* [PATCH 6.19 000/342] 6.19.11-rc1 review
@ 2026-03-31 16:17 Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 001/342] cxl/port: Fix use after free of parent_port in cxl_detach_ep() Greg Kroah-Hartman
` (358 more replies)
0 siblings, 359 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 6.19.11 release.
There are 342 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 02 Apr 2026 16:16:56 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.11-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.19.11-rc1
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix regressions caused by reusing ident
Arnd Bergmann <arnd@arndb.de>
bug: avoid format attribute warning for clang as well
Ye Bin <yebin10@huawei.com>
ext4: fix mballoc-test.c is not compiled when EXT4_KUNIT_TESTS=M
Ye Bin <yebin10@huawei.com>
ext4: introduce EXPORT_SYMBOL_FOR_EXT4_TEST() helper
Hao-Yu Yang <naup96721@gmail.com>
futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()
Peter Zijlstra <peterz@infradead.org>
futex: Require sys_futex_requeue() to have identical flags
Biju Das <biju.das.jz@bp.renesas.com>
irqchip/renesas-rzv2h: Fix error path in rzv2h_icu_probe_common()
David Howells <dhowells@redhat.com>
netfs: Fix the handling of stream->front by removing it
GuoHan Zhao <zhaoguohan@kylinos.cn>
xen/privcmd: unregister xenstore notifier on module exit
Filipe Manana <fdmanana@suse.com>
btrfs: fix lost error when running device stats on multiple devices fs
Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
btrfs: fix leak of kobject name for sub-group space_info
Mark Harmstone <mark@harmstone.com>
btrfs: fix super block offset in error message in btrfs_validate_super()
David Howells <dhowells@redhat.com>
netfs: Fix read abandonment during retry
Christian Brauner <brauner@kernel.org>
selftests/mount_setattr: increase tmpfs size for idmapped mount tests
Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
dmaengine: xilinx_dma: Fix reset related timeout with two-channel AXIDMA
Marek Vasut <marex@nabladev.com>
dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction
Marek Vasut <marex@nabladev.com>
dmaengine: xilinx: xilinx_dma: Fix residue calculation for cyclic DMA
Marek Vasut <marex@nabladev.com>
dmaengine: xilinx: xilinx_dma: Fix dma_device directions
Tuo Li <islituo@gmail.com>
dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()
Deepanshu Kartikey <kartikey406@gmail.com>
netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry
Deepanshu Kartikey <kartikey406@gmail.com>
netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators
Alexander Stein <alexander.stein@ew.tq-group.com>
dmaengine: xilinx: xdma: Fix regmap init error handling
LUO Haowen <luo-hw@foxmail.com>
dmaengine: dw-edma: Fix multiple times setting of the CYCLE_STATE and CYCLE_BIT bits for HDMA.
Felix Gu <ustc.gu@gmail.com>
phy: ti: j721e-wiz: Fix device node reference leak in wiz_get_lane_phy_types()
Vinicius Costa Gomes <vinicius.gomes@intel.com>
dmaengine: idxd: Fix leaking event log memory
Vinicius Costa Gomes <vinicius.gomes@intel.com>
dmaengine: idxd: Fix freeing the allocated ida too late
Vinicius Costa Gomes <vinicius.gomes@intel.com>
dmaengine: idxd: Fix memory leak when a wq is reset
Vinicius Costa Gomes <vinicius.gomes@intel.com>
dmaengine: idxd: Fix not releasing workqueue on .release()
Vinicius Costa Gomes <vinicius.gomes@intel.com>
dmaengine: idxd: Fix possible invalid memory access after FLR
Vinicius Costa Gomes <vinicius.gomes@intel.com>
dmaengine: idxd: Fix crash when the event log is disabled
Werner Kasselman <werner@verivus.com>
ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()
Benno Lossin <lossin@kernel.org>
rust: pin-init: internal: init: document load-bearing fact of field accessors
SeongJae Park <sj@kernel.org>
mm/damon/core: avoid use of half-online-committed context
Hari Bathini <hbathini@linux.ibm.com>
powerpc64/bpf: do not increment tailcall count when prog is NULL
Markus Niebel <Markus.Niebel@ew.tq-group.com>
arm64: dts: imx8mn-tqma8mqnl: fix LDO5 power off
Theodore Ts'o <tytso@mit.edu>
ext4: always drain queued discard work in ext4_mb_release()
Baokun Li <libaokun@linux.alibaba.com>
ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths
Theodore Ts'o <tytso@mit.edu>
ext4: handle wraparound when searching for blocks for indirect mapped blocks
Zqiang <qiang.zhang@linux.dev>
ext4: fix the might_sleep() warnings in kvfree()
Jiayuan Chen <jiayuan.chen@shopee.com>
ext4: fix use-after-free in update_super_work when racing with umount
Helen Koike <koike@igalia.com>
ext4: reject mount if bigalloc with s_first_data_block != 0
Ye Bin <yebin10@huawei.com>
ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()
Edward Adam Davis <eadavis@qq.com>
ext4: avoid infinite loops caused by residual data
Tejas Bharambe <tejas.bharambe@outlook.com>
ext4: validate p_idx bounds in ext4_ext_correct_indexes
Ye Bin <yebin10@huawei.com>
ext4: test if inode's all dirty pages are submitted to disk
Li Chen <me@linux.beauty>
ext4: publish jinode after initialization
Yuto Ohnuki <ytohnuki@amazon.com>
ext4: replace BUG_ON with proper error handling in ext4_read_inline_folio
Jan Kara <jack@suse.cz>
ext4: make recently_deleted() properly work with lazy itable initialization
Jan Kara <jack@suse.cz>
ext4: fix fsync(2) for nojournal mode
Zhang Yi <yi.zhang@huawei.com>
ext4: do not check fast symlink during orphan recovery
Jan Kara <jack@suse.cz>
ext4: fix stale xarray tags after writeback
Deepanshu Kartikey <kartikey406@gmail.com>
ext4: convert inline data to extents when truncate exceeds inline size
Simon Weber <simon.weber.39@gmail.com>
ext4: fix journal credit check when setting fscrypt context
Darrick J. Wong <djwong@kernel.org>
xfs: remove file_path tracepoint data
Darrick J. Wong <djwong@kernel.org>
xfs: don't irele after failing to iget in xfs_attri_recover_work
Long Li <leo.lilong@huawei.com>
xfs: fix ri_total validation in xlog_recover_attri_commit_pass2
hongao <hongao@uniontech.com>
xfs: scrub: unlock dquot before early return in quota scrub
Yuto Ohnuki <ytohnuki@amazon.com>
xfs: avoid dereferencing log items after push callbacks
Yuto Ohnuki <ytohnuki@amazon.com>
xfs: save ailp before dropping the AIL lock in push callbacks
Yuto Ohnuki <ytohnuki@amazon.com>
xfs: stop reclaim before pushing AIL during unmount
Max Boone <mboone@akamai.com>
mm/pagewalk: fix race between concurrent split and refault
Josh Law <objecting@objecting.org>
mm/damon/sysfs: check contexts->nr in repeat_call_fn
Josh Law <objecting@objecting.org>
mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]
Josh Law <objecting@objecting.org>
mm/damon/sysfs: fix param_ctx leak on damon_sysfs_new_test_ctx() failure
Lorenzo Stoakes (Oracle) <ljs@kernel.org>
mm/mseal: update VMA end correctly on merge
David Hildenbrand (Arm) <david@kernel.org>
mm/memory: fix PMD/PUD checks in follow_pfnmap_start()
Asad Kamal <asad.kamal@amd.com>
drm/amd/pm: Return -EOPNOTSUPP for unsupported OD_MCLK on smu_v13_0_6
Huacai Chen <chenhuacai@kernel.org>
LoongArch: KVM: Handle the case that EIOINTC's coremap is empty
Bibo Mao <maobibo@loongson.cn>
LoongArch: KVM: Fix base address calculation in kvm_eiointc_regs_access()
Huacai Chen <chenhuacai@kernel.org>
LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Workaround LS2K/LS7A GPU DMA hang bug
Xi Ruoyao <xry111@xry111.site>
LoongArch: vDSO: Emit GNU_EH_FRAME correctly
Li Jun <lijun01@kylinos.cn>
LoongArch: Fix missing NULL checks for kstrdup()
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915: Unlink NV12 planes earlier
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915: Order OP vs. timeout correctly in __wait_for()
Imre Deak <imre.deak@intel.com>
drm/i915/dp_tunnel: Fix error handling when clearing stream BW in atomic state
Alex Deucher <alexander.deucher@amd.com>
drm/amd/display: check if ext_caps is valid in BL setup
Alex Hung <alex.hung@amd.com>
drm/amd/display: Fix drm_edid leak in amdgpu_dm
Alex Deucher <alexander.deucher@amd.com>
drm/amd/display: Fix DCE LVDS handling
Ruijing Dong <ruijing.dong@amd.com>
drm/amdgpu: fix strsep() corrupting lockup_timeout on multi-GPU (v3)
Eric Huang <jinhuieric.huang@amd.com>
drm/amdgpu: prevent immediate PASID reuse case
Claudiu Beznea <claudiu.beznea@tuxon.dev>
dmaengine: sh: rz-dmac: Move CHCTRL updates under spinlock
Claudiu Beznea <claudiu.beznea@tuxon.dev>
dmaengine: sh: rz-dmac: Protect the driver specific lists
Joy Zou <joy.zou@nxp.com>
dmaengine: fsl-edma: fix channel parameter config for fixed channel requests
Stefan Eichenberger <stefan.eichenberger@toradex.com>
i2c: imx: ensure no clock is generated after last read
Stefan Eichenberger <stefan.eichenberger@toradex.com>
i2c: imx: fix i2c issue when reading multiple messages
Davidlohr Bueso <dave@stgolabs.net>
futex: Clear stale exiting pointer in futex_lock_pi() retry path
Pratap Nirujogi <pratap.nirujogi@amd.com>
i2c: designware: amdisp: Fix resume-probe race condition issue
Joanne Koong <joannelkoong@gmail.com>
iomap: fix invalid folio access when i_blkbits differs from I/O granularity
Jassi Brar <jassisinghbrar@gmail.com>
irqchip/qcom-mpm: Add missing mailbox TX done acknowledgment
Milos Nikic <nikic.milos@gmail.com>
jbd2: gracefully abort on checkpointing state corruptions
Sean Christopherson <seanjc@google.com>
KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE
Sean Christopherson <seanjc@google.com>
KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
Kevin Hao <haokexin@gmail.com>
net: macb: Use dev_consume_skb_any() to free TX SKBs
Kevin Hao <haokexin@gmail.com>
net: macb: Protect access to net_device::ip_ptr with RCU lock
Kevin Hao <haokexin@gmail.com>
net: macb: Move devm_{free,request}_irq() out of spin lock area
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
scsi: ses: Handle positive SCSI error from ses_recv_diag()
Tyllis Xu <livelycarpet87@gmail.com>
scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
Amir Goldstein <amir73il@gmail.com>
ovl: fix wrong detection of 32bit inode numbers
Fei Lv <feilv@asrmicro.com>
ovl: make fsync after metadata copy-up opt-in mount option
Abel Vesa <abel.vesa@oss.qualcomm.com>
phy: qcom: qmp-ufs: Fix SM8650 PCS table for Gear 4
Nikunj A Dadhania <nikunj@amd.com>
x86/fred: Fix early boot failures on SEV-ES/SNP guests
Borislav Petkov (AMD) <bp@alien8.de>
x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask
Nikunj A Dadhania <nikunj@amd.com>
x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling()
Joanne Koong <joannelkoong@gmail.com>
writeback: don't block sync for filesystems with no data integrity guarantees
Jinjiang Tu <tujinjiang@huawei.com>
mm/huge_memory: fix folio isn't locked in softleaf_to_folio()
Zhan Xusheng <zhanxusheng1024@gmail.com>
alarmtimer: Fix argument order in alarm_timer_forward()
Jiucheng Xu <jiucheng.xu@amlogic.com>
erofs: add GFP_NOIO in the bio completion if needed
Alex Williamson <alex.williamson@nvidia.com>
vfio/pci: Fix double free in dma-buf feature
xietangxin <xietangxin@yeah.net>
virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false
Zubin Mithra <zsm@google.com>
virt: tdx-guest: Fix handling of host controlled 'quote' buffer length
Paul Moses <p@1g4.org>
xfrm: iptfs: only publish mode_data after clone setup
Roshan Kumar <roshaen09@gmail.com>
xfrm: iptfs: validate inner IPv4 header length in IPTFS payload
Ming Qian <ming.qian@oss.nxp.com>
media: verisilicon: Fix kernel panic due to __initconst misuse
Yuchan Nam <entropy1110@gmail.com>
media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
Sanman Pradhan <psanman@juniper.net>
hwmon: (peci/cputemp) Fix off-by-one in cputemp_is_visible()
Sanman Pradhan <psanman@juniper.net>
hwmon: (peci/cputemp) Fix crit_hyst returning delta instead of absolute temperature
Sanman Pradhan <psanman@juniper.net>
hwmon: (pmbus/isl68137) Add mutex protection for AVS enable sysfs attributes
Sanman Pradhan <psanman@juniper.net>
hwmon: (pmbus/ina233) Fix error handling and sign extension in shunt voltage read
Zenghui Yu (Huawei) <zenghui.yu@linux.dev>
KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()
Marc Zyngier <maz@kernel.org>
KVM: arm64: Discard PC update state on vcpu reset
Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
platform/x86: ISST: Correct locked bit width
Abhijit Gangurde <abhijit.gangurde@amd.com>
RDMA/ionic: Preserve and set Ethernet source MAC after ib_ud_header_init()
Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
thermal: intel: int340x: soc_slider: Set offset only for balanced mode
SeongJae Park <sj@kernel.org>
mm/damon/stat: monitor all System RAM resources
Charles Mirabile <cmirabil@redhat.com>
kbuild: Delete .builtin-dtbs.S when running make clean
Viresh Kumar <viresh.kumar@linaro.org>
cpufreq: conservative: Reset requested_freq on limits change
Viresh Kumar <viresh.kumar@linaro.org>
cpufreq: Don't skip cpufreq_frequency_table_cpuinfo()
Marc Kleine-Budde <mkl@pengutronix.de>
can: netlink: can_changelink(): add missing error handling to call can_ctrlmode_changelink()
Oliver Hartkopp <socketcan@hartkopp.net>
can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
Ali Norouzi <ali.norouzi@keysight.com>
can: gw: fix OOB heap access in cgw_csum_crc8_rel()
Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
ASoC: SOF: ipc4-topology: Allow bytes controls without initial payload
Guangshuo Li <lgs201920130244@gmail.com>
ASoC: sma1307: fix double free of devm_kzalloc() memory
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: codecs: wcd934x: fix typo in dt parsing
Karol Wachowski <karol.wachowski@linux.intel.com>
accel/ivpu: Add disable clock relinquish workaround for NVL-A0
Alexey Nepomnyashih <sdl@nppct.ru>
ALSA: firewire-lib: fix uninitialized local variable
Zhang Heng <zhangheng@kylinos.cn>
ALSA: hda/realtek: add quirk for ASUS Strix G16 G615JMR
Mario Limonciello <mario.limonciello@amd.com>
Revert "ALSA: hda/intel: Add MSI X870E Tomahawk to denylist"
Hyunwoo Kim <imv4bel@gmail.com>
ksmbd: do not expire session on binding failure
Werner Kasselman <werner@verivus.com>
ksmbd: fix memory leaks and NULL deref in smb2_lock()
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix potencial OOB in get_file_all_info() for compound requests
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()
Matthew Auld <matthew.auld@intel.com>
drm/xe: always keep track of remap prev/next
Luo Haiyang <luo.haiyang@zte.com.cn>
tracing: Fix potential deadlock in cpu hotplug with osnoise
Wesley Atwell <atwellwea@gmail.com>
tracing: Drain deferred trigger frees if kthread creation fails
Vasily Gorbik <gor@linux.ibm.com>
s390/entry: Scrub r12 register on kernel entry
Vasily Gorbik <gor@linux.ibm.com>
s390/barrier: Make array_index_mask_nospec() __always_inline
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
s390/syscalls: Add spectre boundary for syscall dispatch table
Geoffrey D. Bennett <g@b4.vu>
ALSA: usb-audio: Exclude Scarlett 2i4 1st Gen from SKIP_IFACE_SETUP
Nicholas Carlini <nicholas@carlini.com>
io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check
Jens Axboe <axboe@kernel.dk>
io_uring/fdinfo: fix SQE_MIXED SQE displaying
Marc Kleine-Budde <mkl@pengutronix.de>
spi: spi-fsl-lpspi: fix teardown order issue (UAF)
Jihed Chaibi <jihed.chaibi.dev@gmail.com>
ASoC: adau1372: Fix clock leak on PLL lock failure
Jihed Chaibi <jihed.chaibi.dev@gmail.com>
ASoC: adau1372: Fix unchecked clk_prepare_enable() return value
Marc Buerg <buermarc@googlemail.com>
sysctl: fix uninitialized variable in proc_do_large_bitmap
Guenter Roeck <linux@roeck-us.net>
hwmon: (pmbus/core) Protect regulator operations with mutex
Guenter Roeck <linux@roeck-us.net>
hwmon: (pmbus) Introduce the concept of "write-only" attributes
Guenter Roeck <linux@roeck-us.net>
hwmon: (pmbus) Mark lowest/average/highest/rated attributes as read-only
Shuming Fan <shumingf@realtek.com>
ASoC: SDCA: fix finding wrong entity
Sanman Pradhan <psanman@juniper.net>
hwmon: (adm1177) fix sysfs ABI violation and current unit conversion
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib
Weiming Shi <bestswngs@gmail.com>
ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()
Danilo Krummrich <dakr@kernel.org>
spi: use generic driver_override infrastructure
Matt Roper <matthew.d.roper@intel.com>
drm/xe: Implement recent spec updates to Wa_16025250150
Alice Ryhl <aliceryhl@google.com>
rust: regulator: do not assume that regulator_get() returns non-null
Jihed Chaibi <jihed.chaibi.dev@gmail.com>
ASoC: dt-bindings: stm32: Fix incorrect compatible string in stm32h7-sai match
Yussuf Khalil <dev@pp3345.net>
drm/amd/display: Do not skip unrelated mode changes in DSC validation
Felix Gu <ustc.gu@gmail.com>
spi: meson-spicc: Fix double-put in remove path
Cezary Rojewski <cezary.rojewski@intel.com>
ASoC: Intel: catpt: Fix the device initialization
Felix Gu <ustc.gu@gmail.com>
spi: sn-f-ospi: Fix resource leak in f_ospi_probe()
Michał Winiarski <michal.winiarski@intel.com>
drm/xe/pf: Fix use-after-free in migration restore
Youngjun Park <youngjun.park@lge.com>
PM: sleep: Drop spurious WARN_ON() from pm_restore_gfp_mask()
Alberto Garcia <berto@igalia.com>
PM: hibernate: Drain trailing zero pages on userspace restore
Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
drm/i915/gmbus: fix spurious timeout on 512-byte burst reads
Luca Leonardo Scorcia <l.scorcia@gmail.com>
drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register
Mike Rapoport (Microsoft) <rppt@kernel.org>
x86/efi: efi_unmap_boot_services: fix calculation of ranges_to_free size
Yihang Li <liyihang9@huawei.com>
scsi: scsi_transport_sas: Fix the maximum channel scanning issue
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl: imx-card: initialize playback_only and capture_only
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: simple-card-utils: Check value of is_playback_only and is_capture_only
Shiraz Saleem <shiraz.saleem@intel.com>
RDMA/irdma: Harden depth calculation functions
Tatyana Nikolova <tatyana.e.nikolova@intel.com>
RDMA/irdma: Return EINVAL for invalid arp index error
Anil Samal <anil.samal@intel.com>
RDMA/irdma: Fix deadlock during netdev reset with active connections
Tatyana Nikolova <tatyana.e.nikolova@intel.com>
RDMA/irdma: Remove reset check from irdma_modify_qp_to_err()
Ivan Barrera <ivan.d.barrera@intel.com>
RDMA/irdma: Clean up unnecessary dereference of event->cm_node
Tatyana Nikolova <tatyana.e.nikolova@intel.com>
RDMA/irdma: Remove a NOP wait_event() in irdma_modify_qp_roce()
Tatyana Nikolova <tatyana.e.nikolova@intel.com>
RDMA/irdma: Update ibqp state to error if QP is already in error state
Jacob Moroni <jmoroni@google.com>
RDMA/irdma: Initialize free_qp completion before using it
Geoffrey D. Bennett <g@b4.vu>
ALSA: usb-audio: Exclude Scarlett 2i2 1st Gen from SKIP_IFACE_SETUP
Ethan Tidmore <ethantidmore06@gmail.com>
RDMA/efa: Fix possible deadlock
Chuck Lever <chuck.lever@oracle.com>
RDMA/rw: Fall back to direct SGE on MR pool exhaustion
Sean Rhodes <sean@starlabs.systems>
ALSA: hda/realtek: Sequence GPIO2 on Star Labs StarFighter
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
regmap: Synchronize cache for the page selector
Yonatan Nachum <ynachum@amazon.com>
RDMA/efa: Fix use of completion ctx after free
Yonatan Nachum <ynachum@amazon.com>
RDMA/efa: Improve admin completion context state machine
Yonatan Nachum <ynachum@amazon.com>
RDMA/efa: Check stored completion CTX command ID with received one
Kamal Heib <kheib@redhat.com>
RDMA/bng_re: Fix silent failure in HWRM version query
Paolo Valerio <pvalerio@redhat.com>
net: macb: use the current queue number for stats
David Carlier <devnexen@gmail.com>
netfilter: ctnetlink: use netlink policy range checks
Weiming Shi <bestswngs@gmail.com>
netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_conntrack_expect: skip expectations in other netns via proc
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_set_rbtree: revisit array resize logic
Ren Wei <n05ec@lzu.edu.cn>
netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
Weiming Shi <bestswngs@gmail.com>
netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
Chuck Lever <chuck.lever@oracle.com>
tls: Purge async_hold in tls_decrypt_async_wait()
Pengpeng Hou <pengpeng@iscas.ac.cn>
Bluetooth: btusb: clamp SCO altsetting table indices
Hyunwoo Kim <imv4bel@gmail.com>
Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
Hyunwoo Kim <imv4bel@gmail.com>
Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix not tracking outstanding TX ident
Cen Zhang <zzzccc427@gmail.com>
Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
Zhang Chen <zhangchen01@kylinos.cn>
Bluetooth: L2CAP: Fix send LE flow credits in ACL link
Miguel Ojeda <ojeda@kernel.org>
dma-mapping: add missing `inline` for `dma_free_attrs`
Jonas Köppeler <j.koeppeler@tu-berlin.de>
net_sched: codel: fix stale state for empty flows in fq_codel
Sabrina Dubroca <sd@queasysnail.net>
rtnetlink: fix leak of SRCU struct in rtnl_link_register
Thangaraj Samynathan <thangaraj.s@microchip.com>
net: lan743x: fix duplex configuration in mac_link_up
David Carlier <devnexen@gmail.com>
net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path
Jiayuan Chen <jiayuan.chen@shopee.com>
team: fix header_ops type confusion with non-Ethernet ports
Xuan Zhuo <xuanzhuo@linux.alibaba.com>
virtio-net: correct hdr_len handling for tunnel gso
Xuan Zhuo <xuanzhuo@linux.alibaba.com>
virtio-net: correct hdr_len handling for VIRTIO_NET_F_GUEST_HDRLEN
Wei Fang <wei.fang@nxp.com>
net: enetc: fix the output issue of 'ethtool --show-ring'
Martin KaFai Lau <martin.lau@kernel.org>
udp: Fix wildcard bind conflict check when using hash2
Arnd Bergmann <arnd@arndb.de>
net: b44: always select CONFIG_FIXED_PHY
Qingfang Deng <dqfext@gmail.com>
net: airoha: add RCU lock around dev_fill_forward_path
Yochai Eisenrich <echelonh@gmail.com>
net: fix fanout UAF in packet_release() via NETDEV_UP race
Kuniyuki Iwashima <kuniyu@google.com>
ipv6: Don't remove permanent routes with exceptions from tb6_gc_hlist.
Kuniyuki Iwashima <kuniyu@google.com>
ipv6: Remove permanent routes from tb6_gc_hlist when all exceptions expire.
Kohei Enju <kohei@enjuk.jp>
iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()
Petr Oros <poros@redhat.com>
ice: use ice_update_eth_stats() for representor stats
Petr Oros <poros@redhat.com>
ice: fix inverted ready check for VF representors
David McFarland <corngood@gmail.com>
platform/x86: intel-hid: disable wakeup_mode during hibernation
Alok Tiwari <alok.a.tiwari@oracle.com>
platform/olpc: olpc-xo175-ec: Fix overflow error message to print inlen
Nathan Chancellor <nathan@kernel.org>
platform/x86: lenovo: wmi-gamezone: Drop gz_chain_head
Li RongQing <lirongqing@baidu.com>
platform/x86: ISST: Check HWP support before MSR access
Justin Chen <justin.chen@broadcom.com>
net: bcmasp: fix double disable of clk
Justin Chen <justin.chen@broadcom.com>
net: bcmasp: fix double free of WoL irq
Justin Chen <justin.chen@broadcom.com>
net: bcmasp: streamline early exit in probe
Sabrina Dubroca <sd@queasysnail.net>
rtnetlink: count IFLA_INFO_SLAVE_KIND in if_nlmsg_size
Sabrina Dubroca <sd@queasysnail.net>
rtnetlink: count IFLA_PARENT_DEV_{NAME,BUS_NAME} in if_nlmsg_size
Qi Tang <tpluszz77@gmail.com>
net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer
Yang Yang <n05ec@lzu.edu.cn>
openvswitch: validate MPLS set/set_masked payload length
Yang Yang <n05ec@lzu.edu.cn>
openvswitch: defer tunnel netdev_put to RCU release
Toke Høiland-Jørgensen <toke@redhat.com>
net: openvswitch: Avoid releasing netdev before teardown completes
Jakub Kicinski <kuba@kernel.org>
nfc: nci: fix circular locking dependency in nci_close_device
Mohammad Heib <mheib@redhat.com>
ionic: fix persistent MAC address override on PF
Luca Leonardo Scorcia <l.scorcia@gmail.com>
pinctrl: mediatek: common: Fix probe failure for devices without EINT
Helen Koike <koike@igalia.com>
Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
Anas Iqbal <mohd.abd.6602@gmail.com>
Bluetooth: hci_ll: Fix firmware leak on error path
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete
Hyunwoo Kim <imv4bel@gmail.com>
Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
Hyunwoo Kim <imv4bel@gmail.com>
Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
Minseo Park <jacob.park.9436@gmail.com>
Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
Amelie Delaunay <amelie.delaunay@foss.st.com>
pinctrl: stm32: fix HDP driver dependency on GPIO_GENERIC
Oliver Hartkopp <socketcan@hartkopp.net>
can: statistics: add missing atomic access in hot path
Sheng Yong <shengyong1@xiaomi.com>
erofs: set fileio bio failed in short read case
Shigeru Yoshida <syoshida@redhat.com>
dma: swiotlb: add KMSAN annotations to swiotlb_bounce()
Eric Dumazet <edumazet@google.com>
af_key: validate families in pfkey_send_migrate()
Minwoo Ra <raminwo0202@gmail.com>
xfrm: prevent policy_hthresh.work from racing with netns teardown
Hyunwoo Kim <imv4bel@gmail.com>
xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()
Dmitry Torokhov <dmitry.torokhov@gmail.com>
pinctrl: renesas: rza1: Normalize return value of gpio_get()
Neil Armstrong <neil.armstrong@linaro.org>
pinctrl: qcom: spmi-gpio: implement .get_direction()
Fernando Fernandez Mancera <fmancera@suse.de>
xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly
Felix Gu <ustc.gu@gmail.com>
pinctrl: renesas: rzt2h: Fix device node leak in rzt2h_gpio_register()
Sabrina Dubroca <sd@queasysnail.net>
esp: fix skb leak with espintcp and async crypto
Sabrina Dubroca <sd@queasysnail.net>
xfrm: call xdo_dev_state_delete during state update
Sabrina Dubroca <sd@queasysnail.net>
xfrm: fix the condition on x->pcpu_num in xfrm_sa_len
Sabrina Dubroca <sd@queasysnail.net>
xfrm: add missing extack for XFRMA_SA_PCPU in add_acquire and allocspi
Peter Yin <peteryin.openbmc@gmail.com>
i3c: master: dw-i3c: Fix missing of_node for virtual I2C adapter
Zhang Heng <zhangheng@kylinos.cn>
ALSA: hda/realtek: add quirk for ASUS UM6702RC
Lianqin Hu <hulianqin@vivo.com>
ALSA: usb-audio: Add iface reset and delay quirk for SPACETOUCH USB Audio
Alan Borzeszkowski <alan.borzeszkowski@linux.intel.com>
spi: intel-pci: Add support for Nova Lake mobile SPI flash
Jie Deng <dengjie03@kylinos.cn>
usb: core: new quirk to handle devices with zero configurations
Yang Wang <kevinyang.wang@amd.com>
drm/amdgpu: fix gpu idle power consumption issue for gfx v12
Chaitanya Kulkarni <kch@nvidia.com>
nvmet: move async event work off nvmet-wq
Josh Poimboeuf <jpoimboe@kernel.org>
objtool: Handle Clang RSP musical chairs
Uzair Mughal <contact@uzair.is-a.dev>
ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390
Zhang Heng <zhangheng@kylinos.cn>
ALSA: hda/realtek: Add quirk for Gigabyte Technology to fix headphone
Josh Poimboeuf <jpoimboe@kernel.org>
objtool/klp: Disable unsupported pr_debug() usage
Liucheng Lu <luliucheng100@outlook.com>
ALSA: hda/realtek: add HP Laptop 14s-dr5xxx mute LED quirk
Hari Bathini <hbathini@linux.ibm.com>
powerpc64/ftrace: fix OOL stub count with clang
HONG Yifan <elsk@google.com>
objtool: Use HOSTCFLAGS for HAVE_XXHASH test
Boris Burkov <boris@bur.io>
btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create
zhidao su <soolaugust@gmail.com>
sched_ext: Use WRITE_ONCE() for the write side of dsq->seq update
Günther Noack <gnoack@google.com>
HID: apple: avoid memory leak in apple_report_fixup()
Eduard Zingerman <eddyz87@gmail.com>
bpf: Fix u32/s32 bounds when ranges cross min/max boundary
Simon Trimmer <simont@opensource.cirrus.com>
ASoC: amd: acp: Add ACP6.3 match entries for Cirrus Logic parts
Maarten Lankhorst <dev@lankhorst.se>
drm/ttm/tests: Fix build failure on PREEMPT_RT
wangdicheng <wangdicheng@kylinos.cn>
ALSA: hda/senary: Ensure EAPD is enabled during init
Nilay Shroff <nilay@linux.ibm.com>
block: break pcpu_alloc_mutex dependency on freeze_lock
Isaac J. Manjarres <isaacmanjarres@google.com>
dma-buf: Include ioctl.h in UAPI header
Vladimir Yakovlev <vovchkir@gmail.com>
spi: spi-dw-dma: fix print error log when wait finish transaction
Richard Fitzgerald <rf@opensource.cirrus.com>
ASoC: cs35l56: Only patch ASP registers if the DAI is part of a DAIlink
Mark Brown <broonie@kernel.org>
ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_put_bits()
Sheetal <sheetal@nvidia.com>
ALSA: hda/hdmi: Add Tegra238 HDA codec device ID
Oliver Freyermuth <o.freyermuth@googlemail.com>
ASoC: Intel: sof_sdw: Add quirk for Alienware Area 51 (2025) 0CCD SKU
Florian Fuchs <fuchsfl@gmail.com>
scsi: devinfo: Add BLIST_SKIP_IO_HINTS for Iomega ZIP
Shuming Fan <shumingf@realtek.com>
ASoC: rt1321: fix DMIC ch2/3 mask issue
Ranjan Kumar <ranjan.kumar@broadcom.com>
scsi: mpi3mr: Clear reset history on ready and recheck state after timeout
Mark Brown <broonie@kernel.org>
ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_set_reg()
Ihor Solodrai <ihor.solodrai@linux.dev>
module: Fix kernel panic when a symbol st_shndx is out of bounds
Denis Benato <denis.benato@linux.dev>
HID: asus: add xg mobile 2023 external hardware support
Romain Sioen <romain.sioen@microchip.com>
HID: mcp2221: cancel last I2C command on read error
Antheas Kapenekakis <lkml@antheas.dev>
platform/x86: oxpec: Add support for OneXPlayer X1 Air
Antheas Kapenekakis <lkml@antheas.dev>
platform/x86: oxpec: Add support for Aokzoe A2 Pro
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
kbuild: install-extmod-build: Package resolve_btfids if necessary
Valentin Spreckels <valentin@spreckels.dev>
net: usb: r8152: add TRENDnet TUC-ET2G
Antheas Kapenekakis <lkml@antheas.dev>
platform/x86: oxpec: Add support for OneXPlayer X1z
Takashi Iwai <tiwai@suse.de>
HID: apple: Add EPOMAKER TH87 to the non-apple keyboards list
Antheas Kapenekakis <lkml@antheas.dev>
platform/x86: oxpec: Add support for OneXPlayer APEX
Zhang Lixu <lixu.zhang@intel.com>
HID: intel-ish-hid: ipc: Add Nova Lake-H/S PCI device IDs
Victor Lattaro Volpini <victorlattaro@proton.me>
platform/x86: hp-wmi: Add Victus 16-d0xxx support
Günther Noack <gnoack@google.com>
HID: magicmouse: avoid memory leak in magicmouse_report_fixup()
Julius Lehmann <lehmanju@devpi.de>
HID: magicmouse: fix battery reporting for Apple Magic Trackpad 2
Keith Busch <kbusch@kernel.org>
nvme-pci: ensure we're polling a polled queue
Anton Plotnikov <plotnikovanton@gmail.com>
platform/x86: hp-wmi: add Omen 14-fb1xxx (board 8E41) support
Hans de Goede <johannes.goede@oss.qualcomm.com>
platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix touchscreen on SUPI S10
Leif Skunberg <diamondback@cohunt.app>
platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold 16 Gen 1
Krishna Chomal <krishna.chomal108@gmail.com>
platform/x86: hp-wmi: Add Omen 16-xd0xxx fan and thermal support
Daniel Hodges <hodgesd@meta.com>
nvme-fabrics: use kfree_sensitive() for DHCHAP secrets
Keith Busch <kbusch@kernel.org>
nvme-pci: cap queue creation to used queues
Peter Metz <peter.metz@unarin.com>
platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to dmi_vgbs_allow_list
Günther Noack <gnoack@google.com>
HID: asus: avoid memory leak in asus_report_fixup()
Krishna Chomal <krishna.chomal108@gmail.com>
platform/x86: hp-wmi: Add Omen 16-wf0xxx fan and thermal support
Xuewen Yan <xuewen.yan@unisoc.com>
tracing: Revert "tracing: Remove pid in task_rename tracing output"
Daniel Wade <danjwade95@gmail.com>
bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR
Jenny Guanni Qu <qguanni@gmail.com>
bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN
Ihor Solodrai <ihor.solodrai@linux.dev>
bpf: Fix exception exit lock checking for subprogs
Cui Chao <cuichao1753@phytium.com.cn>
cxl: Adjust the startup priority of cxl_pmem to be higher than that of cxl_acpi
Kumar Kartikeya Dwivedi <memxor@gmail.com>
bpf: Release module BTF IDR before module unload
Ian Rogers <irogers@google.com>
perf metricgroup: Fix metricgroup__has_metric_or_groups()
Danilo Krummrich <dakr@kernel.org>
driver core: platform: use generic driver_override infrastructure
Danilo Krummrich <dakr@kernel.org>
driver core: generalize driver_override in struct device
Danilo Krummrich <dakr@kernel.org>
sh: platform_early: remove pdev->driver_override check
Danilo Krummrich <dakr@kernel.org>
hwmon: axi-fan: don't use driver_override as IRQ name
Smita Koralahalli <Smita.KoralahalliChannabasappa@amd.com>
cxl/hdm: Avoid incorrect DVSEC fallback when HDM decoders are enabled
Josh Poimboeuf <jpoimboe@kernel.org>
livepatch/klp-build: Fix inconsistent kernel version
Joe Lawrence <joe.lawrence@redhat.com>
objtool/klp: fix data alignment in __clone_symbol()
Janosch Frank <frankja@linux.ibm.com>
s390/mm: Add missing secure storage access fixups for donated memory
Peter Zijlstra <peterz@infradead.org>
perf: Make sure to use pmu_ctx->pmu for groups
Peter Zijlstra <peterz@infradead.org>
x86/perf: Make sure to program the counter value for stopped events on migration
Sachin Kumar <xcyfun@protonmail.com>
bpf: Fix constant blinding for PROBE_MEM32 stores
Yazhou Tang <tangyazhou518@outlook.com>
bpf: Reset register ID for BPF_END value tracking
Davidlohr Bueso <dave@stgolabs.net>
cxl/region: Fix leakage in __construct_region()
Alison Schofield <alison.schofield@intel.com>
cxl/port: Fix use after free of parent_port in cxl_detach_ep()
-------------
Diffstat:
Documentation/admin-guide/kernel-parameters.txt | 3 +
.../devicetree/bindings/sound/st,stm32-sai.yaml | 2 +-
Documentation/filesystems/overlayfs.rst | 50 +++
Documentation/hwmon/adm1177.rst | 8 +-
Documentation/hwmon/peci-cputemp.rst | 10 +-
Makefile | 6 +-
.../boot/dts/freescale/imx8mn-tqma8mqnl-mba8mx.dts | 13 +-
.../arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi | 22 ++
arch/arm64/kvm/at.c | 2 +-
arch/arm64/kvm/reset.c | 14 +
arch/loongarch/include/asm/linkage.h | 36 ++
arch/loongarch/include/asm/sigframe.h | 9 +
arch/loongarch/kernel/asm-offsets.c | 2 +
arch/loongarch/kernel/env.c | 7 +-
arch/loongarch/kernel/signal.c | 6 +-
arch/loongarch/kvm/intc/eiointc.c | 16 +-
arch/loongarch/kvm/vcpu.c | 3 +
arch/loongarch/pci/pci.c | 80 ++++
arch/loongarch/vdso/Makefile | 4 +-
arch/loongarch/vdso/sigreturn.S | 6 +-
arch/powerpc/net/bpf_jit_comp64.c | 23 +-
arch/powerpc/tools/ftrace-gen-ool-stubs.sh | 4 +-
arch/s390/include/asm/barrier.h | 4 +-
arch/s390/kernel/entry.S | 3 +
arch/s390/kernel/syscall.c | 5 +-
arch/s390/mm/fault.c | 11 +-
arch/sh/drivers/platform_early.c | 4 -
arch/x86/coco/sev/noinstr.c | 6 +
arch/x86/entry/entry_fred.c | 14 +
arch/x86/events/core.c | 4 +-
arch/x86/kernel/cpu/common.c | 20 +-
arch/x86/kvm/mmu/mmu.c | 17 +-
arch/x86/platform/efi/quirks.c | 2 +-
block/blk-mq.c | 45 ++-
drivers/accel/ivpu/ivpu_drv.h | 1 +
drivers/accel/ivpu/ivpu_hw.c | 6 +-
drivers/acpi/ec.c | 2 +
drivers/base/bus.c | 43 ++-
drivers/base/core.c | 2 +
drivers/base/dd.c | 60 +++
drivers/base/platform.c | 37 +-
drivers/base/regmap/regmap.c | 30 +-
drivers/bluetooth/btintel.c | 11 +-
drivers/bluetooth/btusb.c | 5 +-
drivers/bluetooth/hci_ll.c | 2 +
drivers/bus/simple-pm-bus.c | 4 +-
drivers/clk/imx/clk-scu.c | 3 +-
drivers/cpufreq/cpufreq.c | 9 +-
drivers/cpufreq/cpufreq_conservative.c | 12 +
drivers/cpufreq/cpufreq_governor.c | 3 +
drivers/cpufreq/cpufreq_governor.h | 1 +
drivers/cpufreq/freq_table.c | 4 +
drivers/cxl/core/hdm.c | 25 +-
drivers/cxl/core/port.c | 8 +-
drivers/cxl/core/region.c | 4 +-
drivers/cxl/pmem.c | 2 +-
drivers/dma/dw-edma/dw-hdma-v0-core.c | 6 +-
drivers/dma/fsl-edma-main.c | 26 +-
drivers/dma/idxd/cdev.c | 8 +-
drivers/dma/idxd/device.c | 6 +-
drivers/dma/idxd/init.c | 4 +-
drivers/dma/idxd/submit.c | 2 +-
drivers/dma/idxd/sysfs.c | 1 +
drivers/dma/sh/rz-dmac.c | 68 ++--
drivers/dma/xilinx/xdma.c | 4 +-
drivers/dma/xilinx/xilinx_dma.c | 46 ++-
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 4 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 13 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_ids.c | 45 ++-
drivers/gpu/drm/amd/amdgpu/amdgpu_ids.h | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 1 +
drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 5 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 1 +
.../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 4 +-
.../display/dc/resource/dce100/dce100_resource.c | 6 +-
.../display/dc/resource/dce110/dce110_resource.c | 5 +-
.../display/dc/resource/dce112/dce112_resource.c | 5 +-
.../display/dc/resource/dce120/dce120_resource.c | 5 +-
.../amd/display/dc/resource/dce60/dce60_resource.c | 14 +-
.../amd/display/dc/resource/dce80/dce80_resource.c | 6 +-
.../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c | 2 +-
drivers/gpu/drm/i915/display/intel_display.c | 8 +-
drivers/gpu/drm/i915/display/intel_dp_tunnel.c | 20 +-
drivers/gpu/drm/i915/display/intel_dp_tunnel.h | 11 +-
drivers/gpu/drm/i915/display/intel_gmbus.c | 4 +-
drivers/gpu/drm/i915/display/intel_plane.c | 11 +-
drivers/gpu/drm/i915/i915_wait_util.h | 2 +-
drivers/gpu/drm/mediatek/mtk_dsi.c | 9 +-
drivers/gpu/drm/ttm/tests/ttm_bo_test.c | 4 +-
drivers/gpu/drm/xe/regs/xe_gt_regs.h | 1 +
drivers/gpu/drm/xe/xe_pt.c | 12 +-
drivers/gpu/drm/xe/xe_sriov_packet.c | 2 +
drivers/gpu/drm/xe/xe_vm.c | 22 +-
drivers/gpu/drm/xe/xe_vm_types.h | 4 +
drivers/gpu/drm/xe/xe_wa.c | 3 +-
drivers/hid/hid-apple.c | 7 +-
drivers/hid/hid-asus.c | 18 +-
drivers/hid/hid-ids.h | 1 +
drivers/hid/hid-magicmouse.c | 6 +-
drivers/hid/hid-mcp2221.c | 2 +
drivers/hid/intel-ish-hid/ipc/hw-ish.h | 2 +
drivers/hid/intel-ish-hid/ipc/pci-ish.c | 12 +
drivers/hwmon/adm1177.c | 54 +--
drivers/hwmon/axi-fan-control.c | 2 +-
drivers/hwmon/peci/cputemp.c | 4 +-
drivers/hwmon/pmbus/ina233.c | 3 +-
drivers/hwmon/pmbus/isl68137.c | 21 +-
drivers/hwmon/pmbus/pmbus_core.c | 192 ++++++++--
drivers/i2c/busses/i2c-designware-amdisp.c | 11 +-
drivers/i2c/busses/i2c-imx.c | 51 ++-
drivers/i3c/master/dw-i3c-master.c | 2 +
drivers/infiniband/core/rw.c | 27 +-
drivers/infiniband/hw/bng_re/bng_dev.c | 14 +-
drivers/infiniband/hw/efa/efa_com.c | 175 ++++-----
drivers/infiniband/hw/ionic/ionic_controlpath.c | 4 +-
drivers/infiniband/hw/irdma/cm.c | 29 +-
drivers/infiniband/hw/irdma/uk.c | 39 +-
drivers/infiniband/hw/irdma/utils.c | 2 -
drivers/infiniband/hw/irdma/verbs.c | 9 +-
drivers/irqchip/irq-qcom-mpm.c | 3 +
drivers/irqchip/irq-renesas-rzv2h.c | 2 +-
drivers/media/mc/mc-request.c | 5 +
drivers/media/platform/verisilicon/imx8m_vpu_hw.c | 2 +-
drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
drivers/net/can/dev/netlink.c | 4 +-
drivers/net/ethernet/airoha/airoha_ppe.c | 2 +
drivers/net/ethernet/broadcom/Kconfig | 2 +-
drivers/net/ethernet/broadcom/asp2/bcmasp.c | 66 ++--
drivers/net/ethernet/cadence/macb_main.c | 41 +-
.../net/ethernet/freescale/enetc/enetc_ethtool.c | 2 +
drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 31 +-
drivers/net/ethernet/intel/ice/ice_ethtool.c | 14 +-
drivers/net/ethernet/intel/ice/ice_repr.c | 5 +-
drivers/net/ethernet/microchip/lan743x_main.c | 5 +
drivers/net/ethernet/pensando/ionic/ionic_lif.c | 17 +-
drivers/net/ethernet/ti/icssg/icssg_common.c | 4 +-
drivers/net/team/team_core.c | 65 +++-
drivers/net/tun_vnet.h | 2 +-
drivers/net/usb/r8152.c | 1 +
drivers/net/virtio_net.c | 7 +-
drivers/nvme/host/fabrics.c | 4 +-
drivers/nvme/host/pci.c | 11 +-
drivers/nvme/target/admin-cmd.c | 2 +-
drivers/nvme/target/core.c | 14 +-
drivers/nvme/target/nvmet.h | 1 +
drivers/nvme/target/rdma.c | 1 +
drivers/phy/qualcomm/phy-qcom-qmp-ufs.c | 3 +-
drivers/phy/ti/phy-j721e-wiz.c | 2 +
drivers/pinctrl/mediatek/pinctrl-mtk-common.c | 9 +-
drivers/pinctrl/qcom/pinctrl-spmi-gpio.c | 16 +
drivers/pinctrl/renesas/pinctrl-rza1.c | 2 +-
drivers/pinctrl/renesas/pinctrl-rzt2h.c | 1 +
drivers/pinctrl/stm32/Kconfig | 1 +
drivers/platform/olpc/olpc-xo175-ec.c | 2 +-
drivers/platform/x86/hp/hp-wmi.c | 12 +-
drivers/platform/x86/intel/hid.c | 23 +-
.../x86/intel/speed_select_if/isst_tpmi_core.c | 5 +-
drivers/platform/x86/lenovo/wmi-gamezone.c | 2 -
drivers/platform/x86/oxpec.c | 30 +-
drivers/platform/x86/touchscreen_dmi.c | 18 +
drivers/scsi/ibmvscsi/ibmvfc.c | 3 +-
drivers/scsi/mpi3mr/mpi3mr_fw.c | 10 +
drivers/scsi/scsi_devinfo.c | 2 +-
drivers/scsi/scsi_transport_sas.c | 2 +-
drivers/scsi/ses.c | 2 +-
drivers/slimbus/qcom-ngd-ctrl.c | 6 +-
drivers/spi/spi-dw-dma.c | 2 +-
drivers/spi/spi-fsl-lpspi.c | 3 +-
drivers/spi/spi-intel-pci.c | 1 +
drivers/spi/spi-meson-spicc.c | 2 -
drivers/spi/spi-sn-f-ospi.c | 17 +-
drivers/spi/spi.c | 19 +-
.../int340x_thermal/processor_thermal_soc_slider.c | 8 +-
drivers/usb/core/config.c | 6 +-
drivers/usb/core/quirks.c | 5 +
drivers/vfio/pci/vfio_pci_dmabuf.c | 5 +-
drivers/virt/coco/tdx-guest/tdx-guest.c | 12 +-
drivers/xen/privcmd.c | 3 +
fs/btrfs/block-group.c | 2 +-
fs/btrfs/disk-io.c | 4 +-
fs/btrfs/ioctl.c | 7 +
fs/btrfs/volumes.c | 5 +-
fs/erofs/fileio.c | 6 +-
fs/erofs/zdata.c | 3 +
fs/ext4/Makefile | 4 +-
fs/ext4/crypto.c | 9 +-
fs/ext4/ext4.h | 6 +
fs/ext4/extents.c | 23 +-
fs/ext4/fast_commit.c | 17 +-
fs/ext4/fsync.c | 16 +-
fs/ext4/ialloc.c | 6 +
fs/ext4/inline.c | 10 +-
fs/ext4/inode.c | 75 +++-
fs/ext4/mballoc-test.c | 81 ++--
fs/ext4/mballoc.c | 132 ++++++-
fs/ext4/mballoc.h | 30 ++
fs/ext4/page-io.c | 10 +-
fs/ext4/super.c | 16 +-
fs/ext4/sysfs.c | 10 +-
fs/fs-writeback.c | 18 +-
fs/fuse/file.c | 4 +-
fs/fuse/inode.c | 1 +
fs/iomap/buffered-io.c | 15 +-
fs/jbd2/checkpoint.c | 15 +-
fs/netfs/buffered_read.c | 3 +-
fs/netfs/direct_read.c | 3 +-
fs/netfs/direct_write.c | 15 +-
fs/netfs/iterator.c | 43 +++
fs/netfs/read_collect.c | 4 +-
fs/netfs/read_retry.c | 5 +-
fs/netfs/read_single.c | 1 -
fs/netfs/write_collect.c | 4 +-
fs/netfs/write_issue.c | 3 +-
fs/overlayfs/copy_up.c | 6 +-
fs/overlayfs/overlayfs.h | 21 ++
fs/overlayfs/ovl_entry.h | 7 +-
fs/overlayfs/params.c | 33 +-
fs/overlayfs/super.c | 2 +-
fs/overlayfs/util.c | 5 +-
fs/smb/server/oplock.c | 72 ++--
fs/smb/server/smb2pdu.c | 73 ++--
fs/xfs/scrub/quota.c | 4 +-
fs/xfs/scrub/trace.h | 12 +-
fs/xfs/xfs_attr_item.c | 5 +-
fs/xfs/xfs_dquot_item.c | 9 +-
fs/xfs/xfs_inode_item.c | 9 +-
fs/xfs/xfs_mount.c | 7 +-
fs/xfs/xfs_trace.h | 47 ++-
fs/xfs/xfs_trans_ail.c | 26 +-
include/linux/damon.h | 7 +
include/linux/device.h | 54 +++
include/linux/device/bus.h | 4 +
include/linux/dma-mapping.h | 4 +-
include/linux/fs/super_types.h | 1 +
include/linux/leafops.h | 32 +-
include/linux/mempolicy.h | 1 +
include/linux/netfs.h | 1 -
include/linux/pagemap.h | 11 -
include/linux/platform_device.h | 5 -
include/linux/spi/spi.h | 5 -
include/linux/usb/quirks.h | 3 +
include/linux/usb/r8152.h | 1 +
include/linux/virtio_net.h | 53 ++-
include/net/bluetooth/l2cap.h | 2 +-
include/net/codel_impl.h | 1 +
include/net/inet_hashtables.h | 14 +
include/net/ip6_fib.h | 21 +-
include/sound/cs35l56.h | 1 +
include/trace/events/netfs.h | 8 +-
include/trace/events/task.h | 7 +-
include/uapi/linux/dma-buf.h | 1 +
include/uapi/linux/netfilter/nf_conntrack_common.h | 4 +
io_uring/fdinfo.c | 4 +-
kernel/bpf/btf.c | 24 +-
kernel/bpf/core.c | 43 ++-
kernel/bpf/verifier.c | 36 +-
kernel/dma/swiotlb.c | 21 +-
kernel/events/core.c | 19 +-
kernel/futex/core.c | 2 +-
kernel/futex/pi.c | 3 +-
kernel/futex/syscalls.c | 8 +
kernel/module/main.c | 7 +
kernel/power/main.c | 2 +-
kernel/power/snapshot.c | 11 +
kernel/sched/ext.c | 2 +-
kernel/sysctl.c | 2 +-
kernel/time/alarmtimer.c | 2 +-
kernel/trace/trace_events_trigger.c | 85 ++++-
kernel/trace/trace_osnoise.c | 10 +-
lib/bug.c | 7 +-
mm/damon/core.c | 9 +-
mm/damon/stat.c | 53 ++-
mm/damon/sysfs.c | 10 +-
mm/memory.c | 18 +-
mm/mempolicy.c | 10 +-
mm/mseal.c | 3 +-
mm/pagewalk.c | 25 +-
net/bluetooth/l2cap_core.c | 103 +++--
net/bluetooth/l2cap_sock.c | 3 +
net/bluetooth/mgmt.c | 2 +-
net/bluetooth/sco.c | 10 +-
net/can/af_can.c | 4 +-
net/can/af_can.h | 2 +-
net/can/gw.c | 6 +-
net/can/isotp.c | 24 +-
net/can/proc.c | 3 +-
net/core/rtnetlink.c | 28 +-
net/ipv4/esp4.c | 9 +-
net/ipv4/inet_connection_sock.c | 20 +-
net/ipv4/udp.c | 2 +-
net/ipv6/addrconf.c | 4 +-
net/ipv6/esp6.c | 9 +-
net/ipv6/ip6_fib.c | 15 +-
net/ipv6/netfilter/ip6t_rt.c | 4 +
net/ipv6/route.c | 2 +-
net/key/af_key.c | 19 +-
net/netfilter/nf_conntrack_expect.c | 4 +
net/netfilter/nf_conntrack_netlink.c | 16 +-
net/netfilter/nf_conntrack_proto_tcp.c | 10 +-
net/netfilter/nf_conntrack_sip.c | 14 +-
net/netfilter/nfnetlink_log.c | 8 +-
net/netfilter/nft_set_rbtree.c | 92 ++++-
net/nfc/nci/core.c | 10 +-
net/openvswitch/flow_netlink.c | 2 +
net/openvswitch/vport-netdev.c | 11 +-
net/packet/af_packet.c | 1 +
net/smc/smc_rx.c | 9 +-
net/tls/tls_sw.c | 2 +-
net/xfrm/xfrm_iptfs.c | 17 +-
net/xfrm/xfrm_nat_keepalive.c | 2 +-
net/xfrm/xfrm_policy.c | 2 +
net/xfrm/xfrm_state.c | 1 +
net/xfrm/xfrm_user.c | 7 +-
rust/kernel/regulator.rs | 33 +-
rust/pin-init/src/macros.rs | 16 +
scripts/livepatch/klp-build | 9 +-
scripts/package/install-extmod-build | 4 +
sound/firewire/amdtp-stream.c | 2 +-
sound/hda/codecs/hdmi/tegrahdmi.c | 1 +
sound/hda/codecs/realtek/alc269.c | 42 ++-
sound/hda/codecs/realtek/alc662.c | 9 +
sound/hda/codecs/senarytech.c | 5 +
sound/hda/controllers/intel.c | 1 -
sound/soc/amd/acp/amd-acp63-acpi-match.c | 413 +++++++++++++++++++++
sound/soc/codecs/adau1372.c | 34 +-
sound/soc/codecs/cs35l56-shared.c | 16 +-
sound/soc/codecs/cs35l56.c | 8 +
sound/soc/codecs/rt1320-sdw.c | 5 +-
sound/soc/codecs/sma1307.c | 6 +-
sound/soc/codecs/wcd934x.c | 2 +-
sound/soc/fsl/fsl_easrc.c | 14 +-
sound/soc/fsl/imx-card.c | 2 +
sound/soc/generic/simple-card-utils.c | 4 +-
sound/soc/intel/boards/sof_sdw.c | 8 +
sound/soc/intel/catpt/device.c | 10 +-
sound/soc/intel/catpt/dsp.c | 3 -
sound/soc/samsung/i2s.c | 6 +-
sound/soc/sdca/sdca_functions.c | 11 +-
sound/soc/sof/ipc4-topology.c | 2 +-
sound/usb/quirks.c | 4 +
tools/objtool/Makefile | 2 +-
tools/objtool/arch/x86/decode.c | 68 ++--
tools/objtool/check.c | 14 +
tools/objtool/klp-diff.c | 26 +-
tools/perf/util/metricgroup.c | 6 +-
.../testing/selftests/bpf/prog_tests/reg_bounds.c | 62 +++-
.../testing/selftests/bpf/progs/exceptions_fail.c | 9 +-
.../selftests/mount_setattr/mount_setattr_test.c | 2 +-
349 files changed, 3991 insertions(+), 1331 deletions(-)
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 001/342] cxl/port: Fix use after free of parent_port in cxl_detach_ep()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 002/342] cxl/region: Fix leakage in __construct_region() Greg Kroah-Hartman
` (357 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Jiang, Li Ming,
Alison Schofield, Jonathan Cameron, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alison Schofield <alison.schofield@intel.com>
[ Upstream commit 19d2f0b97a131198efc2c4ca3eb7f980bba8c2b4 ]
cxl_detach_ep() is called during bottom-up removal when all CXL memory
devices beneath a switch port have been removed. For each port in the
hierarchy it locks both the port and its parent, removes the endpoint,
and if the port is now empty, marks it dead and unregisters the port
by calling delete_switch_port(). There are two places during this work
where the parent_port may be used after freeing:
First, a concurrent detach may have already processed a port by the
time a second worker finds it via bus_find_device(). Without pinning
parent_port, it may already be freed when we discover port->dead and
attempt to unlock the parent_port. In a production kernel that's a
silent memory corruption, with lock debug, it looks like this:
[]DEBUG_LOCKS_WARN_ON(__owner_task(owner) != get_current())
[]WARNING: kernel/locking/mutex.c:949 at __mutex_unlock_slowpath+0x1ee/0x310
[]Call Trace:
[]mutex_unlock+0xd/0x20
[]cxl_detach_ep+0x180/0x400 [cxl_core]
[]devm_action_release+0x10/0x20
[]devres_release_all+0xa8/0xe0
[]device_unbind_cleanup+0xd/0xa0
[]really_probe+0x1a6/0x3e0
Second, delete_switch_port() releases three devm actions registered
against parent_port. The last of those is unregister_port() and it
calls device_unregister() on the child port, which can cascade. If
parent_port is now also empty the device core may unregister and free
it too. So by the time delete_switch_port() returns, parent_port may
be free, and the subsequent device_unlock(&parent_port->dev) operates
on freed memory. The kernel log looks same as above, with a different
offset in cxl_detach_ep().
Both of these issues stem from the absence of a lifetime guarantee
between a child port and its parent port.
Establish a lifetime rule for ports: child ports hold a reference to
their parent device until release. Take the reference when the port
is allocated and drop it when released. This ensures the parent is
valid for the full lifetime of the child and eliminates the use after
free window in cxl_detach_ep().
This is easily reproduced with a reload of cxl_acpi in QEMU with CXL
devices present.
Fixes: 2345df54249c ("cxl/memdev: Fix endpoint port removal")
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Reviewed-by: Li Ming <ming.li@zohomail.com>
Signed-off-by: Alison Schofield <alison.schofield@intel.com>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Link: https://patch.msgid.link/20260226184439.1732841-1-alison.schofield@intel.com
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cxl/core/port.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/cxl/core/port.c b/drivers/cxl/core/port.c
index 4717dcff264be..aa8b47c50c962 100644
--- a/drivers/cxl/core/port.c
+++ b/drivers/cxl/core/port.c
@@ -552,10 +552,13 @@ static void cxl_port_release(struct device *dev)
xa_destroy(&port->dports);
xa_destroy(&port->regions);
ida_free(&cxl_port_ida, port->id);
- if (is_cxl_root(port))
+
+ if (is_cxl_root(port)) {
kfree(to_cxl_root(port));
- else
+ } else {
+ put_device(dev->parent);
kfree(port);
+ }
}
static ssize_t decoders_committed_show(struct device *dev,
@@ -721,6 +724,7 @@ static struct cxl_port *cxl_port_alloc(struct device *uport_dev,
struct cxl_port *iter;
dev->parent = &parent_port->dev;
+ get_device(dev->parent);
port->depth = parent_port->depth + 1;
port->parent_dport = parent_dport;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 002/342] cxl/region: Fix leakage in __construct_region()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 001/342] cxl/port: Fix use after free of parent_port in cxl_detach_ep() Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 003/342] bpf: Reset register ID for BPF_END value tracking Greg Kroah-Hartman
` (356 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Davidlohr Bueso, Ira Weiny,
Gregory Price, Dave Jiang, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Davidlohr Bueso <dave@stgolabs.net>
[ Upstream commit 77b310bb7b5ff8c017524df83292e0242ba89791 ]
Failing the first sysfs_update_group() needs to explicitly
kfree the resource as it is too early for cxl_region_iomem_release()
to do so.
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Reviewed-by: Ira Weiny <ira.weiny@intel.com>
Reviewed-by: Gregory Price <gourry@gourry.net>
Fixes: d6602e25819d (cxl/region: Add support to indicate region has extended linear cache)
Link: https://patch.msgid.link/20260202191330.245608-1-dave@stgolabs.net
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cxl/core/region.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c
index 5bd1213737fa2..a3d06b852d05e 100644
--- a/drivers/cxl/core/region.c
+++ b/drivers/cxl/core/region.c
@@ -3616,8 +3616,10 @@ static int __construct_region(struct cxl_region *cxlr,
}
rc = sysfs_update_group(&cxlr->dev.kobj, &cxl_region_group);
- if (rc)
+ if (rc) {
+ kfree(res);
return rc;
+ }
rc = insert_resource(cxlrd->res, res);
if (rc) {
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 003/342] bpf: Reset register ID for BPF_END value tracking
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 001/342] cxl/port: Fix use after free of parent_port in cxl_detach_ep() Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 002/342] cxl/region: Fix leakage in __construct_region() Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 004/342] bpf: Fix constant blinding for PROBE_MEM32 stores Greg Kroah-Hartman
` (355 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Laporte, Tianci Cao,
Shenghao Yuan, Yazhou Tang, Eduard Zingerman, Alexei Starovoitov,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yazhou Tang <tangyazhou518@outlook.com>
[ Upstream commit a3125bc01884431d30d731461634c8295b6f0529 ]
When a register undergoes a BPF_END (byte swap) operation, its scalar
value is mutated in-place. If this register previously shared a scalar ID
with another register (e.g., after an `r1 = r0` assignment), this tie must
be broken.
Currently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END.
Consequently, if a conditional jump checks the swapped register, the
verifier incorrectly propagates the learned bounds to the linked register,
leading to false confidence in the linked register's value and potentially
allowing out-of-bounds memory accesses.
Fix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case
to break the scalar tie, similar to how BPF_NEG handles it via
`__mark_reg_known`.
Fixes: 9d2119984224 ("bpf: Add bitwise tracking for BPF_END")
Closes: https://lore.kernel.org/bpf/AMBPR06MB108683CFEB1CB8D9E02FC95ECF17EA@AMBPR06MB10868.eurprd06.prod.outlook.com/
Link: https://lore.kernel.org/bpf/4be25f7442a52244d0dd1abb47bc6750e57984c9.camel@gmail.com/
Reported-by: Guillaume Laporte <glapt.pro@outlook.com>
Co-developed-by: Tianci Cao <ziye@zju.edu.cn>
Signed-off-by: Tianci Cao <ziye@zju.edu.cn>
Co-developed-by: Shenghao Yuan <shenghaoyuan0928@163.com>
Signed-off-by: Shenghao Yuan <shenghaoyuan0928@163.com>
Signed-off-by: Yazhou Tang <tangyazhou518@outlook.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20260304083228.142016-2-tangyazhou@zju.edu.cn
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 9c4723cdac700..bf721a1274799 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -15512,6 +15512,13 @@ static void scalar_byte_swap(struct bpf_reg_state *dst_reg, struct bpf_insn *ins
/* Apply bswap if alu64 or switch between big-endian and little-endian machines */
bool need_bswap = alu64 || (to_le == is_big_endian);
+ /*
+ * If the register is mutated, manually reset its scalar ID to break
+ * any existing ties and avoid incorrect bounds propagation.
+ */
+ if (need_bswap || insn->imm == 16 || insn->imm == 32)
+ dst_reg->id = 0;
+
if (need_bswap) {
if (insn->imm == 16)
dst_reg->var_off = tnum_bswap16(dst_reg->var_off);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 004/342] bpf: Fix constant blinding for PROBE_MEM32 stores
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 003/342] bpf: Reset register ID for BPF_END value tracking Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 005/342] x86/perf: Make sure to program the counter value for stopped events on migration Greg Kroah-Hartman
` (354 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Puranjay Mohan, Emil Tsalapatis,
Sachin Kumar, Daniel Borkmann, Alexei Starovoitov, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sachin Kumar <xcyfun@protonmail.com>
[ Upstream commit 2321a9596d2260310267622e0ad8fbfa6f95378f ]
BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by
bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to
survive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.
The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM
to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification,
before bpf_jit_blind_constants() runs during JIT compilation. The
blinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not
BPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through
unblinded.
Add BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the
existing BPF_ST|BPF_MEM cases. The blinding transformation is identical:
load the blinded immediate into BPF_REG_AX via mov+xor, then convert
the immediate store to a register store (BPF_STX).
The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so
the architecture JIT emits the correct arena addressing (R12-based on
x86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes
BPF_MEM mode; construct the instruction directly instead.
Fixes: 6082b6c328b5 ("bpf: Recognize addr_space_cast instruction in the verifier.")
Reviewed-by: Puranjay Mohan <puranjay@kernel.org>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Signed-off-by: Sachin Kumar <xcyfun@protonmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/Y6IT5VvNRchPBLI5D7JZHBzZrU9rb0ycRJPJzJSXGj7kJlX8RJwZFSM2YZjcDxoQKABkxt1T8Os2gi23PYyFuQe6KkZGWVyfz8K5afdy9ak=@protonmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/core.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 85c0feaae0d3c..1b32333d8f8c6 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -1419,6 +1419,27 @@ static int bpf_jit_blind_insn(const struct bpf_insn *from,
*to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
*to++ = BPF_STX_MEM(from->code, from->dst_reg, BPF_REG_AX, from->off);
break;
+
+ case BPF_ST | BPF_PROBE_MEM32 | BPF_DW:
+ case BPF_ST | BPF_PROBE_MEM32 | BPF_W:
+ case BPF_ST | BPF_PROBE_MEM32 | BPF_H:
+ case BPF_ST | BPF_PROBE_MEM32 | BPF_B:
+ *to++ = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^
+ from->imm);
+ *to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
+ /*
+ * Cannot use BPF_STX_MEM() macro here as it
+ * hardcodes BPF_MEM mode, losing PROBE_MEM32
+ * and breaking arena addressing in the JIT.
+ */
+ *to++ = (struct bpf_insn) {
+ .code = BPF_STX | BPF_PROBE_MEM32 |
+ BPF_SIZE(from->code),
+ .dst_reg = from->dst_reg,
+ .src_reg = BPF_REG_AX,
+ .off = from->off,
+ };
+ break;
}
out:
return to - to_buff;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 005/342] x86/perf: Make sure to program the counter value for stopped events on migration
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 004/342] bpf: Fix constant blinding for PROBE_MEM32 stores Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 006/342] perf: Make sure to use pmu_ctx->pmu for groups Greg Kroah-Hartman
` (353 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dapeng Mi, Ian Rogers,
Peter Zijlstra (Intel), Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit f1cac6ac62d28a9a57b17f51ac5795bf250c12d3 ]
Both Mi Dapeng and Ian Rogers noted that not everything that sets HES_STOPPED
is required to EF_UPDATE. Specifically the 'step 1' loop of rescheduling
explicitly does EF_UPDATE to ensure the counter value is read.
However, then 'step 2' simply leaves the new counter uninitialized when
HES_STOPPED, even though, as noted above, the thing that stopped them might not
be aware it needs to EF_RELOAD -- since it didn't EF_UPDATE on stop.
One such location that is affected is throttling, throttle does pmu->stop(, 0);
and unthrottle does pmu->start(, 0); possibly restarting an uninitialized counter.
Fixes: a4eaf7f14675 ("perf: Rework the PMU methods")
Reported-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Reported-by: Ian Rogers <irogers@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Link: https://patch.msgid.link/20260311204035.GX606826@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/events/core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
index 818de24921a48..7a6b15b0f1c66 100644
--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -1371,8 +1371,10 @@ static void x86_pmu_enable(struct pmu *pmu)
cpuc->events[hwc->idx] = event;
- if (hwc->state & PERF_HES_ARCH)
+ if (hwc->state & PERF_HES_ARCH) {
+ static_call(x86_pmu_set_period)(event);
continue;
+ }
/*
* if cpuc->enabled = 0, then no wrmsr as
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 006/342] perf: Make sure to use pmu_ctx->pmu for groups
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 005/342] x86/perf: Make sure to program the counter value for stopped events on migration Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 007/342] s390/mm: Add missing secure storage access fixups for donated memory Greg Kroah-Hartman
` (352 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oliver Rosenberg,
Peter Zijlstra (Intel), Ian Rogers, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 4b9ce671960627b2505b3f64742544ae9801df97 ]
Oliver reported that x86_pmu_del() ended up doing an out-of-bound memory access
when group_sched_in() fails and needs to roll back.
This *should* be handled by the transaction callbacks, but he found that when
the group leader is a software event, the transaction handlers of the wrong PMU
are used. Despite the move_group case in perf_event_open() and group_sched_in()
using pmu_ctx->pmu.
Turns out, inherit uses event->pmu to clone the events, effectively undoing the
move_group case for all inherited contexts. Fix this by also making inherit use
pmu_ctx->pmu, ensuring all inherited counters end up in the same pmu context.
Similarly, __perf_event_read() should use equally use pmu_ctx->pmu for the
group case.
Fixes: bd2756811766 ("perf: Rewrite core context handling")
Reported-by: Oliver Rosenberg <olrose55@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Ian Rogers <irogers@google.com>
Link: https://patch.msgid.link/20260309133713.GB606826@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 84a79e977580e..39b35f280845b 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -4672,7 +4672,7 @@ static void __perf_event_read(void *info)
struct perf_event *sub, *event = data->event;
struct perf_event_context *ctx = event->ctx;
struct perf_cpu_context *cpuctx = this_cpu_ptr(&perf_cpu_context);
- struct pmu *pmu = event->pmu;
+ struct pmu *pmu;
/*
* If this is a task context, we need to check whether it is
@@ -4684,7 +4684,7 @@ static void __perf_event_read(void *info)
if (ctx->task && cpuctx->task_ctx != ctx)
return;
- raw_spin_lock(&ctx->lock);
+ guard(raw_spinlock)(&ctx->lock);
ctx_time_update_event(ctx, event);
perf_event_update_time(event);
@@ -4692,25 +4692,22 @@ static void __perf_event_read(void *info)
perf_event_update_sibling_time(event);
if (event->state != PERF_EVENT_STATE_ACTIVE)
- goto unlock;
+ return;
if (!data->group) {
- pmu->read(event);
+ perf_pmu_read(event);
data->ret = 0;
- goto unlock;
+ return;
}
+ pmu = event->pmu_ctx->pmu;
pmu->start_txn(pmu, PERF_PMU_TXN_READ);
- pmu->read(event);
-
+ perf_pmu_read(event);
for_each_sibling_event(sub, event)
perf_pmu_read(sub);
data->ret = pmu->commit_txn(pmu);
-
-unlock:
- raw_spin_unlock(&ctx->lock);
}
static inline u64 perf_event_count(struct perf_event *event, bool self)
@@ -14461,7 +14458,7 @@ inherit_event(struct perf_event *parent_event,
get_ctx(child_ctx);
child_event->ctx = child_ctx;
- pmu_ctx = find_get_pmu_context(child_event->pmu, child_ctx, child_event);
+ pmu_ctx = find_get_pmu_context(parent_event->pmu_ctx->pmu, child_ctx, child_event);
if (IS_ERR(pmu_ctx)) {
free_event(child_event);
return ERR_CAST(pmu_ctx);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 007/342] s390/mm: Add missing secure storage access fixups for donated memory
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 006/342] perf: Make sure to use pmu_ctx->pmu for groups Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 008/342] objtool/klp: fix data alignment in __clone_symbol() Greg Kroah-Hartman
` (351 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Claudio Imbrenda,
Christian Borntraeger, Janosch Frank, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Janosch Frank <frankja@linux.ibm.com>
[ Upstream commit b00be77302d7ec4ad0367bb236494fce7172b730 ]
There are special cases where secure storage access exceptions happen
in a kernel context for pages that don't have the PG_arch_1 bit
set. That bit is set for non-exported guest secure storage (memory)
but is absent on storage donated to the Ultravisor since the kernel
isn't allowed to export donated pages.
Prior to this patch we would try to export the page by calling
arch_make_folio_accessible() which would instantly return since the
arch bit is absent signifying that the page was already exported and
no further action is necessary. This leads to secure storage access
exception loops which can never be resolved.
With this patch we unconditionally try to export and if that fails we
fixup.
Fixes: 084ea4d611a3 ("s390/mm: add (non)secure page access exceptions handlers")
Reported-by: Heiko Carstens <hca@linux.ibm.com>
Suggested-by: Heiko Carstens <hca@linux.ibm.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Tested-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/mm/fault.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
index e2e13778c36a9..b977150443550 100644
--- a/arch/s390/mm/fault.c
+++ b/arch/s390/mm/fault.c
@@ -441,10 +441,17 @@ void do_secure_storage_access(struct pt_regs *regs)
folio = phys_to_folio(addr);
if (unlikely(!folio_try_get(folio)))
return;
- rc = arch_make_folio_accessible(folio);
+ rc = uv_convert_from_secure(folio_to_phys(folio));
+ if (!rc)
+ clear_bit(PG_arch_1, &folio->flags.f);
folio_put(folio);
+ /*
+ * There are some valid fixup types for kernel
+ * accesses to donated secure memory. zeropad is one
+ * of them.
+ */
if (rc)
- BUG();
+ return handle_fault_error_nolock(regs, 0);
} else {
if (faulthandler_disabled())
return handle_fault_error_nolock(regs, 0);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 008/342] objtool/klp: fix data alignment in __clone_symbol()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 007/342] s390/mm: Add missing secure storage access fixups for donated memory Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 009/342] livepatch/klp-build: Fix inconsistent kernel version Greg Kroah-Hartman
` (350 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joe Lawrence, Josh Poimboeuf,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Lawrence <joe.lawrence@redhat.com>
[ Upstream commit 2f2600decb3004938762a3f2d0eba3ea9e01045b ]
Commit 356e4b2f5b80 ("objtool: Fix data alignment in elf_add_data()")
corrected the alignment of data within a section (honoring the section's
sh_addralign). Apply the same alignment when klp-diff mode clones a
symbol, adjusting the new symbol's offset for the output section's
sh_addralign.
Fixes: dd590d4d57eb ("objtool/klp: Introduce klp diff subcommand for diffing object files")
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Link: https://patch.msgid.link/20260310203751.1479229-2-joe.lawrence@redhat.com
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/objtool/klp-diff.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/objtool/klp-diff.c b/tools/objtool/klp-diff.c
index d94632e809558..b1847828217ba 100644
--- a/tools/objtool/klp-diff.c
+++ b/tools/objtool/klp-diff.c
@@ -14,6 +14,7 @@
#include <objtool/util.h>
#include <arch/special.h>
+#include <linux/align.h>
#include <linux/objtool_types.h>
#include <linux/livepatch_external.h>
#include <linux/stringify.h>
@@ -560,7 +561,7 @@ static struct symbol *__clone_symbol(struct elf *elf, struct symbol *patched_sym
}
if (!is_sec_sym(patched_sym))
- offset = sec_size(out_sec);
+ offset = ALIGN(sec_size(out_sec), out_sec->sh.sh_addralign);
if (patched_sym->len || is_sec_sym(patched_sym)) {
void *data = NULL;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 009/342] livepatch/klp-build: Fix inconsistent kernel version
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 008/342] objtool/klp: fix data alignment in __clone_symbol() Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 010/342] cxl/hdm: Avoid incorrect DVSEC fallback when HDM decoders are enabled Greg Kroah-Hartman
` (349 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joe Lawrence, Josh Poimboeuf,
Song Liu, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit 6f93f7b06810d04acc6b106a7d5ecd6000f80545 ]
If .config hasn't been synced with auto.conf, any recent changes to
CONFIG_LOCALVERSION* may not get reflected in the kernel version name.
Use "make syncconfig" to force them to sync, and "make -s kernelrelease"
to get the version instead of having to construct it manually.
Fixes: 24ebfcd65a87 ("livepatch/klp-build: Introduce klp-build script for generating livepatch modules")
Closes: https://lore.kernel.org/20260217160645.3434685-10-joe.lawrence@redhat.com
Reported-by: Joe Lawrence <joe.lawrence@redhat.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Acked-by: Song Liu <song@kernel.org>
Link: https://patch.msgid.link/20260310203751.1479229-10-joe.lawrence@redhat.com
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/livepatch/klp-build | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/scripts/livepatch/klp-build b/scripts/livepatch/klp-build
index 809e198a561d5..7b82c7503c2bf 100755
--- a/scripts/livepatch/klp-build
+++ b/scripts/livepatch/klp-build
@@ -285,15 +285,14 @@ set_module_name() {
# application from appending it with '+' due to a dirty git working tree.
set_kernelversion() {
local file="$SRC/scripts/setlocalversion"
- local localversion
+ local kernelrelease
stash_file "$file"
- localversion="$(cd "$SRC" && make --no-print-directory kernelversion)"
- localversion="$(cd "$SRC" && KERNELVERSION="$localversion" ./scripts/setlocalversion)"
- [[ -z "$localversion" ]] && die "setlocalversion failed"
+ kernelrelease="$(cd "$SRC" && make syncconfig &>/dev/null && make -s kernelrelease)"
+ [[ -z "$kernelrelease" ]] && die "failed to get kernel version"
- sed -i "2i echo $localversion; exit 0" scripts/setlocalversion
+ sed -i "2i echo $kernelrelease; exit 0" scripts/setlocalversion
}
get_patch_files() {
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 010/342] cxl/hdm: Avoid incorrect DVSEC fallback when HDM decoders are enabled
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 009/342] livepatch/klp-build: Fix inconsistent kernel version Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 011/342] hwmon: axi-fan: dont use driver_override as IRQ name Greg Kroah-Hartman
` (348 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Smita Koralahalli, Dan Williams,
Dave Jiang, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Smita Koralahalli <Smita.KoralahalliChannabasappa@amd.com>
[ Upstream commit 75cea0776de502f2a1be5ca02d37c586dc81887e ]
Check the global CXL_HDM_DECODER_ENABLE bit instead of looping over
per-decoder COMMITTED bits to determine whether to fall back to DVSEC
range emulation. When the HDM decoder capability is globally enabled,
ignore DVSEC range registers regardless of individual decoder commit
state.
should_emulate_decoders() currently loops over per-decoder COMMITTED
bits, which leads to an incorrect DVSEC fallback when those bits are
zero. One way to trigger this is to destroy a region and bounce the
memdev:
cxl disable-region region0
cxl destroy-region region0
cxl disable-memdev mem0
cxl enable-memdev mem0
Region teardown zeroes the HDM decoder registers including the committed
bits. The subsequent memdev re-probe finds uncommitted decoders and falls
back to DVSEC emulation, even though HDM remains globally enabled.
Observed failures:
should_emulate_decoders: cxl_port endpoint6: decoder6.0: committed: 0 base: 0x0_00000000 size: 0x0_00000000
devm_cxl_setup_hdm: cxl_port endpoint6: Fallback map 1 range register
..
devm_cxl_add_region: cxl_acpi ACPI0017:00: decoder0.0: created region0
__construct_region: cxl_pci 0000:e1:00.0: mem1:decoder6.0:
__construct_region region0 res: [mem 0x850000000-0x284fffffff flags 0x200] iw: 1 ig: 4096
cxl region0: pci0000:e0:port1 cxl_port_setup_targets expected iw: 1 ig: 4096 ..
cxl region0: pci0000:e0:port1 cxl_port_setup_targets got iw: 1 ig: 256 state: disabled ..
cxl_port endpoint6: failed to attach decoder6.0 to region0: -6
..
devm_cxl_add_region: cxl_acpi ACPI0017:00: decoder0.0: created region4
alloc_hpa: cxl region4: HPA allocation error (-34) ..
Fixes: 52cc48ad2a76 ("cxl/hdm: Limit emulation to the number of range registers")
Signed-off-by: Smita Koralahalli <Smita.KoralahalliChannabasappa@amd.com>
Reviewed-by: Dan Williams <dan.j.williams@intel.com>
Link: https://patch.msgid.link/20260316201950.224567-1-Smita.KoralahalliChannabasappa@amd.com
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cxl/core/hdm.c | 25 +++++++++----------------
1 file changed, 9 insertions(+), 16 deletions(-)
diff --git a/drivers/cxl/core/hdm.c b/drivers/cxl/core/hdm.c
index bc4b0c8607258..ce27074bb5c7d 100644
--- a/drivers/cxl/core/hdm.c
+++ b/drivers/cxl/core/hdm.c
@@ -94,7 +94,6 @@ static bool should_emulate_decoders(struct cxl_endpoint_dvsec_info *info)
struct cxl_hdm *cxlhdm;
void __iomem *hdm;
u32 ctrl;
- int i;
if (!info)
return false;
@@ -113,22 +112,16 @@ static bool should_emulate_decoders(struct cxl_endpoint_dvsec_info *info)
return false;
/*
- * If any decoders are committed already, there should not be any
- * emulated DVSEC decoders.
+ * If HDM decoders are globally enabled, do not fall back to DVSEC
+ * range emulation. Zeroed decoder registers after region teardown
+ * do not imply absence of HDM capability.
+ *
+ * Falling back to DVSEC here would treat the decoder as AUTO and
+ * may incorrectly latch default interleave settings.
*/
- for (i = 0; i < cxlhdm->decoder_count; i++) {
- ctrl = readl(hdm + CXL_HDM_DECODER0_CTRL_OFFSET(i));
- dev_dbg(&info->port->dev,
- "decoder%d.%d: committed: %ld base: %#x_%.8x size: %#x_%.8x\n",
- info->port->id, i,
- FIELD_GET(CXL_HDM_DECODER0_CTRL_COMMITTED, ctrl),
- readl(hdm + CXL_HDM_DECODER0_BASE_HIGH_OFFSET(i)),
- readl(hdm + CXL_HDM_DECODER0_BASE_LOW_OFFSET(i)),
- readl(hdm + CXL_HDM_DECODER0_SIZE_HIGH_OFFSET(i)),
- readl(hdm + CXL_HDM_DECODER0_SIZE_LOW_OFFSET(i)));
- if (FIELD_GET(CXL_HDM_DECODER0_CTRL_COMMITTED, ctrl))
- return false;
- }
+ ctrl = readl(hdm + CXL_HDM_DECODER_CTRL_OFFSET);
+ if (ctrl & CXL_HDM_DECODER_ENABLE)
+ return false;
return true;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 011/342] hwmon: axi-fan: dont use driver_override as IRQ name
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 010/342] cxl/hdm: Avoid incorrect DVSEC fallback when HDM decoders are enabled Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 012/342] sh: platform_early: remove pdev->driver_override check Greg Kroah-Hartman
` (347 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nuno Sá, Guenter Roeck,
Danilo Krummrich, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
[ Upstream commit 813bbc4d33d2ca5b0da63e70ae13b60874f20d37 ]
Do not use driver_override as IRQ name, as it is not guaranteed to point
to a valid string; use NULL instead (which makes the devm IRQ helpers
use dev_name()).
Fixes: 8412b410fa5e ("hwmon: Support ADI Fan Control IP")
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Acked-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/20260303115720.48783-4-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/axi-fan-control.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hwmon/axi-fan-control.c b/drivers/hwmon/axi-fan-control.c
index b7bb325c3ad96..01590dfa55e60 100644
--- a/drivers/hwmon/axi-fan-control.c
+++ b/drivers/hwmon/axi-fan-control.c
@@ -507,7 +507,7 @@ static int axi_fan_control_probe(struct platform_device *pdev)
ret = devm_request_threaded_irq(&pdev->dev, ctl->irq, NULL,
axi_fan_control_irq_handler,
IRQF_ONESHOT | IRQF_TRIGGER_HIGH,
- pdev->driver_override, ctl);
+ NULL, ctl);
if (ret)
return dev_err_probe(&pdev->dev, ret,
"failed to request an irq\n");
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 012/342] sh: platform_early: remove pdev->driver_override check
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 011/342] hwmon: axi-fan: dont use driver_override as IRQ name Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 013/342] driver core: generalize driver_override in struct device Greg Kroah-Hartman
` (346 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Danilo Krummrich,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
[ Upstream commit c5f60e3f07b6609562d21efda878e83ce8860728 ]
In commit 507fd01d5333 ("drivers: move the early platform device support to
arch/sh") platform_match() was copied over to the sh platform_early
code, accidentally including the driver_override check.
This check does not make sense for platform_early, as sysfs is not even
available in first place at this point in the boot process, hence remove
the check.
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Fixes: 507fd01d5333 ("drivers: move the early platform device support to arch/sh")
Link: https://lore.kernel.org/all/DH4M3DJ4P58T.1BGVAVXN71Z09@kernel.org/
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/sh/drivers/platform_early.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/arch/sh/drivers/platform_early.c b/arch/sh/drivers/platform_early.c
index 143747c45206f..48ddbc547bd9a 100644
--- a/arch/sh/drivers/platform_early.c
+++ b/arch/sh/drivers/platform_early.c
@@ -26,10 +26,6 @@ static int platform_match(struct device *dev, struct device_driver *drv)
struct platform_device *pdev = to_platform_device(dev);
struct platform_driver *pdrv = to_platform_driver(drv);
- /* When driver_override is set, only bind to the matching driver */
- if (pdev->driver_override)
- return !strcmp(pdev->driver_override, drv->name);
-
/* Then try to match against the id table */
if (pdrv->id_table)
return platform_match_id(pdrv->id_table, pdev) != NULL;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 013/342] driver core: generalize driver_override in struct device
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 012/342] sh: platform_early: remove pdev->driver_override check Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 014/342] driver core: platform: use generic driver_override infrastructure Greg Kroah-Hartman
` (345 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Danilo Krummrich,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
[ Upstream commit cb3d1049f4ea77d5ad93f17d8ac1f2ed4da70501 ]
Currently, there are 12 busses (including platform and PCI) that
duplicate the driver_override logic for their individual devices.
All of them seem to be prone to the bug described in [1].
While this could be solved for every bus individually using a separate
lock, solving this in the driver-core generically results in less (and
cleaner) changes overall.
Thus, move driver_override to struct device, provide corresponding
accessors for busses and handle locking with a separate lock internally.
In particular, add device_set_driver_override(),
device_has_driver_override(), device_match_driver_override() and
generalize the sysfs store() and show() callbacks via a driver_override
feature flag in struct bus_type.
Until all busses have migrated, keep driver_set_override() in place.
Note that we can't use the device lock for the reasons described in [2].
Link: https://bugzilla.kernel.org/show_bug.cgi?id=220789 [1]
Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [2]
Tested-by: Gui-Dong Han <hanguidong02@gmail.com>
Co-developed-by: Gui-Dong Han <hanguidong02@gmail.com>
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/20260303115720.48783-2-dakr@kernel.org
[ Use dev->bus instead of sp->bus for consistency; fix commit message to
refer to the struct bus_type's driver_override feature flag. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Stable-dep-of: 2b38efc05bf7 ("driver core: platform: use generic driver_override infrastructure")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/bus.c | 43 ++++++++++++++++++++++++++-
drivers/base/core.c | 2 ++
drivers/base/dd.c | 60 ++++++++++++++++++++++++++++++++++++++
include/linux/device.h | 54 ++++++++++++++++++++++++++++++++++
include/linux/device/bus.h | 4 +++
5 files changed, 162 insertions(+), 1 deletion(-)
diff --git a/drivers/base/bus.c b/drivers/base/bus.c
index 9eb7771706f01..7c7d8d97215be 100644
--- a/drivers/base/bus.c
+++ b/drivers/base/bus.c
@@ -504,6 +504,36 @@ int bus_for_each_drv(const struct bus_type *bus, struct device_driver *start,
}
EXPORT_SYMBOL_GPL(bus_for_each_drv);
+static ssize_t driver_override_store(struct device *dev,
+ struct device_attribute *attr,
+ const char *buf, size_t count)
+{
+ int ret;
+
+ ret = __device_set_driver_override(dev, buf, count);
+ if (ret)
+ return ret;
+
+ return count;
+}
+
+static ssize_t driver_override_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+{
+ guard(spinlock)(&dev->driver_override.lock);
+ return sysfs_emit(buf, "%s\n", dev->driver_override.name);
+}
+static DEVICE_ATTR_RW(driver_override);
+
+static struct attribute *driver_override_dev_attrs[] = {
+ &dev_attr_driver_override.attr,
+ NULL,
+};
+
+static const struct attribute_group driver_override_dev_group = {
+ .attrs = driver_override_dev_attrs,
+};
+
/**
* bus_add_device - add device to bus
* @dev: device being added
@@ -537,9 +567,15 @@ int bus_add_device(struct device *dev)
if (error)
goto out_put;
+ if (dev->bus->driver_override) {
+ error = device_add_group(dev, &driver_override_dev_group);
+ if (error)
+ goto out_groups;
+ }
+
error = sysfs_create_link(&sp->devices_kset->kobj, &dev->kobj, dev_name(dev));
if (error)
- goto out_groups;
+ goto out_override;
error = sysfs_create_link(&dev->kobj, &sp->subsys.kobj, "subsystem");
if (error)
@@ -550,6 +586,9 @@ int bus_add_device(struct device *dev)
out_subsys:
sysfs_remove_link(&sp->devices_kset->kobj, dev_name(dev));
+out_override:
+ if (dev->bus->driver_override)
+ device_remove_group(dev, &driver_override_dev_group);
out_groups:
device_remove_groups(dev, sp->bus->dev_groups);
out_put:
@@ -607,6 +646,8 @@ void bus_remove_device(struct device *dev)
sysfs_remove_link(&dev->kobj, "subsystem");
sysfs_remove_link(&sp->devices_kset->kobj, dev_name(dev));
+ if (dev->bus->driver_override)
+ device_remove_group(dev, &driver_override_dev_group);
device_remove_groups(dev, dev->bus->dev_groups);
if (klist_node_attached(&dev->p->knode_bus))
klist_del(&dev->p->knode_bus);
diff --git a/drivers/base/core.c b/drivers/base/core.c
index 40de2f51a1b1a..9863bd3705255 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -2556,6 +2556,7 @@ static void device_release(struct kobject *kobj)
devres_release_all(dev);
kfree(dev->dma_range_map);
+ kfree(dev->driver_override.name);
if (dev->release)
dev->release(dev);
@@ -3159,6 +3160,7 @@ void device_initialize(struct device *dev)
kobject_init(&dev->kobj, &device_ktype);
INIT_LIST_HEAD(&dev->dma_pools);
mutex_init(&dev->mutex);
+ spin_lock_init(&dev->driver_override.lock);
lockdep_set_novalidate_class(&dev->mutex);
spin_lock_init(&dev->devres_lock);
INIT_LIST_HEAD(&dev->devres_head);
diff --git a/drivers/base/dd.c b/drivers/base/dd.c
index bea8da5f8a3a9..37c7e54e0e4c7 100644
--- a/drivers/base/dd.c
+++ b/drivers/base/dd.c
@@ -381,6 +381,66 @@ static void __exit deferred_probe_exit(void)
}
__exitcall(deferred_probe_exit);
+int __device_set_driver_override(struct device *dev, const char *s, size_t len)
+{
+ const char *new, *old;
+ char *cp;
+
+ if (!s)
+ return -EINVAL;
+
+ /*
+ * The stored value will be used in sysfs show callback (sysfs_emit()),
+ * which has a length limit of PAGE_SIZE and adds a trailing newline.
+ * Thus we can store one character less to avoid truncation during sysfs
+ * show.
+ */
+ if (len >= (PAGE_SIZE - 1))
+ return -EINVAL;
+
+ /*
+ * Compute the real length of the string in case userspace sends us a
+ * bunch of \0 characters like python likes to do.
+ */
+ len = strlen(s);
+
+ if (!len) {
+ /* Empty string passed - clear override */
+ spin_lock(&dev->driver_override.lock);
+ old = dev->driver_override.name;
+ dev->driver_override.name = NULL;
+ spin_unlock(&dev->driver_override.lock);
+ kfree(old);
+
+ return 0;
+ }
+
+ cp = strnchr(s, len, '\n');
+ if (cp)
+ len = cp - s;
+
+ new = kstrndup(s, len, GFP_KERNEL);
+ if (!new)
+ return -ENOMEM;
+
+ spin_lock(&dev->driver_override.lock);
+ old = dev->driver_override.name;
+ if (cp != s) {
+ dev->driver_override.name = new;
+ spin_unlock(&dev->driver_override.lock);
+ } else {
+ /* "\n" passed - clear override */
+ dev->driver_override.name = NULL;
+ spin_unlock(&dev->driver_override.lock);
+
+ kfree(new);
+ }
+ kfree(old);
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(__device_set_driver_override);
+
/**
* device_is_bound() - Check if device is bound to a driver
* @dev: device to check
diff --git a/include/linux/device.h b/include/linux/device.h
index 0be95294b6e61..e65d564f01cd7 100644
--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -483,6 +483,8 @@ struct device_physical_location {
* on. This shrinks the "Board Support Packages" (BSPs) and
* minimizes board-specific #ifdefs in drivers.
* @driver_data: Private pointer for driver specific info.
+ * @driver_override: Driver name to force a match. Do not touch directly; use
+ * device_set_driver_override() instead.
* @links: Links to suppliers and consumers of this device.
* @power: For device power management.
* See Documentation/driver-api/pm/devices.rst for details.
@@ -576,6 +578,10 @@ struct device {
core doesn't touch it */
void *driver_data; /* Driver data, set and get with
dev_set_drvdata/dev_get_drvdata */
+ struct {
+ const char *name;
+ spinlock_t lock;
+ } driver_override;
struct mutex mutex; /* mutex to synchronize calls to
* its driver.
*/
@@ -701,6 +707,54 @@ struct device_link {
#define kobj_to_dev(__kobj) container_of_const(__kobj, struct device, kobj)
+int __device_set_driver_override(struct device *dev, const char *s, size_t len);
+
+/**
+ * device_set_driver_override() - Helper to set or clear driver override.
+ * @dev: Device to change
+ * @s: NUL-terminated string, new driver name to force a match, pass empty
+ * string to clear it ("" or "\n", where the latter is only for sysfs
+ * interface).
+ *
+ * Helper to set or clear driver override of a device.
+ *
+ * Returns: 0 on success or a negative error code on failure.
+ */
+static inline int device_set_driver_override(struct device *dev, const char *s)
+{
+ return __device_set_driver_override(dev, s, s ? strlen(s) : 0);
+}
+
+/**
+ * device_has_driver_override() - Check if a driver override has been set.
+ * @dev: device to check
+ *
+ * Returns true if a driver override has been set for this device.
+ */
+static inline bool device_has_driver_override(struct device *dev)
+{
+ guard(spinlock)(&dev->driver_override.lock);
+ return !!dev->driver_override.name;
+}
+
+/**
+ * device_match_driver_override() - Match a driver against the device's driver_override.
+ * @dev: device to check
+ * @drv: driver to match against
+ *
+ * Returns > 0 if a driver override is set and matches the given driver, 0 if a
+ * driver override is set but does not match, or < 0 if a driver override is not
+ * set at all.
+ */
+static inline int device_match_driver_override(struct device *dev,
+ const struct device_driver *drv)
+{
+ guard(spinlock)(&dev->driver_override.lock);
+ if (dev->driver_override.name)
+ return !strcmp(dev->driver_override.name, drv->name);
+ return -1;
+}
+
/**
* device_iommu_mapped - Returns true when the device DMA is translated
* by an IOMMU
diff --git a/include/linux/device/bus.h b/include/linux/device/bus.h
index 99b1002b3e318..f047b40a30b74 100644
--- a/include/linux/device/bus.h
+++ b/include/linux/device/bus.h
@@ -63,6 +63,9 @@ struct fwnode_handle;
* this bus.
* @pm: Power management operations of this bus, callback the specific
* device driver's pm-ops.
+ * @driver_override: Set to true if this bus supports the driver_override
+ * mechanism, which allows userspace to force a specific
+ * driver to bind to a device via a sysfs attribute.
* @need_parent_lock: When probing or removing a device on this bus, the
* device core should lock the device's parent.
*
@@ -104,6 +107,7 @@ struct bus_type {
const struct dev_pm_ops *pm;
+ bool driver_override;
bool need_parent_lock;
};
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 014/342] driver core: platform: use generic driver_override infrastructure
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 013/342] driver core: generalize driver_override in struct device Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 015/342] perf metricgroup: Fix metricgroup__has_metric_or_groups() Greg Kroah-Hartman
` (344 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Danilo Krummrich,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
[ Upstream commit 2b38efc05bf7a8568ec74bfffea0f5cfa62bc01d ]
When a driver is probed through __driver_attach(), the bus' match()
callback is called without the device lock held, thus accessing the
driver_override field without a lock, which can cause a UAF.
Fix this by using the driver-core driver_override infrastructure taking
care of proper locking internally.
Note that calling match() from __driver_attach() without the device lock
held is intentional. [1]
Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [1]
Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'")
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/20260303115720.48783-5-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/platform.c | 37 +++++----------------------------
drivers/bus/simple-pm-bus.c | 4 ++--
drivers/clk/imx/clk-scu.c | 3 +--
drivers/slimbus/qcom-ngd-ctrl.c | 6 ++----
include/linux/platform_device.h | 5 -----
sound/soc/samsung/i2s.c | 6 +++---
6 files changed, 13 insertions(+), 48 deletions(-)
diff --git a/drivers/base/platform.c b/drivers/base/platform.c
index b45d41b018ca6..d44591d52e363 100644
--- a/drivers/base/platform.c
+++ b/drivers/base/platform.c
@@ -603,7 +603,6 @@ static void platform_device_release(struct device *dev)
kfree(pa->pdev.dev.platform_data);
kfree(pa->pdev.mfd_cell);
kfree(pa->pdev.resource);
- kfree(pa->pdev.driver_override);
kfree(pa);
}
@@ -1306,38 +1305,9 @@ static ssize_t numa_node_show(struct device *dev,
}
static DEVICE_ATTR_RO(numa_node);
-static ssize_t driver_override_show(struct device *dev,
- struct device_attribute *attr, char *buf)
-{
- struct platform_device *pdev = to_platform_device(dev);
- ssize_t len;
-
- device_lock(dev);
- len = sysfs_emit(buf, "%s\n", pdev->driver_override);
- device_unlock(dev);
-
- return len;
-}
-
-static ssize_t driver_override_store(struct device *dev,
- struct device_attribute *attr,
- const char *buf, size_t count)
-{
- struct platform_device *pdev = to_platform_device(dev);
- int ret;
-
- ret = driver_set_override(dev, &pdev->driver_override, buf, count);
- if (ret)
- return ret;
-
- return count;
-}
-static DEVICE_ATTR_RW(driver_override);
-
static struct attribute *platform_dev_attrs[] = {
&dev_attr_modalias.attr,
&dev_attr_numa_node.attr,
- &dev_attr_driver_override.attr,
NULL,
};
@@ -1377,10 +1347,12 @@ static int platform_match(struct device *dev, const struct device_driver *drv)
{
struct platform_device *pdev = to_platform_device(dev);
struct platform_driver *pdrv = to_platform_driver(drv);
+ int ret;
/* When driver_override is set, only bind to the matching driver */
- if (pdev->driver_override)
- return !strcmp(pdev->driver_override, drv->name);
+ ret = device_match_driver_override(dev, drv);
+ if (ret >= 0)
+ return ret;
/* Attempt an OF style match first */
if (of_driver_match_device(dev, drv))
@@ -1516,6 +1488,7 @@ static const struct dev_pm_ops platform_dev_pm_ops = {
const struct bus_type platform_bus_type = {
.name = "platform",
.dev_groups = platform_dev_groups,
+ .driver_override = true,
.match = platform_match,
.uevent = platform_uevent,
.probe = platform_probe,
diff --git a/drivers/bus/simple-pm-bus.c b/drivers/bus/simple-pm-bus.c
index 3f00d953fb9a0..c920bd6fbaafd 100644
--- a/drivers/bus/simple-pm-bus.c
+++ b/drivers/bus/simple-pm-bus.c
@@ -36,7 +36,7 @@ static int simple_pm_bus_probe(struct platform_device *pdev)
* that's not listed in simple_pm_bus_of_match. We don't want to do any
* of the simple-pm-bus tasks for these devices, so return early.
*/
- if (pdev->driver_override)
+ if (device_has_driver_override(&pdev->dev))
return 0;
match = of_match_device(dev->driver->of_match_table, dev);
@@ -78,7 +78,7 @@ static void simple_pm_bus_remove(struct platform_device *pdev)
{
const void *data = of_device_get_match_data(&pdev->dev);
- if (pdev->driver_override || data)
+ if (device_has_driver_override(&pdev->dev) || data)
return;
dev_dbg(&pdev->dev, "%s\n", __func__);
diff --git a/drivers/clk/imx/clk-scu.c b/drivers/clk/imx/clk-scu.c
index c90d21e05f916..e6b273d8a09ae 100644
--- a/drivers/clk/imx/clk-scu.c
+++ b/drivers/clk/imx/clk-scu.c
@@ -706,8 +706,7 @@ struct clk_hw *imx_clk_scu_alloc_dev(const char *name,
if (ret)
goto put_device;
- ret = driver_set_override(&pdev->dev, &pdev->driver_override,
- "imx-scu-clk", strlen("imx-scu-clk"));
+ ret = device_set_driver_override(&pdev->dev, "imx-scu-clk");
if (ret)
goto put_device;
diff --git a/drivers/slimbus/qcom-ngd-ctrl.c b/drivers/slimbus/qcom-ngd-ctrl.c
index ba3d80d12605c..d2d11f6294b70 100644
--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1539,10 +1539,8 @@ static int of_qcom_slim_ngd_register(struct device *parent,
ngd->id = id;
ngd->pdev->dev.parent = parent;
- ret = driver_set_override(&ngd->pdev->dev,
- &ngd->pdev->driver_override,
- QCOM_SLIM_NGD_DRV_NAME,
- strlen(QCOM_SLIM_NGD_DRV_NAME));
+ ret = device_set_driver_override(&ngd->pdev->dev,
+ QCOM_SLIM_NGD_DRV_NAME);
if (ret) {
platform_device_put(ngd->pdev);
kfree(ngd);
diff --git a/include/linux/platform_device.h b/include/linux/platform_device.h
index 813da101b5bf8..ed1d50d1c3c15 100644
--- a/include/linux/platform_device.h
+++ b/include/linux/platform_device.h
@@ -31,11 +31,6 @@ struct platform_device {
struct resource *resource;
const struct platform_device_id *id_entry;
- /*
- * Driver name to force a match. Do not set directly, because core
- * frees it. Use driver_set_override() to set or clear it.
- */
- const char *driver_override;
/* MFD cell pointer */
struct mfd_cell *mfd_cell;
diff --git a/sound/soc/samsung/i2s.c b/sound/soc/samsung/i2s.c
index e9964f0e010ae..140907a41a70d 100644
--- a/sound/soc/samsung/i2s.c
+++ b/sound/soc/samsung/i2s.c
@@ -1360,10 +1360,10 @@ static int i2s_create_secondary_device(struct samsung_i2s_priv *priv)
if (!pdev_sec)
return -ENOMEM;
- pdev_sec->driver_override = kstrdup("samsung-i2s", GFP_KERNEL);
- if (!pdev_sec->driver_override) {
+ ret = device_set_driver_override(&pdev_sec->dev, "samsung-i2s");
+ if (ret) {
platform_device_put(pdev_sec);
- return -ENOMEM;
+ return ret;
}
ret = platform_device_add(pdev_sec);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 015/342] perf metricgroup: Fix metricgroup__has_metric_or_groups()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 014/342] driver core: platform: use generic driver_override infrastructure Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 016/342] bpf: Release module BTF IDR before module unload Greg Kroah-Hartman
` (343 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Ian Rogers,
Arnaldo Carvalho de Melo, Namhyung Kim, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit 8dd1d9a335321d0829aeb85d8e1a897248d0da29 ]
Use metricgroup__for_each_metric() rather than
pmu_metrics_table__for_each_metric() that combines the
default metric table with, a potentially empty, CPUID table.
Fixes: cee275edcdb1acfd ("perf metricgroup: Don't early exit if no CPUID table exists")
Reviewed-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Ian Rogers <irogers@google.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Tested-by: Leo Yan <leo.yan@arm.com>
Cc: Ian Rogers <irogers@google.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/metricgroup.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/perf/util/metricgroup.c b/tools/perf/util/metricgroup.c
index a21f2d4969c5c..45bb94da97b99 100644
--- a/tools/perf/util/metricgroup.c
+++ b/tools/perf/util/metricgroup.c
@@ -1606,9 +1606,9 @@ bool metricgroup__has_metric_or_groups(const char *pmu, const char *metric_or_gr
.metric_or_groups = metric_or_groups,
};
- return pmu_metrics_table__for_each_metric(table,
- metricgroup__has_metric_or_groups_callback,
- &data)
+ return metricgroup__for_each_metric(table,
+ metricgroup__has_metric_or_groups_callback,
+ &data)
? true : false;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 016/342] bpf: Release module BTF IDR before module unload
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 015/342] perf metricgroup: Fix metricgroup__has_metric_or_groups() Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 017/342] cxl: Adjust the startup priority of cxl_pmem to be higher than that of cxl_acpi Greg Kroah-Hartman
` (342 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin KaFai Lau, Gregory Bell,
Emil Tsalapatis, Kumar Kartikeya Dwivedi, Alexei Starovoitov,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
[ Upstream commit 146bd2a87a65aa407bb17fac70d8d583d19aba06 ]
Gregory reported in [0] that the global_map_resize test when run in
repeatedly ends up failing during program load. This stems from the fact
that BTF reference has not dropped to zero after the previous run's
module is unloaded, and the older module's BTF is still discoverable and
visible. Later, in libbpf, load_module_btfs() will find the ID for this
stale BTF, open its fd, and then it will be used during program load
where later steps taking module reference using btf_try_get_module()
fail since the underlying module for the BTF is gone.
Logically, once a module is unloaded, it's associated BTF artifacts
should become hidden. The BTF object inside the kernel may still remain
alive as long its reference counts are alive, but it should no longer be
discoverable.
To fix this, let us call btf_free_id() from the MODULE_STATE_GOING case
for the module unload to free the BTF associated IDR entry, and disable
its discovery once module unload returns to user space. If a race
happens during unload, the outcome is non-deterministic anyway. However,
user space should be able to rely on the guarantee that once it has
synchronously established a successful module unload, no more stale
artifacts associated with this module can be obtained subsequently.
Note that we must be careful to not invoke btf_free_id() in btf_put()
when btf_is_module() is true now. There could be a window where the
module unload drops a non-terminal reference, frees the IDR, but the
same ID gets reused and the second unconditional btf_free_id() ends up
releasing an unrelated entry.
To avoid a special case for btf_is_module() case, set btf->id to zero to
make btf_free_id() idempotent, such that we can unconditionally invoke it
from btf_put(), and also from the MODULE_STATE_GOING case. Since zero is
an invalid IDR, the idr_remove() should be a noop.
Note that we can be sure that by the time we reach final btf_put() for
btf_is_module() case, the btf_free_id() is already done, since the
module itself holds the BTF reference, and it will call this function
for the BTF before dropping its own reference.
[0]: https://lore.kernel.org/bpf/cover.1773170190.git.grbell@redhat.com
Fixes: 36e68442d1af ("bpf: Load and verify kernel module BTFs")
Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
Suggested-by: Martin KaFai Lau <martin.lau@kernel.org>
Reported-by: Gregory Bell <grbell@redhat.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20260312205307.1346991-1-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/btf.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 0de8fc8a0e0b3..75a5df36f9170 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -1676,7 +1676,16 @@ static void btf_free_id(struct btf *btf)
* of the _bh() version.
*/
spin_lock_irqsave(&btf_idr_lock, flags);
- idr_remove(&btf_idr, btf->id);
+ if (btf->id) {
+ idr_remove(&btf_idr, btf->id);
+ /*
+ * Clear the id here to make this function idempotent, since it will get
+ * called a couple of times for module BTFs: on module unload, and then
+ * the final btf_put(). btf_alloc_id() starts IDs with 1, so we can use
+ * 0 as sentinel value.
+ */
+ WRITE_ONCE(btf->id, 0);
+ }
spin_unlock_irqrestore(&btf_idr_lock, flags);
}
@@ -7995,7 +8004,7 @@ static void bpf_btf_show_fdinfo(struct seq_file *m, struct file *filp)
{
const struct btf *btf = filp->private_data;
- seq_printf(m, "btf_id:\t%u\n", btf->id);
+ seq_printf(m, "btf_id:\t%u\n", READ_ONCE(btf->id));
}
#endif
@@ -8077,7 +8086,7 @@ int btf_get_info_by_fd(const struct btf *btf,
if (copy_from_user(&info, uinfo, info_copy))
return -EFAULT;
- info.id = btf->id;
+ info.id = READ_ONCE(btf->id);
ubtf = u64_to_user_ptr(info.btf);
btf_copy = min_t(u32, btf->data_size, info.btf_size);
if (copy_to_user(ubtf, btf->data, btf_copy))
@@ -8140,7 +8149,7 @@ int btf_get_fd_by_id(u32 id)
u32 btf_obj_id(const struct btf *btf)
{
- return btf->id;
+ return READ_ONCE(btf->id);
}
bool btf_is_kernel(const struct btf *btf)
@@ -8262,6 +8271,13 @@ static int btf_module_notify(struct notifier_block *nb, unsigned long op,
if (btf_mod->module != module)
continue;
+ /*
+ * For modules, we do the freeing of BTF IDR as soon as
+ * module goes away to disable BTF discovery, since the
+ * btf_try_get_module() on such BTFs will fail. This may
+ * be called again on btf_put(), but it's ok to do so.
+ */
+ btf_free_id(btf_mod->btf);
list_del(&btf_mod->list);
if (btf_mod->sysfs_attr)
sysfs_remove_bin_file(btf_kobj, btf_mod->sysfs_attr);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 017/342] cxl: Adjust the startup priority of cxl_pmem to be higher than that of cxl_acpi
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 016/342] bpf: Release module BTF IDR before module unload Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 018/342] bpf: Fix exception exit lock checking for subprogs Greg Kroah-Hartman
` (341 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang Yinfeng, Cui Chao, Dan Williams,
Dave Jiang, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cui Chao <cuichao1753@phytium.com.cn>
[ Upstream commit be5c5280cf2b20e363dc8e2a424dd200a29b1c77 ]
During the cxl_acpi probe process, it checks whether the cxl_nvb device
and driver have been attached. Currently, the startup priority of the
cxl_pmem driver is lower than that of the cxl_acpi driver. At this point,
the cxl_nvb driver has not yet been registered on the cxl_bus, causing
the attachment check to fail. This results in a failure to add the root
nvdimm bridge, leading to a cxl_acpi probe failure and ultimately
affecting the subsequent loading of cxl drivers. As a consequence, only
one mem device object exists on the cxl_bus, while the cxl_port device
objects and decoder device objects are missing.
The solution is to raise the startup priority of cxl_pmem to be higher
than that of cxl_acpi, ensuring that the cxl_pmem driver is registered
before the aforementioned attachment check occurs.
Co-developed-by: Wang Yinfeng <wangyinfeng@phytium.com.cn>
Signed-off-by: Wang Yinfeng <wangyinfeng@phytium.com.cn>
Signed-off-by: Cui Chao <cuichao1753@phytium.com.cn>
Fixes: e7e222ad73d9 ("cxl: Move devm_cxl_add_nvdimm_bridge() to cxl_pmem.ko")
Reviewed-by: Dan Williams <dan.j.williams@intel.com>
Link: https://patch.msgid.link/20260319074535.1709250-1-cuichao1753@phytium.com.cn
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cxl/pmem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/cxl/pmem.c b/drivers/cxl/pmem.c
index c00b84b960761..3432fd83b1e2a 100644
--- a/drivers/cxl/pmem.c
+++ b/drivers/cxl/pmem.c
@@ -554,7 +554,7 @@ static __exit void cxl_pmem_exit(void)
MODULE_DESCRIPTION("CXL PMEM: Persistent Memory Support");
MODULE_LICENSE("GPL v2");
-module_init(cxl_pmem_init);
+subsys_initcall(cxl_pmem_init);
module_exit(cxl_pmem_exit);
MODULE_IMPORT_NS("CXL");
MODULE_ALIAS_CXL(CXL_DEVICE_NVDIMM_BRIDGE);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 018/342] bpf: Fix exception exit lock checking for subprogs
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 017/342] cxl: Adjust the startup priority of cxl_pmem to be higher than that of cxl_acpi Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 019/342] bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN Greg Kroah-Hartman
` (340 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ihor Solodrai, Yonghong Song,
Kumar Kartikeya Dwivedi, Alexei Starovoitov, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ihor Solodrai <ihor.solodrai@linux.dev>
[ Upstream commit 6c2128505f61b504c79a20b89596feba61388112 ]
process_bpf_exit_full() passes check_lock = !curframe to
check_resource_leak(), which is false in cases when bpf_throw() is
called from a static subprog. This makes check_resource_leak() to skip
validation of active_rcu_locks, active_preempt_locks, and
active_irq_id on exception exits from subprogs.
At runtime bpf_throw() unwinds the stack via ORC without releasing any
user-acquired locks, which may cause various issues as the result.
Fix by setting check_lock = true for exception exits regardless of
curframe, since exceptions bypass all intermediate frame
cleanup. Update the error message prefix to "bpf_throw" for exception
exits to distinguish them from normal BPF_EXIT.
Fix reject_subprog_with_rcu_read_lock test which was previously
passing for the wrong reason. Test program returned directly from the
subprog call without closing the RCU section, so the error was
triggered by the unclosed RCU lock on normal exit, not by
bpf_throw. Update __msg annotations for affected tests to match the
new "bpf_throw" error prefix.
The spin_lock case is not affected because they are already checked [1]
at the call site in do_check_insn() before bpf_throw can run.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/verifier.c?h=v7.0-rc4#n21098
Assisted-by: Claude:claude-opus-4-6
Fixes: f18b03fabaa9 ("bpf: Implement BPF exceptions")
Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20260320000809.643798-1-ihor.solodrai@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 3 ++-
tools/testing/selftests/bpf/progs/exceptions_fail.c | 9 ++++++---
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index bf721a1274799..0160c6c28af1f 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -20319,7 +20319,8 @@ static int process_bpf_exit_full(struct bpf_verifier_env *env,
* state when it exits.
*/
int err = check_resource_leak(env, exception_exit,
- !env->cur_state->curframe,
+ exception_exit || !env->cur_state->curframe,
+ exception_exit ? "bpf_throw" :
"BPF_EXIT instruction in main prog");
if (err)
return err;
diff --git a/tools/testing/selftests/bpf/progs/exceptions_fail.c b/tools/testing/selftests/bpf/progs/exceptions_fail.c
index 8a0fdff899271..d7f1c492e3dd3 100644
--- a/tools/testing/selftests/bpf/progs/exceptions_fail.c
+++ b/tools/testing/selftests/bpf/progs/exceptions_fail.c
@@ -8,6 +8,7 @@
#include "bpf_experimental.h"
extern void bpf_rcu_read_lock(void) __ksym;
+extern void bpf_rcu_read_unlock(void) __ksym;
#define private(name) SEC(".bss." #name) __hidden __attribute__((aligned(8)))
@@ -131,7 +132,7 @@ int reject_subprog_with_lock(void *ctx)
}
SEC("?tc")
-__failure __msg("BPF_EXIT instruction in main prog cannot be used inside bpf_rcu_read_lock-ed region")
+__failure __msg("bpf_throw cannot be used inside bpf_rcu_read_lock-ed region")
int reject_with_rcu_read_lock(void *ctx)
{
bpf_rcu_read_lock();
@@ -147,11 +148,13 @@ __noinline static int throwing_subprog(struct __sk_buff *ctx)
}
SEC("?tc")
-__failure __msg("BPF_EXIT instruction in main prog cannot be used inside bpf_rcu_read_lock-ed region")
+__failure __msg("bpf_throw cannot be used inside bpf_rcu_read_lock-ed region")
int reject_subprog_with_rcu_read_lock(void *ctx)
{
bpf_rcu_read_lock();
- return throwing_subprog(ctx);
+ throwing_subprog(ctx);
+ bpf_rcu_read_unlock();
+ return 0;
}
static bool rbless(struct bpf_rb_node *n1, const struct bpf_rb_node *n2)
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 019/342] bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 018/342] bpf: Fix exception exit lock checking for subprogs Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 020/342] bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR Greg Kroah-Hartman
` (339 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yonghong Song, Mykyta Yatsenko,
Jenny Guanni Qu, Alexei Starovoitov, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jenny Guanni Qu <qguanni@gmail.com>
[ Upstream commit c77b30bd1dcb61f66c640ff7d2757816210c7cb0 ]
The BPF interpreter's signed 32-bit division and modulo handlers use
the kernel abs() macro on s32 operands. The abs() macro documentation
(include/linux/math.h) explicitly states the result is undefined when
the input is the type minimum. When DST contains S32_MIN (0x80000000),
abs((s32)DST) triggers undefined behavior and returns S32_MIN unchanged
on arm64/x86. This value is then sign-extended to u64 as
0xFFFFFFFF80000000, causing do_div() to compute the wrong result.
The verifier's abstract interpretation (scalar32_min_max_sdiv) computes
the mathematically correct result for range tracking, creating a
verifier/interpreter mismatch that can be exploited for out-of-bounds
map value access.
Introduce abs_s32() which handles S32_MIN correctly by casting to u32
before negating, avoiding signed overflow entirely. Replace all 8
abs((s32)...) call sites in the interpreter's sdiv32/smod32 handlers.
s32 is the only affected case -- the s64 division/modulo handlers do
not use abs().
Fixes: ec0e2da95f72 ("bpf: Support new signed div/mod instructions.")
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Acked-by: Mykyta Yatsenko <yatsenko@meta.com>
Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
Link: https://lore.kernel.org/r/20260311011116.2108005-2-qguanni@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/core.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 1b32333d8f8c6..5a56bc2ab900d 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -1754,6 +1754,12 @@ bool bpf_opcode_in_insntable(u8 code)
}
#ifndef CONFIG_BPF_JIT_ALWAYS_ON
+/* Absolute value of s32 without undefined behavior for S32_MIN */
+static u32 abs_s32(s32 x)
+{
+ return x >= 0 ? (u32)x : -(u32)x;
+}
+
/**
* ___bpf_prog_run - run eBPF program on a given context
* @regs: is the array of MAX_BPF_EXT_REG eBPF pseudo-registers
@@ -1918,8 +1924,8 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn)
DST = do_div(AX, (u32) SRC);
break;
case 1:
- AX = abs((s32)DST);
- AX = do_div(AX, abs((s32)SRC));
+ AX = abs_s32((s32)DST);
+ AX = do_div(AX, abs_s32((s32)SRC));
if ((s32)DST < 0)
DST = (u32)-AX;
else
@@ -1946,8 +1952,8 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn)
DST = do_div(AX, (u32) IMM);
break;
case 1:
- AX = abs((s32)DST);
- AX = do_div(AX, abs((s32)IMM));
+ AX = abs_s32((s32)DST);
+ AX = do_div(AX, abs_s32((s32)IMM));
if ((s32)DST < 0)
DST = (u32)-AX;
else
@@ -1973,8 +1979,8 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn)
DST = (u32) AX;
break;
case 1:
- AX = abs((s32)DST);
- do_div(AX, abs((s32)SRC));
+ AX = abs_s32((s32)DST);
+ do_div(AX, abs_s32((s32)SRC));
if (((s32)DST < 0) == ((s32)SRC < 0))
DST = (u32)AX;
else
@@ -2000,8 +2006,8 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn)
DST = (u32) AX;
break;
case 1:
- AX = abs((s32)DST);
- do_div(AX, abs((s32)IMM));
+ AX = abs_s32((s32)DST);
+ do_div(AX, abs_s32((s32)IMM));
if (((s32)DST < 0) == ((s32)IMM < 0))
DST = (u32)AX;
else
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 020/342] bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 019/342] bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 021/342] tracing: Revert "tracing: Remove pid in task_rename tracing output" Greg Kroah-Hartman
` (338 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Wade, Amery Hung,
Eduard Zingerman, Alexei Starovoitov, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Wade <danjwade95@gmail.com>
[ Upstream commit c845894ebd6fb43226b3118d6b017942550910c5 ]
maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the
source operand is a constant. When dst has signed range [-1, 0], it
forks the verifier state: the pushed path gets dst = 0, the current
path gets dst = -1.
For BPF_AND this is correct: 0 & K == 0.
For BPF_OR this is wrong: 0 | K == K, not 0.
The pushed path therefore tracks dst as 0 when the runtime value is K,
producing an exploitable verifier/runtime divergence that allows
out-of-bounds map access.
Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to
push_stack(), so the pushed path re-executes the ALU instruction with
dst = 0 and naturally computes the correct result for any opcode.
Fixes: bffacdb80b93 ("bpf: Recognize special arithmetic shift in the verifier")
Signed-off-by: Daniel Wade <danjwade95@gmail.com>
Reviewed-by: Amery Hung <ameryhung@gmail.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20260314021521.128361-2-danjwade95@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 0160c6c28af1f..ea312acf7d482 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -15593,7 +15593,7 @@ static int maybe_fork_scalars(struct bpf_verifier_env *env, struct bpf_insn *ins
else
return 0;
- branch = push_stack(env, env->insn_idx + 1, env->insn_idx, false);
+ branch = push_stack(env, env->insn_idx, env->insn_idx, false);
if (IS_ERR(branch))
return PTR_ERR(branch);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 021/342] tracing: Revert "tracing: Remove pid in task_rename tracing output"
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 020/342] bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 022/342] platform/x86: hp-wmi: Add Omen 16-wf0xxx fan and thermal support Greg Kroah-Hartman
` (337 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, mhiramat, mathieu.desnoyers, elver,
kees, Guohua Yan, Xuewen Yan, Steven Rostedt (Google),
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xuewen Yan <xuewen.yan@unisoc.com>
[ Upstream commit a6f22e50c7d51aa225c392c62c33f0fae11f734d ]
This reverts commit e3f6a42272e028c46695acc83fc7d7c42f2750ad.
The commit says that the tracepoint only deals with the current task,
however the following case is not current task:
comm_write() {
p = get_proc_task(inode);
if (!p)
return -ESRCH;
if (same_thread_group(current, p))
set_task_comm(p, buffer);
}
where set_task_comm() calls __set_task_comm() which records
the update of p and not current.
So revert the patch to show pid.
Cc: <mhiramat@kernel.org>
Cc: <mathieu.desnoyers@efficios.com>
Cc: <elver@google.com>
Cc: <kees@kernel.org>
Link: https://patch.msgid.link/20260306075954.4533-1-xuewen.yan@unisoc.com
Fixes: e3f6a42272e0 ("tracing: Remove pid in task_rename tracing output")
Reported-by: Guohua Yan <guohua.yan@unisoc.com>
Signed-off-by: Xuewen Yan <xuewen.yan@unisoc.com>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/task.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/include/trace/events/task.h b/include/trace/events/task.h
index 4f0759634306c..b9a129eb54d9e 100644
--- a/include/trace/events/task.h
+++ b/include/trace/events/task.h
@@ -38,19 +38,22 @@ TRACE_EVENT(task_rename,
TP_ARGS(task, comm),
TP_STRUCT__entry(
+ __field( pid_t, pid)
__array( char, oldcomm, TASK_COMM_LEN)
__array( char, newcomm, TASK_COMM_LEN)
__field( short, oom_score_adj)
),
TP_fast_assign(
+ __entry->pid = task->pid;
memcpy(entry->oldcomm, task->comm, TASK_COMM_LEN);
strscpy(entry->newcomm, comm, TASK_COMM_LEN);
__entry->oom_score_adj = task->signal->oom_score_adj;
),
- TP_printk("oldcomm=%s newcomm=%s oom_score_adj=%hd",
- __entry->oldcomm, __entry->newcomm, __entry->oom_score_adj)
+ TP_printk("pid=%d oldcomm=%s newcomm=%s oom_score_adj=%hd",
+ __entry->pid, __entry->oldcomm,
+ __entry->newcomm, __entry->oom_score_adj)
);
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 022/342] platform/x86: hp-wmi: Add Omen 16-wf0xxx fan and thermal support
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 021/342] tracing: Revert "tracing: Remove pid in task_rename tracing output" Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 023/342] HID: asus: avoid memory leak in asus_report_fixup() Greg Kroah-Hartman
` (336 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Noah Provenzano, Juan Martin Morales,
Krishna Chomal, Ilpo Järvinen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krishna Chomal <krishna.chomal108@gmail.com>
[ Upstream commit 13fa3aaf02edaad9b41fc61d7f6326d2b6a4bf80 ]
The HP Omen 16-wf0xxx (board ID: 8BAB) has the same WMI interface as
other Victus S boards, but requires quirks for correctly switching
thermal profile (similar to HP Omen 16-wf1xxx, board ID: 8C78).
Add the DMI board name to victus_s_thermal_profile_boards[] table and
map it to omen_v1_thermal_params.
Testing on HP Omen 16-wf0xxx confirmed that platform profile is
registered successfully and fan RPMs are readable and controllable.
Suggested-by: Noah Provenzano <noahpro@gmail.com>
Tested-by: Juan Martin Morales <juanm4morales@gmail.com>
Reported-by: Juan Martin Morales <juanm4morales@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220639
Signed-off-by: Krishna Chomal <krishna.chomal108@gmail.com>
Link: https://patch.msgid.link/20260216072003.90151-1-krishna.chomal108@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/hp/hp-wmi.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/platform/x86/hp/hp-wmi.c b/drivers/platform/x86/hp/hp-wmi.c
index 24d065ddfc6ae..9fcc18635e4e7 100644
--- a/drivers/platform/x86/hp/hp-wmi.c
+++ b/drivers/platform/x86/hp/hp-wmi.c
@@ -160,6 +160,10 @@ static const char * const victus_thermal_profile_boards[] = {
/* DMI Board names of Victus 16-r and Victus 16-s laptops */
static const struct dmi_system_id victus_s_thermal_profile_boards[] __initconst = {
+ {
+ .matches = { DMI_MATCH(DMI_BOARD_NAME, "8BAB") },
+ .driver_data = (void *)&omen_v1_thermal_params,
+ },
{
.matches = { DMI_MATCH(DMI_BOARD_NAME, "8BBE") },
.driver_data = (void *)&victus_s_thermal_params,
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 023/342] HID: asus: avoid memory leak in asus_report_fixup()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 022/342] platform/x86: hp-wmi: Add Omen 16-wf0xxx fan and thermal support Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 024/342] platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to dmi_vgbs_allow_list Greg Kroah-Hartman
` (335 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack,
Benjamin Tissoires, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Günther Noack <gnoack@google.com>
[ Upstream commit 2bad24c17742fc88973d6aea526ce1353f5334a3 ]
The asus_report_fixup() function was returning a newly allocated
kmemdup()-allocated buffer, but never freeing it. Switch to
devm_kzalloc() to ensure the memory is managed and freed automatically
when the device is removed.
The caller of report_fixup() does not take ownership of the returned
pointer, but it is permitted to return a pointer whose lifetime is at
least that of the input buffer.
Also fix a harmless out-of-bounds read by copying only the original
descriptor size.
Assisted-by: Gemini-CLI:Google Gemini 3
Signed-off-by: Günther Noack <gnoack@google.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-asus.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index 472bca54642b9..8487332bf43b0 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -1306,14 +1306,21 @@ static const __u8 *asus_report_fixup(struct hid_device *hdev, __u8 *rdesc,
*/
if (*rsize == rsize_orig &&
rdesc[offs] == 0x09 && rdesc[offs + 1] == 0x76) {
- *rsize = rsize_orig + 1;
- rdesc = kmemdup(rdesc, *rsize, GFP_KERNEL);
- if (!rdesc)
- return NULL;
+ __u8 *new_rdesc;
+
+ new_rdesc = devm_kzalloc(&hdev->dev, rsize_orig + 1,
+ GFP_KERNEL);
+ if (!new_rdesc)
+ return rdesc;
hid_info(hdev, "Fixing up %s keyb report descriptor\n",
drvdata->quirks & QUIRK_T100CHI ?
"T100CHI" : "T90CHI");
+
+ memcpy(new_rdesc, rdesc, rsize_orig);
+ *rsize = rsize_orig + 1;
+ rdesc = new_rdesc;
+
memmove(rdesc + offs + 4, rdesc + offs + 2, 12);
rdesc[offs] = 0x19;
rdesc[offs + 1] = 0x00;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 024/342] platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to dmi_vgbs_allow_list
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 023/342] HID: asus: avoid memory leak in asus_report_fixup() Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 025/342] nvme-pci: cap queue creation to used queues Greg Kroah-Hartman
` (334 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Metz, Hans de Goede,
Ilpo Järvinen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Metz <peter.metz@unarin.com>
[ Upstream commit 6b3fa0615cd8432148581de62a52f83847af3d70 ]
The Dell 14 Plus 2-in-1 (model DB04250) requires the VGBS allow list
entry to correctly enable the tablet mode switch. Without this, the
chassis state is not reported, and the hinge rotation only emits
unknown scancodes.
Verified on Dell 14 Plus 2-in-1 DB04250.
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221090
Signed-off-by: Peter Metz <peter.metz@unarin.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20260213044627.203638-1-peter.metz@unarin.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel/hid.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/platform/x86/intel/hid.c b/drivers/platform/x86/intel/hid.c
index 560cc063198e1..5b475a09645a3 100644
--- a/drivers/platform/x86/intel/hid.c
+++ b/drivers/platform/x86/intel/hid.c
@@ -189,6 +189,12 @@ static const struct dmi_system_id dmi_vgbs_allow_list[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "Dell Pro Rugged 12 Tablet RA02260"),
},
},
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Dell 14 Plus 2-in-1 DB04250"),
+ },
+ },
{ }
};
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 025/342] nvme-pci: cap queue creation to used queues
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 024/342] platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to dmi_vgbs_allow_list Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 026/342] nvme-fabrics: use kfree_sensitive() for DHCHAP secrets Greg Kroah-Hartman
` (333 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kanchan Joshi, Christoph Hellwig,
Keith Busch, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit 4735b510a00fb2d4ac9e8d21a8c9552cb281f585 ]
If the user reduces the special queue count at runtime and resets the
controller, we need to reduce the number of queues and interrupts
requested accordingly rather than start with the pre-allocated queue
count.
Tested-by: Kanchan Joshi <joshi.k@samsung.com>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 3c83076a57e57..a5eab31c1bb7a 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -2778,7 +2778,13 @@ static int nvme_setup_io_queues(struct nvme_dev *dev)
dev->nr_write_queues = write_queues;
dev->nr_poll_queues = poll_queues;
- nr_io_queues = dev->nr_allocated_queues - 1;
+ /*
+ * The initial number of allocated queue slots may be too large if the
+ * user reduced the special queue parameters. Cap the value to the
+ * number we need for this round.
+ */
+ nr_io_queues = min(nvme_max_io_queues(dev),
+ dev->nr_allocated_queues - 1);
result = nvme_set_queue_count(&dev->ctrl, &nr_io_queues);
if (result < 0)
return result;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 026/342] nvme-fabrics: use kfree_sensitive() for DHCHAP secrets
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 025/342] nvme-pci: cap queue creation to used queues Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 027/342] platform/x86: hp-wmi: Add Omen 16-xd0xxx fan and thermal support Greg Kroah-Hartman
` (332 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Daniel Hodges,
Keith Busch, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Hodges <hodgesd@meta.com>
[ Upstream commit 0a1fc2f301529ac75aec0ce80d5ab9d9e4dc4b16 ]
The DHCHAP secrets (dhchap_secret and dhchap_ctrl_secret) contain
authentication key material for NVMe-oF. Use kfree_sensitive() instead
of kfree() in nvmf_free_options() to ensure secrets are zeroed before
the memory is freed, preventing recovery from freed pages.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Daniel Hodges <hodgesd@meta.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/fabrics.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c
index 55a8afd2efd50..d37cb140d8323 100644
--- a/drivers/nvme/host/fabrics.c
+++ b/drivers/nvme/host/fabrics.c
@@ -1290,8 +1290,8 @@ void nvmf_free_options(struct nvmf_ctrl_options *opts)
kfree(opts->subsysnqn);
kfree(opts->host_traddr);
kfree(opts->host_iface);
- kfree(opts->dhchap_secret);
- kfree(opts->dhchap_ctrl_secret);
+ kfree_sensitive(opts->dhchap_secret);
+ kfree_sensitive(opts->dhchap_ctrl_secret);
kfree(opts);
}
EXPORT_SYMBOL_GPL(nvmf_free_options);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 027/342] platform/x86: hp-wmi: Add Omen 16-xd0xxx fan and thermal support
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 026/342] nvme-fabrics: use kfree_sensitive() for DHCHAP secrets Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 028/342] platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold 16 Gen 1 Greg Kroah-Hartman
` (331 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Varad Amol Pisale, Krishna Chomal,
Ilpo Järvinen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krishna Chomal <krishna.chomal108@gmail.com>
[ Upstream commit 3c99a545b372c77b5d39715968a141f523eccbf2 ]
The HP Omen 16-xd0xxx (board ID: 8BCD) has the same WMI interface as
other Victus S boards, but requires quirks for correctly switching
thermal profile (similar to HP Omen 16-wf1xxx, board ID: 8C78).
Add the DMI board name to victus_s_thermal_profile_boards[] table and
map it to omen_v1_thermal_params.
Testing on HP Omen 16-xd0xxx confirmed that platform profile is
registered successfully and fan RPMs are readable and controllable.
Tested-by: Varad Amol Pisale <varadpisale.work@gmail.com>
Signed-off-by: Krishna Chomal <krishna.chomal108@gmail.com>
Link: https://patch.msgid.link/20260218050235.94687-1-krishna.chomal108@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/hp/hp-wmi.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/platform/x86/hp/hp-wmi.c b/drivers/platform/x86/hp/hp-wmi.c
index 9fcc18635e4e7..bc550da031fa1 100644
--- a/drivers/platform/x86/hp/hp-wmi.c
+++ b/drivers/platform/x86/hp/hp-wmi.c
@@ -168,6 +168,10 @@ static const struct dmi_system_id victus_s_thermal_profile_boards[] __initconst
.matches = { DMI_MATCH(DMI_BOARD_NAME, "8BBE") },
.driver_data = (void *)&victus_s_thermal_params,
},
+ {
+ .matches = { DMI_MATCH(DMI_BOARD_NAME, "8BCD") },
+ .driver_data = (void *)&omen_v1_thermal_params,
+ },
{
.matches = { DMI_MATCH(DMI_BOARD_NAME, "8BD4") },
.driver_data = (void *)&victus_s_thermal_params,
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 028/342] platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold 16 Gen 1
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 027/342] platform/x86: hp-wmi: Add Omen 16-xd0xxx fan and thermal support Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 029/342] platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix touchscreen on SUPI S10 Greg Kroah-Hartman
` (330 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leif Skunberg, Hans de Goede,
Ilpo Järvinen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leif Skunberg <diamondback@cohunt.app>
[ Upstream commit b38d478dad79e61e8a65931021bdfd7a71741212 ]
The Lenovo ThinkPad X1 Fold 16 Gen 1 has physical volume up/down
buttons that are handled through the intel-hid 5-button array
interface. The firmware does not advertise 5-button array support via
HEBC, so the driver relies on a DMI allowlist to enable it.
Add the ThinkPad X1 Fold 16 Gen 1 to the button_array_table so the
volume buttons work out of the box.
Signed-off-by: Leif Skunberg <diamondback@cohunt.app>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20260210085625.34380-1-diamondback@cohunt.app
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel/hid.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/platform/x86/intel/hid.c b/drivers/platform/x86/intel/hid.c
index 5b475a09645a3..f2b309f6e458a 100644
--- a/drivers/platform/x86/intel/hid.c
+++ b/drivers/platform/x86/intel/hid.c
@@ -135,6 +135,13 @@ static const struct dmi_system_id button_array_table[] = {
DMI_MATCH(DMI_PRODUCT_FAMILY, "ThinkPad X1 Tablet Gen 2"),
},
},
+ {
+ .ident = "Lenovo ThinkPad X1 Fold 16 Gen 1",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_FAMILY, "ThinkPad X1 Fold 16 Gen 1"),
+ },
+ },
{
.ident = "Microsoft Surface Go 3",
.matches = {
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 029/342] platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix touchscreen on SUPI S10
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 028/342] platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold 16 Gen 1 Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 030/342] platform/x86: hp-wmi: add Omen 14-fb1xxx (board 8E41) support Greg Kroah-Hartman
` (329 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yajat Kumar, Hans de Goede,
Ilpo Järvinen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <johannes.goede@oss.qualcomm.com>
[ Upstream commit 7d87ed70fc95482c12edf9493c249b6413be485e ]
The touchscreen on the SUPI S10 tablet reports inverted Y coordinates,
causing touch input to be mirrored vertically relative to the display.
Add a quirk to set the "touchscreen-inverted-y" boolean device-property
on the touchscreen device, so that the goodix_ts driver will fixup
the coordinates.
Reported-by: Yajat Kumar <yajatapps3@gmail.com>
Closes: https://lore.kernel.org/linux-input/20251230221639.582406-1-yajatapps3@gmail.com/
Tested-by: Yajat Kumar <yajatapps3@gmail.com>
Signed-off-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20260217132346.34535-1-johannes.goede@oss.qualcomm.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/touchscreen_dmi.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c
index bdc19cd8d3edf..d83c387821ea1 100644
--- a/drivers/platform/x86/touchscreen_dmi.c
+++ b/drivers/platform/x86/touchscreen_dmi.c
@@ -410,6 +410,16 @@ static const struct ts_dmi_data gdix1002_upside_down_data = {
.properties = gdix1001_upside_down_props,
};
+static const struct property_entry gdix1001_y_inverted_props[] = {
+ PROPERTY_ENTRY_BOOL("touchscreen-inverted-y"),
+ { }
+};
+
+static const struct ts_dmi_data gdix1001_y_inverted_data = {
+ .acpi_name = "GDIX1001",
+ .properties = gdix1001_y_inverted_props,
+};
+
static const struct property_entry gp_electronic_t701_props[] = {
PROPERTY_ENTRY_U32("touchscreen-size-x", 960),
PROPERTY_ENTRY_U32("touchscreen-size-y", 640),
@@ -1658,6 +1668,14 @@ const struct dmi_system_id touchscreen_dmi_table[] = {
DMI_MATCH(DMI_PRODUCT_SKU, "PN20170413488"),
},
},
+ {
+ /* SUPI S10 */
+ .driver_data = (void *)&gdix1001_y_inverted_data,
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "SUPI"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "S10"),
+ },
+ },
{
/* Techbite Arc 11.6 */
.driver_data = (void *)&techbite_arc_11_6_data,
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 030/342] platform/x86: hp-wmi: add Omen 14-fb1xxx (board 8E41) support
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 029/342] platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix touchscreen on SUPI S10 Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 031/342] nvme-pci: ensure were polling a polled queue Greg Kroah-Hartman
` (328 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anton Plotnikov <plotnikovanton@gmail.com>
[ Upstream commit 729ffcffa73069cb066fd54a2bc7b09e5f782d48 ]
Reverse engineering of the HP Omen Windows utility shows that for performance
mode it uses the same codes listed in hp_thermal_profile_omen_v1. Therefore it
seems sufficient to add the board model name to omen_thermal_profile_boards.
Tested on Omen 14-fb1xxx: CPU power in performance profile reaches the Windows
limit (65W), instead of 45W in automatic BIOS mode. Max fan speed was reached
as well.
Link: https://patch.msgid.link/20260203164832.40514-1-plotnikovanton@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/hp/hp-wmi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/platform/x86/hp/hp-wmi.c b/drivers/platform/x86/hp/hp-wmi.c
index bc550da031fa1..ec87fd96686cf 100644
--- a/drivers/platform/x86/hp/hp-wmi.c
+++ b/drivers/platform/x86/hp/hp-wmi.c
@@ -133,6 +133,7 @@ static const char * const omen_thermal_profile_boards[] = {
"8900", "8901", "8902", "8912", "8917", "8918", "8949", "894A", "89EB",
"8A15", "8A42",
"8BAD",
+ "8E41",
};
/* DMI Board names of Omen laptops that are specifically set to be thermal
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 031/342] nvme-pci: ensure were polling a polled queue
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 030/342] platform/x86: hp-wmi: add Omen 14-fb1xxx (board 8E41) support Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 032/342] HID: magicmouse: fix battery reporting for Apple Magic Trackpad 2 Greg Kroah-Hartman
` (327 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Kanchan Joshi,
Keith Busch, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit 166e31d7dbf6aa44829b98aa446bda5c9580f12a ]
A user can change the polled queue count at run time. There's a brief
window during a reset where a hipri task may try to poll that queue
before the block layer has updated the queue maps, which would race with
the now interrupt driven queue and may cause double completions.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index a5eab31c1bb7a..f6d4f5910bdbc 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1501,7 +1501,8 @@ static int nvme_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob)
struct nvme_queue *nvmeq = hctx->driver_data;
bool found;
- if (!nvme_cqe_pending(nvmeq))
+ if (!test_bit(NVMEQ_POLLED, &nvmeq->flags) ||
+ !nvme_cqe_pending(nvmeq))
return 0;
spin_lock(&nvmeq->cq_poll_lock);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 032/342] HID: magicmouse: fix battery reporting for Apple Magic Trackpad 2
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 031/342] nvme-pci: ensure were polling a polled queue Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 033/342] HID: magicmouse: avoid memory leak in magicmouse_report_fixup() Greg Kroah-Hartman
` (326 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Julius Lehmann, Jiri Kosina,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julius Lehmann <lehmanju@devpi.de>
[ Upstream commit 5f3518d77419255f8b12bb23c8ec22acbeb6bc5b ]
Battery reporting does not work for the Apple Magic Trackpad 2 if it is
connected via USB. The current hid descriptor fixup code checks for a
hid descriptor length of exactly 83 bytes. If the hid descriptor is
larger, which is the case for newer apple mice, the fixup is not
applied.
This fix checks for hid descriptor sizes greater/equal 83 bytes which
applies the fixup for newer devices as well.
Signed-off-by: Julius Lehmann <lehmanju@devpi.de>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-magicmouse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
index 91f621ceb924b..f4cf29c2e8330 100644
--- a/drivers/hid/hid-magicmouse.c
+++ b/drivers/hid/hid-magicmouse.c
@@ -990,7 +990,7 @@ static const __u8 *magicmouse_report_fixup(struct hid_device *hdev, __u8 *rdesc,
*/
if ((is_usb_magicmouse2(hdev->vendor, hdev->product) ||
is_usb_magictrackpad2(hdev->vendor, hdev->product)) &&
- *rsize == 83 && rdesc[46] == 0x84 && rdesc[58] == 0x85) {
+ *rsize >= 83 && rdesc[46] == 0x84 && rdesc[58] == 0x85) {
hid_info(hdev,
"fixing up magicmouse battery report descriptor\n");
*rsize = *rsize - 1;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 033/342] HID: magicmouse: avoid memory leak in magicmouse_report_fixup()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 032/342] HID: magicmouse: fix battery reporting for Apple Magic Trackpad 2 Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 034/342] platform/x86: hp-wmi: Add Victus 16-d0xxx support Greg Kroah-Hartman
` (325 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack,
Benjamin Tissoires, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Günther Noack <gnoack@google.com>
[ Upstream commit 91e8c6e601bdc1ccdf886479b6513c01c7e51c2c ]
The magicmouse_report_fixup() function was returning a
newly kmemdup()-allocated buffer, but never freeing it.
The caller of report_fixup() does not take ownership of the returned
pointer, but it *is* permitted to return a sub-portion of the input
rdesc, whose lifetime is managed by the caller.
Assisted-by: Gemini-CLI:Google Gemini 3
Signed-off-by: Günther Noack <gnoack@google.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-magicmouse.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
index f4cf29c2e8330..9eadf3252d0dc 100644
--- a/drivers/hid/hid-magicmouse.c
+++ b/drivers/hid/hid-magicmouse.c
@@ -994,9 +994,7 @@ static const __u8 *magicmouse_report_fixup(struct hid_device *hdev, __u8 *rdesc,
hid_info(hdev,
"fixing up magicmouse battery report descriptor\n");
*rsize = *rsize - 1;
- rdesc = kmemdup(rdesc + 1, *rsize, GFP_KERNEL);
- if (!rdesc)
- return NULL;
+ rdesc = rdesc + 1;
rdesc[0] = 0x05;
rdesc[1] = 0x01;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 034/342] platform/x86: hp-wmi: Add Victus 16-d0xxx support
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 033/342] HID: magicmouse: avoid memory leak in magicmouse_report_fixup() Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 035/342] HID: intel-ish-hid: ipc: Add Nova Lake-H/S PCI device IDs Greg Kroah-Hartman
` (324 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Victor Lattaro Volpini,
Ilpo Järvinen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Lattaro Volpini <victorlattaro@proton.me>
[ Upstream commit 249f05e625c6e6c14b27fd34a2f06a1afb9b456d ]
This patch enables Victus thermal profile support for the HP
Victus 16-d0xxx. It does so by adding model's DMI board name 88F8 to
victus_thermal_profile_boards.
Tested on a Victus 16-d0xxx:
- Victus thermal profile choices available (quiet, balanced, performance)
instead of the default ones (cool, quiet, balanced, performance);
- Profile switching works correctly;
- About 4% increase in FPS using benchmark Cyberpunk 2077 on
performance profile;
- No noticeable regressions.
Signed-off-by: Victor Lattaro Volpini <victorlattaro@proton.me>
Link: https://patch.msgid.link/20260210000048.250280-1-victorlattaro@proton.me
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/hp/hp-wmi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/hp/hp-wmi.c b/drivers/platform/x86/hp/hp-wmi.c
index ec87fd96686cf..e3a7ac2485d68 100644
--- a/drivers/platform/x86/hp/hp-wmi.c
+++ b/drivers/platform/x86/hp/hp-wmi.c
@@ -154,8 +154,9 @@ static const char * const omen_timed_thermal_profile_boards[] = {
"8BAD",
};
-/* DMI Board names of Victus 16-d1xxx laptops */
+/* DMI Board names of Victus 16-d laptops */
static const char * const victus_thermal_profile_boards[] = {
+ "88F8",
"8A25",
};
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 035/342] HID: intel-ish-hid: ipc: Add Nova Lake-H/S PCI device IDs
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 034/342] platform/x86: hp-wmi: Add Victus 16-d0xxx support Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 036/342] platform/x86: oxpec: Add support for OneXPlayer APEX Greg Kroah-Hartman
` (323 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Lixu, Andy Shevchenko,
Srinivas Pandruvada, Jiri Kosina, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Lixu <lixu.zhang@intel.com>
[ Upstream commit 22f8bcec5aeb05104b3eaa950cb5a345e95f0aa8 ]
Add device IDs of Nova Lake-H and Nova Lake-S into ishtp support list.
Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/intel-ish-hid/ipc/hw-ish.h | 2 ++
drivers/hid/intel-ish-hid/ipc/pci-ish.c | 12 ++++++++++++
2 files changed, 14 insertions(+)
diff --git a/drivers/hid/intel-ish-hid/ipc/hw-ish.h b/drivers/hid/intel-ish-hid/ipc/hw-ish.h
index fa5d68c363134..27389971b96cc 100644
--- a/drivers/hid/intel-ish-hid/ipc/hw-ish.h
+++ b/drivers/hid/intel-ish-hid/ipc/hw-ish.h
@@ -39,6 +39,8 @@
#define PCI_DEVICE_ID_INTEL_ISH_PTL_H 0xE345
#define PCI_DEVICE_ID_INTEL_ISH_PTL_P 0xE445
#define PCI_DEVICE_ID_INTEL_ISH_WCL 0x4D45
+#define PCI_DEVICE_ID_INTEL_ISH_NVL_H 0xD354
+#define PCI_DEVICE_ID_INTEL_ISH_NVL_S 0x6E78
#define REVISION_ID_CHT_A0 0x6
#define REVISION_ID_CHT_Ax_SI 0x0
diff --git a/drivers/hid/intel-ish-hid/ipc/pci-ish.c b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
index 1612e8cb23f0c..ed3405c05e73c 100644
--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c
+++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
@@ -28,11 +28,15 @@ enum ishtp_driver_data_index {
ISHTP_DRIVER_DATA_LNL_M,
ISHTP_DRIVER_DATA_PTL,
ISHTP_DRIVER_DATA_WCL,
+ ISHTP_DRIVER_DATA_NVL_H,
+ ISHTP_DRIVER_DATA_NVL_S,
};
#define ISH_FW_GEN_LNL_M "lnlm"
#define ISH_FW_GEN_PTL "ptl"
#define ISH_FW_GEN_WCL "wcl"
+#define ISH_FW_GEN_NVL_H "nvlh"
+#define ISH_FW_GEN_NVL_S "nvls"
#define ISH_FIRMWARE_PATH(gen) "intel/ish/ish_" gen ".bin"
#define ISH_FIRMWARE_PATH_ALL "intel/ish/ish_*.bin"
@@ -47,6 +51,12 @@ static struct ishtp_driver_data ishtp_driver_data[] = {
[ISHTP_DRIVER_DATA_WCL] = {
.fw_generation = ISH_FW_GEN_WCL,
},
+ [ISHTP_DRIVER_DATA_NVL_H] = {
+ .fw_generation = ISH_FW_GEN_NVL_H,
+ },
+ [ISHTP_DRIVER_DATA_NVL_S] = {
+ .fw_generation = ISH_FW_GEN_NVL_S,
+ },
};
static const struct pci_device_id ish_pci_tbl[] = {
@@ -76,6 +86,8 @@ static const struct pci_device_id ish_pci_tbl[] = {
{PCI_DEVICE_DATA(INTEL, ISH_PTL_H, ISHTP_DRIVER_DATA_PTL)},
{PCI_DEVICE_DATA(INTEL, ISH_PTL_P, ISHTP_DRIVER_DATA_PTL)},
{PCI_DEVICE_DATA(INTEL, ISH_WCL, ISHTP_DRIVER_DATA_WCL)},
+ {PCI_DEVICE_DATA(INTEL, ISH_NVL_H, ISHTP_DRIVER_DATA_NVL_H)},
+ {PCI_DEVICE_DATA(INTEL, ISH_NVL_S, ISHTP_DRIVER_DATA_NVL_S)},
{}
};
MODULE_DEVICE_TABLE(pci, ish_pci_tbl);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 036/342] platform/x86: oxpec: Add support for OneXPlayer APEX
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 035/342] HID: intel-ish-hid: ipc: Add Nova Lake-H/S PCI device IDs Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 037/342] HID: apple: Add EPOMAKER TH87 to the non-apple keyboards list Greg Kroah-Hartman
` (322 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antheas Kapenekakis,
Ilpo Järvinen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antheas Kapenekakis <lkml@antheas.dev>
[ Upstream commit 3385ea97c14d271dcb0c6e6fcf16972f819eecd8 ]
OneXPlayer Apex is a new Strix Halo handheld. It uses the same registers
as the OneXPlayer Fly devices. Add a quirk for it to the oxpec driver.
Signed-off-by: Antheas Kapenekakis <lkml@antheas.dev>
Link: https://patch.msgid.link/20260223183004.2696892-2-lkml@antheas.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/oxpec.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/oxpec.c b/drivers/platform/x86/oxpec.c
index 144a454103b93..59d6f9d9a9052 100644
--- a/drivers/platform/x86/oxpec.c
+++ b/drivers/platform/x86/oxpec.c
@@ -11,7 +11,7 @@
*
* Copyright (C) 2022 Joaquín I. Aramendía <samsagax@gmail.com>
* Copyright (C) 2024 Derek J. Clark <derekjohn.clark@gmail.com>
- * Copyright (C) 2025 Antheas Kapenekakis <lkml@antheas.dev>
+ * Copyright (C) 2025-2026 Antheas Kapenekakis <lkml@antheas.dev>
*/
#include <linux/acpi.h>
@@ -142,6 +142,13 @@ static const struct dmi_system_id dmi_table[] = {
},
.driver_data = (void *)oxp_2,
},
+ {
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ONE-NETBOOK"),
+ DMI_EXACT_MATCH(DMI_BOARD_NAME, "ONEXPLAYER APEX"),
+ },
+ .driver_data = (void *)oxp_fly,
+ },
{
.matches = {
DMI_MATCH(DMI_BOARD_VENDOR, "ONE-NETBOOK"),
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 037/342] HID: apple: Add EPOMAKER TH87 to the non-apple keyboards list
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 036/342] platform/x86: oxpec: Add support for OneXPlayer APEX Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 038/342] platform/x86: oxpec: Add support for OneXPlayer X1z Greg Kroah-Hartman
` (321 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Jiri Kosina,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 7c698de0dc5daa1e1a5fd1f0c6aa1b6bb2f5d867 ]
EPOMAKER TH87 has the very same ID as Apple Aluminum keyboard
(05ac:024f) although it doesn't work as expected in compatible way.
Put three entries to the non-apple keyboards list to exclude this
device: one for BT ("TH87"), one for USB ("HFD Epomaker TH87") and one
for dongle ("2.4G Wireless Receiver").
Link: https://bugzilla.suse.com/show_bug.cgi?id=1258455
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-apple.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
index 233e367cce1d1..2f9a2e07c4263 100644
--- a/drivers/hid/hid-apple.c
+++ b/drivers/hid/hid-apple.c
@@ -365,6 +365,9 @@ static const struct apple_non_apple_keyboard non_apple_keyboards[] = {
{ "A3R" },
{ "hfd.cn" },
{ "WKB603" },
+ { "TH87" }, /* EPOMAKER TH87 BT mode */
+ { "HFD Epomaker TH87" }, /* EPOMAKER TH87 USB mode */
+ { "2.4G Wireless Receiver" }, /* EPOMAKER TH87 dongle */
};
static bool apple_is_non_apple_keyboard(struct hid_device *hdev)
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 038/342] platform/x86: oxpec: Add support for OneXPlayer X1z
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 037/342] HID: apple: Add EPOMAKER TH87 to the non-apple keyboards list Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 039/342] net: usb: r8152: add TRENDnet TUC-ET2G Greg Kroah-Hartman
` (320 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antheas Kapenekakis,
Ilpo Järvinen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antheas Kapenekakis <lkml@antheas.dev>
[ Upstream commit 4049c46edb5d44c0de045f6f504371705dd603dd ]
X1z is a variant of OneXPlayer X1 A with 8840U. It seems that only one
user has this one. Add a quirk for it to the oxpec driver.
Signed-off-by: Antheas Kapenekakis <lkml@antheas.dev>
Link: https://patch.msgid.link/20260223183004.2696892-3-lkml@antheas.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/oxpec.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/platform/x86/oxpec.c b/drivers/platform/x86/oxpec.c
index 59d6f9d9a9052..623d9a452c469 100644
--- a/drivers/platform/x86/oxpec.c
+++ b/drivers/platform/x86/oxpec.c
@@ -219,6 +219,13 @@ static const struct dmi_system_id dmi_table[] = {
},
.driver_data = (void *)oxp_mini_amd_pro,
},
+ {
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ONE-NETBOOK"),
+ DMI_EXACT_MATCH(DMI_BOARD_NAME, "ONEXPLAYER X1z"),
+ },
+ .driver_data = (void *)oxp_x1,
+ },
{
.matches = {
DMI_MATCH(DMI_BOARD_VENDOR, "ONE-NETBOOK"),
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 039/342] net: usb: r8152: add TRENDnet TUC-ET2G
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 038/342] platform/x86: oxpec: Add support for OneXPlayer X1z Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 040/342] kbuild: install-extmod-build: Package resolve_btfids if necessary Greg Kroah-Hartman
` (319 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Valentin Spreckels, Jakub Kicinski,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Valentin Spreckels <valentin@spreckels.dev>
[ Upstream commit 15fba71533bcdfaa8eeba69a5a5a2927afdf664a ]
The TRENDnet TUC-ET2G is a RTL8156 based usb ethernet adapter. Add its
vendor and product IDs.
Signed-off-by: Valentin Spreckels <valentin@spreckels.dev>
Link: https://patch.msgid.link/20260226195409.7891-2-valentin@spreckels.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/r8152.c | 1 +
include/linux/usb/r8152.h | 1 +
2 files changed, 2 insertions(+)
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 6b107cf5f37bd..9eda892beb1f8 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -10062,6 +10062,7 @@ static const struct usb_device_id rtl8152_table[] = {
{ USB_DEVICE(VENDOR_ID_DLINK, 0xb301) },
{ USB_DEVICE(VENDOR_ID_DELL, 0xb097) },
{ USB_DEVICE(VENDOR_ID_ASUS, 0x1976) },
+ { USB_DEVICE(VENDOR_ID_TRENDNET, 0xe02b) },
{}
};
diff --git a/include/linux/usb/r8152.h b/include/linux/usb/r8152.h
index 2ca60828f28bb..1502b2a355f98 100644
--- a/include/linux/usb/r8152.h
+++ b/include/linux/usb/r8152.h
@@ -32,6 +32,7 @@
#define VENDOR_ID_DLINK 0x2001
#define VENDOR_ID_DELL 0x413c
#define VENDOR_ID_ASUS 0x0b05
+#define VENDOR_ID_TRENDNET 0x20f4
#if IS_REACHABLE(CONFIG_USB_RTL8152)
extern u8 rtl8152_get_version(struct usb_interface *intf);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 040/342] kbuild: install-extmod-build: Package resolve_btfids if necessary
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 039/342] net: usb: r8152: add TRENDnet TUC-ET2G Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 041/342] platform/x86: oxpec: Add support for Aokzoe A2 Pro Greg Kroah-Hartman
` (318 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Nicolas Schier, Nathan Chancellor, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
[ Upstream commit 459cb3c054c2352bb321648744b620259a716b60 ]
When CONFIG_DEBUG_INFO_BTF_MODULES is enabled and vmlinux is available,
Makefile.modfinal and gen-btf.sh will try to use resolve_btfids on the
module .ko. install-extmod-build currently does not package
resolve_btfids, so that step fails.
Package resolve_btfids if it may be used.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/20260226-kbuild-resolve_btfids-v1-1-2bf38b93dfe7@linutronix.de
[nathan: Small commit message tweaks]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/package/install-extmod-build | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/scripts/package/install-extmod-build b/scripts/package/install-extmod-build
index 2576cf7902dbb..f12e1ffe409eb 100755
--- a/scripts/package/install-extmod-build
+++ b/scripts/package/install-extmod-build
@@ -32,6 +32,10 @@ mkdir -p "${destdir}"
echo tools/objtool/objtool
fi
+ if is_enabled CONFIG_DEBUG_INFO_BTF_MODULES; then
+ echo tools/bpf/resolve_btfids/resolve_btfids
+ fi
+
echo Module.symvers
echo "arch/${SRCARCH}/include/generated"
echo include/config/auto.conf
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 041/342] platform/x86: oxpec: Add support for Aokzoe A2 Pro
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 040/342] kbuild: install-extmod-build: Package resolve_btfids if necessary Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 042/342] platform/x86: oxpec: Add support for OneXPlayer X1 Air Greg Kroah-Hartman
` (317 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antheas Kapenekakis,
Ilpo Järvinen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antheas Kapenekakis <lkml@antheas.dev>
[ Upstream commit cd0883055b04586770dab43c64159348bf480a3e ]
Aokzoe A2 Pro is an older device that the oxpec driver is missing the
quirk for. It has the same behavior as the AOKZOE A1 devices. Add a
quirk for it to the oxpec driver.
Signed-off-by: Antheas Kapenekakis <lkml@antheas.dev>
Link: https://patch.msgid.link/20260223183004.2696892-5-lkml@antheas.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/oxpec.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/platform/x86/oxpec.c b/drivers/platform/x86/oxpec.c
index 623d9a452c469..158c545d4efbb 100644
--- a/drivers/platform/x86/oxpec.c
+++ b/drivers/platform/x86/oxpec.c
@@ -114,6 +114,13 @@ static const struct dmi_system_id dmi_table[] = {
},
.driver_data = (void *)aok_zoe_a1,
},
+ {
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "AOKZOE"),
+ DMI_EXACT_MATCH(DMI_BOARD_NAME, "AOKZOE A2 Pro"),
+ },
+ .driver_data = (void *)aok_zoe_a1,
+ },
{
.matches = {
DMI_MATCH(DMI_BOARD_VENDOR, "AOKZOE"),
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 042/342] platform/x86: oxpec: Add support for OneXPlayer X1 Air
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 041/342] platform/x86: oxpec: Add support for Aokzoe A2 Pro Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 043/342] HID: mcp2221: cancel last I2C command on read error Greg Kroah-Hartman
` (316 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antheas Kapenekakis,
Ilpo Järvinen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antheas Kapenekakis <lkml@antheas.dev>
[ Upstream commit 2a3b4a8c10a64a62c4243007139d253dc1324dfd ]
X1 Air is an X1 variant with a newer Intel chipset. It uses the same
registers as the X1. Add a quirk for it to the oxpec driver.
Signed-off-by: Antheas Kapenekakis <lkml@antheas.dev>
Link: https://patch.msgid.link/20260223183004.2696892-4-lkml@antheas.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/oxpec.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/platform/x86/oxpec.c b/drivers/platform/x86/oxpec.c
index 158c545d4efbb..6d4a53a2ed603 100644
--- a/drivers/platform/x86/oxpec.c
+++ b/drivers/platform/x86/oxpec.c
@@ -247,6 +247,13 @@ static const struct dmi_system_id dmi_table[] = {
},
.driver_data = (void *)oxp_x1,
},
+ {
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ONE-NETBOOK"),
+ DMI_EXACT_MATCH(DMI_BOARD_NAME, "ONEXPLAYER X1Air"),
+ },
+ .driver_data = (void *)oxp_x1,
+ },
{
.matches = {
DMI_MATCH(DMI_BOARD_VENDOR, "ONE-NETBOOK"),
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 043/342] HID: mcp2221: cancel last I2C command on read error
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 042/342] platform/x86: oxpec: Add support for OneXPlayer X1 Air Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 044/342] HID: asus: add xg mobile 2023 external hardware support Greg Kroah-Hartman
` (315 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Romain Sioen, Jiri Kosina,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Romain Sioen <romain.sioen@microchip.com>
[ Upstream commit e31b556c0ba21f20c298aa61181b96541140b7b9 ]
When an I2C SMBus read operation fails, the MCP2221 internal state machine
may not reset correctly, causing subsequent transactions to fail.
By adding a short delay and explicitly cancelling the last command,
we ensure the device is ready for the next operation.
Fix an issue where i2cdetect was not able to detect all devices correctly
on the bus.
Signed-off-by: Romain Sioen <romain.sioen@microchip.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-mcp2221.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c
index 33603b019f975..ef3b5c77c38e3 100644
--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -353,6 +353,8 @@ static int mcp_i2c_smbus_read(struct mcp2221 *mcp,
usleep_range(90, 100);
retries++;
} else {
+ usleep_range(980, 1000);
+ mcp_cancel_last_cmd(mcp);
return ret;
}
} else {
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 044/342] HID: asus: add xg mobile 2023 external hardware support
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 043/342] HID: mcp2221: cancel last I2C command on read error Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 045/342] module: Fix kernel panic when a symbol st_shndx is out of bounds Greg Kroah-Hartman
` (314 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Benato, Jiri Kosina,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Benato <denis.benato@linux.dev>
[ Upstream commit 377f8e788945d45b012ed9cfc35ca56c02e86cd8 ]
XG mobile stations have the 0x5a endpoint and has to be initialized:
add them to hid-asus.
Signed-off-by: Denis Benato <denis.benato@linux.dev>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-asus.c | 3 +++
drivers/hid/hid-ids.h | 1 +
2 files changed, 4 insertions(+)
diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index 8487332bf43b0..b1ad4e9f20c85 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -1404,6 +1404,9 @@ static const struct hid_device_id asus_devices[] = {
{ HID_USB_DEVICE(USB_VENDOR_ID_ASUSTEK,
USB_DEVICE_ID_ASUSTEK_ROG_NKEY_ALLY_X),
QUIRK_USE_KBD_BACKLIGHT | QUIRK_ROG_NKEY_KEYBOARD | QUIRK_ROG_ALLY_XPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ASUSTEK,
+ USB_DEVICE_ID_ASUSTEK_XGM_2023),
+ },
{ HID_USB_DEVICE(USB_VENDOR_ID_ASUSTEK,
USB_DEVICE_ID_ASUSTEK_ROG_CLAYMORE_II_KEYBOARD),
QUIRK_ROG_CLAYMORE_II_KEYBOARD },
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index 85ab1ac511096..7fd67745ee010 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -229,6 +229,7 @@
#define USB_DEVICE_ID_ASUSTEK_ROG_NKEY_ALLY_X 0x1b4c
#define USB_DEVICE_ID_ASUSTEK_ROG_CLAYMORE_II_KEYBOARD 0x196b
#define USB_DEVICE_ID_ASUSTEK_FX503VD_KEYBOARD 0x1869
+#define USB_DEVICE_ID_ASUSTEK_XGM_2023 0x1a9a
#define USB_VENDOR_ID_ATEN 0x0557
#define USB_DEVICE_ID_ATEN_UC100KM 0x2004
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 045/342] module: Fix kernel panic when a symbol st_shndx is out of bounds
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 044/342] HID: asus: add xg mobile 2023 external hardware support Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 046/342] ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_set_reg() Greg Kroah-Hartman
` (313 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ihor Solodrai, Daniel Gomez,
Petr Pavlu, Sami Tolvanen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ihor Solodrai <ihor.solodrai@linux.dev>
[ Upstream commit f9d69d5e7bde2295eb7488a56f094ac8f5383b92 ]
The module loader doesn't check for bounds of the ELF section index in
simplify_symbols():
for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
const char *name = info->strtab + sym[i].st_name;
switch (sym[i].st_shndx) {
case SHN_COMMON:
[...]
default:
/* Divert to percpu allocation if a percpu var. */
if (sym[i].st_shndx == info->index.pcpu)
secbase = (unsigned long)mod_percpu(mod);
else
/** HERE --> **/ secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
sym[i].st_value += secbase;
break;
}
}
A symbol with an out-of-bounds st_shndx value, for example 0xffff
(known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic:
BUG: unable to handle page fault for address: ...
RIP: 0010:simplify_symbols+0x2b2/0x480
...
Kernel panic - not syncing: Fatal exception
This can happen when module ELF is legitimately using SHN_XINDEX or
when it is corrupted.
Add a bounds check in simplify_symbols() to validate that st_shndx is
within the valid range before using it.
This issue was discovered due to a bug in llvm-objcopy, see relevant
discussion for details [1].
[1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/
Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
Reviewed-by: Daniel Gomez <da.gomez@samsung.com>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/module/main.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/kernel/module/main.c b/kernel/module/main.c
index bcd259505c8b3..21c5c0d14fa83 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -1568,6 +1568,13 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
break;
default:
+ if (sym[i].st_shndx >= info->hdr->e_shnum) {
+ pr_err("%s: Symbol %s has an invalid section index %u (max %u)\n",
+ mod->name, name, sym[i].st_shndx, info->hdr->e_shnum - 1);
+ ret = -ENOEXEC;
+ break;
+ }
+
/* Divert to percpu allocation if a percpu var. */
if (sym[i].st_shndx == info->index.pcpu)
secbase = (unsigned long)mod_percpu(mod);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 046/342] ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_set_reg()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 045/342] module: Fix kernel panic when a symbol st_shndx is out of bounds Greg Kroah-Hartman
@ 2026-03-31 16:17 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 047/342] scsi: mpi3mr: Clear reset history on ready and recheck state after timeout Greg Kroah-Hartman
` (312 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown <broonie@kernel.org>
[ Upstream commit 31ddc62c1cd92e51b9db61d7954b85ae2ec224da ]
ALSA controls should return 1 if the value in the control changed but the
control put operation fsl_easrc_set_reg() only returns 0 or a negative
error code, causing ALSA to not generate any change events. Add a suitable
check by using regmap_update_bits_check() with the underlying regmap, this
is more clearly and simply correct than trying to verify that one of the
generic ops is exactly equivalent to this one.
Signed-off-by: Mark Brown <broonie@kernel.org>
Link: https://patch.msgid.link/20260205-asoc-fsl-easrc-fix-events-v1-2-39d4c766918b@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_easrc.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/sound/soc/fsl/fsl_easrc.c b/sound/soc/fsl/fsl_easrc.c
index e64a0d97afd0c..733374121196e 100644
--- a/sound/soc/fsl/fsl_easrc.c
+++ b/sound/soc/fsl/fsl_easrc.c
@@ -93,14 +93,17 @@ static int fsl_easrc_set_reg(struct snd_kcontrol *kcontrol,
struct snd_soc_component *component = snd_kcontrol_chip(kcontrol);
struct soc_mreg_control *mc =
(struct soc_mreg_control *)kcontrol->private_value;
+ struct fsl_asrc *easrc = snd_soc_component_get_drvdata(component);
unsigned int regval = ucontrol->value.integer.value[0];
+ bool changed;
int ret;
- ret = snd_soc_component_write(component, mc->regbase, regval);
- if (ret < 0)
+ ret = regmap_update_bits_check(easrc->regmap, mc->regbase,
+ GENMASK(31, 0), regval, &changed);
+ if (ret != 0)
return ret;
- return 0;
+ return changed;
}
#define SOC_SINGLE_REG_RW(xname, xreg) \
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 047/342] scsi: mpi3mr: Clear reset history on ready and recheck state after timeout
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-03-31 16:17 ` [PATCH 6.19 046/342] ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_set_reg() Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 048/342] ASoC: rt1321: fix DMIC ch2/3 mask issue Greg Kroah-Hartman
` (311 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ranjan Kumar, Martin K. Petersen,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
[ Upstream commit dbd53975ed4132d161b6a97ebe785a262380182d ]
The driver retains reset history even after the IOC has successfully
reached the READY state. That leaves stale reset information active during
normal operation and can mislead recovery and diagnostics. In addition, if
the IOC becomes READY just as the ready timeout loop exits, the driver
still follows the failure path and may retry or report failure incorrectly.
Clear reset history once READY is confirmed so driver state matches actual
IOC status. After the timeout loop, recheck the IOC state and treat READY
as success instead of failing.
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://patch.msgid.link/20260225082622.82588-1-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mpi3mr/mpi3mr_fw.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/scsi/mpi3mr/mpi3mr_fw.c b/drivers/scsi/mpi3mr/mpi3mr_fw.c
index 8382afed12813..4c8d78b840fc9 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
@@ -1530,6 +1530,7 @@ static int mpi3mr_bring_ioc_ready(struct mpi3mr_ioc *mrioc)
ioc_info(mrioc,
"successfully transitioned to %s state\n",
mpi3mr_iocstate_name(ioc_state));
+ mpi3mr_clear_reset_history(mrioc);
return 0;
}
ioc_status = readl(&mrioc->sysif_regs->ioc_status);
@@ -1549,6 +1550,15 @@ static int mpi3mr_bring_ioc_ready(struct mpi3mr_ioc *mrioc)
elapsed_time_sec = jiffies_to_msecs(jiffies - start_time)/1000;
} while (elapsed_time_sec < mrioc->ready_timeout);
+ ioc_state = mpi3mr_get_iocstate(mrioc);
+ if (ioc_state == MRIOC_STATE_READY) {
+ ioc_info(mrioc,
+ "successfully transitioned to %s state after %llu seconds\n",
+ mpi3mr_iocstate_name(ioc_state), elapsed_time_sec);
+ mpi3mr_clear_reset_history(mrioc);
+ return 0;
+ }
+
out_failed:
elapsed_time_sec = jiffies_to_msecs(jiffies - start_time)/1000;
if ((retry < 2) && (elapsed_time_sec < (mrioc->ready_timeout - 60))) {
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 048/342] ASoC: rt1321: fix DMIC ch2/3 mask issue
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 047/342] scsi: mpi3mr: Clear reset history on ready and recheck state after timeout Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 049/342] scsi: devinfo: Add BLIST_SKIP_IO_HINTS for Iomega ZIP Greg Kroah-Hartman
` (310 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shuming Fan, Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuming Fan <shumingf@realtek.com>
[ Upstream commit 986841dcad257615a6e3f89231bb38e1f3506b77 ]
This patch fixed the DMIC ch2/3 mask missing problem.
Signed-off-by: Shuming Fan <shumingf@realtek.com>
Link: https://patch.msgid.link/20260225091210.3648905-1-shumingf@realtek.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/rt1320-sdw.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/sound/soc/codecs/rt1320-sdw.c b/sound/soc/codecs/rt1320-sdw.c
index e6142645b9038..4d09dd06f2d83 100644
--- a/sound/soc/codecs/rt1320-sdw.c
+++ b/sound/soc/codecs/rt1320-sdw.c
@@ -1455,7 +1455,7 @@ static int rt1320_sdw_hw_params(struct snd_pcm_substream *substream,
struct sdw_port_config port_config;
struct sdw_port_config dmic_port_config[2];
struct sdw_stream_runtime *sdw_stream;
- int retval;
+ int retval, num_channels;
unsigned int sampling_rate;
dev_dbg(dai->dev, "%s %s", __func__, dai->name);
@@ -1487,7 +1487,8 @@ static int rt1320_sdw_hw_params(struct snd_pcm_substream *substream,
dmic_port_config[1].num = 10;
break;
case RT1321_DEV_ID:
- dmic_port_config[0].ch_mask = BIT(0) | BIT(1);
+ num_channels = params_channels(params);
+ dmic_port_config[0].ch_mask = GENMASK(num_channels - 1, 0);
dmic_port_config[0].num = 8;
break;
default:
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 049/342] scsi: devinfo: Add BLIST_SKIP_IO_HINTS for Iomega ZIP
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 048/342] ASoC: rt1321: fix DMIC ch2/3 mask issue Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 050/342] ASoC: Intel: sof_sdw: Add quirk for Alienware Area 51 (2025) 0CCD SKU Greg Kroah-Hartman
` (309 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fuchs, Martin K. Petersen,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Fuchs <fuchsfl@gmail.com>
[ Upstream commit 80bf3b28d32b431f84f244a8469488eb6d96afbb ]
The Iomega ZIP 100 (Z100P2) can't process IO Advice Hints Grouping mode
page query. It immediately switches to the status phase 0xb8 after
receiving the subpage code 0x05 of MODE_SENSE_10 command, which fails
imm_out() and turns into DID_ERROR of this command, which leads to unusable
device. This was tested with an Iomega ZIP 100 (Z100P2) connected with a
StarTech PEX1P2 AX99100 PCIe parallel port card.
Prior to this fix, Test Unit Ready fails and the drive can't be used:
IMM: returned SCSI status b8
sd 7:0:6:0: [sdh] Test Unit Ready failed: Result: hostbyte=0x01 driverbyte=DRIVER_OK
Signed-off-by: Florian Fuchs <fuchsfl@gmail.com>
Link: https://patch.msgid.link/20260227181823.892932-1-fuchsfl@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_devinfo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
index 78346b2b69c91..c51146882a1fa 100644
--- a/drivers/scsi/scsi_devinfo.c
+++ b/drivers/scsi/scsi_devinfo.c
@@ -190,7 +190,7 @@ static struct {
{"IBM", "2076", NULL, BLIST_NO_VPD_SIZE},
{"IBM", "2105", NULL, BLIST_RETRY_HWERROR},
{"iomega", "jaz 1GB", "J.86", BLIST_NOTQ | BLIST_NOLUN},
- {"IOMEGA", "ZIP", NULL, BLIST_NOTQ | BLIST_NOLUN},
+ {"IOMEGA", "ZIP", NULL, BLIST_NOTQ | BLIST_NOLUN | BLIST_SKIP_IO_HINTS},
{"IOMEGA", "Io20S *F", NULL, BLIST_KEY},
{"INSITE", "Floptical F*8I", NULL, BLIST_KEY},
{"INSITE", "I325VM", NULL, BLIST_KEY},
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 050/342] ASoC: Intel: sof_sdw: Add quirk for Alienware Area 51 (2025) 0CCD SKU
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 049/342] scsi: devinfo: Add BLIST_SKIP_IO_HINTS for Iomega ZIP Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 051/342] ALSA: hda/hdmi: Add Tegra238 HDA codec device ID Greg Kroah-Hartman
` (308 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oliver Freyermuth, Mark Brown,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Freyermuth <o.freyermuth@googlemail.com>
[ Upstream commit 70eddf6a0a3fc6d3ab6f77251676da97cc7f12ae ]
This adds the necessary quirk for the Alienware 18 Area 51 (2025).
Complements commit 1b03391d073d ("ASoC: Intel: sof_sdw: Add quirk
for Alienware Area 51 (2025) 0CCC SKU").
Signed-off-by: Oliver Freyermuth <o.freyermuth@googlemail.com>
Tested-by: Oliver Freyermuth <o.freyermuth@googlemail.com>
Link: https://patch.msgid.link/20260224190224.30630-1-o.freyermuth@googlemail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/boards/sof_sdw.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/sound/soc/intel/boards/sof_sdw.c b/sound/soc/intel/boards/sof_sdw.c
index 50b838be24e95..0186c281296ec 100644
--- a/sound/soc/intel/boards/sof_sdw.c
+++ b/sound/soc/intel/boards/sof_sdw.c
@@ -763,6 +763,14 @@ static const struct dmi_system_id sof_sdw_quirk_table[] = {
},
.driver_data = (void *)(SOC_SDW_CODEC_SPKR),
},
+ {
+ .callback = sof_sdw_quirk_cb,
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "0CCD")
+ },
+ .driver_data = (void *)(SOC_SDW_CODEC_SPKR),
+ },
/* Pantherlake devices*/
{
.callback = sof_sdw_quirk_cb,
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 051/342] ALSA: hda/hdmi: Add Tegra238 HDA codec device ID
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 050/342] ASoC: Intel: sof_sdw: Add quirk for Alienware Area 51 (2025) 0CCD SKU Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 052/342] ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_put_bits() Greg Kroah-Hartman
` (307 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sheetal, Takashi Iwai, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sheetal <sheetal@nvidia.com>
[ Upstream commit 5f4338e5633dc034a81000b2516a78cfb51c601d ]
Add Tegra238 HDA codec device in hda_device_id list.
Signed-off-by: Sheetal <sheetal@nvidia.com>
Link: https://patch.msgid.link/20260302084217.3135982-1-sheetal@nvidia.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/hdmi/tegrahdmi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/hda/codecs/hdmi/tegrahdmi.c b/sound/hda/codecs/hdmi/tegrahdmi.c
index 5f6fe31aa2028..ebb6410a48313 100644
--- a/sound/hda/codecs/hdmi/tegrahdmi.c
+++ b/sound/hda/codecs/hdmi/tegrahdmi.c
@@ -299,6 +299,7 @@ static const struct hda_device_id snd_hda_id_tegrahdmi[] = {
HDA_CODEC_ID_MODEL(0x10de002f, "Tegra194 HDMI/DP2", MODEL_TEGRA),
HDA_CODEC_ID_MODEL(0x10de0030, "Tegra194 HDMI/DP3", MODEL_TEGRA),
HDA_CODEC_ID_MODEL(0x10de0031, "Tegra234 HDMI/DP", MODEL_TEGRA234),
+ HDA_CODEC_ID_MODEL(0x10de0032, "Tegra238 HDMI/DP", MODEL_TEGRA234),
HDA_CODEC_ID_MODEL(0x10de0033, "SoC 33 HDMI/DP", MODEL_TEGRA234),
HDA_CODEC_ID_MODEL(0x10de0034, "Tegra264 HDMI/DP", MODEL_TEGRA234),
HDA_CODEC_ID_MODEL(0x10de0035, "SoC 35 HDMI/DP", MODEL_TEGRA234),
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 052/342] ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_put_bits()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 051/342] ALSA: hda/hdmi: Add Tegra238 HDA codec device ID Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 053/342] ASoC: cs35l56: Only patch ASP registers if the DAI is part of a DAIlink Greg Kroah-Hartman
` (306 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown <broonie@kernel.org>
[ Upstream commit 54a86cf48eaa6d1ab5130d756b718775e81e1748 ]
ALSA controls should return 1 if the value in the control changed but the
control put operation fsl_easrc_iec958_put_bits() unconditionally returns
0, causing ALSA to not generate any change events. This is detected by
mixer-test with large numbers of messages in the form:
No event generated for Context 3 IEC958 CS5
Context 3 IEC958 CS5.0 orig 5224 read 5225, is_volatile 0
Add a suitable check.
Signed-off-by: Mark Brown <broonie@kernel.org>
Link: https://patch.msgid.link/20260205-asoc-fsl-easrc-fix-events-v1-1-39d4c766918b@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_easrc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sound/soc/fsl/fsl_easrc.c b/sound/soc/fsl/fsl_easrc.c
index 733374121196e..6c56134c60cc8 100644
--- a/sound/soc/fsl/fsl_easrc.c
+++ b/sound/soc/fsl/fsl_easrc.c
@@ -52,10 +52,13 @@ static int fsl_easrc_iec958_put_bits(struct snd_kcontrol *kcontrol,
struct soc_mreg_control *mc =
(struct soc_mreg_control *)kcontrol->private_value;
unsigned int regval = ucontrol->value.integer.value[0];
+ int ret;
+
+ ret = (easrc_priv->bps_iec958[mc->regbase] != regval);
easrc_priv->bps_iec958[mc->regbase] = regval;
- return 0;
+ return ret;
}
static int fsl_easrc_iec958_get_bits(struct snd_kcontrol *kcontrol,
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 053/342] ASoC: cs35l56: Only patch ASP registers if the DAI is part of a DAIlink
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 052/342] ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_put_bits() Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 054/342] spi: spi-dw-dma: fix print error log when wait finish transaction Greg Kroah-Hartman
` (305 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Fitzgerald, Mark Brown,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Fitzgerald <rf@opensource.cirrus.com>
[ Upstream commit 9351cf3fd92dc1349bb75f2f7f7324607dcf596f ]
Move the ASP register patches to a separate struct and apply this from the
ASP DAI probe() function so that the registers are only patched if the DAI
is part of a DAI link.
Some systems use the ASP as a special-purpose interconnect and on these
systems the ASP registers are configured by a third party (the firmware,
the BIOS, or another device using the amp's secondary host control
interface).
If the machine driver does not hook up the ASP DAI then the ASP registers
must be omitted from the patch to prevent overwriting the third party
configuration.
If the machine driver includes the ASP DAI in a DAI link, this implies that
the machine driver and higher components (such as alsa-ucm) are taking
ownership of the ASP. In this case the ASP registers are patched to known
defaults and the machine driver should configure the ASP.
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Link: https://patch.msgid.link/20260226110137.1664562-1-rf@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/sound/cs35l56.h | 1 +
sound/soc/codecs/cs35l56-shared.c | 16 +++++++++++++++-
sound/soc/codecs/cs35l56.c | 8 ++++++++
3 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/include/sound/cs35l56.h b/include/sound/cs35l56.h
index 5928af539c468..d0ae1ae2ae2a0 100644
--- a/include/sound/cs35l56.h
+++ b/include/sound/cs35l56.h
@@ -374,6 +374,7 @@ extern const char * const cs35l56_cal_set_status_text[3];
extern const char * const cs35l56_tx_input_texts[CS35L56_NUM_INPUT_SRC];
extern const unsigned int cs35l56_tx_input_values[CS35L56_NUM_INPUT_SRC];
+int cs35l56_set_asp_patch(struct cs35l56_base *cs35l56_base);
int cs35l56_set_patch(struct cs35l56_base *cs35l56_base);
int cs35l56_mbox_send(struct cs35l56_base *cs35l56_base, unsigned int command);
int cs35l56_firmware_shutdown(struct cs35l56_base *cs35l56_base);
diff --git a/sound/soc/codecs/cs35l56-shared.c b/sound/soc/codecs/cs35l56-shared.c
index 60100c8f8c952..0ec6a96e80858 100644
--- a/sound/soc/codecs/cs35l56-shared.c
+++ b/sound/soc/codecs/cs35l56-shared.c
@@ -23,7 +23,7 @@
#include "cs35l56.h"
-static const struct reg_sequence cs35l56_patch[] = {
+static const struct reg_sequence cs35l56_asp_patch[] = {
/*
* Firmware can change these to non-defaults to satisfy SDCA.
* Ensure that they are at known defaults.
@@ -40,6 +40,20 @@ static const struct reg_sequence cs35l56_patch[] = {
{ CS35L56_ASP1TX2_INPUT, 0x00000000 },
{ CS35L56_ASP1TX3_INPUT, 0x00000000 },
{ CS35L56_ASP1TX4_INPUT, 0x00000000 },
+};
+
+int cs35l56_set_asp_patch(struct cs35l56_base *cs35l56_base)
+{
+ return regmap_register_patch(cs35l56_base->regmap, cs35l56_asp_patch,
+ ARRAY_SIZE(cs35l56_asp_patch));
+}
+EXPORT_SYMBOL_NS_GPL(cs35l56_set_asp_patch, "SND_SOC_CS35L56_SHARED");
+
+static const struct reg_sequence cs35l56_patch[] = {
+ /*
+ * Firmware can change these to non-defaults to satisfy SDCA.
+ * Ensure that they are at known defaults.
+ */
{ CS35L56_SWIRE_DP3_CH1_INPUT, 0x00000018 },
{ CS35L56_SWIRE_DP3_CH2_INPUT, 0x00000019 },
{ CS35L56_SWIRE_DP3_CH3_INPUT, 0x00000029 },
diff --git a/sound/soc/codecs/cs35l56.c b/sound/soc/codecs/cs35l56.c
index 55b4d0d55712a..1c1924c6f4070 100644
--- a/sound/soc/codecs/cs35l56.c
+++ b/sound/soc/codecs/cs35l56.c
@@ -346,6 +346,13 @@ static int cs35l56_dsp_event(struct snd_soc_dapm_widget *w,
return wm_adsp_event(w, kcontrol, event);
}
+static int cs35l56_asp_dai_probe(struct snd_soc_dai *codec_dai)
+{
+ struct cs35l56_private *cs35l56 = snd_soc_component_get_drvdata(codec_dai->component);
+
+ return cs35l56_set_asp_patch(&cs35l56->base);
+}
+
static int cs35l56_asp_dai_set_fmt(struct snd_soc_dai *codec_dai, unsigned int fmt)
{
struct cs35l56_private *cs35l56 = snd_soc_component_get_drvdata(codec_dai->component);
@@ -550,6 +557,7 @@ static int cs35l56_asp_dai_set_sysclk(struct snd_soc_dai *dai,
}
static const struct snd_soc_dai_ops cs35l56_ops = {
+ .probe = cs35l56_asp_dai_probe,
.set_fmt = cs35l56_asp_dai_set_fmt,
.set_tdm_slot = cs35l56_asp_dai_set_tdm_slot,
.hw_params = cs35l56_asp_dai_hw_params,
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 054/342] spi: spi-dw-dma: fix print error log when wait finish transaction
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 053/342] ASoC: cs35l56: Only patch ASP registers if the DAI is part of a DAIlink Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 055/342] dma-buf: Include ioctl.h in UAPI header Greg Kroah-Hartman
` (304 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Yakovlev, Mark Brown,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Yakovlev <vovchkir@gmail.com>
[ Upstream commit 3b46d61890632c8f8b117147b6923bff4b42ccb7 ]
If an error occurs, the device may not have a current message. In this
case, the system will crash.
In this case, it's better to use dev from the struct ctlr (struct spi_controller*).
Signed-off-by: Vladimir Yakovlev <vovchkir@gmail.com>
Link: https://patch.msgid.link/20260302222017.992228-2-vovchkir@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-dw-dma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/spi/spi-dw-dma.c b/drivers/spi/spi-dw-dma.c
index 65adec7c7524b..fe726b9b1780d 100644
--- a/drivers/spi/spi-dw-dma.c
+++ b/drivers/spi/spi-dw-dma.c
@@ -271,7 +271,7 @@ static int dw_spi_dma_wait(struct dw_spi *dws, unsigned int len, u32 speed)
msecs_to_jiffies(ms));
if (ms == 0) {
- dev_err(&dws->ctlr->cur_msg->spi->dev,
+ dev_err(&dws->ctlr->dev,
"DMA transaction timed out\n");
return -ETIMEDOUT;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 055/342] dma-buf: Include ioctl.h in UAPI header
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 054/342] spi: spi-dw-dma: fix print error log when wait finish transaction Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 056/342] block: break pcpu_alloc_mutex dependency on freeze_lock Greg Kroah-Hartman
` (303 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Isaac J. Manjarres, T.J. Mercier,
Christian König, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Isaac J. Manjarres <isaacmanjarres@google.com>
[ Upstream commit a116bac87118903925108e57781bbfc7a7eea27b ]
include/uapi/linux/dma-buf.h uses several macros from ioctl.h to define
its ioctl commands. However, it does not include ioctl.h itself. So,
if userspace source code tries to include the dma-buf.h file without
including ioctl.h, it can result in build failures.
Therefore, include ioctl.h in the dma-buf UAPI header.
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
Reviewed-by: T.J. Mercier <tjmercier@google.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Link: https://lore.kernel.org/r/20260303002309.1401849-1-isaacmanjarres@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/dma-buf.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/uapi/linux/dma-buf.h b/include/uapi/linux/dma-buf.h
index 5a6fda66d9adf..e827c9d20c5d3 100644
--- a/include/uapi/linux/dma-buf.h
+++ b/include/uapi/linux/dma-buf.h
@@ -20,6 +20,7 @@
#ifndef _DMA_BUF_UAPI_H_
#define _DMA_BUF_UAPI_H_
+#include <linux/ioctl.h>
#include <linux/types.h>
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 056/342] block: break pcpu_alloc_mutex dependency on freeze_lock
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 055/342] dma-buf: Include ioctl.h in UAPI header Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 057/342] ALSA: hda/senary: Ensure EAPD is enabled during init Greg Kroah-Hartman
` (302 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yi Zhang, Nilay Shroff, Ming Lei,
Yu Kuai, Jens Axboe, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nilay Shroff <nilay@linux.ibm.com>
[ Upstream commit 539d1b47e935e8384977dd7e5cec370c08b7a644 ]
While nr_hw_update allocates tagset tags it acquires ->pcpu_alloc_mutex
after ->freeze_lock is acquired or queue is frozen. This potentially
creates a circular dependency involving ->fs_reclaim if reclaim is
triggered simultaneously in a code path which first acquires ->pcpu_
alloc_mutex. As the queue is already frozen while nr_hw_queue update
allocates tagsets, the reclaim can't forward progress and thus it could
cause a potential deadlock as reported in lockdep splat[1].
Fix this by pre-allocating tagset tags before we freeze queue during
nr_hw_queue update. Later the allocated tagset tags could be safely
installed and used after queue is frozen.
Reported-by: Yi Zhang <yi.zhang@redhat.com>
Closes: https://lore.kernel.org/all/CAHj4cs8F=OV9s3La2kEQ34YndgfZP-B5PHS4Z8_b9euKG6J4mw@mail.gmail.com/ [1]
Signed-off-by: Nilay Shroff <nilay@linux.ibm.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Tested-by: Yi Zhang <yi.zhang@redhat.com>
Reviewed-by: Yu Kuai <yukuai@fnnas.com>
[axboe: fix brace style issue]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-mq.c | 45 ++++++++++++++++++++++++++++++---------------
1 file changed, 30 insertions(+), 15 deletions(-)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 968699277c3d5..3b58dd5876114 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -4778,38 +4778,45 @@ static void blk_mq_update_queue_map(struct blk_mq_tag_set *set)
}
}
-static int blk_mq_realloc_tag_set_tags(struct blk_mq_tag_set *set,
- int new_nr_hw_queues)
+static struct blk_mq_tags **blk_mq_prealloc_tag_set_tags(
+ struct blk_mq_tag_set *set,
+ int new_nr_hw_queues)
{
struct blk_mq_tags **new_tags;
int i;
if (set->nr_hw_queues >= new_nr_hw_queues)
- goto done;
+ return NULL;
new_tags = kcalloc_node(new_nr_hw_queues, sizeof(struct blk_mq_tags *),
GFP_KERNEL, set->numa_node);
if (!new_tags)
- return -ENOMEM;
+ return ERR_PTR(-ENOMEM);
if (set->tags)
memcpy(new_tags, set->tags, set->nr_hw_queues *
sizeof(*set->tags));
- kfree(set->tags);
- set->tags = new_tags;
for (i = set->nr_hw_queues; i < new_nr_hw_queues; i++) {
- if (!__blk_mq_alloc_map_and_rqs(set, i)) {
- while (--i >= set->nr_hw_queues)
- __blk_mq_free_map_and_rqs(set, i);
- return -ENOMEM;
+ if (blk_mq_is_shared_tags(set->flags)) {
+ new_tags[i] = set->shared_tags;
+ } else {
+ new_tags[i] = blk_mq_alloc_map_and_rqs(set, i,
+ set->queue_depth);
+ if (!new_tags[i])
+ goto out_unwind;
}
cond_resched();
}
-done:
- set->nr_hw_queues = new_nr_hw_queues;
- return 0;
+ return new_tags;
+out_unwind:
+ while (--i >= set->nr_hw_queues) {
+ if (!blk_mq_is_shared_tags(set->flags))
+ blk_mq_free_map_and_rqs(set, new_tags[i], i);
+ }
+ kfree(new_tags);
+ return ERR_PTR(-ENOMEM);
}
/*
@@ -5093,6 +5100,7 @@ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set,
unsigned int memflags;
int i;
struct xarray elv_tbl;
+ struct blk_mq_tags **new_tags;
bool queues_frozen = false;
lockdep_assert_held(&set->tag_list_lock);
@@ -5127,11 +5135,18 @@ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set,
if (blk_mq_elv_switch_none(q, &elv_tbl))
goto switch_back;
+ new_tags = blk_mq_prealloc_tag_set_tags(set, nr_hw_queues);
+ if (IS_ERR(new_tags))
+ goto switch_back;
+
list_for_each_entry(q, &set->tag_list, tag_set_list)
blk_mq_freeze_queue_nomemsave(q);
queues_frozen = true;
- if (blk_mq_realloc_tag_set_tags(set, nr_hw_queues) < 0)
- goto switch_back;
+ if (new_tags) {
+ kfree(set->tags);
+ set->tags = new_tags;
+ }
+ set->nr_hw_queues = nr_hw_queues;
fallback:
blk_mq_update_queue_map(set);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 057/342] ALSA: hda/senary: Ensure EAPD is enabled during init
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 056/342] block: break pcpu_alloc_mutex dependency on freeze_lock Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 058/342] drm/ttm/tests: Fix build failure on PREEMPT_RT Greg Kroah-Hartman
` (301 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, wangdicheng, Takashi Iwai,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: wangdicheng <wangdicheng@kylinos.cn>
[ Upstream commit 7ae0d8f1abbbba6f98cac735145e1206927c67d9 ]
The driver sets spec->gen.own_eapd_ctl to take manual control of the
EAPD (External Amplifier). However, senary_init does not turn on the
EAPD, while senary_shutdown turns it off.
Since the generic driver skips EAPD handling when own_eapd_ctl is set,
the EAPD remains off after initialization (e.g., after resume), leaving
the codec in a non-functional state.
Explicitly call senary_auto_turn_eapd in senary_init to ensure the EAPD
is enabled and the codec is functional.
Signed-off-by: wangdicheng <wangdicheng@kylinos.cn>
Link: https://patch.msgid.link/20260303081516.583438-1-wangdich9700@163.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/senarytech.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/sound/hda/codecs/senarytech.c b/sound/hda/codecs/senarytech.c
index 63cda57cf7868..f4732a8d7955d 100644
--- a/sound/hda/codecs/senarytech.c
+++ b/sound/hda/codecs/senarytech.c
@@ -28,6 +28,7 @@ struct senary_spec {
/* extra EAPD pins */
unsigned int num_eapds;
hda_nid_t eapds[4];
+ bool dynamic_eapd;
hda_nid_t mute_led_eapd;
unsigned int parse_flags; /* flag for snd_hda_parse_pin_defcfg() */
@@ -134,8 +135,12 @@ static void senary_init_gpio_led(struct hda_codec *codec)
static int senary_init(struct hda_codec *codec)
{
+ struct senary_spec *spec = codec->spec;
+
snd_hda_gen_init(codec);
senary_init_gpio_led(codec);
+ if (!spec->dynamic_eapd)
+ senary_auto_turn_eapd(codec, spec->num_eapds, spec->eapds, true);
snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_INIT);
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 058/342] drm/ttm/tests: Fix build failure on PREEMPT_RT
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 057/342] ALSA: hda/senary: Ensure EAPD is enabled during init Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 059/342] ASoC: amd: acp: Add ACP6.3 match entries for Cirrus Logic parts Greg Kroah-Hartman
` (300 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot,
Jouni Högander, Maarten Lankhorst, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maarten Lankhorst <dev@lankhorst.se>
[ Upstream commit a58d487fb1a52579d3c37544ea371da78ed70c45 ]
Fix a compile error in the kunit tests when CONFIG_PREEMPT_RT is
enabled, and the normal mutex is converted into a rtmutex.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202602261547.3bM6yVAS-lkp@intel.com/
Reviewed-by: Jouni Högander <jouni.hogander@intel.com>
Link: https://patch.msgid.link/20260304085616.1216961-1-dev@lankhorst.se
Signed-off-by: Maarten Lankhorst <dev@lankhorst.se>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/ttm/tests/ttm_bo_test.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/ttm/tests/ttm_bo_test.c b/drivers/gpu/drm/ttm/tests/ttm_bo_test.c
index d468f83220720..f3103307b5df9 100644
--- a/drivers/gpu/drm/ttm/tests/ttm_bo_test.c
+++ b/drivers/gpu/drm/ttm/tests/ttm_bo_test.c
@@ -222,13 +222,13 @@ static void ttm_bo_reserve_interrupted(struct kunit *test)
KUNIT_FAIL(test, "Couldn't create ttm bo reserve task\n");
/* Take a lock so the threaded reserve has to wait */
- mutex_lock(&bo->base.resv->lock.base);
+ dma_resv_lock(bo->base.resv, NULL);
wake_up_process(task);
msleep(20);
err = kthread_stop(task);
- mutex_unlock(&bo->base.resv->lock.base);
+ dma_resv_unlock(bo->base.resv);
KUNIT_ASSERT_EQ(test, err, -ERESTARTSYS);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 059/342] ASoC: amd: acp: Add ACP6.3 match entries for Cirrus Logic parts
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 058/342] drm/ttm/tests: Fix build failure on PREEMPT_RT Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 060/342] bpf: Fix u32/s32 bounds when ranges cross min/max boundary Greg Kroah-Hartman
` (299 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Simon Trimmer, Mark Brown,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Trimmer <simont@opensource.cirrus.com>
[ Upstream commit fd13fc700e3e239826a46448bf7f01847dd26f5a ]
This adds some match entries for a few system configurations:
cs42l43 link 0 UID 0
cs35l56 link 1 UID 0
cs35l56 link 1 UID 1
cs35l56 link 1 UID 2
cs35l56 link 1 UID 3
cs42l45 link 1 UID 0
cs35l63 link 0 UID 0
cs35l63 link 0 UID 2
cs35l63 link 0 UID 4
cs35l63 link 0 UID 6
cs42l45 link 0 UID 0
cs35l63 link 1 UID 0
cs35l63 link 1 UID 1
cs42l45 link 0 UID 0
cs35l63 link 1 UID 1
cs35l63 link 1 UID 3
cs42l45 link 1 UID 0
cs35l63 link 0 UID 0
cs35l63 link 0 UID 1
cs42l43 link 1 UID 0
cs35l56 link 1 UID 0
cs35l56 link 1 UID 1
cs35l56 link 1 UID 2
cs35l56 link 1 UID 3
cs35l56 link 1 UID 0
cs35l56 link 1 UID 1
cs35l56 link 1 UID 2
cs35l56 link 1 UID 3
cs35l63 link 0 UID 0
cs35l63 link 0 UID 2
cs35l63 link 0 UID 4
cs35l63 link 0 UID 6
cs42l43 link 0 UID 1
cs42l43b link 0 UID 1
cs42l45 link 0 UID 0
cs42l45 link 1 UID 0
Signed-off-by: Simon Trimmer <simont@opensource.cirrus.com>
Link: https://patch.msgid.link/20260224130307.526626-1-simont@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/acp/amd-acp63-acpi-match.c | 413 +++++++++++++++++++++++
1 file changed, 413 insertions(+)
diff --git a/sound/soc/amd/acp/amd-acp63-acpi-match.c b/sound/soc/amd/acp/amd-acp63-acpi-match.c
index 9b6a49c051cda..1dbbaba3c75b3 100644
--- a/sound/soc/amd/acp/amd-acp63-acpi-match.c
+++ b/sound/soc/amd/acp/amd-acp63-acpi-match.c
@@ -30,6 +30,20 @@ static const struct snd_soc_acpi_endpoint spk_r_endpoint = {
.group_id = 1
};
+static const struct snd_soc_acpi_endpoint spk_2_endpoint = {
+ .num = 0,
+ .aggregated = 1,
+ .group_position = 2,
+ .group_id = 1
+};
+
+static const struct snd_soc_acpi_endpoint spk_3_endpoint = {
+ .num = 0,
+ .aggregated = 1,
+ .group_position = 3,
+ .group_id = 1
+};
+
static const struct snd_soc_acpi_adr_device rt711_rt1316_group_adr[] = {
{
.adr = 0x000030025D071101ull,
@@ -103,6 +117,345 @@ static const struct snd_soc_acpi_adr_device rt722_0_single_adr[] = {
}
};
+static const struct snd_soc_acpi_endpoint cs42l43_endpoints[] = {
+ { /* Jack Playback Endpoint */
+ .num = 0,
+ .aggregated = 0,
+ .group_position = 0,
+ .group_id = 0,
+ },
+ { /* DMIC Capture Endpoint */
+ .num = 1,
+ .aggregated = 0,
+ .group_position = 0,
+ .group_id = 0,
+ },
+ { /* Jack Capture Endpoint */
+ .num = 2,
+ .aggregated = 0,
+ .group_position = 0,
+ .group_id = 0,
+ },
+ { /* Speaker Playback Endpoint */
+ .num = 3,
+ .aggregated = 0,
+ .group_position = 0,
+ .group_id = 0,
+ },
+};
+
+static const struct snd_soc_acpi_adr_device cs35l56x4_l1u3210_adr[] = {
+ {
+ .adr = 0x00013301FA355601ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_l_endpoint,
+ .name_prefix = "AMP1"
+ },
+ {
+ .adr = 0x00013201FA355601ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_r_endpoint,
+ .name_prefix = "AMP2"
+ },
+ {
+ .adr = 0x00013101FA355601ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_2_endpoint,
+ .name_prefix = "AMP3"
+ },
+ {
+ .adr = 0x00013001FA355601ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_3_endpoint,
+ .name_prefix = "AMP4"
+ },
+};
+
+static const struct snd_soc_acpi_adr_device cs35l63x2_l0u01_adr[] = {
+ {
+ .adr = 0x00003001FA356301ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_l_endpoint,
+ .name_prefix = "AMP1"
+ },
+ {
+ .adr = 0x00003101FA356301ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_r_endpoint,
+ .name_prefix = "AMP2"
+ },
+};
+
+static const struct snd_soc_acpi_adr_device cs35l63x2_l1u01_adr[] = {
+ {
+ .adr = 0x00013001FA356301ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_l_endpoint,
+ .name_prefix = "AMP1"
+ },
+ {
+ .adr = 0x00013101FA356301ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_r_endpoint,
+ .name_prefix = "AMP2"
+ },
+};
+
+static const struct snd_soc_acpi_adr_device cs35l63x2_l1u13_adr[] = {
+ {
+ .adr = 0x00013101FA356301ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_l_endpoint,
+ .name_prefix = "AMP1"
+ },
+ {
+ .adr = 0x00013301FA356301ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_r_endpoint,
+ .name_prefix = "AMP2"
+ },
+};
+
+static const struct snd_soc_acpi_adr_device cs35l63x4_l0u0246_adr[] = {
+ {
+ .adr = 0x00003001FA356301ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_l_endpoint,
+ .name_prefix = "AMP1"
+ },
+ {
+ .adr = 0x00003201FA356301ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_r_endpoint,
+ .name_prefix = "AMP2"
+ },
+ {
+ .adr = 0x00003401FA356301ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_2_endpoint,
+ .name_prefix = "AMP3"
+ },
+ {
+ .adr = 0x00003601FA356301ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_3_endpoint,
+ .name_prefix = "AMP4"
+ },
+};
+
+static const struct snd_soc_acpi_adr_device cs42l43_l0u0_adr[] = {
+ {
+ .adr = 0x00003001FA424301ull,
+ .num_endpoints = ARRAY_SIZE(cs42l43_endpoints),
+ .endpoints = cs42l43_endpoints,
+ .name_prefix = "cs42l43"
+ }
+};
+
+static const struct snd_soc_acpi_adr_device cs42l43_l0u1_adr[] = {
+ {
+ .adr = 0x00003101FA424301ull,
+ .num_endpoints = ARRAY_SIZE(cs42l43_endpoints),
+ .endpoints = cs42l43_endpoints,
+ .name_prefix = "cs42l43"
+ }
+};
+
+static const struct snd_soc_acpi_adr_device cs42l43b_l0u1_adr[] = {
+ {
+ .adr = 0x00003101FA2A3B01ull,
+ .num_endpoints = ARRAY_SIZE(cs42l43_endpoints),
+ .endpoints = cs42l43_endpoints,
+ .name_prefix = "cs42l43"
+ }
+};
+
+static const struct snd_soc_acpi_adr_device cs42l43_l1u0_cs35l56x4_l1u0123_adr[] = {
+ {
+ .adr = 0x00013001FA424301ull,
+ .num_endpoints = ARRAY_SIZE(cs42l43_endpoints),
+ .endpoints = cs42l43_endpoints,
+ .name_prefix = "cs42l43"
+ },
+ {
+ .adr = 0x00013001FA355601ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_l_endpoint,
+ .name_prefix = "AMP1"
+ },
+ {
+ .adr = 0x00013101FA355601ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_r_endpoint,
+ .name_prefix = "AMP2"
+ },
+ {
+ .adr = 0x00013201FA355601ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_2_endpoint,
+ .name_prefix = "AMP3"
+ },
+ {
+ .adr = 0x00013301FA355601ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_3_endpoint,
+ .name_prefix = "AMP4"
+ },
+};
+
+static const struct snd_soc_acpi_adr_device cs42l45_l0u0_adr[] = {
+ {
+ .adr = 0x00003001FA424501ull,
+ /* Re-use endpoints, but cs42l45 has no speaker */
+ .num_endpoints = ARRAY_SIZE(cs42l43_endpoints) - 1,
+ .endpoints = cs42l43_endpoints,
+ .name_prefix = "cs42l45"
+ }
+};
+
+static const struct snd_soc_acpi_adr_device cs42l45_l1u0_adr[] = {
+ {
+ .adr = 0x00013001FA424501ull,
+ /* Re-use endpoints, but cs42l45 has no speaker */
+ .num_endpoints = ARRAY_SIZE(cs42l43_endpoints) - 1,
+ .endpoints = cs42l43_endpoints,
+ .name_prefix = "cs42l45"
+ }
+};
+
+static const struct snd_soc_acpi_link_adr acp63_cs35l56x4_l1u3210[] = {
+ {
+ .mask = BIT(1),
+ .num_adr = ARRAY_SIZE(cs35l56x4_l1u3210_adr),
+ .adr_d = cs35l56x4_l1u3210_adr,
+ },
+ {}
+};
+
+static const struct snd_soc_acpi_link_adr acp63_cs35l63x4_l0u0246[] = {
+ {
+ .mask = BIT(0),
+ .num_adr = ARRAY_SIZE(cs35l63x4_l0u0246_adr),
+ .adr_d = cs35l63x4_l0u0246_adr,
+ },
+ {}
+};
+
+static const struct snd_soc_acpi_link_adr acp63_cs42l43_l0u1[] = {
+ {
+ .mask = BIT(0),
+ .num_adr = ARRAY_SIZE(cs42l43_l0u1_adr),
+ .adr_d = cs42l43_l0u1_adr,
+ },
+ {}
+};
+
+static const struct snd_soc_acpi_link_adr acp63_cs42l43b_l0u1[] = {
+ {
+ .mask = BIT(0),
+ .num_adr = ARRAY_SIZE(cs42l43b_l0u1_adr),
+ .adr_d = cs42l43b_l0u1_adr,
+ },
+ {}
+};
+
+static const struct snd_soc_acpi_link_adr acp63_cs42l43_l0u0_cs35l56x4_l1u3210[] = {
+ {
+ .mask = BIT(0),
+ .num_adr = ARRAY_SIZE(cs42l43_l0u0_adr),
+ .adr_d = cs42l43_l0u0_adr,
+ },
+ {
+ .mask = BIT(1),
+ .num_adr = ARRAY_SIZE(cs35l56x4_l1u3210_adr),
+ .adr_d = cs35l56x4_l1u3210_adr,
+ },
+ {}
+};
+
+static const struct snd_soc_acpi_link_adr acp63_cs42l43_l1u0_cs35l56x4_l1u0123[] = {
+ {
+ .mask = BIT(1),
+ .num_adr = ARRAY_SIZE(cs42l43_l1u0_cs35l56x4_l1u0123_adr),
+ .adr_d = cs42l43_l1u0_cs35l56x4_l1u0123_adr,
+ },
+ {}
+};
+
+static const struct snd_soc_acpi_link_adr acp63_cs42l45_l0u0[] = {
+ {
+ .mask = BIT(0),
+ .num_adr = ARRAY_SIZE(cs42l45_l0u0_adr),
+ .adr_d = cs42l45_l0u0_adr,
+ },
+ {}
+};
+
+static const struct snd_soc_acpi_link_adr acp63_cs42l45_l0u0_cs35l63x2_l1u01[] = {
+ {
+ .mask = BIT(0),
+ .num_adr = ARRAY_SIZE(cs42l45_l0u0_adr),
+ .adr_d = cs42l45_l0u0_adr,
+ },
+ {
+ .mask = BIT(1),
+ .num_adr = ARRAY_SIZE(cs35l63x2_l1u01_adr),
+ .adr_d = cs35l63x2_l1u01_adr,
+ },
+ {}
+};
+
+static const struct snd_soc_acpi_link_adr acp63_cs42l45_l0u0_cs35l63x2_l1u13[] = {
+ {
+ .mask = BIT(0),
+ .num_adr = ARRAY_SIZE(cs42l45_l0u0_adr),
+ .adr_d = cs42l45_l0u0_adr,
+ },
+ {
+ .mask = BIT(1),
+ .num_adr = ARRAY_SIZE(cs35l63x2_l1u13_adr),
+ .adr_d = cs35l63x2_l1u13_adr,
+ },
+ {}
+};
+
+static const struct snd_soc_acpi_link_adr acp63_cs42l45_l1u0[] = {
+ {
+ .mask = BIT(1),
+ .num_adr = ARRAY_SIZE(cs42l45_l1u0_adr),
+ .adr_d = cs42l45_l1u0_adr,
+ },
+ {}
+};
+
+static const struct snd_soc_acpi_link_adr acp63_cs42l45_l1u0_cs35l63x2_l0u01[] = {
+ {
+ .mask = BIT(1),
+ .num_adr = ARRAY_SIZE(cs42l45_l1u0_adr),
+ .adr_d = cs42l45_l1u0_adr,
+ },
+ {
+ .mask = BIT(0),
+ .num_adr = ARRAY_SIZE(cs35l63x2_l0u01_adr),
+ .adr_d = cs35l63x2_l0u01_adr,
+ },
+ {}
+};
+
+static const struct snd_soc_acpi_link_adr acp63_cs42l45_l1u0_cs35l63x4_l0u0246[] = {
+ {
+ .mask = BIT(1),
+ .num_adr = ARRAY_SIZE(cs42l45_l1u0_adr),
+ .adr_d = cs42l45_l1u0_adr,
+ },
+ {
+ .mask = BIT(0),
+ .num_adr = ARRAY_SIZE(cs35l63x4_l0u0246_adr),
+ .adr_d = cs35l63x4_l0u0246_adr,
+ },
+ {}
+};
+
static const struct snd_soc_acpi_link_adr acp63_rt722_only[] = {
{
.mask = BIT(0),
@@ -135,6 +488,66 @@ struct snd_soc_acpi_mach snd_soc_acpi_amd_acp63_sdw_machines[] = {
.links = acp63_4_in_1_sdca,
.drv_name = "amd_sdw",
},
+ {
+ .link_mask = BIT(0) | BIT(1),
+ .links = acp63_cs42l43_l0u0_cs35l56x4_l1u3210,
+ .drv_name = "amd_sdw",
+ },
+ {
+ .link_mask = BIT(0) | BIT(1),
+ .links = acp63_cs42l45_l1u0_cs35l63x4_l0u0246,
+ .drv_name = "amd_sdw",
+ },
+ {
+ .link_mask = BIT(0) | BIT(1),
+ .links = acp63_cs42l45_l0u0_cs35l63x2_l1u01,
+ .drv_name = "amd_sdw",
+ },
+ {
+ .link_mask = BIT(0) | BIT(1),
+ .links = acp63_cs42l45_l0u0_cs35l63x2_l1u13,
+ .drv_name = "amd_sdw",
+ },
+ {
+ .link_mask = BIT(0) | BIT(1),
+ .links = acp63_cs42l45_l1u0_cs35l63x2_l0u01,
+ .drv_name = "amd_sdw",
+ },
+ {
+ .link_mask = BIT(1),
+ .links = acp63_cs42l43_l1u0_cs35l56x4_l1u0123,
+ .drv_name = "amd_sdw",
+ },
+ {
+ .link_mask = BIT(1),
+ .links = acp63_cs35l56x4_l1u3210,
+ .drv_name = "amd_sdw",
+ },
+ {
+ .link_mask = BIT(0),
+ .links = acp63_cs35l63x4_l0u0246,
+ .drv_name = "amd_sdw",
+ },
+ {
+ .link_mask = BIT(0),
+ .links = acp63_cs42l43_l0u1,
+ .drv_name = "amd_sdw",
+ },
+ {
+ .link_mask = BIT(0),
+ .links = acp63_cs42l43b_l0u1,
+ .drv_name = "amd_sdw",
+ },
+ {
+ .link_mask = BIT(0),
+ .links = acp63_cs42l45_l0u0,
+ .drv_name = "amd_sdw",
+ },
+ {
+ .link_mask = BIT(1),
+ .links = acp63_cs42l45_l1u0,
+ .drv_name = "amd_sdw",
+ },
{},
};
EXPORT_SYMBOL(snd_soc_acpi_amd_acp63_sdw_machines);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 060/342] bpf: Fix u32/s32 bounds when ranges cross min/max boundary
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 059/342] ASoC: amd: acp: Add ACP6.3 match entries for Cirrus Logic parts Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 061/342] HID: apple: avoid memory leak in apple_report_fixup() Greg Kroah-Hartman
` (298 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrea Righi, Emil Tsalapatis,
Shung-Hsi Yu, Eduard Zingerman, Alexei Starovoitov, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eduard Zingerman <eddyz87@gmail.com>
[ Upstream commit fbc7aef517d8765e4c425d2792409bb9bf2e1f13 ]
Same as in __reg64_deduce_bounds(), refine s32/u32 ranges
in __reg32_deduce_bounds() in the following situations:
- s32 range crosses U32_MAX/0 boundary, positive part of the s32 range
overlaps with u32 range:
0 U32_MAX
| [xxxxxxxxxxxxxx u32 range xxxxxxxxxxxxxx] |
|----------------------------|----------------------------|
|xxxxx s32 range xxxxxxxxx] [xxxxxxx|
0 S32_MAX S32_MIN -1
- s32 range crosses U32_MAX/0 boundary, negative part of the s32 range
overlaps with u32 range:
0 U32_MAX
| [xxxxxxxxxxxxxx u32 range xxxxxxxxxxxxxx] |
|----------------------------|----------------------------|
|xxxxxxxxx] [xxxxxxxxxxxx s32 range |
0 S32_MAX S32_MIN -1
- No refinement if ranges overlap in two intervals.
This helps for e.g. consider the following program:
call %[bpf_get_prandom_u32];
w0 &= 0xffffffff;
if w0 < 0x3 goto 1f; // on fall-through u32 range [3..U32_MAX]
if w0 s> 0x1 goto 1f; // on fall-through s32 range [S32_MIN..1]
if w0 s< 0x0 goto 1f; // range can be narrowed to [S32_MIN..-1]
r10 = 0;
1: ...;
The reg_bounds.c selftest is updated to incorporate identical logic,
refinement based on non-overflowing range halves:
((x ∩ [0, smax]) ∩ (y ∩ [0, smax])) ∪
((x ∩ [smin,-1]) ∩ (y ∩ [smin,-1]))
Reported-by: Andrea Righi <arighi@nvidia.com>
Reported-by: Emil Tsalapatis <emil@etsalapatis.com>
Closes: https://lore.kernel.org/bpf/aakqucg4vcujVwif@gpd4/T/
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20260306-bpf-32-bit-range-overflow-v3-1-f7f67e060a6b@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 24 +++++++
.../selftests/bpf/prog_tests/reg_bounds.c | 62 +++++++++++++++++--
2 files changed, 82 insertions(+), 4 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index ea312acf7d482..9032c6d4dbbcc 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2490,6 +2490,30 @@ static void __reg32_deduce_bounds(struct bpf_reg_state *reg)
if ((u32)reg->s32_min_value <= (u32)reg->s32_max_value) {
reg->u32_min_value = max_t(u32, reg->s32_min_value, reg->u32_min_value);
reg->u32_max_value = min_t(u32, reg->s32_max_value, reg->u32_max_value);
+ } else {
+ if (reg->u32_max_value < (u32)reg->s32_min_value) {
+ /* See __reg64_deduce_bounds() for detailed explanation.
+ * Refine ranges in the following situation:
+ *
+ * 0 U32_MAX
+ * | [xxxxxxxxxxxxxx u32 range xxxxxxxxxxxxxx] |
+ * |----------------------------|----------------------------|
+ * |xxxxx s32 range xxxxxxxxx] [xxxxxxx|
+ * 0 S32_MAX S32_MIN -1
+ */
+ reg->s32_min_value = (s32)reg->u32_min_value;
+ reg->u32_max_value = min_t(u32, reg->u32_max_value, reg->s32_max_value);
+ } else if ((u32)reg->s32_max_value < reg->u32_min_value) {
+ /*
+ * 0 U32_MAX
+ * | [xxxxxxxxxxxxxx u32 range xxxxxxxxxxxxxx] |
+ * |----------------------------|----------------------------|
+ * |xxxxxxxxx] [xxxxxxxxxxxx s32 range |
+ * 0 S32_MAX S32_MIN -1
+ */
+ reg->s32_max_value = (s32)reg->u32_max_value;
+ reg->u32_min_value = max_t(u32, reg->u32_min_value, reg->s32_min_value);
+ }
}
}
diff --git a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
index 0322f817d07be..04938d0d431b3 100644
--- a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
+++ b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
@@ -422,15 +422,69 @@ static bool is_valid_range(enum num_t t, struct range x)
}
}
-static struct range range_improve(enum num_t t, struct range old, struct range new)
+static struct range range_intersection(enum num_t t, struct range old, struct range new)
{
return range(t, max_t(t, old.a, new.a), min_t(t, old.b, new.b));
}
+/*
+ * Result is precise when 'x' and 'y' overlap or form a continuous range,
+ * result is an over-approximation if 'x' and 'y' do not overlap.
+ */
+static struct range range_union(enum num_t t, struct range x, struct range y)
+{
+ if (!is_valid_range(t, x))
+ return y;
+ if (!is_valid_range(t, y))
+ return x;
+ return range(t, min_t(t, x.a, y.a), max_t(t, x.b, y.b));
+}
+
+/*
+ * This function attempts to improve x range intersecting it with y.
+ * range_cast(... to_t ...) looses precision for ranges that pass to_t
+ * min/max boundaries. To avoid such precision loses this function
+ * splits both x and y into halves corresponding to non-overflowing
+ * sub-ranges: [0, smin] and [smax, -1].
+ * Final result is computed as follows:
+ *
+ * ((x ∩ [0, smax]) ∩ (y ∩ [0, smax])) ∪
+ * ((x ∩ [smin,-1]) ∩ (y ∩ [smin,-1]))
+ *
+ * Precision might still be lost if final union is not a continuous range.
+ */
+static struct range range_refine_in_halves(enum num_t x_t, struct range x,
+ enum num_t y_t, struct range y)
+{
+ struct range x_pos, x_neg, y_pos, y_neg, r_pos, r_neg;
+ u64 smax, smin, neg_one;
+
+ if (t_is_32(x_t)) {
+ smax = (u64)(u32)S32_MAX;
+ smin = (u64)(u32)S32_MIN;
+ neg_one = (u64)(u32)(s32)(-1);
+ } else {
+ smax = (u64)S64_MAX;
+ smin = (u64)S64_MIN;
+ neg_one = U64_MAX;
+ }
+ x_pos = range_intersection(x_t, x, range(x_t, 0, smax));
+ x_neg = range_intersection(x_t, x, range(x_t, smin, neg_one));
+ y_pos = range_intersection(y_t, y, range(x_t, 0, smax));
+ y_neg = range_intersection(y_t, y, range(y_t, smin, neg_one));
+ r_pos = range_intersection(x_t, x_pos, range_cast(y_t, x_t, y_pos));
+ r_neg = range_intersection(x_t, x_neg, range_cast(y_t, x_t, y_neg));
+ return range_union(x_t, r_pos, r_neg);
+
+}
+
static struct range range_refine(enum num_t x_t, struct range x, enum num_t y_t, struct range y)
{
struct range y_cast;
+ if (t_is_32(x_t) == t_is_32(y_t))
+ x = range_refine_in_halves(x_t, x, y_t, y);
+
y_cast = range_cast(y_t, x_t, y);
/* If we know that
@@ -444,7 +498,7 @@ static struct range range_refine(enum num_t x_t, struct range x, enum num_t y_t,
*/
if (x_t == S64 && y_t == S32 && y_cast.a <= S32_MAX && y_cast.b <= S32_MAX &&
(s64)x.a >= S32_MIN && (s64)x.b <= S32_MAX)
- return range_improve(x_t, x, y_cast);
+ return range_intersection(x_t, x, y_cast);
/* the case when new range knowledge, *y*, is a 32-bit subregister
* range, while previous range knowledge, *x*, is a full register
@@ -462,7 +516,7 @@ static struct range range_refine(enum num_t x_t, struct range x, enum num_t y_t,
x_swap = range(x_t, swap_low32(x.a, y_cast.a), swap_low32(x.b, y_cast.b));
if (!is_valid_range(x_t, x_swap))
return x;
- return range_improve(x_t, x, x_swap);
+ return range_intersection(x_t, x, x_swap);
}
if (!t_is_32(x_t) && !t_is_32(y_t) && x_t != y_t) {
@@ -480,7 +534,7 @@ static struct range range_refine(enum num_t x_t, struct range x, enum num_t y_t,
}
/* otherwise, plain range cast and intersection works */
- return range_improve(x_t, x, y_cast);
+ return range_intersection(x_t, x, y_cast);
}
/* =======================
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 061/342] HID: apple: avoid memory leak in apple_report_fixup()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 060/342] bpf: Fix u32/s32 bounds when ranges cross min/max boundary Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 062/342] sched_ext: Use WRITE_ONCE() for the write side of dsq->seq update Greg Kroah-Hartman
` (297 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack,
Benjamin Tissoires, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Günther Noack <gnoack@google.com>
[ Upstream commit 239c15116d80f67d32f00acc34575f1a6b699613 ]
The apple_report_fixup() function was returning a
newly kmemdup()-allocated buffer, but never freeing it.
The caller of report_fixup() does not take ownership of the returned
pointer, but it *is* permitted to return a sub-portion of the input
rdesc, whose lifetime is managed by the caller.
Assisted-by: Gemini-CLI:Google Gemini 3
Signed-off-by: Günther Noack <gnoack@google.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-apple.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
index 2f9a2e07c4263..9dcb252c5d6c7 100644
--- a/drivers/hid/hid-apple.c
+++ b/drivers/hid/hid-apple.c
@@ -689,9 +689,7 @@ static const __u8 *apple_report_fixup(struct hid_device *hdev, __u8 *rdesc,
hid_info(hdev,
"fixing up Magic Keyboard battery report descriptor\n");
*rsize = *rsize - 1;
- rdesc = kmemdup(rdesc + 1, *rsize, GFP_KERNEL);
- if (!rdesc)
- return NULL;
+ rdesc = rdesc + 1;
rdesc[0] = 0x05;
rdesc[1] = 0x01;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 062/342] sched_ext: Use WRITE_ONCE() for the write side of dsq->seq update
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 061/342] HID: apple: avoid memory leak in apple_report_fixup() Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 063/342] btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create Greg Kroah-Hartman
` (296 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, zhidao su, Tejun Heo, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: zhidao su <soolaugust@gmail.com>
[ Upstream commit 7a8464555d2e5f038758bb19e72ab4710b79e9cd ]
bpf_iter_scx_dsq_new() reads dsq->seq via READ_ONCE() without holding
any lock, making dsq->seq a lock-free concurrently accessed variable.
However, dispatch_enqueue(), the sole writer of dsq->seq, uses a plain
increment without the matching WRITE_ONCE() on the write side:
dsq->seq++;
^^^^^^^^^^^
plain write -- KCSAN data race
The KCSAN documentation requires that if one accessor uses READ_ONCE()
or WRITE_ONCE() on a variable to annotate lock-free access, all other
accesses must also use the appropriate accessor. A plain write leaves
the pair incomplete and will trigger KCSAN warnings.
Fix by using WRITE_ONCE() for the write side of the update:
WRITE_ONCE(dsq->seq, dsq->seq + 1);
This is consistent with bpf_iter_scx_dsq_new() and makes the
concurrent access annotation complete and KCSAN-clean.
Signed-off-by: zhidao su <suzhidao@xiaomi.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/ext.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
index f7eeccbd893af..2c32e12af435d 100644
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -1097,7 +1097,7 @@ static void dispatch_enqueue(struct scx_sched *sch, struct scx_dispatch_q *dsq,
}
/* seq records the order tasks are queued, used by BPF DSQ iterator */
- dsq->seq++;
+ WRITE_ONCE(dsq->seq, dsq->seq + 1);
p->scx.dsq_seq = dsq->seq;
dsq_mod_nr(dsq, 1);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 063/342] btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 062/342] sched_ext: Use WRITE_ONCE() for the write side of dsq->seq update Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 064/342] objtool: Use HOSTCFLAGS for HAVE_XXHASH test Greg Kroah-Hartman
` (295 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, Boris Burkov,
David Sterba, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boris Burkov <boris@bur.io>
[ Upstream commit 5131fa077f9bb386a1b901bf5b247041f0ec8f80 ]
We have recently observed a number of subvolumes with broken dentries.
ls-ing the parent dir looks like:
drwxrwxrwt 1 root root 16 Jan 23 16:49 .
drwxr-xr-x 1 root root 24 Jan 23 16:48 ..
d????????? ? ? ? ? ? broken_subvol
and similarly stat-ing the file fails.
In this state, deleting the subvol fails with ENOENT, but attempting to
create a new file or subvol over it errors out with EEXIST and even
aborts the fs. Which leaves us a bit stuck.
dmesg contains a single notable error message reading:
"could not do orphan cleanup -2"
2 is ENOENT and the error comes from the failure handling path of
btrfs_orphan_cleanup(), with the stack leading back up to
btrfs_lookup().
btrfs_lookup
btrfs_lookup_dentry
btrfs_orphan_cleanup // prints that message and returns -ENOENT
After some detailed inspection of the internal state, it became clear
that:
- there are no orphan items for the subvol
- the subvol is otherwise healthy looking, it is not half-deleted or
anything, there is no drop progress, etc.
- the subvol was created a while ago and does the meaningful first
btrfs_orphan_cleanup() call that sets BTRFS_ROOT_ORPHAN_CLEANUP much
later.
- after btrfs_orphan_cleanup() fails, btrfs_lookup_dentry() returns -ENOENT,
which results in a negative dentry for the subvolume via
d_splice_alias(NULL, dentry), leading to the observed behavior. The
bug can be mitigated by dropping the dentry cache, at which point we
can successfully delete the subvolume if we want.
i.e.,
btrfs_lookup()
btrfs_lookup_dentry()
if (!sb_rdonly(inode->vfs_inode)->vfs_inode)
btrfs_orphan_cleanup(sub_root)
test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)
btrfs_search_slot() // finds orphan item for inode N
...
prints "could not do orphan cleanup -2"
if (inode == ERR_PTR(-ENOENT))
inode = NULL;
return d_splice_alias(NULL, dentry) // NEGATIVE DENTRY for valid subvolume
btrfs_orphan_cleanup() does test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)
on the root when it runs, so it cannot run more than once on a given
root, so something else must run concurrently. However, the obvious
routes to deleting an orphan when nlinks goes to 0 should not be able to
run without first doing a lookup into the subvolume, which should run
btrfs_orphan_cleanup() and set the bit.
The final important observation is that create_subvol() calls
d_instantiate_new() but does not set BTRFS_ROOT_ORPHAN_CLEANUP, so if
the dentry cache gets dropped, the next lookup into the subvolume will
make a real call into btrfs_orphan_cleanup() for the first time. This
opens up the possibility of concurrently deleting the inode/orphan items
but most typical evict() paths will be holding a reference on the parent
dentry (child dentry holds parent->d_lockref.count via dget in
d_alloc(), released in __dentry_kill()) and prevent the parent from
being removed from the dentry cache.
The one exception is delayed iputs. Ordered extent creation calls
igrab() on the inode. If the file is unlinked and closed while those
refs are held, iput() in __dentry_kill() decrements i_count but does
not trigger eviction (i_count > 0). The child dentry is freed and the
subvol dentry's d_lockref.count drops to 0, making it evictable while
the inode is still alive.
Since there are two races (the race between writeback and unlink and
the race between lookup and delayed iputs), and there are too many moving
parts, the following three diagrams show the complete picture.
(Only the second and third are races)
Phase 1:
Create Subvol in dentry cache without BTRFS_ROOT_ORPHAN_CLEANUP set
btrfs_mksubvol()
lookup_one_len()
__lookup_slow()
d_alloc_parallel()
__d_alloc() // d_lockref.count = 1
create_subvol(dentry)
// doesn't touch the bit..
d_instantiate_new(dentry, inode) // dentry in cache with d_lockref.count == 1
Phase 2:
Create a delayed iput for a file in the subvol but leave the subvol in
state where its dentry can be evicted (d_lockref.count == 0)
T1 (task) T2 (writeback) T3 (OE workqueue)
write() // dirty pages
btrfs_writepages()
btrfs_run_delalloc_range()
cow_file_range()
btrfs_alloc_ordered_extent()
igrab() // i_count: 1 -> 2
btrfs_unlink_inode()
btrfs_orphan_add()
close()
__fput()
dput()
finish_dput()
__dentry_kill()
dentry_unlink_inode()
iput() // 2 -> 1
--parent->d_lockref.count // 1 -> 0; evictable
finish_ordered_fn()
btrfs_finish_ordered_io()
btrfs_put_ordered_extent()
btrfs_add_delayed_iput()
Phase 3:
Once the delayed iput is pending and the subvol dentry is evictable,
the shrinker can free it, causing the next lookup to go through
btrfs_lookup() and call btrfs_orphan_cleanup() for the first time.
If the cleaner kthread processes the delayed iput concurrently, the
two race:
T1 (shrinker) T2 (cleaner kthread) T3 (lookup)
super_cache_scan()
prune_dcache_sb()
__dentry_kill()
// subvol dentry freed
btrfs_run_delayed_iputs()
iput() // i_count -> 0
evict() // sets I_FREEING
btrfs_evict_inode()
// truncation loop
btrfs_lookup()
btrfs_lookup_dentry()
btrfs_orphan_cleanup()
// first call (bit never set)
btrfs_iget()
// blocks on I_FREEING
btrfs_orphan_del()
// inode freed
// returns -ENOENT
btrfs_del_orphan_item()
// -ENOENT
// "could not do orphan cleanup -2"
d_splice_alias(NULL, dentry)
// negative dentry for valid subvol
The most straightforward fix is to ensure the invariant that a dentry
for a subvolume can exist if and only if that subvolume has
BTRFS_ROOT_ORPHAN_CLEANUP set on its root (and is known to have no
orphans or ran btrfs_orphan_cleanup()).
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Boris Burkov <boris@bur.io>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/ioctl.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 1a5d98811f2b2..b78998815ce72 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -672,6 +672,13 @@ static noinline int create_subvol(struct mnt_idmap *idmap,
goto out;
}
+ /*
+ * Subvolumes have orphans cleaned on first dentry lookup. A new
+ * subvolume cannot have any orphans, so we should set the bit before we
+ * add the subvolume dentry to the dentry cache, so that it is in the
+ * same state as a subvolume after first lookup.
+ */
+ set_bit(BTRFS_ROOT_ORPHAN_CLEANUP, &new_root->state);
d_instantiate_new(dentry, new_inode_args.inode);
new_inode_args.inode = NULL;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 064/342] objtool: Use HOSTCFLAGS for HAVE_XXHASH test
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 063/342] btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 065/342] powerpc64/ftrace: fix OOL stub count with clang Greg Kroah-Hartman
` (294 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, HONG Yifan, Carlos Llamas,
Josh Poimboeuf, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: HONG Yifan <elsk@google.com>
[ Upstream commit 32234049107d012703d50547e815f198f147968b ]
Previously, HAVE_XXHASH is tested by invoking HOSTCC without HOSTCFLAGS.
Consider the following scenario:
- The host machine has libxxhash installed
- We build the kernel with HOSTCFLAGS containing a --sysroot that does
not have xxhash.h (for hermetic builds)
In this case, HAVE_XXHASH is set to y, but when it builds objtool with
HOSTCFLAGS, because the --sysroot does not contain xxhash.h, the
following error is raised:
<...>/common/tools/objtool/include/objtool/checksum_types.h:12:10: fatal error: 'xxhash.h' file not found
12 | #include <xxhash.h>
| ^~~~~~~~~~
To resolve the error, we test HAVE_XXHASH by invoking HOSTCC with
HOSTCFLAGS.
Signed-off-by: HONG Yifan <elsk@google.com>
Reviewed-by: Carlos Llamas <cmllamas@google.com>
Link: https://patch.msgid.link/20260303010340.306164-1-elsk@google.com
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/objtool/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/objtool/Makefile b/tools/objtool/Makefile
index 76bcd4e85de34..b71d1886022e9 100644
--- a/tools/objtool/Makefile
+++ b/tools/objtool/Makefile
@@ -13,7 +13,7 @@ endif
ifeq ($(ARCH_HAS_KLP),y)
HAVE_XXHASH = $(shell printf "$(pound)include <xxhash.h>\nXXH3_state_t *state;int main() {}" | \
- $(HOSTCC) -xc - -o /dev/null -lxxhash 2> /dev/null && echo y || echo n)
+ $(HOSTCC) $(HOSTCFLAGS) -xc - -o /dev/null -lxxhash 2> /dev/null && echo y || echo n)
ifeq ($(HAVE_XXHASH),y)
BUILD_KLP := y
LIBXXHASH_CFLAGS := $(shell $(HOSTPKG_CONFIG) libxxhash --cflags 2>/dev/null) \
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 065/342] powerpc64/ftrace: fix OOL stub count with clang
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 064/342] objtool: Use HOSTCFLAGS for HAVE_XXHASH test Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 066/342] ALSA: hda/realtek: add HP Laptop 14s-dr5xxx mute LED quirk Greg Kroah-Hartman
` (293 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hari Bathini, Venkat Rao Bagalkote,
Madhavan Srinivasan, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hari Bathini <hbathini@linux.ibm.com>
[ Upstream commit 875612a7745013a43c67493cb0583ee3f7476344 ]
The total number of out-of-line (OOL) stubs required for function
tracing is determined using the following command:
$(OBJDUMP) -r -j __patchable_function_entries vmlinux.o
While this works correctly with GNU objdump, llvm-objdump does not
list the expected relocation records for this section. Fix this by
using the -d option and counting R_PPC64_ADDR64 relocation entries.
This works as desired with both objdump and llvm-objdump.
Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260127084926.34497-3-hbathini@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/tools/ftrace-gen-ool-stubs.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/tools/ftrace-gen-ool-stubs.sh b/arch/powerpc/tools/ftrace-gen-ool-stubs.sh
index bac186bdf64a7..9218d43aeb548 100755
--- a/arch/powerpc/tools/ftrace-gen-ool-stubs.sh
+++ b/arch/powerpc/tools/ftrace-gen-ool-stubs.sh
@@ -15,9 +15,9 @@ if [ -z "$is_64bit" ]; then
RELOCATION=R_PPC_ADDR32
fi
-num_ool_stubs_total=$($objdump -r -j __patchable_function_entries "$vmlinux_o" |
+num_ool_stubs_total=$($objdump -r -j __patchable_function_entries -d "$vmlinux_o" |
grep -c "$RELOCATION")
-num_ool_stubs_inittext=$($objdump -r -j __patchable_function_entries "$vmlinux_o" |
+num_ool_stubs_inittext=$($objdump -r -j __patchable_function_entries -d "$vmlinux_o" |
grep -e ".init.text" -e ".text.startup" | grep -c "$RELOCATION")
num_ool_stubs_text=$((num_ool_stubs_total - num_ool_stubs_inittext))
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 066/342] ALSA: hda/realtek: add HP Laptop 14s-dr5xxx mute LED quirk
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 065/342] powerpc64/ftrace: fix OOL stub count with clang Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 067/342] objtool/klp: Disable unsupported pr_debug() usage Greg Kroah-Hartman
` (292 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Liucheng Lu, Takashi Iwai,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liucheng Lu <luliucheng100@outlook.com>
[ Upstream commit 178dd118c0f07fd63a9ed74cfbd8c31ae50e33af ]
HP Laptop 14s-dr5xxx with ALC236 codec does not handle the toggling of
the mute LED.
This patch adds a quirk entry for subsystem ID 0x8a1f using
ALC236_FIXUP_HP_MUTE_LED_COEFBIT2 fixup, enabling correct mute LED
behavior.
Signed-off-by: Liucheng Lu <luliucheng100@outlook.com>
Link: https://patch.msgid.link/PAVPR03MB9774F3FCE9CCD181C585281AE37BA@PAVPR03MB9774.eurprd03.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/realtek/alc269.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
index 4c49f1195e1bc..fcddab2cc54b3 100644
--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -6940,6 +6940,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x103c, 0x89da, "HP Spectre x360 14t-ea100", ALC245_FIXUP_HP_SPECTRE_X360_EU0XXX),
SND_PCI_QUIRK(0x103c, 0x89e7, "HP Elite x2 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8a0f, "HP Pavilion 14-ec1xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8a1f, "HP Laptop 14s-dr5xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
SND_PCI_QUIRK(0x103c, 0x8a20, "HP Laptop 15s-fq5xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
SND_PCI_QUIRK(0x103c, 0x8a25, "HP Victus 16-d1xxx (MB 8A25)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
SND_PCI_QUIRK(0x103c, 0x8a26, "HP Victus 16-d1xxx (MB 8A26)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 067/342] objtool/klp: Disable unsupported pr_debug() usage
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 066/342] ALSA: hda/realtek: add HP Laptop 14s-dr5xxx mute LED quirk Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 068/342] ALSA: hda/realtek: Add quirk for Gigabyte Technology to fix headphone Greg Kroah-Hartman
` (291 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Poimboeuf, Sasha Levin,
Song Liu
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit e476bb277cf91b7ac3ea803ec78a4f0791bddec3 ]
Instead of erroring out on unsupported pr_debug() (e.g., when patching a
module), issue a warning and make it inert, similar to how unsupported
tracepoints are currently handled.
Reviewed-and-tested-by: Song Liu <song@kernel.org>
Link: https://patch.msgid.link/3a7db3a5b7d4abf9b2534803a74e2e7231322738.1770759954.git.jpoimboe@kernel.org
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/objtool/klp-diff.c | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/tools/objtool/klp-diff.c b/tools/objtool/klp-diff.c
index b1847828217ba..b9340ef8d370c 100644
--- a/tools/objtool/klp-diff.c
+++ b/tools/objtool/klp-diff.c
@@ -1335,18 +1335,18 @@ static bool should_keep_special_sym(struct elf *elf, struct symbol *sym)
* be applied after static branch/call init, resulting in code corruption.
*
* Validate a special section entry to avoid that. Note that an inert
- * tracepoint is harmless enough, in that case just skip the entry and print a
- * warning. Otherwise, return an error.
+ * tracepoint or pr_debug() is harmless enough, in that case just skip the
+ * entry and print a warning. Otherwise, return an error.
*
- * This is only a temporary limitation which will be fixed when livepatch adds
- * support for submodules: fully self-contained modules which are embedded in
- * the top-level livepatch module's data and which can be loaded on demand when
- * their corresponding to-be-patched module gets loaded. Then klp relocs can
- * be retired.
+ * TODO: This is only a temporary limitation which will be fixed when livepatch
+ * adds support for submodules: fully self-contained modules which are embedded
+ * in the top-level livepatch module's data and which can be loaded on demand
+ * when their corresponding to-be-patched module gets loaded. Then klp relocs
+ * can be retired.
*
* Return:
* -1: error: validation failed
- * 1: warning: tracepoint skipped
+ * 1: warning: disabled tracepoint or pr_debug()
* 0: success
*/
static int validate_special_section_klp_reloc(struct elfs *e, struct symbol *sym)
@@ -1404,6 +1404,13 @@ static int validate_special_section_klp_reloc(struct elfs *e, struct symbol *sym
continue;
}
+ if (strstr(reloc->sym->name, "__UNIQUE_ID_ddebug_")) {
+ WARN("%s: disabling unsupported pr_debug()",
+ code_sym->name);
+ ret = 1;
+ continue;
+ }
+
ERROR("%s+0x%lx: unsupported static branch key %s. Use static_key_enabled() instead",
code_sym->name, code_offset, reloc->sym->name);
return -1;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 068/342] ALSA: hda/realtek: Add quirk for Gigabyte Technology to fix headphone
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 067/342] objtool/klp: Disable unsupported pr_debug() usage Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 069/342] ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390 Greg Kroah-Hartman
` (290 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Heng, Takashi Iwai,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Heng <zhangheng@kylinos.cn>
[ Upstream commit 56fbbe096a89ff4b52af78a21a4afd9d94bdcc80 ]
The BIOS of this machine has set 0x19 to mic, which needs to be set
to headphone pin in order to work properly.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=220814
Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
Link: https://patch.msgid.link/b55f6ebe-7449-49f7-ae85-00d2ba1e7af0@kylinos.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/realtek/alc662.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/sound/hda/codecs/realtek/alc662.c b/sound/hda/codecs/realtek/alc662.c
index 5073165d1f3cf..3a943adf90876 100644
--- a/sound/hda/codecs/realtek/alc662.c
+++ b/sound/hda/codecs/realtek/alc662.c
@@ -313,6 +313,7 @@ enum {
ALC897_FIXUP_HEADSET_MIC_PIN2,
ALC897_FIXUP_UNIS_H3C_X500S,
ALC897_FIXUP_HEADSET_MIC_PIN3,
+ ALC897_FIXUP_H610M_HP_PIN,
};
static const struct hda_fixup alc662_fixups[] = {
@@ -766,6 +767,13 @@ static const struct hda_fixup alc662_fixups[] = {
{ }
},
},
+ [ALC897_FIXUP_H610M_HP_PIN] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+ { 0x19, 0x0321403f }, /* HP out */
+ { }
+ },
+ },
};
static const struct hda_quirk alc662_fixup_tbl[] = {
@@ -815,6 +823,7 @@ static const struct hda_quirk alc662_fixup_tbl[] = {
SND_PCI_QUIRK(0x1043, 0x8469, "ASUS mobo", ALC662_FIXUP_NO_JACK_DETECT),
SND_PCI_QUIRK(0x105b, 0x0cd6, "Foxconn", ALC662_FIXUP_ASUS_MODE2),
SND_PCI_QUIRK(0x144d, 0xc051, "Samsung R720", ALC662_FIXUP_IDEAPAD),
+ SND_PCI_QUIRK(0x1458, 0xa194, "H610M H V2 DDR4", ALC897_FIXUP_H610M_HP_PIN),
SND_PCI_QUIRK(0x14cd, 0x5003, "USI", ALC662_FIXUP_USI_HEADSET_MODE),
SND_PCI_QUIRK(0x17aa, 0x1036, "Lenovo P520", ALC662_FIXUP_LENOVO_MULTI_CODECS),
SND_PCI_QUIRK(0x17aa, 0x1057, "Lenovo P360", ALC897_FIXUP_HEADSET_MIC_PIN),
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 069/342] ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 068/342] ALSA: hda/realtek: Add quirk for Gigabyte Technology to fix headphone Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 070/342] objtool: Handle Clang RSP musical chairs Greg Kroah-Hartman
` (289 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Uzair Mughal, Takashi Iwai,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uzair Mughal <contact@uzair.is-a.dev>
[ Upstream commit 542127f6528ca7cc3cf61e1651d6ccb58495f953 ]
The Lenovo ThinkPad X390 (ALC257 codec, subsystem ID 0x17aa2288)
does not report headset button press events. Headphone insertion is
detected (SW_HEADPHONE_INSERT), but pressing the inline microphone
button on a headset produces no input events.
Add a SND_PCI_QUIRK entry that maps this subsystem ID to
ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK, which enables
headset jack button detection through alc_fixup_headset_jack()
and ThinkPad ACPI integration. This is the same fixup used by
similar ThinkPad models (P1 Gen 3, X1 Extreme Gen 3).
Signed-off-by: Uzair Mughal <contact@uzair.is-a.dev>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260307012906.20093-1-contact@uzair.is-a.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/realtek/alc269.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
index fcddab2cc54b3..024d0b37574db 100644
--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -7494,6 +7494,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
SND_PCI_QUIRK(0x17aa, 0x225d, "Thinkpad T480", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x17aa, 0x2288, "Thinkpad X390", ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK),
SND_PCI_QUIRK(0x17aa, 0x2292, "Thinkpad X1 Carbon 7th", ALC285_FIXUP_THINKPAD_HEADSET_JACK),
SND_PCI_QUIRK(0x17aa, 0x22be, "Thinkpad X1 Carbon 8th", ALC285_FIXUP_THINKPAD_HEADSET_JACK),
SND_PCI_QUIRK(0x17aa, 0x22c1, "Thinkpad P1 Gen 3", ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK),
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 070/342] objtool: Handle Clang RSP musical chairs
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 069/342] ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390 Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 071/342] nvmet: move async event work off nvmet-wq Greg Kroah-Hartman
` (288 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Josh Poimboeuf,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit 7fdaa640c810cb42090a182c33f905bcc47a616a ]
For no apparent reason (possibly related to CONFIG_KMSAN), Clang can
randomly pass the value of RSP to other registers and then back again to
RSP. Handle that accordingly.
Fixes the following warnings:
drivers/input/misc/uinput.o: warning: objtool: uinput_str_to_user+0x165: undefined stack state
drivers/input/misc/uinput.o: warning: objtool: uinput_str_to_user+0x165: unknown CFA base reg -1
Reported-by: Arnd Bergmann <arnd@arndb.de>
Closes: https://lore.kernel.org/90956545-2066-46e3-b547-10c884582eb0@app.fastmail.com
Link: https://patch.msgid.link/240e6a172cc73292499334a3724d02ccb3247fc7.1772818491.git.jpoimboe@kernel.org
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/objtool/arch/x86/decode.c | 62 ++++++++++++---------------------
tools/objtool/check.c | 14 ++++++++
2 files changed, 37 insertions(+), 39 deletions(-)
diff --git a/tools/objtool/arch/x86/decode.c b/tools/objtool/arch/x86/decode.c
index f4af825082284..4544c2cb44400 100644
--- a/tools/objtool/arch/x86/decode.c
+++ b/tools/objtool/arch/x86/decode.c
@@ -395,52 +395,36 @@ int arch_decode_instruction(struct objtool_file *file, const struct section *sec
if (!rex_w)
break;
- if (modrm_reg == CFI_SP) {
-
- if (mod_is_reg()) {
- /* mov %rsp, reg */
- ADD_OP(op) {
- op->src.type = OP_SRC_REG;
- op->src.reg = CFI_SP;
- op->dest.type = OP_DEST_REG;
- op->dest.reg = modrm_rm;
- }
- break;
-
- } else {
- /* skip RIP relative displacement */
- if (is_RIP())
- break;
-
- /* skip nontrivial SIB */
- if (have_SIB()) {
- modrm_rm = sib_base;
- if (sib_index != CFI_SP)
- break;
- }
-
- /* mov %rsp, disp(%reg) */
- ADD_OP(op) {
- op->src.type = OP_SRC_REG;
- op->src.reg = CFI_SP;
- op->dest.type = OP_DEST_REG_INDIRECT;
- op->dest.reg = modrm_rm;
- op->dest.offset = ins.displacement.value;
- }
- break;
+ if (mod_is_reg()) {
+ /* mov reg, reg */
+ ADD_OP(op) {
+ op->src.type = OP_SRC_REG;
+ op->src.reg = modrm_reg;
+ op->dest.type = OP_DEST_REG;
+ op->dest.reg = modrm_rm;
}
-
break;
}
- if (rm_is_reg(CFI_SP)) {
+ /* skip RIP relative displacement */
+ if (is_RIP())
+ break;
- /* mov reg, %rsp */
+ /* skip nontrivial SIB */
+ if (have_SIB()) {
+ modrm_rm = sib_base;
+ if (sib_index != CFI_SP)
+ break;
+ }
+
+ /* mov %rsp, disp(%reg) */
+ if (modrm_reg == CFI_SP) {
ADD_OP(op) {
op->src.type = OP_SRC_REG;
- op->src.reg = modrm_reg;
- op->dest.type = OP_DEST_REG;
- op->dest.reg = CFI_SP;
+ op->src.reg = CFI_SP;
+ op->dest.type = OP_DEST_REG_INDIRECT;
+ op->dest.reg = modrm_rm;
+ op->dest.offset = ins.displacement.value;
}
break;
}
diff --git a/tools/objtool/check.c b/tools/objtool/check.c
index eba35bb8c0bdf..30609aed5d37e 100644
--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -2960,6 +2960,20 @@ static int update_cfi_state(struct instruction *insn,
cfi->stack_size += 8;
}
+ else if (cfi->vals[op->src.reg].base == CFI_CFA) {
+ /*
+ * Clang RSP musical chairs:
+ *
+ * mov %rsp, %rdx [handled above]
+ * ...
+ * mov %rdx, %rbx [handled here]
+ * ...
+ * mov %rbx, %rsp [handled above]
+ */
+ cfi->vals[op->dest.reg].base = CFI_CFA;
+ cfi->vals[op->dest.reg].offset = cfi->vals[op->src.reg].offset;
+ }
+
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 071/342] nvmet: move async event work off nvmet-wq
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 070/342] objtool: Handle Clang RSP musical chairs Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 072/342] drm/amdgpu: fix gpu idle power consumption issue for gfx v12 Greg Kroah-Hartman
` (287 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig,
Chaitanya Kulkarni, Keith Busch, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chaitanya Kulkarni <kch@nvidia.com>
[ Upstream commit 2922e3507f6d5caa7f1d07f145e186fc6f317a4e ]
For target nvmet_ctrl_free() flushes ctrl->async_event_work.
If nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue
completion for the same worker:-
A. Async event work queued on nvmet-wq (prior to disconnect):
nvmet_execute_async_event()
queue_work(nvmet_wq, &ctrl->async_event_work)
nvmet_add_async_event()
queue_work(nvmet_wq, &ctrl->async_event_work)
B. Full pre-work chain (RDMA CM path):
nvmet_rdma_cm_handler()
nvmet_rdma_queue_disconnect()
__nvmet_rdma_queue_disconnect()
queue_work(nvmet_wq, &queue->release_work)
process_one_work()
lock((wq_completion)nvmet-wq) <--------- 1st
nvmet_rdma_release_queue_work()
C. Recursive path (same worker):
nvmet_rdma_release_queue_work()
nvmet_rdma_free_queue()
nvmet_sq_destroy()
nvmet_ctrl_put()
nvmet_ctrl_free()
flush_work(&ctrl->async_event_work)
__flush_work()
touch_wq_lockdep_map()
lock((wq_completion)nvmet-wq) <--------- 2nd
Lockdep splat:
============================================
WARNING: possible recursive locking detected
6.19.0-rc3nvme+ #14 Tainted: G N
--------------------------------------------
kworker/u192:42/44933 is trying to acquire lock:
ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90
but task is already holding lock:
ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660
3 locks held by kworker/u192:42/44933:
#0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660
#1: ffffc9000e6cbe28 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660
#2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530
Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]
Call Trace:
__flush_work+0x268/0x530
nvmet_ctrl_free+0x140/0x310 [nvmet]
nvmet_cq_put+0x74/0x90 [nvmet]
nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma]
nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma]
process_one_work+0x206/0x660
worker_thread+0x184/0x320
kthread+0x10c/0x240
ret_from_fork+0x319/0x390
Move async event work to a dedicated nvmet-aen-wq to avoid reentrant
flush on nvmet-wq.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/admin-cmd.c | 2 +-
drivers/nvme/target/core.c | 14 ++++++++++++--
drivers/nvme/target/nvmet.h | 1 +
drivers/nvme/target/rdma.c | 1 +
4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/drivers/nvme/target/admin-cmd.c b/drivers/nvme/target/admin-cmd.c
index 3da31bb1183eb..100d1466ff841 100644
--- a/drivers/nvme/target/admin-cmd.c
+++ b/drivers/nvme/target/admin-cmd.c
@@ -1586,7 +1586,7 @@ void nvmet_execute_async_event(struct nvmet_req *req)
ctrl->async_event_cmds[ctrl->nr_async_event_cmds++] = req;
mutex_unlock(&ctrl->lock);
- queue_work(nvmet_wq, &ctrl->async_event_work);
+ queue_work(nvmet_aen_wq, &ctrl->async_event_work);
}
void nvmet_execute_keep_alive(struct nvmet_req *req)
diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index cc88e5a28c8a9..5075f7123358a 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -26,6 +26,8 @@ static DEFINE_IDA(cntlid_ida);
struct workqueue_struct *nvmet_wq;
EXPORT_SYMBOL_GPL(nvmet_wq);
+struct workqueue_struct *nvmet_aen_wq;
+EXPORT_SYMBOL_GPL(nvmet_aen_wq);
/*
* This read/write semaphore is used to synchronize access to configuration
@@ -205,7 +207,7 @@ void nvmet_add_async_event(struct nvmet_ctrl *ctrl, u8 event_type,
list_add_tail(&aen->entry, &ctrl->async_events);
mutex_unlock(&ctrl->lock);
- queue_work(nvmet_wq, &ctrl->async_event_work);
+ queue_work(nvmet_aen_wq, &ctrl->async_event_work);
}
static void nvmet_add_to_changed_ns_log(struct nvmet_ctrl *ctrl, __le32 nsid)
@@ -1958,9 +1960,14 @@ static int __init nvmet_init(void)
if (!nvmet_wq)
goto out_free_buffered_work_queue;
+ nvmet_aen_wq = alloc_workqueue("nvmet-aen-wq",
+ WQ_MEM_RECLAIM | WQ_UNBOUND, 0);
+ if (!nvmet_aen_wq)
+ goto out_free_nvmet_work_queue;
+
error = nvmet_init_debugfs();
if (error)
- goto out_free_nvmet_work_queue;
+ goto out_free_nvmet_aen_work_queue;
error = nvmet_init_discovery();
if (error)
@@ -1976,6 +1983,8 @@ static int __init nvmet_init(void)
nvmet_exit_discovery();
out_exit_debugfs:
nvmet_exit_debugfs();
+out_free_nvmet_aen_work_queue:
+ destroy_workqueue(nvmet_aen_wq);
out_free_nvmet_work_queue:
destroy_workqueue(nvmet_wq);
out_free_buffered_work_queue:
@@ -1993,6 +2002,7 @@ static void __exit nvmet_exit(void)
nvmet_exit_discovery();
nvmet_exit_debugfs();
ida_destroy(&cntlid_ida);
+ destroy_workqueue(nvmet_aen_wq);
destroy_workqueue(nvmet_wq);
destroy_workqueue(buffered_io_wq);
destroy_workqueue(zbd_wq);
diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
index b664b584fdc8e..319d6a5e9cf05 100644
--- a/drivers/nvme/target/nvmet.h
+++ b/drivers/nvme/target/nvmet.h
@@ -501,6 +501,7 @@ extern struct kmem_cache *nvmet_bvec_cache;
extern struct workqueue_struct *buffered_io_wq;
extern struct workqueue_struct *zbd_wq;
extern struct workqueue_struct *nvmet_wq;
+extern struct workqueue_struct *nvmet_aen_wq;
static inline void nvmet_set_result(struct nvmet_req *req, u32 result)
{
diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
index 9c12b2361a6d7..0384323649671 100644
--- a/drivers/nvme/target/rdma.c
+++ b/drivers/nvme/target/rdma.c
@@ -2088,6 +2088,7 @@ static void nvmet_rdma_remove_one(struct ib_device *ib_device, void *client_data
mutex_unlock(&nvmet_rdma_queue_mutex);
flush_workqueue(nvmet_wq);
+ flush_workqueue(nvmet_aen_wq);
}
static struct ib_client nvmet_rdma_ib_client = {
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 072/342] drm/amdgpu: fix gpu idle power consumption issue for gfx v12
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 071/342] nvmet: move async event work off nvmet-wq Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 073/342] usb: core: new quirk to handle devices with zero configurations Greg Kroah-Hartman
` (286 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Wang, Alex Deucher, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Wang <kevinyang.wang@amd.com>
[ Upstream commit a6571045cf06c4aa749b4801382ae96650e2f0e1 ]
Older versions of the MES firmware may cause abnormal GPU power consumption.
When performing inference tasks on the GPU (e.g., with Ollama using ROCm),
the GPU may show abnormal power consumption in idle state and incorrect GPU load information.
This issue has been fixed in firmware version 0x8b and newer.
Closes: https://github.com/ROCm/ROCm/issues/5706
Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 4e22a5fe6ea6e0b057e7f246df4ac3ff8bfbc46a)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c b/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c
index 231aba48d8d28..dcafbd7066c40 100644
--- a/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c
@@ -731,6 +731,9 @@ static int mes_v12_0_set_hw_resources(struct amdgpu_mes *mes, int pipe)
int i;
struct amdgpu_device *adev = mes->adev;
union MESAPI_SET_HW_RESOURCES mes_set_hw_res_pkt;
+ uint32_t mes_rev = (pipe == AMDGPU_MES_SCHED_PIPE) ?
+ (mes->sched_version & AMDGPU_MES_VERSION_MASK) :
+ (mes->kiq_version & AMDGPU_MES_VERSION_MASK);
memset(&mes_set_hw_res_pkt, 0, sizeof(mes_set_hw_res_pkt));
@@ -785,7 +788,7 @@ static int mes_v12_0_set_hw_resources(struct amdgpu_mes *mes, int pipe)
* handling support, other queue will not use the oversubscribe timer.
* handling mode - 0: disabled; 1: basic version; 2: basic+ version
*/
- mes_set_hw_res_pkt.oversubscription_timer = 50;
+ mes_set_hw_res_pkt.oversubscription_timer = mes_rev < 0x8b ? 0 : 50;
mes_set_hw_res_pkt.unmapped_doorbell_handling = 1;
if (amdgpu_mes_log_enable) {
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 073/342] usb: core: new quirk to handle devices with zero configurations
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 072/342] drm/amdgpu: fix gpu idle power consumption issue for gfx v12 Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 074/342] spi: intel-pci: Add support for Nova Lake mobile SPI flash Greg Kroah-Hartman
` (285 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jie Deng, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jie Deng <dengjie03@kylinos.cn>
[ Upstream commit 9f6a983cfa22ac662c86e60816d3a357d4b551e9 ]
Some USB devices incorrectly report bNumConfigurations as 0 in their
device descriptor, which causes the USB core to reject them during
enumeration.
logs:
usb 1-2: device descriptor read/64, error -71
usb 1-2: no configurations
usb 1-2: can't read configurations, error -22
However, these devices actually work correctly when
treated as having a single configuration.
Add a new quirk USB_QUIRK_FORCE_ONE_CONFIG to handle such devices.
When this quirk is set, assume the device has 1 configuration instead
of failing with -EINVAL.
This quirk is applied to the device with VID:PID 5131:2007 which
exhibits this behavior.
Signed-off-by: Jie Deng <dengjie03@kylinos.cn>
Link: https://patch.msgid.link/20260227084931.1527461-1-dengjie03@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/admin-guide/kernel-parameters.txt | 3 +++
drivers/usb/core/config.c | 6 +++++-
drivers/usb/core/quirks.c | 5 +++++
include/linux/usb/quirks.h | 3 +++
4 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index aa0031108bc1d..f31e9e4c598fc 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -8090,6 +8090,9 @@ Kernel parameters
p = USB_QUIRK_SHORT_SET_ADDRESS_REQ_TIMEOUT
(Reduce timeout of the SET_ADDRESS
request from 5000 ms to 500 ms);
+ q = USB_QUIRK_FORCE_ONE_CONFIG (Device
+ claims zero configurations,
+ forcing to 1);
Example: quirks=0781:5580:bk,0a5c:5834:gij
usbhid.mousepoll=
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index 2bb1ceb9d621a..3067e18ec4d8a 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -927,7 +927,11 @@ int usb_get_configuration(struct usb_device *dev)
dev->descriptor.bNumConfigurations = ncfg = USB_MAXCONFIG;
}
- if (ncfg < 1) {
+ if (ncfg < 1 && dev->quirks & USB_QUIRK_FORCE_ONE_CONFIG) {
+ dev_info(ddev, "Device claims zero configurations, forcing to 1\n");
+ dev->descriptor.bNumConfigurations = 1;
+ ncfg = 1;
+ } else if (ncfg < 1) {
dev_err(ddev, "no configurations\n");
return -EINVAL;
}
diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
index 9fef2f4d604a5..65168eb89295c 100644
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -141,6 +141,8 @@ static int quirks_param_set(const char *value, const struct kernel_param *kp)
case 'p':
flags |= USB_QUIRK_SHORT_SET_ADDRESS_REQ_TIMEOUT;
break;
+ case 'q':
+ flags |= USB_QUIRK_FORCE_ONE_CONFIG;
/* Ignore unrecognized flag characters */
}
}
@@ -597,6 +599,9 @@ static const struct usb_device_id usb_quirk_list[] = {
/* VCOM device */
{ USB_DEVICE(0x4296, 0x7570), .driver_info = USB_QUIRK_CONFIG_INTF_STRINGS },
+ /* Noji-MCS SmartCard Reader */
+ { USB_DEVICE(0x5131, 0x2007), .driver_info = USB_QUIRK_FORCE_ONE_CONFIG },
+
/* INTEL VALUE SSD */
{ USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h
index 2f7bd2fdc6164..b3cc7beab4a3c 100644
--- a/include/linux/usb/quirks.h
+++ b/include/linux/usb/quirks.h
@@ -78,4 +78,7 @@
/* skip BOS descriptor request */
#define USB_QUIRK_NO_BOS BIT(17)
+/* Device claims zero configurations, forcing to 1 */
+#define USB_QUIRK_FORCE_ONE_CONFIG BIT(18)
+
#endif /* __LINUX_USB_QUIRKS_H */
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 074/342] spi: intel-pci: Add support for Nova Lake mobile SPI flash
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 073/342] usb: core: new quirk to handle devices with zero configurations Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 075/342] ALSA: usb-audio: Add iface reset and delay quirk for SPACETOUCH USB Audio Greg Kroah-Hartman
` (284 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alan Borzeszkowski, Mika Westerberg,
Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Borzeszkowski <alan.borzeszkowski@linux.intel.com>
[ Upstream commit 85b731ad4bbf6eb3fedf267ab00be3596f148432 ]
Add Intel Nova Lake PCD-H SPI serial flash PCI ID to the list of
supported devices.
Signed-off-by: Alan Borzeszkowski <alan.borzeszkowski@linux.intel.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Link: https://patch.msgid.link/20260309153703.74282-1-alan.borzeszkowski@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-intel-pci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/spi/spi-intel-pci.c b/drivers/spi/spi-intel-pci.c
index bce3d149bea18..d8ef8f89330ac 100644
--- a/drivers/spi/spi-intel-pci.c
+++ b/drivers/spi/spi-intel-pci.c
@@ -96,6 +96,7 @@ static const struct pci_device_id intel_spi_pci_ids[] = {
{ PCI_VDEVICE(INTEL, 0xa324), (unsigned long)&cnl_info },
{ PCI_VDEVICE(INTEL, 0xa3a4), (unsigned long)&cnl_info },
{ PCI_VDEVICE(INTEL, 0xa823), (unsigned long)&cnl_info },
+ { PCI_VDEVICE(INTEL, 0xd323), (unsigned long)&cnl_info },
{ PCI_VDEVICE(INTEL, 0xe323), (unsigned long)&cnl_info },
{ PCI_VDEVICE(INTEL, 0xe423), (unsigned long)&cnl_info },
{ },
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 075/342] ALSA: usb-audio: Add iface reset and delay quirk for SPACETOUCH USB Audio
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 074/342] spi: intel-pci: Add support for Nova Lake mobile SPI flash Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 076/342] ALSA: hda/realtek: add quirk for ASUS UM6702RC Greg Kroah-Hartman
` (283 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lianqin Hu, Takashi Iwai,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lianqin Hu <hulianqin@vivo.com>
[ Upstream commit 5182e5ec4355dd690307f5d5c28cbfc5b2c06a97 ]
Setting up the interface when suspended/resumeing fail on this card.
Adding a reset and delay quirk will eliminate this problem.
usb 1-1: New USB device found, idVendor=0666, idProduct=0880
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: USB Audio
usb 1-1: Manufacturer: SPACETOUCH
usb 1-1: SerialNumber: 000000000
Signed-off-by: Lianqin Hu <hulianqin@vivo.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/TYUPR06MB6217ACC80B70BE25D87456B0D247A@TYUPR06MB6217.apcprd06.prod.outlook.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index caca0e586d832..d87b988516bbf 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2239,6 +2239,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
QUIRK_FLAG_IFACE_DELAY | QUIRK_FLAG_FORCE_IFACE_RESET),
DEVICE_FLG(0x0661, 0x0883, /* iBasso DC04 Ultra */
QUIRK_FLAG_DSD_RAW),
+ DEVICE_FLG(0x0666, 0x0880, /* SPACETOUCH USB Audio */
+ QUIRK_FLAG_FORCE_IFACE_RESET | QUIRK_FLAG_IFACE_DELAY),
DEVICE_FLG(0x06f8, 0xb000, /* Hercules DJ Console (Windows Edition) */
QUIRK_FLAG_IGNORE_CTL_ERROR),
DEVICE_FLG(0x06f8, 0xd002, /* Hercules DJ Console (Macintosh Edition) */
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 076/342] ALSA: hda/realtek: add quirk for ASUS UM6702RC
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 075/342] ALSA: usb-audio: Add iface reset and delay quirk for SPACETOUCH USB Audio Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 077/342] i3c: master: dw-i3c: Fix missing of_node for virtual I2C adapter Greg Kroah-Hartman
` (282 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Heng, Takashi Iwai,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Heng <zhangheng@kylinos.cn>
[ Upstream commit 0d3429f12133c2ca47aa82ddab2342bc360c47d3 ]
The sound card of this machine cannot adjust the volume, it can only
be 0 or 100%. The reason is that the DAC with pin 0x17 is connected
to 0x06. Testing found that connecting 0x02 can fix this problem.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=220356
Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
Link: https://patch.msgid.link/20260306123317.575346-1-zhangheng@kylinos.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/realtek/alc269.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
index 024d0b37574db..ab4b22fcb72ed 100644
--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -7274,6 +7274,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x1043, 0x1e93, "ASUS ExpertBook B9403CVAR", ALC294_FIXUP_ASUS_HPE),
SND_PCI_QUIRK(0x1043, 0x1eb3, "ASUS Ally RCLA72", ALC287_FIXUP_TAS2781_I2C),
SND_PCI_QUIRK(0x1043, 0x1ed3, "ASUS HN7306W", ALC287_FIXUP_CS35L41_I2C_2),
+ HDA_CODEC_QUIRK(0x1043, 0x1ee2, "ASUS UM6702RA/RC", ALC285_FIXUP_ASUS_I2C_SPEAKER2_TO_DAC1),
SND_PCI_QUIRK(0x1043, 0x1ee2, "ASUS UM6702RA/RC", ALC287_FIXUP_CS35L41_I2C_2),
SND_PCI_QUIRK(0x1043, 0x1c52, "ASUS Zephyrus G15 2022", ALC289_FIXUP_ASUS_GA401),
SND_PCI_QUIRK(0x1043, 0x1f11, "ASUS Zephyrus G14", ALC289_FIXUP_ASUS_GA401),
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 077/342] i3c: master: dw-i3c: Fix missing of_node for virtual I2C adapter
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 076/342] ALSA: hda/realtek: add quirk for ASUS UM6702RC Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 078/342] xfrm: add missing extack for XFRMA_SA_PCPU in add_acquire and allocspi Greg Kroah-Hartman
` (281 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Yin, Frank Li,
Alexandre Belloni, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Yin <peteryin.openbmc@gmail.com>
[ Upstream commit f26ecaa0f0abfe5db173416214098a00d3b7db79 ]
The DesignWare I3C master driver creates a virtual I2C adapter to
provide backward compatibility with I2C devices. However, the current
implementation does not associate this virtual adapter with any
Device Tree node.
Propagate the of_node from the I3C master platform device to the
virtual I2C adapter's device structure. This ensures that standard
I2C aliases are correctly resolved and bus numbering remains consistent.
Signed-off-by: Peter Yin <peteryin.openbmc@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260302075645.1492766-1-peteryin.openbmc@gmail.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/dw-i3c-master.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c
index f9b981abd10c5..1368c834ca5e8 100644
--- a/drivers/i3c/master/dw-i3c-master.c
+++ b/drivers/i3c/master/dw-i3c-master.c
@@ -1614,6 +1614,8 @@ int dw_i3c_common_probe(struct dw_i3c_master *master,
pm_runtime_get_noresume(&pdev->dev);
INIT_WORK(&master->hj_work, dw_i3c_hj_work);
+
+ device_set_of_node_from_dev(&master->base.i2c.dev, &pdev->dev);
ret = i3c_master_register(&master->base, &pdev->dev,
&dw_mipi_i3c_ops, false);
if (ret)
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 078/342] xfrm: add missing extack for XFRMA_SA_PCPU in add_acquire and allocspi
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 077/342] i3c: master: dw-i3c: Fix missing of_node for virtual I2C adapter Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 079/342] xfrm: fix the condition on x->pcpu_num in xfrm_sa_len Greg Kroah-Hartman
` (280 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, Simon Horman,
Steffen Klassert, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit aa8a3f3c67235422a0c3608a8772f69ca3b7b63f ]
We're returning an error caused by invalid user input without setting
an extack. Add one.
Fixes: 1ddf9916ac09 ("xfrm: Add support for per cpu xfrm state handling.")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_user.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 403b5ecac2c54..3e6477c6082e7 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1850,6 +1850,7 @@ static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh,
pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]);
if (pcpu_num >= num_possible_cpus()) {
err = -EINVAL;
+ NL_SET_ERR_MSG(extack, "pCPU number too big");
goto out_noput;
}
}
@@ -3001,8 +3002,10 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
if (attrs[XFRMA_SA_PCPU]) {
x->pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]);
err = -EINVAL;
- if (x->pcpu_num >= num_possible_cpus())
+ if (x->pcpu_num >= num_possible_cpus()) {
+ NL_SET_ERR_MSG(extack, "pCPU number too big");
goto free_state;
+ }
}
err = verify_newpolicy_info(&ua->policy, extack);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 079/342] xfrm: fix the condition on x->pcpu_num in xfrm_sa_len
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 078/342] xfrm: add missing extack for XFRMA_SA_PCPU in add_acquire and allocspi Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 080/342] xfrm: call xdo_dev_state_delete during state update Greg Kroah-Hartman
` (279 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, Simon Horman,
Steffen Klassert, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit b57defcf8f109da5ba9cf59b2a736606faf3d846 ]
pcpu_num = 0 is a valid value. The marker for "unset pcpu_num" which
makes copy_to_user_state_extra not add the XFRMA_SA_PCPU attribute is
UINT_MAX.
Fixes: 1ddf9916ac09 ("xfrm: Add support for per cpu xfrm state handling.")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 3e6477c6082e7..4dd8341225bce 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -3676,7 +3676,7 @@ static inline unsigned int xfrm_sa_len(struct xfrm_state *x)
}
if (x->if_id)
l += nla_total_size(sizeof(x->if_id));
- if (x->pcpu_num)
+ if (x->pcpu_num != UINT_MAX)
l += nla_total_size(sizeof(x->pcpu_num));
/* Must count x->lastused as it may become non-zero behind our back. */
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 080/342] xfrm: call xdo_dev_state_delete during state update
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 079/342] xfrm: fix the condition on x->pcpu_num in xfrm_sa_len Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 081/342] esp: fix skb leak with espintcp and async crypto Greg Kroah-Hartman
` (278 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, Simon Horman,
Steffen Klassert, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit 7d2fc41f91bc69acb6e01b0fa23cd7d0109a6a23 ]
When we update an SA, we construct a new state and call
xdo_dev_state_add, but never insert it. The existing state is updated,
then we immediately destroy the new state. Since we haven't added it,
we don't go through the standard state delete code, and we're skipping
removing it from the device (but xdo_dev_state_free will get called
when we destroy the temporary state).
This is similar to commit c5d4d7d83165 ("xfrm: Fix deletion of
offloaded SAs on failure.").
Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_state.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 98b362d518363..a00c4fe1ab0ce 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2264,6 +2264,7 @@ int xfrm_state_update(struct xfrm_state *x)
err = 0;
x->km.state = XFRM_STATE_DEAD;
+ xfrm_dev_state_delete(x);
__xfrm_state_put(x);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 081/342] esp: fix skb leak with espintcp and async crypto
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 080/342] xfrm: call xdo_dev_state_delete during state update Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 082/342] pinctrl: renesas: rzt2h: Fix device node leak in rzt2h_gpio_register() Greg Kroah-Hartman
` (277 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, Simon Horman,
Steffen Klassert, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit 0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2 ]
When the TX queue for espintcp is full, esp_output_tail_tcp will
return an error and not free the skb, because with synchronous crypto,
the common xfrm output code will drop the packet for us.
With async crypto (esp_output_done), we need to drop the skb when
esp_output_tail_tcp returns an error.
Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/esp4.c | 9 ++++++---
net/ipv6/esp6.c | 9 ++++++---
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 2c922afadb8f6..6dfc0bcdef654 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -235,10 +235,13 @@ static void esp_output_done(void *data, int err)
xfrm_dev_resume(skb);
} else {
if (!err &&
- x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP)
- esp_output_tail_tcp(x, skb);
- else
+ x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP) {
+ err = esp_output_tail_tcp(x, skb);
+ if (err != -EINPROGRESS)
+ kfree_skb(skb);
+ } else {
xfrm_output_resume(skb_to_full_sk(skb), skb, err);
+ }
}
}
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index e75da98f52838..9f75313734f8c 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -271,10 +271,13 @@ static void esp_output_done(void *data, int err)
xfrm_dev_resume(skb);
} else {
if (!err &&
- x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP)
- esp_output_tail_tcp(x, skb);
- else
+ x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP) {
+ err = esp_output_tail_tcp(x, skb);
+ if (err != -EINPROGRESS)
+ kfree_skb(skb);
+ } else {
xfrm_output_resume(skb_to_full_sk(skb), skb, err);
+ }
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 082/342] pinctrl: renesas: rzt2h: Fix device node leak in rzt2h_gpio_register()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 081/342] esp: fix skb leak with espintcp and async crypto Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 083/342] xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly Greg Kroah-Hartman
` (276 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Geert Uytterhoeven,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit e825c79ef914bd55cf7c2476ddcfb2738eb689c3 ]
When calling of_parse_phandle_with_fixed_args(), the caller is
responsible for calling of_node_put() to release the device node
reference.
In rzt2h_gpio_register(), the driver fails to call of_node_put() to
release the reference in of_args.np, which causes a memory leak.
Add the missing of_node_put() call to fix the leak.
Fixes: 34d4d093077a ("pinctrl: renesas: Add support for RZ/T2H")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20260127-rzt2h-v1-1-86472e7421b8@gmail.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/renesas/pinctrl-rzt2h.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/pinctrl/renesas/pinctrl-rzt2h.c b/drivers/pinctrl/renesas/pinctrl-rzt2h.c
index 40df706210119..24b90c80f5131 100644
--- a/drivers/pinctrl/renesas/pinctrl-rzt2h.c
+++ b/drivers/pinctrl/renesas/pinctrl-rzt2h.c
@@ -648,6 +648,7 @@ static int rzt2h_gpio_register(struct rzt2h_pinctrl *pctrl)
if (ret)
return dev_err_probe(dev, ret, "Unable to parse gpio-ranges\n");
+ of_node_put(of_args.np);
if (of_args.args[0] != 0 || of_args.args[1] != 0 ||
of_args.args[2] != pctrl->data->n_port_pins)
return dev_err_probe(dev, -EINVAL,
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 083/342] xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 082/342] pinctrl: renesas: rzt2h: Fix device node leak in rzt2h_gpio_register() Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 084/342] pinctrl: qcom: spmi-gpio: implement .get_direction() Greg Kroah-Hartman
` (275 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hao Long, Fernando Fernandez Mancera,
Steffen Klassert, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 0b352f83cabfefdaafa806d6471f0eca117dc7d5 ]
In iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner
packet 'newskb' that is being reassembled. First a zero-copy approach is
tried if it succeeds then newskb becomes non-linear.
When a subsequent fragment in the same datagram does not meet the
fast-path conditions, a memory copy is performed. It calls skb_put() to
append the data and as newskb is non-linear it triggers
SKB_LINEAR_ASSERT check.
Oops: invalid opcode: 0000 [#1] SMP NOPTI
[...]
RIP: 0010:skb_put+0x3c/0x40
[...]
Call Trace:
<IRQ>
iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs]
iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs]
iptfs_input+0x122/0x3e0 [xfrm_iptfs]
xfrm_input+0x91e/0x1a50
xfrm4_esp_rcv+0x3a/0x110
ip_protocol_deliver_rcu+0x1d7/0x1f0
ip_local_deliver_finish+0xbe/0x1e0
__netif_receive_skb_core.constprop.0+0xb56/0x1120
__netif_receive_skb_list_core+0x133/0x2b0
netif_receive_skb_list_internal+0x1ff/0x3f0
napi_complete_done+0x81/0x220
virtnet_poll+0x9d6/0x116e [virtio_net]
__napi_poll.constprop.0+0x2b/0x270
net_rx_action+0x162/0x360
handle_softirqs+0xdc/0x510
__irq_exit_rcu+0xe7/0x110
irq_exit_rcu+0xe/0x20
common_interrupt+0x85/0xa0
</IRQ>
<TASK>
Fix this by checking if the skb is non-linear. If it is, linearize it by
calling skb_linearize(). As the initial allocation of newskb originally
reserved enough tailroom for the entire reassembled packet we do not
need to check if we have enough tailroom or extend it.
Fixes: 5f2b6a909574 ("xfrm: iptfs: add skb-fragment sharing code")
Reported-by: Hao Long <me@imlonghao.com>
Closes: https://lore.kernel.org/netdev/DGRCO9SL0T5U.JTINSHJQ9KPK@imlonghao.com/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_iptfs.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/xfrm/xfrm_iptfs.c b/net/xfrm/xfrm_iptfs.c
index 3b6d7284fc70a..4e270628fc347 100644
--- a/net/xfrm/xfrm_iptfs.c
+++ b/net/xfrm/xfrm_iptfs.c
@@ -901,6 +901,12 @@ static u32 iptfs_reassem_cont(struct xfrm_iptfs_data *xtfs, u64 seq,
iptfs_skb_can_add_frags(newskb, fragwalk, data, copylen)) {
iptfs_skb_add_frags(newskb, fragwalk, data, copylen);
} else {
+ if (skb_linearize(newskb)) {
+ XFRM_INC_STATS(xs_net(xtfs->x),
+ LINUX_MIB_XFRMINBUFFERERROR);
+ goto abandon;
+ }
+
/* copy fragment data into newskb */
if (skb_copy_seq_read(st, data, skb_put(newskb, copylen),
copylen)) {
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 084/342] pinctrl: qcom: spmi-gpio: implement .get_direction()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 083/342] xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 085/342] pinctrl: renesas: rza1: Normalize return value of gpio_get() Greg Kroah-Hartman
` (274 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Konrad Dybcio,
Bartosz Golaszewski, Linus Walleij, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neil Armstrong <neil.armstrong@linaro.org>
[ Upstream commit 263447532463cf4444a3595e835b99a4e90952fa ]
GPIO controller driver should typically implement the .get_direction()
callback as GPIOLIB internals may try to use it to determine the state
of a pin. Since introduction of shared proxy, it prints a warning splat
when using a shared spmi gpio.
The implementation is not easy because the controller supports enabling
the input and output logic at the same time, so we aligns on the
behaviour of the .get() operation and return -EINVAL in other
situations.
Fixes: eadff3024472 ("pinctrl: Qualcomm SPMI PMIC GPIO pin controller driver")
Fixes: d7b5f5cc5eb4 ("pinctrl: qcom: spmi-gpio: Add support for GPIO LV/MV subtype")
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/qcom/pinctrl-spmi-gpio.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
index 83f940fe30b26..d02d42513ebbc 100644
--- a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
+++ b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
@@ -723,6 +723,21 @@ static const struct pinconf_ops pmic_gpio_pinconf_ops = {
.pin_config_group_dbg_show = pmic_gpio_config_dbg_show,
};
+static int pmic_gpio_get_direction(struct gpio_chip *chip, unsigned pin)
+{
+ struct pmic_gpio_state *state = gpiochip_get_data(chip);
+ struct pmic_gpio_pad *pad;
+
+ pad = state->ctrl->desc->pins[pin].drv_data;
+
+ if (!pad->is_enabled || pad->analog_pass ||
+ (!pad->input_enabled && !pad->output_enabled))
+ return -EINVAL;
+
+ /* Make sure the state is aligned on what pmic_gpio_get() returns */
+ return pad->input_enabled ? GPIO_LINE_DIRECTION_IN : GPIO_LINE_DIRECTION_OUT;
+}
+
static int pmic_gpio_direction_input(struct gpio_chip *chip, unsigned pin)
{
struct pmic_gpio_state *state = gpiochip_get_data(chip);
@@ -801,6 +816,7 @@ static void pmic_gpio_dbg_show(struct seq_file *s, struct gpio_chip *chip)
}
static const struct gpio_chip pmic_gpio_gpio_template = {
+ .get_direction = pmic_gpio_get_direction,
.direction_input = pmic_gpio_direction_input,
.direction_output = pmic_gpio_direction_output,
.get = pmic_gpio_get,
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 085/342] pinctrl: renesas: rza1: Normalize return value of gpio_get()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 084/342] pinctrl: qcom: spmi-gpio: implement .get_direction() Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 086/342] xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() Greg Kroah-Hartman
` (273 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov, Andy Shevchenko,
Bartosz Golaszewski, Linus Walleij, Geert Uytterhoeven,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
[ Upstream commit fb22bb9701d48c4b0e81fe204c2f96a37a520568 ]
The GPIO .get() callback is expected to return 0 or 1 (or a negative
error code). Ensure that the value returned by rza1_gpio_get() is
normalized to the [0, 1] range.
Fixes: 86ef402d805d606a ("gpiolib: sanitize the return value of gpio_chip::get()")
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/aZYnyl-Nf4S1U2yj@google.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/renesas/pinctrl-rza1.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/renesas/pinctrl-rza1.c b/drivers/pinctrl/renesas/pinctrl-rza1.c
index 3cfa4c8be80ea..d83c7d8ee82c4 100644
--- a/drivers/pinctrl/renesas/pinctrl-rza1.c
+++ b/drivers/pinctrl/renesas/pinctrl-rza1.c
@@ -589,7 +589,7 @@ static inline unsigned int rza1_get_bit(struct rza1_port *port,
{
void __iomem *mem = RZA1_ADDR(port->base, reg, port->id);
- return ioread16(mem) & BIT(bit);
+ return !!(ioread16(mem) & BIT(bit));
}
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 086/342] xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 085/342] pinctrl: renesas: rza1: Normalize return value of gpio_get() Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 087/342] xfrm: prevent policy_hthresh.work from racing with netns teardown Greg Kroah-Hartman
` (272 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Sabrina Dubroca,
Steffen Klassert, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit daf8e3b253aa760ff9e96c7768a464bc1d6b3c90 ]
After cancel_delayed_work_sync() is called from
xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining
states via __xfrm_state_delete(), which calls
xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work.
The following is a simple race scenario:
cpu0 cpu1
cleanup_net() [Round 1]
ops_undo_list()
xfrm_net_exit()
xfrm_nat_keepalive_net_fini()
cancel_delayed_work_sync(nat_keepalive_work);
xfrm_state_fini()
xfrm_state_flush()
xfrm_state_delete(x)
__xfrm_state_delete(x)
xfrm_nat_keepalive_state_updated(x)
schedule_delayed_work(nat_keepalive_work);
rcu_barrier();
net_complete_free();
net_passive_dec(net);
llist_add(&net->defer_free_list, &defer_free_list);
cleanup_net() [Round 2]
rcu_barrier();
net_complete_free()
kmem_cache_free(net_cachep, net);
nat_keepalive_work()
// on freed net
To prevent this, cancel_delayed_work_sync() is replaced with
disable_delayed_work_sync().
Fixes: f531d13bdfe3 ("xfrm: support sending NAT keepalives in ESP in UDP states")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_nat_keepalive.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_nat_keepalive.c b/net/xfrm/xfrm_nat_keepalive.c
index ebf95d48e86c1..1856beee0149b 100644
--- a/net/xfrm/xfrm_nat_keepalive.c
+++ b/net/xfrm/xfrm_nat_keepalive.c
@@ -261,7 +261,7 @@ int __net_init xfrm_nat_keepalive_net_init(struct net *net)
int xfrm_nat_keepalive_net_fini(struct net *net)
{
- cancel_delayed_work_sync(&net->xfrm.nat_keepalive_work);
+ disable_delayed_work_sync(&net->xfrm.nat_keepalive_work);
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 087/342] xfrm: prevent policy_hthresh.work from racing with netns teardown
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 086/342] xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 088/342] af_key: validate families in pfkey_send_migrate() Greg Kroah-Hartman
` (271 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Minwoo Ra, Steffen Klassert,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Minwoo Ra <raminwo0202@gmail.com>
[ Upstream commit 29fe3a61bcdce398ee3955101c39f89c01a8a77e ]
A XFRM_MSG_NEWSPDINFO request can queue the per-net work item
policy_hthresh.work onto the system workqueue.
The queued callback, xfrm_hash_rebuild(), retrieves the enclosing
struct net via container_of(). If the net namespace is torn down
before that work runs, the associated struct net may already have
been freed, and xfrm_hash_rebuild() may then dereference stale memory.
xfrm_policy_fini() already flushes policy_hash_work during teardown,
but it does not synchronize policy_hthresh.work.
Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the
queued work cannot outlive the net namespace teardown and access a
freed struct net.
Fixes: 880a6fab8f6b ("xfrm: configure policy hash table thresholds by netlink")
Signed-off-by: Minwoo Ra <raminwo0202@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_policy.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 5428185196a1f..c32d34c441ee0 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -4282,6 +4282,8 @@ static void xfrm_policy_fini(struct net *net)
unsigned int sz;
int dir;
+ disable_work_sync(&net->xfrm.policy_hthresh.work);
+
flush_work(&net->xfrm.policy_hash_work);
#ifdef CONFIG_XFRM_SUB_POLICY
xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, false);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 088/342] af_key: validate families in pfkey_send_migrate()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 087/342] xfrm: prevent policy_hthresh.work from racing with netns teardown Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 089/342] dma: swiotlb: add KMSAN annotations to swiotlb_bounce() Greg Kroah-Hartman
` (270 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b518dfc8e021988fbd55,
Eric Dumazet, Steffen Klassert, Herbert Xu, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit eb2d16a7d599dc9d4df391b5e660df9949963786 ]
syzbot was able to trigger a crash in skb_put() [1]
Issue is that pfkey_send_migrate() does not check old/new families,
and that set_ipsecrequest() @family argument was truncated,
thus possibly overfilling the skb.
Validate families early, do not wait set_ipsecrequest().
[1]
skbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL>
kernel BUG at net/core/skbuff.c:214 !
Call Trace:
<TASK>
skb_over_panic net/core/skbuff.c:219 [inline]
skb_put+0x159/0x210 net/core/skbuff.c:2655
skb_put_zero include/linux/skbuff.h:2788 [inline]
set_ipsecrequest net/key/af_key.c:3532 [inline]
pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636
km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848
xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705
xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150
Fixes: 08de61beab8a ("[PFKEYV2]: Extension for dynamic update of endpoint address(es)")
Reported-by: syzbot+b518dfc8e021988fbd55@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/69b5933c.050a0220.248e02.00f2.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/key/af_key.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 571200433aa90..bc91aeeb74bbf 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3518,7 +3518,7 @@ static int set_sadb_kmaddress(struct sk_buff *skb, const struct xfrm_kmaddress *
static int set_ipsecrequest(struct sk_buff *skb,
uint8_t proto, uint8_t mode, int level,
- uint32_t reqid, uint8_t family,
+ uint32_t reqid, sa_family_t family,
const xfrm_address_t *src, const xfrm_address_t *dst)
{
struct sadb_x_ipsecrequest *rq;
@@ -3583,12 +3583,17 @@ static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
/* ipsecrequests */
for (i = 0, mp = m; i < num_bundles; i++, mp++) {
- /* old locator pair */
- size_pol += sizeof(struct sadb_x_ipsecrequest) +
- pfkey_sockaddr_pair_size(mp->old_family);
- /* new locator pair */
- size_pol += sizeof(struct sadb_x_ipsecrequest) +
- pfkey_sockaddr_pair_size(mp->new_family);
+ int pair_size;
+
+ pair_size = pfkey_sockaddr_pair_size(mp->old_family);
+ if (!pair_size)
+ return -EINVAL;
+ size_pol += sizeof(struct sadb_x_ipsecrequest) + pair_size;
+
+ pair_size = pfkey_sockaddr_pair_size(mp->new_family);
+ if (!pair_size)
+ return -EINVAL;
+ size_pol += sizeof(struct sadb_x_ipsecrequest) + pair_size;
}
size += sizeof(struct sadb_msg) + size_pol;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 089/342] dma: swiotlb: add KMSAN annotations to swiotlb_bounce()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 088/342] af_key: validate families in pfkey_send_migrate() Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 090/342] erofs: set fileio bio failed in short read case Greg Kroah-Hartman
` (269 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Potapenko, Shigeru Yoshida,
Marek Szyprowski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shigeru Yoshida <syoshida@redhat.com>
[ Upstream commit 6f770b73d0311a5b099277653199bb6421c4fed2 ]
When a device performs DMA to a bounce buffer, KMSAN is unaware of
the write and does not mark the data as initialized. When
swiotlb_bounce() later copies the bounce buffer back to the original
buffer, memcpy propagates the uninitialized shadow to the original
buffer, causing false positive uninit-value reports.
Fix this by calling kmsan_unpoison_memory() on the bounce buffer
before copying it back in the DMA_FROM_DEVICE path, so that memcpy
naturally propagates initialized shadow to the destination.
Suggested-by: Alexander Potapenko <glider@google.com>
Link: https://lore.kernel.org/CAG_fn=WUGta-paG1BgsGRoAR+fmuCgh3xo=R3XdzOt_-DqSdHw@mail.gmail.com/
Fixes: 7ade4f10779c ("dma: kmsan: unpoison DMA mappings")
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/r/20260315082750.2375581-1-syoshida@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/dma/swiotlb.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c
index a547c7693135b..b4bc7ce01dadc 100644
--- a/kernel/dma/swiotlb.c
+++ b/kernel/dma/swiotlb.c
@@ -30,6 +30,7 @@
#include <linux/gfp.h>
#include <linux/highmem.h>
#include <linux/io.h>
+#include <linux/kmsan-checks.h>
#include <linux/iommu-helper.h>
#include <linux/init.h>
#include <linux/memblock.h>
@@ -901,10 +902,19 @@ static void swiotlb_bounce(struct device *dev, phys_addr_t tlb_addr, size_t size
local_irq_save(flags);
page = pfn_to_page(pfn);
- if (dir == DMA_TO_DEVICE)
+ if (dir == DMA_TO_DEVICE) {
+ /*
+ * Ideally, kmsan_check_highmem_page()
+ * could be used here to detect infoleaks,
+ * but callers may map uninitialized buffers
+ * that will be written by the device,
+ * causing false positives.
+ */
memcpy_from_page(vaddr, page, offset, sz);
- else
+ } else {
+ kmsan_unpoison_memory(vaddr, sz);
memcpy_to_page(page, offset, vaddr, sz);
+ }
local_irq_restore(flags);
size -= sz;
@@ -913,8 +923,15 @@ static void swiotlb_bounce(struct device *dev, phys_addr_t tlb_addr, size_t size
offset = 0;
}
} else if (dir == DMA_TO_DEVICE) {
+ /*
+ * Ideally, kmsan_check_memory() could be used here to detect
+ * infoleaks (uninitialized data being sent to device), but
+ * callers may map uninitialized buffers that will be written
+ * by the device, causing false positives.
+ */
memcpy(vaddr, phys_to_virt(orig_addr), size);
} else {
+ kmsan_unpoison_memory(vaddr, size);
memcpy(phys_to_virt(orig_addr), vaddr, size);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 090/342] erofs: set fileio bio failed in short read case
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 089/342] dma: swiotlb: add KMSAN annotations to swiotlb_bounce() Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 091/342] can: statistics: add missing atomic access in hot path Greg Kroah-Hartman
` (268 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, chenguanyou, Yunlei He, Sheng Yong,
Gao Xiang, Chao Yu, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sheng Yong <shengyong1@xiaomi.com>
[ Upstream commit eade54040384f54b7fb330e4b0975c5734850b3c ]
For file-backed mount, IO requests are handled by vfs_iocb_iter_read().
However, it can be interrupted by SIGKILL, returning the number of
bytes actually copied. Unused folios in bio are unexpectedly marked
as uptodate.
vfs_read
filemap_read
filemap_get_pages
filemap_readahead
erofs_fileio_readahead
erofs_fileio_rq_submit
vfs_iocb_iter_read
filemap_read
filemap_get_pages <= detect signal
erofs_fileio_ki_complete <= set all folios uptodate
This patch addresses this by setting short read bio with an error
directly.
Fixes: bc804a8d7e86 ("erofs: handle end of filesystem properly for file-backed mounts")
Reported-by: chenguanyou <chenguanyou@xiaomi.com>
Signed-off-by: Yunlei He <heyunlei@xiaomi.com>
Signed-off-by: Sheng Yong <shengyong1@xiaomi.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/erofs/fileio.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/fs/erofs/fileio.c b/fs/erofs/fileio.c
index 2a778a02681a0..aa580c59fe645 100644
--- a/fs/erofs/fileio.c
+++ b/fs/erofs/fileio.c
@@ -25,10 +25,8 @@ static void erofs_fileio_ki_complete(struct kiocb *iocb, long ret)
container_of(iocb, struct erofs_fileio_rq, iocb);
struct folio_iter fi;
- if (ret >= 0 && ret != rq->bio.bi_iter.bi_size) {
- bio_advance(&rq->bio, ret);
- zero_fill_bio(&rq->bio);
- }
+ if (ret >= 0 && ret != rq->bio.bi_iter.bi_size)
+ ret = -EIO;
if (!rq->bio.bi_end_io) {
bio_for_each_folio_all(fi, &rq->bio) {
DBG_BUGON(folio_test_uptodate(fi.folio));
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 091/342] can: statistics: add missing atomic access in hot path
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 090/342] erofs: set fileio bio failed in short read case Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 092/342] pinctrl: stm32: fix HDP driver dependency on GPIO_GENERIC Greg Kroah-Hartman
` (267 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oliver Hartkopp, Marc Kleine-Budde,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Hartkopp <socketcan@hartkopp.net>
[ Upstream commit 46eee1661aa9b49966e6c43d07126fe408edda57 ]
Commit 80b5f90158d1 ("can: statistics: use atomic access in hot path")
fixed a KCSAN issue in can_receive() but missed to convert the 'matches'
variable used in can_rcv_filter().
Fixes: 80b5f90158d1 ("can: statistics: use atomic access in hot path")
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Link: https://patch.msgid.link/20260318173413.28235-1-socketcan@hartkopp.net
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/can/af_can.c | 4 ++--
net/can/af_can.h | 2 +-
net/can/proc.c | 3 ++-
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 770173d8db428..a624c04ed5c63 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -469,7 +469,7 @@ int can_rx_register(struct net *net, struct net_device *dev, canid_t can_id,
rcv->can_id = can_id;
rcv->mask = mask;
- rcv->matches = 0;
+ atomic_long_set(&rcv->matches, 0);
rcv->func = func;
rcv->data = data;
rcv->ident = ident;
@@ -573,7 +573,7 @@ EXPORT_SYMBOL(can_rx_unregister);
static inline void deliver(struct sk_buff *skb, struct receiver *rcv)
{
rcv->func(skb, rcv->data);
- rcv->matches++;
+ atomic_long_inc(&rcv->matches);
}
static int can_rcv_filter(struct can_dev_rcv_lists *dev_rcv_lists, struct sk_buff *skb)
diff --git a/net/can/af_can.h b/net/can/af_can.h
index 22f3352c77fec..87887014f5628 100644
--- a/net/can/af_can.h
+++ b/net/can/af_can.h
@@ -52,7 +52,7 @@ struct receiver {
struct hlist_node list;
canid_t can_id;
canid_t mask;
- unsigned long matches;
+ atomic_long_t matches;
void (*func)(struct sk_buff *skb, void *data);
void *data;
char *ident;
diff --git a/net/can/proc.c b/net/can/proc.c
index 0938bf7dd646a..de4d05ae34597 100644
--- a/net/can/proc.c
+++ b/net/can/proc.c
@@ -196,7 +196,8 @@ static void can_print_rcvlist(struct seq_file *m, struct hlist_head *rx_list,
" %-5s %03x %08x %pK %pK %8ld %s\n";
seq_printf(m, fmt, DNAME(dev), r->can_id, r->mask,
- r->func, r->data, r->matches, r->ident);
+ r->func, r->data, atomic_long_read(&r->matches),
+ r->ident);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 092/342] pinctrl: stm32: fix HDP driver dependency on GPIO_GENERIC
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 091/342] can: statistics: add missing atomic access in hot path Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 093/342] Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req Greg Kroah-Hartman
` (266 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amelie Delaunay, Linus Walleij,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amelie Delaunay <amelie.delaunay@foss.st.com>
[ Upstream commit c8cfeb4b9dda2cdfce79519aee4aaff16310a7b6 ]
The HDP driver uses the generic GPIO chip API, but this configuration
may not be enabled.
Ensure it is enabled by selecting the appropriate option.
Fixes: 4bcff9c05b9d ("pinctrl: stm32: use new generic GPIO chip API")
Signed-off-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/stm32/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/pinctrl/stm32/Kconfig b/drivers/pinctrl/stm32/Kconfig
index 5f67e1ee66dd9..d6a1715230121 100644
--- a/drivers/pinctrl/stm32/Kconfig
+++ b/drivers/pinctrl/stm32/Kconfig
@@ -65,6 +65,7 @@ config PINCTRL_STM32_HDP
select PINMUX
select GENERIC_PINCONF
select GPIOLIB
+ select GPIO_GENERIC
help
The Hardware Debug Port allows the observation of internal signals.
It uses configurable multiplexer to route signals in a dedicated observation register.
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 093/342] Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 092/342] pinctrl: stm32: fix HDP driver dependency on GPIO_GENERIC Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 094/342] Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() Greg Kroah-Hartman
` (265 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b7f3e7d9a596bf6a63e3,
Minseo Park, Luiz Augusto von Dentz, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Minseo Park <jacob.park.9436@gmail.com>
[ Upstream commit 9d87cb22195b2c67405f5485d525190747ad5493 ]
Syzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd()
that is triggered by a malformed Enhanced Credit Based Connection Request.
The vulnerability stems from l2cap_ecred_conn_req(). The function allocates
a local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel
IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more
than 5 SCIDs, the function calculates `rsp_len` based on this unvalidated
`cmd_len` before checking if the number of SCIDs exceeds
L2CAP_ECRED_MAX_CID.
If the SCID count is too high, the function correctly jumps to the
`response` label to reject the packet, but `rsp_len` retains the
attacker's oversized value. Consequently, l2cap_send_cmd() is instructed
to read past the end of the 18-byte `pdu` buffer, triggering a
KASAN panic.
Fix this by moving the assignment of `rsp_len` to after the `num_scid`
boundary check. If the packet is rejected, `rsp_len` will safely
remain 0, and the error response will only read the 8-byte base header
from the stack.
Fixes: c28d2bff7044 ("Bluetooth: L2CAP: Fix result of L2CAP_ECRED_CONN_RSP when MTU is too short")
Reported-by: syzbot+b7f3e7d9a596bf6a63e3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b7f3e7d9a596bf6a63e3
Tested-by: syzbot+b7f3e7d9a596bf6a63e3@syzkaller.appspotmail.com
Signed-off-by: Minseo Park <jacob.park.9436@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 9ea030fc9a9cc..583fe3b654c11 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5065,14 +5065,14 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
cmd_len -= sizeof(*req);
num_scid = cmd_len / sizeof(u16);
- /* Always respond with the same number of scids as in the request */
- rsp_len = cmd_len;
-
if (num_scid > L2CAP_ECRED_MAX_CID) {
result = L2CAP_CR_LE_INVALID_PARAMS;
goto response;
}
+ /* Always respond with the same number of scids as in the request */
+ rsp_len = cmd_len;
+
mtu = __le16_to_cpu(req->mtu);
mps = __le16_to_cpu(req->mps);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 094/342] Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 093/342] Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 095/342] Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold Greg Kroah-Hartman
` (264 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Luiz Augusto von Dentz,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit c65bd945d1c08c3db756821b6bf9f1c4a77b29c6 ]
l2cap_ecred_data_rcv() reads the SDU length field from skb->data using
get_unaligned_le16() without first verifying that skb contains at least
L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads
past the valid data in the skb.
The ERTM reassembly path correctly calls pskb_may_pull() before reading
the SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the
same validation to the Enhanced Credit Based Flow Control data path.
Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 583fe3b654c11..848a9b945de89 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6672,6 +6672,11 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
if (!chan->sdu) {
u16 sdu_len;
+ if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE)) {
+ err = -EINVAL;
+ goto failed;
+ }
+
sdu_len = get_unaligned_le16(skb->data);
skb_pull(skb, L2CAP_SDULEN_SIZE);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 095/342] Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 094/342] Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 096/342] Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete Greg Kroah-Hartman
` (263 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Luiz Augusto von Dentz,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit 598dbba9919c5e36c54fe1709b557d64120cb94b ]
sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately
releases the lock without holding a reference to the socket. A concurrent
close() can free the socket between the lock release and the subsequent
sk->sk_state access, resulting in a use-after-free.
Other functions in the same file (sco_sock_timeout(), sco_conn_del())
correctly use sco_sock_hold() to safely hold a reference under the lock.
Fix by using sco_sock_hold() to take a reference before releasing the
lock, and adding sock_put() on all exit paths.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/sco.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index cccfaf5603174..6741b067d28b5 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -401,7 +401,7 @@ static void sco_recv_frame(struct sco_conn *conn, struct sk_buff *skb)
struct sock *sk;
sco_conn_lock(conn);
- sk = conn->sk;
+ sk = sco_sock_hold(conn);
sco_conn_unlock(conn);
if (!sk)
@@ -410,11 +410,15 @@ static void sco_recv_frame(struct sco_conn *conn, struct sk_buff *skb)
BT_DBG("sk %p len %u", sk, skb->len);
if (sk->sk_state != BT_CONNECTED)
- goto drop;
+ goto drop_put;
- if (!sock_queue_rcv_skb(sk, skb))
+ if (!sock_queue_rcv_skb(sk, skb)) {
+ sock_put(sk);
return;
+ }
+drop_put:
+ sock_put(sk);
drop:
kfree_skb(skb);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 096/342] Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 095/342] Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 097/342] Bluetooth: hci_ll: Fix firmware leak on error path Greg Kroah-Hartman
` (262 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Paul Menzel,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 5f5fa4cd35f707344f65ce9e225b6528691dbbaa ]
This fixes the condition checking so mgmt_pending_valid is executed
whenever status != -ECANCELED otherwise calling mgmt_pending_free(cmd)
would kfree(cmd) without unlinking it from the list first, leaving a
dangling pointer. Any subsequent list traversal (e.g.,
mgmt_pending_foreach during __mgmt_power_off, or another
mgmt_pending_valid call) would dereference freed memory.
Link: https://lore.kernel.org/linux-bluetooth/20260315132013.75ab40c5@kernel.org/T/#m1418f9c82eeff8510c1beaa21cf53af20db96c06
Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/mgmt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 2c63f49c33018..f3da1bc38a551 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -5355,7 +5355,7 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
* hci_adv_monitors_clear is about to be called which will take care of
* freeing the adv_monitor instances.
*/
- if (status == -ECANCELED && !mgmt_pending_valid(hdev, cmd))
+ if (status == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
return;
monitor = cmd->user_data;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 097/342] Bluetooth: hci_ll: Fix firmware leak on error path
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 096/342] Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 098/342] Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb Greg Kroah-Hartman
` (261 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Menzel, Anas Iqbal,
Luiz Augusto von Dentz, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anas Iqbal <mohd.abd.6602@gmail.com>
[ Upstream commit 31148a7be723aa9f2e8fbd62424825ab8d577973 ]
Smatch reports:
drivers/bluetooth/hci_ll.c:587 download_firmware() warn:
'fw' from request_firmware() not released on lines: 544.
In download_firmware(), if request_firmware() succeeds but the returned
firmware content is invalid (no data or zero size), the function returns
without releasing the firmware, resulting in a resource leak.
Fix this by calling release_firmware() before returning when
request_firmware() succeeded but the firmware content is invalid.
Fixes: 371805522f87 ("bluetooth: hci_uart: add LL protocol serdev driver support")
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Anas Iqbal <mohd.abd.6602@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/hci_ll.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/hci_ll.c b/drivers/bluetooth/hci_ll.c
index 6f4e25917b863..c4584f4085766 100644
--- a/drivers/bluetooth/hci_ll.c
+++ b/drivers/bluetooth/hci_ll.c
@@ -541,6 +541,8 @@ static int download_firmware(struct ll_device *lldev)
if (err || !fw->data || !fw->size) {
bt_dev_err(lldev->hu.hdev, "request_firmware failed(errno %d) for %s",
err, bts_scr_name);
+ if (!err)
+ release_firmware(fw);
return -EINVAL;
}
ptr = (void *)fw->data;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 098/342] Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 097/342] Bluetooth: hci_ll: Fix firmware leak on error path Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 099/342] pinctrl: mediatek: common: Fix probe failure for devices without EINT Greg Kroah-Hartman
` (260 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Helen Koike, Luiz Augusto von Dentz,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helen Koike <koike@igalia.com>
[ Upstream commit b6552e0503973daf6f23bd6ed9273ef131ee364f ]
Before using sk pointer, check if it is null.
Fix the following:
KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267]
CPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025
Workqueue: events l2cap_info_timeout
RIP: 0010:kasan_byte_accessible+0x12/0x30
Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce
veth0_macvtap: entered promiscuous mode
RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001
RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000
R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005582615a5008 CR3: 000000007007e000 CR4: 0000000000752ef0
PKRU: 55555554
Call Trace:
<TASK>
__kasan_check_byte+0x12/0x40
lock_acquire+0x79/0x2e0
lock_sock_nested+0x48/0x100
? l2cap_sock_ready_cb+0x46/0x160
l2cap_sock_ready_cb+0x46/0x160
l2cap_conn_start+0x779/0xff0
? __pfx_l2cap_conn_start+0x10/0x10
? l2cap_info_timeout+0x60/0xa0
? __pfx___mutex_lock+0x10/0x10
l2cap_info_timeout+0x68/0xa0
? process_scheduled_works+0xa8d/0x18c0
process_scheduled_works+0xb6e/0x18c0
? __pfx_process_scheduled_works+0x10/0x10
? assign_work+0x3d5/0x5e0
worker_thread+0xa53/0xfc0
kthread+0x388/0x470
? __pfx_worker_thread+0x10/0x10
? __pfx_kthread+0x10/0x10
ret_from_fork+0x51e/0xb90
? __pfx_ret_from_fork+0x10/0x10
veth1_macvtap: entered promiscuous mode
? __switch_to+0xc7d/0x1450
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
batman_adv: batadv0: Interface activated: batadv_slave_0
batman_adv: batadv0: Interface activated: batadv_slave_1
netdevsim netdevsim7 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim7 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim7 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim7 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
RIP: 0010:kasan_byte_accessible+0x12/0x30
Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce
ieee80211 phy39: Selected rate control algorithm 'minstrel_ht'
RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001
RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000
R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7e16139e9c CR3: 000000000e74e000 CR4: 0000000000752ef0
PKRU: 55555554
Kernel panic - not syncing: Fatal exception
Fixes: 54a59aa2b562 ("Bluetooth: Add l2cap_chan->ops->ready()")
Signed-off-by: Helen Koike <koike@igalia.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_sock.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index bc9760e0abaf8..f1131e4415c95 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1681,6 +1681,9 @@ static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
struct sock *sk = chan->data;
struct sock *parent;
+ if (!sk)
+ return;
+
lock_sock(sk);
parent = bt_sk(sk)->parent;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 099/342] pinctrl: mediatek: common: Fix probe failure for devices without EINT
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 098/342] Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 100/342] ionic: fix persistent MAC address override on PF Greg Kroah-Hartman
` (259 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Leonardo Scorcia,
AngeloGioacchino Del Regno, Linus Walleij, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Leonardo Scorcia <l.scorcia@gmail.com>
[ Upstream commit 8f9f64c8f90dca07d3b9f1d7ce5d34ccd246c9dd ]
Some pinctrl devices like mt6397 or mt6392 don't support EINT at all, but
the mtk_eint_init function is always called and returns -ENODEV, which
then bubbles up and causes probe failure.
To address this only call mtk_eint_init if EINT pins are present.
Tested on Xiaomi Mi Smart Clock x04g (mt6392).
Fixes: e46df235b4e6 ("pinctrl: mediatek: refactor EINT related code for all MediaTek pinctrl can fit")
Signed-off-by: Luca Leonardo Scorcia <l.scorcia@gmail.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/mediatek/pinctrl-mtk-common.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
index d6a46fe0cda89..3f518dce6d23f 100644
--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
+++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
@@ -1135,9 +1135,12 @@ int mtk_pctrl_init(struct platform_device *pdev,
goto chip_error;
}
- ret = mtk_eint_init(pctl, pdev);
- if (ret)
- goto chip_error;
+ /* Only initialize EINT if we have EINT pins */
+ if (data->eint_hw.ap_num > 0) {
+ ret = mtk_eint_init(pctl, pdev);
+ if (ret)
+ goto chip_error;
+ }
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 100/342] ionic: fix persistent MAC address override on PF
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 099/342] pinctrl: mediatek: common: Fix probe failure for devices without EINT Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 101/342] nfc: nci: fix circular locking dependency in nci_close_device Greg Kroah-Hartman
` (258 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mohammad Heib, Simon Horman,
Brett Creeley, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mohammad Heib <mheib@redhat.com>
[ Upstream commit cbcb3cfcdc436d6f91a3d95ecfa9c831abe14aed ]
The use of IONIC_CMD_LIF_SETATTR in the MAC address update path causes
the ionic firmware to update the LIF's identity in its persistent state.
Since the firmware state is maintained across host warm boots and driver
reloads, any MAC change on the Physical Function (PF) becomes "sticky.
This is problematic because it causes ethtool -P to report the
user-configured MAC as the permanent factory address, which breaks
system management tools that rely on a stable hardware identity.
While Virtual Functions (VFs) need this hardware-level programming to
properly handle MAC assignments in guest environments, the PF should
maintain standard transient behavior. This patch gates the
ionic_program_mac call using is_virtfn so that PF MAC changes remain
local to the netdev filters and do not overwrite the firmware's
permanent identity block.
Fixes: 19058be7c48c ("ionic: VF initial random MAC address if no assigned mac")
Signed-off-by: Mohammad Heib <mheib@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Brett Creeley <brett.creeley@amd.com>
Link: https://patch.msgid.link/20260317170806.35390-1-mheib@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/pensando/ionic/ionic_lif.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
index 058eea86e141c..38a827203a2f7 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
@@ -1719,13 +1719,18 @@ static int ionic_set_mac_address(struct net_device *netdev, void *sa)
if (ether_addr_equal(netdev->dev_addr, mac))
return 0;
- err = ionic_program_mac(lif, mac);
- if (err < 0)
- return err;
+ /* Only program macs for virtual functions to avoid losing the permanent
+ * Mac across warm reset/reboot.
+ */
+ if (lif->ionic->pdev->is_virtfn) {
+ err = ionic_program_mac(lif, mac);
+ if (err < 0)
+ return err;
- if (err > 0)
- netdev_dbg(netdev, "%s: SET and GET ATTR Mac are not equal-due to old FW running\n",
- __func__);
+ if (err > 0)
+ netdev_dbg(netdev, "%s: SET and GET ATTR Mac are not equal-due to old FW running\n",
+ __func__);
+ }
err = eth_prepare_mac_addr_change(netdev, addr);
if (err)
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 101/342] nfc: nci: fix circular locking dependency in nci_close_device
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 100/342] ionic: fix persistent MAC address override on PF Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 102/342] net: openvswitch: Avoid releasing netdev before teardown completes Greg Kroah-Hartman
` (257 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Ray, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 4527025d440ce84bf56e75ce1df2e84cb8178616 ]
nci_close_device() flushes rx_wq and tx_wq while holding req_lock.
This causes a circular locking dependency because nci_rx_work()
running on rx_wq can end up taking req_lock too:
nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete
-> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target
-> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock)
Move the flush of rx_wq after req_lock has been released.
This should safe (I think) because NCI_UP has already been cleared
and the transport is closed, so the work will see it and return
-ENETDOWN.
NIPA has been hitting this running the nci selftest with a debug
kernel on roughly 4% of the runs.
Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
Reviewed-by: Ian Ray <ian.ray@gehealthcare.com>
Link: https://patch.msgid.link/20260317193334.988609-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/nfc/nci/core.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index d334b7aa8c172..25ba4cbb00e1e 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -579,8 +579,7 @@ static int nci_close_device(struct nci_dev *ndev)
skb_queue_purge(&ndev->rx_q);
skb_queue_purge(&ndev->tx_q);
- /* Flush RX and TX wq */
- flush_workqueue(ndev->rx_wq);
+ /* Flush TX wq, RX wq flush can't be under the lock */
flush_workqueue(ndev->tx_wq);
/* Reset device */
@@ -592,13 +591,13 @@ static int nci_close_device(struct nci_dev *ndev)
msecs_to_jiffies(NCI_RESET_TIMEOUT));
/* After this point our queues are empty
- * and no works are scheduled.
+ * rx work may be running but will see that NCI_UP was cleared
*/
ndev->ops->close(ndev);
clear_bit(NCI_INIT, &ndev->flags);
- /* Flush cmd wq */
+ /* Flush cmd and tx wq */
flush_workqueue(ndev->cmd_wq);
timer_delete_sync(&ndev->cmd_timer);
@@ -613,6 +612,9 @@ static int nci_close_device(struct nci_dev *ndev)
mutex_unlock(&ndev->req_lock);
+ /* rx_work may take req_lock via nci_deactivate_target */
+ flush_workqueue(ndev->rx_wq);
+
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 102/342] net: openvswitch: Avoid releasing netdev before teardown completes
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 101/342] nfc: nci: fix circular locking dependency in nci_close_device Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 103/342] openvswitch: defer tunnel netdev_put to RCU release Greg Kroah-Hartman
` (256 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Minxi Hou,
Toke Høiland-Jørgensen, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Toke Høiland-Jørgensen <toke@redhat.com>
[ Upstream commit 7c770dadfda5cbbde6aa3c4363ed513f1d212bf8 ]
The patch cited in the Fixes tag below changed the teardown code for
OVS ports to no longer unconditionally take the RTNL. After this change,
the netdev_destroy() callback can proceed immediately to the call_rcu()
invocation if the IFF_OVS_DATAPATH flag is already cleared on the
netdev.
The ovs_netdev_detach_dev() function clears the flag before completing
the unregistration, and if it gets preempted after clearing the flag (as
can happen on an -rt kernel), netdev_destroy() can complete and the
device can be freed before the unregistration completes. This leads to a
splat like:
[ 998.393867] Oops: general protection fault, probably for non-canonical address 0xff00000001000239: 0000 [#1] SMP PTI
[ 998.393877] CPU: 42 UID: 0 PID: 55177 Comm: ip Kdump: loaded Not tainted 6.12.0-211.1.1.el10_2.x86_64+rt #1 PREEMPT_RT
[ 998.393886] Hardware name: Dell Inc. PowerEdge R740/0JMK61, BIOS 2.24.0 03/27/2025
[ 998.393889] RIP: 0010:dev_set_promiscuity+0x8d/0xa0
[ 998.393901] Code: 00 00 75 d8 48 8b 53 08 48 83 ba b0 02 00 00 00 75 ca 48 83 c4 08 5b c3 cc cc cc cc 48 83 bf 48 09 00 00 00 75 91 48 8b 47 08 <48> 83 b8 b0 02 00 00 00 74 97 eb 81 0f 1f 80 00 00 00 00 90 90 90
[ 998.393906] RSP: 0018:ffffce5864a5f6a0 EFLAGS: 00010246
[ 998.393912] RAX: ff00000000ffff89 RBX: ffff894d0adf5a05 RCX: 0000000000000000
[ 998.393917] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffff894d0adf5a05
[ 998.393921] RBP: ffff894d19252000 R08: ffff894d19252000 R09: 0000000000000000
[ 998.393924] R10: ffff894d19252000 R11: ffff894d192521b8 R12: 0000000000000006
[ 998.393927] R13: ffffce5864a5f738 R14: 00000000ffffffe2 R15: 0000000000000000
[ 998.393931] FS: 00007fad61971800(0000) GS:ffff894cc0140000(0000) knlGS:0000000000000000
[ 998.393936] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 998.393940] CR2: 000055df0a2a6e40 CR3: 000000011c7fe003 CR4: 00000000007726f0
[ 998.393944] PKRU: 55555554
[ 998.393946] Call Trace:
[ 998.393949] <TASK>
[ 998.393952] ? show_trace_log_lvl+0x1b0/0x2f0
[ 998.393961] ? show_trace_log_lvl+0x1b0/0x2f0
[ 998.393975] ? dp_device_event+0x41/0x80 [openvswitch]
[ 998.394009] ? __die_body.cold+0x8/0x12
[ 998.394016] ? die_addr+0x3c/0x60
[ 998.394027] ? exc_general_protection+0x16d/0x390
[ 998.394042] ? asm_exc_general_protection+0x26/0x30
[ 998.394058] ? dev_set_promiscuity+0x8d/0xa0
[ 998.394066] ? ovs_netdev_detach_dev+0x3a/0x80 [openvswitch]
[ 998.394092] dp_device_event+0x41/0x80 [openvswitch]
[ 998.394102] notifier_call_chain+0x5a/0xd0
[ 998.394106] unregister_netdevice_many_notify+0x51b/0xa60
[ 998.394110] rtnl_dellink+0x169/0x3e0
[ 998.394121] ? rt_mutex_slowlock.constprop.0+0x95/0xd0
[ 998.394125] rtnetlink_rcv_msg+0x142/0x3f0
[ 998.394128] ? avc_has_perm_noaudit+0x69/0xf0
[ 998.394130] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 998.394132] netlink_rcv_skb+0x50/0x100
[ 998.394138] netlink_unicast+0x292/0x3f0
[ 998.394141] netlink_sendmsg+0x21b/0x470
[ 998.394145] ____sys_sendmsg+0x39d/0x3d0
[ 998.394149] ___sys_sendmsg+0x9a/0xe0
[ 998.394156] __sys_sendmsg+0x7a/0xd0
[ 998.394160] do_syscall_64+0x7f/0x170
[ 998.394162] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 998.394165] RIP: 0033:0x7fad61bf4724
[ 998.394188] Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d c5 e9 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
[ 998.394189] RSP: 002b:00007ffd7e2f7cb8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
[ 998.394191] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fad61bf4724
[ 998.394193] RDX: 0000000000000000 RSI: 00007ffd7e2f7d20 RDI: 0000000000000003
[ 998.394194] RBP: 00007ffd7e2f7d90 R08: 0000000000000010 R09: 000000000000003f
[ 998.394195] R10: 000055df11558010 R11: 0000000000000202 R12: 00007ffd7e2f8380
[ 998.394196] R13: 0000000069b233d7 R14: 000055df0a256040 R15: 0000000000000000
[ 998.394200] </TASK>
To fix this, reorder the operations in ovs_netdev_detach_dev() to only
clear the flag after completing the other operations, and introduce an
smp_wmb() to make the ordering requirement explicit. The smp_wmb() is
paired with a full smp_mb() in netdev_destroy() to make sure the
call_rcu() invocation does not happen before the unregister operations
are visible.
Reported-by: Minxi Hou <mhou@redhat.com>
Tested-by: Minxi Hou <mhou@redhat.com>
Fixes: 549822767630 ("net: openvswitch: Avoid needlessly taking the RTNL on vport destroy")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Link: https://patch.msgid.link/20260318155554.1133405-1-toke@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/vport-netdev.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
index 6574f9bcdc026..c688dee96503f 100644
--- a/net/openvswitch/vport-netdev.c
+++ b/net/openvswitch/vport-netdev.c
@@ -151,11 +151,15 @@ static void vport_netdev_free(struct rcu_head *rcu)
void ovs_netdev_detach_dev(struct vport *vport)
{
ASSERT_RTNL();
- vport->dev->priv_flags &= ~IFF_OVS_DATAPATH;
netdev_rx_handler_unregister(vport->dev);
netdev_upper_dev_unlink(vport->dev,
netdev_master_upper_dev_get(vport->dev));
dev_set_promiscuity(vport->dev, -1);
+
+ /* paired with smp_mb() in netdev_destroy() */
+ smp_wmb();
+
+ vport->dev->priv_flags &= ~IFF_OVS_DATAPATH;
}
static void netdev_destroy(struct vport *vport)
@@ -174,6 +178,9 @@ static void netdev_destroy(struct vport *vport)
rtnl_unlock();
}
+ /* paired with smp_wmb() in ovs_netdev_detach_dev() */
+ smp_mb();
+
call_rcu(&vport->rcu, vport_netdev_free);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 103/342] openvswitch: defer tunnel netdev_put to RCU release
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 102/342] net: openvswitch: Avoid releasing netdev before teardown completes Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 104/342] openvswitch: validate MPLS set/set_masked payload length Greg Kroah-Hartman
` (255 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Ao Zhou,
Yuan Tan, Xin Liu, Ilya Maximets, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Yang <n05ec@lzu.edu.cn>
[ Upstream commit 6931d21f87bc6d657f145798fad0bf077b82486c ]
ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already
detached the device. Dropping the netdev reference in destroy can race
with concurrent readers that still observe vport->dev.
Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let
vport_netdev_free() drop the reference from the RCU callback, matching
the non-tunnel destroy path and avoiding additional synchronization
under RTNL.
Fixes: a9020fde67a6 ("openvswitch: Move tunnel destroy function to oppenvswitch module.")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Tested-by: Ao Zhou <n05ec@lzu.edu.cn>
Co-developed-by: Yuan Tan <tanyuan98@outlook.com>
Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yang Yang <n05ec@lzu.edu.cn>
Reviewed-by: Ilya Maximets <i.maximets@ovn.org>
Link: https://patch.msgid.link/20260319074241.3405262-1-n05ec@lzu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/vport-netdev.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
index c688dee96503f..12055af832dc0 100644
--- a/net/openvswitch/vport-netdev.c
+++ b/net/openvswitch/vport-netdev.c
@@ -196,8 +196,6 @@ void ovs_netdev_tunnel_destroy(struct vport *vport)
*/
if (vport->dev->reg_state == NETREG_REGISTERED)
rtnl_delete_link(vport->dev, 0, NULL);
- netdev_put(vport->dev, &vport->dev_tracker);
- vport->dev = NULL;
rtnl_unlock();
call_rcu(&vport->rcu, vport_netdev_free);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 104/342] openvswitch: validate MPLS set/set_masked payload length
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 103/342] openvswitch: defer tunnel netdev_put to RCU release Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 105/342] net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer Greg Kroah-Hartman
` (254 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Ao Zhou,
Yuan Tan, Xin Liu, Ilya Maximets, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Yang <n05ec@lzu.edu.cn>
[ Upstream commit 546b68ac893595877ffbd7751e5c55fd1c43ede6 ]
validate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for
SET/SET_MASKED actions. In action handling, OVS expects fixed-size
MPLS key data (struct ovs_key_mpls).
Use the already normalized key_len (masked case included) and reject
non-matching MPLS action key sizes.
Reject invalid MPLS action payload lengths early.
Fixes: fbdcdd78da7c ("Change in Openvswitch to support MPLS label depth of 3 in ingress direction")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Tested-by: Ao Zhou <n05ec@lzu.edu.cn>
Co-developed-by: Yuan Tan <tanyuan98@outlook.com>
Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yang Yang <n05ec@lzu.edu.cn>
Reviewed-by: Ilya Maximets <i.maximets@ovn.org>
Link: https://patch.msgid.link/20260319080228.3423307-1-n05ec@lzu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/flow_netlink.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 2d536901309ea..2dc4a6c2aecec 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2953,6 +2953,8 @@ static int validate_set(const struct nlattr *a,
case OVS_KEY_ATTR_MPLS:
if (!eth_p_mpls(eth_type))
return -EINVAL;
+ if (key_len != sizeof(struct ovs_key_mpls))
+ return -EINVAL;
break;
case OVS_KEY_ATTR_SCTP:
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 105/342] net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 104/342] openvswitch: validate MPLS set/set_masked payload length Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 106/342] rtnetlink: count IFLA_PARENT_DEV_{NAME,BUS_NAME} in if_nlmsg_size Greg Kroah-Hartman
` (253 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qi Tang, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qi Tang <tpluszz77@gmail.com>
[ Upstream commit 24dd586bb4cbba1889a50abe74143817a095c1c9 ]
smc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores
the pointer in pipe_buffer.private. The pipe_buf_operations for these
buffers used .get = generic_pipe_buf_get, which only increments the page
reference count when tee(2) duplicates a pipe buffer. The smc_spd_priv
pointer itself was not handled, so after tee() both the original and the
cloned pipe_buffer share the same smc_spd_priv *.
When both pipes are subsequently released, smc_rx_pipe_buf_release() is
called twice against the same object:
1st call: kfree(priv) sock_put(sk) smc_rx_update_cons() [correct]
2nd call: kfree(priv) sock_put(sk) smc_rx_update_cons() [UAF]
KASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which
then escalates to a NULL-pointer dereference and kernel panic via
smc_rx_update_consumer() when it chases the freed priv->smc pointer:
BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0
Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74
Call Trace:
<TASK>
dump_stack_lvl+0x53/0x70
print_report+0xce/0x650
kasan_report+0xc6/0x100
smc_rx_pipe_buf_release+0x78/0x2a0
free_pipe_info+0xd4/0x130
pipe_release+0x142/0x160
__fput+0x1c6/0x490
__x64_sys_close+0x4f/0x90
do_syscall_64+0xa6/0x1a0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
BUG: kernel NULL pointer dereference, address: 0000000000000020
RIP: 0010:smc_rx_update_consumer+0x8d/0x350
Call Trace:
<TASK>
smc_rx_pipe_buf_release+0x121/0x2a0
free_pipe_info+0xd4/0x130
pipe_release+0x142/0x160
__fput+0x1c6/0x490
__x64_sys_close+0x4f/0x90
do_syscall_64+0xa6/0x1a0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Kernel panic - not syncing: Fatal exception
Beyond the memory-safety problem, duplicating an SMC splice buffer is
semantically questionable: smc_rx_update_cons() would advance the
consumer cursor twice for the same data, corrupting receive-window
accounting. A refcount on smc_spd_priv could fix the double-free, but
the cursor-accounting issue would still need to be addressed separately.
The .get callback is invoked by both tee(2) and splice_pipe_to_pipe()
for partial transfers; both will now return -EFAULT. Users who need
to duplicate SMC socket data must use a copy-based read path.
Fixes: 9014db202cb7 ("smc: add support for splice()")
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
Link: https://patch.msgid.link/20260318064847.23341-1-tpluszz77@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/smc/smc_rx.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/smc/smc_rx.c b/net/smc/smc_rx.c
index e7f1134453ef4..4a3d7b405132e 100644
--- a/net/smc/smc_rx.c
+++ b/net/smc/smc_rx.c
@@ -135,9 +135,16 @@ static void smc_rx_pipe_buf_release(struct pipe_inode_info *pipe,
sock_put(sk);
}
+static bool smc_rx_pipe_buf_get(struct pipe_inode_info *pipe,
+ struct pipe_buffer *buf)
+{
+ /* smc_spd_priv in buf->private is not shareable; disallow cloning. */
+ return false;
+}
+
static const struct pipe_buf_operations smc_pipe_ops = {
.release = smc_rx_pipe_buf_release,
- .get = generic_pipe_buf_get
+ .get = smc_rx_pipe_buf_get,
};
static void smc_rx_spd_release(struct splice_pipe_desc *spd,
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 106/342] rtnetlink: count IFLA_PARENT_DEV_{NAME,BUS_NAME} in if_nlmsg_size
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 105/342] net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer Greg Kroah-Hartman
@ 2026-03-31 16:18 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 107/342] rtnetlink: count IFLA_INFO_SLAVE_KIND " Greg Kroah-Hartman
` (252 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, Jakub Kicinski,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit 52501989c76206462d9b11a8485beef40ef41821 ]
Commit 00e77ed8e64d ("rtnetlink: add IFLA_PARENT_[DEV|DEV_BUS]_NAME")
added those attributes to rtnl_fill_ifinfo, but forgot to extend
if_nlmsg_size.
Fixes: 00e77ed8e64d ("rtnetlink: add IFLA_PARENT_[DEV|DEV_BUS]_NAME")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/0b849da95562af45487080528d60f578636aba5c.1773919462.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/rtnetlink.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index b1ed55141d8a7..63cbba9e46b93 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1267,6 +1267,21 @@ static size_t rtnl_dpll_pin_size(const struct net_device *dev)
return size;
}
+static size_t rtnl_dev_parent_size(const struct net_device *dev)
+{
+ size_t size = 0;
+
+ /* IFLA_PARENT_DEV_NAME */
+ if (dev->dev.parent)
+ size += nla_total_size(strlen(dev_name(dev->dev.parent)) + 1);
+
+ /* IFLA_PARENT_DEV_BUS_NAME */
+ if (dev->dev.parent && dev->dev.parent->bus)
+ size += nla_total_size(strlen(dev->dev.parent->bus->name) + 1);
+
+ return size;
+}
+
static noinline size_t if_nlmsg_size(const struct net_device *dev,
u32 ext_filter_mask)
{
@@ -1328,6 +1343,7 @@ static noinline size_t if_nlmsg_size(const struct net_device *dev,
+ nla_total_size(8) /* IFLA_MAX_PACING_OFFLOAD_HORIZON */
+ nla_total_size(2) /* IFLA_HEADROOM */
+ nla_total_size(2) /* IFLA_TAILROOM */
+ + rtnl_dev_parent_size(dev)
+ 0;
if (!(ext_filter_mask & RTEXT_FILTER_SKIP_STATS))
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 107/342] rtnetlink: count IFLA_INFO_SLAVE_KIND in if_nlmsg_size
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-03-31 16:18 ` [PATCH 6.19 106/342] rtnetlink: count IFLA_PARENT_DEV_{NAME,BUS_NAME} in if_nlmsg_size Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 108/342] net: bcmasp: streamline early exit in probe Greg Kroah-Hartman
` (251 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Pirko, Sabrina Dubroca,
Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit ee00a12593ffb69db4dd1a1c00ecb0253376874a ]
rtnl_link_get_slave_info_data_size counts IFLA_INFO_SLAVE_DATA, but
rtnl_link_slave_info_fill adds both IFLA_INFO_SLAVE_DATA and
IFLA_INFO_SLAVE_KIND.
Fixes: ba7d49b1f0f8 ("rtnetlink: provide api for getting and setting slave info")
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/049843b532e23cde7ddba263c0bbe35ba6f0d26d.1773919462.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/rtnetlink.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 63cbba9e46b93..6cdf6ee8be216 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -707,11 +707,14 @@ static size_t rtnl_link_get_slave_info_data_size(const struct net_device *dev)
goto out;
ops = master_dev->rtnl_link_ops;
- if (!ops || !ops->get_slave_size)
+ if (!ops)
+ goto out;
+ size += nla_total_size(strlen(ops->kind) + 1); /* IFLA_INFO_SLAVE_KIND */
+ if (!ops->get_slave_size)
goto out;
/* IFLA_INFO_SLAVE_DATA + nested data */
- size = nla_total_size(sizeof(struct nlattr)) +
- ops->get_slave_size(master_dev, dev);
+ size += nla_total_size(sizeof(struct nlattr)) +
+ ops->get_slave_size(master_dev, dev);
out:
rcu_read_unlock();
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 108/342] net: bcmasp: streamline early exit in probe
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 107/342] rtnetlink: count IFLA_INFO_SLAVE_KIND " Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 109/342] net: bcmasp: fix double free of WoL irq Greg Kroah-Hartman
` (250 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Chen, Florian Fainelli,
Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Chen <justin.chen@broadcom.com>
[ Upstream commit 1fd1281250c38408d793863c8dcaa43c7de8932c ]
Streamline the bcmasp_probe early exit. As support for other
functionality is added(i.e. ptp), it is easier to keep track of early
exit cleanup when it is all in one place.
Signed-off-by: Justin Chen <justin.chen@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20260122194949.1145107-3-justin.chen@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: cbfa5be2bf64 ("net: bcmasp: fix double free of WoL irq")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/asp2/bcmasp.c | 27 +++++++++++----------
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp.c b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
index 014340f33345a..de5f540f78049 100644
--- a/drivers/net/ethernet/broadcom/asp2/bcmasp.c
+++ b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
@@ -1322,6 +1322,8 @@ static int bcmasp_probe(struct platform_device *pdev)
bcmasp_core_init_filters(priv);
+ bcmasp_init_wol(priv);
+
ports_node = of_find_node_by_name(dev->of_node, "ethernet-ports");
if (!ports_node) {
dev_warn(dev, "No ports found\n");
@@ -1333,16 +1335,14 @@ static int bcmasp_probe(struct platform_device *pdev)
intf = bcmasp_interface_create(priv, intf_node, i);
if (!intf) {
dev_err(dev, "Cannot create eth interface %d\n", i);
- bcmasp_remove_intfs(priv);
- ret = -ENOMEM;
- goto of_put_exit;
+ of_node_put(ports_node);
+ ret = -EINVAL;
+ goto err_cleanup;
}
list_add_tail(&intf->list, &priv->intfs);
i++;
}
-
- /* Check and enable WoL */
- bcmasp_init_wol(priv);
+ of_node_put(ports_node);
/* Drop the clock reference count now and let ndo_open()/ndo_close()
* manage it for us from now on.
@@ -1357,19 +1357,20 @@ static int bcmasp_probe(struct platform_device *pdev)
list_for_each_entry(intf, &priv->intfs, list) {
ret = register_netdev(intf->ndev);
if (ret) {
- netdev_err(intf->ndev,
- "failed to register net_device: %d\n", ret);
- bcmasp_wol_irq_destroy(priv);
- bcmasp_remove_intfs(priv);
- goto of_put_exit;
+ dev_err(dev, "failed to register net_device: %d\n", ret);
+ goto err_cleanup;
}
count++;
}
dev_info(dev, "Initialized %d port(s)\n", count);
-of_put_exit:
- of_node_put(ports_node);
+ return ret;
+
+err_cleanup:
+ bcmasp_wol_irq_destroy(priv);
+ bcmasp_remove_intfs(priv);
+
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 109/342] net: bcmasp: fix double free of WoL irq
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 108/342] net: bcmasp: streamline early exit in probe Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 110/342] net: bcmasp: fix double disable of clk Greg Kroah-Hartman
` (249 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Chen, Florian Fainelli,
Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Chen <justin.chen@broadcom.com>
[ Upstream commit cbfa5be2bf64511d49b854a0f9fd6d0b5118621f ]
We do not need to free wol_irq since it was instantiated with
devm_request_irq(). So devres will free for us.
Fixes: a2f0751206b0 ("net: bcmasp: Add support for WoL magic packet")
Signed-off-by: Justin Chen <justin.chen@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20260319234813.1937315-2-justin.chen@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/asp2/bcmasp.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp.c b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
index de5f540f78049..fac795ac0fcee 100644
--- a/drivers/net/ethernet/broadcom/asp2/bcmasp.c
+++ b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
@@ -1157,12 +1157,6 @@ void bcmasp_enable_wol(struct bcmasp_intf *intf, bool en)
}
}
-static void bcmasp_wol_irq_destroy(struct bcmasp_priv *priv)
-{
- if (priv->wol_irq > 0)
- free_irq(priv->wol_irq, priv);
-}
-
static void bcmasp_eee_fixup(struct bcmasp_intf *intf, bool en)
{
u32 reg, phy_lpi_overwrite;
@@ -1368,7 +1362,6 @@ static int bcmasp_probe(struct platform_device *pdev)
return ret;
err_cleanup:
- bcmasp_wol_irq_destroy(priv);
bcmasp_remove_intfs(priv);
return ret;
@@ -1381,7 +1374,6 @@ static void bcmasp_remove(struct platform_device *pdev)
if (!priv)
return;
- bcmasp_wol_irq_destroy(priv);
bcmasp_remove_intfs(priv);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 110/342] net: bcmasp: fix double disable of clk
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 109/342] net: bcmasp: fix double free of WoL irq Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 111/342] platform/x86: ISST: Check HWP support before MSR access Greg Kroah-Hartman
` (248 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Chen, Florian Fainelli,
Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Chen <justin.chen@broadcom.com>
[ Upstream commit 27dfe9030acbc601c260b42ecdbb4e5858a97b53 ]
Switch to devm_clk_get_optional() so we can manage the clock ourselves.
We dynamically control the clocks depending on the state of the interface
for power savings. The default state is clock disabled, so unbinding the
driver causes a double disable.
Fixes: 490cb412007d ("net: bcmasp: Add support for ASP2.0 Ethernet controller")
Signed-off-by: Justin Chen <justin.chen@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20260319234813.1937315-3-justin.chen@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/asp2/bcmasp.c | 33 ++++++++++++++-------
1 file changed, 23 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp.c b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
index fac795ac0fcee..1fdf0822c8a02 100644
--- a/drivers/net/ethernet/broadcom/asp2/bcmasp.c
+++ b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
@@ -1254,7 +1254,7 @@ static int bcmasp_probe(struct platform_device *pdev)
if (priv->irq <= 0)
return -EINVAL;
- priv->clk = devm_clk_get_optional_enabled(dev, "sw_asp");
+ priv->clk = devm_clk_get_optional(dev, "sw_asp");
if (IS_ERR(priv->clk))
return dev_err_probe(dev, PTR_ERR(priv->clk),
"failed to request clock\n");
@@ -1282,6 +1282,10 @@ static int bcmasp_probe(struct platform_device *pdev)
bcmasp_set_pdata(priv, pdata);
+ ret = clk_prepare_enable(priv->clk);
+ if (ret)
+ return dev_err_probe(dev, ret, "failed to start clock\n");
+
/* Enable all clocks to ensure successful probing */
bcmasp_core_clock_set(priv, ASP_CTRL_CLOCK_CTRL_ASP_ALL_DISABLE, 0);
@@ -1293,8 +1297,10 @@ static int bcmasp_probe(struct platform_device *pdev)
ret = devm_request_irq(&pdev->dev, priv->irq, bcmasp_isr, 0,
pdev->name, priv);
- if (ret)
- return dev_err_probe(dev, ret, "failed to request ASP interrupt: %d", ret);
+ if (ret) {
+ dev_err(dev, "Failed to request ASP interrupt: %d", ret);
+ goto err_clock_disable;
+ }
/* Register mdio child nodes */
of_platform_populate(dev->of_node, bcmasp_mdio_of_match, NULL, dev);
@@ -1306,13 +1312,17 @@ static int bcmasp_probe(struct platform_device *pdev)
priv->mda_filters = devm_kcalloc(dev, priv->num_mda_filters,
sizeof(*priv->mda_filters), GFP_KERNEL);
- if (!priv->mda_filters)
- return -ENOMEM;
+ if (!priv->mda_filters) {
+ ret = -ENOMEM;
+ goto err_clock_disable;
+ }
priv->net_filters = devm_kcalloc(dev, priv->num_net_filters,
sizeof(*priv->net_filters), GFP_KERNEL);
- if (!priv->net_filters)
- return -ENOMEM;
+ if (!priv->net_filters) {
+ ret = -ENOMEM;
+ goto err_clock_disable;
+ }
bcmasp_core_init_filters(priv);
@@ -1321,7 +1331,8 @@ static int bcmasp_probe(struct platform_device *pdev)
ports_node = of_find_node_by_name(dev->of_node, "ethernet-ports");
if (!ports_node) {
dev_warn(dev, "No ports found\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_clock_disable;
}
i = 0;
@@ -1343,8 +1354,6 @@ static int bcmasp_probe(struct platform_device *pdev)
*/
bcmasp_core_clock_set(priv, 0, ASP_CTRL_CLOCK_CTRL_ASP_ALL_DISABLE);
- clk_disable_unprepare(priv->clk);
-
/* Now do the registration of the network ports which will take care
* of managing the clock properly.
*/
@@ -1357,12 +1366,16 @@ static int bcmasp_probe(struct platform_device *pdev)
count++;
}
+ clk_disable_unprepare(priv->clk);
+
dev_info(dev, "Initialized %d port(s)\n", count);
return ret;
err_cleanup:
bcmasp_remove_intfs(priv);
+err_clock_disable:
+ clk_disable_unprepare(priv->clk);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 111/342] platform/x86: ISST: Check HWP support before MSR access
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 110/342] net: bcmasp: fix double disable of clk Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 112/342] platform/x86: lenovo: wmi-gamezone: Drop gz_chain_head Greg Kroah-Hartman
` (247 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li RongQing, Srinivas Pandruvada,
Ilpo Järvinen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li RongQing <lirongqing@baidu.com>
[ Upstream commit 9f11d9b15efb5f77e810b6dfbeb01b4650a79eae ]
On some systems, HWP can be explicitly disabled in the BIOS settings
When HWP is disabled by firmware, the HWP CPUID bit is not set, and
attempting to read MSR_PM_ENABLE will result in a General Protection
(GP) fault.
unchecked MSR access error: RDMSR from 0x770 at rIP: 0xffffffffc33db92e (disable_dynamic_sst_features+0xe/0x50 [isst_tpmi_core])
Call Trace:
<TASK>
? ex_handler_msr+0xf6/0x150
? fixup_exception+0x1ad/0x340
? gp_try_fixup_and_notify+0x1e/0xb0
? exc_general_protection+0xc9/0x390
? terminate_walk+0x64/0x100
? asm_exc_general_protection+0x22/0x30
? disable_dynamic_sst_features+0xe/0x50 [isst_tpmi_core]
isst_if_def_ioctl+0xece/0x1050 [isst_tpmi_core]
? ioctl_has_perm.constprop.42+0xe0/0x130
isst_if_def_ioctl+0x10d/0x1a0 [isst_if_common]
__se_sys_ioctl+0x86/0xc0
do_syscall_64+0x8a/0x100
entry_SYSCALL_64_after_hwframe+0x78/0xe2
RIP: 0033:0x7f36eaef54a7
Add a check for X86_FEATURE_HWP before accessing the MSR. If HWP is
not available, return true safely.
Fixes: 12a7d2cb811d ("platform/x86: ISST: Add SST-CP support via TPMI")
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Link: https://patch.msgid.link/20260303074635.2218-1-lirongqing@baidu.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c b/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
index 13b11c3a2ec4e..e657b88bfd36e 100644
--- a/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
+++ b/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
@@ -558,6 +558,9 @@ static bool disable_dynamic_sst_features(void)
{
u64 value;
+ if (!static_cpu_has(X86_FEATURE_HWP))
+ return true;
+
rdmsrq(MSR_PM_ENABLE, value);
return !(value & 0x1);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 112/342] platform/x86: lenovo: wmi-gamezone: Drop gz_chain_head
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 111/342] platform/x86: ISST: Check HWP support before MSR access Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 113/342] platform/olpc: olpc-xo175-ec: Fix overflow error message to print inlen Greg Kroah-Hartman
` (246 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Mark Pearson,
Ilpo Järvinen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit 5a3955f3602950d1888df743a5b1889e43b5cb60 ]
The gz_chain_head variable has been unused since the driver's initial
addition to the tree. Its use was eliminated between v3 and v4 during
development but due to the reference of gz_chain_head's wait_list
member, the compiler could not warn that it was unused.
After a (tip) commit ("locking/rwsem: Remove the list_head from struct
rw_semaphore"), which removed a reference to the variable passed to
__RWSEM_INITIALIZER(), certain configurations show an unused variable
warning from the Lenovo wmi-gamezone driver:
drivers/platform/x86/lenovo/wmi-gamezone.c:34:31: warning: 'gz_chain_head' defined but not used [-Wunused-variable]
34 | static BLOCKING_NOTIFIER_HEAD(gz_chain_head);
| ^~~~~~~~~~~~~
include/linux/notifier.h:119:39: note: in definition of macro 'BLOCKING_NOTIFIER_HEAD'
119 | struct blocking_notifier_head name = \
| ^~~~
Remove the variable to prevent the warning from showing up.
Fixes: 22024ac5366f ("platform/x86: Add Lenovo Gamezone WMI Driver")
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Link: https://patch.msgid.link/20260313-lenovo-wmi-gamezone-remove-gz_chain_head-v1-1-ce5231f0c6fa@kernel.org
[ij: reorganized the changelog]
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/lenovo/wmi-gamezone.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/platform/x86/lenovo/wmi-gamezone.c b/drivers/platform/x86/lenovo/wmi-gamezone.c
index 381836d29a964..c7fe7e3c9f179 100644
--- a/drivers/platform/x86/lenovo/wmi-gamezone.c
+++ b/drivers/platform/x86/lenovo/wmi-gamezone.c
@@ -31,8 +31,6 @@
#define LWMI_GZ_METHOD_ID_SMARTFAN_SET 44
#define LWMI_GZ_METHOD_ID_SMARTFAN_GET 45
-static BLOCKING_NOTIFIER_HEAD(gz_chain_head);
-
struct lwmi_gz_priv {
enum thermal_mode current_mode;
struct notifier_block event_nb;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 113/342] platform/olpc: olpc-xo175-ec: Fix overflow error message to print inlen
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 112/342] platform/x86: lenovo: wmi-gamezone: Drop gz_chain_head Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 114/342] platform/x86: intel-hid: disable wakeup_mode during hibernation Greg Kroah-Hartman
` (245 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Lubomir Rintel,
Randy Dunlap, Ilpo Järvinen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 2061f7b042f88d372cca79615f8425f3564c0b40 ]
The command length check validates inlen (> 5), but the error message
incorrectly printed resp_len. Print inlen so the log reflects the
actual command length.
Fixes: 0c3d931b3ab9e ("Platform: OLPC: Add XO-1.75 EC driver")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Acked-by: Lubomir Rintel <lkundrak@v3.sk>
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://patch.msgid.link/20260310130138.700687-1-alok.a.tiwari@oracle.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/olpc/olpc-xo175-ec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/olpc/olpc-xo175-ec.c b/drivers/platform/olpc/olpc-xo175-ec.c
index fa7b3bda688a6..bee271a4fda1a 100644
--- a/drivers/platform/olpc/olpc-xo175-ec.c
+++ b/drivers/platform/olpc/olpc-xo175-ec.c
@@ -482,7 +482,7 @@ static int olpc_xo175_ec_cmd(u8 cmd, u8 *inbuf, size_t inlen, u8 *resp,
dev_dbg(dev, "CMD %x, %zd bytes expected\n", cmd, resp_len);
if (inlen > 5) {
- dev_err(dev, "command len %zd too big!\n", resp_len);
+ dev_err(dev, "command len %zd too big!\n", inlen);
return -EOVERFLOW;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 114/342] platform/x86: intel-hid: disable wakeup_mode during hibernation
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 113/342] platform/olpc: olpc-xo175-ec: Fix overflow error message to print inlen Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 115/342] ice: fix inverted ready check for VF representors Greg Kroah-Hartman
` (244 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David McFarland, Ilpo Järvinen,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: David McFarland <corngood@gmail.com>
[ Upstream commit e02ea3ae8ee40d5835a845884c7b161a27c10bcb ]
Add a freeze handler which clears wakeup_mode. This fixes aborted hibernation on
Dell Precision 3880.
Wakeup event detected during hibernation, rolling back
This system sends power button events during hibernation, even when triggered by
software.
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218634
Fixes: 0c4cae1bc00d ("PM: hibernate: Avoid missing wakeup events during hibernation")
Signed-off-by: David McFarland <corngood@gmail.com>
Link: https://patch.msgid.link/20260205231629.1336348-1-corngood@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel/hid.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel/hid.c b/drivers/platform/x86/intel/hid.c
index f2b309f6e458a..c5e80887d0cb0 100644
--- a/drivers/platform/x86/intel/hid.c
+++ b/drivers/platform/x86/intel/hid.c
@@ -432,6 +432,14 @@ static int intel_hid_pl_suspend_handler(struct device *device)
return 0;
}
+static int intel_hid_pl_freeze_handler(struct device *device)
+{
+ struct intel_hid_priv *priv = dev_get_drvdata(device);
+
+ priv->wakeup_mode = false;
+ return intel_hid_pl_suspend_handler(device);
+}
+
static int intel_hid_pl_resume_handler(struct device *device)
{
intel_hid_pm_complete(device);
@@ -446,7 +454,7 @@ static int intel_hid_pl_resume_handler(struct device *device)
static const struct dev_pm_ops intel_hid_pl_pm_ops = {
.prepare = intel_hid_pm_prepare,
.complete = intel_hid_pm_complete,
- .freeze = intel_hid_pl_suspend_handler,
+ .freeze = intel_hid_pl_freeze_handler,
.thaw = intel_hid_pl_resume_handler,
.restore = intel_hid_pl_resume_handler,
.suspend = intel_hid_pl_suspend_handler,
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 115/342] ice: fix inverted ready check for VF representors
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 114/342] platform/x86: intel-hid: disable wakeup_mode during hibernation Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 116/342] ice: use ice_update_eth_stats() for representor stats Greg Kroah-Hartman
` (243 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Aleksandr Loktionov,
Michal Swiatkowski, Patryk Holda, Tony Nguyen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit ad85de0fc09eb3236e73df5acb2bc257625103f5 ]
Commit 0f00a897c9fcbd ("ice: check if SF is ready in ethtool ops")
refactored the VF readiness check into a generic repr->ops.ready()
callback but implemented ice_repr_ready_vf() with inverted logic:
return !ice_check_vf_ready_for_cfg(repr->vf);
ice_check_vf_ready_for_cfg() returns 0 on success, so the negation
makes ready() return non-zero when the VF is ready. All callers treat
non-zero as "not ready, skip", causing ndo_get_stats64, get_drvinfo,
get_strings and get_ethtool_stats to always bail out in switchdev mode.
Remove the erroneous negation. The SF variant ice_repr_ready_sf() is
already correct (returns !active, i.e. non-zero when not active).
Fixes: 0f00a897c9fcbd ("ice: check if SF is ready in ethtool ops")
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Tested-by: Patryk Holda <patryk.holda@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_repr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_repr.c b/drivers/net/ethernet/intel/ice/ice_repr.c
index cb08746556a67..2a84f65640582 100644
--- a/drivers/net/ethernet/intel/ice/ice_repr.c
+++ b/drivers/net/ethernet/intel/ice/ice_repr.c
@@ -315,7 +315,7 @@ ice_repr_reg_netdev(struct net_device *netdev, const struct net_device_ops *ops)
static int ice_repr_ready_vf(struct ice_repr *repr)
{
- return !ice_check_vf_ready_for_cfg(repr->vf);
+ return ice_check_vf_ready_for_cfg(repr->vf);
}
static int ice_repr_ready_sf(struct ice_repr *repr)
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 116/342] ice: use ice_update_eth_stats() for representor stats
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 115/342] ice: fix inverted ready check for VF representors Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 117/342] iavf: fix out-of-bounds writes in iavf_get_ethtool_stats() Greg Kroah-Hartman
` (242 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Aleksandr Loktionov,
Patryk Holda, Tony Nguyen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 2526e440df2725e7328d59b835a164826f179b93 ]
ice_repr_get_stats64() and __ice_get_ethtool_stats() call
ice_update_vsi_stats() on the VF's src_vsi. This always returns early
because ICE_VSI_DOWN is permanently set for VF VSIs - ice_up() is never
called on them since queues are managed by iavf through virtchnl.
In __ice_get_ethtool_stats() the original code called
ice_update_vsi_stats() for all VSIs including representors, iterated
over ice_gstrings_vsi_stats[] to populate the data, and then bailed out
with an early return before the per-queue ring stats section. That early
return was necessary because representor VSIs have no rings on the PF
side - the rings belong to the VF driver (iavf), so accessing per-queue
stats would be invalid.
Move the representor handling to the top of __ice_get_ethtool_stats()
and call ice_update_eth_stats() directly to read the hardware GLV_*
counters. This matches ice_get_vf_stats() which already uses
ice_update_eth_stats() for the same VF VSI in legacy mode. Apply the
same fix to ice_repr_get_stats64().
Note that ice_gstrings_vsi_stats[] contains five software ring counters
(rx_buf_failed, rx_page_failed, tx_linearize, tx_busy, tx_restart) that
are always zero for representors since the PF never processes packets on
VF rings. This is pre-existing behavior unchanged by this patch.
Fixes: 7aae80cef7ba ("ice: add port representor ethtool ops and stats")
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Patryk Holda <patryk.holda@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_ethtool.c | 14 +++++++++++---
drivers/net/ethernet/intel/ice/ice_repr.c | 3 ++-
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
index fa4c7ae9ff6b1..3125dc1b27654 100644
--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
+++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
@@ -1930,6 +1930,17 @@ __ice_get_ethtool_stats(struct net_device *netdev,
int i = 0;
char *p;
+ if (ice_is_port_repr_netdev(netdev)) {
+ ice_update_eth_stats(vsi);
+
+ for (j = 0; j < ICE_VSI_STATS_LEN; j++) {
+ p = (char *)vsi + ice_gstrings_vsi_stats[j].stat_offset;
+ data[i++] = (ice_gstrings_vsi_stats[j].sizeof_stat ==
+ sizeof(u64)) ? *(u64 *)p : *(u32 *)p;
+ }
+ return;
+ }
+
ice_update_pf_stats(pf);
ice_update_vsi_stats(vsi);
@@ -1939,9 +1950,6 @@ __ice_get_ethtool_stats(struct net_device *netdev,
sizeof(u64)) ? *(u64 *)p : *(u32 *)p;
}
- if (ice_is_port_repr_netdev(netdev))
- return;
-
/* populate per queue stats */
rcu_read_lock();
diff --git a/drivers/net/ethernet/intel/ice/ice_repr.c b/drivers/net/ethernet/intel/ice/ice_repr.c
index 2a84f65640582..f1e82ba155cff 100644
--- a/drivers/net/ethernet/intel/ice/ice_repr.c
+++ b/drivers/net/ethernet/intel/ice/ice_repr.c
@@ -2,6 +2,7 @@
/* Copyright (C) 2019-2021, Intel Corporation. */
#include "ice.h"
+#include "ice_lib.h"
#include "ice_eswitch.h"
#include "devlink/devlink.h"
#include "devlink/port.h"
@@ -67,7 +68,7 @@ ice_repr_get_stats64(struct net_device *netdev, struct rtnl_link_stats64 *stats)
return;
vsi = repr->src_vsi;
- ice_update_vsi_stats(vsi);
+ ice_update_eth_stats(vsi);
eth_stats = &vsi->eth_stats;
stats->tx_packets = eth_stats->tx_unicast + eth_stats->tx_broadcast +
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 117/342] iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 116/342] ice: use ice_update_eth_stats() for representor stats Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 118/342] ipv6: Remove permanent routes from tb6_gc_hlist when all exceptions expire Greg Kroah-Hartman
` (241 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kohei Enju, Simon Horman,
Przemek Kitszel, Paul Menzel, Rafal Romanowski, Tony Nguyen,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kohei Enju <kohei@enjuk.jp>
[ Upstream commit fecacfc95f195b99c71c579a472120d0b4ed65fa ]
iavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since the
value could change in runtime, we should use num_tx_queues instead.
Moreover iavf_get_ethtool_stats() uses num_active_queues while
iavf_get_sset_count() and iavf_get_stat_strings() use
real_num_tx_queues, which triggers out-of-bounds writes when we do
"ethtool -L" and "ethtool -S" simultaneously [1].
For example when we change channels from 1 to 8, Thread 3 could be
scheduled before Thread 2, and out-of-bounds writes could be triggered
in Thread 3:
Thread 1 (ethtool -L) Thread 2 (work) Thread 3 (ethtool -S)
iavf_set_channels()
...
iavf_alloc_queues()
-> num_active_queues = 8
iavf_schedule_finish_config()
iavf_get_sset_count()
real_num_tx_queues: 1
-> buffer for 1 queue
iavf_get_ethtool_stats()
num_active_queues: 8
-> out-of-bounds!
iavf_finish_config()
-> real_num_tx_queues = 8
Use immutable num_tx_queues in all related functions to avoid the issue.
[1]
BUG: KASAN: vmalloc-out-of-bounds in iavf_add_one_ethtool_stat+0x200/0x270
Write of size 8 at addr ffffc900031c9080 by task ethtool/5800
CPU: 1 UID: 0 PID: 5800 Comm: ethtool Not tainted 6.19.0-enjuk-08403-g8137e3db7f1c #241 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xb0
print_report+0x170/0x4f3
kasan_report+0xe1/0x180
iavf_add_one_ethtool_stat+0x200/0x270
iavf_get_ethtool_stats+0x14c/0x2e0
__dev_ethtool+0x3d0c/0x5830
dev_ethtool+0x12d/0x270
dev_ioctl+0x53c/0xe30
sock_do_ioctl+0x1a9/0x270
sock_ioctl+0x3d4/0x5e0
__x64_sys_ioctl+0x137/0x1c0
do_syscall_64+0xf3/0x690
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7da0e6e36d
...
</TASK>
The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900031c9000 allocated at __dev_ethtool+0x3cc9/0x5830
The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000
index:0xffff88813a013de0 pfn:0x13a013
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88813a013de0 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffffc900031c8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc900031c9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900031c9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc900031c9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc900031c9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Fixes: 64430f70ba6f ("iavf: Fix displaying queue statistics shown by ethtool")
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/intel/iavf/iavf_ethtool.c | 31 +++++++++----------
1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
index 6ff3842a1ff1f..98bec3afc2006 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
@@ -313,14 +313,13 @@ static int iavf_get_sset_count(struct net_device *netdev, int sset)
{
/* Report the maximum number queues, even if not every queue is
* currently configured. Since allocation of queues is in pairs,
- * use netdev->real_num_tx_queues * 2. The real_num_tx_queues is set
- * at device creation and never changes.
+ * use netdev->num_tx_queues * 2. The num_tx_queues is set at
+ * device creation and never changes.
*/
if (sset == ETH_SS_STATS)
return IAVF_STATS_LEN +
- (IAVF_QUEUE_STATS_LEN * 2 *
- netdev->real_num_tx_queues);
+ (IAVF_QUEUE_STATS_LEN * 2 * netdev->num_tx_queues);
else
return -EINVAL;
}
@@ -345,19 +344,19 @@ static void iavf_get_ethtool_stats(struct net_device *netdev,
iavf_add_ethtool_stats(&data, adapter, iavf_gstrings_stats);
rcu_read_lock();
- /* As num_active_queues describe both tx and rx queues, we can use
- * it to iterate over rings' stats.
+ /* Use num_tx_queues to report stats for the maximum number of queues.
+ * Queues beyond num_active_queues will report zero.
*/
- for (i = 0; i < adapter->num_active_queues; i++) {
- struct iavf_ring *ring;
+ for (i = 0; i < netdev->num_tx_queues; i++) {
+ struct iavf_ring *tx_ring = NULL, *rx_ring = NULL;
- /* Tx rings stats */
- ring = &adapter->tx_rings[i];
- iavf_add_queue_stats(&data, ring);
+ if (i < adapter->num_active_queues) {
+ tx_ring = &adapter->tx_rings[i];
+ rx_ring = &adapter->rx_rings[i];
+ }
- /* Rx rings stats */
- ring = &adapter->rx_rings[i];
- iavf_add_queue_stats(&data, ring);
+ iavf_add_queue_stats(&data, tx_ring);
+ iavf_add_queue_stats(&data, rx_ring);
}
rcu_read_unlock();
}
@@ -376,9 +375,9 @@ static void iavf_get_stat_strings(struct net_device *netdev, u8 *data)
iavf_add_stat_strings(&data, iavf_gstrings_stats);
/* Queues are always allocated in pairs, so we just use
- * real_num_tx_queues for both Tx and Rx queues.
+ * num_tx_queues for both Tx and Rx queues.
*/
- for (i = 0; i < netdev->real_num_tx_queues; i++) {
+ for (i = 0; i < netdev->num_tx_queues; i++) {
iavf_add_stat_strings(&data, iavf_gstrings_queue_stats,
"tx", i);
iavf_add_stat_strings(&data, iavf_gstrings_queue_stats,
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 118/342] ipv6: Remove permanent routes from tb6_gc_hlist when all exceptions expire.
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 117/342] iavf: fix out-of-bounds writes in iavf_get_ethtool_stats() Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 119/342] ipv6: Dont remove permanent routes with exceptions from tb6_gc_hlist Greg Kroah-Hartman
` (240 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Xin Long,
David Ahern, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 6af51e9f31336632263c4680b2a3712295103e1f ]
Commit 5eb902b8e719 ("net/ipv6: Remove expired routes with a
separated list of routes.") introduced a per-table GC list and
changed GC to iterate over that list instead of traversing
the entire route table.
However, it forgot to add permanent routes to tb6_gc_hlist
when exception routes are added.
Commit cfe82469a00f ("ipv6: add exception routes to GC list
in rt6_insert_exception") fixed that issue but introduced
another one.
Even after all exception routes expire, the permanent routes
remain in tb6_gc_hlist, potentially negating the performance
benefits intended by the initial change.
Let's count gc_args->more before and after rt6_age_exceptions()
and remove the permanent route when the delta is 0.
Note that the next patch will reuse fib6_age_exceptions().
Fixes: cfe82469a00f ("ipv6: add exception routes to GC list in rt6_insert_exception")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260320072317.2561779-2-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_fib.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index cc149227b49f4..a22af1c8f93ac 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -2348,6 +2348,17 @@ static void fib6_flush_trees(struct net *net)
/*
* Garbage collection
*/
+static void fib6_age_exceptions(struct fib6_info *rt, struct fib6_gc_args *gc_args,
+ unsigned long now)
+{
+ bool may_expire = rt->fib6_flags & RTF_EXPIRES && rt->expires;
+ int old_more = gc_args->more;
+
+ rt6_age_exceptions(rt, gc_args, now);
+
+ if (!may_expire && old_more == gc_args->more)
+ fib6_remove_gc_list(rt);
+}
static int fib6_age(struct fib6_info *rt, struct fib6_gc_args *gc_args)
{
@@ -2370,7 +2381,7 @@ static int fib6_age(struct fib6_info *rt, struct fib6_gc_args *gc_args)
* Note, that clones are aged out
* only if they are not in use now.
*/
- rt6_age_exceptions(rt, gc_args, now);
+ fib6_age_exceptions(rt, gc_args, now);
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 119/342] ipv6: Dont remove permanent routes with exceptions from tb6_gc_hlist.
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 118/342] ipv6: Remove permanent routes from tb6_gc_hlist when all exceptions expire Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 120/342] net: fix fanout UAF in packet_release() via NETDEV_UP race Greg Kroah-Hartman
` (239 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, David Ahern,
Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 4be7b99c253f0c85a255cc1db7127ba3232dfa30 ]
The cited commit mechanically put fib6_remove_gc_list()
just after every fib6_clean_expires() call.
When a temporary route is promoted to a permanent route,
there may already be exception routes tied to it.
If fib6_remove_gc_list() removes the route from tb6_gc_hlist,
such exception routes will no longer be aged.
Let's replace fib6_remove_gc_list() with a new helper
fib6_may_remove_gc_list() and use fib6_age_exceptions() there.
Note that net->ipv6 is only compiled when CONFIG_IPV6 is
enabled, so fib6_{add,remove,may_remove}_gc_list() are guarded.
Fixes: 5eb902b8e719 ("net/ipv6: Remove expired routes with a separated list of routes.")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260320072317.2561779-3-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/ip6_fib.h | 21 ++++++++++++++++++++-
net/ipv6/addrconf.c | 4 ++--
net/ipv6/ip6_fib.c | 6 +++---
net/ipv6/route.c | 2 +-
4 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h
index 88b0dd4d8e094..9f8b6814a96a0 100644
--- a/include/net/ip6_fib.h
+++ b/include/net/ip6_fib.h
@@ -507,12 +507,14 @@ void fib6_rt_update(struct net *net, struct fib6_info *rt,
void inet6_rt_notify(int event, struct fib6_info *rt, struct nl_info *info,
unsigned int flags);
+void fib6_age_exceptions(struct fib6_info *rt, struct fib6_gc_args *gc_args,
+ unsigned long now);
void fib6_run_gc(unsigned long expires, struct net *net, bool force);
-
void fib6_gc_cleanup(void);
int fib6_init(void);
+#if IS_ENABLED(CONFIG_IPV6)
/* Add the route to the gc list if it is not already there
*
* The callers should hold f6i->fib6_table->tb6_lock.
@@ -545,6 +547,23 @@ static inline void fib6_remove_gc_list(struct fib6_info *f6i)
hlist_del_init(&f6i->gc_link);
}
+static inline void fib6_may_remove_gc_list(struct net *net,
+ struct fib6_info *f6i)
+{
+ struct fib6_gc_args gc_args;
+
+ if (hlist_unhashed(&f6i->gc_link))
+ return;
+
+ gc_args.timeout = READ_ONCE(net->ipv6.sysctl.ip6_rt_gc_interval);
+ gc_args.more = 0;
+
+ rcu_read_lock();
+ fib6_age_exceptions(f6i, &gc_args, jiffies);
+ rcu_read_unlock();
+}
+#endif
+
struct ipv6_route_iter {
struct seq_net_private p;
struct fib6_walker w;
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 27ab9d7adc649..3dcfa4b3094a8 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2863,7 +2863,7 @@ void addrconf_prefix_rcv(struct net_device *dev, u8 *opt, int len, bool sllao)
fib6_add_gc_list(rt);
} else {
fib6_clean_expires(rt);
- fib6_remove_gc_list(rt);
+ fib6_may_remove_gc_list(net, rt);
}
spin_unlock_bh(&table->tb6_lock);
@@ -4836,7 +4836,7 @@ static int modify_prefix_route(struct net *net, struct inet6_ifaddr *ifp,
if (!(flags & RTF_EXPIRES)) {
fib6_clean_expires(f6i);
- fib6_remove_gc_list(f6i);
+ fib6_may_remove_gc_list(net, f6i);
} else {
fib6_set_expires(f6i, expires);
fib6_add_gc_list(f6i);
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index a22af1c8f93ac..ffa7733598333 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -1133,7 +1133,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
return -EEXIST;
if (!(rt->fib6_flags & RTF_EXPIRES)) {
fib6_clean_expires(iter);
- fib6_remove_gc_list(iter);
+ fib6_may_remove_gc_list(info->nl_net, iter);
} else {
fib6_set_expires(iter, rt->expires);
fib6_add_gc_list(iter);
@@ -2348,8 +2348,8 @@ static void fib6_flush_trees(struct net *net)
/*
* Garbage collection
*/
-static void fib6_age_exceptions(struct fib6_info *rt, struct fib6_gc_args *gc_args,
- unsigned long now)
+void fib6_age_exceptions(struct fib6_info *rt, struct fib6_gc_args *gc_args,
+ unsigned long now)
{
bool may_expire = rt->fib6_flags & RTF_EXPIRES && rt->expires;
int old_more = gc_args->more;
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index e01331d965313..446f4de7d6a22 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1033,7 +1033,7 @@ int rt6_route_rcv(struct net_device *dev, u8 *opt, int len,
if (!addrconf_finite_timeout(lifetime)) {
fib6_clean_expires(rt);
- fib6_remove_gc_list(rt);
+ fib6_may_remove_gc_list(net, rt);
} else {
fib6_set_expires(rt, jiffies + HZ * lifetime);
fib6_add_gc_list(rt);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 120/342] net: fix fanout UAF in packet_release() via NETDEV_UP race
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 119/342] ipv6: Dont remove permanent routes with exceptions from tb6_gc_hlist Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 121/342] net: airoha: add RCU lock around dev_fill_forward_path Greg Kroah-Hartman
` (238 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yochai Eisenrich, Willem de Bruijn,
Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yochai Eisenrich <echelonh@gmail.com>
[ Upstream commit 42156f93d123436f2a27c468f18c966b7e5db796 ]
`packet_release()` has a race window where `NETDEV_UP` can re-register a
socket into a fanout group's `arr[]` array. The re-registration is not
cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout
array.
`packet_release()` does NOT zero `po->num` in its `bind_lock` section.
After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`
still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`
that already found the socket in `sklist` can re-register the hook.
For fanout sockets, this re-registration calls `__fanout_link(sk, po)`
which adds the socket back into `f->arr[]` and increments `f->num_members`,
but does NOT increment `f->sk_ref`.
The fix sets `po->num` to zero in `packet_release` while `bind_lock` is
held to prevent NETDEV_UP from linking, preventing the race window.
This bug was found following an additional audit with Claude Code based
on CVE-2025-38617.
Fixes: ce06b03e60fc ("packet: Add helpers to register/unregister ->prot_hook")
Link: https://blog.calif.io/p/a-race-within-a-race-exploiting-cve
Signed-off-by: Yochai Eisenrich <echelonh@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260319200610.25101-1-echelonh@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/packet/af_packet.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 494d628d10a51..070f7eba6b837 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3135,6 +3135,7 @@ static int packet_release(struct socket *sock)
spin_lock(&po->bind_lock);
unregister_prot_hook(sk, false);
+ WRITE_ONCE(po->num, 0);
packet_cached_dev_reset(po);
if (po->prot_hook.dev) {
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 121/342] net: airoha: add RCU lock around dev_fill_forward_path
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 120/342] net: fix fanout UAF in packet_release() via NETDEV_UP race Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 122/342] net: b44: always select CONFIG_FIXED_PHY Greg Kroah-Hartman
` (237 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qingfang Deng, Lorenzo Bianconi,
Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingfang Deng <dqfext@gmail.com>
[ Upstream commit 1065913dedfd3a8269816835bfe810b6e2c28579 ]
Since 0417adf367a0 ("ppp: fix race conditions in ppp_fill_forward_path")
dev_fill_forward_path() should be called with RCU read lock held. This
fix was applied to net, while the Airoha flowtable commit was applied to
net-next, so it hadn't been an issue until net was merged into net-next.
Fixes: a8bdd935d1dd ("net: airoha: Add wlan flowtable TX offload")
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260320094315.525126-1-dqfext@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_ppe.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/airoha/airoha_ppe.c b/drivers/net/ethernet/airoha/airoha_ppe.c
index 2221bafaf7c9f..36e4f328c6e81 100644
--- a/drivers/net/ethernet/airoha/airoha_ppe.c
+++ b/drivers/net/ethernet/airoha/airoha_ppe.c
@@ -227,7 +227,9 @@ static int airoha_ppe_get_wdma_info(struct net_device *dev, const u8 *addr,
if (!dev)
return -ENODEV;
+ rcu_read_lock();
err = dev_fill_forward_path(dev, addr, &stack);
+ rcu_read_unlock();
if (err)
return err;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 122/342] net: b44: always select CONFIG_FIXED_PHY
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 121/342] net: airoha: add RCU lock around dev_fill_forward_path Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 123/342] udp: Fix wildcard bind conflict check when using hash2 Greg Kroah-Hartman
` (236 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Jakub Kicinski,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 3f0f591b44b04a77ff561676ae53fcfd7532a54c ]
When CONFIG_FIXED_PHY=m but CONFIG_B44=y, the kernel fails to link:
ld.lld: error: undefined symbol: fixed_phy_unregister
>>> referenced by b44.c
>>> drivers/net/ethernet/broadcom/b44.o:(b44_remove_one) in archive vmlinux.a
ld.lld: error: undefined symbol: fixed_phy_register_100fd
>>> referenced by b44.c
>>> drivers/net/ethernet/broadcom/b44.o:(b44_register_phy_one) in archive vmlinux.a
The fixed phy support is small enough that just always enabling it
for b44 is the simplest solution, and it avoids adding ugly #ifdef
checks.
Fixes: 10d2f15afba2 ("net: b44: register a fixed phy using fixed_phy_register_100fd if needed")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://patch.msgid.link/20260320154927.674555-1-arnd@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/broadcom/Kconfig b/drivers/net/ethernet/broadcom/Kconfig
index cd7dddeb91dd6..9787c1857e13b 100644
--- a/drivers/net/ethernet/broadcom/Kconfig
+++ b/drivers/net/ethernet/broadcom/Kconfig
@@ -25,7 +25,7 @@ config B44
select SSB
select MII
select PHYLIB
- select FIXED_PHY if BCM47XX
+ select FIXED_PHY
help
If you have a network (Ethernet) controller of this type, say Y
or M here.
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 123/342] udp: Fix wildcard bind conflict check when using hash2
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 122/342] net: b44: always select CONFIG_FIXED_PHY Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 124/342] net: enetc: fix the output issue of ethtool --show-ring Greg Kroah-Hartman
` (235 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Onyshchuk, Martin KaFai Lau,
Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin KaFai Lau <martin.lau@kernel.org>
[ Upstream commit e537dd15d0d4ad989d56a1021290f0c674dd8b28 ]
When binding a udp_sock to a local address and port, UDP uses
two hashes (udptable->hash and udptable->hash2) for collision
detection. The current code switches to "hash2" when
hslot->count > 10.
"hash2" is keyed by local address and local port.
"hash" is keyed by local port only.
The issue can be shown in the following bind sequence (pseudo code):
bind(fd1, "[fd00::1]:8888")
bind(fd2, "[fd00::2]:8888")
bind(fd3, "[fd00::3]:8888")
bind(fd4, "[fd00::4]:8888")
bind(fd5, "[fd00::5]:8888")
bind(fd6, "[fd00::6]:8888")
bind(fd7, "[fd00::7]:8888")
bind(fd8, "[fd00::8]:8888")
bind(fd9, "[fd00::9]:8888")
bind(fd10, "[fd00::10]:8888")
/* Correctly return -EADDRINUSE because "hash" is used
* instead of "hash2". udp_lib_lport_inuse() detects the
* conflict.
*/
bind(fail_fd, "[::]:8888")
/* After one more socket is bound to "[fd00::11]:8888",
* hslot->count exceeds 10 and "hash2" is used instead.
*/
bind(fd11, "[fd00::11]:8888")
bind(fail_fd, "[::]:8888") /* succeeds unexpectedly */
The same issue applies to the IPv4 wildcard address "0.0.0.0"
and the IPv4-mapped wildcard address "::ffff:0.0.0.0". For
example, if there are existing sockets bound to
"192.168.1.[1-11]:8888", then binding "0.0.0.0:8888" or
"[::ffff:0.0.0.0]:8888" can also miss the conflict when
hslot->count > 10.
TCP inet_csk_get_port() already has the correct check in
inet_use_bhash2_on_bind(). Rename it to
inet_use_hash2_on_bind() and move it to inet_hashtables.h
so udp.c can reuse it in this fix.
Fixes: 30fff9231fad ("udp: bind() optimisation")
Reported-by: Andrew Onyshchuk <oandrew@meta.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260319181817.1901357-1-martin.lau@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/inet_hashtables.h | 14 ++++++++++++++
net/ipv4/inet_connection_sock.c | 20 +++-----------------
net/ipv4/udp.c | 2 +-
3 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
index 5a979dcab5383..6d936e9f2fd32 100644
--- a/include/net/inet_hashtables.h
+++ b/include/net/inet_hashtables.h
@@ -264,6 +264,20 @@ inet_bhashfn_portaddr(const struct inet_hashinfo *hinfo, const struct sock *sk,
return &hinfo->bhash2[hash & (hinfo->bhash_size - 1)];
}
+static inline bool inet_use_hash2_on_bind(const struct sock *sk)
+{
+#if IS_ENABLED(CONFIG_IPV6)
+ if (sk->sk_family == AF_INET6) {
+ if (ipv6_addr_any(&sk->sk_v6_rcv_saddr))
+ return false;
+
+ if (!ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr))
+ return true;
+ }
+#endif
+ return sk->sk_rcv_saddr != htonl(INADDR_ANY);
+}
+
struct inet_bind_hashbucket *
inet_bhash2_addr_any_hashbucket(const struct sock *sk, const struct net *net, int port);
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 97d57c52b9ad9..d587c5df84389 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -153,20 +153,6 @@ bool inet_sk_get_local_port_range(const struct sock *sk, int *low, int *high)
}
EXPORT_SYMBOL(inet_sk_get_local_port_range);
-static bool inet_use_bhash2_on_bind(const struct sock *sk)
-{
-#if IS_ENABLED(CONFIG_IPV6)
- if (sk->sk_family == AF_INET6) {
- if (ipv6_addr_any(&sk->sk_v6_rcv_saddr))
- return false;
-
- if (!ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr))
- return true;
- }
-#endif
- return sk->sk_rcv_saddr != htonl(INADDR_ANY);
-}
-
static bool inet_bind_conflict(const struct sock *sk, struct sock *sk2,
kuid_t uid, bool relax,
bool reuseport_cb_ok, bool reuseport_ok)
@@ -258,7 +244,7 @@ static int inet_csk_bind_conflict(const struct sock *sk,
* checks separately because their spinlocks have to be acquired/released
* independently of each other, to prevent possible deadlocks
*/
- if (inet_use_bhash2_on_bind(sk))
+ if (inet_use_hash2_on_bind(sk))
return tb2 && inet_bhash2_conflict(sk, tb2, uid, relax,
reuseport_cb_ok, reuseport_ok);
@@ -375,7 +361,7 @@ inet_csk_find_open_port(const struct sock *sk, struct inet_bind_bucket **tb_ret,
head = &hinfo->bhash[inet_bhashfn(net, port,
hinfo->bhash_size)];
spin_lock_bh(&head->lock);
- if (inet_use_bhash2_on_bind(sk)) {
+ if (inet_use_hash2_on_bind(sk)) {
if (inet_bhash2_addr_any_conflict(sk, port, l3mdev, relax, false))
goto next_port;
}
@@ -561,7 +547,7 @@ int inet_csk_get_port(struct sock *sk, unsigned short snum)
check_bind_conflict = false;
}
- if (check_bind_conflict && inet_use_bhash2_on_bind(sk)) {
+ if (check_bind_conflict && inet_use_hash2_on_bind(sk)) {
if (inet_bhash2_addr_any_conflict(sk, port, l3mdev, true, true))
goto fail_unlock;
}
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index fbdbb65676e0d..bbb076c6042b2 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -287,7 +287,7 @@ int udp_lib_get_port(struct sock *sk, unsigned short snum,
} else {
hslot = udp_hashslot(udptable, net, snum);
spin_lock_bh(&hslot->lock);
- if (hslot->count > 10) {
+ if (inet_use_hash2_on_bind(sk) && hslot->count > 10) {
int exist;
unsigned int slot2 = udp_sk(sk)->udp_portaddr_hash ^ snum;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 124/342] net: enetc: fix the output issue of ethtool --show-ring
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 123/342] udp: Fix wildcard bind conflict check when using hash2 Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 125/342] virtio-net: correct hdr_len handling for VIRTIO_NET_F_GUEST_HDRLEN Greg Kroah-Hartman
` (234 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wei Fang, Jakub Kicinski,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit 70b439bf06f6a12e491f827fa81a9887a11501f9 ]
Currently, enetc_get_ringparam() only provides rx_pending and tx_pending,
but 'ethtool --show-ring' no longer displays these fields. Because the
ringparam retrieval path has moved to the new netlink interface, where
rings_fill_reply() emits the *x_pending only if the *x_max_pending values
are non-zero. So rx_max_pending and tx_max_pending to are added to
enetc_get_ringparam() to fix the issue.
Note that the maximum tx/rx ring size of hardware is 64K, but we haven't
added set_ringparam() to make the ring size configurable. To avoid users
mistakenly believing that the ring size can be increased, so set
the *x_max_pending to priv->*x_bd_count.
Fixes: e4a1717b677c ("ethtool: provide ring sizes with RINGS_GET request")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20260320094222.706339-1-wei.fang@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/enetc/enetc_ethtool.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/freescale/enetc/enetc_ethtool.c b/drivers/net/ethernet/freescale/enetc/enetc_ethtool.c
index fed89d4f1e1dc..2fe140ddebb23 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc_ethtool.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc_ethtool.c
@@ -813,6 +813,8 @@ static void enetc_get_ringparam(struct net_device *ndev,
{
struct enetc_ndev_priv *priv = netdev_priv(ndev);
+ ring->rx_max_pending = priv->rx_bd_count;
+ ring->tx_max_pending = priv->tx_bd_count;
ring->rx_pending = priv->rx_bd_count;
ring->tx_pending = priv->tx_bd_count;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 125/342] virtio-net: correct hdr_len handling for VIRTIO_NET_F_GUEST_HDRLEN
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 124/342] net: enetc: fix the output issue of ethtool --show-ring Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 126/342] virtio-net: correct hdr_len handling for tunnel gso Greg Kroah-Hartman
` (233 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xuan Zhuo, Michael S. Tsirkin,
Paolo Abeni, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
[ Upstream commit 38ec410b99a5ee6566f75650ce3d4fd632940fd0 ]
The commit be50da3e9d4a ("net: virtio_net: implement exact header length
guest feature") introduces support for the VIRTIO_NET_F_GUEST_HDRLEN
feature in virtio-net.
This feature requires virtio-net to set hdr_len to the actual header
length of the packet when transmitting, the number of
bytes from the start of the packet to the beginning of the
transport-layer payload.
However, in practice, hdr_len was being set using skb_headlen(skb),
which is clearly incorrect. This commit fixes that issue.
Fixes: be50da3e9d4a ("net: virtio_net: implement exact header length guest feature")
Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Link: https://patch.msgid.link/20260320021818.111741-2-xuanzhuo@linux.alibaba.com
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/tun_vnet.h | 2 +-
drivers/net/virtio_net.c | 6 +++++-
include/linux/virtio_net.h | 34 ++++++++++++++++++++++++++++++----
3 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/drivers/net/tun_vnet.h b/drivers/net/tun_vnet.h
index a5f93b6c4482c..fa5cab9d3e55c 100644
--- a/drivers/net/tun_vnet.h
+++ b/drivers/net/tun_vnet.h
@@ -244,7 +244,7 @@ tun_vnet_hdr_tnl_from_skb(unsigned int flags,
if (virtio_net_hdr_tnl_from_skb(skb, tnl_hdr, has_tnl_offload,
tun_vnet_is_little_endian(flags),
- vlan_hlen, true)) {
+ vlan_hlen, true, false)) {
struct virtio_net_hdr_v1 *hdr = &tnl_hdr->hash_hdr.hdr;
struct skb_shared_info *sinfo = skb_shinfo(skb);
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index db88dcaefb20b..80f08c228407c 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -3267,8 +3267,12 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb, bool orphan)
struct virtio_net_hdr_v1_hash_tunnel *hdr;
int num_sg;
unsigned hdr_len = vi->hdr_len;
+ bool feature_hdrlen;
bool can_push;
+ feature_hdrlen = virtio_has_feature(vi->vdev,
+ VIRTIO_NET_F_GUEST_HDRLEN);
+
pr_debug("%s: xmit %p %pM\n", vi->dev->name, skb, dest);
/* Make sure it's safe to cast between formats */
@@ -3288,7 +3292,7 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb, bool orphan)
if (virtio_net_hdr_tnl_from_skb(skb, hdr, vi->tx_tnl,
virtio_is_little_endian(vi->vdev), 0,
- false))
+ false, feature_hdrlen))
return -EPROTO;
if (vi->mergeable_rx_bufs)
diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
index 75dabb763c650..361b60c8be680 100644
--- a/include/linux/virtio_net.h
+++ b/include/linux/virtio_net.h
@@ -207,6 +207,23 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
return __virtio_net_hdr_to_skb(skb, hdr, little_endian, hdr->gso_type);
}
+/* This function must be called after virtio_net_hdr_from_skb(). */
+static inline void __virtio_net_set_hdrlen(const struct sk_buff *skb,
+ struct virtio_net_hdr *hdr,
+ bool little_endian)
+{
+ u16 hdr_len;
+
+ hdr_len = skb_transport_offset(skb);
+
+ if (hdr->gso_type == VIRTIO_NET_HDR_GSO_UDP_L4)
+ hdr_len += sizeof(struct udphdr);
+ else
+ hdr_len += tcp_hdrlen(skb);
+
+ hdr->hdr_len = __cpu_to_virtio16(little_endian, hdr_len);
+}
+
static inline int virtio_net_hdr_from_skb(const struct sk_buff *skb,
struct virtio_net_hdr *hdr,
bool little_endian,
@@ -385,7 +402,8 @@ virtio_net_hdr_tnl_from_skb(const struct sk_buff *skb,
bool tnl_hdr_negotiated,
bool little_endian,
int vlan_hlen,
- bool has_data_valid)
+ bool has_data_valid,
+ bool feature_hdrlen)
{
struct virtio_net_hdr *hdr = (struct virtio_net_hdr *)vhdr;
unsigned int inner_nh, outer_th;
@@ -394,9 +412,17 @@ virtio_net_hdr_tnl_from_skb(const struct sk_buff *skb,
tnl_gso_type = skb_shinfo(skb)->gso_type & (SKB_GSO_UDP_TUNNEL |
SKB_GSO_UDP_TUNNEL_CSUM);
- if (!tnl_gso_type)
- return virtio_net_hdr_from_skb(skb, hdr, little_endian,
- has_data_valid, vlan_hlen);
+ if (!tnl_gso_type) {
+ ret = virtio_net_hdr_from_skb(skb, hdr, little_endian,
+ has_data_valid, vlan_hlen);
+ if (ret)
+ return ret;
+
+ if (feature_hdrlen && hdr->hdr_len)
+ __virtio_net_set_hdrlen(skb, hdr, little_endian);
+
+ return ret;
+ }
/* Tunnel support not negotiated but skb ask for it. */
if (!tnl_hdr_negotiated)
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 126/342] virtio-net: correct hdr_len handling for tunnel gso
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 125/342] virtio-net: correct hdr_len handling for VIRTIO_NET_F_GUEST_HDRLEN Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 127/342] team: fix header_ops type confusion with non-Ethernet ports Greg Kroah-Hartman
` (232 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xuan Zhuo, Michael S. Tsirkin,
Paolo Abeni, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
[ Upstream commit 6c860dc02a8e60b438e26940227dfa641fcdb66a ]
The commit a2fb4bc4e2a6a03 ("net: implement virtio helpers to handle UDP
GSO tunneling.") introduces support for the UDP GSO tunnel feature in
virtio-net.
The virtio spec says:
If the \field{gso_type} has the VIRTIO_NET_HDR_GSO_UDP_TUNNEL_IPV4 bit or
VIRTIO_NET_HDR_GSO_UDP_TUNNEL_IPV6 bit set, \field{hdr_len} accounts for
all the headers up to and including the inner transport.
The commit did not update the hdr_len to include the inner transport.
I observed that the "hdr_len" is 116 for this packet:
17:36:18.241105 52:55:00:d1:27:0a > 2e:2c:df:46:a9:e1, ethertype IPv4 (0x0800), length 2912: (tos 0x0, ttl 64, id 45197, offset 0, flags [none], proto UDP (17), length 2898)
192.168.122.100.50613 > 192.168.122.1.4789: [bad udp cksum 0x8106 -> 0x26a0!] VXLAN, flags [I] (0x08), vni 1
fa:c3:ba:82:05:ee > ce:85:0c:31:77:e5, ethertype IPv4 (0x0800), length 2862: (tos 0x0, ttl 64, id 14678, offset 0, flags [DF], proto TCP (6), length 2848)
192.168.3.1.49880 > 192.168.3.2.9898: Flags [P.], cksum 0x9266 (incorrect -> 0xaa20), seq 515667:518463, ack 1, win 64, options [nop,nop,TS val 2990048824 ecr 2798801412], length 2796
116 = 14(mac) + 20(ip) + 8(udp) + 8(vxlan) + 14(inner mac) + 20(inner ip) + 32(innner tcp)
Fixes: a2fb4bc4e2a6a03 ("net: implement virtio helpers to handle UDP GSO tunneling.")
Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Link: https://patch.msgid.link/20260320021818.111741-3-xuanzhuo@linux.alibaba.com
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/virtio_net.h | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
index 361b60c8be680..f36d21b5bc19e 100644
--- a/include/linux/virtio_net.h
+++ b/include/linux/virtio_net.h
@@ -224,6 +224,22 @@ static inline void __virtio_net_set_hdrlen(const struct sk_buff *skb,
hdr->hdr_len = __cpu_to_virtio16(little_endian, hdr_len);
}
+/* This function must be called after virtio_net_hdr_from_skb(). */
+static inline void __virtio_net_set_tnl_hdrlen(const struct sk_buff *skb,
+ struct virtio_net_hdr *hdr)
+{
+ u16 hdr_len;
+
+ hdr_len = skb_inner_transport_offset(skb);
+
+ if (hdr->gso_type == VIRTIO_NET_HDR_GSO_UDP_L4)
+ hdr_len += sizeof(struct udphdr);
+ else
+ hdr_len += inner_tcp_hdrlen(skb);
+
+ hdr->hdr_len = __cpu_to_virtio16(true, hdr_len);
+}
+
static inline int virtio_net_hdr_from_skb(const struct sk_buff *skb,
struct virtio_net_hdr *hdr,
bool little_endian,
@@ -440,6 +456,9 @@ virtio_net_hdr_tnl_from_skb(const struct sk_buff *skb,
if (ret)
return ret;
+ if (feature_hdrlen && hdr->hdr_len)
+ __virtio_net_set_tnl_hdrlen(skb, hdr);
+
if (skb->protocol == htons(ETH_P_IPV6))
hdr->gso_type |= VIRTIO_NET_HDR_GSO_UDP_TUNNEL_IPV6;
else
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 127/342] team: fix header_ops type confusion with non-Ethernet ports
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 126/342] virtio-net: correct hdr_len handling for tunnel gso Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 128/342] net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path Greg Kroah-Hartman
` (231 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3d8bc31c45e11450f24c,
Jiayuan Chen, Jiayuan Chen, Paolo Abeni, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@shopee.com>
[ Upstream commit 425000dbf17373a4ab8be9428f5dc055ef870a56 ]
Similar to commit 950803f72547 ("bonding: fix type confusion in
bond_setup_by_slave()") team has the same class of header_ops type
confusion.
For non-Ethernet ports, team_setup_by_port() copies port_dev->header_ops
directly. When the team device later calls dev_hard_header() or
dev_parse_header(), these callbacks can run with the team net_device
instead of the real lower device, so netdev_priv(dev) is interpreted as
the wrong private type and can crash.
The syzbot report shows a crash in bond_header_create(), but the root
cause is in team: the topology is gre -> bond -> team, and team calls
the inherited header_ops with its own net_device instead of the lower
device, so bond_header_create() receives a team device and interprets
netdev_priv() as bonding private data, causing a type confusion crash.
Fix this by introducing team header_ops wrappers for create/parse,
selecting a team port under RCU, and calling the lower device callbacks
with port->dev, so each callback always sees the correct net_device
context.
Also pass the selected lower device to the lower parse callback, so
recursion is bounded in stacked non-Ethernet topologies and parse
callbacks always run with the correct device context.
Fixes: 1d76efe1577b ("team: add support for non-ethernet devices")
Reported-by: syzbot+3d8bc31c45e11450f24c@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69b46af7.050a0220.36eb34.000e.GAE@google.com/T/
Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Link: https://patch.msgid.link/20260320072139.134249-2-jiayuan.chen@linux.dev
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/team/team_core.c | 65 +++++++++++++++++++++++++++++++++++-
1 file changed, 64 insertions(+), 1 deletion(-)
diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
index a0fe998cc055d..98772d749f2bf 100644
--- a/drivers/net/team/team_core.c
+++ b/drivers/net/team/team_core.c
@@ -2060,6 +2060,68 @@ static const struct ethtool_ops team_ethtool_ops = {
* rt netlink interface
***********************/
+/* For tx path we need a linkup && enabled port and for parse any port
+ * suffices.
+ */
+static struct team_port *team_header_port_get_rcu(struct team *team,
+ bool txable)
+{
+ struct team_port *port;
+
+ list_for_each_entry_rcu(port, &team->port_list, list) {
+ if (!txable || team_port_txable(port))
+ return port;
+ }
+
+ return NULL;
+}
+
+static int team_header_create(struct sk_buff *skb, struct net_device *team_dev,
+ unsigned short type, const void *daddr,
+ const void *saddr, unsigned int len)
+{
+ struct team *team = netdev_priv(team_dev);
+ const struct header_ops *port_ops;
+ struct team_port *port;
+ int ret = 0;
+
+ rcu_read_lock();
+ port = team_header_port_get_rcu(team, true);
+ if (port) {
+ port_ops = READ_ONCE(port->dev->header_ops);
+ if (port_ops && port_ops->create)
+ ret = port_ops->create(skb, port->dev,
+ type, daddr, saddr, len);
+ }
+ rcu_read_unlock();
+ return ret;
+}
+
+static int team_header_parse(const struct sk_buff *skb,
+ const struct net_device *team_dev,
+ unsigned char *haddr)
+{
+ struct team *team = netdev_priv(team_dev);
+ const struct header_ops *port_ops;
+ struct team_port *port;
+ int ret = 0;
+
+ rcu_read_lock();
+ port = team_header_port_get_rcu(team, false);
+ if (port) {
+ port_ops = READ_ONCE(port->dev->header_ops);
+ if (port_ops && port_ops->parse)
+ ret = port_ops->parse(skb, port->dev, haddr);
+ }
+ rcu_read_unlock();
+ return ret;
+}
+
+static const struct header_ops team_header_ops = {
+ .create = team_header_create,
+ .parse = team_header_parse,
+};
+
static void team_setup_by_port(struct net_device *dev,
struct net_device *port_dev)
{
@@ -2068,7 +2130,8 @@ static void team_setup_by_port(struct net_device *dev,
if (port_dev->type == ARPHRD_ETHER)
dev->header_ops = team->header_ops_cache;
else
- dev->header_ops = port_dev->header_ops;
+ dev->header_ops = port_dev->header_ops ?
+ &team_header_ops : NULL;
dev->type = port_dev->type;
dev->hard_header_len = port_dev->hard_header_len;
dev->needed_headroom = port_dev->needed_headroom;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 128/342] net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 127/342] team: fix header_ops type confusion with non-Ethernet ports Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 129/342] net: lan743x: fix duplex configuration in mac_link_up Greg Kroah-Hartman
` (230 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Carlier, Simon Horman,
Paolo Abeni, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
[ Upstream commit eb8c426c9803beb171f89d15fea17505eb517714 ]
cppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor.
In both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is
freed via k3_cppi_desc_pool_free() before the psdata pointer is used
by emac_rx_timestamp(), which dereferences psdata[0] and psdata[1].
This constitutes a use-after-free on every received packet that goes
through the timestamp path.
Defer the descriptor free until after all accesses through the psdata
pointer are complete. For emac_rx_packet(), move the free into the
requeue label so both early-exit and success paths free the descriptor
after all accesses are done. For emac_rx_packet_zc(), move the free to
the end of the loop body after emac_dispatch_skb_zc() (which calls
emac_rx_timestamp()) has returned.
Fixes: 46eeb90f03e0 ("net: ti: icssg-prueth: Use page_pool API for RX buffer allocation")
Signed-off-by: David Carlier <devnexen@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260320174439.41080-1-devnexen@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/ti/icssg/icssg_common.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/ti/icssg/icssg_common.c b/drivers/net/ethernet/ti/icssg/icssg_common.c
index a9b5f86bc71bc..11d5b23a61bad 100644
--- a/drivers/net/ethernet/ti/icssg/icssg_common.c
+++ b/drivers/net/ethernet/ti/icssg/icssg_common.c
@@ -962,7 +962,6 @@ static int emac_rx_packet_zc(struct prueth_emac *emac, u32 flow_id,
pkt_len -= 4;
cppi5_desc_get_tags_ids(&desc_rx->hdr, &port_id, NULL);
psdata = cppi5_hdesc_get_psdata(desc_rx);
- k3_cppi_desc_pool_free(rx_chn->desc_pool, desc_rx);
count++;
xsk_buff_set_size(xdp, pkt_len);
xsk_buff_dma_sync_for_cpu(xdp);
@@ -988,6 +987,7 @@ static int emac_rx_packet_zc(struct prueth_emac *emac, u32 flow_id,
emac_dispatch_skb_zc(emac, xdp, psdata);
xsk_buff_free(xdp);
}
+ k3_cppi_desc_pool_free(rx_chn->desc_pool, desc_rx);
}
if (xdp_status & ICSSG_XDP_REDIR)
@@ -1057,7 +1057,6 @@ static int emac_rx_packet(struct prueth_emac *emac, u32 flow_id, u32 *xdp_state)
/* firmware adds 4 CRC bytes, strip them */
pkt_len -= 4;
cppi5_desc_get_tags_ids(&desc_rx->hdr, &port_id, NULL);
- k3_cppi_desc_pool_free(rx_chn->desc_pool, desc_rx);
/* if allocation fails we drop the packet but push the
* descriptor back to the ring with old page to prevent a stall
@@ -1115,6 +1114,7 @@ static int emac_rx_packet(struct prueth_emac *emac, u32 flow_id, u32 *xdp_state)
ndev->stats.rx_packets++;
requeue:
+ k3_cppi_desc_pool_free(rx_chn->desc_pool, desc_rx);
/* queue another RX DMA */
ret = prueth_dma_rx_push_mapped(emac, &emac->rx_chns, new_page,
PRUETH_MAX_PKT_SIZE);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 129/342] net: lan743x: fix duplex configuration in mac_link_up
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 128/342] net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 130/342] rtnetlink: fix leak of SRCU struct in rtnl_link_register Greg Kroah-Hartman
` (229 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thangaraj Samynathan,
Russell King (Oracle), Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thangaraj Samynathan <thangaraj.s@microchip.com>
[ Upstream commit 71399707876b93240f236f48b8062f3423a5fe97 ]
The driver does not explicitly configure the MAC duplex mode when
bringing the link up. As a result, the MAC may retain a stale duplex
setting from a previous link state, leading to duplex mismatches with
the link partner and degraded network performance.
Update lan743x_phylink_mac_link_up() to set or clear the MAC_CR_DPX_
bit according to the negotiated duplex mode.
This ensures the MAC configuration is consistent with the phylink
resolved state.
Fixes: a5f199a8d8a03 ("net: lan743x: Migrate phylib to phylink")
Signed-off-by: Thangaraj Samynathan <thangaraj.s@microchip.com>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/20260323065345.144915-1-thangaraj.s@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microchip/lan743x_main.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c
index e4c542fc6c2b8..09d255e78f6cd 100644
--- a/drivers/net/ethernet/microchip/lan743x_main.c
+++ b/drivers/net/ethernet/microchip/lan743x_main.c
@@ -3054,6 +3054,11 @@ static void lan743x_phylink_mac_link_up(struct phylink_config *config,
else if (speed == SPEED_100)
mac_cr |= MAC_CR_CFG_L_;
+ if (duplex == DUPLEX_FULL)
+ mac_cr |= MAC_CR_DPX_;
+ else
+ mac_cr &= ~MAC_CR_DPX_;
+
lan743x_csr_write(adapter, MAC_CR, mac_cr);
lan743x_ptp_update_latency(adapter, speed);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 130/342] rtnetlink: fix leak of SRCU struct in rtnl_link_register
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 129/342] net: lan743x: fix duplex configuration in mac_link_up Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 131/342] net_sched: codel: fix stale state for empty flows in fq_codel Greg Kroah-Hartman
` (228 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit 09474055f2619be9445ba4245e4013741ed01a5e ]
Commit 6b57ff21a310 ("rtnetlink: Protect link_ops by mutex.") swapped
the EEXIST check with the init_srcu_struct, but didn't add cleanup of
the SRCU struct we just allocated in case of error.
Fixes: 6b57ff21a310 ("rtnetlink: Protect link_ops by mutex.")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/e77fe499f9a58c547b33b5212b3596dad417cec6.1774025341.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/rtnetlink.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 6cdf6ee8be216..11cdad3972ad8 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -629,6 +629,9 @@ int rtnl_link_register(struct rtnl_link_ops *ops)
unlock:
mutex_unlock(&link_ops_mutex);
+ if (err)
+ cleanup_srcu_struct(&ops->srcu);
+
return err;
}
EXPORT_SYMBOL_GPL(rtnl_link_register);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 131/342] net_sched: codel: fix stale state for empty flows in fq_codel
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 130/342] rtnetlink: fix leak of SRCU struct in rtnl_link_register Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 132/342] dma-mapping: add missing `inline` for `dma_free_attrs` Greg Kroah-Hartman
` (227 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jesper Dangaard Brouer,
Jonas Köppeler, Chris Arges,
Toke Høiland-Jørgensen, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Köppeler <j.koeppeler@tu-berlin.de>
[ Upstream commit 815980fe6dbb01ad4007e8b260a45617f598b76d ]
When codel_dequeue() finds an empty queue, it resets vars->dropping
but does not reset vars->first_above_time. The reference CoDel
algorithm (Nichols & Jacobson, ACM Queue 2012) resets both:
dodeque_result codel_queue_t::dodeque(time_t now) {
...
if (r.p == NULL) {
first_above_time = 0; // <-- Linux omits this
}
...
}
Note that codel_should_drop() does reset first_above_time when called
with a NULL skb, but codel_dequeue() returns early before ever calling
codel_should_drop() in the empty-queue case. The post-drop code paths
do reach codel_should_drop(NULL) and correctly reset the timer, so a
dropped packet breaks the cycle -- but the next delivered packet
re-arms first_above_time and the cycle repeats.
For sparse flows such as ICMP ping (one packet every 200ms-1s), the
first packet arms first_above_time, the flow goes empty, and the
second packet arrives after the interval has elapsed and gets dropped.
The pattern repeats, producing sustained loss on flows that are not
actually congested.
Test: veth pair, fq_codel, BQL disabled, 30000 iptables rules in the
consumer namespace (NAPI-64 cycle ~14ms, well above fq_codel's 5ms
target), ping at 5 pps under UDP flood:
Before fix: 26% ping packet loss
After fix: 0% ping packet loss
Fix by resetting first_above_time to zero in the empty-queue path
of codel_dequeue(), matching the reference algorithm.
Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
Fixes: d068ca2ae2e6 ("codel: split into multiple files")
Co-developed-by: Jesper Dangaard Brouer <hawk@kernel.org>
Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org>
Signed-off-by: Jonas Köppeler <j.koeppeler@tu-berlin.de>
Reported-by: Chris Arges <carges@cloudflare.com>
Tested-by: Jonas Köppeler <j.koeppeler@tu-berlin.de>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Link: https://lore.kernel.org/all/20260318134826.1281205-7-hawk@kernel.org/
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260323174920.253526-1-hawk@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/codel_impl.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/net/codel_impl.h b/include/net/codel_impl.h
index 78a27ac730700..b2c359c6dd1b8 100644
--- a/include/net/codel_impl.h
+++ b/include/net/codel_impl.h
@@ -158,6 +158,7 @@ static struct sk_buff *codel_dequeue(void *ctx,
bool drop;
if (!skb) {
+ vars->first_above_time = 0;
vars->dropping = false;
return skb;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 132/342] dma-mapping: add missing `inline` for `dma_free_attrs`
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 131/342] net_sched: codel: fix stale state for empty flows in fq_codel Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 133/342] Bluetooth: L2CAP: Fix send LE flow credits in ACL link Greg Kroah-Hartman
` (226 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miguel Ojeda, Marek Szyprowski,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miguel Ojeda <ojeda@kernel.org>
[ Upstream commit 2cdaff22ed26f1e619aa2b43f27bb84f2c6ef8f8 ]
Under an UML build for an upcoming series [1], I got `-Wstatic-in-inline`
for `dma_free_attrs`:
BINDGEN rust/bindings/bindings_generated.rs - due to target missing
In file included from rust/helpers/helpers.c:59:
rust/helpers/dma.c:17:2: warning: static function 'dma_free_attrs' is used in an inline function with external linkage [-Wstatic-in-inline]
17 | dma_free_attrs(dev, size, cpu_addr, dma_handle, attrs);
| ^
rust/helpers/dma.c:12:1: note: use 'static' to give inline function 'rust_helper_dma_free_attrs' internal linkage
12 | __rust_helper void rust_helper_dma_free_attrs(struct device *dev, size_t size,
| ^
| static
The issue is that `dma_free_attrs` was not marked `inline` when it was
introduced alongside the rest of the stubs.
Thus mark it.
Fixes: ed6ccf10f24b ("dma-mapping: properly stub out the DMA API for !CONFIG_HAS_DMA")
Closes: https://lore.kernel.org/rust-for-linux/20260322194616.89847-1-ojeda@kernel.org/ [1]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/r/20260325015548.70912-1-ojeda@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/dma-mapping.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/dma-mapping.h b/include/linux/dma-mapping.h
index aa36a0d1d9df6..190eab9f5e8c2 100644
--- a/include/linux/dma-mapping.h
+++ b/include/linux/dma-mapping.h
@@ -240,8 +240,8 @@ static inline void *dma_alloc_attrs(struct device *dev, size_t size,
{
return NULL;
}
-static void dma_free_attrs(struct device *dev, size_t size, void *cpu_addr,
- dma_addr_t dma_handle, unsigned long attrs)
+static inline void dma_free_attrs(struct device *dev, size_t size,
+ void *cpu_addr, dma_addr_t dma_handle, unsigned long attrs)
{
}
static inline void *dmam_alloc_attrs(struct device *dev, size_t size,
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 133/342] Bluetooth: L2CAP: Fix send LE flow credits in ACL link
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 132/342] dma-mapping: add missing `inline` for `dma_free_attrs` Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 134/342] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock Greg Kroah-Hartman
` (225 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Chen, Luiz Augusto von Dentz,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Chen <zhangchen01@kylinos.cn>
[ Upstream commit f39f905e55f529b036321220af1ba4f4085564a5 ]
When the L2CAP channel mode is L2CAP_MODE_ERTM/L2CAP_MODE_STREAMING,
l2cap_publish_rx_avail will be called and le flow credits will be sent in
l2cap_chan_rx_avail, even though the link type is ACL.
The logs in question as follows:
> ACL Data RX: Handle 129 flags 0x02 dlen 12
L2CAP: Unknown (0x16) ident 4 len 4
40 00 ed 05
< ACL Data TX: Handle 129 flags 0x00 dlen 10
L2CAP: Command Reject (0x01) ident 4 len 2
Reason: Command not understood (0x0000)
Bluetooth: Unknown BR/EDR signaling command 0x16
Bluetooth: Wrong link type (-22)
Fixes: ce60b9231b66 ("Bluetooth: compute LE flow credits based on recvbuf space")
Signed-off-by: Zhang Chen <zhangchen01@kylinos.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 848a9b945de89..b5e393e4f3eb1 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6589,6 +6589,10 @@ static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
struct l2cap_le_credits pkt;
u16 return_credits = l2cap_le_rx_credits(chan);
+ if (chan->mode != L2CAP_MODE_LE_FLOWCTL &&
+ chan->mode != L2CAP_MODE_EXT_FLOWCTL)
+ return;
+
if (chan->rx_credits >= return_credits)
return;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 134/342] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 133/342] Bluetooth: L2CAP: Fix send LE flow credits in ACL link Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 135/342] Bluetooth: L2CAP: Fix not tracking outstanding TX ident Greg Kroah-Hartman
` (224 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cen Zhang, Luiz Augusto von Dentz,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cen Zhang <zzzccc427@gmail.com>
[ Upstream commit 94d8e6fe5d0818e9300e514e095a200bd5ff93ae ]
btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET
and Intel exception-info retrieval) without holding
hci_req_sync_lock(). This lets it race against
hci_dev_do_close() -> btintel_shutdown_combined(), which also runs
__hci_cmd_sync() under the same lock. When both paths manipulate
hdev->req_status/req_rsp concurrently, the close path may free the
response skb first, and the still-running hw_error path hits a
slab-use-after-free in kfree_skb().
Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it
is serialized with every other synchronous HCI command issuer.
Below is the data race report and the kasan report:
BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined
read of hdev->req_rsp at net/bluetooth/hci_sync.c:199
by task kworker/u17:1/83:
__hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
__hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254
hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030
write/free by task ioctl/22580:
btintel_shutdown_combined+0xd0/0x360
drivers/bluetooth/btintel.c:3648
hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246
hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526
BUG: KASAN: slab-use-after-free in
sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202
Read of size 4 at addr ffff888144a738dc
by task kworker/u17:1/83:
__hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
__hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260
Fixes: 973bb97e5aee ("Bluetooth: btintel: Add generic function for handling hardware errors")
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btintel.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index 9d29ab811f802..5e0a05edcbfd1 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -251,11 +251,13 @@ void btintel_hw_error(struct hci_dev *hdev, u8 code)
bt_dev_err(hdev, "Hardware error 0x%2.2x", code);
+ hci_req_sync_lock(hdev);
+
skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
if (IS_ERR(skb)) {
bt_dev_err(hdev, "Reset after hardware error failed (%ld)",
PTR_ERR(skb));
- return;
+ goto unlock;
}
kfree_skb(skb);
@@ -263,18 +265,21 @@ void btintel_hw_error(struct hci_dev *hdev, u8 code)
if (IS_ERR(skb)) {
bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)",
PTR_ERR(skb));
- return;
+ goto unlock;
}
if (skb->len != 13) {
bt_dev_err(hdev, "Exception info size mismatch");
kfree_skb(skb);
- return;
+ goto unlock;
}
bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));
kfree_skb(skb);
+
+unlock:
+ hci_req_sync_unlock(hdev);
}
EXPORT_SYMBOL_GPL(btintel_hw_error);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 135/342] Bluetooth: L2CAP: Fix not tracking outstanding TX ident
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 134/342] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 136/342] Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() Greg Kroah-Hartman
` (223 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Paul Menzel,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 6c3ea155e5ee3e56606233acde8309afda66d483 ]
This attempts to proper track outstanding request by using struct ida
and allocating from it in l2cap_get_ident using ida_alloc_range which
would reuse ids as they are free, then upon completion release
the id using ida_free.
This fixes the qualification test case L2CAP/COS/CED/BI-29-C which
attempts to check if the host stack is able to work after 256 attempts
to connect which requires Ident field to use the full range of possible
values in order to pass the test.
Link: https://github.com/bluez/bluez/issues/1829
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Stable-dep-of: 00fdebbbc557 ("Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/bluetooth/l2cap.h | 3 +--
net/bluetooth/l2cap_core.c | 46 ++++++++++++++++++++++++-----------
2 files changed, 33 insertions(+), 16 deletions(-)
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index f08ed93bb6fa3..010f1a8fd15f8 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -657,8 +657,7 @@ struct l2cap_conn {
struct sk_buff *rx_skb;
__u32 rx_len;
- __u8 tx_ident;
- struct mutex ident_lock;
+ struct ida tx_ida;
struct sk_buff_head pending_rx;
struct work_struct pending_rx_work;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index b5e393e4f3eb1..5bd5561a8dbf5 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -924,26 +924,18 @@ int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
initiator);
}
-static u8 l2cap_get_ident(struct l2cap_conn *conn)
+static int l2cap_get_ident(struct l2cap_conn *conn)
{
- u8 id;
+ /* LE link does not support tools like l2ping so use the full range */
+ if (conn->hcon->type == LE_LINK)
+ return ida_alloc_range(&conn->tx_ida, 1, 255, GFP_ATOMIC);
/* Get next available identificator.
* 1 - 128 are used by kernel.
* 129 - 199 are reserved.
* 200 - 254 are used by utilities like l2ping, etc.
*/
-
- mutex_lock(&conn->ident_lock);
-
- if (++conn->tx_ident > 128)
- conn->tx_ident = 1;
-
- id = conn->tx_ident;
-
- mutex_unlock(&conn->ident_lock);
-
- return id;
+ return ida_alloc_range(&conn->tx_ida, 1, 128, GFP_ATOMIC);
}
static void l2cap_send_acl(struct l2cap_conn *conn, struct sk_buff *skb,
@@ -1769,6 +1761,8 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
if (work_pending(&conn->pending_rx_work))
cancel_work_sync(&conn->pending_rx_work);
+ ida_destroy(&conn->tx_ida);
+
cancel_delayed_work_sync(&conn->id_addr_timer);
l2cap_unregister_all_users(conn);
@@ -4780,12 +4774,34 @@ static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
return err;
}
+static void l2cap_put_ident(struct l2cap_conn *conn, u8 code, u8 id)
+{
+ switch (code) {
+ case L2CAP_COMMAND_REJ:
+ case L2CAP_CONN_RSP:
+ case L2CAP_CONF_RSP:
+ case L2CAP_DISCONN_RSP:
+ case L2CAP_ECHO_RSP:
+ case L2CAP_INFO_RSP:
+ case L2CAP_CONN_PARAM_UPDATE_RSP:
+ case L2CAP_ECRED_CONN_RSP:
+ case L2CAP_ECRED_RECONF_RSP:
+ /* First do a lookup since the remote may send bogus ids that
+ * would make ida_free to generate warnings.
+ */
+ if (ida_find_first_range(&conn->tx_ida, id, id) >= 0)
+ ida_free(&conn->tx_ida, id);
+ }
+}
+
static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
struct l2cap_cmd_hdr *cmd, u16 cmd_len,
u8 *data)
{
int err = 0;
+ l2cap_put_ident(conn, cmd->code, cmd->ident);
+
switch (cmd->code) {
case L2CAP_COMMAND_REJ:
l2cap_command_rej(conn, cmd, cmd_len, data);
@@ -5470,6 +5486,8 @@ static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
{
int err = 0;
+ l2cap_put_ident(conn, cmd->code, cmd->ident);
+
switch (cmd->code) {
case L2CAP_COMMAND_REJ:
l2cap_le_command_rej(conn, cmd, cmd_len, data);
@@ -6972,13 +6990,13 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
- mutex_init(&conn->ident_lock);
mutex_init(&conn->lock);
INIT_LIST_HEAD(&conn->chan_l);
INIT_LIST_HEAD(&conn->users);
INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
+ ida_init(&conn->tx_ida);
skb_queue_head_init(&conn->pending_rx);
INIT_WORK(&conn->pending_rx_work, process_pending_rx);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 136/342] Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 135/342] Bluetooth: L2CAP: Fix not tracking outstanding TX ident Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 137/342] Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop Greg Kroah-Hartman
` (222 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Luiz Augusto von Dentz,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit 00fdebbbc557a2fc21321ff2eaa22fd70c078608 ]
l2cap_conn_del() calls cancel_delayed_work_sync() for both info_timer
and id_addr_timer while holding conn->lock. However, the work functions
l2cap_info_timeout() and l2cap_conn_update_id_addr() both acquire
conn->lock, creating a potential AB-BA deadlock if the work is already
executing when l2cap_conn_del() takes the lock.
Move the work cancellations before acquiring conn->lock and use
disable_delayed_work_sync() to additionally prevent the works from
being rearmed after cancellation, consistent with the pattern used in
hci_conn_del().
Fixes: ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 5bd5561a8dbf5..734cbb5dc1bfa 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1748,6 +1748,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
+ disable_delayed_work_sync(&conn->info_timer);
+ disable_delayed_work_sync(&conn->id_addr_timer);
+
mutex_lock(&conn->lock);
kfree_skb(conn->rx_skb);
@@ -1763,8 +1766,6 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
ida_destroy(&conn->tx_ida);
- cancel_delayed_work_sync(&conn->id_addr_timer);
-
l2cap_unregister_all_users(conn);
/* Force the connection to be immediately dropped */
@@ -1783,9 +1784,6 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
l2cap_chan_put(chan);
}
- if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
- cancel_delayed_work_sync(&conn->info_timer);
-
hci_chan_del(conn->hchan);
conn->hchan = NULL;
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 137/342] Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 136/342] Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 138/342] Bluetooth: btusb: clamp SCO altsetting table indices Greg Kroah-Hartman
` (221 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Luiz Augusto von Dentz,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit 25f420a0d4cfd61d3d23ec4b9c56d9f443d91377 ]
l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED
state to support L2CAP reconfiguration (e.g. MTU changes). However,
since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from
the initial configuration, the reconfiguration path falls through to
l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and
retrans_list without freeing the previous allocations and sets
chan->sdu to NULL without freeing the existing skb. This leaks all
previously allocated ERTM resources.
Additionally, l2cap_parse_conf_req() does not validate the minimum
value of remote_mps derived from the RFC max_pdu_size option. A zero
value propagates to l2cap_segment_sdu() where pdu_len becomes zero,
causing the while loop to never terminate since len is never
decremented, exhausting all available memory.
Fix the double-init by skipping l2cap_ertm_init() and
l2cap_chan_ready() when the channel is already in BT_CONNECTED state,
while still allowing the reconfiguration parameters to be updated
through l2cap_parse_conf_req(). Also add a pdu_len zero check in
l2cap_segment_sdu() as a safeguard.
Fixes: 96298f640104 ("Bluetooth: L2CAP: handle l2cap config request during open state")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 734cbb5dc1bfa..b72f2da57257d 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -2375,6 +2375,9 @@ static int l2cap_segment_sdu(struct l2cap_chan *chan,
/* Remote device may have requested smaller PDUs */
pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
+ if (!pdu_len)
+ return -EINVAL;
+
if (len <= pdu_len) {
sar = L2CAP_SAR_UNSEGMENTED;
sdu_len = 0;
@@ -4310,14 +4313,16 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
set_default_fcs(chan);
- if (chan->mode == L2CAP_MODE_ERTM ||
- chan->mode == L2CAP_MODE_STREAMING)
- err = l2cap_ertm_init(chan);
+ if (chan->state != BT_CONNECTED) {
+ if (chan->mode == L2CAP_MODE_ERTM ||
+ chan->mode == L2CAP_MODE_STREAMING)
+ err = l2cap_ertm_init(chan);
- if (err < 0)
- l2cap_send_disconn_req(chan, -err);
- else
- l2cap_chan_ready(chan);
+ if (err < 0)
+ l2cap_send_disconn_req(chan, -err);
+ else
+ l2cap_chan_ready(chan);
+ }
goto unlock;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 138/342] Bluetooth: btusb: clamp SCO altsetting table indices
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 137/342] Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 139/342] tls: Purge async_hold in tls_decrypt_async_wait() Greg Kroah-Hartman
` (220 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Luiz Augusto von Dentz,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit 129fa608b6ad08b8ab7178eeb2ec272c993aaccc ]
btusb_work() maps the number of active SCO links to USB alternate
settings through a three-entry lookup table when CVSD traffic uses
transparent voice settings. The lookup currently indexes alts[] with
data->sco_num - 1 without first constraining sco_num to the number of
available table entries.
While the table only defines alternate settings for up to three SCO
links, data->sco_num comes from hci_conn_num() and is used directly.
Cap the lookup to the last table entry before indexing it so the
driver keeps selecting the highest supported alternate setting without
reading past alts[].
Fixes: baac6276c0a9 ("Bluetooth: btusb: handle mSBC audio over USB Endpoints")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index a41bb1e2a279a..4e161dcca00d8 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2378,8 +2378,11 @@ static void btusb_work(struct work_struct *work)
if (data->air_mode == HCI_NOTIFY_ENABLE_SCO_CVSD) {
if (hdev->voice_setting & 0x0020) {
static const int alts[3] = { 2, 4, 5 };
+ unsigned int sco_idx;
- new_alts = alts[data->sco_num - 1];
+ sco_idx = min_t(unsigned int, data->sco_num - 1,
+ ARRAY_SIZE(alts) - 1);
+ new_alts = alts[sco_idx];
} else {
new_alts = data->sco_num;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 139/342] tls: Purge async_hold in tls_decrypt_async_wait()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 138/342] Bluetooth: btusb: clamp SCO altsetting table indices Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 140/342] netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD Greg Kroah-Hartman
` (219 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chuck Lever, Yiming Qian,
Paolo Abeni, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit 84a8335d8300576f1b377ae24abca1d9f197807f ]
The async_hold queue pins encrypted input skbs while
the AEAD engine references their scatterlist data. Once
tls_decrypt_async_wait() returns, every AEAD operation
has completed and the engine no longer references those
skbs, so they can be freed unconditionally.
A subsequent patch adds batch async decryption to
tls_sw_read_sock(), introducing a new call site that
must drain pending AEAD operations and release held
skbs. Move __skb_queue_purge(&ctx->async_hold) into
tls_decrypt_async_wait() so the purge is centralized
and every caller -- recvmsg's drain path, the -EBUSY
fallback in tls_do_decryption(), and the new read_sock
batch path -- releases held skbs on synchronization
without each site managing the purge independently.
This fixes a leak when tls_strp_msg_hold() fails part-way through,
after having added some cloned skbs to the async_hold
queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to
process all pending decrypts, and drop back to synchronous mode, but
tls_sw_recvmsg() only flushes the async_hold queue when one record has
been processed in "fully-async" mode, which may not be the case here.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: b8a6ff84abbc ("tls: wait for pending async decryptions if tls_strp_msg_hold fails")
Link: https://patch.msgid.link/20260324-tls-read-sock-v5-1-5408befe5774@oracle.com
[pabeni@redhat.com: added leak comment]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_sw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index b1fa62de9dab5..c0aadc8dce146 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -246,6 +246,7 @@ static int tls_decrypt_async_wait(struct tls_sw_context_rx *ctx)
crypto_wait_req(-EINPROGRESS, &ctx->async_wait);
atomic_inc(&ctx->decrypt_pending);
+ __skb_queue_purge(&ctx->async_hold);
return ctx->async_wait.err;
}
@@ -2225,7 +2226,6 @@ int tls_sw_recvmsg(struct sock *sk,
/* Wait for all previously submitted records to be decrypted */
ret = tls_decrypt_async_wait(ctx);
- __skb_queue_purge(&ctx->async_hold);
if (ret) {
if (err >= 0 || err == -EINPROGRESS)
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 140/342] netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 139/342] tls: Purge async_hold in tls_decrypt_async_wait() Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 141/342] netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() Greg Kroah-Hartman
` (218 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 52025ebaa29f4eb4ed8bf92ce83a68f24ab7fdf7 ]
__build_packet_message() manually constructs the NFULA_PAYLOAD netlink
attribute using skb_put() and skb_copy_bits(), bypassing the standard
nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes
are allocated (including NLA alignment padding), only data_len bytes
of actual packet data are copied. The trailing nla_padlen(data_len)
bytes (1-3 when data_len is not 4-byte aligned) are never initialized,
leaking stale heap contents to userspace via the NFLOG netlink socket.
Replace the manual attribute construction with nla_reserve(), which
handles the tailroom check, header setup, and padding zeroing via
__nla_reserve(). The subsequent skb_copy_bits() fills in the payload
data on top of the properly initialized attribute.
Fixes: df6fb868d611 ("[NETFILTER]: nfnetlink: convert to generic netlink attribute functions")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_log.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index bfcb9cd335bff..27dd35224e629 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -647,15 +647,11 @@ __build_packet_message(struct nfnl_log_net *log,
if (data_len) {
struct nlattr *nla;
- int size = nla_attr_size(data_len);
- if (skb_tailroom(inst->skb) < nla_total_size(data_len))
+ nla = nla_reserve(inst->skb, NFULA_PAYLOAD, data_len);
+ if (!nla)
goto nla_put_failure;
- nla = skb_put(inst->skb, nla_total_size(data_len));
- nla->nla_type = NFULA_PAYLOAD;
- nla->nla_len = size;
-
if (skb_copy_bits(skb, 0, nla_data(nla), data_len))
BUG();
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 141/342] netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 140/342] netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 142/342] netfilter: nft_set_rbtree: revisit array resize logic Greg Kroah-Hartman
` (217 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
Xin Liu, Yuhang Zheng, Ren Wei, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ren Wei <n05ec@lzu.edu.cn>
[ Upstream commit 9d3f027327c2fa265f7f85ead41294792c3296ed ]
Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS.
rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].
Validate addrnr during rule installation so malformed rules are rejected
before the match logic can use an out-of-range value.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Yuhang Zheng <z1652074432@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/netfilter/ip6t_rt.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 4ad8b2032f1f9..5561bd9cea818 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -157,6 +157,10 @@ static int rt_mt6_check(const struct xt_mtchk_param *par)
pr_debug("unknown flags %X\n", rtinfo->invflags);
return -EINVAL;
}
+ if (rtinfo->addrnr > IP6T_RT_HOPS) {
+ pr_debug("too many addresses specified\n");
+ return -EINVAL;
+ }
if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) &&
(!(rtinfo->flags & IP6T_RT_TYP) ||
(rtinfo->rt_type != 0) ||
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 142/342] netfilter: nft_set_rbtree: revisit array resize logic
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 141/342] netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 143/342] netfilter: nf_conntrack_expect: skip expectations in other netns via proc Greg Kroah-Hartman
` (216 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Arges, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit fafdd92b9e30fe057740c5bb5cd4f92ecea9bf26 ]
Chris Arges reports high memory consumption with thousands of
containers, this patch revisits the array allocation logic.
For anonymous sets, start by 16 slots (which takes 256 bytes on x86_64).
Expand it by x2 until threshold of 512 slots is reached, over that
threshold, expand it by x1.5.
For non-anonymous set, start by 1024 slots in the array (which takes 16
Kbytes initially on x86_64). Expand it by x1.5.
Use set->ndeact to subtract deactivated elements when calculating the
number of the slots in the array, otherwise the array size array gets
increased artifically. Add special case shrink logic to deal with flush
set too.
The shrink logic is skipped by anonymous sets.
Use check_add_overflow() to calculate the new array size.
Add a WARN_ON_ONCE check to make sure elements fit into the new array
size.
Reported-by: Chris Arges <carges@cloudflare.com>
Fixes: 7e43e0a1141d ("netfilter: nft_set_rbtree: translate rbtree to array for binary search")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_rbtree.c | 92 +++++++++++++++++++++++++++-------
1 file changed, 75 insertions(+), 17 deletions(-)
diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
index 5d91b7d08d33a..154bf2772e27d 100644
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -572,14 +572,12 @@ static struct nft_array *nft_array_alloc(u32 max_intervals)
return array;
}
-#define NFT_ARRAY_EXTRA_SIZE 10240
-
/* Similar to nft_rbtree_{u,k}size to hide details to userspace, but consider
* packed representation coming from userspace for anonymous sets too.
*/
static u32 nft_array_elems(const struct nft_set *set)
{
- u32 nelems = atomic_read(&set->nelems);
+ u32 nelems = atomic_read(&set->nelems) - set->ndeact;
/* Adjacent intervals are represented with a single start element in
* anonymous sets, use the current element counter as is.
@@ -595,27 +593,87 @@ static u32 nft_array_elems(const struct nft_set *set)
return (nelems / 2) + 2;
}
-static int nft_array_may_resize(const struct nft_set *set)
+#define NFT_ARRAY_INITIAL_SIZE 1024
+#define NFT_ARRAY_INITIAL_ANON_SIZE 16
+#define NFT_ARRAY_INITIAL_ANON_THRESH (8192U / sizeof(struct nft_array_interval))
+
+static int nft_array_may_resize(const struct nft_set *set, bool flush)
{
- u32 nelems = nft_array_elems(set), new_max_intervals;
+ u32 initial_intervals, max_intervals, new_max_intervals, delta;
+ u32 shrinked_max_intervals, nelems = nft_array_elems(set);
struct nft_rbtree *priv = nft_set_priv(set);
struct nft_array *array;
- if (!priv->array_next) {
- array = nft_array_alloc(nelems + NFT_ARRAY_EXTRA_SIZE);
- if (!array)
- return -ENOMEM;
+ if (nft_set_is_anonymous(set))
+ initial_intervals = NFT_ARRAY_INITIAL_ANON_SIZE;
+ else
+ initial_intervals = NFT_ARRAY_INITIAL_SIZE;
+
+ if (priv->array_next) {
+ max_intervals = priv->array_next->max_intervals;
+ new_max_intervals = priv->array_next->max_intervals;
+ } else {
+ if (priv->array) {
+ max_intervals = priv->array->max_intervals;
+ new_max_intervals = priv->array->max_intervals;
+ } else {
+ max_intervals = 0;
+ new_max_intervals = initial_intervals;
+ }
+ }
- priv->array_next = array;
+ if (nft_set_is_anonymous(set))
+ goto maybe_grow;
+
+ if (flush) {
+ /* Set flush just started, nelems still report elements.*/
+ nelems = 0;
+ new_max_intervals = NFT_ARRAY_INITIAL_SIZE;
+ goto realloc_array;
}
- if (nelems < priv->array_next->max_intervals)
- return 0;
+ if (check_add_overflow(new_max_intervals, new_max_intervals,
+ &shrinked_max_intervals))
+ return -EOVERFLOW;
+
+ shrinked_max_intervals = DIV_ROUND_UP(shrinked_max_intervals, 3);
- new_max_intervals = priv->array_next->max_intervals + NFT_ARRAY_EXTRA_SIZE;
- if (nft_array_intervals_alloc(priv->array_next, new_max_intervals) < 0)
+ if (shrinked_max_intervals > NFT_ARRAY_INITIAL_SIZE &&
+ nelems < shrinked_max_intervals) {
+ new_max_intervals = shrinked_max_intervals;
+ goto realloc_array;
+ }
+maybe_grow:
+ if (nelems > new_max_intervals) {
+ if (nft_set_is_anonymous(set) &&
+ new_max_intervals < NFT_ARRAY_INITIAL_ANON_THRESH) {
+ new_max_intervals <<= 1;
+ } else {
+ delta = new_max_intervals >> 1;
+ if (check_add_overflow(new_max_intervals, delta,
+ &new_max_intervals))
+ return -EOVERFLOW;
+ }
+ }
+
+realloc_array:
+ if (WARN_ON_ONCE(nelems > new_max_intervals))
return -ENOMEM;
+ if (priv->array_next) {
+ if (max_intervals == new_max_intervals)
+ return 0;
+
+ if (nft_array_intervals_alloc(priv->array_next, new_max_intervals) < 0)
+ return -ENOMEM;
+ } else {
+ array = nft_array_alloc(new_max_intervals);
+ if (!array)
+ return -ENOMEM;
+
+ priv->array_next = array;
+ }
+
return 0;
}
@@ -630,7 +688,7 @@ static int nft_rbtree_insert(const struct net *net, const struct nft_set *set,
nft_rbtree_maybe_reset_start_cookie(priv, tstamp);
- if (nft_array_may_resize(set) < 0)
+ if (nft_array_may_resize(set, false) < 0)
return -ENOMEM;
do {
@@ -741,7 +799,7 @@ nft_rbtree_deactivate(const struct net *net, const struct nft_set *set,
nft_rbtree_interval_null(set, this))
priv->start_rbe_cookie = 0;
- if (nft_array_may_resize(set) < 0)
+ if (nft_array_may_resize(set, false) < 0)
return NULL;
while (parent != NULL) {
@@ -811,7 +869,7 @@ static void nft_rbtree_walk(const struct nft_ctx *ctx,
switch (iter->type) {
case NFT_ITER_UPDATE_CLONE:
- if (nft_array_may_resize(set) < 0) {
+ if (nft_array_may_resize(set, true) < 0) {
iter->err = -ENOMEM;
break;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 143/342] netfilter: nf_conntrack_expect: skip expectations in other netns via proc
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 142/342] netfilter: nft_set_rbtree: revisit array resize logic Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 144/342] netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp Greg Kroah-Hartman
` (215 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 3db5647984de03d9cae0dcddb509b058351f0ee4 ]
Skip expectations that do not reside in this netns.
Similar to e77e6ff502ea ("netfilter: conntrack: do not dump other netns's
conntrack entries via proc").
Fixes: 9b03f38d0487 ("netfilter: netns nf_conntrack: per-netns expectations")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_expect.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index cfc2daa3fc7f3..227fb5dc39e27 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -627,11 +627,15 @@ static int exp_seq_show(struct seq_file *s, void *v)
{
struct nf_conntrack_expect *expect;
struct nf_conntrack_helper *helper;
+ struct net *net = seq_file_net(s);
struct hlist_node *n = v;
char *delim = "";
expect = hlist_entry(n, struct nf_conntrack_expect, hnode);
+ if (!net_eq(nf_ct_exp_net(expect), net))
+ return 0;
+
if (expect->timeout.function)
seq_printf(s, "%ld ", timer_pending(&expect->timeout)
? (long)(expect->timeout.expires - jiffies)/HZ : 0);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 144/342] netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 143/342] netfilter: nf_conntrack_expect: skip expectations in other netns via proc Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 145/342] netfilter: ctnetlink: use netlink policy range checks Greg Kroah-Hartman
` (214 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 6a2b724460cb67caed500c508c2ae5cf012e4db4 ]
process_sdp() declares union nf_inet_addr rtp_addr on the stack and
passes it to the nf_nat_sip sdp_session hook after walking the SDP
media descriptions. However rtp_addr is only initialized inside the
media loop when a recognized media type with a non-zero port is found.
If the SDP body contains no m= lines, only inactive media sections
(m=audio 0 ...) or only unrecognized media types, rtp_addr is never
assigned. Despite that, the function still calls hooks->sdp_session()
with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack
value as an IP address and rewrite the SDP session owner and connection
lines with it.
With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this
results in the session-level o= and c= addresses being rewritten to
0.0.0.0 for inactive SDP sessions. Without stack auto-init the
rewritten address is whatever happened to be on the stack.
Fix this by pre-initializing rtp_addr from the session-level connection
address (caddr) when available, and tracking via a have_rtp_addr flag
whether any valid address was established. Skip the sdp_session hook
entirely when no valid address exists.
Fixes: 4ab9e64e5e3c ("[NETFILTER]: nf_nat_sip: split up SDP mangling")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_sip.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 4ab5ef71d96db..17af0ff4ea7ab 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1040,6 +1040,7 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff,
unsigned int port;
const struct sdp_media_type *t;
int ret = NF_ACCEPT;
+ bool have_rtp_addr = false;
hooks = rcu_dereference(nf_nat_sip_hooks);
@@ -1056,8 +1057,11 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff,
caddr_len = 0;
if (ct_sip_parse_sdp_addr(ct, *dptr, sdpoff, *datalen,
SDP_HDR_CONNECTION, SDP_HDR_MEDIA,
- &matchoff, &matchlen, &caddr) > 0)
+ &matchoff, &matchlen, &caddr) > 0) {
caddr_len = matchlen;
+ memcpy(&rtp_addr, &caddr, sizeof(rtp_addr));
+ have_rtp_addr = true;
+ }
mediaoff = sdpoff;
for (i = 0; i < ARRAY_SIZE(sdp_media_types); ) {
@@ -1091,9 +1095,11 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff,
&matchoff, &matchlen, &maddr) > 0) {
maddr_len = matchlen;
memcpy(&rtp_addr, &maddr, sizeof(rtp_addr));
- } else if (caddr_len)
+ have_rtp_addr = true;
+ } else if (caddr_len) {
memcpy(&rtp_addr, &caddr, sizeof(rtp_addr));
- else {
+ have_rtp_addr = true;
+ } else {
nf_ct_helper_log(skb, ct, "cannot parse SDP message");
return NF_DROP;
}
@@ -1125,7 +1131,7 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff,
/* Update session connection and owner addresses */
hooks = rcu_dereference(nf_nat_sip_hooks);
- if (hooks && ct->status & IPS_NAT_MASK)
+ if (hooks && ct->status & IPS_NAT_MASK && have_rtp_addr)
ret = hooks->sdp_session(skb, protoff, dataoff,
dptr, datalen, sdpoff,
&rtp_addr);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 145/342] netfilter: ctnetlink: use netlink policy range checks
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 144/342] netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 146/342] net: macb: use the current queue number for stats Greg Kroah-Hartman
` (213 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Carlier, Pablo Neira Ayuso,
Sasha Levin, Florian Westphal
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
[ Upstream commit 8f15b5071b4548b0aafc03b366eb45c9c6566704 ]
Replace manual range and mask validations with netlink policy
annotations in ctnetlink code paths, so that the netlink core rejects
invalid values early and can generate extack errors.
- CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at
policy level, removing the manual >= TCP_CONNTRACK_MAX check.
- CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE
(14). The normal TCP option parsing path already clamps to this value,
but the ctnetlink path accepted 0-255, causing undefined behavior when
used as a u32 shift count.
- CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with
CTA_FILTER_F_ALL, removing the manual mask checks.
- CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding
a new mask define grouping all valid expect flags.
Extracted from a broader nf-next patch by Florian Westphal, scoped to
ctnetlink for the fixes tree.
Fixes: c8e2078cfe41 ("[NETFILTER]: ctnetlink: add support for internal tcp connection tracking flags handling")
Signed-off-by: David Carlier <devnexen@gmail.com>
Co-developed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../uapi/linux/netfilter/nf_conntrack_common.h | 4 ++++
net/netfilter/nf_conntrack_netlink.c | 16 +++++-----------
net/netfilter/nf_conntrack_proto_tcp.c | 10 +++-------
3 files changed, 12 insertions(+), 18 deletions(-)
diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h
index 26071021e986f..56b6b60a814f5 100644
--- a/include/uapi/linux/netfilter/nf_conntrack_common.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -159,5 +159,9 @@ enum ip_conntrack_expect_events {
#define NF_CT_EXPECT_INACTIVE 0x2
#define NF_CT_EXPECT_USERSPACE 0x4
+#ifdef __KERNEL__
+#define NF_CT_EXPECT_MASK (NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE | \
+ NF_CT_EXPECT_USERSPACE)
+#endif
#endif /* _UAPI_NF_CONNTRACK_COMMON_H */
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index d9f33a6c807c8..fea750653e967 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -909,8 +909,8 @@ struct ctnetlink_filter {
};
static const struct nla_policy cta_filter_nla_policy[CTA_FILTER_MAX + 1] = {
- [CTA_FILTER_ORIG_FLAGS] = { .type = NLA_U32 },
- [CTA_FILTER_REPLY_FLAGS] = { .type = NLA_U32 },
+ [CTA_FILTER_ORIG_FLAGS] = NLA_POLICY_MASK(NLA_U32, CTA_FILTER_F_ALL),
+ [CTA_FILTER_REPLY_FLAGS] = NLA_POLICY_MASK(NLA_U32, CTA_FILTER_F_ALL),
};
static int ctnetlink_parse_filter(const struct nlattr *attr,
@@ -924,17 +924,11 @@ static int ctnetlink_parse_filter(const struct nlattr *attr,
if (ret)
return ret;
- if (tb[CTA_FILTER_ORIG_FLAGS]) {
+ if (tb[CTA_FILTER_ORIG_FLAGS])
filter->orig_flags = nla_get_u32(tb[CTA_FILTER_ORIG_FLAGS]);
- if (filter->orig_flags & ~CTA_FILTER_F_ALL)
- return -EOPNOTSUPP;
- }
- if (tb[CTA_FILTER_REPLY_FLAGS]) {
+ if (tb[CTA_FILTER_REPLY_FLAGS])
filter->reply_flags = nla_get_u32(tb[CTA_FILTER_REPLY_FLAGS]);
- if (filter->reply_flags & ~CTA_FILTER_F_ALL)
- return -EOPNOTSUPP;
- }
return 0;
}
@@ -2633,7 +2627,7 @@ static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
[CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING,
.len = NF_CT_HELPER_NAME_LEN - 1 },
[CTA_EXPECT_ZONE] = { .type = NLA_U16 },
- [CTA_EXPECT_FLAGS] = { .type = NLA_U32 },
+ [CTA_EXPECT_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NF_CT_EXPECT_MASK),
[CTA_EXPECT_CLASS] = { .type = NLA_U32 },
[CTA_EXPECT_NAT] = { .type = NLA_NESTED },
[CTA_EXPECT_FN] = { .type = NLA_NUL_STRING },
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 0c1d086e96cb3..b67426c2189b2 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1385,9 +1385,9 @@ static int tcp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
}
static const struct nla_policy tcp_nla_policy[CTA_PROTOINFO_TCP_MAX+1] = {
- [CTA_PROTOINFO_TCP_STATE] = { .type = NLA_U8 },
- [CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = { .type = NLA_U8 },
- [CTA_PROTOINFO_TCP_WSCALE_REPLY] = { .type = NLA_U8 },
+ [CTA_PROTOINFO_TCP_STATE] = NLA_POLICY_MAX(NLA_U8, TCP_CONNTRACK_SYN_SENT2),
+ [CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = NLA_POLICY_MAX(NLA_U8, TCP_MAX_WSCALE),
+ [CTA_PROTOINFO_TCP_WSCALE_REPLY] = NLA_POLICY_MAX(NLA_U8, TCP_MAX_WSCALE),
[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL] = { .len = sizeof(struct nf_ct_tcp_flags) },
[CTA_PROTOINFO_TCP_FLAGS_REPLY] = { .len = sizeof(struct nf_ct_tcp_flags) },
};
@@ -1414,10 +1414,6 @@ static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)
if (err < 0)
return err;
- if (tb[CTA_PROTOINFO_TCP_STATE] &&
- nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]) >= TCP_CONNTRACK_MAX)
- return -EINVAL;
-
spin_lock_bh(&ct->lock);
if (tb[CTA_PROTOINFO_TCP_STATE])
ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]);
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 146/342] net: macb: use the current queue number for stats
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 145/342] netfilter: ctnetlink: use netlink policy range checks Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 147/342] RDMA/bng_re: Fix silent failure in HWRM version query Greg Kroah-Hartman
` (212 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Valerio, Nicolai Buchwitz,
Paolo Abeni, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Valerio <pvalerio@redhat.com>
[ Upstream commit 72d96e4e24bbefdcfbc68bdb9341a05d8f5cb6e5 ]
There's a potential mismatch between the memory reserved for statistics
and the amount of memory written.
gem_get_sset_count() correctly computes the number of stats based on the
active queues, whereas gem_get_ethtool_stats() indiscriminately copies
data using the maximum number of queues, and in the case the number of
active queues is less than MACB_MAX_QUEUES, this results in a OOB write
as observed in the KASAN splat.
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78
[macb]
Write of size 760 at addr ffff80008080b000 by task ethtool/1027
CPU: [...]
Tainted: [E]=UNSIGNED_MODULE
Hardware name: raspberrypi rpi/rpi, BIOS 2025.10 10/01/2025
Call trace:
show_stack+0x20/0x38 (C)
dump_stack_lvl+0x80/0xf8
print_report+0x384/0x5e0
kasan_report+0xa0/0xf0
kasan_check_range+0xe8/0x190
__asan_memcpy+0x54/0x98
gem_get_ethtool_stats+0x54/0x78 [macb
926c13f3af83b0c6fe64badb21ec87d5e93fcf65]
dev_ethtool+0x1220/0x38c0
dev_ioctl+0x4ac/0xca8
sock_do_ioctl+0x170/0x1d8
sock_ioctl+0x484/0x5d8
__arm64_sys_ioctl+0x12c/0x1b8
invoke_syscall+0xd4/0x258
el0_svc_common.constprop.0+0xb4/0x240
do_el0_svc+0x48/0x68
el0_svc+0x40/0xf8
el0t_64_sync_handler+0xa0/0xe8
el0t_64_sync+0x1b0/0x1b8
The buggy address belongs to a 1-page vmalloc region starting at
0xffff80008080b000 allocated at dev_ethtool+0x11f0/0x38c0
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000
index:0xffff00000a333000 pfn:0xa333
flags: 0x7fffc000000000(node=0|zone=0|lastcpupid=0x1ffff)
raw: 007fffc000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff00000a333000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff80008080b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff80008080b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff80008080b180: 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffff80008080b200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffff80008080b280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
Fix it by making sure the copied size only considers the active number of
queues.
Fixes: 512286bbd4b7 ("net: macb: Added some queue statistics")
Signed-off-by: Paolo Valerio <pvalerio@redhat.com>
Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Link: https://patch.msgid.link/20260323191634.2185840-1-pvalerio@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cadence/macb_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
index 1a46e27bfbb4a..094e04980c782 100644
--- a/drivers/net/ethernet/cadence/macb_main.c
+++ b/drivers/net/ethernet/cadence/macb_main.c
@@ -3224,7 +3224,7 @@ static void gem_get_ethtool_stats(struct net_device *dev,
spin_lock_irq(&bp->stats_lock);
gem_update_stats(bp);
memcpy(data, &bp->ethtool_stats, sizeof(u64)
- * (GEM_STATS_LEN + QUEUE_STATS_LEN * MACB_MAX_QUEUES));
+ * (GEM_STATS_LEN + QUEUE_STATS_LEN * bp->num_queues));
spin_unlock_irq(&bp->stats_lock);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 147/342] RDMA/bng_re: Fix silent failure in HWRM version query
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 146/342] net: macb: use the current queue number for stats Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 148/342] RDMA/efa: Check stored completion CTX command ID with received one Greg Kroah-Hartman
` (211 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kamal Heib, Siva Reddy Kallam,
Leon Romanovsky, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kamal Heib <kheib@redhat.com>
[ Upstream commit c242e92c9da456d361d1d4482fb6e93ee95bd8cf ]
If the firmware version query fails, the driver currently ignores the
error and continues initializing. This leaves the device in a bad state.
Fix this by making bng_re_query_hwrm_version() return the error code and
update the driver to check for this error and stop the setup process
safely if it happens.
Fixes: 745065770c2d ("RDMA/bng_re: Register and get the resources from bnge driver")
Signed-off-by: Kamal Heib <kheib@redhat.com>
Link: https://patch.msgid.link/20260303043645.425724-1-kheib@redhat.com
Reviewed-by: Siva Reddy Kallam <siva.kallam@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bng_re/bng_dev.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/infiniband/hw/bng_re/bng_dev.c b/drivers/infiniband/hw/bng_re/bng_dev.c
index fd0a4fe274ca6..9cf73f87070ec 100644
--- a/drivers/infiniband/hw/bng_re/bng_dev.c
+++ b/drivers/infiniband/hw/bng_re/bng_dev.c
@@ -210,7 +210,7 @@ static int bng_re_stats_ctx_alloc(struct bng_re_dev *rdev)
return rc;
}
-static void bng_re_query_hwrm_version(struct bng_re_dev *rdev)
+static int bng_re_query_hwrm_version(struct bng_re_dev *rdev)
{
struct bnge_auxr_dev *aux_dev = rdev->aux_dev;
struct hwrm_ver_get_output ver_get_resp = {};
@@ -230,7 +230,7 @@ static void bng_re_query_hwrm_version(struct bng_re_dev *rdev)
if (rc) {
ibdev_err(&rdev->ibdev, "Failed to query HW version, rc = 0x%x",
rc);
- return;
+ return rc;
}
cctx = rdev->chip_ctx;
@@ -244,6 +244,8 @@ static void bng_re_query_hwrm_version(struct bng_re_dev *rdev)
if (!cctx->hwrm_cmd_max_timeout)
cctx->hwrm_cmd_max_timeout = BNG_ROCE_FW_MAX_TIMEOUT;
+
+ return 0;
}
static void bng_re_dev_uninit(struct bng_re_dev *rdev)
@@ -306,13 +308,15 @@ static int bng_re_dev_init(struct bng_re_dev *rdev)
goto msix_ctx_fail;
}
- bng_re_query_hwrm_version(rdev);
+ rc = bng_re_query_hwrm_version(rdev);
+ if (rc)
+ goto destroy_chip_ctx;
rc = bng_re_alloc_fw_channel(&rdev->bng_res, &rdev->rcfw);
if (rc) {
ibdev_err(&rdev->ibdev,
"Failed to allocate RCFW Channel: %#x\n", rc);
- goto alloc_fw_chl_fail;
+ goto destroy_chip_ctx;
}
/* Allocate nq record memory */
@@ -391,7 +395,7 @@ static int bng_re_dev_init(struct bng_re_dev *rdev)
kfree(rdev->nqr);
nq_alloc_fail:
bng_re_free_rcfw_channel(&rdev->rcfw);
-alloc_fw_chl_fail:
+destroy_chip_ctx:
bng_re_destroy_chip_ctx(rdev);
msix_ctx_fail:
bnge_unregister_dev(rdev->aux_dev);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 148/342] RDMA/efa: Check stored completion CTX command ID with received one
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 147/342] RDMA/bng_re: Fix silent failure in HWRM version query Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 149/342] RDMA/efa: Improve admin completion context state machine Greg Kroah-Hartman
` (210 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Kranzdorf, Michael Margolin,
Yonatan Nachum, Leon Romanovsky, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yonatan Nachum <ynachum@amazon.com>
[ Upstream commit 4b01ec0f133b3fe1038dc538d6bfcbd72462d2f0 ]
In admin command completion, we receive a CQE with the command ID which
is constructed from context index and entropy bits from the admin queue
producer counter. To try to detect memory corruptions in the received
CQE, validate the full command ID of the fetched context with the CQE
command ID. If there is a mismatch, complete the CQE with error.
Also use LSBs of the admin queue producer counter to better detect
entropy mismatch between smaller number of commands.
Reviewed-by: Daniel Kranzdorf <dkkranzd@amazon.com>
Reviewed-by: Michael Margolin <mrgolin@amazon.com>
Signed-off-by: Yonatan Nachum <ynachum@amazon.com>
Link: https://patch.msgid.link/20251210130614.36460-2-ynachum@amazon.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Stable-dep-of: ef3b06742c8a ("RDMA/efa: Fix use of completion ctx after free")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/efa/efa_com.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/efa/efa_com.c b/drivers/infiniband/hw/efa/efa_com.c
index 0e979ca10d240..b31478f3a1212 100644
--- a/drivers/infiniband/hw/efa/efa_com.c
+++ b/drivers/infiniband/hw/efa/efa_com.c
@@ -3,6 +3,8 @@
* Copyright 2018-2025 Amazon.com, Inc. or its affiliates. All rights reserved.
*/
+#include <linux/log2.h>
+
#include "efa_com.h"
#include "efa_regs_defs.h"
@@ -317,7 +319,7 @@ static struct efa_comp_ctx *__efa_com_submit_admin_cmd(struct efa_com_admin_queu
/* cmd_id LSBs are the ctx_id and MSBs are entropy bits from pc */
cmd_id = ctx_id & queue_size_mask;
- cmd_id |= aq->sq.pc & ~queue_size_mask;
+ cmd_id |= aq->sq.pc << ilog2(aq->depth);
cmd_id &= EFA_ADMIN_AQ_COMMON_DESC_COMMAND_ID_MASK;
cmd->aq_common_descriptor.command_id = cmd_id;
@@ -418,7 +420,7 @@ static int efa_com_handle_single_admin_completion(struct efa_com_admin_queue *aq
EFA_ADMIN_ACQ_COMMON_DESC_COMMAND_ID);
comp_ctx = efa_com_get_comp_ctx(aq, cmd_id, false);
- if (comp_ctx->status != EFA_CMD_SUBMITTED) {
+ if (comp_ctx->status != EFA_CMD_SUBMITTED || comp_ctx->cmd_id != cmd_id) {
ibdev_err(aq->efa_dev,
"Received completion with unexpected command id[%d], sq producer: %d, sq consumer: %d, cq consumer: %d\n",
cmd_id, aq->sq.pc, aq->sq.cc, aq->cq.cc);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 149/342] RDMA/efa: Improve admin completion context state machine
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 148/342] RDMA/efa: Check stored completion CTX command ID with received one Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 150/342] RDMA/efa: Fix use of completion ctx after free Greg Kroah-Hartman
` (209 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Kranzdorf, Michael Margolin,
Yonatan Nachum, Leon Romanovsky, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yonatan Nachum <ynachum@amazon.com>
[ Upstream commit dab5825491f7b0ea92a09390f39df0a51100f12f ]
Add a new unused state to the admin completion contexts state machine
instead of the occupied field. This improves the completion validity
check because it now enforce the context to be in submitted state prior
to completing it. Also add allocated state as a intermediate state
between unused and submitted.
Reviewed-by: Daniel Kranzdorf <dkkranzd@amazon.com>
Reviewed-by: Michael Margolin <mrgolin@amazon.com>
Signed-off-by: Yonatan Nachum <ynachum@amazon.com>
Link: https://patch.msgid.link/20251210130614.36460-3-ynachum@amazon.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Stable-dep-of: ef3b06742c8a ("RDMA/efa: Fix use of completion ctx after free")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/efa/efa_com.c | 91 ++++++++++++++++-------------
1 file changed, 50 insertions(+), 41 deletions(-)
diff --git a/drivers/infiniband/hw/efa/efa_com.c b/drivers/infiniband/hw/efa/efa_com.c
index b31478f3a1212..229b0ad3b0cbb 100644
--- a/drivers/infiniband/hw/efa/efa_com.c
+++ b/drivers/infiniband/hw/efa/efa_com.c
@@ -23,6 +23,8 @@
#define EFA_CTRL_SUB_MINOR 1
enum efa_cmd_status {
+ EFA_CMD_UNUSED,
+ EFA_CMD_ALLOCATED,
EFA_CMD_SUBMITTED,
EFA_CMD_COMPLETED,
};
@@ -34,7 +36,6 @@ struct efa_comp_ctx {
enum efa_cmd_status status;
u16 cmd_id;
u8 cmd_opcode;
- u8 occupied;
};
static const char *efa_com_cmd_str(u8 cmd)
@@ -243,7 +244,6 @@ static int efa_com_admin_init_aenq(struct efa_com_dev *edev,
return 0;
}
-/* ID to be used with efa_com_get_comp_ctx */
static u16 efa_com_alloc_ctx_id(struct efa_com_admin_queue *aq)
{
u16 ctx_id;
@@ -265,36 +265,47 @@ static void efa_com_dealloc_ctx_id(struct efa_com_admin_queue *aq,
spin_unlock(&aq->comp_ctx_lock);
}
-static inline void efa_com_put_comp_ctx(struct efa_com_admin_queue *aq,
- struct efa_comp_ctx *comp_ctx)
+static struct efa_comp_ctx *efa_com_alloc_comp_ctx(struct efa_com_admin_queue *aq)
{
- u16 cmd_id = EFA_GET(&comp_ctx->user_cqe->acq_common_descriptor.command,
- EFA_ADMIN_ACQ_COMMON_DESC_COMMAND_ID);
- u16 ctx_id = cmd_id & (aq->depth - 1);
+ struct efa_comp_ctx *comp_ctx;
+ u16 ctx_id;
- ibdev_dbg(aq->efa_dev, "Put completion command_id %#x\n", cmd_id);
- comp_ctx->occupied = 0;
- efa_com_dealloc_ctx_id(aq, ctx_id);
+ ctx_id = efa_com_alloc_ctx_id(aq);
+
+ comp_ctx = &aq->comp_ctx[ctx_id];
+ if (comp_ctx->status != EFA_CMD_UNUSED) {
+ efa_com_dealloc_ctx_id(aq, ctx_id);
+ ibdev_err_ratelimited(aq->efa_dev,
+ "Completion context[%u] is used[%u]\n",
+ ctx_id, comp_ctx->status);
+ return NULL;
+ }
+
+ comp_ctx->status = EFA_CMD_ALLOCATED;
+ ibdev_dbg(aq->efa_dev, "Take completion context[%u]\n", ctx_id);
+ return comp_ctx;
}
-static struct efa_comp_ctx *efa_com_get_comp_ctx(struct efa_com_admin_queue *aq,
- u16 cmd_id, bool capture)
+static inline u16 efa_com_get_comp_ctx_id(struct efa_com_admin_queue *aq,
+ struct efa_comp_ctx *comp_ctx)
{
- u16 ctx_id = cmd_id & (aq->depth - 1);
+ return comp_ctx - aq->comp_ctx;
+}
- if (aq->comp_ctx[ctx_id].occupied && capture) {
- ibdev_err_ratelimited(
- aq->efa_dev,
- "Completion context for command_id %#x is occupied\n",
- cmd_id);
- return NULL;
- }
+static inline void efa_com_dealloc_comp_ctx(struct efa_com_admin_queue *aq,
+ struct efa_comp_ctx *comp_ctx)
+{
+ u16 ctx_id = efa_com_get_comp_ctx_id(aq, comp_ctx);
- if (capture) {
- aq->comp_ctx[ctx_id].occupied = 1;
- ibdev_dbg(aq->efa_dev,
- "Take completion ctxt for command_id %#x\n", cmd_id);
- }
+ ibdev_dbg(aq->efa_dev, "Put completion context[%u]\n", ctx_id);
+ comp_ctx->status = EFA_CMD_UNUSED;
+ efa_com_dealloc_ctx_id(aq, ctx_id);
+}
+
+static inline struct efa_comp_ctx *efa_com_get_comp_ctx_by_cmd_id(struct efa_com_admin_queue *aq,
+ u16 cmd_id)
+{
+ u16 ctx_id = cmd_id & (aq->depth - 1);
return &aq->comp_ctx[ctx_id];
}
@@ -312,10 +323,13 @@ static struct efa_comp_ctx *__efa_com_submit_admin_cmd(struct efa_com_admin_queu
u16 ctx_id;
u16 pi;
+ comp_ctx = efa_com_alloc_comp_ctx(aq);
+ if (!comp_ctx)
+ return ERR_PTR(-EINVAL);
+
queue_size_mask = aq->depth - 1;
pi = aq->sq.pc & queue_size_mask;
-
- ctx_id = efa_com_alloc_ctx_id(aq);
+ ctx_id = efa_com_get_comp_ctx_id(aq, comp_ctx);
/* cmd_id LSBs are the ctx_id and MSBs are entropy bits from pc */
cmd_id = ctx_id & queue_size_mask;
@@ -326,12 +340,6 @@ static struct efa_comp_ctx *__efa_com_submit_admin_cmd(struct efa_com_admin_queu
EFA_SET(&cmd->aq_common_descriptor.flags,
EFA_ADMIN_AQ_COMMON_DESC_PHASE, aq->sq.phase);
- comp_ctx = efa_com_get_comp_ctx(aq, cmd_id, true);
- if (!comp_ctx) {
- efa_com_dealloc_ctx_id(aq, ctx_id);
- return ERR_PTR(-EINVAL);
- }
-
comp_ctx->status = EFA_CMD_SUBMITTED;
comp_ctx->comp_size = comp_size_in_bytes;
comp_ctx->user_cqe = comp;
@@ -372,9 +380,9 @@ static inline int efa_com_init_comp_ctxt(struct efa_com_admin_queue *aq)
}
for (i = 0; i < aq->depth; i++) {
- comp_ctx = efa_com_get_comp_ctx(aq, i, false);
- if (comp_ctx)
- init_completion(&comp_ctx->wait_event);
+ comp_ctx = &aq->comp_ctx[i];
+ comp_ctx->status = EFA_CMD_UNUSED;
+ init_completion(&comp_ctx->wait_event);
aq->comp_ctx_pool[i] = i;
}
@@ -419,11 +427,12 @@ static int efa_com_handle_single_admin_completion(struct efa_com_admin_queue *aq
cmd_id = EFA_GET(&cqe->acq_common_descriptor.command,
EFA_ADMIN_ACQ_COMMON_DESC_COMMAND_ID);
- comp_ctx = efa_com_get_comp_ctx(aq, cmd_id, false);
+ comp_ctx = efa_com_get_comp_ctx_by_cmd_id(aq, cmd_id);
if (comp_ctx->status != EFA_CMD_SUBMITTED || comp_ctx->cmd_id != cmd_id) {
ibdev_err(aq->efa_dev,
- "Received completion with unexpected command id[%d], sq producer: %d, sq consumer: %d, cq consumer: %d\n",
- cmd_id, aq->sq.pc, aq->sq.cc, aq->cq.cc);
+ "Received completion with unexpected command id[%x], status[%d] sq producer[%d], sq consumer[%d], cq consumer[%d]\n",
+ cmd_id, comp_ctx->status, aq->sq.pc, aq->sq.cc,
+ aq->cq.cc);
return -EINVAL;
}
@@ -532,7 +541,7 @@ static int efa_com_wait_and_process_admin_cq_polling(struct efa_comp_ctx *comp_c
err = efa_com_comp_status_to_errno(comp_ctx->user_cqe->acq_common_descriptor.status);
out:
- efa_com_put_comp_ctx(aq, comp_ctx);
+ efa_com_dealloc_comp_ctx(aq, comp_ctx);
return err;
}
@@ -582,7 +591,7 @@ static int efa_com_wait_and_process_admin_cq_interrupts(struct efa_comp_ctx *com
err = efa_com_comp_status_to_errno(comp_ctx->user_cqe->acq_common_descriptor.status);
out:
- efa_com_put_comp_ctx(aq, comp_ctx);
+ efa_com_dealloc_comp_ctx(aq, comp_ctx);
return err;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 150/342] RDMA/efa: Fix use of completion ctx after free
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 149/342] RDMA/efa: Improve admin completion context state machine Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 151/342] regmap: Synchronize cache for the page selector Greg Kroah-Hartman
` (208 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Kranzdorf, Michael Margolin,
Yonatan Nachum, Leon Romanovsky, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yonatan Nachum <ynachum@amazon.com>
[ Upstream commit ef3b06742c8a201d0e83edc9a33a89a4fe3009f8 ]
On admin queue completion handling, if the admin command completed with
error we print data from the completion context. The issue is that we
already freed the completion context in polling/interrupts handler which
means we print data from context in an unknown state (it might be
already used again).
Change the admin submission flow so alloc/dealloc of the context will be
symmetric and dealloc will be called after any potential use of the
context.
Fixes: 68fb9f3e312a ("RDMA/efa: Remove redundant NULL pointer check of CQE")
Reviewed-by: Daniel Kranzdorf <dkkranzd@amazon.com>
Reviewed-by: Michael Margolin <mrgolin@amazon.com>
Signed-off-by: Yonatan Nachum <ynachum@amazon.com>
Link: https://patch.msgid.link/20260308165350.18219-1-ynachum@amazon.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/efa/efa_com.c | 87 +++++++++++++----------------
1 file changed, 39 insertions(+), 48 deletions(-)
diff --git a/drivers/infiniband/hw/efa/efa_com.c b/drivers/infiniband/hw/efa/efa_com.c
index 229b0ad3b0cbb..56caba612139f 100644
--- a/drivers/infiniband/hw/efa/efa_com.c
+++ b/drivers/infiniband/hw/efa/efa_com.c
@@ -1,6 +1,6 @@
// SPDX-License-Identifier: GPL-2.0 OR BSD-2-Clause
/*
- * Copyright 2018-2025 Amazon.com, Inc. or its affiliates. All rights reserved.
+ * Copyright 2018-2026 Amazon.com, Inc. or its affiliates. All rights reserved.
*/
#include <linux/log2.h>
@@ -310,23 +310,19 @@ static inline struct efa_comp_ctx *efa_com_get_comp_ctx_by_cmd_id(struct efa_com
return &aq->comp_ctx[ctx_id];
}
-static struct efa_comp_ctx *__efa_com_submit_admin_cmd(struct efa_com_admin_queue *aq,
- struct efa_admin_aq_entry *cmd,
- size_t cmd_size_in_bytes,
- struct efa_admin_acq_entry *comp,
- size_t comp_size_in_bytes)
+static void __efa_com_submit_admin_cmd(struct efa_com_admin_queue *aq,
+ struct efa_comp_ctx *comp_ctx,
+ struct efa_admin_aq_entry *cmd,
+ size_t cmd_size_in_bytes,
+ struct efa_admin_acq_entry *comp,
+ size_t comp_size_in_bytes)
{
struct efa_admin_aq_entry *aqe;
- struct efa_comp_ctx *comp_ctx;
u16 queue_size_mask;
u16 cmd_id;
u16 ctx_id;
u16 pi;
- comp_ctx = efa_com_alloc_comp_ctx(aq);
- if (!comp_ctx)
- return ERR_PTR(-EINVAL);
-
queue_size_mask = aq->depth - 1;
pi = aq->sq.pc & queue_size_mask;
ctx_id = efa_com_get_comp_ctx_id(aq, comp_ctx);
@@ -360,8 +356,6 @@ static struct efa_comp_ctx *__efa_com_submit_admin_cmd(struct efa_com_admin_queu
/* barrier not needed in case of writel */
writel(aq->sq.pc, aq->sq.db_addr);
-
- return comp_ctx;
}
static inline int efa_com_init_comp_ctxt(struct efa_com_admin_queue *aq)
@@ -394,28 +388,25 @@ static inline int efa_com_init_comp_ctxt(struct efa_com_admin_queue *aq)
return 0;
}
-static struct efa_comp_ctx *efa_com_submit_admin_cmd(struct efa_com_admin_queue *aq,
- struct efa_admin_aq_entry *cmd,
- size_t cmd_size_in_bytes,
- struct efa_admin_acq_entry *comp,
- size_t comp_size_in_bytes)
+static int efa_com_submit_admin_cmd(struct efa_com_admin_queue *aq,
+ struct efa_comp_ctx *comp_ctx,
+ struct efa_admin_aq_entry *cmd,
+ size_t cmd_size_in_bytes,
+ struct efa_admin_acq_entry *comp,
+ size_t comp_size_in_bytes)
{
- struct efa_comp_ctx *comp_ctx;
-
spin_lock(&aq->sq.lock);
if (!test_bit(EFA_AQ_STATE_RUNNING_BIT, &aq->state)) {
ibdev_err_ratelimited(aq->efa_dev, "Admin queue is closed\n");
spin_unlock(&aq->sq.lock);
- return ERR_PTR(-ENODEV);
+ return -ENODEV;
}
- comp_ctx = __efa_com_submit_admin_cmd(aq, cmd, cmd_size_in_bytes, comp,
- comp_size_in_bytes);
+ __efa_com_submit_admin_cmd(aq, comp_ctx, cmd, cmd_size_in_bytes, comp,
+ comp_size_in_bytes);
spin_unlock(&aq->sq.lock);
- if (IS_ERR(comp_ctx))
- clear_bit(EFA_AQ_STATE_RUNNING_BIT, &aq->state);
- return comp_ctx;
+ return 0;
}
static int efa_com_handle_single_admin_completion(struct efa_com_admin_queue *aq,
@@ -512,7 +503,6 @@ static int efa_com_wait_and_process_admin_cq_polling(struct efa_comp_ctx *comp_c
{
unsigned long timeout;
unsigned long flags;
- int err;
timeout = jiffies + usecs_to_jiffies(aq->completion_timeout);
@@ -532,24 +522,20 @@ static int efa_com_wait_and_process_admin_cq_polling(struct efa_comp_ctx *comp_c
atomic64_inc(&aq->stats.no_completion);
clear_bit(EFA_AQ_STATE_RUNNING_BIT, &aq->state);
- err = -ETIME;
- goto out;
+ return -ETIME;
}
msleep(aq->poll_interval);
}
- err = efa_com_comp_status_to_errno(comp_ctx->user_cqe->acq_common_descriptor.status);
-out:
- efa_com_dealloc_comp_ctx(aq, comp_ctx);
- return err;
+ return efa_com_comp_status_to_errno(
+ comp_ctx->user_cqe->acq_common_descriptor.status);
}
static int efa_com_wait_and_process_admin_cq_interrupts(struct efa_comp_ctx *comp_ctx,
struct efa_com_admin_queue *aq)
{
unsigned long flags;
- int err;
wait_for_completion_timeout(&comp_ctx->wait_event,
usecs_to_jiffies(aq->completion_timeout));
@@ -585,14 +571,11 @@ static int efa_com_wait_and_process_admin_cq_interrupts(struct efa_comp_ctx *com
aq->cq.cc);
clear_bit(EFA_AQ_STATE_RUNNING_BIT, &aq->state);
- err = -ETIME;
- goto out;
+ return -ETIME;
}
- err = efa_com_comp_status_to_errno(comp_ctx->user_cqe->acq_common_descriptor.status);
-out:
- efa_com_dealloc_comp_ctx(aq, comp_ctx);
- return err;
+ return efa_com_comp_status_to_errno(
+ comp_ctx->user_cqe->acq_common_descriptor.status);
}
/*
@@ -642,30 +625,38 @@ int efa_com_cmd_exec(struct efa_com_admin_queue *aq,
ibdev_dbg(aq->efa_dev, "%s (opcode %d)\n",
efa_com_cmd_str(cmd->aq_common_descriptor.opcode),
cmd->aq_common_descriptor.opcode);
- comp_ctx = efa_com_submit_admin_cmd(aq, cmd, cmd_size, comp, comp_size);
- if (IS_ERR(comp_ctx)) {
+
+ comp_ctx = efa_com_alloc_comp_ctx(aq);
+ if (!comp_ctx) {
+ clear_bit(EFA_AQ_STATE_RUNNING_BIT, &aq->state);
+ return -EINVAL;
+ }
+
+ err = efa_com_submit_admin_cmd(aq, comp_ctx, cmd, cmd_size, comp, comp_size);
+ if (err) {
ibdev_err_ratelimited(
aq->efa_dev,
- "Failed to submit command %s (opcode %u) err %pe\n",
+ "Failed to submit command %s (opcode %u) err %d\n",
efa_com_cmd_str(cmd->aq_common_descriptor.opcode),
- cmd->aq_common_descriptor.opcode, comp_ctx);
+ cmd->aq_common_descriptor.opcode, err);
+ efa_com_dealloc_comp_ctx(aq, comp_ctx);
up(&aq->avail_cmds);
atomic64_inc(&aq->stats.cmd_err);
- return PTR_ERR(comp_ctx);
+ return err;
}
err = efa_com_wait_and_process_admin_cq(comp_ctx, aq);
if (err) {
ibdev_err_ratelimited(
aq->efa_dev,
- "Failed to process command %s (opcode %u) comp_status %d err %d\n",
+ "Failed to process command %s (opcode %u) err %d\n",
efa_com_cmd_str(cmd->aq_common_descriptor.opcode),
- cmd->aq_common_descriptor.opcode,
- comp_ctx->user_cqe->acq_common_descriptor.status, err);
+ cmd->aq_common_descriptor.opcode, err);
atomic64_inc(&aq->stats.cmd_err);
}
+ efa_com_dealloc_comp_ctx(aq, comp_ctx);
up(&aq->avail_cmds);
return err;
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 151/342] regmap: Synchronize cache for the page selector
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 150/342] RDMA/efa: Fix use of completion ctx after free Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 152/342] ALSA: hda/realtek: Sequence GPIO2 on Star Labs StarFighter Greg Kroah-Hartman
` (207 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Marek Szyprowski,
Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 09e70e4f119ff650d24c96161fd2f62ac7e424b0 ]
If the selector register is represented in each page, its value
according to the debugfs is stale because it gets synchronized
only after the real page switch happens. Hence the regmap cache
initialisation from the HW inherits outdated data in the selector
register.
Synchronize cache for the page selector just in time.
Before (offset followed by hexdump, the first byte is selector):
// Real registers
18: 05 ff 00 00 ff 0f 00 00 f0 00 00 00
...
// Virtual (per port)
40: 05 ff 00 00 e0 e0 00 00 00 00 00 1f
50: 00 ff 00 00 e0 e0 00 00 00 00 00 1f
60: 01 ff 00 00 ff ff 00 00 00 00 00 00
70: 02 ff 00 00 cf f3 00 00 00 00 00 0c
80: 03 ff 00 00 00 00 00 00 00 00 00 ff
90: 04 ff 00 00 ff 0f 00 00 f0 00 00 00
After:
// Real registers
18: 05 ff 00 00 ff 0f 00 00 f0 00 00 00
...
// Virtual (per port)
40: 00 ff 00 00 e0 e0 00 00 00 00 00 1f
50: 01 ff 00 00 e0 e0 00 00 00 00 00 1f
60: 02 ff 00 00 ff ff 00 00 00 00 00 00
70: 03 ff 00 00 cf f3 00 00 00 00 00 0c
80: 04 ff 00 00 00 00 00 00 00 00 00 ff
90: 05 ff 00 00 ff 0f 00 00 f0 00 00 00
Fixes: 6863ca622759 ("regmap: Add support for register indirect addressing.")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/20260302184753.2693803-1-andriy.shevchenko@linux.intel.com
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/regmap/regmap.c | 30 ++++++++++++++++++++++++++----
1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
index ae2215d4e61c3..a648218507236 100644
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -1543,6 +1543,7 @@ static int _regmap_select_page(struct regmap *map, unsigned int *reg,
unsigned int val_num)
{
void *orig_work_buf;
+ unsigned int selector_reg;
unsigned int win_offset;
unsigned int win_page;
bool page_chg;
@@ -1561,10 +1562,31 @@ static int _regmap_select_page(struct regmap *map, unsigned int *reg,
return -EINVAL;
}
- /* It is possible to have selector register inside data window.
- In that case, selector register is located on every page and
- it needs no page switching, when accessed alone. */
+ /*
+ * Calculate the address of the selector register in the corresponding
+ * data window if it is located on every page.
+ */
+ page_chg = in_range(range->selector_reg, range->window_start, range->window_len);
+ if (page_chg)
+ selector_reg = range->range_min + win_page * range->window_len +
+ range->selector_reg - range->window_start;
+
+ /*
+ * It is possible to have selector register inside data window.
+ * In that case, selector register is located on every page and it
+ * needs no page switching, when accessed alone.
+ *
+ * Nevertheless we should synchronize the cache values for it.
+ * This can't be properly achieved if the selector register is
+ * the first and the only one to be read inside the data window.
+ * That's why we update it in that case as well.
+ *
+ * However, we specifically avoid updating it for the default page,
+ * when it's overlapped with the real data window, to prevent from
+ * infinite looping.
+ */
if (val_num > 1 ||
+ (page_chg && selector_reg != range->selector_reg) ||
range->window_start + win_offset != range->selector_reg) {
/* Use separate work_buf during page switching */
orig_work_buf = map->work_buf;
@@ -1573,7 +1595,7 @@ static int _regmap_select_page(struct regmap *map, unsigned int *reg,
ret = _regmap_update_bits(map, range->selector_reg,
range->selector_mask,
win_page << range->selector_shift,
- &page_chg, false);
+ NULL, false);
map->work_buf = orig_work_buf;
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 152/342] ALSA: hda/realtek: Sequence GPIO2 on Star Labs StarFighter
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 151/342] regmap: Synchronize cache for the page selector Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 153/342] RDMA/rw: Fall back to direct SGE on MR pool exhaustion Greg Kroah-Hartman
` (206 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Rhodes, Takashi Iwai,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Rhodes <sean@starlabs.systems>
[ Upstream commit a6919f2a01f8fbf807b015e5b26aecae7db8117b ]
The initial StarFighter quirk fixed the runtime suspend pop by muting
speakers in the shutup callback before power-down. Further hardware
validation showed that the speaker path is controlled directly by LINE2
EAPD on NID 0x1b together with GPIO2 for the external amplifier.
Replace the shutup-delay workaround with explicit sequencing of those
controls at playback start and stop:
- assert LINE2 EAPD and drive GPIO2 high on PREPARE
- deassert LINE2 EAPD and drive GPIO2 low on CLEANUP
This avoids the runtime suspend pop without a sleep, and also fixes pops
around G3 entry and display-manager start that the original workaround
did not cover.
Fixes: 1cb3c20688fc ("ALSA: hda/realtek: Fix speaker pop on Star Labs StarFighter")
Tested-by: Sean Rhodes <sean@starlabs.systems>
Signed-off-by: Sean Rhodes <sean@starlabs.systems>
Link: https://patch.msgid.link/20260315201127.33744-1-sean@starlabs.systems
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/realtek/alc269.c | 38 ++++++++++++++++++++++++++-----
1 file changed, 32 insertions(+), 6 deletions(-)
diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
index ab4b22fcb72ed..eba7afef302f7 100644
--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -1017,12 +1017,30 @@ static int alc269_resume(struct hda_codec *codec)
return 0;
}
-#define STARLABS_STARFIGHTER_SHUTUP_DELAY_MS 30
+#define ALC233_STARFIGHTER_SPK_PIN 0x1b
+#define ALC233_STARFIGHTER_GPIO2 0x04
-static void starlabs_starfighter_shutup(struct hda_codec *codec)
+static void alc233_starfighter_update_amp(struct hda_codec *codec, bool on)
{
- if (snd_hda_gen_shutup_speakers(codec))
- msleep(STARLABS_STARFIGHTER_SHUTUP_DELAY_MS);
+ snd_hda_codec_write(codec, ALC233_STARFIGHTER_SPK_PIN, 0,
+ AC_VERB_SET_EAPD_BTLENABLE,
+ on ? AC_EAPDBTL_EAPD : 0);
+ alc_update_gpio_data(codec, ALC233_STARFIGHTER_GPIO2, on);
+}
+
+static void alc233_starfighter_pcm_hook(struct hda_pcm_stream *hinfo,
+ struct hda_codec *codec,
+ struct snd_pcm_substream *substream,
+ int action)
+{
+ switch (action) {
+ case HDA_GEN_PCM_ACT_PREPARE:
+ alc233_starfighter_update_amp(codec, true);
+ break;
+ case HDA_GEN_PCM_ACT_CLEANUP:
+ alc233_starfighter_update_amp(codec, false);
+ break;
+ }
}
static void alc233_fixup_starlabs_starfighter(struct hda_codec *codec,
@@ -1031,8 +1049,16 @@ static void alc233_fixup_starlabs_starfighter(struct hda_codec *codec,
{
struct alc_spec *spec = codec->spec;
- if (action == HDA_FIXUP_ACT_PRE_PROBE)
- spec->shutup = starlabs_starfighter_shutup;
+ switch (action) {
+ case HDA_FIXUP_ACT_PRE_PROBE:
+ spec->gpio_mask |= ALC233_STARFIGHTER_GPIO2;
+ spec->gpio_dir |= ALC233_STARFIGHTER_GPIO2;
+ spec->gpio_data &= ~ALC233_STARFIGHTER_GPIO2;
+ break;
+ case HDA_FIXUP_ACT_PROBE:
+ spec->gen.pcm_playback_hook = alc233_starfighter_pcm_hook;
+ break;
+ }
}
static void alc269_fixup_pincfg_no_hp_to_lineout(struct hda_codec *codec,
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 153/342] RDMA/rw: Fall back to direct SGE on MR pool exhaustion
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 152/342] ALSA: hda/realtek: Sequence GPIO2 on Star Labs StarFighter Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 154/342] RDMA/efa: Fix possible deadlock Greg Kroah-Hartman
` (205 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chuck Lever, Christoph Hellwig,
Leon Romanovsky, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit 00da250c21b074ea9494c375d0117b69e5b1d0a4 ]
When IOMMU passthrough mode is active, ib_dma_map_sgtable_attrs()
produces no coalescing: each scatterlist page maps 1:1 to a DMA
entry, so sgt.nents equals the raw page count. A 1 MB transfer
yields 256 DMA entries. If that count exceeds the device's
max_sgl_rd threshold (an optimization hint from mlx5 firmware),
rdma_rw_io_needs_mr() steers the operation into the MR
registration path. Each such operation consumes one or more MRs
from a pool sized at max_rdma_ctxs -- roughly one MR per
concurrent context. Under write-intensive workloads that issue
many concurrent RDMA READs, the pool is rapidly exhausted,
ib_mr_pool_get() returns NULL, and rdma_rw_init_one_mr() returns
-EAGAIN. Upper layer protocols treat this as a fatal DMA mapping
failure and tear down the connection.
The max_sgl_rd check is a performance optimization, not a
correctness requirement: the device can handle large SGE counts
via direct posting, just less efficiently than with MR
registration. When the MR pool cannot satisfy a request, falling
back to the direct SGE (map_wrs) path avoids the connection
reset while preserving the MR optimization for the common case
where pool resources are available.
Add a fallback in rdma_rw_ctx_init() so that -EAGAIN from
rdma_rw_init_mr_wrs() triggers direct SGE posting instead of
propagating the error. iWARP devices, which mandate MR
registration for RDMA READs, and force_mr debug mode continue
to treat -EAGAIN as terminal.
Fixes: 00bd1439f464 ("RDMA/rw: Support threshold for registration vs scattering to local pages")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://patch.msgid.link/20260313194201.5818-2-cel@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/rw.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/drivers/infiniband/core/rw.c b/drivers/infiniband/core/rw.c
index 2522ff1cc462c..49fbfe1cef689 100644
--- a/drivers/infiniband/core/rw.c
+++ b/drivers/infiniband/core/rw.c
@@ -326,14 +326,29 @@ int rdma_rw_ctx_init(struct rdma_rw_ctx *ctx, struct ib_qp *qp, u32 port_num,
if (rdma_rw_io_needs_mr(qp->device, port_num, dir, sg_cnt)) {
ret = rdma_rw_init_mr_wrs(ctx, qp, port_num, sg, sg_cnt,
sg_offset, remote_addr, rkey, dir);
- } else if (sg_cnt > 1) {
+ /*
+ * If MR init succeeded or failed for a reason other
+ * than pool exhaustion, that result is final.
+ *
+ * Pool exhaustion (-EAGAIN) from the max_sgl_rd
+ * optimization is recoverable: fall back to
+ * direct SGE posting. iWARP and force_mr require
+ * MRs unconditionally, so -EAGAIN is terminal.
+ */
+ if (ret != -EAGAIN ||
+ rdma_protocol_iwarp(qp->device, port_num) ||
+ unlikely(rdma_rw_force_mr))
+ goto out;
+ }
+
+ if (sg_cnt > 1)
ret = rdma_rw_init_map_wrs(ctx, qp, sg, sg_cnt, sg_offset,
remote_addr, rkey, dir);
- } else {
+ else
ret = rdma_rw_init_single_wr(ctx, qp, sg, sg_offset,
remote_addr, rkey, dir);
- }
+out:
if (ret < 0)
goto out_unmap_sg;
return ret;
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 154/342] RDMA/efa: Fix possible deadlock
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 153/342] RDMA/rw: Fall back to direct SGE on MR pool exhaustion Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 155/342] ALSA: usb-audio: Exclude Scarlett 2i2 1st Gen from SKIP_IFACE_SETUP Greg Kroah-Hartman
` (204 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Leon Romanovsky,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit 0f2055db7b630559870afb40fc84490816ab8ec5 ]
In the error path for efa_com_alloc_comp_ctx() the semaphore assigned to
&aq->avail_cmds is not released.
Detected by Smatch:
drivers/infiniband/hw/efa/efa_com.c:662 efa_com_cmd_exec() warn:
inconsistent returns '&aq->avail_cmds'
Add release for &aq->avail_cmds in efa_com_alloc_comp_ctx() error path.
Fixes: ef3b06742c8a2 ("RDMA/efa: Fix use of completion ctx after free")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Link: https://patch.msgid.link/20260314045730.1143862-1-ethantidmore06@gmail.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/efa/efa_com.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/infiniband/hw/efa/efa_com.c b/drivers/infiniband/hw/efa/efa_com.c
index 56caba612139f..e97b5f0d70038 100644
--- a/drivers/infiniband/hw/efa/efa_com.c
+++ b/drivers/infiniband/hw/efa/efa_com.c
@@ -629,6 +629,7 @@ int efa_com_cmd_exec(struct efa_com_admin_queue *aq,
comp_ctx = efa_com_alloc_comp_ctx(aq);
if (!comp_ctx) {
clear_bit(EFA_AQ_STATE_RUNNING_BIT, &aq->state);
+ up(&aq->avail_cmds);
return -EINVAL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 155/342] ALSA: usb-audio: Exclude Scarlett 2i2 1st Gen from SKIP_IFACE_SETUP
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 154/342] RDMA/efa: Fix possible deadlock Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 156/342] RDMA/irdma: Initialize free_qp completion before using it Greg Kroah-Hartman
` (203 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geoffrey D. Bennett, Takashi Iwai,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geoffrey D. Bennett <g@b4.vu>
[ Upstream commit 8780f561f6717dec52351251881bff79e960eb46 ]
The Focusrite Scarlett 2i2 1st Gen (1235:8006) produces
distorted/silent audio when QUIRK_FLAG_SKIP_IFACE_SETUP is active, as
that flag causes the feedback format to be detected as 17.15 instead
of 16.16.
Add a DEVICE_FLG entry for this device before the Focusrite VENDOR_FLG
entry so that it gets no quirk flags, overriding the vendor-wide
SKIP_IFACE_SETUP. This device doesn't have the internal mixer, Air, or
Safe modes that the quirk was designed to protect.
Fixes: 38c322068a26 ("ALSA: usb-audio: Add QUIRK_FLAG_SKIP_IFACE_SETUP")
Reported-by: pairomaniac [https://github.com/geoffreybennett/linux-fcp/issues/54]
Tested-by: pairomaniac [https://github.com/geoffreybennett/linux-fcp/issues/54]
Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
Link: https://patch.msgid.link/abmsTjKmQMKbhYtK@m.b4.vu
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index d87b988516bbf..461d7d254e378 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2425,6 +2425,7 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
QUIRK_FLAG_CTL_MSG_DELAY | QUIRK_FLAG_IFACE_DELAY),
VENDOR_FLG(0x07fd, /* MOTU */
QUIRK_FLAG_VALIDATE_RATES),
+ DEVICE_FLG(0x1235, 0x8006, 0), /* Focusrite Scarlett 2i2 1st Gen */
VENDOR_FLG(0x1235, /* Focusrite Novation */
QUIRK_FLAG_SKIP_IFACE_SETUP),
VENDOR_FLG(0x1511, /* AURALiC */
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 156/342] RDMA/irdma: Initialize free_qp completion before using it
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 155/342] ALSA: usb-audio: Exclude Scarlett 2i2 1st Gen from SKIP_IFACE_SETUP Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 157/342] RDMA/irdma: Update ibqp state to error if QP is already in error state Greg Kroah-Hartman
` (202 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacob Moroni, Tatyana Nikolova,
Leon Romanovsky, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacob Moroni <jmoroni@google.com>
[ Upstream commit 11a95521fb93c91e2d4ef9d53dc80ef0a755549b ]
In irdma_create_qp, if ib_copy_to_udata fails, it will call
irdma_destroy_qp to clean up which will attempt to wait on
the free_qp completion, which is not initialized yet. Fix this
by initializing the completion before the ib_copy_to_udata call.
Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
Signed-off-by: Jacob Moroni <jmoroni@google.com>
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/verbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index 68fb81b7bd221..d279a015094be 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -1105,6 +1105,7 @@ static int irdma_create_qp(struct ib_qp *ibqp,
spin_lock_init(&iwqp->sc_qp.pfpdu.lock);
iwqp->sig_all = init_attr->sq_sig_type == IB_SIGNAL_ALL_WR;
rf->qp_table[qp_num] = iwqp;
+ init_completion(&iwqp->free_qp);
if (udata) {
/* GEN_1 legacy support with libi40iw does not have expanded uresp struct */
@@ -1129,7 +1130,6 @@ static int irdma_create_qp(struct ib_qp *ibqp,
}
}
- init_completion(&iwqp->free_qp);
return 0;
error:
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 157/342] RDMA/irdma: Update ibqp state to error if QP is already in error state
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 156/342] RDMA/irdma: Initialize free_qp completion before using it Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 158/342] RDMA/irdma: Remove a NOP wait_event() in irdma_modify_qp_roce() Greg Kroah-Hartman
` (201 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tatyana Nikolova, Leon Romanovsky,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
[ Upstream commit 8c1f19a2225cf37b3f8ab0b5a8a5322291cda620 ]
In irdma_modify_qp() update ibqp state to error if the irdma QP is already
in error state, otherwise the ibqp state which is visible to the consumer
app remains stale.
Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/verbs.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index d279a015094be..c34188e322085 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -1540,6 +1540,7 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr,
case IB_QPS_ERR:
case IB_QPS_RESET:
if (iwqp->iwarp_state == IRDMA_QP_STATE_ERROR) {
+ iwqp->ibqp_state = attr->qp_state;
spin_unlock_irqrestore(&iwqp->lock, flags);
if (udata && udata->inlen) {
if (ib_copy_from_udata(&ureq, udata,
@@ -1745,6 +1746,7 @@ int irdma_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, int attr_mask,
case IB_QPS_ERR:
case IB_QPS_RESET:
if (iwqp->iwarp_state == IRDMA_QP_STATE_ERROR) {
+ iwqp->ibqp_state = attr->qp_state;
spin_unlock_irqrestore(&iwqp->lock, flags);
if (udata && udata->inlen) {
if (ib_copy_from_udata(&ureq, udata,
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 158/342] RDMA/irdma: Remove a NOP wait_event() in irdma_modify_qp_roce()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 157/342] RDMA/irdma: Update ibqp state to error if QP is already in error state Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 159/342] RDMA/irdma: Clean up unnecessary dereference of event->cm_node Greg Kroah-Hartman
` (200 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tatyana Nikolova, Leon Romanovsky,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
[ Upstream commit 5e8f0239731a83753473b7aa91bda67bbdff5053 ]
Remove a NOP wait_event() in irdma_modify_qp_roce() which is relevant
for iWARP and likely a copy and paste artifact for RoCEv2. The wait event
is for sending a reset on a TCP connection, after the reset has been
requested in irdma_modify_qp(), which occurs only in iWarp mode.
Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/verbs.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index c34188e322085..ac3a8f3f95b7f 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -1462,8 +1462,6 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr,
ctx_info->remote_atomics_en = true;
}
- wait_event(iwqp->mod_qp_waitq, !atomic_read(&iwqp->hw_mod_qp_pend));
-
ibdev_dbg(&iwdev->ibdev,
"VERBS: caller: %pS qp_id=%d to_ibqpstate=%d ibqpstate=%d irdma_qpstate=%d attr_mask=0x%x\n",
__builtin_return_address(0), ibqp->qp_num, attr->qp_state,
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 159/342] RDMA/irdma: Clean up unnecessary dereference of event->cm_node
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 158/342] RDMA/irdma: Remove a NOP wait_event() in irdma_modify_qp_roce() Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 160/342] RDMA/irdma: Remove reset check from irdma_modify_qp_to_err() Greg Kroah-Hartman
` (199 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivan Barrera, Tatyana Nikolova,
Leon Romanovsky, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Barrera <ivan.d.barrera@intel.com>
[ Upstream commit b415399c9a024d574b65479636f0d4eb625b9abd ]
The cm_node is available and the usage of cm_node and event->cm_node
seems arbitrary. Clean up unnecessary dereference of event->cm_node.
Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager")
Signed-off-by: Ivan Barrera <ivan.d.barrera@intel.com>
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/cm.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/infiniband/hw/irdma/cm.c b/drivers/infiniband/hw/irdma/cm.c
index f4f4f92ba63ac..128cfcf27714d 100644
--- a/drivers/infiniband/hw/irdma/cm.c
+++ b/drivers/infiniband/hw/irdma/cm.c
@@ -4239,21 +4239,21 @@ static void irdma_cm_event_handler(struct work_struct *work)
irdma_cm_event_reset(event);
break;
case IRDMA_CM_EVENT_CONNECTED:
- if (!event->cm_node->cm_id ||
- event->cm_node->state != IRDMA_CM_STATE_OFFLOADED)
+ if (!cm_node->cm_id ||
+ cm_node->state != IRDMA_CM_STATE_OFFLOADED)
break;
irdma_cm_event_connected(event);
break;
case IRDMA_CM_EVENT_MPA_REJECT:
- if (!event->cm_node->cm_id ||
+ if (!cm_node->cm_id ||
cm_node->state == IRDMA_CM_STATE_OFFLOADED)
break;
irdma_send_cm_event(cm_node, cm_node->cm_id,
IW_CM_EVENT_CONNECT_REPLY, -ECONNREFUSED);
break;
case IRDMA_CM_EVENT_ABORTED:
- if (!event->cm_node->cm_id ||
- event->cm_node->state == IRDMA_CM_STATE_OFFLOADED)
+ if (!cm_node->cm_id ||
+ cm_node->state == IRDMA_CM_STATE_OFFLOADED)
break;
irdma_event_connect_error(event);
break;
@@ -4263,7 +4263,7 @@ static void irdma_cm_event_handler(struct work_struct *work)
break;
}
- irdma_rem_ref_cm_node(event->cm_node);
+ irdma_rem_ref_cm_node(cm_node);
kfree(event);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 160/342] RDMA/irdma: Remove reset check from irdma_modify_qp_to_err()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 159/342] RDMA/irdma: Clean up unnecessary dereference of event->cm_node Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 161/342] RDMA/irdma: Fix deadlock during netdev reset with active connections Greg Kroah-Hartman
` (198 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tatyana Nikolova, Leon Romanovsky,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
[ Upstream commit c45c6ebd693b944f1ffe429fdfb6cc1674c237be ]
During reset, irdma_modify_qp() to error should be called to disconnect
the QP. Without this fix, if not preceded by irdma_modify_qp() to error, the
API call irdma_destroy_qp() gets stuck waiting for the QP refcount to go
to zero, because the cm_node associated with this QP isn't disconnected.
Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions")
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/utils.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
index 13d7499131d48..89c4fe05763e4 100644
--- a/drivers/infiniband/hw/irdma/utils.c
+++ b/drivers/infiniband/hw/irdma/utils.c
@@ -2321,8 +2321,6 @@ void irdma_modify_qp_to_err(struct irdma_sc_qp *sc_qp)
struct irdma_qp *qp = sc_qp->qp_uk.back_qp;
struct ib_qp_attr attr;
- if (qp->iwdev->rf->reset)
- return;
attr.qp_state = IB_QPS_ERR;
if (rdma_protocol_roce(qp->ibqp.device, 1))
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 161/342] RDMA/irdma: Fix deadlock during netdev reset with active connections
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 160/342] RDMA/irdma: Remove reset check from irdma_modify_qp_to_err() Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 162/342] RDMA/irdma: Return EINVAL for invalid arp index error Greg Kroah-Hartman
` (197 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anil Samal, Tatyana Nikolova,
Leon Romanovsky, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anil Samal <anil.samal@intel.com>
[ Upstream commit 6f52370970ac07d352a7af4089e55e0e6425f827 ]
Resolve deadlock that occurs when user executes netdev reset while RDMA
applications (e.g., rping) are active. The netdev reset causes ice
driver to remove irdma auxiliary driver, triggering device_delete and
subsequent client removal. During client removal, uverbs_client waits
for QP reference count to reach zero while cma_client holds the final
reference, creating circular dependency and indefinite wait in iWARP
mode. Skip QP reference count wait during device reset to prevent
deadlock.
Fixes: c8f304d75f6c ("RDMA/irdma: Prevent QP use after free")
Signed-off-by: Anil Samal <anil.samal@intel.com>
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/verbs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index ac3a8f3f95b7f..c454a006c78e0 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -558,7 +558,8 @@ static int irdma_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
}
irdma_qp_rem_ref(&iwqp->ibqp);
- wait_for_completion(&iwqp->free_qp);
+ if (!iwdev->rf->reset)
+ wait_for_completion(&iwqp->free_qp);
irdma_free_lsmm_rsrc(iwqp);
irdma_cqp_qp_destroy_cmd(&iwdev->rf->sc_dev, &iwqp->sc_qp);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 162/342] RDMA/irdma: Return EINVAL for invalid arp index error
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 161/342] RDMA/irdma: Fix deadlock during netdev reset with active connections Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 163/342] RDMA/irdma: Harden depth calculation functions Greg Kroah-Hartman
` (196 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tatyana Nikolova, Leon Romanovsky,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
[ Upstream commit 7221f581eefa79ead06e171044f393fb7ee22f87 ]
When rdma_connect() fails due to an invalid arp index, user space rdma core
reports ENOMEM which is confusing. Modify irdma_make_cm_node() to return the
correct error code.
Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager")
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/cm.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/drivers/infiniband/hw/irdma/cm.c b/drivers/infiniband/hw/irdma/cm.c
index 128cfcf27714d..d14a381beb661 100644
--- a/drivers/infiniband/hw/irdma/cm.c
+++ b/drivers/infiniband/hw/irdma/cm.c
@@ -2241,11 +2241,12 @@ irdma_make_cm_node(struct irdma_cm_core *cm_core, struct irdma_device *iwdev,
int oldarpindex;
int arpindex;
struct net_device *netdev = iwdev->netdev;
+ int ret;
/* create an hte and cm_node for this instance */
cm_node = kzalloc(sizeof(*cm_node), GFP_ATOMIC);
if (!cm_node)
- return NULL;
+ return ERR_PTR(-ENOMEM);
/* set our node specific transport info */
cm_node->ipv4 = cm_info->ipv4;
@@ -2348,8 +2349,10 @@ irdma_make_cm_node(struct irdma_cm_core *cm_core, struct irdma_device *iwdev,
arpindex = -EINVAL;
}
- if (arpindex < 0)
+ if (arpindex < 0) {
+ ret = -EINVAL;
goto err;
+ }
ether_addr_copy(cm_node->rem_mac,
iwdev->rf->arp_table[arpindex].mac_addr);
@@ -2360,7 +2363,7 @@ irdma_make_cm_node(struct irdma_cm_core *cm_core, struct irdma_device *iwdev,
err:
kfree(cm_node);
- return NULL;
+ return ERR_PTR(ret);
}
static void irdma_destroy_connection(struct irdma_cm_node *cm_node)
@@ -3021,8 +3024,8 @@ static int irdma_create_cm_node(struct irdma_cm_core *cm_core,
/* create a CM connection node */
cm_node = irdma_make_cm_node(cm_core, iwdev, cm_info, NULL);
- if (!cm_node)
- return -ENOMEM;
+ if (IS_ERR(cm_node))
+ return PTR_ERR(cm_node);
/* set our node side to client (active) side */
cm_node->tcp_cntxt.client = 1;
@@ -3219,9 +3222,9 @@ void irdma_receive_ilq(struct irdma_sc_vsi *vsi, struct irdma_puda_buf *rbuf)
cm_info.cm_id = listener->cm_id;
cm_node = irdma_make_cm_node(cm_core, iwdev, &cm_info,
listener);
- if (!cm_node) {
+ if (IS_ERR(cm_node)) {
ibdev_dbg(&cm_core->iwdev->ibdev,
- "CM: allocate node failed\n");
+ "CM: allocate node failed ret=%ld\n", PTR_ERR(cm_node));
refcount_dec(&listener->refcnt);
return;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 163/342] RDMA/irdma: Harden depth calculation functions
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 162/342] RDMA/irdma: Return EINVAL for invalid arp index error Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 164/342] ASoC: simple-card-utils: Check value of is_playback_only and is_capture_only Greg Kroah-Hartman
` (195 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shiraz Saleem, Tatyana Nikolova,
Leon Romanovsky, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shiraz Saleem <shiraz.saleem@intel.com>
[ Upstream commit e37afcb56ae070477741fe2d6e61fc0c542cce2d ]
An issue was exposed where OS can pass in U32_MAX for SQ/RQ/SRQ size.
This can cause integer overflow and truncation of SQ/RQ/SRQ depth
returning a success when it should have failed.
Harden the functions to do all depth calculations and boundary
checking in u64 sizes.
Fixes: 563e1feb5f6e ("RDMA/irdma: Add SRQ support")
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/uk.c | 39 ++++++++++++++++++--------------
1 file changed, 22 insertions(+), 17 deletions(-)
diff --git a/drivers/infiniband/hw/irdma/uk.c b/drivers/infiniband/hw/irdma/uk.c
index f0846b800913d..3d6d0ee57c4c1 100644
--- a/drivers/infiniband/hw/irdma/uk.c
+++ b/drivers/infiniband/hw/irdma/uk.c
@@ -1442,7 +1442,7 @@ int irdma_uk_cq_poll_cmpl(struct irdma_cq_uk *cq,
* irdma_round_up_wq - return round up qp wq depth
* @wqdepth: wq depth in quanta to round up
*/
-static int irdma_round_up_wq(u32 wqdepth)
+static u64 irdma_round_up_wq(u64 wqdepth)
{
int scount = 1;
@@ -1495,15 +1495,16 @@ void irdma_get_wqe_shift(struct irdma_uk_attrs *uk_attrs, u32 sge,
int irdma_get_sqdepth(struct irdma_uk_attrs *uk_attrs, u32 sq_size, u8 shift,
u32 *sqdepth)
{
- u32 min_size = (u32)uk_attrs->min_hw_wq_size << shift;
+ u32 min_hw_quanta = (u32)uk_attrs->min_hw_wq_size << shift;
+ u64 hw_quanta =
+ irdma_round_up_wq(((u64)sq_size << shift) + IRDMA_SQ_RSVD);
- *sqdepth = irdma_round_up_wq((sq_size << shift) + IRDMA_SQ_RSVD);
-
- if (*sqdepth < min_size)
- *sqdepth = min_size;
- else if (*sqdepth > uk_attrs->max_hw_wq_quanta)
+ if (hw_quanta < min_hw_quanta)
+ hw_quanta = min_hw_quanta;
+ else if (hw_quanta > uk_attrs->max_hw_wq_quanta)
return -EINVAL;
+ *sqdepth = hw_quanta;
return 0;
}
@@ -1517,15 +1518,16 @@ int irdma_get_sqdepth(struct irdma_uk_attrs *uk_attrs, u32 sq_size, u8 shift,
int irdma_get_rqdepth(struct irdma_uk_attrs *uk_attrs, u32 rq_size, u8 shift,
u32 *rqdepth)
{
- u32 min_size = (u32)uk_attrs->min_hw_wq_size << shift;
-
- *rqdepth = irdma_round_up_wq((rq_size << shift) + IRDMA_RQ_RSVD);
+ u32 min_hw_quanta = (u32)uk_attrs->min_hw_wq_size << shift;
+ u64 hw_quanta =
+ irdma_round_up_wq(((u64)rq_size << shift) + IRDMA_RQ_RSVD);
- if (*rqdepth < min_size)
- *rqdepth = min_size;
- else if (*rqdepth > uk_attrs->max_hw_rq_quanta)
+ if (hw_quanta < min_hw_quanta)
+ hw_quanta = min_hw_quanta;
+ else if (hw_quanta > uk_attrs->max_hw_rq_quanta)
return -EINVAL;
+ *rqdepth = hw_quanta;
return 0;
}
@@ -1539,13 +1541,16 @@ int irdma_get_rqdepth(struct irdma_uk_attrs *uk_attrs, u32 rq_size, u8 shift,
int irdma_get_srqdepth(struct irdma_uk_attrs *uk_attrs, u32 srq_size, u8 shift,
u32 *srqdepth)
{
- *srqdepth = irdma_round_up_wq((srq_size << shift) + IRDMA_RQ_RSVD);
+ u32 min_hw_quanta = (u32)uk_attrs->min_hw_wq_size << shift;
+ u64 hw_quanta =
+ irdma_round_up_wq(((u64)srq_size << shift) + IRDMA_RQ_RSVD);
- if (*srqdepth < ((u32)uk_attrs->min_hw_wq_size << shift))
- *srqdepth = uk_attrs->min_hw_wq_size << shift;
- else if (*srqdepth > uk_attrs->max_hw_srq_quanta)
+ if (hw_quanta < min_hw_quanta)
+ hw_quanta = min_hw_quanta;
+ else if (hw_quanta > uk_attrs->max_hw_srq_quanta)
return -EINVAL;
+ *srqdepth = hw_quanta;
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 164/342] ASoC: simple-card-utils: Check value of is_playback_only and is_capture_only
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 163/342] RDMA/irdma: Harden depth calculation functions Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 165/342] ASoC: fsl: imx-card: initialize playback_only and capture_only Greg Kroah-Hartman
` (194 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuninori Morimoto, Shengjiu Wang,
Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 0e9fc79132ce7ea1e48c388b864382aa38eb0ed4 ]
The audio-graph-card2 gets the value of 'playback-only' and
'capture_only' property in below sequence, if there is 'playback_only' or
'capture_only' property in port_cpu and port_codec nodes, but no these
properties in ep_cpu and ep_codec nodes, the value of playback_only and
capture_only will be flushed to zero in the end.
graph_util_parse_link_direction(lnk, &playback_only, &capture_only);
graph_util_parse_link_direction(ports_cpu, &playback_only, &capture_only);
graph_util_parse_link_direction(ports_codec, &playback_only, &capture_only);
graph_util_parse_link_direction(port_cpu, &playback_only, &capture_only);
graph_util_parse_link_direction(port_codec, &playback_only, &capture_only);
graph_util_parse_link_direction(ep_cpu, &playback_only, &capture_only);
graph_util_parse_link_direction(ep_codec, &playback_only, &capture_only);
So check the value of is_playback_only and is_capture_only in
graph_util_parse_link_direction() function, if they are true, then rewrite
the values, and no need to check the np variable as
of_property_read_bool() will ignore if it was NULL.
Fixes: 3cc393d2232e ("ASoC: simple-card-utils: Fix pointer check in graph_util_parse_link_direction")
Fixes: 22a507d7680f ("ASoC: simple-card-utils: Check device node before overwrite direction")
Suggested-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260318102850.2794029-2-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/generic/simple-card-utils.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/generic/simple-card-utils.c b/sound/soc/generic/simple-card-utils.c
index 9e5be0eaa77f3..89d694c2cbdda 100644
--- a/sound/soc/generic/simple-card-utils.c
+++ b/sound/soc/generic/simple-card-utils.c
@@ -1183,9 +1183,9 @@ void graph_util_parse_link_direction(struct device_node *np,
bool is_playback_only = of_property_read_bool(np, "playback-only");
bool is_capture_only = of_property_read_bool(np, "capture-only");
- if (np && playback_only)
+ if (playback_only && is_playback_only)
*playback_only = is_playback_only;
- if (np && capture_only)
+ if (capture_only && is_capture_only)
*capture_only = is_capture_only;
}
EXPORT_SYMBOL_GPL(graph_util_parse_link_direction);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 165/342] ASoC: fsl: imx-card: initialize playback_only and capture_only
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 164/342] ASoC: simple-card-utils: Check value of is_playback_only and is_capture_only Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 166/342] scsi: scsi_transport_sas: Fix the maximum channel scanning issue Greg Kroah-Hartman
` (193 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuninori Morimoto, Shengjiu Wang,
Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit ca67bd564e94aaa898a2cbb90922ca3cccd0612b ]
Fix uninitialized variable playback_only and capture_only because
graph_util_parse_link_direction() may not write them.
Fixes: 1877c3e7937f ("ASoC: imx-card: Add playback_only or capture_only support")
Suggested-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260318102850.2794029-3-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/imx-card.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/soc/fsl/imx-card.c b/sound/soc/fsl/imx-card.c
index 05b4e971a3661..a4518fefad690 100644
--- a/sound/soc/fsl/imx-card.c
+++ b/sound/soc/fsl/imx-card.c
@@ -710,6 +710,8 @@ static int imx_card_parse_of(struct imx_card_data *data)
link->ops = &imx_aif_ops;
}
+ playback_only = false;
+ capture_only = false;
graph_util_parse_link_direction(np, &playback_only, &capture_only);
link->playback_only = playback_only;
link->capture_only = capture_only;
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 166/342] scsi: scsi_transport_sas: Fix the maximum channel scanning issue
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 165/342] ASoC: fsl: imx-card: initialize playback_only and capture_only Greg Kroah-Hartman
@ 2026-03-31 16:19 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 167/342] x86/efi: efi_unmap_boot_services: fix calculation of ranges_to_free size Greg Kroah-Hartman
` (192 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yihang Li, John Garry,
Martin K. Petersen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yihang Li <liyihang9@huawei.com>
[ Upstream commit d71afa9deb4d413232ba16d693f7d43b321931b4 ]
After commit 37c4e72b0651 ("scsi: Fix sas_user_scan() to handle wildcard
and multi-channel scans"), if the device supports multiple channels (0 to
shost->max_channel), user_scan() invokes updated sas_user_scan() to perform
the scan behavior for a specific transfer. However, when the user
specifies shost->max_channel, it will return -EINVAL, which is not
expected.
Fix and support specifying the scan shost->max_channel for scanning.
Fixes: 37c4e72b0651 ("scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans")
Signed-off-by: Yihang Li <liyihang9@huawei.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Link: https://patch.msgid.link/20260317063147.2182562-1-liyihang9@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_transport_sas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_transport_sas.c b/drivers/scsi/scsi_transport_sas.c
index d69c7c444a311..081c168094374 100644
--- a/drivers/scsi/scsi_transport_sas.c
+++ b/drivers/scsi/scsi_transport_sas.c
@@ -1734,7 +1734,7 @@ static int sas_user_scan(struct Scsi_Host *shost, uint channel,
break;
default:
- if (channel < shost->max_channel) {
+ if (channel <= shost->max_channel) {
res = scsi_scan_host_selected(shost, channel, id, lun,
SCSI_SCAN_MANUAL);
} else {
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 167/342] x86/efi: efi_unmap_boot_services: fix calculation of ranges_to_free size
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-03-31 16:19 ` [PATCH 6.19 166/342] scsi: scsi_transport_sas: Fix the maximum channel scanning issue Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 168/342] drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register Greg Kroah-Hartman
` (191 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck,
Mike Rapoport (Microsoft), Ard Biesheuvel, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Rapoport (Microsoft) <rppt@kernel.org>
[ Upstream commit 217c0a5c177a3d4f7c8497950cbf5c36756e8bbb ]
ranges_to_free array should have enough room to store the entire EFI
memmap plus an extra element for NULL entry.
The calculation of this array size wrongly adds 1 to the overall size
instead of adding 1 to the number of elements.
Add parentheses to properly size the array.
Reported-by: Guenter Roeck <linux@roeck-us.net>
Fixes: a4b0bf6a40f3 ("x86/efi: defer freeing of boot services memory")
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/platform/efi/quirks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c
index 35caa5746115d..79f0818131e83 100644
--- a/arch/x86/platform/efi/quirks.c
+++ b/arch/x86/platform/efi/quirks.c
@@ -424,7 +424,7 @@ void __init efi_unmap_boot_services(void)
if (efi_enabled(EFI_DBG))
return;
- sz = sizeof(*ranges_to_free) * efi.memmap.nr_map + 1;
+ sz = sizeof(*ranges_to_free) * (efi.memmap.nr_map + 1);
ranges_to_free = kzalloc(sz, GFP_KERNEL);
if (!ranges_to_free) {
pr_err("Failed to allocate storage for freeable EFI regions\n");
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 168/342] drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 167/342] x86/efi: efi_unmap_boot_services: fix calculation of ranges_to_free size Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 169/342] drm/i915/gmbus: fix spurious timeout on 512-byte burst reads Greg Kroah-Hartman
` (190 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Leonardo Scorcia,
AngeloGioacchino Del Regno, CK Hu, Chun-Kuang Hu, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Leonardo Scorcia <l.scorcia@gmail.com>
[ Upstream commit 4cfdfeb6ac06079f92fccd977fa742d6c5b8dd3a ]
The call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind,
which uses dev_get_drvdata to retrieve the mtk_dsi struct, so this
structure needs to be stored inside the driver data before invoking it.
As drvdata is currently uninitialized it leads to a crash when
registering the DSI DRM encoder right after acquiring
the mode_config.idr_mutex, blocking all subsequent DRM operations.
Fixes the following crash during mediatek-drm probe (tested on Xiaomi
Smart Clock x04g):
Unable to handle kernel NULL pointer dereference at virtual address
0000000000000040
[...]
Modules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib
drm_dma_helper drm_kms_helper panel_simple
[...]
Call trace:
drm_mode_object_add+0x58/0x98 (P)
__drm_encoder_init+0x48/0x140
drm_encoder_init+0x6c/0xa0
drm_simple_encoder_init+0x20/0x34 [drm_kms_helper]
mtk_dsi_bind+0x34/0x13c [mediatek_drm]
component_bind_all+0x120/0x280
mtk_drm_bind+0x284/0x67c [mediatek_drm]
try_to_bring_up_aggregate_device+0x23c/0x320
__component_add+0xa4/0x198
component_add+0x14/0x20
mtk_dsi_host_attach+0x78/0x100 [mediatek_drm]
mipi_dsi_attach+0x2c/0x50
panel_simple_dsi_probe+0x4c/0x9c [panel_simple]
mipi_dsi_drv_probe+0x1c/0x28
really_probe+0xc0/0x3dc
__driver_probe_device+0x80/0x160
driver_probe_device+0x40/0x120
__device_attach_driver+0xbc/0x17c
bus_for_each_drv+0x88/0xf0
__device_attach+0x9c/0x1cc
device_initial_probe+0x54/0x60
bus_probe_device+0x34/0xa0
device_add+0x5b0/0x800
mipi_dsi_device_register_full+0xdc/0x16c
mipi_dsi_host_register+0xc4/0x17c
mtk_dsi_probe+0x10c/0x260 [mediatek_drm]
platform_probe+0x5c/0xa4
really_probe+0xc0/0x3dc
__driver_probe_device+0x80/0x160
driver_probe_device+0x40/0x120
__driver_attach+0xc8/0x1f8
bus_for_each_dev+0x7c/0xe0
driver_attach+0x24/0x30
bus_add_driver+0x11c/0x240
driver_register+0x68/0x130
__platform_register_drivers+0x64/0x160
mtk_drm_init+0x24/0x1000 [mediatek_drm]
do_one_initcall+0x60/0x1d0
do_init_module+0x54/0x240
load_module+0x1838/0x1dc0
init_module_from_file+0xd8/0xf0
__arm64_sys_finit_module+0x1b4/0x428
invoke_syscall.constprop.0+0x48/0xc8
do_el0_svc+0x3c/0xb8
el0_svc+0x34/0xe8
el0t_64_sync_handler+0xa0/0xe4
el0t_64_sync+0x198/0x19c
Code: 52800022 941004ab 2a0003f3 37f80040 (29005a80)
Fixes: e4732b590a77 ("drm/mediatek: dsi: Register DSI host after acquiring clocks and PHY")
Signed-off-by: Luca Leonardo Scorcia <l.scorcia@gmail.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Reviewed-by: CK Hu <ck.hu@mediatek.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20260225094047.76780-1-l.scorcia@gmail.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/mediatek/mtk_dsi.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
index d7726091819c4..acee2227275b7 100644
--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
+++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
@@ -1232,6 +1232,11 @@ static int mtk_dsi_probe(struct platform_device *pdev)
dsi->host.ops = &mtk_dsi_ops;
dsi->host.dev = dev;
+
+ init_waitqueue_head(&dsi->irq_wait_queue);
+
+ platform_set_drvdata(pdev, dsi);
+
ret = mipi_dsi_host_register(&dsi->host);
if (ret < 0)
return dev_err_probe(dev, ret, "Failed to register DSI host\n");
@@ -1243,10 +1248,6 @@ static int mtk_dsi_probe(struct platform_device *pdev)
return dev_err_probe(&pdev->dev, ret, "Failed to request DSI irq\n");
}
- init_waitqueue_head(&dsi->irq_wait_queue);
-
- platform_set_drvdata(pdev, dsi);
-
dsi->bridge.of_node = dev->of_node;
dsi->bridge.type = DRM_MODE_CONNECTOR_DSI;
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 169/342] drm/i915/gmbus: fix spurious timeout on 512-byte burst reads
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 168/342] drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 170/342] PM: hibernate: Drain trailing zero pages on userspace restore Greg Kroah-Hartman
` (189 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samasth Norway Ananda, Jani Nikula,
Joonas Lahtinen, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
[ Upstream commit 08441f10f4dc09fdeb64529953ac308abc79dd38 ]
When reading exactly 512 bytes with burst read enabled, the
extra_byte_added path breaks out of the inner do-while without
decrementing len. The outer while(len) then re-enters and gmbus_wait()
times out since all data has been delivered. Decrement len before the
break so the outer loop terminates correctly.
Fixes: d5dc0f43f268 ("drm/i915/gmbus: Enable burst read")
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patch.msgid.link/20260316231920.135438-2-samasth.norway.ananda@oracle.com
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
(cherry picked from commit 4ab0f09ee73fc853d00466682635f67c531f909c)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/intel_gmbus.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/display/intel_gmbus.c b/drivers/gpu/drm/i915/display/intel_gmbus.c
index 795012d7c24c2..5a941bea81cad 100644
--- a/drivers/gpu/drm/i915/display/intel_gmbus.c
+++ b/drivers/gpu/drm/i915/display/intel_gmbus.c
@@ -498,8 +498,10 @@ gmbus_xfer_read_chunk(struct intel_display *display,
val = intel_de_read_fw(display, GMBUS3(display));
do {
- if (extra_byte_added && len == 1)
+ if (extra_byte_added && len == 1) {
+ len--;
break;
+ }
*buf++ = val & 0xff;
val >>= 8;
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 170/342] PM: hibernate: Drain trailing zero pages on userspace restore
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 169/342] drm/i915/gmbus: fix spurious timeout on 512-byte burst reads Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 171/342] PM: sleep: Drop spurious WARN_ON() from pm_restore_gfp_mask() Greg Kroah-Hartman
` (188 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alberto Garcia, Brian Geffon,
Rafael J. Wysocki, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alberto Garcia <berto@igalia.com>
[ Upstream commit 734eba62cd32cb9ceffa09e57cdc03d761528525 ]
Commit 005e8dddd497 ("PM: hibernate: don't store zero pages in the
image file") added an optimization to skip zero-filled pages in the
hibernation image. On restore, zero pages are handled internally by
snapshot_write_next() in a loop that processes them without returning
to the caller.
With the userspace restore interface, writing the last non-zero page
to /dev/snapshot is followed by the SNAPSHOT_ATOMIC_RESTORE ioctl. At
this point there are no more calls to snapshot_write_next() so any
trailing zero pages are not processed, snapshot_image_loaded() fails
because handle->cur is smaller than expected, the ioctl returns -EPERM
and the image is not restored.
The in-kernel restore path is not affected by this because the loop in
load_image() in swap.c calls snapshot_write_next() until it returns 0.
It is this final call that drains any trailing zero pages.
Fixed by calling snapshot_write_next() in snapshot_write_finalize(),
giving the kernel the chance to drain any trailing zero pages.
Fixes: 005e8dddd497 ("PM: hibernate: don't store zero pages in the image file")
Signed-off-by: Alberto Garcia <berto@igalia.com>
Acked-by: Brian Geffon <bgeffon@google.com>
Link: https://patch.msgid.link/ef5a7c5e3e3dbd17dcb20efaa0c53a47a23498bb.1773075892.git.berto@igalia.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/power/snapshot.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
index 0a946932d5c17..5706287e7230e 100644
--- a/kernel/power/snapshot.c
+++ b/kernel/power/snapshot.c
@@ -2855,6 +2855,17 @@ int snapshot_write_finalize(struct snapshot_handle *handle)
{
int error;
+ /*
+ * Call snapshot_write_next() to drain any trailing zero pages,
+ * but make sure we're in the data page region first.
+ * This function can return PAGE_SIZE if the kernel was expecting
+ * another copy page. Return -ENODATA in that situation.
+ */
+ if (handle->cur > nr_meta_pages + 1) {
+ error = snapshot_write_next(handle);
+ if (error)
+ return error > 0 ? -ENODATA : error;
+ }
copy_last_highmem_page();
error = hibernate_restore_protect_page(handle->buffer);
/* Do that only if we have loaded the image entirely */
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 171/342] PM: sleep: Drop spurious WARN_ON() from pm_restore_gfp_mask()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 170/342] PM: hibernate: Drain trailing zero pages on userspace restore Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 172/342] drm/xe/pf: Fix use-after-free in migration restore Greg Kroah-Hartman
` (187 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Youngjun Park, Rafael J. Wysocki,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Youngjun Park <youngjun.park@lge.com>
[ Upstream commit a8d51efb5929ae308895455a3e496b5eca2cd143 ]
Commit 35e4a69b2003f ("PM: sleep: Allow pm_restrict_gfp_mask()
stacking") introduced refcount-based GFP mask management that warns
when pm_restore_gfp_mask() is called with saved_gfp_count == 0.
Some hibernation paths call pm_restore_gfp_mask() defensively where
the GFP mask may or may not be restricted depending on the execution
path. For example, the uswsusp interface invokes it in
SNAPSHOT_CREATE_IMAGE, SNAPSHOT_UNFREEZE, and snapshot_release().
Before the stacking change this was a silent no-op; it now triggers
a spurious WARNING.
Remove the WARN_ON() wrapper from the !saved_gfp_count check while
retaining the check itself, so that defensive calls remain harmless
without producing false warnings.
Fixes: 35e4a69b2003f ("PM: sleep: Allow pm_restrict_gfp_mask() stacking")
Signed-off-by: Youngjun Park <youngjun.park@lge.com>
[ rjw: Subject tweak ]
Link: https://patch.msgid.link/20260322120528.750178-1-youngjun.park@lge.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/power/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/power/main.c b/kernel/power/main.c
index 03b2c5495c77a..9ce75b1a23ed3 100644
--- a/kernel/power/main.c
+++ b/kernel/power/main.c
@@ -40,7 +40,7 @@ void pm_restore_gfp_mask(void)
{
WARN_ON(!mutex_is_locked(&system_transition_mutex));
- if (WARN_ON(!saved_gfp_count) || --saved_gfp_count)
+ if (!saved_gfp_count || --saved_gfp_count)
return;
gfp_allowed_mask = saved_gfp_mask;
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 172/342] drm/xe/pf: Fix use-after-free in migration restore
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 171/342] PM: sleep: Drop spurious WARN_ON() from pm_restore_gfp_mask() Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 173/342] spi: sn-f-ospi: Fix resource leak in f_ospi_probe() Greg Kroah-Hartman
` (186 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Österlund,
Shuicheng Lin, Michał Winiarski, Rodrigo Vivi, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michał Winiarski <michal.winiarski@intel.com>
[ Upstream commit 87997b6c6516e049cbaf2fc6810b213d587a06b1 ]
When an error is returned from xe_sriov_pf_migration_restore_produce(),
the data pointer is not set to NULL, which can trigger use-after-free
in subsequent .write() calls.
Set the pointer to NULL upon error to fix the problem.
Fixes: 1ed30397c0b92 ("drm/xe/pf: Add support for encap/decap of bitstream to/from packet")
Reported-by: Sebastian Österlund <sebastian.osterlund@intel.com>
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/7230
Reviewed-by: Shuicheng Lin <shuicheng.lin@intel.com>
Link: https://patch.msgid.link/20260217154118.176902-1-michal.winiarski@intel.com
Signed-off-by: Michał Winiarski <michal.winiarski@intel.com>
(cherry picked from commit 4f53d8c6d23527d734fe3531d08e15cb170a0819)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_sriov_packet.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/xe/xe_sriov_packet.c b/drivers/gpu/drm/xe/xe_sriov_packet.c
index bab9946968964..111877b6d44cf 100644
--- a/drivers/gpu/drm/xe/xe_sriov_packet.c
+++ b/drivers/gpu/drm/xe/xe_sriov_packet.c
@@ -342,6 +342,8 @@ ssize_t xe_sriov_packet_write_single(struct xe_device *xe, unsigned int vfid,
ret = xe_sriov_pf_migration_restore_produce(xe, vfid, *data);
if (ret) {
xe_sriov_packet_free(*data);
+ *data = NULL;
+
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 173/342] spi: sn-f-ospi: Fix resource leak in f_ospi_probe()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 172/342] drm/xe/pf: Fix use-after-free in migration restore Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 174/342] ASoC: Intel: catpt: Fix the device initialization Greg Kroah-Hartman
` (185 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Felix Gu, Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit ef3d549e1deb3466c61f3b01d22fc3fe3e5efb08 ]
In f_ospi_probe(), when num_cs validation fails, it returns without
calling spi_controller_put() on the SPI controller, which causes a
resource leak.
Use devm_spi_alloc_host() instead of spi_alloc_host() to ensure the
SPI controller is properly freed when probe fails.
Fixes: 1b74dd64c861 ("spi: Add Socionext F_OSPI SPI flash controller driver")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Link: https://patch.msgid.link/20260319-sn-f-v1-1-33a6738d2da8@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-sn-f-ospi.c | 17 +++++------------
1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/drivers/spi/spi-sn-f-ospi.c b/drivers/spi/spi-sn-f-ospi.c
index c4969f66a0ba9..84a5b327022e8 100644
--- a/drivers/spi/spi-sn-f-ospi.c
+++ b/drivers/spi/spi-sn-f-ospi.c
@@ -612,7 +612,7 @@ static int f_ospi_probe(struct platform_device *pdev)
u32 num_cs = OSPI_NUM_CS;
int ret;
- ctlr = spi_alloc_host(dev, sizeof(*ospi));
+ ctlr = devm_spi_alloc_host(dev, sizeof(*ospi));
if (!ctlr)
return -ENOMEM;
@@ -636,16 +636,12 @@ static int f_ospi_probe(struct platform_device *pdev)
platform_set_drvdata(pdev, ospi);
ospi->base = devm_platform_ioremap_resource(pdev, 0);
- if (IS_ERR(ospi->base)) {
- ret = PTR_ERR(ospi->base);
- goto err_put_ctlr;
- }
+ if (IS_ERR(ospi->base))
+ return PTR_ERR(ospi->base);
ospi->clk = devm_clk_get_enabled(dev, NULL);
- if (IS_ERR(ospi->clk)) {
- ret = PTR_ERR(ospi->clk);
- goto err_put_ctlr;
- }
+ if (IS_ERR(ospi->clk))
+ return PTR_ERR(ospi->clk);
mutex_init(&ospi->mlock);
@@ -662,9 +658,6 @@ static int f_ospi_probe(struct platform_device *pdev)
err_destroy_mutex:
mutex_destroy(&ospi->mlock);
-err_put_ctlr:
- spi_controller_put(ctlr);
-
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 174/342] ASoC: Intel: catpt: Fix the device initialization
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 173/342] spi: sn-f-ospi: Fix resource leak in f_ospi_probe() Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 175/342] spi: meson-spicc: Fix double-put in remove path Greg Kroah-Hartman
` (184 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Cezary Rojewski,
Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cezary Rojewski <cezary.rojewski@intel.com>
[ Upstream commit 5a184f1cb43a8e035251c635f5c47da5dc3e3049 ]
The DMA mask shall be coerced before any buffer allocations for the
device are done. At the same time explain why DMA mask of 31 bits is
used in the first place.
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Fixes: 7a10b66a5df9 ("ASoC: Intel: catpt: Device driver lifecycle")
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/20260320101217.1243688-1-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/catpt/device.c | 10 +++++++++-
sound/soc/intel/catpt/dsp.c | 3 ---
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/sound/soc/intel/catpt/device.c b/sound/soc/intel/catpt/device.c
index d13062c8e907c..fcc7a7342a4ab 100644
--- a/sound/soc/intel/catpt/device.c
+++ b/sound/soc/intel/catpt/device.c
@@ -281,7 +281,15 @@ static int catpt_acpi_probe(struct platform_device *pdev)
if (IS_ERR(cdev->pci_ba))
return PTR_ERR(cdev->pci_ba);
- /* alloc buffer for storing DRAM context during dx transitions */
+ /*
+ * As per design HOST is responsible for preserving firmware's runtime
+ * context during D0 -> D3 -> D0 transitions. Addresses used for DMA
+ * to/from HOST memory shall be outside the reserved range of 0xFFFxxxxx.
+ */
+ ret = dma_coerce_mask_and_coherent(cdev->dev, DMA_BIT_MASK(31));
+ if (ret)
+ return ret;
+
cdev->dxbuf_vaddr = dmam_alloc_coherent(dev, catpt_dram_size(cdev),
&cdev->dxbuf_paddr, GFP_KERNEL);
if (!cdev->dxbuf_vaddr)
diff --git a/sound/soc/intel/catpt/dsp.c b/sound/soc/intel/catpt/dsp.c
index 008a20a2acbda..677f348909c8f 100644
--- a/sound/soc/intel/catpt/dsp.c
+++ b/sound/soc/intel/catpt/dsp.c
@@ -125,9 +125,6 @@ int catpt_dmac_probe(struct catpt_dev *cdev)
dmac->dev = cdev->dev;
dmac->irq = cdev->irq;
- ret = dma_coerce_mask_and_coherent(cdev->dev, DMA_BIT_MASK(31));
- if (ret)
- return ret;
/*
* Caller is responsible for putting device in D0 to allow
* for I/O and memory access before probing DW.
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 175/342] spi: meson-spicc: Fix double-put in remove path
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 174/342] ASoC: Intel: catpt: Fix the device initialization Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 176/342] drm/amd/display: Do not skip unrelated mode changes in DSC validation Greg Kroah-Hartman
` (183 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Johan Hovold, Mark Brown,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 63542bb402b7013171c9f621c28b609eda4dbf1f ]
meson_spicc_probe() registers the controller with
devm_spi_register_controller(), so teardown already drops the
controller reference via devm cleanup.
Calling spi_controller_put() again in meson_spicc_remove()
causes a double-put.
Fixes: 8311ee2164c5 ("spi: meson-spicc: fix memory leak in meson_spicc_remove")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260322-rockchip-v1-1-fac3f0c6dad8@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-meson-spicc.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/spi/spi-meson-spicc.c b/drivers/spi/spi-meson-spicc.c
index 6b91373075334..c99fab392add1 100644
--- a/drivers/spi/spi-meson-spicc.c
+++ b/drivers/spi/spi-meson-spicc.c
@@ -1102,8 +1102,6 @@ static void meson_spicc_remove(struct platform_device *pdev)
/* Disable SPI */
writel(0, spicc->base + SPICC_CONREG);
-
- spi_controller_put(spicc->host);
}
static const struct meson_spicc_data meson_spicc_gx_data = {
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 176/342] drm/amd/display: Do not skip unrelated mode changes in DSC validation
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 175/342] spi: meson-spicc: Fix double-put in remove path Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 177/342] ASoC: dt-bindings: stm32: Fix incorrect compatible string in stm32h7-sai match Greg Kroah-Hartman
` (182 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yussuf Khalil, Harry Wentland,
Alex Deucher, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yussuf Khalil <dev@pp3345.net>
[ Upstream commit aed3d041ab061ec8a64f50a3edda0f4db7280025 ]
Starting with commit 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in
atomic check"), amdgpu resets the CRTC state mode_changed flag to false when
recomputing the DSC configuration results in no timing change for a particular
stream.
However, this is incorrect in scenarios where a change in MST/DSC configuration
happens in the same KMS commit as another (unrelated) mode change. For example,
the integrated panel of a laptop may be configured differently (e.g., HDR
enabled/disabled) depending on whether external screens are attached. In this
case, plugging in external DP-MST screens may result in the mode_changed flag
being dropped incorrectly for the integrated panel if its DSC configuration
did not change during precomputation in pre_validate_dsc().
At this point, however, dm_update_crtc_state() has already created new streams
for CRTCs with DSC-independent mode changes. In turn,
amdgpu_dm_commit_streams() will never release the old stream, resulting in a
memory leak. amdgpu_dm_atomic_commit_tail() will never acquire a reference to
the new stream either, which manifests as a use-after-free when the stream gets
disabled later on:
BUG: KASAN: use-after-free in dc_stream_release+0x25/0x90 [amdgpu]
Write of size 4 at addr ffff88813d836524 by task kworker/9:9/29977
Workqueue: events drm_mode_rmfb_work_fn
Call Trace:
<TASK>
dump_stack_lvl+0x6e/0xa0
print_address_description.constprop.0+0x88/0x320
? dc_stream_release+0x25/0x90 [amdgpu]
print_report+0xfc/0x1ff
? srso_alias_return_thunk+0x5/0xfbef5
? __virt_addr_valid+0x225/0x4e0
? dc_stream_release+0x25/0x90 [amdgpu]
kasan_report+0xe1/0x180
? dc_stream_release+0x25/0x90 [amdgpu]
kasan_check_range+0x125/0x200
dc_stream_release+0x25/0x90 [amdgpu]
dc_state_destruct+0x14d/0x5c0 [amdgpu]
dc_state_release.part.0+0x4e/0x130 [amdgpu]
dm_atomic_destroy_state+0x3f/0x70 [amdgpu]
drm_atomic_state_default_clear+0x8ee/0xf30
? drm_mode_object_put.part.0+0xb1/0x130
__drm_atomic_state_free+0x15c/0x2d0
atomic_remove_fb+0x67e/0x980
Since there is no reliable way of figuring out whether a CRTC has unrelated
mode changes pending at the time of DSC validation, remember the value of the
mode_changed flag from before the point where a CRTC was marked as potentially
affected by a change in DSC configuration. Reset the mode_changed flag to this
earlier value instead in pre_validate_dsc().
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/5004
Fixes: 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in atomic check")
Signed-off-by: Yussuf Khalil <dev@pp3345.net>
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit cc7c7121ae082b7b82891baa7280f1ff2608f22b)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 +++++
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 1 +
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 4 +++-
3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index 5a54d3f4a3de5..1430d18ae2c9e 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -12505,6 +12505,11 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
}
if (dc_resource_is_dsc_encoding_supported(dc)) {
+ for_each_oldnew_crtc_in_state(state, crtc, old_crtc_state, new_crtc_state, i) {
+ dm_new_crtc_state = to_dm_crtc_state(new_crtc_state);
+ dm_new_crtc_state->mode_changed_independent_from_dsc = new_crtc_state->mode_changed;
+ }
+
for_each_oldnew_crtc_in_state(state, crtc, old_crtc_state, new_crtc_state, i) {
if (drm_atomic_crtc_needs_modeset(new_crtc_state)) {
ret = add_affected_mst_dsc_crtcs(state, crtc);
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
index beb0d04d3e682..dbc3db0d68292 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
@@ -965,6 +965,7 @@ struct dm_crtc_state {
bool freesync_vrr_info_changed;
+ bool mode_changed_independent_from_dsc;
bool dsc_force_changed;
bool vrr_supported;
struct mod_freesync_config freesync_config;
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
index 5e92eaa67aa33..2e0895f4f9b10 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
@@ -1744,9 +1744,11 @@ int pre_validate_dsc(struct drm_atomic_state *state,
int ind = find_crtc_index_in_state_by_stream(state, stream);
if (ind >= 0) {
+ struct dm_crtc_state *dm_new_crtc_state = to_dm_crtc_state(state->crtcs[ind].new_state);
+
DRM_INFO_ONCE("%s:%d MST_DSC no mode changed for stream 0x%p\n",
__func__, __LINE__, stream);
- state->crtcs[ind].new_state->mode_changed = 0;
+ dm_new_crtc_state->base.mode_changed = dm_new_crtc_state->mode_changed_independent_from_dsc;
}
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 177/342] ASoC: dt-bindings: stm32: Fix incorrect compatible string in stm32h7-sai match
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 176/342] drm/amd/display: Do not skip unrelated mode changes in DSC validation Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 178/342] rust: regulator: do not assume that regulator_get() returns non-null Greg Kroah-Hartman
` (181 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jihed Chaibi, Olivier Moysan,
Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jihed Chaibi <jihed.chaibi.dev@gmail.com>
[ Upstream commit 91049ec2e18376ec2192e73ef7be4c7110436350 ]
The conditional block that defines clock constraints for the stm32h7-sai
variant references "st,stm32mph7-sai", which does not match any compatible
string in the enum. As a result, clock validation for the h7 variant is
silently skipped. Correct the compatible string to "st,stm32h7-sai".
Fixes: 8509bb1f11a1f ("ASoC: dt-bindings: add stm32mp25 support for sai")
Signed-off-by: Jihed Chaibi <jihed.chaibi.dev@gmail.com>
Reviewed-by: Olivier Moysan <olivier.moysan@foss.st.com>
Link: https://patch.msgid.link/20260321012011.125791-1-jihed.chaibi.dev@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/devicetree/bindings/sound/st,stm32-sai.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Documentation/devicetree/bindings/sound/st,stm32-sai.yaml b/Documentation/devicetree/bindings/sound/st,stm32-sai.yaml
index 4a7129d0b1574..551edf39e7663 100644
--- a/Documentation/devicetree/bindings/sound/st,stm32-sai.yaml
+++ b/Documentation/devicetree/bindings/sound/st,stm32-sai.yaml
@@ -164,7 +164,7 @@ allOf:
properties:
compatible:
contains:
- const: st,stm32mph7-sai
+ const: st,stm32h7-sai
then:
properties:
clocks:
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 178/342] rust: regulator: do not assume that regulator_get() returns non-null
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 177/342] ASoC: dt-bindings: stm32: Fix incorrect compatible string in stm32h7-sai match Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 179/342] drm/xe: Implement recent spec updates to Wa_16025250150 Greg Kroah-Hartman
` (180 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miguel Ojeda, Alice Ryhl,
Daniel Almeida, Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice Ryhl <aliceryhl@google.com>
[ Upstream commit 8121353a4bf8e38afee26299419a78ec108e14a6 ]
The Rust `Regulator` abstraction uses `NonNull` to wrap the underlying
`struct regulator` pointer. When `CONFIG_REGULATOR` is disabled, the C
stub for `regulator_get` returns `NULL`. `from_err_ptr` does not treat
`NULL` as an error, so it was passed to `NonNull::new_unchecked`,
causing undefined behavior.
Fix this by using a raw pointer `*mut bindings::regulator` instead of
`NonNull`. This allows `inner` to be `NULL` when `CONFIG_REGULATOR` is
disabled, and leverages the C stubs which are designed to handle `NULL`
or are no-ops.
Fixes: 9b614ceada7c ("rust: regulator: add a bare minimum regulator abstraction")
Reported-by: Miguel Ojeda <ojeda@kernel.org>
Closes: https://lore.kernel.org/r/20260322193830.89324-1-ojeda@kernel.org
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
Link: https://patch.msgid.link/20260324-regulator-fix-v1-1-a5244afa3c15@google.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
rust/kernel/regulator.rs | 33 ++++++++++++++++++---------------
1 file changed, 18 insertions(+), 15 deletions(-)
diff --git a/rust/kernel/regulator.rs b/rust/kernel/regulator.rs
index 2c44827ad0b7e..40c7f2209867d 100644
--- a/rust/kernel/regulator.rs
+++ b/rust/kernel/regulator.rs
@@ -23,7 +23,10 @@ use crate::{
prelude::*,
};
-use core::{marker::PhantomData, mem::ManuallyDrop, ptr::NonNull};
+use core::{
+ marker::PhantomData,
+ mem::ManuallyDrop, //
+};
mod private {
pub trait Sealed {}
@@ -232,15 +235,17 @@ pub fn devm_enable_optional(dev: &Device<Bound>, name: &CStr) -> Result {
///
/// # Invariants
///
-/// - `inner` is a non-null wrapper over a pointer to a `struct
-/// regulator` obtained from [`regulator_get()`].
+/// - `inner` is a pointer obtained from a successful call to
+/// [`regulator_get()`]. It is treated as an opaque token that may only be
+/// accessed using C API methods (e.g., it may be `NULL` if the C API returns
+/// `NULL`).
///
/// [`regulator_get()`]: https://docs.kernel.org/driver-api/regulator.html#c.regulator_get
pub struct Regulator<State>
where
State: RegulatorState,
{
- inner: NonNull<bindings::regulator>,
+ inner: *mut bindings::regulator,
_phantom: PhantomData<State>,
}
@@ -252,7 +257,7 @@ impl<T: RegulatorState> Regulator<T> {
// SAFETY: Safe as per the type invariants of `Regulator`.
to_result(unsafe {
bindings::regulator_set_voltage(
- self.inner.as_ptr(),
+ self.inner,
min_voltage.as_microvolts(),
max_voltage.as_microvolts(),
)
@@ -262,7 +267,7 @@ impl<T: RegulatorState> Regulator<T> {
/// Gets the current voltage of the regulator.
pub fn get_voltage(&self) -> Result<Voltage> {
// SAFETY: Safe as per the type invariants of `Regulator`.
- let voltage = unsafe { bindings::regulator_get_voltage(self.inner.as_ptr()) };
+ let voltage = unsafe { bindings::regulator_get_voltage(self.inner) };
to_result(voltage).map(|()| Voltage::from_microvolts(voltage))
}
@@ -273,10 +278,8 @@ impl<T: RegulatorState> Regulator<T> {
// received from the C code.
from_err_ptr(unsafe { bindings::regulator_get(dev.as_raw(), name.as_char_ptr()) })?;
- // SAFETY: We can safely trust `inner` to be a pointer to a valid
- // regulator if `ERR_PTR` was not returned.
- let inner = unsafe { NonNull::new_unchecked(inner) };
-
+ // INVARIANT: `inner` is a pointer obtained from `regulator_get()`, and
+ // the call was successful.
Ok(Self {
inner,
_phantom: PhantomData,
@@ -285,12 +288,12 @@ impl<T: RegulatorState> Regulator<T> {
fn enable_internal(&self) -> Result {
// SAFETY: Safe as per the type invariants of `Regulator`.
- to_result(unsafe { bindings::regulator_enable(self.inner.as_ptr()) })
+ to_result(unsafe { bindings::regulator_enable(self.inner) })
}
fn disable_internal(&self) -> Result {
// SAFETY: Safe as per the type invariants of `Regulator`.
- to_result(unsafe { bindings::regulator_disable(self.inner.as_ptr()) })
+ to_result(unsafe { bindings::regulator_disable(self.inner) })
}
}
@@ -352,7 +355,7 @@ impl<T: IsEnabled> Regulator<T> {
/// Checks if the regulator is enabled.
pub fn is_enabled(&self) -> bool {
// SAFETY: Safe as per the type invariants of `Regulator`.
- unsafe { bindings::regulator_is_enabled(self.inner.as_ptr()) != 0 }
+ unsafe { bindings::regulator_is_enabled(self.inner) != 0 }
}
}
@@ -362,11 +365,11 @@ impl<T: RegulatorState> Drop for Regulator<T> {
// SAFETY: By the type invariants, we know that `self` owns a
// reference on the enabled refcount, so it is safe to relinquish it
// now.
- unsafe { bindings::regulator_disable(self.inner.as_ptr()) };
+ unsafe { bindings::regulator_disable(self.inner) };
}
// SAFETY: By the type invariants, we know that `self` owns a reference,
// so it is safe to relinquish it now.
- unsafe { bindings::regulator_put(self.inner.as_ptr()) };
+ unsafe { bindings::regulator_put(self.inner) };
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 179/342] drm/xe: Implement recent spec updates to Wa_16025250150
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 178/342] rust: regulator: do not assume that regulator_get() returns non-null Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 180/342] spi: use generic driver_override infrastructure Greg Kroah-Hartman
` (179 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Atwood, Matt Roper,
Rodrigo Vivi, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Roper <matthew.d.roper@intel.com>
[ Upstream commit 56781a4597706cd25185b1dedc38841ec6c31496 ]
The hardware teams noticed that the originally documented workaround
steps for Wa_16025250150 may not be sufficient to fully avoid a hardware
issue. The workaround documentation has been augmented to suggest
programming one additional register; make the corresponding change in
the driver.
Fixes: 7654d51f1fd8 ("drm/xe/xe2hpg: Add Wa_16025250150")
Reviewed-by: Matt Atwood <matthew.s.atwood@intel.com>
Link: https://patch.msgid.link/20260319-wa_16025250150_part2-v1-1-46b1de1a31b2@intel.com
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
(cherry picked from commit a31566762d4075646a8a2214586158b681e94305)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/regs/xe_gt_regs.h | 1 +
drivers/gpu/drm/xe/xe_wa.c | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/xe/regs/xe_gt_regs.h b/drivers/gpu/drm/xe/regs/xe_gt_regs.h
index 917a088c28f24..ec1ae2dc6cabe 100644
--- a/drivers/gpu/drm/xe/regs/xe_gt_regs.h
+++ b/drivers/gpu/drm/xe/regs/xe_gt_regs.h
@@ -544,6 +544,7 @@
#define ENABLE_SMP_LD_RENDER_SURFACE_CONTROL REG_BIT(44 - 32)
#define FORCE_SLM_FENCE_SCOPE_TO_TILE REG_BIT(42 - 32)
#define FORCE_UGM_FENCE_SCOPE_TO_TILE REG_BIT(41 - 32)
+#define L3_128B_256B_WRT_DIS REG_BIT(40 - 32)
#define MAXREQS_PER_BANK REG_GENMASK(39 - 32, 37 - 32)
#define DISABLE_128B_EVICTION_COMMAND_UDW REG_BIT(36 - 32)
diff --git a/drivers/gpu/drm/xe/xe_wa.c b/drivers/gpu/drm/xe/xe_wa.c
index 4039a6428e6c1..c15b0288e0ff5 100644
--- a/drivers/gpu/drm/xe/xe_wa.c
+++ b/drivers/gpu/drm/xe/xe_wa.c
@@ -261,7 +261,8 @@ static const struct xe_rtp_entry_sr gt_was[] = {
LSN_DIM_Z_WGT_MASK,
LSN_LNI_WGT(1) | LSN_LNE_WGT(1) |
LSN_DIM_X_WGT(1) | LSN_DIM_Y_WGT(1) |
- LSN_DIM_Z_WGT(1)))
+ LSN_DIM_Z_WGT(1)),
+ SET(LSC_CHICKEN_BIT_0_UDW, L3_128B_256B_WRT_DIS))
},
/* Xe2_HPM */
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 180/342] spi: use generic driver_override infrastructure
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 179/342] drm/xe: Implement recent spec updates to Wa_16025250150 Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 181/342] ACPI: EC: clean up handlers on probe failure in acpi_ec_setup() Greg Kroah-Hartman
` (178 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Danilo Krummrich,
Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
[ Upstream commit cc34d77dd48708d810c12bfd6f5bf03304f6c824 ]
When a driver is probed through __driver_attach(), the bus' match()
callback is called without the device lock held, thus accessing the
driver_override field without a lock, which can cause a UAF.
Fix this by using the driver-core driver_override infrastructure taking
care of proper locking internally.
Note that calling match() from __driver_attach() without the device lock
held is intentional. [1]
Also note that we do not enable the driver_override feature of struct
bus_type, as SPI - in contrast to most other buses - passes "" to
sysfs_emit() when the driver_override pointer is NULL. Thus, printing
"\n" instead of "(null)\n".
Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [1]
Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
Fixes: 5039563e7c25 ("spi: Add driver_override SPI device attribute")
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Link: https://patch.msgid.link/20260324005919.2408620-12-dakr@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi.c | 19 +++++++------------
include/linux/spi/spi.h | 5 -----
2 files changed, 7 insertions(+), 17 deletions(-)
diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
index 201b9569ce690..87d829d2a8427 100644
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -50,7 +50,6 @@ static void spidev_release(struct device *dev)
struct spi_device *spi = to_spi_device(dev);
spi_controller_put(spi->controller);
- kfree(spi->driver_override);
free_percpu(spi->pcpu_statistics);
kfree(spi);
}
@@ -73,10 +72,9 @@ static ssize_t driver_override_store(struct device *dev,
struct device_attribute *a,
const char *buf, size_t count)
{
- struct spi_device *spi = to_spi_device(dev);
int ret;
- ret = driver_set_override(dev, &spi->driver_override, buf, count);
+ ret = __device_set_driver_override(dev, buf, count);
if (ret)
return ret;
@@ -86,13 +84,8 @@ static ssize_t driver_override_store(struct device *dev,
static ssize_t driver_override_show(struct device *dev,
struct device_attribute *a, char *buf)
{
- const struct spi_device *spi = to_spi_device(dev);
- ssize_t len;
-
- device_lock(dev);
- len = sysfs_emit(buf, "%s\n", spi->driver_override ? : "");
- device_unlock(dev);
- return len;
+ guard(spinlock)(&dev->driver_override.lock);
+ return sysfs_emit(buf, "%s\n", dev->driver_override.name ?: "");
}
static DEVICE_ATTR_RW(driver_override);
@@ -376,10 +369,12 @@ static int spi_match_device(struct device *dev, const struct device_driver *drv)
{
const struct spi_device *spi = to_spi_device(dev);
const struct spi_driver *sdrv = to_spi_driver(drv);
+ int ret;
/* Check override first, and if set, only use the named driver */
- if (spi->driver_override)
- return strcmp(spi->driver_override, drv->name) == 0;
+ ret = device_match_driver_override(dev, drv);
+ if (ret >= 0)
+ return ret;
/* Attempt an OF style match */
if (of_driver_match_device(dev, drv))
diff --git a/include/linux/spi/spi.h b/include/linux/spi/spi.h
index cb2c2df310899..fe9dd430cc03a 100644
--- a/include/linux/spi/spi.h
+++ b/include/linux/spi/spi.h
@@ -156,10 +156,6 @@ extern void spi_transfer_cs_change_delay_exec(struct spi_message *msg,
* @modalias: Name of the driver to use with this device, or an alias
* for that name. This appears in the sysfs "modalias" attribute
* for driver coldplugging, and in uevents used for hotplugging
- * @driver_override: If the name of a driver is written to this attribute, then
- * the device will bind to the named driver and only the named driver.
- * Do not set directly, because core frees it; use driver_set_override() to
- * set or clear it.
* @pcpu_statistics: statistics for the spi_device
* @word_delay: delay to be inserted between consecutive
* words of a transfer
@@ -217,7 +213,6 @@ struct spi_device {
void *controller_state;
void *controller_data;
char modalias[SPI_NAME_SIZE];
- const char *driver_override;
/* The statistics */
struct spi_statistics __percpu *pcpu_statistics;
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 181/342] ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 180/342] spi: use generic driver_override infrastructure Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 182/342] drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib Greg Kroah-Hartman
` (177 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Rafael J. Wysocki, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit f6484cadbcaf26b5844b51bd7307a663dda48ef6 ]
When ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware
platforms, it has already started the EC and installed the address
space handler with the struct acpi_ec pointer as handler context.
However, acpi_ec_setup() propagates the error without any cleanup.
The caller acpi_ec_add() then frees the struct acpi_ec for non-boot
instances, leaving a dangling handler context in ACPICA.
Any subsequent AML evaluation that accesses an EC OpRegion field
dispatches into acpi_ec_space_handler() with the freed pointer,
causing a use-after-free:
BUG: KASAN: slab-use-after-free in mutex_lock (kernel/locking/mutex.c:289)
Write of size 8 at addr ffff88800721de38 by task init/1
Call Trace:
<TASK>
mutex_lock (kernel/locking/mutex.c:289)
acpi_ec_space_handler (drivers/acpi/ec.c:1362)
acpi_ev_address_space_dispatch (drivers/acpi/acpica/evregion.c:293)
acpi_ex_access_region (drivers/acpi/acpica/exfldio.c:246)
acpi_ex_field_datum_io (drivers/acpi/acpica/exfldio.c:509)
acpi_ex_extract_from_field (drivers/acpi/acpica/exfldio.c:700)
acpi_ex_read_data_from_field (drivers/acpi/acpica/exfield.c:327)
acpi_ex_resolve_node_to_value (drivers/acpi/acpica/exresolv.c:392)
</TASK>
Allocated by task 1:
acpi_ec_alloc (drivers/acpi/ec.c:1424)
acpi_ec_add (drivers/acpi/ec.c:1692)
Freed by task 1:
kfree (mm/slub.c:6876)
acpi_ec_add (drivers/acpi/ec.c:1751)
The bug triggers on reduced-hardware EC platforms (ec->gpe < 0)
when the GPIO IRQ provider defers probing. Once the stale handler
exists, any unprivileged sysfs read that causes AML to touch an
EC OpRegion (battery, thermal, backlight) exercises the dangling
pointer.
Fix this by calling ec_remove_handlers() in the error path of
acpi_ec_setup() before clearing first_ec. ec_remove_handlers()
checks each EC_FLAGS_* bit before acting, so it is safe to call
regardless of how far ec_install_handlers() progressed:
-ENODEV (handler not installed): only calls acpi_ec_stop()
-EPROBE_DEFER (handler installed): removes handler, stops EC
Fixes: 03e9a0e05739 ("ACPI: EC: Consolidate event handler installation code")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Link: https://patch.msgid.link/20260324165458.1337233-2-bestswngs@gmail.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/ec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
index 59b3d50ff01ec..c981a53434edf 100644
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -1655,6 +1655,8 @@ static int acpi_ec_setup(struct acpi_ec *ec, struct acpi_device *device, bool ca
ret = ec_install_handlers(ec, device, call_reg);
if (ret) {
+ ec_remove_handlers(ec);
+
if (ec == first_ec)
first_ec = NULL;
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 182/342] drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 181/342] ACPI: EC: clean up handlers on probe failure in acpi_ec_setup() Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 183/342] hwmon: (adm1177) fix sysfs ABI violation and current unit conversion Greg Kroah-Hartman
` (176 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Kuehling, Dan Carpenter,
Christian König, Alex Deucher, Srinivasan Shanmugam,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit 7150850146ebfa4ca998f653f264b8df6f7f85be ]
amdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence
from amdgpu_ib_schedule(). This fence is used to wait for job
completion.
Currently, the code drops the fence reference using dma_fence_put()
before calling dma_fence_wait().
If dma_fence_put() releases the last reference, the fence may be
freed before dma_fence_wait() is called. This can lead to a
use-after-free.
Fix this by waiting on the fence first and releasing the reference
only after dma_fence_wait() completes.
Fixes the below:
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib() warn: passing freed memory 'f' (line 696)
Fixes: 9ae55f030dc5 ("drm/amdgpu: Follow up change to previous drm scheduler change.")
Cc: Felix Kuehling <Felix.Kuehling@amd.com>
Cc: Dan Carpenter <dan.carpenter@linaro.org>
Cc: Christian König <christian.koenig@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 8b9e5259adc385b61a6590a13b82ae0ac2bd3482)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
index a2879d2b7c8ec..1ec26be82f30e 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
@@ -687,9 +687,9 @@ int amdgpu_amdkfd_submit_ib(struct amdgpu_device *adev,
goto err_ib_sched;
}
- /* Drop the initial kref_init count (see drm_sched_main as example) */
- dma_fence_put(f);
ret = dma_fence_wait(f, false);
+ /* Drop the returned fence reference after the wait completes */
+ dma_fence_put(f);
err_ib_sched:
amdgpu_job_free(job);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 183/342] hwmon: (adm1177) fix sysfs ABI violation and current unit conversion
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 182/342] drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 184/342] ASoC: SDCA: fix finding wrong entity Greg Kroah-Hartman
` (175 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Nuno Sá,
Guenter Roeck, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanman Pradhan <psanman@juniper.net>
[ Upstream commit bf08749a6abb6d1959bfdc0edc32c640df407558 ]
The adm1177 driver exposes the current alert threshold through
hwmon_curr_max_alarm. This violates the hwmon sysfs ABI, where
*_alarm attributes are read-only status flags and writable thresholds
must use currN_max.
The driver also stores the threshold internally in microamps, while
currN_max is defined in milliamps. Convert the threshold accordingly
on both the read and write paths.
Widen the cached threshold and related calculations to 64 bits so
that small shunt resistor values do not cause truncation or overflow.
Also use 64-bit arithmetic for the mA/uA conversions, clamp writes
to the range the hardware can represent, and propagate failures from
adm1177_write_alert_thr() instead of silently ignoring them.
Update the hwmon documentation to reflect the attribute rename and
the correct units returned by the driver.
Fixes: 09b08ac9e8d5 ("hwmon: (adm1177) Add ADM1177 Hot Swap Controller and Digital Power Monitor driver")
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Acked-by: Nuno Sá <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20260325051246.28262-1-sanman.pradhan@hpe.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/hwmon/adm1177.rst | 8 ++---
drivers/hwmon/adm1177.c | 54 +++++++++++++++++++--------------
2 files changed, 35 insertions(+), 27 deletions(-)
diff --git a/Documentation/hwmon/adm1177.rst b/Documentation/hwmon/adm1177.rst
index 1c85a2af92bf7..375f6d6e03a7d 100644
--- a/Documentation/hwmon/adm1177.rst
+++ b/Documentation/hwmon/adm1177.rst
@@ -27,10 +27,10 @@ for details.
Sysfs entries
-------------
-The following attributes are supported. Current maxim attribute
+The following attributes are supported. Current maximum attribute
is read-write, all other attributes are read-only.
-in0_input Measured voltage in microvolts.
+in0_input Measured voltage in millivolts.
-curr1_input Measured current in microamperes.
-curr1_max_alarm Overcurrent alarm in microamperes.
+curr1_input Measured current in milliamperes.
+curr1_max Overcurrent shutdown threshold in milliamperes.
diff --git a/drivers/hwmon/adm1177.c b/drivers/hwmon/adm1177.c
index 8b2c965480e3f..7888afe8dafd6 100644
--- a/drivers/hwmon/adm1177.c
+++ b/drivers/hwmon/adm1177.c
@@ -10,6 +10,8 @@
#include <linux/hwmon.h>
#include <linux/i2c.h>
#include <linux/init.h>
+#include <linux/math64.h>
+#include <linux/minmax.h>
#include <linux/module.h>
#include <linux/regulator/consumer.h>
@@ -33,7 +35,7 @@
struct adm1177_state {
struct i2c_client *client;
u32 r_sense_uohm;
- u32 alert_threshold_ua;
+ u64 alert_threshold_ua;
bool vrange_high;
};
@@ -48,7 +50,7 @@ static int adm1177_write_cmd(struct adm1177_state *st, u8 cmd)
}
static int adm1177_write_alert_thr(struct adm1177_state *st,
- u32 alert_threshold_ua)
+ u64 alert_threshold_ua)
{
u64 val;
int ret;
@@ -91,8 +93,8 @@ static int adm1177_read(struct device *dev, enum hwmon_sensor_types type,
*val = div_u64((105840000ull * dummy),
4096 * st->r_sense_uohm);
return 0;
- case hwmon_curr_max_alarm:
- *val = st->alert_threshold_ua;
+ case hwmon_curr_max:
+ *val = div_u64(st->alert_threshold_ua, 1000);
return 0;
default:
return -EOPNOTSUPP;
@@ -126,9 +128,10 @@ static int adm1177_write(struct device *dev, enum hwmon_sensor_types type,
switch (type) {
case hwmon_curr:
switch (attr) {
- case hwmon_curr_max_alarm:
- adm1177_write_alert_thr(st, val);
- return 0;
+ case hwmon_curr_max:
+ val = clamp_val(val, 0,
+ div_u64(105840000ULL, st->r_sense_uohm));
+ return adm1177_write_alert_thr(st, (u64)val * 1000);
default:
return -EOPNOTSUPP;
}
@@ -156,7 +159,7 @@ static umode_t adm1177_is_visible(const void *data,
if (st->r_sense_uohm)
return 0444;
return 0;
- case hwmon_curr_max_alarm:
+ case hwmon_curr_max:
if (st->r_sense_uohm)
return 0644;
return 0;
@@ -170,7 +173,7 @@ static umode_t adm1177_is_visible(const void *data,
static const struct hwmon_channel_info * const adm1177_info[] = {
HWMON_CHANNEL_INFO(curr,
- HWMON_C_INPUT | HWMON_C_MAX_ALARM),
+ HWMON_C_INPUT | HWMON_C_MAX),
HWMON_CHANNEL_INFO(in,
HWMON_I_INPUT),
NULL
@@ -192,7 +195,8 @@ static int adm1177_probe(struct i2c_client *client)
struct device *dev = &client->dev;
struct device *hwmon_dev;
struct adm1177_state *st;
- u32 alert_threshold_ua;
+ u64 alert_threshold_ua;
+ u32 prop;
int ret;
st = devm_kzalloc(dev, sizeof(*st), GFP_KERNEL);
@@ -208,22 +212,26 @@ static int adm1177_probe(struct i2c_client *client)
if (device_property_read_u32(dev, "shunt-resistor-micro-ohms",
&st->r_sense_uohm))
st->r_sense_uohm = 0;
- if (device_property_read_u32(dev, "adi,shutdown-threshold-microamp",
- &alert_threshold_ua)) {
- if (st->r_sense_uohm)
- /*
- * set maximum default value from datasheet based on
- * shunt-resistor
- */
- alert_threshold_ua = div_u64(105840000000,
- st->r_sense_uohm);
- else
- alert_threshold_ua = 0;
+ if (!device_property_read_u32(dev, "adi,shutdown-threshold-microamp",
+ &prop)) {
+ alert_threshold_ua = prop;
+ } else if (st->r_sense_uohm) {
+ /*
+ * set maximum default value from datasheet based on
+ * shunt-resistor
+ */
+ alert_threshold_ua = div_u64(105840000000ULL,
+ st->r_sense_uohm);
+ } else {
+ alert_threshold_ua = 0;
}
st->vrange_high = device_property_read_bool(dev,
"adi,vrange-high-enable");
- if (alert_threshold_ua && st->r_sense_uohm)
- adm1177_write_alert_thr(st, alert_threshold_ua);
+ if (alert_threshold_ua && st->r_sense_uohm) {
+ ret = adm1177_write_alert_thr(st, alert_threshold_ua);
+ if (ret)
+ return ret;
+ }
ret = adm1177_write_cmd(st, ADM1177_CMD_V_CONT |
ADM1177_CMD_I_CONT |
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 184/342] ASoC: SDCA: fix finding wrong entity
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 183/342] hwmon: (adm1177) fix sysfs ABI violation and current unit conversion Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 185/342] hwmon: (pmbus) Mark lowest/average/highest/rated attributes as read-only Greg Kroah-Hartman
` (174 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Charles Keepax, Shuming Fan,
Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuming Fan <shumingf@realtek.com>
[ Upstream commit c673efd5db2223c2e8b885025bcd96bca6cdb171 ]
This patch fixes an issue like:
where searching for the entity 'FU 11' could incorrectly match 'FU 113' first.
The driver should first perform an exact match on the full string name.
If no exact match is found, it can then fall back to a partial match.
Fixes: 48fa77af2f4a ("ASoC: SDCA: Add terminal type into input/output widget name")
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Signed-off-by: Shuming Fan <shumingf@realtek.com>
Link: https://patch.msgid.link/20260325110406.3232420-1-shumingf@realtek.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sdca/sdca_functions.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/sound/soc/sdca/sdca_functions.c b/sound/soc/sdca/sdca_functions.c
index d2de9e81b4f9f..a1f6f931a8081 100644
--- a/sound/soc/sdca/sdca_functions.c
+++ b/sound/soc/sdca/sdca_functions.c
@@ -1568,10 +1568,19 @@ static int find_sdca_entities(struct device *dev, struct sdw_slave *sdw,
static struct sdca_entity *find_sdca_entity_by_label(struct sdca_function_data *function,
const char *entity_label)
{
+ struct sdca_entity *entity = NULL;
int i;
for (i = 0; i < function->num_entities; i++) {
- struct sdca_entity *entity = &function->entities[i];
+ entity = &function->entities[i];
+
+ /* check whole string first*/
+ if (!strcmp(entity->label, entity_label))
+ return entity;
+ }
+
+ for (i = 0; i < function->num_entities; i++) {
+ entity = &function->entities[i];
if (!strncmp(entity->label, entity_label, strlen(entity_label)))
return entity;
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 185/342] hwmon: (pmbus) Mark lowest/average/highest/rated attributes as read-only
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 184/342] ASoC: SDCA: fix finding wrong entity Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 186/342] hwmon: (pmbus) Introduce the concept of "write-only" attributes Greg Kroah-Hartman
` (173 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit 805a5bd1c3f307d45ae4e9cf8915ef16d585a54a ]
Writing those attributes is not supported, so mark them as read-only.
Prior to this change, attempts to write into these attributes returned
an error.
Mark boolean fields in struct pmbus_limit_attr and in struct
pmbus_sensor_attr as bit fields to reduce configuration data size.
The data is scanned only while probing, so performance is not a concern.
Fixes: 6f183d33a02e6 ("hwmon: (pmbus) Add support for peak attributes")
Reviewed-by: Sanman Pradhan <psanman@juniper.net>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/pmbus/pmbus_core.c | 48 ++++++++++++++++++++++++++++----
1 file changed, 42 insertions(+), 6 deletions(-)
diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
index be6d05def1152..ecd1dddcbe0ff 100644
--- a/drivers/hwmon/pmbus/pmbus_core.c
+++ b/drivers/hwmon/pmbus/pmbus_core.c
@@ -1495,8 +1495,9 @@ static int pmbus_add_label(struct pmbus_data *data,
struct pmbus_limit_attr {
u16 reg; /* Limit register */
u16 sbit; /* Alarm attribute status bit */
- bool update; /* True if register needs updates */
- bool low; /* True if low limit; for limits with compare functions only */
+ bool readonly:1; /* True if the attribute is read-only */
+ bool update:1; /* True if register needs updates */
+ bool low:1; /* True if low limit; for limits with compare functions only */
const char *attr; /* Attribute name */
const char *alarm; /* Alarm attribute name */
};
@@ -1511,9 +1512,9 @@ struct pmbus_sensor_attr {
u8 nlimit; /* # of limit registers */
enum pmbus_sensor_classes class;/* sensor class */
const char *label; /* sensor label */
- bool paged; /* true if paged sensor */
- bool update; /* true if update needed */
- bool compare; /* true if compare function needed */
+ bool paged:1; /* true if paged sensor */
+ bool update:1; /* true if update needed */
+ bool compare:1; /* true if compare function needed */
u32 func; /* sensor mask */
u32 sfunc; /* sensor status mask */
int sreg; /* status register */
@@ -1544,7 +1545,7 @@ static int pmbus_add_limit_attrs(struct i2c_client *client,
curr = pmbus_add_sensor(data, name, l->attr, index,
page, 0xff, l->reg, attr->class,
attr->update || l->update,
- false, true);
+ l->readonly, true);
if (!curr)
return -ENOMEM;
if (l->sbit && (info->func[page] & attr->sfunc)) {
@@ -1707,23 +1708,28 @@ static const struct pmbus_limit_attr vin_limit_attrs[] = {
}, {
.reg = PMBUS_VIRT_READ_VIN_AVG,
.update = true,
+ .readonly = true,
.attr = "average",
}, {
.reg = PMBUS_VIRT_READ_VIN_MIN,
.update = true,
+ .readonly = true,
.attr = "lowest",
}, {
.reg = PMBUS_VIRT_READ_VIN_MAX,
.update = true,
+ .readonly = true,
.attr = "highest",
}, {
.reg = PMBUS_VIRT_RESET_VIN_HISTORY,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_VIN_MIN,
+ .readonly = true,
.attr = "rated_min",
}, {
.reg = PMBUS_MFR_VIN_MAX,
+ .readonly = true,
.attr = "rated_max",
},
};
@@ -1776,23 +1782,28 @@ static const struct pmbus_limit_attr vout_limit_attrs[] = {
}, {
.reg = PMBUS_VIRT_READ_VOUT_AVG,
.update = true,
+ .readonly = true,
.attr = "average",
}, {
.reg = PMBUS_VIRT_READ_VOUT_MIN,
.update = true,
+ .readonly = true,
.attr = "lowest",
}, {
.reg = PMBUS_VIRT_READ_VOUT_MAX,
.update = true,
+ .readonly = true,
.attr = "highest",
}, {
.reg = PMBUS_VIRT_RESET_VOUT_HISTORY,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_VOUT_MIN,
+ .readonly = true,
.attr = "rated_min",
}, {
.reg = PMBUS_MFR_VOUT_MAX,
+ .readonly = true,
.attr = "rated_max",
},
};
@@ -1852,20 +1863,24 @@ static const struct pmbus_limit_attr iin_limit_attrs[] = {
}, {
.reg = PMBUS_VIRT_READ_IIN_AVG,
.update = true,
+ .readonly = true,
.attr = "average",
}, {
.reg = PMBUS_VIRT_READ_IIN_MIN,
.update = true,
+ .readonly = true,
.attr = "lowest",
}, {
.reg = PMBUS_VIRT_READ_IIN_MAX,
.update = true,
+ .readonly = true,
.attr = "highest",
}, {
.reg = PMBUS_VIRT_RESET_IIN_HISTORY,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_IIN_MAX,
+ .readonly = true,
.attr = "rated_max",
},
};
@@ -1889,20 +1904,24 @@ static const struct pmbus_limit_attr iout_limit_attrs[] = {
}, {
.reg = PMBUS_VIRT_READ_IOUT_AVG,
.update = true,
+ .readonly = true,
.attr = "average",
}, {
.reg = PMBUS_VIRT_READ_IOUT_MIN,
.update = true,
+ .readonly = true,
.attr = "lowest",
}, {
.reg = PMBUS_VIRT_READ_IOUT_MAX,
.update = true,
+ .readonly = true,
.attr = "highest",
}, {
.reg = PMBUS_VIRT_RESET_IOUT_HISTORY,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_IOUT_MAX,
+ .readonly = true,
.attr = "rated_max",
},
};
@@ -1943,20 +1962,24 @@ static const struct pmbus_limit_attr pin_limit_attrs[] = {
}, {
.reg = PMBUS_VIRT_READ_PIN_AVG,
.update = true,
+ .readonly = true,
.attr = "average",
}, {
.reg = PMBUS_VIRT_READ_PIN_MIN,
.update = true,
+ .readonly = true,
.attr = "input_lowest",
}, {
.reg = PMBUS_VIRT_READ_PIN_MAX,
.update = true,
+ .readonly = true,
.attr = "input_highest",
}, {
.reg = PMBUS_VIRT_RESET_PIN_HISTORY,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_PIN_MAX,
+ .readonly = true,
.attr = "rated_max",
},
};
@@ -1980,20 +2003,24 @@ static const struct pmbus_limit_attr pout_limit_attrs[] = {
}, {
.reg = PMBUS_VIRT_READ_POUT_AVG,
.update = true,
+ .readonly = true,
.attr = "average",
}, {
.reg = PMBUS_VIRT_READ_POUT_MIN,
.update = true,
+ .readonly = true,
.attr = "input_lowest",
}, {
.reg = PMBUS_VIRT_READ_POUT_MAX,
.update = true,
+ .readonly = true,
.attr = "input_highest",
}, {
.reg = PMBUS_VIRT_RESET_POUT_HISTORY,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_POUT_MAX,
+ .readonly = true,
.attr = "rated_max",
},
};
@@ -2049,18 +2076,22 @@ static const struct pmbus_limit_attr temp_limit_attrs[] = {
.sbit = PB_TEMP_OT_FAULT,
}, {
.reg = PMBUS_VIRT_READ_TEMP_MIN,
+ .readonly = true,
.attr = "lowest",
}, {
.reg = PMBUS_VIRT_READ_TEMP_AVG,
+ .readonly = true,
.attr = "average",
}, {
.reg = PMBUS_VIRT_READ_TEMP_MAX,
+ .readonly = true,
.attr = "highest",
}, {
.reg = PMBUS_VIRT_RESET_TEMP_HISTORY,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_MAX_TEMP_1,
+ .readonly = true,
.attr = "rated_max",
},
};
@@ -2090,18 +2121,22 @@ static const struct pmbus_limit_attr temp_limit_attrs2[] = {
.sbit = PB_TEMP_OT_FAULT,
}, {
.reg = PMBUS_VIRT_READ_TEMP2_MIN,
+ .readonly = true,
.attr = "lowest",
}, {
.reg = PMBUS_VIRT_READ_TEMP2_AVG,
+ .readonly = true,
.attr = "average",
}, {
.reg = PMBUS_VIRT_READ_TEMP2_MAX,
+ .readonly = true,
.attr = "highest",
}, {
.reg = PMBUS_VIRT_RESET_TEMP2_HISTORY,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_MAX_TEMP_2,
+ .readonly = true,
.attr = "rated_max",
},
};
@@ -2131,6 +2166,7 @@ static const struct pmbus_limit_attr temp_limit_attrs3[] = {
.sbit = PB_TEMP_OT_FAULT,
}, {
.reg = PMBUS_MFR_MAX_TEMP_3,
+ .readonly = true,
.attr = "rated_max",
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 186/342] hwmon: (pmbus) Introduce the concept of "write-only" attributes
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 185/342] hwmon: (pmbus) Mark lowest/average/highest/rated attributes as read-only Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 187/342] hwmon: (pmbus/core) Protect regulator operations with mutex Greg Kroah-Hartman
` (172 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit cd658475e7694d58e1c40dabc1dacf8431ccedb2 ]
Attributes intended to clear sensor history are intended to be writeable
only. Reading those attributes today results in reporting more or less
random values. To avoid ABI surprises, have those attributes explicitly
return 0 when reading.
Fixes: 787c095edaa9d ("hwmon: (pmbus/core) Add support for rated attributes")
Reviewed-by: Sanman Pradhan <psanman@juniper.net>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/pmbus/pmbus_core.c | 32 ++++++++++++++++++++++++--------
1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
index ecd1dddcbe0ff..cbc36f0ba4bf9 100644
--- a/drivers/hwmon/pmbus/pmbus_core.c
+++ b/drivers/hwmon/pmbus/pmbus_core.c
@@ -1209,6 +1209,12 @@ static ssize_t pmbus_show_boolean(struct device *dev,
return sysfs_emit(buf, "%d\n", val);
}
+static ssize_t pmbus_show_zero(struct device *dev,
+ struct device_attribute *devattr, char *buf)
+{
+ return sysfs_emit(buf, "0\n");
+}
+
static ssize_t pmbus_show_sensor(struct device *dev,
struct device_attribute *devattr, char *buf)
{
@@ -1407,7 +1413,7 @@ static struct pmbus_sensor *pmbus_add_sensor(struct pmbus_data *data,
int reg,
enum pmbus_sensor_classes class,
bool update, bool readonly,
- bool convert)
+ bool writeonly, bool convert)
{
struct pmbus_sensor *sensor;
struct device_attribute *a;
@@ -1436,7 +1442,8 @@ static struct pmbus_sensor *pmbus_add_sensor(struct pmbus_data *data,
sensor->data = -ENODATA;
pmbus_dev_attr_init(a, sensor->name,
readonly ? 0444 : 0644,
- pmbus_show_sensor, pmbus_set_sensor);
+ writeonly ? pmbus_show_zero : pmbus_show_sensor,
+ pmbus_set_sensor);
if (pmbus_add_attribute(data, &a->attr))
return NULL;
@@ -1496,6 +1503,7 @@ struct pmbus_limit_attr {
u16 reg; /* Limit register */
u16 sbit; /* Alarm attribute status bit */
bool readonly:1; /* True if the attribute is read-only */
+ bool writeonly:1; /* True if the attribute is write-only */
bool update:1; /* True if register needs updates */
bool low:1; /* True if low limit; for limits with compare functions only */
const char *attr; /* Attribute name */
@@ -1545,7 +1553,7 @@ static int pmbus_add_limit_attrs(struct i2c_client *client,
curr = pmbus_add_sensor(data, name, l->attr, index,
page, 0xff, l->reg, attr->class,
attr->update || l->update,
- l->readonly, true);
+ l->readonly, l->writeonly, true);
if (!curr)
return -ENOMEM;
if (l->sbit && (info->func[page] & attr->sfunc)) {
@@ -1585,7 +1593,7 @@ static int pmbus_add_sensor_attrs_one(struct i2c_client *client,
return ret;
}
base = pmbus_add_sensor(data, name, "input", index, page, phase,
- attr->reg, attr->class, true, true, true);
+ attr->reg, attr->class, true, true, false, true);
if (!base)
return -ENOMEM;
/* No limit and alarm attributes for phase specific sensors */
@@ -1722,6 +1730,7 @@ static const struct pmbus_limit_attr vin_limit_attrs[] = {
.attr = "highest",
}, {
.reg = PMBUS_VIRT_RESET_VIN_HISTORY,
+ .writeonly = true,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_VIN_MIN,
@@ -1796,6 +1805,7 @@ static const struct pmbus_limit_attr vout_limit_attrs[] = {
.attr = "highest",
}, {
.reg = PMBUS_VIRT_RESET_VOUT_HISTORY,
+ .writeonly = true,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_VOUT_MIN,
@@ -1877,6 +1887,7 @@ static const struct pmbus_limit_attr iin_limit_attrs[] = {
.attr = "highest",
}, {
.reg = PMBUS_VIRT_RESET_IIN_HISTORY,
+ .writeonly = true,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_IIN_MAX,
@@ -1918,6 +1929,7 @@ static const struct pmbus_limit_attr iout_limit_attrs[] = {
.attr = "highest",
}, {
.reg = PMBUS_VIRT_RESET_IOUT_HISTORY,
+ .writeonly = true,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_IOUT_MAX,
@@ -1976,6 +1988,7 @@ static const struct pmbus_limit_attr pin_limit_attrs[] = {
.attr = "input_highest",
}, {
.reg = PMBUS_VIRT_RESET_PIN_HISTORY,
+ .writeonly = true,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_PIN_MAX,
@@ -2017,6 +2030,7 @@ static const struct pmbus_limit_attr pout_limit_attrs[] = {
.attr = "input_highest",
}, {
.reg = PMBUS_VIRT_RESET_POUT_HISTORY,
+ .writeonly = true,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_POUT_MAX,
@@ -2088,6 +2102,7 @@ static const struct pmbus_limit_attr temp_limit_attrs[] = {
.attr = "highest",
}, {
.reg = PMBUS_VIRT_RESET_TEMP_HISTORY,
+ .writeonly = true,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_MAX_TEMP_1,
@@ -2133,6 +2148,7 @@ static const struct pmbus_limit_attr temp_limit_attrs2[] = {
.attr = "highest",
}, {
.reg = PMBUS_VIRT_RESET_TEMP2_HISTORY,
+ .writeonly = true,
.attr = "reset_history",
}, {
.reg = PMBUS_MFR_MAX_TEMP_2,
@@ -2250,7 +2266,7 @@ static int pmbus_add_fan_ctrl(struct i2c_client *client,
sensor = pmbus_add_sensor(data, "fan", "target", index, page,
0xff, PMBUS_VIRT_FAN_TARGET_1 + id, PSC_FAN,
- false, false, true);
+ false, false, false, true);
if (!sensor)
return -ENOMEM;
@@ -2261,14 +2277,14 @@ static int pmbus_add_fan_ctrl(struct i2c_client *client,
sensor = pmbus_add_sensor(data, "pwm", NULL, index, page,
0xff, PMBUS_VIRT_PWM_1 + id, PSC_PWM,
- false, false, true);
+ false, false, false, true);
if (!sensor)
return -ENOMEM;
sensor = pmbus_add_sensor(data, "pwm", "enable", index, page,
0xff, PMBUS_VIRT_PWM_ENABLE_1 + id, PSC_PWM,
- true, false, false);
+ true, false, false, false);
if (!sensor)
return -ENOMEM;
@@ -2310,7 +2326,7 @@ static int pmbus_add_fan_attributes(struct i2c_client *client,
if (pmbus_add_sensor(data, "fan", "input", index,
page, 0xff, pmbus_fan_registers[f],
- PSC_FAN, true, true, true) == NULL)
+ PSC_FAN, true, true, false, true) == NULL)
return -ENOMEM;
/* Fan control */
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 187/342] hwmon: (pmbus/core) Protect regulator operations with mutex
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 186/342] hwmon: (pmbus) Introduce the concept of "write-only" attributes Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 188/342] sysctl: fix uninitialized variable in proc_do_large_bitmap Greg Kroah-Hartman
` (171 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit 754bd2b4a084b90b5e7b630e1f423061a9b9b761 ]
The regulator operations pmbus_regulator_get_voltage(),
pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage()
access PMBus registers and shared data but were not protected by
the update_lock mutex. This could lead to race conditions.
However, adding mutex protection directly to these functions causes
a deadlock because pmbus_regulator_notify() (which calls
regulator_notifier_call_chain()) is often called with the mutex
already held (e.g., from pmbus_fault_handler()). If a regulator
callback then calls one of the now-protected voltage functions,
it will attempt to acquire the same mutex.
Rework pmbus_regulator_notify() to utilize a worker function to
send notifications outside of the mutex protection. Events are
stored as atomics in a per-page bitmask and processed by the worker.
Initialize the worker and its associated data during regulator
registration, and ensure it is cancelled on device removal using
devm_add_action_or_reset().
While at it, remove the unnecessary include of linux/of.h.
Cc: Sanman Pradhan <psanman@juniper.net>
Fixes: ddbb4db4ced1b ("hwmon: (pmbus) Add regulator support")
Reviewed-by: Sanman Pradhan <psanman@juniper.net>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/pmbus/pmbus_core.c | 114 ++++++++++++++++++++++++-------
1 file changed, 89 insertions(+), 25 deletions(-)
diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
index cbc36f0ba4bf9..572be3ebc03df 100644
--- a/drivers/hwmon/pmbus/pmbus_core.c
+++ b/drivers/hwmon/pmbus/pmbus_core.c
@@ -6,6 +6,7 @@
* Copyright (c) 2012 Guenter Roeck
*/
+#include <linux/atomic.h>
#include <linux/debugfs.h>
#include <linux/delay.h>
#include <linux/dcache.h>
@@ -21,8 +22,8 @@
#include <linux/pmbus.h>
#include <linux/regulator/driver.h>
#include <linux/regulator/machine.h>
-#include <linux/of.h>
#include <linux/thermal.h>
+#include <linux/workqueue.h>
#include "pmbus.h"
/*
@@ -112,6 +113,11 @@ struct pmbus_data {
struct mutex update_lock;
+#if IS_ENABLED(CONFIG_REGULATOR)
+ atomic_t regulator_events[PMBUS_PAGES];
+ struct work_struct regulator_notify_work;
+#endif
+
bool has_status_word; /* device uses STATUS_WORD register */
int (*read_status)(struct i2c_client *client, int page);
@@ -3228,12 +3234,19 @@ static int pmbus_regulator_get_voltage(struct regulator_dev *rdev)
.class = PSC_VOLTAGE_OUT,
.convert = true,
};
+ int ret;
+ mutex_lock(&data->update_lock);
s.data = _pmbus_read_word_data(client, s.page, 0xff, PMBUS_READ_VOUT);
- if (s.data < 0)
- return s.data;
+ if (s.data < 0) {
+ ret = s.data;
+ goto unlock;
+ }
- return (int)pmbus_reg2data(data, &s) * 1000; /* unit is uV */
+ ret = (int)pmbus_reg2data(data, &s) * 1000; /* unit is uV */
+unlock:
+ mutex_unlock(&data->update_lock);
+ return ret;
}
static int pmbus_regulator_set_voltage(struct regulator_dev *rdev, int min_uv,
@@ -3250,16 +3263,22 @@ static int pmbus_regulator_set_voltage(struct regulator_dev *rdev, int min_uv,
};
int val = DIV_ROUND_CLOSEST(min_uv, 1000); /* convert to mV */
int low, high;
+ int ret;
*selector = 0;
+ mutex_lock(&data->update_lock);
low = pmbus_regulator_get_low_margin(client, s.page);
- if (low < 0)
- return low;
+ if (low < 0) {
+ ret = low;
+ goto unlock;
+ }
high = pmbus_regulator_get_high_margin(client, s.page);
- if (high < 0)
- return high;
+ if (high < 0) {
+ ret = high;
+ goto unlock;
+ }
/* Make sure we are within margins */
if (low > val)
@@ -3269,7 +3288,10 @@ static int pmbus_regulator_set_voltage(struct regulator_dev *rdev, int min_uv,
val = pmbus_data2reg(data, &s, val);
- return _pmbus_write_word_data(client, s.page, PMBUS_VOUT_COMMAND, (u16)val);
+ ret = _pmbus_write_word_data(client, s.page, PMBUS_VOUT_COMMAND, (u16)val);
+unlock:
+ mutex_unlock(&data->update_lock);
+ return ret;
}
static int pmbus_regulator_list_voltage(struct regulator_dev *rdev,
@@ -3279,6 +3301,7 @@ static int pmbus_regulator_list_voltage(struct regulator_dev *rdev,
struct i2c_client *client = to_i2c_client(dev->parent);
struct pmbus_data *data = i2c_get_clientdata(client);
int val, low, high;
+ int ret;
if (data->flags & PMBUS_VOUT_PROTECTED)
return 0;
@@ -3291,18 +3314,29 @@ static int pmbus_regulator_list_voltage(struct regulator_dev *rdev,
val = DIV_ROUND_CLOSEST(rdev->desc->min_uV +
(rdev->desc->uV_step * selector), 1000); /* convert to mV */
+ mutex_lock(&data->update_lock);
+
low = pmbus_regulator_get_low_margin(client, rdev_get_id(rdev));
- if (low < 0)
- return low;
+ if (low < 0) {
+ ret = low;
+ goto unlock;
+ }
high = pmbus_regulator_get_high_margin(client, rdev_get_id(rdev));
- if (high < 0)
- return high;
+ if (high < 0) {
+ ret = high;
+ goto unlock;
+ }
- if (val >= low && val <= high)
- return val * 1000; /* unit is uV */
+ if (val >= low && val <= high) {
+ ret = val * 1000; /* unit is uV */
+ goto unlock;
+ }
- return 0;
+ ret = 0;
+unlock:
+ mutex_unlock(&data->update_lock);
+ return ret;
}
const struct regulator_ops pmbus_regulator_ops = {
@@ -3333,12 +3367,42 @@ int pmbus_regulator_init_cb(struct regulator_dev *rdev,
}
EXPORT_SYMBOL_NS_GPL(pmbus_regulator_init_cb, "PMBUS");
+static void pmbus_regulator_notify_work_cancel(void *data)
+{
+ struct pmbus_data *pdata = data;
+
+ cancel_work_sync(&pdata->regulator_notify_work);
+}
+
+static void pmbus_regulator_notify_worker(struct work_struct *work)
+{
+ struct pmbus_data *data =
+ container_of(work, struct pmbus_data, regulator_notify_work);
+ int i, j;
+
+ for (i = 0; i < data->info->pages; i++) {
+ int event;
+
+ event = atomic_xchg(&data->regulator_events[i], 0);
+ if (!event)
+ continue;
+
+ for (j = 0; j < data->info->num_regulators; j++) {
+ if (i == rdev_get_id(data->rdevs[j])) {
+ regulator_notifier_call_chain(data->rdevs[j],
+ event, NULL);
+ break;
+ }
+ }
+ }
+}
+
static int pmbus_regulator_register(struct pmbus_data *data)
{
struct device *dev = data->dev;
const struct pmbus_driver_info *info = data->info;
const struct pmbus_platform_data *pdata = dev_get_platdata(dev);
- int i;
+ int i, ret;
data->rdevs = devm_kzalloc(dev, sizeof(struct regulator_dev *) * info->num_regulators,
GFP_KERNEL);
@@ -3362,19 +3426,19 @@ static int pmbus_regulator_register(struct pmbus_data *data)
info->reg_desc[i].name);
}
+ INIT_WORK(&data->regulator_notify_work, pmbus_regulator_notify_worker);
+
+ ret = devm_add_action_or_reset(dev, pmbus_regulator_notify_work_cancel, data);
+ if (ret)
+ return ret;
+
return 0;
}
static void pmbus_regulator_notify(struct pmbus_data *data, int page, int event)
{
- int j;
-
- for (j = 0; j < data->info->num_regulators; j++) {
- if (page == rdev_get_id(data->rdevs[j])) {
- regulator_notifier_call_chain(data->rdevs[j], event, NULL);
- break;
- }
- }
+ atomic_or(event, &data->regulator_events[page]);
+ schedule_work(&data->regulator_notify_work);
}
#else
static int pmbus_regulator_register(struct pmbus_data *data)
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 188/342] sysctl: fix uninitialized variable in proc_do_large_bitmap
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 187/342] hwmon: (pmbus/core) Protect regulator operations with mutex Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 189/342] ASoC: adau1372: Fix unchecked clk_prepare_enable() return value Greg Kroah-Hartman
` (170 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Buerg, Joel Granados,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Buerg <buermarc@googlemail.com>
[ Upstream commit f63a9df7e3f9f842945d292a19d9938924f066f9 ]
proc_do_large_bitmap() does not initialize variable c, which is expected
to be set to a trailing character by proc_get_long().
However, proc_get_long() only sets c when the input buffer contains a
trailing character after the parsed value.
If c is not initialized it may happen to contain a '-'. If this is the
case proc_do_large_bitmap() expects to be able to parse a second part of
the input buffer. If there is no second part an unjustified -EINVAL will
be returned.
Initialize c to 0 to prevent returning -EINVAL on valid input.
Fixes: 9f977fb7ae9d ("sysctl: add proc_do_large_bitmap")
Signed-off-by: Marc Buerg <buermarc@googlemail.com>
Reviewed-by: Joel Granados <joel.granados@kernel.org>
Signed-off-by: Joel Granados <joel.granados@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sysctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 2cd767b9680eb..c9389b50b8264 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -895,7 +895,7 @@ int proc_do_large_bitmap(const struct ctl_table *table, int dir,
unsigned long bitmap_len = table->maxlen;
unsigned long *bitmap = *(unsigned long **) table->data;
unsigned long *tmp_bitmap = NULL;
- char tr_a[] = { '-', ',', '\n' }, tr_b[] = { ',', '\n', 0 }, c;
+ char tr_a[] = { '-', ',', '\n' }, tr_b[] = { ',', '\n', 0 }, c = 0;
if (!bitmap || !bitmap_len || !left || (*ppos && SYSCTL_KERN_TO_USER(dir))) {
*lenp = 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 189/342] ASoC: adau1372: Fix unchecked clk_prepare_enable() return value
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 188/342] sysctl: fix uninitialized variable in proc_do_large_bitmap Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 190/342] ASoC: adau1372: Fix clock leak on PLL lock failure Greg Kroah-Hartman
` (169 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jihed Chaibi, Nuno Sá,
Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jihed Chaibi <jihed.chaibi.dev@gmail.com>
[ Upstream commit 326fe8104a4020d30080d37ac8b6b43893cdebca ]
adau1372_set_power() calls clk_prepare_enable() but discards the return
value. If the clock enable fails, the driver proceeds to access registers
on unpowered hardware, potentially causing silent corruption.
Make adau1372_set_power() return int and propagate the error from
clk_prepare_enable(). Update adau1372_set_bias_level() to return the
error directly for the STANDBY and OFF cases.
Signed-off-by: Jihed Chaibi <jihed.chaibi.dev@gmail.com>
Fixes: 6cd4c6459e47 ("ASoC: Add ADAU1372 audio CODEC support")
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Link: https://patch.msgid.link/20260325210704.76847-2-jihed.chaibi.dev@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/adau1372.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/sound/soc/codecs/adau1372.c b/sound/soc/codecs/adau1372.c
index fdee689cae538..6345342218d61 100644
--- a/sound/soc/codecs/adau1372.c
+++ b/sound/soc/codecs/adau1372.c
@@ -782,15 +782,18 @@ static void adau1372_enable_pll(struct adau1372 *adau1372)
dev_err(adau1372->dev, "Failed to lock PLL\n");
}
-static void adau1372_set_power(struct adau1372 *adau1372, bool enable)
+static int adau1372_set_power(struct adau1372 *adau1372, bool enable)
{
if (adau1372->enabled == enable)
- return;
+ return 0;
if (enable) {
unsigned int clk_ctrl = ADAU1372_CLK_CTRL_MCLK_EN;
+ int ret;
- clk_prepare_enable(adau1372->mclk);
+ ret = clk_prepare_enable(adau1372->mclk);
+ if (ret)
+ return ret;
if (adau1372->pd_gpio)
gpiod_set_value(adau1372->pd_gpio, 0);
@@ -829,6 +832,8 @@ static void adau1372_set_power(struct adau1372 *adau1372, bool enable)
}
adau1372->enabled = enable;
+
+ return 0;
}
static int adau1372_set_bias_level(struct snd_soc_component *component,
@@ -842,11 +847,9 @@ static int adau1372_set_bias_level(struct snd_soc_component *component,
case SND_SOC_BIAS_PREPARE:
break;
case SND_SOC_BIAS_STANDBY:
- adau1372_set_power(adau1372, true);
- break;
+ return adau1372_set_power(adau1372, true);
case SND_SOC_BIAS_OFF:
- adau1372_set_power(adau1372, false);
- break;
+ return adau1372_set_power(adau1372, false);
}
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 190/342] ASoC: adau1372: Fix clock leak on PLL lock failure
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 189/342] ASoC: adau1372: Fix unchecked clk_prepare_enable() return value Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 191/342] spi: spi-fsl-lpspi: fix teardown order issue (UAF) Greg Kroah-Hartman
` (168 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jihed Chaibi, Nuno Sá,
Mark Brown, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jihed Chaibi <jihed.chaibi.dev@gmail.com>
[ Upstream commit bfe6a264effcb6fe99ad7ceaf9e8c7439fc9555b ]
adau1372_enable_pll() was a void function that logged a dev_err() on
PLL lock timeout but did not propagate the error. As a result,
adau1372_set_power() would continue with adau1372->enabled set to true
despite the PLL being unlocked, and the mclk left enabled with no
corresponding disable on the error path.
Convert adau1372_enable_pll() to return int, using -ETIMEDOUT on lock
timeout and propagating regmap errors directly. In adau1372_set_power(),
check the return value and unwind in reverse order: restore regcache to
cache-only mode, reassert GPIO power-down, and disable the clock before
returning the error.
Signed-off-by: Jihed Chaibi <jihed.chaibi.dev@gmail.com>
Fixes: 6cd4c6459e47 ("ASoC: Add ADAU1372 audio CODEC support")
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Link: https://patch.msgid.link/20260325210704.76847-3-jihed.chaibi.dev@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/adau1372.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/sound/soc/codecs/adau1372.c b/sound/soc/codecs/adau1372.c
index 6345342218d61..d7363f9d53bb3 100644
--- a/sound/soc/codecs/adau1372.c
+++ b/sound/soc/codecs/adau1372.c
@@ -762,7 +762,7 @@ static int adau1372_startup(struct snd_pcm_substream *substream, struct snd_soc_
return 0;
}
-static void adau1372_enable_pll(struct adau1372 *adau1372)
+static int adau1372_enable_pll(struct adau1372 *adau1372)
{
unsigned int val, timeout = 0;
int ret;
@@ -778,8 +778,12 @@ static void adau1372_enable_pll(struct adau1372 *adau1372)
timeout++;
} while (!(val & 1) && timeout < 3);
- if (ret < 0 || !(val & 1))
+ if (ret < 0 || !(val & 1)) {
dev_err(adau1372->dev, "Failed to lock PLL\n");
+ return ret < 0 ? ret : -ETIMEDOUT;
+ }
+
+ return 0;
}
static int adau1372_set_power(struct adau1372 *adau1372, bool enable)
@@ -807,7 +811,14 @@ static int adau1372_set_power(struct adau1372 *adau1372, bool enable)
* accessed.
*/
if (adau1372->use_pll) {
- adau1372_enable_pll(adau1372);
+ ret = adau1372_enable_pll(adau1372);
+ if (ret) {
+ regcache_cache_only(adau1372->regmap, true);
+ if (adau1372->pd_gpio)
+ gpiod_set_value(adau1372->pd_gpio, 1);
+ clk_disable_unprepare(adau1372->mclk);
+ return ret;
+ }
clk_ctrl |= ADAU1372_CLK_CTRL_CLKSRC;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 191/342] spi: spi-fsl-lpspi: fix teardown order issue (UAF)
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 190/342] ASoC: adau1372: Fix clock leak on PLL lock failure Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 192/342] io_uring/fdinfo: fix SQE_MIXED SQE displaying Greg Kroah-Hartman
` (167 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde, Mark Brown,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
[ Upstream commit b341c1176f2e001b3adf0b47154fc31589f7410e ]
There is a teardown order issue in the driver. The SPI controller is
registered using devm_spi_register_controller(), which delays
unregistration of the SPI controller until after the fsl_lpspi_remove()
function returns.
As the fsl_lpspi_remove() function synchronously tears down the DMA
channels, a running SPI transfer triggers the following NULL pointer
dereference due to use after free:
| fsl_lpspi 42550000.spi: I/O Error in DMA RX
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[...]
| Call trace:
| fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]
| fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]
| spi_transfer_one_message+0x49c/0x7c8
| __spi_pump_transfer_message+0x120/0x420
| __spi_sync+0x2c4/0x520
| spi_sync+0x34/0x60
| spidev_message+0x20c/0x378 [spidev]
| spidev_ioctl+0x398/0x750 [spidev]
[...]
Switch from devm_spi_register_controller() to spi_register_controller() in
fsl_lpspi_probe() and add the corresponding spi_unregister_controller() in
fsl_lpspi_remove().
Fixes: 5314987de5e5 ("spi: imx: add lpspi bus driver")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Link: https://patch.msgid.link/20260319-spi-fsl-lpspi-fixes-v1-1-b433e435b2d8@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-fsl-lpspi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c
index 065456aba2aea..47d372557e4f6 100644
--- a/drivers/spi/spi-fsl-lpspi.c
+++ b/drivers/spi/spi-fsl-lpspi.c
@@ -972,7 +972,7 @@ static int fsl_lpspi_probe(struct platform_device *pdev)
enable_irq(irq);
}
- ret = devm_spi_register_controller(&pdev->dev, controller);
+ ret = spi_register_controller(controller);
if (ret < 0) {
dev_err_probe(&pdev->dev, ret, "spi_register_controller error\n");
goto free_dma;
@@ -998,6 +998,7 @@ static void fsl_lpspi_remove(struct platform_device *pdev)
struct fsl_lpspi_data *fsl_lpspi =
spi_controller_get_devdata(controller);
+ spi_unregister_controller(controller);
fsl_lpspi_dma_exit(controller);
pm_runtime_dont_use_autosuspend(fsl_lpspi->dev);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 192/342] io_uring/fdinfo: fix SQE_MIXED SQE displaying
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 191/342] spi: spi-fsl-lpspi: fix teardown order issue (UAF) Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 193/342] io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check Greg Kroah-Hartman
` (166 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
[ Upstream commit b59efde9e6c122207c16169d3d0deb623956eae9 ]
When displaying pending SQEs for a MIXED ring, each 128-byte SQE
increments sq_head to skip the second slot, but the loop counter is not
adjusted. This can cause the loop to read past sq_tail by one entry for
each 128-byte SQE encountered, displaying SQEs that haven't been made
consumable yet by the application.
Match the kernel's own consumption logic in io_init_req() which
decrements what's left when consuming the extra slot.
Fixes: 1cba30bf9fdd ("io_uring: add support for IORING_SETUP_SQE_MIXED")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
io_uring/fdinfo.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c
index 80178b69e05a2..25c92ace18bd1 100644
--- a/io_uring/fdinfo.c
+++ b/io_uring/fdinfo.c
@@ -125,6 +125,7 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
sq_idx);
break;
}
+ i++;
sqe128 = true;
}
seq_printf(m, "%5u: opcode:%s, fd:%d, flags:%x, off:%llu, "
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 193/342] io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 192/342] io_uring/fdinfo: fix SQE_MIXED SQE displaying Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 194/342] ALSA: usb-audio: Exclude Scarlett 2i4 1st Gen from SKIP_IFACE_SETUP Greg Kroah-Hartman
` (165 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicholas Carlini, Jens Axboe,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Carlini <nicholas@carlini.com>
[ Upstream commit 5170efd9c344c68a8075dcb8ed38d3f8a60e7ed4 ]
__io_uring_show_fdinfo() iterates over pending SQEs and, for 128-byte
SQEs on an IORING_SETUP_SQE_MIXED ring, needs to detect when the second
half of the SQE would be past the end of the sq_sqes array. The current
check tests (++sq_head & sq_mask) == 0, but sq_head is only incremented
when a 128-byte SQE is encountered, not on every iteration. The actual
array index is sq_idx = (i + sq_head) & sq_mask, which can be sq_mask
(the last slot) while the wrap check passes.
Fix by checking sq_idx directly. Keep the sq_head increment so the loop
still skips the second half of the 128-byte SQE on the next iteration.
Fixes: 1cba30bf9fdd ("io_uring: add support for IORING_SETUP_SQE_MIXED")
Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
Link: https://patch.msgid.link/20260327021823.3138396-1-nicholas@carlini.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
io_uring/fdinfo.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c
index 25c92ace18bd1..c2d3e45544bb4 100644
--- a/io_uring/fdinfo.c
+++ b/io_uring/fdinfo.c
@@ -119,12 +119,13 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
sq_idx);
break;
}
- if ((++sq_head & sq_mask) == 0) {
+ if (sq_idx == sq_mask) {
seq_printf(m,
"%5u: corrupted sqe, wrapping 128B entry\n",
sq_idx);
break;
}
+ sq_head++;
i++;
sqe128 = true;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 194/342] ALSA: usb-audio: Exclude Scarlett 2i4 1st Gen from SKIP_IFACE_SETUP
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 193/342] io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 195/342] s390/syscalls: Add spectre boundary for syscall dispatch table Greg Kroah-Hartman
` (164 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geoffrey D. Bennett, Takashi Iwai,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geoffrey D. Bennett <g@b4.vu>
[ Upstream commit 990a8b0732cf899d4a0f847b0a67efeb9a384c82 ]
Same issue that the Scarlett 2i2 1st Gen had:
QUIRK_FLAG_SKIP_IFACE_SETUP causes distorted/flanging audio on the
Scarlett 2i4 1st Gen (1235:800a).
Fixes: 38c322068a26 ("ALSA: usb-audio: Add QUIRK_FLAG_SKIP_IFACE_SETUP")
Reported-by: dcferreira [https://github.com/geoffreybennett/linux-fcp/issues/54]
Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
Link: https://patch.msgid.link/acEkEbftzyNe8W7C@m.b4.vu
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 461d7d254e378..09ed935107580 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2426,6 +2426,7 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
VENDOR_FLG(0x07fd, /* MOTU */
QUIRK_FLAG_VALIDATE_RATES),
DEVICE_FLG(0x1235, 0x8006, 0), /* Focusrite Scarlett 2i2 1st Gen */
+ DEVICE_FLG(0x1235, 0x800a, 0), /* Focusrite Scarlett 2i4 1st Gen */
VENDOR_FLG(0x1235, /* Focusrite Novation */
QUIRK_FLAG_SKIP_IFACE_SETUP),
VENDOR_FLG(0x1511, /* AURALiC */
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 195/342] s390/syscalls: Add spectre boundary for syscall dispatch table
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 194/342] ALSA: usb-audio: Exclude Scarlett 2i4 1st Gen from SKIP_IFACE_SETUP Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 196/342] s390/barrier: Make array_index_mask_nospec() __always_inline Greg Kroah-Hartman
` (163 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Vasily Gorbik,
Alexander Gordeev, Christian Borntraeger, Sven Schnelle,
Arnd Bergmann, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 48b8814e25d073dd84daf990a879a820bad2bcbd upstream.
The s390 syscall number is directly controlled by userspace, but does
not have an array_index_nospec() boundary to prevent access past the
syscall function pointer tables.
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>
Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Fixes: 56e62a737028 ("s390: convert to generic entry")
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Link: https://lore.kernel.org/r/2026032404-sterling-swoosh-43e6@gregkh
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/kernel/syscall.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/arch/s390/kernel/syscall.c
+++ b/arch/s390/kernel/syscall.c
@@ -13,6 +13,7 @@
*/
#include <linux/cpufeature.h>
+#include <linux/nospec.h>
#include <linux/errno.h>
#include <linux/sched.h>
#include <linux/mm.h>
@@ -131,8 +132,10 @@ void noinstr __do_syscall(struct pt_regs
if (unlikely(test_and_clear_pt_regs_flag(regs, PIF_SYSCALL_RET_SET)))
goto out;
regs->gprs[2] = -ENOSYS;
- if (likely(nr < NR_syscalls))
+ if (likely(nr < NR_syscalls)) {
+ nr = array_index_nospec(nr, NR_syscalls);
regs->gprs[2] = sys_call_table[nr](regs);
+ }
out:
syscall_exit_to_user_mode(regs);
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 196/342] s390/barrier: Make array_index_mask_nospec() __always_inline
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 195/342] s390/syscalls: Add spectre boundary for syscall dispatch table Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 197/342] s390/entry: Scrub r12 register on kernel entry Greg Kroah-Hartman
` (162 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ilya Leoshkevich,
Vasily Gorbik
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasily Gorbik <gor@linux.ibm.com>
commit c5c0a268b38adffbb2e70e6957017537ff54c157 upstream.
Mark array_index_mask_nospec() as __always_inline to guarantee the
mitigation is emitted inline regardless of compiler inlining decisions.
Fixes: e2dd833389cc ("s390: add optimized array_index_mask_nospec")
Cc: stable@kernel.org
Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/include/asm/barrier.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/s390/include/asm/barrier.h
+++ b/arch/s390/include/asm/barrier.h
@@ -62,8 +62,8 @@ do { \
* @size: number of elements in array
*/
#define array_index_mask_nospec array_index_mask_nospec
-static inline unsigned long array_index_mask_nospec(unsigned long index,
- unsigned long size)
+static __always_inline unsigned long array_index_mask_nospec(unsigned long index,
+ unsigned long size)
{
unsigned long mask;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 197/342] s390/entry: Scrub r12 register on kernel entry
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 196/342] s390/barrier: Make array_index_mask_nospec() __always_inline Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 198/342] tracing: Drain deferred trigger frees if kthread creation fails Greg Kroah-Hartman
` (161 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ilya Leoshkevich,
Vasily Gorbik
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasily Gorbik <gor@linux.ibm.com>
commit 0738d395aab8fae3b5a3ad3fc640630c91693c27 upstream.
Before commit f33f2d4c7c80 ("s390/bp: remove TIF_ISOLATE_BP"),
all entry handlers loaded r12 with the current task pointer
(lg %r12,__LC_CURRENT) for use by the BPENTER/BPEXIT macros. That
commit removed TIF_ISOLATE_BP, dropping both the branch prediction
macros and the r12 load, but did not add r12 to the register clearing
sequence.
Add the missing xgr %r12,%r12 to make the register scrub consistent
across all entry points.
Fixes: f33f2d4c7c80 ("s390/bp: remove TIF_ISOLATE_BP")
Cc: stable@kernel.org
Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/kernel/entry.S | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/s390/kernel/entry.S
+++ b/arch/s390/kernel/entry.S
@@ -260,6 +260,7 @@ SYM_CODE_START(system_call)
xgr %r9,%r9
xgr %r10,%r10
xgr %r11,%r11
+ xgr %r12,%r12
la %r2,STACK_FRAME_OVERHEAD(%r15) # pointer to pt_regs
mvc __PT_R8(64,%r2),__LC_SAVE_AREA(%r13)
MBEAR %r2,%r13
@@ -396,6 +397,7 @@ SYM_CODE_START(\name)
xgr %r6,%r6
xgr %r7,%r7
xgr %r10,%r10
+ xgr %r12,%r12
xc __PT_FLAGS(8,%r11),__PT_FLAGS(%r11)
mvc __PT_R8(64,%r11),__LC_SAVE_AREA(%r13)
MBEAR %r11,%r13
@@ -485,6 +487,7 @@ SYM_CODE_START(mcck_int_handler)
xgr %r6,%r6
xgr %r7,%r7
xgr %r10,%r10
+ xgr %r12,%r12
stmg %r8,%r9,__PT_PSW(%r11)
xc __PT_FLAGS(8,%r11),__PT_FLAGS(%r11)
xc __SF_BACKCHAIN(8,%r15),__SF_BACKCHAIN(%r15)
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 198/342] tracing: Drain deferred trigger frees if kthread creation fails
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 197/342] s390/entry: Scrub r12 register on kernel entry Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 199/342] tracing: Fix potential deadlock in cpu hotplug with osnoise Greg Kroah-Hartman
` (160 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wesley Atwell,
Steven Rostedt (Google)
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wesley Atwell <atwellwea@gmail.com>
commit 250ab25391edeeab8462b68be42e4904506c409c upstream.
Boot-time trigger registration can fail before the trigger-data cleanup
kthread exists. Deferring those frees until late init is fine, but the
post-boot fallback must still drain the deferred list if kthread
creation never succeeds.
Otherwise, boot-deferred nodes can accumulate on
trigger_data_free_list, later frees fall back to synchronously freeing
only the current object, and the older queued entries are leaked
forever.
To trigger this, add the following to the kernel command line:
trace_event=sched_switch trace_trigger=sched_switch.traceon,sched_switch.traceon
The second traceon trigger will fail and be freed. This triggers a NULL
pointer dereference and crashes the kernel.
Keep the deferred boot-time behavior, but when kthread creation fails,
drain the whole queued list synchronously. Do the same in the late-init
drain path so queued entries are not stranded there either.
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260324221326.1395799-3-atwellwea@gmail.com
Fixes: 61d445af0a7c ("tracing: Add bulk garbage collection of freeing event_trigger_data")
Signed-off-by: Wesley Atwell <atwellwea@gmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events_trigger.c | 79 ++++++++++++++++++++++++++++++------
1 file changed, 66 insertions(+), 13 deletions(-)
--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -22,6 +22,39 @@ static struct task_struct *trigger_kthre
static struct llist_head trigger_data_free_list;
static DEFINE_MUTEX(trigger_data_kthread_mutex);
+static int trigger_kthread_fn(void *ignore);
+
+static void trigger_create_kthread_locked(void)
+{
+ lockdep_assert_held(&trigger_data_kthread_mutex);
+
+ if (!trigger_kthread) {
+ struct task_struct *kthread;
+
+ kthread = kthread_create(trigger_kthread_fn, NULL,
+ "trigger_data_free");
+ if (!IS_ERR(kthread))
+ WRITE_ONCE(trigger_kthread, kthread);
+ }
+}
+
+static void trigger_data_free_queued_locked(void)
+{
+ struct event_trigger_data *data, *tmp;
+ struct llist_node *llnodes;
+
+ lockdep_assert_held(&trigger_data_kthread_mutex);
+
+ llnodes = llist_del_all(&trigger_data_free_list);
+ if (!llnodes)
+ return;
+
+ tracepoint_synchronize_unregister();
+
+ llist_for_each_entry_safe(data, tmp, llnodes, llist)
+ kfree(data);
+}
+
/* Bulk garbage collection of event_trigger_data elements */
static int trigger_kthread_fn(void *ignore)
{
@@ -56,30 +89,50 @@ void trigger_data_free(struct event_trig
if (data->cmd_ops->set_filter)
data->cmd_ops->set_filter(NULL, data, NULL);
+ /*
+ * Boot-time trigger registration can fail before kthread creation
+ * works. Keep the deferred-free semantics during boot and let late
+ * init start the kthread to drain the list.
+ */
+ if (system_state == SYSTEM_BOOTING && !trigger_kthread) {
+ llist_add(&data->llist, &trigger_data_free_list);
+ return;
+ }
+
if (unlikely(!trigger_kthread)) {
guard(mutex)(&trigger_data_kthread_mutex);
+
+ trigger_create_kthread_locked();
/* Check again after taking mutex */
if (!trigger_kthread) {
- struct task_struct *kthread;
-
- kthread = kthread_create(trigger_kthread_fn, NULL,
- "trigger_data_free");
- if (!IS_ERR(kthread))
- WRITE_ONCE(trigger_kthread, kthread);
+ llist_add(&data->llist, &trigger_data_free_list);
+ /* Drain the queued frees synchronously if creation failed. */
+ trigger_data_free_queued_locked();
+ return;
}
}
- if (!trigger_kthread) {
- /* Do it the slow way */
- tracepoint_synchronize_unregister();
- kfree(data);
- return;
- }
-
llist_add(&data->llist, &trigger_data_free_list);
wake_up_process(trigger_kthread);
}
+static int __init trigger_data_free_init(void)
+{
+ guard(mutex)(&trigger_data_kthread_mutex);
+
+ if (llist_empty(&trigger_data_free_list))
+ return 0;
+
+ trigger_create_kthread_locked();
+ if (trigger_kthread)
+ wake_up_process(trigger_kthread);
+ else
+ trigger_data_free_queued_locked();
+
+ return 0;
+}
+late_initcall(trigger_data_free_init);
+
static inline void data_ops_trigger(struct event_trigger_data *data,
struct trace_buffer *buffer, void *rec,
struct ring_buffer_event *event)
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 199/342] tracing: Fix potential deadlock in cpu hotplug with osnoise
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 198/342] tracing: Drain deferred trigger frees if kthread creation fails Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 200/342] drm/xe: always keep track of remap prev/next Greg Kroah-Hartman
` (159 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, mathieu.desnoyers, zhang.run,
yang.tao172, ran.xiaokai, Masami Hiramatsu (Google), Luo Haiyang,
Steven Rostedt (Google)
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luo Haiyang <luo.haiyang@zte.com.cn>
commit 1f9885732248d22f788e4992c739a98c88ab8a55 upstream.
The following sequence may leads deadlock in cpu hotplug:
task1 task2 task3
----- ----- -----
mutex_lock(&interface_lock)
[CPU GOING OFFLINE]
cpus_write_lock();
osnoise_cpu_die();
kthread_stop(task3);
wait_for_completion();
osnoise_sleep();
mutex_lock(&interface_lock);
cpus_read_lock();
[DEAD LOCK]
Fix by swap the order of cpus_read_lock() and mutex_lock(&interface_lock).
Cc: stable@vger.kernel.org
Cc: <mathieu.desnoyers@efficios.com>
Cc: <zhang.run@zte.com.cn>
Cc: <yang.tao172@zte.com.cn>
Cc: <ran.xiaokai@zte.com.cn>
Fixes: bce29ac9ce0bb ("trace: Add osnoise tracer")
Link: https://patch.msgid.link/20260326141953414bVSj33dAYktqp9Oiyizq8@zte.com.cn
Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Luo Haiyang <luo.haiyang@zte.com.cn>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_osnoise.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/kernel/trace/trace_osnoise.c
+++ b/kernel/trace/trace_osnoise.c
@@ -2073,8 +2073,8 @@ static void osnoise_hotplug_workfn(struc
if (!osnoise_has_registered_instances())
return;
- guard(mutex)(&interface_lock);
guard(cpus_read_lock)();
+ guard(mutex)(&interface_lock);
if (!cpu_online(cpu))
return;
@@ -2237,11 +2237,11 @@ static ssize_t osnoise_options_write(str
if (running)
stop_per_cpu_kthreads();
- mutex_lock(&interface_lock);
/*
* avoid CPU hotplug operations that might read options.
*/
cpus_read_lock();
+ mutex_lock(&interface_lock);
retval = cnt;
@@ -2257,8 +2257,8 @@ static ssize_t osnoise_options_write(str
clear_bit(option, &osnoise_options);
}
- cpus_read_unlock();
mutex_unlock(&interface_lock);
+ cpus_read_unlock();
if (running)
start_per_cpu_kthreads();
@@ -2345,16 +2345,16 @@ osnoise_cpus_write(struct file *filp, co
if (running)
stop_per_cpu_kthreads();
- mutex_lock(&interface_lock);
/*
* osnoise_cpumask is read by CPU hotplug operations.
*/
cpus_read_lock();
+ mutex_lock(&interface_lock);
cpumask_copy(&osnoise_cpumask, osnoise_cpumask_new);
- cpus_read_unlock();
mutex_unlock(&interface_lock);
+ cpus_read_unlock();
if (running)
start_per_cpu_kthreads();
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 200/342] drm/xe: always keep track of remap prev/next
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 199/342] tracing: Fix potential deadlock in cpu hotplug with osnoise Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 201/342] ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len() Greg Kroah-Hartman
` (158 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Auld, Matthew Brost,
Rodrigo Vivi
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Auld <matthew.auld@intel.com>
commit bfe9e314d7574d1c5c851972e7aee342733819d2 upstream.
During 3D workload, user is reporting hitting:
[ 413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925
[ 413.361944] CPU: 7 UID: 1000 PID: 9925 Comm: vkd3d_queue Kdump: loaded Not tainted 7.0.0-070000rc3-generic #202603090038 PREEMPT(lazy)
[ 413.361949] RIP: 0010:vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe]
[ 413.362074] RSP: 0018:ffffd4c25c3df930 EFLAGS: 00010282
[ 413.362077] RAX: 0000000000000000 RBX: ffff8f3ee817ed10 RCX: 0000000000000000
[ 413.362078] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 413.362079] RBP: ffffd4c25c3df980 R08: 0000000000000000 R09: 0000000000000000
[ 413.362081] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8f41fbf99380
[ 413.362082] R13: ffff8f3ee817e968 R14: 00000000ffffffef R15: ffff8f43d00bd380
[ 413.362083] FS: 00000001040ff6c0(0000) GS:ffff8f4696d89000(0000) knlGS:00000000330b0000
[ 413.362085] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 413.362086] CR2: 00007ddfc4747000 CR3: 00000002e6262005 CR4: 0000000000f72ef0
[ 413.362088] PKRU: 55555554
[ 413.362089] Call Trace:
[ 413.362092] <TASK>
[ 413.362096] xe_vm_bind_ioctl+0xa9a/0xc60 [xe]
Which seems to hint that the vma we are re-inserting for the ops unwind
is either invalid or overlapping with something already inserted in the
vm. It shouldn't be invalid since this is a re-insertion, so must have
worked before. Leaving the likely culprit as something already placed
where we want to insert the vma.
Following from that, for the case where we do something like a rebind in
the middle of a vma, and one or both mapped ends are already compatible,
we skip doing the rebind of those vma and set next/prev to NULL. As well
as then adjust the original unmap va range, to avoid unmapping the ends.
However, if we trigger the unwind path, we end up with three va, with
the two ends never being removed and the original va range in the middle
still being the shrunken size.
If this occurs, one failure mode is when another unwind op needs to
interact with that range, which can happen with a vector of binds. For
example, if we need to re-insert something in place of the original va.
In this case the va is still the shrunken version, so when removing it
and then doing a re-insert it can overlap with the ends, which were
never removed, triggering a warning like above, plus leaving the vm in a
bad state.
With that, we need two things here:
1) Stop nuking the prev/next tracking for the skip cases. Instead
relying on checking for skip prev/next, where needed. That way on the
unwind path, we now correctly remove both ends.
2) Undo the unmap va shrinkage, on the unwind path. With the two ends
now removed the unmap va should expand back to the original size again,
before re-insertion.
v2:
- Update the explanation in the commit message, based on an actual IGT of
triggering this issue, rather than conjecture.
- Also undo the unmap shrinkage, for the skip case. With the two ends
now removed, the original unmap va range should expand back to the
original range.
v3:
- Track the old start/range separately. vma_size/start() uses the va
info directly.
Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/7602
Fixes: 8f33b4f054fc ("drm/xe: Avoid doing rebinds")
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: <stable@vger.kernel.org> # v6.8+
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20260318100208.78097-2-matthew.auld@intel.com
(cherry picked from commit aec6969f75afbf4e01fd5fb5850ed3e9c27043ac)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/xe/xe_pt.c | 12 ++++++------
drivers/gpu/drm/xe/xe_vm.c | 22 ++++++++++++++++++----
drivers/gpu/drm/xe/xe_vm_types.h | 4 ++++
3 files changed, 28 insertions(+), 10 deletions(-)
--- a/drivers/gpu/drm/xe/xe_pt.c
+++ b/drivers/gpu/drm/xe/xe_pt.c
@@ -1442,9 +1442,9 @@ static int op_check_svm_userptr(struct x
err = vma_check_userptr(vm, op->map.vma, pt_update);
break;
case DRM_GPUVA_OP_REMAP:
- if (op->remap.prev)
+ if (op->remap.prev && !op->remap.skip_prev)
err = vma_check_userptr(vm, op->remap.prev, pt_update);
- if (!err && op->remap.next)
+ if (!err && op->remap.next && !op->remap.skip_next)
err = vma_check_userptr(vm, op->remap.next, pt_update);
break;
case DRM_GPUVA_OP_UNMAP:
@@ -2029,12 +2029,12 @@ static int op_prepare(struct xe_vm *vm,
err = unbind_op_prepare(tile, pt_update_ops, old);
- if (!err && op->remap.prev) {
+ if (!err && op->remap.prev && !op->remap.skip_prev) {
err = bind_op_prepare(vm, tile, pt_update_ops,
op->remap.prev, false);
pt_update_ops->wait_vm_bookkeep = true;
}
- if (!err && op->remap.next) {
+ if (!err && op->remap.next && !op->remap.skip_next) {
err = bind_op_prepare(vm, tile, pt_update_ops,
op->remap.next, false);
pt_update_ops->wait_vm_bookkeep = true;
@@ -2258,10 +2258,10 @@ static void op_commit(struct xe_vm *vm,
unbind_op_commit(vm, tile, pt_update_ops, old, fence, fence2);
- if (op->remap.prev)
+ if (op->remap.prev && !op->remap.skip_prev)
bind_op_commit(vm, tile, pt_update_ops, op->remap.prev,
fence, fence2, false);
- if (op->remap.next)
+ if (op->remap.next && !op->remap.skip_next)
bind_op_commit(vm, tile, pt_update_ops, op->remap.next,
fence, fence2, false);
break;
--- a/drivers/gpu/drm/xe/xe_vm.c
+++ b/drivers/gpu/drm/xe/xe_vm.c
@@ -2532,7 +2532,6 @@ static int xe_vma_op_commit(struct xe_vm
if (!err && op->remap.skip_prev) {
op->remap.prev->tile_present =
tile_present;
- op->remap.prev = NULL;
}
}
if (op->remap.next) {
@@ -2542,11 +2541,13 @@ static int xe_vma_op_commit(struct xe_vm
if (!err && op->remap.skip_next) {
op->remap.next->tile_present =
tile_present;
- op->remap.next = NULL;
}
}
- /* Adjust for partial unbind after removing VMA from VM */
+ /*
+ * Adjust for partial unbind after removing VMA from VM. In case
+ * of unwind we might need to undo this later.
+ */
if (!err) {
op->base.remap.unmap->va->va.addr = op->remap.start;
op->base.remap.unmap->va->va.range = op->remap.range;
@@ -2665,6 +2666,8 @@ static int vm_bind_ioctl_ops_parse(struc
op->remap.start = xe_vma_start(old);
op->remap.range = xe_vma_size(old);
+ op->remap.old_start = op->remap.start;
+ op->remap.old_range = op->remap.range;
flags |= op->base.remap.unmap->va->flags & XE_VMA_CREATE_MASK;
if (op->base.remap.prev) {
@@ -2812,8 +2815,19 @@ static void xe_vma_op_unwind(struct xe_v
xe_svm_notifier_lock(vm);
vma->gpuva.flags &= ~XE_VMA_DESTROYED;
xe_svm_notifier_unlock(vm);
- if (post_commit)
+ if (post_commit) {
+ /*
+ * Restore the old va range, in case of the
+ * prev/next skip optimisation. Otherwise what
+ * we re-insert here could be smaller than the
+ * original range.
+ */
+ op->base.remap.unmap->va->va.addr =
+ op->remap.old_start;
+ op->base.remap.unmap->va->va.range =
+ op->remap.old_range;
xe_vm_insert_vma(vm, vma);
+ }
}
break;
}
--- a/drivers/gpu/drm/xe/xe_vm_types.h
+++ b/drivers/gpu/drm/xe/xe_vm_types.h
@@ -360,6 +360,10 @@ struct xe_vma_op_remap {
u64 start;
/** @range: range of the VMA unmap */
u64 range;
+ /** @old_start: Original start of the VMA we unmap */
+ u64 old_start;
+ /** @old_range: Original range of the VMA we unmap */
+ u64 old_range;
/** @skip_prev: skip prev rebind */
bool skip_prev;
/** @skip_next: skip next rebind */
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 201/342] ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 200/342] drm/xe: always keep track of remap prev/next Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 202/342] ksmbd: fix potencial OOB in get_file_all_info() for compound requests Greg Kroah-Hartman
` (157 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit 0e55f63dd08f09651d39e1b709a91705a8a0ddcb upstream.
After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"),
response buffer management was changed to use dynamic iov array.
In the new design, smb2_calc_max_out_buf_len() expects the second
argument (hdr2_len) to be the offset of ->Buffer field in the
response structure, not a hardcoded magic number.
Fix the remaining call sites to use the correct offsetof() value.
Cc: stable@vger.kernel.org
Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -4445,8 +4445,9 @@ int smb2_query_dir(struct ksmbd_work *wo
d_info.wptr = (char *)rsp->Buffer;
d_info.rptr = (char *)rsp->Buffer;
d_info.out_buf_len =
- smb2_calc_max_out_buf_len(work, 8,
- le32_to_cpu(req->OutputBufferLength));
+ smb2_calc_max_out_buf_len(work,
+ offsetof(struct smb2_query_directory_rsp, Buffer),
+ le32_to_cpu(req->OutputBufferLength));
if (d_info.out_buf_len < 0) {
rc = -EINVAL;
goto err_out;
@@ -4713,8 +4714,9 @@ static int smb2_get_ea(struct ksmbd_work
}
buf_free_len =
- smb2_calc_max_out_buf_len(work, 8,
- le32_to_cpu(req->OutputBufferLength));
+ smb2_calc_max_out_buf_len(work,
+ offsetof(struct smb2_query_info_rsp, Buffer),
+ le32_to_cpu(req->OutputBufferLength));
if (buf_free_len < 0)
return -EINVAL;
@@ -5040,8 +5042,9 @@ static int get_file_stream_info(struct k
file_info = (struct smb2_file_stream_info *)rsp->Buffer;
buf_free_len =
- smb2_calc_max_out_buf_len(work, 8,
- le32_to_cpu(req->OutputBufferLength));
+ smb2_calc_max_out_buf_len(work,
+ offsetof(struct smb2_query_info_rsp, Buffer),
+ le32_to_cpu(req->OutputBufferLength));
if (buf_free_len < 0)
goto out;
@@ -8190,8 +8193,9 @@ int smb2_ioctl(struct ksmbd_work *work)
buffer = (char *)req + le32_to_cpu(req->InputOffset);
cnt_code = le32_to_cpu(req->CtlCode);
- ret = smb2_calc_max_out_buf_len(work, 48,
- le32_to_cpu(req->MaxOutputResponse));
+ ret = smb2_calc_max_out_buf_len(work,
+ offsetof(struct smb2_ioctl_rsp, Buffer),
+ le32_to_cpu(req->MaxOutputResponse));
if (ret < 0) {
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
goto out;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 202/342] ksmbd: fix potencial OOB in get_file_all_info() for compound requests
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 201/342] ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len() Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 203/342] ksmbd: fix memory leaks and NULL deref in smb2_lock() Greg Kroah-Hartman
` (156 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Asim Viladi Oglu Manizada,
Namjae Jeon, Steve French
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit beef2634f81f1c086208191f7228bce1d366493d upstream.
When a compound request consists of QUERY_DIRECTORY + QUERY_INFO
(FILE_ALL_INFORMATION) and the first command consumes nearly the entire
max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16()
with PATH_MAX, causing out-of-bounds write beyond the response buffer.
In get_file_all_info(), there was a missing validation check for
the client-provided OutputBufferLength before copying the filename into
FileName field of the smb2_file_all_info structure.
If the filename length exceeds the available buffer space, it could lead to
potential buffer overflows or memory corruption during smbConvertToUTF16
conversion. This calculating the actual free buffer size using
smb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is
insufficient and updating smbConvertToUTF16 to use the actual filename
length (clamped by PATH_MAX) to ensure a safe copy operation.
Cc: stable@vger.kernel.org
Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -4933,7 +4933,8 @@ static int get_file_all_info(struct ksmb
int conv_len;
char *filename;
u64 time;
- int ret;
+ int ret, buf_free_len, filename_len;
+ struct smb2_query_info_req *req = ksmbd_req_buf_next(work);
if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) {
ksmbd_debug(SMB, "no right to read the attributes : 0x%x\n",
@@ -4945,6 +4946,16 @@ static int get_file_all_info(struct ksmb
if (IS_ERR(filename))
return PTR_ERR(filename);
+ filename_len = strlen(filename);
+ buf_free_len = smb2_calc_max_out_buf_len(work,
+ offsetof(struct smb2_query_info_rsp, Buffer) +
+ offsetof(struct smb2_file_all_info, FileName),
+ le32_to_cpu(req->OutputBufferLength));
+ if (buf_free_len < (filename_len + 1) * 2) {
+ kfree(filename);
+ return -EINVAL;
+ }
+
ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS,
AT_STATX_SYNC_AS_STAT);
if (ret) {
@@ -4988,7 +4999,8 @@ static int get_file_all_info(struct ksmb
file_info->Mode = fp->coption;
file_info->AlignmentRequirement = 0;
conv_len = smbConvertToUTF16((__le16 *)file_info->FileName, filename,
- PATH_MAX, conn->local_nls, 0);
+ min(filename_len, PATH_MAX),
+ conn->local_nls, 0);
conv_len *= 2;
file_info->FileNameLength = cpu_to_le32(conv_len);
rsp->OutputBufferLength =
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 203/342] ksmbd: fix memory leaks and NULL deref in smb2_lock()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 202/342] ksmbd: fix potencial OOB in get_file_all_info() for compound requests Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 204/342] ksmbd: do not expire session on binding failure Greg Kroah-Hartman
` (155 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ChenXiaoSong, Werner Kasselman,
Namjae Jeon, Steve French
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Werner Kasselman <werner@verivus.com>
commit 309b44ed684496ed3f9c5715d10b899338623512 upstream.
smb2_lock() has three error handling issues after list_del() detaches
smb_lock from lock_list at no_check_cl:
1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK
path, goto out leaks smb_lock and its flock because the out:
handler only iterates lock_list and rollback_list, neither of
which contains the detached smb_lock.
2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out
leaks smb_lock and flock for the same reason. The error code
returned to the dispatcher is also stale.
3) In the rollback path, smb_flock_init() can return NULL on
allocation failure. The result is dereferenced unconditionally,
causing a kernel NULL pointer dereference. Add a NULL check to
prevent the crash and clean up the bookkeeping; the VFS lock
itself cannot be rolled back without the allocation and will be
released at file or connection teardown.
Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before
the if(!rc) check in the UNLOCK branch so all exit paths share one
free site, and by freeing smb_lock and flock before goto out in the
non-UNLOCK branch. Propagate the correct error code in both cases.
Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding
a NULL check for locks_free_lock(rlock) in the shared cleanup.
Found via call-graph analysis using sqry.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Suggested-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Werner Kasselman <werner@verivus.com>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -7600,14 +7600,15 @@ retry:
rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL);
skip:
if (smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) {
+ locks_free_lock(flock);
+ kfree(smb_lock);
if (!rc) {
ksmbd_debug(SMB, "File unlocked\n");
} else if (rc == -ENOENT) {
rsp->hdr.Status = STATUS_NOT_LOCKED;
+ err = rc;
goto out;
}
- locks_free_lock(flock);
- kfree(smb_lock);
} else {
if (rc == FILE_LOCK_DEFERRED) {
void **argv;
@@ -7676,6 +7677,9 @@ skip:
spin_unlock(&work->conn->llist_lock);
ksmbd_debug(SMB, "successful in taking lock\n");
} else {
+ locks_free_lock(flock);
+ kfree(smb_lock);
+ err = rc;
goto out;
}
}
@@ -7706,13 +7710,17 @@ out:
struct file_lock *rlock = NULL;
rlock = smb_flock_init(filp);
- rlock->c.flc_type = F_UNLCK;
- rlock->fl_start = smb_lock->start;
- rlock->fl_end = smb_lock->end;
-
- rc = vfs_lock_file(filp, F_SETLK, rlock, NULL);
- if (rc)
- pr_err("rollback unlock fail : %d\n", rc);
+ if (rlock) {
+ rlock->c.flc_type = F_UNLCK;
+ rlock->fl_start = smb_lock->start;
+ rlock->fl_end = smb_lock->end;
+
+ rc = vfs_lock_file(filp, F_SETLK, rlock, NULL);
+ if (rc)
+ pr_err("rollback unlock fail : %d\n", rc);
+ } else {
+ pr_err("rollback unlock alloc failed\n");
+ }
list_del(&smb_lock->llist);
spin_lock(&work->conn->llist_lock);
@@ -7722,7 +7730,8 @@ out:
spin_unlock(&work->conn->llist_lock);
locks_free_lock(smb_lock->fl);
- locks_free_lock(rlock);
+ if (rlock)
+ locks_free_lock(rlock);
kfree(smb_lock);
}
out2:
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 204/342] ksmbd: do not expire session on binding failure
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 203/342] ksmbd: fix memory leaks and NULL deref in smb2_lock() Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 205/342] Revert "ALSA: hda/intel: Add MSI X870E Tomahawk to denylist" Greg Kroah-Hartman
` (154 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Namjae Jeon,
Steve French
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
commit 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 upstream.
When a multichannel session binding request fails (e.g. wrong password),
the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED.
However, during binding, sess points to the target session looked up via
ksmbd_session_lookup_slowpath() -- which belongs to another connection's
user. This allows a remote attacker to invalidate any active session by
simply sending a binding request with a wrong password (DoS).
Fix this by skipping session expiration when the failed request was
a binding attempt, since the session does not belong to the current
connection. The reference taken by ksmbd_session_lookup_slowpath() is
still correctly released via ksmbd_user_session_put().
Cc: stable@vger.kernel.org
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -1938,8 +1938,14 @@ out_err:
if (sess->user && sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION)
try_delay = true;
- sess->last_active = jiffies;
- sess->state = SMB2_SESSION_EXPIRED;
+ /*
+ * For binding requests, session belongs to another
+ * connection. Do not expire it.
+ */
+ if (!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
+ sess->last_active = jiffies;
+ sess->state = SMB2_SESSION_EXPIRED;
+ }
ksmbd_user_session_put(sess);
work->sess = NULL;
if (try_delay) {
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 205/342] Revert "ALSA: hda/intel: Add MSI X870E Tomahawk to denylist"
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 204/342] ksmbd: do not expire session on binding failure Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 206/342] ALSA: hda/realtek: add quirk for ASUS Strix G16 G615JMR Greg Kroah-Hartman
` (153 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Juhyun Song, Stuart Hayhurst,
Mario Limonciello, Takashi Iwai
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit ed4da361bf943b9041fc63e5cb6af01b3c0de978 upstream.
commit 30b3211aa2416 ("ALSA: hda/intel: Add MSI X870E Tomahawk
to denylist") was added to silence a warning, but this effectively
reintroduced commit df42ee7e22f03 ("ALSA: hda: Add ASRock
X670E Taichi to denylist") which was already reported to cause
problems and reverted in commit ee8f1613596ad ("Revert "ALSA: hda:
Add ASRock X670E Taichi to denylist"")
Revert it yet again.
Cc: stable@vger.kernel.org
Reported-by: Juhyun Song <juju6985@outlook.kr>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221274
Cc: Stuart Hayhurst <stuart.a.hayhurst@gmail.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Link: https://patch.msgid.link/20260326190542.524515-1-mario.limonciello@amd.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/hda/controllers/intel.c | 1 -
1 file changed, 1 deletion(-)
--- a/sound/hda/controllers/intel.c
+++ b/sound/hda/controllers/intel.c
@@ -2077,7 +2077,6 @@ static const struct pci_device_id driver
{ PCI_DEVICE_SUB(0x1022, 0x1487, 0x1043, 0x874f) }, /* ASUS ROG Zenith II / Strix */
{ PCI_DEVICE_SUB(0x1022, 0x1487, 0x1462, 0xcb59) }, /* MSI TRX40 Creator */
{ PCI_DEVICE_SUB(0x1022, 0x1487, 0x1462, 0xcb60) }, /* MSI TRX40 */
- { PCI_DEVICE_SUB(0x1022, 0x15e3, 0x1462, 0xee59) }, /* MSI X870E Tomahawk WiFi */
{}
};
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 206/342] ALSA: hda/realtek: add quirk for ASUS Strix G16 G615JMR
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 205/342] Revert "ALSA: hda/intel: Add MSI X870E Tomahawk to denylist" Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 207/342] ALSA: firewire-lib: fix uninitialized local variable Greg Kroah-Hartman
` (152 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Heng, Takashi Iwai
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Heng <zhangheng@kylinos.cn>
commit 0bdf27abaf8940592207be939142451436afe39f upstream.
The machine is equipped with ALC294 and requires the
ALC287_FIXUP_TXNW2781_I2C_ASUS quirk for the amplifier to work properly.
Since the machine's PCI SSID is also 1043:1204, HDA_CODEC_QUIRK is
used to retain the previous quirk.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221173
Cc: <stable@vger.kernel.org>
Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
Link: https://patch.msgid.link/20260316022843.2809968-1-zhangheng@kylinos.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/hda/codecs/realtek/alc269.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -7203,6 +7203,7 @@ static const struct hda_quirk alc269_fix
SND_PCI_QUIRK(0x1043, 0x115d, "Asus 1015E", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
SND_PCI_QUIRK(0x1043, 0x1194, "ASUS UM3406KA", ALC287_FIXUP_CS35L41_I2C_2),
SND_PCI_QUIRK(0x1043, 0x11c0, "ASUS X556UR", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
+ HDA_CODEC_QUIRK(0x1043, 0x1204, "ASUS Strix G16 G615JMR", ALC287_FIXUP_TXNW2781_I2C_ASUS),
SND_PCI_QUIRK(0x1043, 0x1204, "ASUS Strix G615JHR_JMR_JPR", ALC287_FIXUP_TAS2781_I2C),
SND_PCI_QUIRK(0x1043, 0x1214, "ASUS Strix G615LH_LM_LP", ALC287_FIXUP_TAS2781_I2C),
SND_PCI_QUIRK(0x1043, 0x125e, "ASUS Q524UQK", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 207/342] ALSA: firewire-lib: fix uninitialized local variable
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 206/342] ALSA: hda/realtek: add quirk for ASUS Strix G16 G615JMR Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 208/342] accel/ivpu: Add disable clock relinquish workaround for NVL-A0 Greg Kroah-Hartman
` (151 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexey Nepomnyashih, Takashi Iwai
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Nepomnyashih <sdl@nppct.ru>
commit bb120ad57def62e3f23e3d999c5fbed11f610993 upstream.
Similar to commit d8dc8720468a ("ALSA: firewire-lib: fix uninitialized
local variable"), the local variable `curr_cycle_time` in
process_rx_packets() is declared without initialization.
When the tracepoint event is not probed, the variable may appear to be
used without being initialized. In practice the value is only relevant
when the tracepoint is enabled, however initializing it avoids potential
use of an uninitialized value and improves code safety.
Initialize `curr_cycle_time` to zero.
Fixes: fef4e61b0b76 ("ALSA: firewire-lib: extend tracepoints event including CYCLE_TIME of 1394 OHCI")
Cc: stable@vger.kernel.org
Signed-off-by: Alexey Nepomnyashih <sdl@nppct.ru>
Link: https://patch.msgid.link/20260316191824.83249-1-sdl@nppct.ru
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/firewire/amdtp-stream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/firewire/amdtp-stream.c
+++ b/sound/firewire/amdtp-stream.c
@@ -1179,7 +1179,7 @@ static void process_rx_packets(struct fw
struct pkt_desc *desc = s->packet_descs_cursor;
unsigned int pkt_header_length;
unsigned int packets;
- u32 curr_cycle_time;
+ u32 curr_cycle_time = 0;
bool need_hw_irq;
int i;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 208/342] accel/ivpu: Add disable clock relinquish workaround for NVL-A0
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 207/342] ALSA: firewire-lib: fix uninitialized local variable Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 209/342] ASoC: codecs: wcd934x: fix typo in dt parsing Greg Kroah-Hartman
` (150 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lizhi.hou, Karol Wachowski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Karol Wachowski <karol.wachowski@linux.intel.com>
commit e8ab57b56402697a9bef50b71aecc613f0d61846 upstream.
Turn on disable clock relinquish workaround for Nova Lake A0.
Without this workaround NPU may not power off correctly after
inference, leading to unexpected system behavior.
Fixes: 550f4dd2cedd ("accel/ivpu: Add support for Nova Lake's NPU")
Cc: <stable@vger.kernel.org> # v6.19+
Reviewed-by: Lizhi.hou <lizhi.hou@amd.com>
Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Link: https://patch.msgid.link/20260323095029.64613-1-karol.wachowski@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/accel/ivpu/ivpu_drv.h | 1 +
drivers/accel/ivpu/ivpu_hw.c | 6 ++++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/accel/ivpu/ivpu_drv.h b/drivers/accel/ivpu/ivpu_drv.h
index 5b34b6f50e69..f1b6155065ff 100644
--- a/drivers/accel/ivpu/ivpu_drv.h
+++ b/drivers/accel/ivpu/ivpu_drv.h
@@ -35,6 +35,7 @@
#define IVPU_HW_IP_60XX 60
#define IVPU_HW_IP_REV_LNL_B0 4
+#define IVPU_HW_IP_REV_NVL_A0 0
#define IVPU_HW_BTRS_MTL 1
#define IVPU_HW_BTRS_LNL 2
diff --git a/drivers/accel/ivpu/ivpu_hw.c b/drivers/accel/ivpu/ivpu_hw.c
index d69cd0d93569..d4a9bcda4100 100644
--- a/drivers/accel/ivpu/ivpu_hw.c
+++ b/drivers/accel/ivpu/ivpu_hw.c
@@ -70,8 +70,10 @@ static void wa_init(struct ivpu_device *vdev)
if (ivpu_hw_btrs_gen(vdev) == IVPU_HW_BTRS_MTL)
vdev->wa.interrupt_clear_with_0 = ivpu_hw_btrs_irqs_clear_with_0_mtl(vdev);
- if (ivpu_device_id(vdev) == PCI_DEVICE_ID_LNL &&
- ivpu_revision(vdev) < IVPU_HW_IP_REV_LNL_B0)
+ if ((ivpu_device_id(vdev) == PCI_DEVICE_ID_LNL &&
+ ivpu_revision(vdev) < IVPU_HW_IP_REV_LNL_B0) ||
+ (ivpu_device_id(vdev) == PCI_DEVICE_ID_NVL &&
+ ivpu_revision(vdev) == IVPU_HW_IP_REV_NVL_A0))
vdev->wa.disable_clock_relinquish = true;
if (ivpu_test_mode & IVPU_TEST_MODE_CLK_RELINQ_ENABLE)
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 209/342] ASoC: codecs: wcd934x: fix typo in dt parsing
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 208/342] accel/ivpu: Add disable clock relinquish workaround for NVL-A0 Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 210/342] ASoC: sma1307: fix double free of devm_kzalloc() memory Greg Kroah-Hartman
` (149 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Joel Selvaraj,
Srinivas Kandagatla, Konrad Dybcio, Mark Brown
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit cfb385a8dc88d86a805a5682eaa68f59fa5c0ec3 upstream.
Looks like we ended up with a typo during device tree data parsing
as part of 4f16b6351bbff ("ASoC: codecs: wcd: add common helper for wcd
codecs") patch.
This will result in not parsing the device tree data and results in
zero mic bias values.
Fix this by calling wcd_dt_parse_micbias_info instead of
wcd_dt_parse_mbhc_data.
Fixes: 4f16b6351bbff ("ASoC: codecs: wcd: add common helper for wcd codecs")
Cc: Stable@vger.kernel.org
Reported-by: Joel Selvaraj <foss@joelselvaraj.com>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://patch.msgid.link/20260323231748.2217967-1-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wcd934x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/soc/codecs/wcd934x.c
+++ b/sound/soc/codecs/wcd934x.c
@@ -2172,7 +2172,7 @@ static int wcd934x_init_dmic(struct snd_
u32 def_dmic_rate, dmic_clk_drv;
int ret;
- ret = wcd_dt_parse_mbhc_data(comp->dev, &wcd->mbhc_cfg);
+ ret = wcd_dt_parse_micbias_info(&wcd->common);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 210/342] ASoC: sma1307: fix double free of devm_kzalloc() memory
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 209/342] ASoC: codecs: wcd934x: fix typo in dt parsing Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 211/342] ASoC: SOF: ipc4-topology: Allow bytes controls without initial payload Greg Kroah-Hartman
` (148 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Mark Brown
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
commit fe757092d2329c397ecb32f2bf68a5b1c4bd9193 upstream.
A previous change added NULL checks and cleanup for allocation
failures in sma1307_setting_loaded().
However, the cleanup for mode_set entries is wrong. Those entries are
allocated with devm_kzalloc(), so they are device-managed resources and
must not be freed with kfree(). Manually freeing them in the error path
can lead to a double free when devres later releases the same memory.
Drop the manual kfree() loop and let devres handle the cleanup.
Fixes: 0ec6bd16705fe ("ASoC: sma1307: Add NULL check in sma1307_setting_loaded()")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Link: https://patch.msgid.link/20260313040611.391479-1-lgs201920130244@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/sma1307.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/sound/soc/codecs/sma1307.c
+++ b/sound/soc/codecs/sma1307.c
@@ -1759,8 +1759,10 @@ static void sma1307_setting_loaded(struc
sma1307->set.mode_size * 2 * sizeof(int),
GFP_KERNEL);
if (!sma1307->set.mode_set[i]) {
- for (int j = 0; j < i; j++)
- kfree(sma1307->set.mode_set[j]);
+ for (int j = 0; j < i; j++) {
+ devm_kfree(sma1307->dev, sma1307->set.mode_set[j]);
+ sma1307->set.mode_set[j] = NULL;
+ }
sma1307->set.status = false;
return;
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 211/342] ASoC: SOF: ipc4-topology: Allow bytes controls without initial payload
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 210/342] ASoC: sma1307: fix double free of devm_kzalloc() memory Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 212/342] can: gw: fix OOB heap access in cgw_csum_crc8_rel() Greg Kroah-Hartman
` (147 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Ujfalusi, Bard Liao,
Liam Girdwood, Seppo Ingalsuo, Kai Vehmanen, Mark Brown
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
commit d40a198e2b7821197c5c77b89d0130cc90f400f5 upstream.
It is unexpected, but allowed to have no initial payload for a bytes
control and the code is prepared to handle this case, but the size check
missed this corner case.
Update the check for minimal size to allow the initial size to be 0.
Cc: stable@vger.kernel.org
Fixes: a653820700b8 ("ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls")
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: Seppo Ingalsuo <seppo.ingalsuo@linux.intel.com>
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Link: https://patch.msgid.link/20260326075618.1603-1-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/sof/ipc4-topology.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/soc/sof/ipc4-topology.c
+++ b/sound/soc/sof/ipc4-topology.c
@@ -2889,7 +2889,7 @@ static int sof_ipc4_control_load_bytes(s
return -EINVAL;
}
- if (scontrol->priv_size < sizeof(struct sof_abi_hdr)) {
+ if (scontrol->priv_size && scontrol->priv_size < sizeof(struct sof_abi_hdr)) {
dev_err(sdev->dev,
"bytes control %s initial data size %zu is insufficient.\n",
scontrol->name, scontrol->priv_size);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 212/342] can: gw: fix OOB heap access in cgw_csum_crc8_rel()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 211/342] ASoC: SOF: ipc4-topology: Allow bytes controls without initial payload Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 213/342] can: isotp: fix tx.buf use-after-free in isotp_sendmsg() Greg Kroah-Hartman
` (146 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ali Norouzi, Oliver Hartkopp,
Marc Kleine-Budde
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ali Norouzi <ali.norouzi@keysight.com>
commit b9c310d72783cc2f30d103eed83920a5a29c671a upstream.
cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():
int from = calc_idx(crc8->from_idx, cf->len);
int to = calc_idx(crc8->to_idx, cf->len);
int res = calc_idx(crc8->result_idx, cf->len);
if (from < 0 || to < 0 || res < 0)
return;
However, the loop and the result write then use the raw s8 fields directly
instead of the computed variables:
for (i = crc8->from_idx; ...) /* BUG: raw negative index */
cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */
With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,
calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with
i = -64, reading cf->data[-64], and the write goes to cf->data[-64].
This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the
start of the canfd_frame on the heap.
The companion function cgw_csum_xor_rel() uses `from`/`to`/`res`
correctly throughout; fix cgw_csum_crc8_rel() to match.
Confirmed with KASAN on linux-7.0-rc2:
BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0
Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62
To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.
Fixes: 456a8a646b25 ("can: gw: add support for CAN FD frames")
Cc: stable@vger.kernel.org
Reported-by: Ali Norouzi <ali.norouzi@keysight.com>
Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ali Norouzi <ali.norouzi@keysight.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-1-c45d52c6d2d8@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/gw.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -374,10 +374,10 @@ static void cgw_csum_crc8_rel(struct can
return;
if (from <= to) {
- for (i = crc8->from_idx; i <= crc8->to_idx; i++)
+ for (i = from; i <= to; i++)
crc = crc8->crctab[crc ^ cf->data[i]];
} else {
- for (i = crc8->from_idx; i >= crc8->to_idx; i--)
+ for (i = from; i >= to; i--)
crc = crc8->crctab[crc ^ cf->data[i]];
}
@@ -396,7 +396,7 @@ static void cgw_csum_crc8_rel(struct can
break;
}
- cf->data[crc8->result_idx] = crc ^ crc8->final_xor_val;
+ cf->data[res] = crc ^ crc8->final_xor_val;
}
static void cgw_csum_crc8_pos(struct canfd_frame *cf,
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 213/342] can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 212/342] can: gw: fix OOB heap access in cgw_csum_crc8_rel() Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 214/342] can: netlink: can_changelink(): add missing error handling to call can_ctrlmode_changelink() Greg Kroah-Hartman
` (145 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ali Norouzi, Oliver Hartkopp,
Marc Kleine-Budde
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Hartkopp <socketcan@hartkopp.net>
commit 424e95d62110cdbc8fd12b40918f37e408e35a92 upstream.
isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access
to so->tx.buf. isotp_release() waits for ISOTP_IDLE via
wait_event_interruptible() and then calls kfree(so->tx.buf).
If a signal interrupts the wait_event_interruptible() inside close()
while tx.state is ISOTP_SENDING, the loop exits early and release
proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf)
while sendmsg may still be reading so->tx.buf for the final CAN frame
in isotp_fill_dataframe().
The so->tx.buf can be allocated once when the standard tx.buf length needs
to be extended. Move the kfree() of this potentially extended tx.buf to
sk_destruct time when either isotp_sendmsg() and isotp_release() are done.
Fixes: 96d1c81e6a04 ("can: isotp: add module parameter for maximum pdu size")
Cc: stable@vger.kernel.org
Reported-by: Ali Norouzi <ali.norouzi@keysight.com>
Co-developed-by: Ali Norouzi <ali.norouzi@keysight.com>
Signed-off-by: Ali Norouzi <ali.norouzi@keysight.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-2-c45d52c6d2d8@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/isotp.c | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
--- a/net/can/isotp.c
+++ b/net/can/isotp.c
@@ -1230,12 +1230,6 @@ static int isotp_release(struct socket *
so->ifindex = 0;
so->bound = 0;
- if (so->rx.buf != so->rx.sbuf)
- kfree(so->rx.buf);
-
- if (so->tx.buf != so->tx.sbuf)
- kfree(so->tx.buf);
-
sock_orphan(sk);
sock->sk = NULL;
@@ -1604,6 +1598,21 @@ static int isotp_notifier(struct notifie
return NOTIFY_DONE;
}
+static void isotp_sock_destruct(struct sock *sk)
+{
+ struct isotp_sock *so = isotp_sk(sk);
+
+ /* do the standard CAN sock destruct work */
+ can_sock_destruct(sk);
+
+ /* free potential extended PDU buffers */
+ if (so->rx.buf != so->rx.sbuf)
+ kfree(so->rx.buf);
+
+ if (so->tx.buf != so->tx.sbuf)
+ kfree(so->tx.buf);
+}
+
static int isotp_init(struct sock *sk)
{
struct isotp_sock *so = isotp_sk(sk);
@@ -1648,6 +1657,9 @@ static int isotp_init(struct sock *sk)
list_add_tail(&so->notifier, &isotp_notifier_list);
spin_unlock(&isotp_notifier_lock);
+ /* re-assign default can_sock_destruct() reference */
+ sk->sk_destruct = isotp_sock_destruct;
+
return 0;
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 214/342] can: netlink: can_changelink(): add missing error handling to call can_ctrlmode_changelink()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 213/342] can: isotp: fix tx.buf use-after-free in isotp_sendmsg() Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 215/342] cpufreq: Dont skip cpufreq_frequency_table_cpuinfo() Greg Kroah-Hartman
` (144 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit cadf6019231b614ebbd9ec2a16e5997ecbd8d016 upstream.
In commit e1a5cd9d6665 ("can: netlink: add can_ctrlmode_changelink()") the
CAN Control Mode (IFLA_CAN_CTRLMODE) handling was factored out into the
can_ctrlmode_changelink() function. But the call to
can_ctrlmode_changelink() is missing the error handling.
Add the missing error handling and propagation to the call
can_ctrlmode_changelink().
Cc: stable@vger.kernel.org
Fixes: e1a5cd9d6665 ("can: netlink: add can_ctrlmode_changelink()")
Link: https://patch.msgid.link/20260310-can_ctrlmode_changelink-add-error-handling-v1-1-0daf63d85922@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/dev/netlink.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/can/dev/netlink.c
+++ b/drivers/net/can/dev/netlink.c
@@ -601,7 +601,9 @@ static int can_changelink(struct net_dev
/* We need synchronization with dev->stop() */
ASSERT_RTNL();
- can_ctrlmode_changelink(dev, data, extack);
+ err = can_ctrlmode_changelink(dev, data, extack);
+ if (err)
+ return err;
if (data[IFLA_CAN_BITTIMING]) {
struct can_bittiming bt;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 215/342] cpufreq: Dont skip cpufreq_frequency_table_cpuinfo()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 214/342] can: netlink: can_changelink(): add missing error handling to call can_ctrlmode_changelink() Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 216/342] cpufreq: conservative: Reset requested_freq on limits change Greg Kroah-Hartman
` (143 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Viresh Kumar, Rafael J. Wysocki
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viresh Kumar <viresh.kumar@linaro.org>
commit 8f13c0c6cb75cc4421d5a60fc060e9e6fd9d1097 upstream.
The commit 6db0f533d320 ("cpufreq: preserve freq_table_sorted
across suspend/hibernate") unintentionally made a change where
cpufreq_frequency_table_cpuinfo() isn't getting called anymore
for old policies getting re-initialized.
This leads to potentially invalid values of policy->max and
policy->cpuinfo_max_freq.
Fix the issue by reverting the original commit and adding the condition
for just the sorting function.
Fixes: 6db0f533d320 ("cpufreq: preserve freq_table_sorted across suspend/hibernate")
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Cc: 6.19+ <stable@vger.kernel.org> # 6.19+
Link: https://patch.msgid.link/65ba5c45749267c82e8a87af3dc788b37a0b3f48.1773998611.git.viresh.kumar@linaro.org
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/cpufreq.c | 9 +++------
drivers/cpufreq/freq_table.c | 4 ++++
2 files changed, 7 insertions(+), 6 deletions(-)
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -1421,12 +1421,9 @@ static int cpufreq_policy_online(struct
* If there is a problem with its frequency table, take it
* offline and drop it.
*/
- if (policy->freq_table_sorted != CPUFREQ_TABLE_SORTED_ASCENDING &&
- policy->freq_table_sorted != CPUFREQ_TABLE_SORTED_DESCENDING) {
- ret = cpufreq_table_validate_and_sort(policy);
- if (ret)
- goto out_offline_policy;
- }
+ ret = cpufreq_table_validate_and_sort(policy);
+ if (ret)
+ goto out_offline_policy;
/* related_cpus should at least include policy->cpus. */
cpumask_copy(policy->related_cpus, policy->cpus);
--- a/drivers/cpufreq/freq_table.c
+++ b/drivers/cpufreq/freq_table.c
@@ -360,6 +360,10 @@ int cpufreq_table_validate_and_sort(stru
if (policy_has_boost_freq(policy))
policy->boost_supported = true;
+ if (policy->freq_table_sorted == CPUFREQ_TABLE_SORTED_ASCENDING ||
+ policy->freq_table_sorted == CPUFREQ_TABLE_SORTED_DESCENDING)
+ return 0;
+
return set_freq_table_sorted(policy);
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 216/342] cpufreq: conservative: Reset requested_freq on limits change
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 215/342] cpufreq: Dont skip cpufreq_frequency_table_cpuinfo() Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 217/342] kbuild: Delete .builtin-dtbs.S when running make clean Greg Kroah-Hartman
` (142 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lifeng Zheng, Viresh Kumar,
Zhongqiu Han, Rafael J. Wysocki
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viresh Kumar <viresh.kumar@linaro.org>
commit 6a28fb8cb28b9eb39a392e531d938a889eacafc5 upstream.
A recently reported issue highlighted that the cached requested_freq
is not guaranteed to stay in sync with policy->cur. If the platform
changes the actual CPU frequency after the governor sets one (e.g.
due to platform-specific frequency scaling) and a re-sync occurs
later, policy->cur may diverge from requested_freq.
This can lead to incorrect behavior in the conservative governor.
For example, the governor may assume the CPU is already running at
the maximum frequency and skip further increases even though there
is still headroom.
Avoid this by resetting the cached requested_freq to policy->cur on
detecting a change in policy limits.
Reported-by: Lifeng Zheng <zhenglifeng1@huawei.com>
Tested-by: Lifeng Zheng <zhenglifeng1@huawei.com>
Link: https://lore.kernel.org/all/20260210115458.3493646-1-zhenglifeng1@huawei.com/
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com>
Cc: All applicable <stable@vger.kernel.org>
Link: https://patch.msgid.link/d846a141a98ac0482f20560fcd7525c0f0ec2f30.1773999467.git.viresh.kumar@linaro.org
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/cpufreq_conservative.c | 12 ++++++++++++
drivers/cpufreq/cpufreq_governor.c | 3 +++
drivers/cpufreq/cpufreq_governor.h | 1 +
3 files changed, 16 insertions(+)
--- a/drivers/cpufreq/cpufreq_conservative.c
+++ b/drivers/cpufreq/cpufreq_conservative.c
@@ -313,6 +313,17 @@ static void cs_start(struct cpufreq_poli
dbs_info->requested_freq = policy->cur;
}
+static void cs_limits(struct cpufreq_policy *policy)
+{
+ struct cs_policy_dbs_info *dbs_info = to_dbs_info(policy->governor_data);
+
+ /*
+ * The limits have changed, so may have the current frequency. Reset
+ * requested_freq to avoid any unintended outcomes due to the mismatch.
+ */
+ dbs_info->requested_freq = policy->cur;
+}
+
static struct dbs_governor cs_governor = {
.gov = CPUFREQ_DBS_GOVERNOR_INITIALIZER("conservative"),
.kobj_type = { .default_groups = cs_groups },
@@ -322,6 +333,7 @@ static struct dbs_governor cs_governor =
.init = cs_init,
.exit = cs_exit,
.start = cs_start,
+ .limits = cs_limits,
};
#define CPU_FREQ_GOV_CONSERVATIVE (cs_governor.gov)
--- a/drivers/cpufreq/cpufreq_governor.c
+++ b/drivers/cpufreq/cpufreq_governor.c
@@ -563,6 +563,7 @@ EXPORT_SYMBOL_GPL(cpufreq_dbs_governor_s
void cpufreq_dbs_governor_limits(struct cpufreq_policy *policy)
{
+ struct dbs_governor *gov = dbs_governor_of(policy);
struct policy_dbs_info *policy_dbs;
/* Protect gov->gdbs_data against cpufreq_dbs_governor_exit() */
@@ -574,6 +575,8 @@ void cpufreq_dbs_governor_limits(struct
mutex_lock(&policy_dbs->update_mutex);
cpufreq_policy_apply_limits(policy);
gov_update_sample_delay(policy_dbs, 0);
+ if (gov->limits)
+ gov->limits(policy);
mutex_unlock(&policy_dbs->update_mutex);
out:
--- a/drivers/cpufreq/cpufreq_governor.h
+++ b/drivers/cpufreq/cpufreq_governor.h
@@ -138,6 +138,7 @@ struct dbs_governor {
int (*init)(struct dbs_data *dbs_data);
void (*exit)(struct dbs_data *dbs_data);
void (*start)(struct cpufreq_policy *policy);
+ void (*limits)(struct cpufreq_policy *policy);
};
static inline struct dbs_governor *dbs_governor_of(struct cpufreq_policy *policy)
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 217/342] kbuild: Delete .builtin-dtbs.S when running make clean
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 216/342] cpufreq: conservative: Reset requested_freq on limits change Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 218/342] mm/damon/stat: monitor all System RAM resources Greg Kroah-Hartman
` (141 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Charles Mirabile, Nicolas Schier,
Nathan Chancellor
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Mirabile <cmirabil@redhat.com>
commit a76e30c2479ce6ffa2aa6c8a8462897afc82bc90 upstream.
The makefile tries to delete a file named ".builtin-dtb.S" but the file
created by scripts/Makefile.vmlinux is actually called ".builtin-dtbs.S".
Fixes: 654102df2ac2a ("kbuild: add generic support for built-in boot DTBs")
Cc: stable@vger.kernel.org
Signed-off-by: Charles Mirabile <cmirabil@redhat.com>
Reviewed-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/20260308044338.181403-1-cmirabil@redhat.com
[nathan: Small commit message adjustments]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Makefile
+++ b/Makefile
@@ -1622,7 +1622,7 @@ CLEAN_FILES += vmlinux.symvers modules-o
modules.builtin.ranges vmlinux.o.map vmlinux.unstripped \
compile_commands.json rust/test \
rust-project.json .vmlinux.objs .vmlinux.export.c \
- .builtin-dtbs-list .builtin-dtb.S
+ .builtin-dtbs-list .builtin-dtbs.S
# Directories & files removed with 'make mrproper'
MRPROPER_FILES += include/config include/generated \
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 218/342] mm/damon/stat: monitor all System RAM resources
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 217/342] kbuild: Delete .builtin-dtbs.S when running make clean Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 219/342] thermal: intel: int340x: soc_slider: Set offset only for balanced mode Greg Kroah-Hartman
` (140 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 84481e705ab07ed46e56587fe846af194acacafe upstream.
DAMON_STAT usage document (Documentation/admin-guide/mm/damon/stat.rst)
says it monitors the system's entire physical memory. But, it is
monitoring only the biggest System RAM resource of the system. When there
are multiple System RAM resources, this results in monitoring only an
unexpectedly small fraction of the physical memory. For example, suppose
the system has a 500 GiB System RAM, 10 MiB non-System RAM, and 500 GiB
System RAM resources in order on the physical address space. DAMON_STAT
will monitor only the first 500 GiB System RAM. This situation is
particularly common on NUMA systems.
Select a physical address range that covers all System RAM areas of the
system, to fix this issue and make it work as documented.
[sj@kernel.org: return error if monitoring target region is invalid]
Link: https://lkml.kernel.org/r/20260317053631.87907-1-sj@kernel.org
Link: https://lkml.kernel.org/r/20260316235118.873-1-sj@kernel.org
Fixes: 369c415e6073 ("mm/damon: introduce DAMON_STAT module")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> [6.17+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/stat.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 50 insertions(+), 3 deletions(-)
--- a/mm/damon/stat.c
+++ b/mm/damon/stat.c
@@ -145,12 +145,59 @@ static int damon_stat_damon_call_fn(void
return 0;
}
+struct damon_stat_system_ram_range_walk_arg {
+ bool walked;
+ struct resource res;
+};
+
+static int damon_stat_system_ram_walk_fn(struct resource *res, void *arg)
+{
+ struct damon_stat_system_ram_range_walk_arg *a = arg;
+
+ if (!a->walked) {
+ a->walked = true;
+ a->res.start = res->start;
+ }
+ a->res.end = res->end;
+ return 0;
+}
+
+static unsigned long damon_stat_res_to_core_addr(resource_size_t ra,
+ unsigned long addr_unit)
+{
+ /*
+ * Use div_u64() for avoiding linking errors related with __udivdi3,
+ * __aeabi_uldivmod, or similar problems. This should also improve the
+ * performance optimization (read div_u64() comment for the detail).
+ */
+ if (sizeof(ra) == 8 && sizeof(addr_unit) == 4)
+ return div_u64(ra, addr_unit);
+ return ra / addr_unit;
+}
+
+static int damon_stat_set_monitoring_region(struct damon_target *t,
+ unsigned long addr_unit, unsigned long min_region_sz)
+{
+ struct damon_addr_range addr_range;
+ struct damon_stat_system_ram_range_walk_arg arg = {};
+
+ walk_system_ram_res(0, -1, &arg, damon_stat_system_ram_walk_fn);
+ if (!arg.walked)
+ return -EINVAL;
+ addr_range.start = damon_stat_res_to_core_addr(
+ arg.res.start, addr_unit);
+ addr_range.end = damon_stat_res_to_core_addr(
+ arg.res.end + 1, addr_unit);
+ if (addr_range.end <= addr_range.start)
+ return -EINVAL;
+ return damon_set_regions(t, &addr_range, 1, min_region_sz);
+}
+
static struct damon_ctx *damon_stat_build_ctx(void)
{
struct damon_ctx *ctx;
struct damon_attrs attrs;
struct damon_target *target;
- unsigned long start = 0, end = 0;
ctx = damon_new_ctx();
if (!ctx)
@@ -188,8 +235,8 @@ static struct damon_ctx *damon_stat_buil
if (!target)
goto free_out;
damon_add_target(ctx, target);
- if (damon_set_region_biggest_system_ram_default(target, &start, &end,
- ctx->min_region_sz))
+ if (damon_stat_set_monitoring_region(target, ctx->addr_unit,
+ ctx->min_region_sz))
goto free_out;
return ctx;
free_out:
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 219/342] thermal: intel: int340x: soc_slider: Set offset only for balanced mode
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 218/342] mm/damon/stat: monitor all System RAM resources Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 220/342] RDMA/ionic: Preserve and set Ethernet source MAC after ib_ud_header_init() Greg Kroah-Hartman
` (139 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Erin Park, Srinivas Pandruvada,
Rafael J. Wysocki
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
commit 7dfe9846016b15816e287a4650be1ff1b48c5ab4 upstream.
The slider offset can be set via debugfs for balanced mode. The offset
should be only applicable in balanced mode. For other modes, it should
be 0 when writing to MMIO offset,
Fixes: 8306bcaba06d ("thermal: intel: int340x: Add module parameter to change slider offset")
Tested-by: Erin Park <erin.park@intel.com>
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Cc: 6.18+ <stable@vger.kernel.org> # 6.18+
[ rjw: Subject and changelog tweaks ]
Link: https://patch.msgid.link/20260324172346.3317145-1-srinivas.pandruvada@linux.intel.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thermal/intel/int340x_thermal/processor_thermal_soc_slider.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/thermal/intel/int340x_thermal/processor_thermal_soc_slider.c
+++ b/drivers/thermal/intel/int340x_thermal/processor_thermal_soc_slider.c
@@ -176,15 +176,21 @@ static inline void write_soc_slider(stru
static void set_soc_power_profile(struct proc_thermal_device *proc_priv, int slider)
{
+ u8 offset;
u64 val;
val = read_soc_slider(proc_priv);
val &= ~SLIDER_MASK;
val |= FIELD_PREP(SLIDER_MASK, slider) | BIT(SLIDER_ENABLE_BIT);
+ if (slider == SOC_SLIDER_VALUE_MINIMUM || slider == SOC_SLIDER_VALUE_MAXIMUM)
+ offset = 0;
+ else
+ offset = slider_offset;
+
/* Set the slider offset from module params */
val &= ~SLIDER_OFFSET_MASK;
- val |= FIELD_PREP(SLIDER_OFFSET_MASK, slider_offset);
+ val |= FIELD_PREP(SLIDER_OFFSET_MASK, offset);
write_soc_slider(proc_priv, val);
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 220/342] RDMA/ionic: Preserve and set Ethernet source MAC after ib_ud_header_init()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 219/342] thermal: intel: int340x: soc_slider: Set offset only for balanced mode Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 221/342] platform/x86: ISST: Correct locked bit width Greg Kroah-Hartman
` (138 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abhijit Gangurde, Leon Romanovsky
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abhijit Gangurde <abhijit.gangurde@amd.com>
commit a08aaf3968aec5d05cd32c801b8cc0c61da69c41 upstream.
ionic_build_hdr() populated the Ethernet source MAC (hdr->eth.smac_h) by
passing the header’s storage directly to rdma_read_gid_l2_fields().
However, ib_ud_header_init() is called after that and re-initializes the
UD header, which wipes the previously written smac_h. As a result, packets
are emitted with an zero source MAC address on the wire.
Correct the source MAC by reading the GID-derived smac into a temporary
buffer and copy it after ib_ud_header_init() completes.
Fixes: e8521822c733 ("RDMA/ionic: Register device ops for control path")
Cc: stable@vger.kernel.org # 6.18
Signed-off-by: Abhijit Gangurde <abhijit.gangurde@amd.com>
Link: https://patch.msgid.link/20260227061809.2979990-1-abhijit.gangurde@amd.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/ionic/ionic_controlpath.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/infiniband/hw/ionic/ionic_controlpath.c
+++ b/drivers/infiniband/hw/ionic/ionic_controlpath.c
@@ -508,6 +508,7 @@ static int ionic_build_hdr(struct ionic_
{
const struct ib_global_route *grh;
enum rdma_network_type net;
+ u8 smac[ETH_ALEN];
u16 vlan;
int rc;
@@ -518,7 +519,7 @@ static int ionic_build_hdr(struct ionic_
grh = rdma_ah_read_grh(attr);
- rc = rdma_read_gid_l2_fields(grh->sgid_attr, &vlan, &hdr->eth.smac_h[0]);
+ rc = rdma_read_gid_l2_fields(grh->sgid_attr, &vlan, smac);
if (rc)
return rc;
@@ -536,6 +537,7 @@ static int ionic_build_hdr(struct ionic_
if (rc)
return rc;
+ ether_addr_copy(hdr->eth.smac_h, smac);
ether_addr_copy(hdr->eth.dmac_h, attr->roce.dmac);
if (net == RDMA_NETWORK_IPV4) {
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 221/342] platform/x86: ISST: Correct locked bit width
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 220/342] RDMA/ionic: Preserve and set Ethernet source MAC after ib_ud_header_init() Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 222/342] KVM: arm64: Discard PC update state on vcpu reset Greg Kroah-Hartman
` (137 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Srinivas Pandruvada,
Ilpo Järvinen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
commit fbddf68d7b4e1e6da7a78dd7fbd8ec376536584a upstream.
SST-PP locked bit width is set to three bits. It should be only one bit.
Use SST_PP_LOCK_WIDTH define instead of SST_PP_LEVEL_WIDTH.
Fixes: ea009e4769fa ("platform/x86: ISST: Add SST-PP support via TPMI")
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260323153635.3263828-1-srinivas.pandruvada@linux.intel.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
+++ b/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
@@ -871,7 +871,7 @@ static int isst_if_get_perf_level(void _
_read_pp_info("current_level", perf_level.current_level, SST_PP_STATUS_OFFSET,
SST_PP_LEVEL_START, SST_PP_LEVEL_WIDTH, SST_MUL_FACTOR_NONE)
_read_pp_info("locked", perf_level.locked, SST_PP_STATUS_OFFSET,
- SST_PP_LOCK_START, SST_PP_LEVEL_WIDTH, SST_MUL_FACTOR_NONE)
+ SST_PP_LOCK_START, SST_PP_LOCK_WIDTH, SST_MUL_FACTOR_NONE)
_read_pp_info("feature_state", perf_level.feature_state, SST_PP_STATUS_OFFSET,
SST_PP_FEATURE_STATE_START, SST_PP_FEATURE_STATE_WIDTH, SST_MUL_FACTOR_NONE)
perf_level.enabled = !!(power_domain_info->sst_header.cap_mask & BIT(1));
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 222/342] KVM: arm64: Discard PC update state on vcpu reset
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 221/342] platform/x86: ISST: Correct locked bit width Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 223/342] KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc() Greg Kroah-Hartman
` (136 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suzuki K Poulose, Joey Gouly,
Marc Zyngier
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit 1744a6ef48b9a48f017e3e1a0d05de0a6978396e upstream.
Our vcpu reset suffers from a particularly interesting flaw, as it
does not correctly deal with state that will have an effect on the
execution flow out of reset.
Take the following completely random example, never seen in the wild
and that never resulted in a couple of sleepless nights: /s
- vcpu-A issues a PSCI_CPU_OFF using the SMC conduit
- SMC being a trapped instruction (as opposed to HVC which is always
normally executed), we annotate the vcpu as needing to skip the
next instruction, which is the SMC itself
- vcpu-A is now safely off
- vcpu-B issues a PSCI_CPU_ON for vcpu-A, providing a starting PC
- vcpu-A gets reset, get the new PC, and is sent on its merry way
- right at the point of entering the guest, we notice that a PC
increment is pending (remember the earlier SMC?)
- vcpu-A skips its first instruction...
What could possibly go wrong?
Well, I'm glad you asked. For pKVM as a NV guest, that first instruction
is extremely significant, as it indicates whether the CPU is booting
or resuming. Having skipped that instruction, nothing makes any sense
anymore, and CPU hotplugging fails.
This is all caused by the decoupling of PC update from the handling
of an exception that triggers such update, making it non-obvious
what affects what when.
Fix this train wreck by discarding all the PC-affecting state on
vcpu reset.
Fixes: f5e30680616ab ("KVM: arm64: Move __adjust_pc out of line")
Cc: stable@vger.kernel.org
Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Reviewed-by: Joey Gouly <joey.gouly@arm.com>
Link: https://patch.msgid.link/20260312140850.822968-1-maz@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/reset.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/arch/arm64/kvm/reset.c
+++ b/arch/arm64/kvm/reset.c
@@ -247,6 +247,20 @@ void kvm_reset_vcpu(struct kvm_vcpu *vcp
kvm_vcpu_set_be(vcpu);
*vcpu_pc(vcpu) = target_pc;
+
+ /*
+ * We may come from a state where either a PC update was
+ * pending (SMC call resulting in PC being increpented to
+ * skip the SMC) or a pending exception. Make sure we get
+ * rid of all that, as this cannot be valid out of reset.
+ *
+ * Note that clearing the exception mask also clears PC
+ * updates, but that's an implementation detail, and we
+ * really want to make it explicit.
+ */
+ vcpu_clear_flag(vcpu, PENDING_EXCEPTION);
+ vcpu_clear_flag(vcpu, EXCEPT_MASK);
+ vcpu_clear_flag(vcpu, INCREMENT_PC);
vcpu_set_reg(vcpu, 0, reset_state.r0);
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 223/342] KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 222/342] KVM: arm64: Discard PC update state on vcpu reset Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 224/342] hwmon: (pmbus/ina233) Fix error handling and sign extension in shunt voltage read Greg Kroah-Hartman
` (135 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zenghui Yu (Huawei), Marc Zyngier
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zenghui Yu (Huawei) <zenghui.yu@linux.dev>
commit 0496acc42fb51eee040b5170cec05cec41385540 upstream.
Using "(u64 __user *)hva + offset" to get the virtual addresses of S1/S2
descriptors looks really wrong, if offset is not zero. What we want to get
for swapping is hva + offset, not hva + offset*8. ;-)
Fix it.
Fixes: f6927b41d573 ("KVM: arm64: Add helper for swapping guest descriptor")
Signed-off-by: Zenghui Yu (Huawei) <zenghui.yu@linux.dev>
Link: https://patch.msgid.link/20260317115748.47332-1-zenghui.yu@linux.dev
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/at.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/kvm/at.c
+++ b/arch/arm64/kvm/at.c
@@ -1785,7 +1785,7 @@ int __kvm_at_swap_desc(struct kvm *kvm,
if (!writable)
return -EPERM;
- ptep = (u64 __user *)hva + offset;
+ ptep = (void __user *)hva + offset;
if (cpus_have_final_cap(ARM64_HAS_LSE_ATOMICS))
r = __lse_swap_desc(ptep, old, new);
else
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 224/342] hwmon: (pmbus/ina233) Fix error handling and sign extension in shunt voltage read
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 223/342] KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc() Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 225/342] hwmon: (pmbus/isl68137) Add mutex protection for AVS enable sysfs attributes Greg Kroah-Hartman
` (134 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanman Pradhan <psanman@juniper.net>
commit f7e775c4694782844c66da5316fed82881835cf8 upstream.
ina233_read_word_data() reads MFR_READ_VSHUNT via pmbus_read_word_data()
but has two issues:
1. The return value is not checked for errors before being used in
arithmetic. A negative error code from a failed I2C transaction is
passed directly to DIV_ROUND_CLOSEST(), producing garbage data.
2. MFR_READ_VSHUNT is a 16-bit two's complement value. Negative shunt
voltages (values with bit 15 set) are treated as large positive
values since pmbus_read_word_data() returns them zero-extended in an
int. This leads to incorrect scaling in the VIN coefficient
conversion.
Fix both issues by adding an error check, casting to s16 for proper
sign extension, and clamping the result to a valid non-negative range.
The clamp is necessary because read_word_data callbacks must return
non-negative values on success (negative values indicate errors to the
pmbus core).
Fixes: b64b6cb163f16 ("hwmon: Add driver for TI INA233 Current and Power Monitor")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260319173055.125271-2-sanman.pradhan@hpe.com
[groeck: Fixed clamp to avoid losing the sign bit]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/ina233.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/hwmon/pmbus/ina233.c
+++ b/drivers/hwmon/pmbus/ina233.c
@@ -72,7 +72,8 @@ static int ina233_read_word_data(struct
/* Adjust returned value to match VIN coefficients */
/* VIN: 1.25 mV VSHUNT: 2.5 uV LSB */
- ret = DIV_ROUND_CLOSEST(ret * 25, 12500);
+ ret = clamp_val(DIV_ROUND_CLOSEST((s16)ret * 25, 12500),
+ S16_MIN, S16_MAX) & 0xffff;
break;
default:
ret = -ENODATA;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 225/342] hwmon: (pmbus/isl68137) Add mutex protection for AVS enable sysfs attributes
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 224/342] hwmon: (pmbus/ina233) Fix error handling and sign extension in shunt voltage read Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 226/342] hwmon: (peci/cputemp) Fix crit_hyst returning delta instead of absolute temperature Greg Kroah-Hartman
` (133 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanman Pradhan <psanman@juniper.net>
commit 3075a3951f7708da5a8ab47b0b7d068a32f69e58 upstream.
The custom avs0_enable and avs1_enable sysfs attributes access PMBus
registers through the exported API helpers (pmbus_read_byte_data,
pmbus_read_word_data, pmbus_write_word_data, pmbus_update_byte_data)
without holding the PMBus update_lock mutex. These exported helpers do
not acquire the mutex internally, unlike the core's internal callers
which hold the lock before invoking them.
The store callback is especially vulnerable: it performs a multi-step
read-modify-write sequence (read VOUT_COMMAND, write VOUT_COMMAND, then
update OPERATION) where concurrent access from another thread could
interleave and corrupt the register state.
Add pmbus_lock_interruptible()/pmbus_unlock() around both the show and
store callbacks to serialize PMBus register access with the rest of the
driver.
Fixes: 038a9c3d1e424 ("hwmon: (pmbus/isl68137) Add driver for Intersil ISL68137 PWM Controller")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260319173055.125271-3-sanman.pradhan@hpe.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/pmbus/isl68137.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
--- a/drivers/hwmon/pmbus/isl68137.c
+++ b/drivers/hwmon/pmbus/isl68137.c
@@ -96,7 +96,15 @@ static ssize_t isl68137_avs_enable_show_
int page,
char *buf)
{
- int val = pmbus_read_byte_data(client, page, PMBUS_OPERATION);
+ int val;
+
+ val = pmbus_lock_interruptible(client);
+ if (val)
+ return val;
+
+ val = pmbus_read_byte_data(client, page, PMBUS_OPERATION);
+
+ pmbus_unlock(client);
if (val < 0)
return val;
@@ -118,6 +126,10 @@ static ssize_t isl68137_avs_enable_store
op_val = result ? ISL68137_VOUT_AVS : 0;
+ rc = pmbus_lock_interruptible(client);
+ if (rc)
+ return rc;
+
/*
* Writes to VOUT setpoint over AVSBus will persist after the VRM is
* switched to PMBus control. Switching back to AVSBus control
@@ -129,17 +141,20 @@ static ssize_t isl68137_avs_enable_store
rc = pmbus_read_word_data(client, page, 0xff,
PMBUS_VOUT_COMMAND);
if (rc < 0)
- return rc;
+ goto unlock;
rc = pmbus_write_word_data(client, page, PMBUS_VOUT_COMMAND,
rc);
if (rc < 0)
- return rc;
+ goto unlock;
}
rc = pmbus_update_byte_data(client, page, PMBUS_OPERATION,
ISL68137_VOUT_AVS, op_val);
+unlock:
+ pmbus_unlock(client);
+
return (rc < 0) ? rc : count;
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 226/342] hwmon: (peci/cputemp) Fix crit_hyst returning delta instead of absolute temperature
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 225/342] hwmon: (pmbus/isl68137) Add mutex protection for AVS enable sysfs attributes Greg Kroah-Hartman
@ 2026-03-31 16:20 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 227/342] hwmon: (peci/cputemp) Fix off-by-one in cputemp_is_visible() Greg Kroah-Hartman
` (132 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanman Pradhan <psanman@juniper.net>
commit 0adc752b4f7d82af7bd14f7cad3091b3b5d702ba upstream.
The hwmon sysfs ABI expects tempN_crit_hyst to report the temperature at
which the critical condition clears, not the hysteresis delta from the
critical limit.
The peci cputemp driver currently returns tjmax - tcontrol for
crit_hyst_type, which is the hysteresis margin rather than the
corresponding absolute temperature.
Return tcontrol directly, and update the documentation accordingly.
Fixes: bf3608f338e9 ("hwmon: peci: Add cputemp driver")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260323002352.93417-2-sanman.pradhan@hpe.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/hwmon/peci-cputemp.rst | 10 ++++++----
drivers/hwmon/peci/cputemp.c | 2 +-
2 files changed, 7 insertions(+), 5 deletions(-)
--- a/Documentation/hwmon/peci-cputemp.rst
+++ b/Documentation/hwmon/peci-cputemp.rst
@@ -51,8 +51,9 @@ temp1_max Provides thermal control temp
temp1_crit Provides shutdown temperature of the CPU package which
is also known as the maximum processor junction
temperature, Tjmax or Tprochot.
-temp1_crit_hyst Provides the hysteresis value from Tcontrol to Tjmax of
- the CPU package.
+temp1_crit_hyst Provides the hysteresis temperature of the CPU
+ package. Returns Tcontrol, the temperature at which
+ the critical condition clears.
temp2_label "DTS"
temp2_input Provides current temperature of the CPU package scaled
@@ -62,8 +63,9 @@ temp2_max Provides thermal control temp
temp2_crit Provides shutdown temperature of the CPU package which
is also known as the maximum processor junction
temperature, Tjmax or Tprochot.
-temp2_crit_hyst Provides the hysteresis value from Tcontrol to Tjmax of
- the CPU package.
+temp2_crit_hyst Provides the hysteresis temperature of the CPU
+ package. Returns Tcontrol, the temperature at which
+ the critical condition clears.
temp3_label "Tcontrol"
temp3_input Provides current Tcontrol temperature of the CPU
--- a/drivers/hwmon/peci/cputemp.c
+++ b/drivers/hwmon/peci/cputemp.c
@@ -131,7 +131,7 @@ static int get_temp_target(struct peci_c
*val = priv->temp.target.tjmax;
break;
case crit_hyst_type:
- *val = priv->temp.target.tjmax - priv->temp.target.tcontrol;
+ *val = priv->temp.target.tcontrol;
break;
default:
ret = -EOPNOTSUPP;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 227/342] hwmon: (peci/cputemp) Fix off-by-one in cputemp_is_visible()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2026-03-31 16:20 ` [PATCH 6.19 226/342] hwmon: (peci/cputemp) Fix crit_hyst returning delta instead of absolute temperature Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 228/342] media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex Greg Kroah-Hartman
` (131 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanman Pradhan <psanman@juniper.net>
commit b0c9d8ae71509f25690d57f2efddebf7f4b12194 upstream.
cputemp_is_visible() validates the channel index against
CPUTEMP_CHANNEL_NUMS, but currently uses '>' instead of '>='.
As a result, channel == CPUTEMP_CHANNEL_NUMS is not rejected even though
valid indices are 0 .. CPUTEMP_CHANNEL_NUMS - 1.
Fix the bounds check by using '>=' so invalid channel indices are
rejected before indexing the core bitmap.
Fixes: bf3608f338e9 ("hwmon: peci: Add cputemp driver")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260323002352.93417-3-sanman.pradhan@hpe.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/peci/cputemp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hwmon/peci/cputemp.c
+++ b/drivers/hwmon/peci/cputemp.c
@@ -319,7 +319,7 @@ static umode_t cputemp_is_visible(const
{
const struct peci_cputemp *priv = data;
- if (channel > CPUTEMP_CHANNEL_NUMS)
+ if (channel >= CPUTEMP_CHANNEL_NUMS)
return 0;
if (channel < channel_core)
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 228/342] media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 227/342] hwmon: (peci/cputemp) Fix off-by-one in cputemp_is_visible() Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 229/342] media: verisilicon: Fix kernel panic due to __initconst misuse Greg Kroah-Hartman
` (130 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuchan Nam, Sakari Ailus,
Mauro Carvalho Chehab
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuchan Nam <entropy1110@gmail.com>
commit bef4f4a88b73e4cc550d25f665b8a9952af22773 upstream.
MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0)
queue teardown paths. This can race request object cleanup against vb2
queue cancellation and lead to use-after-free reports.
We already serialize request queueing against STREAMON/OFF with
req_queue_mutex. Extend that serialization to REQBUFS, and also take
the same mutex in media_request_ioctl_reinit() so REINIT is in the
same exclusion domain.
This keeps request cleanup and queue cancellation from running in
parallel for request-capable devices.
Fixes: 6093d3002eab ("media: vb2: keep a reference to the request until dqbuf")
Cc: stable@vger.kernel.org
Signed-off-by: Yuchan Nam <entropy1110@gmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/mc/mc-request.c | 5 +++++
drivers/media/v4l2-core/v4l2-ioctl.c | 5 +++--
2 files changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/media/mc/mc-request.c
+++ b/drivers/media/mc/mc-request.c
@@ -190,6 +190,8 @@ static long media_request_ioctl_reinit(s
struct media_device *mdev = req->mdev;
unsigned long flags;
+ mutex_lock(&mdev->req_queue_mutex);
+
spin_lock_irqsave(&req->lock, flags);
if (req->state != MEDIA_REQUEST_STATE_IDLE &&
req->state != MEDIA_REQUEST_STATE_COMPLETE) {
@@ -197,6 +199,7 @@ static long media_request_ioctl_reinit(s
"request: %s not in idle or complete state, cannot reinit\n",
req->debug_str);
spin_unlock_irqrestore(&req->lock, flags);
+ mutex_unlock(&mdev->req_queue_mutex);
return -EBUSY;
}
if (req->access_count) {
@@ -204,6 +207,7 @@ static long media_request_ioctl_reinit(s
"request: %s is being accessed, cannot reinit\n",
req->debug_str);
spin_unlock_irqrestore(&req->lock, flags);
+ mutex_unlock(&mdev->req_queue_mutex);
return -EBUSY;
}
req->state = MEDIA_REQUEST_STATE_CLEANING;
@@ -214,6 +218,7 @@ static long media_request_ioctl_reinit(s
spin_lock_irqsave(&req->lock, flags);
req->state = MEDIA_REQUEST_STATE_IDLE;
spin_unlock_irqrestore(&req->lock, flags);
+ mutex_unlock(&mdev->req_queue_mutex);
return 0;
}
--- a/drivers/media/v4l2-core/v4l2-ioctl.c
+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
@@ -3081,13 +3081,14 @@ static long __video_do_ioctl(struct file
}
/*
- * We need to serialize streamon/off with queueing new requests.
+ * We need to serialize streamon/off/reqbufs with queueing new requests.
* These ioctls may trigger the cancellation of a streaming
* operation, and that should not be mixed with queueing a new
* request at the same time.
*/
if (v4l2_device_supports_requests(vfd->v4l2_dev) &&
- (cmd == VIDIOC_STREAMON || cmd == VIDIOC_STREAMOFF)) {
+ (cmd == VIDIOC_STREAMON || cmd == VIDIOC_STREAMOFF ||
+ cmd == VIDIOC_REQBUFS)) {
req_queue_lock = &vfd->v4l2_dev->mdev->req_queue_mutex;
if (mutex_lock_interruptible(req_queue_lock))
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 229/342] media: verisilicon: Fix kernel panic due to __initconst misuse
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 228/342] media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 230/342] xfrm: iptfs: validate inner IPv4 header length in IPTFS payload Greg Kroah-Hartman
` (129 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Franz Schnyder,
Marco Felsch, Ming Qian, Frank Li, stable, Nicolas Dufresne,
Hans Verkuil
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Qian <ming.qian@oss.nxp.com>
commit e8d97c270cb46a2a88739019d0f8547adc7d97da upstream.
Fix a kernel panic when probing the driver as a module:
Unable to handle kernel paging request at virtual address
ffffd9c18eb05000
of_find_matching_node_and_match+0x5c/0x1a0
hantro_probe+0x2f4/0x7d0 [hantro_vpu]
The imx8mq_vpu_shared_resources array is referenced by variant
structures through their shared_devices field. When built as a
module, __initconst causes this data to be freed after module
init, but it's later accessed during probe, causing a page fault.
The imx8mq_vpu_shared_resources is referenced from non-init code,
so keeping __initconst or __initconst_or_module here is wrong.
Drop the __initconst annotation and let it live in the normal .rodata
section.
A bug of __initconst called from regular non-init probe code
leading to bugs during probe deferrals or during unbind-bind cycles.
Reported-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Closes: https://lore.kernel.org/all/68ef934f-baa0-4bf6-93d8-834bbc441e66@kernel.org/
Reported-by: Franz Schnyder <franz.schnyder@toradex.com>
Closes: https://lore.kernel.org/all/n3qmcb62tepxltoskpf7ws6yiirc2so62ia23b42rj3wlmpl67@rvkbuirx7kkp/
Fixes: e0203ddf9af7 ("media: verisilicon: Avoid G2 bus error while decoding H.264 and HEVC")
Suggested-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Suggested-by: Marco Felsch <m.felsch@pengutronix.de>
Reviewed-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Cc: stable@kernel.org
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/verisilicon/imx8m_vpu_hw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/verisilicon/imx8m_vpu_hw.c b/drivers/media/platform/verisilicon/imx8m_vpu_hw.c
index 6f8e43b7f157..fa4224de4b99 100644
--- a/drivers/media/platform/verisilicon/imx8m_vpu_hw.c
+++ b/drivers/media/platform/verisilicon/imx8m_vpu_hw.c
@@ -343,7 +343,7 @@ const struct hantro_variant imx8mq_vpu_variant = {
.num_regs = ARRAY_SIZE(imx8mq_reg_names)
};
-static const struct of_device_id imx8mq_vpu_shared_resources[] __initconst = {
+static const struct of_device_id imx8mq_vpu_shared_resources[] = {
{ .compatible = "nxp,imx8mq-vpu-g1", },
{ .compatible = "nxp,imx8mq-vpu-g2", },
{ /* sentinel */ }
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 230/342] xfrm: iptfs: validate inner IPv4 header length in IPTFS payload
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 229/342] media: verisilicon: Fix kernel panic due to __initconst misuse Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 231/342] xfrm: iptfs: only publish mode_data after clone setup Greg Kroah-Hartman
` (128 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Roshan Kumar, Steffen Klassert
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roshan Kumar <roshaen09@gmail.com>
commit 0d10393d5eac33cbd92f7a41fddca12c41d3cb7e upstream.
Add validation of the inner IPv4 packet tot_len and ihl fields parsed
from decrypted IPTFS payloads in __input_process_payload(). A crafted
ESP packet containing an inner IPv4 header with tot_len=0 causes an
infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the
data offset never advances and the while(data < tail) loop never
terminates, spinning forever in softirq context.
Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct
iphdr), which catches both the tot_len=0 case and malformed ihl values.
The normal IP stack performs this validation in ip_rcv_core(), but IPTFS
extracts and processes inner packets before they reach that layer.
Reported-by: Roshan Kumar <roshaen09@gmail.com>
Fixes: 6c82d2433671 ("xfrm: iptfs: add basic receive packet (tunnel egress) handling")
Cc: stable@vger.kernel.org
Signed-off-by: Roshan Kumar <roshaen09@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/xfrm/xfrm_iptfs.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/xfrm/xfrm_iptfs.c
+++ b/net/xfrm/xfrm_iptfs.c
@@ -997,6 +997,11 @@ static bool __input_process_payload(stru
iplen = be16_to_cpu(iph->tot_len);
iphlen = iph->ihl << 2;
+ if (iplen < iphlen || iphlen < sizeof(*iph)) {
+ XFRM_INC_STATS(net,
+ LINUX_MIB_XFRMINHDRERROR);
+ goto done;
+ }
protocol = cpu_to_be16(ETH_P_IP);
XFRM_MODE_SKB_CB(skbseq->root_skb)->tos = iph->tos;
} else if (iph->version == 0x6) {
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 231/342] xfrm: iptfs: only publish mode_data after clone setup
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 230/342] xfrm: iptfs: validate inner IPv4 header length in IPTFS payload Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 232/342] virt: tdx-guest: Fix handling of host controlled quote buffer length Greg Kroah-Hartman
` (127 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Moses, Steffen Klassert
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Moses <p@1g4.org>
commit d849a2f7309fc0616e79d13b008b0a47e0458b6e upstream.
iptfs_clone_state() stores x->mode_data before allocating the reorder
window. If that allocation fails, the code frees the cloned state and
returns -ENOMEM, leaving x->mode_data pointing at freed memory.
The xfrm clone unwind later runs destroy_state() through x->mode_data,
so the failed clone path tears down IPTFS state that clone_state()
already freed.
Keep the cloned IPTFS state private until all allocations succeed so
failed clones leave x->mode_data unset. The destroy path already
handles a NULL mode_data pointer.
Fixes: 6be02e3e4f37 ("xfrm: iptfs: handle reordering of received packets")
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moses <p@1g4.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/xfrm/xfrm_iptfs.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/xfrm/xfrm_iptfs.c
+++ b/net/xfrm/xfrm_iptfs.c
@@ -2664,9 +2664,6 @@ static int iptfs_clone_state(struct xfrm
if (!xtfs)
return -ENOMEM;
- x->mode_data = xtfs;
- xtfs->x = x;
-
xtfs->ra_newskb = NULL;
if (xtfs->cfg.reorder_win_size) {
xtfs->w_saved = kcalloc(xtfs->cfg.reorder_win_size,
@@ -2677,6 +2674,9 @@ static int iptfs_clone_state(struct xfrm
}
}
+ x->mode_data = xtfs;
+ xtfs->x = x;
+
return 0;
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 232/342] virt: tdx-guest: Fix handling of host controlled quote buffer length
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 231/342] xfrm: iptfs: only publish mode_data after clone setup Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 233/342] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false Greg Kroah-Hartman
` (126 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zubin Mithra, Dan Williams,
Kiryl Shutsemau (Meta), Kuppuswamy Sathyanarayanan
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zubin Mithra <zsm@google.com>
commit c3fd16c3b98ed726294feab2f94f876290bf7b61 upstream.
Validate host controlled value `quote_buf->out_len` that determines how
many bytes of the quote are copied out to guest userspace. In TDX
environments with remote attestation, quotes are not considered private,
and can be forwarded to an attestation server.
Catch scenarios where the host specifies a response length larger than
the guest's allocation, or otherwise races modifying the response while
the guest consumes it.
This prevents contents beyond the pages allocated for `quote_buf`
(up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace,
and possibly forwarded in attestation requests.
Recall that some deployments want per-container configs-tsm-report
interfaces, so the leak may cross container protection boundaries, not
just local root.
Fixes: f4738f56d1dc ("virt: tdx-guest: Add Quote generation support using TSM_REPORTS")
Cc: stable@vger.kernel.org
Signed-off-by: Zubin Mithra <zsm@google.com>
Reviewed-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Kiryl Shutsemau (Meta) <kas@kernel.org>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/virt/coco/tdx-guest/tdx-guest.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/drivers/virt/coco/tdx-guest/tdx-guest.c
+++ b/drivers/virt/coco/tdx-guest/tdx-guest.c
@@ -169,6 +169,8 @@ static void tdx_mr_deinit(const struct a
#define GET_QUOTE_SUCCESS 0
#define GET_QUOTE_IN_FLIGHT 0xffffffffffffffff
+#define TDX_QUOTE_MAX_LEN (GET_QUOTE_BUF_SIZE - sizeof(struct tdx_quote_buf))
+
/* struct tdx_quote_buf: Format of Quote request buffer.
* @version: Quote format version, filled by TD.
* @status: Status code of Quote request, filled by VMM.
@@ -267,6 +269,7 @@ static int tdx_report_new_locked(struct
u8 *buf;
struct tdx_quote_buf *quote_buf = quote_data;
struct tsm_report_desc *desc = &report->desc;
+ u32 out_len;
int ret;
u64 err;
@@ -304,12 +307,17 @@ static int tdx_report_new_locked(struct
return ret;
}
- buf = kvmemdup(quote_buf->data, quote_buf->out_len, GFP_KERNEL);
+ out_len = READ_ONCE(quote_buf->out_len);
+
+ if (out_len > TDX_QUOTE_MAX_LEN)
+ return -EFBIG;
+
+ buf = kvmemdup(quote_buf->data, out_len, GFP_KERNEL);
if (!buf)
return -ENOMEM;
report->outblob = buf;
- report->outblob_len = quote_buf->out_len;
+ report->outblob_len = out_len;
/*
* TODO: parse the PEM-formatted cert chain out of the quote buffer when
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 233/342] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 232/342] virt: tdx-guest: Fix handling of host controlled quote buffer length Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 234/342] vfio/pci: Fix double free in dma-buf feature Greg Kroah-Hartman
` (125 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, xietangxin, Xuan Zhuo,
Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: xietangxin <xietangxin@yeah.net>
commit ba8bda9a0896746053aa97ac6c3e08168729172c upstream.
A UAF issue occurs when the virtio_net driver is configured with napi_tx=N
and the device's IFF_XMIT_DST_RELEASE flag is cleared
(e.g., during the configuration of tc route filter rules).
When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack
expects the driver to hold the reference to skb->dst until the packet
is fully transmitted and freed. In virtio_net with napi_tx=N,
skbs may remain in the virtio transmit ring for an extended period.
If the network namespace is destroyed while these skbs are still pending,
the corresponding dst_ops structure has freed. When a subsequent packet
is transmitted, free_old_xmit() is triggered to clean up old skbs.
It then calls dst_release() on the skb associated with the stale dst_entry.
Since the dst_ops (referenced by the dst_entry) has already been freed,
a UAF kernel paging request occurs.
fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release
the dst reference before the skb is queued in virtio_net.
Call Trace:
Unable to handle kernel paging request at virtual address ffff80007e150000
CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT
...
percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)
dst_release+0xe0/0x110 net/core/dst.c:177
skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177
sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255
dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469
napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527
__free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net]
free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]
start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]
...
Reproduction Steps:
NETDEV="enp3s0"
config_qdisc_route_filter() {
tc qdisc del dev $NETDEV root
tc qdisc add dev $NETDEV root handle 1: prio
tc filter add dev $NETDEV parent 1:0 \
protocol ip prio 100 route to 100 flowid 1:1
ip route add 192.168.1.100/32 dev $NETDEV realm 100
}
test_ns() {
ip netns add testns
ip link set $NETDEV netns testns
ip netns exec testns ifconfig $NETDEV 10.0.32.46/24
ip netns exec testns ping -c 1 10.0.32.1
ip netns del testns
}
config_qdisc_route_filter
test_ns
sleep 2
test_ns
Fixes: f2fc6a54585a ("[NETNS][IPV6] route6 - move ip6_dst_ops inside the network namespace")
Cc: stable@vger.kernel.org
Signed-off-by: xietangxin <xietangxin@yeah.net>
Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Fixes: 0287587884b1 ("net: better IFF_XMIT_DST_RELEASE support")
Link: https://patch.msgid.link/20260312025406.15641-1-xietangxin@yeah.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/virtio_net.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -3355,6 +3355,7 @@ static netdev_tx_t start_xmit(struct sk_
/* Don't wait up for transmitted skbs to be freed. */
if (!use_napi) {
skb_orphan(skb);
+ skb_dst_drop(skb);
nf_reset_ct(skb);
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 234/342] vfio/pci: Fix double free in dma-buf feature
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 233/342] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 235/342] erofs: add GFP_NOIO in the bio completion if needed Greg Kroah-Hartman
` (124 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Renato Marziano, Leon Romanovsky,
Alex Williamson, Jason Gunthorpe, Alex Williamson
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Williamson <alex.williamson@nvidia.com>
commit e98137f0a874ab36d0946de4707aa48cb7137d1c upstream.
The error path through vfio_pci_core_feature_dma_buf() ignores its
own advice to only use dma_buf_put() after dma_buf_export(), instead
falling through the entire unwind chain. In the unlikely event that
we encounter file descriptor exhaustion, this can result in an
unbalanced refcount on the vfio device and double free of allocated
objects.
Avoid this by moving the "put" directly into the error path and return
the errno rather than entering the unwind chain.
Reported-by: Renato Marziano <renato@marziano.top>
Fixes: 5d74781ebc86 ("vfio/pci: Add dma-buf export support for MMIO regions")
Cc: stable@vger.kernel.org
Acked-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Alex Williamson <alex.williamson@nvidia.com>
Link: https://lore.kernel.org/r/20260323215659.2108191-3-alex.williamson@nvidia.com
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Alex Williamson <alex@shazbot.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vfio/pci/vfio_pci_dmabuf.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/vfio/pci/vfio_pci_dmabuf.c
+++ b/drivers/vfio/pci/vfio_pci_dmabuf.c
@@ -302,11 +302,10 @@ int vfio_pci_core_feature_dma_buf(struct
*/
ret = dma_buf_fd(priv->dmabuf, get_dma_buf.open_flags);
if (ret < 0)
- goto err_dma_buf;
+ dma_buf_put(priv->dmabuf);
+
return ret;
-err_dma_buf:
- dma_buf_put(priv->dmabuf);
err_dev_put:
vfio_device_put_registration(&vdev->vdev);
err_free_phys:
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 235/342] erofs: add GFP_NOIO in the bio completion if needed
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 234/342] vfio/pci: Fix double free in dma-buf feature Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 236/342] alarmtimer: Fix argument order in alarm_timer_forward() Greg Kroah-Hartman
` (123 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gao Xiang, Jiucheng Xu, Chao Yu
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiucheng Xu <jiucheng.xu@amlogic.com>
commit c23df30915f83e7257c8625b690a1cece94142a0 upstream.
The bio completion path in the process context (e.g. dm-verity)
will directly call into decompression rather than trigger another
workqueue context for minimal scheduling latencies, which can
then call vm_map_ram() with GFP_KERNEL.
Due to insufficient memory, vm_map_ram() may generate memory
swapping I/O, which can cause submit_bio_wait to deadlock
in some scenarios.
Trimmed down the call stack, as follows:
f2fs_submit_read_io
submit_bio //bio_list is initialized.
mmc_blk_mq_recovery
z_erofs_endio
vm_map_ram
__pte_alloc_kernel
__alloc_pages_direct_reclaim
shrink_folio_list
__swap_writepage
submit_bio_wait //bio_list is non-NULL, hang!!!
Use memalloc_noio_{save,restore}() to wrap up this path.
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Jiucheng Xu <jiucheng.xu@amlogic.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/erofs/zdata.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/erofs/zdata.c
+++ b/fs/erofs/zdata.c
@@ -1459,6 +1459,7 @@ static void z_erofs_decompress_kickoff(s
int bios)
{
struct erofs_sb_info *const sbi = EROFS_SB(io->sb);
+ int gfp_flag;
/* wake up the caller thread for sync decompression */
if (io->sync) {
@@ -1491,7 +1492,9 @@ static void z_erofs_decompress_kickoff(s
sbi->opt.sync_decompress = EROFS_SYNC_DECOMPRESS_FORCE_ON;
return;
}
+ gfp_flag = memalloc_noio_save();
z_erofs_decompressqueue_work(&io->u.work);
+ memalloc_noio_restore(gfp_flag);
}
static void z_erofs_fill_bio_vec(struct bio_vec *bvec,
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 236/342] alarmtimer: Fix argument order in alarm_timer_forward()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 235/342] erofs: add GFP_NOIO in the bio completion if needed Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 237/342] mm/huge_memory: fix folio isnt locked in softleaf_to_folio() Greg Kroah-Hartman
` (122 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhan Xusheng, Thomas Gleixner
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhan Xusheng <zhanxusheng1024@gmail.com>
commit 5d16467ae56343b9205caedf85e3a131e0914ad8 upstream.
alarm_timer_forward() passes arguments to alarm_forward() in the wrong
order:
alarm_forward(alarm, timr->it_interval, now);
However, alarm_forward() is defined as:
u64 alarm_forward(struct alarm *alarm, ktime_t now, ktime_t interval);
and uses the second argument as the current time:
delta = ktime_sub(now, alarm->node.expires);
Passing the interval as "now" results in incorrect delta computation,
which can lead to missed expirations or incorrect overrun accounting.
This issue has been present since the introduction of
alarm_timer_forward().
Fix this by swapping the arguments.
Fixes: e7561f1633ac ("alarmtimer: Implement forward callback")
Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260323061130.29991-1-zhanxusheng@xiaomi.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/alarmtimer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/time/alarmtimer.c
+++ b/kernel/time/alarmtimer.c
@@ -540,7 +540,7 @@ static s64 alarm_timer_forward(struct k_
{
struct alarm *alarm = &timr->it.alarm.alarmtimer;
- return alarm_forward(alarm, timr->it_interval, now);
+ return alarm_forward(alarm, now, timr->it_interval);
}
/**
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 237/342] mm/huge_memory: fix folio isnt locked in softleaf_to_folio()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 236/342] alarmtimer: Fix argument order in alarm_timer_forward() Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 238/342] writeback: dont block sync for filesystems with no data integrity guarantees Greg Kroah-Hartman
` (121 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jinjiang Tu, David Hildenbrand (Arm),
Lorenzo Stoakes (Oracle), Barry Song, Kefeng Wang, Liam Howlett,
Michal Hocko, Mike Rapoport, Nanyong Sun, Ryan Roberts,
Suren Baghdasaryan, Vlastimil Babka, Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjiang Tu <tujinjiang@huawei.com>
commit 4c5e7f0fcd592801c9cc18f29f80fbee84eb8669 upstream.
On arm64 server, we found folio that get from migration entry isn't locked
in softleaf_to_folio(). This issue triggers when mTHP splitting and
zap_nonpresent_ptes() races, and the root cause is lack of memory barrier
in softleaf_to_folio(). The race is as follows:
CPU0 CPU1
deferred_split_scan() zap_nonpresent_ptes()
lock folio
split_folio()
unmap_folio()
change ptes to migration entries
__split_folio_to_order() softleaf_to_folio()
set flags(including PG_locked) for tail pages folio = pfn_folio(softleaf_to_pfn(entry))
smp_wmb() VM_WARN_ON_ONCE(!folio_test_locked(folio))
prep_compound_page() for tail pages
In __split_folio_to_order(), smp_wmb() guarantees page flags of tail pages
are visible before the tail page becomes non-compound. smp_wmb() should
be paired with smp_rmb() in softleaf_to_folio(), which is missed. As a
result, if zap_nonpresent_ptes() accesses migration entry that stores tail
pfn, softleaf_to_folio() may see the updated compound_head of tail page
before page->flags.
This issue will trigger VM_WARN_ON_ONCE() in pfn_swap_entry_folio()
because of the race between folio split and zap_nonpresent_ptes()
leading to a folio incorrectly undergoing modification without a folio
lock being held.
This is a BUG_ON() before commit 93976a20345b ("mm: eliminate further
swapops predicates"), which in merged in v6.19-rc1.
To fix it, add missing smp_rmb() if the softleaf entry is migration entry
in softleaf_to_folio() and softleaf_to_page().
[tujinjiang@huawei.com: update function name and comments]
Link: https://lkml.kernel.org/r/20260321075214.3305564-1-tujinjiang@huawei.com
Link: https://lkml.kernel.org/r/20260319012541.4158561-1-tujinjiang@huawei.com
Fixes: e9b61f19858a ("thp: reintroduce split_huge_page()")
Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Reviewed-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Cc: Barry Song <baohua@kernel.org>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Nanyong Sun <sunnanyong@huawei.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/leafops.h | 32 +++++++++++++++++++++-----------
1 file changed, 21 insertions(+), 11 deletions(-)
--- a/include/linux/leafops.h
+++ b/include/linux/leafops.h
@@ -363,6 +363,23 @@ static inline unsigned long softleaf_to_
return swp_offset(entry) & SWP_PFN_MASK;
}
+static inline void softleaf_migration_sync(softleaf_t entry,
+ struct folio *folio)
+{
+ /*
+ * Ensure we do not race with split, which might alter tail pages into new
+ * folios and thus result in observing an unlocked folio.
+ * This matches the write barrier in __split_folio_to_order().
+ */
+ smp_rmb();
+
+ /*
+ * Any use of migration entries may only occur while the
+ * corresponding page is locked
+ */
+ VM_WARN_ON_ONCE(!folio_test_locked(folio));
+}
+
/**
* softleaf_to_page() - Obtains struct page for PFN encoded within leaf entry.
* @entry: Leaf entry, softleaf_has_pfn(@entry) must return true.
@@ -374,11 +391,8 @@ static inline struct page *softleaf_to_p
struct page *page = pfn_to_page(softleaf_to_pfn(entry));
VM_WARN_ON_ONCE(!softleaf_has_pfn(entry));
- /*
- * Any use of migration entries may only occur while the
- * corresponding page is locked
- */
- VM_WARN_ON_ONCE(softleaf_is_migration(entry) && !PageLocked(page));
+ if (softleaf_is_migration(entry))
+ softleaf_migration_sync(entry, page_folio(page));
return page;
}
@@ -394,12 +408,8 @@ static inline struct folio *softleaf_to_
struct folio *folio = pfn_folio(softleaf_to_pfn(entry));
VM_WARN_ON_ONCE(!softleaf_has_pfn(entry));
- /*
- * Any use of migration entries may only occur while the
- * corresponding folio is locked.
- */
- VM_WARN_ON_ONCE(softleaf_is_migration(entry) &&
- !folio_test_locked(folio));
+ if (softleaf_is_migration(entry))
+ softleaf_migration_sync(entry, folio);
return folio;
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 238/342] writeback: dont block sync for filesystems with no data integrity guarantees
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 237/342] mm/huge_memory: fix folio isnt locked in softleaf_to_folio() Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 239/342] x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling() Greg Kroah-Hartman
` (120 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John, Joanne Koong, Jan Kara,
David Hildenbrand (Arm), Christian Brauner
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
commit 76f9377cd2ab7a9220c25d33940d9ca20d368172 upstream.
Add a SB_I_NO_DATA_INTEGRITY superblock flag for filesystems that cannot
guarantee data persistence on sync (eg fuse). For superblocks with this
flag set, sync kicks off writeback of dirty inodes but does not wait
for the flusher threads to complete the writeback.
This replaces the per-inode AS_NO_DATA_INTEGRITY mapping flag added in
commit f9a49aa302a0 ("fs/writeback: skip AS_NO_DATA_INTEGRITY mappings
in wait_sb_inodes()"). The flag belongs at the superblock level because
data integrity is a filesystem-wide property, not a per-inode one.
Having this flag at the superblock level also allows us to skip having
to iterate every dirty inode in wait_sb_inodes() only to skip each inode
individually.
Prior to this commit, mappings with no data integrity guarantees skipped
waiting on writeback completion but still waited on the flusher threads
to finish initiating the writeback. Waiting on the flusher threads is
unnecessary. This commit kicks off writeback but does not wait on the
flusher threads. This change properly addresses a recent report [1] for
a suspend-to-RAM hang seen on fuse-overlayfs that was caused by waiting
on the flusher threads to finish:
Workqueue: pm_fs_sync pm_fs_sync_work_fn
Call Trace:
<TASK>
__schedule+0x457/0x1720
schedule+0x27/0xd0
wb_wait_for_completion+0x97/0xe0
sync_inodes_sb+0xf8/0x2e0
__iterate_supers+0xdc/0x160
ksys_sync+0x43/0xb0
pm_fs_sync_work_fn+0x17/0xa0
process_one_work+0x193/0x350
worker_thread+0x1a1/0x310
kthread+0xfc/0x240
ret_from_fork+0x243/0x280
ret_from_fork_asm+0x1a/0x30
</TASK>
On fuse this is problematic because there are paths that may cause the
flusher thread to block (eg if systemd freezes the user session cgroups
first, which freezes the fuse daemon, before invoking the kernel
suspend. The kernel suspend triggers ->write_node() which on fuse issues
a synchronous setattr request, which cannot be processed since the
daemon is frozen. Or if the daemon is buggy and cannot properly complete
writeback, initiating writeback on a dirty folio already under writeback
leads to writeback_get_folio() -> folio_prepare_writeback() ->
unconditional wait on writeback to finish, which will cause a hang).
This commit restores fuse to its prior behavior before tmp folios were
removed, where sync was essentially a no-op.
[1] https://lore.kernel.org/linux-fsdevel/CAJnrk1a-asuvfrbKXbEwwDSctvemF+6zfhdnuzO65Pt8HsFSRw@mail.gmail.com/T/#m632c4648e9cafc4239299887109ebd880ac6c5c1
Fixes: 0c58a97f919c ("fuse: remove tmp folio for writebacks and internal rb tree")
Reported-by: John <therealgraysky@proton.me>
Cc: stable@vger.kernel.org
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Link: https://patch.msgid.link/20260320005145.2483161-2-joannelkoong@gmail.com
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: David Hildenbrand (Arm) <david@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fs-writeback.c | 18 ++++++++++++------
fs/fuse/file.c | 4 +---
fs/fuse/inode.c | 1 +
include/linux/fs/super_types.h | 1 +
include/linux/pagemap.h | 11 -----------
5 files changed, 15 insertions(+), 20 deletions(-)
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -2759,13 +2759,8 @@ static void wait_sb_inodes(struct super_
* The mapping can appear untagged while still on-list since we
* do not have the mapping lock. Skip it here, wb completion
* will remove it.
- *
- * If the mapping does not have data integrity semantics,
- * there's no need to wait for the writeout to complete, as the
- * mapping cannot guarantee that data is persistently stored.
*/
- if (!mapping_tagged(mapping, PAGECACHE_TAG_WRITEBACK) ||
- mapping_no_data_integrity(mapping))
+ if (!mapping_tagged(mapping, PAGECACHE_TAG_WRITEBACK))
continue;
spin_unlock_irq(&sb->s_inode_wblist_lock);
@@ -2900,6 +2895,17 @@ void sync_inodes_sb(struct super_block *
*/
if (bdi == &noop_backing_dev_info)
return;
+
+ /*
+ * If the superblock has SB_I_NO_DATA_INTEGRITY set, there's no need to
+ * wait for the writeout to complete, as the filesystem cannot guarantee
+ * data persistence on sync. Just kick off writeback and return.
+ */
+ if (sb->s_iflags & SB_I_NO_DATA_INTEGRITY) {
+ wakeup_flusher_threads_bdi(bdi, WB_REASON_SYNC);
+ return;
+ }
+
WARN_ON(!rwsem_is_locked(&sb->s_umount));
/* protect against inode wb switch, see inode_switch_wbs_work_fn() */
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -3200,10 +3200,8 @@ void fuse_init_file_inode(struct inode *
inode->i_fop = &fuse_file_operations;
inode->i_data.a_ops = &fuse_file_aops;
- if (fc->writeback_cache) {
+ if (fc->writeback_cache)
mapping_set_writeback_may_deadlock_on_reclaim(&inode->i_data);
- mapping_set_no_data_integrity(&inode->i_data);
- }
INIT_LIST_HEAD(&fi->write_files);
INIT_LIST_HEAD(&fi->queued_writes);
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1709,6 +1709,7 @@ static void fuse_sb_defaults(struct supe
sb->s_export_op = &fuse_export_operations;
sb->s_iflags |= SB_I_IMA_UNVERIFIABLE_SIGNATURE;
sb->s_iflags |= SB_I_NOIDMAP;
+ sb->s_iflags |= SB_I_NO_DATA_INTEGRITY;
if (sb->s_user_ns != &init_user_ns)
sb->s_iflags |= SB_I_UNTRUSTED_MOUNTER;
sb->s_flags &= ~(SB_NOSEC | SB_I_VERSION);
--- a/include/linux/fs/super_types.h
+++ b/include/linux/fs/super_types.h
@@ -332,5 +332,6 @@ struct super_block {
#define SB_I_NOUMASK 0x00001000 /* VFS does not apply umask */
#define SB_I_NOIDMAP 0x00002000 /* No idmapped mounts on this superblock */
#define SB_I_ALLOW_HSM 0x00004000 /* Allow HSM events on this superblock */
+#define SB_I_NO_DATA_INTEGRITY 0x00008000 /* fs cannot guarantee data persistence on sync */
#endif /* _LINUX_FS_SUPER_TYPES_H */
--- a/include/linux/pagemap.h
+++ b/include/linux/pagemap.h
@@ -210,7 +210,6 @@ enum mapping_flags {
AS_WRITEBACK_MAY_DEADLOCK_ON_RECLAIM = 9,
AS_KERNEL_FILE = 10, /* mapping for a fake kernel file that shouldn't
account usage to user cgroups */
- AS_NO_DATA_INTEGRITY = 11, /* no data integrity guarantees */
/* Bits 16-25 are used for FOLIO_ORDER */
AS_FOLIO_ORDER_BITS = 5,
AS_FOLIO_ORDER_MIN = 16,
@@ -346,16 +345,6 @@ static inline bool mapping_writeback_may
return test_bit(AS_WRITEBACK_MAY_DEADLOCK_ON_RECLAIM, &mapping->flags);
}
-static inline void mapping_set_no_data_integrity(struct address_space *mapping)
-{
- set_bit(AS_NO_DATA_INTEGRITY, &mapping->flags);
-}
-
-static inline bool mapping_no_data_integrity(const struct address_space *mapping)
-{
- return test_bit(AS_NO_DATA_INTEGRITY, &mapping->flags);
-}
-
static inline gfp_t mapping_gfp_mask(const struct address_space *mapping)
{
return mapping->gfp_mask;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 239/342] x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 238/342] writeback: dont block sync for filesystems with no data integrity guarantees Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 240/342] x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask Greg Kroah-Hartman
` (119 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Borislav Petkov, Sohil Mehta,
Nikunj A Dadhania, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikunj A Dadhania <nikunj@amd.com>
commit 05243d490bb7852a8acca7b5b5658019c7797a52 upstream.
Move FSGSBASE enablement from identify_cpu() to cpu_init_exception_handling()
to ensure it is enabled before any exceptions can occur on both boot and
secondary CPUs.
== Background ==
Exception entry code (paranoid_entry()) uses ALTERNATIVE patching based on
X86_FEATURE_FSGSBASE to decide whether to use RDGSBASE/WRGSBASE instructions
or the slower RDMSR/SWAPGS sequence for saving/restoring GSBASE.
On boot CPU, ALTERNATIVE patching happens after enabling FSGSBASE in CR4.
When the feature is available, the code is permanently patched to use
RDGSBASE/WRGSBASE, which require CR4.FSGSBASE=1 to execute without triggering
== Boot Sequence ==
Boot CPU (with CR pinning enabled):
trap_init()
cpu_init() <- Uses unpatched code (RDMSR/SWAPGS)
x2apic_setup()
...
arch_cpu_finalize_init()
identify_boot_cpu()
identify_cpu()
cr4_set_bits(X86_CR4_FSGSBASE) # Enables the feature
# This becomes part of cr4_pinned_bits
...
alternative_instructions() <- Patches code to use RDGSBASE/WRGSBASE
Secondary CPUs (with CR pinning enabled):
start_secondary()
cr4_init() <- Code already patched, CR4.FSGSBASE=1
set implicitly via cr4_pinned_bits
cpu_init() <- exceptions work because FSGSBASE is
already enabled
Secondary CPU (with CR pinning disabled):
start_secondary()
cr4_init() <- Code already patched, CR4.FSGSBASE=0
cpu_init()
x2apic_setup()
rdmsrq(MSR_IA32_APICBASE) <- Triggers #VC in SNP guests
exc_vmm_communication()
paranoid_entry() <- Uses RDGSBASE with CR4.FSGSBASE=0
(patched code)
...
ap_starting()
identify_secondary_cpu()
identify_cpu()
cr4_set_bits(X86_CR4_FSGSBASE) <- Enables the feature, which is
too late
== CR Pinning ==
Currently, for secondary CPUs, CR4.FSGSBASE is set implicitly through
CR-pinning: the boot CPU sets it during identify_cpu(), it becomes part of
cr4_pinned_bits, and cr4_init() applies those pinned bits to secondary CPUs.
This works but creates an undocumented dependency between cr4_init() and the
pinning mechanism.
== Problem ==
Secondary CPUs boot after alternatives have been applied globally. They
execute already-patched paranoid_entry() code that uses RDGSBASE/WRGSBASE
instructions, which require CR4.FSGSBASE=1. Upcoming changes to CR pinning
behavior will break the implicit dependency, causing secondary CPUs to
generate #UD.
This issue manifests itself on AMD SEV-SNP guests, where the rdmsrq() in
x2apic_setup() triggers a #VC exception early during cpu_init(). The #VC
handler (exc_vmm_communication()) executes the patched paranoid_entry() path.
Without CR4.FSGSBASE enabled, RDGSBASE instructions trigger #UD.
== Fix ==
Enable FSGSBASE explicitly in cpu_init_exception_handling() before loading
exception handlers. This makes the dependency explicit and ensures both
boot and secondary CPUs have FSGSBASE enabled before paranoid_entry()
executes.
Fixes: c82965f9e530 ("x86/entry/64: Handle FSGSBASE enabled paranoid entry/exit")
Reported-by: Borislav Petkov <bp@alien8.de>
Suggested-by: Sohil Mehta <sohil.mehta@intel.com>
Signed-off-by: Nikunj A Dadhania <nikunj@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Sohil Mehta <sohil.mehta@intel.com>
Cc: <stable@kernel.org>
Link: https://patch.msgid.link/20260318075654.1792916-2-nikunj@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/common.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -2042,12 +2042,6 @@ static void identify_cpu(struct cpuinfo_
setup_umip(c);
setup_lass(c);
- /* Enable FSGSBASE instructions if available. */
- if (cpu_has(c, X86_FEATURE_FSGSBASE)) {
- cr4_set_bits(X86_CR4_FSGSBASE);
- elf_hwcap2 |= HWCAP2_FSGSBASE;
- }
-
/*
* The vendor-specific functions might have changed features.
* Now we do "generic changes."
@@ -2408,6 +2402,18 @@ void cpu_init_exception_handling(bool bo
/* GHCB needs to be setup to handle #VC. */
setup_ghcb();
+ /*
+ * On CPUs with FSGSBASE support, paranoid_entry() uses
+ * ALTERNATIVE-patched RDGSBASE/WRGSBASE instructions. Secondary CPUs
+ * boot after alternatives are patched globally, so early exceptions
+ * execute patched code that depends on FSGSBASE. Enable the feature
+ * before any exceptions occur.
+ */
+ if (cpu_feature_enabled(X86_FEATURE_FSGSBASE)) {
+ cr4_set_bits(X86_CR4_FSGSBASE);
+ elf_hwcap2 |= HWCAP2_FSGSBASE;
+ }
+
if (cpu_feature_enabled(X86_FEATURE_FRED)) {
/* The boot CPU has enabled FRED during early boot */
if (!boot_cpu)
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 240/342] x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 239/342] x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling() Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 241/342] x86/fred: Fix early boot failures on SEV-ES/SNP guests Greg Kroah-Hartman
` (118 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Hansen, Peter Zijlstra,
Borislav Petkov (AMD), stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Borislav Petkov (AMD) <bp@alien8.de>
commit 411df123c017169922cc767affce76282b8e6c85 upstream.
Commit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so
that whenever something else modifies CR4, that bit remains set. Which
in itself is a perfectly fine idea.
However, there's an issue when during boot FRED is initialized: first on
the BSP and later on the APs. Thus, there's a window in time when
exceptions cannot be handled.
This becomes particularly nasty when running as SEV-{ES,SNP} or TDX
guests which, when they manage to trigger exceptions during that short
window described above, triple fault due to FRED MSRs not being set up
yet.
See Link tag below for a much more detailed explanation of the
situation.
So, as a result, the commit in that Link URL tried to address this
shortcoming by temporarily disabling CR4 pinning when an AP is not
online yet.
However, that is a problem in itself because in this case, an attack on
the kernel needs to only modify the online bit - a single bit in RW
memory - and then disable CR4 pinning and then disable SM*P, leading to
more and worse things to happen to the system.
So, instead, remove the FRED bit from the CR4 pinning mask, thus
obviating the need to temporarily disable CR4 pinning.
If someone manages to disable FRED when poking at CR4, then
idt_invalidate() would make sure the system would crash'n'burn on the
first exception triggered, which is a much better outcome security-wise.
Fixes: ff45746fbf00 ("x86/cpu: Add X86_CR4_FRED macro")
Suggested-by: Dave Hansen <dave.hansen@linux.intel.com>
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: <stable@kernel.org> # 6.12+
Link: https://lore.kernel.org/r/177385987098.1647592.3381141860481415647.tip-bot2@tip-bot2
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -433,7 +433,7 @@ static __always_inline void setup_lass(s
/* These bits should not change their value after CPU init is finished. */
static const unsigned long cr4_pinned_mask = X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP |
- X86_CR4_FSGSBASE | X86_CR4_CET | X86_CR4_FRED;
+ X86_CR4_FSGSBASE | X86_CR4_CET;
static DEFINE_STATIC_KEY_FALSE_RO(cr_pinning);
static unsigned long cr4_pinned_bits __ro_after_init;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 241/342] x86/fred: Fix early boot failures on SEV-ES/SNP guests
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 240/342] x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 242/342] phy: qcom: qmp-ufs: Fix SM8650 PCS table for Gear 4 Greg Kroah-Hartman
` (117 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikunj A Dadhania,
Borislav Petkov (AMD), Tom Lendacky, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikunj A Dadhania <nikunj@amd.com>
commit 3645eb7e3915990a149460c151a00894cb586253 upstream.
FRED-enabled SEV-(ES,SNP) guests fail to boot due to the following issues
in the early boot sequence:
* FRED does not have a #VC exception handler in the dispatch logic
* Early FRED #VC exceptions attempt to use uninitialized per-CPU GHCBs
instead of boot_ghcb
Add X86_TRAP_VC case to fred_hwexc() with a new exc_vmm_communication()
function that provides the unified entry point FRED requires, dispatching
to existing user/kernel handlers based on privilege level. The function is
already declared via DECLARE_IDTENTRY_VC().
Fix early GHCB access by falling back to boot_ghcb in
__sev_{get,put}_ghcb() when per-CPU GHCBs are not yet initialized.
Fixes: 14619d912b65 ("x86/fred: FRED entry/exit and dispatch code")
Signed-off-by: Nikunj A Dadhania <nikunj@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Cc: <stable@kernel.org> # 6.12+
Link: https://patch.msgid.link/20260318075654.1792916-4-nikunj@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/coco/sev/noinstr.c | 6 ++++++
arch/x86/entry/entry_fred.c | 14 ++++++++++++++
2 files changed, 20 insertions(+)
--- a/arch/x86/coco/sev/noinstr.c
+++ b/arch/x86/coco/sev/noinstr.c
@@ -120,6 +120,9 @@ noinstr struct ghcb *__sev_get_ghcb(stru
WARN_ON(!irqs_disabled());
+ if (!sev_cfg.ghcbs_initialized)
+ return boot_ghcb;
+
data = this_cpu_read(runtime_data);
ghcb = &data->ghcb_page;
@@ -163,6 +166,9 @@ noinstr void __sev_put_ghcb(struct ghcb_
WARN_ON(!irqs_disabled());
+ if (!sev_cfg.ghcbs_initialized)
+ return;
+
data = this_cpu_read(runtime_data);
ghcb = &data->ghcb_page;
--- a/arch/x86/entry/entry_fred.c
+++ b/arch/x86/entry/entry_fred.c
@@ -176,6 +176,16 @@ static noinstr void fred_extint(struct p
}
}
+#ifdef CONFIG_AMD_MEM_ENCRYPT
+noinstr void exc_vmm_communication(struct pt_regs *regs, unsigned long error_code)
+{
+ if (user_mode(regs))
+ return user_exc_vmm_communication(regs, error_code);
+ else
+ return kernel_exc_vmm_communication(regs, error_code);
+}
+#endif
+
static noinstr void fred_hwexc(struct pt_regs *regs, unsigned long error_code)
{
/* Optimize for #PF. That's the only exception which matters performance wise */
@@ -206,6 +216,10 @@ static noinstr void fred_hwexc(struct pt
#ifdef CONFIG_X86_CET
case X86_TRAP_CP: return exc_control_protection(regs, error_code);
#endif
+#ifdef CONFIG_AMD_MEM_ENCRYPT
+ case X86_TRAP_VC: return exc_vmm_communication(regs, error_code);
+#endif
+
default: return fred_bad_type(regs, error_code);
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 242/342] phy: qcom: qmp-ufs: Fix SM8650 PCS table for Gear 4
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 241/342] x86/fred: Fix early boot failures on SEV-ES/SNP guests Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 243/342] ovl: make fsync after metadata copy-up opt-in mount option Greg Kroah-Hartman
` (116 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nitin Rawat, Abel Vesa,
Konrad Dybcio, Neil Armstrong, Vinod Koul
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abel Vesa <abel.vesa@oss.qualcomm.com>
commit 81af9e40e2e4e1aa95f09fb34811760be6742c58 upstream.
According to internal documentation, on SM8650, when the PHY is configured
in Gear 4, the QPHY_V6_PCS_UFS_PLL_CNTL register needs to have the same
value as for Gear 5.
At the moment, there is no board that comes with a UFS 3.x device, so
this issue doesn't show up, but with the new Eliza SoC, which uses the
same init sequence as SM8650, on the MTP board, the link startup fails
with the current Gear 4 PCS table.
So fix that by moving the entry into the PCS generic table instead,
while keeping the value from Gear 5 configuration.
Cc: stable@vger.kernel.org # v6.10
Fixes: b9251e64a96f ("phy: qcom: qmp-ufs: update SM8650 tables for Gear 4 & 5")
Suggested-by: Nitin Rawat <nitin.rawat@oss.qualcomm.com>
Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-HDK
Link: https://patch.msgid.link/20260219-phy-qcom-qmp-ufs-fix-sm8650-pcs-g4-table-v1-1-f136505b57f6@oss.qualcomm.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/qualcomm/phy-qcom-qmp-ufs.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/phy/qualcomm/phy-qcom-qmp-ufs.c
+++ b/drivers/phy/qualcomm/phy-qcom-qmp-ufs.c
@@ -928,6 +928,7 @@ static const struct qmp_phy_init_tbl sm8
QMP_PHY_INIT_CFG(QPHY_V6_PCS_UFS_MULTI_LANE_CTRL1, 0x02),
QMP_PHY_INIT_CFG(QPHY_V6_PCS_UFS_TX_MID_TERM_CTRL1, 0x43),
QMP_PHY_INIT_CFG(QPHY_V6_PCS_UFS_PCS_CTRL1, 0xc1),
+ QMP_PHY_INIT_CFG(QPHY_V6_PCS_UFS_PLL_CNTL, 0x33),
QMP_PHY_INIT_CFG(QPHY_V6_PCS_UFS_TX_LARGE_AMP_DRV_LVL, 0x0f),
QMP_PHY_INIT_CFG(QPHY_V6_PCS_UFS_RX_SIGDET_CTRL2, 0x68),
QMP_PHY_INIT_CFG(QPHY_V6_PCS_UFS_TX_POST_EMP_LVL_S4, 0x0e),
@@ -937,13 +938,11 @@ static const struct qmp_phy_init_tbl sm8
};
static const struct qmp_phy_init_tbl sm8650_ufsphy_g4_pcs[] = {
- QMP_PHY_INIT_CFG(QPHY_V6_PCS_UFS_PLL_CNTL, 0x13),
QMP_PHY_INIT_CFG(QPHY_V6_PCS_UFS_TX_HSGEAR_CAPABILITY, 0x04),
QMP_PHY_INIT_CFG(QPHY_V6_PCS_UFS_RX_HSGEAR_CAPABILITY, 0x04),
};
static const struct qmp_phy_init_tbl sm8650_ufsphy_g5_pcs[] = {
- QMP_PHY_INIT_CFG(QPHY_V6_PCS_UFS_PLL_CNTL, 0x33),
QMP_PHY_INIT_CFG(QPHY_V6_PCS_UFS_TX_HSGEAR_CAPABILITY, 0x05),
QMP_PHY_INIT_CFG(QPHY_V6_PCS_UFS_RX_HSGEAR_CAPABILITY, 0x05),
QMP_PHY_INIT_CFG(QPHY_V6_PCS_UFS_RX_HS_G5_SYNC_LENGTH_CAPABILITY, 0x4d),
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 243/342] ovl: make fsync after metadata copy-up opt-in mount option
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 242/342] phy: qcom: qmp-ufs: Fix SM8650 PCS table for Gear 4 Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 244/342] ovl: fix wrong detection of 32bit inode numbers Greg Kroah-Hartman
` (115 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chenglong Tang, Fei Lv,
Amir Goldstein
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fei Lv <feilv@asrmicro.com>
commit 1f6ee9be92f8df85a8c9a5a78c20fd39c0c21a95 upstream.
Commit 7d6899fb69d25 ("ovl: fsync after metadata copy-up") was done to
fix durability of overlayfs copy up on an upper filesystem which does
not enforce ordering on storing of metadata changes (e.g. ubifs).
In an earlier revision of the regressing commit by Lei Lv, the metadata
fsync behavior was opt-in via a new "fsync=strict" mount option.
We were hoping that the opt-in mount option could be avoided, so the
change was only made to depend on metacopy=off, in the hope of not
hurting performance of metadata heavy workloads, which are more likely
to be using metacopy=on.
This hope was proven wrong by a performance regression report from Google
COS workload after upgrade to kernel 6.12.
This is an adaptation of Lei's original "fsync=strict" mount option
to the existing upstream code.
The new mount option is mutually exclusive with the "volatile" mount
option, so the latter is now an alias to the "fsync=volatile" mount
option.
Reported-by: Chenglong Tang <chenglongtang@google.com>
Closes: https://lore.kernel.org/linux-unionfs/CAOdxtTadAFH01Vui1FvWfcmQ8jH1O45owTzUcpYbNvBxnLeM7Q@mail.gmail.com/
Link: https://lore.kernel.org/linux-unionfs/CAOQ4uxgKC1SgjMWre=fUb00v8rxtd6sQi-S+dxR8oDzAuiGu8g@mail.gmail.com/
Fixes: 7d6899fb69d25 ("ovl: fsync after metadata copy-up")
Depends: 50e638beb67e0 ("ovl: Use str_on_off() helper in ovl_show_options()")
Cc: stable@vger.kernel.org # v6.12+
Signed-off-by: Fei Lv <feilv@asrmicro.com>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/filesystems/overlayfs.rst | 50 ++++++++++++++++++++++++++++++++
fs/overlayfs/copy_up.c | 6 +--
fs/overlayfs/overlayfs.h | 21 +++++++++++++
fs/overlayfs/ovl_entry.h | 7 ----
fs/overlayfs/params.c | 33 +++++++++++++++++----
fs/overlayfs/super.c | 2 -
6 files changed, 104 insertions(+), 15 deletions(-)
--- a/Documentation/filesystems/overlayfs.rst
+++ b/Documentation/filesystems/overlayfs.rst
@@ -783,6 +783,56 @@ controlled by the "uuid" mount option, w
mounted with "uuid=on".
+Durability and copy up
+----------------------
+
+The fsync(2) system call ensures that the data and metadata of a file
+are safely written to the backing storage, which is expected to
+guarantee the existence of the information post system crash.
+
+Without an fsync(2) call, there is no guarantee that the observed
+data after a system crash will be either the old or the new data, but
+in practice, the observed data after crash is often the old or new data
+or a mix of both.
+
+When an overlayfs file is modified for the first time, copy up will
+create a copy of the lower file and its parent directories in the upper
+layer. Since the Linux filesystem API does not enforce any particular
+ordering on storing changes without explicit fsync(2) calls, in case
+of a system crash, the upper file could end up with no data at all
+(i.e. zeros), which would be an unusual outcome. To avoid this
+experience, overlayfs calls fsync(2) on the upper file before completing
+data copy up with rename(2) or link(2) to make the copy up "atomic".
+
+By default, overlayfs does not explicitly call fsync(2) on copied up
+directories or on metadata-only copy up, so it provides no guarantee to
+persist the user's modification unless the user calls fsync(2).
+The fsync during copy up only guarantees that if a copy up is observed
+after a crash, the observed data is not zeroes or intermediate values
+from the copy up staging area.
+
+On traditional local filesystems with a single journal (e.g. ext4, xfs),
+fsync on a file also persists the parent directory changes, because they
+are usually modified in the same transaction, so metadata durability during
+data copy up effectively comes for free. Overlayfs further limits risk by
+disallowing network filesystems as upper layer.
+
+Overlayfs can be tuned to prefer performance or durability when storing
+to the underlying upper layer. This is controlled by the "fsync" mount
+option, which supports these values:
+
+- "auto": (default)
+ Call fsync(2) on upper file before completion of data copy up.
+ No explicit fsync(2) on directory or metadata-only copy up.
+- "strict":
+ Call fsync(2) on upper file and directories before completion of any
+ copy up.
+- "volatile": [*]
+ Prefer performance over durability (see `Volatile mount`_)
+
+[*] The mount option "volatile" is an alias to "fsync=volatile".
+
+
Volatile mount
--------------
--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -1146,15 +1146,15 @@ static int ovl_copy_up_one(struct dentry
return -EOVERFLOW;
/*
- * With metacopy disabled, we fsync after final metadata copyup, for
+ * With "fsync=strict", we fsync after final metadata copyup, for
* both regular files and directories to get atomic copyup semantics
* on filesystems that do not use strict metadata ordering (e.g. ubifs).
*
- * With metacopy enabled we want to avoid fsync on all meta copyup
+ * By default, we want to avoid fsync on all meta copyup, because
* that will hurt performance of workloads such as chown -R, so we
* only fsync on data copyup as legacy behavior.
*/
- ctx.metadata_fsync = !OVL_FS(dentry->d_sb)->config.metacopy &&
+ ctx.metadata_fsync = ovl_should_sync_metadata(OVL_FS(dentry->d_sb)) &&
(S_ISREG(ctx.stat.mode) || S_ISDIR(ctx.stat.mode));
ctx.metacopy = ovl_need_meta_copy_up(dentry, ctx.stat.mode, flags);
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@@ -99,6 +99,12 @@ enum {
OVL_VERITY_REQUIRE,
};
+enum {
+ OVL_FSYNC_VOLATILE,
+ OVL_FSYNC_AUTO,
+ OVL_FSYNC_STRICT,
+};
+
/*
* The tuple (fh,uuid) is a universal unique identifier for a copy up origin,
* where:
@@ -656,6 +662,21 @@ static inline bool ovl_xino_warn(struct
return ofs->config.xino == OVL_XINO_ON;
}
+static inline bool ovl_should_sync(struct ovl_fs *ofs)
+{
+ return ofs->config.fsync_mode != OVL_FSYNC_VOLATILE;
+}
+
+static inline bool ovl_should_sync_metadata(struct ovl_fs *ofs)
+{
+ return ofs->config.fsync_mode == OVL_FSYNC_STRICT;
+}
+
+static inline bool ovl_is_volatile(struct ovl_config *config)
+{
+ return config->fsync_mode == OVL_FSYNC_VOLATILE;
+}
+
/*
* To avoid regressions in existing setups with overlay lower offline changes,
* we allow lower changes only if none of the new features are used.
--- a/fs/overlayfs/ovl_entry.h
+++ b/fs/overlayfs/ovl_entry.h
@@ -18,7 +18,7 @@ struct ovl_config {
int xino;
bool metacopy;
bool userxattr;
- bool ovl_volatile;
+ int fsync_mode;
};
struct ovl_sb {
@@ -120,11 +120,6 @@ static inline struct ovl_fs *OVL_FS(stru
return (struct ovl_fs *)sb->s_fs_info;
}
-static inline bool ovl_should_sync(struct ovl_fs *ofs)
-{
- return !ofs->config.ovl_volatile;
-}
-
static inline unsigned int ovl_numlower(struct ovl_entry *oe)
{
return oe ? oe->__numlower : 0;
--- a/fs/overlayfs/params.c
+++ b/fs/overlayfs/params.c
@@ -58,6 +58,7 @@ enum ovl_opt {
Opt_xino,
Opt_metacopy,
Opt_verity,
+ Opt_fsync,
Opt_volatile,
Opt_override_creds,
};
@@ -140,6 +141,23 @@ static int ovl_verity_mode_def(void)
return OVL_VERITY_OFF;
}
+static const struct constant_table ovl_parameter_fsync[] = {
+ { "volatile", OVL_FSYNC_VOLATILE },
+ { "auto", OVL_FSYNC_AUTO },
+ { "strict", OVL_FSYNC_STRICT },
+ {}
+};
+
+static const char *ovl_fsync_mode(struct ovl_config *config)
+{
+ return ovl_parameter_fsync[config->fsync_mode].name;
+}
+
+static int ovl_fsync_mode_def(void)
+{
+ return OVL_FSYNC_AUTO;
+}
+
const struct fs_parameter_spec ovl_parameter_spec[] = {
fsparam_string_empty("lowerdir", Opt_lowerdir),
fsparam_file_or_string("lowerdir+", Opt_lowerdir_add),
@@ -155,6 +173,7 @@ const struct fs_parameter_spec ovl_param
fsparam_enum("xino", Opt_xino, ovl_parameter_xino),
fsparam_enum("metacopy", Opt_metacopy, ovl_parameter_bool),
fsparam_enum("verity", Opt_verity, ovl_parameter_verity),
+ fsparam_enum("fsync", Opt_fsync, ovl_parameter_fsync),
fsparam_flag("volatile", Opt_volatile),
fsparam_flag_no("override_creds", Opt_override_creds),
{}
@@ -665,8 +684,11 @@ static int ovl_parse_param(struct fs_con
case Opt_verity:
config->verity_mode = result.uint_32;
break;
+ case Opt_fsync:
+ config->fsync_mode = result.uint_32;
+ break;
case Opt_volatile:
- config->ovl_volatile = true;
+ config->fsync_mode = OVL_FSYNC_VOLATILE;
break;
case Opt_userxattr:
config->userxattr = true;
@@ -800,6 +822,7 @@ int ovl_init_fs_context(struct fs_contex
ofs->config.nfs_export = ovl_nfs_export_def;
ofs->config.xino = ovl_xino_def();
ofs->config.metacopy = ovl_metacopy_def;
+ ofs->config.fsync_mode = ovl_fsync_mode_def();
fc->s_fs_info = ofs;
fc->fs_private = ctx;
@@ -870,9 +893,9 @@ int ovl_fs_params_verify(const struct ov
config->index = false;
}
- if (!config->upperdir && config->ovl_volatile) {
+ if (!config->upperdir && ovl_is_volatile(config)) {
pr_info("option \"volatile\" is meaningless in a non-upper mount, ignoring it.\n");
- config->ovl_volatile = false;
+ config->fsync_mode = ovl_fsync_mode_def();
}
if (!config->upperdir && config->uuid == OVL_UUID_ON) {
@@ -1070,8 +1093,8 @@ int ovl_show_options(struct seq_file *m,
seq_printf(m, ",xino=%s", ovl_xino_mode(&ofs->config));
if (ofs->config.metacopy != ovl_metacopy_def)
seq_printf(m, ",metacopy=%s", str_on_off(ofs->config.metacopy));
- if (ofs->config.ovl_volatile)
- seq_puts(m, ",volatile");
+ if (ofs->config.fsync_mode != ovl_fsync_mode_def())
+ seq_printf(m, ",fsync=%s", ovl_fsync_mode(&ofs->config));
if (ofs->config.userxattr)
seq_puts(m, ",userxattr");
if (ofs->config.verity_mode != ovl_verity_mode_def())
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -776,7 +776,7 @@ static int ovl_make_workdir(struct super
* For volatile mount, create a incompat/volatile/dirty file to keep
* track of it.
*/
- if (ofs->config.ovl_volatile) {
+ if (ovl_is_volatile(&ofs->config)) {
err = ovl_create_volatile_dirty(ofs);
if (err < 0) {
pr_err("Failed to create volatile/dirty file.\n");
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 244/342] ovl: fix wrong detection of 32bit inode numbers
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 243/342] ovl: make fsync after metadata copy-up opt-in mount option Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 245/342] scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() Greg Kroah-Hartman
` (114 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Amir Goldstein
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amir Goldstein <amir73il@gmail.com>
commit 53a7c171e9dd833f0a96b545adcb89bd57387239 upstream.
The implicit FILEID_INO32_GEN encoder was changed to be explicit,
so we need to fix the detection.
When mounting overlayfs with upperdir and lowerdir on different ext4
filesystems, the expected kmsg log is:
overlayfs: "xino" feature enabled using 32 upper inode bits.
But instead, since the regressing commit, the kmsg log was:
overlayfs: "xino" feature enabled using 2 upper inode bits.
Fixes: e21fc2038c1b9 ("exportfs: make ->encode_fh() a mandatory method for NFS export")
Cc: stable@vger.kernel.org # v6.7+
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/overlayfs/util.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -85,7 +85,10 @@ int ovl_can_decode_fh(struct super_block
if (!exportfs_can_decode_fh(sb->s_export_op))
return 0;
- return sb->s_export_op->encode_fh ? -1 : FILEID_INO32_GEN;
+ if (sb->s_export_op->encode_fh == generic_encode_ino32_fh)
+ return FILEID_INO32_GEN;
+
+ return -1;
}
struct dentry *ovl_indexdir(struct super_block *sb)
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 245/342] scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 244/342] ovl: fix wrong detection of 32bit inode numbers Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 246/342] scsi: ses: Handle positive SCSI error from ses_recv_diag() Greg Kroah-Hartman
` (113 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Tyllis Xu,
Dave Marquardt, Tyrel Datwyler, Martin K. Petersen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tyllis Xu <livelycarpet87@gmail.com>
commit 61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f upstream.
A malicious or compromised VIO server can return a num_written value in the
discover targets MAD response that exceeds max_targets. This value is
stored directly in vhost->num_targets without validation, and is then used
as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which
is only allocated for max_targets entries. Indices at or beyond max_targets
access kernel memory outside the DMA-coherent allocation. The
out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI
MADs that are sent back to the VIO server, leaking kernel memory.
Fix by clamping num_written to max_targets before storing it.
Fixes: 072b91f9c651 ("[SCSI] ibmvfc: IBM Power Virtual Fibre Channel Adapter Client Driver")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com>
Reviewed-by: Dave Marquardt <davemarq@linux.ibm.com>
Acked-by: Tyrel Datwyler <tyreld@linux.ibm.com>
Link: https://patch.msgid.link/20260314170151.548614-1-LivelyCarpet87@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/ibmvscsi/ibmvfc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/scsi/ibmvscsi/ibmvfc.c
+++ b/drivers/scsi/ibmvscsi/ibmvfc.c
@@ -4965,7 +4965,8 @@ static void ibmvfc_discover_targets_done
switch (mad_status) {
case IBMVFC_MAD_SUCCESS:
ibmvfc_dbg(vhost, "Discover Targets succeeded\n");
- vhost->num_targets = be32_to_cpu(rsp->num_written);
+ vhost->num_targets = min_t(u32, be32_to_cpu(rsp->num_written),
+ max_targets);
ibmvfc_set_host_action(vhost, IBMVFC_HOST_ACTION_ALLOC_TGTS);
break;
case IBMVFC_MAD_FAILED:
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 246/342] scsi: ses: Handle positive SCSI error from ses_recv_diag()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 245/342] scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 247/342] net: macb: Move devm_{free,request}_irq() out of spin lock area Greg Kroah-Hartman
` (112 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, James E.J. Bottomley,
Martin K. Petersen, stable, Hannes Reinecke
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7a9f448d44127217fabc4065c5ba070d4e0b5d37 upstream.
ses_recv_diag() can return a positive value, which also means that an
error happened, so do not only test for negative values.
Cc: James E.J. Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Link: https://patch.msgid.link/2026022301-bony-overstock-a07f@gregkh
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/ses.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -216,7 +216,7 @@ static unsigned char *ses_get_page2_desc
unsigned char *type_ptr = ses_dev->page1_types;
unsigned char *desc_ptr = ses_dev->page2 + 8;
- if (ses_recv_diag(sdev, 2, ses_dev->page2, ses_dev->page2_len) < 0)
+ if (ses_recv_diag(sdev, 2, ses_dev->page2, ses_dev->page2_len))
return NULL;
for (i = 0; i < ses_dev->page1_num_types; i++, type_ptr += 4) {
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 247/342] net: macb: Move devm_{free,request}_irq() out of spin lock area
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 246/342] scsi: ses: Handle positive SCSI error from ses_recv_diag() Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 248/342] net: macb: Protect access to net_device::ip_ptr with RCU lock Greg Kroah-Hartman
` (111 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Théo Lebrun, Kevin Hao,
Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Hao <haokexin@gmail.com>
commit 317e49358ebbf6390fa439ef3c142f9239dd25fb upstream.
The devm_free_irq() and devm_request_irq() functions should not be
executed in an atomic context.
During device suspend, all userspace processes and most kernel threads
are frozen. Additionally, we flush all tx/rx status, disable all macb
interrupts, and halt rx operations. Therefore, it is safe to split the
region protected by bp->lock into two independent sections, allowing
devm_free_irq() and devm_request_irq() to run in a non-atomic context.
This modification resolves the following lockdep warning:
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 501, name: rtcwake
preempt_count: 1, expected: 0
RCU nest depth: 1, expected: 0
7 locks held by rtcwake/501:
#0: ffff0008038c3408 (sb_writers#5){.+.+}-{0:0}, at: vfs_write+0xf8/0x368
#1: ffff0008049a5e88 (&of->mutex#2){+.+.}-{4:4}, at: kernfs_fop_write_iter+0xbc/0x1c8
#2: ffff00080098d588 (kn->active#70){.+.+}-{0:0}, at: kernfs_fop_write_iter+0xcc/0x1c8
#3: ffff800081c84888 (system_transition_mutex){+.+.}-{4:4}, at: pm_suspend+0x1ec/0x290
#4: ffff0008009ba0f8 (&dev->mutex){....}-{4:4}, at: device_suspend+0x118/0x4f0
#5: ffff800081d00458 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x48
#6: ffff0008031fb9e0 (&bp->lock){-.-.}-{3:3}, at: macb_suspend+0x144/0x558
irq event stamp: 8682
hardirqs last enabled at (8681): [<ffff8000813c7d7c>] _raw_spin_unlock_irqrestore+0x44/0x88
hardirqs last disabled at (8682): [<ffff8000813c7b58>] _raw_spin_lock_irqsave+0x38/0x98
softirqs last enabled at (7322): [<ffff8000800f1b4c>] handle_softirqs+0x52c/0x588
softirqs last disabled at (7317): [<ffff800080010310>] __do_softirq+0x20/0x2c
CPU: 1 UID: 0 PID: 501 Comm: rtcwake Not tainted 7.0.0-rc3-next-20260310-yocto-standard+ #125 PREEMPT
Hardware name: ZynqMP ZCU102 Rev1.1 (DT)
Call trace:
show_stack+0x24/0x38 (C)
__dump_stack+0x28/0x38
dump_stack_lvl+0x64/0x88
dump_stack+0x18/0x24
__might_resched+0x200/0x218
__might_sleep+0x38/0x98
__mutex_lock_common+0x7c/0x1378
mutex_lock_nested+0x38/0x50
free_irq+0x68/0x2b0
devm_irq_release+0x24/0x38
devres_release+0x40/0x80
devm_free_irq+0x48/0x88
macb_suspend+0x298/0x558
device_suspend+0x218/0x4f0
dpm_suspend+0x244/0x3a0
dpm_suspend_start+0x50/0x78
suspend_devices_and_enter+0xec/0x560
pm_suspend+0x194/0x290
state_store+0x110/0x158
kobj_attr_store+0x1c/0x30
sysfs_kf_write+0xa8/0xd0
kernfs_fop_write_iter+0x11c/0x1c8
vfs_write+0x248/0x368
ksys_write+0x7c/0xf8
__arm64_sys_write+0x28/0x40
invoke_syscall+0x4c/0xe8
el0_svc_common+0x98/0xf0
do_el0_svc+0x28/0x40
el0_svc+0x54/0x1e0
el0t_64_sync_handler+0x84/0x130
el0t_64_sync+0x198/0x1a0
Fixes: 558e35ccfe95 ("net: macb: WoL support for GEM type of Ethernet controller")
Cc: stable@vger.kernel.org
Reviewed-by: Théo Lebrun <theo.lebrun@bootlin.com>
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Link: https://patch.msgid.link/20260318-macb-irq-v2-1-f1179768ab24@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/cadence/macb_main.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/drivers/net/ethernet/cadence/macb_main.c
+++ b/drivers/net/ethernet/cadence/macb_main.c
@@ -5832,6 +5832,7 @@ static int __maybe_unused macb_suspend(s
/* write IP address into register */
tmp |= MACB_BFEXT(IP, be32_to_cpu(ifa->ifa_local));
}
+ spin_unlock_irqrestore(&bp->lock, flags);
/* Change interrupt handler and
* Enable WoL IRQ on queue 0
@@ -5844,11 +5845,12 @@ static int __maybe_unused macb_suspend(s
dev_err(dev,
"Unable to request IRQ %d (error %d)\n",
bp->queues[0].irq, err);
- spin_unlock_irqrestore(&bp->lock, flags);
return err;
}
+ spin_lock_irqsave(&bp->lock, flags);
queue_writel(bp->queues, IER, GEM_BIT(WOL));
gem_writel(bp, WOL, tmp);
+ spin_unlock_irqrestore(&bp->lock, flags);
} else {
err = devm_request_irq(dev, bp->queues[0].irq, macb_wol_interrupt,
IRQF_SHARED, netdev->name, bp->queues);
@@ -5856,13 +5858,13 @@ static int __maybe_unused macb_suspend(s
dev_err(dev,
"Unable to request IRQ %d (error %d)\n",
bp->queues[0].irq, err);
- spin_unlock_irqrestore(&bp->lock, flags);
return err;
}
+ spin_lock_irqsave(&bp->lock, flags);
queue_writel(bp->queues, IER, MACB_BIT(WOL));
macb_writel(bp, WOL, tmp);
+ spin_unlock_irqrestore(&bp->lock, flags);
}
- spin_unlock_irqrestore(&bp->lock, flags);
enable_irq_wake(bp->queues[0].irq);
}
@@ -5929,6 +5931,8 @@ static int __maybe_unused macb_resume(st
queue_readl(bp->queues, ISR);
if (bp->caps & MACB_CAPS_ISR_CLEAR_ON_WRITE)
queue_writel(bp->queues, ISR, -1);
+ spin_unlock_irqrestore(&bp->lock, flags);
+
/* Replace interrupt handler on queue 0 */
devm_free_irq(dev, bp->queues[0].irq, bp->queues);
err = devm_request_irq(dev, bp->queues[0].irq, macb_interrupt,
@@ -5937,10 +5941,8 @@ static int __maybe_unused macb_resume(st
dev_err(dev,
"Unable to request IRQ %d (error %d)\n",
bp->queues[0].irq, err);
- spin_unlock_irqrestore(&bp->lock, flags);
return err;
}
- spin_unlock_irqrestore(&bp->lock, flags);
disable_irq_wake(bp->queues[0].irq);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 248/342] net: macb: Protect access to net_device::ip_ptr with RCU lock
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 247/342] net: macb: Move devm_{free,request}_irq() out of spin lock area Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 249/342] net: macb: Use dev_consume_skb_any() to free TX SKBs Greg Kroah-Hartman
` (110 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kevin Hao, Théo Lebrun,
Jakub Kicinski
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Hao <haokexin@gmail.com>
commit baa35a698cea26930679a20a7550bbb4c8319725 upstream.
Access to net_device::ip_ptr and its associated members must be
protected by an RCU lock. Since we are modifying this piece of code,
let's also move it to execute only when WAKE_ARP is enabled.
To minimize the duration of the RCU lock, a local variable is used to
temporarily store the IP address. This change resolves the following
RCU check warning:
WARNING: suspicious RCU usage
7.0.0-rc3-next-20260310-yocto-standard+ #122 Not tainted
-----------------------------
drivers/net/ethernet/cadence/macb_main.c:5944 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
5 locks held by rtcwake/518:
#0: ffff000803ab1408 (sb_writers#5){.+.+}-{0:0}, at: vfs_write+0xf8/0x368
#1: ffff0008090bf088 (&of->mutex#2){+.+.}-{4:4}, at: kernfs_fop_write_iter+0xbc/0x1c8
#2: ffff00080098d588 (kn->active#70){.+.+}-{0:0}, at: kernfs_fop_write_iter+0xcc/0x1c8
#3: ffff800081c84888 (system_transition_mutex){+.+.}-{4:4}, at: pm_suspend+0x1ec/0x290
#4: ffff0008009ba0f8 (&dev->mutex){....}-{4:4}, at: device_suspend+0x118/0x4f0
stack backtrace:
CPU: 3 UID: 0 PID: 518 Comm: rtcwake Not tainted 7.0.0-rc3-next-20260310-yocto-standard+ #122 PREEMPT
Hardware name: ZynqMP ZCU102 Rev1.1 (DT)
Call trace:
show_stack+0x24/0x38 (C)
__dump_stack+0x28/0x38
dump_stack_lvl+0x64/0x88
dump_stack+0x18/0x24
lockdep_rcu_suspicious+0x134/0x1d8
macb_suspend+0xd8/0x4c0
device_suspend+0x218/0x4f0
dpm_suspend+0x244/0x3a0
dpm_suspend_start+0x50/0x78
suspend_devices_and_enter+0xec/0x560
pm_suspend+0x194/0x290
state_store+0x110/0x158
kobj_attr_store+0x1c/0x30
sysfs_kf_write+0xa8/0xd0
kernfs_fop_write_iter+0x11c/0x1c8
vfs_write+0x248/0x368
ksys_write+0x7c/0xf8
__arm64_sys_write+0x28/0x40
invoke_syscall+0x4c/0xe8
el0_svc_common+0x98/0xf0
do_el0_svc+0x28/0x40
el0_svc+0x54/0x1e0
el0t_64_sync_handler+0x84/0x130
el0t_64_sync+0x198/0x1a0
Fixes: 0cb8de39a776 ("net: macb: Add ARP support to WOL")
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Théo Lebrun <theo.lebrun@bootlin.com>
Link: https://patch.msgid.link/20260318-macb-irq-v2-2-f1179768ab24@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/cadence/macb_main.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
--- a/drivers/net/ethernet/cadence/macb_main.c
+++ b/drivers/net/ethernet/cadence/macb_main.c
@@ -5773,9 +5773,9 @@ static int __maybe_unused macb_suspend(s
struct macb_queue *queue;
struct in_device *idev;
unsigned long flags;
+ u32 tmp, ifa_local;
unsigned int q;
int err;
- u32 tmp;
if (!device_may_wakeup(&bp->dev->dev))
phy_exit(bp->phy);
@@ -5784,14 +5784,21 @@ static int __maybe_unused macb_suspend(s
return 0;
if (bp->wol & MACB_WOL_ENABLED) {
- /* Check for IP address in WOL ARP mode */
- idev = __in_dev_get_rcu(bp->dev);
- if (idev)
- ifa = rcu_dereference(idev->ifa_list);
- if ((bp->wolopts & WAKE_ARP) && !ifa) {
- netdev_err(netdev, "IP address not assigned as required by WoL walk ARP\n");
- return -EOPNOTSUPP;
+ if (bp->wolopts & WAKE_ARP) {
+ /* Check for IP address in WOL ARP mode */
+ rcu_read_lock();
+ idev = __in_dev_get_rcu(bp->dev);
+ if (idev)
+ ifa = rcu_dereference(idev->ifa_list);
+ if (!ifa) {
+ rcu_read_unlock();
+ netdev_err(netdev, "IP address not assigned as required by WoL walk ARP\n");
+ return -EOPNOTSUPP;
+ }
+ ifa_local = be32_to_cpu(ifa->ifa_local);
+ rcu_read_unlock();
}
+
spin_lock_irqsave(&bp->lock, flags);
/* Disable Tx and Rx engines before disabling the queues,
@@ -5830,7 +5837,7 @@ static int __maybe_unused macb_suspend(s
if (bp->wolopts & WAKE_ARP) {
tmp |= MACB_BIT(ARP);
/* write IP address into register */
- tmp |= MACB_BFEXT(IP, be32_to_cpu(ifa->ifa_local));
+ tmp |= MACB_BFEXT(IP, ifa_local);
}
spin_unlock_irqrestore(&bp->lock, flags);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 249/342] net: macb: Use dev_consume_skb_any() to free TX SKBs
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 248/342] net: macb: Protect access to net_device::ip_ptr with RCU lock Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 250/342] KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE Greg Kroah-Hartman
` (109 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kevin Hao, Simon Horman, Paolo Abeni
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Hao <haokexin@gmail.com>
commit 647b8a2fe474474704110db6bd07f7a139e621eb upstream.
The napi_consume_skb() function is not intended to be called in an IRQ
disabled context. However, after commit 6bc8a5098bf4 ("net: macb: Fix
tx_ptr_lock locking"), the freeing of TX SKBs is performed with IRQs
disabled. To resolve the following call trace, use dev_consume_skb_any()
for freeing TX SKBs:
WARNING: kernel/softirq.c:430 at __local_bh_enable_ip+0x174/0x188, CPU#0: ksoftirqd/0/15
Modules linked in:
CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 7.0.0-rc4-next-20260319-yocto-standard-dirty #37 PREEMPT
Hardware name: ZynqMP ZCU102 Rev1.1 (DT)
pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __local_bh_enable_ip+0x174/0x188
lr : local_bh_enable+0x24/0x38
sp : ffff800082b3bb10
x29: ffff800082b3bb10 x28: ffff0008031f3c00 x27: 000000000011ede0
x26: ffff000800a7ff00 x25: ffff800083937ce8 x24: 0000000000017a80
x23: ffff000803243a78 x22: 0000000000000040 x21: 0000000000000000
x20: ffff000800394c80 x19: 0000000000000200 x18: 0000000000000001
x17: 0000000000000001 x16: ffff000803240000 x15: 0000000000000000
x14: ffffffffffffffff x13: 0000000000000028 x12: ffff000800395650
x11: ffff8000821d1528 x10: ffff800081c2bc08 x9 : ffff800081c1e258
x8 : 0000000100000301 x7 : ffff8000810426ec x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000008 x1 : 0000000000000200 x0 : ffff8000810428dc
Call trace:
__local_bh_enable_ip+0x174/0x188 (P)
local_bh_enable+0x24/0x38
skb_attempt_defer_free+0x190/0x1d8
napi_consume_skb+0x58/0x108
macb_tx_poll+0x1a4/0x558
__napi_poll+0x50/0x198
net_rx_action+0x1f4/0x3d8
handle_softirqs+0x16c/0x560
run_ksoftirqd+0x44/0x80
smpboot_thread_fn+0x1d8/0x338
kthread+0x120/0x150
ret_from_fork+0x10/0x20
irq event stamp: 29751
hardirqs last enabled at (29750): [<ffff8000813be184>] _raw_spin_unlock_irqrestore+0x44/0x88
hardirqs last disabled at (29751): [<ffff8000813bdf60>] _raw_spin_lock_irqsave+0x38/0x98
softirqs last enabled at (29150): [<ffff8000800f1aec>] handle_softirqs+0x504/0x560
softirqs last disabled at (29153): [<ffff8000800f2fec>] run_ksoftirqd+0x44/0x80
Fixes: 6bc8a5098bf4 ("net: macb: Fix tx_ptr_lock locking")
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260321-macb-tx-v1-1-b383a58dd4e6@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/cadence/macb_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/cadence/macb_main.c
+++ b/drivers/net/ethernet/cadence/macb_main.c
@@ -1071,7 +1071,7 @@ static void macb_tx_unmap(struct macb *b
}
if (tx_skb->skb) {
- napi_consume_skb(tx_skb->skb, budget);
+ dev_consume_skb_any(tx_skb->skb);
tx_skb->skb = NULL;
}
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 250/342] KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 249/342] net: macb: Use dev_consume_skb_any() to free TX SKBs Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 251/342] KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE Greg Kroah-Hartman
` (108 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Bulekov, Fred Griffoul,
Sean Christopherson
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit aad885e774966e97b675dfe928da164214a71605 upstream.
When installing an emulated MMIO SPTE, do so *after* dropping/zapping the
existing SPTE (if it's shadow-present). While commit a54aa15c6bda3 was
right about it being impossible to convert a shadow-present SPTE to an
MMIO SPTE due to a _guest_ write, it failed to account for writes to guest
memory that are outside the scope of KVM.
E.g. if host userspace modifies a shadowed gPTE to switch from a memslot
to emulted MMIO and then the guest hits a relevant page fault, KVM will
install the MMIO SPTE without first zapping the shadow-present SPTE.
------------[ cut here ]------------
is_shadow_present_pte(*sptep)
WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
Modules linked in: kvm_intel kvm irqbypass
CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]
Call Trace:
<TASK>
mmu_set_spte+0x237/0x440 [kvm]
ept_page_fault+0x535/0x7f0 [kvm]
kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
kvm_mmu_page_fault+0x8d/0x620 [kvm]
vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0xb5/0x730
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x47fa3f
</TASK>
---[ end trace 0000000000000000 ]---
Reported-by: Alexander Bulekov <bkov@amazon.com>
Debugged-by: Alexander Bulekov <bkov@amazon.com>
Suggested-by: Fred Griffoul <fgriffo@amazon.co.uk>
Fixes: a54aa15c6bda3 ("KVM: x86/mmu: Handle MMIO SPTEs directly in mmu_set_spte()")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/mmu/mmu.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -3044,12 +3044,6 @@ static int mmu_set_spte(struct kvm_vcpu
bool prefetch = !fault || fault->prefetch;
bool write_fault = fault && fault->write;
- if (unlikely(is_noslot_pfn(pfn))) {
- vcpu->stat.pf_mmio_spte_created++;
- mark_mmio_spte(vcpu, sptep, gfn, pte_access);
- return RET_PF_EMULATE;
- }
-
if (is_shadow_present_pte(*sptep)) {
if (prefetch && is_last_spte(*sptep, level) &&
pfn == spte_to_pfn(*sptep))
@@ -3073,6 +3067,14 @@ static int mmu_set_spte(struct kvm_vcpu
was_rmapped = 1;
}
+ if (unlikely(is_noslot_pfn(pfn))) {
+ vcpu->stat.pf_mmio_spte_created++;
+ mark_mmio_spte(vcpu, sptep, gfn, pte_access);
+ if (flush)
+ kvm_flush_remote_tlbs_gfn(vcpu->kvm, gfn, level);
+ return RET_PF_EMULATE;
+ }
+
wrprot = make_spte(vcpu, sp, slot, pte_access, gfn, pfn, *sptep, prefetch,
false, host_writable, &spte);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 251/342] KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 250/342] KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 252/342] jbd2: gracefully abort on checkpointing state corruptions Greg Kroah-Hartman
` (107 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit df83746075778958954aa0460cca55f4b3fc9c02 upstream.
Adjust KVM's sanity check against overwriting a shadow-present SPTE with a
another SPTE with a different target PFN to only apply to direct MMUs,
i.e. only to MMUs without shadowed gPTEs. While it's impossible for KVM
to overwrite a shadow-present SPTE in response to a guest write, writes
from outside the scope of KVM, e.g. from host userspace, aren't detected
by KVM's write tracking and so can break KVM's shadow paging rules.
------------[ cut here ]------------
pfn != spte_to_pfn(*sptep)
WARNING: arch/x86/kvm/mmu/mmu.c:3069 at mmu_set_spte+0x1e4/0x440 [kvm], CPU#0: vmx_ept_stale_r/872
Modules linked in: kvm_intel kvm irqbypass
CPU: 0 UID: 1000 PID: 872 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:mmu_set_spte+0x1e4/0x440 [kvm]
Call Trace:
<TASK>
ept_page_fault+0x535/0x7f0 [kvm]
kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
kvm_mmu_page_fault+0x8d/0x620 [kvm]
vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0xb5/0x730
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
---[ end trace 0000000000000000 ]---
Fixes: 11d45175111d ("KVM: x86/mmu: Warn if PFN changes on shadow-present SPTE in shadow MMU")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/mmu/mmu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -3060,7 +3060,8 @@ static int mmu_set_spte(struct kvm_vcpu
child = spte_to_child_sp(pte);
drop_parent_pte(vcpu->kvm, child, sptep);
flush = true;
- } else if (WARN_ON_ONCE(pfn != spte_to_pfn(*sptep))) {
+ } else if (pfn != spte_to_pfn(*sptep)) {
+ WARN_ON_ONCE(vcpu->arch.mmu->root_role.direct);
drop_spte(vcpu->kvm, sptep);
flush = true;
} else
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 252/342] jbd2: gracefully abort on checkpointing state corruptions
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 251/342] KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 253/342] irqchip/qcom-mpm: Add missing mailbox TX done acknowledgment Greg Kroah-Hartman
` (106 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Milos Nikic, Andreas Dilger,
Zhang Yi, Baokun Li, Jan Kara, Theodore Tso, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Milos Nikic <nikic.milos@gmail.com>
commit bac3190a8e79beff6ed221975e0c9b1b5f2a21da upstream.
This patch targets two internal state machine invariants in checkpoint.c
residing inside functions that natively return integer error codes.
- In jbd2_cleanup_journal_tail(): A blocknr of 0 indicates a severely
corrupted journal superblock. Replaced the J_ASSERT with a WARN_ON_ONCE
and a graceful journal abort, returning -EFSCORRUPTED.
- In jbd2_log_do_checkpoint(): Replaced the J_ASSERT_BH checking for
an unexpected buffer_jwrite state. If the warning triggers, we
explicitly drop the just-taken get_bh() reference and call __flush_batch()
to safely clean up any previously queued buffers in the j_chkpt_bhs array,
preventing a memory leak before returning -EFSCORRUPTED.
Signed-off-by: Milos Nikic <nikic.milos@gmail.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Baokun Li <libaokun@linux.alibaba.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20260311041548.159424-1-nikic.milos@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/checkpoint.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/fs/jbd2/checkpoint.c
+++ b/fs/jbd2/checkpoint.c
@@ -267,7 +267,15 @@ restart:
*/
BUFFER_TRACE(bh, "queue");
get_bh(bh);
- J_ASSERT_BH(bh, !buffer_jwrite(bh));
+ if (WARN_ON_ONCE(buffer_jwrite(bh))) {
+ put_bh(bh); /* drop the ref we just took */
+ spin_unlock(&journal->j_list_lock);
+ /* Clean up any previously batched buffers */
+ if (batch_count)
+ __flush_batch(journal, &batch_count);
+ jbd2_journal_abort(journal, -EFSCORRUPTED);
+ return -EFSCORRUPTED;
+ }
journal->j_chkpt_bhs[batch_count++] = bh;
transaction->t_chp_stats.cs_written++;
transaction->t_checkpoint_list = jh->b_cpnext;
@@ -325,7 +333,10 @@ int jbd2_cleanup_journal_tail(journal_t
if (!jbd2_journal_get_log_tail(journal, &first_tid, &blocknr))
return 1;
- J_ASSERT(blocknr != 0);
+ if (WARN_ON_ONCE(blocknr == 0)) {
+ jbd2_journal_abort(journal, -EFSCORRUPTED);
+ return -EFSCORRUPTED;
+ }
/*
* We need to make sure that any blocks that were recently written out
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 253/342] irqchip/qcom-mpm: Add missing mailbox TX done acknowledgment
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 252/342] jbd2: gracefully abort on checkpointing state corruptions Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 254/342] iomap: fix invalid folio access when i_blkbits differs from I/O granularity Greg Kroah-Hartman
` (105 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jassi Brar, Thomas Gleixner,
Douglas Anderson
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jassi Brar <jassisinghbrar@gmail.com>
commit cfe02147e86307a17057ee4e3604f5f5919571d2 upstream.
The mbox_client for qcom-mpm sends NULL doorbell messages via
mbox_send_message() but never signals TX completion.
Set knows_txdone=true and call mbox_client_txdone() after a successful
send, matching the pattern used by other Qualcomm mailbox clients (smp2p,
smsm, qcom_aoss etc).
Fixes: a6199bb514d8a6 "irqchip: Add Qualcomm MPM controller driver"
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260322171533.608436-1-jassisinghbrar@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-qcom-mpm.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/irqchip/irq-qcom-mpm.c
+++ b/drivers/irqchip/irq-qcom-mpm.c
@@ -306,6 +306,8 @@ static int mpm_pd_power_off(struct gener
if (ret < 0)
return ret;
+ mbox_client_txdone(priv->mbox_chan, 0);
+
return 0;
}
@@ -434,6 +436,7 @@ static int qcom_mpm_probe(struct platfor
}
priv->mbox_client.dev = dev;
+ priv->mbox_client.knows_txdone = true;
priv->mbox_chan = mbox_request_channel(&priv->mbox_client, 0);
if (IS_ERR(priv->mbox_chan)) {
ret = PTR_ERR(priv->mbox_chan);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 254/342] iomap: fix invalid folio access when i_blkbits differs from I/O granularity
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 253/342] irqchip/qcom-mpm: Add missing mailbox TX done acknowledgment Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 255/342] i2c: designware: amdisp: Fix resume-probe race condition issue Greg Kroah-Hartman
` (104 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Joanne Koong,
Christoph Hellwig, Christian Brauner
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
commit bd71fb3fea9945987053968f028a948997cba8cc upstream.
Commit aa35dd5cbc06 ("iomap: fix invalid folio access after
folio_end_read()") partially addressed invalid folio access for folios
without an ifs attached, but it did not handle the case where
1 << inode->i_blkbits matches the folio size but is different from the
granularity used for the IO, which means IO can be submitted for less
than the full folio for the !ifs case.
In this case, the condition:
if (*bytes_submitted == folio_len)
ctx->cur_folio = NULL;
in iomap_read_folio_iter() will not invalidate ctx->cur_folio, and
iomap_read_end() will still be called on the folio even though the IO
helper owns it and will finish the read on it.
Fix this by unconditionally invalidating ctx->cur_folio for the !ifs
case.
Reported-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Tested-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Link: https://lore.kernel.org/linux-fsdevel/b3dfe271-4e3d-4922-b618-e73731242bca@wdc.com/
Fixes: b2f35ac4146d ("iomap: add caller-provided callbacks for read and readahead")
Cc: stable@vger.kernel.org
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Link: https://patch.msgid.link/20260317203935.830549-1-joannelkoong@gmail.com
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/iomap/buffered-io.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -506,6 +506,7 @@ static int iomap_read_folio_iter(struct
loff_t length = iomap_length(iter);
struct folio *folio = ctx->cur_folio;
size_t folio_len = folio_size(folio);
+ struct iomap_folio_state *ifs;
size_t poff, plen;
loff_t pos_diff;
int ret;
@@ -517,7 +518,7 @@ static int iomap_read_folio_iter(struct
return iomap_iter_advance(iter, length);
}
- ifs_alloc(iter->inode, folio, iter->flags);
+ ifs = ifs_alloc(iter->inode, folio, iter->flags);
length = min_t(loff_t, length, folio_len - offset_in_folio(folio, pos));
while (length) {
@@ -548,11 +549,15 @@ static int iomap_read_folio_iter(struct
*bytes_submitted += plen;
/*
- * If the entire folio has been read in by the IO
- * helper, then the helper owns the folio and will end
- * the read on it.
+ * Hand off folio ownership to the IO helper when:
+ * 1) The entire folio has been submitted for IO, or
+ * 2) There is no ifs attached to the folio
+ *
+ * Case (2) occurs when 1 << i_blkbits matches the folio
+ * size but the underlying filesystem or block device
+ * uses a smaller granularity for IO.
*/
- if (*bytes_submitted == folio_len)
+ if (*bytes_submitted == folio_len || !ifs)
ctx->cur_folio = NULL;
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 255/342] i2c: designware: amdisp: Fix resume-probe race condition issue
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 254/342] iomap: fix invalid folio access when i_blkbits differs from I/O granularity Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 256/342] futex: Clear stale exiting pointer in futex_lock_pi() retry path Greg Kroah-Hartman
` (103 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bin Du, Pratap Nirujogi,
Mika Westerberg, Mario Limonciello (AMD), Andy Shevchenko,
Andi Shyti
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pratap Nirujogi <pratap.nirujogi@amd.com>
commit e2f1ada8e089dd5a331bcd8b88125ae2af8d188f upstream.
Identified resume-probe race condition in kernel v7.0 with the commit
38fa29b01a6a ("i2c: designware: Combine the init functions"),but this
issue existed from the beginning though not detected.
The amdisp i2c device requires ISP to be in power-on state for probe
to succeed. To meet this requirement, this device is added to genpd
to control ISP power using runtime PM. The pm_runtime_get_sync() called
before i2c_dw_probe() triggers PM resume, which powers on ISP and also
invokes the amdisp i2c runtime resume before the probe completes resulting
in this race condition and a NULL dereferencing issue in v7.0
Fix this race condition by using the genpd APIs directly during probe:
- Call dev_pm_genpd_resume() to Power ON ISP before probe
- Call dev_pm_genpd_suspend() to Power OFF ISP after probe
- Set the device to suspended state with pm_runtime_set_suspended()
- Enable runtime PM only after the device is fully initialized
Fixes: d6263c468a761 ("i2c: amd-isp: Add ISP i2c-designware driver")
Co-developed-by: Bin Du <bin.du@amd.com>
Signed-off-by: Bin Du <bin.du@amd.com>
Signed-off-by: Pratap Nirujogi <pratap.nirujogi@amd.com>
Cc: <stable@vger.kernel.org> # v6.16+
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260320201302.3490570-1-pratap.nirujogi@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-designware-amdisp.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
--- a/drivers/i2c/busses/i2c-designware-amdisp.c
+++ b/drivers/i2c/busses/i2c-designware-amdisp.c
@@ -7,6 +7,7 @@
#include <linux/module.h>
#include <linux/platform_device.h>
+#include <linux/pm_domain.h>
#include <linux/pm_runtime.h>
#include <linux/soc/amd/isp4_misc.h>
@@ -82,22 +83,20 @@ static int amd_isp_dw_i2c_plat_probe(str
if (isp_i2c_dev->shared_with_punit)
pm_runtime_get_noresume(&pdev->dev);
- pm_runtime_enable(&pdev->dev);
- pm_runtime_get_sync(&pdev->dev);
-
+ dev_pm_genpd_resume(&pdev->dev);
ret = i2c_dw_probe(isp_i2c_dev);
if (ret) {
dev_err_probe(&pdev->dev, ret, "i2c_dw_probe failed\n");
goto error_release_rpm;
}
-
- pm_runtime_put_sync(&pdev->dev);
+ dev_pm_genpd_suspend(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
+ pm_runtime_enable(&pdev->dev);
return 0;
error_release_rpm:
amd_isp_dw_i2c_plat_pm_cleanup(isp_i2c_dev);
- pm_runtime_put_sync(&pdev->dev);
return ret;
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 256/342] futex: Clear stale exiting pointer in futex_lock_pi() retry path
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 255/342] i2c: designware: amdisp: Fix resume-probe race condition issue Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 257/342] i2c: imx: fix i2c issue when reading multiple messages Greg Kroah-Hartman
` (102 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Davidlohr Bueso, Thomas Gleixner
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Davidlohr Bueso <dave@stgolabs.net>
commit 210d36d892de5195e6766c45519dfb1e65f3eb83 upstream.
Fuzzying/stressing futexes triggered:
WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524
When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY
and stores a refcounted task pointer in 'exiting'.
After wait_for_owner_exiting() consumes that reference, the local pointer
is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a
different error, the bogus pointer is passed to wait_for_owner_exiting().
CPU0 CPU1 CPU2
futex_lock_pi(uaddr)
// acquires the PI futex
exit()
futex_cleanup_begin()
futex_state = EXITING;
futex_lock_pi(uaddr)
futex_lock_pi_atomic()
attach_to_pi_owner()
// observes EXITING
*exiting = owner; // takes ref
return -EBUSY
wait_for_owner_exiting(-EBUSY, owner)
put_task_struct(); // drops ref
// exiting still points to owner
goto retry;
futex_lock_pi_atomic()
lock_pi_update_atomic()
cmpxchg(uaddr)
*uaddr ^= WAITERS // whatever
// value changed
return -EAGAIN;
wait_for_owner_exiting(-EAGAIN, exiting) // stale
WARN_ON_ONCE(exiting)
Fix this by resetting upon retry, essentially aligning it with requeue_pi.
Fixes: 3ef240eaff36 ("futex: Prevent exit livelock")
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260326001759.4129680-1-dave@stgolabs.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/futex/pi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/kernel/futex/pi.c
+++ b/kernel/futex/pi.c
@@ -918,7 +918,7 @@ int fixup_pi_owner(u32 __user *uaddr, st
int futex_lock_pi(u32 __user *uaddr, unsigned int flags, ktime_t *time, int trylock)
{
struct hrtimer_sleeper timeout, *to;
- struct task_struct *exiting = NULL;
+ struct task_struct *exiting;
struct rt_mutex_waiter rt_waiter;
struct futex_q q = futex_q_init;
DEFINE_WAKE_Q(wake_q);
@@ -933,6 +933,7 @@ int futex_lock_pi(u32 __user *uaddr, uns
to = futex_setup_timer(time, &timeout, flags, 0);
retry:
+ exiting = NULL;
ret = get_futex_key(uaddr, flags, &q.key, FUTEX_WRITE);
if (unlikely(ret != 0))
goto out;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 257/342] i2c: imx: fix i2c issue when reading multiple messages
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 256/342] futex: Clear stale exiting pointer in futex_lock_pi() retry path Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 258/342] i2c: imx: ensure no clock is generated after last read Greg Kroah-Hartman
` (101 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Eichenberger, Frank Li,
Andi Shyti
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
commit f88e2e748a1fc3cb4b8d163a9be790812f578850 upstream.
When reading multiple messages, meaning a repeated start is required,
polling the bus busy bit must be avoided. This must only be done for
the last message. Otherwise, the driver will timeout.
Here an example of such a sequence that fails with an error:
i2ctransfer -y -a 0 w1@0x00 0x02 r1 w1@0x00 0x02 r1
Error: Sending messages failed: Connection timed out
Fixes: 5f5c2d4579ca ("i2c: imx: prevent rescheduling in non dma mode")
Cc: stable@vger.kernel.org # v6.13+
Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260218150940.131354-2-eichest@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-imx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-imx.c
+++ b/drivers/i2c/busses/i2c-imx.c
@@ -1522,7 +1522,7 @@ static int i2c_imx_read(struct imx_i2c_s
dev_err(&i2c_imx->adapter.dev, "<%s> read timedout\n", __func__);
return -ETIMEDOUT;
}
- if (!i2c_imx->stopped)
+ if (i2c_imx->is_lastmsg && !i2c_imx->stopped)
return i2c_imx_bus_busy(i2c_imx, 0, false);
return 0;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 258/342] i2c: imx: ensure no clock is generated after last read
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 257/342] i2c: imx: fix i2c issue when reading multiple messages Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 259/342] dmaengine: fsl-edma: fix channel parameter config for fixed channel requests Greg Kroah-Hartman
` (100 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stefan Eichenberger, Andi Shyti
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
commit 13101db735bdb29c5f60e95fb578690bd178b30f upstream.
When reading from the I2DR register, right after releasing the bus by
clearing MSTA and MTX, the I2C controller might still generate an
additional clock cycle which can cause devices to misbehave. Ensure to
only read from I2DR after the bus is not busy anymore. Because this
requires polling, the read of the last byte is moved outside of the
interrupt handler.
An example for such a failing transfer is this:
i2ctransfer -y -a 0 w1@0x00 0x02 r1
Error: Sending messages failed: Connection timed out
It does not happen with every device because not all devices react to
the additional clock cycle.
Fixes: 5f5c2d4579ca ("i2c: imx: prevent rescheduling in non dma mode")
Cc: stable@vger.kernel.org # v6.13+
Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260218150940.131354-3-eichest@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-imx.c | 51 ++++++++++++++++++++++++++-----------------
1 file changed, 32 insertions(+), 19 deletions(-)
--- a/drivers/i2c/busses/i2c-imx.c
+++ b/drivers/i2c/busses/i2c-imx.c
@@ -1018,8 +1018,9 @@ static inline int i2c_imx_isr_read(struc
return 0;
}
-static inline void i2c_imx_isr_read_continue(struct imx_i2c_struct *i2c_imx)
+static inline enum imx_i2c_state i2c_imx_isr_read_continue(struct imx_i2c_struct *i2c_imx)
{
+ enum imx_i2c_state next_state = IMX_I2C_STATE_READ_CONTINUE;
unsigned int temp;
if ((i2c_imx->msg->len - 1) == i2c_imx->msg_buf_idx) {
@@ -1033,18 +1034,20 @@ static inline void i2c_imx_isr_read_cont
i2c_imx->stopped = 1;
temp &= ~(I2CR_MSTA | I2CR_MTX);
imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
- } else {
- /*
- * For i2c master receiver repeat restart operation like:
- * read -> repeat MSTA -> read/write
- * The controller must set MTX before read the last byte in
- * the first read operation, otherwise the first read cost
- * one extra clock cycle.
- */
- temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
- temp |= I2CR_MTX;
- imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+
+ return IMX_I2C_STATE_DONE;
}
+ /*
+ * For i2c master receiver repeat restart operation like:
+ * read -> repeat MSTA -> read/write
+ * The controller must set MTX before read the last byte in
+ * the first read operation, otherwise the first read cost
+ * one extra clock cycle.
+ */
+ temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
+ temp |= I2CR_MTX;
+ imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+ next_state = IMX_I2C_STATE_DONE;
} else if (i2c_imx->msg_buf_idx == (i2c_imx->msg->len - 2)) {
temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
temp |= I2CR_TXAK;
@@ -1052,6 +1055,7 @@ static inline void i2c_imx_isr_read_cont
}
i2c_imx->msg->buf[i2c_imx->msg_buf_idx++] = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2DR);
+ return next_state;
}
static inline void i2c_imx_isr_read_block_data_len(struct imx_i2c_struct *i2c_imx)
@@ -1088,11 +1092,9 @@ static irqreturn_t i2c_imx_master_isr(st
break;
case IMX_I2C_STATE_READ_CONTINUE:
- i2c_imx_isr_read_continue(i2c_imx);
- if (i2c_imx->msg_buf_idx == i2c_imx->msg->len) {
- i2c_imx->state = IMX_I2C_STATE_DONE;
+ i2c_imx->state = i2c_imx_isr_read_continue(i2c_imx);
+ if (i2c_imx->state == IMX_I2C_STATE_DONE)
wake_up(&i2c_imx->queue);
- }
break;
case IMX_I2C_STATE_READ_BLOCK_DATA:
@@ -1490,6 +1492,7 @@ static int i2c_imx_read(struct imx_i2c_s
bool is_lastmsg)
{
int block_data = msgs->flags & I2C_M_RECV_LEN;
+ int ret = 0;
dev_dbg(&i2c_imx->adapter.dev,
"<%s> write slave address: addr=0x%x\n",
@@ -1522,10 +1525,20 @@ static int i2c_imx_read(struct imx_i2c_s
dev_err(&i2c_imx->adapter.dev, "<%s> read timedout\n", __func__);
return -ETIMEDOUT;
}
- if (i2c_imx->is_lastmsg && !i2c_imx->stopped)
- return i2c_imx_bus_busy(i2c_imx, 0, false);
+ if (i2c_imx->is_lastmsg) {
+ if (!i2c_imx->stopped)
+ ret = i2c_imx_bus_busy(i2c_imx, 0, false);
+ /*
+ * Only read the last byte of the last message after the bus is
+ * not busy. Else the controller generates another clock which
+ * might confuse devices.
+ */
+ if (!ret)
+ i2c_imx->msg->buf[i2c_imx->msg_buf_idx++] = imx_i2c_read_reg(i2c_imx,
+ IMX_I2C_I2DR);
+ }
- return 0;
+ return ret;
}
static int i2c_imx_xfer_common(struct i2c_adapter *adapter,
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 259/342] dmaengine: fsl-edma: fix channel parameter config for fixed channel requests
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 258/342] i2c: imx: ensure no clock is generated after last read Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 260/342] dmaengine: sh: rz-dmac: Protect the driver specific lists Greg Kroah-Hartman
` (99 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joy Zou, Frank Li, Vinod Koul
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joy Zou <joy.zou@nxp.com>
commit 2e7b5cf72e51c9cf9c8b75190189c757df31ddd9 upstream.
Configure only the requested channel when a fixed channel is specified
to avoid modifying other channels unintentionally.
Fix parameter configuration when a fixed DMA channel is requested on
i.MX9 AON domain and i.MX8QM/QXP/DXL platforms. When a client requests
a fixed channel (e.g., channel 6), the driver traverses channels 0-5
and may unintentionally modify their configuration if they are unused.
This leads to issues such as setting the `is_multi_fifo` flag unexpectedly,
causing memcpy tests to fail when using the dmatest tool.
Only affect edma memcpy test when the channel is fixed.
Fixes: 72f5801a4e2b ("dmaengine: fsl-edma: integrate v3 support")
Signed-off-by: Joy Zou <joy.zou@nxp.com>
Cc: stable@vger.kernel.org
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20250917-b4-edma-chanconf-v1-1-886486e02e91@nxp.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/fsl-edma-main.c | 26 +++++++++++---------------
1 file changed, 11 insertions(+), 15 deletions(-)
--- a/drivers/dma/fsl-edma-main.c
+++ b/drivers/dma/fsl-edma-main.c
@@ -317,10 +317,8 @@ static struct dma_chan *fsl_edma3_xlate(
return NULL;
i = fsl_chan - fsl_edma->chans;
- fsl_chan->priority = dma_spec->args[1];
- fsl_chan->is_rxchan = dma_spec->args[2] & FSL_EDMA_RX;
- fsl_chan->is_remote = dma_spec->args[2] & FSL_EDMA_REMOTE;
- fsl_chan->is_multi_fifo = dma_spec->args[2] & FSL_EDMA_MULTI_FIFO;
+ if (!b_chmux && i != dma_spec->args[0])
+ continue;
if ((dma_spec->args[2] & FSL_EDMA_EVEN_CH) && (i & 0x1))
continue;
@@ -328,17 +326,15 @@ static struct dma_chan *fsl_edma3_xlate(
if ((dma_spec->args[2] & FSL_EDMA_ODD_CH) && !(i & 0x1))
continue;
- if (!b_chmux && i == dma_spec->args[0]) {
- chan = dma_get_slave_channel(chan);
- chan->device->privatecnt++;
- return chan;
- } else if (b_chmux && !fsl_chan->srcid) {
- /* if controller support channel mux, choose a free channel */
- chan = dma_get_slave_channel(chan);
- chan->device->privatecnt++;
- fsl_chan->srcid = dma_spec->args[0];
- return chan;
- }
+ fsl_chan->srcid = dma_spec->args[0];
+ fsl_chan->priority = dma_spec->args[1];
+ fsl_chan->is_rxchan = dma_spec->args[2] & FSL_EDMA_RX;
+ fsl_chan->is_remote = dma_spec->args[2] & FSL_EDMA_REMOTE;
+ fsl_chan->is_multi_fifo = dma_spec->args[2] & FSL_EDMA_MULTI_FIFO;
+
+ chan = dma_get_slave_channel(chan);
+ chan->device->privatecnt++;
+ return chan;
}
return NULL;
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 260/342] dmaengine: sh: rz-dmac: Protect the driver specific lists
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 259/342] dmaengine: fsl-edma: fix channel parameter config for fixed channel requests Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 261/342] dmaengine: sh: rz-dmac: Move CHCTRL updates under spinlock Greg Kroah-Hartman
` (98 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Frank Li, Claudiu Beznea, Vinod Koul
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea@tuxon.dev>
commit abb863e6213dc41a58ef8bb3289b7e77460dabf3 upstream.
The driver lists (ld_free, ld_queue) are used in
rz_dmac_free_chan_resources(), rz_dmac_terminate_all(),
rz_dmac_issue_pending(), and rz_dmac_irq_handler_thread(), all under
the virtual channel lock. Take the same lock in rz_dmac_prep_slave_sg()
and rz_dmac_prep_dma_memcpy() as well to avoid concurrency issues, since
these functions also check whether the lists are empty and update or
remove list entries.
Fixes: 5000d37042a6 ("dmaengine: sh: Add DMAC driver for RZ/G2L SoC")
Cc: stable@vger.kernel.org
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Link: https://patch.msgid.link/20260316133252.240348-2-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/sh/rz-dmac.c | 63 ++++++++++++++++++++++++++---------------------
1 file changed, 35 insertions(+), 28 deletions(-)
--- a/drivers/dma/sh/rz-dmac.c
+++ b/drivers/dma/sh/rz-dmac.c
@@ -10,6 +10,7 @@
*/
#include <linux/bitfield.h>
+#include <linux/cleanup.h>
#include <linux/dma-mapping.h>
#include <linux/dmaengine.h>
#include <linux/interrupt.h>
@@ -448,6 +449,7 @@ static int rz_dmac_alloc_chan_resources(
if (!desc)
break;
+ /* No need to lock. This is called only for the 1st client. */
list_add_tail(&desc->node, &channel->ld_free);
channel->descs_allocated++;
}
@@ -503,18 +505,21 @@ rz_dmac_prep_dma_memcpy(struct dma_chan
dev_dbg(dmac->dev, "%s channel: %d src=0x%pad dst=0x%pad len=%zu\n",
__func__, channel->index, &src, &dest, len);
- if (list_empty(&channel->ld_free))
- return NULL;
+ scoped_guard(spinlock_irqsave, &channel->vc.lock) {
+ if (list_empty(&channel->ld_free))
+ return NULL;
+
+ desc = list_first_entry(&channel->ld_free, struct rz_dmac_desc, node);
+
+ desc->type = RZ_DMAC_DESC_MEMCPY;
+ desc->src = src;
+ desc->dest = dest;
+ desc->len = len;
+ desc->direction = DMA_MEM_TO_MEM;
- desc = list_first_entry(&channel->ld_free, struct rz_dmac_desc, node);
-
- desc->type = RZ_DMAC_DESC_MEMCPY;
- desc->src = src;
- desc->dest = dest;
- desc->len = len;
- desc->direction = DMA_MEM_TO_MEM;
+ list_move_tail(channel->ld_free.next, &channel->ld_queue);
+ }
- list_move_tail(channel->ld_free.next, &channel->ld_queue);
return vchan_tx_prep(&channel->vc, &desc->vd, flags);
}
@@ -530,27 +535,29 @@ rz_dmac_prep_slave_sg(struct dma_chan *c
int dma_length = 0;
int i = 0;
- if (list_empty(&channel->ld_free))
- return NULL;
-
- desc = list_first_entry(&channel->ld_free, struct rz_dmac_desc, node);
+ scoped_guard(spinlock_irqsave, &channel->vc.lock) {
+ if (list_empty(&channel->ld_free))
+ return NULL;
+
+ desc = list_first_entry(&channel->ld_free, struct rz_dmac_desc, node);
+
+ for_each_sg(sgl, sg, sg_len, i)
+ dma_length += sg_dma_len(sg);
+
+ desc->type = RZ_DMAC_DESC_SLAVE_SG;
+ desc->sg = sgl;
+ desc->sgcount = sg_len;
+ desc->len = dma_length;
+ desc->direction = direction;
+
+ if (direction == DMA_DEV_TO_MEM)
+ desc->src = channel->src_per_address;
+ else
+ desc->dest = channel->dst_per_address;
- for_each_sg(sgl, sg, sg_len, i) {
- dma_length += sg_dma_len(sg);
+ list_move_tail(channel->ld_free.next, &channel->ld_queue);
}
- desc->type = RZ_DMAC_DESC_SLAVE_SG;
- desc->sg = sgl;
- desc->sgcount = sg_len;
- desc->len = dma_length;
- desc->direction = direction;
-
- if (direction == DMA_DEV_TO_MEM)
- desc->src = channel->src_per_address;
- else
- desc->dest = channel->dst_per_address;
-
- list_move_tail(channel->ld_free.next, &channel->ld_queue);
return vchan_tx_prep(&channel->vc, &desc->vd, flags);
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 261/342] dmaengine: sh: rz-dmac: Move CHCTRL updates under spinlock
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 260/342] dmaengine: sh: rz-dmac: Protect the driver specific lists Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 262/342] drm/amdgpu: prevent immediate PASID reuse case Greg Kroah-Hartman
` (97 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Biju Das, Frank Li, Claudiu Beznea,
Vinod Koul
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea@tuxon.dev>
commit 89a8567d84bde88cb7cdbbac2ab2299c4f991490 upstream.
Both rz_dmac_disable_hw() and rz_dmac_irq_handle_channel() update the
CHCTRL register. To avoid concurrency issues when configuring
functionalities exposed by this registers, take the virtual channel lock.
All other CHCTRL updates were already protected by the same lock.
Previously, rz_dmac_disable_hw() disabled and re-enabled local IRQs, before
accessing CHCTRL registers but this does not ensure race-free access.
Remove the local IRQ disable/enable code as well.
Fixes: 5000d37042a6 ("dmaengine: sh: Add DMAC driver for RZ/G2L SoC")
Cc: stable@vger.kernel.org
Reviewed-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Link: https://patch.msgid.link/20260316133252.240348-3-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/sh/rz-dmac.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/drivers/dma/sh/rz-dmac.c
+++ b/drivers/dma/sh/rz-dmac.c
@@ -298,13 +298,10 @@ static void rz_dmac_disable_hw(struct rz
{
struct dma_chan *chan = &channel->vc.chan;
struct rz_dmac *dmac = to_rz_dmac(chan->device);
- unsigned long flags;
dev_dbg(dmac->dev, "%s channel %d\n", __func__, channel->index);
- local_irq_save(flags);
rz_dmac_ch_writel(channel, CHCTRL_DEFAULT, CHCTRL, 1);
- local_irq_restore(flags);
}
static void rz_dmac_set_dmars_register(struct rz_dmac *dmac, int nr, u32 dmars)
@@ -569,8 +566,8 @@ static int rz_dmac_terminate_all(struct
unsigned int i;
LIST_HEAD(head);
- rz_dmac_disable_hw(channel);
spin_lock_irqsave(&channel->vc.lock, flags);
+ rz_dmac_disable_hw(channel);
for (i = 0; i < DMAC_NR_LMDESC; i++)
lmdesc[i].header = 0;
@@ -707,7 +704,9 @@ static void rz_dmac_irq_handle_channel(s
if (chstat & CHSTAT_ER) {
dev_err(dmac->dev, "DMAC err CHSTAT_%d = %08X\n",
channel->index, chstat);
- rz_dmac_ch_writel(channel, CHCTRL_DEFAULT, CHCTRL, 1);
+
+ scoped_guard(spinlock_irqsave, &channel->vc.lock)
+ rz_dmac_ch_writel(channel, CHCTRL_DEFAULT, CHCTRL, 1);
goto done;
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 262/342] drm/amdgpu: prevent immediate PASID reuse case
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 261/342] dmaengine: sh: rz-dmac: Move CHCTRL updates under spinlock Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 263/342] drm/amdgpu: fix strsep() corrupting lockup_timeout on multi-GPU (v3) Greg Kroah-Hartman
` (96 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Huang, Christian König,
Alex Deucher
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Huang <jinhuieric.huang@amd.com>
commit 14b81abe7bdc25f8097906fc2f91276ffedb2d26 upstream.
PASID resue could cause interrupt issue when process
immediately runs into hw state left by previous
process exited with the same PASID, it's possible that
page faults are still pending in the IH ring buffer when
the process exits and frees up its PASID. To prevent the
case, it uses idr cyclic allocator same as kernel pid's.
Signed-off-by: Eric Huang <jinhuieric.huang@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 8f1de51f49be692de137c8525106e0fce2d1912d)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_ids.c | 45 ++++++++++++++++++++++----------
drivers/gpu/drm/amd/amdgpu/amdgpu_ids.h | 1
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 1
3 files changed, 34 insertions(+), 13 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ids.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ids.c
@@ -35,10 +35,13 @@
* PASIDs are global address space identifiers that can be shared
* between the GPU, an IOMMU and the driver. VMs on different devices
* may use the same PASID if they share the same address
- * space. Therefore PASIDs are allocated using a global IDA. VMs are
- * looked up from the PASID per amdgpu_device.
+ * space. Therefore PASIDs are allocated using IDR cyclic allocator
+ * (similar to kernel PID allocation) which naturally delays reuse.
+ * VMs are looked up from the PASID per amdgpu_device.
*/
-static DEFINE_IDA(amdgpu_pasid_ida);
+
+static DEFINE_IDR(amdgpu_pasid_idr);
+static DEFINE_SPINLOCK(amdgpu_pasid_idr_lock);
/* Helper to free pasid from a fence callback */
struct amdgpu_pasid_cb {
@@ -50,8 +53,8 @@ struct amdgpu_pasid_cb {
* amdgpu_pasid_alloc - Allocate a PASID
* @bits: Maximum width of the PASID in bits, must be at least 1
*
- * Allocates a PASID of the given width while keeping smaller PASIDs
- * available if possible.
+ * Uses kernel's IDR cyclic allocator (same as PID allocation).
+ * Allocates sequentially with automatic wrap-around.
*
* Returns a positive integer on success. Returns %-EINVAL if bits==0.
* Returns %-ENOSPC if no PASID was available. Returns %-ENOMEM on
@@ -59,14 +62,15 @@ struct amdgpu_pasid_cb {
*/
int amdgpu_pasid_alloc(unsigned int bits)
{
- int pasid = -EINVAL;
+ int pasid;
- for (bits = min(bits, 31U); bits > 0; bits--) {
- pasid = ida_alloc_range(&amdgpu_pasid_ida, 1U << (bits - 1),
- (1U << bits) - 1, GFP_KERNEL);
- if (pasid != -ENOSPC)
- break;
- }
+ if (bits == 0)
+ return -EINVAL;
+
+ spin_lock(&amdgpu_pasid_idr_lock);
+ pasid = idr_alloc_cyclic(&amdgpu_pasid_idr, NULL, 1,
+ 1U << bits, GFP_KERNEL);
+ spin_unlock(&amdgpu_pasid_idr_lock);
if (pasid >= 0)
trace_amdgpu_pasid_allocated(pasid);
@@ -81,7 +85,10 @@ int amdgpu_pasid_alloc(unsigned int bits
void amdgpu_pasid_free(u32 pasid)
{
trace_amdgpu_pasid_freed(pasid);
- ida_free(&amdgpu_pasid_ida, pasid);
+
+ spin_lock(&amdgpu_pasid_idr_lock);
+ idr_remove(&amdgpu_pasid_idr, pasid);
+ spin_unlock(&amdgpu_pasid_idr_lock);
}
static void amdgpu_pasid_free_cb(struct dma_fence *fence,
@@ -616,3 +623,15 @@ void amdgpu_vmid_mgr_fini(struct amdgpu_
}
}
}
+
+/**
+ * amdgpu_pasid_mgr_cleanup - cleanup PASID manager
+ *
+ * Cleanup the IDR allocator.
+ */
+void amdgpu_pasid_mgr_cleanup(void)
+{
+ spin_lock(&amdgpu_pasid_idr_lock);
+ idr_destroy(&amdgpu_pasid_idr);
+ spin_unlock(&amdgpu_pasid_idr_lock);
+}
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ids.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ids.h
@@ -74,6 +74,7 @@ int amdgpu_pasid_alloc(unsigned int bits
void amdgpu_pasid_free(u32 pasid);
void amdgpu_pasid_free_delayed(struct dma_resv *resv,
u32 pasid);
+void amdgpu_pasid_mgr_cleanup(void);
bool amdgpu_vmid_had_gpu_reset(struct amdgpu_device *adev,
struct amdgpu_vmid *id);
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
@@ -2898,6 +2898,7 @@ void amdgpu_vm_manager_fini(struct amdgp
xa_destroy(&adev->vm_manager.pasids);
amdgpu_vmid_mgr_fini(adev);
+ amdgpu_pasid_mgr_cleanup();
}
/**
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 263/342] drm/amdgpu: fix strsep() corrupting lockup_timeout on multi-GPU (v3)
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 262/342] drm/amdgpu: prevent immediate PASID reuse case Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 264/342] drm/amd/display: Fix DCE LVDS handling Greg Kroah-Hartman
` (95 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Ruijing Dong
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruijing Dong <ruijing.dong@amd.com>
commit 2d300ebfc411205fa31ba7741c5821d381912381 upstream.
amdgpu_device_get_job_timeout_settings() passes a pointer directly
to the global amdgpu_lockup_timeout[] buffer into strsep().
strsep() destructively replaces delimiter characters with '\0'
in-place.
On multi-GPU systems, this function is called once per device.
When a multi-value setting like "0,0,0,-1" is used, the first
GPU's call transforms the global buffer into "0\00\00\0-1". The
second GPU then sees only "0" (terminated at the first '\0'),
parses a single value, hits the single-value fallthrough
(index == 1), and applies timeout=0 to all rings — causing
immediate false job timeouts.
Fix this by copying into a stack-local array before calling
strsep(), so the global module parameter buffer remains intact
across calls. The buffer is AMDGPU_MAX_TIMEOUT_PARAM_LENGTH
(256) bytes, which is safe for the stack.
v2: wrap commit message to 72 columns, add Assisted-by tag.
v3: use stack array with strscpy() instead of kstrdup()/kfree()
to avoid unnecessary heap allocation (Christian).
This patch was developed with assistance from Claude (claude-opus-4-6).
Assisted-by: Claude:claude-opus-4-6
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ruijing Dong <ruijing.dong@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 94d79f51efecb74be1d88dde66bdc8bfcca17935)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -4361,7 +4361,8 @@ fail:
static int amdgpu_device_get_job_timeout_settings(struct amdgpu_device *adev)
{
- char *input = amdgpu_lockup_timeout;
+ char buf[AMDGPU_MAX_TIMEOUT_PARAM_LENGTH];
+ char *input = buf;
char *timeout_setting = NULL;
int index = 0;
long timeout;
@@ -4371,9 +4372,17 @@ static int amdgpu_device_get_job_timeout
adev->gfx_timeout = adev->compute_timeout = adev->sdma_timeout =
adev->video_timeout = msecs_to_jiffies(2000);
- if (!strnlen(input, AMDGPU_MAX_TIMEOUT_PARAM_LENGTH))
+ if (!strnlen(amdgpu_lockup_timeout, AMDGPU_MAX_TIMEOUT_PARAM_LENGTH))
return 0;
+ /*
+ * strsep() destructively modifies its input by replacing delimiters
+ * with '\0'. Use a stack copy so the global module parameter buffer
+ * remains intact for multi-GPU systems where this function is called
+ * once per device.
+ */
+ strscpy(buf, amdgpu_lockup_timeout, sizeof(buf));
+
while ((timeout_setting = strsep(&input, ",")) &&
strnlen(timeout_setting, AMDGPU_MAX_TIMEOUT_PARAM_LENGTH)) {
ret = kstrtol(timeout_setting, 0, &timeout);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 264/342] drm/amd/display: Fix DCE LVDS handling
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 263/342] drm/amdgpu: fix strsep() corrupting lockup_timeout on multi-GPU (v3) Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 265/342] drm/amd/display: Fix drm_edid leak in amdgpu_dm Greg Kroah-Hartman
` (94 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivasan Shanmugam, Roman Li,
Alex Deucher
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 90d239cc53723c1a3f89ce08eac17bf3a9e9f2d4 upstream.
LVDS does not use an HPD pin so it may be invalid. Handle
this case correctly in link encoder creation.
Fixes: 7c8fb3b8e9ba ("drm/amd/display: Add hpd_source index check for DCE60/80/100/110/112/120 link encoders")
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/5012
Cc: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Cc: Roman Li <roman.li@amd.com>
Reviewed-by: Roman Li <roman.li@amd.com>
Reviewed-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 3b5620f7ee688177fcf65cf61588c5435bce1872)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/resource/dce100/dce100_resource.c | 6 +---
drivers/gpu/drm/amd/display/dc/resource/dce110/dce110_resource.c | 5 ++-
drivers/gpu/drm/amd/display/dc/resource/dce112/dce112_resource.c | 5 ++-
drivers/gpu/drm/amd/display/dc/resource/dce120/dce120_resource.c | 5 ++-
drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c | 14 ++++------
drivers/gpu/drm/amd/display/dc/resource/dce80/dce80_resource.c | 6 +---
6 files changed, 19 insertions(+), 22 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/resource/dce100/dce100_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/resource/dce100/dce100_resource.c
@@ -651,9 +651,6 @@ static struct link_encoder *dce100_link_
return &enc110->base;
}
- if (enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs))
- return NULL;
-
link_regs_id =
map_transmitter_id_to_phy_instance(enc_init_data->transmitter);
@@ -662,7 +659,8 @@ static struct link_encoder *dce100_link_
&link_enc_feature,
&link_enc_regs[link_regs_id],
&link_enc_aux_regs[enc_init_data->channel - 1],
- &link_enc_hpd_regs[enc_init_data->hpd_source]);
+ enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs) ?
+ NULL : &link_enc_hpd_regs[enc_init_data->hpd_source]);
return &enc110->base;
}
--- a/drivers/gpu/drm/amd/display/dc/resource/dce110/dce110_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/resource/dce110/dce110_resource.c
@@ -672,7 +672,7 @@ static struct link_encoder *dce110_link_
kzalloc(sizeof(struct dce110_link_encoder), GFP_KERNEL);
int link_regs_id;
- if (!enc110 || enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs))
+ if (!enc110)
return NULL;
link_regs_id =
@@ -683,7 +683,8 @@ static struct link_encoder *dce110_link_
&link_enc_feature,
&link_enc_regs[link_regs_id],
&link_enc_aux_regs[enc_init_data->channel - 1],
- &link_enc_hpd_regs[enc_init_data->hpd_source]);
+ enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs) ?
+ NULL : &link_enc_hpd_regs[enc_init_data->hpd_source]);
return &enc110->base;
}
--- a/drivers/gpu/drm/amd/display/dc/resource/dce112/dce112_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/resource/dce112/dce112_resource.c
@@ -633,7 +633,7 @@ static struct link_encoder *dce112_link_
kzalloc(sizeof(struct dce110_link_encoder), GFP_KERNEL);
int link_regs_id;
- if (!enc110 || enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs))
+ if (!enc110)
return NULL;
link_regs_id =
@@ -644,7 +644,8 @@ static struct link_encoder *dce112_link_
&link_enc_feature,
&link_enc_regs[link_regs_id],
&link_enc_aux_regs[enc_init_data->channel - 1],
- &link_enc_hpd_regs[enc_init_data->hpd_source]);
+ enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs) ?
+ NULL : &link_enc_hpd_regs[enc_init_data->hpd_source]);
return &enc110->base;
}
--- a/drivers/gpu/drm/amd/display/dc/resource/dce120/dce120_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/resource/dce120/dce120_resource.c
@@ -717,7 +717,7 @@ static struct link_encoder *dce120_link_
kzalloc(sizeof(struct dce110_link_encoder), GFP_KERNEL);
int link_regs_id;
- if (!enc110 || enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs))
+ if (!enc110)
return NULL;
link_regs_id =
@@ -728,7 +728,8 @@ static struct link_encoder *dce120_link_
&link_enc_feature,
&link_enc_regs[link_regs_id],
&link_enc_aux_regs[enc_init_data->channel - 1],
- &link_enc_hpd_regs[enc_init_data->hpd_source]);
+ enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs) ?
+ NULL : &link_enc_hpd_regs[enc_init_data->hpd_source]);
return &enc110->base;
}
--- a/drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c
@@ -747,18 +747,16 @@ static struct link_encoder *dce60_link_e
return &enc110->base;
}
- if (enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs))
- return NULL;
-
link_regs_id =
map_transmitter_id_to_phy_instance(enc_init_data->transmitter);
dce60_link_encoder_construct(enc110,
- enc_init_data,
- &link_enc_feature,
- &link_enc_regs[link_regs_id],
- &link_enc_aux_regs[enc_init_data->channel - 1],
- &link_enc_hpd_regs[enc_init_data->hpd_source]);
+ enc_init_data,
+ &link_enc_feature,
+ &link_enc_regs[link_regs_id],
+ &link_enc_aux_regs[enc_init_data->channel - 1],
+ enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs) ?
+ NULL : &link_enc_hpd_regs[enc_init_data->hpd_source]);
return &enc110->base;
}
--- a/drivers/gpu/drm/amd/display/dc/resource/dce80/dce80_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/resource/dce80/dce80_resource.c
@@ -753,9 +753,6 @@ static struct link_encoder *dce80_link_e
return &enc110->base;
}
- if (enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs))
- return NULL;
-
link_regs_id =
map_transmitter_id_to_phy_instance(enc_init_data->transmitter);
@@ -764,7 +761,8 @@ static struct link_encoder *dce80_link_e
&link_enc_feature,
&link_enc_regs[link_regs_id],
&link_enc_aux_regs[enc_init_data->channel - 1],
- &link_enc_hpd_regs[enc_init_data->hpd_source]);
+ enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs) ?
+ NULL : &link_enc_hpd_regs[enc_init_data->hpd_source]);
return &enc110->base;
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 265/342] drm/amd/display: Fix drm_edid leak in amdgpu_dm
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 264/342] drm/amd/display: Fix DCE LVDS handling Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 266/342] drm/amd/display: check if ext_caps is valid in BL setup Greg Kroah-Hartman
` (93 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roman Li, Alex Hung, Chuanyu Tseng,
Alex Deucher
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Hung <alex.hung@amd.com>
commit 37c2caa167b0b8aca4f74c32404c5288b876a2a3 upstream.
[WHAT]
When a sink is connected, aconnector->drm_edid was overwritten without
freeing the previous allocation, causing a memory leak on resume.
[HOW]
Free the previous drm_edid before updating it.
Reviewed-by: Roman Li <roman.li@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Chuanyu Tseng <chuanyu.tseng@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 52024a94e7111366141cfc5d888b2ef011f879e5)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -3891,8 +3891,9 @@ void amdgpu_dm_update_connector_after_de
aconnector->dc_sink = sink;
dc_sink_retain(aconnector->dc_sink);
+ drm_edid_free(aconnector->drm_edid);
+ aconnector->drm_edid = NULL;
if (sink->dc_edid.length == 0) {
- aconnector->drm_edid = NULL;
hdmi_cec_unset_edid(aconnector);
if (aconnector->dc_link->aux_mode) {
drm_dp_cec_unset_edid(&aconnector->dm_dp_aux.aux);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 266/342] drm/amd/display: check if ext_caps is valid in BL setup
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 265/342] drm/amd/display: Fix drm_edid leak in amdgpu_dm Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 267/342] drm/i915/dp_tunnel: Fix error handling when clearing stream BW in atomic state Greg Kroah-Hartman
` (92 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello,
Mario Limonciello (AMD), Alex Deucher
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 9da4f9964abcaeb6e19797d5e3b10faad338a786 upstream.
LVDS connectors don't have extended backlight caps so check
if the pointer is valid before accessing it.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/5012
Fixes: 1454642960b0 ("drm/amd: Re-introduce property to control adaptive backlight modulation")
Cc: Mario Limonciello <mario.limonciello@amd.com>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 3f797396d7f4eb9bb6eded184bbc6f033628a6f6)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -5406,7 +5406,7 @@ static void setup_backlight_device(struc
caps = &dm->backlight_caps[aconnector->bl_idx];
/* Only offer ABM property when non-OLED and user didn't turn off by module parameter */
- if (!caps->ext_caps->bits.oled && amdgpu_dm_abm_level < 0)
+ if (caps->ext_caps && !caps->ext_caps->bits.oled && amdgpu_dm_abm_level < 0)
drm_object_attach_property(&aconnector->base.base,
dm->adev->mode_info.abm_level_property,
ABM_SYSFS_CONTROL);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 267/342] drm/i915/dp_tunnel: Fix error handling when clearing stream BW in atomic state
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 266/342] drm/amd/display: check if ext_caps is valid in BL setup Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 268/342] drm/i915: Order OP vs. timeout correctly in __wait_for() Greg Kroah-Hartman
` (91 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uma Shankar, Ville Syrjälä,
Michał Grzelak, Imre Deak, Joonas Lahtinen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Imre Deak <imre.deak@intel.com>
commit 77fcf58df15edcf3f5b5421f24814fb72796def9 upstream.
Clearing the DP tunnel stream BW in the atomic state involves getting
the tunnel group state, which can fail. Handle the error accordingly.
This fixes at least one issue where drm_dp_tunnel_atomic_set_stream_bw()
failed to get the tunnel group state returning -EDEADLK, which wasn't
handled. This lead to the ctx->contended warn later in modeset_lock()
while taking a WW mutex for another object in the same atomic state, and
thus within the same already contended WW context.
Moving intel_crtc_state_alloc() later would avoid freeing saved_state on
the error path; this stable patch leaves that simplification for a
follow-up.
Cc: Uma Shankar <uma.shankar@intel.com>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: <stable@vger.kernel.org> # v6.9+
Fixes: a4efae87ecb2 ("drm/i915/dp: Compute DP tunnel BW during encoder state computation")
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/7617
Reviewed-by: Michał Grzelak <michal.grzelak@intel.com>
Reviewed-by: Uma Shankar <uma.shankar@intel.com>
Signed-off-by: Imre Deak <imre.deak@intel.com>
Link: https://patch.msgid.link/20260320092900.13210-1-imre.deak@intel.com
(cherry picked from commit fb69d0076e687421188bc8103ab0e8e5825b1df1)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/display/intel_display.c | 8 +++++++-
drivers/gpu/drm/i915/display/intel_dp_tunnel.c | 20 ++++++++++++++------
drivers/gpu/drm/i915/display/intel_dp_tunnel.h | 11 +++++++----
3 files changed, 28 insertions(+), 11 deletions(-)
--- a/drivers/gpu/drm/i915/display/intel_display.c
+++ b/drivers/gpu/drm/i915/display/intel_display.c
@@ -4578,6 +4578,7 @@ intel_crtc_prepare_cleared_state(struct
struct intel_crtc_state *crtc_state =
intel_atomic_get_new_crtc_state(state, crtc);
struct intel_crtc_state *saved_state;
+ int err;
saved_state = intel_crtc_state_alloc(crtc);
if (!saved_state)
@@ -4586,7 +4587,12 @@ intel_crtc_prepare_cleared_state(struct
/* free the old crtc_state->hw members */
intel_crtc_free_hw_state(crtc_state);
- intel_dp_tunnel_atomic_clear_stream_bw(state, crtc_state);
+ err = intel_dp_tunnel_atomic_clear_stream_bw(state, crtc_state);
+ if (err) {
+ kfree(saved_state);
+
+ return err;
+ }
/* FIXME: before the switch to atomic started, a new pipe_config was
* kzalloc'd. Code that depends on any field being zero should be
--- a/drivers/gpu/drm/i915/display/intel_dp_tunnel.c
+++ b/drivers/gpu/drm/i915/display/intel_dp_tunnel.c
@@ -622,19 +622,27 @@ int intel_dp_tunnel_atomic_compute_strea
*
* Clear any DP tunnel stream BW requirement set by
* intel_dp_tunnel_atomic_compute_stream_bw().
+ *
+ * Returns 0 in case of success, a negative error code otherwise.
*/
-void intel_dp_tunnel_atomic_clear_stream_bw(struct intel_atomic_state *state,
- struct intel_crtc_state *crtc_state)
+int intel_dp_tunnel_atomic_clear_stream_bw(struct intel_atomic_state *state,
+ struct intel_crtc_state *crtc_state)
{
struct intel_crtc *crtc = to_intel_crtc(crtc_state->uapi.crtc);
+ int err;
if (!crtc_state->dp_tunnel_ref.tunnel)
- return;
+ return 0;
+
+ err = drm_dp_tunnel_atomic_set_stream_bw(&state->base,
+ crtc_state->dp_tunnel_ref.tunnel,
+ crtc->pipe, 0);
+ if (err)
+ return err;
- drm_dp_tunnel_atomic_set_stream_bw(&state->base,
- crtc_state->dp_tunnel_ref.tunnel,
- crtc->pipe, 0);
drm_dp_tunnel_ref_put(&crtc_state->dp_tunnel_ref);
+
+ return 0;
}
/**
--- a/drivers/gpu/drm/i915/display/intel_dp_tunnel.h
+++ b/drivers/gpu/drm/i915/display/intel_dp_tunnel.h
@@ -40,8 +40,8 @@ int intel_dp_tunnel_atomic_compute_strea
struct intel_dp *intel_dp,
const struct intel_connector *connector,
struct intel_crtc_state *crtc_state);
-void intel_dp_tunnel_atomic_clear_stream_bw(struct intel_atomic_state *state,
- struct intel_crtc_state *crtc_state);
+int intel_dp_tunnel_atomic_clear_stream_bw(struct intel_atomic_state *state,
+ struct intel_crtc_state *crtc_state);
int intel_dp_tunnel_atomic_add_state_for_crtc(struct intel_atomic_state *state,
struct intel_crtc *crtc);
@@ -88,9 +88,12 @@ intel_dp_tunnel_atomic_compute_stream_bw
return 0;
}
-static inline void
+static inline int
intel_dp_tunnel_atomic_clear_stream_bw(struct intel_atomic_state *state,
- struct intel_crtc_state *crtc_state) {}
+ struct intel_crtc_state *crtc_state)
+{
+ return 0;
+}
static inline int
intel_dp_tunnel_atomic_add_state_for_crtc(struct intel_atomic_state *state,
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 268/342] drm/i915: Order OP vs. timeout correctly in __wait_for()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 267/342] drm/i915/dp_tunnel: Fix error handling when clearing stream BW in atomic state Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 269/342] drm/i915: Unlink NV12 planes earlier Greg Kroah-Hartman
` (90 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ville Syrjälä, Jani Nikula,
Joonas Lahtinen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
commit 6ad2a661ff0d3d94884947d2a593311ba46d34c2 upstream.
Put the barrier() before the OP so that anything we read out in
OP and check in COND will actually be read out after the timeout
has been evaluated.
Currently the only place where we use OP is __intel_wait_for_register(),
but the use there is precisely susceptible to this reordering, assuming
the ktime_*() stuff itself doesn't act as a sufficient barrier:
__intel_wait_for_register(...)
{
...
ret = __wait_for(reg_value = intel_uncore_read_notrace(...),
(reg_value & mask) == value, ...);
...
}
Cc: stable@vger.kernel.org
Fixes: 1c3c1dc66a96 ("drm/i915: Add compiler barrier to wait_for")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patch.msgid.link/20260313110740.24620-1-ville.syrjala@linux.intel.com
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
(cherry picked from commit a464bace0482aa9a83e9aa7beefbaf44cd58e6cf)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/i915_wait_util.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/i915_wait_util.h
+++ b/drivers/gpu/drm/i915/i915_wait_util.h
@@ -25,9 +25,9 @@
might_sleep(); \
for (;;) { \
const bool expired__ = ktime_after(ktime_get_raw(), end__); \
- OP; \
/* Guarantee COND check prior to timeout */ \
barrier(); \
+ OP; \
if (COND) { \
ret__ = 0; \
break; \
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 269/342] drm/i915: Unlink NV12 planes earlier
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 268/342] drm/i915: Order OP vs. timeout correctly in __wait_for() Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 270/342] LoongArch: Fix missing NULL checks for kstrdup() Greg Kroah-Hartman
` (89 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Khaled Almahallawy,
Ville Syrjälä, Uma Shankar, Joonas Lahtinen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
commit bfa71b7a9dc6b5b8af157686e03308291141d00c upstream.
unlink_nv12_plane() will clobber parts of the plane state
potentially already set up by plane_atomic_check(), so we
must make sure not to call the two in the wrong order.
The problem happens when a plane previously selected as
a Y plane is now configured as a normal plane by user space.
plane_atomic_check() will first compute the proper plane
state based on the userspace request, and unlink_nv12_plane()
later clears some of the state.
This used to work on account of unlink_nv12_plane() skipping
the state clearing based on the plane visibility. But I removed
that check, thinking it was an impossible situation. Now when
that situation happens unlink_nv12_plane() will just WARN
and proceed to clobber the state.
Rather than reverting to the old way of doing things, I think
it's more clear if we unlink the NV12 planes before we even
compute the new plane state.
Cc: stable@vger.kernel.org
Reported-by: Khaled Almahallawy <khaled.almahallawy@intel.com>
Closes: https://lore.kernel.org/intel-gfx/20260212004852.1920270-1-khaled.almahallawy@intel.com/
Tested-by: Khaled Almahallawy <khaled.almahallawy@intel.com>
Fixes: 6a01df2f1b2a ("drm/i915: Remove pointless visible check in unlink_nv12_plane()")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patch.msgid.link/20260316163953.12905-2-ville.syrjala@linux.intel.com
Reviewed-by: Uma Shankar <uma.shankar@intel.com>
(cherry picked from commit 017ecd04985573eeeb0745fa2c23896fb22ee0cc)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/display/intel_plane.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/i915/display/intel_plane.c
+++ b/drivers/gpu/drm/i915/display/intel_plane.c
@@ -433,11 +433,16 @@ void intel_plane_copy_hw_state(struct in
drm_framebuffer_get(plane_state->hw.fb);
}
+static void unlink_nv12_plane(struct intel_crtc_state *crtc_state,
+ struct intel_plane_state *plane_state);
+
void intel_plane_set_invisible(struct intel_crtc_state *crtc_state,
struct intel_plane_state *plane_state)
{
struct intel_plane *plane = to_intel_plane(plane_state->uapi.plane);
+ unlink_nv12_plane(crtc_state, plane_state);
+
crtc_state->active_planes &= ~BIT(plane->id);
crtc_state->scaled_planes &= ~BIT(plane->id);
crtc_state->nv12_planes &= ~BIT(plane->id);
@@ -1511,6 +1516,9 @@ static void unlink_nv12_plane(struct int
struct intel_display *display = to_intel_display(plane_state);
struct intel_plane *plane = to_intel_plane(plane_state->uapi.plane);
+ if (!plane_state->planar_linked_plane)
+ return;
+
plane_state->planar_linked_plane = NULL;
if (!plane_state->is_y_plane)
@@ -1548,8 +1556,7 @@ static int icl_check_nv12_planes(struct
if (plane->pipe != crtc->pipe)
continue;
- if (plane_state->planar_linked_plane)
- unlink_nv12_plane(crtc_state, plane_state);
+ unlink_nv12_plane(crtc_state, plane_state);
}
if (!crtc_state->nv12_planes)
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 270/342] LoongArch: Fix missing NULL checks for kstrdup()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 269/342] drm/i915: Unlink NV12 planes earlier Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 271/342] LoongArch: vDSO: Emit GNU_EH_FRAME correctly Greg Kroah-Hartman
` (88 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Jun, Huacai Chen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Jun <lijun01@kylinos.cn>
commit 3a28daa9b7d7c2ddf2c722e9e95d7e0928bf0cd1 upstream.
1. Replace "of_find_node_by_path("/")" with "of_root" to avoid multiple
calls to "of_node_put()".
2. Fix a potential kernel oops during early boot when memory allocation
fails while parsing CPU model from device tree.
Cc: stable@vger.kernel.org
Signed-off-by: Li Jun <lijun01@kylinos.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kernel/env.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/arch/loongarch/kernel/env.c
+++ b/arch/loongarch/kernel/env.c
@@ -42,16 +42,15 @@ static int __init init_cpu_fullname(void
int cpu, ret;
char *cpuname;
const char *model;
- struct device_node *root;
/* Parsing cpuname from DTS model property */
- root = of_find_node_by_path("/");
- ret = of_property_read_string(root, "model", &model);
+ ret = of_property_read_string(of_root, "model", &model);
if (ret == 0) {
cpuname = kstrdup(model, GFP_KERNEL);
+ if (!cpuname)
+ return -ENOMEM;
loongson_sysconf.cpuname = strsep(&cpuname, " ");
}
- of_node_put(root);
if (loongson_sysconf.cpuname && !strncmp(loongson_sysconf.cpuname, "Loongson", 8)) {
for (cpu = 0; cpu < NR_CPUS; cpu++)
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 271/342] LoongArch: vDSO: Emit GNU_EH_FRAME correctly
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 270/342] LoongArch: Fix missing NULL checks for kstrdup() Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 272/342] LoongArch: Workaround LS2K/LS7A GPU DMA hang bug Greg Kroah-Hartman
` (87 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xi Ruoyao, Huacai Chen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xi Ruoyao <xry111@xry111.site>
commit e4878c37f6679fdea91b27a0f4e60a871f0b7bad upstream.
With -fno-asynchronous-unwind-tables and --no-eh-frame-hdr (the default
of the linker), the GNU_EH_FRAME segment (specified by vdso.lds.S) is
empty. This is not valid, as the current DWARF specification mandates
the first byte of the EH frame to be the version number 1. It causes
some unwinders to complain, for example the ClickHouse query profiler
spams the log with messages:
clickhouse-server[365854]: libunwind: unsupported .eh_frame_hdr
version: 127 at 7ffffffb0000
Here "127" is just the byte located at the p_vaddr (0, i.e. the
beginning of the vDSO) of the empty GNU_EH_FRAME segment. Cross-
checking with /proc/365854/maps has also proven 7ffffffb0000 is the
start of vDSO in the process VM image.
In LoongArch the -fno-asynchronous-unwind-tables option seems just a
MIPS legacy, and MIPS only uses this option to satisfy the MIPS-specific
"genvdso" program, per the commit cfd75c2db17e ("MIPS: VDSO: Explicitly
use -fno-asynchronous-unwind-tables"). IIRC it indicates some inherent
limitation of the MIPS ELF ABI and has nothing to do with LoongArch. So
we can simply flip it over to -fasynchronous-unwind-tables and pass
--eh-frame-hdr for linking the vDSO, allowing the profilers to unwind the
stack for statistics even if the sample point is taken when the PC is in
the vDSO.
However simply adjusting the options above would exploit an issue: when
the libgcc unwinder saw the invalid GNU_EH_FRAME segment, it silently
falled back to a machine-specific routine to match the code pattern of
rt_sigreturn() and extract the registers saved in the sigframe if the
code pattern is matched. As unwinding from signal handlers is vital for
libgcc to support pthread cancellation etc., the fall-back routine had
been silently keeping the LoongArch Linux systems functioning since
Linux 5.19. But when we start to emit GNU_EH_FRAME with the correct
format, fall-back routine will no longer be used and libgcc will fail
to unwind the sigframe, and unwinding from signal handlers will no
longer work, causing dozens of glibc test failures. To make it possible
to unwind from signal handlers again, it's necessary to code the unwind
info in __vdso_rt_sigreturn via .cfi_* directives.
The offsets in the .cfi_* directives depend on the layout of struct
sigframe, notably the offset of sigcontext in the sigframe. To use the
offset in the assembly file, factor out struct sigframe into a header to
allow asm-offsets.c to output the offset for assembly.
To work around a long-term issue in the libgcc unwinder (the pc is
unconditionally substracted by 1: doing so is technically incorrect for
a signal frame), a nop instruction is included with the two real
instructions in __vdso_rt_sigreturn in the same FDE PC range. The same
hack has been used on x86 for a long time.
Cc: stable@vger.kernel.org
Fixes: c6b99bed6b8f ("LoongArch: Add VDSO and VSYSCALL support")
Signed-off-by: Xi Ruoyao <xry111@xry111.site>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/include/asm/linkage.h | 36 ++++++++++++++++++++++++++++++++++
arch/loongarch/include/asm/sigframe.h | 9 ++++++++
arch/loongarch/kernel/asm-offsets.c | 2 +
arch/loongarch/kernel/signal.c | 6 -----
arch/loongarch/vdso/Makefile | 4 +--
arch/loongarch/vdso/sigreturn.S | 6 ++---
6 files changed, 53 insertions(+), 10 deletions(-)
create mode 100644 arch/loongarch/include/asm/sigframe.h
--- a/arch/loongarch/include/asm/linkage.h
+++ b/arch/loongarch/include/asm/linkage.h
@@ -41,4 +41,40 @@
.cfi_endproc; \
SYM_END(name, SYM_T_NONE)
+/*
+ * This is for the signal handler trampoline, which is used as the return
+ * address of the signal handlers in userspace instead of called normally.
+ * The long standing libgcc bug https://gcc.gnu.org/PR124050 requires a
+ * nop between .cfi_startproc and the actual address of the trampoline, so
+ * we cannot simply use SYM_FUNC_START.
+ *
+ * This wrapper also contains all the .cfi_* directives for recovering
+ * the content of the GPRs and the "return address" (where the rt_sigreturn
+ * syscall will jump to), assuming there is a struct rt_sigframe (where
+ * a struct sigcontext containing those information we need to recover) at
+ * $sp. The "DWARF for the LoongArch(TM) Architecture" manual states
+ * column 0 is for $zero, but it does not make too much sense to
+ * save/restore the hardware zero register. Repurpose this column here
+ * for the return address (here it's not the content of $ra we cannot use
+ * the default column 3).
+ */
+#define SYM_SIGFUNC_START(name) \
+ .cfi_startproc; \
+ .cfi_signal_frame; \
+ .cfi_def_cfa 3, RT_SIGFRAME_SC; \
+ .cfi_return_column 0; \
+ .cfi_offset 0, SC_PC; \
+ \
+ .irp num, 1, 2, 3, 4, 5, 6, 7, 8, \
+ 9, 10, 11, 12, 13, 14, 15, 16, \
+ 17, 18, 19, 20, 21, 22, 23, 24, \
+ 25, 26, 27, 28, 29, 30, 31; \
+ .cfi_offset \num, SC_REGS + \num * SZREG; \
+ .endr; \
+ \
+ nop; \
+ SYM_START(name, SYM_L_GLOBAL, SYM_A_ALIGN)
+
+#define SYM_SIGFUNC_END(name) SYM_FUNC_END(name)
+
#endif
--- /dev/null
+++ b/arch/loongarch/include/asm/sigframe.h
@@ -0,0 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+
+#include <asm/siginfo.h>
+#include <asm/ucontext.h>
+
+struct rt_sigframe {
+ struct siginfo rs_info;
+ struct ucontext rs_uctx;
+};
--- a/arch/loongarch/kernel/asm-offsets.c
+++ b/arch/loongarch/kernel/asm-offsets.c
@@ -16,6 +16,7 @@
#include <asm/ptrace.h>
#include <asm/processor.h>
#include <asm/ftrace.h>
+#include <asm/sigframe.h>
#include <vdso/datapage.h>
static void __used output_ptreg_defines(void)
@@ -220,6 +221,7 @@ static void __used output_sc_defines(voi
COMMENT("Linux sigcontext offsets.");
OFFSET(SC_REGS, sigcontext, sc_regs);
OFFSET(SC_PC, sigcontext, sc_pc);
+ OFFSET(RT_SIGFRAME_SC, rt_sigframe, rs_uctx.uc_mcontext);
BLANK();
}
--- a/arch/loongarch/kernel/signal.c
+++ b/arch/loongarch/kernel/signal.c
@@ -35,6 +35,7 @@
#include <asm/cpu-features.h>
#include <asm/fpu.h>
#include <asm/lbt.h>
+#include <asm/sigframe.h>
#include <asm/ucontext.h>
#include <asm/vdso.h>
@@ -51,11 +52,6 @@
#define lock_lbt_owner() ({ preempt_disable(); pagefault_disable(); })
#define unlock_lbt_owner() ({ pagefault_enable(); preempt_enable(); })
-struct rt_sigframe {
- struct siginfo rs_info;
- struct ucontext rs_uctx;
-};
-
struct _ctx_layout {
struct sctx_info *addr;
unsigned int size;
--- a/arch/loongarch/vdso/Makefile
+++ b/arch/loongarch/vdso/Makefile
@@ -26,7 +26,7 @@ cflags-vdso := $(ccflags-vdso) \
$(filter -W%,$(filter-out -Wa$(comma)%,$(KBUILD_CFLAGS))) \
-std=gnu11 -fms-extensions -O2 -g -fno-strict-aliasing -fno-common -fno-builtin \
-fno-stack-protector -fno-jump-tables -DDISABLE_BRANCH_PROFILING \
- $(call cc-option, -fno-asynchronous-unwind-tables) \
+ $(call cc-option, -fasynchronous-unwind-tables) \
$(call cc-option, -fno-stack-protector)
aflags-vdso := $(ccflags-vdso) \
-D__ASSEMBLY__ -Wa,-gdwarf-2
@@ -41,7 +41,7 @@ endif
# VDSO linker flags.
ldflags-y := -Bsymbolic --no-undefined -soname=linux-vdso.so.1 \
- $(filter -E%,$(KBUILD_CFLAGS)) -shared --build-id -T
+ $(filter -E%,$(KBUILD_CFLAGS)) -shared --build-id --eh-frame-hdr -T
#
# Shared build commands.
--- a/arch/loongarch/vdso/sigreturn.S
+++ b/arch/loongarch/vdso/sigreturn.S
@@ -12,13 +12,13 @@
#include <asm/regdef.h>
#include <asm/asm.h>
+#include <asm/asm-offsets.h>
.section .text
- .cfi_sections .debug_frame
-SYM_FUNC_START(__vdso_rt_sigreturn)
+SYM_SIGFUNC_START(__vdso_rt_sigreturn)
li.w a7, __NR_rt_sigreturn
syscall 0
-SYM_FUNC_END(__vdso_rt_sigreturn)
+SYM_SIGFUNC_END(__vdso_rt_sigreturn)
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 272/342] LoongArch: Workaround LS2K/LS7A GPU DMA hang bug
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 271/342] LoongArch: vDSO: Emit GNU_EH_FRAME correctly Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 273/342] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust Greg Kroah-Hartman
` (86 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qianhai Wu, Huacai Chen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit 95db0c9f526d583634cddb2e5914718570fbac87 upstream.
1. Hardware limitation: GPU, DC and VPU are typically PCI device 06.0,
06.1 and 06.2. They share some hardware resources, so when configure the
PCI 06.0 device BAR1, DMA memory access cannot be performed through this
BAR, otherwise it will cause hardware abnormalities.
2. In typical scenarios of reboot or S3/S4, DC access to memory through
BAR is not prohibited, resulting in GPU DMA hangs.
3. Workaround method: When configuring the 06.0 device BAR1, turn off
the memory access of DC, GPU and VPU (via DC's CRTC registers).
Cc: stable@vger.kernel.org
Signed-off-by: Qianhai Wu <wuqianhai@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/pci/pci.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 80 insertions(+)
--- a/arch/loongarch/pci/pci.c
+++ b/arch/loongarch/pci/pci.c
@@ -5,9 +5,11 @@
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/acpi.h>
+#include <linux/delay.h>
#include <linux/types.h>
#include <linux/pci.h>
#include <linux/vgaarb.h>
+#include <linux/io-64-nonatomic-lo-hi.h>
#include <asm/cacheflush.h>
#include <asm/loongson.h>
@@ -15,6 +17,9 @@
#define PCI_DEVICE_ID_LOONGSON_DC1 0x7a06
#define PCI_DEVICE_ID_LOONGSON_DC2 0x7a36
#define PCI_DEVICE_ID_LOONGSON_DC3 0x7a46
+#define PCI_DEVICE_ID_LOONGSON_GPU1 0x7a15
+#define PCI_DEVICE_ID_LOONGSON_GPU2 0x7a25
+#define PCI_DEVICE_ID_LOONGSON_GPU3 0x7a35
int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
int reg, int len, u32 *val)
@@ -99,3 +104,78 @@ static void pci_fixup_vgadev(struct pci_
DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC1, pci_fixup_vgadev);
DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC2, pci_fixup_vgadev);
DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC3, pci_fixup_vgadev);
+
+#define CRTC_NUM_MAX 2
+#define CRTC_OUTPUT_ENABLE 0x100
+
+static void loongson_gpu_fixup_dma_hang(struct pci_dev *pdev, bool on)
+{
+ u32 i, val, count, crtc_offset, device;
+ void __iomem *crtc_reg, *base, *regbase;
+ static u32 crtc_status[CRTC_NUM_MAX] = { 0 };
+
+ base = pdev->bus->ops->map_bus(pdev->bus, pdev->devfn + 1, 0);
+ device = readw(base + PCI_DEVICE_ID);
+
+ regbase = ioremap(readq(base + PCI_BASE_ADDRESS_0) & ~0xffull, SZ_64K);
+ if (!regbase) {
+ pci_err(pdev, "Failed to ioremap()\n");
+ return;
+ }
+
+ switch (device) {
+ case PCI_DEVICE_ID_LOONGSON_DC2:
+ crtc_reg = regbase + 0x1240;
+ crtc_offset = 0x10;
+ break;
+ case PCI_DEVICE_ID_LOONGSON_DC3:
+ crtc_reg = regbase;
+ crtc_offset = 0x400;
+ break;
+ }
+
+ for (i = 0; i < CRTC_NUM_MAX; i++, crtc_reg += crtc_offset) {
+ val = readl(crtc_reg);
+
+ if (!on)
+ crtc_status[i] = val;
+
+ /* No need to fixup if the status is off at startup. */
+ if (!(crtc_status[i] & CRTC_OUTPUT_ENABLE))
+ continue;
+
+ if (on)
+ val |= CRTC_OUTPUT_ENABLE;
+ else
+ val &= ~CRTC_OUTPUT_ENABLE;
+
+ mb();
+ writel(val, crtc_reg);
+
+ for (count = 0; count < 40; count++) {
+ val = readl(crtc_reg) & CRTC_OUTPUT_ENABLE;
+ if ((on && val) || (!on && !val))
+ break;
+ udelay(1000);
+ }
+
+ pci_info(pdev, "DMA hang fixup at reg[0x%lx]: 0x%x\n",
+ (unsigned long)crtc_reg & 0xffff, readl(crtc_reg));
+ }
+
+ iounmap(regbase);
+}
+
+static void pci_fixup_dma_hang_early(struct pci_dev *pdev)
+{
+ loongson_gpu_fixup_dma_hang(pdev, false);
+}
+DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_GPU2, pci_fixup_dma_hang_early);
+DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_GPU3, pci_fixup_dma_hang_early);
+
+static void pci_fixup_dma_hang_final(struct pci_dev *pdev)
+{
+ loongson_gpu_fixup_dma_hang(pdev, true);
+}
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_GPU2, pci_fixup_dma_hang_final);
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_GPU3, pci_fixup_dma_hang_final);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 273/342] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 272/342] LoongArch: Workaround LS2K/LS7A GPU DMA hang bug Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 274/342] LoongArch: KVM: Fix base address calculation in kvm_eiointc_regs_access() Greg Kroah-Hartman
` (85 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aurelien Jarno, Huacai Chen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit 2db06c15d8c7a0ccb6108524e16cd9163753f354 upstream.
kvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so
cpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this
case so as to make it more robust.
This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].
Cc: <stable@vger.kernel.org>
Fixes: 73516e9da512adc ("LoongArch: KVM: Add vcpu mapping from physical cpuid")
Reported-by: Aurelien Jarno <aurel32@debian.org>
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kvm/vcpu.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/loongarch/kvm/vcpu.c
+++ b/arch/loongarch/kvm/vcpu.c
@@ -562,6 +562,9 @@ struct kvm_vcpu *kvm_get_vcpu_by_cpuid(s
{
struct kvm_phyid_map *map;
+ if (cpuid < 0)
+ return NULL;
+
if (cpuid >= KVM_MAX_PHYID)
return NULL;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 274/342] LoongArch: KVM: Fix base address calculation in kvm_eiointc_regs_access()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 273/342] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 275/342] LoongArch: KVM: Handle the case that EIOINTCs coremap is empty Greg Kroah-Hartman
` (84 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aurelien Jarno, Bibo Mao,
Huacai Chen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bibo Mao <maobibo@loongson.cn>
commit 6bcfb7f46d667b04bd1a1169ccedf5fb699c60df upstream.
In function kvm_eiointc_regs_access(), the register base address is
caculated from array base address plus offset, the offset is absolute
value from the base address. The data type of array base address is
u64, it should be converted into the "void *" type and then plus the
offset.
Cc: <stable@vger.kernel.org>
Fixes: d3e43a1f34ac ("LoongArch: KVM: Use 64-bit register definition for EIOINTC").
Reported-by: Aurelien Jarno <aurel32@debian.org>
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kvm/intc/eiointc.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/arch/loongarch/kvm/intc/eiointc.c
+++ b/arch/loongarch/kvm/intc/eiointc.c
@@ -481,34 +481,34 @@ static int kvm_eiointc_regs_access(struc
switch (addr) {
case EIOINTC_NODETYPE_START ... EIOINTC_NODETYPE_END:
offset = (addr - EIOINTC_NODETYPE_START) / 4;
- p = s->nodetype + offset * 4;
+ p = (void *)s->nodetype + offset * 4;
break;
case EIOINTC_IPMAP_START ... EIOINTC_IPMAP_END:
offset = (addr - EIOINTC_IPMAP_START) / 4;
- p = &s->ipmap + offset * 4;
+ p = (void *)&s->ipmap + offset * 4;
break;
case EIOINTC_ENABLE_START ... EIOINTC_ENABLE_END:
offset = (addr - EIOINTC_ENABLE_START) / 4;
- p = s->enable + offset * 4;
+ p = (void *)s->enable + offset * 4;
break;
case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END:
offset = (addr - EIOINTC_BOUNCE_START) / 4;
- p = s->bounce + offset * 4;
+ p = (void *)s->bounce + offset * 4;
break;
case EIOINTC_ISR_START ... EIOINTC_ISR_END:
offset = (addr - EIOINTC_ISR_START) / 4;
- p = s->isr + offset * 4;
+ p = (void *)s->isr + offset * 4;
break;
case EIOINTC_COREISR_START ... EIOINTC_COREISR_END:
if (cpu >= s->num_cpu)
return -EINVAL;
offset = (addr - EIOINTC_COREISR_START) / 4;
- p = s->coreisr[cpu] + offset * 4;
+ p = (void *)s->coreisr[cpu] + offset * 4;
break;
case EIOINTC_COREMAP_START ... EIOINTC_COREMAP_END:
offset = (addr - EIOINTC_COREMAP_START) / 4;
- p = s->coremap + offset * 4;
+ p = (void *)s->coremap + offset * 4;
break;
default:
kvm_err("%s: unknown eiointc register, addr = %d\n", __func__, addr);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 275/342] LoongArch: KVM: Handle the case that EIOINTCs coremap is empty
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 274/342] LoongArch: KVM: Fix base address calculation in kvm_eiointc_regs_access() Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 276/342] drm/amd/pm: Return -EOPNOTSUPP for unsupported OD_MCLK on smu_v13_0_6 Greg Kroah-Hartman
` (83 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aurelien Jarno, Huacai Chen
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit b97bd69eb0f67b5f961b304d28e9ba45e202d841 upstream.
EIOINTC's coremap in eiointc_update_sw_coremap() can be empty, currently
we get a cpuid with -1 in this case, but we actually need 0 because it's
similar as the case that cpuid >= 4.
This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].
Cc: <stable@vger.kernel.org>
Fixes: 3956a52bc05bd81 ("LoongArch: KVM: Add EIOINTC read and write functions")
Reported-by: Aurelien Jarno <aurel32@debian.org>
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kvm/intc/eiointc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/loongarch/kvm/intc/eiointc.c
+++ b/arch/loongarch/kvm/intc/eiointc.c
@@ -83,7 +83,7 @@ static inline void eiointc_update_sw_cor
if (!(s->status & BIT(EIOINTC_ENABLE_CPU_ENCODE))) {
cpuid = ffs(cpuid) - 1;
- cpuid = (cpuid >= 4) ? 0 : cpuid;
+ cpuid = ((cpuid < 0) || (cpuid >= 4)) ? 0 : cpuid;
}
vcpu = kvm_get_vcpu_by_cpuid(s->kvm, cpuid);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 276/342] drm/amd/pm: Return -EOPNOTSUPP for unsupported OD_MCLK on smu_v13_0_6
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 275/342] LoongArch: KVM: Handle the case that EIOINTCs coremap is empty Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 277/342] mm/memory: fix PMD/PUD checks in follow_pfnmap_start() Greg Kroah-Hartman
` (82 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Asad Kamal, Lijo Lazar, Alex Deucher
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Asad Kamal <asad.kamal@amd.com>
commit 2f0e491faee43181b6a86e90f34016b256042fe1 upstream.
When SET_UCLK_MAX capability is absent, return -EOPNOTSUPP from
smu_v13_0_6_emit_clk_levels() for OD_MCLK instead of 0. This makes
unsupported OD_MCLK reporting consistent with other clock types
and allows callers to skip the entry cleanly.
Signed-off-by: Asad Kamal <asad.kamal@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit d82e0a72d9189e8acd353988e1a57f85ce479e37)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c
@@ -1520,7 +1520,7 @@ static int smu_v13_0_6_print_clk_levels(
case SMU_OD_MCLK:
if (!smu_v13_0_6_cap_supported(smu, SMU_CAP(SET_UCLK_MAX)))
- return 0;
+ return -EOPNOTSUPP;
size += sysfs_emit_at(buf, size, "%s:\n", "OD_MCLK");
size += sysfs_emit_at(buf, size, "0: %uMhz\n1: %uMhz\n",
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 277/342] mm/memory: fix PMD/PUD checks in follow_pfnmap_start()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 276/342] drm/amd/pm: Return -EOPNOTSUPP for unsupported OD_MCLK on smu_v13_0_6 Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 278/342] mm/mseal: update VMA end correctly on merge Greg Kroah-Hartman
` (81 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand (Arm),
Mike Rapoport (Microsoft), Lorenzo Stoakes (Oracle), Liam Howlett,
Michal Hocko, Peter Xu, Suren Baghdasaryan, Vlastimil Babka,
Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand (Arm) <david@kernel.org>
commit ffef67b93aa352b34e6aeba3d52c19a63885409a upstream.
follow_pfnmap_start() suffers from two problems:
(1) We are not re-fetching the pmd/pud after taking the PTL
Therefore, we are not properly stabilizing what the lock actually
protects. If there is concurrent zapping, we would indicate to the
caller that we found an entry, however, that entry might already have
been invalidated, or contain a different PFN after taking the lock.
Properly use pmdp_get() / pudp_get() after taking the lock.
(2) pmd_leaf() / pud_leaf() are not well defined on non-present entries
pmd_leaf()/pud_leaf() could wrongly trigger on non-present entries.
There is no real guarantee that pmd_leaf()/pud_leaf() returns something
reasonable on non-present entries. Most architectures indeed either
perform a present check or make it work by smart use of flags.
However, for example loongarch checks the _PAGE_HUGE flag in pmd_leaf(),
and always sets the _PAGE_HUGE flag in __swp_entry_to_pmd(). Whereby
pmd_trans_huge() explicitly checks pmd_present(), pmd_leaf() does not do
that.
Let's check pmd_present()/pud_present() before assuming "the is a present
PMD leaf" when spotting pmd_leaf()/pud_leaf(), like other page table
handling code that traverses user page tables does.
Given that non-present PMD entries are likely rare in VM_IO|VM_PFNMAP, (1)
is likely more relevant than (2). It is questionable how often (1) would
actually trigger, but let's CC stable to be sure.
This was found by code inspection.
Link: https://lkml.kernel.org/r/20260323-follow_pfnmap_fix-v1-1-5b0ec10872b3@kernel.org
Fixes: 6da8e9634bb7 ("mm: new follow_pfnmap API")
Signed-off-by: David Hildenbrand (Arm) <david@kernel.org>
Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Reviewed-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -6775,11 +6775,16 @@ retry:
pudp = pud_offset(p4dp, address);
pud = pudp_get(pudp);
- if (pud_none(pud))
+ if (!pud_present(pud))
goto out;
if (pud_leaf(pud)) {
lock = pud_lock(mm, pudp);
- if (!unlikely(pud_leaf(pud))) {
+ pud = pudp_get(pudp);
+
+ if (unlikely(!pud_present(pud))) {
+ spin_unlock(lock);
+ goto out;
+ } else if (unlikely(!pud_leaf(pud))) {
spin_unlock(lock);
goto retry;
}
@@ -6791,9 +6796,16 @@ retry:
pmdp = pmd_offset(pudp, address);
pmd = pmdp_get_lockless(pmdp);
+ if (!pmd_present(pmd))
+ goto out;
if (pmd_leaf(pmd)) {
lock = pmd_lock(mm, pmdp);
- if (!unlikely(pmd_leaf(pmd))) {
+ pmd = pmdp_get(pmdp);
+
+ if (unlikely(!pmd_present(pmd))) {
+ spin_unlock(lock);
+ goto out;
+ } else if (unlikely(!pmd_leaf(pmd))) {
spin_unlock(lock);
goto retry;
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 278/342] mm/mseal: update VMA end correctly on merge
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 277/342] mm/memory: fix PMD/PUD checks in follow_pfnmap_start() Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 279/342] mm/damon/sysfs: fix param_ctx leak on damon_sysfs_new_test_ctx() failure Greg Kroah-Hartman
` (80 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes (Oracle), Antonius,
David Hildenbrand (ARM), Vlastimil Babka (SUSE), Pedro Falcato,
Jann Horn, Jeff Xu, Liam Howlett, Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
commit 2697dd8ae721db4f6a53d4f4cbd438212a80f8dc upstream.
Previously we stored the end of the current VMA in curr_end, and then upon
iterating to the next VMA updated curr_start to curr_end to advance to the
next VMA.
However, this doesn't take into account the fact that a VMA might be
updated due to a merge by vma_modify_flags(), which can result in curr_end
being stale and thus, upon setting curr_start to curr_end, ending up with
an incorrect curr_start on the next iteration.
Resolve the issue by setting curr_end to vma->vm_end unconditionally to
ensure this value remains updated should this occur.
While we're here, eliminate this entire class of bug by simply setting
const curr_[start/end] to be clamped to the input range and VMAs, which
also happens to simplify the logic.
Link: https://lkml.kernel.org/r/20260327173104.322405-1-ljs@kernel.org
Fixes: 6c2da14ae1e0 ("mm/mseal: rework mseal apply logic")
Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Reported-by: Antonius <antonius@bluedragonsec.com>
Closes: https://lore.kernel.org/linux-mm/CAK8a0jwWGj9-SgFk0yKFh7i8jMkwKm5b0ao9=kmXWjO54veX2g@mail.gmail.com/
Suggested-by: David Hildenbrand (ARM) <david@kernel.org>
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Cc: Jann Horn <jannh@google.com>
Cc: Jeff Xu <jeffxu@chromium.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/mseal.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/mm/mseal.c
+++ b/mm/mseal.c
@@ -56,7 +56,6 @@ static int mseal_apply(struct mm_struct
unsigned long start, unsigned long end)
{
struct vm_area_struct *vma, *prev;
- unsigned long curr_start = start;
VMA_ITERATOR(vmi, mm, start);
/* We know there are no gaps so this will be non-NULL. */
@@ -66,6 +65,7 @@ static int mseal_apply(struct mm_struct
prev = vma;
for_each_vma_range(vmi, vma, end) {
+ const unsigned long curr_start = MAX(vma->vm_start, start);
const unsigned long curr_end = MIN(vma->vm_end, end);
if (!(vma->vm_flags & VM_SEALED)) {
@@ -79,7 +79,6 @@ static int mseal_apply(struct mm_struct
}
prev = vma;
- curr_start = curr_end;
}
return 0;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 279/342] mm/damon/sysfs: fix param_ctx leak on damon_sysfs_new_test_ctx() failure
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 278/342] mm/mseal: update VMA end correctly on merge Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 280/342] mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0] Greg Kroah-Hartman
` (79 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Law, SeongJae Park,
Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 7fe000eb32904758a85e62f6ea9483f89d5dabfc upstream.
Patch series "mm/damon/sysfs: fix memory leak and NULL dereference
issues", v4.
DAMON_SYSFS can leak memory under allocation failure, and do NULL pointer
dereference when a privileged user make wrong sequences of control. Fix
those.
This patch (of 3):
When damon_sysfs_new_test_ctx() fails in damon_sysfs_commit_input(),
param_ctx is leaked because the early return skips the cleanup at the out
label. Destroy param_ctx before returning.
Link: https://lkml.kernel.org/r/20260321175427.86000-1-sj@kernel.org
Link: https://lkml.kernel.org/r/20260321175427.86000-2-sj@kernel.org
Fixes: f0c5118ebb0e ("mm/damon/sysfs: catch commit test ctx alloc failure")
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: SeongJae Park <sj@kernel.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> [6.18+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/sysfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -1526,8 +1526,10 @@ static int damon_sysfs_commit_input(void
if (IS_ERR(param_ctx))
return PTR_ERR(param_ctx);
test_ctx = damon_sysfs_new_test_ctx(kdamond->damon_ctx);
- if (!test_ctx)
+ if (!test_ctx) {
+ damon_destroy_ctx(param_ctx);
return -ENOMEM;
+ }
err = damon_commit_ctx(test_ctx, param_ctx);
if (err)
goto out;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 280/342] mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 279/342] mm/damon/sysfs: fix param_ctx leak on damon_sysfs_new_test_ctx() failure Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 281/342] mm/damon/sysfs: check contexts->nr in repeat_call_fn Greg Kroah-Hartman
` (78 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Law, SeongJae Park,
Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 1bfe9fb5ed2667fb075682408b776b5273162615 upstream.
Multiple sysfs command paths dereference contexts_arr[0] without first
verifying that kdamond->contexts->nr == 1. A user can set nr_contexts to
0 via sysfs while DAMON is running, causing NULL pointer dereferences.
In more detail, the issue can be triggered by privileged users like
below.
First, start DAMON and make contexts directory empty
(kdamond->contexts->nr == 0).
# damo start
# cd /sys/kernel/mm/damon/admin/kdamonds/0
# echo 0 > contexts/nr_contexts
Then, each of below commands will cause the NULL pointer dereference.
# echo update_schemes_stats > state
# echo update_schemes_tried_regions > state
# echo update_schemes_tried_bytes > state
# echo update_schemes_effective_quotas > state
# echo update_tuned_intervals > state
Guard all commands (except OFF) at the entry point of
damon_sysfs_handle_cmd().
Link: https://lkml.kernel.org/r/20260321175427.86000-3-sj@kernel.org
Fixes: 0ac32b8affb5 ("mm/damon/sysfs: support DAMOS stats")
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: SeongJae Park <sj@kernel.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> [5.18+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/sysfs.c | 3 +++
1 file changed, 3 insertions(+)
--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -1752,6 +1752,9 @@ static int damon_sysfs_update_schemes_tr
static int damon_sysfs_handle_cmd(enum damon_sysfs_cmd cmd,
struct damon_sysfs_kdamond *kdamond)
{
+ if (cmd != DAMON_SYSFS_CMD_OFF && kdamond->contexts->nr != 1)
+ return -EINVAL;
+
switch (cmd) {
case DAMON_SYSFS_CMD_ON:
return damon_sysfs_turn_damon_on(kdamond);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 281/342] mm/damon/sysfs: check contexts->nr in repeat_call_fn
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 280/342] mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0] Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 282/342] mm/pagewalk: fix race between concurrent split and refault Greg Kroah-Hartman
` (77 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josh Law, SeongJae Park,
Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Law <objecting@objecting.org>
commit 6557004a8b59c7701e695f02be03c7e20ed1cc15 upstream.
damon_sysfs_repeat_call_fn() calls damon_sysfs_upd_tuned_intervals(),
damon_sysfs_upd_schemes_stats(), and
damon_sysfs_upd_schemes_effective_quotas() without checking contexts->nr.
If nr_contexts is set to 0 via sysfs while DAMON is running, these
functions dereference contexts_arr[0] and cause a NULL pointer
dereference. Add the missing check.
For example, the issue can be reproduced using DAMON sysfs interface and
DAMON user-space tool (damo) [1] like below.
$ sudo damo start --refresh_interval 1s
$ echo 0 | sudo tee \
/sys/kernel/mm/damon/admin/kdamonds/0/contexts/nr_contexts
Link: https://patch.msgid.link/20260320163559.178101-3-objecting@objecting.org
Link: https://lkml.kernel.org/r/20260321175427.86000-4-sj@kernel.org
Link: https://github.com/damonitor/damo [1]
Fixes: d809a7c64ba8 ("mm/damon/sysfs: implement refresh_ms file internal work")
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: SeongJae Park <sj@kernel.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> [6.17+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/sysfs.c | 3 +++
1 file changed, 3 insertions(+)
--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -1622,9 +1622,12 @@ static int damon_sysfs_repeat_call_fn(vo
if (!mutex_trylock(&damon_sysfs_lock))
return 0;
+ if (sysfs_kdamond->contexts->nr != 1)
+ goto out;
damon_sysfs_upd_tuned_intervals(sysfs_kdamond);
damon_sysfs_upd_schemes_stats(sysfs_kdamond);
damon_sysfs_upd_schemes_effective_quotas(sysfs_kdamond);
+out:
mutex_unlock(&damon_sysfs_lock);
return 0;
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 282/342] mm/pagewalk: fix race between concurrent split and refault
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 281/342] mm/damon/sysfs: check contexts->nr in repeat_call_fn Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 283/342] xfs: stop reclaim before pushing AIL during unmount Greg Kroah-Hartman
` (76 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand (Arm), Max Boone,
Liam Howlett, Lorenzo Stoakes (Oracle), Michal Hocko,
Mike Rapoport, Suren Baghdasaryan, Vlastimil Babka, Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Boone <mboone@akamai.com>
commit 3b89863c3fa482912911cd65a12a3aeef662c250 upstream.
The splitting of a PUD entry in walk_pud_range() can race with a
concurrent thread refaulting the PUD leaf entry causing it to try walking
a PMD range that has disappeared.
An example and reproduction of this is to try reading numa_maps of a
process while VFIO-PCI is setting up DMA (specifically the
vfio_pin_pages_remote call) on a large BAR for that process.
This will trigger a kernel BUG:
vfio-pci 0000:03:00.0: enabling device (0000 -> 0002)
BUG: unable to handle page fault for address: ffffa23980000000
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
...
RIP: 0010:walk_pgd_range+0x3b5/0x7a0
Code: 8d 43 ff 48 89 44 24 28 4d 89 ce 4d 8d a7 00 00 20 00 48 8b 4c 24
28 49 81 e4 00 00 e0 ff 49 8d 44 24 ff 48 39 c8 4c 0f 43 e3 <49> f7 06
9f ff ff ff 75 3b 48 8b 44 24 20 48 8b 40 28 48 85 c0 74
RSP: 0018:ffffac23e1ecf808 EFLAGS: 00010287
RAX: 00007f44c01fffff RBX: 00007f4500000000 RCX: 00007f44ffffffff
RDX: 0000000000000000 RSI: 000ffffffffff000 RDI: ffffffff93378fe0
RBP: ffffac23e1ecf918 R08: 0000000000000004 R09: ffffa23980000000
R10: 0000000000000020 R11: 0000000000000004 R12: 00007f44c0200000
R13: 00007f44c0000000 R14: ffffa23980000000 R15: 00007f44c0000000
FS: 00007fe884739580(0000) GS:ffff9b7d7a9c0000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffa23980000000 CR3: 000000c0650e2005 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
<TASK>
__walk_page_range+0x195/0x1b0
walk_page_vma+0x62/0xc0
show_numa_map+0x12b/0x3b0
seq_read_iter+0x297/0x440
seq_read+0x11d/0x140
vfs_read+0xc2/0x340
ksys_read+0x5f/0xe0
do_syscall_64+0x68/0x130
? get_page_from_freelist+0x5c2/0x17e0
? mas_store_prealloc+0x17e/0x360
? vma_set_page_prot+0x4c/0xa0
? __alloc_pages_noprof+0x14e/0x2d0
? __mod_memcg_lruvec_state+0x8d/0x140
? __lruvec_stat_mod_folio+0x76/0xb0
? __folio_mod_stat+0x26/0x80
? do_anonymous_page+0x705/0x900
? __handle_mm_fault+0xa8d/0x1000
? __count_memcg_events+0x53/0xf0
? handle_mm_fault+0xa5/0x360
? do_user_addr_fault+0x342/0x640
? arch_exit_to_user_mode_prepare.constprop.0+0x16/0xa0
? irqentry_exit_to_user_mode+0x24/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fe88464f47e
Code: c0 e9 b6 fe ff ff 50 48 8d 3d be 07 0b 00 e8 69 01 02 00 66 0f 1f
84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00
f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
RSP: 002b:00007ffe6cd9a9b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fe88464f47e
RDX: 0000000000020000 RSI: 00007fe884543000 RDI: 0000000000000003
RBP: 00007fe884543000 R08: 00007fe884542010 R09: 0000000000000000
R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
</TASK>
Fix this by validating the PUD entry in walk_pmd_range() using a stable
snapshot (pudp_get()). If the PUD is not present or is a leaf, retry the
walk via ACTION_AGAIN instead of descending further. This mirrors the
retry logic in walk_pte_range(), which lets walk_pmd_range() retry if the
PTE is not being got by pte_offset_map_lock().
Link: https://lkml.kernel.org/r/20260325-pagewalk-check-pmd-refault-v2-1-707bff33bc60@akamai.com
Fixes: f9e54c3a2f5b ("vfio/pci: implement huge_fault support")
Co-developed-by: David Hildenbrand (Arm) <david@kernel.org>
Signed-off-by: David Hildenbrand (Arm) <david@kernel.org>
Signed-off-by: Max Boone <mboone@akamai.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/pagewalk.c | 25 ++++++++++++++++++++++---
1 file changed, 22 insertions(+), 3 deletions(-)
--- a/mm/pagewalk.c
+++ b/mm/pagewalk.c
@@ -97,6 +97,7 @@ static int walk_pte_range(pmd_t *pmd, un
static int walk_pmd_range(pud_t *pud, unsigned long addr, unsigned long end,
struct mm_walk *walk)
{
+ pud_t pudval = pudp_get(pud);
pmd_t *pmd;
unsigned long next;
const struct mm_walk_ops *ops = walk->ops;
@@ -105,6 +106,24 @@ static int walk_pmd_range(pud_t *pud, un
int err = 0;
int depth = real_depth(3);
+ /*
+ * For PTE handling, pte_offset_map_lock() takes care of checking
+ * whether there actually is a page table. But it also has to be
+ * very careful about concurrent page table reclaim.
+ *
+ * Similarly, we have to be careful here - a PUD entry that points
+ * to a PMD table cannot go away, so we can just walk it. But if
+ * it's something else, we need to ensure we didn't race something,
+ * so need to retry.
+ *
+ * A pertinent example of this is a PUD refault after PUD split -
+ * we will need to split again or risk accessing invalid memory.
+ */
+ if (!pud_present(pudval) || pud_leaf(pudval)) {
+ walk->action = ACTION_AGAIN;
+ return 0;
+ }
+
pmd = pmd_offset(pud, addr);
do {
again:
@@ -218,12 +237,12 @@ static int walk_pud_range(p4d_t *p4d, un
else if (pud_leaf(*pud) || !pud_present(*pud))
continue; /* Nothing to do. */
- if (pud_none(*pud))
- goto again;
-
err = walk_pmd_range(pud, addr, next, walk);
if (err)
break;
+
+ if (walk->action == ACTION_AGAIN)
+ goto again;
} while (pud++, addr = next, addr != end);
return err;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 283/342] xfs: stop reclaim before pushing AIL during unmount
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 282/342] mm/pagewalk: fix race between concurrent split and refault Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 284/342] xfs: save ailp before dropping the AIL lock in push callbacks Greg Kroah-Hartman
` (75 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+652af2b3c5569c4ab63c,
Yuto Ohnuki, Darrick J. Wong, Carlos Maiolino
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuto Ohnuki <ytohnuki@amazon.com>
commit 4f24a767e3d64a5f58c595b5c29b6063a201f1e3 upstream.
The unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while
background reclaim and inodegc are still running. This is broken
independently of any use-after-free issues - background reclaim and
inodegc should not be running while the AIL is being pushed during
unmount, as inodegc can dirty and insert inodes into the AIL during the
flush, and background reclaim can race to abort and free dirty inodes.
Reorder xfs_unmount_flush_inodes() to stop inodegc and cancel background
reclaim before pushing the AIL. Stop inodegc before cancelling
m_reclaim_work because the inodegc worker can re-queue m_reclaim_work
via xfs_inodegc_set_reclaimable.
Reported-by: syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c
Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary")
Cc: stable@vger.kernel.org # v5.9
Signed-off-by: Yuto Ohnuki <ytohnuki@amazon.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_mount.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/fs/xfs/xfs_mount.c
+++ b/fs/xfs/xfs_mount.c
@@ -607,8 +607,9 @@ xfs_unmount_check(
* have been retrying in the background. This will prevent never-ending
* retries in AIL pushing from hanging the unmount.
*
- * Finally, we can push the AIL to clean all the remaining dirty objects, then
- * reclaim the remaining inodes that are still in memory at this point in time.
+ * Stop inodegc and background reclaim before pushing the AIL so that they
+ * are not running while the AIL is being flushed. Then push the AIL to
+ * clean all the remaining dirty objects and reclaim the remaining inodes.
*/
static void
xfs_unmount_flush_inodes(
@@ -620,9 +621,9 @@ xfs_unmount_flush_inodes(
xfs_set_unmounting(mp);
- xfs_ail_push_all_sync(mp->m_ail);
xfs_inodegc_stop(mp);
cancel_delayed_work_sync(&mp->m_reclaim_work);
+ xfs_ail_push_all_sync(mp->m_ail);
xfs_reclaim_inodes(mp);
xfs_health_unmount(mp);
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 284/342] xfs: save ailp before dropping the AIL lock in push callbacks
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 283/342] xfs: stop reclaim before pushing AIL during unmount Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 285/342] xfs: avoid dereferencing log items after " Greg Kroah-Hartman
` (74 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+652af2b3c5569c4ab63c,
Darrick J. Wong, Dave Chinner, Yuto Ohnuki, Carlos Maiolino
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuto Ohnuki <ytohnuki@amazon.com>
commit 394d70b86fae9fe865e7e6d9540b7696f73aa9b6 upstream.
In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock
is dropped to perform buffer IO. Once the cluster buffer no longer
protects the log item from reclaim, the log item may be freed by
background reclaim or the dquot shrinker. The subsequent spin_lock()
call dereferences lip->li_ailp, which is a use-after-free.
Fix this by saving the ailp pointer in a local variable while the AIL
lock is held and the log item is guaranteed to be valid.
Reported-by: syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c
Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary")
Cc: stable@vger.kernel.org # v5.9
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Yuto Ohnuki <ytohnuki@amazon.com>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_dquot_item.c | 9 +++++++--
fs/xfs/xfs_inode_item.c | 9 +++++++--
2 files changed, 14 insertions(+), 4 deletions(-)
--- a/fs/xfs/xfs_dquot_item.c
+++ b/fs/xfs/xfs_dquot_item.c
@@ -126,6 +126,7 @@ xfs_qm_dquot_logitem_push(
struct xfs_dq_logitem *qlip = DQUOT_ITEM(lip);
struct xfs_dquot *dqp = qlip->qli_dquot;
struct xfs_buf *bp;
+ struct xfs_ail *ailp = lip->li_ailp;
uint rval = XFS_ITEM_SUCCESS;
int error;
@@ -154,7 +155,7 @@ xfs_qm_dquot_logitem_push(
goto out_unlock;
}
- spin_unlock(&lip->li_ailp->ail_lock);
+ spin_unlock(&ailp->ail_lock);
error = xfs_dquot_use_attached_buf(dqp, &bp);
if (error == -EAGAIN) {
@@ -173,9 +174,13 @@ xfs_qm_dquot_logitem_push(
rval = XFS_ITEM_FLUSHING;
}
xfs_buf_relse(bp);
+ /*
+ * The buffer no longer protects the log item from reclaim, so
+ * do not reference lip after this point.
+ */
out_relock_ail:
- spin_lock(&lip->li_ailp->ail_lock);
+ spin_lock(&ailp->ail_lock);
out_unlock:
mutex_unlock(&dqp->q_qlock);
return rval;
--- a/fs/xfs/xfs_inode_item.c
+++ b/fs/xfs/xfs_inode_item.c
@@ -749,6 +749,7 @@ xfs_inode_item_push(
struct xfs_inode_log_item *iip = INODE_ITEM(lip);
struct xfs_inode *ip = iip->ili_inode;
struct xfs_buf *bp = lip->li_buf;
+ struct xfs_ail *ailp = lip->li_ailp;
uint rval = XFS_ITEM_SUCCESS;
int error;
@@ -774,7 +775,7 @@ xfs_inode_item_push(
if (!xfs_buf_trylock(bp))
return XFS_ITEM_LOCKED;
- spin_unlock(&lip->li_ailp->ail_lock);
+ spin_unlock(&ailp->ail_lock);
/*
* We need to hold a reference for flushing the cluster buffer as it may
@@ -798,7 +799,11 @@ xfs_inode_item_push(
rval = XFS_ITEM_LOCKED;
}
- spin_lock(&lip->li_ailp->ail_lock);
+ /*
+ * The buffer no longer protects the log item from reclaim, so
+ * do not reference lip after this point.
+ */
+ spin_lock(&ailp->ail_lock);
return rval;
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 285/342] xfs: avoid dereferencing log items after push callbacks
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 284/342] xfs: save ailp before dropping the AIL lock in push callbacks Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 286/342] xfs: scrub: unlock dquot before early return in quota scrub Greg Kroah-Hartman
` (73 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+652af2b3c5569c4ab63c,
Yuto Ohnuki, Darrick J. Wong, Carlos Maiolino
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuto Ohnuki <ytohnuki@amazon.com>
commit 79ef34ec0554ec04bdbafafbc9836423734e1bd6 upstream.
After xfsaild_push_item() calls iop_push(), the log item may have been
freed if the AIL lock was dropped during the push. Background inode
reclaim or the dquot shrinker can free the log item while the AIL lock
is not held, and the tracepoints in the switch statement dereference
the log item after iop_push() returns.
Fix this by capturing the log item type, flags, and LSN before calling
xfsaild_push_item(), and introducing a new xfs_ail_push_class trace
event class that takes these pre-captured values and the ailp pointer
instead of the log item pointer.
Reported-by: syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c
Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary")
Cc: stable@vger.kernel.org # v5.9
Signed-off-by: Yuto Ohnuki <ytohnuki@amazon.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_trace.h | 36 ++++++++++++++++++++++++++++++++----
fs/xfs/xfs_trans_ail.c | 26 +++++++++++++++++++-------
2 files changed, 51 insertions(+), 11 deletions(-)
--- a/fs/xfs/xfs_trace.h
+++ b/fs/xfs/xfs_trace.h
@@ -56,6 +56,7 @@
#include <linux/tracepoint.h>
struct xfs_agf;
+struct xfs_ail;
struct xfs_alloc_arg;
struct xfs_attr_list_context;
struct xfs_buf_log_item;
@@ -1647,16 +1648,43 @@ TRACE_EVENT(xfs_log_force,
DEFINE_EVENT(xfs_log_item_class, name, \
TP_PROTO(struct xfs_log_item *lip), \
TP_ARGS(lip))
-DEFINE_LOG_ITEM_EVENT(xfs_ail_push);
-DEFINE_LOG_ITEM_EVENT(xfs_ail_pinned);
-DEFINE_LOG_ITEM_EVENT(xfs_ail_locked);
-DEFINE_LOG_ITEM_EVENT(xfs_ail_flushing);
DEFINE_LOG_ITEM_EVENT(xfs_cil_whiteout_mark);
DEFINE_LOG_ITEM_EVENT(xfs_cil_whiteout_skip);
DEFINE_LOG_ITEM_EVENT(xfs_cil_whiteout_unpin);
DEFINE_LOG_ITEM_EVENT(xlog_ail_insert_abort);
DEFINE_LOG_ITEM_EVENT(xfs_trans_free_abort);
+DECLARE_EVENT_CLASS(xfs_ail_push_class,
+ TP_PROTO(struct xfs_ail *ailp, uint type, unsigned long flags, xfs_lsn_t lsn),
+ TP_ARGS(ailp, type, flags, lsn),
+ TP_STRUCT__entry(
+ __field(dev_t, dev)
+ __field(uint, type)
+ __field(unsigned long, flags)
+ __field(xfs_lsn_t, lsn)
+ ),
+ TP_fast_assign(
+ __entry->dev = ailp->ail_log->l_mp->m_super->s_dev;
+ __entry->type = type;
+ __entry->flags = flags;
+ __entry->lsn = lsn;
+ ),
+ TP_printk("dev %d:%d lsn %d/%d type %s flags %s",
+ MAJOR(__entry->dev), MINOR(__entry->dev),
+ CYCLE_LSN(__entry->lsn), BLOCK_LSN(__entry->lsn),
+ __print_symbolic(__entry->type, XFS_LI_TYPE_DESC),
+ __print_flags(__entry->flags, "|", XFS_LI_FLAGS))
+)
+
+#define DEFINE_AIL_PUSH_EVENT(name) \
+DEFINE_EVENT(xfs_ail_push_class, name, \
+ TP_PROTO(struct xfs_ail *ailp, uint type, unsigned long flags, xfs_lsn_t lsn), \
+ TP_ARGS(ailp, type, flags, lsn))
+DEFINE_AIL_PUSH_EVENT(xfs_ail_push);
+DEFINE_AIL_PUSH_EVENT(xfs_ail_pinned);
+DEFINE_AIL_PUSH_EVENT(xfs_ail_locked);
+DEFINE_AIL_PUSH_EVENT(xfs_ail_flushing);
+
DECLARE_EVENT_CLASS(xfs_ail_class,
TP_PROTO(struct xfs_log_item *lip, xfs_lsn_t old_lsn, xfs_lsn_t new_lsn),
TP_ARGS(lip, old_lsn, new_lsn),
--- a/fs/xfs/xfs_trans_ail.c
+++ b/fs/xfs/xfs_trans_ail.c
@@ -365,6 +365,12 @@ xfsaild_resubmit_item(
return XFS_ITEM_SUCCESS;
}
+/*
+ * Push a single log item from the AIL.
+ *
+ * @lip may have been released and freed by the time this function returns,
+ * so callers must not dereference the log item afterwards.
+ */
static inline uint
xfsaild_push_item(
struct xfs_ail *ailp,
@@ -505,7 +511,10 @@ xfsaild_push(
lsn = lip->li_lsn;
while ((XFS_LSN_CMP(lip->li_lsn, ailp->ail_target) <= 0)) {
- int lock_result;
+ int lock_result;
+ uint type = lip->li_type;
+ unsigned long flags = lip->li_flags;
+ xfs_lsn_t item_lsn = lip->li_lsn;
if (test_bit(XFS_LI_FLUSHING, &lip->li_flags))
goto next_item;
@@ -514,14 +523,17 @@ xfsaild_push(
* Note that iop_push may unlock and reacquire the AIL lock. We
* rely on the AIL cursor implementation to be able to deal with
* the dropped lock.
+ *
+ * The log item may have been freed by the push, so it must not
+ * be accessed or dereferenced below this line.
*/
lock_result = xfsaild_push_item(ailp, lip);
switch (lock_result) {
case XFS_ITEM_SUCCESS:
XFS_STATS_INC(mp, xs_push_ail_success);
- trace_xfs_ail_push(lip);
+ trace_xfs_ail_push(ailp, type, flags, item_lsn);
- ailp->ail_last_pushed_lsn = lsn;
+ ailp->ail_last_pushed_lsn = item_lsn;
break;
case XFS_ITEM_FLUSHING:
@@ -537,22 +549,22 @@ xfsaild_push(
* AIL is being flushed.
*/
XFS_STATS_INC(mp, xs_push_ail_flushing);
- trace_xfs_ail_flushing(lip);
+ trace_xfs_ail_flushing(ailp, type, flags, item_lsn);
flushing++;
- ailp->ail_last_pushed_lsn = lsn;
+ ailp->ail_last_pushed_lsn = item_lsn;
break;
case XFS_ITEM_PINNED:
XFS_STATS_INC(mp, xs_push_ail_pinned);
- trace_xfs_ail_pinned(lip);
+ trace_xfs_ail_pinned(ailp, type, flags, item_lsn);
stuck++;
ailp->ail_log_flush++;
break;
case XFS_ITEM_LOCKED:
XFS_STATS_INC(mp, xs_push_ail_locked);
- trace_xfs_ail_locked(lip);
+ trace_xfs_ail_locked(ailp, type, flags, item_lsn);
stuck++;
break;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 286/342] xfs: scrub: unlock dquot before early return in quota scrub
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 285/342] xfs: avoid dereferencing log items after " Greg Kroah-Hartman
@ 2026-03-31 16:21 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 287/342] xfs: fix ri_total validation in xlog_recover_attri_commit_pass2 Greg Kroah-Hartman
` (72 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, hongao, Darrick J. Wong,
Carlos Maiolino
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: hongao <hongao@uniontech.com>
commit 268378b6ad20569af0d1957992de1c8b16c6e900 upstream.
xchk_quota_item can return early after calling xchk_fblock_process_error.
When that helper returns false, the function returned immediately without
dropping dq->q_qlock, which can leave the dquot lock held and risk lock
leaks or deadlocks in later quota operations.
Fix this by unlocking dq->q_qlock before the early return.
Signed-off-by: hongao <hongao@uniontech.com>
Fixes: 7d1f0e167a067e ("xfs: check the ondisk space mapping behind a dquot")
Cc: <stable@vger.kernel.org> # v6.8
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/scrub/quota.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/xfs/scrub/quota.c
+++ b/fs/xfs/scrub/quota.c
@@ -171,8 +171,10 @@ xchk_quota_item(
error = xchk_quota_item_bmap(sc, dq, offset);
xchk_iunlock(sc, XFS_ILOCK_SHARED);
- if (!xchk_fblock_process_error(sc, XFS_DATA_FORK, offset, &error))
+ if (!xchk_fblock_process_error(sc, XFS_DATA_FORK, offset, &error)) {
+ mutex_unlock(&dq->q_qlock);
return error;
+ }
/*
* Warn if the hard limits are larger than the fs.
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 287/342] xfs: fix ri_total validation in xlog_recover_attri_commit_pass2
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2026-03-31 16:21 ` [PATCH 6.19 286/342] xfs: scrub: unlock dquot before early return in quota scrub Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 288/342] xfs: dont irele after failing to iget in xfs_attri_recover_work Greg Kroah-Hartman
` (71 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Long Li,
Christoph Hellwig, Carlos Maiolino
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <leo.lilong@huawei.com>
commit d72f2084e30966097c8eae762e31986a33c3c0ae upstream.
The ri_total checks for SET/REPLACE operations are hardcoded to 3,
but xfs_attri_item_size() only emits a value iovec when value_len > 0,
so ri_total is 2 when value_len == 0.
For PPTR_SET/PPTR_REMOVE/PPTR_REPLACE, value_len is validated by
xfs_attri_validate() to be exactly sizeof(struct xfs_parent_rec) and
is never zero, so their hardcoded checks remain correct.
This problem may cause log recovery failures. The following script can be
used to reproduce the problem:
#!/bin/bash
mkfs.xfs -f /dev/sda
mount /dev/sda /mnt/test/
touch /mnt/test/file
for i in {1..200}; do
attr -s "user.attr_$i" -V "value_$i" /mnt/test/file > /dev/null
done
echo 1 > /sys/fs/xfs/debug/larp
echo 1 > /sys/fs/xfs/sda/errortag/larp
attr -s "user.zero" -V "" /mnt/test/file
echo 0 > /sys/fs/xfs/sda/errortag/larp
umount /mnt/test
mount /dev/sda /mnt/test/ # mount failed
Fix this by deriving the expected count dynamically as "2 + !!value_len"
for SET/REPLACE operations.
Cc: stable@vger.kernel.org # v6.9
Fixes: ad206ae50eca ("xfs: check opcode and iovec count match in xlog_recover_attri_commit_pass2")
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Long Li <leo.lilong@huawei.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_attr_item.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/xfs/xfs_attr_item.c
+++ b/fs/xfs/xfs_attr_item.c
@@ -1050,8 +1050,8 @@ xlog_recover_attri_commit_pass2(
break;
case XFS_ATTRI_OP_FLAGS_SET:
case XFS_ATTRI_OP_FLAGS_REPLACE:
- /* Log item, attr name, attr value */
- if (item->ri_total != 3) {
+ /* Log item, attr name, optional attr value */
+ if (item->ri_total != 2 + !!attri_formatp->alfi_value_len) {
XFS_CORRUPTION_ERROR(__func__, XFS_ERRLEVEL_LOW, mp,
attri_formatp, len);
return -EFSCORRUPTED;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 288/342] xfs: dont irele after failing to iget in xfs_attri_recover_work
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 287/342] xfs: fix ri_total validation in xlog_recover_attri_commit_pass2 Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 289/342] xfs: remove file_path tracepoint data Greg Kroah-Hartman
` (70 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Long Li,
Christoph Hellwig, Carlos Maiolino, Carlos Maiolino
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
commit 70685c291ef82269180758130394ecdc4496b52c upstream.
xlog_recovery_iget* never set @ip to a valid pointer if they return
an error, so this irele will walk off a dangling pointer. Fix that.
Cc: stable@vger.kernel.org # v6.10
Fixes: ae673f534a3097 ("xfs: record inode generation in xattr update log intent items")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Long Li <leo.lilong@huawei.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_attr_item.c | 1 -
1 file changed, 1 deletion(-)
--- a/fs/xfs/xfs_attr_item.c
+++ b/fs/xfs/xfs_attr_item.c
@@ -656,7 +656,6 @@ xfs_attri_recover_work(
break;
}
if (error) {
- xfs_irele(ip);
XFS_CORRUPTION_ERROR(__func__, XFS_ERRLEVEL_LOW, mp, attrp,
sizeof(*attrp));
return ERR_PTR(-EFSCORRUPTED);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 289/342] xfs: remove file_path tracepoint data
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 288/342] xfs: dont irele after failing to iget in xfs_attri_recover_work Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 290/342] ext4: fix journal credit check when setting fscrypt context Greg Kroah-Hartman
` (69 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, rostedt, david.laight.linux,
Darrick J. Wong, Carlos Maiolino, Christoph Hellwig,
Carlos Maiolino
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
commit e31c53a8060e134111ed095783fee0aa0c43b080 upstream.
The xfile/xmbuf shmem file descriptions are no longer as detailed as
they were when online fsck was first merged, because moving to static
strings in commit 60382993a2e180 ("xfs: get rid of the
xchk_xfile_*_descr calls") removed a memory allocation and hence a
source of failure.
However this makes encoding the description in the tracepoints sort of a
waste of memory. David Laight also points out that file_path doesn't
zero the whole buffer which causes exposure of stale trace bytes, and
Steven Rostedt wonders why we're not using a dynamic array for the file
path.
I don't think this is worth fixing, so let's just rip it out.
Cc: rostedt@goodmis.org
Cc: david.laight.linux@gmail.com
Link: https://lore.kernel.org/linux-xfs/20260323172204.work.979-kees@kernel.org/
Cc: stable@vger.kernel.org # v6.11
Fixes: 19ebc8f84ea12e ("xfs: fix file_path handling in tracepoints")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/scrub/trace.h | 12 ++----------
fs/xfs/xfs_trace.h | 11 ++---------
2 files changed, 4 insertions(+), 19 deletions(-)
--- a/fs/xfs/scrub/trace.h
+++ b/fs/xfs/scrub/trace.h
@@ -972,20 +972,12 @@ TRACE_EVENT(xfile_create,
TP_STRUCT__entry(
__field(dev_t, dev)
__field(unsigned long, ino)
- __array(char, pathname, MAXNAMELEN)
),
TP_fast_assign(
- char *path;
-
__entry->ino = file_inode(xf->file)->i_ino;
- path = file_path(xf->file, __entry->pathname, MAXNAMELEN);
- if (IS_ERR(path))
- strncpy(__entry->pathname, "(unknown)",
- sizeof(__entry->pathname));
),
- TP_printk("xfino 0x%lx path '%s'",
- __entry->ino,
- __entry->pathname)
+ TP_printk("xfino 0x%lx",
+ __entry->ino)
);
TRACE_EVENT(xfile_destroy,
--- a/fs/xfs/xfs_trace.h
+++ b/fs/xfs/xfs_trace.h
@@ -5115,23 +5115,16 @@ TRACE_EVENT(xmbuf_create,
TP_STRUCT__entry(
__field(dev_t, dev)
__field(unsigned long, ino)
- __array(char, pathname, MAXNAMELEN)
),
TP_fast_assign(
- char *path;
struct file *file = btp->bt_file;
__entry->dev = btp->bt_mount->m_super->s_dev;
__entry->ino = file_inode(file)->i_ino;
- path = file_path(file, __entry->pathname, MAXNAMELEN);
- if (IS_ERR(path))
- strncpy(__entry->pathname, "(unknown)",
- sizeof(__entry->pathname));
),
- TP_printk("dev %d:%d xmino 0x%lx path '%s'",
+ TP_printk("dev %d:%d xmino 0x%lx",
MAJOR(__entry->dev), MINOR(__entry->dev),
- __entry->ino,
- __entry->pathname)
+ __entry->ino)
);
TRACE_EVENT(xmbuf_free,
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 290/342] ext4: fix journal credit check when setting fscrypt context
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 289/342] xfs: remove file_path tracepoint data Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 291/342] ext4: convert inline data to extents when truncate exceeds inline size Greg Kroah-Hartman
` (68 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anthony Durrer, Simon Weber,
Eric Biggers, Theodore Tso, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Weber <simon.weber.39@gmail.com>
commit b1d682f1990c19fb1d5b97d13266210457092bcd upstream.
Fix an issue arising when ext4 features has_journal, ea_inode, and encrypt
are activated simultaneously, leading to ENOSPC when creating an encrypted
file.
Fix by passing XATTR_CREATE flag to xattr_set_handle function if a handle
is specified, i.e., when the function is called in the control flow of
creating a new inode. This aligns the number of jbd2 credits set_handle
checks for with the number allocated for creating a new inode.
ext4_set_context must not be called with a non-null handle (fs_data) if
fscrypt context xattr is not guaranteed to not exist yet. The only other
usage of this function currently is when handling the ioctl
FS_IOC_SET_ENCRYPTION_POLICY, which calls it with fs_data=NULL.
Fixes: c1a5d5f6ab21eb7e ("ext4: improve journal credit handling in set xattr paths")
Co-developed-by: Anthony Durrer <anthonydev@fastmail.com>
Signed-off-by: Anthony Durrer <anthonydev@fastmail.com>
Signed-off-by: Simon Weber <simon.weber.39@gmail.com>
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Link: https://patch.msgid.link/20260207100148.724275-4-simon.weber.39@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/crypto.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/fs/ext4/crypto.c
+++ b/fs/ext4/crypto.c
@@ -163,10 +163,17 @@ static int ext4_set_context(struct inode
*/
if (handle) {
+ /*
+ * Since the inode is new it is ok to pass the
+ * XATTR_CREATE flag. This is necessary to match the
+ * remaining journal credits check in the set_handle
+ * function with the credits allocated for the new
+ * inode.
+ */
res = ext4_xattr_set_handle(handle, inode,
EXT4_XATTR_INDEX_ENCRYPTION,
EXT4_XATTR_NAME_ENCRYPTION_CONTEXT,
- ctx, len, 0);
+ ctx, len, XATTR_CREATE);
if (!res) {
ext4_set_inode_flag(inode, EXT4_INODE_ENCRYPT);
ext4_clear_inode_state(inode,
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 291/342] ext4: convert inline data to extents when truncate exceeds inline size
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 290/342] ext4: fix journal credit check when setting fscrypt context Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 292/342] ext4: fix stale xarray tags after writeback Greg Kroah-Hartman
` (67 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7de5fe447862fc37576f,
Deepanshu Kartikey, Theodore Tso, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit ed9356a30e59c7cc3198e7fc46cfedf3767b9b17 upstream.
Add a check in ext4_setattr() to convert files from inline data storage
to extent-based storage when truncate() grows the file size beyond the
inline capacity. This prevents the filesystem from entering an
inconsistent state where the inline data flag is set but the file size
exceeds what can be stored inline.
Without this fix, the following sequence causes a kernel BUG_ON():
1. Mount filesystem with inode that has inline flag set and small size
2. truncate(file, 50MB) - grows size but inline flag remains set
3. sendfile() attempts to write data
4. ext4_write_inline_data() hits BUG_ON(write_size > inline_capacity)
The crash occurs because ext4_write_inline_data() expects inline storage
to accommodate the write, but the actual inline capacity (~60 bytes for
i_block + ~96 bytes for xattrs) is far smaller than the file size and
write request.
The fix checks if the new size from setattr exceeds the inode's actual
inline capacity (EXT4_I(inode)->i_inline_size) and converts the file to
extent-based storage before proceeding with the size change.
This addresses the root cause by ensuring the inline data flag and file
size remain consistent during truncate operations.
Reported-by: syzbot+7de5fe447862fc37576f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7de5fe447862fc37576f
Tested-by: syzbot+7de5fe447862fc37576f@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
Link: https://patch.msgid.link/20260207043607.1175976-1-kartikey406@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5901,6 +5901,18 @@ int ext4_setattr(struct mnt_idmap *idmap
if (attr->ia_size == inode->i_size)
inc_ivers = false;
+ /*
+ * If file has inline data but new size exceeds inline capacity,
+ * convert to extent-based storage first to prevent inconsistent
+ * state (inline flag set but size exceeds inline capacity).
+ */
+ if (ext4_has_inline_data(inode) &&
+ attr->ia_size > EXT4_I(inode)->i_inline_size) {
+ error = ext4_convert_inline_data(inode);
+ if (error)
+ goto err_out;
+ }
+
if (shrink) {
if (ext4_should_order_data(inode)) {
error = ext4_begin_ordered_truncate(inode,
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 292/342] ext4: fix stale xarray tags after writeback
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 291/342] ext4: convert inline data to extents when truncate exceeds inline size Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 293/342] ext4: do not check fast symlink during orphan recovery Greg Kroah-Hartman
` (66 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerald Yang, Jan Kara, Theodore Tso,
stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit f4a2b42e78914ff15630e71289adc589c3a8eb45 upstream.
There are cases where ext4_bio_write_page() gets called for a page which
has no buffers to submit. This happens e.g. when the part of the file is
actually a hole, when we cannot allocate blocks due to being called from
jbd2, or in data=journal mode when checkpointing writes the buffers
earlier. In these cases we just return from ext4_bio_write_page()
however if the page didn't need redirtying, we will leave stale DIRTY
and/or TOWRITE tags in xarray because those get cleared only in
__folio_start_writeback(). As a result we can leave these tags set in
mappings even after a final sync on filesystem that's getting remounted
read-only or that's being frozen. Various assertions can then get upset
when writeback is started on such filesystems (Gerald reported assertion
in ext4_journal_check_start() firing).
Fix the problem by cycling the page through writeback state even if we
decide nothing needs to be written for it so that xarray tags get
properly updated. This is slightly silly (we could update the xarray
tags directly) but I don't think a special helper messing with xarray
tags is really worth it in this relatively rare corner case.
Reported-by: Gerald Yang <gerald.yang@canonical.com>
Link: https://lore.kernel.org/all/20260128074515.2028982-1-gerald.yang@canonical.com
Fixes: dff4ac75eeee ("ext4: move keep_towrite handling to ext4_bio_write_page()")
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20260205092223.21287-2-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/page-io.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/fs/ext4/page-io.c
+++ b/fs/ext4/page-io.c
@@ -523,9 +523,15 @@ int ext4_bio_write_folio(struct ext4_io_
nr_to_submit++;
} while ((bh = bh->b_this_page) != head);
- /* Nothing to submit? Just unlock the folio... */
- if (!nr_to_submit)
+ if (!nr_to_submit) {
+ /*
+ * We have nothing to submit. Just cycle the folio through
+ * writeback state to properly update xarray tags.
+ */
+ __folio_start_writeback(folio, keep_towrite);
+ folio_end_writeback(folio);
return 0;
+ }
bh = head = folio_buffers(folio);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 293/342] ext4: do not check fast symlink during orphan recovery
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 292/342] ext4: fix stale xarray tags after writeback Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 294/342] ext4: fix fsync(2) for nojournal mode Greg Kroah-Hartman
` (65 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yi, Jan Kara, Theodore Tso,
stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
commit 84e21e3fb8fd99ea460eb7274584750d11cf3e9f upstream.
Commit '5f920d5d6083 ("ext4: verify fast symlink length")' causes the
generic/475 test to fail during orphan cleanup of zero-length symlinks.
generic/475 84s ... _check_generic_filesystem: filesystem on /dev/vde is inconsistent
The fsck reports are provided below:
Deleted inode 9686 has zero dtime.
Deleted inode 158230 has zero dtime.
...
Inode bitmap differences: -9686 -158230
Orphan file (inode 12) block 13 is not clean.
Failed to initialize orphan file.
In ext4_symlink(), a newly created symlink can be added to the orphan
list due to ENOSPC. Its data has not been initialized, and its size is
zero. Therefore, we need to disregard the length check of the symbolic
link when cleaning up orphan inodes. Instead, we should ensure that the
nlink count is zero.
Fixes: 5f920d5d6083 ("ext4: verify fast symlink length")
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20260131091156.1733648-1-yi.zhang@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 40 +++++++++++++++++++++++++++++-----------
1 file changed, 29 insertions(+), 11 deletions(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5449,18 +5449,36 @@ struct inode *__ext4_iget(struct super_b
inode->i_op = &ext4_encrypted_symlink_inode_operations;
} else if (ext4_inode_is_fast_symlink(inode)) {
inode->i_op = &ext4_fast_symlink_inode_operations;
- if (inode->i_size == 0 ||
- inode->i_size >= sizeof(ei->i_data) ||
- strnlen((char *)ei->i_data, inode->i_size + 1) !=
- inode->i_size) {
- ext4_error_inode(inode, function, line, 0,
- "invalid fast symlink length %llu",
- (unsigned long long)inode->i_size);
- ret = -EFSCORRUPTED;
- goto bad_inode;
+
+ /*
+ * Orphan cleanup can see inodes with i_size == 0
+ * and i_data uninitialized. Skip size checks in
+ * that case. This is safe because the first thing
+ * ext4_evict_inode() does for fast symlinks is
+ * clearing of i_data and i_size.
+ */
+ if ((EXT4_SB(sb)->s_mount_state & EXT4_ORPHAN_FS)) {
+ if (inode->i_nlink != 0) {
+ ext4_error_inode(inode, function, line, 0,
+ "invalid orphan symlink nlink %d",
+ inode->i_nlink);
+ ret = -EFSCORRUPTED;
+ goto bad_inode;
+ }
+ } else {
+ if (inode->i_size == 0 ||
+ inode->i_size >= sizeof(ei->i_data) ||
+ strnlen((char *)ei->i_data, inode->i_size + 1) !=
+ inode->i_size) {
+ ext4_error_inode(inode, function, line, 0,
+ "invalid fast symlink length %llu",
+ (unsigned long long)inode->i_size);
+ ret = -EFSCORRUPTED;
+ goto bad_inode;
+ }
+ inode_set_cached_link(inode, (char *)ei->i_data,
+ inode->i_size);
}
- inode_set_cached_link(inode, (char *)ei->i_data,
- inode->i_size);
} else {
inode->i_op = &ext4_symlink_inode_operations;
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 294/342] ext4: fix fsync(2) for nojournal mode
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 293/342] ext4: do not check fast symlink during orphan recovery Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 295/342] ext4: make recently_deleted() properly work with lazy itable initialization Greg Kroah-Hartman
` (64 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Free Ekanayaka, Jan Kara, Zhang Yi,
Theodore Tso, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 1308255bbf8452762f89f44f7447ce137ecdbcff upstream.
When inode metadata is changed, we sometimes just call
ext4_mark_inode_dirty() to track modified metadata. This copies inode
metadata into block buffer which is enough when we are journalling
metadata. However when we are running in nojournal mode we currently
fail to write the dirtied inode buffer during fsync(2) because the inode
is not marked as dirty. Use explicit ext4_write_inode() call to make
sure the inode table buffer is written to the disk. This is a band aid
solution but proper solution requires a much larger rewrite including
changes in metadata bh tracking infrastructure.
Reported-by: Free Ekanayaka <free.ekanayaka@gmail.com>
Link: https://lore.kernel.org/all/87il8nhxdm.fsf@x1.mail-host-address-is-not-set/
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Link: https://patch.msgid.link/20260216164848.3074-4-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fsync.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- a/fs/ext4/fsync.c
+++ b/fs/ext4/fsync.c
@@ -83,11 +83,23 @@ static int ext4_fsync_nojournal(struct f
int datasync, bool *needs_barrier)
{
struct inode *inode = file->f_inode;
+ struct writeback_control wbc = {
+ .sync_mode = WB_SYNC_ALL,
+ .nr_to_write = 0,
+ };
int ret;
ret = generic_buffers_fsync_noflush(file, start, end, datasync);
- if (!ret)
- ret = ext4_sync_parent(inode);
+ if (ret)
+ return ret;
+
+ /* Force writeout of inode table buffer to disk */
+ ret = ext4_write_inode(inode, &wbc);
+ if (ret)
+ return ret;
+
+ ret = ext4_sync_parent(inode);
+
if (test_opt(inode->i_sb, BARRIER))
*needs_barrier = true;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 295/342] ext4: make recently_deleted() properly work with lazy itable initialization
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 294/342] ext4: fix fsync(2) for nojournal mode Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 296/342] ext4: replace BUG_ON with proper error handling in ext4_read_inline_folio Greg Kroah-Hartman
` (63 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Zhang Yi, Theodore Tso,
stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit bd060afa7cc3e0ad30afa9ecc544a78638498555 upstream.
recently_deleted() checks whether inode has been used in the near past.
However this can give false positive result when inode table is not
initialized yet and we are in fact comparing to random garbage (or stale
itable block of a filesystem before mkfs). Ultimately this results in
uninitialized inodes being skipped during inode allocation and possibly
they are never initialized and thus e2fsck complains. Verify if the
inode has been initialized before checking for dtime.
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Link: https://patch.msgid.link/20260216164848.3074-3-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ialloc.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -686,6 +686,12 @@ static int recently_deleted(struct super
if (unlikely(!gdp))
return 0;
+ /* Inode was never used in this filesystem? */
+ if (ext4_has_group_desc_csum(sb) &&
+ (gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT) ||
+ ino >= EXT4_INODES_PER_GROUP(sb) - ext4_itable_unused_count(sb, gdp)))
+ return 0;
+
bh = sb_find_get_block(sb, ext4_inode_table(sb, gdp) +
(ino / inodes_per_block));
if (!bh || !buffer_uptodate(bh))
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 296/342] ext4: replace BUG_ON with proper error handling in ext4_read_inline_folio
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 295/342] ext4: make recently_deleted() properly work with lazy itable initialization Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 297/342] ext4: publish jinode after initialization Greg Kroah-Hartman
` (62 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuto Ohnuki, Theodore Tso, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuto Ohnuki <ytohnuki@amazon.com>
commit 356227096eb66e41b23caf7045e6304877322edf upstream.
Replace BUG_ON() with proper error handling when inline data size
exceeds PAGE_SIZE. This prevents kernel panic and allows the system to
continue running while properly reporting the filesystem corruption.
The error is logged via ext4_error_inode(), the buffer head is released
to prevent memory leak, and -EFSCORRUPTED is returned to indicate
filesystem corruption.
Signed-off-by: Yuto Ohnuki <ytohnuki@amazon.com>
Link: https://patch.msgid.link/20260223123345.14838-2-ytohnuki@amazon.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inline.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -522,7 +522,15 @@ static int ext4_read_inline_folio(struct
goto out;
len = min_t(size_t, ext4_get_inline_size(inode), i_size_read(inode));
- BUG_ON(len > PAGE_SIZE);
+
+ if (len > PAGE_SIZE) {
+ ext4_error_inode(inode, __func__, __LINE__, 0,
+ "inline size %zu exceeds PAGE_SIZE", len);
+ ret = -EFSCORRUPTED;
+ brelse(iloc.bh);
+ goto out;
+ }
+
kaddr = kmap_local_folio(folio, 0);
ret = ext4_read_inline_data(inode, kaddr, len, &iloc);
kaddr = folio_zero_tail(folio, len, kaddr + len);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 297/342] ext4: publish jinode after initialization
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 296/342] ext4: replace BUG_ON with proper error handling in ext4_read_inline_folio Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 298/342] ext4: test if inodes all dirty pages are submitted to disk Greg Kroah-Hartman
` (61 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Chen, Jan Kara, Theodore Tso,
stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Chen <me@linux.beauty>
commit 1aec30021edd410b986c156f195f3d23959a9d11 upstream.
ext4_inode_attach_jinode() publishes ei->jinode to concurrent users.
It used to set ei->jinode before jbd2_journal_init_jbd_inode(),
allowing a reader to observe a non-NULL jinode with i_vfs_inode
still unset.
The fast commit flush path can then pass this jinode to
jbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and
may crash.
Below is the crash I observe:
```
BUG: unable to handle page fault for address: 000000010beb47f4
PGD 110e51067 P4D 110e51067 PUD 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014
RIP: 0010:xas_find_marked+0x3d/0x2e0
Code: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f <49> 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02
RSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246
RAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003
RDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10
RBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec
R10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000
R13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88
FS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
filemap_get_folios_tag+0x87/0x2a0
__filemap_fdatawait_range+0x5f/0xd0
? srso_alias_return_thunk+0x5/0xfbef5
? __schedule+0x3e7/0x10c0
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? preempt_count_sub+0x5f/0x80
? srso_alias_return_thunk+0x5/0xfbef5
? cap_safe_nice+0x37/0x70
? srso_alias_return_thunk+0x5/0xfbef5
? preempt_count_sub+0x5f/0x80
? srso_alias_return_thunk+0x5/0xfbef5
filemap_fdatawait_range_keep_errors+0x12/0x40
ext4_fc_commit+0x697/0x8b0
? ext4_file_write_iter+0x64b/0x950
? srso_alias_return_thunk+0x5/0xfbef5
? preempt_count_sub+0x5f/0x80
? srso_alias_return_thunk+0x5/0xfbef5
? vfs_write+0x356/0x480
? srso_alias_return_thunk+0x5/0xfbef5
? preempt_count_sub+0x5f/0x80
ext4_sync_file+0xf7/0x370
do_fsync+0x3b/0x80
? syscall_trace_enter+0x108/0x1d0
__x64_sys_fdatasync+0x16/0x20
do_syscall_64+0x62/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
...
```
Fix this by initializing the jbd2_inode first.
Use smp_wmb() and WRITE_ONCE() to publish ei->jinode after
initialization. Readers use READ_ONCE() to fetch the pointer.
Fixes: a361293f5fede ("jbd2: Fix oops in jbd2_journal_file_inode()")
Cc: stable@vger.kernel.org
Signed-off-by: Li Chen <me@linux.beauty>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20260225082617.147957-1-me@linux.beauty
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fast_commit.c | 4 ++--
fs/ext4/inode.c | 15 +++++++++++----
2 files changed, 13 insertions(+), 6 deletions(-)
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -975,13 +975,13 @@ static int ext4_fc_flush_data(journal_t
int ret = 0;
list_for_each_entry(ei, &sbi->s_fc_q[FC_Q_MAIN], i_fc_list) {
- ret = jbd2_submit_inode_data(journal, ei->jinode);
+ ret = jbd2_submit_inode_data(journal, READ_ONCE(ei->jinode));
if (ret)
return ret;
}
list_for_each_entry(ei, &sbi->s_fc_q[FC_Q_MAIN], i_fc_list) {
- ret = jbd2_wait_inode_data(journal, ei->jinode);
+ ret = jbd2_wait_inode_data(journal, READ_ONCE(ei->jinode));
if (ret)
return ret;
}
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -126,6 +126,8 @@ void ext4_inode_csum_set(struct inode *i
static inline int ext4_begin_ordered_truncate(struct inode *inode,
loff_t new_size)
{
+ struct jbd2_inode *jinode = READ_ONCE(EXT4_I(inode)->jinode);
+
trace_ext4_begin_ordered_truncate(inode, new_size);
/*
* If jinode is zero, then we never opened the file for
@@ -133,10 +135,10 @@ static inline int ext4_begin_ordered_tru
* jbd2_journal_begin_ordered_truncate() since there's no
* outstanding writes we need to flush.
*/
- if (!EXT4_I(inode)->jinode)
+ if (!jinode)
return 0;
return jbd2_journal_begin_ordered_truncate(EXT4_JOURNAL(inode),
- EXT4_I(inode)->jinode,
+ jinode,
new_size);
}
@@ -4499,8 +4501,13 @@ int ext4_inode_attach_jinode(struct inod
spin_unlock(&inode->i_lock);
return -ENOMEM;
}
- ei->jinode = jinode;
- jbd2_journal_init_jbd_inode(ei->jinode, inode);
+ jbd2_journal_init_jbd_inode(jinode, inode);
+ /*
+ * Publish ->jinode only after it is fully initialized so that
+ * readers never observe a partially initialized jbd2_inode.
+ */
+ smp_wmb();
+ WRITE_ONCE(ei->jinode, jinode);
jinode = NULL;
}
spin_unlock(&inode->i_lock);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 298/342] ext4: test if inodes all dirty pages are submitted to disk
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 297/342] ext4: publish jinode after initialization Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 299/342] ext4: validate p_idx bounds in ext4_ext_correct_indexes Greg Kroah-Hartman
` (60 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ye Bin, Jan Kara, Theodore Tso,
stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
commit 73bf12adbea10b13647864cd1c62410d19e21086 upstream.
The commit aa373cf55099 ("writeback: stop background/kupdate works from
livelocking other works") introduced an issue where unmounting a filesystem
in a multi-logical-partition scenario could lead to batch file data loss.
This problem was not fixed until the commit d92109891f21 ("fs/writeback:
bail out if there is no more inodes for IO and queued once"). It took
considerable time to identify the root cause. Additionally, in actual
production environments, we frequently encountered file data loss after
normal system reboots. Therefore, we are adding a check in the inode
release flow to verify whether all dirty pages have been flushed to disk,
in order to determine whether the data loss is caused by a logic issue in
the filesystem code.
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20260303012242.3206465-1-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -184,6 +184,14 @@ void ext4_evict_inode(struct inode *inod
if (EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)
ext4_evict_ea_inode(inode);
if (inode->i_nlink) {
+ /*
+ * If there's dirty page will lead to data loss, user
+ * could see stale data.
+ */
+ if (unlikely(!ext4_emergency_state(inode->i_sb) &&
+ mapping_tagged(&inode->i_data, PAGECACHE_TAG_DIRTY)))
+ ext4_warning_inode(inode, "data will be lost");
+
truncate_inode_pages_final(&inode->i_data);
goto no_delete;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 299/342] ext4: validate p_idx bounds in ext4_ext_correct_indexes
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 298/342] ext4: test if inodes all dirty pages are submitted to disk Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 300/342] ext4: avoid infinite loops caused by residual data Greg Kroah-Hartman
` (59 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+04c4e65cab786a2e5b7e,
Tejas Bharambe, Theodore Tso, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejas Bharambe <tejas.bharambe@outlook.com>
commit 2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8 upstream.
ext4_ext_correct_indexes() walks up the extent tree correcting
index entries when the first extent in a leaf is modified. Before
accessing path[k].p_idx->ei_block, there is no validation that
p_idx falls within the valid range of index entries for that
level.
If the on-disk extent header contains a corrupted or crafted
eh_entries value, p_idx can point past the end of the allocated
buffer, causing a slab-out-of-bounds read.
Fix this by validating path[k].p_idx against EXT_LAST_INDEX() at
both access sites: before the while loop and inside it. Return
-EFSCORRUPTED if the index pointer is out of range, consistent
with how other bounds violations are handled in the ext4 extent
tree code.
Reported-by: syzbot+04c4e65cab786a2e5b7e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=04c4e65cab786a2e5b7e
Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
Link: https://patch.msgid.link/JH0PR06MB66326016F9B6AD24097D232B897CA@JH0PR06MB6632.apcprd06.prod.outlook.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/extents.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -1741,6 +1741,13 @@ static int ext4_ext_correct_indexes(hand
err = ext4_ext_get_access(handle, inode, path + k);
if (err)
return err;
+ if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
+ EXT4_ERROR_INODE(inode,
+ "path[%d].p_idx %p > EXT_LAST_INDEX %p",
+ k, path[k].p_idx,
+ EXT_LAST_INDEX(path[k].p_hdr));
+ return -EFSCORRUPTED;
+ }
path[k].p_idx->ei_block = border;
err = ext4_ext_dirty(handle, inode, path + k);
if (err)
@@ -1753,6 +1760,14 @@ static int ext4_ext_correct_indexes(hand
err = ext4_ext_get_access(handle, inode, path + k);
if (err)
goto clean;
+ if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
+ EXT4_ERROR_INODE(inode,
+ "path[%d].p_idx %p > EXT_LAST_INDEX %p",
+ k, path[k].p_idx,
+ EXT_LAST_INDEX(path[k].p_hdr));
+ err = -EFSCORRUPTED;
+ goto clean;
+ }
path[k].p_idx->ei_block = border;
err = ext4_ext_dirty(handle, inode, path + k);
if (err)
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 300/342] ext4: avoid infinite loops caused by residual data
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 299/342] ext4: validate p_idx bounds in ext4_ext_correct_indexes Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 301/342] ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal() Greg Kroah-Hartman
` (58 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+512459401510e2a9a39f,
syzbot+1659aaaaa8d9d11265d7, Edward Adam Davis, Jan Kara,
Theodore Tso, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
commit 5422fe71d26d42af6c454ca9527faaad4e677d6c upstream.
On the mkdir/mknod path, when mapping logical blocks to physical blocks,
if inserting a new extent into the extent tree fails (in this example,
because the file system disabled the huge file feature when marking the
inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to
reclaim the physical block without deleting the corresponding data in
the extent tree. This causes subsequent mkdir operations to reference
the previously reclaimed physical block number again, even though this
physical block is already being used by the xattr block. Therefore, a
situation arises where both the directory and xattr are using the same
buffer head block in memory simultaneously.
The above causes ext4_xattr_block_set() to enter an infinite loop about
"inserted" and cannot release the inode lock, ultimately leading to the
143s blocking problem mentioned in [1].
If the metadata is corrupted, then trying to remove some extent space
can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE
was passed, remove space wrongly update quota information.
Jan Kara suggests distinguishing between two cases:
1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully
consistent and we must maintain its consistency including all the
accounting. However these errors can happen only early before we've
inserted the extent into the extent tree. So current code works correctly
for this case.
2) Some other error - this means metadata is corrupted. We should strive to
do as few modifications as possible to limit damage. So I'd just skip
freeing of allocated blocks.
[1]
INFO: task syz.0.17:5995 blocked for more than 143 seconds.
Call Trace:
inode_lock_nested include/linux/fs.h:1073 [inline]
__start_dirop fs/namei.c:2923 [inline]
start_dirop fs/namei.c:2934 [inline]
Reported-by: syzbot+512459401510e2a9a39f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1659aaaaa8d9d11265d7
Tested-by: syzbot+1659aaaaa8d9d11265d7@syzkaller.appspotmail.com
Reported-by: syzbot+1659aaaaa8d9d11265d7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=512459401510e2a9a39f
Tested-by: syzbot+1659aaaaa8d9d11265d7@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Tested-by: syzbot+512459401510e2a9a39f@syzkaller.appspotmail.com
Link: https://patch.msgid.link/tencent_43696283A68450B761D76866C6F360E36705@qq.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/extents.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -4461,9 +4461,13 @@ got_allocated_blocks:
path = ext4_ext_insert_extent(handle, inode, path, &newex, flags);
if (IS_ERR(path)) {
err = PTR_ERR(path);
- if (allocated_clusters) {
+ /*
+ * Gracefully handle out of space conditions. If the filesystem
+ * is inconsistent, we'll just leak allocated blocks to avoid
+ * causing even more damage.
+ */
+ if (allocated_clusters && (err == -EDQUOT || err == -ENOSPC)) {
int fb_flags = 0;
-
/*
* free data blocks we just allocated.
* not a good idea to call discard here directly,
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 301/342] ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 300/342] ext4: avoid infinite loops caused by residual data Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 302/342] ext4: reject mount if bigalloc with s_first_data_block != 0 Greg Kroah-Hartman
` (57 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Ritesh Harjani (IBM),
Zhang Yi, Andreas Dilger, Jan Kara, Theodore Tso, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
commit 46066e3a06647c5b186cc6334409722622d05c44 upstream.
There's issue as follows:
...
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2243 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2239 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): error count since last fsck: 1
EXT4-fs (mmcblk0p1): initial error at time 1765597433: ext4_mb_generate_buddy:760
EXT4-fs (mmcblk0p1): last error at time 1765597433: ext4_mb_generate_buddy:760
...
According to the log analysis, blocks are always requested from the
corrupted block group. This may happen as follows:
ext4_mb_find_by_goal
ext4_mb_load_buddy
ext4_mb_load_buddy_gfp
ext4_mb_init_cache
ext4_read_block_bitmap_nowait
ext4_wait_block_bitmap
ext4_validate_block_bitmap
if (!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp))
return -EFSCORRUPTED; // There's no logs.
if (err)
return err; // Will return error
ext4_lock_group(ac->ac_sb, group);
if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) // Unreachable
goto out;
After commit 9008a58e5dce ("ext4: make the bitmap read routines return
real error codes") merged, Commit 163a203ddb36 ("ext4: mark block group
as corrupt on block bitmap error") is no real solution for allocating
blocks from corrupted block groups. This is because if
'EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)' is true, then
'ext4_mb_load_buddy()' may return an error. This means that the block
allocation will fail.
Therefore, check block group if corrupted when ext4_mb_load_buddy()
returns error.
Fixes: 163a203ddb36 ("ext4: mark block group as corrupt on block bitmap error")
Fixes: 9008a58e5dce ("ext4: make the bitmap read routines return real error codes")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20260302134619.3145520-1-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2443,8 +2443,12 @@ int ext4_mb_find_by_goal(struct ext4_all
return 0;
err = ext4_mb_load_buddy(ac->ac_sb, group, e4b);
- if (err)
+ if (err) {
+ if (EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info) &&
+ !(ac->ac_flags & EXT4_MB_HINT_GOAL_ONLY))
+ return 0;
return err;
+ }
ext4_lock_group(ac->ac_sb, group);
if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)))
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 302/342] ext4: reject mount if bigalloc with s_first_data_block != 0
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 301/342] ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal() Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 303/342] ext4: fix use-after-free in update_super_work when racing with umount Greg Kroah-Hartman
` (56 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Helen Koike, Theodore Tso,
syzbot+b73703b873a33d8eb8f6, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helen Koike <koike@igalia.com>
commit 3822743dc20386d9897e999dbb990befa3a5b3f8 upstream.
bigalloc with s_first_data_block != 0 is not supported, reject mounting
it.
Signed-off-by: Helen Koike <koike@igalia.com>
Suggested-by: Theodore Ts'o <tytso@mit.edu>
Reported-by: syzbot+b73703b873a33d8eb8f6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b73703b873a33d8eb8f6
Link: https://patch.msgid.link/20260317142325.135074-1-koike@igalia.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3625,6 +3625,13 @@ int ext4_feature_set_ok(struct super_blo
"extents feature\n");
return 0;
}
+ if (ext4_has_feature_bigalloc(sb) &&
+ le32_to_cpu(EXT4_SB(sb)->s_es->s_first_data_block)) {
+ ext4_msg(sb, KERN_WARNING,
+ "bad geometry: bigalloc file system with non-zero "
+ "first_data_block\n");
+ return 0;
+ }
#if !IS_ENABLED(CONFIG_QUOTA) || !IS_ENABLED(CONFIG_QFMT_V2)
if (!readonly && (ext4_has_feature_quota(sb) ||
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 303/342] ext4: fix use-after-free in update_super_work when racing with umount
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 302/342] ext4: reject mount if bigalloc with s_first_data_block != 0 Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 304/342] ext4: fix the might_sleep() warnings in kvfree() Greg Kroah-Hartman
` (55 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Jan Kara, Jiayuan Chen,
Ritesh Harjani (IBM), Theodore Tso, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@shopee.com>
commit d15e4b0a418537aafa56b2cb80d44add83e83697 upstream.
Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount
filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work
to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups
reads during unmount. However, this introduced a use-after-free because
update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which
accesses the kobject's kernfs_node after it has been freed by kobject_del()
in ext4_unregister_sysfs():
update_super_work ext4_put_super
----------------- --------------
ext4_unregister_sysfs(sb)
kobject_del(&sbi->s_kobj)
__kobject_del()
sysfs_remove_dir()
kobj->sd = NULL
sysfs_put(sd)
kernfs_put() // RCU free
ext4_notify_error_sysfs(sbi)
sysfs_notify(&sbi->s_kobj)
kn = kobj->sd // stale pointer
kernfs_get(kn) // UAF on freed kernfs_node
ext4_journal_destroy()
flush_work(&sbi->s_sb_upd_work)
Instead of reordering the teardown sequence, fix this by making
ext4_notify_error_sysfs() detect that sysfs has already been torn down
by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call
in that case. A dedicated mutex (s_error_notify_mutex) serializes
ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs()
to prevent TOCTOU races where the kobject could be deleted between the
state_in_sysfs check and the sysfs_notify() call.
Fixes: b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem")
Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20260319120336.157873-1-jiayuan.chen@linux.dev
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ext4.h | 1 +
fs/ext4/super.c | 1 +
fs/ext4/sysfs.c | 10 +++++++++-
3 files changed, 11 insertions(+), 1 deletion(-)
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -1583,6 +1583,7 @@ struct ext4_sb_info {
struct proc_dir_entry *s_proc;
struct kobject s_kobj;
struct completion s_kobj_unregister;
+ struct mutex s_error_notify_mutex; /* protects sysfs_notify vs kobject_del */
struct super_block *s_sb;
struct buffer_head *s_mmp_bh;
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -5400,6 +5400,7 @@ static int __ext4_fill_super(struct fs_c
timer_setup(&sbi->s_err_report, print_daily_error_info, 0);
spin_lock_init(&sbi->s_error_lock);
+ mutex_init(&sbi->s_error_notify_mutex);
INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
--- a/fs/ext4/sysfs.c
+++ b/fs/ext4/sysfs.c
@@ -561,7 +561,10 @@ static const struct kobj_type ext4_feat_
void ext4_notify_error_sysfs(struct ext4_sb_info *sbi)
{
- sysfs_notify(&sbi->s_kobj, NULL, "errors_count");
+ mutex_lock(&sbi->s_error_notify_mutex);
+ if (sbi->s_kobj.state_in_sysfs)
+ sysfs_notify(&sbi->s_kobj, NULL, "errors_count");
+ mutex_unlock(&sbi->s_error_notify_mutex);
}
static struct kobject *ext4_root;
@@ -574,8 +577,10 @@ int ext4_register_sysfs(struct super_blo
int err;
init_completion(&sbi->s_kobj_unregister);
+ mutex_lock(&sbi->s_error_notify_mutex);
err = kobject_init_and_add(&sbi->s_kobj, &ext4_sb_ktype, ext4_root,
"%s", sb->s_id);
+ mutex_unlock(&sbi->s_error_notify_mutex);
if (err) {
kobject_put(&sbi->s_kobj);
wait_for_completion(&sbi->s_kobj_unregister);
@@ -608,7 +613,10 @@ void ext4_unregister_sysfs(struct super_
if (sbi->s_proc)
remove_proc_subtree(sb->s_id, ext4_proc_root);
+
+ mutex_lock(&sbi->s_error_notify_mutex);
kobject_del(&sbi->s_kobj);
+ mutex_unlock(&sbi->s_error_notify_mutex);
}
int __init ext4_init_sysfs(void)
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 304/342] ext4: fix the might_sleep() warnings in kvfree()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 303/342] ext4: fix use-after-free in update_super_work when racing with umount Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 305/342] ext4: handle wraparound when searching for blocks for indirect mapped blocks Greg Kroah-Hartman
` (54 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zqiang, Baokun Li, Theodore Tso,
stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zqiang <qiang.zhang@linux.dev>
commit 496bb99b7e66f48b178126626f47e9ba79e2d0fa upstream.
Use the kvfree() in the RCU read critical section can trigger
the following warnings:
EXT4-fs (vdb): unmounting filesystem cd983e5b-3c83-4f5a-a136-17b00eb9d018.
WARNING: suspicious RCU usage
./include/linux/rcupdate.h:409 Illegal context switch in RCU read-side critical section!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
Call Trace:
<TASK>
dump_stack_lvl+0xbb/0xd0
dump_stack+0x14/0x20
lockdep_rcu_suspicious+0x15a/0x1b0
__might_resched+0x375/0x4d0
? put_object.part.0+0x2c/0x50
__might_sleep+0x108/0x160
vfree+0x58/0x910
? ext4_group_desc_free+0x27/0x270
kvfree+0x23/0x40
ext4_group_desc_free+0x111/0x270
ext4_put_super+0x3c8/0xd40
generic_shutdown_super+0x14c/0x4a0
? __pfx_shrinker_free+0x10/0x10
kill_block_super+0x40/0x90
ext4_kill_sb+0x6d/0xb0
deactivate_locked_super+0xb4/0x180
deactivate_super+0x7e/0xa0
cleanup_mnt+0x296/0x3e0
__cleanup_mnt+0x16/0x20
task_work_run+0x157/0x250
? __pfx_task_work_run+0x10/0x10
? exit_to_user_mode_loop+0x6a/0x550
exit_to_user_mode_loop+0x102/0x550
do_syscall_64+0x44a/0x500
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
BUG: sleeping function called from invalid context at mm/vmalloc.c:3441
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 556, name: umount
preempt_count: 1, expected: 0
CPU: 3 UID: 0 PID: 556 Comm: umount
Call Trace:
<TASK>
dump_stack_lvl+0xbb/0xd0
dump_stack+0x14/0x20
__might_resched+0x275/0x4d0
? put_object.part.0+0x2c/0x50
__might_sleep+0x108/0x160
vfree+0x58/0x910
? ext4_group_desc_free+0x27/0x270
kvfree+0x23/0x40
ext4_group_desc_free+0x111/0x270
ext4_put_super+0x3c8/0xd40
generic_shutdown_super+0x14c/0x4a0
? __pfx_shrinker_free+0x10/0x10
kill_block_super+0x40/0x90
ext4_kill_sb+0x6d/0xb0
deactivate_locked_super+0xb4/0x180
deactivate_super+0x7e/0xa0
cleanup_mnt+0x296/0x3e0
__cleanup_mnt+0x16/0x20
task_work_run+0x157/0x250
? __pfx_task_work_run+0x10/0x10
? exit_to_user_mode_loop+0x6a/0x550
exit_to_user_mode_loop+0x102/0x550
do_syscall_64+0x44a/0x500
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The above scenarios occur in initialization failures and teardown
paths, there are no parallel operations on the resources released
by kvfree(), this commit therefore remove rcu_read_lock/unlock() and
use rcu_access_pointer() instead of rcu_dereference() operations.
Fixes: 7c990728b99e ("ext4: fix potential race between s_flex_groups online resizing and access")
Fixes: df3da4ea5a0f ("ext4: fix potential race between s_group_info online resizing and access")
Signed-off-by: Zqiang <qiang.zhang@linux.dev>
Reviewed-by: Baokun Li <libaokun@linux.alibaba.com>
Link: https://patch.msgid.link/20260319094545.19291-1-qiang.zhang@linux.dev
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 10 +++-------
fs/ext4/super.c | 8 ++------
2 files changed, 5 insertions(+), 13 deletions(-)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -3584,9 +3584,7 @@ err_freebuddy:
rcu_read_unlock();
iput(sbi->s_buddy_cache);
err_freesgi:
- rcu_read_lock();
- kvfree(rcu_dereference(sbi->s_group_info));
- rcu_read_unlock();
+ kvfree(rcu_access_pointer(sbi->s_group_info));
return -ENOMEM;
}
@@ -3903,7 +3901,8 @@ void ext4_mb_release(struct super_block
WARN_ON_ONCE(!list_empty(&sbi->s_discard_list));
}
- if (sbi->s_group_info) {
+ group_info = rcu_access_pointer(sbi->s_group_info);
+ if (group_info) {
for (i = 0; i < ngroups; i++) {
cond_resched();
grinfo = ext4_get_group_info(sb, i);
@@ -3921,12 +3920,9 @@ void ext4_mb_release(struct super_block
num_meta_group_infos = (ngroups +
EXT4_DESC_PER_BLOCK(sb) - 1) >>
EXT4_DESC_PER_BLOCK_BITS(sb);
- rcu_read_lock();
- group_info = rcu_dereference(sbi->s_group_info);
for (i = 0; i < num_meta_group_infos; i++)
kfree(group_info[i]);
kvfree(group_info);
- rcu_read_unlock();
}
ext4_mb_avg_fragment_size_destroy(sbi);
ext4_mb_largest_free_orders_destroy(sbi);
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1249,12 +1249,10 @@ static void ext4_group_desc_free(struct
struct buffer_head **group_desc;
int i;
- rcu_read_lock();
- group_desc = rcu_dereference(sbi->s_group_desc);
+ group_desc = rcu_access_pointer(sbi->s_group_desc);
for (i = 0; i < sbi->s_gdb_count; i++)
brelse(group_desc[i]);
kvfree(group_desc);
- rcu_read_unlock();
}
static void ext4_flex_groups_free(struct ext4_sb_info *sbi)
@@ -1262,14 +1260,12 @@ static void ext4_flex_groups_free(struct
struct flex_groups **flex_groups;
int i;
- rcu_read_lock();
- flex_groups = rcu_dereference(sbi->s_flex_groups);
+ flex_groups = rcu_access_pointer(sbi->s_flex_groups);
if (flex_groups) {
for (i = 0; i < sbi->s_flex_groups_allocated; i++)
kvfree(flex_groups[i]);
kvfree(flex_groups);
}
- rcu_read_unlock();
}
static void ext4_put_super(struct super_block *sb)
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 305/342] ext4: handle wraparound when searching for blocks for indirect mapped blocks
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 304/342] ext4: fix the might_sleep() warnings in kvfree() Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 306/342] ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths Greg Kroah-Hartman
` (53 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Baokun Li, Theodore Tso,
stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit bb81702370fad22c06ca12b6e1648754dbc37e0f upstream.
Commit 4865c768b563 ("ext4: always allocate blocks only from groups
inode can use") restricts what blocks will be allocated for indirect
block based files to block numbers that fit within 32-bit block
numbers.
However, when using a review bot running on the latest Gemini LLM to
check this commit when backporting into an LTS based kernel, it raised
this concern:
If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal
group was populated via stream allocation from s_mb_last_groups),
then start will be >= ngroups.
Does this allow allocating blocks beyond the 32-bit limit for
indirect block mapped files? The commit message mentions that
ext4_mb_scan_groups_linear() takes care to not select unsupported
groups. However, its loop uses group = *start, and the very first
iteration will call ext4_mb_scan_group() with this unsupported
group because next_linear_group() is only called at the end of the
iteration.
After reviewing the code paths involved and considering the LLM
review, I determined that this can happen when there is a file system
where some files/directories are extent-mapped and others are
indirect-block mapped. To address this, add a safety clamp in
ext4_mb_scan_groups().
Fixes: 4865c768b563 ("ext4: always allocate blocks only from groups inode can use")
Cc: Jan Kara <jack@suse.cz>
Reviewed-by: Baokun Li <libaokun@linux.alibaba.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Link: https://patch.msgid.link/20260326045834.1175822-1-tytso@mit.edu
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1199,6 +1199,8 @@ static int ext4_mb_scan_groups(struct ex
/* searching for the right group start from the goal value specified */
start = ac->ac_g_ex.fe_group;
+ if (start >= ngroups)
+ start = 0;
ac->ac_prefetch_grp = start;
ac->ac_prefetch_nr = 0;
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 306/342] ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 305/342] ext4: handle wraparound when searching for blocks for indirect mapped blocks Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 307/342] ext4: always drain queued discard work in ext4_mb_release() Greg Kroah-Hartman
` (52 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joseph Qi, Baokun Li, Zhang Yi,
Jan Kara, Theodore Tso, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun@linux.alibaba.com>
commit ec0a7500d8eace5b4f305fa0c594dd148f0e8d29 upstream.
During code review, Joseph found that ext4_fc_replay_inode() calls
ext4_get_fc_inode_loc() to get the inode location, which holds a
reference to iloc.bh that must be released via brelse().
However, several error paths jump to the 'out' label without
releasing iloc.bh:
- ext4_handle_dirty_metadata() failure
- sync_dirty_buffer() failure
- ext4_mark_inode_used() failure
- ext4_iget() failure
Fix this by introducing an 'out_brelse' label placed just before
the existing 'out' label to ensure iloc.bh is always released.
Additionally, make ext4_fc_replay_inode() propagate errors
properly instead of always returning 0.
Reported-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Fixes: 8016e29f4362 ("ext4: fast commit recovery path")
Signed-off-by: Baokun Li <libaokun@linux.alibaba.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20260323060836.3452660-1-libaokun@linux.alibaba.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fast_commit.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -1613,19 +1613,21 @@ static int ext4_fc_replay_inode(struct s
/* Immediately update the inode on disk. */
ret = ext4_handle_dirty_metadata(NULL, NULL, iloc.bh);
if (ret)
- goto out;
+ goto out_brelse;
ret = sync_dirty_buffer(iloc.bh);
if (ret)
- goto out;
+ goto out_brelse;
ret = ext4_mark_inode_used(sb, ino);
if (ret)
- goto out;
+ goto out_brelse;
/* Given that we just wrote the inode on disk, this SHOULD succeed. */
inode = ext4_iget(sb, ino, EXT4_IGET_NORMAL);
if (IS_ERR(inode)) {
ext4_debug("Inode not found.");
- return -EFSCORRUPTED;
+ inode = NULL;
+ ret = -EFSCORRUPTED;
+ goto out_brelse;
}
/*
@@ -1642,13 +1644,14 @@ static int ext4_fc_replay_inode(struct s
ext4_inode_csum_set(inode, ext4_raw_inode(&iloc), EXT4_I(inode));
ret = ext4_handle_dirty_metadata(NULL, NULL, iloc.bh);
sync_dirty_buffer(iloc.bh);
+out_brelse:
brelse(iloc.bh);
out:
iput(inode);
if (!ret)
blkdev_issue_flush(sb->s_bdev);
- return 0;
+ return ret;
}
/*
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 307/342] ext4: always drain queued discard work in ext4_mb_release()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 306/342] ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 308/342] arm64: dts: imx8mn-tqma8mqnl: fix LDO5 power off Greg Kroah-Hartman
` (51 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Theodore Tso, stable
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit 9ee29d20aab228adfb02ca93f87fb53c56c2f3af upstream.
While reviewing recent ext4 patch[1], Sashiko raised the following
concern[2]:
> If the filesystem is initially mounted with the discard option,
> deleting files will populate sbi->s_discard_list and queue
> s_discard_work. If it is then remounted with nodiscard, the
> EXT4_MOUNT_DISCARD flag is cleared, but the pending s_discard_work is
> neither cancelled nor flushed.
[1] https://lore.kernel.org/r/20260319094545.19291-1-qiang.zhang@linux.dev/
[2] https://sashiko.dev/#/patchset/20260319094545.19291-1-qiang.zhang%40linux.dev
The concern was valid, but it had nothing to do with the patch[1].
One of the problems with Sashiko in its current (early) form is that
it will detect pre-existing issues and report it as a problem with the
patch that it is reviewing.
In practice, it would be hard to hit deliberately (unless you are a
malicious syzkaller fuzzer), since it would involve mounting the file
system with -o discard, and then deleting a large number of files,
remounting the file system with -o nodiscard, and then immediately
unmounting the file system before the queued discard work has a change
to drain on its own.
Fix it because it's a real bug, and to avoid Sashiko from raising this
concern when analyzing future patches to mballoc.c.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Fixes: 55cdd0af2bc5 ("ext4: get discard out of jbd2 commit kthread contex")
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -3895,13 +3895,11 @@ void ext4_mb_release(struct super_block
struct kmem_cache *cachep = get_groupinfo_cache(sb->s_blocksize_bits);
int count;
- if (test_opt(sb, DISCARD)) {
- /*
- * wait the discard work to drain all of ext4_free_data
- */
- flush_work(&sbi->s_discard_work);
- WARN_ON_ONCE(!list_empty(&sbi->s_discard_list));
- }
+ /*
+ * wait the discard work to drain all of ext4_free_data
+ */
+ flush_work(&sbi->s_discard_work);
+ WARN_ON_ONCE(!list_empty(&sbi->s_discard_list));
group_info = rcu_access_pointer(sbi->s_group_info);
if (group_info) {
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 308/342] arm64: dts: imx8mn-tqma8mqnl: fix LDO5 power off
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 307/342] ext4: always drain queued discard work in ext4_mb_release() Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 309/342] powerpc64/bpf: do not increment tailcall count when prog is NULL Greg Kroah-Hartman
` (50 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Markus Niebel, Alexander Stein,
Shawn Guo
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Markus Niebel <Markus.Niebel@ew.tq-group.com>
commit 8adc841d43ebceabec996c9dcff6e82d3e585268 upstream.
Fix SD card removal caused by automatic LDO5 power off after boot
To prevent this, add vqmmc regulator for USDHC, using a GPIO-controlled
regulator that is supplied by LDO5. Since this is implemented on SoM but
used on baseboards with SD-card interface, implement the functionality
on SoM part and optionally enable it on baseboards if needed.
Signed-off-by: Markus Niebel <Markus.Niebel@ew.tq-group.com>
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl-mba8mx.dts | 13 ++++----
arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi | 22 ++++++++++++++
2 files changed, 29 insertions(+), 6 deletions(-)
--- a/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl-mba8mx.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl-mba8mx.dts
@@ -69,6 +69,10 @@
samsung,esc-clock-frequency = <20000000>;
};
+®_usdhc2_vqmmc {
+ status = "okay";
+};
+
&sai3 {
assigned-clocks = <&clk IMX8MN_CLK_SAI3>;
assigned-clock-parents = <&clk IMX8MN_AUDIO_PLL1_OUT>;
@@ -216,8 +220,7 @@
<MX8MN_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x1d4>,
<MX8MN_IOMUXC_SD2_DATA1_USDHC2_DATA1 0x1d4>,
<MX8MN_IOMUXC_SD2_DATA2_USDHC2_DATA2 0x1d4>,
- <MX8MN_IOMUXC_SD2_DATA3_USDHC2_DATA3 0x1d4>,
- <MX8MN_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x84>;
+ <MX8MN_IOMUXC_SD2_DATA3_USDHC2_DATA3 0x1d4>;
};
pinctrl_usdhc2_100mhz: usdhc2-100mhzgrp {
@@ -226,8 +229,7 @@
<MX8MN_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x1d4>,
<MX8MN_IOMUXC_SD2_DATA1_USDHC2_DATA1 0x1d4>,
<MX8MN_IOMUXC_SD2_DATA2_USDHC2_DATA2 0x1d4>,
- <MX8MN_IOMUXC_SD2_DATA3_USDHC2_DATA3 0x1d4>,
- <MX8MN_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x84>;
+ <MX8MN_IOMUXC_SD2_DATA3_USDHC2_DATA3 0x1d4>;
};
pinctrl_usdhc2_200mhz: usdhc2-200mhzgrp {
@@ -236,8 +238,7 @@
<MX8MN_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x1d4>,
<MX8MN_IOMUXC_SD2_DATA1_USDHC2_DATA1 0x1d4>,
<MX8MN_IOMUXC_SD2_DATA2_USDHC2_DATA2 0x1d4>,
- <MX8MN_IOMUXC_SD2_DATA3_USDHC2_DATA3 0x1d4>,
- <MX8MN_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x84>;
+ <MX8MN_IOMUXC_SD2_DATA3_USDHC2_DATA3 0x1d4>;
};
pinctrl_usdhc2_gpio: usdhc2-gpiogrp {
--- a/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi
@@ -30,6 +30,20 @@
regulator-max-microvolt = <3300000>;
};
+ reg_usdhc2_vqmmc: regulator-usdhc2-vqmmc {
+ compatible = "regulator-gpio";
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_reg_usdhc2_vqmmc>;
+ regulator-name = "V_SD2";
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <3300000>;
+ gpios = <&gpio1 4 GPIO_ACTIVE_HIGH>;
+ states = <1800000 0x1>,
+ <3300000 0x0>;
+ vin-supply = <&ldo5_reg>;
+ status = "disabled";
+ };
+
reserved-memory {
#address-cells = <2>;
#size-cells = <2>;
@@ -233,6 +247,10 @@
vddio-supply = <&ldo3_reg>;
};
+&usdhc2 {
+ vqmmc-supply = <®_usdhc2_vqmmc>;
+};
+
&usdhc3 {
pinctrl-names = "default", "state_100mhz", "state_200mhz";
pinctrl-0 = <&pinctrl_usdhc3>;
@@ -287,6 +305,10 @@
fsl,pins = <MX8MN_IOMUXC_SD2_RESET_B_GPIO2_IO19 0x84>;
};
+ pinctrl_reg_usdhc2_vqmmc: regusdhc2vqmmcgrp {
+ fsl,pins = <MX8MN_IOMUXC_GPIO1_IO04_GPIO1_IO4 0xc0>;
+ };
+
pinctrl_usdhc3: usdhc3grp {
fsl,pins = <MX8MN_IOMUXC_NAND_WE_B_USDHC3_CLK 0x1d4>,
<MX8MN_IOMUXC_NAND_WP_B_USDHC3_CMD 0x1d2>,
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 309/342] powerpc64/bpf: do not increment tailcall count when prog is NULL
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 308/342] arm64: dts: imx8mn-tqma8mqnl: fix LDO5 power off Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 310/342] mm/damon/core: avoid use of half-online-committed context Greg Kroah-Hartman
` (49 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Venkat Rao Bagalkote, Hari Bathini,
Madhavan Srinivasan
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hari Bathini <hbathini@linux.ibm.com>
commit 521bd39d9d28ce54cbfec7f9b89c94ad4fdb8350 upstream.
Do not increment tailcall count, if tailcall did not succeed due to
missing BPF program.
Fixes: ce0761419fae ("powerpc/bpf: Implement support for tail calls")
Cc: stable@vger.kernel.org
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260303181031.390073-2-hbathini@linux.ibm.com
[ Conflict due to missing feature commit 2ed2d8f6fb38 ("powerpc64/bpf:
Support tailcalls with subprogs") resolved accordingly. ]
Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/net/bpf_jit_comp64.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
--- a/arch/powerpc/net/bpf_jit_comp64.c
+++ b/arch/powerpc/net/bpf_jit_comp64.c
@@ -430,27 +430,32 @@ static int bpf_jit_emit_tail_call(u32 *i
/*
* tail_call_cnt++;
+ * Writeback this updated value only if tailcall succeeds.
*/
EMIT(PPC_RAW_ADDI(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_1), 1));
- EMIT(PPC_RAW_STD(bpf_to_ppc(TMP_REG_1), _R1, bpf_jit_stack_tailcallcnt(ctx)));
/* prog = array->ptrs[index]; */
- EMIT(PPC_RAW_MULI(bpf_to_ppc(TMP_REG_1), b2p_index, 8));
- EMIT(PPC_RAW_ADD(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_1), b2p_bpf_array));
- EMIT(PPC_RAW_LD(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_1), offsetof(struct bpf_array, ptrs)));
+ EMIT(PPC_RAW_MULI(bpf_to_ppc(TMP_REG_2), b2p_index, 8));
+ EMIT(PPC_RAW_ADD(bpf_to_ppc(TMP_REG_2), bpf_to_ppc(TMP_REG_2), b2p_bpf_array));
+ EMIT(PPC_RAW_LD(bpf_to_ppc(TMP_REG_2), bpf_to_ppc(TMP_REG_2),
+ offsetof(struct bpf_array, ptrs)));
/*
* if (prog == NULL)
* goto out;
*/
- EMIT(PPC_RAW_CMPLDI(bpf_to_ppc(TMP_REG_1), 0));
+ EMIT(PPC_RAW_CMPLDI(bpf_to_ppc(TMP_REG_2), 0));
PPC_BCC_SHORT(COND_EQ, out);
/* goto *(prog->bpf_func + prologue_size); */
- EMIT(PPC_RAW_LD(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_1), offsetof(struct bpf_prog, bpf_func)));
- EMIT(PPC_RAW_ADDI(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_1),
- FUNCTION_DESCR_SIZE + bpf_tailcall_prologue_size));
- EMIT(PPC_RAW_MTCTR(bpf_to_ppc(TMP_REG_1)));
+ EMIT(PPC_RAW_LD(bpf_to_ppc(TMP_REG_2), bpf_to_ppc(TMP_REG_2),
+ offsetof(struct bpf_prog, bpf_func)));
+ EMIT(PPC_RAW_ADDI(bpf_to_ppc(TMP_REG_2), bpf_to_ppc(TMP_REG_2),
+ FUNCTION_DESCR_SIZE + bpf_tailcall_prologue_size));
+ EMIT(PPC_RAW_MTCTR(bpf_to_ppc(TMP_REG_2)));
+
+ /* Writeback updated tailcall count */
+ EMIT(PPC_RAW_STD(bpf_to_ppc(TMP_REG_1), _R1, bpf_jit_stack_tailcallcnt(ctx)));
/* tear down stack, restore NVRs, ... */
bpf_jit_emit_common_epilogue(image, ctx);
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 310/342] mm/damon/core: avoid use of half-online-committed context
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 309/342] powerpc64/bpf: do not increment tailcall count when prog is NULL Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 311/342] rust: pin-init: internal: init: document load-bearing fact of field accessors Greg Kroah-Hartman
` (48 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 26f775a054c3cda86ad465a64141894a90a9e145 upstream.
One major usage of damon_call() is online DAMON parameters update. It is
done by calling damon_commit_ctx() inside the damon_call() callback
function. damon_commit_ctx() can fail for two reasons: 1) invalid
parameters and 2) internal memory allocation failures. In case of
failures, the damon_ctx that attempted to be updated (commit destination)
can be partially updated (or, corrupted from a perspective), and therefore
shouldn't be used anymore. The function only ensures the damon_ctx object
can safely deallocated using damon_destroy_ctx().
The API callers are, however, calling damon_commit_ctx() only after
asserting the parameters are valid, to avoid damon_commit_ctx() fails due
to invalid input parameters. But it can still theoretically fail if the
internal memory allocation fails. In the case, DAMON may run with the
partially updated damon_ctx. This can result in unexpected behaviors
including even NULL pointer dereference in case of damos_commit_dests()
failure [1]. Such allocation failure is arguably too small to fail, so
the real world impact would be rare. But, given the bad consequence, this
needs to be fixed.
Avoid such partially-committed (maybe-corrupted) damon_ctx use by saving
the damon_commit_ctx() failure on the damon_ctx object. For this,
introduce damon_ctx->maybe_corrupted field. damon_commit_ctx() sets it
when it is failed. kdamond_call() checks if the field is set after each
damon_call_control->fn() is executed. If it is set, ignore remaining
callback requests and return. All kdamond_call() callers including
kdamond_fn() also check the maybe_corrupted field right after
kdamond_call() invocations. If the field is set, break the kdamond_fn()
main loop so that DAMON sill doesn't use the context that might be
corrupted.
[sj@kernel.org: let kdamond_call() with cancel regardless of maybe_corrupted]
Link: https://lkml.kernel.org/r/20260320031553.2479-1-sj@kernel.org
Link: https://sashiko.dev/#/patchset/20260319145218.86197-1-sj%40kernel.org
Link: https://lkml.kernel.org/r/20260319145218.86197-1-sj@kernel.org
Link: https://lore.kernel.org/20260319043309.97966-1-sj@kernel.org [1]
Fixes: 3301f1861d34 ("mm/damon/sysfs: handle commit command using damon_call()")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> [6.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/damon.h | 7 +++++++
mm/damon/core.c | 9 ++++++++-
2 files changed, 15 insertions(+), 1 deletion(-)
--- a/include/linux/damon.h
+++ b/include/linux/damon.h
@@ -806,7 +806,14 @@ struct damon_ctx {
struct damos_walk_control *walk_control;
struct mutex walk_control_lock;
+ /*
+ * indicate if this may be corrupted. Currentonly this is set only for
+ * damon_commit_ctx() failure.
+ */
+ bool maybe_corrupted;
+
/* public: */
+ /* Working thread of the given DAMON context */
struct task_struct *kdamond;
struct mutex kdamond_lock;
--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -1241,6 +1241,7 @@ int damon_commit_ctx(struct damon_ctx *d
{
int err;
+ dst->maybe_corrupted = true;
if (!is_power_of_2(src->min_region_sz))
return -EINVAL;
@@ -1266,6 +1267,7 @@ int damon_commit_ctx(struct damon_ctx *d
dst->addr_unit = src->addr_unit;
dst->min_region_sz = src->min_region_sz;
+ dst->maybe_corrupted = false;
return 0;
}
@@ -2610,10 +2612,11 @@ static void kdamond_call(struct damon_ct
complete(&control->completion);
} else if (control->canceled && control->dealloc_on_cancel) {
kfree(control);
- continue;
} else {
list_add(&control->list, &repeat_controls);
}
+ if (!cancel && ctx->maybe_corrupted)
+ break;
}
control = list_first_entry_or_null(&repeat_controls,
struct damon_call_control, list);
@@ -2646,6 +2649,8 @@ static int kdamond_wait_activation(struc
kdamond_usleep(min_wait_time);
kdamond_call(ctx, false);
+ if (ctx->maybe_corrupted)
+ return -EINVAL;
damos_walk_cancel(ctx);
}
return -EBUSY;
@@ -2731,6 +2736,8 @@ static int kdamond_fn(void *data)
* kdamond_merge_regions() if possible, to reduce overhead
*/
kdamond_call(ctx, false);
+ if (ctx->maybe_corrupted)
+ break;
if (!list_empty(&ctx->schemes))
kdamond_apply_schemes(ctx);
else
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 311/342] rust: pin-init: internal: init: document load-bearing fact of field accessors
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 310/342] mm/damon/core: avoid use of half-online-committed context Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 312/342] ksmbd: fix use-after-free and NULL deref in smb_grant_oplock() Greg Kroah-Hartman
` (47 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Benno Lossin, Gary Guo, Miguel Ojeda
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benno Lossin <lossin@kernel.org>
[ Upstream commit 580cc37b1de4fcd9997c48d7080e744533f09f36 ]
The functions `[Pin]Init::__[pinned_]init` and `ptr::write` called from
the `init!` macro require the passed pointer to be aligned. This fact is
ensured by the creation of field accessors to previously initialized
fields.
Since we missed this very important fact from the beginning [1],
document it in the code.
Link: https://rust-for-linux.zulipchat.com/#narrow/channel/561532-pin-init/topic/initialized.20field.20accessor.20detection/with/576210658 [1]
Fixes: 90e53c5e70a6 ("rust: add pin-init API core")
Cc: <stable@vger.kernel.org> # 6.6.y, 6.12.y: 42415d163e5d: rust: pin-init: add references to previously initialized fields
Cc: <stable@vger.kernel.org> # 6.6.y, 6.12.y, 6.18.y, 6.19.y
Signed-off-by: Benno Lossin <lossin@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Link: https://patch.msgid.link/20260302140424.4097655-2-lossin@kernel.org
[ Updated Cc: stable@ tags as discussed. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
[ Moved changes to the declarative macro, because 6.19.y and earlier do not
have `syn`. Also duplicated the comment for all field accessor creations.
- Benno ]
Signed-off-by: Benno Lossin <lossin@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
rust/pin-init/src/macros.rs | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/rust/pin-init/src/macros.rs
+++ b/rust/pin-init/src/macros.rs
@@ -1312,6 +1312,10 @@ macro_rules! __init_internal {
// return when an error/panic occurs.
// We also use the `data` to require the correct trait (`Init` or `PinInit`) for `$field`.
unsafe { $data.$field(::core::ptr::addr_of_mut!((*$slot).$field), init)? };
+ // NOTE: the field accessor ensures that the initialized field is properly aligned.
+ // Unaligned fields will cause the compiler to emit E0793. We do not support
+ // unaligned fields since `Init::__init` requires an aligned pointer; the call to
+ // `ptr::write` below has the same requirement.
// SAFETY:
// - the project function does the correct field projection,
// - the field has been initialized,
@@ -1351,6 +1355,10 @@ macro_rules! __init_internal {
// return when an error/panic occurs.
unsafe { $crate::Init::__init(init, ::core::ptr::addr_of_mut!((*$slot).$field))? };
+ // NOTE: the field accessor ensures that the initialized field is properly aligned.
+ // Unaligned fields will cause the compiler to emit E0793. We do not support
+ // unaligned fields since `Init::__init` requires an aligned pointer; the call to
+ // `ptr::write` below has the same requirement.
// SAFETY:
// - the field is not structurally pinned, since the line above must compile,
// - the field has been initialized,
@@ -1391,6 +1399,10 @@ macro_rules! __init_internal {
unsafe { ::core::ptr::write(::core::ptr::addr_of_mut!((*$slot).$field), $field) };
}
+ // NOTE: the field accessor ensures that the initialized field is properly aligned.
+ // Unaligned fields will cause the compiler to emit E0793. We do not support
+ // unaligned fields since `Init::__init` requires an aligned pointer; the call to
+ // `ptr::write` below has the same requirement.
#[allow(unused_variables)]
// SAFETY:
// - the field is not structurally pinned, since no `use_data` was required to create this
@@ -1431,6 +1443,10 @@ macro_rules! __init_internal {
// SAFETY: The memory at `slot` is uninitialized.
unsafe { ::core::ptr::write(::core::ptr::addr_of_mut!((*$slot).$field), $field) };
}
+ // NOTE: the field accessor ensures that the initialized field is properly aligned.
+ // Unaligned fields will cause the compiler to emit E0793. We do not support
+ // unaligned fields since `Init::__init` requires an aligned pointer; the call to
+ // `ptr::write` below has the same requirement.
// SAFETY:
// - the project function does the correct field projection,
// - the field has been initialized,
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 312/342] ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 311/342] rust: pin-init: internal: init: document load-bearing fact of field accessors Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 313/342] dmaengine: idxd: Fix crash when the event log is disabled Greg Kroah-Hartman
` (46 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Werner Kasselman, ChenXiaoSong,
Namjae Jeon, Steve French, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Werner Kasselman <werner@verivus.com>
[ Upstream commit 48623ec358c1c600fa1e38368746f933e0f1a617 ]
smb_grant_oplock() has two issues in the oplock publication sequence:
1) opinfo is linked into ci->m_op_list (via opinfo_add) before
add_lease_global_list() is called. If add_lease_global_list()
fails (kmalloc returns NULL), the error path frees the opinfo
via __free_opinfo() while it is still linked in ci->m_op_list.
Concurrent m_op_list readers (opinfo_get_list, or direct iteration
in smb_break_all_levII_oplock) dereference the freed node.
2) opinfo->o_fp is assigned after add_lease_global_list() publishes
the opinfo on the global lease list. A concurrent
find_same_lease_key() can walk the lease list and dereference
opinfo->o_fp->f_ci while o_fp is still NULL.
Fix by restructuring the publication sequence to eliminate post-publish
failure:
- Set opinfo->o_fp before any list publication (fixes NULL deref).
- Preallocate lease_table via alloc_lease_table() before opinfo_add()
so add_lease_global_list() becomes infallible after publication.
- Keep the original m_op_list publication order (opinfo_add before
lease list) so concurrent opens via same_client_has_lease() and
opinfo_get_list() still see the in-flight grant.
- Use opinfo_put() instead of __free_opinfo() on err_out so that
the RCU-deferred free path is used.
This also requires splitting add_lease_global_list() to take a
preallocated lease_table and changing its return type from int to void,
since it can no longer fail.
Fixes: 1dfd062caa16 ("ksmbd: fix use-after-free by using call_rcu() for oplock_info")
Cc: stable@vger.kernel.org
Signed-off-by: Werner Kasselman <werner@verivus.com>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ adapted kmalloc_obj() macro to kmalloc(sizeof()) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/oplock.c | 72 ++++++++++++++++++++++++++++++-------------------
1 file changed, 45 insertions(+), 27 deletions(-)
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -82,11 +82,19 @@ static void lease_del_list(struct oplock
spin_unlock(&lb->lb_lock);
}
-static void lb_add(struct lease_table *lb)
+static struct lease_table *alloc_lease_table(struct oplock_info *opinfo)
{
- write_lock(&lease_list_lock);
- list_add(&lb->l_entry, &lease_table_list);
- write_unlock(&lease_list_lock);
+ struct lease_table *lb;
+
+ lb = kmalloc(sizeof(struct lease_table), KSMBD_DEFAULT_GFP);
+ if (!lb)
+ return NULL;
+
+ memcpy(lb->client_guid, opinfo->conn->ClientGUID,
+ SMB2_CLIENT_GUID_SIZE);
+ INIT_LIST_HEAD(&lb->lease_list);
+ spin_lock_init(&lb->lb_lock);
+ return lb;
}
static int alloc_lease(struct oplock_info *opinfo, struct lease_ctx_info *lctx)
@@ -1042,34 +1050,27 @@ static void copy_lease(struct oplock_inf
lease2->version = lease1->version;
}
-static int add_lease_global_list(struct oplock_info *opinfo)
+static void add_lease_global_list(struct oplock_info *opinfo,
+ struct lease_table *new_lb)
{
struct lease_table *lb;
- read_lock(&lease_list_lock);
+ write_lock(&lease_list_lock);
list_for_each_entry(lb, &lease_table_list, l_entry) {
if (!memcmp(lb->client_guid, opinfo->conn->ClientGUID,
SMB2_CLIENT_GUID_SIZE)) {
opinfo->o_lease->l_lb = lb;
lease_add_list(opinfo);
- read_unlock(&lease_list_lock);
- return 0;
+ write_unlock(&lease_list_lock);
+ kfree(new_lb);
+ return;
}
}
- read_unlock(&lease_list_lock);
- lb = kmalloc(sizeof(struct lease_table), KSMBD_DEFAULT_GFP);
- if (!lb)
- return -ENOMEM;
-
- memcpy(lb->client_guid, opinfo->conn->ClientGUID,
- SMB2_CLIENT_GUID_SIZE);
- INIT_LIST_HEAD(&lb->lease_list);
- spin_lock_init(&lb->lb_lock);
- opinfo->o_lease->l_lb = lb;
+ opinfo->o_lease->l_lb = new_lb;
lease_add_list(opinfo);
- lb_add(lb);
- return 0;
+ list_add(&new_lb->l_entry, &lease_table_list);
+ write_unlock(&lease_list_lock);
}
static void set_oplock_level(struct oplock_info *opinfo, int level,
@@ -1189,6 +1190,7 @@ int smb_grant_oplock(struct ksmbd_work *
int err = 0;
struct oplock_info *opinfo = NULL, *prev_opinfo = NULL;
struct ksmbd_inode *ci = fp->f_ci;
+ struct lease_table *new_lb = NULL;
bool prev_op_has_lease;
__le32 prev_op_state = 0;
@@ -1291,21 +1293,37 @@ set_lev:
set_oplock_level(opinfo, req_op_level, lctx);
out:
- opinfo_count_inc(fp);
- opinfo_add(opinfo, fp);
-
+ /*
+ * Set o_fp before any publication so that concurrent readers
+ * (e.g. find_same_lease_key() on the lease list) that
+ * dereference opinfo->o_fp don't hit a NULL pointer.
+ *
+ * Keep the original publication order so concurrent opens can
+ * still observe the in-flight grant via ci->m_op_list, but make
+ * everything after opinfo_add() no-fail by preallocating any new
+ * lease_table first.
+ */
+ opinfo->o_fp = fp;
if (opinfo->is_lease) {
- err = add_lease_global_list(opinfo);
- if (err)
+ new_lb = alloc_lease_table(opinfo);
+ if (!new_lb) {
+ err = -ENOMEM;
goto err_out;
+ }
}
+ opinfo_count_inc(fp);
+ opinfo_add(opinfo, fp);
+
+ if (opinfo->is_lease)
+ add_lease_global_list(opinfo, new_lb);
+
rcu_assign_pointer(fp->f_opinfo, opinfo);
- opinfo->o_fp = fp;
return 0;
err_out:
- __free_opinfo(opinfo);
+ kfree(new_lb);
+ opinfo_put(opinfo);
return err;
}
^ permalink raw reply [flat|nested] 366+ messages in thread
* [PATCH 6.19 313/342] dmaengine: idxd: Fix crash when the event log is disabled
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 312/342] ksmbd: fix use-after-free and NULL deref in smb_grant_oplock() Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 314/342] dmaengine: idxd: Fix possible invalid memory access after FLR Greg Kroah-Hartman
` (45 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Jiang, Vinicius Costa Gomes,
Vinod Koul, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
[ Upstream commit 52d2edea0d63c935e82631e4b9e4a94eccf97b5b ]
If reporting errors to the event log is not supported by the hardware,
and an error that causes Function Level Reset (FLR) is received, the
driver will try to restore the event log even if it was not allocated.
Also, only try to free the event log if it was properly allocated.
Fixes: 6078a315aec1 ("dmaengine: idxd: Add idxd_device_config_save() and idxd_device_config_restore() helpers")
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-2-7ed70658a9d1@intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/idxd/device.c | 3 +++
drivers/dma/idxd/init.c | 3 ++-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c
index c2cdf41b6e576..f9e49c5545f65 100644
--- a/drivers/dma/idxd/device.c
+++ b/drivers/dma/idxd/device.c
@@ -830,6 +830,9 @@ static void idxd_device_evl_free(struct idxd_device *idxd)
struct device *dev = &idxd->pdev->dev;
struct idxd_evl *evl = idxd->evl;
+ if (!evl)
+ return;
+
gencfg.bits = ioread32(idxd->reg_base + IDXD_GENCFG_OFFSET);
if (!gencfg.evl_en)
return;
diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c
index 2acc34b3daff8..449424242631d 100644
--- a/drivers/dma/idxd/init.c
+++ b/drivers/dma/idxd/init.c
@@ -962,7 +962,8 @@ static void idxd_device_config_restore(struct idxd_device *idxd,
idxd->rdbuf_limit = idxd_saved->saved_idxd.rdbuf_limit;
- idxd->evl->size = saved_evl->size;
+ if (idxd->evl)
+ idxd->evl->size = saved_evl->size;
for (i = 0; i < idxd->max_groups; i++) {
struct idxd_group *saved_group, *group;
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 314/342] dmaengine: idxd: Fix possible invalid memory access after FLR
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 313/342] dmaengine: idxd: Fix crash when the event log is disabled Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 315/342] dmaengine: idxd: Fix not releasing workqueue on .release() Greg Kroah-Hartman
` (44 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Jiang, Vinicius Costa Gomes,
Vinod Koul, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
[ Upstream commit d6077df7b75d26e4edf98983836c05d00ebabd8d ]
In the case that the first Function Level Reset (FLR) concludes
correctly, but in the second FLR the scratch area for the saved
configuration cannot be allocated, it's possible for a invalid memory
access to happen.
Always set the deallocated scratch area to NULL after FLR completes.
Fixes: 98d187a98903 ("dmaengine: idxd: Enable Function Level Reset (FLR) for halt")
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-3-7ed70658a9d1@intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/idxd/init.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c
index 449424242631d..f2b37c63a964c 100644
--- a/drivers/dma/idxd/init.c
+++ b/drivers/dma/idxd/init.c
@@ -1137,6 +1137,7 @@ static void idxd_reset_done(struct pci_dev *pdev)
}
out:
kfree(idxd->idxd_saved);
+ idxd->idxd_saved = NULL;
}
static const struct pci_error_handlers idxd_error_handler = {
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 315/342] dmaengine: idxd: Fix not releasing workqueue on .release()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 314/342] dmaengine: idxd: Fix possible invalid memory access after FLR Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 316/342] dmaengine: idxd: Fix memory leak when a wq is reset Greg Kroah-Hartman
` (43 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Jiang, Vinicius Costa Gomes,
Vinod Koul, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
[ Upstream commit 3d33de353b1ff9023d5ec73b9becf80ea87af695 ]
The workqueue associated with an DSA/IAA device is not released when
the object is freed.
Fixes: 47c16ac27d4c ("dmaengine: idxd: fix idxd conf_dev 'struct device' lifetime")
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-7-7ed70658a9d1@intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/idxd/sysfs.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/dma/idxd/sysfs.c b/drivers/dma/idxd/sysfs.c
index 9f0701021af0e..cdd7a59140d90 100644
--- a/drivers/dma/idxd/sysfs.c
+++ b/drivers/dma/idxd/sysfs.c
@@ -1812,6 +1812,7 @@ static void idxd_conf_device_release(struct device *dev)
{
struct idxd_device *idxd = confdev_to_idxd(dev);
+ destroy_workqueue(idxd->wq);
kfree(idxd->groups);
bitmap_free(idxd->wq_enable_map);
kfree(idxd->wqs);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 316/342] dmaengine: idxd: Fix memory leak when a wq is reset
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 315/342] dmaengine: idxd: Fix not releasing workqueue on .release() Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 317/342] dmaengine: idxd: Fix freeing the allocated ida too late Greg Kroah-Hartman
` (42 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Jiang, Vinicius Costa Gomes,
Vinod Koul, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
[ Upstream commit d9cfb5193a047a92a4d3c0e91ea4cc87c8f7c478 ]
idxd_wq_disable_cleanup() which is called from the reset path for a
workqueue, sets the wq type to NONE, which for other parts of the
driver mean that the wq is empty (all its resources were released).
Only set the wq type to NONE after its resources are released.
Fixes: da32b28c95a7 ("dmaengine: idxd: cleanup workqueue config after disabling")
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-8-7ed70658a9d1@intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/idxd/device.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c
index f9e49c5545f65..a7ecc17442354 100644
--- a/drivers/dma/idxd/device.c
+++ b/drivers/dma/idxd/device.c
@@ -175,6 +175,7 @@ void idxd_wq_free_resources(struct idxd_wq *wq)
free_descs(wq);
dma_free_coherent(dev, wq->compls_size, wq->compls, wq->compls_addr);
sbitmap_queue_free(&wq->sbq);
+ wq->type = IDXD_WQT_NONE;
}
EXPORT_SYMBOL_NS_GPL(idxd_wq_free_resources, "IDXD");
@@ -382,7 +383,6 @@ static void idxd_wq_disable_cleanup(struct idxd_wq *wq)
lockdep_assert_held(&wq->wq_lock);
wq->state = IDXD_WQ_DISABLED;
memset(wq->wqcfg, 0, idxd->wqcfg_size);
- wq->type = IDXD_WQT_NONE;
wq->threshold = 0;
wq->priority = 0;
wq->enqcmds_retries = IDXD_ENQCMDS_RETRIES;
@@ -1531,7 +1531,6 @@ void idxd_drv_disable_wq(struct idxd_wq *wq)
idxd_wq_reset(wq);
idxd_wq_free_resources(wq);
percpu_ref_exit(&wq->wq_active);
- wq->type = IDXD_WQT_NONE;
wq->client_count = 0;
}
EXPORT_SYMBOL_NS_GPL(idxd_drv_disable_wq, "IDXD");
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 317/342] dmaengine: idxd: Fix freeing the allocated ida too late
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 316/342] dmaengine: idxd: Fix memory leak when a wq is reset Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 318/342] dmaengine: idxd: Fix leaking event log memory Greg Kroah-Hartman
` (41 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Jiang, Vinicius Costa Gomes,
Vinod Koul, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
[ Upstream commit c311f5e9248471a950f0a524c2fd736414d98900 ]
It can happen that when the cdev .release() is called, the driver
already called ida_destroy(). Move ida_free() to the _del() path.
We see with DEBUG_KOBJECT_RELEASE enabled and forcing an early PCI
unbind.
Fixes: 04922b7445a1 ("dmaengine: idxd: fix cdev setup and free device lifetime issues")
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-9-7ed70658a9d1@intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/idxd/cdev.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
index 7e4715f927732..4105688cf3f06 100644
--- a/drivers/dma/idxd/cdev.c
+++ b/drivers/dma/idxd/cdev.c
@@ -158,11 +158,7 @@ static const struct device_type idxd_cdev_file_type = {
static void idxd_cdev_dev_release(struct device *dev)
{
struct idxd_cdev *idxd_cdev = dev_to_cdev(dev);
- struct idxd_cdev_context *cdev_ctx;
- struct idxd_wq *wq = idxd_cdev->wq;
- cdev_ctx = &ictx[wq->idxd->data->type];
- ida_free(&cdev_ctx->minor_ida, idxd_cdev->minor);
kfree(idxd_cdev);
}
@@ -582,11 +578,15 @@ int idxd_wq_add_cdev(struct idxd_wq *wq)
void idxd_wq_del_cdev(struct idxd_wq *wq)
{
+ struct idxd_cdev_context *cdev_ctx;
struct idxd_cdev *idxd_cdev;
idxd_cdev = wq->idxd_cdev;
wq->idxd_cdev = NULL;
cdev_device_del(&idxd_cdev->cdev, cdev_dev(idxd_cdev));
+
+ cdev_ctx = &ictx[wq->idxd->data->type];
+ ida_free(&cdev_ctx->minor_ida, idxd_cdev->minor);
put_device(cdev_dev(idxd_cdev));
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 318/342] dmaengine: idxd: Fix leaking event log memory
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 317/342] dmaengine: idxd: Fix freeing the allocated ida too late Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 319/342] phy: ti: j721e-wiz: Fix device node reference leak in wiz_get_lane_phy_types() Greg Kroah-Hartman
` (40 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Jiang, Vinicius Costa Gomes,
Vinod Koul, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
[ Upstream commit ee66bc29578391c9b48523dc9119af67bd5c7c0f ]
During the device remove process, the device is reset, causing the
configuration registers to go back to their default state, which is
zero. As the driver is checking if the event log support was enabled
before deallocating, it will fail if a reset happened before.
Do not check if the support was enabled, the check for 'idxd->evl'
being valid (only allocated if the HW capability is available) is
enough.
Fixes: 244da66cda35 ("dmaengine: idxd: setup event log configuration")
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-10-7ed70658a9d1@intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/idxd/device.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c
index a7ecc17442354..4013f970cb3b2 100644
--- a/drivers/dma/idxd/device.c
+++ b/drivers/dma/idxd/device.c
@@ -833,10 +833,6 @@ static void idxd_device_evl_free(struct idxd_device *idxd)
if (!evl)
return;
- gencfg.bits = ioread32(idxd->reg_base + IDXD_GENCFG_OFFSET);
- if (!gencfg.evl_en)
- return;
-
mutex_lock(&evl->lock);
gencfg.evl_en = 0;
iowrite32(gencfg.bits, idxd->reg_base + IDXD_GENCFG_OFFSET);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 319/342] phy: ti: j721e-wiz: Fix device node reference leak in wiz_get_lane_phy_types()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 318/342] dmaengine: idxd: Fix leaking event log memory Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 320/342] dmaengine: dw-edma: Fix multiple times setting of the CYCLE_STATE and CYCLE_BIT bits for HDMA Greg Kroah-Hartman
` (39 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Felix Gu,
Vinod Koul, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 584b457f4166293bdfa50f930228e9fb91a38392 ]
The serdes device_node is obtained using of_get_child_by_name(),
which increments the reference count. However, it is never put,
leading to a reference leak.
Add the missing of_node_put() calls to ensure the reference count is
properly balanced.
Fixes: 7ae14cf581f2 ("phy: ti: j721e-wiz: Implement DisplayPort mode to the wiz driver")
Suggested-by: Vladimir Oltean <olteanv@gmail.com>
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
Link: https://patch.msgid.link/20260212-wiz-v2-1-6e8bd4cc7a4a@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/ti/phy-j721e-wiz.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/phy/ti/phy-j721e-wiz.c b/drivers/phy/ti/phy-j721e-wiz.c
index ba31b0a1f7f79..77f18de6fdf62 100644
--- a/drivers/phy/ti/phy-j721e-wiz.c
+++ b/drivers/phy/ti/phy-j721e-wiz.c
@@ -1425,6 +1425,7 @@ static int wiz_get_lane_phy_types(struct device *dev, struct wiz *wiz)
dev_err(dev,
"%s: Reading \"reg\" from \"%s\" failed: %d\n",
__func__, subnode->name, ret);
+ of_node_put(serdes);
return ret;
}
of_property_read_u32(subnode, "cdns,num-lanes", &num_lanes);
@@ -1439,6 +1440,7 @@ static int wiz_get_lane_phy_types(struct device *dev, struct wiz *wiz)
}
}
+ of_node_put(serdes);
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 320/342] dmaengine: dw-edma: Fix multiple times setting of the CYCLE_STATE and CYCLE_BIT bits for HDMA.
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 319/342] phy: ti: j721e-wiz: Fix device node reference leak in wiz_get_lane_phy_types() Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 321/342] dmaengine: xilinx: xdma: Fix regmap init error handling Greg Kroah-Hartman
` (38 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, LUO Haowen, Frank Li, Vinod Koul,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: LUO Haowen <luo-hw@foxmail.com>
[ Upstream commit 3f63297ff61a994b99d710dcb6dbde41c4003233 ]
Others have submitted this issue (https://lore.kernel.org/dmaengine/
20240722030405.3385-1-zhengdongxiong@gxmicro.cn/),
but it has not been fixed yet. Therefore, more supplementary information
is provided here.
As mentioned in the "PCS-CCS-CB-TCB" Producer-Consumer Synchronization of
"DesignWare Cores PCI Express Controller Databook, version 6.00a":
1. The Consumer CYCLE_STATE (CCS) bit in the register only needs to be
initialized once; the value will update automatically to be
~CYCLE_BIT (CB) in the next chunk.
2. The Consumer CYCLE_BIT bit in the register is loaded from the LL
element and tested against CCS. When CB = CCS, the data transfer is
executed. Otherwise not.
The current logic sets customer (HDMA) CS and CB bits to 1 in each chunk
while setting the producer (software) CB of odd chunks to 0 and even
chunks to 1 in the linked list. This is leading to a mismatch between
the producer CB and consumer CS bits.
This issue can be reproduced by setting the transmission data size to
exceed one chunk. By the way, in the EDMA using the same "PCS-CCS-CB-TCB"
mechanism, the CS bit is only initialized once and this issue was not
found. Refer to
drivers/dma/dw-edma/dw-edma-v0-core.c:dw_edma_v0_core_start.
So fix this issue by initializing the CYCLE_STATE and CYCLE_BIT bits
only once.
Fixes: e74c39573d35 ("dmaengine: dw-edma: Add support for native HDMA")
Signed-off-by: LUO Haowen <luo-hw@foxmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/tencent_CB11AA9F3920C1911AF7477A9BD8EFE0AD05@qq.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/dw-edma/dw-hdma-v0-core.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/dma/dw-edma/dw-hdma-v0-core.c b/drivers/dma/dw-edma/dw-hdma-v0-core.c
index e3f8db4fe909a..ce8f7254bab21 100644
--- a/drivers/dma/dw-edma/dw-hdma-v0-core.c
+++ b/drivers/dma/dw-edma/dw-hdma-v0-core.c
@@ -252,10 +252,10 @@ static void dw_hdma_v0_core_start(struct dw_edma_chunk *chunk, bool first)
lower_32_bits(chunk->ll_region.paddr));
SET_CH_32(dw, chan->dir, chan->id, llp.msb,
upper_32_bits(chunk->ll_region.paddr));
+ /* Set consumer cycle */
+ SET_CH_32(dw, chan->dir, chan->id, cycle_sync,
+ HDMA_V0_CONSUMER_CYCLE_STAT | HDMA_V0_CONSUMER_CYCLE_BIT);
}
- /* Set consumer cycle */
- SET_CH_32(dw, chan->dir, chan->id, cycle_sync,
- HDMA_V0_CONSUMER_CYCLE_STAT | HDMA_V0_CONSUMER_CYCLE_BIT);
dw_hdma_v0_sync_ll_data(chunk);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 321/342] dmaengine: xilinx: xdma: Fix regmap init error handling
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 320/342] dmaengine: dw-edma: Fix multiple times setting of the CYCLE_STATE and CYCLE_BIT bits for HDMA Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 322/342] netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators Greg Kroah-Hartman
` (37 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Stein, Frank Li,
Vinod Koul, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Stein <alexander.stein@ew.tq-group.com>
[ Upstream commit e0adbf74e2a0455a6bc9628726ba87bcd0b42bf8 ]
devm_regmap_init_mmio returns an ERR_PTR() upon error, not NULL.
Fix the error check and also fix the error message. Use the error code
from ERR_PTR() instead of the wrong value in ret.
Fixes: 17ce252266c7 ("dmaengine: xilinx: xdma: Add xilinx xdma driver")
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20251014061309.283468-1-alexander.stein@ew.tq-group.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/xilinx/xdma.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/dma/xilinx/xdma.c b/drivers/dma/xilinx/xdma.c
index 5ecf8223c112e..58e01e22b9765 100644
--- a/drivers/dma/xilinx/xdma.c
+++ b/drivers/dma/xilinx/xdma.c
@@ -1236,8 +1236,8 @@ static int xdma_probe(struct platform_device *pdev)
xdev->rmap = devm_regmap_init_mmio(&pdev->dev, reg_base,
&xdma_regmap_config);
- if (!xdev->rmap) {
- xdma_err(xdev, "config regmap failed: %d", ret);
+ if (IS_ERR(xdev->rmap)) {
+ xdma_err(xdev, "config regmap failed: %pe", xdev->rmap);
goto failed;
}
INIT_LIST_HEAD(&xdev->dma_dev.channels);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 322/342] netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 321/342] dmaengine: xilinx: xdma: Fix regmap init error handling Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 323/342] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry Greg Kroah-Hartman
` (36 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+9c058f0d63475adc97fd,
Deepanshu Kartikey, Christian Brauner, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit 67e467a11f62ff64ad219dc6aa5459e132c79d14 ]
When a process crashes and the kernel writes a core dump to a 9P
filesystem, __kernel_write() creates an ITER_KVEC iterator. This
iterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which
only handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types,
hitting the BUG() for any other type.
Fix this by adding netfs_limit_kvec() following the same pattern as
netfs_limit_bvec(), since both kvec and bvec are simple segment arrays
with pointer and length fields. Dispatch it from netfs_limit_iter() when
the iterator type is ITER_KVEC.
Fixes: cae932d3aee5 ("netfs: Add func to calculate pagecount/size-limited span of an iterator")
Reported-by: syzbot+9c058f0d63475adc97fd@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9c058f0d63475adc97fd
Tested-by: syzbot+9c058f0d63475adc97fd@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
Link: https://patch.msgid.link/20260307090041.359870-1-kartikey406@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/iterator.c | 43 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
diff --git a/fs/netfs/iterator.c b/fs/netfs/iterator.c
index 72a435e5fc6da..154a14bb2d7f7 100644
--- a/fs/netfs/iterator.c
+++ b/fs/netfs/iterator.c
@@ -142,6 +142,47 @@ static size_t netfs_limit_bvec(const struct iov_iter *iter, size_t start_offset,
return min(span, max_size);
}
+/*
+ * Select the span of a kvec iterator we're going to use. Limit it by both
+ * maximum size and maximum number of segments. Returns the size of the span
+ * in bytes.
+ */
+static size_t netfs_limit_kvec(const struct iov_iter *iter, size_t start_offset,
+ size_t max_size, size_t max_segs)
+{
+ const struct kvec *kvecs = iter->kvec;
+ unsigned int nkv = iter->nr_segs, ix = 0, nsegs = 0;
+ size_t len, span = 0, n = iter->count;
+ size_t skip = iter->iov_offset + start_offset;
+
+ if (WARN_ON(!iov_iter_is_kvec(iter)) ||
+ WARN_ON(start_offset > n) ||
+ n == 0)
+ return 0;
+
+ while (n && ix < nkv && skip) {
+ len = kvecs[ix].iov_len;
+ if (skip < len)
+ break;
+ skip -= len;
+ n -= len;
+ ix++;
+ }
+
+ while (n && ix < nkv) {
+ len = min3(n, kvecs[ix].iov_len - skip, max_size);
+ span += len;
+ nsegs++;
+ ix++;
+ if (span >= max_size || nsegs >= max_segs)
+ break;
+ skip = 0;
+ n -= len;
+ }
+
+ return min(span, max_size);
+}
+
/*
* Select the span of an xarray iterator we're going to use. Limit it by both
* maximum size and maximum number of segments. It is assumed that segments
@@ -245,6 +286,8 @@ size_t netfs_limit_iter(const struct iov_iter *iter, size_t start_offset,
return netfs_limit_bvec(iter, start_offset, max_size, max_segs);
if (iov_iter_is_xarray(iter))
return netfs_limit_xarray(iter, start_offset, max_size, max_segs);
+ if (iov_iter_is_kvec(iter))
+ return netfs_limit_kvec(iter, start_offset, max_size, max_segs);
BUG();
}
EXPORT_SYMBOL(netfs_limit_iter);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 323/342] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 322/342] netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 324/342] dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc() Greg Kroah-Hartman
` (35 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7227db0fbac9f348dba0,
Deepanshu Kartikey, Christian Brauner, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit e9075e420a1eb3b52c60f3b95893a55e77419ce8 ]
When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path
in netfs_unbuffered_write() unconditionally calls stream->prepare_write()
without checking if it is NULL.
Filesystems such as 9P do not set the prepare_write operation, so
stream->prepare_write remains NULL. When get_user_pages() fails with
-EFAULT and the subrequest is flagged for retry, this results in a NULL
pointer dereference at fs/netfs/direct_write.c:189.
Fix this by mirroring the pattern already used in write_retry.c: if
stream->prepare_write is NULL, skip renegotiation and directly reissue
the subrequest via netfs_reissue_write(), which handles iterator reset,
IN_PROGRESS flag, stats update and reissue internally.
Fixes: a0b4c7a49137 ("netfs: Fix unbuffered/DIO writes to dispatch subrequests in strict sequence")
Reported-by: syzbot+7227db0fbac9f348dba0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
Link: https://patch.msgid.link/20260307043947.347092-1-kartikey406@gmail.com
Tested-by: syzbot+7227db0fbac9f348dba0@syzkaller.appspotmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/direct_write.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index dd1451bf7543d..4d9760e36c119 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -186,10 +186,18 @@ static int netfs_unbuffered_write(struct netfs_io_request *wreq)
stream->sreq_max_segs = INT_MAX;
netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
- stream->prepare_write(subreq);
- __set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
- netfs_stat(&netfs_n_wh_retry_write_subreq);
+ if (stream->prepare_write) {
+ stream->prepare_write(subreq);
+ __set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
+ netfs_stat(&netfs_n_wh_retry_write_subreq);
+ } else {
+ struct iov_iter source;
+
+ netfs_reset_iter(subreq);
+ source = subreq->io_iter;
+ netfs_reissue_write(stream, subreq, &source);
+ }
}
netfs_unbuffered_write_done(wreq);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 324/342] dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 323/342] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 325/342] dmaengine: xilinx: xilinx_dma: Fix dma_device directions Greg Kroah-Hartman
` (34 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tuo Li, Dave Jiang, Vinod Koul,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tuo Li <islituo@gmail.com>
[ Upstream commit e1c9866173c5f8521f2d0768547a01508cb9ff27 ]
At the end of this function, d is the traversal cursor of flist, but the
code completes found instead. This can lead to issues such as NULL pointer
dereferences, double completion, or descriptor leaks.
Fix this by completing d instead of found in the final
list_for_each_entry_safe() loop.
Fixes: aa8d18becc0c ("dmaengine: idxd: add callback support for iaa crypto")
Signed-off-by: Tuo Li <islituo@gmail.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://patch.msgid.link/20260106032428.162445-1-islituo@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/idxd/submit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/submit.c b/drivers/dma/idxd/submit.c
index 6db1c5fcedc58..03217041b8b3e 100644
--- a/drivers/dma/idxd/submit.c
+++ b/drivers/dma/idxd/submit.c
@@ -138,7 +138,7 @@ static void llist_abort_desc(struct idxd_wq *wq, struct idxd_irq_entry *ie,
*/
list_for_each_entry_safe(d, t, &flist, list) {
list_del_init(&d->list);
- idxd_dma_complete_txd(found, IDXD_COMPLETE_ABORT, true,
+ idxd_dma_complete_txd(d, IDXD_COMPLETE_ABORT, true,
NULL, NULL);
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 325/342] dmaengine: xilinx: xilinx_dma: Fix dma_device directions
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 324/342] dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc() Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 326/342] dmaengine: xilinx: xilinx_dma: Fix residue calculation for cyclic DMA Greg Kroah-Hartman
` (33 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Vinod Koul, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marex@nabladev.com>
[ Upstream commit e9cc95397bb7da13fe8a5b53a2f23cfaf9018ade ]
Unlike chan->direction , struct dma_device .directions field is a
bitfield. Turn chan->direction into a bitfield to make it compatible
with struct dma_device .directions .
Fixes: 7e01511443c3 ("dmaengine: xilinx_dma: Set dma_device directions")
Signed-off-by: Marek Vasut <marex@nabladev.com>
Link: https://patch.msgid.link/20260316221728.160139-1-marex@nabladev.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/xilinx/xilinx_dma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
index 89a8254d9cdc6..e6d10079ec670 100644
--- a/drivers/dma/xilinx/xilinx_dma.c
+++ b/drivers/dma/xilinx/xilinx_dma.c
@@ -3003,7 +3003,7 @@ static int xilinx_dma_chan_probe(struct xilinx_dma_device *xdev,
return -EINVAL;
}
- xdev->common.directions |= chan->direction;
+ xdev->common.directions |= BIT(chan->direction);
/* Request the interrupt */
chan->irq = of_irq_get(node, chan->tdest);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 326/342] dmaengine: xilinx: xilinx_dma: Fix residue calculation for cyclic DMA
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 325/342] dmaengine: xilinx: xilinx_dma: Fix dma_device directions Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 327/342] dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction Greg Kroah-Hartman
` (32 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Vinod Koul, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marex@nabladev.com>
[ Upstream commit f61d145999d61948a23cd436ebbfa4c3b9ab8987 ]
The cyclic DMA calculation is currently entirely broken and reports
residue only for the first segment. The problem is twofold.
First, when the first descriptor finishes, it is moved from active_list
to done_list, but it is never returned back into the active_list. The
xilinx_dma_tx_status() expects the descriptor to be in the active_list
to report any meaningful residue information, which never happens after
the first descriptor finishes. Fix this up in xilinx_dma_start_transfer()
and if the descriptor is cyclic, lift it from done_list and place it back
into active_list list.
Second, the segment .status fields of the descriptor remain dirty. Once
the DMA did one pass on the descriptor, the .status fields are populated
with data by the DMA, but the .status fields are not cleared before reuse
during the next cyclic DMA round. The xilinx_dma_get_residue() recognizes
that as if the descriptor was complete and had 0 residue, which is bogus.
Reinitialize the status field before placing the descriptor back into the
active_list.
Fixes: c0bba3a99f07 ("dmaengine: vdma: Add Support for Xilinx AXI Direct Memory Access Engine")
Signed-off-by: Marek Vasut <marex@nabladev.com>
Link: https://patch.msgid.link/20260316221943.160375-1-marex@nabladev.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/xilinx/xilinx_dma.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
index e6d10079ec670..ccfcc2b801f82 100644
--- a/drivers/dma/xilinx/xilinx_dma.c
+++ b/drivers/dma/xilinx/xilinx_dma.c
@@ -1546,8 +1546,29 @@ static void xilinx_dma_start_transfer(struct xilinx_dma_chan *chan)
if (chan->err)
return;
- if (list_empty(&chan->pending_list))
+ if (list_empty(&chan->pending_list)) {
+ if (chan->cyclic) {
+ struct xilinx_dma_tx_descriptor *desc;
+ struct list_head *entry;
+
+ desc = list_last_entry(&chan->done_list,
+ struct xilinx_dma_tx_descriptor, node);
+ list_for_each(entry, &desc->segments) {
+ struct xilinx_axidma_tx_segment *axidma_seg;
+ struct xilinx_axidma_desc_hw *axidma_hw;
+ axidma_seg = list_entry(entry,
+ struct xilinx_axidma_tx_segment,
+ node);
+ axidma_hw = &axidma_seg->hw;
+ axidma_hw->status = 0;
+ }
+
+ list_splice_tail_init(&chan->done_list, &chan->active_list);
+ chan->desc_pendingcount = 0;
+ chan->idle = false;
+ }
return;
+ }
if (!chan->idle)
return;
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 327/342] dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 326/342] dmaengine: xilinx: xilinx_dma: Fix residue calculation for cyclic DMA Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 328/342] dmaengine: xilinx_dma: Fix reset related timeout with two-channel AXIDMA Greg Kroah-Hartman
` (31 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Vinod Koul, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marex@nabladev.com>
[ Upstream commit c7d812e33f3e8ca0fa9eeabf71d1c7bc3acedc09 ]
The segment .control and .status fields both contain top bits which are
not part of the buffer size, the buffer size is located only in the bottom
max_buffer_len bits. To avoid interference from those top bits, mask out
the size using max_buffer_len first, and only then subtract the values.
Fixes: a575d0b4e663 ("dmaengine: xilinx_dma: Introduce xilinx_dma_get_residue")
Signed-off-by: Marek Vasut <marex@nabladev.com>
Link: https://patch.msgid.link/20260316222530.163815-1-marex@nabladev.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/xilinx/xilinx_dma.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
index ccfcc2b801f82..7b24d0a18ea53 100644
--- a/drivers/dma/xilinx/xilinx_dma.c
+++ b/drivers/dma/xilinx/xilinx_dma.c
@@ -997,16 +997,16 @@ static u32 xilinx_dma_get_residue(struct xilinx_dma_chan *chan,
struct xilinx_cdma_tx_segment,
node);
cdma_hw = &cdma_seg->hw;
- residue += (cdma_hw->control - cdma_hw->status) &
- chan->xdev->max_buffer_len;
+ residue += (cdma_hw->control & chan->xdev->max_buffer_len) -
+ (cdma_hw->status & chan->xdev->max_buffer_len);
} else if (chan->xdev->dma_config->dmatype ==
XDMA_TYPE_AXIDMA) {
axidma_seg = list_entry(entry,
struct xilinx_axidma_tx_segment,
node);
axidma_hw = &axidma_seg->hw;
- residue += (axidma_hw->control - axidma_hw->status) &
- chan->xdev->max_buffer_len;
+ residue += (axidma_hw->control & chan->xdev->max_buffer_len) -
+ (axidma_hw->status & chan->xdev->max_buffer_len);
} else {
aximcdma_seg =
list_entry(entry,
@@ -1014,8 +1014,8 @@ static u32 xilinx_dma_get_residue(struct xilinx_dma_chan *chan,
node);
aximcdma_hw = &aximcdma_seg->hw;
residue +=
- (aximcdma_hw->control - aximcdma_hw->status) &
- chan->xdev->max_buffer_len;
+ (aximcdma_hw->control & chan->xdev->max_buffer_len) -
+ (aximcdma_hw->status & chan->xdev->max_buffer_len);
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 328/342] dmaengine: xilinx_dma: Fix reset related timeout with two-channel AXIDMA
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 327/342] dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 329/342] selftests/mount_setattr: increase tmpfs size for idmapped mount tests Greg Kroah-Hartman
` (30 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tomi Valkeinen, Vinod Koul,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
[ Upstream commit a17ce4bc6f4f9acf77ba416c36791a15602e53aa ]
A single AXIDMA controller can have one or two channels. When it has two
channels, the reset for both are tied together: resetting one channel
resets the other as well. This creates a problem where resetting one
channel will reset the registers for both channels, including clearing
interrupt enable bits for the other channel, which can then lead to
timeouts as the driver is waiting for an interrupt which never comes.
The driver currently has a probe-time work around for this: when a
channel is created, the driver also resets and enables the
interrupts. With two channels the reset for the second channel will
clear the interrupt enables for the first one. The work around in the
driver is just to manually enable the interrupts again in
xilinx_dma_alloc_chan_resources().
This workaround only addresses the probe-time issue. When channels are
reset at runtime (e.g., in xilinx_dma_terminate_all() or during error
recovery), there's no corresponding mechanism to restore the other
channel's interrupt enables. This leads to one channel having its
interrupts disabled while the driver expects them to work, causing
timeouts and DMA failures.
A proper fix is a complicated matter, as we should not reset the other
channel when it's operating normally. So, perhaps, there should be some
kind of synchronization for a common reset, which is not trivial to
implement. To add to the complexity, the driver also supports other DMA
types, like VDMA, CDMA and MCDMA, which don't have a shared reset.
However, when the two-channel AXIDMA is used in the (assumably) normal
use case, providing DMA for a single memory-to-memory device, the common
reset is a bit smaller issue: when something bad happens on one channel,
or when one channel is terminated, the assumption is that we also want
to terminate the other channel. And thus resetting both at the same time
is "ok".
With that line of thinking we can implement a bit better work around
than just the current probe time work around: let's enable the
AXIDMA interrupts at xilinx_dma_start_transfer() instead.
This ensures interrupts are enabled whenever a transfer starts,
regardless of any prior resets that may have cleared them.
This approach is also more logical: enable interrupts only when needed
for a transfer, rather than at resource allocation time, and, I think,
all the other DMA types should also use this model, but I'm reluctant to
do such changes as I cannot test them.
The reset function still enables interrupts even though it's not needed
for AXIDMA anymore, but it's common code for all DMA types (VDMA, CDMA,
MCDMA), so leave it unchanged to avoid affecting other variants.
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Fixes: c0bba3a99f07 ("dmaengine: vdma: Add Support for Xilinx AXI Direct Memory Access Engine")
Link: https://patch.msgid.link/20260311-xilinx-dma-fix-v2-1-a725abb66e3c@ideasonboard.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/xilinx/xilinx_dma.c | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
index 7b24d0a18ea53..7dec5e6babe14 100644
--- a/drivers/dma/xilinx/xilinx_dma.c
+++ b/drivers/dma/xilinx/xilinx_dma.c
@@ -1217,14 +1217,6 @@ static int xilinx_dma_alloc_chan_resources(struct dma_chan *dchan)
dma_cookie_init(dchan);
- if (chan->xdev->dma_config->dmatype == XDMA_TYPE_AXIDMA) {
- /* For AXI DMA resetting once channel will reset the
- * other channel as well so enable the interrupts here.
- */
- dma_ctrl_set(chan, XILINX_DMA_REG_DMACR,
- XILINX_DMA_DMAXR_ALL_IRQ_MASK);
- }
-
if ((chan->xdev->dma_config->dmatype == XDMA_TYPE_CDMA) && chan->has_sg)
dma_ctrl_set(chan, XILINX_DMA_REG_DMACR,
XILINX_CDMA_CR_SGMODE);
@@ -1594,6 +1586,7 @@ static void xilinx_dma_start_transfer(struct xilinx_dma_chan *chan)
head_desc->async_tx.phys);
reg &= ~XILINX_DMA_CR_DELAY_MAX;
reg |= chan->irq_delay << XILINX_DMA_CR_DELAY_SHIFT;
+ reg |= XILINX_DMA_DMAXR_ALL_IRQ_MASK;
dma_ctrl_write(chan, XILINX_DMA_REG_DMACR, reg);
xilinx_dma_start(chan);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 329/342] selftests/mount_setattr: increase tmpfs size for idmapped mount tests
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 328/342] dmaengine: xilinx_dma: Fix reset related timeout with two-channel AXIDMA Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 330/342] netfs: Fix read abandonment during retry Greg Kroah-Hartman
` (29 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Brauner, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
[ Upstream commit c465f5591aa84a6f85d66d152e28b92844a45d4f ]
The mount_setattr_idmapped fixture mounts a 2 MB tmpfs at /mnt and then
creates a 2 GB sparse ext4 image at /mnt/C/ext4.img. While ftruncate()
succeeds (sparse file), mkfs.ext4 needs to write actual metadata blocks
(inode tables, journal, bitmaps) which easily exceeds the 2 MB tmpfs
limit, causing ENOSPC and failing the fixture setup for all
mount_setattr_idmapped tests.
This was introduced by commit d37d4720c3e7 ("selftests/mount_settattr:
ensure that ext4 filesystem can be created") which increased the image
size from 2 MB to 2 GB but didn't adjust the tmpfs size.
Bump the tmpfs size to 256 MB which is sufficient for the ext4 metadata.
Fixes: d37d4720c3e7 ("selftests/mount_settattr: ensure that ext4 filesystem can be created")
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/mount_setattr/mount_setattr_test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/mount_setattr/mount_setattr_test.c b/tools/testing/selftests/mount_setattr/mount_setattr_test.c
index 7aec3ae82a446..c6dafb3cc1163 100644
--- a/tools/testing/selftests/mount_setattr/mount_setattr_test.c
+++ b/tools/testing/selftests/mount_setattr/mount_setattr_test.c
@@ -1020,7 +1020,7 @@ FIXTURE_SETUP(mount_setattr_idmapped)
"size=100000,mode=700"), 0);
ASSERT_EQ(mount("testing", "/mnt", "tmpfs", MS_NOATIME | MS_NODEV,
- "size=2m,mode=700"), 0);
+ "size=256m,mode=700"), 0);
ASSERT_EQ(mkdir("/mnt/A", 0777), 0);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 330/342] netfs: Fix read abandonment during retry
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 329/342] selftests/mount_setattr: increase tmpfs size for idmapped mount tests Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 331/342] btrfs: fix super block offset in error message in btrfs_validate_super() Greg Kroah-Hartman
` (28 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells,
Paulo Alcantara (Red Hat), netfs, linux-fsdevel,
Christian Brauner, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 7e57523490cd2efb52b1ea97f2e0a74c0fb634cd ]
Under certain circumstances, all the remaining subrequests from a read
request will get abandoned during retry. The abandonment process expects
the 'subreq' variable to be set to the place to start abandonment from, but
it doesn't always have a useful value (it will be uninitialised on the
first pass through the loop and it may point to a deleted subrequest on
later passes).
Fix the first jump to "abandon:" to set subreq to the start of the first
subrequest expected to need retry (which, in this abandonment case, turned
out unexpectedly to no longer have NEED_RETRY set).
Also clear the subreq pointer after discarding superfluous retryable
subrequests to cause an oops if we do try to access it.
Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/3775287.1773848338@warthog.procyon.org.uk
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
cc: Paulo Alcantara <pc@manguebit.org>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/read_retry.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/netfs/read_retry.c b/fs/netfs/read_retry.c
index 7793ba5e3e8fc..cca9ac43c0773 100644
--- a/fs/netfs/read_retry.c
+++ b/fs/netfs/read_retry.c
@@ -93,8 +93,10 @@ static void netfs_retry_read_subrequests(struct netfs_io_request *rreq)
from->start, from->transferred, from->len);
if (test_bit(NETFS_SREQ_FAILED, &from->flags) ||
- !test_bit(NETFS_SREQ_NEED_RETRY, &from->flags))
+ !test_bit(NETFS_SREQ_NEED_RETRY, &from->flags)) {
+ subreq = from;
goto abandon;
+ }
list_for_each_continue(next, &stream->subrequests) {
subreq = list_entry(next, struct netfs_io_subrequest, rreq_link);
@@ -178,6 +180,7 @@ static void netfs_retry_read_subrequests(struct netfs_io_request *rreq)
if (subreq == to)
break;
}
+ subreq = NULL;
continue;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 331/342] btrfs: fix super block offset in error message in btrfs_validate_super()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 330/342] netfs: Fix read abandonment during retry Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 332/342] btrfs: fix leak of kobject name for sub-group space_info Greg Kroah-Hartman
` (27 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Mark Harmstone,
David Sterba, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Harmstone <mark@harmstone.com>
[ Upstream commit b52fe51f724385b3ed81e37e510a4a33107e8161 ]
Fix the superblock offset mismatch error message in
btrfs_validate_super(): we changed it so that it considers all the
superblocks, but the message still assumes we're only looking at the
first one.
The change from %u to %llu is because we're changing from a constant to
a u64.
Fixes: 069ec957c35e ("btrfs: Refactor btrfs_check_super_valid")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Mark Harmstone <mark@harmstone.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/disk-io.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 6d2dcd023cc6f..8df7eb7f01e90 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -2503,8 +2503,8 @@ int btrfs_validate_super(const struct btrfs_fs_info *fs_info,
if (mirror_num >= 0 &&
btrfs_super_bytenr(sb) != btrfs_sb_offset(mirror_num)) {
- btrfs_err(fs_info, "super offset mismatch %llu != %u",
- btrfs_super_bytenr(sb), BTRFS_SUPER_INFO_OFFSET);
+ btrfs_err(fs_info, "super offset mismatch %llu != %llu",
+ btrfs_super_bytenr(sb), btrfs_sb_offset(mirror_num));
ret = -EINVAL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 332/342] btrfs: fix leak of kobject name for sub-group space_info
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 331/342] btrfs: fix super block offset in error message in btrfs_validate_super() Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 333/342] btrfs: fix lost error when running device stats on multiple devices fs Greg Kroah-Hartman
` (26 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn,
Shinichiro Kawasaki, David Sterba, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
[ Upstream commit a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41 ]
When create_space_info_sub_group() allocates elements of
space_info->sub_group[], kobject_init_and_add() is called for each
element via btrfs_sysfs_add_space_info_type(). However, when
check_removing_space_info() frees these elements, it does not call
btrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is
not called and the associated kobj->name objects are leaked.
This memory leak is reproduced by running the blktests test case
zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak
feature reports the following error:
unreferenced object 0xffff888112877d40 (size 16):
comm "mount", pid 1244, jiffies 4294996972
hex dump (first 16 bytes):
64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc......
backtrace (crc 53ffde4d):
__kmalloc_node_track_caller_noprof+0x619/0x870
kstrdup+0x42/0xc0
kobject_set_name_vargs+0x44/0x110
kobject_init_and_add+0xcf/0x150
btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs]
create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs]
create_space_info+0x211/0x320 [btrfs]
btrfs_init_space_info+0x15a/0x1b0 [btrfs]
open_ctree+0x33c7/0x4a50 [btrfs]
btrfs_get_tree.cold+0x9f/0x1ee [btrfs]
vfs_get_tree+0x87/0x2f0
vfs_cmd_create+0xbd/0x280
__do_sys_fsconfig+0x3df/0x990
do_syscall_64+0x136/0x1540
entry_SYSCALL_64_after_hwframe+0x76/0x7e
To avoid the leak, call btrfs_sysfs_remove_space_info() instead of
kfree() for the elements.
Fixes: f92ee31e031c ("btrfs: introduce btrfs_space_info sub-group")
Link: https://lore.kernel.org/linux-block/b9488881-f18d-4f47-91a5-3c9bf63955a5@wdc.com/
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/block-group.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c
index 25a0d207f10c9..4b73ccefcbcba 100644
--- a/fs/btrfs/block-group.c
+++ b/fs/btrfs/block-group.c
@@ -4466,7 +4466,7 @@ static void check_removing_space_info(struct btrfs_space_info *space_info)
for (int i = 0; i < BTRFS_SPACE_INFO_SUB_GROUP_MAX; i++) {
if (space_info->sub_group[i]) {
check_removing_space_info(space_info->sub_group[i]);
- kfree(space_info->sub_group[i]);
+ btrfs_sysfs_remove_space_info(space_info->sub_group[i]);
space_info->sub_group[i] = NULL;
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 333/342] btrfs: fix lost error when running device stats on multiple devices fs
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 332/342] btrfs: fix leak of kobject name for sub-group space_info Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 334/342] xen/privcmd: unregister xenstore notifier on module exit Greg Kroah-Hartman
` (25 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, David Sterba,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 1c37d896b12dfd0d4c96e310b0033c6676933917 ]
Whenever we get an error updating the device stats item for a device in
btrfs_run_dev_stats() we allow the loop to go to the next device, and if
updating the stats item for the next device succeeds, we end up losing
the error we had from the previous device.
Fix this by breaking out of the loop once we get an error and make sure
it's returned to the caller. Since we are in the transaction commit path
(and in the critical section actually), returning the error will result
in a transaction abort.
Fixes: 733f4fbbc108 ("Btrfs: read device stats on mount, write modified ones during commit")
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/volumes.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index fbf23d20cce01..052b830a0b66e 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -7874,8 +7874,9 @@ int btrfs_run_dev_stats(struct btrfs_trans_handle *trans)
smp_rmb();
ret = update_dev_stat_item(trans, device);
- if (!ret)
- atomic_sub(stats_cnt, &device->dev_stats_ccnt);
+ if (ret)
+ break;
+ atomic_sub(stats_cnt, &device->dev_stats_ccnt);
}
mutex_unlock(&fs_devices->device_list_mutex);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 334/342] xen/privcmd: unregister xenstore notifier on module exit
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 333/342] btrfs: fix lost error when running device stats on multiple devices fs Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 335/342] netfs: Fix the handling of stream->front by removing it Greg Kroah-Hartman
` (24 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, GuoHan Zhao, Juergen Gross,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: GuoHan Zhao <zhaoguohan@kylinos.cn>
[ Upstream commit cd7e1fef5a1ca1c4fcd232211962ac2395601636 ]
Commit 453b8fb68f36 ("xen/privcmd: restrict usage in
unprivileged domU") added a xenstore notifier to defer setting the
restriction target until Xenstore is ready.
XEN_PRIVCMD can be built as a module, but privcmd_exit() leaves that
notifier behind. Balance the notifier lifecycle by unregistering it on
module exit.
This is harmless even if xenstore was already ready at registration
time and the notifier was never queued on the chain.
Fixes: 453b8fb68f3641fe ("xen/privcmd: restrict usage in unprivileged domU")
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20260325120246.252899-1-zhaoguohan@kylinos.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/xen/privcmd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
index b8a546fe7c1e2..cbc62f0df11b7 100644
--- a/drivers/xen/privcmd.c
+++ b/drivers/xen/privcmd.c
@@ -1764,6 +1764,9 @@ static int __init privcmd_init(void)
static void __exit privcmd_exit(void)
{
+ if (!xen_initial_domain())
+ unregister_xenstore_notifier(&xenstore_notifier);
+
privcmd_ioeventfd_exit();
privcmd_irqfd_exit();
misc_deregister(&privcmd_dev);
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 335/342] netfs: Fix the handling of stream->front by removing it
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 334/342] xen/privcmd: unregister xenstore notifier on module exit Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 336/342] irqchip/renesas-rzv2h: Fix error path in rzv2h_icu_probe_common() Greg Kroah-Hartman
` (23 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara, David Howells,
netfs, linux-fsdevel, Christian Brauner, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 0e764b9d46071668969410ec5429be0e2f38c6d3 ]
The netfs_io_stream::front member is meant to point to the subrequest
currently being collected on a stream, but it isn't actually used this way
by direct write (which mostly ignores it). However, there's a tracepoint
which looks at it. Further, stream->front is actually redundant with
stream->subrequests.next.
Fix the potential problem in the direct code by just removing the member
and using stream->subrequests.next instead, thereby also simplifying the
code.
Fixes: a0b4c7a49137 ("netfs: Fix unbuffered/DIO writes to dispatch subrequests in strict sequence")
Reported-by: Paulo Alcantara <pc@manguebit.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/4158599.1774426817@warthog.procyon.org.uk
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/buffered_read.c | 3 +--
fs/netfs/direct_read.c | 3 +--
fs/netfs/direct_write.c | 1 -
fs/netfs/read_collect.c | 4 ++--
fs/netfs/read_single.c | 1 -
fs/netfs/write_collect.c | 4 ++--
fs/netfs/write_issue.c | 3 +--
include/linux/netfs.h | 1 -
include/trace/events/netfs.h | 8 ++++----
9 files changed, 11 insertions(+), 17 deletions(-)
diff --git a/fs/netfs/buffered_read.c b/fs/netfs/buffered_read.c
index 37ab6f28b5ad0..88361e8c70961 100644
--- a/fs/netfs/buffered_read.c
+++ b/fs/netfs/buffered_read.c
@@ -171,9 +171,8 @@ static void netfs_queue_read(struct netfs_io_request *rreq,
spin_lock(&rreq->lock);
list_add_tail(&subreq->rreq_link, &stream->subrequests);
if (list_is_first(&subreq->rreq_link, &stream->subrequests)) {
- stream->front = subreq;
if (!stream->active) {
- stream->collected_to = stream->front->start;
+ stream->collected_to = subreq->start;
/* Store list pointers before active flag */
smp_store_release(&stream->active, true);
}
diff --git a/fs/netfs/direct_read.c b/fs/netfs/direct_read.c
index a498ee8d66745..f72e6da88cca7 100644
--- a/fs/netfs/direct_read.c
+++ b/fs/netfs/direct_read.c
@@ -71,9 +71,8 @@ static int netfs_dispatch_unbuffered_reads(struct netfs_io_request *rreq)
spin_lock(&rreq->lock);
list_add_tail(&subreq->rreq_link, &stream->subrequests);
if (list_is_first(&subreq->rreq_link, &stream->subrequests)) {
- stream->front = subreq;
if (!stream->active) {
- stream->collected_to = stream->front->start;
+ stream->collected_to = subreq->start;
/* Store list pointers before active flag */
smp_store_release(&stream->active, true);
}
diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index 4d9760e36c119..f9ab69de3e298 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -111,7 +111,6 @@ static int netfs_unbuffered_write(struct netfs_io_request *wreq)
netfs_prepare_write(wreq, stream, wreq->start + wreq->transferred);
subreq = stream->construct;
stream->construct = NULL;
- stream->front = NULL;
}
/* Check if (re-)preparation failed. */
diff --git a/fs/netfs/read_collect.c b/fs/netfs/read_collect.c
index 137f0e28a44c5..e5f6665b3341e 100644
--- a/fs/netfs/read_collect.c
+++ b/fs/netfs/read_collect.c
@@ -205,7 +205,8 @@ static void netfs_collect_read_results(struct netfs_io_request *rreq)
* in progress. The issuer thread may be adding stuff to the tail
* whilst we're doing this.
*/
- front = READ_ONCE(stream->front);
+ front = list_first_entry_or_null(&stream->subrequests,
+ struct netfs_io_subrequest, rreq_link);
while (front) {
size_t transferred;
@@ -301,7 +302,6 @@ static void netfs_collect_read_results(struct netfs_io_request *rreq)
list_del_init(&front->rreq_link);
front = list_first_entry_or_null(&stream->subrequests,
struct netfs_io_subrequest, rreq_link);
- stream->front = front;
spin_unlock(&rreq->lock);
netfs_put_subrequest(remove,
notes & ABANDON_SREQ ?
diff --git a/fs/netfs/read_single.c b/fs/netfs/read_single.c
index 8e6264f62a8f3..d0e23bc42445f 100644
--- a/fs/netfs/read_single.c
+++ b/fs/netfs/read_single.c
@@ -107,7 +107,6 @@ static int netfs_single_dispatch_read(struct netfs_io_request *rreq)
spin_lock(&rreq->lock);
list_add_tail(&subreq->rreq_link, &stream->subrequests);
trace_netfs_sreq(subreq, netfs_sreq_trace_added);
- stream->front = subreq;
/* Store list pointers before active flag */
smp_store_release(&stream->active, true);
spin_unlock(&rreq->lock);
diff --git a/fs/netfs/write_collect.c b/fs/netfs/write_collect.c
index 83eb3dc1adf8a..b194447f4b111 100644
--- a/fs/netfs/write_collect.c
+++ b/fs/netfs/write_collect.c
@@ -228,7 +228,8 @@ static void netfs_collect_write_results(struct netfs_io_request *wreq)
if (!smp_load_acquire(&stream->active))
continue;
- front = stream->front;
+ front = list_first_entry_or_null(&stream->subrequests,
+ struct netfs_io_subrequest, rreq_link);
while (front) {
trace_netfs_collect_sreq(wreq, front);
//_debug("sreq [%x] %llx %zx/%zx",
@@ -279,7 +280,6 @@ static void netfs_collect_write_results(struct netfs_io_request *wreq)
list_del_init(&front->rreq_link);
front = list_first_entry_or_null(&stream->subrequests,
struct netfs_io_subrequest, rreq_link);
- stream->front = front;
spin_unlock(&wreq->lock);
netfs_put_subrequest(remove,
notes & SAW_FAILURE ?
diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c
index 437268f656409..2db688f941251 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -206,9 +206,8 @@ void netfs_prepare_write(struct netfs_io_request *wreq,
spin_lock(&wreq->lock);
list_add_tail(&subreq->rreq_link, &stream->subrequests);
if (list_is_first(&subreq->rreq_link, &stream->subrequests)) {
- stream->front = subreq;
if (!stream->active) {
- stream->collected_to = stream->front->start;
+ stream->collected_to = subreq->start;
/* Write list pointers before active flag */
smp_store_release(&stream->active, true);
}
diff --git a/include/linux/netfs.h b/include/linux/netfs.h
index 72ee7d210a744..ba17ac5bf356a 100644
--- a/include/linux/netfs.h
+++ b/include/linux/netfs.h
@@ -140,7 +140,6 @@ struct netfs_io_stream {
void (*issue_write)(struct netfs_io_subrequest *subreq);
/* Collection tracking */
struct list_head subrequests; /* Contributory I/O operations */
- struct netfs_io_subrequest *front; /* Op being collected */
unsigned long long collected_to; /* Position we've collected results to */
size_t transferred; /* The amount transferred from this stream */
unsigned short error; /* Aggregate error for the stream */
diff --git a/include/trace/events/netfs.h b/include/trace/events/netfs.h
index 2d366be46a1c3..cbe28211106c5 100644
--- a/include/trace/events/netfs.h
+++ b/include/trace/events/netfs.h
@@ -740,19 +740,19 @@ TRACE_EVENT(netfs_collect_stream,
__field(unsigned int, wreq)
__field(unsigned char, stream)
__field(unsigned long long, collected_to)
- __field(unsigned long long, front)
+ __field(unsigned long long, issued_to)
),
TP_fast_assign(
__entry->wreq = wreq->debug_id;
__entry->stream = stream->stream_nr;
__entry->collected_to = stream->collected_to;
- __entry->front = stream->front ? stream->front->start : UINT_MAX;
+ __entry->issued_to = atomic64_read(&wreq->issued_to);
),
- TP_printk("R=%08x[%x:] cto=%llx frn=%llx",
+ TP_printk("R=%08x[%x:] cto=%llx ito=%llx",
__entry->wreq, __entry->stream,
- __entry->collected_to, __entry->front)
+ __entry->collected_to, __entry->issued_to)
);
TRACE_EVENT(netfs_folioq,
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 336/342] irqchip/renesas-rzv2h: Fix error path in rzv2h_icu_probe_common()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 335/342] netfs: Fix the handling of stream->front by removing it Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 337/342] futex: Require sys_futex_requeue() to have identical flags Greg Kroah-Hartman
` (22 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Biju Das, Thomas Gleixner,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit 897cf98926429c8671a9009442883c2f62deae96 ]
Replace pm_runtime_put() with pm_runtime_put_sync() when
irq_domain_create_hierarchy() fails to ensure the device suspends
synchronously before devres cleanup disables runtime PM via
pm_runtime_disable().
Fixes: 5ec8cabc3b86 ("irqchip/renesas-rzv2h: Use devm_pm_runtime_enable()")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260323124917.41602-1-biju.das.jz@bp.renesas.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-renesas-rzv2h.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/irqchip/irq-renesas-rzv2h.c b/drivers/irqchip/irq-renesas-rzv2h.c
index 9b487120f0113..85eb194dfe3b2 100644
--- a/drivers/irqchip/irq-renesas-rzv2h.c
+++ b/drivers/irqchip/irq-renesas-rzv2h.c
@@ -567,7 +567,7 @@ static int rzv2h_icu_probe_common(struct platform_device *pdev, struct device_no
return 0;
pm_put:
- pm_runtime_put(&pdev->dev);
+ pm_runtime_put_sync(&pdev->dev);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 337/342] futex: Require sys_futex_requeue() to have identical flags
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 336/342] irqchip/renesas-rzv2h: Fix error path in rzv2h_icu_probe_common() Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 338/342] futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy() Greg Kroah-Hartman
` (21 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicholas Carlini,
Peter Zijlstra (Intel), Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 19f94b39058681dec64a10ebeb6f23fe7fc3f77a ]
Nicholas reported that his LLM found it was possible to create a UaF
when sys_futex_requeue() is used with different flags. The initial
motivation for allowing different flags was the variable sized futex,
but since that hasn't been merged (yet), simply mandate the flags are
identical, as is the case for the old style sys_futex() requeue
operations.
Fixes: 0f4b5f972216 ("futex: Add sys_futex_requeue()")
Reported-by: Nicholas Carlini <npc@anthropic.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/futex/syscalls.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/kernel/futex/syscalls.c b/kernel/futex/syscalls.c
index 880c9bf2f3150..99723189c8cf7 100644
--- a/kernel/futex/syscalls.c
+++ b/kernel/futex/syscalls.c
@@ -459,6 +459,14 @@ SYSCALL_DEFINE4(futex_requeue,
if (ret)
return ret;
+ /*
+ * For now mandate both flags are identical, like the sys_futex()
+ * interface has. If/when we merge the variable sized futex support,
+ * that patch can modify this test to allow a difference in size.
+ */
+ if (futexes[0].w.flags != futexes[1].w.flags)
+ return -EINVAL;
+
cmpval = futexes[0].w.val;
return futex_requeue(u64_to_user_ptr(futexes[0].w.uaddr), futexes[0].w.flags,
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 338/342] futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 337/342] futex: Require sys_futex_requeue() to have identical flags Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 339/342] ext4: introduce EXPORT_SYMBOL_FOR_EXT4_TEST() helper Greg Kroah-Hartman
` (20 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hao-Yu Yang, Eric Dumazet,
Peter Zijlstra (Intel), David Hildenbrand (Arm), Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hao-Yu Yang <naup96721@gmail.com>
[ Upstream commit 190a8c48ff623c3d67cb295b4536a660db2012aa ]
During futex_key_to_node_opt() execution, vma->vm_policy is read under
speculative mmap lock and RCU. Concurrently, mbind() may call
vma_replace_policy() which frees the old mempolicy immediately via
kmem_cache_free().
This creates a race where __futex_key_to_node() dereferences a freed
mempolicy pointer, causing a use-after-free read of mpol->mode.
[ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87
[ 151.415969] Call Trace:
[ 151.416732] __asan_load2 (mm/kasan/generic.c:271)
[ 151.416777] __futex_key_to_node (kernel/futex/core.c:349)
[ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)
Fix by adding rcu to __mpol_put().
Fixes: c042c505210d ("futex: Implement FUTEX2_MPOL")
Reported-by: Hao-Yu Yang <naup96721@gmail.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Hao-Yu Yang <naup96721@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Link: https://patch.msgid.link/20260324174418.GB1850007@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/mempolicy.h | 1 +
kernel/futex/core.c | 2 +-
mm/mempolicy.c | 10 ++++++++--
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/include/linux/mempolicy.h b/include/linux/mempolicy.h
index 0fe96f3ab3ef0..65c732d440d2f 100644
--- a/include/linux/mempolicy.h
+++ b/include/linux/mempolicy.h
@@ -55,6 +55,7 @@ struct mempolicy {
nodemask_t cpuset_mems_allowed; /* relative to these nodes */
nodemask_t user_nodemask; /* nodemask passed by user */
} w;
+ struct rcu_head rcu;
};
/*
diff --git a/kernel/futex/core.c b/kernel/futex/core.c
index cf7e610eac429..31e83a09789e0 100644
--- a/kernel/futex/core.c
+++ b/kernel/futex/core.c
@@ -342,7 +342,7 @@ static int __futex_key_to_node(struct mm_struct *mm, unsigned long addr)
if (!vma)
return FUTEX_NO_NODE;
- mpol = vma_policy(vma);
+ mpol = READ_ONCE(vma->vm_policy);
if (!mpol)
return FUTEX_NO_NODE;
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 68a98ba578821..74ebf38a7db1a 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -488,7 +488,13 @@ void __mpol_put(struct mempolicy *pol)
{
if (!atomic_dec_and_test(&pol->refcnt))
return;
- kmem_cache_free(policy_cache, pol);
+ /*
+ * Required to allow mmap_lock_speculative*() access, see for example
+ * futex_key_to_node_opt(). All accesses are serialized by mmap_lock,
+ * however the speculative lock section unbound by the normal lock
+ * boundaries, requiring RCU freeing.
+ */
+ kfree_rcu(pol, rcu);
}
EXPORT_SYMBOL_FOR_MODULES(__mpol_put, "kvm");
@@ -1021,7 +1027,7 @@ static int vma_replace_policy(struct vm_area_struct *vma,
}
old = vma->vm_policy;
- vma->vm_policy = new; /* protected by mmap_lock */
+ WRITE_ONCE(vma->vm_policy, new); /* protected by mmap_lock */
mpol_put(old);
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 339/342] ext4: introduce EXPORT_SYMBOL_FOR_EXT4_TEST() helper
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 338/342] futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy() Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 340/342] ext4: fix mballoc-test.c is not compiled when EXT4_KUNIT_TESTS=M Greg Kroah-Hartman
` (19 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Jan Kara, Theodore Tso,
Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 49504a512587147dd6da3b4b08832ccc157b97dc ]
Introduce EXPORT_SYMBOL_FOR_EXT4_TEST() helper for kuint test.
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20260314075258.1317579-2-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 519b76ac0b31 ("ext4: fix mballoc-test.c is not compiled when EXT4_KUNIT_TESTS=M")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/ext4.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index d4a98ff58076f..f1c476303f3a9 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -3953,6 +3953,11 @@ static inline bool ext4_inode_can_atomic_write(struct inode *inode)
extern int ext4_block_write_begin(handle_t *handle, struct folio *folio,
loff_t pos, unsigned len,
get_block_t *get_block);
+
+#if IS_ENABLED(CONFIG_EXT4_KUNIT_TESTS)
+#define EXPORT_SYMBOL_FOR_EXT4_TEST(sym) \
+ EXPORT_SYMBOL_FOR_MODULES(sym, "ext4-test")
+#endif
#endif /* __KERNEL__ */
#define EFSBADCRC EBADMSG /* Bad CRC detected */
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 340/342] ext4: fix mballoc-test.c is not compiled when EXT4_KUNIT_TESTS=M
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 339/342] ext4: introduce EXPORT_SYMBOL_FOR_EXT4_TEST() helper Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 341/342] bug: avoid format attribute warning for clang as well Greg Kroah-Hartman
` (18 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ChenXiaoSong, Ye Bin, Jan Kara,
Theodore Tso, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 519b76ac0b31d86b45784735d4ef964e8efdc56b ]
Now, only EXT4_KUNIT_TESTS=Y testcase will be compiled in 'mballoc.c'.
To solve this issue, the ext4 test code needs to be decoupled. The ext4
test module is compiled into a separate module.
Reported-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Closes: https://patchwork.kernel.org/project/cifs-client/patch/20260118091313.1988168-2-chenxiaosong.chenxiaosong@linux.dev/
Fixes: 7c9fa399a369 ("ext4: add first unit test for ext4_mb_new_blocks_simple in mballoc")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20260314075258.1317579-3-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/Makefile | 4 +-
fs/ext4/mballoc-test.c | 81 ++++++++++++++++----------------
fs/ext4/mballoc.c | 102 +++++++++++++++++++++++++++++++++++++++--
fs/ext4/mballoc.h | 30 ++++++++++++
4 files changed, 172 insertions(+), 45 deletions(-)
diff --git a/fs/ext4/Makefile b/fs/ext4/Makefile
index 72206a2926765..d836c3fe311b5 100644
--- a/fs/ext4/Makefile
+++ b/fs/ext4/Makefile
@@ -14,7 +14,7 @@ ext4-y := balloc.o bitmap.o block_validity.o dir.o ext4_jbd2.o extents.o \
ext4-$(CONFIG_EXT4_FS_POSIX_ACL) += acl.o
ext4-$(CONFIG_EXT4_FS_SECURITY) += xattr_security.o
-ext4-inode-test-objs += inode-test.o
-obj-$(CONFIG_EXT4_KUNIT_TESTS) += ext4-inode-test.o
+ext4-test-objs += inode-test.o mballoc-test.o
+obj-$(CONFIG_EXT4_KUNIT_TESTS) += ext4-test.o
ext4-$(CONFIG_FS_VERITY) += verity.o
ext4-$(CONFIG_FS_ENCRYPTION) += crypto.o
diff --git a/fs/ext4/mballoc-test.c b/fs/ext4/mballoc-test.c
index 4abb40d4561ce..749ed2fc22415 100644
--- a/fs/ext4/mballoc-test.c
+++ b/fs/ext4/mballoc-test.c
@@ -8,6 +8,7 @@
#include <linux/random.h>
#include "ext4.h"
+#include "mballoc.h"
struct mbt_grp_ctx {
struct buffer_head bitmap_bh;
@@ -337,7 +338,7 @@ ext4_mb_mark_context_stub(handle_t *handle, struct super_block *sb, bool state,
if (state)
mb_set_bits(bitmap_bh->b_data, blkoff, len);
else
- mb_clear_bits(bitmap_bh->b_data, blkoff, len);
+ mb_clear_bits_test(bitmap_bh->b_data, blkoff, len);
return 0;
}
@@ -414,14 +415,14 @@ static void test_new_blocks_simple(struct kunit *test)
/* get block at goal */
ar.goal = ext4_group_first_block_no(sb, goal_group);
- found = ext4_mb_new_blocks_simple(&ar, &err);
+ found = ext4_mb_new_blocks_simple_test(&ar, &err);
KUNIT_ASSERT_EQ_MSG(test, ar.goal, found,
"failed to alloc block at goal, expected %llu found %llu",
ar.goal, found);
/* get block after goal in goal group */
ar.goal = ext4_group_first_block_no(sb, goal_group);
- found = ext4_mb_new_blocks_simple(&ar, &err);
+ found = ext4_mb_new_blocks_simple_test(&ar, &err);
KUNIT_ASSERT_EQ_MSG(test, ar.goal + EXT4_C2B(sbi, 1), found,
"failed to alloc block after goal in goal group, expected %llu found %llu",
ar.goal + 1, found);
@@ -429,7 +430,7 @@ static void test_new_blocks_simple(struct kunit *test)
/* get block after goal group */
mbt_ctx_mark_used(sb, goal_group, 0, EXT4_CLUSTERS_PER_GROUP(sb));
ar.goal = ext4_group_first_block_no(sb, goal_group);
- found = ext4_mb_new_blocks_simple(&ar, &err);
+ found = ext4_mb_new_blocks_simple_test(&ar, &err);
KUNIT_ASSERT_EQ_MSG(test,
ext4_group_first_block_no(sb, goal_group + 1), found,
"failed to alloc block after goal group, expected %llu found %llu",
@@ -439,7 +440,7 @@ static void test_new_blocks_simple(struct kunit *test)
for (i = goal_group; i < ext4_get_groups_count(sb); i++)
mbt_ctx_mark_used(sb, i, 0, EXT4_CLUSTERS_PER_GROUP(sb));
ar.goal = ext4_group_first_block_no(sb, goal_group);
- found = ext4_mb_new_blocks_simple(&ar, &err);
+ found = ext4_mb_new_blocks_simple_test(&ar, &err);
KUNIT_ASSERT_EQ_MSG(test,
ext4_group_first_block_no(sb, 0) + EXT4_C2B(sbi, 1), found,
"failed to alloc block before goal group, expected %llu found %llu",
@@ -449,7 +450,7 @@ static void test_new_blocks_simple(struct kunit *test)
for (i = 0; i < ext4_get_groups_count(sb); i++)
mbt_ctx_mark_used(sb, i, 0, EXT4_CLUSTERS_PER_GROUP(sb));
ar.goal = ext4_group_first_block_no(sb, goal_group);
- found = ext4_mb_new_blocks_simple(&ar, &err);
+ found = ext4_mb_new_blocks_simple_test(&ar, &err);
KUNIT_ASSERT_NE_MSG(test, err, 0,
"unexpectedly get block when no block is available");
}
@@ -493,16 +494,16 @@ validate_free_blocks_simple(struct kunit *test, struct super_block *sb,
continue;
bitmap = mbt_ctx_bitmap(sb, i);
- bit = mb_find_next_zero_bit(bitmap, max, 0);
+ bit = mb_find_next_zero_bit_test(bitmap, max, 0);
KUNIT_ASSERT_EQ_MSG(test, bit, max,
"free block on unexpected group %d", i);
}
bitmap = mbt_ctx_bitmap(sb, goal_group);
- bit = mb_find_next_zero_bit(bitmap, max, 0);
+ bit = mb_find_next_zero_bit_test(bitmap, max, 0);
KUNIT_ASSERT_EQ(test, bit, start);
- bit = mb_find_next_bit(bitmap, max, bit + 1);
+ bit = mb_find_next_bit_test(bitmap, max, bit + 1);
KUNIT_ASSERT_EQ(test, bit, start + len);
}
@@ -525,7 +526,7 @@ test_free_blocks_simple_range(struct kunit *test, ext4_group_t goal_group,
block = ext4_group_first_block_no(sb, goal_group) +
EXT4_C2B(sbi, start);
- ext4_free_blocks_simple(inode, block, len);
+ ext4_free_blocks_simple_test(inode, block, len);
validate_free_blocks_simple(test, sb, goal_group, start, len);
mbt_ctx_mark_used(sb, goal_group, 0, EXT4_CLUSTERS_PER_GROUP(sb));
}
@@ -567,15 +568,15 @@ test_mark_diskspace_used_range(struct kunit *test,
bitmap = mbt_ctx_bitmap(sb, TEST_GOAL_GROUP);
memset(bitmap, 0, sb->s_blocksize);
- ret = ext4_mb_mark_diskspace_used(ac, NULL);
+ ret = ext4_mb_mark_diskspace_used_test(ac, NULL);
KUNIT_ASSERT_EQ(test, ret, 0);
max = EXT4_CLUSTERS_PER_GROUP(sb);
- i = mb_find_next_bit(bitmap, max, 0);
+ i = mb_find_next_bit_test(bitmap, max, 0);
KUNIT_ASSERT_EQ(test, i, start);
- i = mb_find_next_zero_bit(bitmap, max, i + 1);
+ i = mb_find_next_zero_bit_test(bitmap, max, i + 1);
KUNIT_ASSERT_EQ(test, i, start + len);
- i = mb_find_next_bit(bitmap, max, i + 1);
+ i = mb_find_next_bit_test(bitmap, max, i + 1);
KUNIT_ASSERT_EQ(test, max, i);
}
@@ -618,54 +619,54 @@ static void mbt_generate_buddy(struct super_block *sb, void *buddy,
max = EXT4_CLUSTERS_PER_GROUP(sb);
bb_h = buddy + sbi->s_mb_offsets[1];
- off = mb_find_next_zero_bit(bb, max, 0);
+ off = mb_find_next_zero_bit_test(bb, max, 0);
grp->bb_first_free = off;
while (off < max) {
grp->bb_counters[0]++;
grp->bb_free++;
- if (!(off & 1) && !mb_test_bit(off + 1, bb)) {
+ if (!(off & 1) && !mb_test_bit_test(off + 1, bb)) {
grp->bb_free++;
grp->bb_counters[0]--;
- mb_clear_bit(off >> 1, bb_h);
+ mb_clear_bit_test(off >> 1, bb_h);
grp->bb_counters[1]++;
grp->bb_largest_free_order = 1;
off++;
}
- off = mb_find_next_zero_bit(bb, max, off + 1);
+ off = mb_find_next_zero_bit_test(bb, max, off + 1);
}
for (order = 1; order < MB_NUM_ORDERS(sb) - 1; order++) {
bb = buddy + sbi->s_mb_offsets[order];
bb_h = buddy + sbi->s_mb_offsets[order + 1];
max = max >> 1;
- off = mb_find_next_zero_bit(bb, max, 0);
+ off = mb_find_next_zero_bit_test(bb, max, 0);
while (off < max) {
- if (!(off & 1) && !mb_test_bit(off + 1, bb)) {
+ if (!(off & 1) && !mb_test_bit_test(off + 1, bb)) {
mb_set_bits(bb, off, 2);
grp->bb_counters[order] -= 2;
- mb_clear_bit(off >> 1, bb_h);
+ mb_clear_bit_test(off >> 1, bb_h);
grp->bb_counters[order + 1]++;
grp->bb_largest_free_order = order + 1;
off++;
}
- off = mb_find_next_zero_bit(bb, max, off + 1);
+ off = mb_find_next_zero_bit_test(bb, max, off + 1);
}
}
max = EXT4_CLUSTERS_PER_GROUP(sb);
- off = mb_find_next_zero_bit(bitmap, max, 0);
+ off = mb_find_next_zero_bit_test(bitmap, max, 0);
while (off < max) {
grp->bb_fragments++;
- off = mb_find_next_bit(bitmap, max, off + 1);
+ off = mb_find_next_bit_test(bitmap, max, off + 1);
if (off + 1 >= max)
break;
- off = mb_find_next_zero_bit(bitmap, max, off + 1);
+ off = mb_find_next_zero_bit_test(bitmap, max, off + 1);
}
}
@@ -707,7 +708,7 @@ do_test_generate_buddy(struct kunit *test, struct super_block *sb, void *bitmap,
/* needed by validation in ext4_mb_generate_buddy */
ext4_grp->bb_free = mbt_grp->bb_free;
memset(ext4_buddy, 0xff, sb->s_blocksize);
- ext4_mb_generate_buddy(sb, ext4_buddy, bitmap, TEST_GOAL_GROUP,
+ ext4_mb_generate_buddy_test(sb, ext4_buddy, bitmap, TEST_GOAL_GROUP,
ext4_grp);
KUNIT_ASSERT_EQ(test, memcmp(mbt_buddy, ext4_buddy, sb->s_blocksize),
@@ -761,7 +762,7 @@ test_mb_mark_used_range(struct kunit *test, struct ext4_buddy *e4b,
ex.fe_group = TEST_GOAL_GROUP;
ext4_lock_group(sb, TEST_GOAL_GROUP);
- mb_mark_used(e4b, &ex);
+ mb_mark_used_test(e4b, &ex);
ext4_unlock_group(sb, TEST_GOAL_GROUP);
mb_set_bits(bitmap, start, len);
@@ -770,7 +771,7 @@ test_mb_mark_used_range(struct kunit *test, struct ext4_buddy *e4b,
memset(buddy, 0xff, sb->s_blocksize);
for (i = 0; i < MB_NUM_ORDERS(sb); i++)
grp->bb_counters[i] = 0;
- ext4_mb_generate_buddy(sb, buddy, bitmap, 0, grp);
+ ext4_mb_generate_buddy_test(sb, buddy, bitmap, 0, grp);
KUNIT_ASSERT_EQ(test, memcmp(buddy, e4b->bd_buddy, sb->s_blocksize),
0);
@@ -799,7 +800,7 @@ static void test_mb_mark_used(struct kunit *test)
bb_counters[MB_NUM_ORDERS(sb)]), GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, grp);
- ret = ext4_mb_load_buddy(sb, TEST_GOAL_GROUP, &e4b);
+ ret = ext4_mb_load_buddy_test(sb, TEST_GOAL_GROUP, &e4b);
KUNIT_ASSERT_EQ(test, ret, 0);
grp->bb_free = EXT4_CLUSTERS_PER_GROUP(sb);
@@ -810,7 +811,7 @@ static void test_mb_mark_used(struct kunit *test)
test_mb_mark_used_range(test, &e4b, ranges[i].start,
ranges[i].len, bitmap, buddy, grp);
- ext4_mb_unload_buddy(&e4b);
+ ext4_mb_unload_buddy_test(&e4b);
}
static void
@@ -826,16 +827,16 @@ test_mb_free_blocks_range(struct kunit *test, struct ext4_buddy *e4b,
return;
ext4_lock_group(sb, e4b->bd_group);
- mb_free_blocks(NULL, e4b, start, len);
+ mb_free_blocks_test(NULL, e4b, start, len);
ext4_unlock_group(sb, e4b->bd_group);
- mb_clear_bits(bitmap, start, len);
+ mb_clear_bits_test(bitmap, start, len);
/* bypass bb_free validatoin in ext4_mb_generate_buddy */
grp->bb_free += len;
memset(buddy, 0xff, sb->s_blocksize);
for (i = 0; i < MB_NUM_ORDERS(sb); i++)
grp->bb_counters[i] = 0;
- ext4_mb_generate_buddy(sb, buddy, bitmap, 0, grp);
+ ext4_mb_generate_buddy_test(sb, buddy, bitmap, 0, grp);
KUNIT_ASSERT_EQ(test, memcmp(buddy, e4b->bd_buddy, sb->s_blocksize),
0);
@@ -866,7 +867,7 @@ static void test_mb_free_blocks(struct kunit *test)
bb_counters[MB_NUM_ORDERS(sb)]), GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, grp);
- ret = ext4_mb_load_buddy(sb, TEST_GOAL_GROUP, &e4b);
+ ret = ext4_mb_load_buddy_test(sb, TEST_GOAL_GROUP, &e4b);
KUNIT_ASSERT_EQ(test, ret, 0);
ex.fe_start = 0;
@@ -874,7 +875,7 @@ static void test_mb_free_blocks(struct kunit *test)
ex.fe_group = TEST_GOAL_GROUP;
ext4_lock_group(sb, TEST_GOAL_GROUP);
- mb_mark_used(&e4b, &ex);
+ mb_mark_used_test(&e4b, &ex);
ext4_unlock_group(sb, TEST_GOAL_GROUP);
grp->bb_free = 0;
@@ -887,7 +888,7 @@ static void test_mb_free_blocks(struct kunit *test)
test_mb_free_blocks_range(test, &e4b, ranges[i].start,
ranges[i].len, bitmap, buddy, grp);
- ext4_mb_unload_buddy(&e4b);
+ ext4_mb_unload_buddy_test(&e4b);
}
#define COUNT_FOR_ESTIMATE 100000
@@ -905,7 +906,7 @@ static void test_mb_mark_used_cost(struct kunit *test)
if (sb->s_blocksize > PAGE_SIZE)
kunit_skip(test, "blocksize exceeds pagesize");
- ret = ext4_mb_load_buddy(sb, TEST_GOAL_GROUP, &e4b);
+ ret = ext4_mb_load_buddy_test(sb, TEST_GOAL_GROUP, &e4b);
KUNIT_ASSERT_EQ(test, ret, 0);
ex.fe_group = TEST_GOAL_GROUP;
@@ -919,7 +920,7 @@ static void test_mb_mark_used_cost(struct kunit *test)
ex.fe_start = ranges[i].start;
ex.fe_len = ranges[i].len;
ext4_lock_group(sb, TEST_GOAL_GROUP);
- mb_mark_used(&e4b, &ex);
+ mb_mark_used_test(&e4b, &ex);
ext4_unlock_group(sb, TEST_GOAL_GROUP);
}
end = jiffies;
@@ -930,14 +931,14 @@ static void test_mb_mark_used_cost(struct kunit *test)
continue;
ext4_lock_group(sb, TEST_GOAL_GROUP);
- mb_free_blocks(NULL, &e4b, ranges[i].start,
+ mb_free_blocks_test(NULL, &e4b, ranges[i].start,
ranges[i].len);
ext4_unlock_group(sb, TEST_GOAL_GROUP);
}
}
kunit_info(test, "costed jiffies %lu\n", all);
- ext4_mb_unload_buddy(&e4b);
+ ext4_mb_unload_buddy_test(&e4b);
}
static const struct mbt_ext4_block_layout mbt_test_layouts[] = {
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 9e01195a73488..88dcf218f456a 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -4086,7 +4086,7 @@ void ext4_exit_mballoc(void)
#define EXT4_MB_BITMAP_MARKED_CHECK 0x0001
#define EXT4_MB_SYNC_UPDATE 0x0002
-static int
+int
ext4_mb_mark_context(handle_t *handle, struct super_block *sb, bool state,
ext4_group_t group, ext4_grpblk_t blkoff,
ext4_grpblk_t len, int flags, ext4_grpblk_t *ret_changed)
@@ -7191,6 +7191,102 @@ ext4_mballoc_query_range(
return error;
}
-#ifdef CONFIG_EXT4_KUNIT_TESTS
-#include "mballoc-test.c"
+#if IS_ENABLED(CONFIG_EXT4_KUNIT_TESTS)
+void mb_clear_bits_test(void *bm, int cur, int len)
+{
+ mb_clear_bits(bm, cur, len);
+}
+EXPORT_SYMBOL_FOR_EXT4_TEST(mb_clear_bits_test);
+
+ext4_fsblk_t
+ext4_mb_new_blocks_simple_test(struct ext4_allocation_request *ar,
+ int *errp)
+{
+ return ext4_mb_new_blocks_simple(ar, errp);
+}
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_mb_new_blocks_simple_test);
+
+int mb_find_next_zero_bit_test(void *addr, int max, int start)
+{
+ return mb_find_next_zero_bit(addr, max, start);
+}
+EXPORT_SYMBOL_FOR_EXT4_TEST(mb_find_next_zero_bit_test);
+
+int mb_find_next_bit_test(void *addr, int max, int start)
+{
+ return mb_find_next_bit(addr, max, start);
+}
+EXPORT_SYMBOL_FOR_EXT4_TEST(mb_find_next_bit_test);
+
+void mb_clear_bit_test(int bit, void *addr)
+{
+ mb_clear_bit(bit, addr);
+}
+EXPORT_SYMBOL_FOR_EXT4_TEST(mb_clear_bit_test);
+
+int mb_test_bit_test(int bit, void *addr)
+{
+ return mb_test_bit(bit, addr);
+}
+EXPORT_SYMBOL_FOR_EXT4_TEST(mb_test_bit_test);
+
+int ext4_mb_mark_diskspace_used_test(struct ext4_allocation_context *ac,
+ handle_t *handle)
+{
+ return ext4_mb_mark_diskspace_used(ac, handle);
+}
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_mb_mark_diskspace_used_test);
+
+int mb_mark_used_test(struct ext4_buddy *e4b, struct ext4_free_extent *ex)
+{
+ return mb_mark_used(e4b, ex);
+}
+EXPORT_SYMBOL_FOR_EXT4_TEST(mb_mark_used_test);
+
+void ext4_mb_generate_buddy_test(struct super_block *sb, void *buddy,
+ void *bitmap, ext4_group_t group,
+ struct ext4_group_info *grp)
+{
+ ext4_mb_generate_buddy(sb, buddy, bitmap, group, grp);
+}
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_mb_generate_buddy_test);
+
+int ext4_mb_load_buddy_test(struct super_block *sb, ext4_group_t group,
+ struct ext4_buddy *e4b)
+{
+ return ext4_mb_load_buddy(sb, group, e4b);
+}
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_mb_load_buddy_test);
+
+void ext4_mb_unload_buddy_test(struct ext4_buddy *e4b)
+{
+ ext4_mb_unload_buddy(e4b);
+}
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_mb_unload_buddy_test);
+
+void mb_free_blocks_test(struct inode *inode, struct ext4_buddy *e4b,
+ int first, int count)
+{
+ mb_free_blocks(inode, e4b, first, count);
+}
+EXPORT_SYMBOL_FOR_EXT4_TEST(mb_free_blocks_test);
+
+void ext4_free_blocks_simple_test(struct inode *inode, ext4_fsblk_t block,
+ unsigned long count)
+{
+ return ext4_free_blocks_simple(inode, block, count);
+}
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_free_blocks_simple_test);
+
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_wait_block_bitmap);
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_mb_init);
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_get_group_desc);
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_count_free_clusters);
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_get_group_info);
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_free_group_clusters_set);
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_mb_release);
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_read_block_bitmap_nowait);
+EXPORT_SYMBOL_FOR_EXT4_TEST(mb_set_bits);
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_fc_init_inode);
+EXPORT_SYMBOL_FOR_EXT4_TEST(ext4_mb_mark_context);
#endif
diff --git a/fs/ext4/mballoc.h b/fs/ext4/mballoc.h
index 15a049f05d04a..39333ce72cbd5 100644
--- a/fs/ext4/mballoc.h
+++ b/fs/ext4/mballoc.h
@@ -270,4 +270,34 @@ ext4_mballoc_query_range(
ext4_mballoc_query_range_fn formatter,
void *priv);
+extern int ext4_mb_mark_context(handle_t *handle,
+ struct super_block *sb, bool state,
+ ext4_group_t group, ext4_grpblk_t blkoff,
+ ext4_grpblk_t len, int flags,
+ ext4_grpblk_t *ret_changed);
+#if IS_ENABLED(CONFIG_EXT4_KUNIT_TESTS)
+extern void mb_clear_bits_test(void *bm, int cur, int len);
+extern ext4_fsblk_t
+ext4_mb_new_blocks_simple_test(struct ext4_allocation_request *ar,
+ int *errp);
+extern int mb_find_next_zero_bit_test(void *addr, int max, int start);
+extern int mb_find_next_bit_test(void *addr, int max, int start);
+extern void mb_clear_bit_test(int bit, void *addr);
+extern int mb_test_bit_test(int bit, void *addr);
+extern int
+ext4_mb_mark_diskspace_used_test(struct ext4_allocation_context *ac,
+ handle_t *handle);
+extern int mb_mark_used_test(struct ext4_buddy *e4b,
+ struct ext4_free_extent *ex);
+extern void ext4_mb_generate_buddy_test(struct super_block *sb,
+ void *buddy, void *bitmap, ext4_group_t group,
+ struct ext4_group_info *grp);
+extern int ext4_mb_load_buddy_test(struct super_block *sb,
+ ext4_group_t group, struct ext4_buddy *e4b);
+extern void ext4_mb_unload_buddy_test(struct ext4_buddy *e4b);
+extern void mb_free_blocks_test(struct inode *inode,
+ struct ext4_buddy *e4b, int first, int count);
+extern void ext4_free_blocks_simple_test(struct inode *inode,
+ ext4_fsblk_t block, unsigned long count);
+#endif
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 341/342] bug: avoid format attribute warning for clang as well
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 340/342] ext4: fix mballoc-test.c is not compiled when EXT4_KUNIT_TESTS=M Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 342/342] Bluetooth: L2CAP: Fix regressions caused by reusing ident Greg Kroah-Hartman
` (17 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Brendan Jackman,
Arnd Bergmann, Bill Wendling, Ingo Molnar, Justin Stitt,
Nathan Chancellor, Peter Zijlstra, Andrew Morton, Sasha Levin
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 2598ab9d63f41160c7081998857fef409182933d ]
Like gcc, clang-22 now also warns about a function that it incorrectly
identifies as a printf-style format:
lib/bug.c:190:22: error: diagnostic behavior may be improved by adding the 'format(printf, 1, 0)' attribute to the declaration of '__warn_printf' [-Werror,-Wmissing-format-attribute]
179 | static void __warn_printf(const char *fmt, struct pt_regs *regs)
| __attribute__((format(printf, 1, 0)))
180 | {
181 | if (!fmt)
182 | return;
183 |
184 | #ifdef HAVE_ARCH_BUG_FORMAT_ARGS
185 | if (regs) {
186 | struct arch_va_list _args;
187 | va_list *args = __warn_args(&_args, regs);
188 |
189 | if (args) {
190 | vprintk(fmt, *args);
| ^
Revert the change that added a gcc-specific workaround, and instead add
the generic annotation that avoid the warning.
Link: https://lkml.kernel.org/r/20260323205534.1284284-1-arnd@kernel.org
Fixes: d36067d6ea00 ("bug: Hush suggest-attribute=format for __warn_printf()")
Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Suggested-by: Brendan Jackman <jackmanb@google.com>
Link: https://lore.kernel.org/all/20251208141618.2805983-1-andriy.shevchenko@linux.intel.com/T/#u
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Brendan Jackman <jackmanb@google.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Bill Wendling <morbo@google.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/bug.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/lib/bug.c b/lib/bug.c
index 623c467a8b76c..aab9e6a40c5f9 100644
--- a/lib/bug.c
+++ b/lib/bug.c
@@ -173,10 +173,8 @@ struct bug_entry *find_bug(unsigned long bugaddr)
return module_find_bug(bugaddr);
}
-__diag_push();
-__diag_ignore(GCC, all, "-Wsuggest-attribute=format",
- "Not a valid __printf() conversion candidate.");
-static void __warn_printf(const char *fmt, struct pt_regs *regs)
+static __printf(1, 0)
+void __warn_printf(const char *fmt, struct pt_regs *regs)
{
if (!fmt)
return;
@@ -195,7 +193,6 @@ static void __warn_printf(const char *fmt, struct pt_regs *regs)
printk("%s", fmt);
}
-__diag_pop();
static enum bug_trap_type __report_bug(struct bug_entry *bug, unsigned long bugaddr, struct pt_regs *regs)
{
--
2.53.0
^ permalink raw reply related [flat|nested] 366+ messages in thread
* [PATCH 6.19 342/342] Bluetooth: L2CAP: Fix regressions caused by reusing ident
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 341/342] bug: avoid format attribute warning for clang as well Greg Kroah-Hartman
@ 2026-03-31 16:22 ` Greg Kroah-Hartman
2026-03-31 17:23 ` [PATCH 6.19 000/342] 6.19.11-rc1 review Ronald Warsow
` (16 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-03-31 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz,
Christian Eggers
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit 761fb8ec8778f0caf2bba5a41e3cff1ea86974f3 upstream.
This attempt to fix regressions caused by reusing ident which apparently
is not handled well on certain stacks causing the stack to not respond to
requests, so instead of simple returning the first unallocated id this
stores the last used tx_ident and then attempt to use the next until all
available ids are exausted and then cycle starting over to 1.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221120
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221177
Fixes: 6c3ea155e5ee ("Bluetooth: L2CAP: Fix not tracking outstanding TX ident")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Tested-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/bluetooth/l2cap.h | 1 +
net/bluetooth/l2cap_core.c | 29 ++++++++++++++++++++++++++---
2 files changed, 27 insertions(+), 3 deletions(-)
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -658,6 +658,7 @@ struct l2cap_conn {
struct sk_buff *rx_skb;
__u32 rx_len;
struct ida tx_ida;
+ __u8 tx_ident;
struct sk_buff_head pending_rx;
struct work_struct pending_rx_work;
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -926,16 +926,39 @@ int l2cap_chan_check_security(struct l2c
static int l2cap_get_ident(struct l2cap_conn *conn)
{
+ u8 max;
+ int ident;
+
/* LE link does not support tools like l2ping so use the full range */
if (conn->hcon->type == LE_LINK)
- return ida_alloc_range(&conn->tx_ida, 1, 255, GFP_ATOMIC);
-
+ max = 255;
/* Get next available identificator.
* 1 - 128 are used by kernel.
* 129 - 199 are reserved.
* 200 - 254 are used by utilities like l2ping, etc.
*/
- return ida_alloc_range(&conn->tx_ida, 1, 128, GFP_ATOMIC);
+ else
+ max = 128;
+
+ /* Allocate ident using min as last used + 1 (cyclic) */
+ ident = ida_alloc_range(&conn->tx_ida, READ_ONCE(conn->tx_ident) + 1,
+ max, GFP_ATOMIC);
+ /* Force min 1 to start over */
+ if (ident <= 0) {
+ ident = ida_alloc_range(&conn->tx_ida, 1, max, GFP_ATOMIC);
+ if (ident <= 0) {
+ /* If all idents are in use, log an error, this is
+ * extremely unlikely to happen and would indicate a bug
+ * in the code that idents are not being freed properly.
+ */
+ BT_ERR("Unable to allocate ident: %d", ident);
+ return 0;
+ }
+ }
+
+ WRITE_ONCE(conn->tx_ident, ident);
+
+ return ident;
}
static void l2cap_send_acl(struct l2cap_conn *conn, struct sk_buff *skb,
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2026-03-31 16:22 ` [PATCH 6.19 342/342] Bluetooth: L2CAP: Fix regressions caused by reusing ident Greg Kroah-Hartman
@ 2026-03-31 17:23 ` Ronald Warsow
2026-03-31 18:24 ` Dileep malepu
` (15 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Ronald Warsow @ 2026-03-31 17:23 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
conor, hargar, broonie, achill, sr
Hi
no regressions here on x86_64 (Intel 11th Gen. CPU)
Thanks
Tested-by: Ronald Warsow <rwarsow@gmx.de>
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2026-03-31 17:23 ` [PATCH 6.19 000/342] 6.19.11-rc1 review Ronald Warsow
@ 2026-03-31 18:24 ` Dileep malepu
2026-03-31 21:18 ` François Valenduc
` (14 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Dileep malepu @ 2026-03-31 18:24 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Tue, Mar 31, 2026 at 10:17 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.19.11 release.
> There are 342 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 02 Apr 2026 16:16:56 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
> -------------
Build and Boot Report for 6.19.11-rc1
Build and boot testing was performed on version 6.19.11-rc1 using the
default configuration on both x86_64 and arm64 architectures in
a virtual environment. The kernel built and booted successfully,
and no dmesg regressions were observed.
kernel version: 6.19.11-rc1
Configurations: x86_64_defconfig, defconfig
Architectures: arm64, x86_64
Kernel Source: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
Commit: 411f8a553ae8d2f6aa5462b6dd5f1d6e9103fbac
Tested-by: Dileep Malepu <dileep.debian@gmail.com>
Best regards,
Dileep Malepu
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2026-03-31 18:24 ` Dileep malepu
@ 2026-03-31 21:18 ` François Valenduc
2026-04-01 18:20 ` François Valenduc
2026-04-02 7:56 ` Thorsten Leemhuis
2026-03-31 21:52 ` Justin Forbes
` (13 subsequent siblings)
358 siblings, 2 replies; 366+ messages in thread
From: François Valenduc @ 2026-03-31 21:18 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable; +Cc: linux-kernel
Le 31/03/26 à 18:17, Greg Kroah-Hartman a écrit :
> This is the start of the stable review cycle for the 6.19.11 release.
> There are 342 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 02 Apr 2026 16:16:56 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
> -------------
> Pseudo-Shortlog of commits:
>
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Linux 6.19.11-rc1
>
> Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Bluetooth: L2CAP: Fix regressions caused by reusing ident
>
> Arnd Bergmann <arnd@arndb.de>
> bug: avoid format attribute warning for clang as well
>
> Ye Bin <yebin10@huawei.com>
> ext4: fix mballoc-test.c is not compiled when EXT4_KUNIT_TESTS=M
>
> Ye Bin <yebin10@huawei.com>
> ext4: introduce EXPORT_SYMBOL_FOR_EXT4_TEST() helper
>
> Hao-Yu Yang <naup96721@gmail.com>
> futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()
>
> Peter Zijlstra <peterz@infradead.org>
> futex: Require sys_futex_requeue() to have identical flags
>
> Biju Das <biju.das.jz@bp.renesas.com>
> irqchip/renesas-rzv2h: Fix error path in rzv2h_icu_probe_common()
>
> David Howells <dhowells@redhat.com>
> netfs: Fix the handling of stream->front by removing it
>
> GuoHan Zhao <zhaoguohan@kylinos.cn>
> xen/privcmd: unregister xenstore notifier on module exit
>
> Filipe Manana <fdmanana@suse.com>
> btrfs: fix lost error when running device stats on multiple devices fs
>
> Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
> btrfs: fix leak of kobject name for sub-group space_info
>
> Mark Harmstone <mark@harmstone.com>
> btrfs: fix super block offset in error message in btrfs_validate_super()
>
> David Howells <dhowells@redhat.com>
> netfs: Fix read abandonment during retry
>
> Christian Brauner <brauner@kernel.org>
> selftests/mount_setattr: increase tmpfs size for idmapped mount tests
>
> Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
> dmaengine: xilinx_dma: Fix reset related timeout with two-channel AXIDMA
>
> Marek Vasut <marex@nabladev.com>
> dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction
>
> Marek Vasut <marex@nabladev.com>
> dmaengine: xilinx: xilinx_dma: Fix residue calculation for cyclic DMA
>
> Marek Vasut <marex@nabladev.com>
> dmaengine: xilinx: xilinx_dma: Fix dma_device directions
>
> Tuo Li <islituo@gmail.com>
> dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()
>
> Deepanshu Kartikey <kartikey406@gmail.com>
> netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry
>
> Deepanshu Kartikey <kartikey406@gmail.com>
> netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators
>
> Alexander Stein <alexander.stein@ew.tq-group.com>
> dmaengine: xilinx: xdma: Fix regmap init error handling
>
> LUO Haowen <luo-hw@foxmail.com>
> dmaengine: dw-edma: Fix multiple times setting of the CYCLE_STATE and CYCLE_BIT bits for HDMA.
>
> Felix Gu <ustc.gu@gmail.com>
> phy: ti: j721e-wiz: Fix device node reference leak in wiz_get_lane_phy_types()
>
> Vinicius Costa Gomes <vinicius.gomes@intel.com>
> dmaengine: idxd: Fix leaking event log memory
>
> Vinicius Costa Gomes <vinicius.gomes@intel.com>
> dmaengine: idxd: Fix freeing the allocated ida too late
>
> Vinicius Costa Gomes <vinicius.gomes@intel.com>
> dmaengine: idxd: Fix memory leak when a wq is reset
>
> Vinicius Costa Gomes <vinicius.gomes@intel.com>
> dmaengine: idxd: Fix not releasing workqueue on .release()
>
> Vinicius Costa Gomes <vinicius.gomes@intel.com>
> dmaengine: idxd: Fix possible invalid memory access after FLR
>
> Vinicius Costa Gomes <vinicius.gomes@intel.com>
> dmaengine: idxd: Fix crash when the event log is disabled
>
> Werner Kasselman <werner@verivus.com>
> ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()
>
> Benno Lossin <lossin@kernel.org>
> rust: pin-init: internal: init: document load-bearing fact of field accessors
>
> SeongJae Park <sj@kernel.org>
> mm/damon/core: avoid use of half-online-committed context
>
> Hari Bathini <hbathini@linux.ibm.com>
> powerpc64/bpf: do not increment tailcall count when prog is NULL
>
> Markus Niebel <Markus.Niebel@ew.tq-group.com>
> arm64: dts: imx8mn-tqma8mqnl: fix LDO5 power off
>
> Theodore Ts'o <tytso@mit.edu>
> ext4: always drain queued discard work in ext4_mb_release()
>
> Baokun Li <libaokun@linux.alibaba.com>
> ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths
>
> Theodore Ts'o <tytso@mit.edu>
> ext4: handle wraparound when searching for blocks for indirect mapped blocks
>
> Zqiang <qiang.zhang@linux.dev>
> ext4: fix the might_sleep() warnings in kvfree()
>
> Jiayuan Chen <jiayuan.chen@shopee.com>
> ext4: fix use-after-free in update_super_work when racing with umount
>
> Helen Koike <koike@igalia.com>
> ext4: reject mount if bigalloc with s_first_data_block != 0
>
> Ye Bin <yebin10@huawei.com>
> ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()
>
> Edward Adam Davis <eadavis@qq.com>
> ext4: avoid infinite loops caused by residual data
>
> Tejas Bharambe <tejas.bharambe@outlook.com>
> ext4: validate p_idx bounds in ext4_ext_correct_indexes
>
> Ye Bin <yebin10@huawei.com>
> ext4: test if inode's all dirty pages are submitted to disk
>
> Li Chen <me@linux.beauty>
> ext4: publish jinode after initialization
>
> Yuto Ohnuki <ytohnuki@amazon.com>
> ext4: replace BUG_ON with proper error handling in ext4_read_inline_folio
>
> Jan Kara <jack@suse.cz>
> ext4: make recently_deleted() properly work with lazy itable initialization
>
> Jan Kara <jack@suse.cz>
> ext4: fix fsync(2) for nojournal mode
>
> Zhang Yi <yi.zhang@huawei.com>
> ext4: do not check fast symlink during orphan recovery
>
> Jan Kara <jack@suse.cz>
> ext4: fix stale xarray tags after writeback
>
> Deepanshu Kartikey <kartikey406@gmail.com>
> ext4: convert inline data to extents when truncate exceeds inline size
>
> Simon Weber <simon.weber.39@gmail.com>
> ext4: fix journal credit check when setting fscrypt context
>
> Darrick J. Wong <djwong@kernel.org>
> xfs: remove file_path tracepoint data
>
> Darrick J. Wong <djwong@kernel.org>
> xfs: don't irele after failing to iget in xfs_attri_recover_work
>
> Long Li <leo.lilong@huawei.com>
> xfs: fix ri_total validation in xlog_recover_attri_commit_pass2
>
> hongao <hongao@uniontech.com>
> xfs: scrub: unlock dquot before early return in quota scrub
>
> Yuto Ohnuki <ytohnuki@amazon.com>
> xfs: avoid dereferencing log items after push callbacks
>
> Yuto Ohnuki <ytohnuki@amazon.com>
> xfs: save ailp before dropping the AIL lock in push callbacks
>
> Yuto Ohnuki <ytohnuki@amazon.com>
> xfs: stop reclaim before pushing AIL during unmount
>
> Max Boone <mboone@akamai.com>
> mm/pagewalk: fix race between concurrent split and refault
>
> Josh Law <objecting@objecting.org>
> mm/damon/sysfs: check contexts->nr in repeat_call_fn
>
> Josh Law <objecting@objecting.org>
> mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]
>
> Josh Law <objecting@objecting.org>
> mm/damon/sysfs: fix param_ctx leak on damon_sysfs_new_test_ctx() failure
>
> Lorenzo Stoakes (Oracle) <ljs@kernel.org>
> mm/mseal: update VMA end correctly on merge
>
> David Hildenbrand (Arm) <david@kernel.org>
> mm/memory: fix PMD/PUD checks in follow_pfnmap_start()
>
> Asad Kamal <asad.kamal@amd.com>
> drm/amd/pm: Return -EOPNOTSUPP for unsupported OD_MCLK on smu_v13_0_6
>
> Huacai Chen <chenhuacai@kernel.org>
> LoongArch: KVM: Handle the case that EIOINTC's coremap is empty
>
> Bibo Mao <maobibo@loongson.cn>
> LoongArch: KVM: Fix base address calculation in kvm_eiointc_regs_access()
>
> Huacai Chen <chenhuacai@kernel.org>
> LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust
>
> Huacai Chen <chenhuacai@kernel.org>
> LoongArch: Workaround LS2K/LS7A GPU DMA hang bug
>
> Xi Ruoyao <xry111@xry111.site>
> LoongArch: vDSO: Emit GNU_EH_FRAME correctly
>
> Li Jun <lijun01@kylinos.cn>
> LoongArch: Fix missing NULL checks for kstrdup()
>
> Ville Syrjälä <ville.syrjala@linux.intel.com>
> drm/i915: Unlink NV12 planes earlier
>
> Ville Syrjälä <ville.syrjala@linux.intel.com>
> drm/i915: Order OP vs. timeout correctly in __wait_for()
>
> Imre Deak <imre.deak@intel.com>
> drm/i915/dp_tunnel: Fix error handling when clearing stream BW in atomic state
>
> Alex Deucher <alexander.deucher@amd.com>
> drm/amd/display: check if ext_caps is valid in BL setup
>
> Alex Hung <alex.hung@amd.com>
> drm/amd/display: Fix drm_edid leak in amdgpu_dm
>
> Alex Deucher <alexander.deucher@amd.com>
> drm/amd/display: Fix DCE LVDS handling
>
> Ruijing Dong <ruijing.dong@amd.com>
> drm/amdgpu: fix strsep() corrupting lockup_timeout on multi-GPU (v3)
>
> Eric Huang <jinhuieric.huang@amd.com>
> drm/amdgpu: prevent immediate PASID reuse case
>
> Claudiu Beznea <claudiu.beznea@tuxon.dev>
> dmaengine: sh: rz-dmac: Move CHCTRL updates under spinlock
>
> Claudiu Beznea <claudiu.beznea@tuxon.dev>
> dmaengine: sh: rz-dmac: Protect the driver specific lists
>
> Joy Zou <joy.zou@nxp.com>
> dmaengine: fsl-edma: fix channel parameter config for fixed channel requests
>
> Stefan Eichenberger <stefan.eichenberger@toradex.com>
> i2c: imx: ensure no clock is generated after last read
>
> Stefan Eichenberger <stefan.eichenberger@toradex.com>
> i2c: imx: fix i2c issue when reading multiple messages
>
> Davidlohr Bueso <dave@stgolabs.net>
> futex: Clear stale exiting pointer in futex_lock_pi() retry path
>
> Pratap Nirujogi <pratap.nirujogi@amd.com>
> i2c: designware: amdisp: Fix resume-probe race condition issue
>
> Joanne Koong <joannelkoong@gmail.com>
> iomap: fix invalid folio access when i_blkbits differs from I/O granularity
>
> Jassi Brar <jassisinghbrar@gmail.com>
> irqchip/qcom-mpm: Add missing mailbox TX done acknowledgment
>
> Milos Nikic <nikic.milos@gmail.com>
> jbd2: gracefully abort on checkpointing state corruptions
>
> Sean Christopherson <seanjc@google.com>
> KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE
>
> Sean Christopherson <seanjc@google.com>
> KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
>
> Kevin Hao <haokexin@gmail.com>
> net: macb: Use dev_consume_skb_any() to free TX SKBs
>
> Kevin Hao <haokexin@gmail.com>
> net: macb: Protect access to net_device::ip_ptr with RCU lock
>
> Kevin Hao <haokexin@gmail.com>
> net: macb: Move devm_{free,request}_irq() out of spin lock area
>
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> scsi: ses: Handle positive SCSI error from ses_recv_diag()
>
> Tyllis Xu <livelycarpet87@gmail.com>
> scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
>
> Amir Goldstein <amir73il@gmail.com>
> ovl: fix wrong detection of 32bit inode numbers
>
> Fei Lv <feilv@asrmicro.com>
> ovl: make fsync after metadata copy-up opt-in mount option
>
> Abel Vesa <abel.vesa@oss.qualcomm.com>
> phy: qcom: qmp-ufs: Fix SM8650 PCS table for Gear 4
>
> Nikunj A Dadhania <nikunj@amd.com>
> x86/fred: Fix early boot failures on SEV-ES/SNP guests
>
> Borislav Petkov (AMD) <bp@alien8.de>
> x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask
>
> Nikunj A Dadhania <nikunj@amd.com>
> x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling()
>
> Joanne Koong <joannelkoong@gmail.com>
> writeback: don't block sync for filesystems with no data integrity guarantees
>
> Jinjiang Tu <tujinjiang@huawei.com>
> mm/huge_memory: fix folio isn't locked in softleaf_to_folio()
>
> Zhan Xusheng <zhanxusheng1024@gmail.com>
> alarmtimer: Fix argument order in alarm_timer_forward()
>
> Jiucheng Xu <jiucheng.xu@amlogic.com>
> erofs: add GFP_NOIO in the bio completion if needed
>
> Alex Williamson <alex.williamson@nvidia.com>
> vfio/pci: Fix double free in dma-buf feature
>
> xietangxin <xietangxin@yeah.net>
> virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false
>
> Zubin Mithra <zsm@google.com>
> virt: tdx-guest: Fix handling of host controlled 'quote' buffer length
>
> Paul Moses <p@1g4.org>
> xfrm: iptfs: only publish mode_data after clone setup
>
> Roshan Kumar <roshaen09@gmail.com>
> xfrm: iptfs: validate inner IPv4 header length in IPTFS payload
>
> Ming Qian <ming.qian@oss.nxp.com>
> media: verisilicon: Fix kernel panic due to __initconst misuse
>
> Yuchan Nam <entropy1110@gmail.com>
> media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
>
> Sanman Pradhan <psanman@juniper.net>
> hwmon: (peci/cputemp) Fix off-by-one in cputemp_is_visible()
>
> Sanman Pradhan <psanman@juniper.net>
> hwmon: (peci/cputemp) Fix crit_hyst returning delta instead of absolute temperature
>
> Sanman Pradhan <psanman@juniper.net>
> hwmon: (pmbus/isl68137) Add mutex protection for AVS enable sysfs attributes
>
> Sanman Pradhan <psanman@juniper.net>
> hwmon: (pmbus/ina233) Fix error handling and sign extension in shunt voltage read
>
> Zenghui Yu (Huawei) <zenghui.yu@linux.dev>
> KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()
>
> Marc Zyngier <maz@kernel.org>
> KVM: arm64: Discard PC update state on vcpu reset
>
> Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
> platform/x86: ISST: Correct locked bit width
>
> Abhijit Gangurde <abhijit.gangurde@amd.com>
> RDMA/ionic: Preserve and set Ethernet source MAC after ib_ud_header_init()
>
> Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
> thermal: intel: int340x: soc_slider: Set offset only for balanced mode
>
> SeongJae Park <sj@kernel.org>
> mm/damon/stat: monitor all System RAM resources
>
> Charles Mirabile <cmirabil@redhat.com>
> kbuild: Delete .builtin-dtbs.S when running make clean
>
> Viresh Kumar <viresh.kumar@linaro.org>
> cpufreq: conservative: Reset requested_freq on limits change
>
> Viresh Kumar <viresh.kumar@linaro.org>
> cpufreq: Don't skip cpufreq_frequency_table_cpuinfo()
>
> Marc Kleine-Budde <mkl@pengutronix.de>
> can: netlink: can_changelink(): add missing error handling to call can_ctrlmode_changelink()
>
> Oliver Hartkopp <socketcan@hartkopp.net>
> can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
>
> Ali Norouzi <ali.norouzi@keysight.com>
> can: gw: fix OOB heap access in cgw_csum_crc8_rel()
>
> Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
> ASoC: SOF: ipc4-topology: Allow bytes controls without initial payload
>
> Guangshuo Li <lgs201920130244@gmail.com>
> ASoC: sma1307: fix double free of devm_kzalloc() memory
>
> Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
> ASoC: codecs: wcd934x: fix typo in dt parsing
>
> Karol Wachowski <karol.wachowski@linux.intel.com>
> accel/ivpu: Add disable clock relinquish workaround for NVL-A0
>
> Alexey Nepomnyashih <sdl@nppct.ru>
> ALSA: firewire-lib: fix uninitialized local variable
>
> Zhang Heng <zhangheng@kylinos.cn>
> ALSA: hda/realtek: add quirk for ASUS Strix G16 G615JMR
>
> Mario Limonciello <mario.limonciello@amd.com>
> Revert "ALSA: hda/intel: Add MSI X870E Tomahawk to denylist"
>
> Hyunwoo Kim <imv4bel@gmail.com>
> ksmbd: do not expire session on binding failure
>
> Werner Kasselman <werner@verivus.com>
> ksmbd: fix memory leaks and NULL deref in smb2_lock()
>
> Namjae Jeon <linkinjeon@kernel.org>
> ksmbd: fix potencial OOB in get_file_all_info() for compound requests
>
> Namjae Jeon <linkinjeon@kernel.org>
> ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()
>
> Matthew Auld <matthew.auld@intel.com>
> drm/xe: always keep track of remap prev/next
>
> Luo Haiyang <luo.haiyang@zte.com.cn>
> tracing: Fix potential deadlock in cpu hotplug with osnoise
>
> Wesley Atwell <atwellwea@gmail.com>
> tracing: Drain deferred trigger frees if kthread creation fails
>
> Vasily Gorbik <gor@linux.ibm.com>
> s390/entry: Scrub r12 register on kernel entry
>
> Vasily Gorbik <gor@linux.ibm.com>
> s390/barrier: Make array_index_mask_nospec() __always_inline
>
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> s390/syscalls: Add spectre boundary for syscall dispatch table
>
> Geoffrey D. Bennett <g@b4.vu>
> ALSA: usb-audio: Exclude Scarlett 2i4 1st Gen from SKIP_IFACE_SETUP
>
> Nicholas Carlini <nicholas@carlini.com>
> io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check
>
> Jens Axboe <axboe@kernel.dk>
> io_uring/fdinfo: fix SQE_MIXED SQE displaying
>
> Marc Kleine-Budde <mkl@pengutronix.de>
> spi: spi-fsl-lpspi: fix teardown order issue (UAF)
>
> Jihed Chaibi <jihed.chaibi.dev@gmail.com>
> ASoC: adau1372: Fix clock leak on PLL lock failure
>
> Jihed Chaibi <jihed.chaibi.dev@gmail.com>
> ASoC: adau1372: Fix unchecked clk_prepare_enable() return value
>
> Marc Buerg <buermarc@googlemail.com>
> sysctl: fix uninitialized variable in proc_do_large_bitmap
>
> Guenter Roeck <linux@roeck-us.net>
> hwmon: (pmbus/core) Protect regulator operations with mutex
>
> Guenter Roeck <linux@roeck-us.net>
> hwmon: (pmbus) Introduce the concept of "write-only" attributes
>
> Guenter Roeck <linux@roeck-us.net>
> hwmon: (pmbus) Mark lowest/average/highest/rated attributes as read-only
>
> Shuming Fan <shumingf@realtek.com>
> ASoC: SDCA: fix finding wrong entity
>
> Sanman Pradhan <psanman@juniper.net>
> hwmon: (adm1177) fix sysfs ABI violation and current unit conversion
>
> Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
> drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib
>
> Weiming Shi <bestswngs@gmail.com>
> ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()
>
> Danilo Krummrich <dakr@kernel.org>
> spi: use generic driver_override infrastructure
>
> Matt Roper <matthew.d.roper@intel.com>
> drm/xe: Implement recent spec updates to Wa_16025250150
>
> Alice Ryhl <aliceryhl@google.com>
> rust: regulator: do not assume that regulator_get() returns non-null
>
> Jihed Chaibi <jihed.chaibi.dev@gmail.com>
> ASoC: dt-bindings: stm32: Fix incorrect compatible string in stm32h7-sai match
>
> Yussuf Khalil <dev@pp3345.net>
> drm/amd/display: Do not skip unrelated mode changes in DSC validation
>
> Felix Gu <ustc.gu@gmail.com>
> spi: meson-spicc: Fix double-put in remove path
>
> Cezary Rojewski <cezary.rojewski@intel.com>
> ASoC: Intel: catpt: Fix the device initialization
>
> Felix Gu <ustc.gu@gmail.com>
> spi: sn-f-ospi: Fix resource leak in f_ospi_probe()
>
> Michał Winiarski <michal.winiarski@intel.com>
> drm/xe/pf: Fix use-after-free in migration restore
>
> Youngjun Park <youngjun.park@lge.com>
> PM: sleep: Drop spurious WARN_ON() from pm_restore_gfp_mask()
>
> Alberto Garcia <berto@igalia.com>
> PM: hibernate: Drain trailing zero pages on userspace restore
>
> Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
> drm/i915/gmbus: fix spurious timeout on 512-byte burst reads
>
> Luca Leonardo Scorcia <l.scorcia@gmail.com>
> drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register
>
> Mike Rapoport (Microsoft) <rppt@kernel.org>
> x86/efi: efi_unmap_boot_services: fix calculation of ranges_to_free size
>
> Yihang Li <liyihang9@huawei.com>
> scsi: scsi_transport_sas: Fix the maximum channel scanning issue
>
> Shengjiu Wang <shengjiu.wang@nxp.com>
> ASoC: fsl: imx-card: initialize playback_only and capture_only
>
> Shengjiu Wang <shengjiu.wang@nxp.com>
> ASoC: simple-card-utils: Check value of is_playback_only and is_capture_only
>
> Shiraz Saleem <shiraz.saleem@intel.com>
> RDMA/irdma: Harden depth calculation functions
>
> Tatyana Nikolova <tatyana.e.nikolova@intel.com>
> RDMA/irdma: Return EINVAL for invalid arp index error
>
> Anil Samal <anil.samal@intel.com>
> RDMA/irdma: Fix deadlock during netdev reset with active connections
>
> Tatyana Nikolova <tatyana.e.nikolova@intel.com>
> RDMA/irdma: Remove reset check from irdma_modify_qp_to_err()
>
> Ivan Barrera <ivan.d.barrera@intel.com>
> RDMA/irdma: Clean up unnecessary dereference of event->cm_node
>
> Tatyana Nikolova <tatyana.e.nikolova@intel.com>
> RDMA/irdma: Remove a NOP wait_event() in irdma_modify_qp_roce()
>
> Tatyana Nikolova <tatyana.e.nikolova@intel.com>
> RDMA/irdma: Update ibqp state to error if QP is already in error state
>
> Jacob Moroni <jmoroni@google.com>
> RDMA/irdma: Initialize free_qp completion before using it
>
> Geoffrey D. Bennett <g@b4.vu>
> ALSA: usb-audio: Exclude Scarlett 2i2 1st Gen from SKIP_IFACE_SETUP
>
> Ethan Tidmore <ethantidmore06@gmail.com>
> RDMA/efa: Fix possible deadlock
>
> Chuck Lever <chuck.lever@oracle.com>
> RDMA/rw: Fall back to direct SGE on MR pool exhaustion
>
> Sean Rhodes <sean@starlabs.systems>
> ALSA: hda/realtek: Sequence GPIO2 on Star Labs StarFighter
>
> Andy Shevchenko <andriy.shevchenko@linux.intel.com>
> regmap: Synchronize cache for the page selector
>
> Yonatan Nachum <ynachum@amazon.com>
> RDMA/efa: Fix use of completion ctx after free
>
> Yonatan Nachum <ynachum@amazon.com>
> RDMA/efa: Improve admin completion context state machine
>
> Yonatan Nachum <ynachum@amazon.com>
> RDMA/efa: Check stored completion CTX command ID with received one
>
> Kamal Heib <kheib@redhat.com>
> RDMA/bng_re: Fix silent failure in HWRM version query
>
> Paolo Valerio <pvalerio@redhat.com>
> net: macb: use the current queue number for stats
>
> David Carlier <devnexen@gmail.com>
> netfilter: ctnetlink: use netlink policy range checks
>
> Weiming Shi <bestswngs@gmail.com>
> netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
>
> Pablo Neira Ayuso <pablo@netfilter.org>
> netfilter: nf_conntrack_expect: skip expectations in other netns via proc
>
> Pablo Neira Ayuso <pablo@netfilter.org>
> netfilter: nft_set_rbtree: revisit array resize logic
>
> Ren Wei <n05ec@lzu.edu.cn>
> netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
>
> Weiming Shi <bestswngs@gmail.com>
> netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
>
> Chuck Lever <chuck.lever@oracle.com>
> tls: Purge async_hold in tls_decrypt_async_wait()
>
> Pengpeng Hou <pengpeng@iscas.ac.cn>
> Bluetooth: btusb: clamp SCO altsetting table indices
>
> Hyunwoo Kim <imv4bel@gmail.com>
> Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
>
> Hyunwoo Kim <imv4bel@gmail.com>
> Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()
>
> Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Bluetooth: L2CAP: Fix not tracking outstanding TX ident
>
> Cen Zhang <zzzccc427@gmail.com>
> Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
>
> Zhang Chen <zhangchen01@kylinos.cn>
> Bluetooth: L2CAP: Fix send LE flow credits in ACL link
>
> Miguel Ojeda <ojeda@kernel.org>
> dma-mapping: add missing `inline` for `dma_free_attrs`
>
> Jonas Köppeler <j.koeppeler@tu-berlin.de>
> net_sched: codel: fix stale state for empty flows in fq_codel
>
> Sabrina Dubroca <sd@queasysnail.net>
> rtnetlink: fix leak of SRCU struct in rtnl_link_register
>
> Thangaraj Samynathan <thangaraj.s@microchip.com>
> net: lan743x: fix duplex configuration in mac_link_up
>
> David Carlier <devnexen@gmail.com>
> net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path
>
> Jiayuan Chen <jiayuan.chen@shopee.com>
> team: fix header_ops type confusion with non-Ethernet ports
>
> Xuan Zhuo <xuanzhuo@linux.alibaba.com>
> virtio-net: correct hdr_len handling for tunnel gso
>
> Xuan Zhuo <xuanzhuo@linux.alibaba.com>
> virtio-net: correct hdr_len handling for VIRTIO_NET_F_GUEST_HDRLEN
>
> Wei Fang <wei.fang@nxp.com>
> net: enetc: fix the output issue of 'ethtool --show-ring'
>
> Martin KaFai Lau <martin.lau@kernel.org>
> udp: Fix wildcard bind conflict check when using hash2
>
> Arnd Bergmann <arnd@arndb.de>
> net: b44: always select CONFIG_FIXED_PHY
>
> Qingfang Deng <dqfext@gmail.com>
> net: airoha: add RCU lock around dev_fill_forward_path
>
> Yochai Eisenrich <echelonh@gmail.com>
> net: fix fanout UAF in packet_release() via NETDEV_UP race
>
> Kuniyuki Iwashima <kuniyu@google.com>
> ipv6: Don't remove permanent routes with exceptions from tb6_gc_hlist.
>
> Kuniyuki Iwashima <kuniyu@google.com>
> ipv6: Remove permanent routes from tb6_gc_hlist when all exceptions expire.
>
> Kohei Enju <kohei@enjuk.jp>
> iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()
>
> Petr Oros <poros@redhat.com>
> ice: use ice_update_eth_stats() for representor stats
>
> Petr Oros <poros@redhat.com>
> ice: fix inverted ready check for VF representors
>
> David McFarland <corngood@gmail.com>
> platform/x86: intel-hid: disable wakeup_mode during hibernation
>
> Alok Tiwari <alok.a.tiwari@oracle.com>
> platform/olpc: olpc-xo175-ec: Fix overflow error message to print inlen
>
> Nathan Chancellor <nathan@kernel.org>
> platform/x86: lenovo: wmi-gamezone: Drop gz_chain_head
>
> Li RongQing <lirongqing@baidu.com>
> platform/x86: ISST: Check HWP support before MSR access
>
> Justin Chen <justin.chen@broadcom.com>
> net: bcmasp: fix double disable of clk
>
> Justin Chen <justin.chen@broadcom.com>
> net: bcmasp: fix double free of WoL irq
>
> Justin Chen <justin.chen@broadcom.com>
> net: bcmasp: streamline early exit in probe
>
> Sabrina Dubroca <sd@queasysnail.net>
> rtnetlink: count IFLA_INFO_SLAVE_KIND in if_nlmsg_size
>
> Sabrina Dubroca <sd@queasysnail.net>
> rtnetlink: count IFLA_PARENT_DEV_{NAME,BUS_NAME} in if_nlmsg_size
>
> Qi Tang <tpluszz77@gmail.com>
> net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer
>
> Yang Yang <n05ec@lzu.edu.cn>
> openvswitch: validate MPLS set/set_masked payload length
>
> Yang Yang <n05ec@lzu.edu.cn>
> openvswitch: defer tunnel netdev_put to RCU release
>
> Toke Høiland-Jørgensen <toke@redhat.com>
> net: openvswitch: Avoid releasing netdev before teardown completes
>
> Jakub Kicinski <kuba@kernel.org>
> nfc: nci: fix circular locking dependency in nci_close_device
>
> Mohammad Heib <mheib@redhat.com>
> ionic: fix persistent MAC address override on PF
>
> Luca Leonardo Scorcia <l.scorcia@gmail.com>
> pinctrl: mediatek: common: Fix probe failure for devices without EINT
>
> Helen Koike <koike@igalia.com>
> Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
>
> Anas Iqbal <mohd.abd.6602@gmail.com>
> Bluetooth: hci_ll: Fix firmware leak on error path
>
> Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete
>
> Hyunwoo Kim <imv4bel@gmail.com>
> Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
>
> Hyunwoo Kim <imv4bel@gmail.com>
> Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
>
> Minseo Park <jacob.park.9436@gmail.com>
> Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
>
> Amelie Delaunay <amelie.delaunay@foss.st.com>
> pinctrl: stm32: fix HDP driver dependency on GPIO_GENERIC
>
> Oliver Hartkopp <socketcan@hartkopp.net>
> can: statistics: add missing atomic access in hot path
>
> Sheng Yong <shengyong1@xiaomi.com>
> erofs: set fileio bio failed in short read case
>
> Shigeru Yoshida <syoshida@redhat.com>
> dma: swiotlb: add KMSAN annotations to swiotlb_bounce()
>
> Eric Dumazet <edumazet@google.com>
> af_key: validate families in pfkey_send_migrate()
>
> Minwoo Ra <raminwo0202@gmail.com>
> xfrm: prevent policy_hthresh.work from racing with netns teardown
>
> Hyunwoo Kim <imv4bel@gmail.com>
> xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()
>
> Dmitry Torokhov <dmitry.torokhov@gmail.com>
> pinctrl: renesas: rza1: Normalize return value of gpio_get()
>
> Neil Armstrong <neil.armstrong@linaro.org>
> pinctrl: qcom: spmi-gpio: implement .get_direction()
>
> Fernando Fernandez Mancera <fmancera@suse.de>
> xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly
>
> Felix Gu <ustc.gu@gmail.com>
> pinctrl: renesas: rzt2h: Fix device node leak in rzt2h_gpio_register()
>
> Sabrina Dubroca <sd@queasysnail.net>
> esp: fix skb leak with espintcp and async crypto
>
> Sabrina Dubroca <sd@queasysnail.net>
> xfrm: call xdo_dev_state_delete during state update
>
> Sabrina Dubroca <sd@queasysnail.net>
> xfrm: fix the condition on x->pcpu_num in xfrm_sa_len
>
> Sabrina Dubroca <sd@queasysnail.net>
> xfrm: add missing extack for XFRMA_SA_PCPU in add_acquire and allocspi
>
> Peter Yin <peteryin.openbmc@gmail.com>
> i3c: master: dw-i3c: Fix missing of_node for virtual I2C adapter
>
> Zhang Heng <zhangheng@kylinos.cn>
> ALSA: hda/realtek: add quirk for ASUS UM6702RC
>
> Lianqin Hu <hulianqin@vivo.com>
> ALSA: usb-audio: Add iface reset and delay quirk for SPACETOUCH USB Audio
>
> Alan Borzeszkowski <alan.borzeszkowski@linux.intel.com>
> spi: intel-pci: Add support for Nova Lake mobile SPI flash
>
> Jie Deng <dengjie03@kylinos.cn>
> usb: core: new quirk to handle devices with zero configurations
>
> Yang Wang <kevinyang.wang@amd.com>
> drm/amdgpu: fix gpu idle power consumption issue for gfx v12
>
> Chaitanya Kulkarni <kch@nvidia.com>
> nvmet: move async event work off nvmet-wq
>
> Josh Poimboeuf <jpoimboe@kernel.org>
> objtool: Handle Clang RSP musical chairs
>
> Uzair Mughal <contact@uzair.is-a.dev>
> ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390
>
> Zhang Heng <zhangheng@kylinos.cn>
> ALSA: hda/realtek: Add quirk for Gigabyte Technology to fix headphone
>
> Josh Poimboeuf <jpoimboe@kernel.org>
> objtool/klp: Disable unsupported pr_debug() usage
>
> Liucheng Lu <luliucheng100@outlook.com>
> ALSA: hda/realtek: add HP Laptop 14s-dr5xxx mute LED quirk
>
> Hari Bathini <hbathini@linux.ibm.com>
> powerpc64/ftrace: fix OOL stub count with clang
>
> HONG Yifan <elsk@google.com>
> objtool: Use HOSTCFLAGS for HAVE_XXHASH test
>
> Boris Burkov <boris@bur.io>
> btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create
>
> zhidao su <soolaugust@gmail.com>
> sched_ext: Use WRITE_ONCE() for the write side of dsq->seq update
>
> Günther Noack <gnoack@google.com>
> HID: apple: avoid memory leak in apple_report_fixup()
>
> Eduard Zingerman <eddyz87@gmail.com>
> bpf: Fix u32/s32 bounds when ranges cross min/max boundary
>
> Simon Trimmer <simont@opensource.cirrus.com>
> ASoC: amd: acp: Add ACP6.3 match entries for Cirrus Logic parts
>
> Maarten Lankhorst <dev@lankhorst.se>
> drm/ttm/tests: Fix build failure on PREEMPT_RT
>
> wangdicheng <wangdicheng@kylinos.cn>
> ALSA: hda/senary: Ensure EAPD is enabled during init
>
> Nilay Shroff <nilay@linux.ibm.com>
> block: break pcpu_alloc_mutex dependency on freeze_lock
>
> Isaac J. Manjarres <isaacmanjarres@google.com>
> dma-buf: Include ioctl.h in UAPI header
>
> Vladimir Yakovlev <vovchkir@gmail.com>
> spi: spi-dw-dma: fix print error log when wait finish transaction
>
> Richard Fitzgerald <rf@opensource.cirrus.com>
> ASoC: cs35l56: Only patch ASP registers if the DAI is part of a DAIlink
>
> Mark Brown <broonie@kernel.org>
> ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_put_bits()
>
> Sheetal <sheetal@nvidia.com>
> ALSA: hda/hdmi: Add Tegra238 HDA codec device ID
>
> Oliver Freyermuth <o.freyermuth@googlemail.com>
> ASoC: Intel: sof_sdw: Add quirk for Alienware Area 51 (2025) 0CCD SKU
>
> Florian Fuchs <fuchsfl@gmail.com>
> scsi: devinfo: Add BLIST_SKIP_IO_HINTS for Iomega ZIP
>
> Shuming Fan <shumingf@realtek.com>
> ASoC: rt1321: fix DMIC ch2/3 mask issue
>
> Ranjan Kumar <ranjan.kumar@broadcom.com>
> scsi: mpi3mr: Clear reset history on ready and recheck state after timeout
>
> Mark Brown <broonie@kernel.org>
> ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_set_reg()
>
> Ihor Solodrai <ihor.solodrai@linux.dev>
> module: Fix kernel panic when a symbol st_shndx is out of bounds
>
> Denis Benato <denis.benato@linux.dev>
> HID: asus: add xg mobile 2023 external hardware support
>
> Romain Sioen <romain.sioen@microchip.com>
> HID: mcp2221: cancel last I2C command on read error
>
> Antheas Kapenekakis <lkml@antheas.dev>
> platform/x86: oxpec: Add support for OneXPlayer X1 Air
>
> Antheas Kapenekakis <lkml@antheas.dev>
> platform/x86: oxpec: Add support for Aokzoe A2 Pro
>
> Thomas Weißschuh <thomas.weissschuh@linutronix.de>
> kbuild: install-extmod-build: Package resolve_btfids if necessary
>
> Valentin Spreckels <valentin@spreckels.dev>
> net: usb: r8152: add TRENDnet TUC-ET2G
>
> Antheas Kapenekakis <lkml@antheas.dev>
> platform/x86: oxpec: Add support for OneXPlayer X1z
>
> Takashi Iwai <tiwai@suse.de>
> HID: apple: Add EPOMAKER TH87 to the non-apple keyboards list
>
> Antheas Kapenekakis <lkml@antheas.dev>
> platform/x86: oxpec: Add support for OneXPlayer APEX
>
> Zhang Lixu <lixu.zhang@intel.com>
> HID: intel-ish-hid: ipc: Add Nova Lake-H/S PCI device IDs
>
> Victor Lattaro Volpini <victorlattaro@proton.me>
> platform/x86: hp-wmi: Add Victus 16-d0xxx support
>
> Günther Noack <gnoack@google.com>
> HID: magicmouse: avoid memory leak in magicmouse_report_fixup()
>
> Julius Lehmann <lehmanju@devpi.de>
> HID: magicmouse: fix battery reporting for Apple Magic Trackpad 2
>
> Keith Busch <kbusch@kernel.org>
> nvme-pci: ensure we're polling a polled queue
>
> Anton Plotnikov <plotnikovanton@gmail.com>
> platform/x86: hp-wmi: add Omen 14-fb1xxx (board 8E41) support
>
> Hans de Goede <johannes.goede@oss.qualcomm.com>
> platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix touchscreen on SUPI S10
>
> Leif Skunberg <diamondback@cohunt.app>
> platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold 16 Gen 1
>
> Krishna Chomal <krishna.chomal108@gmail.com>
> platform/x86: hp-wmi: Add Omen 16-xd0xxx fan and thermal support
>
> Daniel Hodges <hodgesd@meta.com>
> nvme-fabrics: use kfree_sensitive() for DHCHAP secrets
>
> Keith Busch <kbusch@kernel.org>
> nvme-pci: cap queue creation to used queues
>
> Peter Metz <peter.metz@unarin.com>
> platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to dmi_vgbs_allow_list
>
> Günther Noack <gnoack@google.com>
> HID: asus: avoid memory leak in asus_report_fixup()
>
> Krishna Chomal <krishna.chomal108@gmail.com>
> platform/x86: hp-wmi: Add Omen 16-wf0xxx fan and thermal support
>
> Xuewen Yan <xuewen.yan@unisoc.com>
> tracing: Revert "tracing: Remove pid in task_rename tracing output"
>
> Daniel Wade <danjwade95@gmail.com>
> bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR
>
> Jenny Guanni Qu <qguanni@gmail.com>
> bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN
>
> Ihor Solodrai <ihor.solodrai@linux.dev>
> bpf: Fix exception exit lock checking for subprogs
>
> Cui Chao <cuichao1753@phytium.com.cn>
> cxl: Adjust the startup priority of cxl_pmem to be higher than that of cxl_acpi
>
> Kumar Kartikeya Dwivedi <memxor@gmail.com>
> bpf: Release module BTF IDR before module unload
>
> Ian Rogers <irogers@google.com>
> perf metricgroup: Fix metricgroup__has_metric_or_groups()
>
> Danilo Krummrich <dakr@kernel.org>
> driver core: platform: use generic driver_override infrastructure
>
> Danilo Krummrich <dakr@kernel.org>
> driver core: generalize driver_override in struct device
>
> Danilo Krummrich <dakr@kernel.org>
> sh: platform_early: remove pdev->driver_override check
>
> Danilo Krummrich <dakr@kernel.org>
> hwmon: axi-fan: don't use driver_override as IRQ name
>
> Smita Koralahalli <Smita.KoralahalliChannabasappa@amd.com>
> cxl/hdm: Avoid incorrect DVSEC fallback when HDM decoders are enabled
>
> Josh Poimboeuf <jpoimboe@kernel.org>
> livepatch/klp-build: Fix inconsistent kernel version
>
> Joe Lawrence <joe.lawrence@redhat.com>
> objtool/klp: fix data alignment in __clone_symbol()
>
> Janosch Frank <frankja@linux.ibm.com>
> s390/mm: Add missing secure storage access fixups for donated memory
>
> Peter Zijlstra <peterz@infradead.org>
> perf: Make sure to use pmu_ctx->pmu for groups
>
> Peter Zijlstra <peterz@infradead.org>
> x86/perf: Make sure to program the counter value for stopped events on migration
>
> Sachin Kumar <xcyfun@protonmail.com>
> bpf: Fix constant blinding for PROBE_MEM32 stores
>
> Yazhou Tang <tangyazhou518@outlook.com>
> bpf: Reset register ID for BPF_END value tracking
>
> Davidlohr Bueso <dave@stgolabs.net>
> cxl/region: Fix leakage in __construct_region()
>
> Alison Schofield <alison.schofield@intel.com>
> cxl/port: Fix use after free of parent_port in cxl_detach_ep()
>
>
> -------------
>
> Diffstat:
>
> Documentation/admin-guide/kernel-parameters.txt | 3 +
> .../devicetree/bindings/sound/st,stm32-sai.yaml | 2 +-
> Documentation/filesystems/overlayfs.rst | 50 +++
> Documentation/hwmon/adm1177.rst | 8 +-
> Documentation/hwmon/peci-cputemp.rst | 10 +-
> Makefile | 6 +-
> .../boot/dts/freescale/imx8mn-tqma8mqnl-mba8mx.dts | 13 +-
> .../arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi | 22 ++
> arch/arm64/kvm/at.c | 2 +-
> arch/arm64/kvm/reset.c | 14 +
> arch/loongarch/include/asm/linkage.h | 36 ++
> arch/loongarch/include/asm/sigframe.h | 9 +
> arch/loongarch/kernel/asm-offsets.c | 2 +
> arch/loongarch/kernel/env.c | 7 +-
> arch/loongarch/kernel/signal.c | 6 +-
> arch/loongarch/kvm/intc/eiointc.c | 16 +-
> arch/loongarch/kvm/vcpu.c | 3 +
> arch/loongarch/pci/pci.c | 80 ++++
> arch/loongarch/vdso/Makefile | 4 +-
> arch/loongarch/vdso/sigreturn.S | 6 +-
> arch/powerpc/net/bpf_jit_comp64.c | 23 +-
> arch/powerpc/tools/ftrace-gen-ool-stubs.sh | 4 +-
> arch/s390/include/asm/barrier.h | 4 +-
> arch/s390/kernel/entry.S | 3 +
> arch/s390/kernel/syscall.c | 5 +-
> arch/s390/mm/fault.c | 11 +-
> arch/sh/drivers/platform_early.c | 4 -
> arch/x86/coco/sev/noinstr.c | 6 +
> arch/x86/entry/entry_fred.c | 14 +
> arch/x86/events/core.c | 4 +-
> arch/x86/kernel/cpu/common.c | 20 +-
> arch/x86/kvm/mmu/mmu.c | 17 +-
> arch/x86/platform/efi/quirks.c | 2 +-
> block/blk-mq.c | 45 ++-
> drivers/accel/ivpu/ivpu_drv.h | 1 +
> drivers/accel/ivpu/ivpu_hw.c | 6 +-
> drivers/acpi/ec.c | 2 +
> drivers/base/bus.c | 43 ++-
> drivers/base/core.c | 2 +
> drivers/base/dd.c | 60 +++
> drivers/base/platform.c | 37 +-
> drivers/base/regmap/regmap.c | 30 +-
> drivers/bluetooth/btintel.c | 11 +-
> drivers/bluetooth/btusb.c | 5 +-
> drivers/bluetooth/hci_ll.c | 2 +
> drivers/bus/simple-pm-bus.c | 4 +-
> drivers/clk/imx/clk-scu.c | 3 +-
> drivers/cpufreq/cpufreq.c | 9 +-
> drivers/cpufreq/cpufreq_conservative.c | 12 +
> drivers/cpufreq/cpufreq_governor.c | 3 +
> drivers/cpufreq/cpufreq_governor.h | 1 +
> drivers/cpufreq/freq_table.c | 4 +
> drivers/cxl/core/hdm.c | 25 +-
> drivers/cxl/core/port.c | 8 +-
> drivers/cxl/core/region.c | 4 +-
> drivers/cxl/pmem.c | 2 +-
> drivers/dma/dw-edma/dw-hdma-v0-core.c | 6 +-
> drivers/dma/fsl-edma-main.c | 26 +-
> drivers/dma/idxd/cdev.c | 8 +-
> drivers/dma/idxd/device.c | 6 +-
> drivers/dma/idxd/init.c | 4 +-
> drivers/dma/idxd/submit.c | 2 +-
> drivers/dma/idxd/sysfs.c | 1 +
> drivers/dma/sh/rz-dmac.c | 68 ++--
> drivers/dma/xilinx/xdma.c | 4 +-
> drivers/dma/xilinx/xilinx_dma.c | 46 ++-
> drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 4 +-
> drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 13 +-
> drivers/gpu/drm/amd/amdgpu/amdgpu_ids.c | 45 ++-
> drivers/gpu/drm/amd/amdgpu/amdgpu_ids.h | 1 +
> drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 1 +
> drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 5 +-
> drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 +-
> drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 1 +
> .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 4 +-
> .../display/dc/resource/dce100/dce100_resource.c | 6 +-
> .../display/dc/resource/dce110/dce110_resource.c | 5 +-
> .../display/dc/resource/dce112/dce112_resource.c | 5 +-
> .../display/dc/resource/dce120/dce120_resource.c | 5 +-
> .../amd/display/dc/resource/dce60/dce60_resource.c | 14 +-
> .../amd/display/dc/resource/dce80/dce80_resource.c | 6 +-
> .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c | 2 +-
> drivers/gpu/drm/i915/display/intel_display.c | 8 +-
> drivers/gpu/drm/i915/display/intel_dp_tunnel.c | 20 +-
> drivers/gpu/drm/i915/display/intel_dp_tunnel.h | 11 +-
> drivers/gpu/drm/i915/display/intel_gmbus.c | 4 +-
> drivers/gpu/drm/i915/display/intel_plane.c | 11 +-
> drivers/gpu/drm/i915/i915_wait_util.h | 2 +-
> drivers/gpu/drm/mediatek/mtk_dsi.c | 9 +-
> drivers/gpu/drm/ttm/tests/ttm_bo_test.c | 4 +-
> drivers/gpu/drm/xe/regs/xe_gt_regs.h | 1 +
> drivers/gpu/drm/xe/xe_pt.c | 12 +-
> drivers/gpu/drm/xe/xe_sriov_packet.c | 2 +
> drivers/gpu/drm/xe/xe_vm.c | 22 +-
> drivers/gpu/drm/xe/xe_vm_types.h | 4 +
> drivers/gpu/drm/xe/xe_wa.c | 3 +-
> drivers/hid/hid-apple.c | 7 +-
> drivers/hid/hid-asus.c | 18 +-
> drivers/hid/hid-ids.h | 1 +
> drivers/hid/hid-magicmouse.c | 6 +-
> drivers/hid/hid-mcp2221.c | 2 +
> drivers/hid/intel-ish-hid/ipc/hw-ish.h | 2 +
> drivers/hid/intel-ish-hid/ipc/pci-ish.c | 12 +
> drivers/hwmon/adm1177.c | 54 +--
> drivers/hwmon/axi-fan-control.c | 2 +-
> drivers/hwmon/peci/cputemp.c | 4 +-
> drivers/hwmon/pmbus/ina233.c | 3 +-
> drivers/hwmon/pmbus/isl68137.c | 21 +-
> drivers/hwmon/pmbus/pmbus_core.c | 192 ++++++++--
> drivers/i2c/busses/i2c-designware-amdisp.c | 11 +-
> drivers/i2c/busses/i2c-imx.c | 51 ++-
> drivers/i3c/master/dw-i3c-master.c | 2 +
> drivers/infiniband/core/rw.c | 27 +-
> drivers/infiniband/hw/bng_re/bng_dev.c | 14 +-
> drivers/infiniband/hw/efa/efa_com.c | 175 ++++-----
> drivers/infiniband/hw/ionic/ionic_controlpath.c | 4 +-
> drivers/infiniband/hw/irdma/cm.c | 29 +-
> drivers/infiniband/hw/irdma/uk.c | 39 +-
> drivers/infiniband/hw/irdma/utils.c | 2 -
> drivers/infiniband/hw/irdma/verbs.c | 9 +-
> drivers/irqchip/irq-qcom-mpm.c | 3 +
> drivers/irqchip/irq-renesas-rzv2h.c | 2 +-
> drivers/media/mc/mc-request.c | 5 +
> drivers/media/platform/verisilicon/imx8m_vpu_hw.c | 2 +-
> drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
> drivers/net/can/dev/netlink.c | 4 +-
> drivers/net/ethernet/airoha/airoha_ppe.c | 2 +
> drivers/net/ethernet/broadcom/Kconfig | 2 +-
> drivers/net/ethernet/broadcom/asp2/bcmasp.c | 66 ++--
> drivers/net/ethernet/cadence/macb_main.c | 41 +-
> .../net/ethernet/freescale/enetc/enetc_ethtool.c | 2 +
> drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 31 +-
> drivers/net/ethernet/intel/ice/ice_ethtool.c | 14 +-
> drivers/net/ethernet/intel/ice/ice_repr.c | 5 +-
> drivers/net/ethernet/microchip/lan743x_main.c | 5 +
> drivers/net/ethernet/pensando/ionic/ionic_lif.c | 17 +-
> drivers/net/ethernet/ti/icssg/icssg_common.c | 4 +-
> drivers/net/team/team_core.c | 65 +++-
> drivers/net/tun_vnet.h | 2 +-
> drivers/net/usb/r8152.c | 1 +
> drivers/net/virtio_net.c | 7 +-
> drivers/nvme/host/fabrics.c | 4 +-
> drivers/nvme/host/pci.c | 11 +-
> drivers/nvme/target/admin-cmd.c | 2 +-
> drivers/nvme/target/core.c | 14 +-
> drivers/nvme/target/nvmet.h | 1 +
> drivers/nvme/target/rdma.c | 1 +
> drivers/phy/qualcomm/phy-qcom-qmp-ufs.c | 3 +-
> drivers/phy/ti/phy-j721e-wiz.c | 2 +
> drivers/pinctrl/mediatek/pinctrl-mtk-common.c | 9 +-
> drivers/pinctrl/qcom/pinctrl-spmi-gpio.c | 16 +
> drivers/pinctrl/renesas/pinctrl-rza1.c | 2 +-
> drivers/pinctrl/renesas/pinctrl-rzt2h.c | 1 +
> drivers/pinctrl/stm32/Kconfig | 1 +
> drivers/platform/olpc/olpc-xo175-ec.c | 2 +-
> drivers/platform/x86/hp/hp-wmi.c | 12 +-
> drivers/platform/x86/intel/hid.c | 23 +-
> .../x86/intel/speed_select_if/isst_tpmi_core.c | 5 +-
> drivers/platform/x86/lenovo/wmi-gamezone.c | 2 -
> drivers/platform/x86/oxpec.c | 30 +-
> drivers/platform/x86/touchscreen_dmi.c | 18 +
> drivers/scsi/ibmvscsi/ibmvfc.c | 3 +-
> drivers/scsi/mpi3mr/mpi3mr_fw.c | 10 +
> drivers/scsi/scsi_devinfo.c | 2 +-
> drivers/scsi/scsi_transport_sas.c | 2 +-
> drivers/scsi/ses.c | 2 +-
> drivers/slimbus/qcom-ngd-ctrl.c | 6 +-
> drivers/spi/spi-dw-dma.c | 2 +-
> drivers/spi/spi-fsl-lpspi.c | 3 +-
> drivers/spi/spi-intel-pci.c | 1 +
> drivers/spi/spi-meson-spicc.c | 2 -
> drivers/spi/spi-sn-f-ospi.c | 17 +-
> drivers/spi/spi.c | 19 +-
> .../int340x_thermal/processor_thermal_soc_slider.c | 8 +-
> drivers/usb/core/config.c | 6 +-
> drivers/usb/core/quirks.c | 5 +
> drivers/vfio/pci/vfio_pci_dmabuf.c | 5 +-
> drivers/virt/coco/tdx-guest/tdx-guest.c | 12 +-
> drivers/xen/privcmd.c | 3 +
> fs/btrfs/block-group.c | 2 +-
> fs/btrfs/disk-io.c | 4 +-
> fs/btrfs/ioctl.c | 7 +
> fs/btrfs/volumes.c | 5 +-
> fs/erofs/fileio.c | 6 +-
> fs/erofs/zdata.c | 3 +
> fs/ext4/Makefile | 4 +-
> fs/ext4/crypto.c | 9 +-
> fs/ext4/ext4.h | 6 +
> fs/ext4/extents.c | 23 +-
> fs/ext4/fast_commit.c | 17 +-
> fs/ext4/fsync.c | 16 +-
> fs/ext4/ialloc.c | 6 +
> fs/ext4/inline.c | 10 +-
> fs/ext4/inode.c | 75 +++-
> fs/ext4/mballoc-test.c | 81 ++--
> fs/ext4/mballoc.c | 132 ++++++-
> fs/ext4/mballoc.h | 30 ++
> fs/ext4/page-io.c | 10 +-
> fs/ext4/super.c | 16 +-
> fs/ext4/sysfs.c | 10 +-
> fs/fs-writeback.c | 18 +-
> fs/fuse/file.c | 4 +-
> fs/fuse/inode.c | 1 +
> fs/iomap/buffered-io.c | 15 +-
> fs/jbd2/checkpoint.c | 15 +-
> fs/netfs/buffered_read.c | 3 +-
> fs/netfs/direct_read.c | 3 +-
> fs/netfs/direct_write.c | 15 +-
> fs/netfs/iterator.c | 43 +++
> fs/netfs/read_collect.c | 4 +-
> fs/netfs/read_retry.c | 5 +-
> fs/netfs/read_single.c | 1 -
> fs/netfs/write_collect.c | 4 +-
> fs/netfs/write_issue.c | 3 +-
> fs/overlayfs/copy_up.c | 6 +-
> fs/overlayfs/overlayfs.h | 21 ++
> fs/overlayfs/ovl_entry.h | 7 +-
> fs/overlayfs/params.c | 33 +-
> fs/overlayfs/super.c | 2 +-
> fs/overlayfs/util.c | 5 +-
> fs/smb/server/oplock.c | 72 ++--
> fs/smb/server/smb2pdu.c | 73 ++--
> fs/xfs/scrub/quota.c | 4 +-
> fs/xfs/scrub/trace.h | 12 +-
> fs/xfs/xfs_attr_item.c | 5 +-
> fs/xfs/xfs_dquot_item.c | 9 +-
> fs/xfs/xfs_inode_item.c | 9 +-
> fs/xfs/xfs_mount.c | 7 +-
> fs/xfs/xfs_trace.h | 47 ++-
> fs/xfs/xfs_trans_ail.c | 26 +-
> include/linux/damon.h | 7 +
> include/linux/device.h | 54 +++
> include/linux/device/bus.h | 4 +
> include/linux/dma-mapping.h | 4 +-
> include/linux/fs/super_types.h | 1 +
> include/linux/leafops.h | 32 +-
> include/linux/mempolicy.h | 1 +
> include/linux/netfs.h | 1 -
> include/linux/pagemap.h | 11 -
> include/linux/platform_device.h | 5 -
> include/linux/spi/spi.h | 5 -
> include/linux/usb/quirks.h | 3 +
> include/linux/usb/r8152.h | 1 +
> include/linux/virtio_net.h | 53 ++-
> include/net/bluetooth/l2cap.h | 2 +-
> include/net/codel_impl.h | 1 +
> include/net/inet_hashtables.h | 14 +
> include/net/ip6_fib.h | 21 +-
> include/sound/cs35l56.h | 1 +
> include/trace/events/netfs.h | 8 +-
> include/trace/events/task.h | 7 +-
> include/uapi/linux/dma-buf.h | 1 +
> include/uapi/linux/netfilter/nf_conntrack_common.h | 4 +
> io_uring/fdinfo.c | 4 +-
> kernel/bpf/btf.c | 24 +-
> kernel/bpf/core.c | 43 ++-
> kernel/bpf/verifier.c | 36 +-
> kernel/dma/swiotlb.c | 21 +-
> kernel/events/core.c | 19 +-
> kernel/futex/core.c | 2 +-
> kernel/futex/pi.c | 3 +-
> kernel/futex/syscalls.c | 8 +
> kernel/module/main.c | 7 +
> kernel/power/main.c | 2 +-
> kernel/power/snapshot.c | 11 +
> kernel/sched/ext.c | 2 +-
> kernel/sysctl.c | 2 +-
> kernel/time/alarmtimer.c | 2 +-
> kernel/trace/trace_events_trigger.c | 85 ++++-
> kernel/trace/trace_osnoise.c | 10 +-
> lib/bug.c | 7 +-
> mm/damon/core.c | 9 +-
> mm/damon/stat.c | 53 ++-
> mm/damon/sysfs.c | 10 +-
> mm/memory.c | 18 +-
> mm/mempolicy.c | 10 +-
> mm/mseal.c | 3 +-
> mm/pagewalk.c | 25 +-
> net/bluetooth/l2cap_core.c | 103 +++--
> net/bluetooth/l2cap_sock.c | 3 +
> net/bluetooth/mgmt.c | 2 +-
> net/bluetooth/sco.c | 10 +-
> net/can/af_can.c | 4 +-
> net/can/af_can.h | 2 +-
> net/can/gw.c | 6 +-
> net/can/isotp.c | 24 +-
> net/can/proc.c | 3 +-
> net/core/rtnetlink.c | 28 +-
> net/ipv4/esp4.c | 9 +-
> net/ipv4/inet_connection_sock.c | 20 +-
> net/ipv4/udp.c | 2 +-
> net/ipv6/addrconf.c | 4 +-
> net/ipv6/esp6.c | 9 +-
> net/ipv6/ip6_fib.c | 15 +-
> net/ipv6/netfilter/ip6t_rt.c | 4 +
> net/ipv6/route.c | 2 +-
> net/key/af_key.c | 19 +-
> net/netfilter/nf_conntrack_expect.c | 4 +
> net/netfilter/nf_conntrack_netlink.c | 16 +-
> net/netfilter/nf_conntrack_proto_tcp.c | 10 +-
> net/netfilter/nf_conntrack_sip.c | 14 +-
> net/netfilter/nfnetlink_log.c | 8 +-
> net/netfilter/nft_set_rbtree.c | 92 ++++-
> net/nfc/nci/core.c | 10 +-
> net/openvswitch/flow_netlink.c | 2 +
> net/openvswitch/vport-netdev.c | 11 +-
> net/packet/af_packet.c | 1 +
> net/smc/smc_rx.c | 9 +-
> net/tls/tls_sw.c | 2 +-
> net/xfrm/xfrm_iptfs.c | 17 +-
> net/xfrm/xfrm_nat_keepalive.c | 2 +-
> net/xfrm/xfrm_policy.c | 2 +
> net/xfrm/xfrm_state.c | 1 +
> net/xfrm/xfrm_user.c | 7 +-
> rust/kernel/regulator.rs | 33 +-
> rust/pin-init/src/macros.rs | 16 +
> scripts/livepatch/klp-build | 9 +-
> scripts/package/install-extmod-build | 4 +
> sound/firewire/amdtp-stream.c | 2 +-
> sound/hda/codecs/hdmi/tegrahdmi.c | 1 +
> sound/hda/codecs/realtek/alc269.c | 42 ++-
> sound/hda/codecs/realtek/alc662.c | 9 +
> sound/hda/codecs/senarytech.c | 5 +
> sound/hda/controllers/intel.c | 1 -
> sound/soc/amd/acp/amd-acp63-acpi-match.c | 413 +++++++++++++++++++++
> sound/soc/codecs/adau1372.c | 34 +-
> sound/soc/codecs/cs35l56-shared.c | 16 +-
> sound/soc/codecs/cs35l56.c | 8 +
> sound/soc/codecs/rt1320-sdw.c | 5 +-
> sound/soc/codecs/sma1307.c | 6 +-
> sound/soc/codecs/wcd934x.c | 2 +-
> sound/soc/fsl/fsl_easrc.c | 14 +-
> sound/soc/fsl/imx-card.c | 2 +
> sound/soc/generic/simple-card-utils.c | 4 +-
> sound/soc/intel/boards/sof_sdw.c | 8 +
> sound/soc/intel/catpt/device.c | 10 +-
> sound/soc/intel/catpt/dsp.c | 3 -
> sound/soc/samsung/i2s.c | 6 +-
> sound/soc/sdca/sdca_functions.c | 11 +-
> sound/soc/sof/ipc4-topology.c | 2 +-
> sound/usb/quirks.c | 4 +
> tools/objtool/Makefile | 2 +-
> tools/objtool/arch/x86/decode.c | 68 ++--
> tools/objtool/check.c | 14 +
> tools/objtool/klp-diff.c | 26 +-
> tools/perf/util/metricgroup.c | 6 +-
> .../testing/selftests/bpf/prog_tests/reg_bounds.c | 62 +++-
> .../testing/selftests/bpf/progs/exceptions_fail.c | 9 +-
> .../selftests/mount_setattr/mount_setattr_test.c | 2 +-
> 349 files changed, 3991 insertions(+), 1331 deletions(-)
>
>
For me it does not work. systemd fail to start the virtual console
setup. I am using luks to encrypt the root partition. When I type the
password, it is always rejected almost I am 99,9% I type the correct
password. I will try to bisect it tomorrow.
Best regards,
François Valenduc
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2026-03-31 21:18 ` François Valenduc
@ 2026-03-31 21:52 ` Justin Forbes
2026-03-31 22:18 ` Florian Fainelli
` (12 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Justin Forbes @ 2026-03-31 21:52 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Tue, Mar 31, 2026 at 06:17:13PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.19.11 release.
> There are 342 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 02 Apr 2026 16:16:56 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Tested rc1 against the Fedora build system (aarch64, ppc64le, s390x,
x86_64), and boot tested x86_64. No regressions noted.
Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2026-03-31 21:52 ` Justin Forbes
@ 2026-03-31 22:18 ` Florian Fainelli
2026-04-01 11:42 ` Greg Kroah-Hartman
2026-04-01 6:21 ` Peter Schneider
` (11 subsequent siblings)
358 siblings, 1 reply; 366+ messages in thread
From: Florian Fainelli @ 2026-03-31 22:18 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill, sr
On 3/31/26 09:17, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.19.11 release.
> There are 342 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 02 Apr 2026 16:16:56 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
perf still fails to build for arm64 this was reported bck in 6.19.7. Can
you revert b56111d7a4642ea7ef776ae97ecb1dd2724a1503 ("perf jevents:
Handle deleted JSONS in out of source builds")?
Thanks!
--
Florian
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2026-03-31 22:18 ` Florian Fainelli
@ 2026-04-01 6:21 ` Peter Schneider
2026-04-01 6:45 ` Shung-Hsi Yu
` (10 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Peter Schneider @ 2026-04-01 6:21 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
Am 31.03.2026 um 18:17 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.19.11 release.
> There are 342 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2026-04-01 6:21 ` Peter Schneider
@ 2026-04-01 6:45 ` Shung-Hsi Yu
2026-04-01 7:28 ` Brett A C Sheffield
` (9 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Shung-Hsi Yu @ 2026-04-01 6:45 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Tue, Mar 31, 2026 at 06:17:13PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.19.11 release.
> There are 342 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
test_progs, test_progs-no_alu32, test_progs-cpuv4, test_maps,
test_verifier in BPF selftests all passes[1] on x86_64.
Tested-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
1: https://github.com/shunghsiyu/libbpf/actions/runs/23814574909/job/69410511598
[...]
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2026-04-01 6:45 ` Shung-Hsi Yu
@ 2026-04-01 7:28 ` Brett A C Sheffield
2026-04-01 9:17 ` Ron Economos
` (8 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Brett A C Sheffield @ 2026-04-01 7:28 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 6.19.11-rc1-g411f8a553ae8 #1 SMP PREEMPT_DYNAMIC Wed Apr 1 07:19:19 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2026-04-01 7:28 ` Brett A C Sheffield
@ 2026-04-01 9:17 ` Ron Economos
2026-04-01 9:19 ` Jon Hunter
` (7 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Ron Economos @ 2026-04-01 9:17 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On 3/31/26 09:17, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.19.11 release.
> There are 342 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 02 Apr 2026 16:16:56 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2026-04-01 9:17 ` Ron Economos
@ 2026-04-01 9:19 ` Jon Hunter
2026-04-01 10:06 ` Luna Jernberg
2026-04-01 11:14 ` Takeshi Ogasawara
` (6 subsequent siblings)
358 siblings, 1 reply; 366+ messages in thread
From: Jon Hunter @ 2026-04-01 9:19 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
linux-tegra, stable
On Tue, 31 Mar 2026 18:17:13 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.19.11 release.
> There are 342 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 02 Apr 2026 16:16:56 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.19:
11 builds: 11 pass, 0 fail
28 boots: 28 pass, 0 fail
133 tests: 133 pass, 0 fail
Linux version: 6.19.11-rc1-g411f8a553ae8
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
tegra194-p3509-0000+p3668-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra234-p3737-0000+p3701-0000,
tegra234-p3768-0000+p3767-0005, tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-04-01 9:19 ` Jon Hunter
@ 2026-04-01 10:06 ` Luna Jernberg
0 siblings, 0 replies; 366+ messages in thread
From: Luna Jernberg @ 2026-04-01 10:06 UTC (permalink / raw)
To: Jon Hunter, Luna Jernberg
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr, linux-tegra, stable
Tested-by: Luna Jernberg <droidbittin@gmail.com>
AMD Ryzen 5 5600 6-Core Processor:
https://www.inet.se/produkt/5304697/amd-ryzen-5-5600-3-5-ghz-35mb on a
https://www.gigabyte.com/Motherboard/B550-AORUS-ELITE-V2-rev-12
https://www.inet.se/produkt/1903406/gigabyte-b550-aorus-elite-v2
motherboard :)
running Arch Linux with the testing repos enabled:
https://archlinux.org/ https://archboot.com/
https://wiki.archlinux.org/title/Arch_Testing_Team
Den ons 1 apr. 2026 kl 11:25 skrev Jon Hunter <jonathanh@nvidia.com>:
>
> On Tue, 31 Mar 2026 18:17:13 +0200, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 6.19.11 release.
> > There are 342 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Thu, 02 Apr 2026 16:16:56 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.11-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> All tests passing for Tegra ...
>
> Test results for stable-v6.19:
> 11 builds: 11 pass, 0 fail
> 28 boots: 28 pass, 0 fail
> 133 tests: 133 pass, 0 fail
>
> Linux version: 6.19.11-rc1-g411f8a553ae8
> Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
> tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
> tegra194-p3509-0000+p3668-0000, tegra20-ventana,
> tegra210-p2371-2180, tegra210-p3450-0000,
> tegra234-p3737-0000+p3701-0000,
> tegra234-p3768-0000+p3767-0005, tegra30-cardhu-a04
>
> Tested-by: Jon Hunter <jonathanh@nvidia.com>
>
> Jon
>
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2026-04-01 9:19 ` Jon Hunter
@ 2026-04-01 11:14 ` Takeshi Ogasawara
2026-04-01 15:58 ` Jeffrin Thalakkottoor
` (5 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Takeshi Ogasawara @ 2026-04-01 11:14 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
Hi Greg
On Wed, Apr 1, 2026 at 2:01 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.19.11 release.
> There are 342 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 02 Apr 2026 16:16:56 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
6.19.11-rc1 tested.
Build successfully completed.
Boot successfully completed.
No dmesg regressions.
Video output normal.
Sound output normal.
Lenovo ThinkPad X1 Carbon Gen10(Intel i7-1260P(x86_64) arch linux)
[ 0.000000] Linux version 6.19.11-rc1rv-g411f8a553ae8
(takeshi@ThinkPadX1Gen10J0764) (gcc (GCC) 15.2.1 20260209, GNU ld (GNU
Binutils) 2.46) #1 SMP PREEMPT_DYNAMIC Wed Apr 1 19:21:05 JST 2026
Thanks
Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com>
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 22:18 ` Florian Fainelli
@ 2026-04-01 11:42 ` Greg Kroah-Hartman
0 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-04-01 11:42 UTC (permalink / raw)
To: Florian Fainelli
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow,
conor, hargar, broonie, achill, sr
On Tue, Mar 31, 2026 at 03:18:19PM -0700, Florian Fainelli wrote:
> On 3/31/26 09:17, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 6.19.11 release.
> > There are 342 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Thu, 02 Apr 2026 16:16:56 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.11-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> perf still fails to build for arm64 this was reported bck in 6.19.7. Can you
> revert b56111d7a4642ea7ef776ae97ecb1dd2724a1503 ("perf jevents: Handle
> deleted JSONS in out of source builds")?
Now reverted, sorry for missing that before.
greg k-h
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2026-04-01 11:14 ` Takeshi Ogasawara
@ 2026-04-01 15:58 ` Jeffrin Thalakkottoor
2026-04-01 16:09 ` Shuah Khan
` (4 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Jeffrin Thalakkottoor @ 2026-04-01 15:58 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
hello,
$sudo dmesg -l err
[sudo] password for jeffrin:
[ 11.985734] nouveau 0000:01:00.0: drm: failed to create ce channel, -22
[ 33.336996] nouveau 0000:01:00.0: msvld: unable to load firmware data
[ 33.337001] nouveau 0000:01:00.0: msvld: init failed, -19
[ 33.366460] nouveau 0000:01:00.0: gr: TRAP ch 3 [007fb90000
gst-plugin-scan[1242]]
[ 33.366485] nouveau 0000:01:00.0: gr: GPC0/PROP trap: 00000020
[RT_HEIGHT_OVERRUN] x = 48, y = 16, format = 37, storage type = 0
[ 43.524931] nouveau 0000:01:00.0: msvld: unable to load firmware data
[ 43.524937] nouveau 0000:01:00.0: msvld: init failed, -19
$
Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
--
software engineer
rajagiri school of engineering and technology
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2026-04-01 15:58 ` Jeffrin Thalakkottoor
@ 2026-04-01 16:09 ` Shuah Khan
2026-04-01 17:35 ` Mark Brown
` (3 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Shuah Khan @ 2026-04-01 16:09 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr, Shuah Khan
On 3/31/26 10:17, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.19.11 release.
> There are 342 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 02 Apr 2026 16:16:56 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2026-04-01 16:09 ` Shuah Khan
@ 2026-04-01 17:35 ` Mark Brown
2026-04-02 9:43 ` Barry K. Nathan
` (2 subsequent siblings)
358 siblings, 0 replies; 366+ messages in thread
From: Mark Brown @ 2026-04-01 17:35 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, achill, sr
[-- Attachment #1: Type: text/plain, Size: 346 bytes --]
On Tue, Mar 31, 2026 at 06:17:13PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.19.11 release.
> There are 342 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 21:18 ` François Valenduc
@ 2026-04-01 18:20 ` François Valenduc
[not found] ` <2026040220-sincere-undaunted-65b5@gregkh>
2026-04-02 7:56 ` Thorsten Leemhuis
1 sibling, 1 reply; 366+ messages in thread
From: François Valenduc @ 2026-04-01 18:20 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable; +Cc: linux-kernel, alison.schofield
>>
>>
> For me it does not work. systemd fail to start the virtual console
> setup. I am using luks to encrypt the root partition. When I type the
> password, it is always rejected almost I am 99,9% I type the correct
> password. I will try to bisect it tomorrow.
>
> Best regards,
>
> François Valenduc
I tried git bisect, but it is quite inconclusive. All commits where bad
until the end. So the first bad commit is this one:
commit 43ee946d8339fb35944b67f598f940814ec139d3 (HEAD)
Author: Alison Schofield <alison.schofield@intel.com>
Date: Thu Feb 26 10:44:36 2026 -0800
cxl/port: Fix use after free of parent_port in cxl_detach_ep()
However, reverting it does not solve the problem. 6.18.21-rc1 fails in
the same way.
Any ideas on this ?
Thanks in advance,
Best regards.
François Valenduc
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 21:18 ` François Valenduc
2026-04-01 18:20 ` François Valenduc
@ 2026-04-02 7:56 ` Thorsten Leemhuis
1 sibling, 0 replies; 366+ messages in thread
From: Thorsten Leemhuis @ 2026-04-02 7:56 UTC (permalink / raw)
To: François Valenduc, Greg Kroah-Hartman, stable; +Cc: linux-kernel
On 3/31/26 23:18, François Valenduc wrote:
> Le 31/03/26 à 18:17, Greg Kroah-Hartman a écrit :
>> This is the start of the stable review cycle for the 6.19.11 release.
>> There are 342 patches in this series, all will be posted as a response
>> to this one. If anyone has any issues with these being applied, please
>> let me know.
> [...]
>> 349 files changed, 3991 insertions(+), 1331 deletions(-)
Side note: please trim replies.
> For me it does not work. systemd fail to start the virtual console
> setup. I am using luks to encrypt the root partition. When I type the
> password, it is always rejected almost I am 99,9% I type the correct
> password. I will try to bisect it tomorrow.
Shot in the dark: Does it work with 6.19.10? If not, I wonder if it
might be this issue:
https://lore.kernel.org/lkml/20260327160050.31631-1-liavmordouch@gmail.com/
Ciao, Thorsten
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2026-04-01 17:35 ` Mark Brown
@ 2026-04-02 9:43 ` Barry K. Nathan
2026-04-02 12:04 ` Miguel Ojeda
2026-04-07 11:59 ` Pavel Machek
358 siblings, 0 replies; 366+ messages in thread
From: Barry K. Nathan @ 2026-04-02 9:43 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On 3/31/26 09:17, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.19.11 release.
> There are 342 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 02 Apr 2026 16:16:56 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.19.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Tested on 4 systems (3 amd64, 1 arm64). Working well, no regressions
observed.
Tested-by: Barry K. Nathan <barryn@pobox.com>
--
-Barry K. Nathan <barryn@pobox.com>
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2026-04-02 9:43 ` Barry K. Nathan
@ 2026-04-02 12:04 ` Miguel Ojeda
2026-04-07 11:59 ` Pavel Machek
358 siblings, 0 replies; 366+ messages in thread
From: Miguel Ojeda @ 2026-04-02 12:04 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Tue, 31 Mar 2026 18:17:13 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.19.11 release.
> There are 342 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 02 Apr 2026 16:16:56 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64, arm64 and riscv64; built-tested
for loongarch64 and arm32:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
[not found] ` <2026040243-dwelled-overdrive-51b3@gregkh>
@ 2026-04-02 19:09 ` François Valenduc
2026-04-03 6:15 ` Greg Kroah-Hartman
0 siblings, 1 reply; 366+ messages in thread
From: François Valenduc @ 2026-04-02 19:09 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: linux-kernel, stable
Le 2/04/26 à 15:38, Greg Kroah-Hartman a écrit :
> On Thu, Apr 02, 2026 at 03:19:15PM +0200, François Valenduc wrote:
>> It seems there is no difference between the final stable versions and
>> what was posted for review.
>> So I guess I will have the problem in 6.18.21 and 6.19.11. I will try
>> later today.
>> 6.19.10 and 6.18.20 worked just fine.
> If you can track it down to a specific commit, please let us know.
>
> thanks,
>
> greg k-h
In fact this has nothing to do with a kernel problem. This was caused by
a strange change in dracut which happened at the same time and some
keyboard layout files were not included anymore.
I would never have noticed if I didn't need an azerty keyboard 🙂 No
wonder that git bisect was inconclusive.
Sorry for the noise.
François Valenduc
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-04-02 19:09 ` François Valenduc
@ 2026-04-03 6:15 ` Greg Kroah-Hartman
0 siblings, 0 replies; 366+ messages in thread
From: Greg Kroah-Hartman @ 2026-04-03 6:15 UTC (permalink / raw)
To: François Valenduc; +Cc: linux-kernel, stable
On Thu, Apr 02, 2026 at 09:09:38PM +0200, François Valenduc wrote:
>
> Le 2/04/26 à 15:38, Greg Kroah-Hartman a écrit :
> > On Thu, Apr 02, 2026 at 03:19:15PM +0200, François Valenduc wrote:
> > > It seems there is no difference between the final stable versions and
> > > what was posted for review.
> > > So I guess I will have the problem in 6.18.21 and 6.19.11. I will try
> > > later today.
> > > 6.19.10 and 6.18.20 worked just fine.
> > If you can track it down to a specific commit, please let us know.
> >
> > thanks,
> >
> > greg k-h
>
> In fact this has nothing to do with a kernel problem. This was caused by a
> strange change in dracut which happened at the same time and some keyboard
> layout files were not included anymore.
> I would never have noticed if I didn't need an azerty keyboard 🙂 No wonder
> that git bisect was inconclusive.
>
> Sorry for the noise.
Hey, the number of times I've been "bitten" by the French keyboard
layout is way too many :)
Thanks for letting us know, glad it's not a kernel issue.
greg k-h
^ permalink raw reply [flat|nested] 366+ messages in thread
* Re: [PATCH 6.19 000/342] 6.19.11-rc1 review
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2026-04-02 12:04 ` Miguel Ojeda
@ 2026-04-07 11:59 ` Pavel Machek
358 siblings, 0 replies; 366+ messages in thread
From: Pavel Machek @ 2026-04-07 11:59 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
[-- Attachment #1: Type: text/plain, Size: 505 bytes --]
Hi!
> This is the start of the stable review cycle for the 6.19.11 release.
> There are 342 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
CIP testing did not find any problems here:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-6.19.y
Tested-by: Pavel Machek (CIP) <pavel@nabladev.com>
Best regards,
Pavel
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 366+ messages in thread
end of thread, other threads:[~2026-04-07 11:59 UTC | newest]
Thread overview: 366+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-31 16:17 [PATCH 6.19 000/342] 6.19.11-rc1 review Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 001/342] cxl/port: Fix use after free of parent_port in cxl_detach_ep() Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 002/342] cxl/region: Fix leakage in __construct_region() Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 003/342] bpf: Reset register ID for BPF_END value tracking Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 004/342] bpf: Fix constant blinding for PROBE_MEM32 stores Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 005/342] x86/perf: Make sure to program the counter value for stopped events on migration Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 006/342] perf: Make sure to use pmu_ctx->pmu for groups Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 007/342] s390/mm: Add missing secure storage access fixups for donated memory Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 008/342] objtool/klp: fix data alignment in __clone_symbol() Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 009/342] livepatch/klp-build: Fix inconsistent kernel version Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 010/342] cxl/hdm: Avoid incorrect DVSEC fallback when HDM decoders are enabled Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 011/342] hwmon: axi-fan: dont use driver_override as IRQ name Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 012/342] sh: platform_early: remove pdev->driver_override check Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 013/342] driver core: generalize driver_override in struct device Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 014/342] driver core: platform: use generic driver_override infrastructure Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 015/342] perf metricgroup: Fix metricgroup__has_metric_or_groups() Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 016/342] bpf: Release module BTF IDR before module unload Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 017/342] cxl: Adjust the startup priority of cxl_pmem to be higher than that of cxl_acpi Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 018/342] bpf: Fix exception exit lock checking for subprogs Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 019/342] bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 020/342] bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 021/342] tracing: Revert "tracing: Remove pid in task_rename tracing output" Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 022/342] platform/x86: hp-wmi: Add Omen 16-wf0xxx fan and thermal support Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 023/342] HID: asus: avoid memory leak in asus_report_fixup() Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 024/342] platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to dmi_vgbs_allow_list Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 025/342] nvme-pci: cap queue creation to used queues Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 026/342] nvme-fabrics: use kfree_sensitive() for DHCHAP secrets Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 027/342] platform/x86: hp-wmi: Add Omen 16-xd0xxx fan and thermal support Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 028/342] platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold 16 Gen 1 Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 029/342] platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix touchscreen on SUPI S10 Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 030/342] platform/x86: hp-wmi: add Omen 14-fb1xxx (board 8E41) support Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 031/342] nvme-pci: ensure were polling a polled queue Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 032/342] HID: magicmouse: fix battery reporting for Apple Magic Trackpad 2 Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 033/342] HID: magicmouse: avoid memory leak in magicmouse_report_fixup() Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 034/342] platform/x86: hp-wmi: Add Victus 16-d0xxx support Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 035/342] HID: intel-ish-hid: ipc: Add Nova Lake-H/S PCI device IDs Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 036/342] platform/x86: oxpec: Add support for OneXPlayer APEX Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 037/342] HID: apple: Add EPOMAKER TH87 to the non-apple keyboards list Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 038/342] platform/x86: oxpec: Add support for OneXPlayer X1z Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 039/342] net: usb: r8152: add TRENDnet TUC-ET2G Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 040/342] kbuild: install-extmod-build: Package resolve_btfids if necessary Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 041/342] platform/x86: oxpec: Add support for Aokzoe A2 Pro Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 042/342] platform/x86: oxpec: Add support for OneXPlayer X1 Air Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 043/342] HID: mcp2221: cancel last I2C command on read error Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 044/342] HID: asus: add xg mobile 2023 external hardware support Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 045/342] module: Fix kernel panic when a symbol st_shndx is out of bounds Greg Kroah-Hartman
2026-03-31 16:17 ` [PATCH 6.19 046/342] ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_set_reg() Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 047/342] scsi: mpi3mr: Clear reset history on ready and recheck state after timeout Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 048/342] ASoC: rt1321: fix DMIC ch2/3 mask issue Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 049/342] scsi: devinfo: Add BLIST_SKIP_IO_HINTS for Iomega ZIP Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 050/342] ASoC: Intel: sof_sdw: Add quirk for Alienware Area 51 (2025) 0CCD SKU Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 051/342] ALSA: hda/hdmi: Add Tegra238 HDA codec device ID Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 052/342] ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_put_bits() Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 053/342] ASoC: cs35l56: Only patch ASP registers if the DAI is part of a DAIlink Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 054/342] spi: spi-dw-dma: fix print error log when wait finish transaction Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 055/342] dma-buf: Include ioctl.h in UAPI header Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 056/342] block: break pcpu_alloc_mutex dependency on freeze_lock Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 057/342] ALSA: hda/senary: Ensure EAPD is enabled during init Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 058/342] drm/ttm/tests: Fix build failure on PREEMPT_RT Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 059/342] ASoC: amd: acp: Add ACP6.3 match entries for Cirrus Logic parts Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 060/342] bpf: Fix u32/s32 bounds when ranges cross min/max boundary Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 061/342] HID: apple: avoid memory leak in apple_report_fixup() Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 062/342] sched_ext: Use WRITE_ONCE() for the write side of dsq->seq update Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 063/342] btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 064/342] objtool: Use HOSTCFLAGS for HAVE_XXHASH test Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 065/342] powerpc64/ftrace: fix OOL stub count with clang Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 066/342] ALSA: hda/realtek: add HP Laptop 14s-dr5xxx mute LED quirk Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 067/342] objtool/klp: Disable unsupported pr_debug() usage Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 068/342] ALSA: hda/realtek: Add quirk for Gigabyte Technology to fix headphone Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 069/342] ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390 Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 070/342] objtool: Handle Clang RSP musical chairs Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 071/342] nvmet: move async event work off nvmet-wq Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 072/342] drm/amdgpu: fix gpu idle power consumption issue for gfx v12 Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 073/342] usb: core: new quirk to handle devices with zero configurations Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 074/342] spi: intel-pci: Add support for Nova Lake mobile SPI flash Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 075/342] ALSA: usb-audio: Add iface reset and delay quirk for SPACETOUCH USB Audio Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 076/342] ALSA: hda/realtek: add quirk for ASUS UM6702RC Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 077/342] i3c: master: dw-i3c: Fix missing of_node for virtual I2C adapter Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 078/342] xfrm: add missing extack for XFRMA_SA_PCPU in add_acquire and allocspi Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 079/342] xfrm: fix the condition on x->pcpu_num in xfrm_sa_len Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 080/342] xfrm: call xdo_dev_state_delete during state update Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 081/342] esp: fix skb leak with espintcp and async crypto Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 082/342] pinctrl: renesas: rzt2h: Fix device node leak in rzt2h_gpio_register() Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 083/342] xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 084/342] pinctrl: qcom: spmi-gpio: implement .get_direction() Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 085/342] pinctrl: renesas: rza1: Normalize return value of gpio_get() Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 086/342] xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 087/342] xfrm: prevent policy_hthresh.work from racing with netns teardown Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 088/342] af_key: validate families in pfkey_send_migrate() Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 089/342] dma: swiotlb: add KMSAN annotations to swiotlb_bounce() Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 090/342] erofs: set fileio bio failed in short read case Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 091/342] can: statistics: add missing atomic access in hot path Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 092/342] pinctrl: stm32: fix HDP driver dependency on GPIO_GENERIC Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 093/342] Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 094/342] Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 095/342] Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 096/342] Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 097/342] Bluetooth: hci_ll: Fix firmware leak on error path Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 098/342] Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 099/342] pinctrl: mediatek: common: Fix probe failure for devices without EINT Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 100/342] ionic: fix persistent MAC address override on PF Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 101/342] nfc: nci: fix circular locking dependency in nci_close_device Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 102/342] net: openvswitch: Avoid releasing netdev before teardown completes Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 103/342] openvswitch: defer tunnel netdev_put to RCU release Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 104/342] openvswitch: validate MPLS set/set_masked payload length Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 105/342] net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer Greg Kroah-Hartman
2026-03-31 16:18 ` [PATCH 6.19 106/342] rtnetlink: count IFLA_PARENT_DEV_{NAME,BUS_NAME} in if_nlmsg_size Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 107/342] rtnetlink: count IFLA_INFO_SLAVE_KIND " Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 108/342] net: bcmasp: streamline early exit in probe Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 109/342] net: bcmasp: fix double free of WoL irq Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 110/342] net: bcmasp: fix double disable of clk Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 111/342] platform/x86: ISST: Check HWP support before MSR access Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 112/342] platform/x86: lenovo: wmi-gamezone: Drop gz_chain_head Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 113/342] platform/olpc: olpc-xo175-ec: Fix overflow error message to print inlen Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 114/342] platform/x86: intel-hid: disable wakeup_mode during hibernation Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 115/342] ice: fix inverted ready check for VF representors Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 116/342] ice: use ice_update_eth_stats() for representor stats Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 117/342] iavf: fix out-of-bounds writes in iavf_get_ethtool_stats() Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 118/342] ipv6: Remove permanent routes from tb6_gc_hlist when all exceptions expire Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 119/342] ipv6: Dont remove permanent routes with exceptions from tb6_gc_hlist Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 120/342] net: fix fanout UAF in packet_release() via NETDEV_UP race Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 121/342] net: airoha: add RCU lock around dev_fill_forward_path Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 122/342] net: b44: always select CONFIG_FIXED_PHY Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 123/342] udp: Fix wildcard bind conflict check when using hash2 Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 124/342] net: enetc: fix the output issue of ethtool --show-ring Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 125/342] virtio-net: correct hdr_len handling for VIRTIO_NET_F_GUEST_HDRLEN Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 126/342] virtio-net: correct hdr_len handling for tunnel gso Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 127/342] team: fix header_ops type confusion with non-Ethernet ports Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 128/342] net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 129/342] net: lan743x: fix duplex configuration in mac_link_up Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 130/342] rtnetlink: fix leak of SRCU struct in rtnl_link_register Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 131/342] net_sched: codel: fix stale state for empty flows in fq_codel Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 132/342] dma-mapping: add missing `inline` for `dma_free_attrs` Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 133/342] Bluetooth: L2CAP: Fix send LE flow credits in ACL link Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 134/342] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 135/342] Bluetooth: L2CAP: Fix not tracking outstanding TX ident Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 136/342] Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 137/342] Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 138/342] Bluetooth: btusb: clamp SCO altsetting table indices Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 139/342] tls: Purge async_hold in tls_decrypt_async_wait() Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 140/342] netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 141/342] netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 142/342] netfilter: nft_set_rbtree: revisit array resize logic Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 143/342] netfilter: nf_conntrack_expect: skip expectations in other netns via proc Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 144/342] netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 145/342] netfilter: ctnetlink: use netlink policy range checks Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 146/342] net: macb: use the current queue number for stats Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 147/342] RDMA/bng_re: Fix silent failure in HWRM version query Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 148/342] RDMA/efa: Check stored completion CTX command ID with received one Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 149/342] RDMA/efa: Improve admin completion context state machine Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 150/342] RDMA/efa: Fix use of completion ctx after free Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 151/342] regmap: Synchronize cache for the page selector Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 152/342] ALSA: hda/realtek: Sequence GPIO2 on Star Labs StarFighter Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 153/342] RDMA/rw: Fall back to direct SGE on MR pool exhaustion Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 154/342] RDMA/efa: Fix possible deadlock Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 155/342] ALSA: usb-audio: Exclude Scarlett 2i2 1st Gen from SKIP_IFACE_SETUP Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 156/342] RDMA/irdma: Initialize free_qp completion before using it Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 157/342] RDMA/irdma: Update ibqp state to error if QP is already in error state Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 158/342] RDMA/irdma: Remove a NOP wait_event() in irdma_modify_qp_roce() Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 159/342] RDMA/irdma: Clean up unnecessary dereference of event->cm_node Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 160/342] RDMA/irdma: Remove reset check from irdma_modify_qp_to_err() Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 161/342] RDMA/irdma: Fix deadlock during netdev reset with active connections Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 162/342] RDMA/irdma: Return EINVAL for invalid arp index error Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 163/342] RDMA/irdma: Harden depth calculation functions Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 164/342] ASoC: simple-card-utils: Check value of is_playback_only and is_capture_only Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 165/342] ASoC: fsl: imx-card: initialize playback_only and capture_only Greg Kroah-Hartman
2026-03-31 16:19 ` [PATCH 6.19 166/342] scsi: scsi_transport_sas: Fix the maximum channel scanning issue Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 167/342] x86/efi: efi_unmap_boot_services: fix calculation of ranges_to_free size Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 168/342] drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 169/342] drm/i915/gmbus: fix spurious timeout on 512-byte burst reads Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 170/342] PM: hibernate: Drain trailing zero pages on userspace restore Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 171/342] PM: sleep: Drop spurious WARN_ON() from pm_restore_gfp_mask() Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 172/342] drm/xe/pf: Fix use-after-free in migration restore Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 173/342] spi: sn-f-ospi: Fix resource leak in f_ospi_probe() Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 174/342] ASoC: Intel: catpt: Fix the device initialization Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 175/342] spi: meson-spicc: Fix double-put in remove path Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 176/342] drm/amd/display: Do not skip unrelated mode changes in DSC validation Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 177/342] ASoC: dt-bindings: stm32: Fix incorrect compatible string in stm32h7-sai match Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 178/342] rust: regulator: do not assume that regulator_get() returns non-null Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 179/342] drm/xe: Implement recent spec updates to Wa_16025250150 Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 180/342] spi: use generic driver_override infrastructure Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 181/342] ACPI: EC: clean up handlers on probe failure in acpi_ec_setup() Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 182/342] drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 183/342] hwmon: (adm1177) fix sysfs ABI violation and current unit conversion Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 184/342] ASoC: SDCA: fix finding wrong entity Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 185/342] hwmon: (pmbus) Mark lowest/average/highest/rated attributes as read-only Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 186/342] hwmon: (pmbus) Introduce the concept of "write-only" attributes Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 187/342] hwmon: (pmbus/core) Protect regulator operations with mutex Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 188/342] sysctl: fix uninitialized variable in proc_do_large_bitmap Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 189/342] ASoC: adau1372: Fix unchecked clk_prepare_enable() return value Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 190/342] ASoC: adau1372: Fix clock leak on PLL lock failure Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 191/342] spi: spi-fsl-lpspi: fix teardown order issue (UAF) Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 192/342] io_uring/fdinfo: fix SQE_MIXED SQE displaying Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 193/342] io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 194/342] ALSA: usb-audio: Exclude Scarlett 2i4 1st Gen from SKIP_IFACE_SETUP Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 195/342] s390/syscalls: Add spectre boundary for syscall dispatch table Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 196/342] s390/barrier: Make array_index_mask_nospec() __always_inline Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 197/342] s390/entry: Scrub r12 register on kernel entry Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 198/342] tracing: Drain deferred trigger frees if kthread creation fails Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 199/342] tracing: Fix potential deadlock in cpu hotplug with osnoise Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 200/342] drm/xe: always keep track of remap prev/next Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 201/342] ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len() Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 202/342] ksmbd: fix potencial OOB in get_file_all_info() for compound requests Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 203/342] ksmbd: fix memory leaks and NULL deref in smb2_lock() Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 204/342] ksmbd: do not expire session on binding failure Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 205/342] Revert "ALSA: hda/intel: Add MSI X870E Tomahawk to denylist" Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 206/342] ALSA: hda/realtek: add quirk for ASUS Strix G16 G615JMR Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 207/342] ALSA: firewire-lib: fix uninitialized local variable Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 208/342] accel/ivpu: Add disable clock relinquish workaround for NVL-A0 Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 209/342] ASoC: codecs: wcd934x: fix typo in dt parsing Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 210/342] ASoC: sma1307: fix double free of devm_kzalloc() memory Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 211/342] ASoC: SOF: ipc4-topology: Allow bytes controls without initial payload Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 212/342] can: gw: fix OOB heap access in cgw_csum_crc8_rel() Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 213/342] can: isotp: fix tx.buf use-after-free in isotp_sendmsg() Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 214/342] can: netlink: can_changelink(): add missing error handling to call can_ctrlmode_changelink() Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 215/342] cpufreq: Dont skip cpufreq_frequency_table_cpuinfo() Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 216/342] cpufreq: conservative: Reset requested_freq on limits change Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 217/342] kbuild: Delete .builtin-dtbs.S when running make clean Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 218/342] mm/damon/stat: monitor all System RAM resources Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 219/342] thermal: intel: int340x: soc_slider: Set offset only for balanced mode Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 220/342] RDMA/ionic: Preserve and set Ethernet source MAC after ib_ud_header_init() Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 221/342] platform/x86: ISST: Correct locked bit width Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 222/342] KVM: arm64: Discard PC update state on vcpu reset Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 223/342] KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc() Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 224/342] hwmon: (pmbus/ina233) Fix error handling and sign extension in shunt voltage read Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 225/342] hwmon: (pmbus/isl68137) Add mutex protection for AVS enable sysfs attributes Greg Kroah-Hartman
2026-03-31 16:20 ` [PATCH 6.19 226/342] hwmon: (peci/cputemp) Fix crit_hyst returning delta instead of absolute temperature Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 227/342] hwmon: (peci/cputemp) Fix off-by-one in cputemp_is_visible() Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 228/342] media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 229/342] media: verisilicon: Fix kernel panic due to __initconst misuse Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 230/342] xfrm: iptfs: validate inner IPv4 header length in IPTFS payload Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 231/342] xfrm: iptfs: only publish mode_data after clone setup Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 232/342] virt: tdx-guest: Fix handling of host controlled quote buffer length Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 233/342] virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 234/342] vfio/pci: Fix double free in dma-buf feature Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 235/342] erofs: add GFP_NOIO in the bio completion if needed Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 236/342] alarmtimer: Fix argument order in alarm_timer_forward() Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 237/342] mm/huge_memory: fix folio isnt locked in softleaf_to_folio() Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 238/342] writeback: dont block sync for filesystems with no data integrity guarantees Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 239/342] x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling() Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 240/342] x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 241/342] x86/fred: Fix early boot failures on SEV-ES/SNP guests Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 242/342] phy: qcom: qmp-ufs: Fix SM8650 PCS table for Gear 4 Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 243/342] ovl: make fsync after metadata copy-up opt-in mount option Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 244/342] ovl: fix wrong detection of 32bit inode numbers Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 245/342] scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 246/342] scsi: ses: Handle positive SCSI error from ses_recv_diag() Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 247/342] net: macb: Move devm_{free,request}_irq() out of spin lock area Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 248/342] net: macb: Protect access to net_device::ip_ptr with RCU lock Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 249/342] net: macb: Use dev_consume_skb_any() to free TX SKBs Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 250/342] KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 251/342] KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 252/342] jbd2: gracefully abort on checkpointing state corruptions Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 253/342] irqchip/qcom-mpm: Add missing mailbox TX done acknowledgment Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 254/342] iomap: fix invalid folio access when i_blkbits differs from I/O granularity Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 255/342] i2c: designware: amdisp: Fix resume-probe race condition issue Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 256/342] futex: Clear stale exiting pointer in futex_lock_pi() retry path Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 257/342] i2c: imx: fix i2c issue when reading multiple messages Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 258/342] i2c: imx: ensure no clock is generated after last read Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 259/342] dmaengine: fsl-edma: fix channel parameter config for fixed channel requests Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 260/342] dmaengine: sh: rz-dmac: Protect the driver specific lists Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 261/342] dmaengine: sh: rz-dmac: Move CHCTRL updates under spinlock Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 262/342] drm/amdgpu: prevent immediate PASID reuse case Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 263/342] drm/amdgpu: fix strsep() corrupting lockup_timeout on multi-GPU (v3) Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 264/342] drm/amd/display: Fix DCE LVDS handling Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 265/342] drm/amd/display: Fix drm_edid leak in amdgpu_dm Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 266/342] drm/amd/display: check if ext_caps is valid in BL setup Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 267/342] drm/i915/dp_tunnel: Fix error handling when clearing stream BW in atomic state Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 268/342] drm/i915: Order OP vs. timeout correctly in __wait_for() Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 269/342] drm/i915: Unlink NV12 planes earlier Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 270/342] LoongArch: Fix missing NULL checks for kstrdup() Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 271/342] LoongArch: vDSO: Emit GNU_EH_FRAME correctly Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 272/342] LoongArch: Workaround LS2K/LS7A GPU DMA hang bug Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 273/342] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 274/342] LoongArch: KVM: Fix base address calculation in kvm_eiointc_regs_access() Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 275/342] LoongArch: KVM: Handle the case that EIOINTCs coremap is empty Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 276/342] drm/amd/pm: Return -EOPNOTSUPP for unsupported OD_MCLK on smu_v13_0_6 Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 277/342] mm/memory: fix PMD/PUD checks in follow_pfnmap_start() Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 278/342] mm/mseal: update VMA end correctly on merge Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 279/342] mm/damon/sysfs: fix param_ctx leak on damon_sysfs_new_test_ctx() failure Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 280/342] mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0] Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 281/342] mm/damon/sysfs: check contexts->nr in repeat_call_fn Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 282/342] mm/pagewalk: fix race between concurrent split and refault Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 283/342] xfs: stop reclaim before pushing AIL during unmount Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 284/342] xfs: save ailp before dropping the AIL lock in push callbacks Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 285/342] xfs: avoid dereferencing log items after " Greg Kroah-Hartman
2026-03-31 16:21 ` [PATCH 6.19 286/342] xfs: scrub: unlock dquot before early return in quota scrub Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 287/342] xfs: fix ri_total validation in xlog_recover_attri_commit_pass2 Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 288/342] xfs: dont irele after failing to iget in xfs_attri_recover_work Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 289/342] xfs: remove file_path tracepoint data Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 290/342] ext4: fix journal credit check when setting fscrypt context Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 291/342] ext4: convert inline data to extents when truncate exceeds inline size Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 292/342] ext4: fix stale xarray tags after writeback Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 293/342] ext4: do not check fast symlink during orphan recovery Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 294/342] ext4: fix fsync(2) for nojournal mode Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 295/342] ext4: make recently_deleted() properly work with lazy itable initialization Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 296/342] ext4: replace BUG_ON with proper error handling in ext4_read_inline_folio Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 297/342] ext4: publish jinode after initialization Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 298/342] ext4: test if inodes all dirty pages are submitted to disk Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 299/342] ext4: validate p_idx bounds in ext4_ext_correct_indexes Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 300/342] ext4: avoid infinite loops caused by residual data Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 301/342] ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal() Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 302/342] ext4: reject mount if bigalloc with s_first_data_block != 0 Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 303/342] ext4: fix use-after-free in update_super_work when racing with umount Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 304/342] ext4: fix the might_sleep() warnings in kvfree() Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 305/342] ext4: handle wraparound when searching for blocks for indirect mapped blocks Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 306/342] ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 307/342] ext4: always drain queued discard work in ext4_mb_release() Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 308/342] arm64: dts: imx8mn-tqma8mqnl: fix LDO5 power off Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 309/342] powerpc64/bpf: do not increment tailcall count when prog is NULL Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 310/342] mm/damon/core: avoid use of half-online-committed context Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 311/342] rust: pin-init: internal: init: document load-bearing fact of field accessors Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 312/342] ksmbd: fix use-after-free and NULL deref in smb_grant_oplock() Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 313/342] dmaengine: idxd: Fix crash when the event log is disabled Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 314/342] dmaengine: idxd: Fix possible invalid memory access after FLR Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 315/342] dmaengine: idxd: Fix not releasing workqueue on .release() Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 316/342] dmaengine: idxd: Fix memory leak when a wq is reset Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 317/342] dmaengine: idxd: Fix freeing the allocated ida too late Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 318/342] dmaengine: idxd: Fix leaking event log memory Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 319/342] phy: ti: j721e-wiz: Fix device node reference leak in wiz_get_lane_phy_types() Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 320/342] dmaengine: dw-edma: Fix multiple times setting of the CYCLE_STATE and CYCLE_BIT bits for HDMA Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 321/342] dmaengine: xilinx: xdma: Fix regmap init error handling Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 322/342] netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 323/342] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 324/342] dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc() Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 325/342] dmaengine: xilinx: xilinx_dma: Fix dma_device directions Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 326/342] dmaengine: xilinx: xilinx_dma: Fix residue calculation for cyclic DMA Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 327/342] dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 328/342] dmaengine: xilinx_dma: Fix reset related timeout with two-channel AXIDMA Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 329/342] selftests/mount_setattr: increase tmpfs size for idmapped mount tests Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 330/342] netfs: Fix read abandonment during retry Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 331/342] btrfs: fix super block offset in error message in btrfs_validate_super() Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 332/342] btrfs: fix leak of kobject name for sub-group space_info Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 333/342] btrfs: fix lost error when running device stats on multiple devices fs Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 334/342] xen/privcmd: unregister xenstore notifier on module exit Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 335/342] netfs: Fix the handling of stream->front by removing it Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 336/342] irqchip/renesas-rzv2h: Fix error path in rzv2h_icu_probe_common() Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 337/342] futex: Require sys_futex_requeue() to have identical flags Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 338/342] futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy() Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 339/342] ext4: introduce EXPORT_SYMBOL_FOR_EXT4_TEST() helper Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 340/342] ext4: fix mballoc-test.c is not compiled when EXT4_KUNIT_TESTS=M Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 341/342] bug: avoid format attribute warning for clang as well Greg Kroah-Hartman
2026-03-31 16:22 ` [PATCH 6.19 342/342] Bluetooth: L2CAP: Fix regressions caused by reusing ident Greg Kroah-Hartman
2026-03-31 17:23 ` [PATCH 6.19 000/342] 6.19.11-rc1 review Ronald Warsow
2026-03-31 18:24 ` Dileep malepu
2026-03-31 21:18 ` François Valenduc
2026-04-01 18:20 ` François Valenduc
[not found] ` <2026040220-sincere-undaunted-65b5@gregkh>
[not found] ` <CACU-xRtcWU=RKOfhL+8B2YmYnPN-fxc+TYc4rjaQEFc5qAk1+g@mail.gmail.com>
[not found] ` <2026040243-dwelled-overdrive-51b3@gregkh>
2026-04-02 19:09 ` François Valenduc
2026-04-03 6:15 ` Greg Kroah-Hartman
2026-04-02 7:56 ` Thorsten Leemhuis
2026-03-31 21:52 ` Justin Forbes
2026-03-31 22:18 ` Florian Fainelli
2026-04-01 11:42 ` Greg Kroah-Hartman
2026-04-01 6:21 ` Peter Schneider
2026-04-01 6:45 ` Shung-Hsi Yu
2026-04-01 7:28 ` Brett A C Sheffield
2026-04-01 9:17 ` Ron Economos
2026-04-01 9:19 ` Jon Hunter
2026-04-01 10:06 ` Luna Jernberg
2026-04-01 11:14 ` Takeshi Ogasawara
2026-04-01 15:58 ` Jeffrin Thalakkottoor
2026-04-01 16:09 ` Shuah Khan
2026-04-01 17:35 ` Mark Brown
2026-04-02 9:43 ` Barry K. Nathan
2026-04-02 12:04 ` Miguel Ojeda
2026-04-07 11:59 ` Pavel Machek
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox