard $(resolve_btfids_O)),)
$(Q)$(MAKE) -sC $(srctree)/tools/bpf/resolve_btfids O=$(resolve_btfids_O) clean
endif
-PHONY += objtool_clean
+PHONY += objtool_clean objtool_mrproper
objtool_O = $(abspath $(objtree))/tools/objtool
-objtool_clean:
+objtool_clean objtool_mrproper:
ifneq ($(wildcard $(objtool_O)),)
- $(Q)$(MAKE) -sC $(abs_srctree)/tools/objtool O=$(objtool_O) srctree=$(abs_srctree) clean
+ $(Q)$(MAKE) -sC $(abs_srctree)/tools/objtool O=$(objtool_O) srctree=$(abs_srctree) $(patsubst objtool_%,%,$@)
endif
tools/: FORCE
@@ -1548,7 +1548,7 @@ PHONY += $(mrproper-dirs) mrproper
$(mrproper-dirs):
$(Q)$(MAKE) $(clean)=$(patsubst _mrproper_%,%,$@)
-mrproper: clean $(mrproper-dirs)
+mrproper: clean objtool_mrproper $(mrproper-dirs)
$(call cmd,rmfiles)
@find . $(RCS_FIND_IGNORE) \
\( -name '*.rmeta' \) \
--- a/tools/objtool/Makefile
+++ b/tools/objtool/Makefile
@@ -91,10 +91,12 @@ $(LIBSUBCMD)-clean:
$(Q)$(RM) -r -- $(LIBSUBCMD_OUTPUT)
clean: $(LIBSUBCMD)-clean
- $(call QUIET_CLEAN, objtool) $(RM) $(OBJTOOL)
- $(Q)find $(OUTPUT) -name '*.o' -delete -o -name '\.*.cmd' -delete -o -name '\.*.d' -delete
+ $(Q)find $(OUTPUT) \( -name '*.o' -o -name '\.*.cmd' -o -name '\.*.d' \) -type f -print | xargs $(RM)
$(Q)$(RM) $(OUTPUT)arch/x86/lib/inat-tables.c $(OUTPUT)fixdep
+mrproper: clean
+ $(call QUIET_CLEAN, objtool) $(RM) $(OBJTOOL)
+
FORCE:
-.PHONY: clean FORCE
+.PHONY: clean mrproper FORCE
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 313/567] ixgbevf: fix link setup issue
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 312/567] ice: reintroduce retry mechanism for indirect AQ Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 314/567] staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Greg Kroah-Hartman
` (64 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov,
Piotr Kwapulinski, Paul Menzel, Jedrzej Jagielski,
Rafal Romanowski, Tony Nguyen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
commit feae40a6a178bb525a15f19288016e5778102a99 upstream.
It may happen that VF spawned for E610 adapter has problem with setting
link up. This happens when ixgbevf supporting mailbox API 1.6 cooperates
with PF driver which doesn't support this version of API, and hence
doesn't support new approach for getting PF link data.
In that case VF asks PF to provide link data but as PF doesn't support
it, returns -EOPNOTSUPP what leads to early bail from link configuration
sequence.
Avoid such situation by using legacy VFLINKS approach whenever negotiated
API version is less than 1.6.
To reproduce the issue just create VF and set its link up - adapter must
be any from the E610 family, ixgbevf must support API 1.6 or higher while
ixgbevf must not.
Fixes: 53f0eb62b4d2 ("ixgbevf: fix getting link speed data for E610 devices")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Piotr Kwapulinski <piotr.kwapulinski@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Cc: stable@vger.kernel.org
Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ixgbevf/vf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/ixgbevf/vf.c
+++ b/drivers/net/ethernet/intel/ixgbevf/vf.c
@@ -852,7 +852,8 @@ static s32 ixgbevf_check_mac_link_vf(str
if (!mac->get_link_status)
goto out;
- if (hw->mac.type == ixgbe_mac_e610_vf) {
+ if (hw->mac.type == ixgbe_mac_e610_vf &&
+ hw->api_version >= ixgbe_mbox_api_16) {
ret_val = ixgbevf_get_pf_link_state(hw, speed, link_up);
if (ret_val)
goto out;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 251/481] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 250/481] drm/amd: Set num IP blocks to 0 if discovery fails Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 252/481] tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G Greg Kroah-Hartman
` (64 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Luca Ceresoli
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
commit 2f22702dc0fee06a240404e0f7ead5b789b253d8 upstream.
The DSI frequency must be in the range:
(CHA_DSI_CLK_RANGE * 5 MHz) <= DSI freq < ((CHA_DSI_CLK_RANGE + 1) * 5 MHz)
So the register value should point to the lower range value, but
DIV_ROUND_UP() rounds the division to the higher range value, resulting in
an excess of 1 (unless the frequency is an exact multiple of 5 MHz).
For example for a 437100000 MHz clock CHA_DSI_CLK_RANGE should be 87 (0x57):
(87 * 5 = 435) <= 437.1 < (88 * 5 = 440)
but current code returns 88 (0x58).
Fix the computation by removing the DIV_ROUND_UP().
Fixes: ceb515ba29ba ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver")
Cc: stable@vger.kernel.org
Reviewed-by: Marek Vasut <marek.vasut@mailbox.org>
Link: https://patch.msgid.link/20260226-ti-sn65dsi83-dual-lvds-fixes-and-test-pattern-v1-1-2e15f5a9a6a0@bootlin.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/ti-sn65dsi83.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
@@ -303,9 +303,9 @@ static u8 sn65dsi83_get_dsi_range(struct
* DSI_CLK = mode clock * bpp / dsi_data_lanes / 2
* the 2 is there because the bus is DDR.
*/
- return DIV_ROUND_UP(clamp((unsigned int)mode->clock *
- mipi_dsi_pixel_format_to_bpp(ctx->dsi->format) /
- ctx->dsi->lanes / 2, 40000U, 500000U), 5000U);
+ return clamp((unsigned int)mode->clock *
+ mipi_dsi_pixel_format_to_bpp(ctx->dsi->format) /
+ ctx->dsi->lanes / 2, 40000U, 500000U) / 5000U;
}
static u8 sn65dsi83_get_dsi_div(struct sn65dsi83 *ctx)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 238/460] net/sched: act_gate: snapshot parameters with RCU on replace
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 237/460] kbuild: Leave objtool binary around with make clean Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 239/460] xfs: Fix error pointer dereference Greg Kroah-Hartman
` (64 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Moses, Vladimir Oltean,
Jamal Hadi Salim, Victor Nogueira, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Moses <p@1g4.org>
[ Upstream commit 62413a9c3cb183afb9bb6e94dd68caf4e4145f4c ]
The gate action can be replaced while the hrtimer callback or dump path is
walking the schedule list.
Convert the parameters to an RCU-protected snapshot and swap updates under
tcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits
the entry list, preserve the existing schedule so the effective state is
unchanged.
Fixes: a51c328df310 ("net: qos: introduce a gate control flow action")
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moses <p@1g4.org>
Tested-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Link: https://patch.msgid.link/20260223150512.2251594-2-p@1g4.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ hrtimer_setup() => hrtimer_init() + keep is_tcf_gate() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/tc_act/tc_gate.h | 33 ++++-
net/sched/act_gate.c | 266 ++++++++++++++++++++++++++++++-------------
2 files changed, 212 insertions(+), 87 deletions(-)
--- a/include/net/tc_act/tc_gate.h
+++ b/include/net/tc_act/tc_gate.h
@@ -32,6 +32,7 @@ struct tcf_gate_params {
s32 tcfg_clockid;
size_t num_entries;
struct list_head entries;
+ struct rcu_head rcu;
};
#define GATE_ACT_GATE_OPEN BIT(0)
@@ -39,7 +40,7 @@ struct tcf_gate_params {
struct tcf_gate {
struct tc_action common;
- struct tcf_gate_params param;
+ struct tcf_gate_params __rcu *param;
u8 current_gate_status;
ktime_t current_close_time;
u32 current_entry_octets;
@@ -60,47 +61,65 @@ static inline bool is_tcf_gate(const str
return false;
}
+static inline struct tcf_gate_params *tcf_gate_params_locked(const struct tc_action *a)
+{
+ struct tcf_gate *gact = to_gate(a);
+
+ return rcu_dereference_protected(gact->param,
+ lockdep_is_held(&gact->tcf_lock));
+}
+
static inline s32 tcf_gate_prio(const struct tc_action *a)
{
+ struct tcf_gate_params *p;
s32 tcfg_prio;
- tcfg_prio = to_gate(a)->param.tcfg_priority;
+ p = tcf_gate_params_locked(a);
+ tcfg_prio = p->tcfg_priority;
return tcfg_prio;
}
static inline u64 tcf_gate_basetime(const struct tc_action *a)
{
+ struct tcf_gate_params *p;
u64 tcfg_basetime;
- tcfg_basetime = to_gate(a)->param.tcfg_basetime;
+ p = tcf_gate_params_locked(a);
+ tcfg_basetime = p->tcfg_basetime;
return tcfg_basetime;
}
static inline u64 tcf_gate_cycletime(const struct tc_action *a)
{
+ struct tcf_gate_params *p;
u64 tcfg_cycletime;
- tcfg_cycletime = to_gate(a)->param.tcfg_cycletime;
+ p = tcf_gate_params_locked(a);
+ tcfg_cycletime = p->tcfg_cycletime;
return tcfg_cycletime;
}
static inline u64 tcf_gate_cycletimeext(const struct tc_action *a)
{
+ struct tcf_gate_params *p;
u64 tcfg_cycletimeext;
- tcfg_cycletimeext = to_gate(a)->param.tcfg_cycletime_ext;
+ p = tcf_gate_params_locked(a);
+ tcfg_cycletimeext = p->tcfg_cycletime_ext;
return tcfg_cycletimeext;
}
static inline u32 tcf_gate_num_entries(const struct tc_action *a)
{
+ struct tcf_gate_params *p;
u32 num_entries;
- num_entries = to_gate(a)->param.num_entries;
+ p = tcf_gate_params_locked(a);
+ num_entries = p->num_entries;
return num_entries;
}
@@ -114,7 +133,7 @@ static inline struct action_gate_entry
u32 num_entries;
int i = 0;
- p = &to_gate(a)->param;
+ p = tcf_gate_params_locked(a);
num_entries = p->num_entries;
list_for_each_entry(entry, &p->entries, list)
--- a/net/sched/act_gate.c
+++ b/net/sched/act_gate.c
@@ -32,9 +32,12 @@ static ktime_t gate_get_time(struct tcf_
return KTIME_MAX;
}
-static void gate_get_start_time(struct tcf_gate *gact, ktime_t *start)
+static void tcf_gate_params_free_rcu(struct rcu_head *head);
+
+static void gate_get_start_time(struct tcf_gate *gact,
+ const struct tcf_gate_params *param,
+ ktime_t *start)
{
- struct tcf_gate_params *param = &gact->param;
ktime_t now, base, cycle;
u64 n;
@@ -69,12 +72,14 @@ static enum hrtimer_restart gate_timer_f
{
struct tcf_gate *gact = container_of(timer, struct tcf_gate,
hitimer);
- struct tcf_gate_params *p = &gact->param;
struct tcfg_gate_entry *next;
+ struct tcf_gate_params *p;
ktime_t close_time, now;
spin_lock(&gact->tcf_lock);
+ p = rcu_dereference_protected(gact->param,
+ lockdep_is_held(&gact->tcf_lock));
next = gact->next_entry;
/* cycle start, clear pending bit, clear total octets */
@@ -230,6 +235,35 @@ static void release_entry_list(struct li
}
}
+static int tcf_gate_copy_entries(struct tcf_gate_params *dst,
+ const struct tcf_gate_params *src,
+ struct netlink_ext_ack *extack)
+{
+ struct tcfg_gate_entry *entry;
+ int i = 0;
+
+ list_for_each_entry(entry, &src->entries, list) {
+ struct tcfg_gate_entry *new;
+
+ new = kzalloc(sizeof(*new), GFP_ATOMIC);
+ if (!new) {
+ NL_SET_ERR_MSG(extack, "Not enough memory for entry");
+ return -ENOMEM;
+ }
+
+ new->index = entry->index;
+ new->gate_state = entry->gate_state;
+ new->interval = entry->interval;
+ new->ipv = entry->ipv;
+ new->maxoctets = entry->maxoctets;
+ list_add_tail(&new->list, &dst->entries);
+ i++;
+ }
+
+ dst->num_entries = i;
+ return 0;
+}
+
static int parse_gate_list(struct nlattr *list_attr,
struct tcf_gate_params *sched,
struct netlink_ext_ack *extack)
@@ -275,23 +309,42 @@ release_list:
return err;
}
-static void gate_setup_timer(struct tcf_gate *gact, u64 basetime,
- enum tk_offsets tko, s32 clockid,
- bool do_init)
-{
- if (!do_init) {
- if (basetime == gact->param.tcfg_basetime &&
- tko == gact->tk_offset &&
- clockid == gact->param.tcfg_clockid)
- return;
-
- spin_unlock_bh(&gact->tcf_lock);
- hrtimer_cancel(&gact->hitimer);
- spin_lock_bh(&gact->tcf_lock);
+static bool gate_timer_needs_cancel(u64 basetime, u64 old_basetime,
+ enum tk_offsets tko,
+ enum tk_offsets old_tko,
+ s32 clockid, s32 old_clockid)
+{
+ return basetime != old_basetime ||
+ clockid != old_clockid ||
+ tko != old_tko;
+}
+
+static int gate_clock_resolve(s32 clockid, enum tk_offsets *tko,
+ struct netlink_ext_ack *extack)
+{
+ switch (clockid) {
+ case CLOCK_REALTIME:
+ *tko = TK_OFFS_REAL;
+ return 0;
+ case CLOCK_MONOTONIC:
+ *tko = TK_OFFS_MAX;
+ return 0;
+ case CLOCK_BOOTTIME:
+ *tko = TK_OFFS_BOOT;
+ return 0;
+ case CLOCK_TAI:
+ *tko = TK_OFFS_TAI;
+ return 0;
+ default:
+ NL_SET_ERR_MSG(extack, "Invalid 'clockid'");
+ return -EINVAL;
}
- gact->param.tcfg_basetime = basetime;
- gact->param.tcfg_clockid = clockid;
- gact->tk_offset = tko;
+}
+
+static void gate_setup_timer(struct tcf_gate *gact, s32 clockid,
+ enum tk_offsets tko)
+{
+ WRITE_ONCE(gact->tk_offset, tko);
hrtimer_init(&gact->hitimer, clockid, HRTIMER_MODE_ABS_SOFT);
gact->hitimer.function = gate_timer_func;
}
@@ -302,15 +355,22 @@ static int tcf_gate_init(struct net *net
struct netlink_ext_ack *extack)
{
struct tc_action_net *tn = net_generic(net, act_gate_ops.net_id);
- enum tk_offsets tk_offset = TK_OFFS_TAI;
+ u64 cycletime = 0, basetime = 0, cycletime_ext = 0;
+ struct tcf_gate_params *p = NULL, *old_p = NULL;
+ enum tk_offsets old_tk_offset = TK_OFFS_TAI;
+ const struct tcf_gate_params *cur_p = NULL;
bool bind = flags & TCA_ACT_FLAGS_BIND;
struct nlattr *tb[TCA_GATE_MAX + 1];
+ enum tk_offsets tko = TK_OFFS_TAI;
struct tcf_chain *goto_ch = NULL;
- u64 cycletime = 0, basetime = 0;
- struct tcf_gate_params *p;
+ s32 timer_clockid = CLOCK_TAI;
+ bool use_old_entries = false;
+ s32 old_clockid = CLOCK_TAI;
+ bool need_cancel = false;
s32 clockid = CLOCK_TAI;
struct tcf_gate *gact;
struct tc_gate *parm;
+ u64 old_basetime = 0;
int ret = 0, err;
u32 gflags = 0;
s32 prio = -1;
@@ -327,26 +387,8 @@ static int tcf_gate_init(struct net *net
if (!tb[TCA_GATE_PARMS])
return -EINVAL;
- if (tb[TCA_GATE_CLOCKID]) {
+ if (tb[TCA_GATE_CLOCKID])
clockid = nla_get_s32(tb[TCA_GATE_CLOCKID]);
- switch (clockid) {
- case CLOCK_REALTIME:
- tk_offset = TK_OFFS_REAL;
- break;
- case CLOCK_MONOTONIC:
- tk_offset = TK_OFFS_MAX;
- break;
- case CLOCK_BOOTTIME:
- tk_offset = TK_OFFS_BOOT;
- break;
- case CLOCK_TAI:
- tk_offset = TK_OFFS_TAI;
- break;
- default:
- NL_SET_ERR_MSG(extack, "Invalid 'clockid'");
- return -EINVAL;
- }
- }
parm = nla_data(tb[TCA_GATE_PARMS]);
index = parm->index;
@@ -372,6 +414,60 @@ static int tcf_gate_init(struct net *net
return -EEXIST;
}
+ gact = to_gate(*a);
+
+ err = tcf_action_check_ctrlact(parm->action, tp, &goto_ch, extack);
+ if (err < 0)
+ goto release_idr;
+
+ p = kzalloc(sizeof(*p), GFP_KERNEL);
+ if (!p) {
+ err = -ENOMEM;
+ goto chain_put;
+ }
+ INIT_LIST_HEAD(&p->entries);
+
+ use_old_entries = !tb[TCA_GATE_ENTRY_LIST];
+ if (!use_old_entries) {
+ err = parse_gate_list(tb[TCA_GATE_ENTRY_LIST], p, extack);
+ if (err < 0)
+ goto err_free;
+ use_old_entries = !err;
+ }
+
+ if (ret == ACT_P_CREATED && use_old_entries) {
+ NL_SET_ERR_MSG(extack, "The entry list is empty");
+ err = -EINVAL;
+ goto err_free;
+ }
+
+ if (ret != ACT_P_CREATED) {
+ rcu_read_lock();
+ cur_p = rcu_dereference(gact->param);
+
+ old_basetime = cur_p->tcfg_basetime;
+ old_clockid = cur_p->tcfg_clockid;
+ old_tk_offset = READ_ONCE(gact->tk_offset);
+
+ basetime = old_basetime;
+ cycletime_ext = cur_p->tcfg_cycletime_ext;
+ prio = cur_p->tcfg_priority;
+ gflags = cur_p->tcfg_flags;
+
+ if (!tb[TCA_GATE_CLOCKID])
+ clockid = old_clockid;
+
+ err = 0;
+ if (use_old_entries) {
+ err = tcf_gate_copy_entries(p, cur_p, extack);
+ if (!err && !tb[TCA_GATE_CYCLE_TIME])
+ cycletime = cur_p->tcfg_cycletime;
+ }
+ rcu_read_unlock();
+ if (err)
+ goto err_free;
+ }
+
if (tb[TCA_GATE_PRIORITY])
prio = nla_get_s32(tb[TCA_GATE_PRIORITY]);
@@ -381,25 +477,26 @@ static int tcf_gate_init(struct net *net
if (tb[TCA_GATE_FLAGS])
gflags = nla_get_u32(tb[TCA_GATE_FLAGS]);
- gact = to_gate(*a);
- if (ret == ACT_P_CREATED)
- INIT_LIST_HEAD(&gact->param.entries);
+ if (tb[TCA_GATE_CYCLE_TIME])
+ cycletime = nla_get_u64(tb[TCA_GATE_CYCLE_TIME]);
- err = tcf_action_check_ctrlact(parm->action, tp, &goto_ch, extack);
- if (err < 0)
- goto release_idr;
+ if (tb[TCA_GATE_CYCLE_TIME_EXT])
+ cycletime_ext = nla_get_u64(tb[TCA_GATE_CYCLE_TIME_EXT]);
- spin_lock_bh(&gact->tcf_lock);
- p = &gact->param;
+ err = gate_clock_resolve(clockid, &tko, extack);
+ if (err)
+ goto err_free;
+ timer_clockid = clockid;
+
+ need_cancel = ret != ACT_P_CREATED &&
+ gate_timer_needs_cancel(basetime, old_basetime,
+ tko, old_tk_offset,
+ timer_clockid, old_clockid);
- if (tb[TCA_GATE_CYCLE_TIME])
- cycletime = nla_get_u64(tb[TCA_GATE_CYCLE_TIME]);
+ if (need_cancel)
+ hrtimer_cancel(&gact->hitimer);
- if (tb[TCA_GATE_ENTRY_LIST]) {
- err = parse_gate_list(tb[TCA_GATE_ENTRY_LIST], p, extack);
- if (err < 0)
- goto chain_put;
- }
+ spin_lock_bh(&gact->tcf_lock);
if (!cycletime) {
struct tcfg_gate_entry *entry;
@@ -408,22 +505,20 @@ static int tcf_gate_init(struct net *net
list_for_each_entry(entry, &p->entries, list)
cycle = ktime_add_ns(cycle, entry->interval);
cycletime = cycle;
- if (!cycletime) {
- err = -EINVAL;
- goto chain_put;
- }
}
p->tcfg_cycletime = cycletime;
+ p->tcfg_cycletime_ext = cycletime_ext;
- if (tb[TCA_GATE_CYCLE_TIME_EXT])
- p->tcfg_cycletime_ext =
- nla_get_u64(tb[TCA_GATE_CYCLE_TIME_EXT]);
-
- gate_setup_timer(gact, basetime, tk_offset, clockid,
- ret == ACT_P_CREATED);
+ if (need_cancel || ret == ACT_P_CREATED)
+ gate_setup_timer(gact, timer_clockid, tko);
p->tcfg_priority = prio;
p->tcfg_flags = gflags;
- gate_get_start_time(gact, &start);
+ p->tcfg_basetime = basetime;
+ p->tcfg_clockid = timer_clockid;
+ gate_get_start_time(gact, p, &start);
+
+ old_p = rcu_replace_pointer(gact->param, p,
+ lockdep_is_held(&gact->tcf_lock));
gact->current_close_time = start;
gact->current_gate_status = GATE_ACT_GATE_OPEN | GATE_ACT_PENDING;
@@ -440,11 +535,15 @@ static int tcf_gate_init(struct net *net
if (goto_ch)
tcf_chain_put_by_act(goto_ch);
+ if (old_p)
+ call_rcu(&old_p->rcu, tcf_gate_params_free_rcu);
+
return ret;
+err_free:
+ release_entry_list(&p->entries);
+ kfree(p);
chain_put:
- spin_unlock_bh(&gact->tcf_lock);
-
if (goto_ch)
tcf_chain_put_by_act(goto_ch);
release_idr:
@@ -452,21 +551,29 @@ release_idr:
* without taking tcf_lock.
*/
if (ret == ACT_P_CREATED)
- gate_setup_timer(gact, gact->param.tcfg_basetime,
- gact->tk_offset, gact->param.tcfg_clockid,
- true);
+ gate_setup_timer(gact, timer_clockid, tko);
+
tcf_idr_release(*a, bind);
return err;
}
+static void tcf_gate_params_free_rcu(struct rcu_head *head)
+{
+ struct tcf_gate_params *p = container_of(head, struct tcf_gate_params, rcu);
+
+ release_entry_list(&p->entries);
+ kfree(p);
+}
+
static void tcf_gate_cleanup(struct tc_action *a)
{
struct tcf_gate *gact = to_gate(a);
struct tcf_gate_params *p;
- p = &gact->param;
hrtimer_cancel(&gact->hitimer);
- release_entry_list(&p->entries);
+ p = rcu_dereference_protected(gact->param, 1);
+ if (p)
+ call_rcu(&p->rcu, tcf_gate_params_free_rcu);
}
static int dumping_entry(struct sk_buff *skb,
@@ -515,10 +622,9 @@ static int tcf_gate_dump(struct sk_buff
struct nlattr *entry_list;
struct tcf_t t;
- spin_lock_bh(&gact->tcf_lock);
- opt.action = gact->tcf_action;
-
- p = &gact->param;
+ rcu_read_lock();
+ opt.action = READ_ONCE(gact->tcf_action);
+ p = rcu_dereference(gact->param);
if (nla_put(skb, TCA_GATE_PARMS, sizeof(opt), &opt))
goto nla_put_failure;
@@ -558,12 +664,12 @@ static int tcf_gate_dump(struct sk_buff
tcf_tm_dump(&t, &gact->tcf_tm);
if (nla_put_64bit(skb, TCA_GATE_TM, sizeof(t), &t, TCA_GATE_PAD))
goto nla_put_failure;
- spin_unlock_bh(&gact->tcf_lock);
+ rcu_read_unlock();
return skb->len;
nla_put_failure:
- spin_unlock_bh(&gact->tcf_lock);
+ rcu_read_unlock();
nlmsg_trim(skb, b);
return -1;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 314/567] staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 313/567] ixgbevf: fix link setup issue Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 315/567] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie Greg Kroah-Hartman
` (63 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Navaneeth K
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f0109b9d3e1e455429279d602f6276e34689750a upstream.
Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds
read in rtw_get_ie() parser"), we don't trust the data in the frame so
we should check the length better before acting on it
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Tested-by: Navaneeth K <knavaneeth786@gmail.com>
Reviewed-by: Navaneeth K <knavaneeth786@gmail.com>
Link: https://patch.msgid.link/2026022336-arrange-footwork-6e54@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
@@ -186,20 +186,25 @@ u8 *rtw_get_ie_ex(u8 *in_ie, uint in_len
cnt = 0;
- while (cnt < in_len) {
+ while (cnt + 2 <= in_len) {
+ u8 ie_len = in_ie[cnt + 1];
+
+ if (cnt + 2 + ie_len > in_len)
+ break;
+
if (eid == in_ie[cnt]
- && (!oui || !memcmp(&in_ie[cnt+2], oui, oui_len))) {
+ && (!oui || (ie_len >= oui_len && !memcmp(&in_ie[cnt + 2], oui, oui_len)))) {
target_ie = &in_ie[cnt];
if (ie)
- memcpy(ie, &in_ie[cnt], in_ie[cnt+1]+2);
+ memcpy(ie, &in_ie[cnt], ie_len + 2);
if (ielen)
- *ielen = in_ie[cnt+1]+2;
+ *ielen = ie_len + 2;
break;
}
- cnt += in_ie[cnt+1]+2; /* goto next */
+ cnt += ie_len + 2; /* goto next */
}
return target_ie;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 252/481] tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 251/481] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 253/481] xfs: fix undersized l_iclog_roundoff values Greg Kroah-Hartman
` (63 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Calvin Owens, Steven Rostedt (Google)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Calvin Owens <calvin@wbinvd.org>
commit d008ba8be8984760e36d7dcd4adbd5a41a645708 upstream.
Some of the sizing logic through tracer_alloc_buffers() uses int
internally, causing unexpected behavior if the user passes a value that
does not fit in an int (on my x86 machine, the result is uselessly tiny
buffers).
Fix by plumbing the parameter's real type (unsigned long) through to the
ring buffer allocation functions, which already use unsigned long.
It has always been possible to create larger ring buffers via the sysfs
interface: this only affects the cmdline parameter.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/bff42a4288aada08bdf74da3f5b67a2c28b761f8.1772852067.git.calvin@wbinvd.org
Fixes: 73c5162aa362 ("tracing: keep ring buffer to minimum size till used")
Signed-off-by: Calvin Owens <calvin@wbinvd.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -9298,7 +9298,7 @@ static void
init_tracer_tracefs(struct trace_array *tr, struct dentry *d_tracer);
static int
-allocate_trace_buffer(struct trace_array *tr, struct array_buffer *buf, int size)
+allocate_trace_buffer(struct trace_array *tr, struct array_buffer *buf, unsigned long size)
{
enum ring_buffer_flags rb_flags;
@@ -9334,7 +9334,7 @@ static void free_trace_buffer(struct arr
}
}
-static int allocate_trace_buffers(struct trace_array *tr, int size)
+static int allocate_trace_buffers(struct trace_array *tr, unsigned long size)
{
int ret;
@@ -10278,7 +10278,7 @@ out:
__init static int tracer_alloc_buffers(void)
{
- int ring_buf_size;
+ unsigned long ring_buf_size;
int ret = -ENOMEM;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 239/460] xfs: Fix error pointer dereference
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 238/460] net/sched: act_gate: snapshot parameters with RCU on replace Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 240/460] can: gs_usb: gs_can_open(): always configure bitrates before starting device Greg Kroah-Hartman
` (63 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Darrick J. Wong,
Nirjhar Roy (IBM), Carlos Maiolino, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit cddfa648f1ab99e30e91455be19cd5ade26338c2 ]
The function try_lookup_noperm() can return an error pointer and is not
checked for one.
Add checks for error pointer in xrep_adoption_check_dcache() and
xrep_adoption_zap_dcache().
Detected by Smatch:
fs/xfs/scrub/orphanage.c:449 xrep_adoption_check_dcache() error:
'd_child' dereferencing possible ERR_PTR()
fs/xfs/scrub/orphanage.c:485 xrep_adoption_zap_dcache() error:
'd_child' dereferencing possible ERR_PTR()
Fixes: 73597e3e42b4 ("xfs: ensure dentry consistency when the orphanage adopts a file")
Cc: stable@vger.kernel.org # v6.16
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Nirjhar Roy (IBM) <nirjhar.roy.lists@gmail.com>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
[ adapted try_lookup_noperm() calls to d_hash_and_lookup() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/scrub/orphanage.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/fs/xfs/scrub/orphanage.c
+++ b/fs/xfs/scrub/orphanage.c
@@ -443,6 +443,11 @@ xrep_adoption_check_dcache(
return 0;
d_child = d_hash_and_lookup(d_orphanage, &qname);
+ if (IS_ERR(d_child)) {
+ dput(d_orphanage);
+ return PTR_ERR(d_child);
+ }
+
if (d_child) {
trace_xrep_adoption_check_child(sc->mp, d_child);
@@ -480,7 +485,7 @@ xrep_adoption_zap_dcache(
return;
d_child = d_hash_and_lookup(d_orphanage, &qname);
- while (d_child != NULL) {
+ while (!IS_ERR_OR_NULL(d_child)) {
trace_xrep_adoption_invalidate_child(sc->mp, d_child);
ASSERT(d_is_negative(d_child));
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 315/567] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 314/567] staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 316/567] media: dvb-net: fix OOB access in ULE extension header tables Greg Kroah-Hartman
` (62 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Luka Gejak, Dan Carpenter
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luka Gejak <luka.gejak@linux.dev>
commit a75281626fc8fa6dc6c9cc314ee423e8bc45203b upstream.
The current code checks 'i + 5 < in_len' at the end of the if statement.
However, it accesses 'in_ie[i + 5]' before that check, which can lead
to an out-of-bounds read. Move the length check to the beginning of the
conditional to ensure the index is within bounds before accessing the
array.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/20260224132647.11642-2-luka.gejak@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -2000,7 +2000,10 @@ int rtw_restruct_wmm_ie(struct adapter *
while (i < in_len) {
ielength = initial_out_len;
- if (in_ie[i] == 0xDD && in_ie[i+2] == 0x00 && in_ie[i+3] == 0x50 && in_ie[i+4] == 0xF2 && in_ie[i+5] == 0x02 && i+5 < in_len) { /* WMM element ID and OUI */
+ if (i + 5 < in_len &&
+ in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 &&
+ in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 &&
+ in_ie[i + 5] == 0x02) {
for (j = i; j < i + 9; j++) {
out_ie[ielength] = in_ie[j];
ielength++;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 253/481] xfs: fix undersized l_iclog_roundoff values
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 252/481] tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 254/481] s390/dasd: Move quiesce state with pprc swap Greg Kroah-Hartman
` (62 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Carlos Maiolino
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
commit 52a8a1ba883defbfe3200baa22cf4cd21985d51a upstream.
If the superblock doesn't list a log stripe unit, we set the incore log
roundoff value to 512. This leads to corrupt logs and unmountable
filesystems in generic/617 on a disk with 4k physical sectors...
XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197.
XFS (sda1): failed to locate log tail
XFS (sda1): log mount/recovery failed: error -74
XFS (sda1): log mount failed
XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
XFS (sda1): Ending clean mount
...on the current xfsprogs for-next which has a broken mkfs. xfs_info
shows this...
meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks
= sectsz=4096 attr=2, projid32bit=1
= crc=1 finobt=1, sparse=1, rmapbt=1
= reflink=1 bigtime=1 inobtcount=1 nrext64=1
= exchange=1 metadir=1
data = bsize=4096 blocks=2579968, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1
log =internal log bsize=4096 blocks=16384, version=2
= sectsz=4096 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
= rgcount=0 rgsize=268435456 extents
= zoned=0 start=0 reserved=0
...observe that the log section has sectsz=4096 sunit=0, which means
that the roundoff factor is 512, not 4096 as you'd expect. We should
fix mkfs not to generate broken filesystems, but anyone can fuzz the
ondisk superblock so we should be more cautious. I think the inadequate
logic predates commit a6a65fef5ef8d0, but that's clearly going to
require a different backport.
Cc: stable@vger.kernel.org # v5.14
Fixes: a6a65fef5ef8d0 ("xfs: log stripe roundoff is a property of the log")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_log.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/xfs/xfs_log.c
+++ b/fs/xfs/xfs_log.c
@@ -1549,6 +1549,8 @@ xlog_alloc_log(
if (xfs_has_logv2(mp) && mp->m_sb.sb_logsunit > 1)
log->l_iclog_roundoff = mp->m_sb.sb_logsunit;
+ else if (mp->m_sb.sb_logsectsize > 0)
+ log->l_iclog_roundoff = mp->m_sb.sb_logsectsize;
else
log->l_iclog_roundoff = BBSIZE;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 240/460] can: gs_usb: gs_can_open(): always configure bitrates before starting device
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 239/460] xfs: Fix error pointer dereference Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 241/460] cleanup: Provide retain_and_null_ptr() Greg Kroah-Hartman
` (62 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
[ Upstream commit 2df6162785f31f1bbb598cfc3b08e4efc88f80b6 ]
So far the driver populated the struct can_priv::do_set_bittiming() and
struct can_priv::fd::do_set_data_bittiming() callbacks.
Before bringing up the interface, user space has to configure the bitrates.
With these callbacks the configuration is directly forwarded into the CAN
hardware. Then the interface can be brought up.
An ifdown-ifup cycle (without changing the bit rates) doesn't re-configure
the bitrates in the CAN hardware. This leads to a problem with the
CANable-2.5 [1] firmware, which resets the configured bit rates during
ifdown.
To fix the problem remove both bit timing callbacks and always configure
the bitrates in the struct net_device_ops::ndo_open() callback.
[1] https://github.com/Elmue/CANable-2.5-firmware-Slcan-and-Candlelight
Cc: stable@vger.kernel.org
Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
Link: https://patch.msgid.link/20260219-gs_usb-always-configure-bitrates-v2-1-671f8ba5b0a5@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
[ adapted the `.fd` sub-struct ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/gs_usb.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -769,9 +769,8 @@ device_detach:
}
}
-static int gs_usb_set_bittiming(struct net_device *netdev)
+static int gs_usb_set_bittiming(struct gs_can *dev)
{
- struct gs_can *dev = netdev_priv(netdev);
struct can_bittiming *bt = &dev->can.bittiming;
struct gs_device_bittiming dbt = {
.prop_seg = cpu_to_le32(bt->prop_seg),
@@ -788,9 +787,8 @@ static int gs_usb_set_bittiming(struct n
GFP_KERNEL);
}
-static int gs_usb_set_data_bittiming(struct net_device *netdev)
+static int gs_usb_set_data_bittiming(struct gs_can *dev)
{
- struct gs_can *dev = netdev_priv(netdev);
struct can_bittiming *bt = &dev->can.data_bittiming;
struct gs_device_bittiming dbt = {
.prop_seg = cpu_to_le32(bt->prop_seg),
@@ -1054,6 +1052,20 @@ static int gs_can_open(struct net_device
if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP)
flags |= GS_CAN_MODE_HW_TIMESTAMP;
+ rc = gs_usb_set_bittiming(dev);
+ if (rc) {
+ netdev_err(netdev, "failed to set bittiming: %pe\n", ERR_PTR(rc));
+ goto out_usb_kill_anchored_urbs;
+ }
+
+ if (ctrlmode & CAN_CTRLMODE_FD) {
+ rc = gs_usb_set_data_bittiming(dev);
+ if (rc) {
+ netdev_err(netdev, "failed to set data bittiming: %pe\n", ERR_PTR(rc));
+ goto out_usb_kill_anchored_urbs;
+ }
+ }
+
/* finally start device */
dev->can.state = CAN_STATE_ERROR_ACTIVE;
dm.flags = cpu_to_le32(flags);
@@ -1354,7 +1366,6 @@ static struct gs_can *gs_make_candev(uns
dev->can.state = CAN_STATE_STOPPED;
dev->can.clock.freq = le32_to_cpu(bt_const.fclk_can);
dev->can.bittiming_const = &dev->bt_const;
- dev->can.do_set_bittiming = gs_usb_set_bittiming;
dev->can.ctrlmode_supported = CAN_CTRLMODE_CC_LEN8_DLC;
@@ -1378,7 +1389,6 @@ static struct gs_can *gs_make_candev(uns
* GS_CAN_FEATURE_BT_CONST_EXT is set.
*/
dev->can.data_bittiming_const = &dev->bt_const;
- dev->can.do_set_data_bittiming = gs_usb_set_data_bittiming;
}
if (feature & GS_CAN_FEATURE_TERMINATION) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 316/567] media: dvb-net: fix OOB access in ULE extension header tables
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 315/567] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 317/567] net: mana: Ring doorbell at 4 CQ wraparounds Greg Kroah-Hartman
` (61 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ariel Silver, Mauro Carvalho Chehab
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ariel Silver <arielsilver77@gmail.com>
commit 24d87712727a5017ad142d63940589a36cd25647 upstream.
The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables
in handle_one_ule_extension() are declared with 255 elements (valid
indices 0-254), but the index htype is derived from network-controlled
data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When
htype equals 255, an out-of-bounds read occurs on the function pointer
table, and the OOB value may be called as a function pointer.
Add a bounds check on htype against the array size before either table
is accessed. Out-of-range values now cause the SNDU to be discarded.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Ariel Silver <arielsilver77@gmail.com>
Signed-off-by: Ariel Silver <arielsilver77@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/dvb-core/dvb_net.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/media/dvb-core/dvb_net.c
+++ b/drivers/media/dvb-core/dvb_net.c
@@ -228,6 +228,9 @@ static int handle_one_ule_extension( str
unsigned char hlen = (p->ule_sndu_type & 0x0700) >> 8;
unsigned char htype = p->ule_sndu_type & 0x00FF;
+ if (htype >= ARRAY_SIZE(ule_mandatory_ext_handlers))
+ return -1;
+
/* Discriminate mandatory and optional extension headers. */
if (hlen == 0) {
/* Mandatory extension header */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 254/481] s390/dasd: Move quiesce state with pprc swap
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 253/481] xfs: fix undersized l_iclog_roundoff values Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 255/481] s390/dasd: Copy detected format information to secondary device Greg Kroah-Hartman
` (61 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Hoeppner, Stefan Haberland,
Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Haberland <sth@linux.ibm.com>
commit 40e9cd4ae8ec43b107ed2bff422a8fa39dcf4e4b upstream.
Quiesce and resume is a mechanism to suspend operations on DASD devices.
In the context of a controlled copy pair swap operation, the quiesce
operation is usually issued before the actual swap and a resume
afterwards.
During the swap operation, the underlying device is exchanged. Therefore,
the quiesce flag must be moved to the secondary device to ensure a
consistent quiesce state after the swap.
The secondary device itself cannot be suspended separately because there
is no separate block device representation for it.
Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability")
Cc: stable@vger.kernel.org #6.1
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Link: https://patch.msgid.link/20260310142330.4080106-2-sth@linux.ibm.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd_eckd.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -6233,6 +6233,11 @@ static int dasd_eckd_copy_pair_swap(stru
dev_name(&secondary->cdev->dev), rc);
}
+ if (primary->stopped & DASD_STOPPED_QUIESCE) {
+ dasd_device_set_stop_bits(secondary, DASD_STOPPED_QUIESCE);
+ dasd_device_remove_stop_bits(primary, DASD_STOPPED_QUIESCE);
+ }
+
/* re-enable device */
dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC);
dasd_device_remove_stop_bits(secondary, DASD_STOPPED_PPRC);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 241/460] cleanup: Provide retain_and_null_ptr()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 240/460] can: gs_usb: gs_can_open(): always configure bitrates before starting device Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 242/460] usb: gadget: f_ncm: Fix net_device lifecycle with device_move Greg Kroah-Hartman
` (61 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, Jonathan Cameron,
James Bottomley, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit 092d00ead733563f6d278295e0b5c5f97558b726 ]
In cases where an allocation is consumed by another function, the
allocation needs to be retained on success or freed on failure. The code
pattern is usually:
struct foo *f = kzalloc(sizeof(*f), GFP_KERNEL);
struct bar *b;
,,,
// Initialize f
...
if (ret)
goto free;
...
bar = bar_create(f);
if (!bar) {
ret = -ENOMEM;
goto free;
}
...
return 0;
free:
kfree(f);
return ret;
This prevents using __free(kfree) on @f because there is no canonical way
to tell the cleanup code that the allocation should not be freed.
Abusing no_free_ptr() by force ignoring the return value is not really a
sensible option either.
Provide an explicit macro retain_and_null_ptr(), which NULLs the cleanup
pointer. That makes it easy to analyze and reason about.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Link: https://lore.kernel.org/all/20250319105506.083538907@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/cleanup.h | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
--- a/include/linux/cleanup.h
+++ b/include/linux/cleanup.h
@@ -216,6 +216,25 @@ const volatile void * __must_check_fn(co
#define return_ptr(p) return no_free_ptr(p)
+/*
+ * Only for situations where an allocation is handed in to another function
+ * and consumed by that function on success.
+ *
+ * struct foo *f __free(kfree) = kzalloc(sizeof(*f), GFP_KERNEL);
+ *
+ * setup(f);
+ * if (some_condition)
+ * return -EINVAL;
+ * ....
+ * ret = bar(f);
+ * if (!ret)
+ * retain_and_null_ptr(f);
+ * return ret;
+ *
+ * After retain_and_null_ptr(f) the variable f is NULL and cannot be
+ * dereferenced anymore.
+ */
+#define retain_and_null_ptr(p) ((void)__get_and_null(p, NULL))
/*
* DEFINE_CLASS(name, type, exit, init, init_args...):
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 317/567] net: mana: Ring doorbell at 4 CQ wraparounds
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 316/567] media: dvb-net: fix OOB access in ULE extension header tables Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 318/567] ice: fix retry for AQ command 0x06EE Greg Kroah-Hartman
` (60 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Long Li, Haiyang Zhang,
Vadim Fedorenko, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <longli@microsoft.com>
commit dabffd08545ffa1d7183bc45e387860984025291 upstream.
MANA hardware requires at least one doorbell ring every 8 wraparounds
of the CQ. The driver rings the doorbell as a form of flow control to
inform hardware that CQEs have been consumed.
The NAPI poll functions mana_poll_tx_cq() and mana_poll_rx_cq() can
poll up to CQE_POLLING_BUFFER (512) completions per call. If the CQ
has fewer than 512 entries, a single poll call can process more than
4 wraparounds without ringing the doorbell. The doorbell threshold
check also uses ">" instead of ">=", delaying the ring by one extra
CQE beyond 4 wraparounds. Combined, these issues can cause the driver
to exceed the 8-wraparound hardware limit, leading to missed
completions and stalled queues.
Fix this by capping the number of CQEs polled per call to 4 wraparounds
of the CQ in both TX and RX paths. Also change the doorbell threshold
from ">" to ">=" so the doorbell is rung as soon as 4 wraparounds are
reached.
Cc: stable@vger.kernel.org
Fixes: 58a63729c957 ("net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings")
Signed-off-by: Long Li <longli@microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260226192833.1050807-1-longli@microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -1368,8 +1368,14 @@ static void mana_poll_tx_cq(struct mana_
ndev = txq->ndev;
apc = netdev_priv(ndev);
+ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the
+ * doorbell can be rung in time for the hardware's requirement
+ * of at least one doorbell ring every 8 wraparounds.
+ */
comp_read = mana_gd_poll_cq(cq->gdma_cq, completions,
- CQE_POLLING_BUFFER);
+ min((cq->gdma_cq->queue_size /
+ COMP_ENTRY_SIZE) * 4,
+ CQE_POLLING_BUFFER));
if (comp_read < 1)
return;
@@ -1749,7 +1755,14 @@ static void mana_poll_rx_cq(struct mana_
struct mana_rxq *rxq = cq->rxq;
int comp_read, i;
- comp_read = mana_gd_poll_cq(cq->gdma_cq, comp, CQE_POLLING_BUFFER);
+ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the
+ * doorbell can be rung in time for the hardware's requirement
+ * of at least one doorbell ring every 8 wraparounds.
+ */
+ comp_read = mana_gd_poll_cq(cq->gdma_cq, comp,
+ min((cq->gdma_cq->queue_size /
+ COMP_ENTRY_SIZE) * 4,
+ CQE_POLLING_BUFFER));
WARN_ON_ONCE(comp_read > CQE_POLLING_BUFFER);
rxq->xdp_flush = false;
@@ -1794,11 +1807,11 @@ static int mana_cq_handler(void *context
mana_gd_ring_cq(gdma_queue, SET_ARM_BIT);
cq->work_done_since_doorbell = 0;
napi_complete_done(&cq->napi, w);
- } else if (cq->work_done_since_doorbell >
- cq->gdma_cq->queue_size / COMP_ENTRY_SIZE * 4) {
+ } else if (cq->work_done_since_doorbell >=
+ (cq->gdma_cq->queue_size / COMP_ENTRY_SIZE) * 4) {
/* MANA hardware requires at least one doorbell ring every 8
* wraparounds of CQ even if there is no need to arm the CQ.
- * This driver rings the doorbell as soon as we have exceeded
+ * This driver rings the doorbell as soon as it has processed
* 4 wraparounds.
*/
mana_gd_ring_cq(gdma_queue, 0);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 255/481] s390/dasd: Copy detected format information to secondary device
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 254/481] s390/dasd: Move quiesce state with pprc swap Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 256/481] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error Greg Kroah-Hartman
` (60 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Hoeppner, Eduard Shishkin,
Stefan Haberland, Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Haberland <sth@linux.ibm.com>
commit 4c527c7e030672efd788d0806d7a68972a7ba3c1 upstream.
During online processing for a DASD device an IO operation is started to
determine the format of the device. CDL format contains specifically
sized blocks at the beginning of the disk.
For a PPRC secondary device no real IO operation is possible therefore
this IO request can not be started and this step is skipped for online
processing of secondary devices. This is generally fine since the
secondary is a copy of the primary device.
In case of an additional partition detection that is run after a swap
operation the format information is needed to properly drive partition
detection IO.
Currently the information is not passed leading to IO errors during
partition detection and a wrongly detected partition table which in turn
might lead to data corruption on the disk with the wrong partition table.
Fix by passing the format information from primary to secondary device.
Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability")
Cc: stable@vger.kernel.org #6.1
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Acked-by: Eduard Shishkin <edward6@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Link: https://patch.msgid.link/20260310142330.4080106-3-sth@linux.ibm.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd_eckd.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -6186,6 +6186,7 @@ static void copy_pair_set_active(struct
static int dasd_eckd_copy_pair_swap(struct dasd_device *device, char *prim_busid,
char *sec_busid)
{
+ struct dasd_eckd_private *prim_priv, *sec_priv;
struct dasd_device *primary, *secondary;
struct dasd_copy_relation *copy;
struct dasd_block *block;
@@ -6206,6 +6207,9 @@ static int dasd_eckd_copy_pair_swap(stru
if (!secondary)
return DASD_COPYPAIRSWAP_SECONDARY;
+ prim_priv = primary->private;
+ sec_priv = secondary->private;
+
/*
* usually the device should be quiesced for swap
* for paranoia stop device and requeue requests again
@@ -6238,6 +6242,13 @@ static int dasd_eckd_copy_pair_swap(stru
dasd_device_remove_stop_bits(primary, DASD_STOPPED_QUIESCE);
}
+ /*
+ * The secondary device never got through format detection, but since it
+ * is a copy of the primary device, the format is exactly the same;
+ * therefore, the detected layout can simply be copied.
+ */
+ sec_priv->uses_cdl = prim_priv->uses_cdl;
+
/* re-enable device */
dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC);
dasd_device_remove_stop_bits(secondary, DASD_STOPPED_PPRC);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 242/460] usb: gadget: f_ncm: Fix net_device lifecycle with device_move
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 241/460] cleanup: Provide retain_and_null_ptr() Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 243/460] usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling Greg Kroah-Hartman
` (60 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Kuen-Han Tsai, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuen-Han Tsai <khtsai@google.com>
[ Upstream commit ec35c1969650e7cb6c8a91020e568ed46e3551b0 ]
The network device outlived its parent gadget device during
disconnection, resulting in dangling sysfs links and null pointer
dereference problems.
A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1]
was reverted due to power management ordering concerns and a NO-CARRIER
regression.
A subsequent attempt to defer net_device allocation to bind [2] broke
1:1 mapping between function instance and network device, making it
impossible for configfs to report the resolved interface name. This
results in a regression where the DHCP server fails on pmOS.
Use device_move to reparent the net_device between the gadget device and
/sys/devices/virtual/ across bind/unbind cycles. This preserves the
network interface across USB reconnection, allowing the DHCP server to
retain their binding.
Introduce gether_attach_gadget()/gether_detach_gadget() helpers and use
__free(detach_gadget) macro to undo attachment on bind failure. The
bind_count ensures device_move executes only on the first bind.
[1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel@crapouillou.net/
[2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit.cz/
Fixes: 40d133d7f542 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility")
Cc: stable <stable@kernel.org>
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20260309-f-ncm-revert-v2-7-ea2afbc7d9b2@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_ncm.c | 38 ++++++++++++++++++++++------------
drivers/usb/gadget/function/u_ether.c | 22 +++++++++++++++++++
drivers/usb/gadget/function/u_ether.h | 26 +++++++++++++++++++++++
drivers/usb/gadget/function/u_ncm.h | 2 -
4 files changed, 74 insertions(+), 14 deletions(-)
--- a/drivers/usb/gadget/function/f_ncm.c
+++ b/drivers/usb/gadget/function/f_ncm.c
@@ -1438,6 +1438,7 @@ static int ncm_bind(struct usb_configura
struct f_ncm_opts *ncm_opts;
struct usb_os_desc_table *os_desc_table __free(kfree) = NULL;
+ struct net_device *net __free(detach_gadget) = NULL;
struct usb_request *request __free(free_usb_request) = NULL;
if (!can_support_ecm(cdev->gadget))
@@ -1451,18 +1452,19 @@ static int ncm_bind(struct usb_configura
return -ENOMEM;
}
- mutex_lock(&ncm_opts->lock);
- gether_set_gadget(ncm_opts->net, cdev->gadget);
- if (!ncm_opts->bound) {
- ncm_opts->net->mtu = (ncm_opts->max_segment_size - ETH_HLEN);
- status = gether_register_netdev(ncm_opts->net);
- }
- mutex_unlock(&ncm_opts->lock);
-
- if (status)
- return status;
-
- ncm_opts->bound = true;
+ scoped_guard(mutex, &ncm_opts->lock)
+ if (ncm_opts->bind_count == 0) {
+ if (!device_is_registered(&ncm_opts->net->dev)) {
+ ncm_opts->net->mtu = (ncm_opts->max_segment_size - ETH_HLEN);
+ gether_set_gadget(ncm_opts->net, cdev->gadget);
+ status = gether_register_netdev(ncm_opts->net);
+ } else
+ status = gether_attach_gadget(ncm_opts->net, cdev->gadget);
+
+ if (status)
+ return status;
+ net = ncm_opts->net;
+ }
ncm_string_defs[1].s = ncm->ethaddr;
@@ -1564,6 +1566,9 @@ static int ncm_bind(struct usb_configura
}
ncm->notify_req = no_free_ptr(request);
+ ncm_opts->bind_count++;
+ retain_and_null_ptr(net);
+
DBG(cdev, "CDC Network: IN/%s OUT/%s NOTIFY/%s\n",
ncm->port.in_ep->name, ncm->port.out_ep->name,
ncm->notify->name);
@@ -1655,7 +1660,7 @@ static void ncm_free_inst(struct usb_fun
struct f_ncm_opts *opts;
opts = container_of(f, struct f_ncm_opts, func_inst);
- if (opts->bound)
+ if (device_is_registered(&opts->net->dev))
gether_cleanup(netdev_priv(opts->net));
else
free_netdev(opts->net);
@@ -1718,9 +1723,12 @@ static void ncm_free(struct usb_function
static void ncm_unbind(struct usb_configuration *c, struct usb_function *f)
{
struct f_ncm *ncm = func_to_ncm(f);
+ struct f_ncm_opts *ncm_opts;
DBG(c->cdev, "ncm unbind\n");
+ ncm_opts = container_of(f->fi, struct f_ncm_opts, func_inst);
+
hrtimer_cancel(&ncm->task_timer);
kfree(f->os_desc_table);
@@ -1736,6 +1744,10 @@ static void ncm_unbind(struct usb_config
kfree(ncm->notify_req->buf);
usb_ep_free_request(ncm->notify, ncm->notify_req);
+
+ ncm_opts->bind_count--;
+ if (ncm_opts->bind_count == 0)
+ gether_detach_gadget(ncm_opts->net);
}
static struct usb_function *ncm_alloc(struct usb_function_instance *fi)
--- a/drivers/usb/gadget/function/u_ether.c
+++ b/drivers/usb/gadget/function/u_ether.c
@@ -896,6 +896,28 @@ void gether_set_gadget(struct net_device
}
EXPORT_SYMBOL_GPL(gether_set_gadget);
+int gether_attach_gadget(struct net_device *net, struct usb_gadget *g)
+{
+ int ret;
+
+ ret = device_move(&net->dev, &g->dev, DPM_ORDER_DEV_AFTER_PARENT);
+ if (ret)
+ return ret;
+
+ gether_set_gadget(net, g);
+ return 0;
+}
+EXPORT_SYMBOL_GPL(gether_attach_gadget);
+
+void gether_detach_gadget(struct net_device *net)
+{
+ struct eth_dev *dev = netdev_priv(net);
+
+ device_move(&net->dev, NULL, DPM_ORDER_NONE);
+ dev->gadget = NULL;
+}
+EXPORT_SYMBOL_GPL(gether_detach_gadget);
+
int gether_set_dev_addr(struct net_device *net, const char *dev_addr)
{
struct eth_dev *dev;
--- a/drivers/usb/gadget/function/u_ether.h
+++ b/drivers/usb/gadget/function/u_ether.h
@@ -151,6 +151,32 @@ static inline struct net_device *gether_
void gether_set_gadget(struct net_device *net, struct usb_gadget *g);
/**
+ * gether_attach_gadget - Reparent net_device to the gadget device.
+ * @net: The network device to reparent.
+ * @g: The target USB gadget device to parent to.
+ *
+ * This function moves the network device to be a child of the USB gadget
+ * device in the device hierarchy. This is typically done when the function
+ * is bound to a configuration.
+ *
+ * Returns 0 on success, or a negative error code on failure.
+ */
+int gether_attach_gadget(struct net_device *net, struct usb_gadget *g);
+
+/**
+ * gether_detach_gadget - Detach net_device from its gadget parent.
+ * @net: The network device to detach.
+ *
+ * This function moves the network device to be a child of the virtual
+ * devices parent, effectively detaching it from the USB gadget device
+ * hierarchy. This is typically done when the function is unbound
+ * from a configuration but the instance is not yet freed.
+ */
+void gether_detach_gadget(struct net_device *net);
+
+DEFINE_FREE(detach_gadget, struct net_device *, if (_T) gether_detach_gadget(_T))
+
+/**
* gether_set_dev_addr - initialize an ethernet-over-usb link with eth address
* @net: device representing this link
* @dev_addr: eth address of this device
--- a/drivers/usb/gadget/function/u_ncm.h
+++ b/drivers/usb/gadget/function/u_ncm.h
@@ -18,7 +18,7 @@
struct f_ncm_opts {
struct usb_function_instance func_inst;
struct net_device *net;
- bool bound;
+ int bind_count;
struct config_group *ncm_interf_group;
struct usb_os_desc ncm_os_desc;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 318/567] ice: fix retry for AQ command 0x06EE
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 317/567] net: mana: Ring doorbell at 4 CQ wraparounds Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 319/567] tracing: Fix syscall events activation by ensuring refcount hits zero Greg Kroah-Hartman
` (59 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Staniszewski, Dawid Osuchowski,
Aleksandr Loktionov, Przemek Kitszel, Paul Menzel, Tony Nguyen,
Rinitha S
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
commit fb4903b3354aed4a2301180cf991226f896c87ed upstream.
Executing ethtool -m can fail reporting a netlink I/O error while firmware
link management holds the i2c bus used to communicate with the module.
According to Intel(R) Ethernet Controller E810 Datasheet Rev 2.8 [1]
Section 3.3.10.4 Read/Write SFF EEPROM (0x06EE)
request should to be retried upon receiving EBUSY from firmware.
Commit e9c9692c8a81 ("ice: Reimplement module reads used by ethtool")
implemented it only for part of ice_get_module_eeprom(), leaving all other
calls to ice_aq_sff_eeprom() vulnerable to returning early on getting
EBUSY without retrying.
Remove the retry loop from ice_get_module_eeprom() and add Admin Queue
(AQ) command with opcode 0x06EE to the list of commands that should be
retried on receiving EBUSY from firmware.
Cc: stable@vger.kernel.org
Fixes: e9c9692c8a81 ("ice: Reimplement module reads used by ethtool")
Signed-off-by: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
Co-developed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Signed-off-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Link: https://www.intel.com/content/www/us/en/content-details/613875/intel-ethernet-controller-e810-datasheet.html [1]
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_common.c | 1
drivers/net/ethernet/intel/ice/ice_ethtool.c | 35 ++++++++++-----------------
2 files changed, 15 insertions(+), 21 deletions(-)
--- a/drivers/net/ethernet/intel/ice/ice_common.c
+++ b/drivers/net/ethernet/intel/ice/ice_common.c
@@ -1611,6 +1611,7 @@ static bool ice_should_retry_sq_send_cmd
case ice_aqc_opc_lldp_stop:
case ice_aqc_opc_lldp_start:
case ice_aqc_opc_lldp_filter_ctrl:
+ case ice_aqc_opc_sff_eeprom:
return true;
}
--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
+++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
@@ -4045,7 +4045,7 @@ ice_get_module_eeprom(struct net_device
struct ice_pf *pf = vsi->back;
struct ice_hw *hw = &pf->hw;
bool is_sfp = false;
- unsigned int i, j;
+ unsigned int i;
u16 offset = 0;
u8 page = 0;
int status;
@@ -4087,26 +4087,19 @@ ice_get_module_eeprom(struct net_device
if (page == 0 || !(data[0x2] & 0x4)) {
u32 copy_len;
- /* If i2c bus is busy due to slow page change or
- * link management access, call can fail. This is normal.
- * So we retry this a few times.
- */
- for (j = 0; j < 4; j++) {
- status = ice_aq_sff_eeprom(hw, 0, addr, offset, page,
- !is_sfp, value,
- SFF_READ_BLOCK_SIZE,
- 0, NULL);
- netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%X)\n",
- addr, offset, page, is_sfp,
- value[0], value[1], value[2], value[3],
- value[4], value[5], value[6], value[7],
- status);
- if (status) {
- usleep_range(1500, 2500);
- memset(value, 0, SFF_READ_BLOCK_SIZE);
- continue;
- }
- break;
+ status = ice_aq_sff_eeprom(hw, 0, addr, offset, page,
+ !is_sfp, value,
+ SFF_READ_BLOCK_SIZE,
+ 0, NULL);
+ netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%pe)\n",
+ addr, offset, page, is_sfp,
+ value[0], value[1], value[2], value[3],
+ value[4], value[5], value[6], value[7],
+ ERR_PTR(status));
+ if (status) {
+ netdev_err(netdev, "%s: error reading module EEPROM: status %pe\n",
+ __func__, ERR_PTR(status));
+ return status;
}
/* Make sure we have enough room for the new block */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 256/481] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 255/481] s390/dasd: Copy detected format information to secondary device Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 257/481] scsi: core: Fix error handling for scsi_alloc_sdev() Greg Kroah-Hartman
` (59 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josh Law, Steven Rostedt (Google),
Masami Hiramatsu (Google)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 39ebc8d7f561e1b64eca87353ef9b18e2825e591 upstream.
__xbc_open_brace() pushes entries with post-increment
(open_brace[brace_index++]), so brace_index always points one past
the last valid entry. xbc_verify_tree() reads open_brace[brace_index]
to report which brace is unclosed, but this is one past the last
pushed entry and contains stale/zero data, causing the error message
to reference the wrong node.
Use open_brace[brace_index - 1] to correctly identify the unclosed
brace. brace_index is known to be > 0 here since we are inside the
if (brace_index) guard.
Link: https://lore.kernel.org/all/20260312191143.28719-2-objecting@objecting.org/
Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/bootconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -793,7 +793,7 @@ static int __init xbc_verify_tree(void)
/* Brace closing */
if (brace_index) {
- n = &xbc_nodes[open_brace[brace_index]];
+ n = &xbc_nodes[open_brace[brace_index - 1]];
return xbc_parse_error("Brace is not closed",
xbc_node_get_data(n));
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 243/460] usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 242/460] usb: gadget: f_ncm: Fix net_device lifecycle with device_move Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 244/460] KVM: SVM: Limit AVIC physical max index based on configured max_vcpu_ids Greg Kroah-Hartman
` (59 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jiasheng Jiang, Thinh Nguyen,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
[ Upstream commit b9fde507355342a2d64225d582dc8b98ff5ecb19 ]
The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically
managed and tied to userspace configuration via ConfigFS. It can be
NULL if the USB host sends requests before the nexus is fully
established or immediately after it is dropped.
Currently, functions like `bot_submit_command()` and the data
transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately
dereference `tv_nexus->tvn_se_sess` without any validation. If a
malicious or misconfigured USB host sends a BOT (Bulk-Only Transport)
command during this race window, it triggers a NULL pointer
dereference, leading to a kernel panic (local DoS).
This exposes an inconsistent API usage within the module, as peer
functions like `usbg_submit_command()` and `bot_send_bad_response()`
correctly implement a NULL check for `tv_nexus` before proceeding.
Fix this by bringing consistency to the nexus handling. Add the
missing `if (!tv_nexus)` checks to the vulnerable BOT command and
request processing paths, aborting the command gracefully with an
error instead of crashing the system.
Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT")
Cc: stable <stable@kernel.org>
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Reviewed-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20260219023834.17976-1-jiashengjiangcool@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_tcm.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/drivers/usb/gadget/function/f_tcm.c
+++ b/drivers/usb/gadget/function/f_tcm.c
@@ -1032,6 +1032,13 @@ static void usbg_cmd_work(struct work_st
se_cmd = &cmd->se_cmd;
tpg = cmd->fu->tpg;
tv_nexus = tpg->tpg_nexus;
+ if (!tv_nexus) {
+ struct usb_gadget *gadget = fuas_to_gadget(cmd->fu);
+
+ dev_err(&gadget->dev, "Missing nexus, ignoring command\n");
+ return;
+ }
+
dir = get_cmd_dir(cmd->cmd_buf);
if (dir < 0) {
__target_init_cmd(se_cmd,
@@ -1160,6 +1167,13 @@ static void bot_cmd_work(struct work_str
se_cmd = &cmd->se_cmd;
tpg = cmd->fu->tpg;
tv_nexus = tpg->tpg_nexus;
+ if (!tv_nexus) {
+ struct usb_gadget *gadget = fuas_to_gadget(cmd->fu);
+
+ dev_err(&gadget->dev, "Missing nexus, ignoring command\n");
+ return;
+ }
+
dir = get_cmd_dir(cmd->cmd_buf);
if (dir < 0) {
__target_init_cmd(se_cmd,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 319/567] tracing: Fix syscall events activation by ensuring refcount hits zero
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 318/567] ice: fix retry for AQ command 0x06EE Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 320/567] batman-adv: Avoid double-rtnl_lock ELP metric worker Greg Kroah-Hartman
` (58 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Huiwen He, Steven Rostedt (Google)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huiwen He <hehuiwen@kylinos.cn>
commit 0a663b764dbdf135a126284f454c9f01f95a87d4 upstream.
When multiple syscall events are specified in the kernel command line
(e.g., trace_event=syscalls:sys_enter_openat,syscalls:sys_enter_close),
they are often not captured after boot, even though they appear enabled
in the tracing/set_event file.
The issue stems from how syscall events are initialized. Syscall
tracepoints require the global reference count (sys_tracepoint_refcount)
to transition from 0 to 1 to trigger the registration of the syscall
work (TIF_SYSCALL_TRACEPOINT) for tasks, including the init process (pid 1).
The current implementation of early_enable_events() with disable_first=true
used an interleaved sequence of "Disable A -> Enable A -> Disable B -> Enable B".
If multiple syscalls are enabled, the refcount never drops to zero,
preventing the 0->1 transition that triggers actual registration.
Fix this by splitting early_enable_events() into two distinct phases:
1. Disable all events specified in the buffer.
2. Enable all events specified in the buffer.
This ensures the refcount hits zero before re-enabling, allowing syscall
events to be properly activated during early boot.
The code is also refactored to use a helper function to avoid logic
duplication between the disable and enable phases.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/20260224023544.1250787-1-hehuiwen@kylinos.cn
Fixes: ce1039bd3a89 ("tracing: Fix enabling of syscall events on the command line")
Signed-off-by: Huiwen He <hehuiwen@kylinos.cn>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events.c | 52 +++++++++++++++++++++++++++++++-------------
1 file changed, 37 insertions(+), 15 deletions(-)
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -4140,26 +4140,22 @@ static __init int event_trace_memsetup(v
return 0;
}
-__init void
-early_enable_events(struct trace_array *tr, char *buf, bool disable_first)
+/*
+ * Helper function to enable or disable a comma-separated list of events
+ * from the bootup buffer.
+ */
+static __init void __early_set_events(struct trace_array *tr, char *buf, bool enable)
{
char *token;
- int ret;
-
- while (true) {
- token = strsep(&buf, ",");
-
- if (!token)
- break;
+ while ((token = strsep(&buf, ","))) {
if (*token) {
- /* Restarting syscalls requires that we stop them first */
- if (disable_first)
+ if (enable) {
+ if (ftrace_set_clr_event(tr, token, 1))
+ pr_warn("Failed to enable trace event: %s\n", token);
+ } else {
ftrace_set_clr_event(tr, token, 0);
-
- ret = ftrace_set_clr_event(tr, token, 1);
- if (ret)
- pr_warn("Failed to enable trace event: %s\n", token);
+ }
}
/* Put back the comma to allow this to be called again */
@@ -4168,6 +4164,32 @@ early_enable_events(struct trace_array *
}
}
+/**
+ * early_enable_events - enable events from the bootup buffer
+ * @tr: The trace array to enable the events in
+ * @buf: The buffer containing the comma separated list of events
+ * @disable_first: If true, disable all events in @buf before enabling them
+ *
+ * This function enables events from the bootup buffer. If @disable_first
+ * is true, it will first disable all events in the buffer before enabling
+ * them.
+ *
+ * For syscall events, which rely on a global refcount to register the
+ * SYSCALL_WORK_SYSCALL_TRACEPOINT flag (especially for pid 1), we must
+ * ensure the refcount hits zero before re-enabling them. A simple
+ * "disable then enable" per-event is not enough if multiple syscalls are
+ * used, as the refcount will stay above zero. Thus, we need a two-phase
+ * approach: disable all, then enable all.
+ */
+__init void
+early_enable_events(struct trace_array *tr, char *buf, bool disable_first)
+{
+ if (disable_first)
+ __early_set_events(tr, buf, false);
+
+ __early_set_events(tr, buf, true);
+}
+
static __init int event_trace_enable(void)
{
struct trace_array *tr = top_trace_array();
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 257/481] scsi: core: Fix error handling for scsi_alloc_sdev()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 256/481] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error Greg Kroah-Hartman
@ 2026-03-23 13:43 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 258/481] x86/apic: Disable x2apic on resume if the kernel expects so Greg Kroah-Hartman
` (58 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxiao Bi, John Garry,
Bart Van Assche, Martin K. Petersen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxiao Bi <junxiao.bi@oracle.com>
commit 4ce7ada40c008fa21b7e52ab9d04e8746e2e9325 upstream.
After scsi_sysfs_device_initialize() was called, error paths must call
__scsi_remove_device().
Fixes: 1ac22c8eae81 ("scsi: core: Fix refcount leak for tagset_refcnt")
Cc: stable@vger.kernel.org
Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260304164603.51528-1-junxiao.bi@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/scsi_scan.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -354,12 +354,8 @@ static struct scsi_device *scsi_alloc_sd
* default device queue depth to figure out sbitmap shift
* since we use this queue depth most of times.
*/
- if (scsi_realloc_sdev_budget_map(sdev, depth)) {
- kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
- put_device(&starget->dev);
- kfree(sdev);
- goto out;
- }
+ if (scsi_realloc_sdev_budget_map(sdev, depth))
+ goto out_device_destroy;
scsi_change_queue_depth(sdev, depth);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 244/460] KVM: SVM: Limit AVIC physical max index based on configured max_vcpu_ids
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.12 243/460] usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 245/460] KVM: SVM: Add a helper to look up the max physical ID for AVIC Greg Kroah-Hartman
` (58 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naveen N Rao (AMD),
Sean Christopherson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Naveen N Rao <naveen@kernel.org>
[ Upstream commit 574ef752d4aea04134bc121294d717f4422c2755 ]
KVM allows VMMs to specify the maximum possible APIC ID for a virtual
machine through KVM_CAP_MAX_VCPU_ID capability so as to limit data
structures related to APIC/x2APIC. Utilize the same to set the AVIC
physical max index in the VMCB, similar to VMX. This helps hardware
limit the number of entries to be scanned in the physical APIC ID table
speeding up IPI broadcasts for virtual machines with smaller number of
vCPUs.
Unlike VMX, SVM AVIC requires a single page to be allocated for the
Physical APIC ID table and the Logical APIC ID table, so retain the
existing approach of allocating those during VM init.
Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>
Link: https://lore.kernel.org/r/adb07ccdb3394cd79cb372ba6bcc69a4e4d4ef54.1757009416.git.naveen@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Stable-dep-of: 87d0f901a9bd ("KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/avic.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -85,6 +85,7 @@ struct amd_svm_iommu_ir {
static void avic_activate_vmcb(struct vcpu_svm *svm)
{
struct vmcb *vmcb = svm->vmcb01.ptr;
+ struct kvm *kvm = svm->vcpu.kvm;
vmcb->control.int_ctl &= ~(AVIC_ENABLE_MASK | X2APIC_MODE_MASK);
vmcb->control.avic_physical_id &= ~AVIC_PHYSICAL_MAX_INDEX_MASK;
@@ -100,7 +101,8 @@ static void avic_activate_vmcb(struct vc
*/
if (x2avic_enabled && apic_x2apic_mode(svm->vcpu.arch.apic)) {
vmcb->control.int_ctl |= X2APIC_MODE_MASK;
- vmcb->control.avic_physical_id |= X2AVIC_MAX_PHYSICAL_ID;
+ vmcb->control.avic_physical_id |= min(kvm->arch.max_vcpu_ids - 1,
+ X2AVIC_MAX_PHYSICAL_ID);
/* Disabling MSR intercept for x2APIC registers */
svm_set_x2apic_msr_interception(svm, false);
} else {
@@ -111,7 +113,8 @@ static void avic_activate_vmcb(struct vc
kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, &svm->vcpu);
/* For xAVIC and hybrid-xAVIC modes */
- vmcb->control.avic_physical_id |= AVIC_MAX_PHYSICAL_ID;
+ vmcb->control.avic_physical_id |= min(kvm->arch.max_vcpu_ids - 1,
+ AVIC_MAX_PHYSICAL_ID);
/* Enabling MSR intercept for x2APIC registers */
svm_set_x2apic_msr_interception(svm, true);
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 320/567] batman-adv: Avoid double-rtnl_lock ELP metric worker
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.6 319/567] tracing: Fix syscall events activation by ensuring refcount hits zero Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 321/567] parisc: Increase initial mapping to 64 MB with KALLSYMS Greg Kroah-Hartman
` (57 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Schmidbauer,
Sven Eckelmann, Sören Skaarup, Simon Wunderlich
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit cfc83a3c71517b59c1047db57da31e26a9dc2f33 upstream.
batadv_v_elp_get_throughput() might be called when the RTNL lock is already
held. This could be problematic when the work queue item is cancelled via
cancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case,
an rtnl_lock() would cause a deadlock.
To avoid this, rtnl_trylock() was used in this function to skip the
retrieval of the ethtool information in case the RTNL lock was already
held.
But for cfg80211 interfaces, batadv_get_real_netdev() was called - which
also uses rtnl_lock(). The approach for __ethtool_get_link_ksettings() must
also be used instead and the lockless version __batadv_get_real_netdev()
has to be called.
Cc: stable@vger.kernel.org
Fixes: 8c8ecc98f5c6 ("batman-adv: Drop unmanaged ELP metric worker")
Reported-by: Christian Schmidbauer <github@grische.xyz>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Tested-by: Sören Skaarup <freifunk_nordm4nn@gmx.de>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/bat_v_elp.c | 10 +++++++++-
net/batman-adv/hard-interface.c | 8 ++++----
net/batman-adv/hard-interface.h | 1 +
3 files changed, 14 insertions(+), 5 deletions(-)
--- a/net/batman-adv/bat_v_elp.c
+++ b/net/batman-adv/bat_v_elp.c
@@ -112,7 +112,15 @@ static bool batadv_v_elp_get_throughput(
/* unsupported WiFi driver version */
goto default_throughput;
- real_netdev = batadv_get_real_netdev(hard_iface->net_dev);
+ /* only use rtnl_trylock because the elp worker will be cancelled while
+ * the rntl_lock is held. the cancel_delayed_work_sync() would otherwise
+ * wait forever when the elp work_item was started and it is then also
+ * trying to rtnl_lock
+ */
+ if (!rtnl_trylock())
+ return false;
+ real_netdev = __batadv_get_real_netdev(hard_iface->net_dev);
+ rtnl_unlock();
if (!real_netdev)
goto default_throughput;
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -203,7 +203,7 @@ static bool batadv_is_valid_iface(const
}
/**
- * batadv_get_real_netdevice() - check if the given netdev struct is a virtual
+ * __batadv_get_real_netdev() - check if the given netdev struct is a virtual
* interface on top of another 'real' interface
* @netdev: the device to check
*
@@ -213,7 +213,7 @@ static bool batadv_is_valid_iface(const
* Return: the 'real' net device or the original net device and NULL in case
* of an error.
*/
-static struct net_device *batadv_get_real_netdevice(struct net_device *netdev)
+struct net_device *__batadv_get_real_netdev(struct net_device *netdev)
{
struct batadv_hard_iface *hard_iface = NULL;
struct net_device *real_netdev = NULL;
@@ -266,7 +266,7 @@ struct net_device *batadv_get_real_netde
struct net_device *real_netdev;
rtnl_lock();
- real_netdev = batadv_get_real_netdevice(net_device);
+ real_netdev = __batadv_get_real_netdev(net_device);
rtnl_unlock();
return real_netdev;
@@ -335,7 +335,7 @@ static u32 batadv_wifi_flags_evaluate(st
if (batadv_is_cfg80211_netdev(net_device))
wifi_flags |= BATADV_HARDIF_WIFI_CFG80211_DIRECT;
- real_netdev = batadv_get_real_netdevice(net_device);
+ real_netdev = __batadv_get_real_netdev(net_device);
if (!real_netdev)
return wifi_flags;
--- a/net/batman-adv/hard-interface.h
+++ b/net/batman-adv/hard-interface.h
@@ -68,6 +68,7 @@ enum batadv_hard_if_bcast {
extern struct notifier_block batadv_hard_if_notifier;
+struct net_device *__batadv_get_real_netdev(struct net_device *net_device);
struct net_device *batadv_get_real_netdev(struct net_device *net_device);
bool batadv_is_cfg80211_hardif(struct batadv_hard_iface *hard_iface);
bool batadv_is_wifi_hardif(struct batadv_hard_iface *hard_iface);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 258/481] x86/apic: Disable x2apic on resume if the kernel expects so
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2026-03-23 13:43 ` [PATCH 6.1 257/481] scsi: core: Fix error handling for scsi_alloc_sdev() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 259/481] lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after() Greg Kroah-Hartman
` (57 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rahul Bukte, Shashank Balaji,
Borislav Petkov (AMD), Thomas Gleixner, Sohil Mehta
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shashank Balaji <shashank.mahadasyam@sony.com>
commit 8cc7dd77a1466f0ec58c03478b2e735a5b289b96 upstream.
When resuming from s2ram, firmware may re-enable x2apic mode, which may have
been disabled by the kernel during boot either because it doesn't support IRQ
remapping or for other reasons. This causes the kernel to continue using the
xapic interface, while the hardware is in x2apic mode, which causes hangs.
This happens on defconfig + bare metal + s2ram.
Fix this in lapic_resume() by disabling x2apic if the kernel expects it to be
disabled, i.e. when x2apic_mode = 0.
The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the
pre-sleep configuration or initial boot configuration for each CPU, including
MSR state:
When executing from the power-on reset vector as a result of waking from an
S2 or S3 sleep state, the platform firmware performs only the hardware
initialization required to restore the system to either the state the
platform was in prior to the initial operating system boot, or to the
pre-sleep configuration state. In multiprocessor systems, non-boot
processors should be placed in the same state as prior to the initial
operating system boot.
(further ahead)
If this is an S2 or S3 wake, then the platform runtime firmware restores
minimum context of the system before jumping to the waking vector. This
includes:
CPU configuration. Platform runtime firmware restores the pre-sleep
configuration or initial boot configuration of each CPU (MSR, MTRR,
firmware update, SMBase, and so on). Interrupts must be disabled (for
IA-32 processors, disabled by CLI instruction).
(and other things)
So at least as per the spec, re-enablement of x2apic by the firmware is
allowed if "x2apic on" is a part of the initial boot configuration.
[1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization
[ bp: Massage. ]
Fixes: 6e1cb38a2aef ("x64, x2apic/intr-remap: add x2apic support, including enabling interrupt-remapping")
Co-developed-by: Rahul Bukte <rahul.bukte@sony.com>
Signed-off-by: Rahul Bukte <rahul.bukte@sony.com>
Signed-off-by: Shashank Balaji <shashank.mahadasyam@sony.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Sohil Mehta <sohil.mehta@intel.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260306-x2apic-fix-v2-1-bee99c12efa3@sony.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/apic/apic.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1958,6 +1958,7 @@ void __init check_x2apic(void)
static inline void try_to_enable_x2apic(int remap_mode) { }
static inline void __x2apic_enable(void) { }
+static inline void __x2apic_disable(void) { }
#endif /* !CONFIG_X86_X2APIC */
void __init enable_IR_x2apic(void)
@@ -2778,6 +2779,11 @@ static void lapic_resume(void)
if (x2apic_mode) {
__x2apic_enable();
} else {
+ if (x2apic_enabled()) {
+ pr_warn_once("x2apic: re-enabled by firmware during resume. Disabling\n");
+ __x2apic_disable();
+ }
+
/*
* Make sure the APICBASE points to the right address
*
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 245/460] KVM: SVM: Add a helper to look up the max physical ID for AVIC
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 244/460] KVM: SVM: Limit AVIC physical max index based on configured max_vcpu_ids Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 246/460] KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated Greg Kroah-Hartman
` (57 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Christopherson,
Naveen N Rao (AMD), Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Naveen N Rao <naveen@kernel.org>
[ Upstream commit f2f6e67a56dc88fea7e9b10c4e79bb01d97386b7 ]
To help with a future change, add a helper to look up the maximum
physical ID depending on the vCPU AVIC mode. No functional change
intended.
Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>
Link: https://lore.kernel.org/r/0ab9bf5e20a3463a4aa3a5ea9bbbac66beedf1d1.1757009416.git.naveen@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Stable-dep-of: 87d0f901a9bd ("KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/avic.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -82,13 +82,31 @@ struct amd_svm_iommu_ir {
void *data; /* Storing pointer to struct amd_ir_data */
};
+static u32 avic_get_max_physical_id(struct kvm_vcpu *vcpu)
+{
+ u32 arch_max;
+
+ if (x2avic_enabled && apic_x2apic_mode(vcpu->arch.apic))
+ arch_max = X2AVIC_MAX_PHYSICAL_ID;
+ else
+ arch_max = AVIC_MAX_PHYSICAL_ID;
+
+ /*
+ * Despite its name, KVM_CAP_MAX_VCPU_ID represents the maximum APIC ID
+ * plus one, so the max possible APIC ID is one less than that.
+ */
+ return min(vcpu->kvm->arch.max_vcpu_ids - 1, arch_max);
+}
+
static void avic_activate_vmcb(struct vcpu_svm *svm)
{
struct vmcb *vmcb = svm->vmcb01.ptr;
- struct kvm *kvm = svm->vcpu.kvm;
+ struct kvm_vcpu *vcpu = &svm->vcpu;
vmcb->control.int_ctl &= ~(AVIC_ENABLE_MASK | X2APIC_MODE_MASK);
+
vmcb->control.avic_physical_id &= ~AVIC_PHYSICAL_MAX_INDEX_MASK;
+ vmcb->control.avic_physical_id |= avic_get_max_physical_id(vcpu);
vmcb->control.int_ctl |= AVIC_ENABLE_MASK;
@@ -101,8 +119,7 @@ static void avic_activate_vmcb(struct vc
*/
if (x2avic_enabled && apic_x2apic_mode(svm->vcpu.arch.apic)) {
vmcb->control.int_ctl |= X2APIC_MODE_MASK;
- vmcb->control.avic_physical_id |= min(kvm->arch.max_vcpu_ids - 1,
- X2AVIC_MAX_PHYSICAL_ID);
+
/* Disabling MSR intercept for x2APIC registers */
svm_set_x2apic_msr_interception(svm, false);
} else {
@@ -112,9 +129,6 @@ static void avic_activate_vmcb(struct vc
*/
kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, &svm->vcpu);
- /* For xAVIC and hybrid-xAVIC modes */
- vmcb->control.avic_physical_id |= min(kvm->arch.max_vcpu_ids - 1,
- AVIC_MAX_PHYSICAL_ID);
/* Enabling MSR intercept for x2APIC registers */
svm_set_x2apic_msr_interception(svm, true);
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 321/567] parisc: Increase initial mapping to 64 MB with KALLSYMS
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 320/567] batman-adv: Avoid double-rtnl_lock ELP metric worker Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 322/567] nouveau/dpcd: return EBUSY for aux xfer if the device is asleep Greg Kroah-Hartman
` (56 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 8e732934fb81282be41602550e7e07baf265e972 upstream.
The 32MB initial kernel mapping can become too small when CONFIG_KALLSYMS
is used. Increase the mapping to 64 MB in this case.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v6.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/include/asm/pgtable.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/parisc/include/asm/pgtable.h
+++ b/arch/parisc/include/asm/pgtable.h
@@ -85,7 +85,7 @@ extern void __update_cache(pte_t pte);
printk("%s:%d: bad pgd %08lx.\n", __FILE__, __LINE__, (unsigned long)pgd_val(e))
/* This is the size of the initially mapped kernel memory */
-#if defined(CONFIG_64BIT)
+#if defined(CONFIG_64BIT) || defined(CONFIG_KALLSYMS)
#define KERNEL_INITIAL_ORDER 26 /* 1<<26 = 64MB */
#else
#define KERNEL_INITIAL_ORDER 25 /* 1<<25 = 32MB */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 259/481] lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 258/481] x86/apic: Disable x2apic on resume if the kernel expects so Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 260/481] lib/bootconfig: check bounds before writing in __xbc_open_brace() Greg Kroah-Hartman
` (56 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Law, Masami Hiramatsu (Google)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 1120a36bb1e9b9e22de75ecb4ef0b998f73a97f1 upstream.
snprintf() returns the number of characters that would have been
written excluding the NUL terminator. Output is truncated when the
return value is >= the buffer size, not just > the buffer size.
When ret == size, the current code takes the non-truncated path,
advancing buf by ret and reducing size to 0. This is wrong because
the output was actually truncated (the last character was replaced by
NUL). Fix by using >= so the truncation path is taken correctly.
Link: https://lore.kernel.org/all/20260312191143.28719-4-objecting@objecting.org/
Fixes: 76db5a27a827 ("bootconfig: Add Extra Boot Config support")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/bootconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -318,7 +318,7 @@ int __init xbc_node_compose_key_after(st
depth ? "." : "");
if (ret < 0)
return ret;
- if (ret > size) {
+ if (ret >= size) {
size = 0;
} else {
size -= ret;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 246/460] KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 245/460] KVM: SVM: Add a helper to look up the max physical ID for AVIC Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 247/460] mmc: dw_mmc-rockchip: use modern PM macros Greg Kroah-Hartman
` (56 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Mattson, Naveen N Rao (AMD),
Maciej S. Szmigiero, Sean Christopherson, Paolo Bonzini,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 87d0f901a9bd8ae6be57249c737f20ac0cace93d ]
Explicitly set/clear CR8 write interception when AVIC is (de)activated to
fix a bug where KVM leaves the interception enabled after AVIC is
activated. E.g. if KVM emulates INIT=>WFS while AVIC is deactivated, CR8
will remain intercepted in perpetuity.
On its own, the dangling CR8 intercept is "just" a performance issue, but
combined with the TPR sync bug fixed by commit d02e48830e3f ("KVM: SVM:
Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active"), the danging
intercept is fatal to Windows guests as the TPR seen by hardware gets
wildly out of sync with reality.
Note, VMX isn't affected by the bug as TPR_THRESHOLD is explicitly ignored
when Virtual Interrupt Delivery is enabled, i.e. when APICv is active in
KVM's world. I.e. there's no need to trigger update_cr8_intercept(), this
is firmly an SVM implementation flaw/detail.
WARN if KVM gets a CR8 write #VMEXIT while AVIC is active, as KVM should
never enter the guest with AVIC enabled and CR8 writes intercepted.
Fixes: 3bbf3565f48c ("svm: Do not intercept CR8 when enable AVIC")
Cc: stable@vger.kernel.org
Cc: Jim Mattson <jmattson@google.com>
Cc: Naveen N Rao (AMD) <naveen@kernel.org>
Cc: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
Reviewed-by: Jim Mattson <jmattson@google.com>
Link: https://patch.msgid.link/20260203190711.458413-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[Squash fix to avic_deactivate_vmcb. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/avic.c | 7 +++++--
arch/x86/kvm/svm/svm.c | 7 ++++---
2 files changed, 9 insertions(+), 5 deletions(-)
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -104,12 +104,12 @@ static void avic_activate_vmcb(struct vc
struct kvm_vcpu *vcpu = &svm->vcpu;
vmcb->control.int_ctl &= ~(AVIC_ENABLE_MASK | X2APIC_MODE_MASK);
-
vmcb->control.avic_physical_id &= ~AVIC_PHYSICAL_MAX_INDEX_MASK;
vmcb->control.avic_physical_id |= avic_get_max_physical_id(vcpu);
-
vmcb->control.int_ctl |= AVIC_ENABLE_MASK;
+ svm_clr_intercept(svm, INTERCEPT_CR8_WRITE);
+
/*
* Note: KVM supports hybrid-AVIC mode, where KVM emulates x2APIC MSR
* accesses, while interrupt injection to a running vCPU can be
@@ -141,6 +141,9 @@ static void avic_deactivate_vmcb(struct
vmcb->control.int_ctl &= ~(AVIC_ENABLE_MASK | X2APIC_MODE_MASK);
vmcb->control.avic_physical_id &= ~AVIC_PHYSICAL_MAX_INDEX_MASK;
+ if (!sev_es_guest(svm->vcpu.kvm))
+ svm_set_intercept(svm, INTERCEPT_CR8_WRITE);
+
/*
* If running nested and the guest uses its own MSR bitmap, there
* is no need to update L0's msr bitmap
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -1246,8 +1246,7 @@ static void init_vmcb(struct kvm_vcpu *v
svm_set_intercept(svm, INTERCEPT_CR0_WRITE);
svm_set_intercept(svm, INTERCEPT_CR3_WRITE);
svm_set_intercept(svm, INTERCEPT_CR4_WRITE);
- if (!kvm_vcpu_apicv_active(vcpu))
- svm_set_intercept(svm, INTERCEPT_CR8_WRITE);
+ svm_set_intercept(svm, INTERCEPT_CR8_WRITE);
set_dr_intercepts(svm);
@@ -2862,9 +2861,11 @@ static int dr_interception(struct kvm_vc
static int cr8_write_interception(struct kvm_vcpu *vcpu)
{
+ u8 cr8_prev = kvm_get_cr8(vcpu);
int r;
- u8 cr8_prev = kvm_get_cr8(vcpu);
+ WARN_ON_ONCE(kvm_vcpu_apicv_active(vcpu));
+
/* instruction emulation calls kvm_set_cr8() */
r = cr_interception(vcpu);
if (lapic_in_kernel(vcpu))
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 322/567] nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 321/567] parisc: Increase initial mapping to 64 MB with KALLSYMS Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 323/567] arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation Greg Kroah-Hartman
` (55 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lyude Paul, Dave Airlie,
Danilo Krummrich
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Airlie <airlied@redhat.com>
commit 8f3c6f08ababad2e3bdd239728cf66a9949446b4 upstream.
If we have runtime suspended, and userspace wants to use /dev/drm_dp_*
then just tell it the device is busy instead of crashing in the GSP
code.
WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]
CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy)
Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024
RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]
This is a simple fix to get backported. We should probably engineer a
proper power domain solution to wake up devices and keep them awake
while fw updates are happening.
Cc: stable@vger.kernel.org
Fixes: 8894f4919bc4 ("drm/nouveau: register a drm_dp_aux channel for each dp connector")
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patch.msgid.link/20260224031750.791621-1-airlied@gmail.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
@@ -1212,6 +1212,9 @@ nouveau_connector_aux_xfer(struct drm_dp
u8 size = msg->size;
int ret;
+ if (pm_runtime_suspended(nv_connector->base.dev->dev))
+ return -EBUSY;
+
nv_encoder = find_encoder(&nv_connector->base, DCB_OUTPUT_DP);
if (!nv_encoder || !(aux = nv_encoder->aux))
return -ENODEV;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 260/481] lib/bootconfig: check bounds before writing in __xbc_open_brace()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 259/481] lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 261/481] smb: client: fix atomic open with O_DIRECT & O_SYNC Greg Kroah-Hartman
` (55 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Law, Masami Hiramatsu (Google)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 560f763baa0f2c9a44da4294c06af071405ac46f upstream.
The bounds check for brace_index happens after the array write.
While the current call pattern prevents an actual out-of-bounds
access (the previous call would have returned an error), the
write-before-check pattern is fragile and would become a real
out-of-bounds write if the error return were ever not propagated.
Move the bounds check before the array write so the function is
self-contained and safe regardless of caller behavior.
Link: https://lore.kernel.org/all/20260312191143.28719-3-objecting@objecting.org/
Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/bootconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -534,9 +534,9 @@ static char *skip_spaces_until_newline(c
static int __init __xbc_open_brace(char *p)
{
/* Push the last key as open brace */
- open_brace[brace_index++] = xbc_node_index(last_parent);
if (brace_index >= XBC_DEPTH_MAX)
return xbc_parse_error("Exceed max depth of braces", p);
+ open_brace[brace_index++] = xbc_node_index(last_parent);
return 0;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 247/460] mmc: dw_mmc-rockchip: use modern PM macros
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 246/460] KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 248/460] mmc: dw_mmc-rockchip: Add memory clock auto-gating support Greg Kroah-Hartman
` (55 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jisheng Zhang, Ulf Hansson,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jisheng Zhang <jszhang@kernel.org>
[ Upstream commit 4b43f2bcc84dd550c1a847318db02165d2829573 ]
Use the modern PM macros for the suspend and resume functions to be
automatically dropped by the compiler when CONFIG_PM or
CONFIG_PM_SLEEP are disabled, without having to use #ifdef guards.
This has the advantage of always compiling these functions in,
independently of any Kconfig option. Thanks to that, bugs and other
regressions are subsequently easier to catch.
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Link: https://lore.kernel.org/r/20250815013413.28641-39-jszhang@kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Stable-dep-of: 6465a8bbb0f6 ("mmc: dw_mmc-rockchip: Fix runtime PM support for internal phase support")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/dw_mmc-rockchip.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--- a/drivers/mmc/host/dw_mmc-rockchip.c
+++ b/drivers/mmc/host/dw_mmc-rockchip.c
@@ -568,11 +568,8 @@ static void dw_mci_rockchip_remove(struc
}
static const struct dev_pm_ops dw_mci_rockchip_dev_pm_ops = {
- SET_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend,
- pm_runtime_force_resume)
- SET_RUNTIME_PM_OPS(dw_mci_runtime_suspend,
- dw_mci_runtime_resume,
- NULL)
+ SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, pm_runtime_force_resume)
+ RUNTIME_PM_OPS(dw_mci_runtime_suspend, dw_mci_runtime_resume, NULL)
};
static struct platform_driver dw_mci_rockchip_pltfm_driver = {
@@ -582,7 +579,7 @@ static struct platform_driver dw_mci_roc
.name = "dwmmc_rockchip",
.probe_type = PROBE_PREFER_ASYNCHRONOUS,
.of_match_table = dw_mci_rockchip_match,
- .pm = &dw_mci_rockchip_dev_pm_ops,
+ .pm = pm_ptr(&dw_mci_rockchip_dev_pm_ops),
},
};
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 323/567] arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 322/567] nouveau/dpcd: return EBUSY for aux xfer if the device is asleep Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 324/567] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read Greg Kroah-Hartman
` (54 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Catalin Marinas, Jianpeng Chang,
Will Deacon, Huang, Ying, Guenter Roeck
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Catalin Marinas <catalin.marinas@arm.com>
commit c25c4aa3f79a488cc270507935a29c07dc6bddfc upstream.
Commit 143937ca51cc ("arm64, mm: avoid always making PTE dirty in
pte_mkwrite()") changed pte_mkwrite_novma() to only clear PTE_RDONLY
when PTE_DIRTY is set. This was to allow writable-clean PTEs for swap
pages that haven't actually been written.
However, this broke kexec and hibernation for some platforms. Both go
through trans_pgd_create_copy() -> _copy_pte(), which calls
pte_mkwrite_novma() to make the temporary linear-map copy fully
writable. With the updated pte_mkwrite_novma(), read-only kernel pages
(without PTE_DIRTY) remain read-only in the temporary mapping.
While such behaviour is fine for user pages where hardware DBM or
trapping will make them writeable, subsequent in-kernel writes by the
kexec relocation code will fault.
Add PTE_DIRTY back to all _PAGE_KERNEL* protection definitions. This was
the case prior to 5.4, commit aa57157be69f ("arm64: Ensure
VM_WRITE|VM_SHARED ptes are clean by default"). With the kernel
linear-map PTEs always having PTE_DIRTY set, pte_mkwrite_novma()
correctly clears PTE_RDONLY.
Fixes: 143937ca51cc ("arm64, mm: avoid always making PTE dirty in pte_mkwrite()")
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: stable@vger.kernel.org
Reported-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
Link: https://lore.kernel.org/r/20251204062722.3367201-1-jianpeng.chang.cn@windriver.com
Cc: Will Deacon <will@kernel.org>
Cc: Huang, Ying <ying.huang@linux.alibaba.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Huang Ying <ying.huang@linux.alibaba.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/pgtable-prot.h | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/arch/arm64/include/asm/pgtable-prot.h
+++ b/arch/arm64/include/asm/pgtable-prot.h
@@ -45,11 +45,11 @@
#define _PAGE_DEFAULT (_PROT_DEFAULT | PTE_ATTRINDX(MT_NORMAL))
-#define _PAGE_KERNEL (PROT_NORMAL)
-#define _PAGE_KERNEL_RO ((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY)
-#define _PAGE_KERNEL_ROX ((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY)
-#define _PAGE_KERNEL_EXEC (PROT_NORMAL & ~PTE_PXN)
-#define _PAGE_KERNEL_EXEC_CONT ((PROT_NORMAL & ~PTE_PXN) | PTE_CONT)
+#define _PAGE_KERNEL (PROT_NORMAL | PTE_DIRTY)
+#define _PAGE_KERNEL_RO ((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY | PTE_DIRTY)
+#define _PAGE_KERNEL_ROX ((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY | PTE_DIRTY)
+#define _PAGE_KERNEL_EXEC ((PROT_NORMAL & ~PTE_PXN) | PTE_DIRTY)
+#define _PAGE_KERNEL_EXEC_CONT ((PROT_NORMAL & ~PTE_PXN) | PTE_CONT | PTE_DIRTY)
#define _PAGE_SHARED (_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN | PTE_WRITE)
#define _PAGE_SHARED_EXEC (_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_WRITE)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 261/481] smb: client: fix atomic open with O_DIRECT & O_SYNC
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 260/481] lib/bootconfig: check bounds before writing in __xbc_open_brace() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 262/481] smb: client: fix iface port assignment in parse_server_interfaces Greg Kroah-Hartman
` (54 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
David Howells, Henrique Carvalho, Tom Talpey, linux-cifs,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.org>
commit 4a7d2729dc99437dbb880a64c47828c0d191b308 upstream.
When user application requests O_DIRECT|O_SYNC along with O_CREAT on
open(2), CREATE_NO_BUFFER and CREATE_WRITE_THROUGH bits were missed in
CREATE request when performing an atomic open, thus leading to
potentially data integrity issues.
Fix this by setting those missing bits in CREATE request when
O_DIRECT|O_SYNC has been specified in cifs_do_create().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Henrique Carvalho <henrique.carvalho@suse.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifsglob.h | 11 +++++++++++
fs/smb/client/dir.c | 1 +
fs/smb/client/file.c | 18 +++---------------
3 files changed, 15 insertions(+), 15 deletions(-)
--- a/fs/smb/client/cifsglob.h
+++ b/fs/smb/client/cifsglob.h
@@ -20,6 +20,7 @@
#include <linux/utsname.h>
#include <linux/sched/mm.h>
#include <linux/netfs.h>
+#include <linux/fcntl.h>
#include "cifs_fs_sb.h"
#include "cifsacl.h"
#include <crypto/internal/hash.h>
@@ -2194,4 +2195,14 @@ static inline bool cifs_ses_exiting(stru
return ret;
}
+static inline int cifs_open_create_options(unsigned int oflags, int opts)
+{
+ /* O_SYNC also has bit for O_DSYNC so following check picks up either */
+ if (oflags & O_SYNC)
+ opts |= CREATE_WRITE_THROUGH;
+ if (oflags & O_DIRECT)
+ opts |= CREATE_NO_BUFFER;
+ return opts;
+}
+
#endif /* _CIFS_GLOB_H */
--- a/fs/smb/client/dir.c
+++ b/fs/smb/client/dir.c
@@ -304,6 +304,7 @@ static int cifs_do_create(struct inode *
goto out;
}
+ create_options |= cifs_open_create_options(oflags, create_options);
/*
* if we're not using unix extensions, see if we need to set
* ATTR_READONLY on the create call
--- a/fs/smb/client/file.c
+++ b/fs/smb/client/file.c
@@ -255,15 +255,8 @@ static int cifs_nt_open(const char *full
*********************************************************************/
disposition = cifs_get_disposition(f_flags);
-
/* BB pass O_SYNC flag through on file attributes .. BB */
-
- /* O_SYNC also has bit for O_DSYNC so following check picks up either */
- if (f_flags & O_SYNC)
- create_options |= CREATE_WRITE_THROUGH;
-
- if (f_flags & O_DIRECT)
- create_options |= CREATE_NO_BUFFER;
+ create_options |= cifs_open_create_options(f_flags, create_options);
retry_open:
oparms = (struct cifs_open_parms) {
@@ -913,13 +906,8 @@ cifs_reopen_file(struct cifsFileInfo *cf
rdwr_for_fscache = 1;
desired_access = cifs_convert_flags(cfile->f_flags, rdwr_for_fscache);
-
- /* O_SYNC also has bit for O_DSYNC so following check picks up either */
- if (cfile->f_flags & O_SYNC)
- create_options |= CREATE_WRITE_THROUGH;
-
- if (cfile->f_flags & O_DIRECT)
- create_options |= CREATE_NO_BUFFER;
+ create_options |= cifs_open_create_options(cfile->f_flags,
+ create_options);
if (server->ops->get_lease_key)
server->ops->get_lease_key(inode, &cfile->fid);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 248/460] mmc: dw_mmc-rockchip: Add memory clock auto-gating support
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 247/460] mmc: dw_mmc-rockchip: use modern PM macros Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 249/460] mmc: dw_mmc-rockchip: Fix runtime PM support for internal phase support Greg Kroah-Hartman
` (54 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shawn Lin, Ulf Hansson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shawn Lin <shawn.lin@rock-chips.com>
[ Upstream commit ff6f0286c896f062853552097220dd93961be9c4 ]
Per design recommendations, the memory clock can be gated when there
is no in-flight transfer, which helps save power. This feature is
introduced alongside internal phase support, and this patch enables it.
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Stable-dep-of: 6465a8bbb0f6 ("mmc: dw_mmc-rockchip: Fix runtime PM support for internal phase support")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/dw_mmc-rockchip.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/mmc/host/dw_mmc-rockchip.c
+++ b/drivers/mmc/host/dw_mmc-rockchip.c
@@ -18,6 +18,8 @@
#define RK3288_CLKGEN_DIV 2
#define SDMMC_TIMING_CON0 0x130
#define SDMMC_TIMING_CON1 0x134
+#define SDMMC_MISC_CON 0x138
+#define MEM_CLK_AUTOGATE_ENABLE BIT(5)
#define ROCKCHIP_MMC_DELAY_SEL BIT(10)
#define ROCKCHIP_MMC_DEGREE_MASK 0x3
#define ROCKCHIP_MMC_DEGREE_OFFSET 1
@@ -469,6 +471,7 @@ static int dw_mci_rk3576_parse_dt(struct
static int dw_mci_rockchip_init(struct dw_mci *host)
{
+ struct dw_mci_rockchip_priv_data *priv = host->priv;
int ret, i;
/* It is slot 8 on Rockchip SoCs */
@@ -493,6 +496,9 @@ static int dw_mci_rockchip_init(struct d
dev_warn(host->dev, "no valid minimum freq: %d\n", ret);
}
+ if (priv->internal_phase)
+ mci_writel(host, MISC_CON, MEM_CLK_AUTOGATE_ENABLE);
+
return 0;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 324/567] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 323/567] arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 325/567] parisc: Fix initial page table creation for boot Greg Kroah-Hartman
` (53 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanman Pradhan <psanman@juniper.net>
commit 25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43 upstream.
The q54sj108a2_debugfs_read function suffers from a stack buffer overflow
due to incorrect arguments passed to bin2hex(). The function currently
passes 'data' as the destination and 'data_char' as the source.
Because bin2hex() converts each input byte into two hex characters, a
32-byte block read results in 64 bytes of output. Since 'data' is only
34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end
of the buffer onto the stack.
Additionally, the arguments were swapped: it was reading from the
zero-initialized 'data_char' and writing to 'data', resulting in
all-zero output regardless of the actual I2C read.
Fix this by:
1. Expanding 'data_char' to 66 bytes to safely hold the hex output.
2. Correcting the bin2hex() argument order and using the actual read count.
3. Using a pointer to select the correct output buffer for the final
simple_read_from_buffer call.
Fixes: d014538aa385 ("hwmon: (pmbus) Driver for Delta power supplies Q54SJ108A2")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260304235116.1045-1-sanman.p211993@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/q54sj108a2.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
--- a/drivers/hwmon/pmbus/q54sj108a2.c
+++ b/drivers/hwmon/pmbus/q54sj108a2.c
@@ -78,7 +78,8 @@ static ssize_t q54sj108a2_debugfs_read(s
int idx = *idxp;
struct q54sj108a2_data *psu = to_psu(idxp, idx);
char data[I2C_SMBUS_BLOCK_MAX + 2] = { 0 };
- char data_char[I2C_SMBUS_BLOCK_MAX + 2] = { 0 };
+ char data_char[I2C_SMBUS_BLOCK_MAX * 2 + 2] = { 0 };
+ char *out = data;
char *res;
switch (idx) {
@@ -149,27 +150,27 @@ static ssize_t q54sj108a2_debugfs_read(s
if (rc < 0)
return rc;
- res = bin2hex(data, data_char, 32);
- rc = res - data;
-
+ res = bin2hex(data_char, data, rc);
+ rc = res - data_char;
+ out = data_char;
break;
case Q54SJ108A2_DEBUGFS_FLASH_KEY:
rc = i2c_smbus_read_block_data(psu->client, PMBUS_FLASH_KEY_WRITE, data);
if (rc < 0)
return rc;
- res = bin2hex(data, data_char, 4);
- rc = res - data;
-
+ res = bin2hex(data_char, data, rc);
+ rc = res - data_char;
+ out = data_char;
break;
default:
return -EINVAL;
}
- data[rc] = '\n';
+ out[rc] = '\n';
rc += 2;
- return simple_read_from_buffer(buf, count, ppos, data, rc);
+ return simple_read_from_buffer(buf, count, ppos, out, rc);
}
static ssize_t q54sj108a2_debugfs_write(struct file *file, const char __user *buf,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 262/481] smb: client: fix iface port assignment in parse_server_interfaces
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 261/481] smb: client: fix atomic open with O_DIRECT & O_SYNC Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 263/481] btrfs: fix transaction abort on file creation due to name hash collision Greg Kroah-Hartman
` (53 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dr. Thomas Orgis, Enzo Matsumiya,
Henrique Carvalho, Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henrique Carvalho <henrique.carvalho@suse.com>
commit d4c7210d2f3ea481a6481f03040a64d9077a6172 upstream.
parse_server_interfaces() initializes interface socket addresses with
CIFS_PORT. When the mount uses a non-default port this overwrites the
configured destination port.
Later, cifs_chan_update_iface() copies this sockaddr into server->dstaddr,
causing reconnect attempts to use the wrong port after server interface
updates.
Use the existing port from server->dstaddr instead.
Cc: stable@vger.kernel.org
Fixes: fe856be475f7 ("CIFS: parse and store info on iface queries")
Tested-by: Dr. Thomas Orgis <thomas.orgis@uni-hamburg.de>
Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2ops.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -569,6 +569,7 @@ parse_server_interfaces(struct network_i
struct iface_info_ipv6 *p6;
struct cifs_server_iface *info = NULL, *iface = NULL, *niface = NULL;
struct cifs_server_iface tmp_iface;
+ __be16 port;
ssize_t bytes_left;
size_t next = 0;
int nb_iface = 0;
@@ -610,6 +611,15 @@ parse_server_interfaces(struct network_i
goto out;
}
+ spin_lock(&ses->server->srv_lock);
+ if (ses->server->dstaddr.ss_family == AF_INET)
+ port = ((struct sockaddr_in *)&ses->server->dstaddr)->sin_port;
+ else if (ses->server->dstaddr.ss_family == AF_INET6)
+ port = ((struct sockaddr_in6 *)&ses->server->dstaddr)->sin6_port;
+ else
+ port = cpu_to_be16(CIFS_PORT);
+ spin_unlock(&ses->server->srv_lock);
+
while (bytes_left >= (ssize_t)sizeof(*p)) {
memset(&tmp_iface, 0, sizeof(tmp_iface));
/* default to 1Gbps when link speed is unset */
@@ -630,7 +640,7 @@ parse_server_interfaces(struct network_i
memcpy(&addr4->sin_addr, &p4->IPv4Address, 4);
/* [MS-SMB2] 2.2.32.5.1.1 Clients MUST ignore these */
- addr4->sin_port = cpu_to_be16(CIFS_PORT);
+ addr4->sin_port = port;
cifs_dbg(FYI, "%s: ipv4 %pI4\n", __func__,
&addr4->sin_addr);
@@ -644,7 +654,7 @@ parse_server_interfaces(struct network_i
/* [MS-SMB2] 2.2.32.5.1.2 Clients MUST ignore these */
addr6->sin6_flowinfo = 0;
addr6->sin6_scope_id = 0;
- addr6->sin6_port = cpu_to_be16(CIFS_PORT);
+ addr6->sin6_port = port;
cifs_dbg(FYI, "%s: ipv6 %pI6\n", __func__,
&addr6->sin6_addr);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 249/460] mmc: dw_mmc-rockchip: Fix runtime PM support for internal phase support
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 248/460] mmc: dw_mmc-rockchip: Add memory clock auto-gating support Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 250/460] mm/page_alloc: move set_page_refcounted() to callers of post_alloc_hook() Greg Kroah-Hartman
` (53 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shawn Lin, Marco Schirrmeister,
Heiko Stuebner, Ulf Hansson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shawn Lin <shawn.lin@rock-chips.com>
[ Upstream commit 6465a8bbb0f6ad98aeb66dc9ea19c32c193a610b ]
RK3576 is the first platform to introduce internal phase support, and
subsequent platforms are expected to adopt a similar design. In this
architecture, runtime suspend powers off the attached power domain, which
resets registers, including vendor-specific ones such as SDMMC_TIMING_CON0,
SDMMC_TIMING_CON1, and SDMMC_MISC_CON. These registers must be saved and
restored, a requirement that falls outside the scope of the dw_mmc core.
Fixes: 59903441f5e4 ("mmc: dw_mmc-rockchip: Add internal phase support")
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Tested-by: Marco Schirrmeister <mschirrmeister@gmail.com>
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/dw_mmc-rockchip.c | 38 ++++++++++++++++++++++++++++++++++++-
1 file changed, 37 insertions(+), 1 deletion(-)
--- a/drivers/mmc/host/dw_mmc-rockchip.c
+++ b/drivers/mmc/host/dw_mmc-rockchip.c
@@ -37,6 +37,8 @@ struct dw_mci_rockchip_priv_data {
int default_sample_phase;
int num_phases;
bool internal_phase;
+ int sample_phase;
+ int drv_phase;
};
/*
@@ -573,9 +575,43 @@ static void dw_mci_rockchip_remove(struc
dw_mci_pltfm_remove(pdev);
}
+static int dw_mci_rockchip_runtime_suspend(struct device *dev)
+{
+ struct platform_device *pdev = to_platform_device(dev);
+ struct dw_mci *host = platform_get_drvdata(pdev);
+ struct dw_mci_rockchip_priv_data *priv = host->priv;
+
+ if (priv->internal_phase) {
+ priv->sample_phase = rockchip_mmc_get_phase(host, true);
+ priv->drv_phase = rockchip_mmc_get_phase(host, false);
+ }
+
+ return dw_mci_runtime_suspend(dev);
+}
+
+static int dw_mci_rockchip_runtime_resume(struct device *dev)
+{
+ struct platform_device *pdev = to_platform_device(dev);
+ struct dw_mci *host = platform_get_drvdata(pdev);
+ struct dw_mci_rockchip_priv_data *priv = host->priv;
+ int ret;
+
+ ret = dw_mci_runtime_resume(dev);
+ if (ret)
+ return ret;
+
+ if (priv->internal_phase) {
+ rockchip_mmc_set_phase(host, true, priv->sample_phase);
+ rockchip_mmc_set_phase(host, false, priv->drv_phase);
+ mci_writel(host, MISC_CON, MEM_CLK_AUTOGATE_ENABLE);
+ }
+
+ return ret;
+}
+
static const struct dev_pm_ops dw_mci_rockchip_dev_pm_ops = {
SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, pm_runtime_force_resume)
- RUNTIME_PM_OPS(dw_mci_runtime_suspend, dw_mci_runtime_resume, NULL)
+ RUNTIME_PM_OPS(dw_mci_rockchip_runtime_suspend, dw_mci_rockchip_runtime_resume, NULL)
};
static struct platform_driver dw_mci_rockchip_pltfm_driver = {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 325/567] parisc: Fix initial page table creation for boot
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 324/567] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 326/567] parisc: Check kernel mapping earlier at bootup Greg Kroah-Hartman
` (52 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 8475d8fe21ec9c7eb2faca555fbc5b68cf0d2597 upstream.
The KERNEL_INITIAL_ORDER value defines the initial size (usually 32 or
64 MB) of the page table during bootup. Up until now the whole area was
initialized with PTE entries, but there was no check if we filled too
many entries. Change the code to fill up with so many entries that the
"_end" symbol can be reached by the kernel, but not more entries than
actually fit into the initial PTE tables.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v6.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/head.S | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/arch/parisc/kernel/head.S
+++ b/arch/parisc/kernel/head.S
@@ -56,6 +56,7 @@ ENTRY(parisc_kernel_start)
.import __bss_start,data
.import __bss_stop,data
+ .import __end,data
load32 PA(__bss_start),%r3
load32 PA(__bss_stop),%r4
@@ -149,7 +150,11 @@ $cpu_ok:
* everything ... it will get remapped correctly later */
ldo 0+_PAGE_KERNEL_RWX(%r0),%r3 /* Hardwired 0 phys addr start */
load32 (1<<(KERNEL_INITIAL_ORDER-PAGE_SHIFT)),%r11 /* PFN count */
- load32 PA(pg0),%r1
+ load32 PA(_end),%r1
+ SHRREG %r1,PAGE_SHIFT,%r1 /* %r1 is PFN count for _end symbol */
+ cmpb,<<,n %r11,%r1,1f
+ copy %r1,%r11 /* %r1 PFN count smaller than %r11 */
+1: load32 PA(pg0),%r1
$pgt_fill_loop:
STREGM %r3,ASM_PTE_ENTRY_SIZE(%r1)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 263/481] btrfs: fix transaction abort on file creation due to name hash collision
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 262/481] smb: client: fix iface port assignment in parse_server_interfaces Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 264/481] btrfs: abort transaction on failure to update root in the received subvol ioctl Greg Kroah-Hartman
` (52 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Burkov, Qu Wenruo,
Filipe Manana, David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 2d1ababdedd4ba38867c2500eb7f95af5ddeeef7 upstream.
If we attempt to create several files with names that result in the same
hash, we have to pack them in same dir item and that has a limit inherent
to the leaf size. However if we reach that limit, we trigger a transaction
abort and turns the filesystem into RO mode. This allows for a malicious
user to disrupt a system, without the need to have administration
privileges/capabilities.
Reproducer:
$ cat exploit-hash-collisions.sh
#!/bin/bash
DEV=/dev/sdi
MNT=/mnt/sdi
# Use smallest node size to make the test faster and require fewer file
# names that result in hash collision.
mkfs.btrfs -f --nodesize 4K $DEV
mount $DEV $MNT
# List of names that result in the same crc32c hash for btrfs.
declare -a names=(
'foobar'
'%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC'
'AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z'
'CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4'
'ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:'
'HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO'
'Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us'
'KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY'
'NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO'
'Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU'
'Ono7avN5GjC:_6dBJ_'
'WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am'
'WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k'
'XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2'
'd3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd'
'ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm'
'evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ'
'gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky'
'hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS'
'isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz'
'kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu'
'lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN'
'rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4='
'uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn'
'UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C'
'y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW'
'8-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc'
'YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mCaaKGxb990jzaagRktDTyp'
'9hD2ApKa_t_7x-a@GCG28kY:7$M@5udI1myQ$x5udtggvagmCQcq9QXWRC5hoB0o-_zHQUqZI5rMcz_kbMgvN5jr63LeYA4Cj-c6F5Ugmx6DgVf@2Jqm%MafecpgooqreJ53P-QTS'
)
# Now create files with all those names in the same parent directory.
# It should not fail since a 4K leaf has enough space for them.
for name in "${names[@]}"; do
touch $MNT/$name
done
# Now add one more file name that causes a crc32c hash collision.
# This should fail, but it should not turn the filesystem into RO mode
# (which could be exploited by malicious users) due to a transaction
# abort.
touch $MNT/'W6tIm-VK2@BGC@IBfcgg6j_p:pxp_QUqtWpGD5Ok_GmijKOJJt'
# Check that we are able to create another file, with a name that does not cause
# a crc32c hash collision.
echo -n "hello world" > $MNT/baz
# Unmount and mount again, verify file baz exists and with the right content.
umount $MNT
mount $DEV $MNT
echo "File baz content: $(cat $MNT/baz)"
umount $MNT
When running the reproducer:
$ ./exploit-hash-collisions.sh
(...)
touch: cannot touch '/mnt/sdi/W6tIm-VK2@BGC@IBfcgg6j_p:pxp_QUqtWpGD5Ok_GmijKOJJt': Value too large for defined data type
./exploit-hash-collisions.sh: line 57: /mnt/sdi/baz: Read-only file system
cat: /mnt/sdi/baz: No such file or directory
File baz content:
And the transaction abort stack trace in dmesg/syslog:
$ dmesg
(...)
[758240.509761] ------------[ cut here ]------------
[758240.510668] BTRFS: Transaction aborted (error -75)
[758240.511577] WARNING: fs/btrfs/inode.c:6854 at btrfs_create_new_inode+0x805/0xb50 [btrfs], CPU#6: touch/888644
[758240.513513] Modules linked in: btrfs dm_zero (...)
[758240.523221] CPU: 6 UID: 0 PID: 888644 Comm: touch Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
[758240.524621] Tainted: [W]=WARN
[758240.525037] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[758240.526331] RIP: 0010:btrfs_create_new_inode+0x80b/0xb50 [btrfs]
[758240.527093] Code: 0f 82 cf (...)
[758240.529211] RSP: 0018:ffffce64418fbb48 EFLAGS: 00010292
[758240.529935] RAX: 00000000ffffffd3 RBX: 0000000000000000 RCX: 00000000ffffffb5
[758240.531040] RDX: 0000000d04f33e06 RSI: 00000000ffffffb5 RDI: ffffffffc0919dd0
[758240.531920] RBP: ffffce64418fbc10 R08: 0000000000000000 R09: 00000000ffffffb5
[758240.532928] R10: 0000000000000000 R11: ffff8e52c0000000 R12: ffff8e53eee7d0f0
[758240.533818] R13: ffff8e57f70932a0 R14: ffff8e5417629568 R15: 0000000000000000
[758240.534664] FS: 00007f1959a2a740(0000) GS:ffff8e5b27cae000(0000) knlGS:0000000000000000
[758240.535821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[758240.536644] CR2: 00007f1959b10ce0 CR3: 000000012a2cc005 CR4: 0000000000370ef0
[758240.537517] Call Trace:
[758240.537828] <TASK>
[758240.538099] btrfs_create_common+0xbf/0x140 [btrfs]
[758240.538760] path_openat+0x111a/0x15b0
[758240.539252] do_filp_open+0xc2/0x170
[758240.539699] ? preempt_count_add+0x47/0xa0
[758240.540200] ? __virt_addr_valid+0xe4/0x1a0
[758240.540800] ? __check_object_size+0x1b3/0x230
[758240.541661] ? alloc_fd+0x118/0x180
[758240.542315] do_sys_openat2+0x70/0xd0
[758240.543012] __x64_sys_openat+0x50/0xa0
[758240.543723] do_syscall_64+0x50/0xf20
[758240.544462] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[758240.545397] RIP: 0033:0x7f1959abc687
[758240.546019] Code: 48 89 fa (...)
[758240.548522] RSP: 002b:00007ffe16ff8690 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[758240.566278] RAX: ffffffffffffffda RBX: 00007f1959a2a740 RCX: 00007f1959abc687
[758240.567068] RDX: 0000000000000941 RSI: 00007ffe16ffa333 RDI: ffffffffffffff9c
[758240.567860] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[758240.568707] R10: 00000000000001b6 R11: 0000000000000202 R12: 0000561eec7c4b90
[758240.569712] R13: 0000561eec7c311f R14: 00007ffe16ffa333 R15: 0000000000000000
[758240.570758] </TASK>
[758240.571040] ---[ end trace 0000000000000000 ]---
[758240.571681] BTRFS: error (device sdi state A) in btrfs_create_new_inode:6854: errno=-75 unknown
[758240.572899] BTRFS info (device sdi state EA): forced readonly
Fix this by checking for hash collision, and if the adding a new name is
possible, early in btrfs_create_new_inode() before we do any tree updates,
so that we don't need to abort the transaction if we cannot add the new
name due to the leaf size limit.
A test case for fstests will be sent soon.
Fixes: caae78e03234 ("btrfs: move common inode creation code into btrfs_create_new_inode()")
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Boris Burkov <boris@bur.io>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -6466,6 +6466,25 @@ int btrfs_create_new_inode(struct btrfs_
unsigned long ptr;
int ret;
+ if (!args->orphan && !args->subvol) {
+ /*
+ * Before anything else, check if we can add the name to the
+ * parent directory. We want to avoid a dir item overflow in
+ * case we have an existing dir item due to existing name
+ * hash collisions. We do this check here before we call
+ * btrfs_add_link() down below so that we can avoid a
+ * transaction abort (which could be exploited by malicious
+ * users).
+ *
+ * For subvolumes we already do this in btrfs_mksubvol().
+ */
+ ret = btrfs_check_dir_item_collision(BTRFS_I(dir)->root,
+ btrfs_ino(BTRFS_I(dir)),
+ name);
+ if (ret < 0)
+ return ret;
+ }
+
path = btrfs_alloc_path();
if (!path)
return -ENOMEM;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 250/460] mm/page_alloc: move set_page_refcounted() to callers of post_alloc_hook()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 249/460] mmc: dw_mmc-rockchip: Fix runtime PM support for internal phase support Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 251/460] mm/page_alloc: sort out the alloc_contig_range() gfp flags mess Greg Kroah-Hartman
` (52 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle), Miaohe Lin,
Zi Yan, David Hildenbrand, Vlastimil Babka, Hyeonggon Yoo,
Mel Gorman, Muchun Song, William Kucharski, Andrew Morton,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
[ Upstream commit 8fd10a892a8db797fffb59a9a60bce23a56eef46 ]
In preparation for allocating frozen pages, stop initialising the page
refcount in post_alloc_hook().
Link: https://lkml.kernel.org/r/20241125210149.2976098-5-willy@infradead.org
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
Reviewed-by: Zi Yan <ziy@nvidia.com>
Acked-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Muchun Song <songmuchun@bytedance.com>
Cc: William Kucharski <william.kucharski@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: d155aab90fff ("mm/kfence: fix KASAN hardware tag faults during late enablement")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/compaction.c | 2 ++
mm/internal.h | 3 +--
mm/page_alloc.c | 3 ++-
3 files changed, 5 insertions(+), 3 deletions(-)
--- a/mm/compaction.c
+++ b/mm/compaction.c
@@ -83,6 +83,7 @@ static inline bool is_via_compact_memory
static struct page *mark_allocated_noprof(struct page *page, unsigned int order, gfp_t gfp_flags)
{
post_alloc_hook(page, order, __GFP_MOVABLE);
+ set_page_refcounted(page);
return page;
}
#define mark_allocated(...) alloc_hooks(mark_allocated_noprof(__VA_ARGS__))
@@ -1869,6 +1870,7 @@ again:
dst = (struct folio *)freepage;
post_alloc_hook(&dst->page, order, __GFP_MOVABLE);
+ set_page_refcounted(&dst->page);
if (order)
prep_compound_page(&dst->page, order);
cc->nr_freepages -= 1 << order;
--- a/mm/internal.h
+++ b/mm/internal.h
@@ -729,8 +729,7 @@ static inline void prep_compound_tail(st
extern void prep_compound_page(struct page *page, unsigned int order);
-extern void post_alloc_hook(struct page *page, unsigned int order,
- gfp_t gfp_flags);
+void post_alloc_hook(struct page *page, unsigned int order, gfp_t gfp_flags);
extern bool free_pages_prepare(struct page *page, unsigned int order);
extern int user_min_free_kbytes;
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1542,7 +1542,6 @@ inline void post_alloc_hook(struct page
int i;
set_page_private(page, 0);
- set_page_refcounted(page);
arch_alloc_page(page, order);
debug_pagealloc_map_pages(page, 1 << order);
@@ -1598,6 +1597,7 @@ static void prep_new_page(struct page *p
unsigned int alloc_flags)
{
post_alloc_hook(page, order, gfp_flags);
+ set_page_refcounted(page);
if (order && (gfp_flags & __GFP_COMP))
prep_compound_page(page, order);
@@ -6591,6 +6591,7 @@ static void split_free_pages(struct list
int i;
post_alloc_hook(page, order, __GFP_MOVABLE);
+ set_page_refcounted(page);
if (!order)
continue;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 326/567] parisc: Check kernel mapping earlier at bootup
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 325/567] parisc: Fix initial page table creation for boot Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 327/567] pmdomain: bcm: bcm2835-power: Fix broken reset status read Greg Kroah-Hartman
` (51 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 17c144f1104bfc29a3ce3f7d0931a1bfb7a3558c upstream.
The check if the initial mapping is sufficient needs to happen much
earlier during bootup. Move this test directly to the start_parisc()
function and use native PDC iodc functions to print the warning, because
panic() and printk() are not functional yet.
This fixes boot when enabling various KALLSYSMS options which need
much more space.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v6.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/setup.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
--- a/arch/parisc/kernel/setup.c
+++ b/arch/parisc/kernel/setup.c
@@ -123,14 +123,6 @@ void __init setup_arch(char **cmdline_p)
#endif
printk(KERN_CONT ".\n");
- /*
- * Check if initial kernel page mappings are sufficient.
- * panic early if not, else we may access kernel functions
- * and variables which can't be reached.
- */
- if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE)
- panic("KERNEL_INITIAL_ORDER too small!");
-
#ifdef CONFIG_64BIT
if(parisc_narrow_firmware) {
printk(KERN_INFO "Kernel is using PDC in 32-bit mode.\n");
@@ -282,6 +274,18 @@ void __init start_parisc(void)
int ret, cpunum;
struct pdc_coproc_cfg coproc_cfg;
+ /*
+ * Check if initial kernel page mapping is sufficient.
+ * Print warning if not, because we may access kernel functions and
+ * variables which can't be reached yet through the initial mappings.
+ * Note that the panic() and printk() functions are not functional
+ * yet, so we need to use direct iodc() firmware calls instead.
+ */
+ const char warn1[] = "CRITICAL: Kernel may crash because "
+ "KERNEL_INITIAL_ORDER is too small.\n";
+ if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE)
+ pdc_iodc_print(warn1, sizeof(warn1) - 1);
+
/* check QEMU/SeaBIOS marker in PAGE0 */
running_on_qemu = (memcmp(&PAGE0->pad0, "SeaBIOS", 8) == 0);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 264/481] btrfs: abort transaction on failure to update root in the received subvol ioctl
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 263/481] btrfs: fix transaction abort on file creation due to name hash collision Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 265/481] iio: dac: ds4424: reject -128 RAW value Greg Kroah-Hartman
` (51 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Anand Jain, Filipe Manana,
David Sterba
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 0f475ee0ebce5c9492b260027cd95270191675fa upstream.
If we failed to update the root we don't abort the transaction, which is
wrong since we already used the transaction to remove an item from the
uuid tree.
Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
CC: stable@vger.kernel.org # 3.12+
Reviewed-by: Anand Jain <asj@kernel.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -4921,7 +4921,8 @@ static long _btrfs_ioctl_set_received_su
ret = btrfs_update_root(trans, fs_info->tree_root,
&root->root_key, &root->root_item);
- if (ret < 0) {
+ if (unlikely(ret < 0)) {
+ btrfs_abort_transaction(trans, ret);
btrfs_end_transaction(trans);
goto out;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 251/460] mm/page_alloc: sort out the alloc_contig_range() gfp flags mess
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 250/460] mm/page_alloc: move set_page_refcounted() to callers of post_alloc_hook() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 252/460] mm/page_alloc: forward the gfp flags from alloc_contig_range() to post_alloc_hook() Greg Kroah-Hartman
` (51 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Zi Yan,
Vlastimil Babka, Oscar Salvador, Christophe Leroy,
Madhavan Srinivasan, Michael Ellerman, Naveen N Rao,
Nicholas Piggin, Vishal Moola (Oracle), Andrew Morton,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
[ Upstream commit f6037a4a686523dee1967ef7620349822e019ff8 ]
It's all a bit complicated for alloc_contig_range(). For example, we
don't support many flags, so let's start bailing out on unsupported ones
-- ignoring the placement hints, as we are already given the range to
allocate.
While we currently set cc.gfp_mask, in __alloc_contig_migrate_range() we
simply create yet another GFP mask whereby we ignore the reclaim flags
specify by the caller. That looks very inconsistent.
Let's clean it up, constructing the gfp flags used for
compaction/migration exactly once. Update the documentation of the
gfp_mask parameter for alloc_contig_range() and alloc_contig_pages().
Link: https://lkml.kernel.org/r/20241203094732.200195-5-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Acked-by: Zi Yan <ziy@nvidia.com>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Naveen N Rao <naveen@kernel.org>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Vishal Moola (Oracle) <vishal.moola@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: d155aab90fff ("mm/kfence: fix KASAN hardware tag faults during late enablement")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/page_alloc.c | 48 ++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 44 insertions(+), 4 deletions(-)
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -6509,7 +6509,7 @@ int __alloc_contig_migrate_range(struct
int ret = 0;
struct migration_target_control mtc = {
.nid = zone_to_nid(cc->zone),
- .gfp_mask = GFP_USER | __GFP_MOVABLE | __GFP_RETRY_MAYFAIL,
+ .gfp_mask = cc->gfp_mask,
.reason = MR_CONTIG_RANGE,
};
struct page *page;
@@ -6605,6 +6605,39 @@ static void split_free_pages(struct list
}
}
+static int __alloc_contig_verify_gfp_mask(gfp_t gfp_mask, gfp_t *gfp_cc_mask)
+{
+ const gfp_t reclaim_mask = __GFP_IO | __GFP_FS | __GFP_RECLAIM;
+ const gfp_t action_mask = __GFP_COMP | __GFP_RETRY_MAYFAIL | __GFP_NOWARN;
+ const gfp_t cc_action_mask = __GFP_RETRY_MAYFAIL | __GFP_NOWARN;
+
+ /*
+ * We are given the range to allocate; node, mobility and placement
+ * hints are irrelevant at this point. We'll simply ignore them.
+ */
+ gfp_mask &= ~(GFP_ZONEMASK | __GFP_RECLAIMABLE | __GFP_WRITE |
+ __GFP_HARDWALL | __GFP_THISNODE | __GFP_MOVABLE);
+
+ /*
+ * We only support most reclaim flags (but not NOFAIL/NORETRY), and
+ * selected action flags.
+ */
+ if (gfp_mask & ~(reclaim_mask | action_mask))
+ return -EINVAL;
+
+ /*
+ * Flags to control page compaction/migration/reclaim, to free up our
+ * page range. Migratable pages are movable, __GFP_MOVABLE is implied
+ * for them.
+ *
+ * Traditionally we always had __GFP_HARDWALL|__GFP_RETRY_MAYFAIL set,
+ * keep doing that to not degrade callers.
+ */
+ *gfp_cc_mask = (gfp_mask & (reclaim_mask | cc_action_mask)) |
+ __GFP_HARDWALL | __GFP_MOVABLE | __GFP_RETRY_MAYFAIL;
+ return 0;
+}
+
/**
* alloc_contig_range() -- tries to allocate given range of pages
* @start: start PFN to allocate
@@ -6613,7 +6646,9 @@ static void split_free_pages(struct list
* #MIGRATE_MOVABLE or #MIGRATE_CMA). All pageblocks
* in range must have the same migratetype and it must
* be either of the two.
- * @gfp_mask: GFP mask to use during compaction
+ * @gfp_mask: GFP mask. Node/zone/placement hints are ignored; only some
+ * action and reclaim modifiers are supported. Reclaim modifiers
+ * control allocation behavior during compaction/migration/reclaim.
*
* The PFN range does not have to be pageblock aligned. The PFN range must
* belong to a single zone.
@@ -6639,11 +6674,14 @@ int alloc_contig_range_noprof(unsigned l
.mode = MIGRATE_SYNC,
.ignore_skip_hint = true,
.no_set_skip_hint = true,
- .gfp_mask = current_gfp_context(gfp_mask),
.alloc_contig = true,
};
INIT_LIST_HEAD(&cc.migratepages);
+ gfp_mask = current_gfp_context(gfp_mask);
+ if (__alloc_contig_verify_gfp_mask(gfp_mask, (gfp_t *)&cc.gfp_mask))
+ return -EINVAL;
+
/*
* What we do here is we mark all pageblocks in range as
* MIGRATE_ISOLATE. Because pageblock and max order pages may
@@ -6785,7 +6823,9 @@ static bool zone_spans_last_pfn(const st
/**
* alloc_contig_pages() -- tries to find and allocate contiguous range of pages
* @nr_pages: Number of contiguous pages to allocate
- * @gfp_mask: GFP mask to limit search and used during compaction
+ * @gfp_mask: GFP mask. Node/zone/placement hints limit the search; only some
+ * action and reclaim modifiers are supported. Reclaim modifiers
+ * control allocation behavior during compaction/migration/reclaim.
* @nid: Target node
* @nodemask: Mask for other possible nodes
*
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 327/567] pmdomain: bcm: bcm2835-power: Fix broken reset status read
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 326/567] parisc: Check kernel mapping earlier at bootup Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 328/567] ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() Greg Kroah-Hartman
` (50 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maíra Canal, Florian Fainelli,
Stefan Wahren, Ulf Hansson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maíra Canal <mcanal@igalia.com>
commit 550bae2c0931dbb664a61b08c21cf156f0a5362a upstream.
bcm2835_reset_status() has a misplaced parenthesis on every PM_READ()
call. Since PM_READ(reg) expands to readl(power->base + (reg)), the
expression:
PM_READ(PM_GRAFX & PM_V3DRSTN)
computes the bitwise AND of the register offset PM_GRAFX with the
bitmask PM_V3DRSTN before using the result as a register offset, reading
from the wrong MMIO address instead of the intended PM_GRAFX register.
The same issue affects the PM_IMAGE cases.
Fix by moving the closing parenthesis so PM_READ() receives only the
register offset, and the bitmask is applied to the value returned by
the read.
Fixes: 670c672608a1 ("soc: bcm: bcm2835-pm: Add support for power domains under a new binding.")
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pmdomain/bcm/bcm2835-power.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/pmdomain/bcm/bcm2835-power.c
+++ b/drivers/pmdomain/bcm/bcm2835-power.c
@@ -580,11 +580,11 @@ static int bcm2835_reset_status(struct r
switch (id) {
case BCM2835_RESET_V3D:
- return !PM_READ(PM_GRAFX & PM_V3DRSTN);
+ return !(PM_READ(PM_GRAFX) & PM_V3DRSTN);
case BCM2835_RESET_H264:
- return !PM_READ(PM_IMAGE & PM_H264RSTN);
+ return !(PM_READ(PM_IMAGE) & PM_H264RSTN);
case BCM2835_RESET_ISP:
- return !PM_READ(PM_IMAGE & PM_ISPRSTN);
+ return !(PM_READ(PM_IMAGE) & PM_ISPRSTN);
default:
return -EINVAL;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 265/481] iio: dac: ds4424: reject -128 RAW value
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 264/481] btrfs: abort transaction on failure to update root in the received subvol ioctl Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 266/481] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() Greg Kroah-Hartman
` (50 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Andy Shevchenko,
Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit 5187e03b817c26c1c3bcb2645a612ea935c4be89 upstream.
The DS442x DAC uses sign-magnitude encoding, so -128 cannot be represented
in hardware (7-bit magnitude).
Previously, passing -128 resulted in a truncated value that programmed
0mA (magnitude 0) instead of the expected maximum negative current,
effectively failing silently.
Reject -128 to avoid producing the wrong current.
Fixes: d632a2bd8ffc ("iio: dac: ds4422/ds4424 dac driver")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/ds4424.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/dac/ds4424.c
+++ b/drivers/iio/dac/ds4424.c
@@ -141,7 +141,7 @@ static int ds4424_write_raw(struct iio_d
switch (mask) {
case IIO_CHAN_INFO_RAW:
- if (val < S8_MIN || val > S8_MAX)
+ if (val <= S8_MIN || val > S8_MAX)
return -EINVAL;
if (val > 0) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 252/460] mm/page_alloc: forward the gfp flags from alloc_contig_range() to post_alloc_hook()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 251/460] mm/page_alloc: sort out the alloc_contig_range() gfp flags mess Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 253/460] mm/kfence: fix KASAN hardware tag faults during late enablement Greg Kroah-Hartman
` (50 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Vlastimil Babka,
Oscar Salvador, Christophe Leroy, Madhavan Srinivasan,
Michael Ellerman, Naveen N Rao, Nicholas Piggin,
Vishal Moola (Oracle), Zi Yan, Andrew Morton, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
[ Upstream commit 7b755570064fcb9cde37afd48f6bc65151097ba7 ]
In the __GFP_COMP case, we already pass the gfp_flags to
prep_new_page()->post_alloc_hook(). However, in the !__GFP_COMP case, we
essentially pass only hardcoded __GFP_MOVABLE to post_alloc_hook(),
preventing some action modifiers from being effective..
Let's pass our now properly adjusted gfp flags there as well.
This way, we can now support __GFP_ZERO for alloc_contig_*().
As a side effect, we now also support __GFP_SKIP_ZERO and__GFP_ZEROTAGS;
but we'll keep the more special stuff (KASAN, NOLOCKDEP) disabled for now.
It's worth noting that with __GFP_ZERO, we might unnecessarily zero pages
when we have to release part of our range using free_contig_range() again.
This can be optimized in the future, if ever required; the caller we'll
be converting (powernv/memtrace) next won't trigger this.
Link: https://lkml.kernel.org/r/20241203094732.200195-6-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Naveen N Rao <naveen@kernel.org>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Vishal Moola (Oracle) <vishal.moola@gmail.com>
Cc: Zi Yan <ziy@nvidia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: d155aab90fff ("mm/kfence: fix KASAN hardware tag faults during late enablement")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/page_alloc.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -6579,7 +6579,7 @@ int __alloc_contig_migrate_range(struct
return (ret < 0) ? ret : 0;
}
-static void split_free_pages(struct list_head *list)
+static void split_free_pages(struct list_head *list, gfp_t gfp_mask)
{
int order;
@@ -6590,7 +6590,7 @@ static void split_free_pages(struct list
list_for_each_entry_safe(page, next, &list[order], lru) {
int i;
- post_alloc_hook(page, order, __GFP_MOVABLE);
+ post_alloc_hook(page, order, gfp_mask);
set_page_refcounted(page);
if (!order)
continue;
@@ -6608,7 +6608,8 @@ static void split_free_pages(struct list
static int __alloc_contig_verify_gfp_mask(gfp_t gfp_mask, gfp_t *gfp_cc_mask)
{
const gfp_t reclaim_mask = __GFP_IO | __GFP_FS | __GFP_RECLAIM;
- const gfp_t action_mask = __GFP_COMP | __GFP_RETRY_MAYFAIL | __GFP_NOWARN;
+ const gfp_t action_mask = __GFP_COMP | __GFP_RETRY_MAYFAIL | __GFP_NOWARN |
+ __GFP_ZERO | __GFP_ZEROTAGS | __GFP_SKIP_ZERO;
const gfp_t cc_action_mask = __GFP_RETRY_MAYFAIL | __GFP_NOWARN;
/*
@@ -6756,7 +6757,7 @@ int alloc_contig_range_noprof(unsigned l
}
if (!(gfp_mask & __GFP_COMP)) {
- split_free_pages(cc.freepages);
+ split_free_pages(cc.freepages, gfp_mask);
/* Free head and tail (if any) */
if (start != outer_start)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 328/567] ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 327/567] pmdomain: bcm: bcm2835-power: Fix broken reset status read Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 329/567] smb: server: fix use-after-free in smb2_open() Greg Kroah-Hartman
` (49 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit eac3361e3d5dd8067b3258c69615888eb45e9f25 upstream.
opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being
accessed after rcu_read_unlock() has been called. This creates a
race condition where the memory could be freed by a concurrent
writer between the unlock and the subsequent pointer dereferences
(opinfo->is_lease, etc.), leading to a use-after-free.
Fixes: 5fb282ba4fef ("ksmbd: fix possible null-deref in smb_lazy_parent_lease_break_close")
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/oplock.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -1123,10 +1123,12 @@ void smb_lazy_parent_lease_break_close(s
rcu_read_lock();
opinfo = rcu_dereference(fp->f_opinfo);
- rcu_read_unlock();
- if (!opinfo || !opinfo->is_lease || opinfo->o_lease->version != 2)
+ if (!opinfo || !opinfo->is_lease || opinfo->o_lease->version != 2) {
+ rcu_read_unlock();
return;
+ }
+ rcu_read_unlock();
p_ci = ksmbd_inode_lookup_lock(fp->filp->f_path.dentry->d_parent);
if (!p_ci)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 266/481] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 265/481] iio: dac: ds4424: reject -128 RAW value Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 267/481] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() Greg Kroah-Hartman
` (49 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Tomasz Duszynski,
Andy Shevchenko, Stable, Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit c3914ce1963c4db25e186112c90fa5d2361e9e0a upstream.
sizeof(num) evaluates to sizeof(size_t) which is 8 bytes on 64-bit,
but the buffer elements are only 4 bytes. The same function already
uses sizeof(*meas) on line 312, making the mismatch evident. Use
sizeof(*meas) consistently.
Fixes: b2e171f5a5c6 ("iio: sps30: add support for serial interface")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Acked-by: Tomasz Duszynski <tduszyns@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/sps30_serial.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/chemical/sps30_serial.c
+++ b/drivers/iio/chemical/sps30_serial.c
@@ -303,7 +303,7 @@ static int sps30_serial_read_meas(struct
if (msleep_interruptible(1000))
return -EINTR;
- ret = sps30_serial_command(state, SPS30_SERIAL_READ_MEAS, NULL, 0, meas, num * sizeof(num));
+ ret = sps30_serial_command(state, SPS30_SERIAL_READ_MEAS, NULL, 0, meas, num * sizeof(*meas));
if (ret < 0)
return ret;
/* if measurements aren't ready sensor returns empty frame */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 253/460] mm/kfence: fix KASAN hardware tag faults during late enablement
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 252/460] mm/page_alloc: forward the gfp flags from alloc_contig_range() to post_alloc_hook() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 254/460] nsfs: tighten permission checks for ns iteration ioctls Greg Kroah-Hartman
` (49 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Potapenko,
Ernesto Martinez Garcia, Andrey Konovalov, Andrey Ryabinin,
Dmitry Vyukov, Kees Cook, Marco Elver, Andrew Morton, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Potapenko <glider@google.com>
[ Upstream commit d155aab90fffa00f93cea1f107aef0a3d548b2ff ]
When KASAN hardware tags are enabled, re-enabling KFENCE late (via
/sys/module/kfence/parameters/sample_interval) causes KASAN faults.
This happens because the KFENCE pool and metadata are allocated via the
page allocator, which tags the memory, while KFENCE continues to access it
using untagged pointers during initialization.
Use __GFP_SKIP_KASAN for late KFENCE pool and metadata allocations to
ensure the memory remains untagged, consistent with early allocations from
memblock. To support this, add __GFP_SKIP_KASAN to the allowlist in
__alloc_contig_verify_gfp_mask().
Link: https://lkml.kernel.org/r/20260220144940.2779209-1-glider@google.com
Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure")
Signed-off-by: Alexander Potapenko <glider@google.com>
Suggested-by: Ernesto Martinez Garcia <ernesto.martinezgarcia@tugraz.at>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Kees Cook <kees@kernel.org>
Cc: Marco Elver <elver@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/kfence/core.c | 14 ++++++++------
mm/page_alloc.c | 3 ++-
2 files changed, 10 insertions(+), 7 deletions(-)
--- a/mm/kfence/core.c
+++ b/mm/kfence/core.c
@@ -964,14 +964,14 @@ static int kfence_init_late(void)
#ifdef CONFIG_CONTIG_ALLOC
struct page *pages;
- pages = alloc_contig_pages(nr_pages_pool, GFP_KERNEL, first_online_node,
- NULL);
+ pages = alloc_contig_pages(nr_pages_pool, GFP_KERNEL | __GFP_SKIP_KASAN,
+ first_online_node, NULL);
if (!pages)
return -ENOMEM;
__kfence_pool = page_to_virt(pages);
- pages = alloc_contig_pages(nr_pages_meta, GFP_KERNEL, first_online_node,
- NULL);
+ pages = alloc_contig_pages(nr_pages_meta, GFP_KERNEL | __GFP_SKIP_KASAN,
+ first_online_node, NULL);
if (pages)
kfence_metadata_init = page_to_virt(pages);
#else
@@ -981,11 +981,13 @@ static int kfence_init_late(void)
return -EINVAL;
}
- __kfence_pool = alloc_pages_exact(KFENCE_POOL_SIZE, GFP_KERNEL);
+ __kfence_pool = alloc_pages_exact(KFENCE_POOL_SIZE,
+ GFP_KERNEL | __GFP_SKIP_KASAN);
if (!__kfence_pool)
return -ENOMEM;
- kfence_metadata_init = alloc_pages_exact(KFENCE_METADATA_SIZE, GFP_KERNEL);
+ kfence_metadata_init = alloc_pages_exact(KFENCE_METADATA_SIZE,
+ GFP_KERNEL | __GFP_SKIP_KASAN);
#endif
if (!kfence_metadata_init)
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -6609,7 +6609,8 @@ static int __alloc_contig_verify_gfp_mas
{
const gfp_t reclaim_mask = __GFP_IO | __GFP_FS | __GFP_RECLAIM;
const gfp_t action_mask = __GFP_COMP | __GFP_RETRY_MAYFAIL | __GFP_NOWARN |
- __GFP_ZERO | __GFP_ZEROTAGS | __GFP_SKIP_ZERO;
+ __GFP_ZERO | __GFP_ZEROTAGS | __GFP_SKIP_ZERO |
+ __GFP_SKIP_KASAN;
const gfp_t cc_action_mask = __GFP_RETRY_MAYFAIL | __GFP_NOWARN;
/*
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 329/567] smb: server: fix use-after-free in smb2_open()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 328/567] ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 330/567] ksmbd: fix use-after-free by using call_rcu() for oplock_info Greg Kroah-Hartman
` (48 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marios Makassikis, Namjae Jeon,
Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marios Makassikis <mmakassikis@freebox.fr>
commit 1e689a56173827669a35da7cb2a3c78ed5c53680 upstream.
The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is
dereferenced after rcu_read_unlock(), creating a use-after-free
window.
Cc: stable@vger.kernel.org
Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -3593,10 +3593,8 @@ int smb2_open(struct ksmbd_work *work)
reconnected_fp:
rsp->StructureSize = cpu_to_le16(89);
- rcu_read_lock();
- opinfo = rcu_dereference(fp->f_opinfo);
+ opinfo = opinfo_get(fp);
rsp->OplockLevel = opinfo != NULL ? opinfo->level : 0;
- rcu_read_unlock();
rsp->Flags = 0;
rsp->CreateAction = cpu_to_le32(file_info);
rsp->CreationTime = cpu_to_le64(fp->create_time);
@@ -3637,6 +3635,7 @@ reconnected_fp:
next_ptr = &lease_ccontext->Next;
next_off = conn->vals->create_lease_size;
}
+ opinfo_put(opinfo);
if (maximal_access_ctxt) {
struct create_context *mxac_ccontext;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 267/481] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 266/481] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 268/481] iio: potentiometer: mcp4131: fix double application of wiper shift Greg Kroah-Hartman
` (48 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Tomasz Duszynski,
Andy Shevchenko, Stable, Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit 216345f98cae7fcc84f49728c67478ac00321c87 upstream.
sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead
of the intended __be32 element size (4 bytes). Use sizeof(*meas) to
correctly match the buffer element type.
Fixes: 8f3f13085278 ("iio: sps30: separate core and interface specific code")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Acked-by: Tomasz Duszynski <tduszyns@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/sps30_i2c.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/chemical/sps30_i2c.c
+++ b/drivers/iio/chemical/sps30_i2c.c
@@ -171,7 +171,7 @@ static int sps30_i2c_read_meas(struct sp
if (!sps30_i2c_meas_ready(state))
return -ETIMEDOUT;
- return sps30_i2c_command(state, SPS30_I2C_READ_MEAS, NULL, 0, meas, sizeof(num) * num);
+ return sps30_i2c_command(state, SPS30_I2C_READ_MEAS, NULL, 0, meas, sizeof(*meas) * num);
}
static int sps30_i2c_clean_fan(struct sps30_state *state)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 254/460] nsfs: tighten permission checks for ns iteration ioctls
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 253/460] mm/kfence: fix KASAN hardware tag faults during late enablement Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 255/460] sched_ext: Disable preemption between scx_claim_exit() and kicking helper work Greg Kroah-Hartman
` (48 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeff Layton, Christian Brauner,
Sasha Levin, stable
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
[ Upstream commit e6b899f08066e744f89df16ceb782e06868bd148 ]
Even privileged services should not necessarily be able to see other
privileged service's namespaces so they can't leak information to each
other. Use may_see_all_namespaces() helper that centralizes this policy
until the nstree adapts.
Link: https://patch.msgid.link/20260226-work-visibility-fixes-v1-1-d2c2853313bd@kernel.org
Fixes: a1d220d9dafa ("nsfs: iterate through mount namespaces")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@kernel.org # v6.12+
Signed-off-by: Christian Brauner <brauner@kernel.org>
[ Different file names ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nsfs.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
--- a/fs/nsfs.c
+++ b/fs/nsfs.c
@@ -12,6 +12,7 @@
#include <linux/user_namespace.h>
#include <linux/nsfs.h>
#include <linux/uaccess.h>
+#include <linux/capability.h>
#include <linux/mnt_namespace.h>
#include "mount.h"
@@ -152,6 +153,23 @@ static int copy_ns_info_to_user(const st
return 0;
}
+static bool may_see_all_namespaces(void)
+{
+ return (task_active_pid_ns(current) == &init_pid_ns) &&
+ ns_capable_noaudit(init_pid_ns.user_ns, CAP_SYS_ADMIN);
+}
+
+static bool may_use_nsfs_ioctl(unsigned int cmd)
+{
+ switch (_IOC_NR(cmd)) {
+ case _IOC_NR(NS_MNT_GET_NEXT):
+ fallthrough;
+ case _IOC_NR(NS_MNT_GET_PREV):
+ return may_see_all_namespaces();
+ }
+ return true;
+}
+
static long ns_ioctl(struct file *filp, unsigned int ioctl,
unsigned long arg)
{
@@ -165,6 +183,9 @@ static long ns_ioctl(struct file *filp,
uid_t uid;
int ret;
+ if (!may_use_nsfs_ioctl(ioctl))
+ return -EPERM;
+
switch (ioctl) {
case NS_GET_USERNS:
return open_related_ns(ns, ns_get_owner);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 330/567] ksmbd: fix use-after-free by using call_rcu() for oplock_info
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 329/567] smb: server: fix use-after-free in smb2_open() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 331/567] net: ncsi: fix skb leak in error paths Greg Kroah-Hartman
` (47 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit 1dfd062caa165ec9d7ee0823087930f3ab8a6294 upstream.
ksmbd currently frees oplock_info immediately using kfree(), even
though it is accessed under RCU read-side critical sections in places
like opinfo_get() and proc_show_files().
Since there is no RCU grace period delay between nullifying the pointer
and freeing the memory, a reader can still access oplock_info
structure after it has been freed. This can leads to a use-after-free
especially in opinfo_get() where atomic_inc_not_zero() is called on
already freed memory.
Fix this by switching to deferred freeing using call_rcu().
Fixes: 18b4fac5ef17 ("ksmbd: fix use-after-free in smb_break_all_levII_oplock()")
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/oplock.c | 29 +++++++++++++++++++++--------
fs/smb/server/oplock.h | 5 +++--
2 files changed, 24 insertions(+), 10 deletions(-)
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -120,7 +120,7 @@ static void free_lease(struct oplock_inf
kfree(lease);
}
-static void free_opinfo(struct oplock_info *opinfo)
+static void __free_opinfo(struct oplock_info *opinfo)
{
if (opinfo->is_lease)
free_lease(opinfo);
@@ -129,6 +129,18 @@ static void free_opinfo(struct oplock_in
kfree(opinfo);
}
+static void free_opinfo_rcu(struct rcu_head *rcu)
+{
+ struct oplock_info *opinfo = container_of(rcu, struct oplock_info, rcu);
+
+ __free_opinfo(opinfo);
+}
+
+static void free_opinfo(struct oplock_info *opinfo)
+{
+ call_rcu(&opinfo->rcu, free_opinfo_rcu);
+}
+
struct oplock_info *opinfo_get(struct ksmbd_file *fp)
{
struct oplock_info *opinfo;
@@ -176,9 +188,9 @@ void opinfo_put(struct oplock_info *opin
free_opinfo(opinfo);
}
-static void opinfo_add(struct oplock_info *opinfo)
+static void opinfo_add(struct oplock_info *opinfo, struct ksmbd_file *fp)
{
- struct ksmbd_inode *ci = opinfo->o_fp->f_ci;
+ struct ksmbd_inode *ci = fp->f_ci;
down_write(&ci->m_lock);
list_add(&opinfo->op_entry, &ci->m_op_list);
@@ -1279,20 +1291,21 @@ set_lev:
set_oplock_level(opinfo, req_op_level, lctx);
out:
- rcu_assign_pointer(fp->f_opinfo, opinfo);
- opinfo->o_fp = fp;
-
opinfo_count_inc(fp);
- opinfo_add(opinfo);
+ opinfo_add(opinfo, fp);
+
if (opinfo->is_lease) {
err = add_lease_global_list(opinfo);
if (err)
goto err_out;
}
+ rcu_assign_pointer(fp->f_opinfo, opinfo);
+ opinfo->o_fp = fp;
+
return 0;
err_out:
- free_opinfo(opinfo);
+ __free_opinfo(opinfo);
return err;
}
--- a/fs/smb/server/oplock.h
+++ b/fs/smb/server/oplock.h
@@ -76,8 +76,9 @@ struct oplock_info {
struct lease *o_lease;
struct list_head op_entry;
struct list_head lease_entry;
- wait_queue_head_t oplock_q; /* Other server threads */
- wait_queue_head_t oplock_brk; /* oplock breaking wait */
+ wait_queue_head_t oplock_q; /* Other server threads */
+ wait_queue_head_t oplock_brk; /* oplock breaking wait */
+ struct rcu_head rcu;
};
struct lease_break_info {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 268/481] iio: potentiometer: mcp4131: fix double application of wiper shift
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 267/481] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 269/481] iio: chemical: bme680: Fix measurement wait duration calculation Greg Kroah-Hartman
` (47 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Jonathan Cameron,
Lukas Schmid
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Schmid <lukas.schmid@netcube.li>
commit 85e4614524dca6c0a43874f475a17de2b9725648 upstream.
The MCP4131 wiper address is shifted twice when preparing the SPI
command in mcp4131_write_raw().
The address is already shifted when assigned to the local variable
"address", but is then shifted again when written to data->buf[0].
This results in an incorrect command being sent to the device and
breaks wiper writes to the second channel.
Remove the second shift and use the pre-shifted address directly
when composing the SPI transfer.
Fixes: 22d199a53910 ("iio: potentiometer: add driver for Microchip MCP413X/414X/415X/416X/423X/424X/425X/426X")
Signed-off-by: Lukas Schmid <lukas.schmid@netcube.li>#
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/potentiometer/mcp4131.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/potentiometer/mcp4131.c
+++ b/drivers/iio/potentiometer/mcp4131.c
@@ -222,7 +222,7 @@ static int mcp4131_write_raw(struct iio_
mutex_lock(&data->lock);
- data->buf[0] = address << MCP4131_WIPER_SHIFT;
+ data->buf[0] = address;
data->buf[0] |= MCP4131_WRITE | (val >> 8);
data->buf[1] = val & 0xFF; /* 8 bits here */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 255/460] sched_ext: Disable preemption between scx_claim_exit() and kicking helper work
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 254/460] nsfs: tighten permission checks for ns iteration ioctls Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 256/460] sched_ext: Fix starvation of scx_enable() under fair-class saturation Greg Kroah-Hartman
` (47 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andrea Righi, Tejun Heo, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
[ Upstream commit 83236b2e43dba00bee5b82eb5758816b1a674f6a ]
scx_claim_exit() atomically sets exit_kind, which prevents scx_error() from
triggering further error handling. After claiming exit, the caller must kick
the helper kthread work which initiates bypass mode and teardown.
If the calling task gets preempted between claiming exit and kicking the
helper work, and the BPF scheduler fails to schedule it back (since error
handling is now disabled), the helper work is never queued, bypass mode
never activates, tasks stop being dispatched, and the system wedges.
Disable preemption across scx_claim_exit() and the subsequent work kicking
in all callers - scx_disable() and scx_vexit(). Add
lockdep_assert_preemption_disabled() to scx_claim_exit() to enforce the
requirement.
Fixes: f0e1a0643a59 ("sched_ext: Implement BPF extensible scheduler class")
Cc: stable@vger.kernel.org # v6.12+
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
[ adapted per-scheduler struct (sch->exit_kind, scx_disable, scx_vexit) to global variables (scx_exit_kind, scx_ops_disable, scx_ops_exit_kind) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -4775,14 +4775,29 @@ static void schedule_scx_ops_disable_wor
kthread_queue_work(helper, &scx_ops_disable_work);
}
-static void scx_ops_disable(enum scx_exit_kind kind)
+/*
+ * Claim the exit. The caller must ensure that the helper kthread work
+ * is kicked before the current task can be preempted. Once exit_kind is
+ * claimed, scx_error() can no longer trigger, so if the current task gets
+ * preempted and the BPF scheduler fails to schedule it back, the helper work
+ * will never be kicked and the whole system can wedge.
+ */
+static bool scx_claim_exit(enum scx_exit_kind kind)
{
int none = SCX_EXIT_NONE;
+ lockdep_assert_preemption_disabled();
+
+ return atomic_try_cmpxchg(&scx_exit_kind, &none, kind);
+}
+
+static void scx_ops_disable(enum scx_exit_kind kind)
+{
if (WARN_ON_ONCE(kind == SCX_EXIT_NONE || kind == SCX_EXIT_DONE))
kind = SCX_EXIT_ERROR;
- atomic_try_cmpxchg(&scx_exit_kind, &none, kind);
+ guard(preempt)();
+ scx_claim_exit(kind);
schedule_scx_ops_disable_work();
}
@@ -5082,10 +5097,11 @@ static __printf(3, 4) void scx_ops_exit_
const char *fmt, ...)
{
struct scx_exit_info *ei = scx_exit_info;
- int none = SCX_EXIT_NONE;
va_list args;
- if (!atomic_try_cmpxchg(&scx_exit_kind, &none, kind))
+ guard(preempt)();
+
+ if (!scx_claim_exit(kind))
return;
ei->exit_code = exit_code;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 331/567] net: ncsi: fix skb leak in error paths
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 330/567] ksmbd: fix use-after-free by using call_rcu() for oplock_info Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 332/567] net: ethernet: arc: emac: quiesce interrupts before requesting IRQ Greg Kroah-Hartman
` (46 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jian Zhang, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Zhang <zhangjian.3032@bytedance.com>
commit 5c3398a54266541610c8d0a7082e654e9ff3e259 upstream.
Early return paths in NCSI RX and AEN handlers fail to release
the received skb, resulting in a memory leak.
Specifically, ncsi_aen_handler() returns on invalid AEN packets
without consuming the skb. Similarly, ncsi_rcv_rsp() exits early
when failing to resolve the NCSI device, response handler, or
request, leaving the skb unfreed.
CC: stable@vger.kernel.org
Fixes: 7a82ecf4cfb8 ("net/ncsi: NCSI AEN packet handler")
Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler")
Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
Link: https://patch.msgid.link/20260305060656.3357250-1-zhangjian.3032@bytedance.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ncsi/ncsi-aen.c | 3 ++-
net/ncsi/ncsi-rsp.c | 16 ++++++++++++----
2 files changed, 14 insertions(+), 5 deletions(-)
--- a/net/ncsi/ncsi-aen.c
+++ b/net/ncsi/ncsi-aen.c
@@ -224,7 +224,8 @@ int ncsi_aen_handler(struct ncsi_dev_pri
if (!nah) {
netdev_warn(ndp->ndev.dev, "Invalid AEN (0x%x) received\n",
h->type);
- return -ENOENT;
+ ret = -ENOENT;
+ goto out;
}
ret = ncsi_validate_aen_pkt(h, nah->payload);
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -1176,8 +1176,10 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
/* Find the NCSI device */
nd = ncsi_find_dev(orig_dev);
ndp = nd ? TO_NCSI_DEV_PRIV(nd) : NULL;
- if (!ndp)
- return -ENODEV;
+ if (!ndp) {
+ ret = -ENODEV;
+ goto err_free_skb;
+ }
/* Check if it is AEN packet */
hdr = (struct ncsi_pkt_hdr *)skb_network_header(skb);
@@ -1199,7 +1201,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
if (!nrh) {
netdev_err(nd->dev, "Received unrecognized packet (0x%x)\n",
hdr->type);
- return -ENOENT;
+ ret = -ENOENT;
+ goto err_free_skb;
}
/* Associate with the request */
@@ -1207,7 +1210,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
nr = &ndp->requests[hdr->id];
if (!nr->used) {
spin_unlock_irqrestore(&ndp->lock, flags);
- return -ENODEV;
+ ret = -ENODEV;
+ goto err_free_skb;
}
nr->rsp = skb;
@@ -1261,4 +1265,8 @@ out_netlink:
out:
ncsi_free_request(nr);
return ret;
+
+err_free_skb:
+ kfree_skb(skb);
+ return ret;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 269/481] iio: chemical: bme680: Fix measurement wait duration calculation
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 268/481] iio: potentiometer: mcp4131: fix double application of wiper shift Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 270/481] iio: gyro: mpu3050-core: fix pm_runtime error handling Greg Kroah-Hartman
` (46 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Spencer, Vasileios Amoiridis,
Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Spencer <spencercw@gmail.com>
commit f55b9510cd9437da3a0efa08b089caeb47595ff1 upstream.
This function refers to the Bosch BME680 API as the source of the
calculation, but one of the constants does not match the Bosch
implementation. This appears to be a simple transposition of two digits,
resulting in a wait time that is too short. This can cause the following
'device measurement cycle incomplete' check to occasionally fail, returning
EBUSY to user space.
Adjust the constant to match the Bosch implementation and resolve the EBUSY
errors.
Fixes: 4241665e6ea0 ("iio: chemical: bme680: Fix sensor data read operation")
Link: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x.c#L521
Signed-off-by: Chris Spencer <spencercw@gmail.com>
Acked-by: Vasileios Amoiridis <vassilisamir@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/bme680_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/chemical/bme680_core.c
+++ b/drivers/iio/chemical/bme680_core.c
@@ -550,7 +550,7 @@ static int bme680_wait_for_eoc(struct bm
* + heater duration
*/
int wait_eoc_us = ((data->oversampling_temp + data->oversampling_press +
- data->oversampling_humid) * 1936) + (477 * 4) +
+ data->oversampling_humid) * 1963) + (477 * 4) +
(477 * 5) + 1000 + (data->heater_dur * 1000);
usleep_range(wait_eoc_us, wait_eoc_us + 100);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 256/460] sched_ext: Fix starvation of scx_enable() under fair-class saturation
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 255/460] sched_ext: Disable preemption between scx_claim_exit() and kicking helper work Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 257/460] iomap: reject delalloc mappings during writeback Greg Kroah-Hartman
` (46 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tejun Heo, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
[ Upstream commit b06ccbabe2506fd70b9167a644978b049150224a ]
During scx_enable(), the READY -> ENABLED task switching loop changes the
calling thread's sched_class from fair to ext. Since fair has higher
priority than ext, saturating fair-class workloads can indefinitely starve
the enable thread, hanging the system. This was introduced when the enable
path switched from preempt_disable() to scx_bypass() which doesn't protect
against fair-class starvation. Note that the original preempt_disable()
protection wasn't complete either - in partial switch modes, the calling
thread could still be starved after preempt_enable() as it may have been
switched to ext class.
Fix it by offloading the enable body to a dedicated system-wide RT
(SCHED_FIFO) kthread which cannot be starved by either fair or ext class
tasks. scx_enable() lazily creates the kthread on first use and passes the
ops pointer through a struct scx_enable_cmd containing the kthread_work,
then synchronously waits for completion.
The workfn runs on a different kthread from sch->helper (which runs
disable_work), so it can safely flush disable_work on the error path
without deadlock.
Fixes: 8c2090c504e9 ("sched_ext: Initialize in bypass mode")
Cc: stable@vger.kernel.org # v6.12+
Signed-off-by: Tejun Heo <tj@kernel.org>
[ adapted per-scheduler scx_sched struct references to globals ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 64 ++++++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 54 insertions(+), 10 deletions(-)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -5166,19 +5166,29 @@ static int validate_ops(const struct sch
return 0;
}
-static int scx_ops_enable(struct sched_ext_ops *ops, struct bpf_link *link)
+/*
+ * scx_ops_enable() is offloaded to a dedicated system-wide RT kthread to avoid
+ * starvation. During the READY -> ENABLED task switching loop, the calling
+ * thread's sched_class gets switched from fair to ext. As fair has higher
+ * priority than ext, the calling thread can be indefinitely starved under
+ * fair-class saturation, leading to a system hang.
+ */
+struct scx_enable_cmd {
+ struct kthread_work work;
+ struct sched_ext_ops *ops;
+ int ret;
+};
+
+static void scx_ops_enable_workfn(struct kthread_work *work)
{
+ struct scx_enable_cmd *cmd =
+ container_of(work, struct scx_enable_cmd, work);
+ struct sched_ext_ops *ops = cmd->ops;
struct scx_task_iter sti;
struct task_struct *p;
unsigned long timeout;
int i, cpu, node, ret;
- if (!cpumask_equal(housekeeping_cpumask(HK_TYPE_DOMAIN),
- cpu_possible_mask)) {
- pr_err("sched_ext: Not compatible with \"isolcpus=\" domain isolation\n");
- return -EINVAL;
- }
-
mutex_lock(&scx_ops_enable_mutex);
if (!scx_ops_helper) {
@@ -5445,7 +5455,8 @@ static int scx_ops_enable(struct sched_e
atomic_long_inc(&scx_enable_seq);
- return 0;
+ cmd->ret = 0;
+ return;
err_del:
kobject_del(scx_root_kobj);
@@ -5458,7 +5469,8 @@ err:
}
err_unlock:
mutex_unlock(&scx_ops_enable_mutex);
- return ret;
+ cmd->ret = ret;
+ return;
err_disable_unlock_all:
scx_cgroup_unlock();
@@ -5477,7 +5489,39 @@ err_disable:
*/
scx_ops_error("scx_ops_enable() failed (%d)", ret);
kthread_flush_work(&scx_ops_disable_work);
- return 0;
+ cmd->ret = 0;
+}
+
+static int scx_ops_enable(struct sched_ext_ops *ops, struct bpf_link *link)
+{
+ static struct kthread_worker *helper;
+ static DEFINE_MUTEX(helper_mutex);
+ struct scx_enable_cmd cmd;
+
+ if (!cpumask_equal(housekeeping_cpumask(HK_TYPE_DOMAIN),
+ cpu_possible_mask)) {
+ pr_err("sched_ext: Not compatible with \"isolcpus=\" domain isolation\n");
+ return -EINVAL;
+ }
+
+ if (!READ_ONCE(helper)) {
+ mutex_lock(&helper_mutex);
+ if (!helper) {
+ helper = scx_create_rt_helper("scx_ops_enable_helper");
+ if (!helper) {
+ mutex_unlock(&helper_mutex);
+ return -ENOMEM;
+ }
+ }
+ mutex_unlock(&helper_mutex);
+ }
+
+ kthread_init_work(&cmd.work, scx_ops_enable_workfn);
+ cmd.ops = ops;
+
+ kthread_queue_work(READ_ONCE(helper), &cmd.work);
+ kthread_flush_work(&cmd.work);
+ return cmd.ret;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 332/567] net: ethernet: arc: emac: quiesce interrupts before requesting IRQ
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 331/567] net: ncsi: fix skb leak in error paths Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 333/567] net: dsa: microchip: Fix error path in PTP IRQ setup Greg Kroah-Hartman
` (45 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fan Wu, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fan Wu <fanwu01@zju.edu.cn>
commit 2503d08f8a2de618e5c3a8183b250ff4a2e2d52c upstream.
Normal RX/TX interrupts are enabled later, in arc_emac_open(), so probe
should not see interrupt delivery in the usual case. However, hardware may
still present stale or latched interrupt status left by firmware or the
bootloader.
If probe later unwinds after devm_request_irq() has installed the handler,
such a stale interrupt can still reach arc_emac_intr() during teardown and
race with release of the associated net_device.
Avoid that window by putting the device into a known quiescent state before
requesting the IRQ: disable all EMAC interrupt sources and clear any
pending EMAC interrupt status bits. This keeps the change hardware-focused
and minimal, while preventing spurious IRQ delivery from leftover state.
Fixes: e4f2379db6c6 ("ethernet/arc/arc_emac - Add new driver")
Cc: stable@vger.kernel.org
Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
Link: https://patch.msgid.link/20260309132409.584966-1-fanwu01@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/arc/emac_main.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/net/ethernet/arc/emac_main.c
+++ b/drivers/net/ethernet/arc/emac_main.c
@@ -934,6 +934,17 @@ int arc_emac_probe(struct net_device *nd
/* Set poll rate so that it polls every 1 ms */
arc_reg_set(priv, R_POLLRATE, clock_frequency / 1000000);
+ /*
+ * Put the device into a known quiescent state before requesting
+ * the IRQ. Clear only EMAC interrupt status bits here; leave the
+ * MDIO completion bit alone and avoid writing TXPL_MASK, which is
+ * used to force TX polling rather than acknowledge interrupts.
+ */
+ arc_reg_set(priv, R_ENABLE, 0);
+ arc_reg_set(priv, R_STATUS, RXINT_MASK | TXINT_MASK | ERR_MASK |
+ TXCH_MASK | MSER_MASK | RXCR_MASK |
+ RXFR_MASK | RXFL_MASK);
+
ndev->irq = irq;
dev_info(dev, "IRQ is %d\n", ndev->irq);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 270/481] iio: gyro: mpu3050-core: fix pm_runtime error handling
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 269/481] iio: chemical: bme680: Fix measurement wait duration calculation Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 271/481] iio: gyro: mpu3050-i2c: " Greg Kroah-Hartman
` (45 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, Antoniu Miclaus,
Stable, Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit acc3949aab3e8094641a9c7c2768de1958c88378 upstream.
The return value of pm_runtime_get_sync() is not checked, allowing
the driver to access hardware that may fail to resume. The device
usage count is also unconditionally incremented. Use
pm_runtime_resume_and_get() which propagates errors and avoids
incrementing the usage count on failure.
In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate()
failure since postdisable does not run when preenable fails.
Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope")
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/gyro/mpu3050-core.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
--- a/drivers/iio/gyro/mpu3050-core.c
+++ b/drivers/iio/gyro/mpu3050-core.c
@@ -322,7 +322,9 @@ static int mpu3050_read_raw(struct iio_d
}
case IIO_CHAN_INFO_RAW:
/* Resume device */
- pm_runtime_get_sync(mpu3050->dev);
+ ret = pm_runtime_resume_and_get(mpu3050->dev);
+ if (ret)
+ return ret;
mutex_lock(&mpu3050->lock);
ret = mpu3050_set_8khz_samplerate(mpu3050);
@@ -651,14 +653,20 @@ out_trigger_unlock:
static int mpu3050_buffer_preenable(struct iio_dev *indio_dev)
{
struct mpu3050 *mpu3050 = iio_priv(indio_dev);
+ int ret;
- pm_runtime_get_sync(mpu3050->dev);
+ ret = pm_runtime_resume_and_get(mpu3050->dev);
+ if (ret)
+ return ret;
/* Unless we have OUR trigger active, run at full speed */
- if (!mpu3050->hw_irq_trigger)
- return mpu3050_set_8khz_samplerate(mpu3050);
+ if (!mpu3050->hw_irq_trigger) {
+ ret = mpu3050_set_8khz_samplerate(mpu3050);
+ if (ret)
+ pm_runtime_put_autosuspend(mpu3050->dev);
+ }
- return 0;
+ return ret;
}
static int mpu3050_buffer_postdisable(struct iio_dev *indio_dev)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 257/460] iomap: reject delalloc mappings during writeback
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 256/460] sched_ext: Fix starvation of scx_enable() under fair-class saturation Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 258/460] fgraph: Fix thresh_return clear per-task notrace Greg Kroah-Hartman
` (45 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Carlos Maiolino, Christian Brauner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Darrick J. Wong" <djwong@kernel.org>
[ Upstream commit d320f160aa5ff36cdf83c645cca52b615e866e32 ]
Filesystems should never provide a delayed allocation mapping to
writeback; they're supposed to allocate the space before replying.
This can lead to weird IO errors and crashes in the block layer if the
filesystem is being malicious, or if it hadn't set iomap->dev because
it's a delalloc mapping.
Fix this by failing writeback on delalloc mappings. Currently no
filesystems actually misbehave in this manner, but we ought to be
stricter about things like that.
Cc: stable@vger.kernel.org # v5.5
Fixes: 598ecfbaa742ac ("iomap: lift the xfs writeback code to iomap")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Link: https://patch.msgid.link/20260302173002.GL13829@frogsfrogsfrogs
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
[ iomap_add_to_ioend() => iomap_writepage_map_blocks() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/iomap/buffered-io.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -1879,18 +1879,19 @@ static int iomap_writepage_map_blocks(st
WARN_ON_ONCE(!folio->private && map_len < dirty_len);
switch (wpc->iomap.type) {
- case IOMAP_INLINE:
- WARN_ON_ONCE(1);
- error = -EIO;
- break;
- case IOMAP_HOLE:
- break;
- default:
+ case IOMAP_UNWRITTEN:
+ case IOMAP_MAPPED:
error = iomap_add_to_ioend(wpc, wbc, folio, inode, pos,
end_pos, map_len);
if (!error)
(*count)++;
break;
+ case IOMAP_HOLE:
+ break;
+ default:
+ WARN_ON_ONCE(1);
+ error = -EIO;
+ break;
}
dirty_len -= map_len;
pos += map_len;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 333/567] net: dsa: microchip: Fix error path in PTP IRQ setup
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 332/567] net: ethernet: arc: emac: quiesce interrupts before requesting IRQ Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 334/567] drm/amdgpu: Fix use-after-free race in VM acquire Greg Kroah-Hartman
` (44 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
Bastien Curutchet (Schneider Electric), Simon Horman,
Vladimir Oltean, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
commit 99c8c16a4aad0b37293cae213e15957c573cf79b upstream.
If request_threaded_irq() fails during the PTP message IRQ setup, the
newly created IRQ mapping is never disposed. Indeed, the
ksz_ptp_irq_setup()'s error path only frees the mappings that were
successfully set up.
Dispose the newly created mapping if the associated
request_threaded_irq() fails at setup.
Cc: stable@vger.kernel.org
Fixes: d0b8fec8ae505 ("net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}()")
Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
Link: https://patch.msgid.link/20260309-ksz-ptp-irq-fix-v1-1-757b3b985955@bootlin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/microchip/ksz_ptp.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--- a/drivers/net/dsa/microchip/ksz_ptp.c
+++ b/drivers/net/dsa/microchip/ksz_ptp.c
@@ -1101,6 +1101,7 @@ static int ksz_ptp_msg_irq_setup(struct
const struct ksz_dev_ops *ops = port->ksz_dev->dev_ops;
struct ksz_irq *ptpirq = &port->ptpirq;
struct ksz_ptp_irq *ptpmsg_irq;
+ int ret;
ptpmsg_irq = &port->ptpmsg_irq[n];
ptpmsg_irq->num = irq_create_mapping(ptpirq->domain, n);
@@ -1112,9 +1113,13 @@ static int ksz_ptp_msg_irq_setup(struct
snprintf(ptpmsg_irq->name, sizeof(ptpmsg_irq->name), name[n]);
- return request_threaded_irq(ptpmsg_irq->num, NULL,
- ksz_ptp_msg_thread_fn, IRQF_ONESHOT,
- ptpmsg_irq->name, ptpmsg_irq);
+ ret = request_threaded_irq(ptpmsg_irq->num, NULL,
+ ksz_ptp_msg_thread_fn, IRQF_ONESHOT,
+ ptpmsg_irq->name, ptpmsg_irq);
+ if (ret)
+ irq_dispose_mapping(ptpmsg_irq->num);
+
+ return ret;
}
int ksz_ptp_irq_setup(struct dsa_switch *ds, u8 p)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 271/481] iio: gyro: mpu3050-i2c: fix pm_runtime error handling
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 270/481] iio: gyro: mpu3050-core: fix pm_runtime error handling Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 272/481] iio: imu: inv_icm42600: fix odr switch to the same value Greg Kroah-Hartman
` (44 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Stable,
Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit 91f950b4cbb1aa9ea4eb3999f1463e8044b717fb upstream.
The return value of pm_runtime_get_sync() is not checked, and the
function always returns success. This allows I2C mux operations to
proceed even when the device fails to resume.
Use pm_runtime_resume_and_get() and propagate its return value to
properly handle resume failures.
Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/gyro/mpu3050-i2c.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/iio/gyro/mpu3050-i2c.c
+++ b/drivers/iio/gyro/mpu3050-i2c.c
@@ -19,8 +19,7 @@ static int mpu3050_i2c_bypass_select(str
struct mpu3050 *mpu3050 = i2c_mux_priv(mux);
/* Just power up the device, that is all that is needed */
- pm_runtime_get_sync(mpu3050->dev);
- return 0;
+ return pm_runtime_resume_and_get(mpu3050->dev);
}
static int mpu3050_i2c_bypass_deselect(struct i2c_mux_core *mux, u32 chan_id)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 258/460] fgraph: Fix thresh_return clear per-task notrace
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 257/460] iomap: reject delalloc mappings during writeback Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 259/460] KVM: x86: Co-locate initialization of feature MSRs in kvm_arch_vcpu_create() Greg Kroah-Hartman
` (44 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu (Google),
Shengming Hu, Steven Rostedt (Google), Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengming Hu <hu.shengming@zte.com.cn>
[ Upstream commit 6ca8379b5d36e22b04e6315c3e49a6083377c862 ]
When tracing_thresh is enabled, function graph tracing uses
trace_graph_thresh_return() as the return handler. Unlike
trace_graph_return(), it did not clear the per-task TRACE_GRAPH_NOTRACE
flag set by the entry handler for set_graph_notrace addresses. This could
leave the task permanently in "notrace" state and effectively disable
function graph tracing for that task.
Mirror trace_graph_return()'s per-task notrace handling by clearing
TRACE_GRAPH_NOTRACE and returning early when set.
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260221113007819YgrZsMGABff4Rc-O_fZxL@zte.com.cn
Fixes: b84214890a9bc ("function_graph: Move graph notrace bit to shadow stack global var")
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Shengming Hu <hu.shengming@zte.com.cn>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_functions_graph.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -271,10 +271,12 @@ void trace_graph_return(struct ftrace_gr
static void trace_graph_thresh_return(struct ftrace_graph_ret *trace,
struct fgraph_ops *gops)
{
+ unsigned long *task_var = fgraph_get_task_var(gops);
+
ftrace_graph_addr_finish(gops, trace);
- if (trace_recursion_test(TRACE_GRAPH_NOTRACE_BIT)) {
- trace_recursion_clear(TRACE_GRAPH_NOTRACE_BIT);
+ if (*task_var & TRACE_GRAPH_NOTRACE) {
+ *task_var &= ~TRACE_GRAPH_NOTRACE;
return;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 334/567] drm/amdgpu: Fix use-after-free race in VM acquire
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 333/567] net: dsa: microchip: Fix error path in PTP IRQ setup Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 335/567] drm/amd: Set num IP blocks to 0 if discovery fails Greg Kroah-Hartman
` (43 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harish Kasiviswanathan, Alysa Liu,
Alex Deucher
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alysa Liu <Alysa.Liu@amd.com>
commit 2c1030f2e84885cc58bffef6af67d5b9d2e7098f upstream.
Replace non-atomic vm->process_info assignment with cmpxchg()
to prevent race when parent/child processes sharing a drm_file
both try to acquire the same VM after fork().
Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
Signed-off-by: Alysa Liu <Alysa.Liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
@@ -1351,7 +1351,10 @@ static int init_kfd_vm(struct amdgpu_vm
*ef = dma_fence_get(&info->eviction_fence->base);
}
- vm->process_info = *process_info;
+ if (cmpxchg(&vm->process_info, NULL, *process_info) != NULL) {
+ ret = -EINVAL;
+ goto already_acquired;
+ }
/* Validate page directory and attach eviction fence */
ret = amdgpu_bo_reserve(vm->root.bo, true);
@@ -1389,6 +1392,7 @@ validate_pd_fail:
amdgpu_bo_unreserve(vm->root.bo);
reserve_pd_fail:
vm->process_info = NULL;
+already_acquired:
if (info) {
/* Two fence references: one in info and one in *ef */
dma_fence_put(&info->eviction_fence->base);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 272/481] iio: imu: inv_icm42600: fix odr switch to the same value
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 271/481] iio: gyro: mpu3050-i2c: " Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 273/481] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors Greg Kroah-Hartman
` (43 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean-Baptiste Maneyrol,
Jonathan Cameron
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
commit c9f3a593137d862d424130343e77d4b5260a4f5a upstream.
ODR switch is done in 2 steps when FIFO is on : change the ODR register
value and acknowledge change when reading the FIFO ODR change flag.
When we are switching to the same odr value, we end up waiting for a
FIFO ODR flag that is never happening.
Fix the issue by doing nothing and exiting properly when we are
switching to the same ODR value.
Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 2 ++
drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 2 ++
2 files changed, 4 insertions(+)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
@@ -322,6 +322,8 @@ static int inv_icm42600_accel_write_odr(
return -EINVAL;
conf.odr = inv_icm42600_accel_odr_conv[idx / 2];
+ if (conf.odr == st->conf.accel.odr)
+ return 0;
pm_runtime_get_sync(dev);
mutex_lock(&st->lock);
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
@@ -334,6 +334,8 @@ static int inv_icm42600_gyro_write_odr(s
return -EINVAL;
conf.odr = inv_icm42600_gyro_odr_conv[idx / 2];
+ if (conf.odr == st->conf.gyro.odr)
+ return 0;
pm_runtime_get_sync(dev);
mutex_lock(&st->lock);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 259/460] KVM: x86: Co-locate initialization of feature MSRs in kvm_arch_vcpu_create()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 258/460] fgraph: Fix thresh_return clear per-task notrace Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 260/460] KVM: x86: Quirk initialization of feature MSRs to KVMs max configuration Greg Kroah-Hartman
` (43 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit 2142ac663a6a72ac868d0768681b1355e3a703eb ]
Bunch all of the feature MSR initialization in kvm_arch_vcpu_create() so
that it can be easily quirked in a future patch.
No functional change intended.
Link: https://lore.kernel.org/r/20240802185511.305849-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Stable-dep-of: e2ffe85b6d2b ("KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/x86.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -12383,6 +12383,8 @@ int kvm_arch_vcpu_create(struct kvm_vcpu
kvm_async_pf_hash_reset(vcpu);
+ vcpu->arch.arch_capabilities = kvm_get_arch_capabilities();
+ vcpu->arch.msr_platform_info = MSR_PLATFORM_INFO_CPUID_FAULT;
vcpu->arch.perf_capabilities = kvm_caps.supported_perf_cap;
kvm_pmu_init(vcpu);
@@ -12397,8 +12399,6 @@ int kvm_arch_vcpu_create(struct kvm_vcpu
if (r)
goto free_guest_fpu;
- vcpu->arch.arch_capabilities = kvm_get_arch_capabilities();
- vcpu->arch.msr_platform_info = MSR_PLATFORM_INFO_CPUID_FAULT;
kvm_xen_init_vcpu(vcpu);
vcpu_load(vcpu);
kvm_set_tsc_khz(vcpu, vcpu->kvm->arch.default_tsc_khz);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 335/567] drm/amd: Set num IP blocks to 0 if discovery fails
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 334/567] drm/amdgpu: Fix use-after-free race in VM acquire Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 336/567] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding Greg Kroah-Hartman
` (42 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lijo Lazar, Mario Limonciello,
Alex Deucher
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 3646ff28780b4c52c5b5081443199e7a430110e5 upstream.
If discovery has failed for any reason (such as no support for a block)
then there is no need to unwind all the IP blocks in fini. In this
condition there can actually be failures during the unwind too.
Reset num_ip_blocks to zero during failure path and skip the unnecessary
cleanup path.
Suggested-by: Lijo Lazar <lijo.lazar@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit fae5984296b981c8cc3acca35b701c1f332a6cd8)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 +++-
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -2096,8 +2096,10 @@ static int amdgpu_device_ip_early_init(s
break;
default:
r = amdgpu_discovery_set_ip_blocks(adev);
- if (r)
+ if (r) {
+ adev->num_ip_blocks = 0;
return r;
+ }
break;
}
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
@@ -82,7 +82,7 @@ void amdgpu_driver_unload_kms(struct drm
{
struct amdgpu_device *adev = drm_to_adev(dev);
- if (adev == NULL)
+ if (adev == NULL || !adev->num_ip_blocks)
return;
amdgpu_unregister_gpu_instance(adev);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 273/481] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 272/481] iio: imu: inv_icm42600: fix odr switch to the same value Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 274/481] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort Greg Kroah-Hartman
` (42 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit 4167b8914463132654e01e16259847d097f8a7f7 upstream.
The MIPI I3C HCI driver currently returns -ETIME for various timeout
conditions, while other I3C master drivers consistently use -ETIMEDOUT
for the same class of errors. Align the HCI driver with the rest of the
subsystem by replacing all uses of -ETIME with -ETIMEDOUT.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-2-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/cmd_v1.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/cmd_v2.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/core.c | 6 +++---
3 files changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/i3c/master/mipi-i3c-hci/cmd_v1.c
+++ b/drivers/i3c/master/mipi-i3c-hci/cmd_v1.c
@@ -335,7 +335,7 @@ static int hci_cmd_v1_daa(struct i3c_hci
hci->io->queue_xfer(hci, xfer, 1);
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, 1)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
break;
}
if (RESP_STATUS(xfer[0].response) == RESP_ERR_NACK &&
--- a/drivers/i3c/master/mipi-i3c-hci/cmd_v2.c
+++ b/drivers/i3c/master/mipi-i3c-hci/cmd_v2.c
@@ -277,7 +277,7 @@ static int hci_cmd_v2_daa(struct i3c_hci
hci->io->queue_xfer(hci, xfer, 2);
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, 2)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
break;
}
if (RESP_STATUS(xfer[0].response) != RESP_SUCCESS) {
--- a/drivers/i3c/master/mipi-i3c-hci/core.c
+++ b/drivers/i3c/master/mipi-i3c-hci/core.c
@@ -237,7 +237,7 @@ static int i3c_hci_send_ccc_cmd(struct i
goto out;
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, nxfers)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
goto out;
}
for (i = prefixed; i < nxfers; i++) {
@@ -311,7 +311,7 @@ static int i3c_hci_priv_xfers(struct i3c
goto out;
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, nxfers)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
goto out;
}
for (i = 0; i < nxfers; i++) {
@@ -359,7 +359,7 @@ static int i3c_hci_i2c_xfers(struct i2c_
goto out;
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, nxfers)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
goto out;
}
for (i = 0; i < nxfers; i++) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 260/460] KVM: x86: Quirk initialization of feature MSRs to KVMs max configuration
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 259/460] KVM: x86: Co-locate initialization of feature MSRs in kvm_arch_vcpu_create() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 261/460] KVM: x86: do not allow re-enabling quirks Greg Kroah-Hartman
` (42 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
[ Upstream commit dcb988cdac85bad177de86fbf409524eda4f9467 ]
Add a quirk to control KVM's misguided initialization of select feature
MSRs to KVM's max configuration, as enabling features by default violates
KVM's approach of letting userspace own the vCPU model, and is actively
problematic for MSRs that are conditionally supported, as the vCPU will
end up with an MSR value that userspace can't restore. E.g. if the vCPU
is configured with PDCM=0, userspace will save and attempt to restore a
non-zero PERF_CAPABILITIES, thanks to KVM's meddling.
Link: https://lore.kernel.org/r/20240802185511.305849-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Stable-dep-of: e2ffe85b6d2b ("KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/virt/kvm/api.rst | 22 ++++++++++++++++++++++
arch/x86/include/asm/kvm_host.h | 3 ++-
arch/x86/include/uapi/asm/kvm.h | 1 +
arch/x86/kvm/svm/svm.c | 4 +++-
arch/x86/kvm/vmx/vmx.c | 9 ++++++---
arch/x86/kvm/x86.c | 8 +++++---
6 files changed, 39 insertions(+), 8 deletions(-)
--- a/Documentation/virt/kvm/api.rst
+++ b/Documentation/virt/kvm/api.rst
@@ -8107,6 +8107,28 @@ KVM_X86_QUIRK_SLOT_ZAP_ALL By d
or moved memslot isn't reachable, i.e KVM
_may_ invalidate only SPTEs related to the
memslot.
+
+KVM_X86_QUIRK_STUFF_FEATURE_MSRS By default, at vCPU creation, KVM sets the
+ vCPU's MSR_IA32_PERF_CAPABILITIES (0x345),
+ MSR_IA32_ARCH_CAPABILITIES (0x10a),
+ MSR_PLATFORM_INFO (0xce), and all VMX MSRs
+ (0x480..0x492) to the maximal capabilities
+ supported by KVM. KVM also sets
+ MSR_IA32_UCODE_REV (0x8b) to an arbitrary
+ value (which is different for Intel vs.
+ AMD). Lastly, when guest CPUID is set (by
+ userspace), KVM modifies select VMX MSR
+ fields to force consistency between guest
+ CPUID and L2's effective ISA. When this
+ quirk is disabled, KVM zeroes the vCPU's MSR
+ values (with two exceptions, see below),
+ i.e. treats the feature MSRs like CPUID
+ leaves and gives userspace full control of
+ the vCPU model definition. This quirk does
+ not affect VMX MSRs CR0/CR4_FIXED1 (0x487
+ and 0x489), as KVM does now allow them to
+ be set by userspace (KVM sets them based on
+ guest CPUID, for safety purposes).
=================================== ============================================
7.32 KVM_CAP_MAX_VCPU_ID
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -2385,7 +2385,8 @@ int memslot_rmap_alloc(struct kvm_memory
KVM_X86_QUIRK_MISC_ENABLE_NO_MWAIT | \
KVM_X86_QUIRK_FIX_HYPERCALL_INSN | \
KVM_X86_QUIRK_MWAIT_NEVER_UD_FAULTS | \
- KVM_X86_QUIRK_SLOT_ZAP_ALL)
+ KVM_X86_QUIRK_SLOT_ZAP_ALL | \
+ KVM_X86_QUIRK_STUFF_FEATURE_MSRS)
/*
* KVM previously used a u32 field in kvm_run to indicate the hypercall was
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -440,6 +440,7 @@ struct kvm_sync_regs {
#define KVM_X86_QUIRK_FIX_HYPERCALL_INSN (1 << 5)
#define KVM_X86_QUIRK_MWAIT_NEVER_UD_FAULTS (1 << 6)
#define KVM_X86_QUIRK_SLOT_ZAP_ALL (1 << 7)
+#define KVM_X86_QUIRK_STUFF_FEATURE_MSRS (1 << 8)
#define KVM_STATE_NESTED_FORMAT_VMX 0
#define KVM_STATE_NESTED_FORMAT_SVM 1
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -1389,7 +1389,9 @@ static void __svm_vcpu_reset(struct kvm_
svm_vcpu_init_msrpm(vcpu, svm->msrpm);
svm_init_osvw(vcpu);
- vcpu->arch.microcode_version = 0x01000065;
+
+ if (kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_STUFF_FEATURE_MSRS))
+ vcpu->arch.microcode_version = 0x01000065;
svm->tsc_ratio_msr = kvm_caps.default_tsc_scaling_ratio;
svm->nmi_masked = false;
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -4562,7 +4562,8 @@ vmx_adjust_secondary_exec_control(struct
* Update the nested MSR settings so that a nested VMM can/can't set
* controls for features that are/aren't exposed to the guest.
*/
- if (nested) {
+ if (nested &&
+ kvm_check_has_quirk(vmx->vcpu.kvm, KVM_X86_QUIRK_STUFF_FEATURE_MSRS)) {
/*
* All features that can be added or removed to VMX MSRs must
* be supported in the first place for nested virtualization.
@@ -4853,7 +4854,8 @@ static void __vmx_vcpu_reset(struct kvm_
init_vmcs(vmx);
- if (nested)
+ if (nested &&
+ kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_STUFF_FEATURE_MSRS))
memcpy(&vmx->nested.msrs, &vmcs_config.nested, sizeof(vmx->nested.msrs));
vcpu_setup_sgx_lepubkeyhash(vcpu);
@@ -4866,7 +4868,8 @@ static void __vmx_vcpu_reset(struct kvm_
vmx->nested.hv_evmcs_vmptr = EVMPTR_INVALID;
#endif
- vcpu->arch.microcode_version = 0x100000000ULL;
+ if (kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_STUFF_FEATURE_MSRS))
+ vcpu->arch.microcode_version = 0x100000000ULL;
vmx->msr_ia32_feature_control_valid_bits = FEAT_CTL_LOCKED;
/*
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -12383,9 +12383,11 @@ int kvm_arch_vcpu_create(struct kvm_vcpu
kvm_async_pf_hash_reset(vcpu);
- vcpu->arch.arch_capabilities = kvm_get_arch_capabilities();
- vcpu->arch.msr_platform_info = MSR_PLATFORM_INFO_CPUID_FAULT;
- vcpu->arch.perf_capabilities = kvm_caps.supported_perf_cap;
+ if (kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_STUFF_FEATURE_MSRS)) {
+ vcpu->arch.arch_capabilities = kvm_get_arch_capabilities();
+ vcpu->arch.msr_platform_info = MSR_PLATFORM_INFO_CPUID_FAULT;
+ vcpu->arch.perf_capabilities = kvm_caps.supported_perf_cap;
+ }
kvm_pmu_init(vcpu);
vcpu->arch.pending_external_vector = -1;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 336/567] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 335/567] drm/amd: Set num IP blocks to 0 if discovery fails Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 337/567] drm/i915: Fix potential overflow of shmem scatterlist length Greg Kroah-Hartman
` (41 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Luca Ceresoli
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
commit 2f22702dc0fee06a240404e0f7ead5b789b253d8 upstream.
The DSI frequency must be in the range:
(CHA_DSI_CLK_RANGE * 5 MHz) <= DSI freq < ((CHA_DSI_CLK_RANGE + 1) * 5 MHz)
So the register value should point to the lower range value, but
DIV_ROUND_UP() rounds the division to the higher range value, resulting in
an excess of 1 (unless the frequency is an exact multiple of 5 MHz).
For example for a 437100000 MHz clock CHA_DSI_CLK_RANGE should be 87 (0x57):
(87 * 5 = 435) <= 437.1 < (88 * 5 = 440)
but current code returns 88 (0x58).
Fix the computation by removing the DIV_ROUND_UP().
Fixes: ceb515ba29ba ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver")
Cc: stable@vger.kernel.org
Reviewed-by: Marek Vasut <marek.vasut@mailbox.org>
Link: https://patch.msgid.link/20260226-ti-sn65dsi83-dual-lvds-fixes-and-test-pattern-v1-1-2e15f5a9a6a0@bootlin.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/ti-sn65dsi83.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
@@ -303,9 +303,9 @@ static u8 sn65dsi83_get_dsi_range(struct
* DSI_CLK = mode clock * bpp / dsi_data_lanes / 2
* the 2 is there because the bus is DDR.
*/
- return DIV_ROUND_UP(clamp((unsigned int)mode->clock *
- mipi_dsi_pixel_format_to_bpp(ctx->dsi->format) /
- ctx->dsi->lanes / 2, 40000U, 500000U), 5000U);
+ return clamp((unsigned int)mode->clock *
+ mipi_dsi_pixel_format_to_bpp(ctx->dsi->format) /
+ ctx->dsi->lanes / 2, 40000U, 500000U) / 5000U;
}
static u8 sn65dsi83_get_dsi_div(struct sn65dsi83 *ctx)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 274/481] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 273/481] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 275/481] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor Greg Kroah-Hartman
` (41 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit b6d586431ae20d5157ee468d0ef62ad26798ef13 upstream.
The DMA dequeue path attempts to restart the ring after aborting an
in-flight transfer, but the current sequence is incomplete. The controller
must be brought out of the aborted state and the ring control registers
must be programmed in the correct order: first clearing ABORT, then
re-enabling the ring and asserting RUN_STOP to resume operation.
Add the missing controller resume step and update the ring control writes
so that the ring is restarted using the proper sequence.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-11-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/dma.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -491,7 +491,9 @@ static bool hci_dma_dequeue_xfer(struct
}
/* restart the ring */
+ mipi_i3c_hci_resume(hci);
rh_reg_write(RING_CONTROL, RING_CTRL_ENABLE);
+ rh_reg_write(RING_CONTROL, RING_CTRL_ENABLE | RING_CTRL_RUN_STOP);
return did_unqueue;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 261/460] KVM: x86: do not allow re-enabling quirks
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 260/460] KVM: x86: Quirk initialization of feature MSRs to KVMs max configuration Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 262/460] KVM: x86: Allow vendor code to disable quirks Greg Kroah-Hartman
` (41 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paolo Bonzini, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
[ Upstream commit 9966b7822b3f49b3aea5d926ece4bc92f1f0a700 ]
Allowing arbitrary re-enabling of quirks puts a limit on what the
quirks themselves can do, since you cannot assume that the quirk
prevents a particular state. More important, it also prevents
KVM from disabling a quirk at VM creation time, because userspace
can always go back and re-enable that.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Stable-dep-of: e2ffe85b6d2b ("KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/x86.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6538,7 +6538,7 @@ int kvm_vm_ioctl_enable_cap(struct kvm *
break;
fallthrough;
case KVM_CAP_DISABLE_QUIRKS:
- kvm->arch.disabled_quirks = cap->args[0];
+ kvm->arch.disabled_quirks |= cap->args[0];
r = 0;
break;
case KVM_CAP_SPLIT_IRQCHIP: {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 337/567] drm/i915: Fix potential overflow of shmem scatterlist length
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 336/567] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 338/567] tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G Greg Kroah-Hartman
` (40 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Andrew Morton, Janusz Krzysztofik, Andi Shyti, Tvrtko Ursulin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
commit 029ae067431ab9d0fca479bdabe780fa436706ea upstream.
When a scatterlists table of a GEM shmem object of size 4 GB or more is
populated with pages allocated from a folio, unsigned int .length
attribute of a scatterlist may get overflowed if total byte length of
pages allocated to that single scatterlist happens to reach or cross the
4GB limit. As a consequence, users of the object may suffer from hitting
unexpected, premature end of the object's backing pages.
[278.780187] ------------[ cut here ]------------
[278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg+0x199/0x1d0 [i915]
...
[278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gem_mmap_offset Tainted: G S U 6.17.0-rc1-CI_DRM_16981-ged823aaa0607+ #1 PREEMPT(voluntary)
[278.780656] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
[278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024
[278.780659] RIP: 0010:remap_sg+0x199/0x1d0 [i915]
...
[278.780786] Call Trace:
[278.780787] <TASK>
[278.780788] ? __apply_to_page_range+0x3e6/0x910
[278.780795] ? __pfx_remap_sg+0x10/0x10 [i915]
[278.780906] apply_to_page_range+0x14/0x30
[278.780908] remap_io_sg+0x14d/0x260 [i915]
[278.781013] vm_fault_cpu+0xd2/0x330 [i915]
[278.781137] __do_fault+0x3a/0x1b0
[278.781140] do_fault+0x322/0x640
[278.781143] __handle_mm_fault+0x938/0xfd0
[278.781150] handle_mm_fault+0x12c/0x300
[278.781152] ? lock_mm_and_find_vma+0x4b/0x760
[278.781155] do_user_addr_fault+0x2d6/0x8e0
[278.781160] exc_page_fault+0x96/0x2c0
[278.781165] asm_exc_page_fault+0x27/0x30
...
That issue was apprehended by the author of a change that introduced it,
and potential risk even annotated with a comment, but then never addressed.
When adding folio pages to a scatterlist table, take care of byte length
of any single scatterlist not exceeding max_segment.
Fixes: 0b62af28f249b ("i915: convert shmem_sg_free_table() to use a folio_batch")
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14809
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org # v6.5+
Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Link: https://lore.kernel.org/r/20260224094944.2447913-2-janusz.krzysztofik@linux.intel.com
(cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c
@@ -151,8 +151,12 @@ int shmem_sg_alloc_table(struct drm_i915
}
} while (1);
- nr_pages = min_t(unsigned long,
- folio_nr_pages(folio), page_count - i);
+ nr_pages = min_array(((unsigned long[]) {
+ folio_nr_pages(folio),
+ page_count - i,
+ max_segment / PAGE_SIZE,
+ }), 3);
+
if (!i ||
sg->length >= max_segment ||
folio_pfn(folio) != next_pfn) {
@@ -162,7 +166,9 @@ int shmem_sg_alloc_table(struct drm_i915
st->nents++;
sg_set_folio(sg, folio, nr_pages * PAGE_SIZE, 0);
} else {
- /* XXX: could overflow? */
+ nr_pages = min_t(unsigned long, nr_pages,
+ (max_segment - sg->length) / PAGE_SIZE);
+
sg->length += nr_pages * PAGE_SIZE;
}
next_pfn = folio_pfn(folio) + nr_pages;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 275/481] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 274/481] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 276/481] drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD Greg Kroah-Hartman
` (40 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit ec3cfd835f7c4bbd23bc9ad909d2fdc772a578bb upstream.
The internal control command descriptor used for no-op commands includes a
Transaction ID (TID) field, but the no-op command constructed in
hci_dma_dequeue_xfer() omitted it. As a result, the hardware receives a
no-op descriptor without the expected TID.
This bug has gone unnoticed because the TID is currently not validated in
the no-op completion path, but the descriptor format requires it to be
present.
Add the missing TID field when generating a no-op descriptor so that its
layout matches the defined command structure.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-10-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/cmd.h | 1 +
drivers/i3c/master/mipi-i3c-hci/dma.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/i3c/master/mipi-i3c-hci/cmd.h
+++ b/drivers/i3c/master/mipi-i3c-hci/cmd.h
@@ -17,6 +17,7 @@
#define CMD_0_TOC W0_BIT_(31)
#define CMD_0_ROC W0_BIT_(30)
#define CMD_0_ATTR W0_MASK(2, 0)
+#define CMD_0_TID W0_MASK(6, 3)
/*
* Response Descriptor Structure
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -473,7 +473,7 @@ static bool hci_dma_dequeue_xfer(struct
u32 *ring_data = rh->xfer + rh->xfer_struct_sz * idx;
/* store no-op cmd descriptor */
- *ring_data++ = FIELD_PREP(CMD_0_ATTR, 0x7);
+ *ring_data++ = FIELD_PREP(CMD_0_ATTR, 0x7) | FIELD_PREP(CMD_0_TID, xfer->cmd_tid);
*ring_data++ = 0;
if (hci->cmd == &mipi_i3c_hci_cmd_v2) {
*ring_data++ = 0;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 262/460] KVM: x86: Allow vendor code to disable quirks
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 261/460] KVM: x86: do not allow re-enabling quirks Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 263/460] KVM: x86: Introduce supported_quirks to block disabling quirks Greg Kroah-Hartman
` (40 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paolo Bonzini, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
[ Upstream commit a4dae7c7a41d803a05192015b2d47aca8aca4abf ]
In some cases, the handling of quirks is split between platform-specific
code and generic code, or it is done entirely in generic code, but the
relevant bug does not trigger on some platforms; for example,
this will be the case for "ignore guest PAT". Allow unaffected vendor
modules to disable handling of a quirk for all VMs via a new entry in
kvm_caps.
Such quirks remain available in KVM_CAP_DISABLE_QUIRKS2, because that API
tells userspace that KVM *knows* that some of its past behavior was bogus
or just undesirable. In other words, it's plausible for userspace to
refuse to run if a quirk is not listed by KVM_CAP_DISABLE_QUIRKS2, so
preserve that and make it part of the API.
As an example, mark KVM_X86_QUIRK_CD_NW_CLEARED as auto-disabled on
Intel systems.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Stable-dep-of: e2ffe85b6d2b ("KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/kvm_host.h | 3 +++
arch/x86/kvm/svm/svm.c | 1 +
arch/x86/kvm/x86.c | 2 ++
arch/x86/kvm/x86.h | 1 +
4 files changed, 7 insertions(+)
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -2388,6 +2388,9 @@ int memslot_rmap_alloc(struct kvm_memory
KVM_X86_QUIRK_SLOT_ZAP_ALL | \
KVM_X86_QUIRK_STUFF_FEATURE_MSRS)
+#define KVM_X86_CONDITIONAL_QUIRKS \
+ KVM_X86_QUIRK_CD_NW_CLEARED
+
/*
* KVM previously used a u32 field in kvm_run to indicate the hypercall was
* initiated from long mode. KVM now sets bit 0 to indicate long mode, but the
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -5563,6 +5563,7 @@ static __init int svm_hardware_setup(voi
*/
allow_smaller_maxphyaddr = !npt_enabled;
+ kvm_caps.inapplicable_quirks &= ~KVM_X86_QUIRK_CD_NW_CLEARED;
return 0;
err:
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -9782,6 +9782,7 @@ int kvm_x86_vendor_init(struct kvm_x86_i
kvm_host.xcr0 = xgetbv(XCR_XFEATURE_ENABLED_MASK);
kvm_caps.supported_xcr0 = kvm_host.xcr0 & KVM_SUPPORTED_XCR0;
}
+ kvm_caps.inapplicable_quirks = KVM_X86_CONDITIONAL_QUIRKS;
rdmsrl_safe(MSR_EFER, &kvm_host.efer);
@@ -12780,6 +12781,7 @@ int kvm_arch_init_vm(struct kvm *kvm, un
/* Decided by the vendor code for other VM types. */
kvm->arch.pre_fault_allowed =
type == KVM_X86_DEFAULT_VM || type == KVM_X86_SW_PROTECTED_VM;
+ kvm->arch.disabled_quirks = kvm_caps.inapplicable_quirks;
ret = kvm_page_track_init(kvm);
if (ret)
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -32,6 +32,7 @@ struct kvm_caps {
u64 supported_xcr0;
u64 supported_xss;
u64 supported_perf_cap;
+ u64 inapplicable_quirks;
};
struct kvm_host_values {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 338/567] tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 337/567] drm/i915: Fix potential overflow of shmem scatterlist length Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 339/567] cifs: make default value of retrans as zero Greg Kroah-Hartman
` (39 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Calvin Owens, Steven Rostedt (Google)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Calvin Owens <calvin@wbinvd.org>
commit d008ba8be8984760e36d7dcd4adbd5a41a645708 upstream.
Some of the sizing logic through tracer_alloc_buffers() uses int
internally, causing unexpected behavior if the user passes a value that
does not fit in an int (on my x86 machine, the result is uselessly tiny
buffers).
Fix by plumbing the parameter's real type (unsigned long) through to the
ring buffer allocation functions, which already use unsigned long.
It has always been possible to create larger ring buffers via the sysfs
interface: this only affects the cmdline parameter.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/bff42a4288aada08bdf74da3f5b67a2c28b761f8.1772852067.git.calvin@wbinvd.org
Fixes: 73c5162aa362 ("tracing: keep ring buffer to minimum size till used")
Signed-off-by: Calvin Owens <calvin@wbinvd.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -9271,7 +9271,7 @@ static void
init_tracer_tracefs(struct trace_array *tr, struct dentry *d_tracer);
static int
-allocate_trace_buffer(struct trace_array *tr, struct array_buffer *buf, int size)
+allocate_trace_buffer(struct trace_array *tr, struct array_buffer *buf, unsigned long size)
{
enum ring_buffer_flags rb_flags;
@@ -9307,7 +9307,7 @@ static void free_trace_buffer(struct arr
}
}
-static int allocate_trace_buffers(struct trace_array *tr, int size)
+static int allocate_trace_buffers(struct trace_array *tr, unsigned long size)
{
int ret;
@@ -10330,7 +10330,7 @@ __init static void enable_instances(void
__init static int tracer_alloc_buffers(void)
{
- int ring_buf_size;
+ unsigned long ring_buf_size;
int ret = -ENOMEM;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 276/481] drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 275/481] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 277/481] ipv6: use RCU in ip6_xmit() Greg Kroah-Hartman
` (39 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John Ripple, Douglas Anderson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Ripple <john.ripple@keysight.com>
commit 9133bc3f0564890218cbba6cc7e81ebc0841a6f1 upstream.
Add support for DisplayPort to the bridge, which entails the following:
- Get and use an interrupt for HPD;
- Properly clear all status bits in the interrupt handler;
Signed-off-by: John Ripple <john.ripple@keysight.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://lore.kernel.org/r/20250915174543.2564994-1-john.ripple@keysight.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 112 ++++++++++++++++++++++++++++++++++
1 file changed, 112 insertions(+)
--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
@@ -106,10 +106,21 @@
#define SN_PWM_EN_INV_REG 0xA5
#define SN_PWM_INV_MASK BIT(0)
#define SN_PWM_EN_MASK BIT(1)
+
+#define SN_IRQ_EN_REG 0xE0
+#define IRQ_EN BIT(0)
+
+#define SN_IRQ_EVENTS_EN_REG 0xE6
+#define HPD_INSERTION_EN BIT(1)
+#define HPD_REMOVAL_EN BIT(2)
+
#define SN_AUX_CMD_STATUS_REG 0xF4
#define AUX_IRQ_STATUS_AUX_RPLY_TOUT BIT(3)
#define AUX_IRQ_STATUS_AUX_SHORT BIT(5)
#define AUX_IRQ_STATUS_NAT_I2C_FAIL BIT(6)
+#define SN_IRQ_STATUS_REG 0xF5
+#define HPD_REMOVAL_STATUS BIT(2)
+#define HPD_INSERTION_STATUS BIT(1)
#define MIN_DSI_CLK_FREQ_MHZ 40
@@ -152,7 +163,9 @@
* @ln_assign: Value to program to the LN_ASSIGN register.
* @ln_polrs: Value for the 4-bit LN_POLRS field of SN_ENH_FRAME_REG.
* @comms_enabled: If true then communication over the aux channel is enabled.
+ * @hpd_enabled: If true then HPD events are enabled.
* @comms_mutex: Protects modification of comms_enabled.
+ * @hpd_mutex: Protects modification of hpd_enabled.
*
* @gchip: If we expose our GPIOs, this is used.
* @gchip_output: A cache of whether we've set GPIOs to output. This
@@ -190,7 +203,9 @@ struct ti_sn65dsi86 {
u8 ln_assign;
u8 ln_polrs;
bool comms_enabled;
+ bool hpd_enabled;
struct mutex comms_mutex;
+ struct mutex hpd_mutex;
#if defined(CONFIG_OF_GPIO)
struct gpio_chip gchip;
@@ -221,6 +236,23 @@ static const struct regmap_config ti_sn6
.max_register = 0xFF,
};
+static int ti_sn65dsi86_read_u8(struct ti_sn65dsi86 *pdata, unsigned int reg,
+ u8 *val)
+{
+ int ret;
+ unsigned int reg_val;
+
+ ret = regmap_read(pdata->regmap, reg, ®_val);
+ if (ret) {
+ dev_err(pdata->dev, "fail to read raw reg %#x: %d\n",
+ reg, ret);
+ return ret;
+ }
+ *val = (u8)reg_val;
+
+ return 0;
+}
+
static int __maybe_unused ti_sn65dsi86_read_u16(struct ti_sn65dsi86 *pdata,
unsigned int reg, u16 *val)
{
@@ -362,6 +394,7 @@ static void ti_sn65dsi86_disable_comms(s
static int __maybe_unused ti_sn65dsi86_resume(struct device *dev)
{
struct ti_sn65dsi86 *pdata = dev_get_drvdata(dev);
+ const struct i2c_client *client = to_i2c_client(pdata->dev);
int ret;
ret = regulator_bulk_enable(SN_REGULATOR_SUPPLY_NUM, pdata->supplies);
@@ -396,6 +429,13 @@ static int __maybe_unused ti_sn65dsi86_r
if (pdata->refclk)
ti_sn65dsi86_enable_comms(pdata);
+ if (client->irq) {
+ ret = regmap_update_bits(pdata->regmap, SN_IRQ_EN_REG, IRQ_EN,
+ IRQ_EN);
+ if (ret)
+ dev_err(pdata->dev, "Failed to enable IRQ events: %d\n", ret);
+ }
+
return ret;
}
@@ -1204,6 +1244,8 @@ static void ti_sn65dsi86_debugfs_init(st
static void ti_sn_bridge_hpd_enable(struct drm_bridge *bridge)
{
struct ti_sn65dsi86 *pdata = bridge_to_ti_sn65dsi86(bridge);
+ const struct i2c_client *client = to_i2c_client(pdata->dev);
+ int ret;
/*
* Device needs to be powered on before reading the HPD state
@@ -1212,11 +1254,35 @@ static void ti_sn_bridge_hpd_enable(stru
*/
pm_runtime_get_sync(pdata->dev);
+
+ mutex_lock(&pdata->hpd_mutex);
+ pdata->hpd_enabled = true;
+ mutex_unlock(&pdata->hpd_mutex);
+
+ if (client->irq) {
+ ret = regmap_set_bits(pdata->regmap, SN_IRQ_EVENTS_EN_REG,
+ HPD_REMOVAL_EN | HPD_INSERTION_EN);
+ if (ret)
+ dev_err(pdata->dev, "Failed to enable HPD events: %d\n", ret);
+ }
}
static void ti_sn_bridge_hpd_disable(struct drm_bridge *bridge)
{
struct ti_sn65dsi86 *pdata = bridge_to_ti_sn65dsi86(bridge);
+ const struct i2c_client *client = to_i2c_client(pdata->dev);
+ int ret;
+
+ if (client->irq) {
+ ret = regmap_clear_bits(pdata->regmap, SN_IRQ_EVENTS_EN_REG,
+ HPD_REMOVAL_EN | HPD_INSERTION_EN);
+ if (ret)
+ dev_err(pdata->dev, "Failed to disable HPD events: %d\n", ret);
+ }
+
+ mutex_lock(&pdata->hpd_mutex);
+ pdata->hpd_enabled = false;
+ mutex_unlock(&pdata->hpd_mutex);
pm_runtime_put_autosuspend(pdata->dev);
}
@@ -1302,6 +1368,41 @@ static int ti_sn_bridge_parse_dsi_host(s
return 0;
}
+static irqreturn_t ti_sn_bridge_interrupt(int irq, void *private)
+{
+ struct ti_sn65dsi86 *pdata = private;
+ struct drm_device *dev = pdata->bridge.dev;
+ u8 status;
+ int ret;
+ bool hpd_event;
+
+ ret = ti_sn65dsi86_read_u8(pdata, SN_IRQ_STATUS_REG, &status);
+ if (ret) {
+ dev_err(pdata->dev, "Failed to read IRQ status: %d\n", ret);
+ return IRQ_NONE;
+ }
+
+ hpd_event = status & (HPD_REMOVAL_STATUS | HPD_INSERTION_STATUS);
+
+ dev_dbg(pdata->dev, "(SN_IRQ_STATUS_REG = %#x)\n", status);
+ if (!status)
+ return IRQ_NONE;
+
+ ret = regmap_write(pdata->regmap, SN_IRQ_STATUS_REG, status);
+ if (ret) {
+ dev_err(pdata->dev, "Failed to clear IRQ status: %d\n", ret);
+ return IRQ_NONE;
+ }
+
+ /* Only send the HPD event if we are bound with a device. */
+ mutex_lock(&pdata->hpd_mutex);
+ if (pdata->hpd_enabled && hpd_event)
+ drm_kms_helper_hotplug_event(dev);
+ mutex_unlock(&pdata->hpd_mutex);
+
+ return IRQ_HANDLED;
+}
+
static int ti_sn_bridge_probe(struct auxiliary_device *adev,
const struct auxiliary_device_id *id)
{
@@ -1933,6 +2034,7 @@ static int ti_sn65dsi86_probe(struct i2c
dev_set_drvdata(dev, pdata);
pdata->dev = dev;
+ mutex_init(&pdata->hpd_mutex);
mutex_init(&pdata->comms_mutex);
pdata->regmap = devm_regmap_init_i2c(client,
@@ -1963,6 +2065,16 @@ static int ti_sn65dsi86_probe(struct i2c
if (ret)
return ret;
+ if (client->irq) {
+ ret = devm_request_threaded_irq(pdata->dev, client->irq, NULL,
+ ti_sn_bridge_interrupt,
+ IRQF_ONESHOT,
+ dev_name(pdata->dev), pdata);
+
+ if (ret)
+ return dev_err_probe(dev, ret, "failed to request interrupt\n");
+ }
+
/*
* Break ourselves up into a collection of aux devices. The only real
* motiviation here is to solve the chicken-and-egg problem of probe
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 263/460] KVM: x86: Introduce supported_quirks to block disabling quirks
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 262/460] KVM: x86: Allow vendor code to disable quirks Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 264/460] KVM: x86: Introduce Intel specific quirk KVM_X86_QUIRK_IGNORE_GUEST_PAT Greg Kroah-Hartman
` (39 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yan Zhao, Paolo Bonzini, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yan Zhao <yan.y.zhao@intel.com>
[ Upstream commit bd7d5362b4c4ac8b951385867a0fadfae0ba3c07 ]
Introduce supported_quirks in kvm_caps to store platform-specific force-enabled
quirks.
No functional changes intended.
Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
Message-ID: <20250224070832.31394-1-yan.y.zhao@intel.com>
[Remove unsupported quirks at KVM_ENABLE_CAP time. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Stable-dep-of: e2ffe85b6d2b ("KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/x86.c | 9 +++++----
arch/x86/kvm/x86.h | 2 ++
2 files changed, 7 insertions(+), 4 deletions(-)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4801,7 +4801,7 @@ int kvm_vm_ioctl_check_extension(struct
r = enable_pmu ? KVM_CAP_PMU_VALID_MASK : 0;
break;
case KVM_CAP_DISABLE_QUIRKS2:
- r = KVM_X86_VALID_QUIRKS;
+ r = kvm_caps.supported_quirks;
break;
case KVM_CAP_X86_NOTIFY_VMEXIT:
r = kvm_caps.has_notify_vmexit;
@@ -6534,11 +6534,11 @@ int kvm_vm_ioctl_enable_cap(struct kvm *
switch (cap->cap) {
case KVM_CAP_DISABLE_QUIRKS2:
r = -EINVAL;
- if (cap->args[0] & ~KVM_X86_VALID_QUIRKS)
+ if (cap->args[0] & ~kvm_caps.supported_quirks)
break;
fallthrough;
case KVM_CAP_DISABLE_QUIRKS:
- kvm->arch.disabled_quirks |= cap->args[0];
+ kvm->arch.disabled_quirks |= cap->args[0] & kvm_caps.supported_quirks;
r = 0;
break;
case KVM_CAP_SPLIT_IRQCHIP: {
@@ -9782,6 +9782,7 @@ int kvm_x86_vendor_init(struct kvm_x86_i
kvm_host.xcr0 = xgetbv(XCR_XFEATURE_ENABLED_MASK);
kvm_caps.supported_xcr0 = kvm_host.xcr0 & KVM_SUPPORTED_XCR0;
}
+ kvm_caps.supported_quirks = KVM_X86_VALID_QUIRKS;
kvm_caps.inapplicable_quirks = KVM_X86_CONDITIONAL_QUIRKS;
rdmsrl_safe(MSR_EFER, &kvm_host.efer);
@@ -12781,7 +12782,7 @@ int kvm_arch_init_vm(struct kvm *kvm, un
/* Decided by the vendor code for other VM types. */
kvm->arch.pre_fault_allowed =
type == KVM_X86_DEFAULT_VM || type == KVM_X86_SW_PROTECTED_VM;
- kvm->arch.disabled_quirks = kvm_caps.inapplicable_quirks;
+ kvm->arch.disabled_quirks = kvm_caps.inapplicable_quirks & kvm_caps.supported_quirks;
ret = kvm_page_track_init(kvm);
if (ret)
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -32,6 +32,8 @@ struct kvm_caps {
u64 supported_xcr0;
u64 supported_xss;
u64 supported_perf_cap;
+
+ u64 supported_quirks;
u64 inapplicable_quirks;
};
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 339/567] cifs: make default value of retrans as zero
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 338/567] tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 340/567] xfs: fix undersized l_iclog_roundoff values Greg Kroah-Hartman
` (38 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bharath SM, Shyam Prasad N,
Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shyam Prasad N <sprasad@microsoft.com>
commit e3beefd3af09f8e460ddaf39063d3d7664d7ab59 upstream.
When retrans mount option was introduced, the default value was set
as 1. However, in the light of some bugs that this has exposed recently
we should change it to 0 and retain the old behaviour before this option
was introduced.
Cc: <stable@vger.kernel.org>
Reviewed-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/fs_context.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -1809,7 +1809,7 @@ int smb3_init_fs_context(struct fs_conte
ctx->backupuid_specified = false; /* no backup intent for a user */
ctx->backupgid_specified = false; /* no backup intent for a group */
- ctx->retrans = 1;
+ ctx->retrans = 0;
ctx->reparse_type = CIFS_REPARSE_TYPE_DEFAULT;
/*
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 277/481] ipv6: use RCU in ip6_xmit()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 276/481] drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 278/481] bpf: Forget ranges when refining tnum after JSET Greg Kroah-Hartman
` (38 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David Ahern,
Jakub Kicinski, Keerthana K, Shivani Agarwal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 9085e56501d93af9f2d7bd16f7fcfacdde47b99c upstream.
Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent
possible UAF.
Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250828195823.3958522-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
---
net/ipv6/ip6_output.c | 35 +++++++++++++++++++++--------------
1 file changed, 21 insertions(+), 14 deletions(-)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -258,35 +258,36 @@ bool ip6_autoflowlabel(struct net *net,
int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
__u32 mark, struct ipv6_txoptions *opt, int tclass, u32 priority)
{
- struct net *net = sock_net(sk);
const struct ipv6_pinfo *np = inet6_sk(sk);
struct in6_addr *first_hop = &fl6->daddr;
struct dst_entry *dst = skb_dst(skb);
- struct net_device *dev = dst->dev;
struct inet6_dev *idev = ip6_dst_idev(dst);
struct hop_jumbo_hdr *hop_jumbo;
int hoplen = sizeof(*hop_jumbo);
+ struct net *net = sock_net(sk);
unsigned int head_room;
+ struct net_device *dev;
struct ipv6hdr *hdr;
u8 proto = fl6->flowi6_proto;
int seg_len = skb->len;
- int hlimit = -1;
+ int ret, hlimit = -1;
u32 mtu;
+ rcu_read_lock();
+
+ dev = dst_dev_rcu(dst);
head_room = sizeof(struct ipv6hdr) + hoplen + LL_RESERVED_SPACE(dev);
if (opt)
head_room += opt->opt_nflen + opt->opt_flen;
if (unlikely(head_room > skb_headroom(skb))) {
- /* Make sure idev stays alive */
- rcu_read_lock();
+ /* idev stays alive while we hold rcu_read_lock(). */
skb = skb_expand_head(skb, head_room);
if (!skb) {
IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
- rcu_read_unlock();
- return -ENOBUFS;
+ ret = -ENOBUFS;
+ goto unlock;
}
- rcu_read_unlock();
}
if (opt) {
@@ -348,17 +349,21 @@ int ip6_xmit(const struct sock *sk, stru
* skb to its handler for processing
*/
skb = l3mdev_ip6_out((struct sock *)sk, skb);
- if (unlikely(!skb))
- return 0;
+ if (unlikely(!skb)) {
+ ret = 0;
+ goto unlock;
+ }
/* hooks should never assume socket lock is held.
* we promote our socket to non const
*/
- return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
- net, (struct sock *)sk, skb, NULL, dev,
- dst_output);
+ ret = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
+ net, (struct sock *)sk, skb, NULL, dev,
+ dst_output);
+ goto unlock;
}
+ ret = -EMSGSIZE;
skb->dev = dev;
/* ipv6_local_error() does not require socket lock,
* we promote our socket to non const
@@ -367,7 +372,9 @@ int ip6_xmit(const struct sock *sk, stru
IP6_INC_STATS(net, idev, IPSTATS_MIB_FRAGFAILS);
kfree_skb(skb);
- return -EMSGSIZE;
+unlock:
+ rcu_read_unlock();
+ return ret;
}
EXPORT_SYMBOL(ip6_xmit);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 264/460] KVM: x86: Introduce Intel specific quirk KVM_X86_QUIRK_IGNORE_GUEST_PAT
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 263/460] KVM: x86: Introduce supported_quirks to block disabling quirks Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 265/460] KVM: nVMX: Add consistency checks for CR0.WP and CR4.CET Greg Kroah-Hartman
` (38 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Bonzini, Sean Christopherson,
Kevin Tian, Yan Zhao, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yan Zhao <yan.y.zhao@intel.com>
[ Upstream commit c9c1e20b4c7d60fa084b3257525d21a49fe651a1 ]
Introduce an Intel specific quirk KVM_X86_QUIRK_IGNORE_GUEST_PAT to have
KVM ignore guest PAT when this quirk is enabled.
On AMD platforms, KVM always honors guest PAT. On Intel however there are
two issues. First, KVM *cannot* honor guest PAT if CPU feature self-snoop
is not supported. Second, UC access on certain Intel platforms can be very
slow[1] and honoring guest PAT on those platforms may break some old
guests that accidentally specify video RAM as UC. Those old guests may
never expect the slowness since KVM always forces WB previously. See [2].
So, introduce a quirk that KVM can enable by default on all Intel platforms
to avoid breaking old unmodifiable guests. Newer userspace can disable this
quirk if it wishes KVM to honor guest PAT; disabling the quirk will fail
if self-snoop is not supported, i.e. if KVM cannot obey the wish.
The quirk is a no-op on AMD and also if any assigned devices have
non-coherent DMA. This is not an issue, as KVM_X86_QUIRK_CD_NW_CLEARED is
another example of a quirk that is sometimes automatically disabled.
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Suggested-by: Sean Christopherson <seanjc@google.com>
Cc: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
Link: https://lore.kernel.org/all/Ztl9NWCOupNfVaCA@yzhao56-desk.sh.intel.com # [1]
Link: https://lore.kernel.org/all/87jzfutmfc.fsf@redhat.com # [2]
Message-ID: <20250224070946.31482-1-yan.y.zhao@intel.com>
[Use supported_quirks/inapplicable_quirks to support both AMD and
no-self-snoop cases, as well as to remove the shadow_memtype_mask check
from kvm_mmu_may_ignore_guest_pat(). - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Stable-dep-of: e2ffe85b6d2b ("KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/virt/kvm/api.rst | 22 +++++++++++++++++++++
arch/x86/include/asm/kvm_host.h | 6 +++--
arch/x86/include/uapi/asm/kvm.h | 1
arch/x86/kvm/mmu.h | 2 -
arch/x86/kvm/mmu/mmu.c | 10 +++++----
arch/x86/kvm/vmx/vmx.c | 41 +++++++++++++++++++++++++++++++++-------
arch/x86/kvm/x86.c | 6 ++++-
7 files changed, 73 insertions(+), 15 deletions(-)
--- a/Documentation/virt/kvm/api.rst
+++ b/Documentation/virt/kvm/api.rst
@@ -8129,6 +8129,28 @@ KVM_X86_QUIRK_STUFF_FEATURE_MSRS By d
and 0x489), as KVM does now allow them to
be set by userspace (KVM sets them based on
guest CPUID, for safety purposes).
+
+KVM_X86_QUIRK_IGNORE_GUEST_PAT By default, on Intel platforms, KVM ignores
+ guest PAT and forces the effective memory
+ type to WB in EPT. The quirk is not available
+ on Intel platforms which are incapable of
+ safely honoring guest PAT (i.e., without CPU
+ self-snoop, KVM always ignores guest PAT and
+ forces effective memory type to WB). It is
+ also ignored on AMD platforms or, on Intel,
+ when a VM has non-coherent DMA devices
+ assigned; KVM always honors guest PAT in
+ such case. The quirk is needed to avoid
+ slowdowns on certain Intel Xeon platforms
+ (e.g. ICX, SPR) where self-snoop feature is
+ supported but UC is slow enough to cause
+ issues with some older guests that use
+ UC instead of WC to map the video RAM.
+ Userspace can disable the quirk to honor
+ guest PAT if it knows that there is no such
+ guest software, for example if it does not
+ expose a bochs graphics device (which is
+ known to have had a buggy driver).
=================================== ============================================
7.32 KVM_CAP_MAX_VCPU_ID
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -2386,10 +2386,12 @@ int memslot_rmap_alloc(struct kvm_memory
KVM_X86_QUIRK_FIX_HYPERCALL_INSN | \
KVM_X86_QUIRK_MWAIT_NEVER_UD_FAULTS | \
KVM_X86_QUIRK_SLOT_ZAP_ALL | \
- KVM_X86_QUIRK_STUFF_FEATURE_MSRS)
+ KVM_X86_QUIRK_STUFF_FEATURE_MSRS | \
+ KVM_X86_QUIRK_IGNORE_GUEST_PAT)
#define KVM_X86_CONDITIONAL_QUIRKS \
- KVM_X86_QUIRK_CD_NW_CLEARED
+ (KVM_X86_QUIRK_CD_NW_CLEARED | \
+ KVM_X86_QUIRK_IGNORE_GUEST_PAT)
/*
* KVM previously used a u32 field in kvm_run to indicate the hypercall was
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -441,6 +441,7 @@ struct kvm_sync_regs {
#define KVM_X86_QUIRK_MWAIT_NEVER_UD_FAULTS (1 << 6)
#define KVM_X86_QUIRK_SLOT_ZAP_ALL (1 << 7)
#define KVM_X86_QUIRK_STUFF_FEATURE_MSRS (1 << 8)
+#define KVM_X86_QUIRK_IGNORE_GUEST_PAT (1 << 9)
#define KVM_STATE_NESTED_FORMAT_VMX 0
#define KVM_STATE_NESTED_FORMAT_SVM 1
--- a/arch/x86/kvm/mmu.h
+++ b/arch/x86/kvm/mmu.h
@@ -222,7 +222,7 @@ static inline u8 permission_fault(struct
return -(u32)fault & errcode;
}
-bool kvm_mmu_may_ignore_guest_pat(void);
+bool kvm_mmu_may_ignore_guest_pat(struct kvm *kvm);
int kvm_mmu_post_init_vm(struct kvm *kvm);
void kvm_mmu_pre_destroy_vm(struct kvm *kvm);
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -4713,17 +4713,19 @@ out_unlock:
}
#endif
-bool kvm_mmu_may_ignore_guest_pat(void)
+bool kvm_mmu_may_ignore_guest_pat(struct kvm *kvm)
{
/*
* When EPT is enabled (shadow_memtype_mask is non-zero), and the VM
* has non-coherent DMA (DMA doesn't snoop CPU caches), KVM's ABI is to
* honor the memtype from the guest's PAT so that guest accesses to
* memory that is DMA'd aren't cached against the guest's wishes. As a
- * result, KVM _may_ ignore guest PAT, whereas without non-coherent DMA,
- * KVM _always_ ignores guest PAT (when EPT is enabled).
+ * result, KVM _may_ ignore guest PAT, whereas without non-coherent DMA.
+ * KVM _always_ ignores guest PAT, when EPT is enabled and when quirk
+ * KVM_X86_QUIRK_IGNORE_GUEST_PAT is enabled or the CPU lacks the
+ * ability to safely honor guest PAT.
*/
- return shadow_memtype_mask;
+ return kvm_check_has_quirk(kvm, KVM_X86_QUIRK_IGNORE_GUEST_PAT);
}
int kvm_tdp_page_fault(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -7665,6 +7665,17 @@ int vmx_vm_init(struct kvm *kvm)
return 0;
}
+static inline bool vmx_ignore_guest_pat(struct kvm *kvm)
+{
+ /*
+ * Non-coherent DMA devices need the guest to flush CPU properly.
+ * In that case it is not possible to map all guest RAM as WB, so
+ * always trust guest PAT.
+ */
+ return !kvm_arch_has_noncoherent_dma(kvm) &&
+ kvm_check_has_quirk(kvm, KVM_X86_QUIRK_IGNORE_GUEST_PAT);
+}
+
u8 vmx_get_mt_mask(struct kvm_vcpu *vcpu, gfn_t gfn, bool is_mmio)
{
/*
@@ -7674,13 +7685,8 @@ u8 vmx_get_mt_mask(struct kvm_vcpu *vcpu
if (is_mmio)
return MTRR_TYPE_UNCACHABLE << VMX_EPT_MT_EPTE_SHIFT;
- /*
- * Force WB and ignore guest PAT if the VM does NOT have a non-coherent
- * device attached. Letting the guest control memory types on Intel
- * CPUs may result in unexpected behavior, and so KVM's ABI is to trust
- * the guest to behave only as a last resort.
- */
- if (!kvm_arch_has_noncoherent_dma(vcpu->kvm))
+ /* Force WB if ignoring guest PAT */
+ if (vmx_ignore_guest_pat(vcpu->kvm))
return (MTRR_TYPE_WRBACK << VMX_EPT_MT_EPTE_SHIFT) | VMX_EPT_IPAT_BIT;
return (MTRR_TYPE_WRBACK << VMX_EPT_MT_EPTE_SHIFT);
@@ -8579,6 +8585,27 @@ __init int vmx_hardware_setup(void)
kvm_set_posted_intr_wakeup_handler(pi_wakeup_handler);
+ /*
+ * On Intel CPUs that lack self-snoop feature, letting the guest control
+ * memory types may result in unexpected behavior. So always ignore guest
+ * PAT on those CPUs and map VM as writeback, not allowing userspace to
+ * disable the quirk.
+ *
+ * On certain Intel CPUs (e.g. SPR, ICX), though self-snoop feature is
+ * supported, UC is slow enough to cause issues with some older guests (e.g.
+ * an old version of bochs driver uses ioremap() instead of ioremap_wc() to
+ * map the video RAM, causing wayland desktop to fail to get started
+ * correctly). To avoid breaking those older guests that rely on KVM to force
+ * memory type to WB, provide KVM_X86_QUIRK_IGNORE_GUEST_PAT to preserve the
+ * safer (for performance) default behavior.
+ *
+ * On top of this, non-coherent DMA devices need the guest to flush CPU
+ * caches properly. This also requires honoring guest PAT, and is forced
+ * independent of the quirk in vmx_ignore_guest_pat().
+ */
+ if (!static_cpu_has(X86_FEATURE_SELFSNOOP))
+ kvm_caps.supported_quirks &= ~KVM_X86_QUIRK_IGNORE_GUEST_PAT;
+ kvm_caps.inapplicable_quirks &= ~KVM_X86_QUIRK_IGNORE_GUEST_PAT;
return r;
}
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -9828,6 +9828,10 @@ int kvm_x86_vendor_init(struct kvm_x86_i
if (IS_ENABLED(CONFIG_KVM_SW_PROTECTED_VM) && tdp_mmu_enabled)
kvm_caps.supported_vm_types |= BIT(KVM_X86_SW_PROTECTED_VM);
+ /* KVM always ignores guest PAT for shadow paging. */
+ if (!tdp_enabled)
+ kvm_caps.supported_quirks &= ~KVM_X86_QUIRK_IGNORE_GUEST_PAT;
+
if (!kvm_cpu_cap_has(X86_FEATURE_XSAVES))
kvm_caps.supported_xss = 0;
@@ -13601,7 +13605,7 @@ static void kvm_noncoherent_dma_assignme
* (or last) non-coherent device is (un)registered to so that new SPTEs
* with the correct "ignore guest PAT" setting are created.
*/
- if (kvm_mmu_may_ignore_guest_pat())
+ if (kvm_mmu_may_ignore_guest_pat(kvm))
kvm_zap_gfn_range(kvm, gpa_to_gfn(0), gpa_to_gfn(~0ULL));
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 340/567] xfs: fix undersized l_iclog_roundoff values
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 339/567] cifs: make default value of retrans as zero Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 341/567] s390/dasd: Move quiesce state with pprc swap Greg Kroah-Hartman
` (37 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Carlos Maiolino
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
commit 52a8a1ba883defbfe3200baa22cf4cd21985d51a upstream.
If the superblock doesn't list a log stripe unit, we set the incore log
roundoff value to 512. This leads to corrupt logs and unmountable
filesystems in generic/617 on a disk with 4k physical sectors...
XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197.
XFS (sda1): failed to locate log tail
XFS (sda1): log mount/recovery failed: error -74
XFS (sda1): log mount failed
XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
XFS (sda1): Ending clean mount
...on the current xfsprogs for-next which has a broken mkfs. xfs_info
shows this...
meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks
= sectsz=4096 attr=2, projid32bit=1
= crc=1 finobt=1, sparse=1, rmapbt=1
= reflink=1 bigtime=1 inobtcount=1 nrext64=1
= exchange=1 metadir=1
data = bsize=4096 blocks=2579968, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1
log =internal log bsize=4096 blocks=16384, version=2
= sectsz=4096 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
= rgcount=0 rgsize=268435456 extents
= zoned=0 start=0 reserved=0
...observe that the log section has sectsz=4096 sunit=0, which means
that the roundoff factor is 512, not 4096 as you'd expect. We should
fix mkfs not to generate broken filesystems, but anyone can fuzz the
ondisk superblock so we should be more cautious. I think the inadequate
logic predates commit a6a65fef5ef8d0, but that's clearly going to
require a different backport.
Cc: stable@vger.kernel.org # v5.14
Fixes: a6a65fef5ef8d0 ("xfs: log stripe roundoff is a property of the log")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_log.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/xfs/xfs_log.c
+++ b/fs/xfs/xfs_log.c
@@ -1552,6 +1552,8 @@ xlog_alloc_log(
if (xfs_has_logv2(mp) && mp->m_sb.sb_logsunit > 1)
log->l_iclog_roundoff = mp->m_sb.sb_logsunit;
+ else if (mp->m_sb.sb_logsectsize > 0)
+ log->l_iclog_roundoff = mp->m_sb.sb_logsectsize;
else
log->l_iclog_roundoff = BBSIZE;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 278/481] bpf: Forget ranges when refining tnum after JSET
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 277/481] ipv6: use RCU in ip6_xmit() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 279/481] l2tp: do not use sock_hold() in pppol2tp_session_get_sock() Greg Kroah-Hartman
` (37 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+c711ce17dd78e5d4fdcf,
Eduard Zingerman, Yonghong Song, Paul Chaignon,
Alexei Starovoitov, Shung-Hsi Yu
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Chaignon <paul.chaignon@gmail.com>
commit 6279846b9b2532e1b04559ef8bd0dec049f29383 upstream.
Syzbot reported a kernel warning due to a range invariant violation on
the following BPF program.
0: call bpf_get_netns_cookie
1: if r0 == 0 goto <exit>
2: if r0 & Oxffffffff goto <exit>
The issue is on the path where we fall through both jumps.
That path is unreachable at runtime: after insn 1, we know r0 != 0, but
with the sign extension on the jset, we would only fallthrough insn 2
if r0 == 0. Unfortunately, is_branch_taken() isn't currently able to
figure this out, so the verifier walks all branches. The verifier then
refines the register bounds using the second condition and we end
up with inconsistent bounds on this unreachable path:
1: if r0 == 0 goto <exit>
r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff)
2: if r0 & 0xffffffff goto <exit>
r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0)
r0 after reg_bounds_sync: u64=[0x1, 0] var_off=(0, 0)
Improving the range refinement for JSET to cover all cases is tricky. We
also don't expect many users to rely on JSET given LLVM doesn't generate
those instructions. So instead of improving the range refinement for
JSETs, Eduard suggested we forget the ranges whenever we're narrowing
tnums after a JSET. This patch implements that approach.
Reported-by: syzbot+c711ce17dd78e5d4fdcf@syzkaller.appspotmail.com
Suggested-by: Eduard Zingerman <eddyz87@gmail.com>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/9d4fd6432a095d281f815770608fdcd16028ce0b.1752171365.git.paul.chaignon@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
[ shung-hsi.yu: no detection or kernel warning for invariant violation before
6.8, but the same umin=1,umax=0 state can occur when jset is preceed by r0 < 1.
Changes were made to adapt to older range refinement logic before commit
67420501e868 ("bpf: generalize reg_set_min_max() to handle non-const register
comparisons"). ]
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/verifier.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -10012,6 +10012,10 @@ static void reg_set_min_max(struct bpf_r
}
break;
case BPF_JSET:
+ /* Forget the ranges before narrowing tnums, to avoid invariant
+ * violations if we're on a dead branch.
+ */
+ __mark_reg_unbounded(false_reg);
if (is_jmp32) {
false_32off = tnum_and(false_32off, tnum_const(~val32));
if (is_power_of_2(val32))
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 265/460] KVM: nVMX: Add consistency checks for CR0.WP and CR4.CET
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 264/460] KVM: x86: Introduce Intel specific quirk KVM_X86_QUIRK_IGNORE_GUEST_PAT Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 266/460] KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM Greg Kroah-Hartman
` (37 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathias Krause, John Allen,
Rick Edgecombe, Chao Gao, Binbin Wu, Sean Christopherson,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Gao <chao.gao@intel.com>
[ Upstream commit 8060b2bd2dd05a19ad7ec248489d374f2bd2b057 ]
Add consistency checks for CR4.CET and CR0.WP in guest-state or host-state
area in the VMCS12. This ensures that configurations with CR4.CET set and
CR0.WP not set result in VM-entry failure, aligning with architectural
behavior.
Tested-by: Mathias Krause <minipli@grsecurity.net>
Tested-by: John Allen <john.allen@amd.com>
Tested-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Chao Gao <chao.gao@intel.com>
Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Link: https://lore.kernel.org/r/20250919223258.1604852-33-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Stable-dep-of: e2ffe85b6d2b ("KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/nested.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3022,6 +3022,9 @@ static int nested_vmx_check_host_state(s
CC(!kvm_vcpu_is_legal_cr3(vcpu, vmcs12->host_cr3)))
return -EINVAL;
+ if (CC(vmcs12->host_cr4 & X86_CR4_CET && !(vmcs12->host_cr0 & X86_CR0_WP)))
+ return -EINVAL;
+
if (CC(is_noncanonical_msr_address(vmcs12->host_ia32_sysenter_esp, vcpu)) ||
CC(is_noncanonical_msr_address(vmcs12->host_ia32_sysenter_eip, vcpu)))
return -EINVAL;
@@ -3136,6 +3139,9 @@ static int nested_vmx_check_guest_state(
CC(!nested_guest_cr4_valid(vcpu, vmcs12->guest_cr4)))
return -EINVAL;
+ if (CC(vmcs12->guest_cr4 & X86_CR4_CET && !(vmcs12->guest_cr0 & X86_CR0_WP)))
+ return -EINVAL;
+
if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) &&
(CC(!kvm_dr7_valid(vmcs12->guest_dr7)) ||
CC(!vmx_is_valid_debugctl(vcpu, vmcs12->guest_ia32_debugctl, false))))
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 341/567] s390/dasd: Move quiesce state with pprc swap
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 340/567] xfs: fix undersized l_iclog_roundoff values Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 342/567] s390/dasd: Copy detected format information to secondary device Greg Kroah-Hartman
` (36 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Hoeppner, Stefan Haberland,
Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Haberland <sth@linux.ibm.com>
commit 40e9cd4ae8ec43b107ed2bff422a8fa39dcf4e4b upstream.
Quiesce and resume is a mechanism to suspend operations on DASD devices.
In the context of a controlled copy pair swap operation, the quiesce
operation is usually issued before the actual swap and a resume
afterwards.
During the swap operation, the underlying device is exchanged. Therefore,
the quiesce flag must be moved to the secondary device to ensure a
consistent quiesce state after the swap.
The secondary device itself cannot be suspended separately because there
is no separate block device representation for it.
Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability")
Cc: stable@vger.kernel.org #6.1
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Link: https://patch.msgid.link/20260310142330.4080106-2-sth@linux.ibm.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd_eckd.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -6232,6 +6232,11 @@ static int dasd_eckd_copy_pair_swap(stru
dev_name(&secondary->cdev->dev), rc);
}
+ if (primary->stopped & DASD_STOPPED_QUIESCE) {
+ dasd_device_set_stop_bits(secondary, DASD_STOPPED_QUIESCE);
+ dasd_device_remove_stop_bits(primary, DASD_STOPPED_QUIESCE);
+ }
+
/* re-enable device */
dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC);
dasd_device_remove_stop_bits(secondary, DASD_STOPPED_PPRC);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 279/481] l2tp: do not use sock_hold() in pppol2tp_session_get_sock()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 278/481] bpf: Forget ranges when refining tnum after JSET Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 280/481] io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop Greg Kroah-Hartman
` (36 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, James Chapman,
Guillaume Nault, Jakub Kicinski, Qingfang Deng
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 9b8c88f875c04d4cb9111bd5dd9291c7e9691bf5 upstream.
pppol2tp_session_get_sock() is using RCU, it must be ready
for sk_refcnt being zero.
Commit ee40fb2e1eb5 ("l2tp: protect sock pointer of
struct pppol2tp_session with RCU") was correct because it
had a call_rcu(..., pppol2tp_put_sk) which was later removed in blamed commit.
pppol2tp_recv() can use pppol2tp_session_get_sock() as well.
Fixes: c5cbaef992d6 ("l2tp: refactor ppp socket/session relationship")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: James Chapman <jchapman@katalix.com>
Reviewed-by: Guillaume Nault <gnault@redhat.com>
Link: https://patch.msgid.link/20250826134435.1683435-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/l2tp/l2tp_ppp.c | 25 ++++++++-----------------
1 file changed, 8 insertions(+), 17 deletions(-)
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -130,22 +130,12 @@ static const struct ppp_channel_ops pppo
static const struct proto_ops pppol2tp_ops;
-/* Retrieves the pppol2tp socket associated to a session.
- * A reference is held on the returned socket, so this function must be paired
- * with sock_put().
- */
+/* Retrieves the pppol2tp socket associated to a session. */
static struct sock *pppol2tp_session_get_sock(struct l2tp_session *session)
{
struct pppol2tp_session *ps = l2tp_session_priv(session);
- struct sock *sk;
- rcu_read_lock();
- sk = rcu_dereference(ps->sk);
- if (sk)
- sock_hold(sk);
- rcu_read_unlock();
-
- return sk;
+ return rcu_dereference(ps->sk);
}
/* Helpers to obtain tunnel/session contexts from sockets.
@@ -211,14 +201,13 @@ end:
static void pppol2tp_recv(struct l2tp_session *session, struct sk_buff *skb, int data_len)
{
- struct pppol2tp_session *ps = l2tp_session_priv(session);
- struct sock *sk = NULL;
+ struct sock *sk;
/* If the socket is bound, send it in to PPP's input queue. Otherwise
* queue it on the session socket.
*/
rcu_read_lock();
- sk = rcu_dereference(ps->sk);
+ sk = pppol2tp_session_get_sock(session);
if (!sk)
goto no_sock;
@@ -528,13 +517,14 @@ static void pppol2tp_show(struct seq_fil
struct l2tp_session *session = arg;
struct sock *sk;
+ rcu_read_lock();
sk = pppol2tp_session_get_sock(session);
if (sk) {
struct pppox_sock *po = pppox_sk(sk);
seq_printf(m, " interface %s\n", ppp_dev_name(&po->chan));
- sock_put(sk);
}
+ rcu_read_unlock();
}
static void pppol2tp_session_init(struct l2tp_session *session)
@@ -1540,6 +1530,7 @@ static void pppol2tp_seq_session_show(st
port = ntohs(inet->inet_sport);
}
+ rcu_read_lock();
sk = pppol2tp_session_get_sock(session);
if (sk) {
state = sk->sk_state;
@@ -1575,8 +1566,8 @@ static void pppol2tp_seq_session_show(st
struct pppox_sock *po = pppox_sk(sk);
seq_printf(m, " interface %s\n", ppp_dev_name(&po->chan));
- sock_put(sk);
}
+ rcu_read_unlock();
}
static int pppol2tp_seq_show(struct seq_file *m, void *v)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 266/460] KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 265/460] KVM: nVMX: Add consistency checks for CR0.WP and CR4.CET Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 267/460] ksmbd: Dont log keys in SMB3 signing and encryption key generation Greg Kroah-Hartman
` (36 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Mattson, Sean Christopherson,
Paolo Bonzini, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jim Mattson <jmattson@google.com>
[ Upstream commit e2ffe85b6d2bb7780174b87aa4468a39be17eb81 ]
Add KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM to allow L1 to set
FREEZE_IN_SMM in vmcs12's GUEST_IA32_DEBUGCTL field, as permitted
prior to commit 6b1dd26544d0 ("KVM: VMX: Preserve host's
DEBUGCTLMSR_FREEZE_IN_SMM while running the guest"). Enable the quirk
by default for backwards compatibility (like all quirks); userspace
can disable it via KVM_CAP_DISABLE_QUIRKS2 for consistency with the
constraints on WRMSR(IA32_DEBUGCTL).
Note that the quirk only bypasses the consistency check. The vmcs02 bit is
still owned by the host, and PMCs are not frozen during virtualized SMM.
In particular, if a host administrator decides that PMCs should not be
frozen during physical SMM, then L1 has no say in the matter.
Fixes: 095686e6fcb4 ("KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter")
Cc: stable@vger.kernel.org
Signed-off-by: Jim Mattson <jmattson@google.com>
Link: https://patch.msgid.link/20260205231537.1278753-1-jmattson@google.com
[sean: tag for stable@, clean-up and fix goofs in the comment and docs]
Signed-off-by: Sean Christopherson <seanjc@google.com>
[Rename quirk. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/virt/kvm/api.rst | 8 ++++++++
arch/x86/include/asm/kvm_host.h | 3 ++-
arch/x86/include/uapi/asm/kvm.h | 1 +
arch/x86/kvm/vmx/nested.c | 22 ++++++++++++++++++----
4 files changed, 29 insertions(+), 5 deletions(-)
--- a/Documentation/virt/kvm/api.rst
+++ b/Documentation/virt/kvm/api.rst
@@ -8151,6 +8151,14 @@ KVM_X86_QUIRK_IGNORE_GUEST_PAT By d
guest software, for example if it does not
expose a bochs graphics device (which is
known to have had a buggy driver).
+
+KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM By default, KVM relaxes the consistency
+ check for GUEST_IA32_DEBUGCTL in vmcs12
+ to allow FREEZE_IN_SMM to be set. When
+ this quirk is disabled, KVM requires this
+ bit to be cleared. Note that the vmcs02
+ bit is still completely controlled by the
+ host, regardless of the quirk setting.
=================================== ============================================
7.32 KVM_CAP_MAX_VCPU_ID
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -2387,7 +2387,8 @@ int memslot_rmap_alloc(struct kvm_memory
KVM_X86_QUIRK_MWAIT_NEVER_UD_FAULTS | \
KVM_X86_QUIRK_SLOT_ZAP_ALL | \
KVM_X86_QUIRK_STUFF_FEATURE_MSRS | \
- KVM_X86_QUIRK_IGNORE_GUEST_PAT)
+ KVM_X86_QUIRK_IGNORE_GUEST_PAT | \
+ KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM)
#define KVM_X86_CONDITIONAL_QUIRKS \
(KVM_X86_QUIRK_CD_NW_CLEARED | \
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -442,6 +442,7 @@ struct kvm_sync_regs {
#define KVM_X86_QUIRK_SLOT_ZAP_ALL (1 << 7)
#define KVM_X86_QUIRK_STUFF_FEATURE_MSRS (1 << 8)
#define KVM_X86_QUIRK_IGNORE_GUEST_PAT (1 << 9)
+#define KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM (1 << 10)
#define KVM_STATE_NESTED_FORMAT_VMX 0
#define KVM_STATE_NESTED_FORMAT_SVM 1
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3142,10 +3142,24 @@ static int nested_vmx_check_guest_state(
if (CC(vmcs12->guest_cr4 & X86_CR4_CET && !(vmcs12->guest_cr0 & X86_CR0_WP)))
return -EINVAL;
- if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) &&
- (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) ||
- CC(!vmx_is_valid_debugctl(vcpu, vmcs12->guest_ia32_debugctl, false))))
- return -EINVAL;
+ if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) {
+ u64 debugctl = vmcs12->guest_ia32_debugctl;
+
+ /*
+ * FREEZE_IN_SMM is not virtualized, but allow L1 to set it in
+ * vmcs12's DEBUGCTL under a quirk for backwards compatibility.
+ * Note that the quirk only relaxes the consistency check. The
+ * vmcc02 bit is still under the control of the host. In
+ * particular, if a host administrator decides to clear the bit,
+ * then L1 has no say in the matter.
+ */
+ if (kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM))
+ debugctl &= ~DEBUGCTLMSR_FREEZE_IN_SMM;
+
+ if (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) ||
+ CC(!vmx_is_valid_debugctl(vcpu, debugctl, false)))
+ return -EINVAL;
+ }
if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PAT) &&
CC(!kvm_pat_valid(vmcs12->guest_ia32_pat)))
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 342/567] s390/dasd: Copy detected format information to secondary device
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 341/567] s390/dasd: Move quiesce state with pprc swap Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 343/567] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error Greg Kroah-Hartman
` (35 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Hoeppner, Eduard Shishkin,
Stefan Haberland, Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Haberland <sth@linux.ibm.com>
commit 4c527c7e030672efd788d0806d7a68972a7ba3c1 upstream.
During online processing for a DASD device an IO operation is started to
determine the format of the device. CDL format contains specifically
sized blocks at the beginning of the disk.
For a PPRC secondary device no real IO operation is possible therefore
this IO request can not be started and this step is skipped for online
processing of secondary devices. This is generally fine since the
secondary is a copy of the primary device.
In case of an additional partition detection that is run after a swap
operation the format information is needed to properly drive partition
detection IO.
Currently the information is not passed leading to IO errors during
partition detection and a wrongly detected partition table which in turn
might lead to data corruption on the disk with the wrong partition table.
Fix by passing the format information from primary to secondary device.
Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability")
Cc: stable@vger.kernel.org #6.1
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Acked-by: Eduard Shishkin <edward6@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Link: https://patch.msgid.link/20260310142330.4080106-3-sth@linux.ibm.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd_eckd.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -6185,6 +6185,7 @@ static void copy_pair_set_active(struct
static int dasd_eckd_copy_pair_swap(struct dasd_device *device, char *prim_busid,
char *sec_busid)
{
+ struct dasd_eckd_private *prim_priv, *sec_priv;
struct dasd_device *primary, *secondary;
struct dasd_copy_relation *copy;
struct dasd_block *block;
@@ -6205,6 +6206,9 @@ static int dasd_eckd_copy_pair_swap(stru
if (!secondary)
return DASD_COPYPAIRSWAP_SECONDARY;
+ prim_priv = primary->private;
+ sec_priv = secondary->private;
+
/*
* usually the device should be quiesced for swap
* for paranoia stop device and requeue requests again
@@ -6237,6 +6241,13 @@ static int dasd_eckd_copy_pair_swap(stru
dasd_device_remove_stop_bits(primary, DASD_STOPPED_QUIESCE);
}
+ /*
+ * The secondary device never got through format detection, but since it
+ * is a copy of the primary device, the format is exactly the same;
+ * therefore, the detected layout can simply be copied.
+ */
+ sec_priv->uses_cdl = prim_priv->uses_cdl;
+
/* re-enable device */
dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC);
dasd_device_remove_stop_bits(secondary, DASD_STOPPED_PPRC);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 280/481] io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 279/481] l2tp: do not use sock_hold() in pppol2tp_session_get_sock() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 281/481] io_uring/kbuf: check if target buffer list is still legacy on recycle Greg Kroah-Hartman
` (35 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4eb282331cab6d5b6588,
Jens Axboe, Jianqiang kang
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
commit 10dc959398175736e495f71c771f8641e1ca1907 upstream.
Currently this is checked before running the pending work. Normally this
is quite fine, as work items either end up blocking (which will create a
new worker for other items), or they complete fairly quickly. But syzbot
reports an issue where io-wq takes seemingly forever to exit, and with a
bit of debugging, this turns out to be because it queues a bunch of big
(2GB - 4096b) reads with a /dev/msr* file. Since this file type doesn't
support ->read_iter(), loop_rw_iter() ends up handling them. Each read
returns 16MB of data read, which takes 20 (!!) seconds. With a bunch of
these pending, processing the whole chain can take a long time. Easily
longer than the syzbot uninterruptible sleep timeout of 140 seconds.
This then triggers a complaint off the io-wq exit path:
INFO: task syz.4.135:6326 blocked for more than 143 seconds.
Not tainted syzkaller #0
Blocked by coredump.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.135 state:D stack:26824 pid:6326 tgid:6324 ppid:5957 task_flags:0x400548 flags:0x00080000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x1139/0x6150 kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0xe7/0x3a0 kernel/sched/core.c:6960
schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121
io_wq_exit_workers io_uring/io-wq.c:1328 [inline]
io_wq_put_and_exit+0x271/0x8a0 io_uring/io-wq.c:1356
io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203
io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651
io_uring_files_cancel include/linux/io_uring.h:19 [inline]
do_exit+0x2ce/0x2bd0 kernel/exit.c:911
do_group_exit+0xd3/0x2a0 kernel/exit.c:1112
get_signal+0x2671/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa02738f749
RSP: 002b:00007fa0281ae0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fa0275e6098 RCX: 00007fa02738f749
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa0275e6098
RBP: 00007fa0275e6090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa0275e6128 R14: 00007fff14e4fcb0 R15: 00007fff14e4fd98
There's really nothing wrong here, outside of processing these reads
will take a LONG time. However, we can speed up the exit by checking the
IO_WQ_BIT_EXIT inside the io_worker_handle_work() loop, as syzbot will
exit the ring after queueing up all of these reads. Then once the first
item is processed, io-wq will simply cancel the rest. That should avoid
syzbot running into this complaint again.
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/68a2decc.050a0220.e29e5.0099.GAE@google.com/
Reported-by: syzbot+4eb282331cab6d5b6588@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[ Minor conflict resolved. ]
Signed-off-by: Jianqiang kang <jianqkang@sina.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io-wq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -554,9 +554,9 @@ static void io_worker_handle_work(struct
struct io_wqe_acct *acct = io_wqe_get_acct(worker);
struct io_wqe *wqe = worker->wqe;
struct io_wq *wq = wqe->wq;
- bool do_kill = test_bit(IO_WQ_BIT_EXIT, &wq->state);
do {
+ bool do_kill = test_bit(IO_WQ_BIT_EXIT, &wq->state);
struct io_wq_work *work;
/*
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 267/460] ksmbd: Dont log keys in SMB3 signing and encryption key generation
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 266/460] KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 268/460] drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output Greg Kroah-Hartman
` (35 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Namjae Jeon,
Steve French, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit 441336115df26b966575de56daf7107ed474faed ]
When KSMBD_DEBUG_AUTH logging is enabled, generate_smb3signingkey() and
generate_smb3encryptionkey() log the session, signing, encryption, and
decryption key bytes. Remove the logs to avoid exposing credentials.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ Context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/auth.c | 22 ++--------------------
1 file changed, 2 insertions(+), 20 deletions(-)
--- a/fs/smb/server/auth.c
+++ b/fs/smb/server/auth.c
@@ -803,12 +803,8 @@ static int generate_smb3signingkey(struc
if (!(conn->dialect >= SMB30_PROT_ID && signing->binding))
memcpy(chann->smb3signingkey, key, SMB3_SIGN_KEY_SIZE);
- ksmbd_debug(AUTH, "dumping generated AES signing keys\n");
+ ksmbd_debug(AUTH, "generated SMB3 signing key\n");
ksmbd_debug(AUTH, "Session Id %llu\n", sess->id);
- ksmbd_debug(AUTH, "Session Key %*ph\n",
- SMB2_NTLMV2_SESSKEY_SIZE, sess->sess_key);
- ksmbd_debug(AUTH, "Signing Key %*ph\n",
- SMB3_SIGN_KEY_SIZE, key);
return 0;
}
@@ -872,23 +868,9 @@ static int generate_smb3encryptionkey(st
if (rc)
return rc;
- ksmbd_debug(AUTH, "dumping generated AES encryption keys\n");
+ ksmbd_debug(AUTH, "generated SMB3 encryption/decryption keys\n");
ksmbd_debug(AUTH, "Cipher type %d\n", conn->cipher_type);
ksmbd_debug(AUTH, "Session Id %llu\n", sess->id);
- ksmbd_debug(AUTH, "Session Key %*ph\n",
- SMB2_NTLMV2_SESSKEY_SIZE, sess->sess_key);
- if (conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
- conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM) {
- ksmbd_debug(AUTH, "ServerIn Key %*ph\n",
- SMB3_GCM256_CRYPTKEY_SIZE, sess->smb3encryptionkey);
- ksmbd_debug(AUTH, "ServerOut Key %*ph\n",
- SMB3_GCM256_CRYPTKEY_SIZE, sess->smb3decryptionkey);
- } else {
- ksmbd_debug(AUTH, "ServerIn Key %*ph\n",
- SMB3_GCM128_CRYPTKEY_SIZE, sess->smb3encryptionkey);
- ksmbd_debug(AUTH, "ServerOut Key %*ph\n",
- SMB3_GCM128_CRYPTKEY_SIZE, sess->smb3decryptionkey);
- }
return 0;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 343/567] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 342/567] s390/dasd: Copy detected format information to secondary device Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 344/567] scsi: core: Fix error handling for scsi_alloc_sdev() Greg Kroah-Hartman
` (34 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josh Law, Steven Rostedt (Google),
Masami Hiramatsu (Google)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 39ebc8d7f561e1b64eca87353ef9b18e2825e591 upstream.
__xbc_open_brace() pushes entries with post-increment
(open_brace[brace_index++]), so brace_index always points one past
the last valid entry. xbc_verify_tree() reads open_brace[brace_index]
to report which brace is unclosed, but this is one past the last
pushed entry and contains stale/zero data, causing the error message
to reference the wrong node.
Use open_brace[brace_index - 1] to correctly identify the unclosed
brace. brace_index is known to be > 0 here since we are inside the
if (brace_index) guard.
Link: https://lore.kernel.org/all/20260312191143.28719-2-objecting@objecting.org/
Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/bootconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -793,7 +793,7 @@ static int __init xbc_verify_tree(void)
/* Brace closing */
if (brace_index) {
- n = &xbc_nodes[open_brace[brace_index]];
+ n = &xbc_nodes[open_brace[brace_index - 1]];
return xbc_parse_error("Brace is not closed",
xbc_node_get_data(n));
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 281/481] io_uring/kbuf: check if target buffer list is still legacy on recycle
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 280/481] io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 282/481] sunrpc: fix cache_request leak in cache_release Greg Kroah-Hartman
` (34 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Keenan Dong, Jens Axboe
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
Commit c2c185be5c85d37215397c8e8781abf0a69bec1f upstream.
There's a gap between when the buffer was grabbed and when it
potentially gets recycled, where if the list is empty, someone could've
upgraded it to a ring provided type. This can happen if the request
is forced via io-wq. The legacy recycling is missing checking if the
buffer_list still exists, and if it's of the correct type. Add those
checks.
Cc: stable@vger.kernel.org
Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/kbuf.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -69,9 +69,15 @@ void io_kbuf_recycle_legacy(struct io_ki
buf = req->kbuf;
bl = io_buffer_get_list(ctx, buf->bgid);
- list_add(&buf->list, &bl->buf_list);
+ /*
+ * If the buffer list was upgraded to a ring-based one, or removed,
+ * while the request was in-flight in io-wq, drop it.
+ */
+ if (bl && !bl->buf_nr_pages)
+ list_add(&buf->list, &bl->buf_list);
req->flags &= ~REQ_F_BUFFER_SELECTED;
req->buf_index = buf->bgid;
+ req->kbuf = NULL;
io_ring_submit_unlock(ctx, issue_flags);
return;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 268/460] drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 267/460] ksmbd: Dont log keys in SMB3 signing and encryption key generation Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 269/460] net: macb: Shuffle the tx ring before enabling tx Greg Kroah-Hartman
` (34 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Luca Ceresoli,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
[ Upstream commit d0d727746944096a6681dc6adb5f123fc5aa018d ]
Dual LVDS output (available on the SN65DSI84) requires HSYNC_PULSE_WIDTH
and HORIZONTAL_BACK_PORCH to be divided by two with respect to the values
used for single LVDS output.
While not clearly stated in the datasheet, this is needed according to the
DSI Tuner [0] output. It also makes sense intuitively because in dual LVDS
output two pixels at a time are output and so the output clock is half of
the pixel clock.
Some dual-LVDS panels refuse to show any picture without this fix.
Divide by two HORIZONTAL_FRONT_PORCH too, even though this register is used
only for test pattern generation which is not currently implemented by this
driver.
[0] https://www.ti.com/tool/DSI-TUNER
Fixes: ceb515ba29ba ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver")
Cc: stable@vger.kernel.org
Reviewed-by: Marek Vasut <marek.vasut@mailbox.org>
Link: https://patch.msgid.link/20260226-ti-sn65dsi83-dual-lvds-fixes-and-test-pattern-v1-2-2e15f5a9a6a0@bootlin.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
[ adapted variable declaration placement ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/ti-sn65dsi83.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
@@ -325,6 +325,7 @@ static void sn65dsi83_atomic_pre_enable(
struct drm_bridge_state *old_bridge_state)
{
struct sn65dsi83 *ctx = bridge_to_sn65dsi83(bridge);
+ const unsigned int dual_factor = ctx->lvds_dual_link ? 2 : 1;
struct drm_atomic_state *state = old_bridge_state->base.state;
const struct drm_bridge_state *bridge_state;
const struct drm_crtc_state *crtc_state;
@@ -452,18 +453,18 @@ static void sn65dsi83_atomic_pre_enable(
/* 32 + 1 pixel clock to ensure proper operation */
le16val = cpu_to_le16(32 + 1);
regmap_bulk_write(ctx->regmap, REG_VID_CHA_SYNC_DELAY_LOW, &le16val, 2);
- le16val = cpu_to_le16(mode->hsync_end - mode->hsync_start);
+ le16val = cpu_to_le16((mode->hsync_end - mode->hsync_start) / dual_factor);
regmap_bulk_write(ctx->regmap, REG_VID_CHA_HSYNC_PULSE_WIDTH_LOW,
&le16val, 2);
le16val = cpu_to_le16(mode->vsync_end - mode->vsync_start);
regmap_bulk_write(ctx->regmap, REG_VID_CHA_VSYNC_PULSE_WIDTH_LOW,
&le16val, 2);
regmap_write(ctx->regmap, REG_VID_CHA_HORIZONTAL_BACK_PORCH,
- mode->htotal - mode->hsync_end);
+ (mode->htotal - mode->hsync_end) / dual_factor);
regmap_write(ctx->regmap, REG_VID_CHA_VERTICAL_BACK_PORCH,
mode->vtotal - mode->vsync_end);
regmap_write(ctx->regmap, REG_VID_CHA_HORIZONTAL_FRONT_PORCH,
- mode->hsync_start - mode->hdisplay);
+ (mode->hsync_start - mode->hdisplay) / dual_factor);
regmap_write(ctx->regmap, REG_VID_CHA_VERTICAL_FRONT_PORCH,
mode->vsync_start - mode->vdisplay);
regmap_write(ctx->regmap, REG_VID_CHA_TEST_PATTERN, 0x00);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 344/567] scsi: core: Fix error handling for scsi_alloc_sdev()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 343/567] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 345/567] x86/apic: Disable x2apic on resume if the kernel expects so Greg Kroah-Hartman
` (33 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxiao Bi, John Garry,
Bart Van Assche, Martin K. Petersen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxiao Bi <junxiao.bi@oracle.com>
commit 4ce7ada40c008fa21b7e52ab9d04e8746e2e9325 upstream.
After scsi_sysfs_device_initialize() was called, error paths must call
__scsi_remove_device().
Fixes: 1ac22c8eae81 ("scsi: core: Fix refcount leak for tagset_refcnt")
Cc: stable@vger.kernel.org
Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260304164603.51528-1-junxiao.bi@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/scsi_scan.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -353,12 +353,8 @@ static struct scsi_device *scsi_alloc_sd
* default device queue depth to figure out sbitmap shift
* since we use this queue depth most of times.
*/
- if (scsi_realloc_sdev_budget_map(sdev, depth)) {
- kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
- put_device(&starget->dev);
- kfree(sdev);
- goto out;
- }
+ if (scsi_realloc_sdev_budget_map(sdev, depth))
+ goto out_device_destroy;
scsi_change_queue_depth(sdev, depth);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 282/481] sunrpc: fix cache_request leak in cache_release
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 281/481] io_uring/kbuf: check if target buffer list is still legacy on recycle Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 283/481] nvdimm/bus: Fix potential use after free in asynchronous initialization Greg Kroah-Hartman
` (33 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, NeilBrown, stable, Jeff Layton,
Chuck Lever
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
commit 17ad31b3a43b72aec3a3d83605891e1397d0d065 upstream.
When a reader's file descriptor is closed while in the middle of reading
a cache_request (rp->offset != 0), cache_release() decrements the
request's readers count but never checks whether it should free the
request.
In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the
cache_request is removed from the queue and freed along with its buffer
and cache_head reference. cache_release() lacks this cleanup.
The only other path that frees requests with readers == 0 is
cache_dequeue(), but it runs only when CACHE_PENDING transitions from
set to clear. If that transition already happened while readers was
still non-zero, cache_dequeue() will have skipped the request, and no
subsequent call will clean it up.
Add the same cleanup logic from cache_read() to cache_release(): after
decrementing readers, check if it reached 0 with CACHE_PENDING clear,
and if so, dequeue and free the cache_request.
Reported-by: NeilBrown <neilb@ownmail.net>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@kernel.org
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/cache.c | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -1052,14 +1052,25 @@ static int cache_release(struct inode *i
struct cache_reader *rp = filp->private_data;
if (rp) {
+ struct cache_request *rq = NULL;
+
spin_lock(&queue_lock);
if (rp->offset) {
struct cache_queue *cq;
- for (cq= &rp->q; &cq->list != &cd->queue;
- cq = list_entry(cq->list.next, struct cache_queue, list))
+ for (cq = &rp->q; &cq->list != &cd->queue;
+ cq = list_entry(cq->list.next,
+ struct cache_queue, list))
if (!cq->reader) {
- container_of(cq, struct cache_request, q)
- ->readers--;
+ struct cache_request *cr =
+ container_of(cq,
+ struct cache_request, q);
+ cr->readers--;
+ if (cr->readers == 0 &&
+ !test_bit(CACHE_PENDING,
+ &cr->item->flags)) {
+ list_del(&cr->q.list);
+ rq = cr;
+ }
break;
}
rp->offset = 0;
@@ -1067,9 +1078,14 @@ static int cache_release(struct inode *i
list_del(&rp->q.list);
spin_unlock(&queue_lock);
+ if (rq) {
+ cache_put(rq->item, cd);
+ kfree(rq->buf);
+ kfree(rq);
+ }
+
filp->private_data = NULL;
kfree(rp);
-
}
if (filp->f_mode & FMODE_WRITE) {
atomic_dec(&cd->writers);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 269/460] net: macb: Shuffle the tx ring before enabling tx
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 268/460] drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 270/460] cifs: open files should not hold ref on superblock Greg Kroah-Hartman
` (33 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quanyang Wang, Kevin Hao,
Simon Horman, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Hao <haokexin@gmail.com>
[ Upstream commit 881a0263d502e1a93ebc13a78254e9ad19520232 ]
Quanyang observed that when using an NFS rootfs on an AMD ZynqMp board,
the rootfs may take an extended time to recover after a suspend.
Upon investigation, it was determined that the issue originates from a
problem in the macb driver.
According to the Zynq UltraScale TRM [1], when transmit is disabled,
the transmit buffer queue pointer resets to point to the address
specified by the transmit buffer queue base address register.
In the current implementation, the code merely resets `queue->tx_head`
and `queue->tx_tail` to '0'. This approach presents several issues:
- Packets already queued in the tx ring are silently lost,
leading to memory leaks since the associated skbs cannot be released.
- Concurrent write access to `queue->tx_head` and `queue->tx_tail` may
occur from `macb_tx_poll()` or `macb_start_xmit()` when these values
are reset to '0'.
- The transmission may become stuck on a packet that has already been sent
out, with its 'TX_USED' bit set, but has not yet been processed. However,
due to the manipulation of 'queue->tx_head' and 'queue->tx_tail',
`macb_tx_poll()` incorrectly assumes there are no packets to handle
because `queue->tx_head == queue->tx_tail`. This issue is only resolved
when a new packet is placed at this position. This is the root cause of
the prolonged recovery time observed for the NFS root filesystem.
To resolve this issue, shuffle the tx ring and tx skb array so that
the first unsent packet is positioned at the start of the tx ring.
Additionally, ensure that updates to `queue->tx_head` and
`queue->tx_tail` are properly protected with the appropriate lock.
[1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm
Fixes: bf9cf80cab81 ("net: macb: Fix tx/rx malfunction after phy link down and up")
Reported-by: Quanyang Wang <quanyang.wang@windriver.com>
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260307-zynqmp-v2-1-6ef98a70e1d0@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ adapted include block context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/cadence/macb_main.c | 98 ++++++++++++++++++++++++++++++-
1 file changed, 95 insertions(+), 3 deletions(-)
--- a/drivers/net/ethernet/cadence/macb_main.c
+++ b/drivers/net/ethernet/cadence/macb_main.c
@@ -38,6 +38,7 @@
#include <linux/ptp_classify.h>
#include <linux/reset.h>
#include <linux/firmware/xlnx-zynqmp.h>
+#include <linux/gcd.h>
#include <linux/inetdevice.h>
#include "macb.h"
@@ -719,6 +720,97 @@ static void macb_mac_link_down(struct ph
netif_tx_stop_all_queues(ndev);
}
+/* Use juggling algorithm to left rotate tx ring and tx skb array */
+static void gem_shuffle_tx_one_ring(struct macb_queue *queue)
+{
+ unsigned int head, tail, count, ring_size, desc_size;
+ struct macb_tx_skb tx_skb, *skb_curr, *skb_next;
+ struct macb_dma_desc *desc_curr, *desc_next;
+ unsigned int i, cycles, shift, curr, next;
+ struct macb *bp = queue->bp;
+ unsigned char desc[24];
+ unsigned long flags;
+
+ desc_size = macb_dma_desc_get_size(bp);
+
+ if (WARN_ON_ONCE(desc_size > ARRAY_SIZE(desc)))
+ return;
+
+ spin_lock_irqsave(&queue->tx_ptr_lock, flags);
+ head = queue->tx_head;
+ tail = queue->tx_tail;
+ ring_size = bp->tx_ring_size;
+ count = CIRC_CNT(head, tail, ring_size);
+
+ if (!(tail % ring_size))
+ goto unlock;
+
+ if (!count) {
+ queue->tx_head = 0;
+ queue->tx_tail = 0;
+ goto unlock;
+ }
+
+ shift = tail % ring_size;
+ cycles = gcd(ring_size, shift);
+
+ for (i = 0; i < cycles; i++) {
+ memcpy(&desc, macb_tx_desc(queue, i), desc_size);
+ memcpy(&tx_skb, macb_tx_skb(queue, i),
+ sizeof(struct macb_tx_skb));
+
+ curr = i;
+ next = (curr + shift) % ring_size;
+
+ while (next != i) {
+ desc_curr = macb_tx_desc(queue, curr);
+ desc_next = macb_tx_desc(queue, next);
+
+ memcpy(desc_curr, desc_next, desc_size);
+
+ if (next == ring_size - 1)
+ desc_curr->ctrl &= ~MACB_BIT(TX_WRAP);
+ if (curr == ring_size - 1)
+ desc_curr->ctrl |= MACB_BIT(TX_WRAP);
+
+ skb_curr = macb_tx_skb(queue, curr);
+ skb_next = macb_tx_skb(queue, next);
+ memcpy(skb_curr, skb_next, sizeof(struct macb_tx_skb));
+
+ curr = next;
+ next = (curr + shift) % ring_size;
+ }
+
+ desc_curr = macb_tx_desc(queue, curr);
+ memcpy(desc_curr, &desc, desc_size);
+ if (i == ring_size - 1)
+ desc_curr->ctrl &= ~MACB_BIT(TX_WRAP);
+ if (curr == ring_size - 1)
+ desc_curr->ctrl |= MACB_BIT(TX_WRAP);
+ memcpy(macb_tx_skb(queue, curr), &tx_skb,
+ sizeof(struct macb_tx_skb));
+ }
+
+ queue->tx_head = count;
+ queue->tx_tail = 0;
+
+ /* Make descriptor updates visible to hardware */
+ wmb();
+
+unlock:
+ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags);
+}
+
+/* Rotate the queue so that the tail is at index 0 */
+static void gem_shuffle_tx_rings(struct macb *bp)
+{
+ struct macb_queue *queue;
+ int q;
+
+ for (q = 0, queue = bp->queues; q < bp->num_queues; q++, queue++)
+ gem_shuffle_tx_one_ring(queue);
+}
+
static void macb_mac_link_up(struct phylink_config *config,
struct phy_device *phy,
unsigned int mode, phy_interface_t interface,
@@ -757,8 +849,6 @@ static void macb_mac_link_up(struct phyl
ctrl |= MACB_BIT(PAE);
for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue) {
- queue->tx_head = 0;
- queue->tx_tail = 0;
queue_writel(queue, IER,
bp->rx_intr_mask | MACB_TX_INT_FLAGS | MACB_BIT(HRESP));
}
@@ -772,8 +862,10 @@ static void macb_mac_link_up(struct phyl
spin_unlock_irqrestore(&bp->lock, flags);
- if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC))
+ if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC)) {
macb_set_tx_clk(bp, speed);
+ gem_shuffle_tx_rings(bp);
+ }
/* Enable Rx and Tx; Enable PTP unicast */
ctrl = macb_readl(bp, NCR);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 345/567] x86/apic: Disable x2apic on resume if the kernel expects so
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 344/567] scsi: core: Fix error handling for scsi_alloc_sdev() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 346/567] lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after() Greg Kroah-Hartman
` (32 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rahul Bukte, Shashank Balaji,
Borislav Petkov (AMD), Thomas Gleixner, Sohil Mehta
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shashank Balaji <shashank.mahadasyam@sony.com>
commit 8cc7dd77a1466f0ec58c03478b2e735a5b289b96 upstream.
When resuming from s2ram, firmware may re-enable x2apic mode, which may have
been disabled by the kernel during boot either because it doesn't support IRQ
remapping or for other reasons. This causes the kernel to continue using the
xapic interface, while the hardware is in x2apic mode, which causes hangs.
This happens on defconfig + bare metal + s2ram.
Fix this in lapic_resume() by disabling x2apic if the kernel expects it to be
disabled, i.e. when x2apic_mode = 0.
The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the
pre-sleep configuration or initial boot configuration for each CPU, including
MSR state:
When executing from the power-on reset vector as a result of waking from an
S2 or S3 sleep state, the platform firmware performs only the hardware
initialization required to restore the system to either the state the
platform was in prior to the initial operating system boot, or to the
pre-sleep configuration state. In multiprocessor systems, non-boot
processors should be placed in the same state as prior to the initial
operating system boot.
(further ahead)
If this is an S2 or S3 wake, then the platform runtime firmware restores
minimum context of the system before jumping to the waking vector. This
includes:
CPU configuration. Platform runtime firmware restores the pre-sleep
configuration or initial boot configuration of each CPU (MSR, MTRR,
firmware update, SMBase, and so on). Interrupts must be disabled (for
IA-32 processors, disabled by CLI instruction).
(and other things)
So at least as per the spec, re-enablement of x2apic by the firmware is
allowed if "x2apic on" is a part of the initial boot configuration.
[1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization
[ bp: Massage. ]
Fixes: 6e1cb38a2aef ("x64, x2apic/intr-remap: add x2apic support, including enabling interrupt-remapping")
Co-developed-by: Rahul Bukte <rahul.bukte@sony.com>
Signed-off-by: Rahul Bukte <rahul.bukte@sony.com>
Signed-off-by: Shashank Balaji <shashank.mahadasyam@sony.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Sohil Mehta <sohil.mehta@intel.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260306-x2apic-fix-v2-1-bee99c12efa3@sony.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/apic/apic.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1931,6 +1931,7 @@ void __init check_x2apic(void)
static inline void try_to_enable_x2apic(int remap_mode) { }
static inline void __x2apic_enable(void) { }
+static inline void __x2apic_disable(void) { }
#endif /* !CONFIG_X86_X2APIC */
void __init enable_IR_x2apic(void)
@@ -2652,6 +2653,11 @@ static void lapic_resume(void)
if (x2apic_mode) {
__x2apic_enable();
} else {
+ if (x2apic_enabled()) {
+ pr_warn_once("x2apic: re-enabled by firmware during resume. Disabling\n");
+ __x2apic_disable();
+ }
+
/*
* Make sure the APICBASE points to the right address
*
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 283/481] nvdimm/bus: Fix potential use after free in asynchronous initialization
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 282/481] sunrpc: fix cache_request leak in cache_release Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 284/481] LoongArch: Give more information if kmem access failed Greg Kroah-Hartman
` (32 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dingisoul, Dave Jiang, Ira Weiny
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ira Weiny <ira.weiny@intel.com>
commit a8aec14230322ed8f1e8042b6d656c1631d41163 upstream.
Dingisoul with KASAN reports a use after free if device_add() fails in
nd_async_device_register().
Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while
scheduling async init") correctly added a reference on the parent device
to be held until asynchronous initialization was complete. However, if
device_add() results in an allocation failure the ref count of the
device drops to 0 prior to the parent pointer being accessed. Thus
resulting in use after free.
The bug bot AI correctly identified the fix. Save a reference to the
parent pointer to be used to drop the parent reference regardless of the
outcome of device_add().
Reported-by: Dingisoul <dingiso.kernel@gmail.com>
Closes: http://lore.kernel.org/8855544b-be9e-4153-aa55-0bc328b13733@gmail.com
Fixes: b6eae0f61db2 ("libnvdimm: Hold reference on parent while scheduling async init")
Cc: stable@vger.kernel.org
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://patch.msgid.link/20260306-fix-uaf-async-init-v1-1-a28fd7526723@intel.com
Signed-off-by: Ira Weiny <ira.weiny@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvdimm/bus.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/nvdimm/bus.c
+++ b/drivers/nvdimm/bus.c
@@ -486,14 +486,15 @@ EXPORT_SYMBOL_GPL(nd_synchronize);
static void nd_async_device_register(void *d, async_cookie_t cookie)
{
struct device *dev = d;
+ struct device *parent = dev->parent;
if (device_add(dev) != 0) {
dev_err(dev, "%s: failed\n", __func__);
put_device(dev);
}
put_device(dev);
- if (dev->parent)
- put_device(dev->parent);
+ if (parent)
+ put_device(parent);
}
static void nd_async_device_unregister(void *d, async_cookie_t cookie)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 270/460] cifs: open files should not hold ref on superblock
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 269/460] net: macb: Shuffle the tx ring before enabling tx Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 271/460] crypto: atmel-sha204a - Fix OOM ->tfm_count leak Greg Kroah-Hartman
` (32 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shyam Prasad N, Steve French,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shyam Prasad N <sprasad@microsoft.com>
[ Upstream commit 340cea84f691c5206561bb2e0147158fe02070be ]
Today whenever we deal with a file, in addition to holding
a reference on the dentry, we also get a reference on the
superblock. This happens in two cases:
1. when a new cinode is allocated
2. when an oplock break is being processed
The reasoning for holding the superblock ref was to make sure
that when umount happens, if there are users of inodes and
dentries, it does not try to clean them up and wait for the
last ref to superblock to be dropped by last of such users.
But the side effect of doing that is that umount silently drops
a ref on the superblock and we could have deferred closes and
lease breaks still holding these refs.
Ideally, we should ensure that all of these users of inodes and
dentries are cleaned up at the time of umount, which is what this
code is doing.
This code change allows these code paths to use a ref on the
dentry (and hence the inode). That way, umount is
ensured to clean up SMB client resources when it's the last
ref on the superblock (For ex: when same objects are shared).
The code change also moves the call to close all the files in
deferred close list to the umount code path. It also waits for
oplock_break workers to be flushed before calling
kill_anon_super (which eventually frees up those objects).
Fixes: 24261fc23db9 ("cifs: delay super block destruction until all cifsFileInfo objects are gone")
Fixes: 705c79101ccf ("smb: client: fix use-after-free in cifs_oplock_break")
Cc: <stable@vger.kernel.org>
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ replaced kmalloc_obj() with kmalloc(sizeof(...)) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifsfs.c | 7 +++++--
fs/smb/client/cifsproto.h | 1 +
fs/smb/client/file.c | 11 -----------
fs/smb/client/misc.c | 42 ++++++++++++++++++++++++++++++++++++++++++
fs/smb/client/trace.h | 2 ++
5 files changed, 50 insertions(+), 13 deletions(-)
--- a/fs/smb/client/cifsfs.c
+++ b/fs/smb/client/cifsfs.c
@@ -291,10 +291,14 @@ static void cifs_kill_sb(struct super_bl
/*
* We need to release all dentries for the cached directories
- * before we kill the sb.
+ * and close all deferred file handles before we kill the sb.
*/
if (cifs_sb->root) {
close_all_cached_dirs(cifs_sb);
+ cifs_close_all_deferred_files_sb(cifs_sb);
+
+ /* Wait for all pending oplock breaks to complete */
+ flush_workqueue(cifsoplockd_wq);
/* finally release root dentry */
dput(cifs_sb->root);
@@ -799,7 +803,6 @@ static void cifs_umount_begin(struct sup
spin_unlock(&tcon->tc_lock);
spin_unlock(&cifs_tcp_ses_lock);
- cifs_close_all_deferred_files(tcon);
/* cancel_brl_requests(tcon); */ /* BB mark all brl mids as exiting */
/* cancel_notify_requests(tcon); */
if (tcon->ses && tcon->ses->server) {
--- a/fs/smb/client/cifsproto.h
+++ b/fs/smb/client/cifsproto.h
@@ -298,6 +298,7 @@ extern void cifs_close_deferred_file(str
extern void cifs_close_all_deferred_files(struct cifs_tcon *cifs_tcon);
+void cifs_close_all_deferred_files_sb(struct cifs_sb_info *cifs_sb);
void cifs_close_deferred_file_under_dentry(struct cifs_tcon *cifs_tcon,
struct dentry *dentry);
--- a/fs/smb/client/file.c
+++ b/fs/smb/client/file.c
@@ -690,8 +690,6 @@ struct cifsFileInfo *cifs_new_fileinfo(s
mutex_init(&cfile->fh_mutex);
spin_lock_init(&cfile->file_info_lock);
- cifs_sb_active(inode->i_sb);
-
/*
* If the server returned a read oplock and we have mandatory brlocks,
* set oplock level to None.
@@ -746,7 +744,6 @@ static void cifsFileInfo_put_final(struc
struct inode *inode = d_inode(cifs_file->dentry);
struct cifsInodeInfo *cifsi = CIFS_I(inode);
struct cifsLockInfo *li, *tmp;
- struct super_block *sb = inode->i_sb;
/*
* Delete any outstanding lock records. We'll lose them when the file
@@ -764,7 +761,6 @@ static void cifsFileInfo_put_final(struc
cifs_put_tlink(cifs_file->tlink);
dput(cifs_file->dentry);
- cifs_sb_deactive(sb);
kfree(cifs_file->symlink_target);
kfree(cifs_file);
}
@@ -3075,12 +3071,6 @@ void cifs_oplock_break(struct work_struc
__u64 persistent_fid, volatile_fid;
__u16 net_fid;
- /*
- * Hold a reference to the superblock to prevent it and its inodes from
- * being freed while we are accessing cinode. Otherwise, _cifsFileInfo_put()
- * may release the last reference to the sb and trigger inode eviction.
- */
- cifs_sb_active(sb);
wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS,
TASK_UNINTERRUPTIBLE);
@@ -3153,7 +3143,6 @@ oplock_break_ack:
cifs_put_tlink(tlink);
out:
cifs_done_oplock_break(cinode);
- cifs_sb_deactive(sb);
}
static int cifs_swap_activate(struct swap_info_struct *sis,
--- a/fs/smb/client/misc.c
+++ b/fs/smb/client/misc.c
@@ -27,6 +27,11 @@
#include "fs_context.h"
#include "cached_dir.h"
+struct tcon_list {
+ struct list_head entry;
+ struct cifs_tcon *tcon;
+};
+
/* The xid serves as a useful identifier for each incoming vfs request,
in a similar way to the mid which is useful to track each sent smb,
and CurrentXid can also provide a running counter (although it
@@ -829,6 +834,43 @@ cifs_close_all_deferred_files(struct cif
kfree(tmp_list);
}
}
+
+void cifs_close_all_deferred_files_sb(struct cifs_sb_info *cifs_sb)
+{
+ struct rb_root *root = &cifs_sb->tlink_tree;
+ struct rb_node *node;
+ struct cifs_tcon *tcon;
+ struct tcon_link *tlink;
+ struct tcon_list *tmp_list, *q;
+ LIST_HEAD(tcon_head);
+
+ spin_lock(&cifs_sb->tlink_tree_lock);
+ for (node = rb_first(root); node; node = rb_next(node)) {
+ tlink = rb_entry(node, struct tcon_link, tl_rbnode);
+ tcon = tlink_tcon(tlink);
+ if (IS_ERR(tcon))
+ continue;
+ tmp_list = kmalloc(sizeof(struct tcon_list), GFP_ATOMIC);
+ if (tmp_list == NULL)
+ break;
+ tmp_list->tcon = tcon;
+ /* Take a reference on tcon to prevent it from being freed */
+ spin_lock(&tcon->tc_lock);
+ ++tcon->tc_count;
+ trace_smb3_tcon_ref(tcon->debug_id, tcon->tc_count,
+ netfs_trace_tcon_ref_get_close_defer_files);
+ spin_unlock(&tcon->tc_lock);
+ list_add_tail(&tmp_list->entry, &tcon_head);
+ }
+ spin_unlock(&cifs_sb->tlink_tree_lock);
+
+ list_for_each_entry_safe(tmp_list, q, &tcon_head, entry) {
+ cifs_close_all_deferred_files(tmp_list->tcon);
+ list_del(&tmp_list->entry);
+ cifs_put_tcon(tmp_list->tcon, netfs_trace_tcon_ref_put_close_defer_files);
+ kfree(tmp_list);
+ }
+}
void cifs_close_deferred_file_under_dentry(struct cifs_tcon *tcon,
struct dentry *dentry)
--- a/fs/smb/client/trace.h
+++ b/fs/smb/client/trace.h
@@ -47,6 +47,7 @@
EM(netfs_trace_tcon_ref_get_cached_laundromat, "GET Ch-Lau") \
EM(netfs_trace_tcon_ref_get_cached_lease_break, "GET Ch-Lea") \
EM(netfs_trace_tcon_ref_get_cancelled_close, "GET Cn-Cls") \
+ EM(netfs_trace_tcon_ref_get_close_defer_files, "GET Cl-Def") \
EM(netfs_trace_tcon_ref_get_dfs_refer, "GET DfsRef") \
EM(netfs_trace_tcon_ref_get_find, "GET Find ") \
EM(netfs_trace_tcon_ref_get_find_sess_tcon, "GET FndSes") \
@@ -58,6 +59,7 @@
EM(netfs_trace_tcon_ref_put_cancelled_close, "PUT Cn-Cls") \
EM(netfs_trace_tcon_ref_put_cancelled_close_fid, "PUT Cn-Fid") \
EM(netfs_trace_tcon_ref_put_cancelled_mid, "PUT Cn-Mid") \
+ EM(netfs_trace_tcon_ref_put_close_defer_files, "PUT Cl-Def") \
EM(netfs_trace_tcon_ref_put_mnt_ctx, "PUT MntCtx") \
EM(netfs_trace_tcon_ref_put_dfs_refer, "PUT DfsRfr") \
EM(netfs_trace_tcon_ref_put_reconnect_server, "PUT Reconn") \
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 346/567] lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 345/567] x86/apic: Disable x2apic on resume if the kernel expects so Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 347/567] lib/bootconfig: check bounds before writing in __xbc_open_brace() Greg Kroah-Hartman
` (31 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Law, Masami Hiramatsu (Google)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 1120a36bb1e9b9e22de75ecb4ef0b998f73a97f1 upstream.
snprintf() returns the number of characters that would have been
written excluding the NUL terminator. Output is truncated when the
return value is >= the buffer size, not just > the buffer size.
When ret == size, the current code takes the non-truncated path,
advancing buf by ret and reducing size to 0. This is wrong because
the output was actually truncated (the last character was replaced by
NUL). Fix by using >= so the truncation path is taken correctly.
Link: https://lore.kernel.org/all/20260312191143.28719-4-objecting@objecting.org/
Fixes: 76db5a27a827 ("bootconfig: Add Extra Boot Config support")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/bootconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -318,7 +318,7 @@ int __init xbc_node_compose_key_after(st
depth ? "." : "");
if (ret < 0)
return ret;
- if (ret > size) {
+ if (ret >= size) {
size = 0;
} else {
size -= ret;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 284/481] LoongArch: Give more information if kmem access failed
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 283/481] nvdimm/bus: Fix potential use after free in asynchronous initialization Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 285/481] NFC: nxp-nci: allow GPIOs to sleep Greg Kroah-Hartman
` (31 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tiezhu Yang, Huacai Chen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tiezhu Yang <yangtiezhu@loongson.cn>
commit a47f0754bdd01f971c9715acdbdd3a07515c8f83 upstream.
If memory access such as copy_{from, to}_kernel_nofault() failed, its
users do not know what happened, so it is very useful to print the
exception code for such cases. Furthermore, it is better to print the
caller function to know where is the entry.
Here are the low level call chains:
copy_from_kernel_nofault()
copy_from_kernel_nofault_loop()
__get_kernel_nofault()
copy_to_kernel_nofault()
copy_to_kernel_nofault_loop()
__put_kernel_nofault()
Cc: stable@vger.kernel.org
Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/include/asm/uaccess.h | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/arch/loongarch/include/asm/uaccess.h
+++ b/arch/loongarch/include/asm/uaccess.h
@@ -209,8 +209,13 @@ do { \
\
__get_kernel_common(*((type *)(dst)), sizeof(type), \
(__force type *)(src)); \
- if (unlikely(__gu_err)) \
+ if (unlikely(__gu_err)) { \
+ pr_info("%s: memory access failed, ecode 0x%x\n", \
+ __func__, read_csr_excode()); \
+ pr_info("%s: the caller is %pS\n", \
+ __func__, __builtin_return_address(0)); \
goto err_label; \
+ } \
} while (0)
#define __put_kernel_nofault(dst, src, type, err_label) \
@@ -220,8 +225,13 @@ do { \
\
__pu_val = *(__force type *)(src); \
__put_kernel_common(((type *)(dst)), sizeof(type)); \
- if (unlikely(__pu_err)) \
+ if (unlikely(__pu_err)) { \
+ pr_info("%s: memory access failed, ecode 0x%x\n", \
+ __func__, read_csr_excode()); \
+ pr_info("%s: the caller is %pS\n", \
+ __func__, __builtin_return_address(0)); \
goto err_label; \
+ } \
} while (0)
extern unsigned long __copy_user(void *to, const void *from, __kernel_size_t n);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 271/460] crypto: atmel-sha204a - Fix OOM ->tfm_count leak
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 270/460] cifs: open files should not hold ref on superblock Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 272/460] xfs: fix integer overflow in bmap intent sort comparator Greg Kroah-Hartman
` (31 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit d240b079a37e90af03fd7dfec94930eb6c83936e ]
If memory allocation fails, decrement ->tfm_count to avoid blocking
future reads.
Cc: stable@vger.kernel.org
Fixes: da001fb651b0 ("crypto: atmel-i2c - add support for SHA204A random number generator")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[ adapted kmalloc_obj() macro to kmalloc(sizeof()) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/atmel-sha204a.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/crypto/atmel-sha204a.c
+++ b/drivers/crypto/atmel-sha204a.c
@@ -52,9 +52,10 @@ static int atmel_sha204a_rng_read_nonblo
rng->priv = 0;
} else {
work_data = kmalloc(sizeof(*work_data), GFP_ATOMIC);
- if (!work_data)
+ if (!work_data) {
+ atomic_dec(&i2c_priv->tfm_count);
return -ENOMEM;
-
+ }
work_data->ctx = i2c_priv;
work_data->client = i2c_priv->client;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 347/567] lib/bootconfig: check bounds before writing in __xbc_open_brace()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 346/567] lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 348/567] smb: client: fix atomic open with O_DIRECT & O_SYNC Greg Kroah-Hartman
` (30 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Law, Masami Hiramatsu (Google)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 560f763baa0f2c9a44da4294c06af071405ac46f upstream.
The bounds check for brace_index happens after the array write.
While the current call pattern prevents an actual out-of-bounds
access (the previous call would have returned an error), the
write-before-check pattern is fragile and would become a real
out-of-bounds write if the error return were ever not propagated.
Move the bounds check before the array write so the function is
self-contained and safe regardless of caller behavior.
Link: https://lore.kernel.org/all/20260312191143.28719-3-objecting@objecting.org/
Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes")
Cc: stable@vger.kernel.org
Signed-off-by: Josh Law <objecting@objecting.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/bootconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -534,9 +534,9 @@ static char *skip_spaces_until_newline(c
static int __init __xbc_open_brace(char *p)
{
/* Push the last key as open brace */
- open_brace[brace_index++] = xbc_node_index(last_parent);
if (brace_index >= XBC_DEPTH_MAX)
return xbc_parse_error("Exceed max depth of braces", p);
+ open_brace[brace_index++] = xbc_node_index(last_parent);
return 0;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 285/481] NFC: nxp-nci: allow GPIOs to sleep
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 284/481] LoongArch: Give more information if kmem access failed Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 286/481] net: macb: fix use-after-free access to PTP clock Greg Kroah-Hartman
` (30 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Ray, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Ray <ian.ray@gehealthcare.com>
commit 55dc632ab2ac2889b15995a9eef56c753d48ebc7 upstream.
Allow the firmware and enable GPIOs to sleep.
This fixes a `WARN_ON' and allows the driver to operate GPIOs which are
connected to I2C GPIO expanders.
-- >8 --
kernel: WARNING: CPU: 3 PID: 2636 at drivers/gpio/gpiolib.c:3880 gpiod_set_value+0x88/0x98
-- >8 --
Fixes: 43201767b44c ("NFC: nxp-nci: Convert to use GPIO descriptor")
Cc: stable@vger.kernel.org
Signed-off-by: Ian Ray <ian.ray@gehealthcare.com>
Link: https://patch.msgid.link/20260317085337.146545-1-ian.ray@gehealthcare.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nfc/nxp-nci/i2c.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/nfc/nxp-nci/i2c.c
+++ b/drivers/nfc/nxp-nci/i2c.c
@@ -47,8 +47,8 @@ static int nxp_nci_i2c_set_mode(void *ph
{
struct nxp_nci_i2c_phy *phy = (struct nxp_nci_i2c_phy *) phy_id;
- gpiod_set_value(phy->gpiod_fw, (mode == NXP_NCI_MODE_FW) ? 1 : 0);
- gpiod_set_value(phy->gpiod_en, (mode != NXP_NCI_MODE_COLD) ? 1 : 0);
+ gpiod_set_value_cansleep(phy->gpiod_fw, (mode == NXP_NCI_MODE_FW) ? 1 : 0);
+ gpiod_set_value_cansleep(phy->gpiod_en, (mode != NXP_NCI_MODE_COLD) ? 1 : 0);
usleep_range(10000, 15000);
if (mode == NXP_NCI_MODE_COLD)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 272/460] xfs: fix integer overflow in bmap intent sort comparator
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 271/460] crypto: atmel-sha204a - Fix OOM ->tfm_count leak Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 273/460] drm/xe/sync: Cleanup partially initialized sync on parse failure Greg Kroah-Hartman
` (30 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Long Li, Darrick J. Wong,
Carlos Maiolino, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <leo.lilong@huawei.com>
[ Upstream commit 362c490980867930a098b99f421268fbd7ca05fd ]
xfs_bmap_update_diff_items() sorts bmap intents by inode number using
a subtraction of two xfs_ino_t (uint64_t) values, with the result
truncated to int. This is incorrect when two inode numbers differ by
more than INT_MAX (2^31 - 1), which is entirely possible on large XFS
filesystems.
Fix this by replacing the subtraction with cmp_int().
Cc: <stable@vger.kernel.org> # v4.9
Fixes: 9f3afb57d5f1 ("xfs: implement deferred bmbt map/unmap operations")
Signed-off-by: Long Li <leo.lilong@huawei.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
[ No cmp_int() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_bmap_item.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/xfs/xfs_bmap_item.c
+++ b/fs/xfs/xfs_bmap_item.c
@@ -237,7 +237,8 @@ xfs_bmap_update_diff_items(
struct xfs_bmap_intent *ba = bi_entry(a);
struct xfs_bmap_intent *bb = bi_entry(b);
- return ba->bi_owner->i_ino - bb->bi_owner->i_ino;
+ return ((ba->bi_owner->i_ino > bb->bi_owner->i_ino) -
+ (ba->bi_owner->i_ino < bb->bi_owner->i_ino));
}
/* Log bmap updates in the intent item. */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 348/567] smb: client: fix atomic open with O_DIRECT & O_SYNC
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 347/567] lib/bootconfig: check bounds before writing in __xbc_open_brace() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 349/567] smb: client: fix in-place encryption corruption in SMB2_write() Greg Kroah-Hartman
` (29 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
David Howells, Henrique Carvalho, Tom Talpey, linux-cifs,
Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.org>
commit 4a7d2729dc99437dbb880a64c47828c0d191b308 upstream.
When user application requests O_DIRECT|O_SYNC along with O_CREAT on
open(2), CREATE_NO_BUFFER and CREATE_WRITE_THROUGH bits were missed in
CREATE request when performing an atomic open, thus leading to
potentially data integrity issues.
Fix this by setting those missing bits in CREATE request when
O_DIRECT|O_SYNC has been specified in cifs_do_create().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Henrique Carvalho <henrique.carvalho@suse.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifsglob.h | 11 +++++++++++
fs/smb/client/dir.c | 1 +
fs/smb/client/file.c | 18 +++---------------
3 files changed, 15 insertions(+), 15 deletions(-)
--- a/fs/smb/client/cifsglob.h
+++ b/fs/smb/client/cifsglob.h
@@ -20,6 +20,7 @@
#include <linux/utsname.h>
#include <linux/sched/mm.h>
#include <linux/netfs.h>
+#include <linux/fcntl.h>
#include "cifs_fs_sb.h"
#include "cifsacl.h"
#include <crypto/internal/hash.h>
@@ -2354,4 +2355,14 @@ static inline bool cifs_ses_exiting(stru
return ret;
}
+static inline int cifs_open_create_options(unsigned int oflags, int opts)
+{
+ /* O_SYNC also has bit for O_DSYNC so following check picks up either */
+ if (oflags & O_SYNC)
+ opts |= CREATE_WRITE_THROUGH;
+ if (oflags & O_DIRECT)
+ opts |= CREATE_NO_BUFFER;
+ return opts;
+}
+
#endif /* _CIFS_GLOB_H */
--- a/fs/smb/client/dir.c
+++ b/fs/smb/client/dir.c
@@ -304,6 +304,7 @@ static int cifs_do_create(struct inode *
goto out;
}
+ create_options |= cifs_open_create_options(oflags, create_options);
/*
* if we're not using unix extensions, see if we need to set
* ATTR_READONLY on the create call
--- a/fs/smb/client/file.c
+++ b/fs/smb/client/file.c
@@ -459,15 +459,8 @@ static int cifs_nt_open(const char *full
*********************************************************************/
disposition = cifs_get_disposition(f_flags);
-
/* BB pass O_SYNC flag through on file attributes .. BB */
-
- /* O_SYNC also has bit for O_DSYNC so following check picks up either */
- if (f_flags & O_SYNC)
- create_options |= CREATE_WRITE_THROUGH;
-
- if (f_flags & O_DIRECT)
- create_options |= CREATE_NO_BUFFER;
+ create_options |= cifs_open_create_options(f_flags, create_options);
retry_open:
oparms = (struct cifs_open_parms) {
@@ -1117,13 +1110,8 @@ cifs_reopen_file(struct cifsFileInfo *cf
rdwr_for_fscache = 1;
desired_access = cifs_convert_flags(cfile->f_flags, rdwr_for_fscache);
-
- /* O_SYNC also has bit for O_DSYNC so following check picks up either */
- if (cfile->f_flags & O_SYNC)
- create_options |= CREATE_WRITE_THROUGH;
-
- if (cfile->f_flags & O_DIRECT)
- create_options |= CREATE_NO_BUFFER;
+ create_options |= cifs_open_create_options(cfile->f_flags,
+ create_options);
if (server->ops->get_lease_key)
server->ops->get_lease_key(inode, &cfile->fid);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 286/481] net: macb: fix use-after-free access to PTP clock
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 285/481] NFC: nxp-nci: allow GPIOs to sleep Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 287/481] Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp() Greg Kroah-Hartman
` (29 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Jakub Kicinski
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit 8da13e6d63c1a97f7302d342c89c4a56a55c7015 upstream.
PTP clock is registered on every opening of the interface and destroyed on
every closing. However it may be accessed via get_ts_info ethtool call
which is possible while the interface is just present in the kernel.
BUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426
Read of size 4 at addr ffff8880194345cc by task syz.0.6/948
CPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106
print_address_description mm/kasan/report.c:316 [inline]
print_report+0x17f/0x496 mm/kasan/report.c:420
kasan_report+0xd9/0x180 mm/kasan/report.c:524
ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426
gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349
macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371
__ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558
ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline]
__dev_ethtool net/ethtool/ioctl.c:3017 [inline]
dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095
dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510
sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215
sock_ioctl+0x577/0x6d0 net/socket.c:1320
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
</TASK>
Allocated by task 457:
kmalloc include/linux/slab.h:563 [inline]
kzalloc include/linux/slab.h:699 [inline]
ptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235
gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375
macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920
__dev_open+0x2ce/0x500 net/core/dev.c:1501
__dev_change_flags+0x56a/0x740 net/core/dev.c:8651
dev_change_flags+0x92/0x170 net/core/dev.c:8722
do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833
__rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608
rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655
rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150
netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg+0x14b/0x180 net/socket.c:730
__sys_sendto+0x320/0x3b0 net/socket.c:2152
__do_sys_sendto net/socket.c:2164 [inline]
__se_sys_sendto net/socket.c:2160 [inline]
__x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Freed by task 938:
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1729 [inline]
slab_free_freelist_hook mm/slub.c:1755 [inline]
slab_free mm/slub.c:3687 [inline]
__kmem_cache_free+0xbc/0x320 mm/slub.c:3700
device_release+0xa0/0x240 drivers/base/core.c:2507
kobject_cleanup lib/kobject.c:681 [inline]
kobject_release lib/kobject.c:712 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1cd/0x350 lib/kobject.c:729
put_device+0x1b/0x30 drivers/base/core.c:3805
ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391
gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404
macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966
__dev_close_many+0x1b9/0x310 net/core/dev.c:1585
__dev_close net/core/dev.c:1597 [inline]
__dev_change_flags+0x2bb/0x740 net/core/dev.c:8649
dev_change_flags+0x92/0x170 net/core/dev.c:8722
dev_ifsioc+0x151/0xe00 net/core/dev_ioctl.c:326
dev_ioctl+0x33e/0x1070 net/core/dev_ioctl.c:572
sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215
sock_ioctl+0x577/0x6d0 net/socket.c:1320
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Set the PTP clock pointer to NULL after unregistering.
Fixes: c2594d804d5c ("macb: Common code to enable ptp support for MACB/GEM")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Link: https://patch.msgid.link/20260316103826.74506-1-pchelkin@ispras.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/cadence/macb_ptp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/cadence/macb_ptp.c
+++ b/drivers/net/ethernet/cadence/macb_ptp.c
@@ -400,8 +400,10 @@ void gem_ptp_remove(struct net_device *n
{
struct macb *bp = netdev_priv(ndev);
- if (bp->ptp_clock)
+ if (bp->ptp_clock) {
ptp_clock_unregister(bp->ptp_clock);
+ bp->ptp_clock = NULL;
+ }
gem_ptp_clear_timer(bp);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 273/460] drm/xe/sync: Cleanup partially initialized sync on parse failure
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 272/460] xfs: fix integer overflow in bmap intent sort comparator Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 274/460] ipv6: use RCU in ip6_xmit() Greg Kroah-Hartman
` (29 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Brost, Shuicheng Lin,
Rodrigo Vivi
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuicheng Lin <shuicheng.lin@intel.com>
commit 1bfd7575092420ba5a0b944953c95b74a5646ff8 upstream.
xe_sync_entry_parse() can allocate references (syncobj, fence, chain fence,
or user fence) before hitting a later failure path. Several of those paths
returned directly, leaving partially initialized state and leaking refs.
Route these error paths through a common free_sync label and call
xe_sync_entry_cleanup(sync) before returning the error.
Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Cc: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20260219233516.2938172-5-shuicheng.lin@intel.com
(cherry picked from commit f939bdd9207a5d1fc55cced5459858480686ce22)
Cc: stable@vger.kernel.org
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/xe/xe_sync.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
--- a/drivers/gpu/drm/xe/xe_sync.c
+++ b/drivers/gpu/drm/xe/xe_sync.c
@@ -142,8 +142,10 @@ int xe_sync_entry_parse(struct xe_device
if (!signal) {
sync->fence = drm_syncobj_fence_get(sync->syncobj);
- if (XE_IOCTL_DBG(xe, !sync->fence))
- return -EINVAL;
+ if (XE_IOCTL_DBG(xe, !sync->fence)) {
+ err = -EINVAL;
+ goto free_sync;
+ }
}
break;
@@ -163,17 +165,21 @@ int xe_sync_entry_parse(struct xe_device
if (signal) {
sync->chain_fence = dma_fence_chain_alloc();
- if (!sync->chain_fence)
- return -ENOMEM;
+ if (!sync->chain_fence) {
+ err = -ENOMEM;
+ goto free_sync;
+ }
} else {
sync->fence = drm_syncobj_fence_get(sync->syncobj);
- if (XE_IOCTL_DBG(xe, !sync->fence))
- return -EINVAL;
+ if (XE_IOCTL_DBG(xe, !sync->fence)) {
+ err = -EINVAL;
+ goto free_sync;
+ }
err = dma_fence_chain_find_seqno(&sync->fence,
sync_in.timeline_value);
if (err)
- return err;
+ goto free_sync;
}
break;
@@ -207,6 +213,10 @@ int xe_sync_entry_parse(struct xe_device
sync->timeline_value = sync_in.timeline_value;
return 0;
+
+free_sync:
+ xe_sync_entry_cleanup(sync);
+ return err;
}
int xe_sync_entry_add_deps(struct xe_sync_entry *sync, struct xe_sched_job *job)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 349/567] smb: client: fix in-place encryption corruption in SMB2_write()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 348/567] smb: client: fix atomic open with O_DIRECT & O_SYNC Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 350/567] smb: client: fix iface port assignment in parse_server_interfaces Greg Kroah-Hartman
` (28 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henrique Carvalho, Shyam Prasad N,
Paulo Alcantara (Red Hat), Bharath SM, Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bharath SM <bharathsm@microsoft.com>
commit d78840a6a38d312dc1a51a65317bb67e46f0b929 upstream.
SMB2_write() places write payload in iov[1..n] as part of rq_iov.
smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()
encrypts iov[1] in-place, replacing the original plaintext with
ciphertext. On a replayable error, the retry sends the same iov[1]
which now contains ciphertext instead of the original data,
resulting in corruption.
The corruption is most likely to be observed when connections are
unstable, as reconnects trigger write retries that re-send the
already-encrypted data.
This affects SFU mknod, MF symlinks, etc. On kernels before
6.10 (prior to the netfs conversion), sync writes also used
this path and were similarly affected. The async write path
wasn't unaffected as it uses rq_iter which gets deep-copied.
Fix by moving the write payload into rq_iter via iov_iter_kvec(),
so smb3_init_transform_rq() deep-copies it before encryption.
Cc: stable@vger.kernel.org #6.3+
Acked-by: Henrique Carvalho <henrique.carvalho@suse.com>
Acked-by: Shyam Prasad N <sprasad@microsoft.com>
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -5073,7 +5073,10 @@ replay_again:
memset(&rqst, 0, sizeof(struct smb_rqst));
rqst.rq_iov = iov;
- rqst.rq_nvec = n_vec + 1;
+ /* iov[0] is the SMB header; move payload to rq_iter for encryption safety */
+ rqst.rq_nvec = 1;
+ iov_iter_kvec(&rqst.rq_iter, ITER_SOURCE, &iov[1], n_vec,
+ io_parms->length);
if (retries)
smb2_set_replay(server, &rqst);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 287/481] Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 286/481] net: macb: fix use-after-free access to PTP clock Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 288/481] Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access Greg Kroah-Hartman
` (28 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukas Johannes Möller,
Luiz Augusto von Dentz
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Johannes Möller <research@johannes-moeller.dev>
commit 15145675690cab2de1056e7ed68e59cbd0452529 upstream.
l2cap_ecred_reconf_rsp() casts the incoming data to struct
l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with
result at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes
with result at offset 0).
This causes two problems:
- The sizeof(*rsp) length check requires 8 bytes instead of the
correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected
with -EPROTO.
- rsp->result reads from offset 6 instead of offset 0, returning
wrong data when the packet is large enough to pass the check.
Fix by using the correct type. Also pass the already byte-swapped
result variable to BT_DBG instead of the raw __le16 field.
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Cc: stable@vger.kernel.org
Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6429,7 +6429,7 @@ static inline int l2cap_ecred_reconf_rsp
u8 *data)
{
struct l2cap_chan *chan, *tmp;
- struct l2cap_ecred_conn_rsp *rsp = (void *) data;
+ struct l2cap_ecred_reconf_rsp *rsp = (void *)data;
u16 result;
if (cmd_len < sizeof(*rsp))
@@ -6437,7 +6437,7 @@ static inline int l2cap_ecred_reconf_rsp
result = __le16_to_cpu(rsp->result);
- BT_DBG("result 0x%4.4x", rsp->result);
+ BT_DBG("result 0x%4.4x", result);
if (!result)
return 0;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 274/460] ipv6: use RCU in ip6_xmit()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 273/460] drm/xe/sync: Cleanup partially initialized sync on parse failure Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 275/460] dm-verity: disable recursive forward error correction Greg Kroah-Hartman
` (28 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David Ahern,
Jakub Kicinski, Keerthana K, Shivani Agarwal
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 9085e56501d93af9f2d7bd16f7fcfacdde47b99c upstream.
Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent
possible UAF.
Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250828195823.3958522-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ip6_output.c | 35 +++++++++++++++++++++--------------
1 file changed, 21 insertions(+), 14 deletions(-)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -267,35 +267,36 @@ bool ip6_autoflowlabel(struct net *net,
int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
__u32 mark, struct ipv6_txoptions *opt, int tclass, u32 priority)
{
- struct net *net = sock_net(sk);
const struct ipv6_pinfo *np = inet6_sk(sk);
struct in6_addr *first_hop = &fl6->daddr;
struct dst_entry *dst = skb_dst(skb);
- struct net_device *dev = dst_dev(dst);
struct inet6_dev *idev = ip6_dst_idev(dst);
struct hop_jumbo_hdr *hop_jumbo;
int hoplen = sizeof(*hop_jumbo);
+ struct net *net = sock_net(sk);
unsigned int head_room;
+ struct net_device *dev;
struct ipv6hdr *hdr;
u8 proto = fl6->flowi6_proto;
int seg_len = skb->len;
- int hlimit = -1;
+ int ret, hlimit = -1;
u32 mtu;
+ rcu_read_lock();
+
+ dev = dst_dev_rcu(dst);
head_room = sizeof(struct ipv6hdr) + hoplen + LL_RESERVED_SPACE(dev);
if (opt)
head_room += opt->opt_nflen + opt->opt_flen;
if (unlikely(head_room > skb_headroom(skb))) {
- /* Make sure idev stays alive */
- rcu_read_lock();
+ /* idev stays alive while we hold rcu_read_lock(). */
skb = skb_expand_head(skb, head_room);
if (!skb) {
IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
- rcu_read_unlock();
- return -ENOBUFS;
+ ret = -ENOBUFS;
+ goto unlock;
}
- rcu_read_unlock();
}
if (opt) {
@@ -357,17 +358,21 @@ int ip6_xmit(const struct sock *sk, stru
* skb to its handler for processing
*/
skb = l3mdev_ip6_out((struct sock *)sk, skb);
- if (unlikely(!skb))
- return 0;
+ if (unlikely(!skb)) {
+ ret = 0;
+ goto unlock;
+ }
/* hooks should never assume socket lock is held.
* we promote our socket to non const
*/
- return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
- net, (struct sock *)sk, skb, NULL, dev,
- dst_output);
+ ret = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
+ net, (struct sock *)sk, skb, NULL, dev,
+ dst_output);
+ goto unlock;
}
+ ret = -EMSGSIZE;
skb->dev = dev;
/* ipv6_local_error() does not require socket lock,
* we promote our socket to non const
@@ -376,7 +381,9 @@ int ip6_xmit(const struct sock *sk, stru
IP6_INC_STATS(net, idev, IPSTATS_MIB_FRAGFAILS);
kfree_skb(skb);
- return -EMSGSIZE;
+unlock:
+ rcu_read_unlock();
+ return ret;
}
EXPORT_SYMBOL(ip6_xmit);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 350/567] smb: client: fix iface port assignment in parse_server_interfaces
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 349/567] smb: client: fix in-place encryption corruption in SMB2_write() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 351/567] btrfs: abort transaction on failure to update root in the received subvol ioctl Greg Kroah-Hartman
` (27 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dr. Thomas Orgis, Enzo Matsumiya,
Henrique Carvalho, Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henrique Carvalho <henrique.carvalho@suse.com>
commit d4c7210d2f3ea481a6481f03040a64d9077a6172 upstream.
parse_server_interfaces() initializes interface socket addresses with
CIFS_PORT. When the mount uses a non-default port this overwrites the
configured destination port.
Later, cifs_chan_update_iface() copies this sockaddr into server->dstaddr,
causing reconnect attempts to use the wrong port after server interface
updates.
Use the existing port from server->dstaddr instead.
Cc: stable@vger.kernel.org
Fixes: fe856be475f7 ("CIFS: parse and store info on iface queries")
Tested-by: Dr. Thomas Orgis <thomas.orgis@uni-hamburg.de>
Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2ops.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -586,6 +586,7 @@ parse_server_interfaces(struct network_i
struct iface_info_ipv6 *p6;
struct cifs_server_iface *info = NULL, *iface = NULL, *niface = NULL;
struct cifs_server_iface tmp_iface;
+ __be16 port;
ssize_t bytes_left;
size_t next = 0;
int nb_iface = 0;
@@ -620,6 +621,15 @@ parse_server_interfaces(struct network_i
goto out;
}
+ spin_lock(&ses->server->srv_lock);
+ if (ses->server->dstaddr.ss_family == AF_INET)
+ port = ((struct sockaddr_in *)&ses->server->dstaddr)->sin_port;
+ else if (ses->server->dstaddr.ss_family == AF_INET6)
+ port = ((struct sockaddr_in6 *)&ses->server->dstaddr)->sin6_port;
+ else
+ port = cpu_to_be16(CIFS_PORT);
+ spin_unlock(&ses->server->srv_lock);
+
while (bytes_left >= (ssize_t)sizeof(*p)) {
memset(&tmp_iface, 0, sizeof(tmp_iface));
/* default to 1Gbps when link speed is unset */
@@ -640,7 +650,7 @@ parse_server_interfaces(struct network_i
memcpy(&addr4->sin_addr, &p4->IPv4Address, 4);
/* [MS-SMB2] 2.2.32.5.1.1 Clients MUST ignore these */
- addr4->sin_port = cpu_to_be16(CIFS_PORT);
+ addr4->sin_port = port;
cifs_dbg(FYI, "%s: ipv4 %pI4\n", __func__,
&addr4->sin_addr);
@@ -654,7 +664,7 @@ parse_server_interfaces(struct network_i
/* [MS-SMB2] 2.2.32.5.1.2 Clients MUST ignore these */
addr6->sin6_flowinfo = 0;
addr6->sin6_scope_id = 0;
- addr6->sin6_port = cpu_to_be16(CIFS_PORT);
+ addr6->sin6_port = port;
cifs_dbg(FYI, "%s: ipv6 %pI6\n", __func__,
&addr6->sin6_addr);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 288/481] Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 287/481] Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 289/481] smb: client: fix krb5 mount with username option Greg Kroah-Hartman
` (27 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukas Johannes Möller,
Luiz Augusto von Dentz
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Johannes Möller <research@johannes-moeller.dev>
commit dd815e6e3918dc75a49aaabac36e4f024d675101 upstream.
l2cap_information_rsp() checks that cmd_len covers the fixed
l2cap_info_rsp header (type + result, 4 bytes) but then reads
rsp->data without verifying that the payload is present:
- L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads
4 bytes past the header (needs cmd_len >= 8).
- L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header
(needs cmd_len >= 5).
A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an
out-of-bounds read of adjacent skb data.
Guard each data access with the required payload length check. If the
payload is too short, skip the read and let the state machine complete
with safe defaults (feat_mask and remote_fixed_chan remain zero from
kzalloc), so the info timer cleanup and l2cap_conn_start() still run
and the connection is not stalled.
Fixes: 4e8402a3f884 ("[Bluetooth] Retrieve L2CAP features mask on connection setup")
Cc: stable@vger.kernel.org
Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4861,7 +4861,8 @@ static inline int l2cap_information_rsp(
switch (type) {
case L2CAP_IT_FEAT_MASK:
- conn->feat_mask = get_unaligned_le32(rsp->data);
+ if (cmd_len >= sizeof(*rsp) + sizeof(u32))
+ conn->feat_mask = get_unaligned_le32(rsp->data);
if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
struct l2cap_info_req req;
@@ -4880,7 +4881,8 @@ static inline int l2cap_information_rsp(
break;
case L2CAP_IT_FIXED_CHAN:
- conn->remote_fixed_chan = rsp->data[0];
+ if (cmd_len >= sizeof(*rsp) + sizeof(rsp->data[0]))
+ conn->remote_fixed_chan = rsp->data[0];
conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
conn->info_ident = 0;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 275/460] dm-verity: disable recursive forward error correction
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 274/460] ipv6: use RCU in ip6_xmit() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 276/460] rxrpc: Fix recvmsg() unconditional requeue Greg Kroah-Hartman
` (27 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Guangwu Zhang,
Sami Tolvanen, Eric Biggers, Rahul Sharma
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
[ Upstream commit d9f3e47d3fae0c101d9094bc956ed24e7a0ee801 ]
There are two problems with the recursive correction:
1. It may cause denial-of-service. In fec_read_bufs, there is a loop that
has 253 iterations. For each iteration, we may call verity_hash_for_block
recursively. There is a limit of 4 nested recursions - that means that
there may be at most 253^4 (4 billion) iterations. Red Hat QE team
actually created an image that pushes dm-verity to this limit - and this
image just makes the udev-worker process get stuck in the 'D' state.
2. It doesn't work. In fec_read_bufs we store data into the variable
"fio->bufs", but fio bufs is shared between recursive invocations, if
"verity_hash_for_block" invoked correction recursively, it would
overwrite partially filled fio->bufs.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Guangwu Zhang <guazhang@redhat.com>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
[ The context change is due to the commit bdf253d580d7
("dm-verity: remove support for asynchronous hashes")
in v6.18 which is irrelevant to the logic of this patch. ]
Signed-off-by: Rahul Sharma <black.hawk@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-verity-fec.c | 4 +---
drivers/md/dm-verity-fec.h | 3 ---
2 files changed, 1 insertion(+), 6 deletions(-)
--- a/drivers/md/dm-verity-fec.c
+++ b/drivers/md/dm-verity-fec.c
@@ -424,10 +424,8 @@ int verity_fec_decode(struct dm_verity *
if (!verity_fec_is_enabled(v))
return -EOPNOTSUPP;
- if (fio->level >= DM_VERITY_FEC_MAX_RECURSION) {
- DMWARN_LIMIT("%s: FEC: recursion too deep", v->data_dev->name);
+ if (fio->level)
return -EIO;
- }
fio->level++;
--- a/drivers/md/dm-verity-fec.h
+++ b/drivers/md/dm-verity-fec.h
@@ -23,9 +23,6 @@
#define DM_VERITY_FEC_BUF_MAX \
(1 << (PAGE_SHIFT - DM_VERITY_FEC_BUF_RS_BITS))
-/* maximum recursion level for verity_fec_decode */
-#define DM_VERITY_FEC_MAX_RECURSION 4
-
#define DM_VERITY_OPT_FEC_DEV "use_fec_from_device"
#define DM_VERITY_OPT_FEC_BLOCKS "fec_blocks"
#define DM_VERITY_OPT_FEC_START "fec_start"
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 351/567] btrfs: abort transaction on failure to update root in the received subvol ioctl
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 350/567] smb: client: fix iface port assignment in parse_server_interfaces Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 352/567] iio: dac: ds4424: reject -128 RAW value Greg Kroah-Hartman
` (26 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Anand Jain, Filipe Manana,
David Sterba
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 0f475ee0ebce5c9492b260027cd95270191675fa upstream.
If we failed to update the root we don't abort the transaction, which is
wrong since we already used the transaction to remove an item from the
uuid tree.
Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
CC: stable@vger.kernel.org # 3.12+
Reviewed-by: Anand Jain <asj@kernel.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -4037,7 +4037,8 @@ static long _btrfs_ioctl_set_received_su
ret = btrfs_update_root(trans, fs_info->tree_root,
&root->root_key, &root->root_item);
- if (ret < 0) {
+ if (unlikely(ret < 0)) {
+ btrfs_abort_transaction(trans, ret);
btrfs_end_transaction(trans);
goto out;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 289/481] smb: client: fix krb5 mount with username option
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 288/481] Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 290/481] ksmbd: unset conn->binding on failed binding request Greg Kroah-Hartman
` (26 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oscar Santos,
Paulo Alcantara (Red Hat), David Howells, linux-cifs,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.org>
commit 12b4c5d98cd7ca46d5035a57bcd995df614c14e1 upstream.
Customer reported that some of their krb5 mounts were failing against
a single server as the client was trying to mount the shares with
wrong credentials. It turned out the client was reusing SMB session
from first mount to try mounting the other shares, even though a
different username= option had been specified to the other mounts.
By using username mount option along with sec=krb5 to search for
principals from keytab is supported by cifs.upcall(8) since
cifs-utils-4.8. So fix this by matching username mount option in
match_session() even with Kerberos.
For example, the second mount below should fail with -ENOKEY as there
is no 'foobar' principal in keytab (/etc/krb5.keytab). The client
ends up reusing SMB session from first mount to perform the second
one, which is wrong.
```
$ ktutil
ktutil: add_entry -password -p testuser -k 1 -e aes256-cts
Password for testuser@ZELDA.TEST:
ktutil: write_kt /etc/krb5.keytab
ktutil: quit
$ klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96)
$ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser
$ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar
$ mount -t cifs | grep -Po 'username=\K\w+'
testuser
testuser
```
Reported-by: Oscar Santos <ossantos@redhat.com>
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Cc: David Howells <dhowells@redhat.com>
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/connect.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -1909,6 +1909,10 @@ static int match_session(struct cifs_ses
case Kerberos:
if (!uid_eq(ctx->cred_uid, ses->cred_uid))
return 0;
+ if (strncmp(ses->user_name ?: "",
+ ctx->username ?: "",
+ CIFS_MAX_USERNAME_LEN))
+ return 0;
break;
case NTLMv2:
case RawNTLMSSP:
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 276/460] rxrpc: Fix recvmsg() unconditional requeue
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 275/460] dm-verity: disable recursive forward error correction Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 277/460] btrfs: do not strictly require dirty metadata threshold for metadata writepages Greg Kroah-Hartman
` (26 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable, stable@vger.kernel.org, David Howells
Cc: Greg Kroah-Hartman, patches, Faith, Pumpkin Chang, Marc Dionne,
Nir Ohfeld, Willy Tarreau, Simon Horman, linux-afs, stable,
Jakub Kicinski, Robert Garcia
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 2c28769a51deb6022d7fbd499987e237a01dd63a ]
If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at
the front of the recvmsg queue already has its mutex locked, it requeues
the call - whether or not the call is already queued. The call may be on
the queue because MSG_PEEK was also passed and so the call was not dequeued
or because the I/O thread requeued it.
The unconditional requeue may then corrupt the recvmsg queue, leading to
things like UAFs or refcount underruns.
Fix this by only requeuing the call if it isn't already on the queue - and
moving it to the front if it is already queued. If we don't queue it, we
have to put the ref we obtained by dequeuing it.
Also, MSG_PEEK doesn't dequeue the call so shouldn't call
rxrpc_notify_socket() for the call if we didn't use up all the data on the
queue, so fix that also.
Fixes: 540b1c48c37a ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
Reported-by: Faith <faith@zellic.io>
Reported-by: Pumpkin Chang <pumpkin@devco.re>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Marc Dionne <marc.dionne@auristor.com>
cc: Nir Ohfeld <niro@wiz.io>
cc: Willy Tarreau <w@1wt.eu>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/95163.1768428203@warthog.procyon.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[Use spin_unlock instead of spin_unlock_irq to maintain context consistency.]
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/trace/events/rxrpc.h | 4 ++++
net/rxrpc/recvmsg.c | 19 +++++++++++++++----
2 files changed, 19 insertions(+), 4 deletions(-)
--- a/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -274,6 +274,7 @@
EM(rxrpc_call_put_kernel, "PUT kernel ") \
EM(rxrpc_call_put_poke, "PUT poke ") \
EM(rxrpc_call_put_recvmsg, "PUT recvmsg ") \
+ EM(rxrpc_call_put_recvmsg_peek_nowait, "PUT peek-nwt") \
EM(rxrpc_call_put_release_sock, "PUT rls-sock") \
EM(rxrpc_call_put_release_sock_tba, "PUT rls-sk-a") \
EM(rxrpc_call_put_sendmsg, "PUT sendmsg ") \
@@ -291,6 +292,9 @@
EM(rxrpc_call_see_distribute_error, "SEE dist-err") \
EM(rxrpc_call_see_input, "SEE input ") \
EM(rxrpc_call_see_recvmsg, "SEE recvmsg ") \
+ EM(rxrpc_call_see_recvmsg_requeue, "SEE recv-rqu") \
+ EM(rxrpc_call_see_recvmsg_requeue_first, "SEE recv-rqF") \
+ EM(rxrpc_call_see_recvmsg_requeue_move, "SEE recv-rqM") \
EM(rxrpc_call_see_release, "SEE release ") \
EM(rxrpc_call_see_userid_exists, "SEE u-exists") \
EM(rxrpc_call_see_waiting_call, "SEE q-conn ") \
--- a/net/rxrpc/recvmsg.c
+++ b/net/rxrpc/recvmsg.c
@@ -430,7 +430,8 @@ try_again:
if (rxrpc_call_has_failed(call))
goto call_failed;
- if (!skb_queue_empty(&call->recvmsg_queue))
+ if (!(flags & MSG_PEEK) &&
+ !skb_queue_empty(&call->recvmsg_queue))
rxrpc_notify_socket(call);
goto not_yet_complete;
@@ -461,11 +462,21 @@ error_unlock_call:
error_requeue_call:
if (!(flags & MSG_PEEK)) {
spin_lock(&rx->recvmsg_lock);
- list_add(&call->recvmsg_link, &rx->recvmsg_q);
- spin_unlock(&rx->recvmsg_lock);
+ if (list_empty(&call->recvmsg_link)) {
+ list_add(&call->recvmsg_link, &rx->recvmsg_q);
+ rxrpc_see_call(call, rxrpc_call_see_recvmsg_requeue);
+ spin_unlock(&rx->recvmsg_lock);
+ } else if (list_is_first(&call->recvmsg_link, &rx->recvmsg_q)) {
+ spin_unlock(&rx->recvmsg_lock);
+ rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_first);
+ } else {
+ list_move(&call->recvmsg_link, &rx->recvmsg_q);
+ spin_unlock(&rx->recvmsg_lock);
+ rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_move);
+ }
trace_rxrpc_recvmsg(call_debug_id, rxrpc_recvmsg_requeue, 0);
} else {
- rxrpc_put_call(call, rxrpc_call_put_recvmsg);
+ rxrpc_put_call(call, rxrpc_call_put_recvmsg_peek_nowait);
}
error_no_call:
release_sock(&rx->sk);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 352/567] iio: dac: ds4424: reject -128 RAW value
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 351/567] btrfs: abort transaction on failure to update root in the received subvol ioctl Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 353/567] iio: frequency: adf4377: Fix duplicated soft reset mask Greg Kroah-Hartman
` (25 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Andy Shevchenko,
Jonathan Cameron
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <o.rempel@pengutronix.de>
commit 5187e03b817c26c1c3bcb2645a612ea935c4be89 upstream.
The DS442x DAC uses sign-magnitude encoding, so -128 cannot be represented
in hardware (7-bit magnitude).
Previously, passing -128 resulted in a truncated value that programmed
0mA (magnitude 0) instead of the expected maximum negative current,
effectively failing silently.
Reject -128 to avoid producing the wrong current.
Fixes: d632a2bd8ffc ("iio: dac: ds4422/ds4424 dac driver")
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/ds4424.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/dac/ds4424.c
+++ b/drivers/iio/dac/ds4424.c
@@ -141,7 +141,7 @@ static int ds4424_write_raw(struct iio_d
switch (mask) {
case IIO_CHAN_INFO_RAW:
- if (val < S8_MIN || val > S8_MAX)
+ if (val <= S8_MIN || val > S8_MAX)
return -EINVAL;
if (val > 0) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 290/481] ksmbd: unset conn->binding on failed binding request
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 289/481] smb: client: fix krb5 mount with username option Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 291/481] mmc: sdhci-pci-gli: fix GL9750 DMA write corruption Greg Kroah-Hartman
` (25 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Namjae Jeon,
Steve French
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit 282343cf8a4a5a3603b1cb0e17a7083e4a593b03 upstream.
When a multichannel SMB2_SESSION_SETUP request with
SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true
but never clears it on the error path. This leaves the connection in
a binding state where all subsequent ksmbd_session_lookup_all() calls
fall back to the global sessions table. This fix it by clearing
conn->binding = false in the error path.
Cc: stable@vger.kernel.org
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -1936,6 +1936,7 @@ out_err:
}
}
smb2_set_err_rsp(work);
+ conn->binding = false;
} else {
unsigned int iov_len;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 277/460] btrfs: do not strictly require dirty metadata threshold for metadata writepages
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 276/460] rxrpc: Fix recvmsg() unconditional requeue Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 278/460] ice: fix devlink reload call trace Greg Kroah-Hartman
` (25 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Boris Burkov, Qu Wenruo,
David Sterba, Rahul Sharma
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit 4e159150a9a56d66d247f4b5510bed46fe58aa1c ]
[BUG]
There is an internal report that over 1000 processes are
waiting at the io_schedule_timeout() of balance_dirty_pages(), causing
a system hang and trigger a kernel coredump.
The kernel is v6.4 kernel based, but the root problem still applies to
any upstream kernel before v6.18.
[CAUSE]
>From Jan Kara for his wisdom on the dirty page balance behavior first.
This cgroup dirty limit was what was actually playing the role here
because the cgroup had only a small amount of memory and so the dirty
limit for it was something like 16MB.
Dirty throttling is responsible for enforcing that nobody can dirty
(significantly) more dirty memory than there's dirty limit. Thus when
a task is dirtying pages it periodically enters into balance_dirty_pages()
and we let it sleep there to slow down the dirtying.
When the system is over dirty limit already (either globally or within
a cgroup of the running task), we will not let the task exit from
balance_dirty_pages() until the number of dirty pages drops below the
limit.
So in this particular case, as I already mentioned, there was a cgroup
with relatively small amount of memory and as a result with dirty limit
set at 16MB. A task from that cgroup has dirtied about 28MB worth of
pages in btrfs btree inode and these were practically the only dirty
pages in that cgroup.
So that means the only way to reduce the dirty pages of that cgroup is
to writeback the dirty pages of btrfs btree inode, and only after that
those processes can exit balance_dirty_pages().
Now back to the btrfs part, btree_writepages() is responsible for
writing back dirty btree inode pages.
The problem here is, there is a btrfs internal threshold that if the
btree inode's dirty bytes are below the 32M threshold, it will not
do any writeback.
This behavior is to batch as much metadata as possible so we won't write
back those tree blocks and then later re-COW them again for another
modification.
This internal 32MiB is higher than the existing dirty page size (28MiB),
meaning no writeback will happen, causing a deadlock between btrfs and
cgroup:
- Btrfs doesn't want to write back btree inode until more dirty pages
- Cgroup/MM doesn't want more dirty pages for btrfs btree inode
Thus any process touching that btree inode is put into sleep until
the number of dirty pages is reduced.
Thanks Jan Kara a lot for the analysis of the root cause.
[ENHANCEMENT]
Since kernel commit b55102826d7d ("btrfs: set AS_KERNEL_FILE on the
btree_inode"), btrfs btree inode pages will only be charged to the root
cgroup which should have a much larger limit than btrfs' 32MiB
threshold.
So it should not affect newer kernels.
But for all current LTS kernels, they are all affected by this problem,
and backporting the whole AS_KERNEL_FILE may not be a good idea.
Even for newer kernels I still think it's a good idea to get
rid of the internal threshold at btree_writepages(), since for most cases
cgroup/MM has a better view of full system memory usage than btrfs' fixed
threshold.
For internal callers using btrfs_btree_balance_dirty() since that
function is already doing internal threshold check, we don't need to
bother them.
But for external callers of btree_writepages(), just respect their
requests and write back whatever they want, ignoring the internal
btrfs threshold to avoid such deadlock on btree inode dirty page
balancing.
CC: stable@vger.kernel.org
CC: Jan Kara <jack@suse.cz>
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ The context change is due to the commit 5e121ae687b8
("btrfs: use buffer xarray for extent buffer writeback operations")
in v6.16 which is irrelevant to the logic of this patch. ]
Signed-off-by: Rahul Sharma <black.hawk@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/disk-io.c | 22 ----------------------
fs/btrfs/extent_io.c | 3 +--
fs/btrfs/extent_io.h | 3 +--
3 files changed, 2 insertions(+), 26 deletions(-)
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -498,28 +498,6 @@ static int btree_migrate_folio(struct ad
#define btree_migrate_folio NULL
#endif
-static int btree_writepages(struct address_space *mapping,
- struct writeback_control *wbc)
-{
- int ret;
-
- if (wbc->sync_mode == WB_SYNC_NONE) {
- struct btrfs_fs_info *fs_info;
-
- if (wbc->for_kupdate)
- return 0;
-
- fs_info = inode_to_fs_info(mapping->host);
- /* this is a bit racy, but that's ok */
- ret = __percpu_counter_compare(&fs_info->dirty_metadata_bytes,
- BTRFS_DIRTY_METADATA_THRESH,
- fs_info->dirty_metadata_batch);
- if (ret < 0)
- return 0;
- }
- return btree_write_cache_pages(mapping, wbc);
-}
-
static bool btree_release_folio(struct folio *folio, gfp_t gfp_flags)
{
if (folio_test_writeback(folio) || folio_test_dirty(folio))
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -2088,8 +2088,7 @@ static int submit_eb_page(struct folio *
return 1;
}
-int btree_write_cache_pages(struct address_space *mapping,
- struct writeback_control *wbc)
+int btree_writepages(struct address_space *mapping, struct writeback_control *wbc)
{
struct btrfs_eb_write_context ctx = { .wbc = wbc };
struct btrfs_fs_info *fs_info = inode_to_fs_info(mapping->host);
--- a/fs/btrfs/extent_io.h
+++ b/fs/btrfs/extent_io.h
@@ -244,8 +244,7 @@ void extent_write_locked_range(struct in
u64 start, u64 end, struct writeback_control *wbc,
bool pages_dirty);
int btrfs_writepages(struct address_space *mapping, struct writeback_control *wbc);
-int btree_write_cache_pages(struct address_space *mapping,
- struct writeback_control *wbc);
+int btree_writepages(struct address_space *mapping, struct writeback_control *wbc);
void btrfs_readahead(struct readahead_control *rac);
int set_folio_extent_mapped(struct folio *folio);
int set_page_extent_mapped(struct page *page);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 353/567] iio: frequency: adf4377: Fix duplicated soft reset mask
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 352/567] iio: dac: ds4424: reject -128 RAW value Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 354/567] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() Greg Kroah-Hartman
` (24 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, SeungJu Cheon, Stable,
Jonathan Cameron
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeungJu Cheon <suunj1331@gmail.com>
commit 6c8bf4b604a8a6346ca71f1c027fa01c2c2e04cb upstream.
The regmap_read_poll_timeout() uses ADF4377_0000_SOFT_RESET_R_MSK
twice instead of checking both SOFT_RESET_MSK (bit 0) and
SOFT_RESET_R_MSK (bit 7). This causes an incomplete reset status check.
The code first sets both SOFT_RESET and SOFT_RESET_R bits to 1 via
regmap_update_bits(), then polls for them to be cleared. Since we set
both bits before polling, we should be waiting for both to clear.
Fix by using both masks as done in regmap_update_bits() above.
Fixes: eda549e2e524 ("iio: frequency: adf4377: add support for ADF4377")
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
Cc: Stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/frequency/adf4377.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/frequency/adf4377.c
+++ b/drivers/iio/frequency/adf4377.c
@@ -495,7 +495,7 @@ static int adf4377_soft_reset(struct adf
return ret;
return regmap_read_poll_timeout(st->regmap, 0x0, read_val,
- !(read_val & (ADF4377_0000_SOFT_RESET_R_MSK |
+ !(read_val & (ADF4377_0000_SOFT_RESET_MSK |
ADF4377_0000_SOFT_RESET_R_MSK)), 200, 200 * 100);
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 291/481] mmc: sdhci-pci-gli: fix GL9750 DMA write corruption
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 290/481] ksmbd: unset conn->binding on failed binding request Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 292/481] mmc: sdhci: fix timing selection for 1-bit bus width Greg Kroah-Hartman
` (24 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Matthew Schwartz,
Ben Chuang, Ulf Hansson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Schwartz <matthew.schwartz@linux.dev>
commit 2b76e0cc7803e5ab561c875edaba7f6bbd87fbb0 upstream.
The GL9750 SD host controller has intermittent data corruption during
DMA write operations. The GM_BURST register's R_OSRC_Lmt field
(bits 17:16), which limits outstanding DMA read requests from system
memory, is not being cleared during initialization. The Windows driver
sets R_OSRC_Lmt to zero, limiting requests to the smallest unit.
Clear R_OSRC_Lmt to match the Windows driver behavior. This eliminates
write corruption verified with f3write/f3read tests while maintaining
DMA performance.
Cc: stable@vger.kernel.org
Fixes: e51df6ce668a ("mmc: host: sdhci-pci: Add Genesys Logic GL975x support")
Closes: https://lore.kernel.org/linux-mmc/33d12807-5c72-41ce-8679-57aa11831fad@linux.dev/
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Matthew Schwartz <matthew.schwartz@linux.dev>
Reviewed-by: Ben Chuang <ben.chuang@genesyslogic.com.tw>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-pci-gli.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/mmc/host/sdhci-pci-gli.c
+++ b/drivers/mmc/host/sdhci-pci-gli.c
@@ -70,6 +70,9 @@
#define GLI_9750_MISC_TX1_DLY_VALUE 0x5
#define SDHCI_GLI_9750_MISC_SSC_OFF BIT(26)
+#define SDHCI_GLI_9750_GM_BURST_SIZE 0x510
+#define SDHCI_GLI_9750_GM_BURST_SIZE_R_OSRC_LMT GENMASK(17, 16)
+
#define SDHCI_GLI_9750_TUNING_CONTROL 0x540
#define SDHCI_GLI_9750_TUNING_CONTROL_EN BIT(4)
#define GLI_9750_TUNING_CONTROL_EN_ON 0x1
@@ -212,10 +215,16 @@ static void gli_set_9750(struct sdhci_ho
u32 misc_value;
u32 parameter_value;
u32 control_value;
+ u32 burst_value;
u16 ctrl2;
gl9750_wt_on(host);
+ /* clear R_OSRC_Lmt to avoid DMA write corruption */
+ burst_value = sdhci_readl(host, SDHCI_GLI_9750_GM_BURST_SIZE);
+ burst_value &= ~SDHCI_GLI_9750_GM_BURST_SIZE_R_OSRC_LMT;
+ sdhci_writel(host, burst_value, SDHCI_GLI_9750_GM_BURST_SIZE);
+
driving_value = sdhci_readl(host, SDHCI_GLI_9750_DRIVING);
pll_value = sdhci_readl(host, SDHCI_GLI_9750_PLL);
sw_ctrl_value = sdhci_readl(host, SDHCI_GLI_9750_SW_CTRL);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 278/460] ice: fix devlink reload call trace
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 277/460] btrfs: do not strictly require dirty metadata threshold for metadata writepages Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 279/460] tracing: Add recursion protection in kernel stack trace recording Greg Kroah-Hartman
` (24 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov, Paul Greenwalt,
Paul Menzel, Tony Nguyen, Wenshan Lan, Rinitha S
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Greenwalt <paul.greenwalt@intel.com>
[ Upstream commit d3f867e7a04678640ebcbfb81893c59f4af48586 ]
Commit 4da71a77fc3b ("ice: read internal temperature sensor") introduced
internal temperature sensor reading via HWMON. ice_hwmon_init() was added
to ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a
result if devlink reload is used to reinit the device and then the driver
is removed, a call trace can occur.
BUG: unable to handle page fault for address: ffffffffc0fd4b5d
Call Trace:
string+0x48/0xe0
vsnprintf+0x1f9/0x650
sprintf+0x62/0x80
name_show+0x1f/0x30
dev_attr_show+0x19/0x60
The call trace repeats approximately every 10 minutes when system
monitoring tools (e.g., sadc) attempt to read the orphaned hwmon sysfs
attributes that reference freed module memory.
The sequence is:
1. Driver load, ice_hwmon_init() gets called from ice_init_feature()
2. Devlink reload down, flow does not call ice_remove()
3. Devlink reload up, ice_hwmon_init() gets called from
ice_init_feature() resulting in a second instance
4. Driver unload, ice_hwmon_exit() called from ice_remove() leaving the
first hwmon instance orphaned with dangling pointer
Fix this by moving ice_hwmon_exit() from ice_remove() to
ice_deinit_features() to ensure proper cleanup symmetry with
ice_hwmon_init().
Fixes: 4da71a77fc3b ("ice: read internal temperature sensor")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Paul Greenwalt <paul.greenwalt@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
[ Adjust context. The context change is irrelevant to the current patch
logic. ]
Signed-off-by: Wenshan Lan <jetlan9@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_main.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/net/ethernet/intel/ice/ice_main.c
+++ b/drivers/net/ethernet/intel/ice/ice_main.c
@@ -4920,6 +4920,7 @@ static void ice_deinit_features(struct i
ice_dpll_deinit(pf);
if (pf->eswitch_mode == DEVLINK_ESWITCH_MODE_SWITCHDEV)
xa_destroy(&pf->eswitch.reprs);
+ ice_hwmon_exit(pf);
}
static void ice_init_wakeup(struct ice_pf *pf)
@@ -5451,8 +5452,6 @@ static void ice_remove(struct pci_dev *p
ice_free_vfs(pf);
}
- ice_hwmon_exit(pf);
-
ice_service_task_stop(pf);
ice_aq_cancel_waiting_tasks(pf);
set_bit(ICE_DOWN, pf->state);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 354/567] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 353/567] iio: frequency: adf4377: Fix duplicated soft reset mask Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 355/567] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() Greg Kroah-Hartman
` (23 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Tomasz Duszynski,
Andy Shevchenko, Stable, Jonathan Cameron
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit c3914ce1963c4db25e186112c90fa5d2361e9e0a upstream.
sizeof(num) evaluates to sizeof(size_t) which is 8 bytes on 64-bit,
but the buffer elements are only 4 bytes. The same function already
uses sizeof(*meas) on line 312, making the mismatch evident. Use
sizeof(*meas) consistently.
Fixes: b2e171f5a5c6 ("iio: sps30: add support for serial interface")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Acked-by: Tomasz Duszynski <tduszyns@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/sps30_serial.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/chemical/sps30_serial.c
+++ b/drivers/iio/chemical/sps30_serial.c
@@ -303,7 +303,7 @@ static int sps30_serial_read_meas(struct
if (msleep_interruptible(1000))
return -EINTR;
- ret = sps30_serial_command(state, SPS30_SERIAL_READ_MEAS, NULL, 0, meas, num * sizeof(num));
+ ret = sps30_serial_command(state, SPS30_SERIAL_READ_MEAS, NULL, 0, meas, num * sizeof(*meas));
if (ret < 0)
return ret;
/* if measurements aren't ready sensor returns empty frame */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 292/481] mmc: sdhci: fix timing selection for 1-bit bus width
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 291/481] mmc: sdhci-pci-gli: fix GL9750 DMA write corruption Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 293/481] spi: fix use-after-free on controller registration failure Greg Kroah-Hartman
` (23 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luke Wang, Adrian Hunter,
Ulf Hansson
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luke Wang <ziniu.wang_1@nxp.com>
commit 5e3486e64094c28a526543f1e8aa0d5964b7f02d upstream.
When 1-bit bus width is used with HS200/HS400 capabilities set,
mmc_select_hs200() returns 0 without actually switching. This
causes mmc_select_timing() to skip mmc_select_hs(), leaving eMMC
in legacy mode (26MHz) instead of High Speed SDR (52MHz).
Per JEDEC eMMC spec section 5.3.2, 1-bit mode supports High Speed
SDR. Drop incompatible HS200/HS400/UHS/DDR caps early so timing
selection falls through to mmc_select_hs() correctly.
Fixes: f2119df6b764 ("mmc: sd: add support for signal voltage switch procedure")
Signed-off-by: Luke Wang <ziniu.wang_1@nxp.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -4523,8 +4523,15 @@ int sdhci_setup_host(struct sdhci_host *
* their platform code before calling sdhci_add_host(), and we
* won't assume 8-bit width for hosts without that CAP.
*/
- if (!(host->quirks & SDHCI_QUIRK_FORCE_1_BIT_DATA))
+ if (host->quirks & SDHCI_QUIRK_FORCE_1_BIT_DATA) {
+ host->caps1 &= ~(SDHCI_SUPPORT_SDR104 | SDHCI_SUPPORT_SDR50 | SDHCI_SUPPORT_DDR50);
+ if (host->quirks2 & SDHCI_QUIRK2_CAPS_BIT63_FOR_HS400)
+ host->caps1 &= ~SDHCI_SUPPORT_HS400;
+ mmc->caps2 &= ~(MMC_CAP2_HS200 | MMC_CAP2_HS400 | MMC_CAP2_HS400_ES);
+ mmc->caps &= ~(MMC_CAP_DDR | MMC_CAP_UHS);
+ } else {
mmc->caps |= MMC_CAP_4_BIT_DATA;
+ }
if (host->quirks2 & SDHCI_QUIRK2_HOST_NO_CMD23)
mmc->caps &= ~MMC_CAP_CMD23;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 279/460] tracing: Add recursion protection in kernel stack trace recording
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 278/460] ice: fix devlink reload call trace Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 280/460] Octeontx2-af: Add proper checks for fwdata Greg Kroah-Hartman
` (23 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Joel Fernandes, Paul E. McKenney, Boqun Feng, Yao Kai,
Steven Rostedt (Google), Leon Chen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
[ Upstream commit 5f1ef0dfcb5b7f4a91a9b0e0ba533efd9f7e2cdb ]
A bug was reported about an infinite recursion caused by tracing the rcu
events with the kernel stack trace trigger enabled. The stack trace code
called back into RCU which then called the stack trace again.
Expand the ftrace recursion protection to add a set of bits to protect
events from recursion. Each bit represents the context that the event is
in (normal, softirq, interrupt and NMI).
Have the stack trace code use the interrupt context to protect against
recursion.
Note, the bug showed an issue in both the RCU code as well as the tracing
stacktrace code. This only handles the tracing stack trace side of the
bug. The RCU fix will be handled separately.
Link: https://lore.kernel.org/all/20260102122807.7025fc87@gandalf.local.home/
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Joel Fernandes <joel@joelfernandes.org>
Cc: "Paul E. McKenney" <paulmck@kernel.org>
Cc: Boqun Feng <boqun.feng@gmail.com>
Link: https://patch.msgid.link/20260105203141.515cd49f@gandalf.local.home
Reported-by: Yao Kai <yaokai34@huawei.com>
Tested-by: Yao Kai <yaokai34@huawei.com>
Fixes: 5f5fa7ea89dc ("rcu: Don't use negative nesting depth in __rcu_read_unlock()")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Leon Chen <leonchen.oss@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/trace_recursion.h | 9 +++++++++
kernel/trace/trace.c | 6 ++++++
2 files changed, 15 insertions(+)
--- a/include/linux/trace_recursion.h
+++ b/include/linux/trace_recursion.h
@@ -34,6 +34,13 @@ enum {
TRACE_INTERNAL_SIRQ_BIT,
TRACE_INTERNAL_TRANSITION_BIT,
+ /* Internal event use recursion bits */
+ TRACE_INTERNAL_EVENT_BIT,
+ TRACE_INTERNAL_EVENT_NMI_BIT,
+ TRACE_INTERNAL_EVENT_IRQ_BIT,
+ TRACE_INTERNAL_EVENT_SIRQ_BIT,
+ TRACE_INTERNAL_EVENT_TRANSITION_BIT,
+
TRACE_BRANCH_BIT,
/*
* Abuse of the trace_recursion.
@@ -58,6 +65,8 @@ enum {
#define TRACE_LIST_START TRACE_INTERNAL_BIT
+#define TRACE_EVENT_START TRACE_INTERNAL_EVENT_BIT
+
#define TRACE_CONTEXT_MASK ((1 << (TRACE_LIST_START + TRACE_CONTEXT_BITS)) - 1)
/*
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -2944,6 +2944,11 @@ static void __ftrace_trace_stack(struct
struct ftrace_stack *fstack;
struct stack_entry *entry;
int stackidx;
+ int bit;
+
+ bit = trace_test_and_set_recursion(_THIS_IP_, _RET_IP_, TRACE_EVENT_START);
+ if (bit < 0)
+ return;
/*
* Add one, for this function and the call to save_stack_trace()
@@ -3015,6 +3020,7 @@ static void __ftrace_trace_stack(struct
__this_cpu_dec(ftrace_stack_reserve);
preempt_enable_notrace();
+ trace_clear_recursion(bit);
}
static inline void ftrace_trace_stack(struct trace_array *tr,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 355/567] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 354/567] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 356/567] iio: potentiometer: mcp4131: fix double application of wiper shift Greg Kroah-Hartman
` (22 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Tomasz Duszynski,
Andy Shevchenko, Stable, Jonathan Cameron
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit 216345f98cae7fcc84f49728c67478ac00321c87 upstream.
sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead
of the intended __be32 element size (4 bytes). Use sizeof(*meas) to
correctly match the buffer element type.
Fixes: 8f3f13085278 ("iio: sps30: separate core and interface specific code")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Acked-by: Tomasz Duszynski <tduszyns@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/sps30_i2c.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/chemical/sps30_i2c.c
+++ b/drivers/iio/chemical/sps30_i2c.c
@@ -171,7 +171,7 @@ static int sps30_i2c_read_meas(struct sp
if (!sps30_i2c_meas_ready(state))
return -ETIMEDOUT;
- return sps30_i2c_command(state, SPS30_I2C_READ_MEAS, NULL, 0, meas, sizeof(num) * num);
+ return sps30_i2c_command(state, SPS30_I2C_READ_MEAS, NULL, 0, meas, sizeof(*meas) * num);
}
static int sps30_i2c_clean_fan(struct sps30_state *state)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 293/481] spi: fix use-after-free on controller registration failure
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 292/481] mmc: sdhci: fix timing selection for 1-bit bus width Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 294/481] spi: fix statistics allocation Greg Kroah-Hartman
` (22 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Jander, Johan Hovold,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 8634e05b08ead636e926022f4a98416e13440df9 upstream.
Make sure to deregister from driver core also in the unlikely event that
per-cpu statistics allocation fails during controller registration to
avoid use-after-free (of driver resources) and unclocked register
accesses.
Fixes: 6598b91b5ac3 ("spi: spi.c: Convert statistics to per-cpu u64_stats_t")
Cc: stable@vger.kernel.org # 6.0
Cc: David Jander <david@protonic.nl>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260312151817.32100-2-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -3212,10 +3212,8 @@ int spi_register_controller(struct spi_c
dev_info(dev, "controller is unqueued, this is deprecated\n");
} else if (ctlr->transfer_one || ctlr->transfer_one_message) {
status = spi_controller_initialize_queue(ctlr);
- if (status) {
- device_del(&ctlr->dev);
- goto free_bus_id;
- }
+ if (status)
+ goto del_ctrl;
}
/* Add statistics */
ctlr->pcpu_statistics = spi_alloc_pcpu_stats(dev);
@@ -3238,6 +3236,8 @@ int spi_register_controller(struct spi_c
destroy_queue:
spi_destroy_queue(ctlr);
+del_ctrl:
+ device_del(&ctlr->dev);
free_bus_id:
mutex_lock(&board_lock);
idr_remove(&spi_master_idr, ctlr->bus_num);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 280/460] Octeontx2-af: Add proper checks for fwdata
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 279/460] tracing: Add recursion protection in kernel stack trace recording Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 281/460] io_uring/uring_cmd: fix too strict requirement on ioctl Greg Kroah-Hartman
` (22 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hariprasad Kelam, Jakub Kicinski,
Rajani Kantha
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hariprasad Kelam <hkelam@marvell.com>
[ Upstream commit 4a3dba48188208e4f66822800e042686784d29d1 ]
firmware populates MAC address, link modes (supported, advertised)
and EEPROM data in shared firmware structure which kernel access
via MAC block(CGX/RPM).
Accessing fwdata, on boards booted with out MAC block leading to
kernel panics.
Internal error: Oops: 0000000096000005 [#1] SMP
[ 10.460721] Modules linked in:
[ 10.463779] CPU: 0 UID: 0 PID: 174 Comm: kworker/0:3 Not tainted 6.19.0-rc5-00154-g76ec646abdf7-dirty #3 PREEMPT
[ 10.474045] Hardware name: Marvell OcteonTX CN98XX board (DT)
[ 10.479793] Workqueue: events work_for_cpu_fn
[ 10.484159] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 10.491124] pc : rvu_sdp_init+0x18/0x114
[ 10.495051] lr : rvu_probe+0xe58/0x1d18
Fixes: 997814491cee ("Octeontx2-af: Fetch MAC channel info from firmware")
Fixes: 5f21226b79fd ("Octeontx2-pf: ethtool: support multi advertise mode")
Signed-off-by: Hariprasad Kelam <hkelam@marvell.com>
Link: https://patch.msgid.link/20260121094819.2566786-1-hkelam@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c | 3 +++
drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c
@@ -1224,6 +1224,9 @@ int rvu_mbox_handler_cgx_set_link_mode(s
u8 cgx_idx, lmac;
void *cgxd;
+ if (!rvu->fwdata)
+ return LMAC_AF_ERR_FIRMWARE_DATA_NOT_MAPPED;
+
if (!is_cgx_config_permitted(rvu, req->hdr.pcifunc))
return -EPERM;
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c
@@ -56,7 +56,7 @@ int rvu_sdp_init(struct rvu *rvu)
struct rvu_pfvf *pfvf;
u32 i = 0;
- if (rvu->fwdata->channel_data.valid) {
+ if (rvu->fwdata && rvu->fwdata->channel_data.valid) {
sdp_pf_num[0] = 0;
pfvf = &rvu->pf[sdp_pf_num[0]];
pfvf->sdp_info = &rvu->fwdata->channel_data.info;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 356/567] iio: potentiometer: mcp4131: fix double application of wiper shift
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 355/567] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 357/567] iio: chemical: bme680: Fix measurement wait duration calculation Greg Kroah-Hartman
` (21 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Jonathan Cameron,
Lukas Schmid
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Schmid <lukas.schmid@netcube.li>
commit 85e4614524dca6c0a43874f475a17de2b9725648 upstream.
The MCP4131 wiper address is shifted twice when preparing the SPI
command in mcp4131_write_raw().
The address is already shifted when assigned to the local variable
"address", but is then shifted again when written to data->buf[0].
This results in an incorrect command being sent to the device and
breaks wiper writes to the second channel.
Remove the second shift and use the pre-shifted address directly
when composing the SPI transfer.
Fixes: 22d199a53910 ("iio: potentiometer: add driver for Microchip MCP413X/414X/415X/416X/423X/424X/425X/426X")
Signed-off-by: Lukas Schmid <lukas.schmid@netcube.li>#
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/potentiometer/mcp4131.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/potentiometer/mcp4131.c
+++ b/drivers/iio/potentiometer/mcp4131.c
@@ -222,7 +222,7 @@ static int mcp4131_write_raw(struct iio_
mutex_lock(&data->lock);
- data->buf[0] = address << MCP4131_WIPER_SHIFT;
+ data->buf[0] = address;
data->buf[0] |= MCP4131_WRITE | (val >> 8);
data->buf[1] = val & 0xFF; /* 8 bits here */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 294/481] spi: fix statistics allocation
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 293/481] spi: fix use-after-free on controller registration failure Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 295/481] mtd: rawnand: pl353: make sure optimal timings are applied Greg Kroah-Hartman
` (21 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Jander, Johan Hovold,
Mark Brown
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit dee0774bbb2abb172e9069ce5ffef579b12b3ae9 upstream.
The controller per-cpu statistics is not allocated until after the
controller has been registered with driver core, which leaves a window
where accessing the sysfs attributes can trigger a NULL-pointer
dereference.
Fix this by moving the statistics allocation to controller allocation
while tying its lifetime to that of the controller (rather than using
implicit devres).
Fixes: 6598b91b5ac3 ("spi: spi.c: Convert statistics to per-cpu u64_stats_t")
Cc: stable@vger.kernel.org # 6.0
Cc: David Jander <david@protonic.nl>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260312151817.32100-3-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -2768,6 +2768,8 @@ static void spi_controller_release(struc
struct spi_controller *ctlr;
ctlr = container_of(dev, struct spi_controller, dev);
+
+ free_percpu(ctlr->pcpu_statistics);
kfree(ctlr);
}
@@ -2922,6 +2924,12 @@ struct spi_controller *__spi_alloc_contr
if (!ctlr)
return NULL;
+ ctlr->pcpu_statistics = spi_alloc_pcpu_stats(NULL);
+ if (!ctlr->pcpu_statistics) {
+ kfree(ctlr);
+ return NULL;
+ }
+
device_initialize(&ctlr->dev);
INIT_LIST_HEAD(&ctlr->queue);
spin_lock_init(&ctlr->queue_lock);
@@ -3215,13 +3223,6 @@ int spi_register_controller(struct spi_c
if (status)
goto del_ctrl;
}
- /* Add statistics */
- ctlr->pcpu_statistics = spi_alloc_pcpu_stats(dev);
- if (!ctlr->pcpu_statistics) {
- dev_err(dev, "Error allocating per-cpu statistics\n");
- status = -ENOMEM;
- goto destroy_queue;
- }
mutex_lock(&board_lock);
list_add_tail(&ctlr->list, &spi_controller_list);
@@ -3234,8 +3235,6 @@ int spi_register_controller(struct spi_c
acpi_register_spi_devices(ctlr);
return status;
-destroy_queue:
- spi_destroy_queue(ctlr);
del_ctrl:
device_del(&ctlr->dev);
free_bus_id:
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 281/460] io_uring/uring_cmd: fix too strict requirement on ioctl
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 280/460] Octeontx2-af: Add proper checks for fwdata Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 282/460] x86/uprobes: Fix XOL allocation failure for 32-bit tasks Greg Kroah-Hartman
` (21 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Asbjørn Sloth Tønnesen,
Gabriel Krisman Bertazi, Jens Axboe
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 1951 bytes --]
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Asbjørn Sloth Tønnesen" <ast@fiberby.net>
[ Upstream commit 600b665b903733bd60334e86031b157cc823ee55 ]
Attempting SOCKET_URING_OP_SETSOCKOPT on an AF_NETLINK socket resulted
in an -EOPNOTSUPP, as AF_NETLINK doesn't have an ioctl in its struct
proto, but only in struct proto_ops.
Prior to the blamed commit, io_uring_cmd_sock() only had two cmd_op
operations, both requiring ioctl, thus the check was warranted.
Since then, 4 new cmd_op operations have been added, none of which
depend on ioctl. This patch moves the ioctl check, so it only applies
to the original operations.
AFAICT, the ioctl requirement was unintentional, and it wasn't
visible in the blamed patch within 3 lines of context.
Cc: stable@vger.kernel.org
Fixes: a5d2f99aff6b ("io_uring/cmd: Introduce SOCKET_URING_OP_GETSOCKOPT")
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net>
Reviewed-by: Gabriel Krisman Bertazi <krisman@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[Asbjørn: function moved in commit 91db6edc573b; updated subject prefix]
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/uring_cmd.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/io_uring/uring_cmd.c
+++ b/io_uring/uring_cmd.c
@@ -338,16 +338,19 @@ int io_uring_cmd_sock(struct io_uring_cm
struct proto *prot = READ_ONCE(sk->sk_prot);
int ret, arg = 0;
- if (!prot || !prot->ioctl)
- return -EOPNOTSUPP;
-
switch (cmd->cmd_op) {
case SOCKET_URING_OP_SIOCINQ:
+ if (!prot || !prot->ioctl)
+ return -EOPNOTSUPP;
+
ret = prot->ioctl(sk, SIOCINQ, &arg);
if (ret)
return ret;
return arg;
case SOCKET_URING_OP_SIOCOUTQ:
+ if (!prot || !prot->ioctl)
+ return -EOPNOTSUPP;
+
ret = prot->ioctl(sk, SIOCOUTQ, &arg);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 357/567] iio: chemical: bme680: Fix measurement wait duration calculation
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 356/567] iio: potentiometer: mcp4131: fix double application of wiper shift Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 358/567] iio: buffer: Fix wait_queue not being removed Greg Kroah-Hartman
` (20 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Spencer, Vasileios Amoiridis,
Jonathan Cameron
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Spencer <spencercw@gmail.com>
commit f55b9510cd9437da3a0efa08b089caeb47595ff1 upstream.
This function refers to the Bosch BME680 API as the source of the
calculation, but one of the constants does not match the Bosch
implementation. This appears to be a simple transposition of two digits,
resulting in a wait time that is too short. This can cause the following
'device measurement cycle incomplete' check to occasionally fail, returning
EBUSY to user space.
Adjust the constant to match the Bosch implementation and resolve the EBUSY
errors.
Fixes: 4241665e6ea0 ("iio: chemical: bme680: Fix sensor data read operation")
Link: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x.c#L521
Signed-off-by: Chris Spencer <spencercw@gmail.com>
Acked-by: Vasileios Amoiridis <vassilisamir@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/bme680_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/chemical/bme680_core.c
+++ b/drivers/iio/chemical/bme680_core.c
@@ -550,7 +550,7 @@ static int bme680_wait_for_eoc(struct bm
* + heater duration
*/
int wait_eoc_us = ((data->oversampling_temp + data->oversampling_press +
- data->oversampling_humid) * 1936) + (477 * 4) +
+ data->oversampling_humid) * 1963) + (477 * 4) +
(477 * 5) + 1000 + (data->heater_dur * 1000);
usleep_range(wait_eoc_us, wait_eoc_us + 100);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 295/481] mtd: rawnand: pl353: make sure optimal timings are applied
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 294/481] spi: fix statistics allocation Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 296/481] mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init() Greg Kroah-Hartman
` (20 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Olivier Sobrie, Miquel Raynal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Olivier Sobrie <olivier@sobrie.be>
commit b9465b04de4b90228de03db9a1e0d56b00814366 upstream.
Timings of the nand are adjusted by pl35x_nfc_setup_interface() but
actually applied by the pl35x_nand_select_target() function.
If there is only one nand chip, the pl35x_nand_select_target() will only
apply the timings once since the test at its beginning will always be true
after the first call to this function. As a result, the hardware will
keep using the default timings set at boot to detect the nand chip, not
the optimal ones.
With this patch, we program directly the new timings when
pl35x_nfc_setup_interface() is called.
Fixes: 08d8c62164a3 ("mtd: rawnand: pl353: Add support for the ARM PL353 SMC NAND controller")
Signed-off-by: Olivier Sobrie <olivier@sobrie.be>
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/pl35x-nand-controller.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/mtd/nand/raw/pl35x-nand-controller.c
+++ b/drivers/mtd/nand/raw/pl35x-nand-controller.c
@@ -864,6 +864,9 @@ static int pl35x_nfc_setup_interface(str
PL35X_SMC_NAND_TAR_CYCLES(tmgs.t_ar) |
PL35X_SMC_NAND_TRR_CYCLES(tmgs.t_rr);
+ writel(plnand->timings, nfc->conf_regs + PL35X_SMC_CYCLES);
+ pl35x_smc_update_regs(nfc);
+
return 0;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 282/460] x86/uprobes: Fix XOL allocation failure for 32-bit tasks
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 281/460] io_uring/uring_cmd: fix too strict requirement on ioctl Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 283/460] platform/x86/amd/pmc: Add support for Van Gogh SoC Greg Kroah-Hartman
` (20 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable, Sasha Levin
Cc: Greg Kroah-Hartman, patches, Paulo Andrade, Oleg Nesterov,
Peter Zijlstra (Intel)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
[ Upstream commit d55c571e4333fac71826e8db3b9753fadfbead6a ]
This script
#!/usr/bin/bash
echo 0 > /proc/sys/kernel/randomize_va_space
echo 'void main(void) {}' > TEST.c
# -fcf-protection to ensure that the 1st endbr32 insn can't be emulated
gcc -m32 -fcf-protection=branch TEST.c -o test
bpftrace -e 'uprobe:./test:main {}' -c ./test
"hangs", the probed ./test task enters an endless loop.
The problem is that with randomize_va_space == 0
get_unmapped_area(TASK_SIZE - PAGE_SIZE) called by xol_add_vma() can not
just return the "addr == TASK_SIZE - PAGE_SIZE" hint, this addr is used
by the stack vma.
arch_get_unmapped_area_topdown() doesn't take TIF_ADDR32 into account and
in_32bit_syscall() is false, this leads to info.high_limit > TASK_SIZE.
vm_unmapped_area() happily returns the high address > TASK_SIZE and then
get_unmapped_area() returns -ENOMEM after the "if (addr > TASK_SIZE - len)"
check.
handle_swbp() doesn't report this failure (probably it should) and silently
restarts the probed insn. Endless loop.
I think that the right fix should change the x86 get_unmapped_area() paths
to rely on TIF_ADDR32 rather than in_32bit_syscall(). Note also that if
CONFIG_X86_X32_ABI=y, in_x32_syscall() falsely returns true in this case
because ->orig_ax = -1.
But we need a simple fix for -stable, so this patch just sets TS_COMPAT if
the probed task is 32-bit to make in_ia32_syscall() true.
Fixes: 1b028f784e8c ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
Reported-by: Paulo Andrade <pandrade@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/all/aV5uldEvV7pb4RA8@redhat.com/
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/aWO7Fdxn39piQnxu@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/uprobes.c | 24 ++++++++++++++++++++++++
include/linux/uprobes.h | 1 +
kernel/events/uprobes.c | 10 +++++++---
3 files changed, 32 insertions(+), 3 deletions(-)
--- a/arch/x86/kernel/uprobes.c
+++ b/arch/x86/kernel/uprobes.c
@@ -1223,3 +1223,27 @@ bool arch_uretprobe_is_alive(struct retu
else
return regs->sp <= ret->stack;
}
+
+#ifdef CONFIG_IA32_EMULATION
+unsigned long arch_uprobe_get_xol_area(void)
+{
+ struct thread_info *ti = current_thread_info();
+ unsigned long vaddr;
+
+ /*
+ * HACK: we are not in a syscall, but x86 get_unmapped_area() paths
+ * ignore TIF_ADDR32 and rely on in_32bit_syscall() to calculate
+ * vm_unmapped_area_info.high_limit.
+ *
+ * The #ifdef above doesn't cover the CONFIG_X86_X32_ABI=y case,
+ * but in this case in_32bit_syscall() -> in_x32_syscall() always
+ * (falsely) returns true because ->orig_ax == -1.
+ */
+ if (test_thread_flag(TIF_ADDR32))
+ ti->status |= TS_COMPAT;
+ vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
+ ti->status &= ~TS_COMPAT;
+
+ return vaddr;
+}
+#endif
--- a/include/linux/uprobes.h
+++ b/include/linux/uprobes.h
@@ -146,6 +146,7 @@ extern void arch_uprobe_copy_ixol(struct
extern void uprobe_handle_trampoline(struct pt_regs *regs);
extern void *arch_uprobe_trampoline(unsigned long *psize);
extern unsigned long uprobe_get_trampoline_vaddr(void);
+extern unsigned long arch_uprobe_get_xol_area(void);
#else /* !CONFIG_UPROBES */
struct uprobes_state {
};
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1493,6 +1493,12 @@ static const struct vm_special_mapping x
.fault = xol_fault,
};
+unsigned long __weak arch_uprobe_get_xol_area(void)
+{
+ /* Try to map as high as possible, this is only a hint. */
+ return get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
+}
+
/* Slot allocation for XOL */
static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
{
@@ -1508,9 +1514,7 @@ static int xol_add_vma(struct mm_struct
}
if (!area->vaddr) {
- /* Try to map as high as possible, this is only a hint. */
- area->vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE,
- PAGE_SIZE, 0, 0);
+ area->vaddr = arch_uprobe_get_xol_area();
if (IS_ERR_VALUE(area->vaddr)) {
ret = area->vaddr;
goto fail;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 358/567] iio: buffer: Fix wait_queue not being removed
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 357/567] iio: chemical: bme680: Fix measurement wait duration calculation Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 359/567] iio: gyro: mpu3050-core: fix pm_runtime error handling Greg Kroah-Hartman
` (19 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nuno Sá, David Lechner, Stable,
Jonathan Cameron
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nuno Sá <nuno.sa@analog.com>
commit 064234044056c93a3719d6893e6e5a26a94a61b6 upstream.
In the edge case where the IIO device is unregistered while we're
buffering, we were directly returning an error without removing the wait
queue. Instead, set 'ret' and break out of the loop.
Fixes: 9eeee3b0bf19 ("iio: Add output buffer support")
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-buffer.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -194,8 +194,10 @@ static ssize_t iio_buffer_write(struct f
written = 0;
add_wait_queue(&rb->pollq, &wait);
do {
- if (!indio_dev->info)
- return -ENODEV;
+ if (!indio_dev->info) {
+ ret = -ENODEV;
+ break;
+ }
if (!iio_buffer_space_available(rb)) {
if (signal_pending(current)) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 296/481] mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 295/481] mtd: rawnand: pl353: make sure optimal timings are applied Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 297/481] mtd: Avoid boot crash in RedBoot partition table parser Greg Kroah-Hartman
` (19 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Ni, Alok Tiwari, Miquel Raynal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
commit 0410e1a4c545c769c59c6eda897ad5d574d0c865 upstream.
Fix wrong variable used for error checking after dma_alloc_coherent()
call. The function checks cdns_ctrl->dma_cdma_desc instead of
cdns_ctrl->cdma_desc, which could lead to incorrect error handling.
Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem")
Cc: stable@vger.kernel.org
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Reviewed-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/cadence-nand-controller.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mtd/nand/raw/cadence-nand-controller.c
+++ b/drivers/mtd/nand/raw/cadence-nand-controller.c
@@ -2837,7 +2837,7 @@ static int cadence_nand_init(struct cdns
sizeof(*cdns_ctrl->cdma_desc),
&cdns_ctrl->dma_cdma_desc,
GFP_KERNEL);
- if (!cdns_ctrl->dma_cdma_desc)
+ if (!cdns_ctrl->cdma_desc)
return -ENOMEM;
cdns_ctrl->buf_size = SZ_16K;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 283/460] platform/x86/amd/pmc: Add support for Van Gogh SoC
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 282/460] x86/uprobes: Fix XOL allocation failure for 32-bit tasks Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 284/460] mptcp: pm: in-kernel: always set ID as avail when rm endp Greg Kroah-Hartman
` (19 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antheas Kapenekakis,
Mario Limonciello (AMD), Shyam Sundar S K, Ilpo Järvinen,
Alva Lan
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antheas Kapenekakis <lkml@antheas.dev>
[ Upstream commit db4a3f0fbedb0398f77b9047e8b8bb2b49f355bb ]
The ROG Xbox Ally (non-X) SoC features a similar architecture to the
Steam Deck. While the Steam Deck supports S3 (s2idle causes a crash),
this support was dropped by the Xbox Ally which only S0ix suspend.
Since the handler is missing here, this causes the device to not suspend
and the AMD GPU driver to crash while trying to resume afterwards due to
a power hang.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4659
Signed-off-by: Antheas Kapenekakis <lkml@antheas.dev>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
Link: https://patch.msgid.link/20251024152152.3981721-2-lkml@antheas.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ Adjust context ]
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/amd/pmc/pmc.c | 3 +++
drivers/platform/x86/amd/pmc/pmc.h | 1 +
2 files changed, 4 insertions(+)
--- a/drivers/platform/x86/amd/pmc/pmc.c
+++ b/drivers/platform/x86/amd/pmc/pmc.c
@@ -347,6 +347,7 @@ static void amd_pmc_get_ip_info(struct a
switch (dev->cpu_id) {
case AMD_CPU_ID_PCO:
case AMD_CPU_ID_RN:
+ case AMD_CPU_ID_VG:
case AMD_CPU_ID_YC:
case AMD_CPU_ID_CB:
dev->num_ips = 12;
@@ -765,6 +766,7 @@ static int amd_pmc_get_os_hint(struct am
case AMD_CPU_ID_PCO:
return MSG_OS_HINT_PCO;
case AMD_CPU_ID_RN:
+ case AMD_CPU_ID_VG:
case AMD_CPU_ID_YC:
case AMD_CPU_ID_CB:
case AMD_CPU_ID_PS:
@@ -977,6 +979,7 @@ static const struct pci_device_id pmc_pc
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, AMD_CPU_ID_PCO) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, AMD_CPU_ID_RV) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, AMD_CPU_ID_SP) },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, AMD_CPU_ID_VG) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M20H_ROOT) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M60H_ROOT) },
{ }
--- a/drivers/platform/x86/amd/pmc/pmc.h
+++ b/drivers/platform/x86/amd/pmc/pmc.h
@@ -62,6 +62,7 @@ void amd_mp2_stb_deinit(struct amd_pmc_d
#define AMD_CPU_ID_RN 0x1630
#define AMD_CPU_ID_PCO AMD_CPU_ID_RV
#define AMD_CPU_ID_CZN AMD_CPU_ID_RN
+#define AMD_CPU_ID_VG 0x1645
#define AMD_CPU_ID_YC 0x14B5
#define AMD_CPU_ID_CB 0x14D8
#define AMD_CPU_ID_PS 0x14E8
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 359/567] iio: gyro: mpu3050-core: fix pm_runtime error handling
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 358/567] iio: buffer: Fix wait_queue not being removed Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 360/567] iio: gyro: mpu3050-i2c: " Greg Kroah-Hartman
` (18 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, Antoniu Miclaus,
Stable, Jonathan Cameron
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit acc3949aab3e8094641a9c7c2768de1958c88378 upstream.
The return value of pm_runtime_get_sync() is not checked, allowing
the driver to access hardware that may fail to resume. The device
usage count is also unconditionally incremented. Use
pm_runtime_resume_and_get() which propagates errors and avoids
incrementing the usage count on failure.
In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate()
failure since postdisable does not run when preenable fails.
Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope")
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/gyro/mpu3050-core.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
--- a/drivers/iio/gyro/mpu3050-core.c
+++ b/drivers/iio/gyro/mpu3050-core.c
@@ -322,7 +322,9 @@ static int mpu3050_read_raw(struct iio_d
}
case IIO_CHAN_INFO_RAW:
/* Resume device */
- pm_runtime_get_sync(mpu3050->dev);
+ ret = pm_runtime_resume_and_get(mpu3050->dev);
+ if (ret)
+ return ret;
mutex_lock(&mpu3050->lock);
ret = mpu3050_set_8khz_samplerate(mpu3050);
@@ -651,14 +653,20 @@ out_trigger_unlock:
static int mpu3050_buffer_preenable(struct iio_dev *indio_dev)
{
struct mpu3050 *mpu3050 = iio_priv(indio_dev);
+ int ret;
- pm_runtime_get_sync(mpu3050->dev);
+ ret = pm_runtime_resume_and_get(mpu3050->dev);
+ if (ret)
+ return ret;
/* Unless we have OUR trigger active, run at full speed */
- if (!mpu3050->hw_irq_trigger)
- return mpu3050_set_8khz_samplerate(mpu3050);
+ if (!mpu3050->hw_irq_trigger) {
+ ret = mpu3050_set_8khz_samplerate(mpu3050);
+ if (ret)
+ pm_runtime_put_autosuspend(mpu3050->dev);
+ }
- return 0;
+ return ret;
}
static int mpu3050_buffer_postdisable(struct iio_dev *indio_dev)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 297/481] mtd: Avoid boot crash in RedBoot partition table parser
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 296/481] mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 298/481] iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry Greg Kroah-Hartman
` (18 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kees Cook, linux-hardening,
Finn Thain, Miquel Raynal
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Finn Thain <fthain@linux-m68k.org>
commit 8e2f8020270af7777d49c2e7132260983e4fc566 upstream.
Given CONFIG_FORTIFY_SOURCE=y and a recent compiler,
commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when
available") produces the warning below and an oops.
Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000
------------[ cut here ]------------
WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1
memcmp: detected buffer overflow: 15 byte read of buffer size 14
Modules linked in:
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE
As Kees said, "'names' is pointing to the final 'namelen' many bytes
of the allocation ... 'namelen' could be basically any length at all.
This fortify warning looks legit to me -- this code used to be reading
beyond the end of the allocation."
Since the size of the dynamic allocation is calculated with strlen()
we can use strcmp() instead of memcmp() and remain within bounds.
Cc: Kees Cook <kees@kernel.org>
Cc: stable@vger.kernel.org
Cc: linux-hardening@vger.kernel.org
Link: https://lore.kernel.org/all/202602151911.AD092DFFCD@keescook/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Kees Cook <kees@kernel.org>
Signed-off-by: Finn Thain <fthain@linux-m68k.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/parsers/redboot.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/mtd/parsers/redboot.c
+++ b/drivers/mtd/parsers/redboot.c
@@ -270,9 +270,9 @@ nogood:
strcpy(names, fl->img->name);
#ifdef CONFIG_MTD_REDBOOT_PARTS_READONLY
- if (!memcmp(names, "RedBoot", 8) ||
- !memcmp(names, "RedBoot config", 15) ||
- !memcmp(names, "FIS directory", 14)) {
+ if (!strcmp(names, "RedBoot") ||
+ !strcmp(names, "RedBoot config") ||
+ !strcmp(names, "FIS directory")) {
parts[i].mask_flags = MTD_WRITEABLE;
}
#endif
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 284/460] mptcp: pm: in-kernel: always set ID as avail when rm endp
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 283/460] platform/x86/amd/pmc: Add support for Van Gogh SoC Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 285/460] net: stmmac: remove support for lpi_intr_o Greg Kroah-Hartman
` (18 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+f56f7d56e2c6e11a01b6,
Mat Martineau, Matthieu Baerts (NGI0), Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
commit d191101dee25567c2af3b28565f45346c33d65f5 upstream.
Syzkaller managed to find a combination of actions that was generating
this warning:
WARNING: net/mptcp/pm_kernel.c:1074 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline], CPU#1: syz.7.48/2535
WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline], CPU#1: syz.7.48/2535
WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline], CPU#1: syz.7.48/2535
WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538, CPU#1: syz.7.48/2535
Modules linked in:
CPU: 1 UID: 0 PID: 2535 Comm: syz.7.48 Not tainted 6.18.0-03987-gea5f5e676cf5 #17 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 25.10 PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline]
RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline]
RIP: 0010:mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline]
RIP: 0010:mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538
Code: 89 c7 e8 c5 8c 73 fe e9 f7 fd ff ff 49 83 ef 80 e8 b7 8c 73 fe 4c 89 ff be 03 00 00 00 e8 4a 29 e3 fe eb ac e8 a3 8c 73 fe 90 <0f> 0b 90 e9 3d ff ff ff e8 95 8c 73 fe b8 a1 ff ff ff eb 1a e8 89
RSP: 0018:ffffc9001535b820 EFLAGS: 00010287
netdevsim0: tun_chr_ioctl cmd 1074025677
RAX: ffffffff82da294d RBX: 0000000000000001 RCX: 0000000000080000
RDX: ffffc900096d0000 RSI: 00000000000006d6 RDI: 00000000000006d7
netdevsim0: linktype set to 823
RBP: ffff88802cdb2240 R08: 00000000000104ae R09: ffffffffffffffff
R10: ffffffff82da27d4 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88801246d8c0 R14: ffffc9001535b8b8 R15: ffff88802cdb1800
FS: 00007fc6ac5a76c0(0000) GS:ffff8880f90c8000(0000) knlGS:0000000000000000
netlink: 'syz.3.50': attribute type 5 has an invalid length.
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
netlink: 1232 bytes leftover after parsing attributes in process `syz.3.50'.
CR2: 0000200000010000 CR3: 0000000025b1a000 CR4: 0000000000350ef0
Call Trace:
<TASK>
mptcp_pm_set_flags net/mptcp/pm_netlink.c:277 [inline]
mptcp_pm_nl_set_flags_doit+0x1d7/0x210 net/mptcp/pm_netlink.c:282
genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x4ab/0x5b0 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg+0xc9/0xf0 net/socket.c:733
____sys_sendmsg+0x272/0x3b0 net/socket.c:2608
___sys_sendmsg+0x2de/0x320 net/socket.c:2662
__sys_sendmsg net/socket.c:2694 [inline]
__do_sys_sendmsg net/socket.c:2699 [inline]
__se_sys_sendmsg net/socket.c:2697 [inline]
__x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2697
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xed/0x360 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc6adb66f6d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc6ac5a6ff8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fc6addf5fa0 RCX: 00007fc6adb66f6d
RDX: 0000000000048084 RSI: 00002000000002c0 RDI: 000000000000000e
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
netlink: 'syz.5.51': attribute type 2 has an invalid length.
R13: 00007fff25e91fe0 R14: 00007fc6ac5a7ce4 R15: 00007fff25e920d7
</TASK>
The actions that caused that seem to be:
- Create an MPTCP endpoint for address A without any flags
- Create a new MPTCP connection from address A
- Remove the MPTCP endpoint: the corresponding subflows will be removed
- Recreate the endpoint with the same ID, but with the subflow flag
- Change the same endpoint to add the fullmesh flag
In this case, msk->pm.local_addr_used has been kept to 0 as expected,
but the corresponding bit in msk->pm.id_avail_bitmap was still unset
after having removed the endpoint, causing the splat later on.
When removing an endpoint, the corresponding endpoint ID was only marked
as available for "signal" types with an announced address, plus all
"subflow" types, but not the other types like an endpoint corresponding
to the initial subflow. In these cases, re-creating an endpoint with the
same ID didn't signal/create anything. Here, adding the fullmesh flag
was creating the splat when calling __mark_subflow_endp_available() from
mptcp_pm_nl_fullmesh(), because msk->pm.local_addr_used was set to 0
while the ID was marked as used.
To fix this issue, the corresponding bit in msk->pm.id_avail_bitmap can
always be set as available when removing an MPTCP in-kernel endpoint. In
other words, moving the call to __set_bit() to do it in all cases,
except for "subflow" types where this bit is handled in a dedicated
helper.
Note: instead of adding a new spin_(un)lock_bh that would be taken in
all cases, do all the actions requiring the spin lock under the same
block.
This modification potentially fixes another issue reported by syzbot,
see [1]. But without a reproducer or more details about what exactly
happened before, it is hard to confirm.
Fixes: e255683c06df ("mptcp: pm: re-using ID of unused removed ADD_ADDR")
Cc: stable@vger.kernel.org
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/606
Reported-by: syzbot+f56f7d56e2c6e11a01b6@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/68fcfc4a.050a0220.346f24.02fb.GAE@google.com [1]
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260205-net-mptcp-misc-fixes-6-19-rc8-v2-1-c2720ce75c34@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflict in pm_netlink.c, because commit 8617e85e04bd ("mptcp: pm:
split in-kernel PM specific code") is not in this version, and move
code from pm_netlink.c to pm_kernel.c. Also, commit 636113918508
("mptcp: pm: remove '_nl' from mptcp_pm_nl_rm_addr_received") renamed
mptcp_pm_nl_rm_subflow_received() to mptcp_pm_rm_subflow(). Apart from
that, the same patch can be applied in pm_netlink.c. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1599,10 +1599,8 @@ static bool mptcp_pm_remove_anno_addr(st
ret = remove_anno_list_by_saddr(msk, addr);
if (ret || force) {
spin_lock_bh(&msk->pm.lock);
- if (ret) {
- __set_bit(addr->id, msk->pm.id_avail_bitmap);
+ if (ret)
msk->pm.add_addr_signaled--;
- }
mptcp_pm_remove_addr(msk, &list);
spin_unlock_bh(&msk->pm.lock);
}
@@ -1640,17 +1638,15 @@ static int mptcp_nl_remove_subflow_and_s
!(entry->flags & MPTCP_PM_ADDR_FLAG_IMPLICIT));
list.ids[0] = mptcp_endp_get_local_id(msk, addr);
- if (remove_subflow) {
- spin_lock_bh(&msk->pm.lock);
- mptcp_pm_nl_rm_subflow_received(msk, &list);
- spin_unlock_bh(&msk->pm.lock);
- }
- if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) {
- spin_lock_bh(&msk->pm.lock);
+ spin_lock_bh(&msk->pm.lock);
+ if (remove_subflow)
+ mptcp_pm_nl_rm_subflow_received(msk, &list);
+ if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW)
__mark_subflow_endp_available(msk, list.ids[0]);
- spin_unlock_bh(&msk->pm.lock);
- }
+ else /* mark endp ID as available, e.g. Signal or MPC endp */
+ __set_bit(addr->id, msk->pm.id_avail_bitmap);
+ spin_unlock_bh(&msk->pm.lock);
if (msk->mpc_endpoint_id == entry->addr.id)
msk->mpc_endpoint_id = 0;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 360/567] iio: gyro: mpu3050-i2c: fix pm_runtime error handling
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 359/567] iio: gyro: mpu3050-core: fix pm_runtime error handling Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 361/567] iio: imu: inv_icm42600: fix odr switch to the same value Greg Kroah-Hartman
` (17 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Stable,
Jonathan Cameron
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
commit 91f950b4cbb1aa9ea4eb3999f1463e8044b717fb upstream.
The return value of pm_runtime_get_sync() is not checked, and the
function always returns success. This allows I2C mux operations to
proceed even when the device fails to resume.
Use pm_runtime_resume_and_get() and propagate its return value to
properly handle resume failures.
Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/gyro/mpu3050-i2c.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/iio/gyro/mpu3050-i2c.c
+++ b/drivers/iio/gyro/mpu3050-i2c.c
@@ -19,8 +19,7 @@ static int mpu3050_i2c_bypass_select(str
struct mpu3050 *mpu3050 = i2c_mux_priv(mux);
/* Just power up the device, that is all that is needed */
- pm_runtime_get_sync(mpu3050->dev);
- return 0;
+ return pm_runtime_resume_and_get(mpu3050->dev);
}
static int mpu3050_i2c_bypass_deselect(struct i2c_mux_core *mux, u32 chan_id)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 298/481] iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 297/481] mtd: Avoid boot crash in RedBoot partition table parser Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 299/481] serial: 8250_pci: add support for the AX99100 Greg Kroah-Hartman
` (17 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guanghui Feng, Shuai Xue,
Samiullah Khawaja, Lu Baolu, Joerg Roedel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guanghui Feng <guanghuifeng@linux.alibaba.com>
commit fe89277c9ceb0d6af0aa665bcf24a41d8b1b79cd upstream.
During the qi_check_fault process after an IOMMU ITE event, requests at
odd-numbered positions in the queue are set to QI_ABORT, only satisfying
single-request submissions. However, qi_submit_sync now supports multiple
simultaneous submissions, and can't guarantee that the wait_desc will be
at an odd-numbered position. Therefore, if an item times out, IOMMU can't
re-initiate the request, resulting in an infinite polling wait.
This modifies the process by setting the status of all requests already
fetched by IOMMU and recorded as QI_IN_USE status (including wait_desc
requests) to QI_ABORT, thus enabling multiple requests to be resubmitted.
Fixes: 8a1d82462540 ("iommu/vt-d: Multiple descriptors per qi_submit_sync()")
Cc: stable@vger.kernel.org
Signed-off-by: Guanghui Feng <guanghuifeng@linux.alibaba.com>
Tested-by: Shuai Xue <xueshuai@linux.alibaba.com>
Reviewed-by: Shuai Xue <xueshuai@linux.alibaba.com>
Reviewed-by: Samiullah Khawaja <skhawaja@google.com>
Link: https://lore.kernel.org/r/20260306101516.3885775-1-guanghuifeng@linux.alibaba.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Fixes: 8a1d82462540 ("iommu/vt-d: Multiple descriptors per qi_submit_sync()")
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/intel/dmar.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/iommu/intel/dmar.c
+++ b/drivers/iommu/intel/dmar.c
@@ -1282,7 +1282,6 @@ static int qi_check_fault(struct intel_i
if (fault & DMA_FSTS_ITE) {
head = readl(iommu->reg + DMAR_IQH_REG);
head = ((head >> shift) - 1 + QI_LENGTH) % QI_LENGTH;
- head |= 1;
tail = readl(iommu->reg + DMAR_IQT_REG);
tail = ((tail >> shift) - 1 + QI_LENGTH) % QI_LENGTH;
@@ -1292,7 +1291,7 @@ static int qi_check_fault(struct intel_i
do {
if (qi->desc_status[head] == QI_IN_USE)
qi->desc_status[head] = QI_ABORT;
- head = (head - 2 + QI_LENGTH) % QI_LENGTH;
+ head = (head - 1 + QI_LENGTH) % QI_LENGTH;
} while (head != tail);
if (qi->desc_status[wait_index] == QI_ABORT)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 285/460] net: stmmac: remove support for lpi_intr_o
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 284/460] mptcp: pm: in-kernel: always set ID as avail when rm endp Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 286/460] f2fs: compress: change the first parameter of page_array_{alloc,free} to sbi Greg Kroah-Hartman
` (17 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ovidiu Panait, Russell King (Oracle),
Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Russell King (Oracle)" <rmk+kernel@armlinux.org.uk>
commit 14eb64db8ff07b58a35b98375f446d9e20765674 upstream.
The dwmac databook for v3.74a states that lpi_intr_o is a sideband
signal which should be used to ungate the application clock, and this
signal is synchronous to the receive clock. The receive clock can run
at 2.5, 25 or 125MHz depending on the media speed, and can stop under
the control of the link partner. This means that the time it takes to
clear is dependent on the negotiated media speed, and thus can be 8,
40, or 400ns after reading the LPI control and status register.
It has been observed with some aggressive link partners, this clock
can stop while lpi_intr_o is still asserted, meaning that the signal
remains asserted for an indefinite period that the local system has
no direct control over.
The LPI interrupts will still be signalled through the main interrupt
path in any case, and this path is not dependent on the receive clock.
This, since we do not gate the application clock, and the chances of
adding clock gating in the future are slim due to the clocks being
ill-defined, lpi_intr_o serves no useful purpose. Remove the code which
requests the interrupt, and all associated code.
Reported-by: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
Tested-by: Ovidiu Panait <ovidiu.panait.rb@renesas.com> # Renesas RZ/V2H board
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/E1vnJbt-00000007YYN-28nm@rmk-PC.armlinux.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/stmicro/stmmac/common.h | 1
drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 4 --
drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c | 7 ---
drivers/net/ethernet/stmicro/stmmac/stmmac.h | 2 -
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 36 ------------------
drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 8 ----
include/linux/stmmac.h | 1
7 files changed, 59 deletions(-)
--- a/drivers/net/ethernet/stmicro/stmmac/common.h
+++ b/drivers/net/ethernet/stmicro/stmmac/common.h
@@ -374,7 +374,6 @@ enum request_irq_err {
REQ_IRQ_ERR_SFTY,
REQ_IRQ_ERR_SFTY_UE,
REQ_IRQ_ERR_SFTY_CE,
- REQ_IRQ_ERR_LPI,
REQ_IRQ_ERR_WOL,
REQ_IRQ_ERR_MAC,
REQ_IRQ_ERR_NO,
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c
@@ -618,7 +618,6 @@ static int intel_mgbe_common_data(struct
/* Setup MSI vector offset specific to Intel mGbE controller */
plat->msi_mac_vec = 29;
- plat->msi_lpi_vec = 28;
plat->msi_sfty_ce_vec = 27;
plat->msi_sfty_ue_vec = 26;
plat->msi_rx_base_vec = 0;
@@ -1004,8 +1003,6 @@ static int stmmac_config_multi_msi(struc
res->irq = pci_irq_vector(pdev, plat->msi_mac_vec);
if (plat->msi_wol_vec < STMMAC_MSI_VEC_MAX)
res->wol_irq = pci_irq_vector(pdev, plat->msi_wol_vec);
- if (plat->msi_lpi_vec < STMMAC_MSI_VEC_MAX)
- res->lpi_irq = pci_irq_vector(pdev, plat->msi_lpi_vec);
if (plat->msi_sfty_ce_vec < STMMAC_MSI_VEC_MAX)
res->sfty_ce_irq = pci_irq_vector(pdev, plat->msi_sfty_ce_vec);
if (plat->msi_sfty_ue_vec < STMMAC_MSI_VEC_MAX)
@@ -1087,7 +1084,6 @@ static int intel_eth_pci_probe(struct pc
*/
plat->msi_mac_vec = STMMAC_MSI_VEC_MAX;
plat->msi_wol_vec = STMMAC_MSI_VEC_MAX;
- plat->msi_lpi_vec = STMMAC_MSI_VEC_MAX;
plat->msi_sfty_ce_vec = STMMAC_MSI_VEC_MAX;
plat->msi_sfty_ue_vec = STMMAC_MSI_VEC_MAX;
plat->msi_rx_base_vec = STMMAC_MSI_VEC_MAX;
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
@@ -476,13 +476,6 @@ static int loongson_dwmac_dt_config(stru
res->wol_irq = res->irq;
}
- res->lpi_irq = of_irq_get_byname(np, "eth_lpi");
- if (res->lpi_irq < 0) {
- dev_err(&pdev->dev, "IRQ eth_lpi not found\n");
- ret = -ENODEV;
- goto err_put_node;
- }
-
ret = device_get_phy_mode(&pdev->dev);
if (ret < 0) {
dev_err(&pdev->dev, "phy_mode not found\n");
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h
@@ -29,7 +29,6 @@ struct stmmac_resources {
void __iomem *addr;
u8 mac[ETH_ALEN];
int wol_irq;
- int lpi_irq;
int irq;
int sfty_irq;
int sfty_ce_irq;
@@ -314,7 +313,6 @@ struct stmmac_priv {
bool wol_irq_disabled;
int clk_csr;
struct timer_list eee_ctrl_timer;
- int lpi_irq;
int eee_enabled;
int eee_active;
int tx_lpi_timer;
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -3580,10 +3580,6 @@ static void stmmac_free_irq(struct net_d
free_irq(priv->sfty_ce_irq, dev);
fallthrough;
case REQ_IRQ_ERR_SFTY_CE:
- if (priv->lpi_irq > 0 && priv->lpi_irq != dev->irq)
- free_irq(priv->lpi_irq, dev);
- fallthrough;
- case REQ_IRQ_ERR_LPI:
if (priv->wol_irq > 0 && priv->wol_irq != dev->irq)
free_irq(priv->wol_irq, dev);
fallthrough;
@@ -3642,24 +3638,6 @@ static int stmmac_request_irq_multi_msi(
}
}
- /* Request the LPI IRQ in case of another line
- * is used for LPI
- */
- if (priv->lpi_irq > 0 && priv->lpi_irq != dev->irq) {
- int_name = priv->int_name_lpi;
- sprintf(int_name, "%s:%s", dev->name, "lpi");
- ret = request_irq(priv->lpi_irq,
- stmmac_mac_interrupt,
- 0, int_name, dev);
- if (unlikely(ret < 0)) {
- netdev_err(priv->dev,
- "%s: alloc lpi MSI %d (error: %d)\n",
- __func__, priv->lpi_irq, ret);
- irq_err = REQ_IRQ_ERR_LPI;
- goto irq_error;
- }
- }
-
/* Request the common Safety Feature Correctible/Uncorrectible
* Error line in case of another line is used
*/
@@ -3800,19 +3778,6 @@ static int stmmac_request_irq_single(str
}
}
- /* Request the IRQ lines */
- if (priv->lpi_irq > 0 && priv->lpi_irq != dev->irq) {
- ret = request_irq(priv->lpi_irq, stmmac_interrupt,
- IRQF_SHARED, dev->name, dev);
- if (unlikely(ret < 0)) {
- netdev_err(priv->dev,
- "%s: ERROR: allocating the LPI IRQ %d (%d)\n",
- __func__, priv->lpi_irq, ret);
- irq_err = REQ_IRQ_ERR_LPI;
- goto irq_error;
- }
- }
-
/* Request the common Safety Feature Correctible/Uncorrectible
* Error line in case of another line is used
*/
@@ -7576,7 +7541,6 @@ int stmmac_dvr_probe(struct device *devi
priv->dev->irq = res->irq;
priv->wol_irq = res->wol_irq;
- priv->lpi_irq = res->lpi_irq;
priv->sfty_irq = res->sfty_irq;
priv->sfty_ce_irq = res->sfty_ce_irq;
priv->sfty_ue_irq = res->sfty_ue_irq;
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
@@ -733,14 +733,6 @@ int stmmac_get_platform_resources(struct
stmmac_res->wol_irq = stmmac_res->irq;
}
- stmmac_res->lpi_irq =
- platform_get_irq_byname_optional(pdev, "eth_lpi");
- if (stmmac_res->lpi_irq < 0) {
- if (stmmac_res->lpi_irq == -EPROBE_DEFER)
- return -EPROBE_DEFER;
- dev_info(&pdev->dev, "IRQ eth_lpi not found\n");
- }
-
stmmac_res->sfty_irq =
platform_get_irq_byname_optional(pdev, "sfty");
if (stmmac_res->sfty_irq < 0) {
--- a/include/linux/stmmac.h
+++ b/include/linux/stmmac.h
@@ -268,7 +268,6 @@ struct plat_stmmacenet_data {
int int_snapshot_num;
int msi_mac_vec;
int msi_wol_vec;
- int msi_lpi_vec;
int msi_sfty_ce_vec;
int msi_sfty_ue_vec;
int msi_rx_base_vec;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 361/567] iio: imu: inv_icm42600: fix odr switch to the same value
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 360/567] iio: gyro: mpu3050-i2c: " Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 362/567] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors Greg Kroah-Hartman
` (16 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean-Baptiste Maneyrol,
Jonathan Cameron
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
commit c9f3a593137d862d424130343e77d4b5260a4f5a upstream.
ODR switch is done in 2 steps when FIFO is on : change the ODR register
value and acknowledge change when reading the FIFO ODR change flag.
When we are switching to the same odr value, we end up waiting for a
FIFO ODR flag that is never happening.
Fix the issue by doing nothing and exiting properly when we are
switching to the same ODR value.
Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 2 ++
drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 2 ++
2 files changed, 4 insertions(+)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
@@ -321,6 +321,8 @@ static int inv_icm42600_accel_write_odr(
return -EINVAL;
conf.odr = inv_icm42600_accel_odr_conv[idx / 2];
+ if (conf.odr == st->conf.accel.odr)
+ return 0;
pm_runtime_get_sync(dev);
mutex_lock(&st->lock);
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
@@ -333,6 +333,8 @@ static int inv_icm42600_gyro_write_odr(s
return -EINVAL;
conf.odr = inv_icm42600_gyro_odr_conv[idx / 2];
+ if (conf.odr == st->conf.gyro.odr)
+ return 0;
pm_runtime_get_sync(dev);
mutex_lock(&st->lock);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 299/481] serial: 8250_pci: add support for the AX99100
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 298/481] iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 300/481] serial: 8250: Fix TX deadlock when using DMA Greg Kroah-Hartman
` (16 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Martin Roukala , stable
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Roukala (né Peres) <martin.roukala@mupuf.org>
commit 9c0072bc33d349c83d223e64be30794e11938a6b upstream.
This is found in popular brands such as StarTech.com or Delock, and has
been a source of frustration to quite a few people, if I can trust
Amazon comments complaining about Linux support via the official
out-of-the-tree driver.
Signed-off-by: Martin Roukala (né Peres) <martin.roukala@mupuf.org>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260309-8250_pci_ax99100-v1-1-3328bdfd8e94@mupuf.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_pci.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -58,6 +58,8 @@ struct serial_private {
};
#define PCI_DEVICE_ID_HPE_PCI_SERIAL 0x37e
+#define PCIE_VENDOR_ID_ASIX 0x125B
+#define PCIE_DEVICE_ID_AX99100 0x9100
static const struct pci_device_id pci_use_msi[] = {
{ PCI_DEVICE_SUB(PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9900,
@@ -70,6 +72,8 @@ static const struct pci_device_id pci_us
0xA000, 0x1000) },
{ PCI_DEVICE_SUB(PCI_VENDOR_ID_HP_3PAR, PCI_DEVICE_ID_HPE_PCI_SERIAL,
PCI_ANY_ID, PCI_ANY_ID) },
+ { PCI_DEVICE_SUB(PCIE_VENDOR_ID_ASIX, PCIE_DEVICE_ID_AX99100,
+ 0xA000, 0x1000) },
{ }
};
@@ -854,6 +858,7 @@ static int pci_netmos_init(struct pci_de
case PCI_DEVICE_ID_NETMOS_9912:
case PCI_DEVICE_ID_NETMOS_9922:
case PCI_DEVICE_ID_NETMOS_9900:
+ case PCIE_DEVICE_ID_AX99100:
num_serial = pci_netmos_9900_numports(dev);
break;
@@ -2416,6 +2421,14 @@ static struct pci_serial_quirk pci_seria
.init = pci_netmos_init,
.setup = pci_netmos_9900_setup,
},
+ {
+ .vendor = PCIE_VENDOR_ID_ASIX,
+ .device = PCI_ANY_ID,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .init = pci_netmos_init,
+ .setup = pci_netmos_9900_setup,
+ },
/*
* EndRun Technologies
*/
@@ -5960,6 +5973,10 @@ static const struct pci_device_id serial
0xA000, 0x3002,
0, 0, pbn_NETMOS9900_2s_115200 },
+ { PCIE_VENDOR_ID_ASIX, PCIE_DEVICE_ID_AX99100,
+ 0xA000, 0x1000,
+ 0, 0, pbn_b0_1_115200 },
+
/*
* Best Connectivity and Rosewill PCI Multi I/O cards
*/
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 286/460] f2fs: compress: change the first parameter of page_array_{alloc,free} to sbi
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 285/460] net: stmmac: remove support for lpi_intr_o Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 287/460] f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic Greg Kroah-Hartman
` (16 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhiguo Niu, Baocong Liu, Chao Yu,
Jaegeuk Kim, Bin Lan
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhiguo Niu <zhiguo.niu@unisoc.com>
[ Upstream commit 8e2a9b656474d67c55010f2c003ea2cf889a19ff ]
No logic changes, just cleanup and prepare for fixing the UAF issue
in f2fs_free_dic.
Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Signed-off-by: Baocong Liu <baocong.liu@unisoc.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/compress.c | 40 ++++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 20 deletions(-)
--- a/fs/f2fs/compress.c
+++ b/fs/f2fs/compress.c
@@ -23,20 +23,18 @@
static struct kmem_cache *cic_entry_slab;
static struct kmem_cache *dic_entry_slab;
-static void *page_array_alloc(struct inode *inode, int nr)
+static void *page_array_alloc(struct f2fs_sb_info *sbi, int nr)
{
- struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
unsigned int size = sizeof(struct page *) * nr;
if (likely(size <= sbi->page_array_slab_size))
return f2fs_kmem_cache_alloc(sbi->page_array_slab,
- GFP_F2FS_ZERO, false, F2FS_I_SB(inode));
+ GFP_F2FS_ZERO, false, sbi);
return f2fs_kzalloc(sbi, size, GFP_NOFS);
}
-static void page_array_free(struct inode *inode, void *pages, int nr)
+static void page_array_free(struct f2fs_sb_info *sbi, void *pages, int nr)
{
- struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
unsigned int size = sizeof(struct page *) * nr;
if (!pages)
@@ -147,13 +145,13 @@ int f2fs_init_compress_ctx(struct compre
if (cc->rpages)
return 0;
- cc->rpages = page_array_alloc(cc->inode, cc->cluster_size);
+ cc->rpages = page_array_alloc(F2FS_I_SB(cc->inode), cc->cluster_size);
return cc->rpages ? 0 : -ENOMEM;
}
void f2fs_destroy_compress_ctx(struct compress_ctx *cc, bool reuse)
{
- page_array_free(cc->inode, cc->rpages, cc->cluster_size);
+ page_array_free(F2FS_I_SB(cc->inode), cc->rpages, cc->cluster_size);
cc->rpages = NULL;
cc->nr_rpages = 0;
cc->nr_cpages = 0;
@@ -616,6 +614,7 @@ static void *f2fs_vmap(struct page **pag
static int f2fs_compress_pages(struct compress_ctx *cc)
{
+ struct f2fs_sb_info *sbi = F2FS_I_SB(cc->inode);
struct f2fs_inode_info *fi = F2FS_I(cc->inode);
const struct f2fs_compress_ops *cops =
f2fs_cops[fi->i_compress_algorithm];
@@ -636,7 +635,7 @@ static int f2fs_compress_pages(struct co
cc->nr_cpages = DIV_ROUND_UP(max_len, PAGE_SIZE);
cc->valid_nr_cpages = cc->nr_cpages;
- cc->cpages = page_array_alloc(cc->inode, cc->nr_cpages);
+ cc->cpages = page_array_alloc(sbi, cc->nr_cpages);
if (!cc->cpages) {
ret = -ENOMEM;
goto destroy_compress_ctx;
@@ -711,7 +710,7 @@ out_free_cpages:
if (cc->cpages[i])
f2fs_compress_free_page(cc->cpages[i]);
}
- page_array_free(cc->inode, cc->cpages, cc->nr_cpages);
+ page_array_free(sbi, cc->cpages, cc->nr_cpages);
cc->cpages = NULL;
destroy_compress_ctx:
if (cops->destroy_compress_ctx)
@@ -1325,7 +1324,7 @@ static int f2fs_write_compressed_pages(s
cic->magic = F2FS_COMPRESSED_PAGE_MAGIC;
cic->inode = inode;
atomic_set(&cic->pending_pages, cc->valid_nr_cpages);
- cic->rpages = page_array_alloc(cc->inode, cc->cluster_size);
+ cic->rpages = page_array_alloc(sbi, cc->cluster_size);
if (!cic->rpages)
goto out_put_cic;
@@ -1427,13 +1426,13 @@ unlock_continue:
spin_unlock(&fi->i_size_lock);
f2fs_put_rpages(cc);
- page_array_free(cc->inode, cc->cpages, cc->nr_cpages);
+ page_array_free(sbi, cc->cpages, cc->nr_cpages);
cc->cpages = NULL;
f2fs_destroy_compress_ctx(cc, false);
return 0;
out_destroy_crypt:
- page_array_free(cc->inode, cic->rpages, cc->cluster_size);
+ page_array_free(sbi, cic->rpages, cc->cluster_size);
for (--i; i >= 0; i--) {
if (!cc->cpages[i])
@@ -1454,7 +1453,7 @@ out_free:
f2fs_compress_free_page(cc->cpages[i]);
cc->cpages[i] = NULL;
}
- page_array_free(cc->inode, cc->cpages, cc->nr_cpages);
+ page_array_free(sbi, cc->cpages, cc->nr_cpages);
cc->cpages = NULL;
return -EAGAIN;
}
@@ -1484,7 +1483,7 @@ void f2fs_compress_write_end_io(struct b
end_page_writeback(cic->rpages[i]);
}
- page_array_free(cic->inode, cic->rpages, cic->nr_rpages);
+ page_array_free(sbi, cic->rpages, cic->nr_rpages);
kmem_cache_free(cic_entry_slab, cic);
}
@@ -1623,7 +1622,7 @@ static int f2fs_prepare_decomp_mem(struc
if (!allow_memalloc_for_decomp(F2FS_I_SB(dic->inode), pre_alloc))
return 0;
- dic->tpages = page_array_alloc(dic->inode, dic->cluster_size);
+ dic->tpages = page_array_alloc(F2FS_I_SB(dic->inode), dic->cluster_size);
if (!dic->tpages)
return -ENOMEM;
@@ -1683,7 +1682,7 @@ struct decompress_io_ctx *f2fs_alloc_dic
if (!dic)
return ERR_PTR(-ENOMEM);
- dic->rpages = page_array_alloc(cc->inode, cc->cluster_size);
+ dic->rpages = page_array_alloc(sbi, cc->cluster_size);
if (!dic->rpages) {
kmem_cache_free(dic_entry_slab, dic);
return ERR_PTR(-ENOMEM);
@@ -1704,7 +1703,7 @@ struct decompress_io_ctx *f2fs_alloc_dic
dic->rpages[i] = cc->rpages[i];
dic->nr_rpages = cc->cluster_size;
- dic->cpages = page_array_alloc(dic->inode, dic->nr_cpages);
+ dic->cpages = page_array_alloc(sbi, dic->nr_cpages);
if (!dic->cpages) {
ret = -ENOMEM;
goto out_free;
@@ -1734,6 +1733,7 @@ static void f2fs_free_dic(struct decompr
bool bypass_destroy_callback)
{
int i;
+ struct f2fs_sb_info *sbi = F2FS_I_SB(dic->inode);
f2fs_release_decomp_mem(dic, bypass_destroy_callback, true);
@@ -1745,7 +1745,7 @@ static void f2fs_free_dic(struct decompr
continue;
f2fs_compress_free_page(dic->tpages[i]);
}
- page_array_free(dic->inode, dic->tpages, dic->cluster_size);
+ page_array_free(sbi, dic->tpages, dic->cluster_size);
}
if (dic->cpages) {
@@ -1754,10 +1754,10 @@ static void f2fs_free_dic(struct decompr
continue;
f2fs_compress_free_page(dic->cpages[i]);
}
- page_array_free(dic->inode, dic->cpages, dic->nr_cpages);
+ page_array_free(sbi, dic->cpages, dic->nr_cpages);
}
- page_array_free(dic->inode, dic->rpages, dic->nr_rpages);
+ page_array_free(sbi, dic->rpages, dic->nr_rpages);
kmem_cache_free(dic_entry_slab, dic);
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 362/567] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 361/567] iio: imu: inv_icm42600: fix odr switch to the same value Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 363/567] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort Greg Kroah-Hartman
` (15 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit 4167b8914463132654e01e16259847d097f8a7f7 upstream.
The MIPI I3C HCI driver currently returns -ETIME for various timeout
conditions, while other I3C master drivers consistently use -ETIMEDOUT
for the same class of errors. Align the HCI driver with the rest of the
subsystem by replacing all uses of -ETIME with -ETIMEDOUT.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-2-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/cmd_v1.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/cmd_v2.c | 2 +-
drivers/i3c/master/mipi-i3c-hci/core.c | 6 +++---
3 files changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/i3c/master/mipi-i3c-hci/cmd_v1.c
+++ b/drivers/i3c/master/mipi-i3c-hci/cmd_v1.c
@@ -335,7 +335,7 @@ static int hci_cmd_v1_daa(struct i3c_hci
hci->io->queue_xfer(hci, xfer, 1);
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, 1)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
break;
}
if (RESP_STATUS(xfer[0].response) == RESP_ERR_NACK &&
--- a/drivers/i3c/master/mipi-i3c-hci/cmd_v2.c
+++ b/drivers/i3c/master/mipi-i3c-hci/cmd_v2.c
@@ -277,7 +277,7 @@ static int hci_cmd_v2_daa(struct i3c_hci
hci->io->queue_xfer(hci, xfer, 2);
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, 2)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
break;
}
if (RESP_STATUS(xfer[0].response) != RESP_SUCCESS) {
--- a/drivers/i3c/master/mipi-i3c-hci/core.c
+++ b/drivers/i3c/master/mipi-i3c-hci/core.c
@@ -237,7 +237,7 @@ static int i3c_hci_send_ccc_cmd(struct i
goto out;
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, nxfers)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
goto out;
}
for (i = prefixed; i < nxfers; i++) {
@@ -311,7 +311,7 @@ static int i3c_hci_priv_xfers(struct i3c
goto out;
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, nxfers)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
goto out;
}
for (i = 0; i < nxfers; i++) {
@@ -359,7 +359,7 @@ static int i3c_hci_i2c_xfers(struct i2c_
goto out;
if (!wait_for_completion_timeout(&done, HZ) &&
hci->io->dequeue_xfer(hci, xfer, nxfers)) {
- ret = -ETIME;
+ ret = -ETIMEDOUT;
goto out;
}
for (i = 0; i < nxfers; i++) {
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 300/481] serial: 8250: Fix TX deadlock when using DMA
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 299/481] serial: 8250_pci: add support for the AX99100 Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 301/481] serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART BUSY Greg Kroah-Hartman
` (15 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Raul E Rangel
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raul E Rangel <rrangel@chromium.org>
commit a424a34b8faddf97b5af41689087e7a230f79ba7 upstream.
`dmaengine_terminate_async` does not guarantee that the
`__dma_tx_complete` callback will run. The callback is currently the
only place where `dma->tx_running` gets cleared. If the transaction is
canceled and the callback never runs, then `dma->tx_running` will never
get cleared and we will never schedule new TX DMA transactions again.
This change makes it so we clear `dma->tx_running` after we terminate
the DMA transaction. This is "safe" because `serial8250_tx_dma_flush`
is holding the UART port lock. The first thing the callback does is also
grab the UART port lock, so access to `dma->tx_running` is serialized.
Fixes: 9e512eaaf8f4 ("serial: 8250: Fix fifo underflow on flush")
Cc: stable <stable@kernel.org>
Signed-off-by: Raul E Rangel <rrangel@google.com>
Link: https://patch.msgid.link/20260209135815.1.I16366ecb0f62f3c96fe3dd5763fcf6f3c2b4d8cd@changeid
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_dma.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/drivers/tty/serial/8250/8250_dma.c
+++ b/drivers/tty/serial/8250/8250_dma.c
@@ -146,7 +146,22 @@ void serial8250_tx_dma_flush(struct uart
*/
dma->tx_size = 0;
+ /*
+ * We can't use `dmaengine_terminate_sync` because `uart_flush_buffer` is
+ * holding the uart port spinlock.
+ */
dmaengine_terminate_async(dma->txchan);
+
+ /*
+ * The callback might or might not run. If it doesn't run, we need to ensure
+ * that `tx_running` is cleared so that we can schedule new transactions.
+ * If it does run, then the zombie callback will clear `tx_running` again
+ * and perform a no-op since `tx_size` was cleared above.
+ *
+ * In either case, we ASSUME the DMA transaction will terminate before we
+ * issue a new `serial8250_tx_dma`.
+ */
+ dma->tx_running = 0;
}
int serial8250_rx_dma(struct uart_8250_port *p)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 287/460] f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 286/460] f2fs: compress: change the first parameter of page_array_{alloc,free} to sbi Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 288/460] f2fs: fix to avoid migrating empty section Greg Kroah-Hartman
` (15 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daeho Jeong, Zhiguo Niu, Baocong Liu,
Chao Yu, Jaegeuk Kim, Bin Lan
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhiguo Niu <zhiguo.niu@unisoc.com>
[ Upstream commit 39868685c2a94a70762bc6d77dc81d781d05bff5 ]
The decompress_io_ctx may be released asynchronously after
I/O completion. If this file is deleted immediately after read,
and the kworker of processing post_read_wq has not been executed yet
due to high workloads, It is possible that the inode(f2fs_inode_info)
is evicted and freed before it is used f2fs_free_dic.
The UAF case as below:
Thread A Thread B
- f2fs_decompress_end_io
- f2fs_put_dic
- queue_work
add free_dic work to post_read_wq
- do_unlink
- iput
- evict
- call_rcu
This file is deleted after read.
Thread C kworker to process post_read_wq
- rcu_do_batch
- f2fs_free_inode
- kmem_cache_free
inode is freed by rcu
- process_scheduled_works
- f2fs_late_free_dic
- f2fs_free_dic
- f2fs_release_decomp_mem
read (dic->inode)->i_compress_algorithm
This patch store compress_algorithm and sbi in dic to avoid inode UAF.
In addition, the previous solution is deprecated in [1] may cause system hang.
[1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org
Cc: Daeho Jeong <daehojeong@google.com>
Fixes: bff139b49d9f ("f2fs: handle decompress only post processing in softirq")
Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Signed-off-by: Baocong Liu <baocong.liu@unisoc.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ Keep the original f2fs_vmalloc(workspace_size) in v6.12.y instead of
f2fs_vmalloc(dic->sbi, workspace_size) per commit
54ca9be0bc58 ("f2fs: introduce FAULT_VMALLOC"). ]
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/compress.c | 38 +++++++++++++++++++-------------------
fs/f2fs/f2fs.h | 2 ++
2 files changed, 21 insertions(+), 19 deletions(-)
--- a/fs/f2fs/compress.c
+++ b/fs/f2fs/compress.c
@@ -211,13 +211,13 @@ static int lzo_decompress_pages(struct d
ret = lzo1x_decompress_safe(dic->cbuf->cdata, dic->clen,
dic->rbuf, &dic->rlen);
if (ret != LZO_E_OK) {
- f2fs_err_ratelimited(F2FS_I_SB(dic->inode),
+ f2fs_err_ratelimited(dic->sbi,
"lzo decompress failed, ret:%d", ret);
return -EIO;
}
if (dic->rlen != PAGE_SIZE << dic->log_cluster_size) {
- f2fs_err_ratelimited(F2FS_I_SB(dic->inode),
+ f2fs_err_ratelimited(dic->sbi,
"lzo invalid rlen:%zu, expected:%lu",
dic->rlen, PAGE_SIZE << dic->log_cluster_size);
return -EIO;
@@ -291,13 +291,13 @@ static int lz4_decompress_pages(struct d
ret = LZ4_decompress_safe(dic->cbuf->cdata, dic->rbuf,
dic->clen, dic->rlen);
if (ret < 0) {
- f2fs_err_ratelimited(F2FS_I_SB(dic->inode),
+ f2fs_err_ratelimited(dic->sbi,
"lz4 decompress failed, ret:%d", ret);
return -EIO;
}
if (ret != PAGE_SIZE << dic->log_cluster_size) {
- f2fs_err_ratelimited(F2FS_I_SB(dic->inode),
+ f2fs_err_ratelimited(dic->sbi,
"lz4 invalid ret:%d, expected:%lu",
ret, PAGE_SIZE << dic->log_cluster_size);
return -EIO;
@@ -425,7 +425,7 @@ static int zstd_init_decompress_ctx(stru
stream = zstd_init_dstream(max_window_size, workspace, workspace_size);
if (!stream) {
- f2fs_err_ratelimited(F2FS_I_SB(dic->inode),
+ f2fs_err_ratelimited(dic->sbi,
"%s zstd_init_dstream failed", __func__);
vfree(workspace);
return -EIO;
@@ -461,14 +461,14 @@ static int zstd_decompress_pages(struct
ret = zstd_decompress_stream(stream, &outbuf, &inbuf);
if (zstd_is_error(ret)) {
- f2fs_err_ratelimited(F2FS_I_SB(dic->inode),
+ f2fs_err_ratelimited(dic->sbi,
"%s zstd_decompress_stream failed, ret: %d",
__func__, zstd_get_error_code(ret));
return -EIO;
}
if (dic->rlen != outbuf.pos) {
- f2fs_err_ratelimited(F2FS_I_SB(dic->inode),
+ f2fs_err_ratelimited(dic->sbi,
"%s ZSTD invalid rlen:%zu, expected:%lu",
__func__, dic->rlen,
PAGE_SIZE << dic->log_cluster_size);
@@ -728,7 +728,7 @@ static void f2fs_release_decomp_mem(stru
void f2fs_decompress_cluster(struct decompress_io_ctx *dic, bool in_task)
{
- struct f2fs_sb_info *sbi = F2FS_I_SB(dic->inode);
+ struct f2fs_sb_info *sbi = dic->sbi;
struct f2fs_inode_info *fi = F2FS_I(dic->inode);
const struct f2fs_compress_ops *cops =
f2fs_cops[fi->i_compress_algorithm];
@@ -798,7 +798,7 @@ void f2fs_end_read_compressed_page(struc
{
struct decompress_io_ctx *dic =
(struct decompress_io_ctx *)page_private(page);
- struct f2fs_sb_info *sbi = F2FS_I_SB(dic->inode);
+ struct f2fs_sb_info *sbi = dic->sbi;
dec_page_count(sbi, F2FS_RD_DATA);
@@ -1615,14 +1615,13 @@ static inline bool allow_memalloc_for_de
static int f2fs_prepare_decomp_mem(struct decompress_io_ctx *dic,
bool pre_alloc)
{
- const struct f2fs_compress_ops *cops =
- f2fs_cops[F2FS_I(dic->inode)->i_compress_algorithm];
+ const struct f2fs_compress_ops *cops = f2fs_cops[dic->compress_algorithm];
int i;
- if (!allow_memalloc_for_decomp(F2FS_I_SB(dic->inode), pre_alloc))
+ if (!allow_memalloc_for_decomp(dic->sbi, pre_alloc))
return 0;
- dic->tpages = page_array_alloc(F2FS_I_SB(dic->inode), dic->cluster_size);
+ dic->tpages = page_array_alloc(dic->sbi, dic->cluster_size);
if (!dic->tpages)
return -ENOMEM;
@@ -1652,10 +1651,9 @@ static int f2fs_prepare_decomp_mem(struc
static void f2fs_release_decomp_mem(struct decompress_io_ctx *dic,
bool bypass_destroy_callback, bool pre_alloc)
{
- const struct f2fs_compress_ops *cops =
- f2fs_cops[F2FS_I(dic->inode)->i_compress_algorithm];
+ const struct f2fs_compress_ops *cops = f2fs_cops[dic->compress_algorithm];
- if (!allow_memalloc_for_decomp(F2FS_I_SB(dic->inode), pre_alloc))
+ if (!allow_memalloc_for_decomp(dic->sbi, pre_alloc))
return;
if (!bypass_destroy_callback && cops->destroy_decompress_ctx)
@@ -1690,6 +1688,8 @@ struct decompress_io_ctx *f2fs_alloc_dic
dic->magic = F2FS_COMPRESSED_PAGE_MAGIC;
dic->inode = cc->inode;
+ dic->sbi = sbi;
+ dic->compress_algorithm = F2FS_I(cc->inode)->i_compress_algorithm;
atomic_set(&dic->remaining_pages, cc->nr_cpages);
dic->cluster_idx = cc->cluster_idx;
dic->cluster_size = cc->cluster_size;
@@ -1733,7 +1733,8 @@ static void f2fs_free_dic(struct decompr
bool bypass_destroy_callback)
{
int i;
- struct f2fs_sb_info *sbi = F2FS_I_SB(dic->inode);
+ /* use sbi in dic to avoid UFA of dic->inode*/
+ struct f2fs_sb_info *sbi = dic->sbi;
f2fs_release_decomp_mem(dic, bypass_destroy_callback, true);
@@ -1776,8 +1777,7 @@ static void f2fs_put_dic(struct decompre
f2fs_free_dic(dic, false);
} else {
INIT_WORK(&dic->free_work, f2fs_late_free_dic);
- queue_work(F2FS_I_SB(dic->inode)->post_read_wq,
- &dic->free_work);
+ queue_work(dic->sbi->post_read_wq, &dic->free_work);
}
}
}
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1525,6 +1525,7 @@ struct compress_io_ctx {
struct decompress_io_ctx {
u32 magic; /* magic number to indicate page is compressed */
struct inode *inode; /* inode the context belong to */
+ struct f2fs_sb_info *sbi; /* f2fs_sb_info pointer */
pgoff_t cluster_idx; /* cluster index number */
unsigned int cluster_size; /* page count in cluster */
unsigned int log_cluster_size; /* log of cluster size */
@@ -1565,6 +1566,7 @@ struct decompress_io_ctx {
bool failed; /* IO error occurred before decompression? */
bool need_verity; /* need fs-verity verification after decompression? */
+ unsigned char compress_algorithm; /* backup algorithm type */
void *private; /* payload buffer for specified decompression algorithm */
void *private2; /* extra payload buffer */
struct work_struct verity_work; /* work to verify the decompressed pages */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 363/567] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 362/567] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 364/567] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor Greg Kroah-Hartman
` (14 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit b6d586431ae20d5157ee468d0ef62ad26798ef13 upstream.
The DMA dequeue path attempts to restart the ring after aborting an
in-flight transfer, but the current sequence is incomplete. The controller
must be brought out of the aborted state and the ring control registers
must be programmed in the correct order: first clearing ABORT, then
re-enabling the ring and asserting RUN_STOP to resume operation.
Add the missing controller resume step and update the ring control writes
so that the ring is restarted using the proper sequence.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-11-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/dma.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -491,7 +491,9 @@ static bool hci_dma_dequeue_xfer(struct
}
/* restart the ring */
+ mipi_i3c_hci_resume(hci);
rh_reg_write(RING_CONTROL, RING_CTRL_ENABLE);
+ rh_reg_write(RING_CONTROL, RING_CTRL_ENABLE | RING_CTRL_RUN_STOP);
return did_unqueue;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 301/481] serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART BUSY
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 300/481] serial: 8250: Fix TX deadlock when using DMA Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 302/481] serial: uartlite: fix PM runtime usage count underflow on probe Greg Kroah-Hartman
` (14 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Bandal, Shankar,
Murthy, Shanth, Andy Shevchenko, Ilpo Järvinen
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
commit e0a368ae79531ff92105a2692f10d83052055856 upstream.
When DW UART is !uart_16550_compatible, it can indicate BUSY at any
point (when under constant Rx pressure) unless a complex sequence of
steps is performed. Any LCR write can run a foul with the condition
that prevents writing LCR while the UART is BUSY, which triggers
BUSY_DETECT interrupt that seems unmaskable using IER bits.
Normal flow is that dw8250_handle_irq() handles BUSY_DETECT condition
by reading USR register. This BUSY feature, however, breaks the
assumptions made in serial8250_do_shutdown(), which runs
synchronize_irq() after clearing IER and assumes no interrupts can
occur after that point but then proceeds to update LCR, which on DW
UART can trigger an interrupt.
If serial8250_do_shutdown() releases the interrupt handler before the
handler has run and processed the BUSY_DETECT condition by read the USR
register, the IRQ is not deasserted resulting in interrupt storm that
triggers "irq x: nobody cared" warning leading to disabling the IRQ.
Add late synchronize_irq() into serial8250_do_shutdown() to ensure
BUSY_DETECT from DW UART is handled before port's interrupt handler is
released. Alternative would be to add DW UART specific shutdown
function but it would mostly duplicate the generic code and the extra
synchronize_irq() seems pretty harmless in serial8250_do_shutdown().
Fixes: 7d4008ebb1c9 ("tty: add a DesignWare 8250 driver")
Cc: stable <stable@kernel.org>
Reported-by: Bandal, Shankar <shankar.bandal@intel.com>
Tested-by: Bandal, Shankar <shankar.bandal@intel.com>
Tested-by: Murthy, Shanth <shanth.murthy@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://patch.msgid.link/20260203171049.4353-7-ilpo.jarvinen@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_port.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -2526,6 +2526,12 @@ void serial8250_do_shutdown(struct uart_
* the IRQ chain.
*/
serial_port_in(port, UART_RX);
+ /*
+ * LCR writes on DW UART can trigger late (unmaskable) IRQs.
+ * Handle them before releasing the handler.
+ */
+ synchronize_irq(port->irq);
+
serial8250_rpm_put(up);
up->ops->release_irq(up);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 288/460] f2fs: fix to avoid migrating empty section
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 287/460] f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 289/460] blk-throttle: fix access race during throttle policy activation Greg Kroah-Hartman
` (14 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable, stable@vger.kernel.org, Chao Yu
Cc: Greg Kroah-Hartman, patches, Daeho Jeong, Jaegeuk Kim,
Robert Garcia
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit d625a2b08c089397d3a03bff13fa8645e4ec7a01 ]
It reports a bug from device w/ zufs:
F2FS-fs (dm-64): Inconsistent segment (173822) type [1, 0] in SSA and SIT
F2FS-fs (dm-64): Stopped filesystem due to reason: 4
Thread A Thread B
- f2fs_expand_inode_data
- f2fs_allocate_pinning_section
- f2fs_gc_range
- do_garbage_collect w/ segno #x
- writepage
- f2fs_allocate_data_block
- new_curseg
- allocate segno #x
The root cause is: fallocate on pinning file may race w/ block allocation
as above, result in do_garbage_collect() from fallocate() may migrate
segment which is just allocated by a log, the log will update segment type
in its in-memory structure, however GC will get segment type from on-disk
SSA block, once segment type changes by log, we can detect such
inconsistency, then shutdown filesystem.
In this case, on-disk SSA shows type of segno #173822 is 1 (SUM_TYPE_NODE),
however segno #173822 was just allocated as data type segment, so in-memory
SIT shows type of segno #173822 is 0 (SUM_TYPE_DATA).
Change as below to fix this issue:
- check whether current section is empty before gc
- add sanity checks on do_garbage_collect() to avoid any race case, result
in migrating segment used by log.
- btw, it fixes misc issue in printed logs: "SSA and SIT" -> "SIT and SSA".
Fixes: 9703d69d9d15 ("f2fs: support file pinning for zoned devices")
Cc: Daeho Jeong <daehojeong@google.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ Use IS_CURSEC instead of is_cursec according to
commit c1cfc87e49525 ("f2fs: introduce is_cur{seg,sec}()"). ]
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/gc.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -1805,6 +1805,13 @@ static int do_garbage_collect(struct f2f
GET_SUM_BLOCK(sbi, segno));
f2fs_put_page(sum_page, 0);
+ if (IS_CURSEC(sbi, GET_SEC_FROM_SEG(sbi, segno))) {
+ f2fs_err(sbi, "%s: segment %u is used by log",
+ __func__, segno);
+ f2fs_bug_on(sbi, 1);
+ goto skip;
+ }
+
if (get_valid_blocks(sbi, segno, false) == 0)
goto freed;
if (gc_type == BG_GC && __is_large_section(sbi) &&
@@ -1815,7 +1822,7 @@ static int do_garbage_collect(struct f2f
sum = page_address(sum_page);
if (type != GET_SUM_TYPE((&sum->footer))) {
- f2fs_err(sbi, "Inconsistent segment (%u) type [%d, %d] in SSA and SIT",
+ f2fs_err(sbi, "Inconsistent segment (%u) type [%d, %d] in SIT and SSA",
segno, type, GET_SUM_TYPE((&sum->footer)));
f2fs_stop_checkpoint(sbi, false,
STOP_CP_REASON_CORRUPTED_SUMMARY);
@@ -2079,6 +2086,13 @@ int f2fs_gc_range(struct f2fs_sb_info *s
.iroot = RADIX_TREE_INIT(gc_list.iroot, GFP_NOFS),
};
+ /*
+ * avoid migrating empty section, as it can be allocated by
+ * log in parallel.
+ */
+ if (!get_valid_blocks(sbi, segno, true))
+ continue;
+
if (IS_CURSEC(sbi, GET_SEC_FROM_SEG(sbi, segno)))
continue;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 364/567] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 363/567] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 365/567] drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD Greg Kroah-Hartman
` (13 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Alexandre Belloni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit ec3cfd835f7c4bbd23bc9ad909d2fdc772a578bb upstream.
The internal control command descriptor used for no-op commands includes a
Transaction ID (TID) field, but the no-op command constructed in
hci_dma_dequeue_xfer() omitted it. As a result, the hardware receives a
no-op descriptor without the expected TID.
This bug has gone unnoticed because the TID is currently not validated in
the no-op completion path, but the descriptor format requires it to be
present.
Add the missing TID field when generating a no-op descriptor so that its
layout matches the defined command structure.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-10-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/mipi-i3c-hci/cmd.h | 1 +
drivers/i3c/master/mipi-i3c-hci/dma.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/i3c/master/mipi-i3c-hci/cmd.h
+++ b/drivers/i3c/master/mipi-i3c-hci/cmd.h
@@ -17,6 +17,7 @@
#define CMD_0_TOC W0_BIT_(31)
#define CMD_0_ROC W0_BIT_(30)
#define CMD_0_ATTR W0_MASK(2, 0)
+#define CMD_0_TID W0_MASK(6, 3)
/*
* Response Descriptor Structure
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -473,7 +473,7 @@ static bool hci_dma_dequeue_xfer(struct
u32 *ring_data = rh->xfer + rh->xfer_struct_sz * idx;
/* store no-op cmd descriptor */
- *ring_data++ = FIELD_PREP(CMD_0_ATTR, 0x7);
+ *ring_data++ = FIELD_PREP(CMD_0_ATTR, 0x7) | FIELD_PREP(CMD_0_TID, xfer->cmd_tid);
*ring_data++ = 0;
if (hci->cmd == &mipi_i3c_hci_cmd_v2) {
*ring_data++ = 0;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 302/481] serial: uartlite: fix PM runtime usage count underflow on probe
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 301/481] serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART BUSY Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 303/481] drm/amdgpu/mmhub2.0: add bounds checking for cid Greg Kroah-Hartman
` (13 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Maciej Andrzejewski ICEYE
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej Andrzejewski ICEYE <maciej.andrzejewski@m-works.net>
commit d54801cd509515f674a5aac1d3ea1401d2a05863 upstream.
ulite_probe() calls pm_runtime_put_autosuspend() at the end of probe
without holding a corresponding PM runtime reference for non-console
ports.
During ulite_assign(), uart_add_one_port() triggers uart_configure_port()
which calls ulite_pm() via uart_change_pm(). For non-console ports, the
UART core performs a balanced get/put cycle:
uart_change_pm(ON) -> ulite_pm() -> pm_runtime_get_sync() +1
uart_change_pm(OFF) -> ulite_pm() -> pm_runtime_put_autosuspend() -1
This leaves no spare reference for the pm_runtime_put_autosuspend() at
the end of probe. The PM runtime core prevents the count from actually
going below zero, and instead triggers a
"Runtime PM usage count underflow!" warning.
For console ports the bug is masked: the UART core skips the
uart_change_pm(OFF) call, so the UART core's unbalanced get happens to
pair with probe's trailing put.
Add pm_runtime_get_noresume() before pm_runtime_enable() to take an
explicit probe-owned reference that the trailing
pm_runtime_put_autosuspend() can release. This ensures a correct usage
count regardless of whether the port is a console.
Fixes: 5bbe10a6942d ("tty: serial: uartlite: Add runtime pm support")
Cc: stable <stable@kernel.org>
Signed-off-by: Maciej Andrzejewski ICEYE <maciej.andrzejewski@m-works.net>
Link: https://patch.msgid.link/20260305123746.4152800-1-maciej.andrzejewski@m-works.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/uartlite.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/tty/serial/uartlite.c
+++ b/drivers/tty/serial/uartlite.c
@@ -874,6 +874,7 @@ of_err:
pm_runtime_use_autosuspend(&pdev->dev);
pm_runtime_set_autosuspend_delay(&pdev->dev, UART_AUTOSUSPEND_TIMEOUT);
pm_runtime_set_active(&pdev->dev);
+ pm_runtime_get_noresume(&pdev->dev);
pm_runtime_enable(&pdev->dev);
ret = ulite_assign(&pdev->dev, id, res->start, irq, pdata);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 289/460] blk-throttle: fix access race during throttle policy activation
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 288/460] f2fs: fix to avoid migrating empty section Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 290/460] dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Greg Kroah-Hartman
` (13 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable, stable@vger.kernel.org, Han Guangjiang
Cc: Greg Kroah-Hartman, patches, Liang Jie, Yu Kuai, Jens Axboe,
Robert Garcia
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Han Guangjiang <hanguangjiang@lixiang.com>
[ Upstream commit bd9fd5be6bc0836820500f68fff144609fbd85a9 ]
On repeated cold boots we occasionally hit a NULL pointer crash in
blk_should_throtl() when throttling is consulted before the throttle
policy is fully enabled for the queue. Checking only q->td != NULL is
insufficient during early initialization, so blkg_to_pd() for the
throttle policy can still return NULL and blkg_to_tg() becomes NULL,
which later gets dereferenced.
Unable to handle kernel NULL pointer dereference
at virtual address 0000000000000156
...
pc : submit_bio_noacct+0x14c/0x4c8
lr : submit_bio_noacct+0x48/0x4c8
sp : ffff800087f0b690
x29: ffff800087f0b690 x28: 0000000000005f90 x27: ffff00068af393c0
x26: 0000000000080000 x25: 000000000002fbc0 x24: ffff000684ddcc70
x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000
x20: 0000000000080000 x19: ffff000684ddcd08 x18: ffffffffffffffff
x17: 0000000000000000 x16: ffff80008132a550 x15: 0000ffff98020fff
x14: 0000000000000000 x13: 1fffe000d11d7021 x12: ffff000688eb810c
x11: ffff00077ec4bb80 x10: ffff000688dcb720 x9 : ffff80008068ef60
x8 : 00000a6fb8a86e85 x7 : 000000000000111e x6 : 0000000000000002
x5 : 0000000000000246 x4 : 0000000000015cff x3 : 0000000000394500
x2 : ffff000682e35e40 x1 : 0000000000364940 x0 : 000000000000001a
Call trace:
submit_bio_noacct+0x14c/0x4c8
verity_map+0x178/0x2c8
__map_bio+0x228/0x250
dm_submit_bio+0x1c4/0x678
__submit_bio+0x170/0x230
submit_bio_noacct_nocheck+0x16c/0x388
submit_bio_noacct+0x16c/0x4c8
submit_bio+0xb4/0x210
f2fs_submit_read_bio+0x4c/0xf0
f2fs_mpage_readpages+0x3b0/0x5f0
f2fs_readahead+0x90/0xe8
Tighten blk_throtl_activated() to also require that the throttle policy
bit is set on the queue:
return q->td != NULL &&
test_bit(blkcg_policy_throtl.plid, q->blkcg_pols);
This prevents blk_should_throtl() from accessing throttle group state
until policy data has been attached to blkgs.
Fixes: a3166c51702b ("blk-throttle: delay initialization until configuration")
Co-developed-by: Liang Jie <liangjie@lixiang.com>
Signed-off-by: Liang Jie <liangjie@lixiang.com>
Signed-off-by: Han Guangjiang <hanguangjiang@lixiang.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-cgroup.c | 6 ------
block/blk-cgroup.h | 6 ++++++
block/blk-throttle.c | 6 +-----
block/blk-throttle.h | 18 +++++++++++-------
4 files changed, 18 insertions(+), 18 deletions(-)
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -110,12 +110,6 @@ static struct cgroup_subsys_state *blkcg
return task_css(current, io_cgrp_id);
}
-static bool blkcg_policy_enabled(struct request_queue *q,
- const struct blkcg_policy *pol)
-{
- return pol && test_bit(pol->plid, q->blkcg_pols);
-}
-
static void blkg_free_workfn(struct work_struct *work)
{
struct blkcg_gq *blkg = container_of(work, struct blkcg_gq,
--- a/block/blk-cgroup.h
+++ b/block/blk-cgroup.h
@@ -455,6 +455,12 @@ static inline bool blk_cgroup_mergeable(
bio_issue_as_root_blkg(rq->bio) == bio_issue_as_root_blkg(bio);
}
+static inline bool blkcg_policy_enabled(struct request_queue *q,
+ const struct blkcg_policy *pol)
+{
+ return pol && test_bit(pol->plid, q->blkcg_pols);
+}
+
void blk_cgroup_bio_start(struct bio *bio);
void blkcg_add_delay(struct blkcg_gq *blkg, u64 now, u64 delta);
#else /* CONFIG_BLK_CGROUP */
--- a/block/blk-throttle.c
+++ b/block/blk-throttle.c
@@ -1209,17 +1209,13 @@ static int blk_throtl_init(struct gendis
INIT_WORK(&td->dispatch_work, blk_throtl_dispatch_work_fn);
throtl_service_queue_init(&td->service_queue);
- /*
- * Freeze queue before activating policy, to synchronize with IO path,
- * which is protected by 'q_usage_counter'.
- */
blk_mq_freeze_queue(disk->queue);
blk_mq_quiesce_queue(disk->queue);
q->td = td;
td->queue = q;
- /* activate policy */
+ /* activate policy, blk_throtl_activated() will return true */
ret = blkcg_activate_policy(disk, &blkcg_policy_throtl);
if (ret) {
q->td = NULL;
--- a/block/blk-throttle.h
+++ b/block/blk-throttle.h
@@ -154,7 +154,13 @@ void blk_throtl_cancel_bios(struct gendi
static inline bool blk_throtl_activated(struct request_queue *q)
{
- return q->td != NULL;
+ /*
+ * q->td guarantees that the blk-throttle module is already loaded,
+ * and the plid of blk-throttle is assigned.
+ * blkcg_policy_enabled() guarantees that the policy is activated
+ * in the request_queue.
+ */
+ return q->td != NULL && blkcg_policy_enabled(q, &blkcg_policy_throtl);
}
static inline bool blk_should_throtl(struct bio *bio)
@@ -162,11 +168,6 @@ static inline bool blk_should_throtl(str
struct throtl_grp *tg;
int rw = bio_data_dir(bio);
- /*
- * This is called under bio_queue_enter(), and it's synchronized with
- * the activation of blk-throtl, which is protected by
- * blk_mq_freeze_queue().
- */
if (!blk_throtl_activated(bio->bi_bdev->bd_queue))
return false;
@@ -192,7 +193,10 @@ static inline bool blk_should_throtl(str
static inline bool blk_throtl_bio(struct bio *bio)
{
-
+ /*
+ * block throttling takes effect if the policy is activated
+ * in the bio's request_queue.
+ */
if (!blk_should_throtl(bio))
return false;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 365/567] drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 364/567] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 366/567] gve: defer interrupt enabling until NAPI registration Greg Kroah-Hartman
` (12 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John Ripple, Douglas Anderson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Ripple <john.ripple@keysight.com>
commit 9133bc3f0564890218cbba6cc7e81ebc0841a6f1 upstream.
Add support for DisplayPort to the bridge, which entails the following:
- Get and use an interrupt for HPD;
- Properly clear all status bits in the interrupt handler;
Signed-off-by: John Ripple <john.ripple@keysight.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://lore.kernel.org/r/20250915174543.2564994-1-john.ripple@keysight.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 112 ++++++++++++++++++++++++++++++++++
1 file changed, 112 insertions(+)
--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
@@ -106,10 +106,21 @@
#define SN_PWM_EN_INV_REG 0xA5
#define SN_PWM_INV_MASK BIT(0)
#define SN_PWM_EN_MASK BIT(1)
+
+#define SN_IRQ_EN_REG 0xE0
+#define IRQ_EN BIT(0)
+
+#define SN_IRQ_EVENTS_EN_REG 0xE6
+#define HPD_INSERTION_EN BIT(1)
+#define HPD_REMOVAL_EN BIT(2)
+
#define SN_AUX_CMD_STATUS_REG 0xF4
#define AUX_IRQ_STATUS_AUX_RPLY_TOUT BIT(3)
#define AUX_IRQ_STATUS_AUX_SHORT BIT(5)
#define AUX_IRQ_STATUS_NAT_I2C_FAIL BIT(6)
+#define SN_IRQ_STATUS_REG 0xF5
+#define HPD_REMOVAL_STATUS BIT(2)
+#define HPD_INSERTION_STATUS BIT(1)
#define MIN_DSI_CLK_FREQ_MHZ 40
@@ -152,7 +163,9 @@
* @ln_assign: Value to program to the LN_ASSIGN register.
* @ln_polrs: Value for the 4-bit LN_POLRS field of SN_ENH_FRAME_REG.
* @comms_enabled: If true then communication over the aux channel is enabled.
+ * @hpd_enabled: If true then HPD events are enabled.
* @comms_mutex: Protects modification of comms_enabled.
+ * @hpd_mutex: Protects modification of hpd_enabled.
*
* @gchip: If we expose our GPIOs, this is used.
* @gchip_output: A cache of whether we've set GPIOs to output. This
@@ -190,7 +203,9 @@ struct ti_sn65dsi86 {
u8 ln_assign;
u8 ln_polrs;
bool comms_enabled;
+ bool hpd_enabled;
struct mutex comms_mutex;
+ struct mutex hpd_mutex;
#if defined(CONFIG_OF_GPIO)
struct gpio_chip gchip;
@@ -221,6 +236,23 @@ static const struct regmap_config ti_sn6
.max_register = 0xFF,
};
+static int ti_sn65dsi86_read_u8(struct ti_sn65dsi86 *pdata, unsigned int reg,
+ u8 *val)
+{
+ int ret;
+ unsigned int reg_val;
+
+ ret = regmap_read(pdata->regmap, reg, ®_val);
+ if (ret) {
+ dev_err(pdata->dev, "fail to read raw reg %#x: %d\n",
+ reg, ret);
+ return ret;
+ }
+ *val = (u8)reg_val;
+
+ return 0;
+}
+
static int __maybe_unused ti_sn65dsi86_read_u16(struct ti_sn65dsi86 *pdata,
unsigned int reg, u16 *val)
{
@@ -362,6 +394,7 @@ static void ti_sn65dsi86_disable_comms(s
static int __maybe_unused ti_sn65dsi86_resume(struct device *dev)
{
struct ti_sn65dsi86 *pdata = dev_get_drvdata(dev);
+ const struct i2c_client *client = to_i2c_client(pdata->dev);
int ret;
ret = regulator_bulk_enable(SN_REGULATOR_SUPPLY_NUM, pdata->supplies);
@@ -396,6 +429,13 @@ static int __maybe_unused ti_sn65dsi86_r
if (pdata->refclk)
ti_sn65dsi86_enable_comms(pdata);
+ if (client->irq) {
+ ret = regmap_update_bits(pdata->regmap, SN_IRQ_EN_REG, IRQ_EN,
+ IRQ_EN);
+ if (ret)
+ dev_err(pdata->dev, "Failed to enable IRQ events: %d\n", ret);
+ }
+
return ret;
}
@@ -1223,6 +1263,8 @@ static void ti_sn65dsi86_debugfs_init(st
static void ti_sn_bridge_hpd_enable(struct drm_bridge *bridge)
{
struct ti_sn65dsi86 *pdata = bridge_to_ti_sn65dsi86(bridge);
+ const struct i2c_client *client = to_i2c_client(pdata->dev);
+ int ret;
/*
* Device needs to be powered on before reading the HPD state
@@ -1231,11 +1273,35 @@ static void ti_sn_bridge_hpd_enable(stru
*/
pm_runtime_get_sync(pdata->dev);
+
+ mutex_lock(&pdata->hpd_mutex);
+ pdata->hpd_enabled = true;
+ mutex_unlock(&pdata->hpd_mutex);
+
+ if (client->irq) {
+ ret = regmap_set_bits(pdata->regmap, SN_IRQ_EVENTS_EN_REG,
+ HPD_REMOVAL_EN | HPD_INSERTION_EN);
+ if (ret)
+ dev_err(pdata->dev, "Failed to enable HPD events: %d\n", ret);
+ }
}
static void ti_sn_bridge_hpd_disable(struct drm_bridge *bridge)
{
struct ti_sn65dsi86 *pdata = bridge_to_ti_sn65dsi86(bridge);
+ const struct i2c_client *client = to_i2c_client(pdata->dev);
+ int ret;
+
+ if (client->irq) {
+ ret = regmap_clear_bits(pdata->regmap, SN_IRQ_EVENTS_EN_REG,
+ HPD_REMOVAL_EN | HPD_INSERTION_EN);
+ if (ret)
+ dev_err(pdata->dev, "Failed to disable HPD events: %d\n", ret);
+ }
+
+ mutex_lock(&pdata->hpd_mutex);
+ pdata->hpd_enabled = false;
+ mutex_unlock(&pdata->hpd_mutex);
pm_runtime_put_autosuspend(pdata->dev);
}
@@ -1321,6 +1387,41 @@ static int ti_sn_bridge_parse_dsi_host(s
return 0;
}
+static irqreturn_t ti_sn_bridge_interrupt(int irq, void *private)
+{
+ struct ti_sn65dsi86 *pdata = private;
+ struct drm_device *dev = pdata->bridge.dev;
+ u8 status;
+ int ret;
+ bool hpd_event;
+
+ ret = ti_sn65dsi86_read_u8(pdata, SN_IRQ_STATUS_REG, &status);
+ if (ret) {
+ dev_err(pdata->dev, "Failed to read IRQ status: %d\n", ret);
+ return IRQ_NONE;
+ }
+
+ hpd_event = status & (HPD_REMOVAL_STATUS | HPD_INSERTION_STATUS);
+
+ dev_dbg(pdata->dev, "(SN_IRQ_STATUS_REG = %#x)\n", status);
+ if (!status)
+ return IRQ_NONE;
+
+ ret = regmap_write(pdata->regmap, SN_IRQ_STATUS_REG, status);
+ if (ret) {
+ dev_err(pdata->dev, "Failed to clear IRQ status: %d\n", ret);
+ return IRQ_NONE;
+ }
+
+ /* Only send the HPD event if we are bound with a device. */
+ mutex_lock(&pdata->hpd_mutex);
+ if (pdata->hpd_enabled && hpd_event)
+ drm_kms_helper_hotplug_event(dev);
+ mutex_unlock(&pdata->hpd_mutex);
+
+ return IRQ_HANDLED;
+}
+
static int ti_sn_bridge_probe(struct auxiliary_device *adev,
const struct auxiliary_device_id *id)
{
@@ -1951,6 +2052,7 @@ static int ti_sn65dsi86_probe(struct i2c
dev_set_drvdata(dev, pdata);
pdata->dev = dev;
+ mutex_init(&pdata->hpd_mutex);
mutex_init(&pdata->comms_mutex);
pdata->regmap = devm_regmap_init_i2c(client,
@@ -1981,6 +2083,16 @@ static int ti_sn65dsi86_probe(struct i2c
if (ret)
return ret;
+ if (client->irq) {
+ ret = devm_request_threaded_irq(pdata->dev, client->irq, NULL,
+ ti_sn_bridge_interrupt,
+ IRQF_ONESHOT,
+ dev_name(pdata->dev), pdata);
+
+ if (ret)
+ return dev_err_probe(dev, ret, "failed to request interrupt\n");
+ }
+
/*
* Break ourselves up into a collection of aux devices. The only real
* motiviation here is to solve the chicken-and-egg problem of probe
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 303/481] drm/amdgpu/mmhub2.0: add bounds checking for cid
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 302/481] serial: uartlite: fix PM runtime usage count underflow on probe Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 304/481] drm/amdgpu/mmhub2.3: " Greg Kroah-Hartman
` (12 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Benjamin Cheng, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 0b26edac4ac5535df1f63e6e8ab44c24fe1acad7 upstream.
The value should never exceed the array size as those
are the only values the hardware is expected to return,
but add checks anyway.
Reviewed-by: Benjamin Cheng <benjamin.cheng@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit e064cef4b53552602bb6ac90399c18f662f3cacd)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c
@@ -154,14 +154,17 @@ mmhub_v2_0_print_l2_protection_fault_sta
switch (adev->ip_versions[MMHUB_HWIP][0]) {
case IP_VERSION(2, 0, 0):
case IP_VERSION(2, 0, 2):
- mmhub_cid = mmhub_client_ids_navi1x[cid][rw];
+ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_navi1x) ?
+ mmhub_client_ids_navi1x[cid][rw] : NULL;
break;
case IP_VERSION(2, 1, 0):
case IP_VERSION(2, 1, 1):
- mmhub_cid = mmhub_client_ids_sienna_cichlid[cid][rw];
+ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_sienna_cichlid) ?
+ mmhub_client_ids_sienna_cichlid[cid][rw] : NULL;
break;
case IP_VERSION(2, 1, 2):
- mmhub_cid = mmhub_client_ids_beige_goby[cid][rw];
+ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_beige_goby) ?
+ mmhub_client_ids_beige_goby[cid][rw] : NULL;
break;
default:
mmhub_cid = NULL;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 290/460] dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 289/460] blk-throttle: fix access race during throttle policy activation Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 291/460] net: dsa: properly keep track of conduit reference Greg Kroah-Hartman
` (12 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Juan Li, Guodong Xu, Vinod Koul,
Wenshan Lan
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guodong Xu <guodong@riscstar.com>
[ Upstream commit a143545855bc2c6e1330f6f57ae375ac44af00a7 ]
Add proper locking in mmp_pdma_residue() to prevent use-after-free when
accessing descriptor list and descriptor contents.
The race occurs when multiple threads call tx_status() while the tasklet
on another CPU is freeing completed descriptors:
CPU 0 CPU 1
----- -----
mmp_pdma_tx_status()
mmp_pdma_residue()
-> NO LOCK held
list_for_each_entry(sw, ..)
DMA interrupt
dma_do_tasklet()
-> spin_lock(&desc_lock)
list_move(sw->node, ...)
spin_unlock(&desc_lock)
| dma_pool_free(sw) <- FREED!
-> access sw->desc <- UAF!
This issue can be reproduced when running dmatest on the same channel with
multiple threads (threads_per_chan > 1).
Fix by protecting the chain_running list iteration and descriptor access
with the chan->desc_lock spinlock.
Signed-off-by: Juan Li <lijuan@linux.spacemit.com>
Signed-off-by: Guodong Xu <guodong@riscstar.com>
Link: https://patch.msgid.link/20251216-mmp-pdma-race-v1-1-976a224bb622@riscstar.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
[ Minor context conflict resolved. ]
Signed-off-by: Wenshan Lan <jetlan9@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/mmp_pdma.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/dma/mmp_pdma.c
+++ b/drivers/dma/mmp_pdma.c
@@ -763,6 +763,7 @@ static unsigned int mmp_pdma_residue(str
{
struct mmp_pdma_desc_sw *sw;
u32 curr, residue = 0;
+ unsigned long flags;
bool passed = false;
bool cyclic = chan->cyclic_first != NULL;
@@ -778,6 +779,8 @@ static unsigned int mmp_pdma_residue(str
else
curr = readl(chan->phy->base + DSADR(chan->phy->idx));
+ spin_lock_irqsave(&chan->desc_lock, flags);
+
list_for_each_entry(sw, &chan->chain_running, node) {
u32 start, end, len;
@@ -821,6 +824,7 @@ static unsigned int mmp_pdma_residue(str
continue;
if (sw->async_tx.cookie == cookie) {
+ spin_unlock_irqrestore(&chan->desc_lock, flags);
return residue;
} else {
residue = 0;
@@ -828,6 +832,8 @@ static unsigned int mmp_pdma_residue(str
}
}
+ spin_unlock_irqrestore(&chan->desc_lock, flags);
+
/* We should only get here in case of cyclic transactions */
return residue;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 366/567] gve: defer interrupt enabling until NAPI registration
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 365/567] drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 367/567] ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths Greg Kroah-Hartman
` (11 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ankit Garg, Jordan Rhee,
Harshitha Ramamurthy, Paolo Abeni, Joshua Washington
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ankit Garg <nktgrg@google.com>
[ Upstream commit 3d970eda003441f66551a91fda16478ac0711617 ]
Currently, interrupts are automatically enabled immediately upon
request. This allows interrupt to fire before the associated NAPI
context is fully initialized and cause failures like below:
[ 0.946369] Call Trace:
[ 0.946369] <IRQ>
[ 0.946369] __napi_poll+0x2a/0x1e0
[ 0.946369] net_rx_action+0x2f9/0x3f0
[ 0.946369] handle_softirqs+0xd6/0x2c0
[ 0.946369] ? handle_edge_irq+0xc1/0x1b0
[ 0.946369] __irq_exit_rcu+0xc3/0xe0
[ 0.946369] common_interrupt+0x81/0xa0
[ 0.946369] </IRQ>
[ 0.946369] <TASK>
[ 0.946369] asm_common_interrupt+0x22/0x40
[ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10
Use the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto
enablement and explicitly enable the interrupt in NAPI initialization
path (and disable it during NAPI teardown).
This ensures that interrupt lifecycle is strictly coupled with
readiness of NAPI context.
Cc: stable@vger.kernel.org
Fixes: 893ce44df565 ("gve: Add basic driver framework for Compute Engine Virtual NIC")
Signed-off-by: Ankit Garg <nktgrg@google.com>
Reviewed-by: Jordan Rhee <jordanrhee@google.com>
Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com>
Link: https://patch.msgid.link/20251219102945.2193617-1-hramamurthy@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ modified to re-introduce the irq member to struct gve_notify_block,
which was introuduced in commit 9a5e0776d11f ("gve: Avoid rescheduling
napi if on wrong cpu"). ]
Signed-off-by: Joshua Washington <joshwash@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/google/gve/gve.h | 1 +
drivers/net/ethernet/google/gve/gve_main.c | 5 ++++-
2 files changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/google/gve/gve.h
+++ b/drivers/net/ethernet/google/gve/gve.h
@@ -585,6 +585,7 @@ struct gve_notify_block {
struct gve_priv *priv;
struct gve_tx_ring *tx; /* tx rings on this block */
struct gve_rx_ring *rx; /* rx rings on this block */
+ u32 irq;
};
/* Tracks allowed and current queue settings */
--- a/drivers/net/ethernet/google/gve/gve_main.c
+++ b/drivers/net/ethernet/google/gve/gve_main.c
@@ -407,9 +407,10 @@ static int gve_alloc_notify_blocks(struc
snprintf(block->name, sizeof(block->name), "gve-ntfy-blk%d@pci:%s",
i, pci_name(priv->pdev));
block->priv = priv;
+ block->irq = priv->msix_vectors[msix_idx].vector;
err = request_irq(priv->msix_vectors[msix_idx].vector,
gve_is_gqi(priv) ? gve_intr : gve_intr_dqo,
- 0, block->name, block);
+ IRQF_NO_AUTOEN, block->name, block);
if (err) {
dev_err(&priv->pdev->dev,
"Failed to receive msix vector %d\n", i);
@@ -575,6 +576,7 @@ static void gve_add_napi(struct gve_priv
struct gve_notify_block *block = &priv->ntfy_blocks[ntfy_idx];
netif_napi_add(priv->dev, &block->napi, gve_poll);
+ enable_irq(block->irq);
}
static void gve_remove_napi(struct gve_priv *priv, int ntfy_idx)
@@ -582,6 +584,7 @@ static void gve_remove_napi(struct gve_p
struct gve_notify_block *block = &priv->ntfy_blocks[ntfy_idx];
netif_napi_del(&block->napi);
+ disable_irq(block->irq);
}
static int gve_register_xdp_qpls(struct gve_priv *priv)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 304/481] drm/amdgpu/mmhub2.3: add bounds checking for cid
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 303/481] drm/amdgpu/mmhub2.0: add bounds checking for cid Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 305/481] drm/amdgpu/mmhub3.0.1: " Greg Kroah-Hartman
` (11 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Benjamin Cheng, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit a54403a534972af5d9ba5aaa3bb6ead612500ec6 upstream.
The value should never exceed the array size as those
are the only values the hardware is expected to return,
but add checks anyway.
Reviewed-by: Benjamin Cheng <benjamin.cheng@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 89cd90375c19fb45138990b70e9f4ba4806f05c4)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c
+++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c
@@ -94,7 +94,8 @@ mmhub_v2_3_print_l2_protection_fault_sta
case IP_VERSION(2, 3, 0):
case IP_VERSION(2, 4, 0):
case IP_VERSION(2, 4, 1):
- mmhub_cid = mmhub_client_ids_vangogh[cid][rw];
+ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_vangogh) ?
+ mmhub_client_ids_vangogh[cid][rw] : NULL;
break;
default:
mmhub_cid = NULL;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 291/460] net: dsa: properly keep track of conduit reference
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 290/460] dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 292/460] binfmt_misc: restore write access before closing files opened by open_exec() Greg Kroah-Hartman
` (11 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable, stable@vger.kernel.org, Vladimir Oltean
Cc: Greg Kroah-Hartman, patches, Ma Ke, Jonas Gorski, Paolo Abeni,
Robert Garcia
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit 06e219f6a706c367c93051f408ac61417643d2f9 ]
Problem description
-------------------
DSA has a mumbo-jumbo of reference handling of the conduit net device
and its kobject which, sadly, is just wrong and doesn't make sense.
There are two distinct problems.
1. The OF path, which uses of_find_net_device_by_node(), never releases
the elevated refcount on the conduit's kobject. Nominally, the OF and
non-OF paths should result in objects having identical reference
counts taken, and it is already suspicious that
dsa_dev_to_net_device() has a put_device() call which is missing in
dsa_port_parse_of(), but we can actually even verify that an issue
exists. With CONFIG_DEBUG_KOBJECT_RELEASE=y, if we run this command
"before" and "after" applying this patch:
(unbind the conduit driver for net device eno2)
echo 0000:00:00.2 > /sys/bus/pci/drivers/fsl_enetc/unbind
we see these lines in the output diff which appear only with the patch
applied:
kobject: 'eno2' (ffff002009a3a6b8): kobject_release, parent 0000000000000000 (delayed 1000)
kobject: '109' (ffff0020099d59a0): kobject_release, parent 0000000000000000 (delayed 1000)
2. After we find the conduit interface one way (OF) or another (non-OF),
it can get unregistered at any time, and DSA remains with a long-lived,
but in this case stale, cpu_dp->conduit pointer. Holding the net
device's underlying kobject isn't actually of much help, it just
prevents it from being freed (but we never need that kobject
directly). What helps us to prevent the net device from being
unregistered is the parallel netdev reference mechanism (dev_hold()
and dev_put()).
Actually we actually use that netdev tracker mechanism implicitly on
user ports since commit 2f1e8ea726e9 ("net: dsa: link interfaces with
the DSA master to get rid of lockdep warnings"), via netdev_upper_dev_link().
But time still passes at DSA switch probe time between the initial
of_find_net_device_by_node() code and the user port creation time, time
during which the conduit could unregister itself and DSA wouldn't know
about it.
So we have to run of_find_net_device_by_node() under rtnl_lock() to
prevent that from happening, and release the lock only with the netdev
tracker having acquired the reference.
Do we need to keep the reference until dsa_unregister_switch() /
dsa_switch_shutdown()?
1: Maybe yes. A switch device will still be registered even if all user
ports failed to probe, see commit 86f8b1c01a0a ("net: dsa: Do not
make user port errors fatal"), and the cpu_dp->conduit pointers
remain valid. I haven't audited all call paths to see whether they
will actually use the conduit in lack of any user port, but if they
do, it seems safer to not rely on user ports for that reference.
2. Definitely yes. We support changing the conduit which a user port is
associated to, and we can get into a situation where we've moved all
user ports away from a conduit, thus no longer hold any reference to
it via the net device tracker. But we shouldn't let it go nonetheless
- see the next change in relation to dsa_tree_find_first_conduit()
and LAG conduits which disappear.
We have to be prepared to return to the physical conduit, so the CPU
port must explicitly keep another reference to it. This is also to
say: the user ports and their CPU ports may not always keep a
reference to the same conduit net device, and both are needed.
As for the conduit's kobject for the /sys/class/net/ entry, we don't
care about it, we can release it as soon as we hold the net device
object itself.
History and blame attribution
-----------------------------
The code has been refactored so many times, it is very difficult to
follow and properly attribute a blame, but I'll try to make a short
history which I hope to be correct.
We have two distinct probing paths:
- one for OF, introduced in 2016 in commit 83c0afaec7b7 ("net: dsa: Add
new binding implementation")
- one for non-OF, introduced in 2017 in commit 71e0bbde0d88 ("net: dsa:
Add support for platform data")
These are both complete rewrites of the original probing paths (which
used struct dsa_switch_driver and other weird stuff, instead of regular
devices on their respective buses for register access, like MDIO, SPI,
I2C etc):
- one for OF, introduced in 2013 in commit 5e95329b701c ("dsa: add
device tree bindings to register DSA switches")
- one for non-OF, introduced in 2008 in commit 91da11f870f0 ("net:
Distributed Switch Architecture protocol support")
except for tiny bits and pieces like dsa_dev_to_net_device() which were
seemingly carried over since the original commit, and used to this day.
The point is that the original probing paths received a fix in 2015 in
the form of commit 679fb46c5785 ("net: dsa: Add missing master netdev
dev_put() calls"), but the fix never made it into the "new" (dsa2)
probing paths that can still be traced to today, and the fixed probing
path was later deleted in 2019 in commit 93e86b3bc842 ("net: dsa: Remove
legacy probing support").
That is to say, the new probing paths were never quite correct in this
area.
The existence of the legacy probing support which was deleted in 2019
explains why dsa_dev_to_net_device() returns a conduit with elevated
refcount (because it was supposed to be released during
dsa_remove_dst()). After the removal of the legacy code, the only user
of dsa_dev_to_net_device() calls dev_put(conduit) immediately after this
function returns. This pattern makes no sense today, and can only be
interpreted historically to understand why dev_hold() was there in the
first place.
Change details
--------------
Today we have a better netdev tracking infrastructure which we should
use. Logically netdev_hold() belongs in common code
(dsa_port_parse_cpu(), where dp->conduit is assigned), but there is a
tradeoff to be made with the rtnl_lock() section which would become a
bit too long if we did that - dsa_port_parse_cpu() also calls
request_module(). So we duplicate a bit of logic in order for the
callers of dsa_port_parse_cpu() to be the ones responsible of holding
the conduit reference and releasing it on error. This shortens the
rtnl_lock() section significantly.
In the dsa_switch_probe() error path, dsa_switch_release_ports() will be
called in a number of situations, one being where dsa_port_parse_cpu()
maybe didn't get the chance to run at all (a different port failed
earlier, etc). So we have to test for the conduit being NULL prior to
calling netdev_put().
There have still been so many transformations to the code since the
blamed commits (rename master -> conduit, commit 0650bf52b31f ("net:
dsa: be compatible with masters which unregister on shutdown")), that it
only makes sense to fix the code using the best methods available today
and see how it can be backported to stable later. I suspect the fix
cannot even be backported to kernels which lack dsa_switch_shutdown(),
and I suspect this is also maybe why the long-lived conduit reference
didn't make it into the new DSA probing paths at the time (problems
during shutdown).
Because dsa_dev_to_net_device() has a single call site and has to be
changed anyway, the logic was just absorbed into the non-OF
dsa_port_parse().
Tested on the ocelot/felix switch and on dsa_loop, both on the NXP
LS1028A with CONFIG_DEBUG_KOBJECT_RELEASE=y.
Reported-by: Ma Ke <make24@iscas.ac.cn>
Closes: https://lore.kernel.org/netdev/20251214131204.4684-1-make24@iscas.ac.cn/
Fixes: 83c0afaec7b7 ("net: dsa: Add new binding implementation")
Fixes: 71e0bbde0d88 ("net: dsa: Add support for platform data")
Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20251215150236.3931670-1-vladimir.oltean@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/dsa.h | 1
net/dsa/dsa.c | 59 +++++++++++++++++++++++++++++++-----------------------
2 files changed, 35 insertions(+), 25 deletions(-)
--- a/include/net/dsa.h
+++ b/include/net/dsa.h
@@ -296,6 +296,7 @@ struct dsa_port {
struct devlink_port devlink_port;
struct phylink *pl;
struct phylink_config pl_config;
+ netdevice_tracker conduit_tracker;
struct dsa_lag *lag;
struct net_device *hsr_dev;
--- a/net/dsa/dsa.c
+++ b/net/dsa/dsa.c
@@ -1246,14 +1246,25 @@ static int dsa_port_parse_of(struct dsa_
if (ethernet) {
struct net_device *conduit;
const char *user_protocol;
+ int err;
+ rtnl_lock();
conduit = of_find_net_device_by_node(ethernet);
of_node_put(ethernet);
- if (!conduit)
+ if (!conduit) {
+ rtnl_unlock();
return -EPROBE_DEFER;
+ }
+
+ netdev_hold(conduit, &dp->conduit_tracker, GFP_KERNEL);
+ put_device(&conduit->dev);
+ rtnl_unlock();
user_protocol = of_get_property(dn, "dsa-tag-protocol", NULL);
- return dsa_port_parse_cpu(dp, conduit, user_protocol);
+ err = dsa_port_parse_cpu(dp, conduit, user_protocol);
+ if (err)
+ netdev_put(conduit, &dp->conduit_tracker);
+ return err;
}
if (link)
@@ -1386,37 +1397,30 @@ static struct device *dev_find_class(str
return device_find_child(parent, class, dev_is_class);
}
-static struct net_device *dsa_dev_to_net_device(struct device *dev)
-{
- struct device *d;
-
- d = dev_find_class(dev, "net");
- if (d != NULL) {
- struct net_device *nd;
-
- nd = to_net_dev(d);
- dev_hold(nd);
- put_device(d);
-
- return nd;
- }
-
- return NULL;
-}
-
static int dsa_port_parse(struct dsa_port *dp, const char *name,
struct device *dev)
{
if (!strcmp(name, "cpu")) {
struct net_device *conduit;
+ struct device *d;
+ int err;
- conduit = dsa_dev_to_net_device(dev);
- if (!conduit)
+ rtnl_lock();
+ d = dev_find_class(dev, "net");
+ if (!d) {
+ rtnl_unlock();
return -EPROBE_DEFER;
+ }
- dev_put(conduit);
+ conduit = to_net_dev(d);
+ netdev_hold(conduit, &dp->conduit_tracker, GFP_KERNEL);
+ put_device(d);
+ rtnl_unlock();
- return dsa_port_parse_cpu(dp, conduit, NULL);
+ err = dsa_port_parse_cpu(dp, conduit, NULL);
+ if (err)
+ netdev_put(conduit, &dp->conduit_tracker);
+ return err;
}
if (!strcmp(name, "dsa"))
@@ -1484,6 +1488,9 @@ static void dsa_switch_release_ports(str
struct dsa_vlan *v, *n;
dsa_switch_for_each_port_safe(dp, next, ds) {
+ if (dsa_port_is_cpu(dp) && dp->conduit)
+ netdev_put(dp->conduit, &dp->conduit_tracker);
+
/* These are either entries that upper layers lost track of
* (probably due to bugs), or installed through interfaces
* where one does not necessarily have to remove them, like
@@ -1636,8 +1643,10 @@ void dsa_switch_shutdown(struct dsa_swit
/* Disconnect from further netdevice notifiers on the conduit,
* since netdev_uses_dsa() will now return false.
*/
- dsa_switch_for_each_cpu_port(dp, ds)
+ dsa_switch_for_each_cpu_port(dp, ds) {
dp->conduit->dsa_ptr = NULL;
+ netdev_put(dp->conduit, &dp->conduit_tracker);
+ }
rtnl_unlock();
out:
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 367/567] ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 366/567] gve: defer interrupt enabling until NAPI registration Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 368/567] wifi: libertas: fix use-after-free in lbs_free_adapter() Greg Kroah-Hartman
` (10 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Namjae Jeon,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit a09dc10d1353f0e92c21eae2a79af1c2b1ddcde8 ]
There are two places where ksmbd_vfs_kern_path_end_removing() needs to be
called in order to balance what the corresponding successful call to
ksmbd_vfs_kern_path_start_removing() has done, i.e. drop inode locks and
put the taken references. Otherwise there might be potential deadlocks
and unbalanced locks which are caught like:
BUG: workqueue leaked lock or atomic: kworker/5:21/0x00000000/7596
last function: handle_ksmbd_work
2 locks held by kworker/5:21/7596:
#0: ffff8881051ae448 (sb_writers#3){.+.+}-{0:0}, at: ksmbd_vfs_kern_path_locked+0x142/0x660
#1: ffff888130e966c0 (&type->i_mutex_dir_key#3/1){+.+.}-{4:4}, at: ksmbd_vfs_kern_path_locked+0x17d/0x660
CPU: 5 PID: 7596 Comm: kworker/5:21 Not tainted 6.1.162-00456-gc29b353f383b #138
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
Workqueue: ksmbd-io handle_ksmbd_work
Call Trace:
<TASK>
dump_stack_lvl+0x44/0x5b
process_one_work.cold+0x57/0x5c
worker_thread+0x82/0x600
kthread+0x153/0x190
ret_from_fork+0x22/0x30
</TASK>
Found by Linux Verification Center (linuxtesting.org).
Fixes: d5fc1400a34b ("smb/server: avoid deadlock when linking with ReplaceIfExists")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ ksmbd_vfs_kern_path_end_removing() call -> ksmbd_vfs_kern_path_unlock() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -6067,14 +6067,14 @@ static int smb2_create_link(struct ksmbd
rc = -EINVAL;
ksmbd_debug(SMB, "cannot delete %s\n",
link_name);
- goto out;
}
} else {
rc = -EEXIST;
ksmbd_debug(SMB, "link already exists\n");
- goto out;
}
ksmbd_vfs_kern_path_unlock(&parent_path, &path);
+ if (rc)
+ goto out;
}
rc = ksmbd_vfs_link(work, target_name, link_name);
if (rc)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 305/481] drm/amdgpu/mmhub3.0.1: add bounds checking for cid
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 304/481] drm/amdgpu/mmhub2.3: " Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 306/481] drm/amdgpu/mmhub3.0.2: " Greg Kroah-Hartman
` (10 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Benjamin Cheng, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 5d4e88bcfef29569a1db224ef15e28c603666c6d upstream.
The value should never exceed the array size as those
are the only values the hardware is expected to return,
but add checks anyway.
Reviewed-by: Benjamin Cheng <benjamin.cheng@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 5f76083183363c4528a4aaa593f5d38c28fe7d7b)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_1.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_1.c
+++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_1.c
@@ -117,7 +117,8 @@ mmhub_v3_0_1_print_l2_protection_fault_s
switch (adev->ip_versions[MMHUB_HWIP][0]) {
case IP_VERSION(3, 0, 1):
- mmhub_cid = mmhub_client_ids_v3_0_1[cid][rw];
+ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_v3_0_1) ?
+ mmhub_client_ids_v3_0_1[cid][rw] : NULL;
break;
default:
mmhub_cid = NULL;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 292/460] binfmt_misc: restore write access before closing files opened by open_exec()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 291/460] net: dsa: properly keep track of conduit reference Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 293/460] xfs: get rid of the xchk_xfile_*_descr calls Greg Kroah-Hartman
` (10 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable, stable@vger.kernel.org, Zilin Guan
Cc: Greg Kroah-Hartman, patches, Christian Brauner, Robert Garcia
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 90f601b497d76f40fa66795c3ecf625b6aced9fd ]
bm_register_write() opens an executable file using open_exec(), which
internally calls do_open_execat() and denies write access on the file to
avoid modification while it is being executed.
However, when an error occurs, bm_register_write() closes the file using
filp_close() directly. This does not restore the write permission, which
may cause subsequent write operations on the same file to fail.
Fix this by calling exe_file_allow_write_access() before filp_close() to
restore the write permission properly.
Fixes: e7850f4d844e ("binfmt_misc: fix possible deadlock in bm_register_write")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Link: https://patch.msgid.link/20251105022923.1813587-1-zilin@seu.edu.cn
Signed-off-by: Christian Brauner <brauner@kernel.org>
[ Use allow_write_access() instead of exe_file_allow_write_access()
according to commit 0357ef03c94ef
("fs: don't block write during exec on pre-content watched files"). ]
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/binfmt_misc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -875,8 +875,10 @@ out:
inode_unlock(d_inode(root));
if (err) {
- if (f)
+ if (f) {
+ allow_write_access(f);
filp_close(f, NULL);
+ }
kfree(e);
return err;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 368/567] wifi: libertas: fix use-after-free in lbs_free_adapter()
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 367/567] ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 369/567] platform/x86: hp-bioscfg: Support allocations of larger data Greg Kroah-Hartman
` (9 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Hodges, Johannes Berg,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Hodges <git@danielhodges.dev>
[ Upstream commit 03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0 ]
The lbs_free_adapter() function uses timer_delete() (non-synchronous)
for both command_timer and tx_lockup_timer before the structure is
freed. This is incorrect because timer_delete() does not wait for
any running timer callback to complete.
If a timer callback is executing when lbs_free_adapter() is called,
the callback will access freed memory since lbs_cfg_free() frees the
containing structure immediately after lbs_free_adapter() returns.
Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler)
access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields,
which would all be use-after-free violations.
Use timer_delete_sync() instead to ensure any running timer callback
has completed before returning.
This bug was introduced in commit 8f641d93c38a ("libertas: detect TX
lockups and reset hardware") where del_timer() was used instead of
del_timer_sync() in the cleanup path. The command_timer has had the
same issue since the driver was first written.
Fixes: 8f641d93c38a ("libertas: detect TX lockups and reset hardware")
Fixes: 954ee164f4f4 ("[PATCH] libertas: reorganize and simplify init sequence")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Hodges <git@danielhodges.dev>
Link: https://patch.msgid.link/20260206195356.15647-1-git@danielhodges.dev
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ del_timer() => timer_delete_sync() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/marvell/libertas/main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/marvell/libertas/main.c
+++ b/drivers/net/wireless/marvell/libertas/main.c
@@ -881,8 +881,8 @@ static void lbs_free_adapter(struct lbs_
{
lbs_free_cmd_buffer(priv);
kfifo_free(&priv->event_fifo);
- del_timer(&priv->command_timer);
- del_timer(&priv->tx_lockup_timer);
+ timer_delete_sync(&priv->command_timer);
+ timer_delete_sync(&priv->tx_lockup_timer);
del_timer(&priv->auto_deepsleep_timer);
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 306/481] drm/amdgpu/mmhub3.0.2: add bounds checking for cid
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 305/481] drm/amdgpu/mmhub3.0.1: " Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 307/481] drm/amdgpu/mmhub3.0: " Greg Kroah-Hartman
` (9 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Benjamin Cheng, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit e5e6d67b1ce9764e67aef2d0eef9911af53ad99a upstream.
The value should never exceed the array size as those
are the only values the hardware is expected to return,
but add checks anyway.
Reviewed-by: Benjamin Cheng <benjamin.cheng@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 1441f52c7f6ae6553664aa9e3e4562f6fc2fe8ea)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_2.c
+++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_2.c
@@ -108,7 +108,8 @@ mmhub_v3_0_2_print_l2_protection_fault_s
"MMVM_L2_PROTECTION_FAULT_STATUS:0x%08X\n",
status);
- mmhub_cid = mmhub_client_ids_v3_0_2[cid][rw];
+ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_v3_0_2) ?
+ mmhub_client_ids_v3_0_2[cid][rw] : NULL;
dev_err(adev->dev, "\t Faulty UTCL2 client ID: %s (0x%x)\n",
mmhub_cid ? mmhub_cid : "unknown", cid);
dev_err(adev->dev, "\t MORE_FAULTS: 0x%lx\n",
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 293/460] xfs: get rid of the xchk_xfile_*_descr calls
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 292/460] binfmt_misc: restore write access before closing files opened by open_exec() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 294/460] erofs: fix inline data read failure for ztailpacking pclusters Greg Kroah-Hartman
` (9 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable, Sasha Levin
Cc: Greg Kroah-Hartman, patches, r772577952, Darrick J. Wong,
Christoph Hellwig
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit 60382993a2e18041f88c7969f567f168cd3b4de3 ]
The xchk_xfile_*_descr macros call kasprintf, which can fail to allocate
memory if the formatted string is larger than 16 bytes (or whatever the
nofail guarantees are nowadays). Some of them could easily exceed that,
and Jiaming Zhang found a few places where that can happen with syzbot.
The descriptions are debugging aids and aren't required to be unique, so
let's just pass in static strings and eliminate this path to failure.
Note this patch touches a number of commits, most of which were merged
between 6.6 and 6.14.
Cc: r772577952@gmail.com
Cc: <stable@vger.kernel.org> # v6.12
Fixes: ab97f4b1c03075 ("xfs: repair AGI unlinked inode bucket lists")
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Tested-by: Jiaming Zhang <r772577952@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
| 13 ++++---------
fs/xfs/scrub/alloc_repair.c | 5 +----
fs/xfs/scrub/attr_repair.c | 20 +++++---------------
fs/xfs/scrub/bmap_repair.c | 6 +-----
fs/xfs/scrub/common.h | 18 ------------------
fs/xfs/scrub/dir.c | 13 ++++---------
fs/xfs/scrub/dir_repair.c | 11 +++--------
fs/xfs/scrub/dirtree.c | 11 +++--------
fs/xfs/scrub/ialloc_repair.c | 5 +----
fs/xfs/scrub/nlinks.c | 6 ++----
fs/xfs/scrub/parent.c | 11 +++--------
fs/xfs/scrub/parent_repair.c | 23 ++++++-----------------
fs/xfs/scrub/quotacheck.c | 13 +++----------
fs/xfs/scrub/refcount_repair.c | 13 ++-----------
fs/xfs/scrub/rmap_repair.c | 5 +----
fs/xfs/scrub/rtsummary.c | 7 ++-----
16 files changed, 41 insertions(+), 139 deletions(-)
--- a/fs/xfs/scrub/agheader_repair.c
+++ b/fs/xfs/scrub/agheader_repair.c
@@ -1720,7 +1720,6 @@ xrep_agi(
{
struct xrep_agi *ragi;
struct xfs_mount *mp = sc->mp;
- char *descr;
unsigned int i;
int error;
@@ -1754,17 +1753,13 @@ xrep_agi(
xagino_bitmap_init(&ragi->iunlink_bmp);
sc->buf_cleanup = xrep_agi_buf_cleanup;
- descr = xchk_xfile_ag_descr(sc, "iunlinked next pointers");
- error = xfarray_create(descr, 0, sizeof(xfs_agino_t),
- &ragi->iunlink_next);
- kfree(descr);
+ error = xfarray_create("iunlinked next pointers", 0,
+ sizeof(xfs_agino_t), &ragi->iunlink_next);
if (error)
return error;
- descr = xchk_xfile_ag_descr(sc, "iunlinked prev pointers");
- error = xfarray_create(descr, 0, sizeof(xfs_agino_t),
- &ragi->iunlink_prev);
- kfree(descr);
+ error = xfarray_create("iunlinked prev pointers", 0,
+ sizeof(xfs_agino_t), &ragi->iunlink_prev);
if (error)
return error;
--- a/fs/xfs/scrub/alloc_repair.c
+++ b/fs/xfs/scrub/alloc_repair.c
@@ -849,7 +849,6 @@ xrep_allocbt(
{
struct xrep_abt *ra;
struct xfs_mount *mp = sc->mp;
- char *descr;
int error;
/* We require the rmapbt to rebuild anything. */
@@ -875,11 +874,9 @@ xrep_allocbt(
}
/* Set up enough storage to handle maximally fragmented free space. */
- descr = xchk_xfile_ag_descr(sc, "free space records");
- error = xfarray_create(descr, mp->m_sb.sb_agblocks / 2,
+ error = xfarray_create("free space records", mp->m_sb.sb_agblocks / 2,
sizeof(struct xfs_alloc_rec_incore),
&ra->free_records);
- kfree(descr);
if (error)
goto out_ra;
--- a/fs/xfs/scrub/attr_repair.c
+++ b/fs/xfs/scrub/attr_repair.c
@@ -1531,7 +1531,6 @@ xrep_xattr_setup_scan(
struct xrep_xattr **rxp)
{
struct xrep_xattr *rx;
- char *descr;
int max_len;
int error;
@@ -1557,35 +1556,26 @@ xrep_xattr_setup_scan(
goto out_rx;
/* Set up some staging for salvaged attribute keys and values */
- descr = xchk_xfile_ino_descr(sc, "xattr keys");
- error = xfarray_create(descr, 0, sizeof(struct xrep_xattr_key),
+ error = xfarray_create("xattr keys", 0, sizeof(struct xrep_xattr_key),
&rx->xattr_records);
- kfree(descr);
if (error)
goto out_rx;
- descr = xchk_xfile_ino_descr(sc, "xattr names");
- error = xfblob_create(descr, &rx->xattr_blobs);
- kfree(descr);
+ error = xfblob_create("xattr names", &rx->xattr_blobs);
if (error)
goto out_keys;
if (xfs_has_parent(sc->mp)) {
ASSERT(sc->flags & XCHK_FSGATES_DIRENTS);
- descr = xchk_xfile_ino_descr(sc,
- "xattr retained parent pointer entries");
- error = xfarray_create(descr, 0,
+ error = xfarray_create("xattr parent pointer entries", 0,
sizeof(struct xrep_xattr_pptr),
&rx->pptr_recs);
- kfree(descr);
if (error)
goto out_values;
- descr = xchk_xfile_ino_descr(sc,
- "xattr retained parent pointer names");
- error = xfblob_create(descr, &rx->pptr_names);
- kfree(descr);
+ error = xfblob_create("xattr parent pointer names",
+ &rx->pptr_names);
if (error)
goto out_pprecs;
--- a/fs/xfs/scrub/bmap_repair.c
+++ b/fs/xfs/scrub/bmap_repair.c
@@ -800,7 +800,6 @@ xrep_bmap(
bool allow_unwritten)
{
struct xrep_bmap *rb;
- char *descr;
xfs_extnum_t max_bmbt_recs;
bool large_extcount;
int error = 0;
@@ -822,11 +821,8 @@ xrep_bmap(
/* Set up enough storage to handle the max records for this fork. */
large_extcount = xfs_has_large_extent_counts(sc->mp);
max_bmbt_recs = xfs_iext_max_nextents(large_extcount, whichfork);
- descr = xchk_xfile_ino_descr(sc, "%s fork mapping records",
- whichfork == XFS_DATA_FORK ? "data" : "attr");
- error = xfarray_create(descr, max_bmbt_recs,
+ error = xfarray_create("fork mapping records", max_bmbt_recs,
sizeof(struct xfs_bmbt_rec), &rb->bmap_records);
- kfree(descr);
if (error)
goto out_rb;
--- a/fs/xfs/scrub/common.h
+++ b/fs/xfs/scrub/common.h
@@ -202,24 +202,6 @@ static inline bool xchk_could_repair(con
int xchk_metadata_inode_forks(struct xfs_scrub *sc);
/*
- * Helper macros to allocate and format xfile description strings.
- * Callers must kfree the pointer returned.
- */
-#define xchk_xfile_descr(sc, fmt, ...) \
- kasprintf(XCHK_GFP_FLAGS, "XFS (%s): " fmt, \
- (sc)->mp->m_super->s_id, ##__VA_ARGS__)
-#define xchk_xfile_ag_descr(sc, fmt, ...) \
- kasprintf(XCHK_GFP_FLAGS, "XFS (%s): AG 0x%x " fmt, \
- (sc)->mp->m_super->s_id, \
- (sc)->sa.pag ? (sc)->sa.pag->pag_agno : (sc)->sm->sm_agno, \
- ##__VA_ARGS__)
-#define xchk_xfile_ino_descr(sc, fmt, ...) \
- kasprintf(XCHK_GFP_FLAGS, "XFS (%s): inode 0x%llx " fmt, \
- (sc)->mp->m_super->s_id, \
- (sc)->ip ? (sc)->ip->i_ino : (sc)->sm->sm_ino, \
- ##__VA_ARGS__)
-
-/*
* Setting up a hook to wait for intents to drain is costly -- we have to take
* the CPU hotplug lock and force an i-cache flush on all CPUs once to set it
* up, and again to tear it down. These costs add up quickly, so we only want
--- a/fs/xfs/scrub/dir.c
+++ b/fs/xfs/scrub/dir.c
@@ -1094,22 +1094,17 @@ xchk_directory(
sd->xname.name = sd->namebuf;
if (xfs_has_parent(sc->mp)) {
- char *descr;
-
/*
* Set up some staging memory for dirents that we can't check
* due to locking contention.
*/
- descr = xchk_xfile_ino_descr(sc, "slow directory entries");
- error = xfarray_create(descr, 0, sizeof(struct xchk_dirent),
- &sd->dir_entries);
- kfree(descr);
+ error = xfarray_create("slow directory entries", 0,
+ sizeof(struct xchk_dirent), &sd->dir_entries);
if (error)
goto out_sd;
- descr = xchk_xfile_ino_descr(sc, "slow directory entry names");
- error = xfblob_create(descr, &sd->dir_names);
- kfree(descr);
+ error = xfblob_create("slow directory entry names",
+ &sd->dir_names);
if (error)
goto out_entries;
}
--- a/fs/xfs/scrub/dir_repair.c
+++ b/fs/xfs/scrub/dir_repair.c
@@ -1782,20 +1782,15 @@ xrep_dir_setup_scan(
struct xrep_dir *rd)
{
struct xfs_scrub *sc = rd->sc;
- char *descr;
int error;
/* Set up some staging memory for salvaging dirents. */
- descr = xchk_xfile_ino_descr(sc, "directory entries");
- error = xfarray_create(descr, 0, sizeof(struct xrep_dirent),
- &rd->dir_entries);
- kfree(descr);
+ error = xfarray_create("directory entries", 0,
+ sizeof(struct xrep_dirent), &rd->dir_entries);
if (error)
return error;
- descr = xchk_xfile_ino_descr(sc, "directory entry names");
- error = xfblob_create(descr, &rd->dir_names);
- kfree(descr);
+ error = xfblob_create("directory entry names", &rd->dir_names);
if (error)
goto out_xfarray;
--- a/fs/xfs/scrub/dirtree.c
+++ b/fs/xfs/scrub/dirtree.c
@@ -96,7 +96,6 @@ xchk_setup_dirtree(
struct xfs_scrub *sc)
{
struct xchk_dirtree *dl;
- char *descr;
int error;
xchk_fsgates_enable(sc, XCHK_FSGATES_DIRENTS);
@@ -120,16 +119,12 @@ xchk_setup_dirtree(
mutex_init(&dl->lock);
- descr = xchk_xfile_ino_descr(sc, "dirtree path steps");
- error = xfarray_create(descr, 0, sizeof(struct xchk_dirpath_step),
- &dl->path_steps);
- kfree(descr);
+ error = xfarray_create("dirtree path steps", 0,
+ sizeof(struct xchk_dirpath_step), &dl->path_steps);
if (error)
goto out_dl;
- descr = xchk_xfile_ino_descr(sc, "dirtree path names");
- error = xfblob_create(descr, &dl->path_names);
- kfree(descr);
+ error = xfblob_create("dirtree path names", &dl->path_names);
if (error)
goto out_steps;
--- a/fs/xfs/scrub/ialloc_repair.c
+++ b/fs/xfs/scrub/ialloc_repair.c
@@ -804,7 +804,6 @@ xrep_iallocbt(
{
struct xrep_ibt *ri;
struct xfs_mount *mp = sc->mp;
- char *descr;
xfs_agino_t first_agino, last_agino;
int error = 0;
@@ -823,11 +822,9 @@ xrep_iallocbt(
/* Set up enough storage to handle an AG with nothing but inodes. */
xfs_agino_range(mp, sc->sa.pag->pag_agno, &first_agino, &last_agino);
last_agino /= XFS_INODES_PER_CHUNK;
- descr = xchk_xfile_ag_descr(sc, "inode index records");
- error = xfarray_create(descr, last_agino,
+ error = xfarray_create("inode index records", last_agino,
sizeof(struct xfs_inobt_rec_incore),
&ri->inode_records);
- kfree(descr);
if (error)
goto out_ri;
--- a/fs/xfs/scrub/nlinks.c
+++ b/fs/xfs/scrub/nlinks.c
@@ -995,7 +995,6 @@ xchk_nlinks_setup_scan(
struct xchk_nlink_ctrs *xnc)
{
struct xfs_mount *mp = sc->mp;
- char *descr;
unsigned long long max_inos;
xfs_agnumber_t last_agno = mp->m_sb.sb_agcount - 1;
xfs_agino_t first_agino, last_agino;
@@ -1012,10 +1011,9 @@ xchk_nlinks_setup_scan(
*/
xfs_agino_range(mp, last_agno, &first_agino, &last_agino);
max_inos = XFS_AGINO_TO_INO(mp, last_agno, last_agino) + 1;
- descr = xchk_xfile_descr(sc, "file link counts");
- error = xfarray_create(descr, min(XFS_MAXINUMBER + 1, max_inos),
+ error = xfarray_create("file link counts",
+ min(XFS_MAXINUMBER + 1, max_inos),
sizeof(struct xchk_nlink), &xnc->nlinks);
- kfree(descr);
if (error)
goto out_teardown;
--- a/fs/xfs/scrub/parent.c
+++ b/fs/xfs/scrub/parent.c
@@ -733,7 +733,6 @@ xchk_parent_pptr(
struct xfs_scrub *sc)
{
struct xchk_pptrs *pp;
- char *descr;
int error;
pp = kvzalloc(sizeof(struct xchk_pptrs), XCHK_GFP_FLAGS);
@@ -746,16 +745,12 @@ xchk_parent_pptr(
* Set up some staging memory for parent pointers that we can't check
* due to locking contention.
*/
- descr = xchk_xfile_ino_descr(sc, "slow parent pointer entries");
- error = xfarray_create(descr, 0, sizeof(struct xchk_pptr),
- &pp->pptr_entries);
- kfree(descr);
+ error = xfarray_create("slow parent pointer entries", 0,
+ sizeof(struct xchk_pptr), &pp->pptr_entries);
if (error)
goto out_pp;
- descr = xchk_xfile_ino_descr(sc, "slow parent pointer names");
- error = xfblob_create(descr, &pp->pptr_names);
- kfree(descr);
+ error = xfblob_create("slow parent pointer names", &pp->pptr_names);
if (error)
goto out_entries;
--- a/fs/xfs/scrub/parent_repair.c
+++ b/fs/xfs/scrub/parent_repair.c
@@ -1476,7 +1476,6 @@ xrep_parent_setup_scan(
struct xrep_parent *rp)
{
struct xfs_scrub *sc = rp->sc;
- char *descr;
struct xfs_da_geometry *geo = sc->mp->m_attr_geo;
int max_len;
int error;
@@ -1504,32 +1503,22 @@ xrep_parent_setup_scan(
goto out_xattr_name;
/* Set up some staging memory for logging parent pointer updates. */
- descr = xchk_xfile_ino_descr(sc, "parent pointer entries");
- error = xfarray_create(descr, 0, sizeof(struct xrep_pptr),
- &rp->pptr_recs);
- kfree(descr);
+ error = xfarray_create("parent pointer entries", 0,
+ sizeof(struct xrep_pptr), &rp->pptr_recs);
if (error)
goto out_xattr_value;
- descr = xchk_xfile_ino_descr(sc, "parent pointer names");
- error = xfblob_create(descr, &rp->pptr_names);
- kfree(descr);
+ error = xfblob_create("parent pointer names", &rp->pptr_names);
if (error)
goto out_recs;
/* Set up some storage for copying attrs before the mapping exchange */
- descr = xchk_xfile_ino_descr(sc,
- "parent pointer retained xattr entries");
- error = xfarray_create(descr, 0, sizeof(struct xrep_parent_xattr),
- &rp->xattr_records);
- kfree(descr);
+ error = xfarray_create("parent pointer xattr entries", 0,
+ sizeof(struct xrep_parent_xattr), &rp->xattr_records);
if (error)
goto out_names;
- descr = xchk_xfile_ino_descr(sc,
- "parent pointer retained xattr values");
- error = xfblob_create(descr, &rp->xattr_blobs);
- kfree(descr);
+ error = xfblob_create("parent pointer xattr values", &rp->xattr_blobs);
if (error)
goto out_attr_keys;
--- a/fs/xfs/scrub/quotacheck.c
+++ b/fs/xfs/scrub/quotacheck.c
@@ -741,7 +741,6 @@ xqcheck_setup_scan(
struct xfs_scrub *sc,
struct xqcheck *xqc)
{
- char *descr;
struct xfs_quotainfo *qi = sc->mp->m_quotainfo;
unsigned long long max_dquots = XFS_DQ_ID_MAX + 1ULL;
int error;
@@ -756,28 +755,22 @@ xqcheck_setup_scan(
error = -ENOMEM;
if (xfs_this_quota_on(sc->mp, XFS_DQTYPE_USER)) {
- descr = xchk_xfile_descr(sc, "user dquot records");
- error = xfarray_create(descr, max_dquots,
+ error = xfarray_create("user dquot records", max_dquots,
sizeof(struct xqcheck_dquot), &xqc->ucounts);
- kfree(descr);
if (error)
goto out_teardown;
}
if (xfs_this_quota_on(sc->mp, XFS_DQTYPE_GROUP)) {
- descr = xchk_xfile_descr(sc, "group dquot records");
- error = xfarray_create(descr, max_dquots,
+ error = xfarray_create("group dquot records", max_dquots,
sizeof(struct xqcheck_dquot), &xqc->gcounts);
- kfree(descr);
if (error)
goto out_teardown;
}
if (xfs_this_quota_on(sc->mp, XFS_DQTYPE_PROJ)) {
- descr = xchk_xfile_descr(sc, "project dquot records");
- error = xfarray_create(descr, max_dquots,
+ error = xfarray_create("project dquot records", max_dquots,
sizeof(struct xqcheck_dquot), &xqc->pcounts);
- kfree(descr);
if (error)
goto out_teardown;
}
--- a/fs/xfs/scrub/refcount_repair.c
+++ b/fs/xfs/scrub/refcount_repair.c
@@ -123,13 +123,7 @@ int
xrep_setup_ag_refcountbt(
struct xfs_scrub *sc)
{
- char *descr;
- int error;
-
- descr = xchk_xfile_ag_descr(sc, "rmap record bag");
- error = xrep_setup_xfbtree(sc, descr);
- kfree(descr);
- return error;
+ return xrep_setup_xfbtree(sc, "rmap record bag");
}
/* Check for any obvious conflicts with this shared/CoW staging extent. */
@@ -705,7 +699,6 @@ xrep_refcountbt(
{
struct xrep_refc *rr;
struct xfs_mount *mp = sc->mp;
- char *descr;
int error;
/* We require the rmapbt to rebuild anything. */
@@ -718,11 +711,9 @@ xrep_refcountbt(
rr->sc = sc;
/* Set up enough storage to handle one refcount record per block. */
- descr = xchk_xfile_ag_descr(sc, "reference count records");
- error = xfarray_create(descr, mp->m_sb.sb_agblocks,
+ error = xfarray_create("reference count records", mp->m_sb.sb_agblocks,
sizeof(struct xfs_refcount_irec),
&rr->refcount_records);
- kfree(descr);
if (error)
goto out_rr;
--- a/fs/xfs/scrub/rmap_repair.c
+++ b/fs/xfs/scrub/rmap_repair.c
@@ -161,14 +161,11 @@ xrep_setup_ag_rmapbt(
struct xfs_scrub *sc)
{
struct xrep_rmap *rr;
- char *descr;
int error;
xchk_fsgates_enable(sc, XCHK_FSGATES_RMAP);
- descr = xchk_xfile_ag_descr(sc, "reverse mapping records");
- error = xrep_setup_xfbtree(sc, descr);
- kfree(descr);
+ error = xrep_setup_xfbtree(sc, "reverse mapping records");
if (error)
return error;
--- a/fs/xfs/scrub/rtsummary.c
+++ b/fs/xfs/scrub/rtsummary.c
@@ -42,7 +42,6 @@ xchk_setup_rtsummary(
struct xfs_scrub *sc)
{
struct xfs_mount *mp = sc->mp;
- char *descr;
struct xchk_rtsummary *rts;
int error;
@@ -62,10 +61,8 @@ xchk_setup_rtsummary(
* Create an xfile to construct a new rtsummary file. The xfile allows
* us to avoid pinning kernel memory for this purpose.
*/
- descr = xchk_xfile_descr(sc, "realtime summary file");
- error = xfile_create(descr, XFS_FSB_TO_B(mp, mp->m_rsumblocks),
- &sc->xfile);
- kfree(descr);
+ error = xfile_create("realtime summary file",
+ XFS_FSB_TO_B(mp, mp->m_rsumblocks), &sc->xfile);
if (error)
return error;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 369/567] platform/x86: hp-bioscfg: Support allocations of larger data
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 368/567] wifi: libertas: fix use-after-free in lbs_free_adapter() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 370/567] x86/sev: Allow IBPB-on-Entry feature for SNP guests Greg Kroah-Hartman
` (8 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Kerry, Mario Limonciello,
Ilpo Järvinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 916727cfdb72cd01fef3fa6746e648f8cb70e713 ]
Some systems have much larger amounts of enumeration attributes
than have been previously encountered. This can lead to page allocation
failures when using kcalloc(). Switch over to using kvcalloc() to
allow larger allocations.
Fixes: 6b2770bfd6f92 ("platform/x86: hp-bioscfg: enum-attributes")
Cc: stable@vger.kernel.org
Reported-by: Paul Kerry <p.kerry@sheffield.ac.uk>
Tested-by: Paul Kerry <p.kerry@sheffield.ac.uk>
Closes: https://bugs.debian.org/1127612
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Link: https://patch.msgid.link/20260225210646.59381-1-mario.limonciello@amd.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ kcalloc() => kvcalloc() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
@@ -96,8 +96,11 @@ int hp_alloc_enumeration_data(void)
bioscfg_drv.enumeration_instances_count =
hp_get_instance_count(HP_WMI_BIOS_ENUMERATION_GUID);
- bioscfg_drv.enumeration_data = kcalloc(bioscfg_drv.enumeration_instances_count,
- sizeof(*bioscfg_drv.enumeration_data), GFP_KERNEL);
+ if (!bioscfg_drv.enumeration_instances_count)
+ return -EINVAL;
+ bioscfg_drv.enumeration_data = kvcalloc(bioscfg_drv.enumeration_instances_count,
+ sizeof(*bioscfg_drv.enumeration_data), GFP_KERNEL);
+
if (!bioscfg_drv.enumeration_data) {
bioscfg_drv.enumeration_instances_count = 0;
return -ENOMEM;
@@ -452,6 +455,6 @@ void hp_exit_enumeration_attributes(void
}
bioscfg_drv.enumeration_instances_count = 0;
- kfree(bioscfg_drv.enumeration_data);
+ kvfree(bioscfg_drv.enumeration_data);
bioscfg_drv.enumeration_data = NULL;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 307/481] drm/amdgpu/mmhub3.0: add bounds checking for cid
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 306/481] drm/amdgpu/mmhub3.0.2: " Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 308/481] drm/radeon: apply state adjust rules to some additional HAINAN vairants Greg Kroah-Hartman
` (8 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Benjamin Cheng, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit cdb82ecbeccb55fae75a3c956b605f7801a30db1 upstream.
The value should never exceed the array size as those
are the only values the hardware is expected to return,
but add checks anyway.
Reviewed-by: Benjamin Cheng <benjamin.cheng@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit f14f27bbe2a3ed7af32d5f6eaf3f417139f45253)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c
@@ -110,7 +110,8 @@ mmhub_v3_0_print_l2_protection_fault_sta
switch (adev->ip_versions[MMHUB_HWIP][0]) {
case IP_VERSION(3, 0, 0):
case IP_VERSION(3, 0, 1):
- mmhub_cid = mmhub_client_ids_v3_0_0[cid][rw];
+ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_v3_0_0) ?
+ mmhub_client_ids_v3_0_0[cid][rw] : NULL;
break;
default:
mmhub_cid = NULL;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 294/460] erofs: fix inline data read failure for ztailpacking pclusters
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 293/460] xfs: get rid of the xchk_xfile_*_descr calls Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 295/460] mm: thp: deny THP for files on anonymous inodes Greg Kroah-Hartman
` (8 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhiguo Niu, Gao Xiang
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gao Xiang <hsiangkao@linux.alibaba.com>
[ Upstream commit c134a40f86efb8d6b5a949ef70e06d5752209be5 ]
Compressed folios for ztailpacking pclusters must be valid before adding
these pclusters to I/O chains. Otherwise, z_erofs_decompress_pcluster()
may assume they are already valid and then trigger a NULL pointer
dereference.
It is somewhat hard to reproduce because the inline data is in the same
block as the tail of the compressed indexes, which are usually read just
before. However, it may still happen if a fatal signal arrives while
read_mapping_folio() is running, as shown below:
erofs: (device dm-1): z_erofs_pcluster_begin: failed to get inline data -4
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
...
pc : z_erofs_decompress_queue+0x4c8/0xa14
lr : z_erofs_decompress_queue+0x160/0xa14
sp : ffffffc08b3eb3a0
x29: ffffffc08b3eb570 x28: ffffffc08b3eb418 x27: 0000000000001000
x26: ffffff8086ebdbb8 x25: ffffff8086ebdbb8 x24: 0000000000000001
x23: 0000000000000008 x22: 00000000fffffffb x21: dead000000000700
x20: 00000000000015e7 x19: ffffff808babb400 x18: ffffffc089edc098
x17: 00000000c006287d x16: 00000000c006287d x15: 0000000000000004
x14: ffffff80ba8f8000 x13: 0000000000000004 x12: 00000006589a77c9
x11: 0000000000000015 x10: 0000000000000000 x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 0000000000000040 x4 : ffffffffffffffe0 x3 : 0000000000000020
x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
z_erofs_decompress_queue+0x4c8/0xa14
z_erofs_runqueue+0x908/0x97c
z_erofs_read_folio+0x128/0x228
filemap_read_folio+0x68/0x128
filemap_get_pages+0x44c/0x8b4
filemap_read+0x12c/0x5b8
generic_file_read_iter+0x4c/0x15c
do_iter_readv_writev+0x188/0x1e0
vfs_iter_read+0xac/0x1a4
backing_file_read_iter+0x170/0x34c
ovl_read_iter+0xf0/0x140
vfs_read+0x28c/0x344
ksys_read+0x80/0xf0
__arm64_sys_read+0x24/0x34
invoke_syscall+0x60/0x114
el0_svc_common+0x88/0xe4
do_el0_svc+0x24/0x30
el0_svc+0x40/0xa8
el0t_64_sync_handler+0x70/0xbc
el0t_64_sync+0x1bc/0x1c0
Fix this by reading the inline data before allocating and adding
the pclusters to the I/O chains.
Fixes: cecf864d3d76 ("erofs: support inline data decompression")
Reported-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Reviewed-and-tested-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/erofs/zdata.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
--- a/fs/erofs/zdata.c
+++ b/fs/erofs/zdata.c
@@ -787,6 +787,7 @@ static int z_erofs_pcluster_begin(struct
struct super_block *sb = fe->inode->i_sb;
erofs_blk_t blknr = erofs_blknr(sb, map->m_pa);
struct z_erofs_pcluster *pcl = NULL;
+ void *ptr = NULL;
int ret;
DBG_BUGON(fe->pcl);
@@ -807,6 +808,14 @@ static int z_erofs_pcluster_begin(struct
} else if ((map->m_pa & ~PAGE_MASK) + map->m_plen > PAGE_SIZE) {
DBG_BUGON(1);
return -EFSCORRUPTED;
+ } else {
+ ptr = erofs_read_metabuf(&map->buf, sb, map->m_pa, EROFS_NO_KMAP);
+ if (IS_ERR(ptr)) {
+ erofs_err(sb, "failed to read inline data %pe @ pa %llu of nid %llu",
+ ptr, map->m_pa, EROFS_I(fe->inode)->nid);
+ return PTR_ERR(ptr);
+ }
+ ptr = map->buf.page;
}
if (pcl) {
@@ -836,16 +845,8 @@ static int z_erofs_pcluster_begin(struct
/* bind cache first when cached decompression is preferred */
z_erofs_bind_cache(fe);
} else {
- void *mptr;
-
- mptr = erofs_read_metabuf(&map->buf, sb, map->m_pa, EROFS_NO_KMAP);
- if (IS_ERR(mptr)) {
- ret = PTR_ERR(mptr);
- erofs_err(sb, "failed to get inline data %d", ret);
- return ret;
- }
- get_page(map->buf.page);
- WRITE_ONCE(fe->pcl->compressed_bvecs[0].page, map->buf.page);
+ get_page((struct page *)ptr);
+ WRITE_ONCE(fe->pcl->compressed_bvecs[0].page, ptr);
fe->pcl->pageofs_in = map->m_pa & ~PAGE_MASK;
fe->mode = Z_EROFS_PCLUSTER_FOLLOWED_NOINPLACE;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 370/567] x86/sev: Allow IBPB-on-Entry feature for SNP guests
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 369/567] platform/x86: hp-bioscfg: Support allocations of larger data Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 371/567] gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL Greg Kroah-Hartman
` (7 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kim Phillips, Borislav Petkov (AMD),
Nikunj A Dadhania, Tom Lendacky, stable, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kim Phillips <kim.phillips@amd.com>
[ Upstream commit 9073428bb204d921ae15326bb7d4558d9d269aab ]
The SEV-SNP IBPB-on-Entry feature does not require a guest-side
implementation. It was added in Zen5 h/w, after the first SNP Zen
implementation, and thus was not accounted for when the initial set of SNP
features were added to the kernel.
In its abundant precaution, commit
8c29f0165405 ("x86/sev: Add SEV-SNP guest feature negotiation support")
included SEV_STATUS' IBPB-on-Entry bit as a reserved bit, thereby masking
guests from using the feature.
Allow guests to make use of IBPB-on-Entry when supported by the hypervisor, as
the bit is now architecturally defined and safe to expose.
Fixes: 8c29f0165405 ("x86/sev: Add SEV-SNP guest feature negotiation support")
Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Nikunj A Dadhania <nikunj@amd.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Cc: stable@kernel.org
Link: https://patch.msgid.link/20260203222405.4065706-2-kim.phillips@amd.com
[ No SECURE_AVIC ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/boot/compressed/sev.c | 1 +
arch/x86/include/asm/msr-index.h | 5 ++++-
2 files changed, 5 insertions(+), 1 deletion(-)
--- a/arch/x86/boot/compressed/sev.c
+++ b/arch/x86/boot/compressed/sev.c
@@ -341,6 +341,7 @@ static void enforce_vmpl0(void)
MSR_AMD64_SNP_VMSA_REG_PROTECTION | \
MSR_AMD64_SNP_RESERVED_BIT13 | \
MSR_AMD64_SNP_RESERVED_BIT15 | \
+ MSR_AMD64_SNP_RESERVED_BITS18_22 | \
MSR_AMD64_SNP_RESERVED_MASK)
/*
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -632,11 +632,14 @@
#define MSR_AMD64_SNP_IBS_VIRT BIT_ULL(14)
#define MSR_AMD64_SNP_VMSA_REG_PROTECTION BIT_ULL(16)
#define MSR_AMD64_SNP_SMT_PROTECTION BIT_ULL(17)
+#define MSR_AMD64_SNP_IBPB_ON_ENTRY_BIT 23
+#define MSR_AMD64_SNP_IBPB_ON_ENTRY BIT_ULL(MSR_AMD64_SNP_IBPB_ON_ENTRY_BIT)
/* SNP feature bits reserved for future use. */
#define MSR_AMD64_SNP_RESERVED_BIT13 BIT_ULL(13)
#define MSR_AMD64_SNP_RESERVED_BIT15 BIT_ULL(15)
-#define MSR_AMD64_SNP_RESERVED_MASK GENMASK_ULL(63, 18)
+#define MSR_AMD64_SNP_RESERVED_BITS18_22 GENMASK_ULL(22, 18)
+#define MSR_AMD64_SNP_RESERVED_MASK GENMASK_ULL(63, 24)
#define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 308/481] drm/radeon: apply state adjust rules to some additional HAINAN vairants
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 307/481] drm/amdgpu/mmhub3.0: " Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 309/481] drm/amdgpu: " Greg Kroah-Hartman
` (7 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 86650ee2241ff84207eaa298ab318533f3c21a38 upstream.
They need a similar workaround.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/1839
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 87327658c848f56eac166cb382b57b83bf06c5ac)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/radeon/si_dpm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/radeon/si_dpm.c
+++ b/drivers/gpu/drm/radeon/si_dpm.c
@@ -2959,9 +2959,11 @@ static void si_apply_state_adjust_rules(
if (rdev->family == CHIP_HAINAN) {
if ((rdev->pdev->revision == 0x81) ||
(rdev->pdev->revision == 0xC3) ||
+ (rdev->pdev->device == 0x6660) ||
(rdev->pdev->device == 0x6664) ||
(rdev->pdev->device == 0x6665) ||
- (rdev->pdev->device == 0x6667)) {
+ (rdev->pdev->device == 0x6667) ||
+ (rdev->pdev->device == 0x666F)) {
max_sclk = 75000;
}
if ((rdev->pdev->revision == 0xC3) ||
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 295/460] mm: thp: deny THP for files on anonymous inodes
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 294/460] erofs: fix inline data read failure for ztailpacking pclusters Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 296/460] sched_ext: Remove redundant css_put() in scx_cgroup_init() Greg Kroah-Hartman
` (7 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Deepanshu Kartikey,
syzbot+33a04338019ac7e43a44, Lance Yang, David Hildenbrand (Arm),
Barry Song, Ackerley Tng, Lorenzo Stoakes, Baolin Wang, Dev Jain,
Fangrui Song, Liam Howlett, Nico Pache, Ryan Roberts, Yang Shi,
Zi Yan, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit dd085fe9a8ebfc5d10314c60452db38d2b75e609 upstream.
file_thp_enabled() incorrectly allows THP for files on anonymous inodes
(e.g. guest_memfd and secretmem). These files are created via
alloc_file_pseudo(), which does not call get_write_access() and leaves
inode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being
true, they appear as read-only regular files when
CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP
collapse.
Anonymous inodes can never pass the inode_is_open_for_write() check
since their i_writecount is never incremented through the normal VFS
open path. The right thing to do is to exclude them from THP eligibility
altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real
filesystem files (e.g. shared libraries), not for pseudo-filesystem
inodes.
For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create
large folios in the page cache via the collapse path, but the
guest_memfd fault handler does not support large folios. This triggers
WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().
For secretmem, collapse_file() tries to copy page contents through the
direct map, but secretmem pages are removed from the direct map. This
can result in a kernel crash:
BUG: unable to handle page fault for address: ffff88810284d000
RIP: 0010:memcpy_orig+0x16/0x130
Call Trace:
collapse_file
hpage_collapse_scan_file
madvise_collapse
Secretmem is not affected by the crash on upstream as the memory failure
recovery handles the failed copy gracefully, but it still triggers
confusing false memory failure reports:
Memory failure: 0x106d96f: recovery action for clean unevictable
LRU page: Recovered
Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all
anonymous inode files.
Link: https://syzkaller.appspot.com/bug?extid=33a04338019ac7e43a44
Link: https://lore.kernel.org/linux-mm/CAEvNRgHegcz3ro35ixkDw39ES8=U6rs6S7iP0gkR9enr7HoGtA@mail.gmail.com
Link: https://lkml.kernel.org/r/20260214001535.435626-1-kartikey406@gmail.com
Fixes: 7fbb5e188248 ("mm: remove VM_EXEC requirement for THP eligibility")
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
Reported-by: syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=33a04338019ac7e43a44
Tested-by: syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com
Tested-by: Lance Yang <lance.yang@linux.dev>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Reviewed-by: Barry Song <baohua@kernel.org>
Reviewed-by: Ackerley Tng <ackerleytng@google.com>
Tested-by: Ackerley Tng <ackerleytng@google.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Dev Jain <dev.jain@arm.com>
Cc: Fangrui Song <i@maskray.me>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Nico Pache <npache@redhat.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Yang Shi <shy828301@gmail.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ Ackerley: we don't have IS_ANON_FILE() yet. As guest_memfd does
not apply yet, simply check for secretmem explicitly. ]
Signed-off-by: Ackerley Tng <ackerleytng@google.com>
Reviewed-by: David Hildenbrand (Arm) <david@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/huge_mm.h | 4 ++++
1 file changed, 4 insertions(+)
--- a/include/linux/huge_mm.h
+++ b/include/linux/huge_mm.h
@@ -7,6 +7,7 @@
#include <linux/fs.h> /* only for vma_is_dax() */
#include <linux/kobject.h>
+#include <linux/secretmem.h>
vm_fault_t do_huge_pmd_anonymous_page(struct vm_fault *vmf);
int copy_huge_pmd(struct mm_struct *dst_mm, struct mm_struct *src_mm,
@@ -262,6 +263,9 @@ static inline bool file_thp_enabled(stru
inode = vma->vm_file->f_inode;
+ if (secretmem_mapping(inode->i_mapping))
+ return false;
+
return (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS)) &&
!inode_is_open_for_write(inode) && S_ISREG(inode->i_mode);
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 371/567] gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 370/567] x86/sev: Allow IBPB-on-Entry feature for SNP guests Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 372/567] net: phy: register phy led_triggers during probe to avoid AB-BA deadlock Greg Kroah-Hartman
` (6 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ankit Garg, Jordan Rhee,
Harshitha Ramamurthy, Joshua Washington, Simon Horman,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ankit Garg <nktgrg@google.com>
[ Upstream commit fb868db5f4bccd7a78219313ab2917429f715cea ]
In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA
buffer cleanup path. It iterates num_bufs times and attempts to unmap
entries in the dma array.
This leads to two issues:
1. The dma array shares storage with tx_qpl_buf_ids (union).
Interpreting buffer IDs as DMA addresses results in attempting to
unmap incorrect memory locations.
2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed
the size of the dma array, causing out-of-bounds access warnings
(trace below is how we noticed this issue).
UBSAN: array-index-out-of-bounds in
drivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out of
range for type 'dma_addr_t[18]' (aka 'unsigned long long[18]')
Workqueue: gve gve_service_task [gve]
Call Trace:
<TASK>
dump_stack_lvl+0x33/0xa0
__ubsan_handle_out_of_bounds+0xdc/0x110
gve_tx_stop_ring_dqo+0x182/0x200 [gve]
gve_close+0x1be/0x450 [gve]
gve_reset+0x99/0x120 [gve]
gve_service_task+0x61/0x100 [gve]
process_scheduled_works+0x1e9/0x380
Fix this by properly checking for QPL mode and delegating to
gve_free_tx_qpl_bufs() to reclaim the buffers.
Cc: stable@vger.kernel.org
Fixes: a6fb8d5a8b69 ("gve: Tx path for DQO-QPL")
Signed-off-by: Ankit Garg <nktgrg@google.com>
Reviewed-by: Jordan Rhee <jordanrhee@google.com>
Reviewed-by: Harshitha Ramamurthy <hramamurthy@google.com>
Signed-off-by: Joshua Washington <joshwash@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260220215324.1631350-1-joshwash@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ netmem_dma_unmap_page_attrs() => dma_unmap_page() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/google/gve/gve_tx_dqo.c | 52 +++++++++++----------------
1 file changed, 23 insertions(+), 29 deletions(-)
--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c
+++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
@@ -157,6 +157,24 @@ gve_free_pending_packet(struct gve_tx_ri
}
}
+static void gve_unmap_packet(struct device *dev,
+ struct gve_tx_pending_packet_dqo *pkt)
+{
+ int i;
+
+ if (!pkt->num_bufs)
+ return;
+
+ /* SKB linear portion is guaranteed to be mapped */
+ dma_unmap_single(dev, dma_unmap_addr(pkt, dma[0]),
+ dma_unmap_len(pkt, len[0]), DMA_TO_DEVICE);
+ for (i = 1; i < pkt->num_bufs; i++) {
+ dma_unmap_page(dev, dma_unmap_addr(pkt, dma[i]),
+ dma_unmap_len(pkt, len[i]), DMA_TO_DEVICE);
+ }
+ pkt->num_bufs = 0;
+}
+
/* gve_tx_free_desc - Cleans up all pending tx requests and buffers.
*/
static void gve_tx_clean_pending_packets(struct gve_tx_ring *tx)
@@ -166,21 +184,12 @@ static void gve_tx_clean_pending_packets
for (i = 0; i < tx->dqo.num_pending_packets; i++) {
struct gve_tx_pending_packet_dqo *cur_state =
&tx->dqo.pending_packets[i];
- int j;
- for (j = 0; j < cur_state->num_bufs; j++) {
- if (j == 0) {
- dma_unmap_single(tx->dev,
- dma_unmap_addr(cur_state, dma[j]),
- dma_unmap_len(cur_state, len[j]),
- DMA_TO_DEVICE);
- } else {
- dma_unmap_page(tx->dev,
- dma_unmap_addr(cur_state, dma[j]),
- dma_unmap_len(cur_state, len[j]),
- DMA_TO_DEVICE);
- }
- }
+ if (tx->dqo.qpl)
+ gve_free_tx_qpl_bufs(tx, cur_state);
+ else
+ gve_unmap_packet(tx->dev, cur_state);
+
if (cur_state->skb) {
dev_consume_skb_any(cur_state->skb);
cur_state->skb = NULL;
@@ -992,21 +1001,6 @@ static void remove_from_list(struct gve_
}
}
-static void gve_unmap_packet(struct device *dev,
- struct gve_tx_pending_packet_dqo *pkt)
-{
- int i;
-
- /* SKB linear portion is guaranteed to be mapped */
- dma_unmap_single(dev, dma_unmap_addr(pkt, dma[0]),
- dma_unmap_len(pkt, len[0]), DMA_TO_DEVICE);
- for (i = 1; i < pkt->num_bufs; i++) {
- dma_unmap_page(dev, dma_unmap_addr(pkt, dma[i]),
- dma_unmap_len(pkt, len[i]), DMA_TO_DEVICE);
- }
- pkt->num_bufs = 0;
-}
-
/* Completion types and expected behavior:
* No Miss compl + Packet compl = Packet completed normally.
* Miss compl + Re-inject compl = Packet completed normally.
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 309/481] drm/amdgpu: apply state adjust rules to some additional HAINAN vairants
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 308/481] drm/radeon: apply state adjust rules to some additional HAINAN vairants Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 310/481] mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count Greg Kroah-Hartman
` (6 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 9787f7da186ee8143b7b6d914cfa0b6e7fee2648 upstream.
They need a similar workaround.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/1839
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 0de31d92a173d3d94f28051b0b80a6c98913aed4)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
+++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
@@ -3439,9 +3439,11 @@ static void si_apply_state_adjust_rules(
if (adev->asic_type == CHIP_HAINAN) {
if ((adev->pdev->revision == 0x81) ||
(adev->pdev->revision == 0xC3) ||
+ (adev->pdev->device == 0x6660) ||
(adev->pdev->device == 0x6664) ||
(adev->pdev->device == 0x6665) ||
- (adev->pdev->device == 0x6667)) {
+ (adev->pdev->device == 0x6667) ||
+ (adev->pdev->device == 0x666F)) {
max_sclk = 75000;
}
if ((adev->pdev->revision == 0xC3) ||
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 296/460] sched_ext: Remove redundant css_put() in scx_cgroup_init()
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 295/460] mm: thp: deny THP for files on anonymous inodes Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 297/460] io_uring/kbuf: check if target buffer list is still legacy on recycle Greg Kroah-Hartman
` (6 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cheng-Yang Chou, Andrea Righi,
Tejun Heo
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cheng-Yang Chou <yphbchou0911@gmail.com>
commit 1336b579f6079fb8520be03624fcd9ba443c930b upstream.
The iterator css_for_each_descendant_pre() walks the cgroup hierarchy
under cgroup_lock(). It does not increment the reference counts on
yielded css structs.
According to the cgroup documentation, css_put() should only be used
to release a reference obtained via css_get() or css_tryget_online().
Since the iterator does not use either of these to acquire a reference,
calling css_put() in the error path of scx_cgroup_init() causes a
refcount underflow.
Remove the unbalanced css_put() to prevent a potential Use-After-Free
(UAF) vulnerability.
Fixes: 819513666966 ("sched_ext: Add cgroup support")
Cc: stable@vger.kernel.org # v6.12+
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 1 -
1 file changed, 1 deletion(-)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -4319,7 +4319,6 @@ static int scx_cgroup_init(void)
ret = SCX_CALL_OP_RET(SCX_KF_UNLOCKED, cgroup_init,
css->cgroup, &args);
if (ret) {
- css_put(css);
scx_ops_error("ops.cgroup_init() failed (%d)", ret);
return ret;
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 372/567] net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 371/567] gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 373/567] drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink Greg Kroah-Hartman
` (5 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shiji Yang, Andrew Lunn, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Lunn <andrew@lunn.ch>
[ Upstream commit c8dbdc6e380e7e96a51706db3e4b7870d8a9402d ]
There is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and
LED_TRIGGER_PHY are enabled:
[ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc <-- Trying to get lock "triggers_list_lock" via down_write(&triggers_list_lock);
[ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234
[ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c
[ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c
[ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0
[ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0
[ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c
[ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78
[ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654 <-- Hold lock "rtnl_mutex" by calling rtnl_lock();
[ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0
[ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c
[ 1362.104022] [<80014504>] syscall_common+0x34/0x58
Here LED_TRIGGER_PHY is registering LED triggers during phy_attach
while holding RTNL and then taking triggers_list_lock.
[ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168 <-- Trying to get lock "rtnl_mutex" via rtnl_lock();
[ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4
[ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360 <-- Hold lock "triggers_list_lock" by down_read(&triggers_list_lock);
[ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c
[ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc
[ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c
[ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4
[ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c
[ 1362.232164] [<80014504>] syscall_common+0x34/0x58
Here LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes
triggers_list_lock and then RTNL. A classical AB-BA deadlock.
phy_led_triggers_registers() does not require the RTNL, it does not
make any calls into the network stack which require protection. There
is also no requirement the PHY has been attached to a MAC, the
triggers only make use of phydev state. This allows the call to
phy_led_triggers_registers() to be placed elsewhere. PHY probe() and
release() don't hold RTNL, so solving the AB-BA deadlock.
Reported-by: Shiji Yang <yangshiji66@outlook.com>
Closes: https://lore.kernel.org/all/OS7PR01MB13602B128BA1AD3FA38B6D1FFBC69A@OS7PR01MB13602.jpnprd01.prod.outlook.com/
Fixes: 06f502f57d0d ("leds: trigger: Introduce a NETDEV trigger")
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Tested-by: Shiji Yang <yangshiji66@outlook.com>
Link: https://patch.msgid.link/20260222152601.1978655-1-andrew@lunn.ch
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ adapted condition to preserve existing `!phy_driver_is_genphy_10g(phydev)` guard ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/phy/phy_device.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -1582,8 +1582,6 @@ int phy_attach_direct(struct net_device
goto error;
phy_resume(phydev);
- if (!phydev->is_on_sfp_module)
- phy_led_triggers_register(phydev);
/**
* If the external phy used by current mac interface is managed by
@@ -1856,9 +1854,6 @@ void phy_detach(struct phy_device *phyde
phydev->phy_link_change = NULL;
phydev->phylink = NULL;
- if (!phydev->is_on_sfp_module)
- phy_led_triggers_unregister(phydev);
-
if (phydev->mdio.dev.driver)
module_put(phydev->mdio.dev.driver->owner);
@@ -3402,17 +3397,28 @@ static int phy_probe(struct device *dev)
/* Set the state to READY by default */
phydev->state = PHY_READY;
+ /* Register the PHY LED triggers */
+ if (!phydev->is_on_sfp_module)
+ phy_led_triggers_register(phydev);
+
/* Get the LEDs from the device tree, and instantiate standard
* LEDs for them.
*/
if (IS_ENABLED(CONFIG_PHYLIB_LEDS) && !phy_driver_is_genphy(phydev) &&
- !phy_driver_is_genphy_10g(phydev))
+ !phy_driver_is_genphy_10g(phydev)) {
err = of_phy_leds(phydev);
+ if (err)
+ goto out;
+ }
+
+ return 0;
out:
+ if (!phydev->is_on_sfp_module)
+ phy_led_triggers_unregister(phydev);
+
/* Re-assert the reset signal on error */
- if (err)
- phy_device_reset(phydev, 1);
+ phy_device_reset(phydev, 1);
return err;
}
@@ -3427,6 +3433,9 @@ static int phy_remove(struct device *dev
!phy_driver_is_genphy_10g(phydev))
phy_leds_unregister(phydev);
+ if (!phydev->is_on_sfp_module)
+ phy_led_triggers_unregister(phydev);
+
phydev->state = PHY_DOWN;
sfp_bus_del_upstream(phydev->sfp_bus);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 310/481] mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 309/481] drm/amdgpu: " Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 311/481] mm/hugetlb: fix hugetlb_pmd_shared() Greg Kroah-Hartman
` (5 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jane Chu, Harry Yoo, Oscar Salvador,
David Hildenbrand, Jann Horn, Liu Shixin, Muchun Song,
Andrew Morton, David Hildenbrand (Arm)
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jane Chu <jane.chu@oracle.com>
commit 14967a9c7d247841b0312c48dcf8cd29e55a4cc8 upstream.
commit 59d9094df3d79 ("mm: hugetlb: independent PMD page table shared
count") introduced ->pt_share_count dedicated to hugetlb PMD share count
tracking, but omitted fixing copy_hugetlb_page_range(), leaving the
function relying on page_count() for tracking that no longer works.
When lazy page table copy for hugetlb is disabled, that is, revert commit
bcd51a3c679d ("hugetlb: lazy page table copies in fork()") fork()'ing with
hugetlb PMD sharing quickly lockup -
[ 239.446559] watchdog: BUG: soft lockup - CPU#75 stuck for 27s!
[ 239.446611] RIP: 0010:native_queued_spin_lock_slowpath+0x7e/0x2e0
[ 239.446631] Call Trace:
[ 239.446633] <TASK>
[ 239.446636] _raw_spin_lock+0x3f/0x60
[ 239.446639] copy_hugetlb_page_range+0x258/0xb50
[ 239.446645] copy_page_range+0x22b/0x2c0
[ 239.446651] dup_mmap+0x3e2/0x770
[ 239.446654] dup_mm.constprop.0+0x5e/0x230
[ 239.446657] copy_process+0xd17/0x1760
[ 239.446660] kernel_clone+0xc0/0x3e0
[ 239.446661] __do_sys_clone+0x65/0xa0
[ 239.446664] do_syscall_64+0x82/0x930
[ 239.446668] ? count_memcg_events+0xd2/0x190
[ 239.446671] ? syscall_trace_enter+0x14e/0x1f0
[ 239.446676] ? syscall_exit_work+0x118/0x150
[ 239.446677] ? arch_exit_to_user_mode_prepare.constprop.0+0x9/0xb0
[ 239.446681] ? clear_bhb_loop+0x30/0x80
[ 239.446684] ? clear_bhb_loop+0x30/0x80
[ 239.446686] entry_SYSCALL_64_after_hwframe+0x76/0x7e
There are two options to resolve the potential latent issue:
1. warn against PMD sharing in copy_hugetlb_page_range(),
2. fix it.
This patch opts for the second option.
While at it, simplify the comment, the details are not actually relevant
anymore.
Link: https://lkml.kernel.org/r/20250916004520.1604530-1-jane.chu@oracle.com
Fixes: 59d9094df3d7 ("mm: hugetlb: independent PMD page table shared count")
Signed-off-by: Jane Chu <jane.chu@oracle.com>
Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
Acked-by: Oscar Salvador <osalvador@suse.de>
Acked-by: David Hildenbrand <david@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Liu Shixin <liushixin2@huawei.com>
Cc: Muchun Song <muchun.song@linux.dev>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ David: We don't have ptdesc and the wrappers, so work directly on the
page->pt_share_count. CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING is still
called CONFIG_ARCH_WANT_HUGE_PMD_SHARE. ]
Signed-off-by: David Hildenbrand (Arm) <david@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/hugetlb.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -5084,18 +5084,13 @@ int copy_hugetlb_page_range(struct mm_st
break;
}
- /*
- * If the pagetables are shared don't copy or take references.
- *
- * dst_pte == src_pte is the common case of src/dest sharing.
- * However, src could have 'unshared' and dst shares with
- * another vma. So page_count of ptep page is checked instead
- * to reliably determine whether pte is shared.
- */
- if (page_count(virt_to_page(dst_pte)) > 1) {
+#ifdef CONFIG_ARCH_WANT_HUGE_PMD_SHARE
+ /* If the pagetables are shared, there is nothing to do */
+ if (atomic_read(&virt_to_page(dst_pte)->pt_share_count)) {
addr |= last_addr_mask;
continue;
}
+#endif
dst_ptl = huge_pte_lock(h, dst, dst_pte);
src_ptl = huge_pte_lockptr(h, src, src_pte);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 297/460] io_uring/kbuf: check if target buffer list is still legacy on recycle
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 296/460] sched_ext: Remove redundant css_put() in scx_cgroup_init() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 298/460] sched/fair: Fix zero_vruntime tracking Greg Kroah-Hartman
` (5 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Keenan Dong, Jens Axboe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
Commit c2c185be5c85d37215397c8e8781abf0a69bec1f upstream.
There's a gap between when the buffer was grabbed and when it
potentially gets recycled, where if the list is empty, someone could've
upgraded it to a ring provided type. This can happen if the request
is forced via io-wq. The legacy recycling is missing checking if the
buffer_list still exists, and if it's of the correct type. Add those
checks.
Cc: stable@vger.kernel.org
Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/kbuf.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -62,9 +62,17 @@ bool io_kbuf_recycle_legacy(struct io_ki
buf = req->kbuf;
bl = io_buffer_get_list(ctx, buf->bgid);
- list_add(&buf->list, &bl->buf_list);
- req->flags &= ~REQ_F_BUFFER_SELECTED;
+ /*
+ * If the buffer list was upgraded to a ring-based one, or removed,
+ * while the request was in-flight in io-wq, drop it.
+ */
req->buf_index = buf->bgid;
+ if (bl && !(bl->flags & IOBL_BUF_RING))
+ list_add(&buf->list, &bl->buf_list);
+ else
+ kmem_cache_free(io_buf_cachep, buf);
+ req->flags &= ~REQ_F_BUFFER_SELECTED;
+ req->kbuf = NULL;
io_ring_submit_unlock(ctx, issue_flags);
return true;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 373/567] drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 372/567] net: phy: register phy led_triggers during probe to avoid AB-BA deadlock Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 374/567] mptcp: pm: avoid sending RM_ADDR over same subflow Greg Kroah-Hartman
` (4 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Natalie Vock, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Natalie Vock <natalie.vock@gmx.de>
[ Upstream commit 28dfe4317541e57fe52f9a290394cd29c348228b ]
This can be called while preemption is disabled, for example by
dcn32_internal_validate_bw which is called with the FPU active.
Fixes "BUG: scheduling while atomic" messages I encounter on my Navi31
machine.
Signed-off-by: Natalie Vock <natalie.vock@gmx.de>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit b42dae2ebc5c84a68de63ec4ffdfec49362d53f1)
Cc: stable@vger.kernel.org
[ Context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
@@ -164,7 +164,7 @@ struct dc_stream_state *dc_create_stream
if (sink == NULL)
return NULL;
- stream = kzalloc(sizeof(struct dc_stream_state), GFP_KERNEL);
+ stream = kzalloc(sizeof(struct dc_stream_state), GFP_ATOMIC);
if (stream == NULL)
goto alloc_fail;
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 311/481] mm/hugetlb: fix hugetlb_pmd_shared()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 310/481] mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 312/481] mm/hugetlb: fix two comments related to huge_pmd_unshare() Greg Kroah-Hartman
` (4 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand (Red Hat),
Rik van Riel, Lance Yang, Harry Yoo, Laurence Oberman,
Lorenzo Stoakes, Oscar Salvador, Liu Shixin, Uschakow, Stanislav,
Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand (Red Hat) <david@kernel.org>
commit ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216 upstream.
Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using
mmu_gather)", v3.
One functional fix, one performance regression fix, and two related
comment fixes.
I cleaned up my prototype I recently shared [1] for the performance fix,
deferring most of the cleanups I had in the prototype to a later point.
While doing that I identified the other things.
The goal of this patch set is to be backported to stable trees "fairly"
easily. At least patch #1 and #4.
Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing
Patch #2 + #3 are simple comment fixes that patch #4 interacts with.
Patch #4 is a fix for the reported performance regression due to excessive
IPI broadcasts during fork()+exit().
The last patch is all about TLB flushes, IPIs and mmu_gather.
Read: complicated
There are plenty of cleanups in the future to be had + one reasonable
optimization on x86. But that's all out of scope for this series.
Runtime tested, with a focus on fixing the performance regression using
the original reproducer [2] on x86.
This patch (of 4):
We switched from (wrongly) using the page count to an independent shared
count. Now, shared page tables have a refcount of 1 (excluding
speculative references) and instead use ptdesc->pt_share_count to identify
sharing.
We didn't convert hugetlb_pmd_shared(), so right now, we would never
detect a shared PMD table as such, because sharing/unsharing no longer
touches the refcount of a PMD table.
Page migration, like mbind() or migrate_pages() would allow for migrating
folios mapped into such shared PMD tables, even though the folios are not
exclusive. In smaps we would account them as "private" although they are
"shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the
pagemap interface.
Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().
Link: https://lkml.kernel.org/r/20251223214037.580860-1-david@kernel.org
Link: https://lkml.kernel.org/r/20251223214037.580860-2-david@kernel.org
Link: https://lore.kernel.org/all/8cab934d-4a56-44aa-b641-bfd7e23bd673@kernel.org/ [1]
Link: https://lore.kernel.org/all/8cab934d-4a56-44aa-b641-bfd7e23bd673@kernel.org/ [2]
Fixes: 59d9094df3d7 ("mm: hugetlb: independent PMD page table shared count")
Signed-off-by: David Hildenbrand (Red Hat) <david@kernel.org>
Reviewed-by: Rik van Riel <riel@surriel.com>
Reviewed-by: Lance Yang <lance.yang@linux.dev>
Tested-by: Lance Yang <lance.yang@linux.dev>
Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
Tested-by: Laurence Oberman <loberman@redhat.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Oscar Salvador <osalvador@suse.de>
Cc: Liu Shixin <liushixin2@huawei.com>
Cc: "Uschakow, Stanislav" <suschako@amazon.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ David: We don't have ptdesc and the wrappers, so work directly on
page->pt_share_count. ]
Signed-off-by: David Hildenbrand (Arm) <david@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/hugetlb.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -1241,7 +1241,7 @@ static inline __init void hugetlb_cma_re
#ifdef CONFIG_ARCH_WANT_HUGE_PMD_SHARE
static inline bool hugetlb_pmd_shared(pte_t *pte)
{
- return page_count(virt_to_page(pte)) > 1;
+ return atomic_read(&virt_to_page(pte)->pt_share_count);
}
#else
static inline bool hugetlb_pmd_shared(pte_t *pte)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 298/460] sched/fair: Fix zero_vruntime tracking
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 297/460] io_uring/kbuf: check if target buffer list is still legacy on recycle Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 299/460] s390/stackleak: Fix __stackleak_poison() inline assembly constraint Greg Kroah-Hartman
` (4 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, K Prateek Nayak,
Peter Zijlstra (Intel), Shubhang Kaushik, Eric Hagberg
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit b3d99f43c72b56cf7a104a364e7fb34b0702828b upstream.
It turns out that zero_vruntime tracking is broken when there is but a single
task running. Current update paths are through __{en,de}queue_entity(), and
when there is but a single task, pick_next_task() will always return that one
task, and put_prev_set_next_task() will end up in neither function.
This can cause entity_key() to grow indefinitely large and cause overflows,
leading to much pain and suffering.
Furtermore, doing update_zero_vruntime() from __{de,en}queue_entity(), which
are called from {set_next,put_prev}_entity() has problems because:
- set_next_entity() calls __dequeue_entity() before it does cfs_rq->curr = se.
This means the avg_vruntime() will see the removal but not current, missing
the entity for accounting.
- put_prev_entity() calls __enqueue_entity() before it does cfs_rq->curr =
NULL. This means the avg_vruntime() will see the addition *and* current,
leading to double accounting.
Both cases are incorrect/inconsistent.
Noting that avg_vruntime is already called on each {en,de}queue, remove the
explicit avg_vruntime() calls (which removes an extra 64bit division for each
{en,de}queue) and have avg_vruntime() update zero_vruntime itself.
Additionally, have the tick call avg_vruntime() -- discarding the result, but
for the side-effect of updating zero_vruntime.
While there, optimize avg_vruntime() by noting that the average of one value is
rather trivial to compute.
Test case:
# taskset -c -p 1 $$
# taskset -c 2 bash -c 'while :; do :; done&'
# cat /sys/kernel/debug/sched/debug | awk '/^cpu#/ {P=0} /^cpu#2,/ {P=1} {if (P) print $0}' | grep -e zero_vruntime -e "^>"
PRE:
.zero_vruntime : 31316.407903
>R bash 487 50787.345112 E 50789.145972 2.800000 50780.298364 16 120 0.000000 0.000000 0.000000 /
.zero_vruntime : 382548.253179
>R bash 487 427275.204288 E 427276.003584 2.800000 427268.157540 23 120 0.000000 0.000000 0.000000 /
POST:
.zero_vruntime : 17259.709467
>R bash 526 17259.709467 E 17262.509467 2.800000 16915.031624 9 120 0.000000 0.000000 0.000000 /
.zero_vruntime : 18702.723356
>R bash 526 18702.723356 E 18705.523356 2.800000 18358.045513 9 120 0.000000 0.000000 0.000000 /
Fixes: 79f3f9bedd14 ("sched/eevdf: Fix min_vruntime vs avg_vruntime")
Reported-by: K Prateek Nayak <kprateek.nayak@amd.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: K Prateek Nayak <kprateek.nayak@amd.com>
Tested-by: Shubhang Kaushik <shubhang@os.amperecomputing.com>
Link: https://patch.msgid.link/20260219080624.438854780%40infradead.org
Tested-by: Eric Hagberg <ehagberg@janestreet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/fair.c | 84 +++++++++++++++++++++++++++++++++++-----------------
1 file changed, 57 insertions(+), 27 deletions(-)
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -551,6 +551,21 @@ static inline bool entity_before(const s
return (s64)(a->deadline - b->deadline) < 0;
}
+/*
+ * Per avg_vruntime() below, cfs_rq::zero_vruntime is only slightly stale
+ * and this value should be no more than two lag bounds. Which puts it in the
+ * general order of:
+ *
+ * (slice + TICK_NSEC) << NICE_0_LOAD_SHIFT
+ *
+ * which is around 44 bits in size (on 64bit); that is 20 for
+ * NICE_0_LOAD_SHIFT, another 20 for NSEC_PER_MSEC and then a handful for
+ * however many msec the actual slice+tick ends up begin.
+ *
+ * (disregarding the actual divide-by-weight part makes for the worst case
+ * weight of 2, which nicely cancels vs the fuzz in zero_vruntime not actually
+ * being the zero-lag point).
+ */
static inline s64 entity_key(struct cfs_rq *cfs_rq, struct sched_entity *se)
{
return (s64)(se->vruntime - cfs_rq->zero_vruntime);
@@ -638,39 +653,61 @@ avg_vruntime_sub(struct cfs_rq *cfs_rq,
}
static inline
-void avg_vruntime_update(struct cfs_rq *cfs_rq, s64 delta)
+void update_zero_vruntime(struct cfs_rq *cfs_rq, s64 delta)
{
/*
- * v' = v + d ==> avg_vruntime' = avg_runtime - d*avg_load
+ * v' = v + d ==> avg_vruntime' = avg_vruntime - d*avg_load
*/
cfs_rq->avg_vruntime -= cfs_rq->avg_load * delta;
+ cfs_rq->zero_vruntime += delta;
}
/*
- * Specifically: avg_runtime() + 0 must result in entity_eligible() := true
+ * Specifically: avg_vruntime() + 0 must result in entity_eligible() := true
* For this to be so, the result of this function must have a left bias.
+ *
+ * Called in:
+ * - place_entity() -- before enqueue
+ * - update_entity_lag() -- before dequeue
+ * - entity_tick()
+ *
+ * This means it is one entry 'behind' but that puts it close enough to where
+ * the bound on entity_key() is at most two lag bounds.
*/
u64 avg_vruntime(struct cfs_rq *cfs_rq)
{
struct sched_entity *curr = cfs_rq->curr;
- s64 avg = cfs_rq->avg_vruntime;
- long load = cfs_rq->avg_load;
+ long weight = cfs_rq->avg_load;
+ s64 delta = 0;
- if (curr && curr->on_rq) {
- unsigned long weight = scale_load_down(curr->load.weight);
+ if (curr && !curr->on_rq)
+ curr = NULL;
- avg += entity_key(cfs_rq, curr) * weight;
- load += weight;
- }
+ if (weight) {
+ s64 runtime = cfs_rq->avg_vruntime;
+
+ if (curr) {
+ unsigned long w = scale_load_down(curr->load.weight);
+
+ runtime += entity_key(cfs_rq, curr) * w;
+ weight += w;
+ }
- if (load) {
/* sign flips effective floor / ceiling */
- if (avg < 0)
- avg -= (load - 1);
- avg = div_s64(avg, load);
+ if (runtime < 0)
+ runtime -= (weight - 1);
+
+ delta = div_s64(runtime, weight);
+ } else if (curr) {
+ /*
+ * When there is but one element, it is the average.
+ */
+ delta = curr->vruntime - cfs_rq->zero_vruntime;
}
- return cfs_rq->zero_vruntime + avg;
+ update_zero_vruntime(cfs_rq, delta);
+
+ return cfs_rq->zero_vruntime;
}
/*
@@ -744,16 +781,6 @@ int entity_eligible(struct cfs_rq *cfs_r
return vruntime_eligible(cfs_rq, se->vruntime);
}
-static void update_zero_vruntime(struct cfs_rq *cfs_rq)
-{
- u64 vruntime = avg_vruntime(cfs_rq);
- s64 delta = (s64)(vruntime - cfs_rq->zero_vruntime);
-
- avg_vruntime_update(cfs_rq, delta);
-
- cfs_rq->zero_vruntime = vruntime;
-}
-
static inline u64 cfs_rq_min_slice(struct cfs_rq *cfs_rq)
{
struct sched_entity *root = __pick_root_entity(cfs_rq);
@@ -824,7 +851,6 @@ RB_DECLARE_CALLBACKS(static, min_vruntim
static void __enqueue_entity(struct cfs_rq *cfs_rq, struct sched_entity *se)
{
avg_vruntime_add(cfs_rq, se);
- update_zero_vruntime(cfs_rq);
se->min_vruntime = se->vruntime;
se->min_slice = se->slice;
rb_add_augmented_cached(&se->run_node, &cfs_rq->tasks_timeline,
@@ -836,7 +862,6 @@ static void __dequeue_entity(struct cfs_
rb_erase_augmented_cached(&se->run_node, &cfs_rq->tasks_timeline,
&min_vruntime_cb);
avg_vruntime_sub(cfs_rq, se);
- update_zero_vruntime(cfs_rq);
}
struct sched_entity *__pick_root_entity(struct cfs_rq *cfs_rq)
@@ -5700,6 +5725,11 @@ entity_tick(struct cfs_rq *cfs_rq, struc
update_load_avg(cfs_rq, curr, UPDATE_TG);
update_cfs_group(curr);
+ /*
+ * Pulls along cfs_rq::zero_vruntime.
+ */
+ avg_vruntime(cfs_rq);
+
#ifdef CONFIG_SCHED_HRTICK
/*
* queued ticks are scheduled to match the slice, so don't bother
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 374/567] mptcp: pm: avoid sending RM_ADDR over same subflow
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 373/567] drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 375/567] mptcp: pm: in-kernel: always mark signal+subflow endp as used Greg Kroah-Hartman
` (3 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Lorenz, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit fb8d0bccb221080630efcd9660c9f9349e53cc9e ]
RM_ADDR are sent over an active subflow, the first one in the subflows
list. There is then a high chance the initial subflow is picked. With
the in-kernel PM, when an endpoint is removed, a RM_ADDR is sent, then
linked subflows are closed. This is done for each active MPTCP
connection.
MPTCP endpoints are likely removed because the attached network is no
longer available or usable. In this case, it is better to avoid sending
this RM_ADDR over the subflow that is going to be removed, but prefer
sending it over another active and non stale subflow, if any.
This modification avoids situations where the other end is not notified
when a subflow is no longer usable: typically when the endpoint linked
to the initial subflow is removed, especially on the server side.
Fixes: 8dd5efb1f91b ("mptcp: send ack for rm_addr")
Cc: stable@vger.kernel.org
Reported-by: Frank Lorenz <lorenz-frank@web.de>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/612
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-2-4b5462b6f016@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ adapted to _nl-prefixed function names in pm_netlink.c and omitted stale subflow fallback ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm.c | 2 +-
net/mptcp/pm_netlink.c | 43 ++++++++++++++++++++++++++++++++++++++-----
net/mptcp/protocol.h | 2 ++
3 files changed, 41 insertions(+), 6 deletions(-)
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -57,7 +57,7 @@ int mptcp_pm_remove_addr(struct mptcp_so
msk->pm.rm_list_tx = *rm_list;
rm_addr |= BIT(MPTCP_RM_ADDR_SIGNAL);
WRITE_ONCE(msk->pm.addr_signal, rm_addr);
- mptcp_pm_nl_addr_send_ack(msk);
+ mptcp_pm_nl_addr_send_ack_avoid_list(msk, rm_list);
return 0;
}
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -849,9 +849,23 @@ bool mptcp_pm_nl_is_init_remote_addr(str
return mptcp_addresses_equal(&mpc_remote, remote, remote->port);
}
-void mptcp_pm_nl_addr_send_ack(struct mptcp_sock *msk)
+static bool subflow_in_rm_list(const struct mptcp_subflow_context *subflow,
+ const struct mptcp_rm_list *rm_list)
+{
+ u8 i, id = subflow_get_local_id(subflow);
+
+ for (i = 0; i < rm_list->nr; i++) {
+ if (rm_list->ids[i] == id)
+ return true;
+ }
+
+ return false;
+}
+
+void mptcp_pm_nl_addr_send_ack_avoid_list(struct mptcp_sock *msk,
+ const struct mptcp_rm_list *rm_list)
{
- struct mptcp_subflow_context *subflow;
+ struct mptcp_subflow_context *subflow, *same_id = NULL;
msk_owned_by_me(msk);
lockdep_assert_held(&msk->pm.lock);
@@ -861,11 +875,30 @@ void mptcp_pm_nl_addr_send_ack(struct mp
return;
mptcp_for_each_subflow(msk, subflow) {
- if (__mptcp_subflow_active(subflow)) {
- mptcp_pm_send_ack(msk, subflow, false, false);
- break;
+ if (!__mptcp_subflow_active(subflow))
+ continue;
+
+ if (unlikely(rm_list &&
+ subflow_in_rm_list(subflow, rm_list))) {
+ if (!same_id)
+ same_id = subflow;
+ } else {
+ goto send_ack;
}
}
+
+ if (same_id)
+ subflow = same_id;
+ else
+ return;
+
+send_ack:
+ mptcp_pm_send_ack(msk, subflow, false, false);
+}
+
+void mptcp_pm_nl_addr_send_ack(struct mptcp_sock *msk)
+{
+ mptcp_pm_nl_addr_send_ack_avoid_list(msk, NULL);
}
int mptcp_pm_nl_mp_prio_send_ack(struct mptcp_sock *msk,
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -932,6 +932,8 @@ void mptcp_pm_add_addr_send_ack(struct m
bool mptcp_pm_nl_is_init_remote_addr(struct mptcp_sock *msk,
const struct mptcp_addr_info *remote);
void mptcp_pm_nl_addr_send_ack(struct mptcp_sock *msk);
+void mptcp_pm_nl_addr_send_ack_avoid_list(struct mptcp_sock *msk,
+ const struct mptcp_rm_list *rm_list);
void mptcp_pm_rm_addr_received(struct mptcp_sock *msk,
const struct mptcp_rm_list *rm_list);
void mptcp_pm_mp_prio_received(struct sock *sk, u8 bkup);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 312/481] mm/hugetlb: fix two comments related to huge_pmd_unshare()
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 311/481] mm/hugetlb: fix hugetlb_pmd_shared() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 313/481] mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather Greg Kroah-Hartman
` (3 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand (Red Hat),
Rik van Riel, Laurence Oberman, Lorenzo Stoakes, Oscar Salvador,
Harry Yoo, Liu Shixin, Lance Yang, Uschakow, Stanislav,
Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand (Red Hat) <david@kernel.org>
commit 3937027caecb4f8251e82dd857ba1d749bb5a428 upstream.
Ever since we stopped using the page count to detect shared PMD page
tables, these comments are outdated.
The only reason we have to flush the TLB early is because once we drop the
i_mmap_rwsem, the previously shared page table could get freed (to then
get reallocated and used for other purpose). So we really have to flush
the TLB before that could happen.
So let's simplify the comments a bit.
The "If we unshared PMDs, the TLB flush was not recorded in mmu_gather."
part introduced as in commit a4a118f2eead ("hugetlbfs: flush TLBs
correctly after huge_pmd_unshare") was confusing: sure it is recorded in
the mmu_gather, otherwise tlb_flush_mmu_tlbonly() wouldn't do anything.
So let's drop that comment while at it as well.
We'll centralize these comments in a single helper as we rework the code
next.
Link: https://lkml.kernel.org/r/20251223214037.580860-3-david@kernel.org
Fixes: 59d9094df3d7 ("mm: hugetlb: independent PMD page table shared count")
Signed-off-by: David Hildenbrand (Red Hat) <david@kernel.org>
Reviewed-by: Rik van Riel <riel@surriel.com>
Tested-by: Laurence Oberman <loberman@redhat.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Oscar Salvador <osalvador@suse.de>
Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
Cc: Liu Shixin <liushixin2@huawei.com>
Cc: Lance Yang <lance.yang@linux.dev>
Cc: "Uschakow, Stanislav" <suschako@amazon.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David Hildenbrand (Arm) <david@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/hugetlb.c | 24 ++++++++----------------
1 file changed, 8 insertions(+), 16 deletions(-)
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -5432,17 +5432,10 @@ static void __unmap_hugepage_range(struc
tlb_end_vma(tlb, vma);
/*
- * If we unshared PMDs, the TLB flush was not recorded in mmu_gather. We
- * could defer the flush until now, since by holding i_mmap_rwsem we
- * guaranteed that the last refernece would not be dropped. But we must
- * do the flushing before we return, as otherwise i_mmap_rwsem will be
- * dropped and the last reference to the shared PMDs page might be
- * dropped as well.
- *
- * In theory we could defer the freeing of the PMD pages as well, but
- * huge_pmd_unshare() relies on the exact page_count for the PMD page to
- * detect sharing, so we cannot defer the release of the page either.
- * Instead, do flush now.
+ * There is nothing protecting a previously-shared page table that we
+ * unshared through huge_pmd_unshare() from getting freed after we
+ * release i_mmap_rwsem, so flush the TLB now. If huge_pmd_unshare()
+ * succeeded, flush the range corresponding to the pud.
*/
if (force_flush)
tlb_flush_mmu_tlbonly(tlb);
@@ -6781,11 +6774,10 @@ long hugetlb_change_protection(struct vm
cond_resched();
}
/*
- * Must flush TLB before releasing i_mmap_rwsem: x86's huge_pmd_unshare
- * may have cleared our pud entry and done put_page on the page table:
- * once we release i_mmap_rwsem, another task can do the final put_page
- * and that page table be reused and filled with junk. If we actually
- * did unshare a page of pmds, flush the range corresponding to the pud.
+ * There is nothing protecting a previously-shared page table that we
+ * unshared through huge_pmd_unshare() from getting freed after we
+ * release i_mmap_rwsem, so flush the TLB now. If huge_pmd_unshare()
+ * succeeded, flush the range corresponding to the pud.
*/
if (shared_pmd)
flush_hugetlb_tlb_range(vma, range.start, range.end);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 299/460] s390/stackleak: Fix __stackleak_poison() inline assembly constraint
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 298/460] sched/fair: Fix zero_vruntime tracking Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 300/460] s390/xor: Fix xor_xc_2() inline assembly constraints Greg Kroah-Hartman
` (3 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Vasily Gorbik
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
commit 674c5ff0f440a051ebf299d29a4c013133d81a65 upstream.
The __stackleak_poison() inline assembly comes with a "count" operand where
the "d" constraint is used. "count" is used with the exrl instruction and
"d" means that the compiler may allocate any register from 0 to 15.
If the compiler would allocate register 0 then the exrl instruction would
not or the value of "count" into the executed instruction - resulting in a
stackframe which is only partially poisoned.
Use the correct "a" constraint, which excludes register 0 from register
allocation.
Fixes: 2a405f6bb3a5 ("s390/stackleak: provide fast __stackleak_poison() implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Link: https://lore.kernel.org/r/20260302133500.1560531-4-hca@linux.ibm.com
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/include/asm/processor.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/s390/include/asm/processor.h
+++ b/arch/s390/include/asm/processor.h
@@ -168,7 +168,7 @@ static __always_inline void __stackleak_
" j 4f\n"
"3: mvc 8(1,%[addr]),0(%[addr])\n"
"4:\n"
- : [addr] "+&a" (erase_low), [count] "+&d" (count), [tmp] "=&a" (tmp)
+ : [addr] "+&a" (erase_low), [count] "+&a" (count), [tmp] "=&a" (tmp)
: [poison] "d" (poison)
: "memory", "cc"
);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 375/567] mptcp: pm: in-kernel: always mark signal+subflow endp as used
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 374/567] mptcp: pm: avoid sending RM_ADDR over same subflow Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 376/567] selftests: mptcp: add a check for add_addr_accepted Greg Kroah-Hartman
` (2 subsequent siblings)
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit 579a752464a64cb5f9139102f0e6b90a1f595ceb ]
Syzkaller managed to find a combination of actions that was generating
this warning:
msk->pm.local_addr_used == 0
WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961
WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961
WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961
Modules linked in:
CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full)
Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014
RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline]
RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline]
RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210
Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 <0f> 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a
RSP: 0018:ffffc90001663880 EFLAGS: 00010293
RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff
R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640
R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650
FS: 00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0
Call Trace:
<TASK>
genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0xc9/0xf0 net/socket.c:742
____sys_sendmsg+0x272/0x3b0 net/socket.c:2592
___sys_sendmsg+0x2de/0x320 net/socket.c:2646
__sys_sendmsg net/socket.c:2678 [inline]
__do_sys_sendmsg net/socket.c:2683 [inline]
__se_sys_sendmsg net/socket.c:2681 [inline]
__x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f66346f826d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d
RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8
R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770
</TASK>
The actions that caused that seem to be:
- Set the MPTCP subflows limit to 0
- Create an MPTCP endpoint with both the 'signal' and 'subflow' flags
- Create a new MPTCP connection from a different address: an ADD_ADDR
linked to the MPTCP endpoint will be sent ('signal' flag), but no
subflows is initiated ('subflow' flag)
- Remove the MPTCP endpoint
In this case, msk->pm.local_addr_used has been kept to 0 -- because no
subflows have been created -- but the corresponding bit in
msk->pm.id_avail_bitmap has been cleared when the ADD_ADDR has been
sent. This later causes a splat when removing the MPTCP endpoint because
msk->pm.local_addr_used has been kept to 0.
Now, if an endpoint has both the signal and subflow flags, but it is not
possible to create subflows because of the limits or the c-flag case,
then the local endpoint counter is still incremented: the endpoint is
used at the end. This avoids issues later when removing the endpoint and
calling __mark_subflow_endp_available(), which expects
msk->pm.local_addr_used to have been previously incremented if the
endpoint was marked as used according to msk->pm.id_avail_bitmap.
Note that signal_and_subflow variable is reset to false when the limits
and the c-flag case allows subflows creation. Also, local_addr_used is
only incremented for non ID0 subflows.
Fixes: 85df533a787b ("mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set")
Cc: stable@vger.kernel.org
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/613
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-4-4b5462b6f016@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ pm_kernel.c => pm_netlink.c ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -662,6 +662,15 @@ subflow:
}
exit:
+ /* If an endpoint has both the signal and subflow flags, but it is not
+ * possible to create subflows -- the 'while' loop body above never
+ * executed -- then still mark the endp as used, which is somehow the
+ * case. This avoids issues later when removing the endpoint and calling
+ * __mark_subflow_endp_available(), which expects the increment here.
+ */
+ if (signal_and_subflow && local.addr.id != msk->mpc_endpoint_id)
+ msk->pm.local_addr_used++;
+
mptcp_pm_nl_check_work_pending(msk);
}
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 313/481] mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 312/481] mm/hugetlb: fix two comments related to huge_pmd_unshare() Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 314/481] ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths Greg Kroah-Hartman
` (2 subsequent siblings)
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand (Red Hat),
Uschakow, Stanislav, Laurence Oberman, Harry Yoo, Lorenzo Stoakes,
Lance Yang, Liu Shixin, Oscar Salvador, Rik van Riel,
Andrew Morton
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand (Red Hat) <david@kernel.org>
commit 8ce720d5bd91e9dc16db3604aa4b1bf76770a9a1 upstream.
As reported, ever since commit 1013af4f585f ("mm/hugetlb: fix
huge_pmd_unshare() vs GUP-fast race") we can end up in some situations
where we perform so many IPI broadcasts when unsharing hugetlb PMD page
tables that it severely regresses some workloads.
In particular, when we fork()+exit(), or when we munmap() a large
area backed by many shared PMD tables, we perform one IPI broadcast per
unshared PMD table.
There are two optimizations to be had:
(1) When we process (unshare) multiple such PMD tables, such as during
exit(), it is sufficient to send a single IPI broadcast (as long as
we respect locking rules) instead of one per PMD table.
Locking prevents that any of these PMD tables could get reused before
we drop the lock.
(2) When we are not the last sharer (> 2 users including us), there is
no need to send the IPI broadcast. The shared PMD tables cannot
become exclusive (fully unshared) before an IPI will be broadcasted
by the last sharer.
Concurrent GUP-fast could walk into a PMD table just before we
unshared it. It could then succeed in grabbing a page from the
shared page table even after munmap() etc succeeded (and supressed
an IPI). But there is not difference compared to GUP-fast just
sleeping for a while after grabbing the page and re-enabling IRQs.
Most importantly, GUP-fast will never walk into page tables that are
no-longer shared, because the last sharer will issue an IPI
broadcast.
(if ever required, checking whether the PUD changed in GUP-fast
after grabbing the page like we do in the PTE case could handle
this)
So let's rework PMD sharing TLB flushing + IPI sync to use the mmu_gather
infrastructure so we can implement these optimizations and demystify the
code at least a bit. Extend the mmu_gather infrastructure to be able to
deal with our special hugetlb PMD table sharing implementation.
To make initialization of the mmu_gather easier when working on a single
VMA (in particular, when dealing with hugetlb), provide
tlb_gather_mmu_vma().
We'll consolidate the handling for (full) unsharing of PMD tables in
tlb_unshare_pmd_ptdesc() and tlb_flush_unshared_tables(), and track
in "struct mmu_gather" whether we had (full) unsharing of PMD tables.
Because locking is very special (concurrent unsharing+reuse must be
prevented), we disallow deferring flushing to tlb_finish_mmu() and instead
require an explicit earlier call to tlb_flush_unshared_tables().
>From hugetlb code, we call huge_pmd_unshare_flush() where we make sure
that the expected lock protecting us from concurrent unsharing+reuse is
still held.
Check with a VM_WARN_ON_ONCE() in tlb_finish_mmu() that
tlb_flush_unshared_tables() was properly called earlier.
Document it all properly.
Notes about tlb_remove_table_sync_one() interaction with unsharing:
There are two fairly tricky things:
(1) tlb_remove_table_sync_one() is a NOP on architectures without
CONFIG_MMU_GATHER_RCU_TABLE_FREE.
Here, the assumption is that the previous TLB flush would send an
IPI to all relevant CPUs. Careful: some architectures like x86 only
send IPIs to all relevant CPUs when tlb->freed_tables is set.
The relevant architectures should be selecting
MMU_GATHER_RCU_TABLE_FREE, but x86 might not do that in stable
kernels and it might have been problematic before this patch.
Also, the arch flushing behavior (independent of IPIs) is different
when tlb->freed_tables is set. Do we have to enlighten them to also
take care of tlb->unshared_tables? So far we didn't care, so
hopefully we are fine. Of course, we could be setting
tlb->freed_tables as well, but that might then unnecessarily flush
too much, because the semantics of tlb->freed_tables are a bit
fuzzy.
This patch changes nothing in this regard.
(2) tlb_remove_table_sync_one() is not a NOP on architectures with
CONFIG_MMU_GATHER_RCU_TABLE_FREE that actually don't need a sync.
Take x86 as an example: in the common case (!pv, !X86_FEATURE_INVLPGB)
we still issue IPIs during TLB flushes and don't actually need the
second tlb_remove_table_sync_one().
This optimized can be implemented on top of this, by checking e.g., in
tlb_remove_table_sync_one() whether we really need IPIs. But as
described in (1), it really must honor tlb->freed_tables then to
send IPIs to all relevant CPUs.
Notes on TLB flushing changes:
(1) Flushing for non-shared PMD tables
We're converting from flush_hugetlb_tlb_range() to
tlb_remove_huge_tlb_entry(). Given that we properly initialize the
MMU gather in tlb_gather_mmu_vma() to be hugetlb aware, similar to
__unmap_hugepage_range(), that should be fine.
(2) Flushing for shared PMD tables
We're converting from various things (flush_hugetlb_tlb_range(),
tlb_flush_pmd_range(), flush_tlb_range()) to tlb_flush_pmd_range().
tlb_flush_pmd_range() achieves the same that
tlb_remove_huge_tlb_entry() would achieve in these scenarios.
Note that tlb_remove_huge_tlb_entry() also calls
__tlb_remove_tlb_entry(), however that is only implemented on
powerpc, which does not support PMD table sharing.
Similar to (1), tlb_gather_mmu_vma() should make sure that TLB
flushing keeps on working as expected.
Further, note that the ptdesc_pmd_pts_dec() in huge_pmd_share() is not a
concern, as we are holding the i_mmap_lock the whole time, preventing
concurrent unsharing. That ptdesc_pmd_pts_dec() usage will be removed
separately as a cleanup later.
There are plenty more cleanups to be had, but they have to wait until
this is fixed.
[david@kernel.org: fix kerneldoc]
Link: https://lkml.kernel.org/r/f223dd74-331c-412d-93fc-69e360a5006c@kernel.org
Link: https://lkml.kernel.org/r/20251223214037.580860-5-david@kernel.org
Fixes: 1013af4f585f ("mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race")
Signed-off-by: David Hildenbrand (Red Hat) <david@kernel.org>
Reported-by: "Uschakow, Stanislav" <suschako@amazon.de>
Closes: https://lore.kernel.org/all/4d3878531c76479d9f8ca9789dc6485d@amazon.de/
Tested-by: Laurence Oberman <loberman@redhat.com>
Acked-by: Harry Yoo <harry.yoo@oracle.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Lance Yang <lance.yang@linux.dev>
Cc: Liu Shixin <liushixin2@huawei.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Rik van Riel <riel@surriel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ David: We don't have ptdesc and the wrappers, so work directly on
page->pt_share_count and pass "struct page" instead of "struct ptdesc".
CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING is still called
CONFIG_ARCH_WANT_HUGE_PMD_SHARE and is set even without
CONFIG_HUGETLB_PAGE. move_hugetlb_page_tables() still uses
flush_tlb_range() instead of flush_hugetlb_tlb_range(). Some smaller
contextual stuff. ]
Signed-off-by: David Hildenbrand (Arm) <david@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/asm-generic/tlb.h | 77 ++++++++++++++++++++++++++++-
include/linux/hugetlb.h | 15 +++--
include/linux/mm_types.h | 1
mm/hugetlb.c | 122 ++++++++++++++++++++++++++--------------------
mm/mmu_gather.c | 33 ++++++++++++
mm/rmap.c | 25 ++++++---
6 files changed, 207 insertions(+), 66 deletions(-)
--- a/include/asm-generic/tlb.h
+++ b/include/asm-generic/tlb.h
@@ -46,7 +46,8 @@
*
* The mmu_gather API consists of:
*
- * - tlb_gather_mmu() / tlb_gather_mmu_fullmm() / tlb_finish_mmu()
+ * - tlb_gather_mmu() / tlb_gather_mmu_fullmm() / tlb_gather_mmu_vma() /
+ * tlb_finish_mmu()
*
* start and finish a mmu_gather
*
@@ -309,6 +310,20 @@ struct mmu_gather {
unsigned int vma_huge : 1;
unsigned int vma_pfn : 1;
+ /*
+ * Did we unshare (unmap) any shared page tables? For now only
+ * used for hugetlb PMD table sharing.
+ */
+ unsigned int unshared_tables : 1;
+
+ /*
+ * Did we unshare any page tables such that they are now exclusive
+ * and could get reused+modified by the new owner? When setting this
+ * flag, "unshared_tables" will be set as well. For now only used
+ * for hugetlb PMD table sharing.
+ */
+ unsigned int fully_unshared_tables : 1;
+
unsigned int batch_count;
#ifndef CONFIG_MMU_GATHER_NO_GATHER
@@ -345,6 +360,7 @@ static inline void __tlb_reset_range(str
tlb->cleared_pmds = 0;
tlb->cleared_puds = 0;
tlb->cleared_p4ds = 0;
+ tlb->unshared_tables = 0;
/*
* Do not reset mmu_gather::vma_* fields here, we do not
* call into tlb_start_vma() again to set them if there is an
@@ -424,7 +440,7 @@ static inline void tlb_flush_mmu_tlbonly
* these bits.
*/
if (!(tlb->freed_tables || tlb->cleared_ptes || tlb->cleared_pmds ||
- tlb->cleared_puds || tlb->cleared_p4ds))
+ tlb->cleared_puds || tlb->cleared_p4ds || tlb->unshared_tables))
return;
tlb_flush(tlb);
@@ -680,6 +696,63 @@ static inline bool huge_pmd_needs_flush(
}
#endif
+#if defined(CONFIG_ARCH_WANT_HUGE_PMD_SHARE) && defined(CONFIG_HUGETLB_PAGE)
+static inline void tlb_unshare_pmd_ptdesc(struct mmu_gather *tlb, struct page *pt,
+ unsigned long addr)
+{
+ /*
+ * The caller must make sure that concurrent unsharing + exclusive
+ * reuse is impossible until tlb_flush_unshared_tables() was called.
+ */
+ VM_WARN_ON_ONCE(!atomic_read(&pt->pt_share_count));
+ atomic_dec(&pt->pt_share_count);
+
+ /* Clearing a PUD pointing at a PMD table with PMD leaves. */
+ tlb_flush_pmd_range(tlb, addr & PUD_MASK, PUD_SIZE);
+
+ /*
+ * If the page table is now exclusively owned, we fully unshared
+ * a page table.
+ */
+ if (!atomic_read(&pt->pt_share_count))
+ tlb->fully_unshared_tables = true;
+ tlb->unshared_tables = true;
+}
+
+static inline void tlb_flush_unshared_tables(struct mmu_gather *tlb)
+{
+ /*
+ * As soon as the caller drops locks to allow for reuse of
+ * previously-shared tables, these tables could get modified and
+ * even reused outside of hugetlb context, so we have to make sure that
+ * any page table walkers (incl. TLB, GUP-fast) are aware of that
+ * change.
+ *
+ * Even if we are not fully unsharing a PMD table, we must
+ * flush the TLB for the unsharer now.
+ */
+ if (tlb->unshared_tables)
+ tlb_flush_mmu_tlbonly(tlb);
+
+ /*
+ * Similarly, we must make sure that concurrent GUP-fast will not
+ * walk previously-shared page tables that are getting modified+reused
+ * elsewhere. So broadcast an IPI to wait for any concurrent GUP-fast.
+ *
+ * We only perform this when we are the last sharer of a page table,
+ * as the IPI will reach all CPUs: any GUP-fast.
+ *
+ * Note that on configs where tlb_remove_table_sync_one() is a NOP,
+ * the expectation is that the tlb_flush_mmu_tlbonly() would have issued
+ * required IPIs already for us.
+ */
+ if (tlb->fully_unshared_tables) {
+ tlb_remove_table_sync_one();
+ tlb->fully_unshared_tables = false;
+ }
+}
+#endif
+
#endif /* CONFIG_MMU */
#endif /* _ASM_GENERIC__TLB_H */
--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -207,8 +207,9 @@ pte_t *huge_pte_alloc(struct mm_struct *
pte_t *huge_pte_offset(struct mm_struct *mm,
unsigned long addr, unsigned long sz);
unsigned long hugetlb_mask_last_page(struct hstate *h);
-int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long addr, pte_t *ptep);
+int huge_pmd_unshare(struct mmu_gather *tlb, struct vm_area_struct *vma,
+ unsigned long addr, pte_t *ptep);
+void huge_pmd_unshare_flush(struct mmu_gather *tlb, struct vm_area_struct *vma);
void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma,
unsigned long *start, unsigned long *end);
struct page *follow_huge_addr(struct mm_struct *mm, unsigned long address,
@@ -262,13 +263,17 @@ static inline struct address_space *huge
return NULL;
}
-static inline int huge_pmd_unshare(struct mm_struct *mm,
- struct vm_area_struct *vma,
- unsigned long addr, pte_t *ptep)
+static inline int huge_pmd_unshare(struct mmu_gather *tlb,
+ struct vm_area_struct *vma, unsigned long addr, pte_t *ptep)
{
return 0;
}
+static inline void huge_pmd_unshare_flush(struct mmu_gather *tlb,
+ struct vm_area_struct *vma)
+{
+}
+
static inline void adjust_range_if_pmd_sharing_possible(
struct vm_area_struct *vma,
unsigned long *start, unsigned long *end)
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -845,6 +845,7 @@ static inline void vma_iter_init(struct
struct mmu_gather;
extern void tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm);
extern void tlb_gather_mmu_fullmm(struct mmu_gather *tlb, struct mm_struct *mm);
+void tlb_gather_mmu_vma(struct mmu_gather *tlb, struct vm_area_struct *vma);
extern void tlb_finish_mmu(struct mmu_gather *tlb);
struct vm_fault;
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -5255,7 +5255,7 @@ int move_hugetlb_page_tables(struct vm_a
unsigned long last_addr_mask;
pte_t *src_pte, *dst_pte;
struct mmu_notifier_range range;
- bool shared_pmd = false;
+ struct mmu_gather tlb;
mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, mm, old_addr,
old_end);
@@ -5265,6 +5265,7 @@ int move_hugetlb_page_tables(struct vm_a
* range.
*/
flush_cache_range(vma, range.start, range.end);
+ tlb_gather_mmu_vma(&tlb, vma);
mmu_notifier_invalidate_range_start(&range);
last_addr_mask = hugetlb_mask_last_page(h);
@@ -5281,8 +5282,7 @@ int move_hugetlb_page_tables(struct vm_a
if (huge_pte_none(huge_ptep_get(src_pte)))
continue;
- if (huge_pmd_unshare(mm, vma, old_addr, src_pte)) {
- shared_pmd = true;
+ if (huge_pmd_unshare(&tlb, vma, old_addr, src_pte)) {
old_addr |= last_addr_mask;
new_addr |= last_addr_mask;
continue;
@@ -5293,15 +5293,16 @@ int move_hugetlb_page_tables(struct vm_a
break;
move_huge_pte(vma, old_addr, new_addr, src_pte, dst_pte);
+ tlb_remove_huge_tlb_entry(h, &tlb, src_pte, old_addr);
}
- if (shared_pmd)
- flush_tlb_range(vma, range.start, range.end);
- else
- flush_tlb_range(vma, old_end - len, old_end);
+ tlb_flush_mmu_tlbonly(&tlb);
+ huge_pmd_unshare_flush(&tlb, vma);
+
mmu_notifier_invalidate_range_end(&range);
i_mmap_unlock_write(mapping);
hugetlb_vma_unlock_write(vma);
+ tlb_finish_mmu(&tlb);
return len + old_addr - old_end;
}
@@ -5320,7 +5321,6 @@ static void __unmap_hugepage_range(struc
unsigned long sz = huge_page_size(h);
struct mmu_notifier_range range;
unsigned long last_addr_mask;
- bool force_flush = false;
WARN_ON(!is_vm_hugetlb_page(vma));
BUG_ON(start & ~huge_page_mask(h));
@@ -5350,10 +5350,8 @@ static void __unmap_hugepage_range(struc
}
ptl = huge_pte_lock(h, mm, ptep);
- if (huge_pmd_unshare(mm, vma, address, ptep)) {
+ if (huge_pmd_unshare(tlb, vma, address, ptep)) {
spin_unlock(ptl);
- tlb_flush_pmd_range(tlb, address & PUD_MASK, PUD_SIZE);
- force_flush = true;
address |= last_addr_mask;
continue;
}
@@ -5431,14 +5429,7 @@ static void __unmap_hugepage_range(struc
mmu_notifier_invalidate_range_end(&range);
tlb_end_vma(tlb, vma);
- /*
- * There is nothing protecting a previously-shared page table that we
- * unshared through huge_pmd_unshare() from getting freed after we
- * release i_mmap_rwsem, so flush the TLB now. If huge_pmd_unshare()
- * succeeded, flush the range corresponding to the pud.
- */
- if (force_flush)
- tlb_flush_mmu_tlbonly(tlb);
+ huge_pmd_unshare_flush(tlb, vma);
}
void __unmap_hugepage_range_final(struct mmu_gather *tlb,
@@ -6666,11 +6657,11 @@ long hugetlb_change_protection(struct vm
pte_t pte;
struct hstate *h = hstate_vma(vma);
long pages = 0, psize = huge_page_size(h);
- bool shared_pmd = false;
struct mmu_notifier_range range;
unsigned long last_addr_mask;
bool uffd_wp = cp_flags & MM_CP_UFFD_WP;
bool uffd_wp_resolve = cp_flags & MM_CP_UFFD_WP_RESOLVE;
+ struct mmu_gather tlb;
/*
* In the case of shared PMDs, the area to flush could be beyond
@@ -6683,6 +6674,7 @@ long hugetlb_change_protection(struct vm
BUG_ON(address >= end);
flush_cache_range(vma, range.start, range.end);
+ tlb_gather_mmu_vma(&tlb, vma);
mmu_notifier_invalidate_range_start(&range);
hugetlb_vma_lock_write(vma);
@@ -6705,7 +6697,7 @@ long hugetlb_change_protection(struct vm
break;
}
ptl = huge_pte_lock(h, mm, ptep);
- if (huge_pmd_unshare(mm, vma, address, ptep)) {
+ if (huge_pmd_unshare(&tlb, vma, address, ptep)) {
/*
* When uffd-wp is enabled on the vma, unshare
* shouldn't happen at all. Warn about it if it
@@ -6714,7 +6706,6 @@ long hugetlb_change_protection(struct vm
WARN_ON_ONCE(uffd_wp || uffd_wp_resolve);
pages++;
spin_unlock(ptl);
- shared_pmd = true;
address |= last_addr_mask;
continue;
}
@@ -6762,6 +6753,7 @@ long hugetlb_change_protection(struct vm
pte = huge_pte_clear_uffd_wp(pte);
huge_ptep_modify_prot_commit(vma, address, ptep, old_pte, pte);
pages++;
+ tlb_remove_huge_tlb_entry(h, &tlb, ptep, address);
} else {
/* None pte */
if (unlikely(uffd_wp))
@@ -6773,16 +6765,9 @@ long hugetlb_change_protection(struct vm
cond_resched();
}
- /*
- * There is nothing protecting a previously-shared page table that we
- * unshared through huge_pmd_unshare() from getting freed after we
- * release i_mmap_rwsem, so flush the TLB now. If huge_pmd_unshare()
- * succeeded, flush the range corresponding to the pud.
- */
- if (shared_pmd)
- flush_hugetlb_tlb_range(vma, range.start, range.end);
- else
- flush_hugetlb_tlb_range(vma, start, end);
+
+ tlb_flush_mmu_tlbonly(&tlb);
+ huge_pmd_unshare_flush(&tlb, vma);
/*
* No need to call mmu_notifier_invalidate_range() we are downgrading
* page table protection not changing it to point to a new page.
@@ -6792,6 +6777,7 @@ long hugetlb_change_protection(struct vm
i_mmap_unlock_write(vma->vm_file->f_mapping);
hugetlb_vma_unlock_write(vma);
mmu_notifier_invalidate_range_end(&range);
+ tlb_finish_mmu(&tlb);
return pages << h->order;
}
@@ -7130,18 +7116,27 @@ out:
return pte;
}
-/*
- * unmap huge page backed by shared pte.
+/**
+ * huge_pmd_unshare - Unmap a pmd table if it is shared by multiple users
+ * @tlb: the current mmu_gather.
+ * @vma: the vma covering the pmd table.
+ * @addr: the address we are trying to unshare.
+ * @ptep: pointer into the (pmd) page table.
+ *
+ * Called with the page table lock held, the i_mmap_rwsem held in write mode
+ * and the hugetlb vma lock held in write mode.
*
- * Called with page table lock held.
+ * Note: The caller must call huge_pmd_unshare_flush() before dropping the
+ * i_mmap_rwsem.
*
- * returns: 1 successfully unmapped a shared pte page
- * 0 the underlying pte page is not shared, or it is the last user
+ * Returns: 1 if it was a shared PMD table and it got unmapped, or 0 if it
+ * was not a shared PMD table.
*/
-int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long addr, pte_t *ptep)
+int huge_pmd_unshare(struct mmu_gather *tlb, struct vm_area_struct *vma,
+ unsigned long addr, pte_t *ptep)
{
unsigned long sz = huge_page_size(hstate_vma(vma));
+ struct mm_struct *mm = vma->vm_mm;
pgd_t *pgd = pgd_offset(mm, addr);
p4d_t *p4d = p4d_offset(pgd, addr);
pud_t *pud = pud_offset(p4d, addr);
@@ -7154,18 +7149,35 @@ int huge_pmd_unshare(struct mm_struct *m
return 0;
pud_clear(pud);
- /*
- * Once our caller drops the rmap lock, some other process might be
- * using this page table as a normal, non-hugetlb page table.
- * Wait for pending gup_fast() in other threads to finish before letting
- * that happen.
- */
- tlb_remove_table_sync_one();
- atomic_dec(&virt_to_page(ptep)->pt_share_count);
+ tlb_unshare_pmd_ptdesc(tlb, virt_to_page(ptep), addr);
+
mm_dec_nr_pmds(mm);
return 1;
}
+/*
+ * huge_pmd_unshare_flush - Complete a sequence of huge_pmd_unshare() calls
+ * @tlb: the current mmu_gather.
+ * @vma: the vma covering the pmd table.
+ *
+ * Perform necessary TLB flushes or IPI broadcasts to synchronize PMD table
+ * unsharing with concurrent page table walkers.
+ *
+ * This function must be called after a sequence of huge_pmd_unshare()
+ * calls while still holding the i_mmap_rwsem.
+ */
+void huge_pmd_unshare_flush(struct mmu_gather *tlb, struct vm_area_struct *vma)
+{
+ /*
+ * We must synchronize page table unsharing such that nobody will
+ * try reusing a previously-shared page table while it might still
+ * be in use by previous sharers (TLB, GUP_fast).
+ */
+ i_mmap_assert_write_locked(vma->vm_file->f_mapping);
+
+ tlb_flush_unshared_tables(tlb);
+}
+
#else /* !CONFIG_ARCH_WANT_HUGE_PMD_SHARE */
pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
@@ -7174,12 +7186,16 @@ pte_t *huge_pmd_share(struct mm_struct *
return NULL;
}
-int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long addr, pte_t *ptep)
+int huge_pmd_unshare(struct mmu_gather *tlb, struct vm_area_struct *vma,
+ unsigned long addr, pte_t *ptep)
{
return 0;
}
+void huge_pmd_unshare_flush(struct mmu_gather *tlb, struct vm_area_struct *vma)
+{
+}
+
void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma,
unsigned long *start, unsigned long *end)
{
@@ -7521,6 +7537,7 @@ static void hugetlb_unshare_pmds(struct
unsigned long sz = huge_page_size(h);
struct mm_struct *mm = vma->vm_mm;
struct mmu_notifier_range range;
+ struct mmu_gather tlb;
unsigned long address;
spinlock_t *ptl;
pte_t *ptep;
@@ -7532,6 +7549,8 @@ static void hugetlb_unshare_pmds(struct
return;
flush_cache_range(vma, start, end);
+ tlb_gather_mmu_vma(&tlb, vma);
+
/*
* No need to call adjust_range_if_pmd_sharing_possible(), because
* we have already done the PUD_SIZE alignment.
@@ -7550,10 +7569,10 @@ static void hugetlb_unshare_pmds(struct
if (!ptep)
continue;
ptl = huge_pte_lock(h, mm, ptep);
- huge_pmd_unshare(mm, vma, address, ptep);
+ huge_pmd_unshare(&tlb, vma, address, ptep);
spin_unlock(ptl);
}
- flush_hugetlb_tlb_range(vma, start, end);
+ huge_pmd_unshare_flush(&tlb, vma);
if (take_locks) {
i_mmap_unlock_write(vma->vm_file->f_mapping);
hugetlb_vma_unlock_write(vma);
@@ -7563,6 +7582,7 @@ static void hugetlb_unshare_pmds(struct
* Documentation/mm/mmu_notifier.rst.
*/
mmu_notifier_invalidate_range_end(&range);
+ tlb_finish_mmu(&tlb);
}
/*
--- a/mm/mmu_gather.c
+++ b/mm/mmu_gather.c
@@ -9,6 +9,7 @@
#include <linux/rcupdate.h>
#include <linux/smp.h>
#include <linux/swap.h>
+#include <linux/hugetlb.h>
#include <asm/pgalloc.h>
#include <asm/tlb.h>
@@ -290,6 +291,7 @@ static void __tlb_gather_mmu(struct mmu_
tlb->page_size = 0;
#endif
+ tlb->fully_unshared_tables = 0;
__tlb_reset_range(tlb);
inc_tlb_flush_pending(tlb->mm);
}
@@ -324,6 +326,31 @@ void tlb_gather_mmu_fullmm(struct mmu_ga
}
/**
+ * tlb_gather_mmu_vma - initialize an mmu_gather structure for operating on a
+ * single VMA
+ * @tlb: the mmu_gather structure to initialize
+ * @vma: the vm_area_struct
+ *
+ * Called to initialize an (on-stack) mmu_gather structure for operating on
+ * a single VMA. In contrast to tlb_gather_mmu(), calling this function will
+ * not require another call to tlb_start_vma(). In contrast to tlb_start_vma(),
+ * this function will *not* call flush_cache_range().
+ *
+ * For hugetlb VMAs, this function will also initialize the mmu_gather
+ * page_size accordingly, not requiring a separate call to
+ * tlb_change_page_size().
+ *
+ */
+void tlb_gather_mmu_vma(struct mmu_gather *tlb, struct vm_area_struct *vma)
+{
+ tlb_gather_mmu(tlb, vma->vm_mm);
+ tlb_update_vma_flags(tlb, vma);
+ if (is_vm_hugetlb_page(vma))
+ /* All entries have the same size. */
+ tlb_change_page_size(tlb, huge_page_size(hstate_vma(vma)));
+}
+
+/**
* tlb_finish_mmu - finish an mmu_gather structure
* @tlb: the mmu_gather structure to finish
*
@@ -333,6 +360,12 @@ void tlb_gather_mmu_fullmm(struct mmu_ga
void tlb_finish_mmu(struct mmu_gather *tlb)
{
/*
+ * We expect an earlier huge_pmd_unshare_flush() call to sort this out,
+ * due to complicated locking requirements with page table unsharing.
+ */
+ VM_WARN_ON_ONCE(tlb->fully_unshared_tables);
+
+ /*
* If there are parallel threads are doing PTE changes on same range
* under non-exclusive lock (e.g., mmap_lock read-side) but defer TLB
* flush by batching, one thread may end up seeing inconsistent PTEs
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -75,7 +75,7 @@
#include <linux/userfaultfd_k.h>
#include <linux/mm_inline.h>
-#include <asm/tlbflush.h>
+#include <asm/tlb.h>
#define CREATE_TRACE_POINTS
#include <trace/events/tlb.h>
@@ -1561,18 +1561,22 @@ static bool try_to_unmap_one(struct foli
* if unsuccessful.
*/
if (!anon) {
+ struct mmu_gather tlb;
+
VM_BUG_ON(!(flags & TTU_RMAP_LOCKED));
if (!hugetlb_vma_trylock_write(vma)) {
page_vma_mapped_walk_done(&pvmw);
ret = false;
break;
}
- if (huge_pmd_unshare(mm, vma, address, pvmw.pte)) {
+
+ tlb_gather_mmu_vma(&tlb, vma);
+ if (huge_pmd_unshare(&tlb, vma, address, pvmw.pte)) {
hugetlb_vma_unlock_write(vma);
- flush_tlb_range(vma,
- range.start, range.end);
+ huge_pmd_unshare_flush(&tlb, vma);
mmu_notifier_invalidate_range(mm,
range.start, range.end);
+ tlb_finish_mmu(&tlb);
/*
* The PMD table was unmapped,
* consequently unmapping the folio.
@@ -1581,6 +1585,7 @@ static bool try_to_unmap_one(struct foli
break;
}
hugetlb_vma_unlock_write(vma);
+ tlb_finish_mmu(&tlb);
}
pteval = huge_ptep_clear_flush(vma, address, pvmw.pte);
} else {
@@ -1945,19 +1950,22 @@ static bool try_to_migrate_one(struct fo
* fail if unsuccessful.
*/
if (!anon) {
+ struct mmu_gather tlb;
+
VM_BUG_ON(!(flags & TTU_RMAP_LOCKED));
if (!hugetlb_vma_trylock_write(vma)) {
page_vma_mapped_walk_done(&pvmw);
ret = false;
break;
}
- if (huge_pmd_unshare(mm, vma, address, pvmw.pte)) {
+
+ tlb_gather_mmu_vma(&tlb, vma);
+ if (huge_pmd_unshare(&tlb, vma, address, pvmw.pte)) {
hugetlb_vma_unlock_write(vma);
- flush_tlb_range(vma,
- range.start, range.end);
+ huge_pmd_unshare_flush(&tlb, vma);
mmu_notifier_invalidate_range(mm,
range.start, range.end);
-
+ tlb_finish_mmu(&tlb);
/*
* The PMD table was unmapped,
* consequently unmapping the folio.
@@ -1966,6 +1974,7 @@ static bool try_to_migrate_one(struct fo
break;
}
hugetlb_vma_unlock_write(vma);
+ tlb_finish_mmu(&tlb);
}
/* Nuke the hugetlb page table entry */
pteval = huge_ptep_clear_flush(vma, address, pvmw.pte);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 300/460] s390/xor: Fix xor_xc_2() inline assembly constraints
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 299/460] s390/stackleak: Fix __stackleak_poison() inline assembly constraint Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 301/460] drm/i915/alpm: ALPM disable fixes Greg Kroah-Hartman
` (2 subsequent siblings)
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Vasily Gorbik
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
commit f775276edc0c505dc0f782773796c189f31a1123 upstream.
The inline assembly constraints for xor_xc_2() are incorrect. "bytes",
"p1", and "p2" are input operands, while all three of them are modified
within the inline assembly. Given that the function consists only of this
inline assembly it seems unlikely that this may cause any problems, however
fix this in any case.
Fixes: 2cfc5f9ce7f5 ("s390/xor: optimized xor routing using the XC instruction")
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Link: https://lore.kernel.org/r/20260302133500.1560531-2-hca@linux.ibm.com
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/lib/xor.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/s390/lib/xor.c
+++ b/arch/s390/lib/xor.c
@@ -29,8 +29,8 @@ static void xor_xc_2(unsigned long bytes
" j 3f\n"
"2: xc 0(1,%1),0(%2)\n"
"3:\n"
- : : "d" (bytes), "a" (p1), "a" (p2)
- : "0", "1", "cc", "memory");
+ : "+d" (bytes), "+a" (p1), "+a" (p2)
+ : : "0", "1", "cc", "memory");
}
static void xor_xc_3(unsigned long bytes, unsigned long * __restrict p1,
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 376/567] selftests: mptcp: add a check for add_addr_accepted
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 375/567] mptcp: pm: in-kernel: always mark signal+subflow endp as used Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 377/567] selftests: mptcp: join: check RM_ADDR not sent over same subflow Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 378/567] kbuild: Leave objtool binary around with make clean Greg Kroah-Hartman
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gang Yan, Geliang Tang,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gang Yan <yangang@kylinos.cn>
[ Upstream commit 0eee0fdf9b7b0baf698f9b426384aa9714d76a51 ]
The previous patch fixed an issue with the 'add_addr_accepted' counter.
This was not spot by the test suite.
Check this counter and 'add_addr_signal' in MPTCP Join 'delete re-add
signal' test. This should help spotting similar regressions later on.
These counters are crucial for ensuring the MPTCP path manager correctly
handles the subflow creation via 'ADD_ADDR'.
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Reviewed-by: Geliang Tang <geliang@kernel.org>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-11-806d3781c95f@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 560edd99b5f5 ("selftests: mptcp: join: check RM_ADDR not sent over same subflow")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 7 +++++++
1 file changed, 7 insertions(+)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -3934,38 +3934,45 @@ endpoint_tests()
$ns1 10.0.2.1 id 1 flags signal
chk_subflow_nr "before delete" 2
chk_mptcp_info subflows 1 subflows 1
+ chk_mptcp_info add_addr_signal 2 add_addr_accepted 1
pm_nl_del_endpoint $ns1 1 10.0.2.1
pm_nl_del_endpoint $ns1 2 224.0.0.1
sleep 0.5
chk_subflow_nr "after delete" 1
chk_mptcp_info subflows 0 subflows 0
+ chk_mptcp_info add_addr_signal 0 add_addr_accepted 0
pm_nl_add_endpoint $ns1 10.0.2.1 id 1 flags signal
pm_nl_add_endpoint $ns1 10.0.3.1 id 2 flags signal
wait_mpj $ns2
chk_subflow_nr "after re-add" 3
chk_mptcp_info subflows 2 subflows 2
+ chk_mptcp_info add_addr_signal 2 add_addr_accepted 2
pm_nl_del_endpoint $ns1 42 10.0.1.1
sleep 0.5
chk_subflow_nr "after delete ID 0" 2
chk_mptcp_info subflows 2 subflows 2
+ chk_mptcp_info add_addr_signal 2 add_addr_accepted 2
pm_nl_add_endpoint $ns1 10.0.1.1 id 99 flags signal
wait_mpj $ns2
chk_subflow_nr "after re-add ID 0" 3
chk_mptcp_info subflows 3 subflows 3
+ chk_mptcp_info add_addr_signal 3 add_addr_accepted 2
pm_nl_del_endpoint $ns1 99 10.0.1.1
sleep 0.5
chk_subflow_nr "after re-delete ID 0" 2
chk_mptcp_info subflows 2 subflows 2
+ chk_mptcp_info add_addr_signal 2 add_addr_accepted 2
pm_nl_add_endpoint $ns1 10.0.1.1 id 88 flags signal
wait_mpj $ns2
chk_subflow_nr "after re-re-add ID 0" 3
chk_mptcp_info subflows 3 subflows 3
+ chk_mptcp_info add_addr_signal 3 add_addr_accepted 2
mptcp_lib_kill_group_wait $tests_pid
kill_events_pids
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 314/481] ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 313/481] mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 315/481] ext4: fix dirtyclusters double decrement on fs shutdown Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 316/481] ext4: always allocate blocks only from groups inode can use Greg Kroah-Hartman
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Namjae Jeon,
Steve French, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit a09dc10d1353f0e92c21eae2a79af1c2b1ddcde8 ]
There are two places where ksmbd_vfs_kern_path_end_removing() needs to be
called in order to balance what the corresponding successful call to
ksmbd_vfs_kern_path_start_removing() has done, i.e. drop inode locks and
put the taken references. Otherwise there might be potential deadlocks
and unbalanced locks which are caught like:
BUG: workqueue leaked lock or atomic: kworker/5:21/0x00000000/7596
last function: handle_ksmbd_work
2 locks held by kworker/5:21/7596:
#0: ffff8881051ae448 (sb_writers#3){.+.+}-{0:0}, at: ksmbd_vfs_kern_path_locked+0x142/0x660
#1: ffff888130e966c0 (&type->i_mutex_dir_key#3/1){+.+.}-{4:4}, at: ksmbd_vfs_kern_path_locked+0x17d/0x660
CPU: 5 PID: 7596 Comm: kworker/5:21 Not tainted 6.1.162-00456-gc29b353f383b #138
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
Workqueue: ksmbd-io handle_ksmbd_work
Call Trace:
<TASK>
dump_stack_lvl+0x44/0x5b
process_one_work.cold+0x57/0x5c
worker_thread+0x82/0x600
kthread+0x153/0x190
ret_from_fork+0x22/0x30
</TASK>
Found by Linux Verification Center (linuxtesting.org).
Fixes: d5fc1400a34b ("smb/server: avoid deadlock when linking with ReplaceIfExists")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ ksmbd_vfs_kern_path_end_removing() call -> ksmbd_vfs_kern_path_unlock() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -5693,14 +5693,14 @@ static int smb2_create_link(struct ksmbd
rc = -EINVAL;
ksmbd_debug(SMB, "cannot delete %s\n",
link_name);
- goto out;
}
} else {
rc = -EEXIST;
ksmbd_debug(SMB, "link already exists\n");
- goto out;
}
ksmbd_vfs_kern_path_unlock(&parent_path, &path);
+ if (rc)
+ goto out;
}
rc = ksmbd_vfs_link(work, target_name, link_name);
if (rc)
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 301/460] drm/i915/alpm: ALPM disable fixes
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 300/460] s390/xor: Fix xor_xc_2() inline assembly constraints Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 302/460] drm/i915/psr: Repeat Selective Update area alignment Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 303/460] drm/amd/display: Add pixel_clock to amd_pp_display_configuration Greg Kroah-Hartman
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Animesh Manna, Jani Nikula,
Jouni Högander, Michał Grzelak, Joonas Lahtinen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jouni Högander <jouni.hogander@intel.com>
commit eb4a7139e97374f42b7242cc754e77f1623fbcd5 upstream.
PORT_ALPM_CTL is supposed to be written only before link training. Remove
writing it from ALPM disable.
Also clearing ALPM_CTL_ALPM_AUX_LESS_ENABLE and is not about disabling ALPM
but switching to AUX-Wake ALPM. Stop touching this bit on ALPM disable.
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/7153
Fixes: 1ccbf135862b ("drm/i915/psr: Enable ALPM on source side for eDP Panel replay")
Cc: Animesh Manna <animesh.manna@intel.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: <stable@vger.kernel.org> # v6.10+
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Michał Grzelak <michal.grzelak@intel.com>
Link: https://patch.msgid.link/20260212062731.397801-1-jouni.hogander@intel.com
(cherry picked from commit 008304c9ae75c772d3460040de56e12112cdf5e6)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/display/intel_psr.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -2114,12 +2114,7 @@ static void intel_psr_disable_locked(str
/* Panel Replay on eDP is always using ALPM aux less. */
if (intel_dp->psr.panel_replay_enabled && intel_dp_is_edp(intel_dp)) {
intel_de_rmw(display, ALPM_CTL(display, cpu_transcoder),
- ALPM_CTL_ALPM_ENABLE |
- ALPM_CTL_ALPM_AUX_LESS_ENABLE, 0);
-
- intel_de_rmw(display,
- PORT_ALPM_CTL(display, cpu_transcoder),
- PORT_ALPM_CTL_ALPM_AUX_LESS_ENABLE, 0);
+ ALPM_CTL_ALPM_ENABLE, 0);
}
/* Disable PSR on Sink */
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 377/567] selftests: mptcp: join: check RM_ADDR not sent over same subflow
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 376/567] selftests: mptcp: add a check for add_addr_accepted Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 378/567] kbuild: Leave objtool binary around with make clean Greg Kroah-Hartman
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit 560edd99b5f58b2d4bbe3c8e51e1eed68d887b0e ]
This validates the previous commit: RM_ADDR were sent over the first
found active subflow which could be the same as the one being removed.
It is more likely to loose this notification.
For this check, RM_ADDR are explicitly dropped when trying to send them
over the initial subflow, when removing the endpoint attached to it. If
it is dropped, the test will complain because some RM_ADDR have not been
received.
Note that only the RM_ADDR are dropped, to allow the linked subflow to
be quickly and cleanly closed. To only drop those RM_ADDR, a cBPF byte
code is used. If the IPTables commands fail, that's OK, the tests will
continue to pass, but not validate this part. This can be ignored:
another subtest fully depends on such command, and will be marked as
skipped.
The 'Fixes' tag here below is the same as the one from the previous
commit: this patch here is not fixing anything wrong in the selftests,
but it validates the previous fix for an issue introduced by this commit
ID.
Fixes: 8dd5efb1f91b ("mptcp: send ack for rm_addr")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-3-4b5462b6f016@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 36 ++++++++++++++++++++++++
1 file changed, 36 insertions(+)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -81,6 +81,24 @@ CBPF_MPTCP_SUBOPTION_ADD_ADDR="14,
6 0 0 65535,
6 0 0 0"
+# IPv4: TCP hdr of 48B, a first suboption of 12B (DACK8), the RM_ADDR suboption
+# generated using "nfbpf_compile '(ip[32] & 0xf0) == 0xc0 && ip[53] == 0x0c &&
+# (ip[66] & 0xf0) == 0x40'"
+CBPF_MPTCP_SUBOPTION_RM_ADDR="13,
+ 48 0 0 0,
+ 84 0 0 240,
+ 21 0 9 64,
+ 48 0 0 32,
+ 84 0 0 240,
+ 21 0 6 192,
+ 48 0 0 53,
+ 21 0 4 12,
+ 48 0 0 66,
+ 84 0 0 240,
+ 21 0 1 64,
+ 6 0 0 65535,
+ 6 0 0 0"
+
init_partial()
{
capout=$(mktemp)
@@ -3880,6 +3898,14 @@ endpoint_tests()
chk_subflow_nr "after no reject" 3
chk_mptcp_info subflows 2 subflows 2
+ # To make sure RM_ADDR are sent over a different subflow, but
+ # allow the rest to quickly and cleanly close the subflow
+ local ipt=1
+ ip netns exec "${ns2}" ${iptables} -I OUTPUT -s "10.0.1.2" \
+ -p tcp -m tcp --tcp-option 30 \
+ -m bpf --bytecode \
+ "$CBPF_MPTCP_SUBOPTION_RM_ADDR" \
+ -j DROP || ipt=0
local i
for i in $(seq 3); do
pm_nl_del_endpoint $ns2 1 10.0.1.2
@@ -3892,6 +3918,7 @@ endpoint_tests()
chk_subflow_nr "after re-add id 0 ($i)" 3
chk_mptcp_info subflows 3 subflows 3
done
+ [ ${ipt} = 1 ] && ip netns exec "${ns2}" ${iptables} -D OUTPUT 1
mptcp_lib_kill_group_wait $tests_pid
@@ -3950,11 +3977,20 @@ endpoint_tests()
chk_mptcp_info subflows 2 subflows 2
chk_mptcp_info add_addr_signal 2 add_addr_accepted 2
+ # To make sure RM_ADDR are sent over a different subflow, but
+ # allow the rest to quickly and cleanly close the subflow
+ local ipt=1
+ ip netns exec "${ns1}" ${iptables} -I OUTPUT -s "10.0.1.1" \
+ -p tcp -m tcp --tcp-option 30 \
+ -m bpf --bytecode \
+ "$CBPF_MPTCP_SUBOPTION_RM_ADDR" \
+ -j DROP || ipt=0
pm_nl_del_endpoint $ns1 42 10.0.1.1
sleep 0.5
chk_subflow_nr "after delete ID 0" 2
chk_mptcp_info subflows 2 subflows 2
chk_mptcp_info add_addr_signal 2 add_addr_accepted 2
+ [ ${ipt} = 1 ] && ip netns exec "${ns1}" ${iptables} -D OUTPUT 1
pm_nl_add_endpoint $ns1 10.0.1.1 id 99 flags signal
wait_mpj $ns2
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 315/481] ext4: fix dirtyclusters double decrement on fs shutdown
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 314/481] ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 316/481] ext4: always allocate blocks only from groups inode can use Greg Kroah-Hartman
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Foster, Baokun Li,
Theodore Tso, stable, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Foster <bfoster@redhat.com>
[ Upstream commit 94a8cea54cd935c54fa2fba70354757c0fc245e3 ]
fstests test generic/388 occasionally reproduces a warning in
ext4_put_super() associated with the dirty clusters count:
WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4]
Tracing the failure shows that the warning fires due to an
s_dirtyclusters_counter value of -1. IOW, this appears to be a
spurious decrement as opposed to some sort of leak. Further tracing
of the dirty cluster count deltas and an LLM scan of the resulting
output identified the cause as a double decrement in the error path
between ext4_mb_mark_diskspace_used() and the caller
ext4_mb_new_blocks().
First, note that generic/388 is a shutdown vs. fsstress test and so
produces a random set of operations and shutdown injections. In the
problematic case, the shutdown triggers an error return from the
ext4_handle_dirty_metadata() call(s) made from
ext4_mb_mark_context(). The changed value is non-zero at this point,
so ext4_mb_mark_diskspace_used() does not exit after the error
bubbles up from ext4_mb_mark_context(). Instead, the former
decrements both cluster counters and returns the error up to
ext4_mb_new_blocks(). The latter falls into the !ar->len out path
which decrements the dirty clusters counter a second time, creating
the inconsistency.
To avoid this problem and simplify ownership of the cluster
reservation in this codepath, lift the counter reduction to a single
place in the caller. This makes it more clear that
ext4_mb_new_blocks() is responsible for acquiring cluster
reservation (via ext4_claim_free_clusters()) in the !delalloc case
as well as releasing it, regardless of whether it ends up consumed
or returned due to failure.
Fixes: 0087d9fb3f29 ("ext4: Fix s_dirty_blocks_counter if block allocation failed with nodelalloc")
Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Link: https://patch.msgid.link/20260113171905.118284-1-bfoster@redhat.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
[ Drop mballoc-test changes ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 21 +++++----------------
1 file changed, 5 insertions(+), 16 deletions(-)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -3815,8 +3815,7 @@ void ext4_exit_mballoc(void)
* Returns 0 if success or error code
*/
static noinline_for_stack int
-ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac,
- handle_t *handle, unsigned int reserv_clstrs)
+ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac, handle_t *handle)
{
struct buffer_head *bitmap_bh = NULL;
struct ext4_group_desc *gdp;
@@ -3904,13 +3903,6 @@ ext4_mb_mark_diskspace_used(struct ext4_
ext4_unlock_group(sb, ac->ac_b_ex.fe_group);
percpu_counter_sub(&sbi->s_freeclusters_counter, ac->ac_b_ex.fe_len);
- /*
- * Now reduce the dirty block count also. Should not go negative
- */
- if (!(ac->ac_flags & EXT4_MB_DELALLOC_RESERVED))
- /* release all the reserved blocks if non delalloc */
- percpu_counter_sub(&sbi->s_dirtyclusters_counter,
- reserv_clstrs);
if (sbi->s_log_groups_per_flex) {
ext4_group_t flex_group = ext4_flex_group(sbi,
@@ -5804,7 +5796,7 @@ repeat:
ext4_mb_pa_free(ac);
}
if (likely(ac->ac_status == AC_STATUS_FOUND)) {
- *errp = ext4_mb_mark_diskspace_used(ac, handle, reserv_clstrs);
+ *errp = ext4_mb_mark_diskspace_used(ac, handle);
if (*errp) {
ext4_discard_allocated_blocks(ac);
goto errout;
@@ -5836,12 +5828,9 @@ out:
kmem_cache_free(ext4_ac_cachep, ac);
if (inquota && ar->len < inquota)
dquot_free_block(ar->inode, EXT4_C2B(sbi, inquota - ar->len));
- if (!ar->len) {
- if ((ar->flags & EXT4_MB_DELALLOC_RESERVED) == 0)
- /* release all the reserved blocks if non delalloc */
- percpu_counter_sub(&sbi->s_dirtyclusters_counter,
- reserv_clstrs);
- }
+ /* release any reserved blocks */
+ if (reserv_clstrs)
+ percpu_counter_sub(&sbi->s_dirtyclusters_counter, reserv_clstrs);
trace_ext4_allocate_blocks(ar, (unsigned long long)block);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 302/460] drm/i915/psr: Repeat Selective Update area alignment
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 301/460] drm/i915/alpm: ALPM disable fixes Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 303/460] drm/amd/display: Add pixel_clock to amd_pp_display_configuration Greg Kroah-Hartman
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jouni Högander, Ankit Nautiyal,
Tvrtko Ursulin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jouni Högander <jouni.hogander@intel.com>
commit 1be2fca84f520105413d0d89ed04bb0ff742ab16 upstream.
Currently we are aligning Selective Update area to cover cursor fully if
needed only once. It may happen that cursor is in Selective Update area
after pipe alignment and after that covering cursor plane only
partially. Fix this by looping alignment as long as alignment isn't needed
anymore.
v2:
- do not unecessarily loop if cursor was already fully covered
- rename aligned as su_area_changed
Fixes: 1bff93b8bc27 ("drm/i915/psr: Extend SU area to cover cursor fully if needed")
Cc: <stable@vger.kernel.org> # v6.9+
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
Link: https://patch.msgid.link/20260304113011.626542-2-jouni.hogander@intel.com
(cherry picked from commit 681e12440d8b110350a5709101169f319e10ccbb)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/display/intel_psr.c | 50 +++++++++++++++++++++++--------
1 file changed, 38 insertions(+), 12 deletions(-)
--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -2385,12 +2385,13 @@ static void clip_area_update(struct drm_
overlap_damage_area->y2 = damage_area->y2;
}
-static void intel_psr2_sel_fetch_pipe_alignment(struct intel_crtc_state *crtc_state)
+static bool intel_psr2_sel_fetch_pipe_alignment(struct intel_crtc_state *crtc_state)
{
struct intel_display *display = to_intel_display(crtc_state);
struct drm_i915_private *dev_priv = to_i915(crtc_state->uapi.crtc->dev);
const struct drm_dsc_config *vdsc_cfg = &crtc_state->dsc.config;
u16 y_alignment;
+ bool su_area_changed = false;
/* ADLP aligns the SU region to vdsc slice height in case dsc is enabled */
if (crtc_state->dsc.compression_enable &&
@@ -2399,10 +2400,18 @@ static void intel_psr2_sel_fetch_pipe_al
else
y_alignment = crtc_state->su_y_granularity;
- crtc_state->psr2_su_area.y1 -= crtc_state->psr2_su_area.y1 % y_alignment;
- if (crtc_state->psr2_su_area.y2 % y_alignment)
+ if (crtc_state->psr2_su_area.y1 % y_alignment) {
+ crtc_state->psr2_su_area.y1 -= crtc_state->psr2_su_area.y1 % y_alignment;
+ su_area_changed = true;
+ }
+
+ if (crtc_state->psr2_su_area.y2 % y_alignment) {
crtc_state->psr2_su_area.y2 = ((crtc_state->psr2_su_area.y2 /
y_alignment) + 1) * y_alignment;
+ su_area_changed = true;
+ }
+
+ return su_area_changed;
}
/*
@@ -2487,7 +2496,7 @@ int intel_psr2_sel_fetch_update(struct i
struct intel_crtc_state *crtc_state = intel_atomic_get_new_crtc_state(state, crtc);
struct intel_plane_state *new_plane_state, *old_plane_state;
struct intel_plane *plane;
- bool full_update = false, cursor_in_su_area = false;
+ bool full_update = false, su_area_changed;
int i, ret;
if (!crtc_state->enable_psr2_sel_fetch)
@@ -2599,15 +2608,32 @@ int intel_psr2_sel_fetch_update(struct i
if (ret)
return ret;
- /*
- * Adjust su area to cover cursor fully as necessary (early
- * transport). This needs to be done after
- * drm_atomic_add_affected_planes to ensure visible cursor is added into
- * affected planes even when cursor is not updated by itself.
- */
- intel_psr2_sel_fetch_et_alignment(state, crtc, &cursor_in_su_area);
+ do {
+ bool cursor_in_su_area;
- intel_psr2_sel_fetch_pipe_alignment(crtc_state);
+ /*
+ * Adjust su area to cover cursor fully as necessary
+ * (early transport). This needs to be done after
+ * drm_atomic_add_affected_planes to ensure visible
+ * cursor is added into affected planes even when
+ * cursor is not updated by itself.
+ */
+ intel_psr2_sel_fetch_et_alignment(state, crtc, &cursor_in_su_area);
+
+ su_area_changed = intel_psr2_sel_fetch_pipe_alignment(crtc_state);
+
+ /*
+ * If the cursor was outside the SU area before
+ * alignment, the alignment step (which only expands
+ * SU) may pull the cursor partially inside, so we
+ * must run ET alignment again to fully cover it. But
+ * if the cursor was already fully inside before
+ * alignment, expanding the SU area won't change that,
+ * so no further work is needed.
+ */
+ if (cursor_in_su_area)
+ break;
+ } while (su_area_changed);
/*
* Now that we have the pipe damaged area check if it intersect with
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.6 378/567] kbuild: Leave objtool binary around with make clean
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.6 377/567] selftests: mptcp: join: check RM_ADDR not sent over same subflow Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
377 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Suchanek, Rainer Fiebig,
Josh Poimboeuf, Peter Zijlstra (Intel), Nicolas Schier,
Nathan Chancellor, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit fdb12c8a24a453bdd6759979b6ef1e04ebd4beb4 ]
The difference between 'make clean' and 'make mrproper' is documented in
'make help' as:
clean - Remove most generated files but keep the config and
enough build support to build external modules
mrproper - Remove all generated files + config + various backup files
After commit 68b4fe32d737 ("kbuild: Add objtool to top-level clean
target"), running 'make clean' then attempting to build an external
module with the resulting build directory fails with
$ make ARCH=x86_64 O=build clean
$ make -C build M=... MO=...
...
/bin/sh: line 1: .../build/tools/objtool/objtool: No such file or directory
as 'make clean' removes the objtool binary.
Split the objtool clean target into mrproper and clean like Kbuild does
and remove all generated artifacts with 'make clean' except for the
objtool binary, which is removed with 'make mrproper'. To avoid a small
race when running the objtool clean target through both objtool_mrproper
and objtool_clean when running 'make mrproper', modify objtool's clean
up find command to avoid using find's '-delete' command by piping the
files into 'xargs rm -f' like the rest of Kbuild does.
Cc: stable@vger.kernel.org
Fixes: 68b4fe32d737 ("kbuild: Add objtool to top-level clean target")
Reported-by: Michal Suchanek <msuchanek@suse.de>
Closes: https://lore.kernel.org/20260225112633.6123-1-msuchanek@suse.de/
Reported-by: Rainer Fiebig <jrf@mailbox.org>
Closes: https://lore.kernel.org/62d12399-76e5-3d40-126a-7490b4795b17@mailbox.org/
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Nicolas Schier <nsc@kernel.org>
Tested-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/20260227-avoid-objtool-binary-removal-clean-v1-1-122f3e55eae9@kernel.org
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
[ Context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Makefile | 8 ++++----
tools/objtool/Makefile | 8 +++++---
2 files changed, 9 insertions(+), 7 deletions(-)
--- a/Makefile
+++ b/Makefile
@@ -1356,13 +1356,13 @@ ifneq ($(wildcard $(resolve_btfids_O)),)
$(Q)$(MAKE) -sC $(srctree)/tools/bpf/resolve_btfids O=$(resolve_btfids_O) clean
endif
-PHONY += objtool_clean
+PHONY += objtool_clean objtool_mrproper
objtool_O = $(abspath $(objtree))/tools/objtool
-objtool_clean:
+objtool_clean objtool_mrproper:
ifneq ($(wildcard $(objtool_O)),)
- $(Q)$(MAKE) -sC $(abs_srctree)/tools/objtool O=$(objtool_O) srctree=$(abs_srctree) clean
+ $(Q)$(MAKE) -sC $(abs_srctree)/tools/objtool O=$(objtool_O) srctree=$(abs_srctree) $(patsubst objtool_%,%,$@)
endif
tools/: FORCE
@@ -1529,7 +1529,7 @@ PHONY += $(mrproper-dirs) mrproper
$(mrproper-dirs):
$(Q)$(MAKE) $(clean)=$(patsubst _mrproper_%,%,$@)
-mrproper: clean $(mrproper-dirs)
+mrproper: clean objtool_mrproper $(mrproper-dirs)
$(call cmd,rmfiles)
@find . $(RCS_FIND_IGNORE) \
\( -name '*.rmeta' \) \
--- a/tools/objtool/Makefile
+++ b/tools/objtool/Makefile
@@ -87,10 +87,12 @@ $(LIBSUBCMD)-clean:
$(Q)$(RM) -r -- $(LIBSUBCMD_OUTPUT)
clean: $(LIBSUBCMD)-clean
- $(call QUIET_CLEAN, objtool) $(RM) $(OBJTOOL)
- $(Q)find $(OUTPUT) -name '*.o' -delete -o -name '\.*.cmd' -delete -o -name '\.*.d' -delete
+ $(Q)find $(OUTPUT) \( -name '*.o' -o -name '\.*.cmd' -o -name '\.*.d' \) -type f -print | xargs $(RM)
$(Q)$(RM) $(OUTPUT)arch/x86/lib/inat-tables.c $(OUTPUT)fixdep
+mrproper: clean
+ $(call QUIET_CLEAN, objtool) $(RM) $(OBJTOOL)
+
FORCE:
-.PHONY: clean FORCE
+.PHONY: clean mrproper FORCE
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.1 316/481] ext4: always allocate blocks only from groups inode can use
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.1 315/481] ext4: fix dirtyclusters double decrement on fs shutdown Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
315 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Zhang Yi, Jan Kara,
Pedro Falcato, stable, Theodore Tso, Sasha Levin
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
[ Upstream commit 4865c768b563deff1b6a6384e74a62f143427b42 ]
For filesystems with more than 2^32 blocks inodes using indirect block
based format cannot use blocks beyond the 32-bit limit.
ext4_mb_scan_groups_linear() takes care to not select these unsupported
groups for such inodes however other functions selecting groups for
allocation don't. So far this is harmless because the other selection
functions are used only with mb_optimize_scan and this is currently
disabled for inodes with indirect blocks however in the following patch
we want to enable mb_optimize_scan regardless of inode format.
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Acked-by: Pedro Falcato <pfalcato@suse.de>
Cc: stable@kernel.org
Link: https://patch.msgid.link/20260114182836.14120-3-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[ Drop a few hunks not needed in older trees ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -871,6 +871,21 @@ mb_update_avg_fragment_size(struct super
}
}
+static ext4_group_t ext4_get_allocation_groups_count(
+ struct ext4_allocation_context *ac)
+{
+ ext4_group_t ngroups = ext4_get_groups_count(ac->ac_sb);
+
+ /* non-extent files are limited to low blocks/groups */
+ if (!(ext4_test_inode_flag(ac->ac_inode, EXT4_INODE_EXTENTS)))
+ ngroups = EXT4_SB(ac->ac_sb)->s_blockfile_groups;
+
+ /* Pairs with smp_wmb() in ext4_update_super() */
+ smp_rmb();
+
+ return ngroups;
+}
+
/*
* Choose next group by traversing largest_free_order lists. Updates *new_cr if
* cr level needs an update.
@@ -2672,10 +2687,7 @@ ext4_mb_regular_allocator(struct ext4_al
sb = ac->ac_sb;
sbi = EXT4_SB(sb);
- ngroups = ext4_get_groups_count(sb);
- /* non-extent files are limited to low blocks/groups */
- if (!(ext4_test_inode_flag(ac->ac_inode, EXT4_INODE_EXTENTS)))
- ngroups = sbi->s_blockfile_groups;
+ ngroups = ext4_get_allocation_groups_count(ac);
BUG_ON(ac->ac_status == AC_STATUS_FOUND);
^ permalink raw reply [flat|nested] 1563+ messages in thread
* [PATCH 6.12 303/460] drm/amd/display: Add pixel_clock to amd_pp_display_configuration
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2026-03-23 13:44 ` [PATCH 6.12 302/460] drm/i915/psr: Repeat Selective Update area alignment Greg Kroah-Hartman
@ 2026-03-23 13:44 ` Greg Kroah-Hartman
302 siblings, 0 replies; 1563+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-23 13:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Rosen Penev
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
commit b515dcb0dc4e85d8254f5459cfb32fce88dacbfb upstream.
This commit adds the pixel_clock field to the display config
struct so that power management (DPM) can use it.
We currently don't have a proper bandwidth calculation on old
GPUs with DCE 6-10 because dce_calcs only supports DCE 11+.
So the power management (DPM) on these GPUs may need to make
ad-hoc decisions for display based on the pixel clock.
Also rename sym_clock to pixel_clock in dm_pp_single_disp_config
to avoid confusion with other code where the sym_clock refers to
the DisplayPort symbol clock.
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_pp_smu.c | 1 +
drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 2 +-
drivers/gpu/drm/amd/display/dc/dm_services_types.h | 2 +-
drivers/gpu/drm/amd/include/dm_pp_interface.h | 1 +
4 files changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_pp_smu.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_pp_smu.c
@@ -97,6 +97,7 @@ bool dm_pp_apply_display_requirements(
const struct dm_pp_single_disp_config *dc_cfg =
&pp_display_cfg->disp_configs[i];
adev->pm.pm_display_cfg.displays[i].controller_id = dc_cfg->pipe_idx + 1;
+ adev->pm.pm_display_cfg.displays[i].pixel_clock = dc_cfg->pixel_clock;
}
amdgpu_dpm_display_configuration_change(adev, &adev->pm.pm_display_cfg);
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c
@@ -164,7 +164,7 @@ void dce110_fill_display_configs(
stream->link->cur_link_settings.link_rate;
cfg->link_settings.link_spread =
stream->link->cur_link_settings.link_spread;
- cfg->sym_clock = stream->phy_pix_clk;
+ cfg->pixel_clock = stream->phy_pix_clk;
/* Round v_refresh*/
cfg->v_refresh = stream->timing.pix_clk_100hz * 100;
cfg->v_refresh /= stream->timing.h_total;
--- a/drivers/gpu/drm/amd/display/dc/dm_services_types.h
+++ b/drivers/gpu/drm/amd/display/dc/dm_services_types.h
@@ -127,7 +127,7 @@ struct dm_pp_single_disp_config {
uint32_t src_height;
uint32_t src_width;
uint32_t v_refresh;
- uint32_t sym_clock; /* HDMI only */
+ uint32_t pixel_clock; /* Pixel clock in KHz (for HDMI only: normalized) */
struct dc_link_settings link_settings; /* DP only */
};
--- a/drivers/gpu/drm/amd/include/dm_pp_interface.h
+++ b/drivers/gpu/drm/amd/include/dm_pp_interface.h
@@ -65,6 +65,7 @@ struct single_display_configuration {
uint32_t view_resolution_cy;
enum amd_pp_display_config_type displayconfigtype;
uint32_t vertical_refresh; /* for active display */
+ uint32_t pixel_clock; /* Pixel clock in KHz (for HDMI only: normalized) */
};
#define MAX_NUM_DISPLAY 32
^ permalink raw reply [flat|nested] 1563+ messages in thread
end of thread, other threads:[~2026-03-23 16:31 UTC | newest]
Thread overview: 1563+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-23 13:38 [PATCH 6.6 000/567] 6.6.130-rc1 review Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 001/567] drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 002/567] drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 003/567] drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse() Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 004/567] irqchip/sifive-plic: Fix frozen interrupt due to affinity setting Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 005/567] scsi: lpfc: Properly set WC for DPP mapping Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 006/567] scsi: pm8001: Fix use-after-free in pm8001_queue_command() Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 007/567] ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 008/567] rseq: Clarify rseq registration rseq_size bound check comment Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 009/567] scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 010/567] ALSA: usb-audio: Cap the packet size pre-calculations Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 011/567] ALSA: usb-audio: Use inclusive terms Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 012/567] perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 013/567] ALSA: pci: hda: use snd_kcontrol_chip() Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 014/567] ALSA: hda: cs35l56: Fix signedness error in cs35l56_hda_posture_put() Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 015/567] btrfs: move btrfs_crc32c_final into free-space-cache.c Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 016/567] btrfs: remove btrfs_crc32c wrapper Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 017/567] btrfs: move btrfs_extref_hash into inode-item.h Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 018/567] btrfs: add raid stripe tree definitions Greg Kroah-Hartman
2026-03-23 13:38 ` [PATCH 6.6 019/567] btrfs: read raid stripe tree from disk Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 020/567] btrfs: add support for inserting raid stripe extents Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 021/567] btrfs: fix incorrect key offset in error message in check_dev_extent_item() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 022/567] btrfs: fix objectid value in error message in check_extent_data_ref() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 023/567] btrfs: fix warning in scrub_verify_one_metadata() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 024/567] btrfs: fix compat mask in error messages in btrfs_check_features() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 025/567] bpf: Fix stack-out-of-bounds write in devmap Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 026/567] PCI: Correct PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 value Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 027/567] memory: mtk-smi: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 028/567] memory: mtk-smi: fix device leaks on common probe Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 029/567] memory: mtk-smi: fix device leak on larb probe Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 030/567] PCI: Update BAR # and window messages Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 031/567] PCI: Use resource names in PCI log messages Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 032/567] resource: Add resource set range and size helpers Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 033/567] PCI: Use resource_set_range() that correctly sets ->end Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 034/567] KVM: x86: Fix KVM_GET_MSRS stack info leak Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 035/567] KVM: x86: Rename KVM_MSR_RET_INVALID to KVM_MSR_RET_UNSUPPORTED Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 036/567] KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 037/567] media: tegra-video: Use accessors for pad config try_* fields Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 038/567] media: tegra-video: Fix memory leak in __tegra_channel_try_format() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 039/567] KVM: x86: WARN if a vCPU gets a valid wakeup that KVM cant yet inject Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 040/567] KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 041/567] drm/tegra: dsi: fix device leak on probe Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 042/567] bus: omap-ocp2scp: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 043/567] bus: omap-ocp2scp: fix OF populate on driver rebind Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 044/567] ext4: get rid of ppath in ext4_find_extent() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 045/567] ext4: get rid of ppath in ext4_ext_create_new_leaf() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 046/567] ext4: get rid of ppath in ext4_ext_insert_extent() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 047/567] ext4: get rid of ppath in ext4_split_extent_at() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 048/567] ext4: subdivide EXT4_EXT_DATA_VALID1 Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 049/567] ext4: dont zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1 Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 050/567] ext4: get rid of ppath in ext4_split_extent() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 051/567] ext4: get rid of ppath in ext4_split_convert_extents() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 052/567] ext4: get rid of ppath in ext4_convert_unwritten_extents_endio() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 053/567] ext4: get rid of ppath in ext4_ext_convert_to_initialized() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 054/567] ext4: get rid of ppath in ext4_ext_handle_unwritten_extents() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 055/567] ext4: correct the comments place for EXT4_EXT_MAY_ZEROOUT Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 056/567] ext4: dont set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 057/567] ext4: drop extent cache after doing PARTIAL_VALID1 zeroout Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 058/567] ext4: drop extent cache when splitting extent fails Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 059/567] mailbox: Use of_property_match_string() instead of open-coding Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 060/567] mailbox: dont protect of_parse_phandle_with_args with con_mutex Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 061/567] mailbox: sort headers alphabetically Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 062/567] mailbox: remove unused header files Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 063/567] mailbox: Use dev_err when there is error Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 064/567] mailbox: Use guard/scoped_guard for con_mutex Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 065/567] mailbox: Allow controller specific mapping using fwnode Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 066/567] mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 067/567] ext4: delete redundant calculations in ext4_mb_get_buddy_page_lock() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 068/567] ext4: convert bd_bitmap_page to bd_bitmap_folio Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 069/567] ext4: convert bd_buddy_page to bd_buddy_folio Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 070/567] ext4: fix e4b bitmap inconsistency reports Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 071/567] mfd: qcom-pm8xxx: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 072/567] mfd: qcom-pm8xxx: Fix OF populate on driver rebind Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 073/567] mfd: omap-usb-host: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 074/567] mfd: omap-usb-host: Fix OF populate on driver rebind Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 075/567] arm64: dts: rockchip: Fix rk356x PCIe range mappings Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 076/567] clk: tegra: tegra124-emc: fix device leak on set_rate() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 077/567] usb: cdns3: remove redundant if branch Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 078/567] usb: cdns3: call cdns_power_is_lost() only once in cdns_resume() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.6 079/567] usb: cdns3: fix role switching during resume Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 080/567] drm/amd: Fix hang on amdgpu unload by using pci_dev_is_disconnected() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 081/567] ALSA: hda/conexant: Add quirk for HP ZBook Studio G4 Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 082/567] hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 083/567] ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314 Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 084/567] net: arcnet: com20020-pci: fix support for 2.5Mbit cards Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 085/567] drm/amd: Drop special case for yellow carp without discovery Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 086/567] drm/amdgpu: keep vga memory on MacBooks with switchable graphics Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 087/567] eventpoll: Fix integer overflow in ep_loop_check_proc() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 088/567] media: dvb-core: fix wrong reinitialization of ringbuffer on reopen Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 089/567] nfc: pn533: properly drop the usb interface reference on disconnect Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 090/567] net: usb: kaweth: validate USB endpoints Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 091/567] net: usb: kalmia: " Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 092/567] net: usb: pegasus: " Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 093/567] can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 094/567] can: usb: f81604: correctly anchor the urb in the read bulk callback Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 095/567] can: ucan: Fix infinite loop from zero-length messages Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 096/567] can: usb: etas_es58x: correctly anchor the urb in the read bulk callback Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 097/567] can: usb: f81604: handle short interrupt urb messages properly Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 098/567] can: usb: f81604: handle bulk write errors properly Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 099/567] HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 100/567] x86/efi: defer freeing of boot services memory Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 101/567] platform/x86: dell-wmi-sysman: Dont hex dump plaintext password data Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 102/567] platform/x86: dell-wmi: Add audio/mic mute key codes Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 103/567] ALSA: usb-audio: Use correct version for UAC3 header validation Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 104/567] wifi: radiotap: reject radiotap with unknown bits Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 105/567] wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 106/567] wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 107/567] wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 108/567] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 109/567] RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 110/567] net/sched: ets: fix divide by zero in the offload path Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 111/567] scsi: target: Fix recursive locking in __configfs_open_file() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 112/567] Squashfs: check metadata block offset is within range Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 113/567] drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 114/567] drbd: fix null-pointer dereference on local read error Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 115/567] smb: client: fix cifs_pick_channel when channels are equally loaded Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 116/567] smb: client: fix broken multichannel with krb5+signing Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 117/567] smb: client: Dont log plaintext credentials in cifs_set_cifscreds Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 118/567] scsi: core: Fix refcount leak for tagset_refcnt Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 119/567] selftests: mptcp: more stable simult_flows tests Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 120/567] selftests: mptcp: join: check removing signal+subflow endp Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 121/567] ARM: clean up the memset64() C wrapper Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 122/567] hwmon: (aht10) Add support for dht20 Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 123/567] hwmon: (aht10) Fix initialization commands for AHT20 Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 124/567] pinctrl: equilibrium: rename irq_chip function callbacks Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 125/567] pinctrl: equilibrium: fix warning trace on load Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 126/567] platform/x86: thinkpad_acpi: Fix errors reading battery thresholds Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 127/567] pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 128/567] hwmon: (it87) Check the it87_lock() return value Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 129/567] e1000e: clear DPG_EN after reset to avoid autonomous power-gating Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 130/567] drm/ssd130x: Use bool for ssd130x_deviceinfo flags Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 131/567] drm/ssd130x: Store the HW buffer in the driver-private CRTC state Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 132/567] drm/ssd130x: Replace .page_height field in device info with a constant Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 133/567] drm/solomon: Fix page start when updating rectangle in page addressing mode Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 134/567] net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in ALE table Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 135/567] xsk: Get rid of xdp_buff_xsk::xskb_list_node Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 136/567] xsk: s/free_list_node/list_node/ Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 137/567] xsk: Fix fragment node deletion to prevent buffer leak Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 138/567] xsk: Fix zero-copy AF_XDP fragment drop Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.6 139/567] dpaa2-switch: do not clear any interrupts automatically Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 140/567] dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 141/567] atm: lec: fix null-ptr-deref in lec_arp_clear_vccs Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 142/567] amd-xgbe: fix MAC_TCR_SS register width for 2.5G and 10M speeds Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 143/567] can: bcm: fix locking for bcm_op runtime updates Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 144/567] can: mcp251x: fix deadlock in error path of mcp251x_open Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 145/567] rust: kunit: fix warning when !CONFIG_PRINTK Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 146/567] kunit: tool: copy caller args in run_kernel to prevent mutation Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 147/567] net: dsa: realtek: rtl8365mb: fix rtl8365mb_phy_ocp_write return value Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 148/567] bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 149/567] octeon_ep: Relocate counter updates before NAPI Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 150/567] octeon_ep: avoid compiler and IQ/OQ reordering Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 151/567] wifi: cw1200: Fix locking in error paths Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 152/567] wifi: wlcore: Fix a locking bug Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 153/567] wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 154/567] wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 155/567] indirect_call_wrapper: do not reevaluate function pointer Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 156/567] net/rds: Fix circular locking dependency in rds_tcp_tune Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 157/567] xen/acpi-processor: fix _CST detection using undersized evaluation buffer Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 158/567] bpf: export bpf_link_inc_not_zero Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 159/567] bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 160/567] smb/client: fix buffer size for smb311_posix_qinfo in smb2_compound_op() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 161/567] smb/client: fix buffer size for smb311_posix_qinfo in SMB311_posix_query_info() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 162/567] ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 163/567] amd-xgbe: fix sleep while atomic on suspend/resume Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 164/567] drm/sched: Fix kernel-doc warning for drm_sched_job_done() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 165/567] nvme: reject invalid pr_read_keys() num_keys values Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 166/567] nvme: fix memory allocation in nvme_pr_read_keys() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 167/567] net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 168/567] net: nfc: nci: Fix zero-length proprietary notifications Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 169/567] nfc: nci: free skb on nci_transceive early error paths Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 170/567] nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 171/567] nfc: rawsock: cancel tx_work before socket teardown Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 172/567] net: stmmac: Fix error handling in VLAN add and delete paths Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 173/567] net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 174/567] net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 175/567] net: vxlan: " Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 176/567] net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 177/567] net/sched: act_ife: Fix metalist update behavior Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 178/567] xdp: use modulo operation to calculate XDP frag tailroom Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 179/567] xsk: introduce helper to determine rxq->frag_size Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 180/567] i40e: fix registering XDP RxQ info Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 181/567] i40e: use xdp.frame_sz as XDP RxQ info frag_size Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 182/567] xdp: produce a warning when calculated tailroom is negative Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 183/567] selftest/arm64: Fix sve2p1_sigill() to hwcap test Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 184/567] tracing: Add NULL pointer check to trigger_data_free() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 185/567] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 186/567] net: tcp: accept old ack during closing Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 187/567] apparmor: validate DFA start states are in bounds in unpack_pdb Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 188/567] apparmor: fix memory leak in verify_header Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 189/567] apparmor: replace recursive profile removal with iterative approach Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 190/567] apparmor: fix: limit the number of levels of policy namespaces Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 191/567] apparmor: fix side-effect bug in match_char() macro usage Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 192/567] apparmor: fix missing bounds check on DEFAULT table in verify_dfa() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 193/567] apparmor: Fix double free of ns_name in aa_replace_profiles() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 194/567] apparmor: fix unprivileged local user can do privileged policy management Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 195/567] apparmor: fix differential encoding verification Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 196/567] apparmor: fix race on rawdata dereference Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 197/567] apparmor: fix race between freeing data and fs accessing it Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 198/567] scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.6 199/567] ACPI: PM: Save NVS memory on Lenovo G70-35 Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 200/567] scsi: mpi3mr: Add NULL checks when resetting request and reply queues Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 201/567] unshare: fix unshare_fs() handling Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 202/567] wifi: mac80211: set default WMM parameters on all links Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 203/567] ACPI: OSI: Add DMI quirk for Acer Aspire One D255 Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 204/567] scsi: ses: Fix devices attaching to different hosts Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 205/567] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 206/567] ASoC: cs42l43: Report insert for exotic peripherals Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 207/567] scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 208/567] scsi: ufs: core: Fix shift out of bounds when MAXQ=32 Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 209/567] ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0 Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 210/567] ALSA: usb-audio: Check max frame size for implicit feedback mode, too Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 211/567] powerpc/uaccess: Fix inline assembly for clang build on PPC32 Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 212/567] remoteproc: sysmon: Correct subsys_name_len type in QMI request Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 213/567] remoteproc: mediatek: Unprepare SCP clock during system suspend Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 214/567] powerpc: 83xx: km83xx: Fix keymile vendor prefix Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 215/567] smb/server: Fix another refcount leak in smb2_open() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 216/567] xprtrdma: Decrement re_receiving on the early exit paths Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 217/567] net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 218/567] drm/msm/dsi: Document DSC related pclk_rate and hdisplay calculations Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 219/567] drm/msm/dsi: fix pclk rate calculation for bonded dsi Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 220/567] bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 221/567] net/mlx5: IFC updates for disabled host PF Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 222/567] net/mlx5: Query to see if host PF is disabled Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 223/567] net/mlx5: Fix deadlock between devlink lock and esw->wq Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 224/567] net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 225/567] net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 226/567] ASoC: soc-core: drop delayed_work_pending() check before flush Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 227/567] ASoC: soc-core: flush delayed work before removing DAIs and widgets Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 228/567] ASoC: simple-card-utils: use __free(device_node) for device node Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 229/567] ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 230/567] net: sfp: re-implement ignoring the hardware TX_FAULT signal Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 231/567] net: sfp: improve Nokia GPON sfp fixup Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 232/567] net: sfp: add quirk for Potron SFP+ XGSPON ONU Stick Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 233/567] net: sfp: improve Huawei MA5671a fixup Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 234/567] serial: caif: hold tty->link reference in ldisc_open and ser_release Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 235/567] mctp: i2c: fix skb memory leak in receive path Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 236/567] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 237/567] mctp: route: hold key->lock in mctp_flow_prepare_output() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 238/567] amd-xgbe: fix link status handling in xgbe_rx_adaptation Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 239/567] amd-xgbe: prevent CRC errors during RX adaptation with AN disabled Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 240/567] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 241/567] netfilter: x_tables: guard option walkers against 1-byte tail reads Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 242/567] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 243/567] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 244/567] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 245/567] regulator: pca9450: Make IRQ optional Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 246/567] regulator: pca9450: Correct interrupt type Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 247/567] sched: idle: Make skipping governor callbacks more consistent Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 248/567] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 249/567] nvme-pci: Fix race bug in nvme_poll_irqdisable() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 250/567] i40e: fix src IP mask checks and memcpy argument names in cloud filter Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 251/567] e1000/e1000e: Fix leak in DMA error cleanup Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 252/567] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 253/567] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 254/567] ASoC: detect empty DMI strings Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 255/567] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 256/567] octeontx2-af: devlink: fix NIX RAS reporter recovery condition Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 257/567] octeontx2-af: devlink health: use retained error fmsg API Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 258/567] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.6 259/567] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 260/567] Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on" Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 261/567] cgroup: fix race between task migration and iteration Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 262/567] ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 263/567] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 264/567] net: usb: lan78xx: fix silent drop of packets with checksum errors Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 265/567] net: usb: lan78xx: fix TX byte statistics for small packets Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 266/567] net: usb: lan78xx: skip LTM configuration for LAN7850 Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 267/567] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 268/567] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 269/567] USB: add QUIRK_NO_BOS for video capture several devices Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 270/567] usb/core/quirks: Add Huawei ME906S-device to wakeup quirk Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 271/567] USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 272/567] usb: xhci: Fix memory leak in xhci_disable_slot() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 273/567] usb: xhci: Prevent interrupt storm on host controller error (HCE) Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 274/567] usb: yurex: fix race in probe Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 275/567] usb: dwc3: pci: add support for the Intel Nova Lake -H Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 276/567] usb: misc: uss720: properly clean up reference in uss720_probe() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 277/567] usb: core: dont power off roothub PHYs if phy_set_mode() fails Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 278/567] usb: cdc-acm: Restore CAP_BRK functionnality to CH343 Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 279/567] usb: roles: get usb role switch from parent only for usb-b-connector Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 280/567] USB: usbcore: Introduce usb_bulk_msg_killable() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 281/567] USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 282/567] USB: core: Limit the length of unkillable synchronous timeouts Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 283/567] usb: class: cdc-wdm: fix reordering issue in read code path Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 284/567] usb: renesas_usbhs: fix use-after-free in ISR during device removal Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 285/567] usb: mdc800: handle signal and read racing Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 286/567] usb: image: mdc800: kill download URB on timeout Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 287/567] mm/tracing: rss_stat: ensure curr is false from kthread context Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 288/567] mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 289/567] mm/kfence: disable KFENCE upon KASAN HW tags enablement Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 290/567] mmc: core: Avoid bitfield RMW for claim/retune flags Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 291/567] ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 292/567] tipc: fix divide-by-zero in tipc_sk_filter_connect() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 293/567] kprobes: avoid crash when rmmod/insmod after ftrace killed Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 294/567] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 295/567] libceph: reject preamble if control segment is empty Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 296/567] libceph: prevent potential out-of-bounds reads in process_message_header() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 297/567] libceph: Use u32 for non-negative values in ceph_monmap_decode() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 298/567] libceph: admit message frames only in CEPH_CON_S_OPEN state Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 299/567] ceph: fix i_nlink underrun during async unlink Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 300/567] ceph: fix memory leaks in ceph_mdsc_build_path() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 301/567] time/jiffies: Mark jiffies_64_to_clock_t() notrace Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 302/567] i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 303/567] scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 304/567] scsi: hisi_sas: Add time interval between two H2D FIS following soft reset spec Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 305/567] scsi: hisi_sas: Use macro instead of magic number Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 306/567] scsi: hisi_sas: Fix NULL pointer exception during user_scan() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 307/567] Revert "tcpm: allow looking for role_sw device in the main node" Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 308/567] drm/bridge: samsung-dsim: Fix memory leak in error path Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 309/567] drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 310/567] device property: Allow secondary lookup in fwnode_get_next_child_node() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 311/567] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 312/567] ice: reintroduce retry mechanism for indirect AQ Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 313/567] ixgbevf: fix link setup issue Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 314/567] staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 315/567] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 316/567] media: dvb-net: fix OOB access in ULE extension header tables Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 317/567] net: mana: Ring doorbell at 4 CQ wraparounds Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 318/567] ice: fix retry for AQ command 0x06EE Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.6 319/567] tracing: Fix syscall events activation by ensuring refcount hits zero Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 320/567] batman-adv: Avoid double-rtnl_lock ELP metric worker Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 321/567] parisc: Increase initial mapping to 64 MB with KALLSYMS Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 322/567] nouveau/dpcd: return EBUSY for aux xfer if the device is asleep Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 323/567] arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 324/567] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 325/567] parisc: Fix initial page table creation for boot Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 326/567] parisc: Check kernel mapping earlier at bootup Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 327/567] pmdomain: bcm: bcm2835-power: Fix broken reset status read Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 328/567] ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 329/567] smb: server: fix use-after-free in smb2_open() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 330/567] ksmbd: fix use-after-free by using call_rcu() for oplock_info Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 331/567] net: ncsi: fix skb leak in error paths Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 332/567] net: ethernet: arc: emac: quiesce interrupts before requesting IRQ Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 333/567] net: dsa: microchip: Fix error path in PTP IRQ setup Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 334/567] drm/amdgpu: Fix use-after-free race in VM acquire Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 335/567] drm/amd: Set num IP blocks to 0 if discovery fails Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 336/567] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 337/567] drm/i915: Fix potential overflow of shmem scatterlist length Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 338/567] tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 339/567] cifs: make default value of retrans as zero Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 340/567] xfs: fix undersized l_iclog_roundoff values Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 341/567] s390/dasd: Move quiesce state with pprc swap Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 342/567] s390/dasd: Copy detected format information to secondary device Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 343/567] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 344/567] scsi: core: Fix error handling for scsi_alloc_sdev() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 345/567] x86/apic: Disable x2apic on resume if the kernel expects so Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 346/567] lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 347/567] lib/bootconfig: check bounds before writing in __xbc_open_brace() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 348/567] smb: client: fix atomic open with O_DIRECT & O_SYNC Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 349/567] smb: client: fix in-place encryption corruption in SMB2_write() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 350/567] smb: client: fix iface port assignment in parse_server_interfaces Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 351/567] btrfs: abort transaction on failure to update root in the received subvol ioctl Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 352/567] iio: dac: ds4424: reject -128 RAW value Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 353/567] iio: frequency: adf4377: Fix duplicated soft reset mask Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 354/567] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 355/567] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 356/567] iio: potentiometer: mcp4131: fix double application of wiper shift Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 357/567] iio: chemical: bme680: Fix measurement wait duration calculation Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 358/567] iio: buffer: Fix wait_queue not being removed Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 359/567] iio: gyro: mpu3050-core: fix pm_runtime error handling Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 360/567] iio: gyro: mpu3050-i2c: " Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 361/567] iio: imu: inv_icm42600: fix odr switch to the same value Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 362/567] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 363/567] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 364/567] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 365/567] drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 366/567] gve: defer interrupt enabling until NAPI registration Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 367/567] ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 368/567] wifi: libertas: fix use-after-free in lbs_free_adapter() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 369/567] platform/x86: hp-bioscfg: Support allocations of larger data Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 370/567] x86/sev: Allow IBPB-on-Entry feature for SNP guests Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 371/567] gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 372/567] net: phy: register phy led_triggers during probe to avoid AB-BA deadlock Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 373/567] drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 374/567] mptcp: pm: avoid sending RM_ADDR over same subflow Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 375/567] mptcp: pm: in-kernel: always mark signal+subflow endp as used Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 376/567] selftests: mptcp: add a check for add_addr_accepted Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 377/567] selftests: mptcp: join: check RM_ADDR not sent over same subflow Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.6 378/567] kbuild: Leave objtool binary around with make clean Greg Kroah-Hartman
-- strict thread matches above, loose matches on Subject: below --
2026-03-23 13:39 [PATCH 6.1 000/481] 6.1.167-rc1 review Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 001/481] drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 002/481] drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 003/481] drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 004/481] irqchip/sifive-plic: Fix frozen interrupt due to affinity setting Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 005/481] scsi: lpfc: Properly set WC for DPP mapping Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 006/481] scsi: pm8001: Fix use-after-free in pm8001_queue_command() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 007/481] ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 008/481] scsi: ufs: core: Always initialize the UIC done completion Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 009/481] scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 010/481] ALSA: usb-audio: Cap the packet size pre-calculations Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 011/481] ALSA: usb-audio: Use inclusive terms Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 012/481] perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 013/481] btrfs: move btrfs_crc32c_final into free-space-cache.c Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 014/481] btrfs: fix incorrect key offset in error message in check_dev_extent_item() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 015/481] btrfs: fix compat mask in error messages in btrfs_check_features() Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 016/481] bpf: Fix stack-out-of-bounds write in devmap Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.1 017/481] memory: mtk-smi: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 018/481] memory: mtk-smi: fix device leaks on common probe Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 019/481] memory: mtk-smi: fix device leak on larb probe Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 020/481] PCI: Introduce pci_dev_for_each_resource() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 021/481] PCI: Fix printk field formatting Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 022/481] PCI: Update BAR # and window messages Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 023/481] PCI: Use resource names in PCI log messages Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 024/481] resource: Add resource set range and size helpers Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 025/481] PCI: Use resource_set_range() that correctly sets ->end Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 026/481] KVM: x86/pmu: Provide "error" semantics for unsupported-but-known PMU MSRs Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 027/481] KVM: x86: Fix KVM_GET_MSRS stack info leak Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 028/481] KVM: x86: Rename KVM_MSR_RET_INVALID to KVM_MSR_RET_UNSUPPORTED Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 029/481] KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 030/481] media: tegra-video: Use accessors for pad config try_* fields Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 031/481] media: tegra-video: Fix memory leak in __tegra_channel_try_format() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 032/481] media: camss: vfe-480: Multiple outputs support for SM8250 Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 033/481] media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 034/481] KVM: x86: WARN if a vCPU gets a valid wakeup that KVM cant yet inject Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 035/481] KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 036/481] drm/tegra: dsi: fix device leak on probe Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 037/481] bus: omap-ocp2scp: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 038/481] bus: omap-ocp2scp: fix OF populate on driver rebind Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 039/481] ext4: make ext4_es_remove_extent() return void Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 040/481] ext4: get rid of ppath in ext4_find_extent() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 041/481] ext4: get rid of ppath in ext4_ext_create_new_leaf() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 042/481] ext4: get rid of ppath in ext4_ext_insert_extent() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 043/481] ext4: get rid of ppath in ext4_split_extent_at() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 044/481] ext4: subdivide EXT4_EXT_DATA_VALID1 Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 045/481] ext4: dont zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1 Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 046/481] ext4: drop extent cache after doing PARTIAL_VALID1 zeroout Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 047/481] ext4: drop extent cache when splitting extent fails Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 048/481] ext4: remove unnecessary e4b->bd_buddy_page check in ext4_mb_load_buddy_gfp Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 049/481] ext4: convert some BUG_ONs in mballoc to use WARN_RATELIMITED instead Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 050/481] ext4: delete redundant calculations in ext4_mb_get_buddy_page_lock() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 051/481] ext4: convert bd_bitmap_page to bd_bitmap_folio Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 052/481] ext4: convert bd_buddy_page to bd_buddy_folio Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 053/481] ext4: fix e4b bitmap inconsistency reports Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 054/481] mfd: qcom-pm8xxx: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 055/481] mfd: qcom-pm8xxx: Fix OF populate on driver rebind Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 056/481] mfd: omap-usb-host: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 057/481] mfd: omap-usb-host: Fix OF populate on driver rebind Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 058/481] arm64: dts: rockchip: Fix rk356x PCIe range mappings Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 059/481] clk: tegra: tegra124-emc: fix device leak on set_rate() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 060/481] usb: cdns3: remove redundant if branch Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 061/481] usb: cdns3: call cdns_power_is_lost() only once in cdns_resume() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 062/481] usb: cdns3: fix role switching during resume Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 063/481] ALSA: hda/conexant: Add quirk for HP ZBook Studio G4 Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 064/481] hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 065/481] ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314 Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 066/481] net: arcnet: com20020-pci: fix support for 2.5Mbit cards Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 067/481] drm/amd: Drop special case for yellow carp without discovery Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 068/481] drm/amdgpu: keep vga memory on MacBooks with switchable graphics Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 069/481] eventpoll: Fix integer overflow in ep_loop_check_proc() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 070/481] media: dvb-core: fix wrong reinitialization of ringbuffer on reopen Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 071/481] nfc: pn533: properly drop the usb interface reference on disconnect Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 072/481] net: usb: kaweth: validate USB endpoints Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 073/481] net: usb: kalmia: " Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 074/481] net: usb: pegasus: " Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 075/481] can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 076/481] can: ucan: Fix infinite loop from zero-length messages Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.1 077/481] can: usb: etas_es58x: correctly anchor the urb in the read bulk callback Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 078/481] HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 079/481] x86/efi: defer freeing of boot services memory Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 080/481] platform/x86: dell-wmi-sysman: Dont hex dump plaintext password data Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 081/481] platform/x86: dell-wmi: Add audio/mic mute key codes Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 082/481] ALSA: usb-audio: Use correct version for UAC3 header validation Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 083/481] wifi: radiotap: reject radiotap with unknown bits Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 084/481] wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 085/481] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 086/481] RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 087/481] net/sched: ets: fix divide by zero in the offload path Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 088/481] scsi: target: Fix recursive locking in __configfs_open_file() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 089/481] Squashfs: check metadata block offset is within range Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 090/481] drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 091/481] smb: client: fix broken multichannel with krb5+signing Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 092/481] smb: client: Dont log plaintext credentials in cifs_set_cifscreds Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 093/481] scsi: core: Fix refcount leak for tagset_refcnt Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 094/481] selftests: mptcp: more stable simult_flows tests Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 095/481] selftests: mptcp: join: check removing signal+subflow endp Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 096/481] ARM: clean up the memset64() C wrapper Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 097/481] platform/x86: thinkpad_acpi: Fix errors reading battery thresholds Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 098/481] net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in ALE table Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 099/481] net: dpaa2: replace dpaa2_mac_is_type_fixed() with dpaa2_mac_is_type_phy() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 100/481] net: dpaa2-switch: assign port_priv->mac after dpaa2_mac_connect() call Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 101/481] net: dpaa2-switch replace direct MAC access with dpaa2_switch_port_has_mac() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 102/481] net: dpaa2-switch: serialize changes to priv->mac with a mutex Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 103/481] dpaa2-switch: do not clear any interrupts automatically Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 104/481] dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 105/481] atm: lec: fix null-ptr-deref in lec_arp_clear_vccs Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 106/481] can: bcm: fix locking for bcm_op runtime updates Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 107/481] can: mcp251x: fix deadlock in error path of mcp251x_open Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 108/481] kunit: tool: print summary of failed tests if a few failed out of a lot Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 109/481] kunit: tool: make --json do nothing if --raw_ouput is set Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 110/481] kunit: tool: parse KTAP compliant test output Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 111/481] kunit: tool: dont include KTAP headers and the like in the test log Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 112/481] kunit: tool: make parser preserve whitespace when printing " Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 113/481] kunit: kunit.py extract handlers Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 114/481] kunit: tool: remove unused imports and variables Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 115/481] kunit: tool: fix pre-existing `mypy --strict` errors and update run_checks.py Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 116/481] kunit: tool: Add command line interface to filter and report attributes Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 117/481] kunit: tool: copy caller args in run_kernel to prevent mutation Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 118/481] net: dsa: realtek: rtl8365mb: fix rtl8365mb_phy_ocp_write return value Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 119/481] octeon_ep: Relocate counter updates before NAPI Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 120/481] octeon_ep: avoid compiler and IQ/OQ reordering Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 121/481] wifi: cw1200: Fix locking in error paths Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 122/481] wifi: wlcore: Fix a locking bug Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 123/481] wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 124/481] indirect_call_wrapper: do not reevaluate function pointer Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 125/481] xen/acpi-processor: fix _CST detection using undersized evaluation buffer Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 126/481] bpf: export bpf_link_inc_not_zero Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 127/481] bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 128/481] ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 129/481] amd-xgbe: fix sleep while atomic on suspend/resume Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 130/481] net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 131/481] net: nfc: nci: Fix zero-length proprietary notifications Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 132/481] nfc: nci: free skb on nci_transceive early error paths Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 133/481] nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 134/481] nfc: rawsock: cancel tx_work before socket teardown Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 135/481] net: stmmac: Fix error handling in VLAN add and delete paths Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 136/481] net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.1 137/481] net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 138/481] net: vxlan: " Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 139/481] net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 140/481] net/sched: act_ife: Fix metalist update behavior Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 141/481] xdp: use modulo operation to calculate XDP frag tailroom Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 142/481] xdp: produce a warning when calculated tailroom is negative Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 143/481] tracing: Add NULL pointer check to trigger_data_free() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 144/481] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 145/481] net: tcp: accept old ack during closing Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 146/481] scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 147/481] ACPI: PM: Save NVS memory on Lenovo G70-35 Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 148/481] scsi: mpi3mr: Add NULL checks when resetting request and reply queues Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 149/481] unshare: fix unshare_fs() handling Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 150/481] wifi: mac80211: set default WMM parameters on all links Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 151/481] ACPI: OSI: Add DMI quirk for Acer Aspire One D255 Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 152/481] scsi: ses: Fix devices attaching to different hosts Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 153/481] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 154/481] ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0 Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 155/481] ALSA: usb-audio: Check max frame size for implicit feedback mode, too Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 156/481] powerpc/uaccess: Fix inline assembly for clang build on PPC32 Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 157/481] remoteproc: sysmon: Correct subsys_name_len type in QMI request Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 158/481] remoteproc: mediatek: Unprepare SCP clock during system suspend Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 159/481] powerpc: 83xx: km83xx: Fix keymile vendor prefix Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 160/481] xprtrdma: Decrement re_receiving on the early exit paths Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 161/481] net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 162/481] bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 163/481] net/mlx5: IFC updates for disabled host PF Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 164/481] net/mlx5: Query to see if host PF is disabled Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 165/481] net/mlx5: Fix deadlock between devlink lock and esw->wq Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 166/481] net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 167/481] net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 168/481] ASoC: soc-core: drop delayed_work_pending() check before flush Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 169/481] ASoC: core: Exit all links before removing their components Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 170/481] ASoC: core: Do not call link_exit() on uninitialized rtd objects Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 171/481] ASoC: soc-core: flush delayed work before removing DAIs and widgets Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 172/481] serial: caif: hold tty->link reference in ldisc_open and ser_release Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 173/481] mctp: i2c: fix skb memory leak in receive path Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 174/481] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 175/481] mctp: route: hold key->lock in mctp_flow_prepare_output() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 176/481] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 177/481] netfilter: x_tables: guard option walkers against 1-byte tail reads Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 178/481] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 179/481] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 180/481] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 181/481] regulator: pca9450: Make IRQ optional Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 182/481] regulator: pca9450: Correct interrupt type Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 183/481] sched: idle: Make skipping governor callbacks more consistent Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 184/481] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 185/481] nvme-pci: Fix race bug in nvme_poll_irqdisable() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 186/481] i40e: fix src IP mask checks and memcpy argument names in cloud filter Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 187/481] e1000/e1000e: Fix leak in DMA error cleanup Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 188/481] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 189/481] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 190/481] ASoC: detect empty DMI strings Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 191/481] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 192/481] octeontx2-af: devlink: fix NIX RAS reporter recovery condition Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 193/481] octeontx2-af: devlink health: use retained error fmsg API Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 194/481] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 195/481] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 196/481] Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on" Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.1 197/481] cgroup: fix race between task migration and iteration Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 198/481] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 199/481] net: usb: lan78xx: fix silent drop of packets with checksum errors Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 200/481] net: usb: lan78xx: fix TX byte statistics for small packets Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 201/481] net: usb: lan78xx: skip LTM configuration for LAN7850 Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 202/481] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 203/481] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 204/481] USB: add QUIRK_NO_BOS for video capture several devices Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 205/481] usb/core/quirks: Add Huawei ME906S-device to wakeup quirk Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 206/481] USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 207/481] usb: xhci: Fix memory leak in xhci_disable_slot() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 208/481] usb: yurex: fix race in probe Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 209/481] usb: misc: uss720: properly clean up reference in uss720_probe() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 210/481] usb: core: dont power off roothub PHYs if phy_set_mode() fails Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 211/481] usb: cdc-acm: Restore CAP_BRK functionnality to CH343 Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 212/481] USB: usbcore: Introduce usb_bulk_msg_killable() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 213/481] USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 214/481] USB: core: Limit the length of unkillable synchronous timeouts Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 215/481] usb: class: cdc-wdm: fix reordering issue in read code path Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 216/481] usb: renesas_usbhs: fix use-after-free in ISR during device removal Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 217/481] usb: mdc800: handle signal and read racing Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 218/481] usb: image: mdc800: kill download URB on timeout Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 219/481] mm/tracing: rss_stat: ensure curr is false from kthread context Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 220/481] mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 221/481] mmc: core: Avoid bitfield RMW for claim/retune flags Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 222/481] tipc: fix divide-by-zero in tipc_sk_filter_connect() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 223/481] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 224/481] libceph: reject preamble if control segment is empty Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 225/481] libceph: prevent potential out-of-bounds reads in process_message_header() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 226/481] libceph: Use u32 for non-negative values in ceph_monmap_decode() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 227/481] libceph: admit message frames only in CEPH_CON_S_OPEN state Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 228/481] ceph: fix i_nlink underrun during async unlink Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 229/481] time: add kernel-doc in time.c Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 230/481] time/jiffies: Mark jiffies_64_to_clock_t() notrace Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 231/481] drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 232/481] device property: Allow secondary lookup in fwnode_get_next_child_node() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 233/481] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 234/481] ixgbevf: fix link setup issue Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 235/481] staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 236/481] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 237/481] media: dvb-net: fix OOB access in ULE extension header tables Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 238/481] net: mana: Ring doorbell at 4 CQ wraparounds Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 239/481] ice: fix retry for AQ command 0x06EE Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 240/481] batman-adv: Avoid double-rtnl_lock ELP metric worker Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 241/481] parisc: Increase initial mapping to 64 MB with KALLSYMS Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 242/481] nouveau/dpcd: return EBUSY for aux xfer if the device is asleep Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 243/481] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 244/481] parisc: Fix initial page table creation for boot Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 245/481] parisc: Check kernel mapping earlier at bootup Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 246/481] smb: server: fix use-after-free in smb2_open() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 247/481] net: ncsi: fix skb leak in error paths Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 248/481] net: ethernet: arc: emac: quiesce interrupts before requesting IRQ Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 249/481] drm/amdgpu: Fix use-after-free race in VM acquire Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 250/481] drm/amd: Set num IP blocks to 0 if discovery fails Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 251/481] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 252/481] tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 253/481] xfs: fix undersized l_iclog_roundoff values Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 254/481] s390/dasd: Move quiesce state with pprc swap Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 255/481] s390/dasd: Copy detected format information to secondary device Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 256/481] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.1 257/481] scsi: core: Fix error handling for scsi_alloc_sdev() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 258/481] x86/apic: Disable x2apic on resume if the kernel expects so Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 259/481] lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 260/481] lib/bootconfig: check bounds before writing in __xbc_open_brace() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 261/481] smb: client: fix atomic open with O_DIRECT & O_SYNC Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 262/481] smb: client: fix iface port assignment in parse_server_interfaces Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 263/481] btrfs: fix transaction abort on file creation due to name hash collision Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 264/481] btrfs: abort transaction on failure to update root in the received subvol ioctl Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 265/481] iio: dac: ds4424: reject -128 RAW value Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 266/481] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 267/481] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 268/481] iio: potentiometer: mcp4131: fix double application of wiper shift Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 269/481] iio: chemical: bme680: Fix measurement wait duration calculation Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 270/481] iio: gyro: mpu3050-core: fix pm_runtime error handling Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 271/481] iio: gyro: mpu3050-i2c: " Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 272/481] iio: imu: inv_icm42600: fix odr switch to the same value Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 273/481] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 274/481] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 275/481] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 276/481] drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 277/481] ipv6: use RCU in ip6_xmit() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 278/481] bpf: Forget ranges when refining tnum after JSET Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 279/481] l2tp: do not use sock_hold() in pppol2tp_session_get_sock() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 280/481] io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 281/481] io_uring/kbuf: check if target buffer list is still legacy on recycle Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 282/481] sunrpc: fix cache_request leak in cache_release Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 283/481] nvdimm/bus: Fix potential use after free in asynchronous initialization Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 284/481] LoongArch: Give more information if kmem access failed Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 285/481] NFC: nxp-nci: allow GPIOs to sleep Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 286/481] net: macb: fix use-after-free access to PTP clock Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 287/481] Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 288/481] Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 289/481] smb: client: fix krb5 mount with username option Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 290/481] ksmbd: unset conn->binding on failed binding request Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 291/481] mmc: sdhci-pci-gli: fix GL9750 DMA write corruption Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 292/481] mmc: sdhci: fix timing selection for 1-bit bus width Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 293/481] spi: fix use-after-free on controller registration failure Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 294/481] spi: fix statistics allocation Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 295/481] mtd: rawnand: pl353: make sure optimal timings are applied Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 296/481] mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 297/481] mtd: Avoid boot crash in RedBoot partition table parser Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 298/481] iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 299/481] serial: 8250_pci: add support for the AX99100 Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 300/481] serial: 8250: Fix TX deadlock when using DMA Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 301/481] serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART BUSY Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 302/481] serial: uartlite: fix PM runtime usage count underflow on probe Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 303/481] drm/amdgpu/mmhub2.0: add bounds checking for cid Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 304/481] drm/amdgpu/mmhub2.3: " Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 305/481] drm/amdgpu/mmhub3.0.1: " Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 306/481] drm/amdgpu/mmhub3.0.2: " Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 307/481] drm/amdgpu/mmhub3.0: " Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 308/481] drm/radeon: apply state adjust rules to some additional HAINAN vairants Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 309/481] drm/amdgpu: " Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 310/481] mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 311/481] mm/hugetlb: fix hugetlb_pmd_shared() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 312/481] mm/hugetlb: fix two comments related to huge_pmd_unshare() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 313/481] mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 314/481] ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 315/481] ext4: fix dirtyclusters double decrement on fs shutdown Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.1 316/481] ext4: always allocate blocks only from groups inode can use Greg Kroah-Hartman
2026-03-23 13:39 [PATCH 6.12 000/460] 6.12.78-rc1 review Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.12 001/460] scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.12 002/460] ACPI: PM: Save NVS memory on Lenovo G70-35 Greg Kroah-Hartman
2026-03-23 13:39 ` [PATCH 6.12 003/460] scsi: mpi3mr: Add NULL checks when resetting request and reply queues Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 004/460] ALSA: hda/realtek: Fix speaker pop on Star Labs StarFighter Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 005/460] unshare: fix unshare_fs() handling Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 006/460] wifi: mac80211: set default WMM parameters on all links Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 007/460] ACPI: OSI: Add DMI quirk for Acer Aspire One D255 Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 008/460] scsi: ses: Fix devices attaching to different hosts Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 009/460] ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 010/460] ASoC: cs42l43: Report insert for exotic peripherals Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 011/460] scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 012/460] scsi: ufs: core: Fix shift out of bounds when MAXQ=32 Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 013/460] ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0 Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 014/460] drm/amdgpu/vcn5: Add SMU dpm interface type Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 015/460] ALSA: usb-audio: Check max frame size for implicit feedback mode, too Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 016/460] powerpc/uaccess: Fix inline assembly for clang build on PPC32 Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 017/460] kexec: Consolidate machine_kexec_mask_interrupts() implementation Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 018/460] kexec: Include kernel-end even without crashkernel Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 019/460] powerpc/kexec/core: use big-endian types for crash variables Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 020/460] powerpc/crash: adjust the elfcorehdr size Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 021/460] remoteproc: sysmon: Correct subsys_name_len type in QMI request Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 022/460] remoteproc: mediatek: Unprepare SCP clock during system suspend Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 023/460] powerpc: 83xx: km83xx: Fix keymile vendor prefix Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 024/460] smb/server: Fix another refcount leak in smb2_open() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 025/460] nfs: return EISDIR on nfs3_proc_create if d_alias is a dir Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 026/460] drm/msm/dsi: fix hdisplay calculation when programming dsi registers Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 027/460] xprtrdma: Decrement re_receiving on the early exit paths Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 028/460] btrfs: hold space_info->lock when clearing periodic reclaim ready Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 029/460] workqueue: Use POOL_BH instead of WQ_BH when checking pool flags Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 030/460] perf disasm: Fix off-by-one bug in outside check Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 031/460] net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 032/460] drm/msm/dsi: fix pclk rate calculation for bonded dsi Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 033/460] drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v14 Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 034/460] bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 035/460] net/mlx5: IFC updates for disabled host PF Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 036/460] net/mlx5: Query to see if host PF is disabled Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 037/460] net/mlx5: Fix deadlock between devlink lock and esw->wq Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 038/460] net/mlx5: Fix crash when moving to switchdev mode Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 039/460] net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 040/460] net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 041/460] drm/sitronix/st7586: fix bad pixel data due to byte swap Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 042/460] ASoC: soc-core: drop delayed_work_pending() check before flush Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 043/460] ASoC: soc-core: flush delayed work before removing DAIs and widgets Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 044/460] ASoC: simple-card-utils: use __free(device_node) for device node Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 045/460] ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 046/460] net: sfp: improve Huawei MA5671a fixup Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 047/460] serial: caif: hold tty->link reference in ldisc_open and ser_release Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 048/460] bnxt_en: Fix RSS table size check when changing ethtool channels Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 049/460] mctp: i2c: fix skb memory leak in receive path Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 050/460] can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 051/460] bonding: add ESP offload features when slaves support Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 052/460] bonding: Correctly support GSO ESP offload Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 053/460] net: add a common function to compute features for upper devices Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 054/460] bonding: use common function to compute the features Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 055/460] bonding: fix type confusion in bond_setup_by_slave() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 056/460] mctp: route: hold key->lock in mctp_flow_prepare_output() Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 057/460] amd-xgbe: fix link status handling in xgbe_rx_adaptation Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 058/460] amd-xgbe: prevent CRC errors during RX adaptation with AN disabled Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 059/460] xdp: allow attaching already registered memory model to xdp_rxq_info Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 060/460] xdp: register system page pool as an XDP memory model Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 061/460] net: add xmit recursion limit to tunnel xmit functions Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 062/460] netfilter: nf_tables: always walk all pending catchall elements Greg Kroah-Hartman
2026-03-23 13:40 ` [PATCH 6.12 063/460] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 064/460] netfilter: x_tables: guard option walkers against 1-byte tail reads Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 065/460] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 066/460] netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 067/460] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 068/460] perf annotate: Fix hashmap__new() error checking Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 069/460] regulator: pca9450: Correct interrupt type Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 070/460] perf ftrace: Fix hashmap__new() error checking Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 071/460] sched: idle: Make skipping governor callbacks more consistent Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 072/460] nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 073/460] nvme-pci: Fix race bug in nvme_poll_irqdisable() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 074/460] i40e: fix src IP mask checks and memcpy argument names in cloud filter Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 075/460] e1000/e1000e: Fix leak in DMA error cleanup Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 076/460] net: bcmgenet: fix broken EEE by converting to phylib-managed state Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 077/460] ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 078/460] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 079/460] ASoC: detect empty DMI strings Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 080/460] drm/amdkfd: Unreserve bo if queue update failed Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 081/460] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 082/460] net: dsa: realtek: Fix LED group port bit for non-zero LED group Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 083/460] octeontx2-af: devlink: fix NIX RAS reporter recovery condition Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 084/460] octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 085/460] net: prevent NULL deref in ip[6]tunnel_xmit() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 086/460] iio: imu: inv-mpu9150: fix irq ack preventing irq storms Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 087/460] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 088/460] Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on" Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 089/460] cgroup: fix race between task migration and iteration Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 090/460] ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 091/460] ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 092/460] net: usb: lan78xx: fix silent drop of packets with checksum errors Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 093/460] net: usb: lan78xx: fix TX byte statistics for small packets Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 094/460] net: usb: lan78xx: skip LTM configuration for LAN7850 Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 095/460] ata: libata-core: Add BRIDGE_OK quirk for QEMU drives Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 096/460] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 097/460] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 098/460] USB: add QUIRK_NO_BOS for video capture several devices Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 099/460] usb/core/quirks: Add Huawei ME906S-device to wakeup quirk Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 100/460] USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 101/460] usb: xhci: Fix memory leak in xhci_disable_slot() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 102/460] usb: xhci: Prevent interrupt storm on host controller error (HCE) Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 103/460] usb: yurex: fix race in probe Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 104/460] usb: dwc3: pci: add support for the Intel Nova Lake -H Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 105/460] usb: misc: uss720: properly clean up reference in uss720_probe() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 106/460] usb: core: dont power off roothub PHYs if phy_set_mode() fails Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 107/460] usb: cdc-acm: Restore CAP_BRK functionnality to CH343 Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 108/460] usb: roles: get usb role switch from parent only for usb-b-connector Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 109/460] usb: typec: altmode/displayport: set displayport signaling rate in configure message Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 110/460] USB: usbcore: Introduce usb_bulk_msg_killable() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 111/460] USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 112/460] USB: core: Limit the length of unkillable synchronous timeouts Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 113/460] usb: class: cdc-wdm: fix reordering issue in read code path Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 114/460] usb: renesas_usbhs: fix use-after-free in ISR during device removal Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 115/460] usb: mdc800: handle signal and read racing Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 116/460] usb: image: mdc800: kill download URB on timeout Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 117/460] rust: kbuild: allow `unused_features` Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 118/460] mm/tracing: rss_stat: ensure curr is false from kthread context Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 119/460] mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index() Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 120/460] mm/kfence: disable KFENCE upon KASAN HW tags enablement Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 121/460] mmc: core: Avoid bitfield RMW for claim/retune flags Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 122/460] ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start Greg Kroah-Hartman
2026-03-23 13:41 ` [PATCH 6.12 123/460] tipc: fix divide-by-zero in tipc_sk_filter_connect() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 124/460] kprobes: avoid crash when rmmod/insmod after ftrace killed Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 125/460] ceph: add a bunch of missing ceph_path_info initializers Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 126/460] libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 127/460] libceph: reject preamble if control segment is empty Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 128/460] libceph: prevent potential out-of-bounds reads in process_message_header() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 129/460] libceph: Use u32 for non-negative values in ceph_monmap_decode() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 130/460] libceph: admit message frames only in CEPH_CON_S_OPEN state Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 131/460] ceph: fix i_nlink underrun during async unlink Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 132/460] ceph: fix memory leaks in ceph_mdsc_build_path() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 133/460] time/jiffies: Mark jiffies_64_to_clock_t() notrace Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 134/460] i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 135/460] scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 136/460] scsi: hisi_sas: Add time interval between two H2D FIS following soft reset spec Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 137/460] scsi: hisi_sas: Use macro instead of magic number Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 138/460] scsi: hisi_sas: Fix NULL pointer exception during user_scan() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 139/460] kbuild: Disable CC_HAS_ASM_GOTO_OUTPUT on clang < 17 Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 140/460] Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 141/460] Revert "tcpm: allow looking for role_sw device in the main node" Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 142/460] drm/amd: Disable MES LR compute W/A Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 143/460] drm/bridge: samsung-dsim: Fix memory leak in error path Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 144/460] drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 145/460] s390/pfault: Fix virtual vs physical address confusion Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 146/460] nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 147/460] device property: Allow secondary lookup in fwnode_get_next_child_node() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 148/460] irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 149/460] btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 150/460] ice: reintroduce retry mechanism for indirect AQ Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 151/460] ixgbevf: fix link setup issue Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 152/460] staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 153/460] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 154/460] media: dvb-net: fix OOB access in ULE extension header tables Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 155/460] net: mana: Ring doorbell at 4 CQ wraparounds Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 156/460] ice: fix retry for AQ command 0x06EE Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 157/460] tracing: Fix syscall events activation by ensuring refcount hits zero Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 158/460] net/tcp-ao: Fix MAC comparison to be constant-time Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 159/460] batman-adv: Avoid double-rtnl_lock ELP metric worker Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 160/460] parisc: Increase initial mapping to 64 MB with KALLSYMS Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 161/460] nouveau/dpcd: return EBUSY for aux xfer if the device is asleep Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 162/460] arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 163/460] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 164/460] parisc: Fix initial page table creation for boot Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 165/460] arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 166/460] parisc: Check kernel mapping earlier at bootup Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 167/460] pmdomain: bcm: bcm2835-power: Fix broken reset status read Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 168/460] ata: libata-core: Disable LPM on ST1000DM010-2EP102 Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 169/460] drm/amd/display: Fallback to boot snapshot for dispclk Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 170/460] ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 171/460] smb: server: fix use-after-free in smb2_open() Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 172/460] ksmbd: fix use-after-free by using call_rcu() for oplock_info Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 173/460] net: nexthop: fix percpu use-after-free in remove_nh_grp_entry Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 174/460] net: ncsi: fix skb leak in error paths Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 175/460] net: ethernet: arc: emac: quiesce interrupts before requesting IRQ Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 176/460] net: dsa: microchip: Fix error path in PTP IRQ setup Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 177/460] drm/amd/pm: remove invalid gpu_metrics.energy_accumulator on smu v13.0.x Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 178/460] drm/amdgpu: Fix use-after-free race in VM acquire Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 179/460] drm/amd: Set num IP blocks to 0 if discovery fails Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 180/460] drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 181/460] drm/i915: Fix potential overflow of shmem scatterlist length Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 182/460] drm/msm: Fix dma_free_attrs() buffer size Greg Kroah-Hartman
2026-03-23 13:42 ` [PATCH 6.12 183/460] tracing: Fix enabling multiple events on the kernel command line and bootconfig Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 184/460] tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 185/460] qmi_wwan: allow max_mtu above hard_mtu to control rx_urb_size Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 186/460] cifs: make default value of retrans as zero Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 187/460] xfs: fix returned valued from xfs_defer_can_append Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 188/460] xfs: fix undersized l_iclog_roundoff values Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 189/460] xfs: ensure dquot item is deleted from AIL only after log shutdown Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 190/460] s390/dasd: Move quiesce state with pprc swap Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 191/460] s390/dasd: Copy detected format information to secondary device Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 192/460] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 193/460] scsi: core: Fix error handling for scsi_alloc_sdev() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 194/460] x86/apic: Disable x2apic on resume if the kernel expects so Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 195/460] lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 196/460] lib/bootconfig: check bounds before writing in __xbc_open_brace() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 197/460] smb: client: fix atomic open with O_DIRECT & O_SYNC Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 198/460] smb: client: fix in-place encryption corruption in SMB2_write() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 199/460] smb: client: fix iface port assignment in parse_server_interfaces Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 200/460] btrfs: fix transaction abort on file creation due to name hash collision Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 201/460] btrfs: fix transaction abort on set received ioctl due to item overflow Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 202/460] btrfs: abort transaction on failure to update root in the received subvol ioctl Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 203/460] iio: dac: ds4424: reject -128 RAW value Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 204/460] iio: frequency: adf4377: Fix duplicated soft reset mask Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 205/460] iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 206/460] iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 207/460] iio: potentiometer: mcp4131: fix double application of wiper shift Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 208/460] iio: chemical: bme680: Fix measurement wait duration calculation Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 209/460] iio: buffer: Fix wait_queue not being removed Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 210/460] iio: gyro: mpu3050-core: fix pm_runtime error handling Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 211/460] iio: gyro: mpu3050-i2c: " Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 212/460] iio: imu: inv_icm42600: fix odr switch to the same value Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 213/460] iio: imu: inv_icm42600: fix odr switch when turning buffer off Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 214/460] iio: proximity: hx9023s: Protect against division by zero in set_samp_freq Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 215/460] i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 216/460] i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 217/460] i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 218/460] drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 219/460] net/tcp-md5: Fix MAC comparison to be constant-time Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 220/460] ksmbd: Compare MACs in constant time Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 221/460] smb: client: " Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 222/460] dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 223/460] ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 224/460] spi: cadence-quadspi: Implement refcount to handle unbind during busy Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 225/460] gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 226/460] net: phy: register phy led_triggers during probe to avoid AB-BA deadlock Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 227/460] x86/sev: Allow IBPB-on-Entry feature for SNP guests Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 228/460] platform/x86: hp-bioscfg: Support allocations of larger data Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 229/460] wifi: libertas: fix use-after-free in lbs_free_adapter() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 230/460] perf/x86/intel/uncore: Support more units on Granite Rapids Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 231/460] perf/x86/intel/uncore: Add per-scheduler IMC CAS count events Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 232/460] mptcp: pm: in-kernel: always mark signal+subflow endp as used Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 233/460] mptcp: pm: avoid sending RM_ADDR over same subflow Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 234/460] drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 235/460] selftests: mptcp: add a check for add_addr_accepted Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 236/460] selftests: mptcp: join: check RM_ADDR not sent over same subflow Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 237/460] kbuild: Leave objtool binary around with make clean Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 238/460] net/sched: act_gate: snapshot parameters with RCU on replace Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 239/460] xfs: Fix error pointer dereference Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 240/460] can: gs_usb: gs_can_open(): always configure bitrates before starting device Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 241/460] cleanup: Provide retain_and_null_ptr() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 242/460] usb: gadget: f_ncm: Fix net_device lifecycle with device_move Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.12 243/460] usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 244/460] KVM: SVM: Limit AVIC physical max index based on configured max_vcpu_ids Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 245/460] KVM: SVM: Add a helper to look up the max physical ID for AVIC Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 246/460] KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 247/460] mmc: dw_mmc-rockchip: use modern PM macros Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 248/460] mmc: dw_mmc-rockchip: Add memory clock auto-gating support Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 249/460] mmc: dw_mmc-rockchip: Fix runtime PM support for internal phase support Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 250/460] mm/page_alloc: move set_page_refcounted() to callers of post_alloc_hook() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 251/460] mm/page_alloc: sort out the alloc_contig_range() gfp flags mess Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 252/460] mm/page_alloc: forward the gfp flags from alloc_contig_range() to post_alloc_hook() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 253/460] mm/kfence: fix KASAN hardware tag faults during late enablement Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 254/460] nsfs: tighten permission checks for ns iteration ioctls Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 255/460] sched_ext: Disable preemption between scx_claim_exit() and kicking helper work Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 256/460] sched_ext: Fix starvation of scx_enable() under fair-class saturation Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 257/460] iomap: reject delalloc mappings during writeback Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 258/460] fgraph: Fix thresh_return clear per-task notrace Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 259/460] KVM: x86: Co-locate initialization of feature MSRs in kvm_arch_vcpu_create() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 260/460] KVM: x86: Quirk initialization of feature MSRs to KVMs max configuration Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 261/460] KVM: x86: do not allow re-enabling quirks Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 262/460] KVM: x86: Allow vendor code to disable quirks Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 263/460] KVM: x86: Introduce supported_quirks to block disabling quirks Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 264/460] KVM: x86: Introduce Intel specific quirk KVM_X86_QUIRK_IGNORE_GUEST_PAT Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 265/460] KVM: nVMX: Add consistency checks for CR0.WP and CR4.CET Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 266/460] KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 267/460] ksmbd: Dont log keys in SMB3 signing and encryption key generation Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 268/460] drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 269/460] net: macb: Shuffle the tx ring before enabling tx Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 270/460] cifs: open files should not hold ref on superblock Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 271/460] crypto: atmel-sha204a - Fix OOM ->tfm_count leak Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 272/460] xfs: fix integer overflow in bmap intent sort comparator Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 273/460] drm/xe/sync: Cleanup partially initialized sync on parse failure Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 274/460] ipv6: use RCU in ip6_xmit() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 275/460] dm-verity: disable recursive forward error correction Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 276/460] rxrpc: Fix recvmsg() unconditional requeue Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 277/460] btrfs: do not strictly require dirty metadata threshold for metadata writepages Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 278/460] ice: fix devlink reload call trace Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 279/460] tracing: Add recursion protection in kernel stack trace recording Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 280/460] Octeontx2-af: Add proper checks for fwdata Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 281/460] io_uring/uring_cmd: fix too strict requirement on ioctl Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 282/460] x86/uprobes: Fix XOL allocation failure for 32-bit tasks Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 283/460] platform/x86/amd/pmc: Add support for Van Gogh SoC Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 284/460] mptcp: pm: in-kernel: always set ID as avail when rm endp Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 285/460] net: stmmac: remove support for lpi_intr_o Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 286/460] f2fs: compress: change the first parameter of page_array_{alloc,free} to sbi Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 287/460] f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 288/460] f2fs: fix to avoid migrating empty section Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 289/460] blk-throttle: fix access race during throttle policy activation Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 290/460] dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 291/460] net: dsa: properly keep track of conduit reference Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 292/460] binfmt_misc: restore write access before closing files opened by open_exec() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 293/460] xfs: get rid of the xchk_xfile_*_descr calls Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 294/460] erofs: fix inline data read failure for ztailpacking pclusters Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 295/460] mm: thp: deny THP for files on anonymous inodes Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 296/460] sched_ext: Remove redundant css_put() in scx_cgroup_init() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 297/460] io_uring/kbuf: check if target buffer list is still legacy on recycle Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 298/460] sched/fair: Fix zero_vruntime tracking Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 299/460] s390/stackleak: Fix __stackleak_poison() inline assembly constraint Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 300/460] s390/xor: Fix xor_xc_2() inline assembly constraints Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 301/460] drm/i915/alpm: ALPM disable fixes Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 302/460] drm/i915/psr: Repeat Selective Update area alignment Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.12 303/460] drm/amd/display: Add pixel_clock to amd_pp_display_configuration Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox